Security

Security: Curl, Two Factor Authentication (2FA) and Hacking With Kali Linux

Filed under
Security
  • Daniel Stenberg: curl + hackerone = TRUE

    There seems to be no end to updated posts about bug bounties in the curl project these days. Not long ago I mentioned the then new program that sadly enough was cancelled only a few months after its birth.

    Now we are back with a new and refreshed bug bounty program! The curl bug bounty program reborn.

  • Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)

    Liz mentions that by adding passphrase encryption, the private keys become resistant to theft when at rest. However, when they are in use, the usability challenges of re-entering the passphrase on every connection means that “engineers began caching keys unencrypted in memory of their workstations, and worse yet, forwarding the agent to allow remote hosts to use the cached keys without further confirmation”.

    The Matrix breach, which took place on April 11 showcases an example of what happens when authenticated sessions are allowed to propagate without a middle-man. The intruder in the Matrix breach had access to the production databases, potentially giving them access to unencrypted message data, password hashes, and access tokens.

  • Hacking With Kali Linux

    Before I talk about the series that I am going to start, let us briefly talk about who should follow this series.

    I know there are so many people out there who are very curious to learn hacking just to hack their partner's social media account. Well, if you are such a person, please listen to me. Hacking is not about getting into somebody's personal life and stealing their information. It is illegal.

    Somebody well said - “We need to have a talk on the subject of what's yours and what's mine.”

    So you should not hack information that is not yours.

    But if you are a tech enthusiast who wants to make a career as a penetration tester or white hat hacker, this series can really be a good way to start. So for such enthusiasts, I am creating a page where you can follow the series. You can also follow our social media pages so you get a notification when a new informative article comes out.

Security: 'Phone' Gimmicks, GNU/Linux Tools and More

Filed under
Security
  • Guess Who Fooled The Nokia9 PureView – A Pack Of Chewing Gum!

    We are all aware that smartphone security options such as fingerprint scanners and facial recognition aren’t 100% secure. This has been proved further with the case of the Nokia 9 PureView, which appears to have been unlocked by a pack of chewing gum.

    As per a couple of tweets, the Nokia 9 PureView is reportedly getting unlocked via unidentified fingerprints of another user and a pack of chewing gum.

  • Linux Distributions Should Enhance how Sudo Asks for Passwords

    One thing to be noticed from the picture above is that the password is hidden. When users write anything at that time, nothing will be displayed on the screen, not even asterisks. They’ll have to trust that there’s something written in the terminal and just write their passwords and hit Enter.

    Historically, this is done for both ease of implementation and security reasons. It makes it difficult for people standing near your shoulder to learn your password length. If they don’t know your password length, it would be harder for them to guess it. They can, of course, listen to the keystrokes you are hitting and try to guess how many characters you hit, but that’s more difficult than just looking at the screen and counting the number of asterisks there.

    Also, when they see that your password is too long, they might not even try to use your computer and guess your password. But if your password is fewer than a few characters, it will give them hope.

    Additionally, in terms of implementation, displaying an asterisk instead of the password character requires more code and work to do. In the terminal, when you write normal commands and you see them in the terminal, it’s because the “echo mode” is set to On, meaning that all characters will be displayed on your screen. In sensitive commands, however, such as sudo or passwd, “echo mode” is set to Off, which simply doesn’t take the extra step of printing those characters to the screen. So that’s less work and code to do, and it has gone on like that since the Unix days to simply hide the password characters.

  • Top 10 Best Linux Password Managers In 2019

    If you are a Linux user struggling to get a proper password manager, then this post is for you. In this post, we have listed the best (at least for us) Linux password managers for you.

  • Your Netflix Bandersnatch Choices Can Be Tracked By Hackers

    Netflix took the video streaming industry by storm when it debuted Black Mirror: Bandersnatch last year. The “choose your own adventure” themed movie puts viewers in charge of the story and flow of the movie. The success of Bandersnatch even led to the creation of a second interactive show ‘You vs. Wild’ featuring Bear Grylls.

  • Proactively Identifying Compromised Passwords | Roadmap to Securing Your Infrastructure

Using Ksplice To Detect Exploit Attempts

Filed under
Linux
Security
HowTos

Ksplice is a very cool technology. Ksplice allows you to patch important security updates to your system without a reboot. The in-memory code is patched as well as on-disk components, closing all the gaps for a security vulnerability. All the while, your applications keep running.

A new feature of Ksplice is Known Exploit Detection. When you patch your system with Ksplice, not only is the security vulnerability closed, but also tripwires are laid down for privilege escalation vulnerabilities. If an attacker attempts to exploit a CVE you’ve patched, Ksplice notifies you.

Ksplice is both protecting your system and alerting you to suspicious activity. Very cool.

Also: Oracle's Ksplice Live Kernel Patching Picks Up Known Exploit Detection

Security: Windows, Marcus Hutchins, Phishing, OpenVPN, DARPA, DINSIC

Filed under
Security
  • The latest Windows patch is breaking even more PCs with antivirus installed

    Earlier this week we reported that Microsoft halted updates to Windows PCs running Sophos and Avast’s security solutions, following user complaints that their machines were locking up or failing to boot. Since then, the list of known issues for the rogue update was itself updated to acknowledge compatibility issues with Avira and ArcaBit antivirus installed, with Microsoft temporarily blocking updates to those affected systems, too. Today, Ars Technica noticed that Microsoft is investigating compatibility issues for systems with McAfee antivirus installed, though it hasn’t started blocking the April 9 update from those PCs just yet.

  • ‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware [iophk: "It looks like they squeezed malware tech with a “plea bargain”. So I would take reports of a guilty plea with a large grain of salt. They probably threatened him with 1000s of years in prison as an alternative. The plea “deal” is not mentioned in the summary, thus misleading the public about the situation."]

    Marcus Hutchins, a security researcher known for helping stop the destructive WannaCry ransomware, pleaded guilty to hacking crimes on Friday.

    Hutchins was accused of writing a banking malware called Kronos in 2014, after he finished high school. The researcher was arrested in Las Vegas after attending the hacker conference Def Con in 2017. Days later, he pleaded not guilty in a Milwaukee courtroom. He was scheduled to be tried this summer.

  • Google will begin to block sign-ins from embedded browser frameworks in June

    Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it’ll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.

  • A deeper look into OpenVPN: Security vulnerabilities

    OpenVPN is the backbone of online security. It is supported in many popular virtual private network (VPN) providers such as NordVPN and ExpressVPN, and continues to receive frequent updates well into its 17th year in operation.

    It’s an unwritten rule of information technology, however, that popular security protocols will attract the largest contingent of hackers. As OpenVPN is open source, it is therefore much easier for hackers to locate and exploit security vulnerabilities within the software design.

    Nevertheless, the value of the open-source model is that it promotes open collaboration, thus encouraging other programmers to suggest changes to the design. This way, security vulnerabilities can be communicated directly to the developers, who then have the option to patch the software and eliminate the vulnerability.

  • DARPA’s New/Old Plan for a Hack-Proof Voting Machine

    The Pentagon’s top research arm is working to build a hack-proof voting machine by combining something brand new with something old – specifically, secure open-source hardware and software using advanced cryptography on one end, and good old paper on the other.

    The Defense Advanced Research Projects Agency (DARPA) recently awarded the tech company Galois a $10 million contract for the project, which grew out of a broader agency project to remedy hardware vulnerabilities, the snappily named SSITH, for System Security Integrated Through Hardware and Firmware.

    Galois, which focuses on ensuring the trustworthiness of hardware and software, will design the system, which will start with a different approach used by established voting machine makers, who have come under criticism over the vulnerabilities in their systems, Motherboard reported. For one, it will use open-source software, rather than the proprietary systems used by companies such as Election Systems & Software. It also will use open-source hardware, built from designs developed under the SSITH program.

  • New Attacks (and Old Attacks Made New)

    This is shown again in Fortinet's latest Global Threat Landscape Report for the fourth quarter of 2018, where we reported that exploits that targeted individual organizations — often variations of existing malware or the misuse of FOSS (free/open source software) security tools — continue to grow at a rapid pace: 10% over the quarter, while the number of unique exploits they experienced increased by 5%. This suggests that, despite some reports suggesting that malicious actors follow the same work routines as their victims, cybercriminals didn't take much of a break over the holidays. And as you would expect, all of this malware — especially botnets — is becoming more complex and harder to detect.

  • Security flaw in French government messaging app exposed confidential conversations

    Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open-source project called Riot, which is based on an open-source protocol called Matrix.

    In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol that is widely used by consumer apps, such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversations — Messenger and Allo conversations aren’t end-to-end encrypted by default.

  • French Government's 'Secure' WhatsApp Replacement Hacked In Just 90 Minutes

    In order to better protect official conversations, the French government developed its own secure instant messaging alternative to WhatsApp.

Security: Iran, Google, GrammaTech, FireEye and Latest FUD From WhiteSource

Filed under
Security
  • Someone is Leaking an Iranian Hacking Group's Arsenal

    For the last few weeks, someone has been publishing the source code of the hacking tools used by a high-level attack team that’s been linked to the Iranian government. The tools belong to a group known variously as APT34 and OilRig, and whoever is dumping them appears to have some interest in not just exposing the tools but also the group’s operations.

    The leaks began in late March on a Telegram channel and have continued through this week. Researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, have examined the leaked tools and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset also has been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

  • Google will examine new Android developer accounts more closely

    For the better part of two years, Google has made a concerted effort to improve control over data in Android apps, chiefly by introducing system-level changes in Android, refining its Google Play developer policies, requiring developers to disclose the collection and use of sensitive data, and restricting access to certain permissions (like those involving SMS and call logs). But it hasn’t always been fully transparent about these changes, and toward that end, the Mountain View company today announced that it’s “clarifying” several of its rules and reviewing the way it handles noncompliant apps.

  • GrammaTech Releasing Binary Analysis and Rewriting Interface into Open Source
  • Adobe Flash security tool Flashmingo debuts in open source community [Ed: Just kill Adobe Trash. The sooner, the better. This one helps openwashing of that malicious proprietary software blob, courtesy of CBS.]
  • Open Source Tool From FireEye Automates Analysis of Flash Files

    Security company FireEye this week announced the release of an open source tool designed to automate the analysis of Adobe Flash files in order to identify malware and prevent infections.

  • Counting Vulnerabilities In Open Source Projects and Programming Languages [Ed: Microsoft partner and anti-FOSS front group WhiteSource is once again using FUD in order to promote its brand and its non-FOSS 'services'; they advertise by bashing FOSS. Microsoft proud.]

Security Leftovers

Filed under
Security
  • Riccardo Padovani: Responsible disclosure: improper access control in Gitlab private project.

    As I said back in September with regard to a responsible disclosure about Facebook, data access control isn’t easy. While it can sound quite simple (just give access to the authorized entities), it is very difficult, both on a theoretical side (who is an authorized entity? What does authorized mean? And how do we identify an entity?) and on a practical side.

  • Integrating Password and Privilege Management for Unix and Linux Systems [Ed: More spammy pages under the guise of "whitepaper"]

    Unix and Linux build the foundation for most business-critical systems. Thus, they present target-rich environments for cyber-attackers. Privileged Access Management (PAM) helps to mitigate such risks. To succeed, security teams must follow an integrated approach, covering both privilege elevation and centralized management of shared account credentials.

  • How Not to Acknowledge a Data Breach

    My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

  • Facebook stored millions of Instagram passwords in plain text

    Facebook says it stored millions of Instagram users’ passwords in plain text, leaving them exposed to people with access to certain internal systems. The security lapse was first reported last month, but at the time, Facebook said it only happened to “tens of thousands of Instagram users,” whereas the number is now being revised up to “millions.” The issue also affected “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.”

  • Update: Facebook passwords for hundreds of millions of users were exposed to Facebook employees

    Facebook confirmed March 21 that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees—including millions more Instagram users than previously thought. Affected users will be notified, Facebook said, so they can change those passwords.

  • Facebook 'unintentionally' uploaded 1.5 million people's email contacts without asking

    This is how it unfolded: a security researcher spotted that Facebook was asking some users to put in their email passwords when they signed up with a new account to verify their identity. Business Insider then experimented with what would happen if you were brave/mad enough to do so and found that a message popped up saying it was "importing" its contacts without having the decency to check that was okay first.

    Apparently, 1.5 million people just accepted this as just one of those things, and the information was then used to build up Facebook's uncanny ability to predict when you know somebody.

  • In new gaffe, Facebook improperly collects email contacts for 1.5 million

    Facebook's privacy gaffes keep coming. On Wednesday, the social media company said it collected the stored email address lists of as many as 1.5 million users without permission. On Thursday, the company said the number of Instagram users affected by a previously reported password storage error was in the "millions," not the "tens of thousands" as previously estimated.

  • Facebook says it 'unintentionally uploaded' 1.5 million people's email contacts without their consent

    Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was "unintentionally uploaded to Facebook," and it is now deleting them.

  • With Nation Distracted by Mueller Report, Facebook Admits Millions of Users' Passwords Affected by Latest Privacy Breach

    On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.

    "Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."

    The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.

10 Best Linux Password Managers

Filed under
GNU
Linux
Security

Password managers are applications created to enable users to keep their passwords in a single place and absolve themselves of the need to remember every single one of their passwords.

They, in turn, encourage clients to use passwords that are as complex as possible and remember a single master password. Modern password managers even go an extra mile to keep other information such as card details, files, receipts, etc. safely locked away from prying eyes.

You might be wondering which password manager app will work best on your Linux machine and I am here to answer your question with my list of the 10 best Linux password managers.

Security: DNS, Windows, Kaspersky and Lethal USB

Filed under
Security
  • The wave of domain hijackings besetting the Internet is worse than we thought

    The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the hijacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.

  • New Windows Zero-Day Vulnerability Grants Hackers Full Control Over PCs [Ed: The NSA already had these permissions. Now everyone has these.]

    According to the latest Kaspersky Lab Report, a Windows Zero-Day vulnerability is serving as a backdoor for hackers to take control of users’ PCs.

    The latest exploit utilizes a use-after-free attack and has the technical name CVE-2019-0895. The exploit is found in win32k.sys and grants hackers Local Privilege, meaning they’re able to access resources usually outside of users’ capabilities.

  • New zero-day vulnerability CVE-2019-0859 in win32k.sys
  • AP Exclusive: Mysterious operative haunted Kaspersky critics

    He also asked Giles to repeat himself or speak louder so persistently that Giles said he began wondering “whether I should be speaking into his tie or his briefcase or wherever the microphone was.”

    “He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky,” said Giles, a Russia specialist with London’s Chatham House thinktank who often has urged caution about Kaspersky’s alleged Kremlin connections. “The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors.”

  • Feds: Saint Rose grad used 'killer' device to fry computers

    In 2016, College of Saint Rose graduate assistant Vishwanath Akuthota said he believed there was a "lot of opportunity" for him at the school.

    On Monday, federal prosecutors said he took advantage of a different kind of opportunity — access to campus — when he destroyed dozens of computers at a cost of more than $50,000.

  • Student Uses “USB Killer” To Fry $58,000 Worth of Computers

OpenSSH 8.0 released

Filed under
Security
BSD

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request.

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.
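To make the mitigation concrete, here is an added example (not OpenSSH's own code) that parses the 'C' file records an scp server sends and applies the client-side name check described above, so that a name the user never asked for is refused before anything is written locally. The record layout, the sample records and the extra dotfile rule are assumptions of this illustration.

```python
"""Added illustration of the CVE-2019-6111 client-side check: not OpenSSH's code.
Assumes the classic scp wire format, where the server announces each regular
file with a record 'C<mode> <size> <name>' before streaming its bytes."""
from __future__ import annotations

import fnmatch
import posixpath
import re

# C<four octal digits> <decimal size> <file name>; the name may contain spaces.
_C_RECORD = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")


class ScpProtocolError(ValueError):
    """Raised for a control record the client does not recognise."""


def parse_file_record(line: str) -> tuple[int, int, str]:
    """Split one 'C' record into (mode, size, name)."""
    m = _C_RECORD.match(line.rstrip("\n"))
    if m is None:
        raise ScpProtocolError(f"unexpected scp record: {line!r}")
    mode, size, name = m.groups()
    return int(mode, 8), int(size), name


def name_is_safe(name: str) -> bool:
    """A server-supplied name must be one plain path component: anything that
    could walk out of the destination directory is refused outright."""
    return name not in ("", ".", "..") and "/" not in name and "\x00" not in name


def name_matches_request(requested: str, received: str) -> bool:
    """The vulnerable client took any name the server sent; here the name must
    match the final component of what the user typed on the command line."""
    if not name_is_safe(received):
        return False
    pattern = posixpath.basename(requested)
    # Assumed hardening beyond plain fnmatch: like shell globbing, a wildcard
    # does not match a dotfile unless the request itself starts with a dot.
    if received.startswith(".") and not pattern.startswith("."):
        return False
    return fnmatch.fnmatchcase(received, pattern)


def vet_server_records(requested: str, records: list[str]) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected) names for everything the server announced."""
    accepted, rejected = [], []
    for line in records:
        _mode, _size, name = parse_file_record(line)
        (accepted if name_matches_request(requested, name) else rejected).append(name)
    return accepted, rejected


# Constructed sample: the user ran `scp host:/home/alice/report-*.txt .` and a
# hostile server slips two extra names in among the legitimate ones.
REQUESTED = "/home/alice/report-*.txt"
SERVER_RECORDS = [
    "C0644 120 report-2019.txt\n",
    "C0644 55 .bashrc\n",             # never requested: would clobber a dotfile
    "C0755 99 ../authorized_keys\n",  # path traversal out of the destination
    "C0644 7 report-q1.txt\n",
]

if __name__ == "__main__":
    ok, bad = vet_server_records(REQUESTED, SERVER_RECORDS)
    print("accepted:", ok)
    print("rejected:", bad)
```

A real client would also need to bound the declared size and apply the announced mode with the local umask; this block only covers the name check the advisory is about.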
