Language Selection

English French German Italian Portuguese Spanish

Security

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

Filed under
Security
  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed

    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”

  • Joomla patches eight-year-old critical CMS bug

    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains.

    This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin.

    Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS.

    Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.

  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection

    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

Security: FOSS Updates, SEC, CCleaner

Filed under
Security
  • Security updates for Friday
  • SEC Chairman reveals financial reporting system was hacked
  • CCleaner malware outbreak is much worse than it first appeared
  • CCleaner Hack May Have Been A State-Sponsored Attack On 18 Major Tech Companies

    At the beginning of this week, reports emerged that Avast, owner of the popular CCleaner software, had been hacked. Initial investigations by security researchers at Cisco Talos discovered that the intruder not only compromised Avast's servers, but managed to embed both a backdoor and "a multi-stage malware payload" that rode on top of the installation of CCleaner. That infected software -- traditionally designed to help scrub PCs of cookies and other tracking software and malware -- was subsequently distributed by Avast to 700,000 customers (initially, that number was thought to be 2.27 million).

    And while that's all notably terrible, it appears initial reports dramatically under-stated both the scope and the damage done by the hack. Initially, news reports and statements by Avast insisted that the hackers weren't able to "do any harm" because the second, multi-stage malware payload was never effectively delivered. But subsequent reports by both Avast and Cisco Talos researchers indicate this payload was effectively delivered -- with the express goal of gaining access to the servers and networks of at least 18 technology giants, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

IoT botnet Linux.ProxyM turns its grubby claws to spam rather than DDoS

Filed under
Security

An IoT botnet is making a nuisance of itself online after becoming a conduit for spam distribution.

Linux.ProxyM has the capability to engage in email spam campaigns with marked difference to other IoT botnets, such as Mirai, that infamously offered a potent platform for running distributed-denial-of-service attacks (DDoSing). Other IoT botnets have been used as proxies to offer online anonymity.

Read more

Security: Antipatterns in IoT Security, Signing Programs for Linux, and Guide to Two-Factor Authentication

Filed under
Security
  • Antipatterns in IoT security

    Security for Internet of Things (IoT) devices is something of a hot topic over the last year or more. Marti Bolivar presented an overview of some of the antipatterns that are leading to the lack of security for these devices at a session at the 2017 Open Source Summit North America in Los Angeles. He also had some specific recommendations for IoT developers on how to think about these problems and where to turn for help in making security a part of the normal development process.

    A big portion of the talk was about antipatterns that he has seen—and even fallen prey to—in security engineering, he said. It was intended to help engineers develop more secure products on a schedule. It was not meant to be a detailed look at security technologies like cryptography, nor even a guide to what technical solutions to use. Instead, it targeted how to think about security with regard to developing IoT products.

  • Signing programs for Linux

    At his 2017 Open Source Summit North America talk, Matthew Garrett looked at the state of cryptographic signing and verification of programs for Linux. Allowing policies that would restrict Linux from executing programs that are not signed would provide a measure of security for those systems, but there is work to be done to get there. Garrett started by talking about "binaries", but programs come in other forms (e.g. scripts) so any solution must look beyond simply binary executables.

    There are a few different reasons to sign programs. The first is to provide an indication of the provenance of a program; whoever controls the key actually did sign it at some point. So if something is signed by a Debian or Red Hat key, it is strong evidence that it came from those organizations (assuming the keys have been securely handled). A signed program might be given different privileges based on the trust you place in a particular organization, as well.

  • A Guide to Common Types of Two-Factor Authentication on the Web

    Two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it's becoming much more common across the web. With often just a few clicks in a given account's settings, 2FA adds an extra layer of security to your online accounts on top of your password.

    In addition to requesting something you know to log in (in this case, your password), an account protected with 2FA will also request information from something you have (usually your phone or a special USB security key). Once you put in your password, you'll grab a code from a text or app on your phone or plug in your security key before you are allowed to log in. Some platforms call 2FA different things—Multi-Factor Authentication (MFA), Two Step Verification (2SV), or Login Approvals—but no matter the name, the idea is the same: Even if someone gets your password, they won't be able to access your accounts unless they also have your phone or security key.

    There are four main types of 2FA in common use by consumer websites, and it's useful to know the differences. Some sites offer only one option; other sites offer a few different options. We recommend checking twofactorauth.org to find out which sites support 2FA and how, and turning on 2FA for as many of your online accounts as possible. For more visual learners, this infographic from Access Now offers additional information.

    Finally, the extra layer of protection from 2FA doesn't mean you should use a weak password. Always make unique, strong passwords for each of your accounts, and then put 2FA on top of those for even better log-in security.

Security: SEC Breach, DNSSEC, FinFisher, CCleaner and CIA

Filed under
Security

Security: Apple's Betrayal, Intel ME Back Doors Backfire, and Optionsbleed

Filed under
Security
  • iOS 11 Muddies WiFi and Bluetooth Controls

    Turning WiFi and Bluetooth off is often viewed as a good security practice. Apple did not rationalize these changes in behavior.

  • How To Hack A Turned-Off Computer, Or Running Unsigned Code In Intel Management Engine

    Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such "God mode" capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.

  • Optionsbleed: Don’t get your panties in a wad

    To be honest, this isn’t the first security concern you’ve run in to, and it isn’t the first security issue you’re vulnerable to, that will remain exploitable for quite some time, until after someone you rely on fixed the issue for you, meanwhile compromising your customers.

    [...]

    Is it a small part of the SSL public key? A small part of the web request response? A chunk of the path to the index.php? Or is it a chunk of the database password used? Nobody knows until you get enough data to analyse the results of all data. If you can’t appreciate the maths behind analysing multiple readings of 8 arbitrary bytes, choose another career. Not that I know what to do and how to do it, by the way.

Security: Patches, CCleaner, Equifax Story Changes, 'Trusted IoT Alliance', Kali Linux 2017.2 and NBN

Filed under
Security

Security: SEC Cracked, Back Doors in Manchester Police, NBN Scans, and Securing Wi-Fi

Filed under
Security
  • SEC reveals it was hacked, information may have been used for illegal stock trades
  • Manchester Police still runs Windows XP on 20 per cent of PCs

    The Met has recently signed a deal with storage company Box which will, amongst other things, reduce the amount of data held locally.

  • Manchester police still relies on Windows XP [Ed: update below]

    The BBC has appealed against its refusal to provide an update.

  • NBN leverages open source software to analyse faults

    A new NBN initiative will use a range of open source projects including Apache SPARK, Kafka, Flume, Cassandra and JanusGraph to help analyse and improve the end user experience on the National Broadband Network.

    The government-owned company today announced it was launching a new ‘Tech Lab’, which it hopes will provide insights into pain points for customers on its network and help resolve faults sooner.

  • 5 Ways to Secure Wi-Fi Networks

    Wi-Fi is one entry-point hackers can use to get into your network without setting foot inside your building because wireless is much more open to eavesdroppers than wired networks, which means you have to be more diligent about security.

    But there’s a lot more to Wi-Fi security than just setting a simple password. Investing time in learning about and applying enhanced security measures can go a long way toward better protecting your network. Here are six tips to betters secure your Wi-Fi network.

You lost your ballpoint pen, Slack? Why's your Linux version unsigned?

Filed under
Linux
Security

Slack is distributing open Linux-based versions of its technology that are not digitally signed, contrary to industry best practice.

The absence of a digital signature creates a means for miscreants to sling around doctored versions of the software that users wouldn't easily be able to distinguish from the real thing.

El Reg learned of the issue from reader Trevor Hemsley, who reported the problem to Slack back in August and only notified the media after a promised fix failed to appear.

Security: Equifax, Kodi, Infrared, and Windows XP in 2017

Filed under
Security
  • Safer but not immune: Cloud lessons from the Equifax breach
  • Warning: If you are using this Kodi repository, you could be in danger

    Kodi is quite possibly the best media center software of all time. If you are looking to watch videos or listen to music, the open source solution provides an excellent overall experience. Thanks to its support for "addons," it has the potential to become better all the time. You see, developers can easily add new functionality by writing an addon for the platform. And yes, some addons can be used for piracy, but not all of them are. These addons, such as Exodus and Covenant, are normally added using a repository, which hosts them.

    [...]

    We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry.

  • Infrared signals in surveillance cameras let malware jump network air gaps

    The malware prototype could be a crucial ingredient for attacks that target some of the world's most sensitive networks. Militaries, energy producers, and other critical infrastructure providers frequently disconnect such networks from the Internet as a precaution. In the event malware is installed, there is no way for it to make contact with attacker-controlled servers that receive stolen data or issue new commands. Such airgaps are one of the most basic measures for securing highly sensitive information and networks.

    The proof-of-concept malware uses connected surveillance cameras to bridge such airgaps. Instead of trying to use the Internet to reach attacker-controlled servers, the malware weaves passwords, cryptographic keys, and other types of data into infrared signals and uses a camera's built-in infrared lights to transmit them. A nearby attacker then records the signals with a video camera and later decodes embedded secrets. The same nearby attackers can embed data into infrared signals and beam them to an infected camera, where they're intercepted and decoded by the network malware. The covert channel works best when attackers have a direct line of sight to the video camera, but non-line-of-sight communication is also possible in some cases.

  • Manchester police still relies on Windows XP

    England's second biggest police force has revealed that more than one in five of its computers were still running Windows XP as of July.
    Greater Manchester Police told the BBC that 1,518 of its PCs ran the ageing operating system, representing 20.3% of all the office computers it used.
    Microsoft ended nearly all support for the operating system in 2014. Experts say its use could pose a hacking risk.
    The figure was disclosed as part of a wider Freedom of Information request.
    "Even if security vulnerabilities are identified in XP, Microsoft won't distribute patches in the same way it does for later releases of Windows," said Dr Steven Murdoch, a cyber-security expert at University College London.

Syndicate content

More in Tux Machines

Tizen 3.0 and Home Spying Appliances

Vulkan FOSS Adoptions

  • SDL 2.0.6 released, introduces Vulkan support
    The cross-platform development library has seen the release of its latest version. Quite a few exciting changes this time around, including support for Vulkan and more types of gamepads. SDL [Official Site] is something that has been used in quite a diverse array of projects and plenty of game ports that have made their way to Linux have taken advantage of it. The latest release has its fair share of general improvements but most noticeable is the implementation of Vulkan support. This hopefully will make it easier for developers to take advantage of the Vulkan API and help it gain more traction.
  • X.Org Foundation Has Become A Khronos Adopter
    The X.Org Foundation board announced during this week's XDC2017 summit that they have officially completed the paperwork to become a Khronos adopter. The X.Org Foundation is now considered a pro-bono adopter for The Khronos Group so that the community-based open-source drivers targeting Khronos APIs for conformance can submit conformance test results and become a certified implementation.

Security: DHS on Potential Voting Machines Cracking, Joomla Patches Critical Flaw

  • DHS tells 21 states they were Russia hacking targets before 2016 election
  • 1. WikiLeaks, Russian edition: how it’s being viewed
    Russia has been investing heavily in a vision of cyberdemocracy that will link the public directly with government officials to increase official responsiveness. But it is also enforcing some of the toughest cybersecurity laws to empower law enforcement access to communications and ban technologies that could be used to evade surveillance. Could WikiLeaks put a check on Russia’s cyber regime? This week, the online activist group released the first of a promised series of document dumps on the nature and workings of Russia’s surveillance state. So far, the data has offered no bombshells. “It’s mostly technical stuff. It doesn’t contain any state contracts, or even a single mention of the FSB [security service], but there is some data here that’s worth publishing,” says Andrei Soldatov, coauthor of “The Red Web,” a history of the Soviet and Russian internet. But, he adds, “Anything that gets people talking about Russia's capabilities and actions in this area should be seen as a positive development.”
  • Joomla patches eight-year-old critical CMS bug
    Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains. This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin. Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS. Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.
  • Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection
    With over 84 million downloads, Joomla! is one of the most popular content management systems in the World Wide Web. It powers about 3.3% of all websites’ content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication. Joomla! has fixed the vulnerability in the latest version 3.8.

OpenSUSE fonts – The sleeping beauty guide

Pandora’s box of fonts is one of the many ailments of the distro world. As long as we do not have standards, and some rather strict ones at that, we will continue to suffer from bad fonts, bad contrast, bad ergonomics, and in general, settings that are not designed for sustained, prolonged use. It’s a shame, because humans actually use computers to interface with information, to READ text and interpret knowledge using the power of language. It’s the most critical element of the whole thing. OpenSUSE under-delivers on two fonts – anti-aliasing and hinting options that are less than ideal, and then it lacks the necessary font libraries to make a relevant, modern and pleasing desktop for general use. All of this can be easily solved if there’s more attention, love and passion for the end product. After all, don’t you want people to be spending a lot of time interacting, using and enjoying the distro? Hopefully, one day, all this will be ancient history. We will be able to choose any which system and never worry or wonder how our experience is going to be impacted by the choice of drivers, monitors, software frameworks, or even where we live. For the time being, if you intend on using openSUSE, this little guide should help you achieve a better, smoother, higher-quality rendering of fonts on the screen, allowing you to enjoy the truly neat Plasma desktop to the fullest. Oh, in the openSUSE review, I promised we would handle this, and handle it we did! Take care. Read more