Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Google and IBM launch open-source security tool for containers

    Google and IBM, together with a few other partners, released an open-source project that gathers metadata that developers can use to secure their software.

    According to an IBM blog post, the goal of the project is to help developers keep security standards, while microservices and containers cut the software supply chain.

  • Top 10 Hacking Techniques Used By Hackers

    We live in a world where cyber security has become more important than physical security, thousands of websites and emails are hacked daily. Hence, It is important to know the Top hacking techniques used by hackers worldwide to exploit vulnerable targets all over the internet.

  • Protect your wifi on Fedora against KRACK

    You may have heard about KRACK (for “Key Reinstallation Attack”), a vulnerability in WPA2-protected Wi-Fi. This attack could let attackers decrypt, forge, or steal data, despite WPA2’s improved encryption capabilities. Fear not — fixes for Fedora packages are on their way to stable.

  • Federal watchdog tells Equifax—no $7.25 million IRS contract for you

    The Government Accountability Office (GAO) on Monday rejected Equifax's bid to retain its $7.25 million "taxpayer identity" contract—the one awarded days after Equifax announced it had exposed the Social Security numbers and other personal data of some 145 million people.

  • Adobe Flash vulnerability exploited by BlackOasis hacking group to plant FinSpy spyware

    Security researchers have discovered a new Adobe Flash vulnerability that has already been exploited by hackers to deploy the latest version of FinSpy malware on targets. Kaspersky Lab researchers said a hacker group called BlackOasis has already taken advantage of the zero-day exploit – CVE-2017-11292 – to deliver its malicious payload via a Microsoft Word document.

  • Companies turn a blind eye to open source risk [Ed: No, Equifax got b0rked due to bad practices, negligence, incompetence, not FOSS]

    For instance, criminals who potentially gained access to the personal data of the Equifax customers exploited an Apache Struts CVE-2017-5638 vulnerability.

  • Checking Your Passwords Against the Have I Been Pwned List

    Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.

Security: Equifax, Grafeas, Updates and Open Source Security Podcast

Filed under
Security

Security Leftovers

Filed under
Security
  • Outlook, Office 2007 slowly taken behind the shed, shots heard

    A decade after their release, Microsoft Office 2007 and Outlook 2007 today fell out of extended support. Gaze teary-eyed at your installation discs. The software has entered the Long Dark Tea-Time of the Soul.

    The cutoff has been coming for some time, of course, but if you're of a nostalgic bent, the Outlook 2007 epitaph is here, and the somewhat longer (with more dates to absorb) Office 2007 farewell is here.

    With extended support ending for both 2007-era families, no new features, bug fixes, security patches, nor support, will be available in future for the programs.

  • Researchers Reveal Critical KRACK Flaws in WPA WiFi Security

    The WPA2 protocol which is widely used to secure WiFi traffic is at risk from multiple vulnerabilities, collectively referred to as "KRACK Attacks" that were publicly disclosed on Oct. 16

    "Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted," the vulnerability disclosure warns."The attack works against all modern protected Wi-Fi networks."

    KRACK is an acronym for Key Reinstallation Attacks, which were discovered by security research Mathy Vanhoef and Frank Piessens working at Belgian University KU Leuven. The researchers have disclosed the details of the KRACK attack in a research paper and plan on discussing it further in talks at the Computer and Communications Security (CCS) and Black Hat Europe conferences later this year.

  • The World Once Laughed at North Korean Cyberpower. No More.

Wi-Fi WPA2 Encryption Problem (and Hype About That)

Filed under
Security
  • Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

    An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

  • WiFi Security Is Borked - We're All Screwed... Maybe

    KRACK - or the Key Reinstallation AttaCK - looks like the new infosec word we all need to know. According to the authors of a paper that will be presented at conference in a couple of weeks, Mathy Vanhoef of KU Leuven and Frank Piessens say they have found a way to circumvent WPA2 security - one of the key tools used for protecting wireless networks. If KRACk proves to be true, all bets are off when it comes to stopping eavesdroppers from listening in to your wireless network.

  • Your Wifi router could be hiding a scary vulnerability

    Anybody that has a WiFi router might want to be sure to have their login details close at hand throughout the course of today.

    That’s because later today security researcher Mathy Vanhoef will reveal a potentially disastrous vulnerability in the WPA2 protocol.

    The Wifi Protected Access protocol appears to have been cracked by Vanhoef according to Gizmodo which took a look at the source code of the researcher’s website Krack Attacks and found this throw forward.

  • Wi-Fi WPA2 encryption possibly cracked

    Just to add on to your Monday morning blues, WPA2 (Wi-Fi Protected Access Version 2) which is the de-facto encryption method used by the majority of Wi-Fi routers is rumored to have been cracked.

Linus Torvalds lauds fuzzing for improving Linux security

Filed under
Linux
Security

Linus Torvalds release notification for Linux 4.14's fifth release candidate contains an interesting aside: the Linux Lord says fuzzing is making a big difference to the open source operating system.

Torvalds' announcement says Linux kernel 4.14 is coming along nicely, with this week's release candidate pleasingly small and “fairly normal in a release that has up until now felt a bit messier than it perhaps should have been.”

This week's most prominent changes concern “... more fixes for the whole new x86 TLB [translation lookaside buffer – Ed] handling due to the ASID [address space ID - Ed] changes that came in this release.”

Read more

Security: MalwareTech, JavaScript, Vista 10, TPM2, Intel Back Door, Linux Bug, Pizza Hut Breach, Telcos Spying

Filed under
Security
  • Let MalwareTech Surf! Status Report
  • 500 million PCs are being used for stealth cryptocurrency mining online

    A month or so ago, torrent search website The Pirate Bay raised concern among the community as visitors noticed their CPU usage surged whenever a page was opened.

  • Dutch slam Windows 10 for breaking privacy laws

    Dutch authorities claim Microsoft’s Windows 10 operating system is violating data protection and privacy laws, and warned they may impose fines on the US technology giant.

    “Microsoft breaches the Dutch data protection law by processing personal data of people that use the Windows 10 operating system on their computers,” the Dutch Data Protection Authority (DPA) said in a statement late Friday.

    The company fails to “clearly inform” users of Windows 10 that it “continuously collects personal data about the usage of apps and web surfing behavior through its web browser Edge, when the default settings are used,” the DPA said.

  • Using Elliptic Curve Cryptography with TPM2

    One of the most significant advances going from TPM1.2 to TPM2 was the addition of algorithm agility: The ability of TPM2 to work with arbitrary symmetric and asymmetric encryption schemes. In practice, in spite of this much vaunted agile encryption capability, most actual TPM2 chips I’ve seen only support a small number of asymmetric encryption schemes, usually RSA2048 and a couple of Elliptic Curves. However, the ability to support any Elliptic Curve at all is a step up from TPM1.2. This blog post will detail how elliptic curve schemes can be integrated into existing cryptographic systems using TPM2. However, before we start on the practice, we need at least a tiny swing through the theory of Elliptic Curves.

  • Sakaki's EFI Install Guide/Disabling the Intel Management Engine

    The Intel Management Engine ('IME' or 'ME') is an out-of-band co-processor integrated in all post-2006 Intel-CPU-based PCs. It has full network and memory access and runs proprietary, signed, closed-source software at ring -3,[1][2][3][4] independently of the BIOS, main CPU and platform operating system[5][6] — a fact which many regard as an unacceptable security risk (particularly given that at least one remotely exploitable security hole has already been reported[7][8]).

  • Linux vulnerable to privilege escalation

    An advisory from Cisco issued last Friday, October 13th, gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).

    The bug is designated CVE-2017-15265, but its Mitre entry was still marked “reserved” at the time of writing. Cisco, however, had this to say about it before release:

  • Pizza Hut was hacked, company says

    According to a customer notice emailed from the pizza chain, those who placed an order on its website or mobile app between the morning of Oct. 1 and midday Oct. 2 might have had their information exposed.

    The “temporary security intrusion” lasted for about 28 hours, the notice said, and it’s believed that names, billing ZIP codes, delivery addresses, email addresses and payment card information — meaning account number, expiration date and CVV number — were compromised.

  • Want to see something crazy? Open this link on your phone with WiFi turned off

    These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required). These services are doing this with the assistance of the telco providers.

  • Telcos "selling realtime ability to associate web browsing with name & address"

Security: Kaspersky, Grafeas, Schneier Book

Filed under
Security

Microsoft Breaking the Law and Computer Security Woes

Filed under
Microsoft
Security

How do you dump the firmware from a "secure" voting machine? With a $15 open source hardware board

Filed under
Hardware
Security

One of the highlights of this year's Defcon conference in Vegas was the Voting Machine Hacking Village, where security researchers tore apart the "secure" voting machines America trusts its democracy to.

The Voting Machine Hacking Village just released its master report on the vulnerabilities they found, and the participants are talking about it on Twitter, including Joe Fitz's note that he dumped the firmware off a Accuvote TSX with one of Adafruit's $15 open source hardware FT232h breakout boards.

Read more

Security: Australia, IRS, and Grafeas

Filed under
Security
  • Australian defense firm was hacked and F-35 data stolen, DOD confirms

    The Australian Cyber Security Centre noted in its just-issued 2017 Threat Report that a small Australian defense company "with contracting links to national security projects" had been the victim of a cyber-espionage attack detected last November. "ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data," the ACSC report stated. "The adversary remained active on the network at the time."

    More details of the breach were revealed on Wednesday at an IT conference in Sydney. ASD Incident Response Manager Mitchell Clarke said, "The compromise was extensive and extreme." The attacker behind the breach has been internally referred to at the Australian Signals Directorate as "APT Alf" (named for a character in Australia's long-running television show Home and Away, not the US television furry alien). Alf stole approximately 30 gigabytes of data, including data related to Australia's involvement in the F-35 Joint Strike Fighter program, as well as data on the P-8 Poseidon patrol plane, planned future Australian Navy ships, the C-130 Hercules cargo plane, and the Joint Direct Attack Munition (JDAM) bomb. The breach began in July of 2016.

  • After second bungle, IRS suspends Equifax’s “taxpayer identity” contract

    The tax-collecting agency is now temporarily suspending the contract because of another Equifax snafu. The Equifax site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which, when clicked, infected visitors' computers with adware that was detected by just three of 65 antivirus providers. The development means that at least for now, taxpayers cannot open new Secure Access accounts with the IRS. Secure Access allows taxpayers to retrieve various online tax records and provides other "tax account tools" to those who have signed up.

  • Google, IBM Partner to Tighten Container Security
  • Grafeas, new open-source API for the software supply chain, released
Syndicate content

More in Tux Machines

Graphics: Mesa 17.2.6 RC, AMDGPU, and Vulkan

  • Mesa 17.2.6 release candidate
  • Mesa 17.2.6 RC Arrives With 50+ Fixes
    While Mesa 17.3 is imminent and should be released as stable within the next few days, Mesa 17.2.6 is being prepped for release as the current point release.
  • 43 More AMDGPU DC Patches Hit The Streets
    While the massive AMDGPU DC infrastructure has been merged for Linux 4.15, the flow of improvements to this display code continues and it looks like the next few kernel cycles at least could be quite busy on the AMD front.
  • A Prototype Of The Vulkan Portability Initiative: Low-Level 3D To Vulkan / D3D12 / Metal
    A Mozilla engineer has put out a prototype library in working on the Vulkan Portability Initiative for allowing low-level 3D graphics support that's backed by Vulkan / Direct3D 12 / Metal. With Apple sticking to their own Metal graphics API and Direct3D 12 still being the dominant graphics API on Windows 10, The Khronos Group has been working towards better 3D portability for where Vulkan may not be directly supported by the OS/drivers or otherwise available. They've been working to target a subset of the Vulkan API that can be efficiently mapped to these other native graphics APIs and to have the libraries and tooling for better compatibility and code re-use of these different graphics APIs.

Kernel: Linux 4.15, TLDR, and Linus Torvalds' Latest Rant

  • Linux 4.15 Adds AMD Raven Ridge Audio ID
    Not only is AMD Stoney Ridge audio (finally) being supported by the Linux 4.15 kernel, but it also looks like Raven Ridge audio should now be working too.
  • Linux 4.14.2 Fixes The BCache Corruption Bug
    Normally I don't bother mentioning new Linux kernel point releases on Phoronix unless there are some significant changes, as is the case today with Linux 4.14.2.
  • TLDR is what Linux man pages always should have been
    If you get stuck using a Linux tool, the first port of call shouldn’t be to Stack Overflow, but rather its “man pages.” Man — which is short for manual — retrieves documentation for a given program. Unfortunately, this can often be dense, hard to understand, and lacking in practical examples to help you solve your problem. TLDR is another way of looking at documentation. Rather than being a comprehensive guide to a given tool, it instead focuses on offering practical example-driven instructions of how something works.
  • Linux creator Linus Torvalds: This is what drives me nuts about IT security
    Developers are often accused of not thinking about security, but Linux kernel founder Linus Torvalds has had enough of security people who don't think about developers and end-users. After blasting some kernel developers last week for killing processes in the name of hardening the kernel, Torvalds has offered a more measured explanation for his frustration with security myopia. While he agrees that having multiple layers of security in the kernel is a good idea, certain ways of implementing it are not, in particular if it annoys users and developers by killing processes that break users' machines and wreck core kernel code. Because ultimately, if there are no users, there's not much point in having a supremely secure kernel, Torvalds contends.

Unity 7 Hoping To Become An Official Flavor For Ubuntu 18.04 LTS

While Canonical abandoned their work on the Unity desktop environment in favor of the Unity-inspired customized GNOME Shell that debuted in Ubuntu 17.10, some within the community have remained interested in maintaining Unity 7 and even getting it into an official spin/flavor of Ubuntu. Posted today to the community.ubuntu.com was a Unity maintenance roadmap, reiterating the hope by some in the Ubuntu community for Ubuntu Unity to become an official LTS distribution of Ubuntu. They are hoping to make it an official flavor alongside Kubuntu, Ubuntu Budgie, Xubuntu, and others. Read more Original/direct: Unity Maintenance Roadmap

Programming/Development: Django and Google India

  • An introduction to the Django ORM
    One of the most powerful features of Django is its Object-Relational Mapper (ORM), which enables you to interact with your database, like you would with SQL. In fact, Django's ORM is just a pythonical way to create SQL to query and manipulate your database and get results in a pythonic fashion. Well, I say just a way, but it's actually really clever engineering that takes advantage of some of the more complex parts of Python to make developers' lives easier.
  • Hey, Coders! Google India Is Offering 130,000 Free Developer Scholarships — Here’s How To Apply
  • Google to prepare 1.3 lakh Indians for emerging technologies

    "The new scholarship programme is in tandem with Google's aim to train two million developers in India. The country is the second largest developer ecosystem in the world and is bound to overtake the US by 2021," William Florance, Developer Products Group and Skilling Lead for India, Google, told reporters here.