
Security

Security Leftovers

Filed under
Security

Security: Cryptocurrency Mining, Hardware Bugs in HPC, and Dan Goodin's Latest Sensationalism

Filed under
Security
  • Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused

    So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. From gamers being unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.

    At the heart of a lot of this drama is cryptocurrency mining software company Coinhive, whose software is popping up in both malware-based and above board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitor CPU cycles to help mine Monero. The company's website insists that their product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars worth of Monero (depending on what Monero's worth any given day).

  • Fluid HPC: How Extreme-Scale Computing Should Respond to Meltdown and Spectre

    The Meltdown and Spectre vulnerabilities are proving difficult to fix, and initial experiments suggest security patches will cause significant performance penalties to HPC applications. Even as these patches are rolled out to current HPC platforms, it might be helpful to explore how future HPC systems could be better insulated from CPU or operating system security flaws that could cause massive disruptions. Surprisingly, most of the core concepts to build supercomputers that are resistant to a wide range of threats have already been invented and deployed in HPC systems over the past 20 years. Combining these technologies, concepts, and approaches not only would improve cybersecurity but also would have broader benefits for improving HPC performance, developing scientific software, adopting advanced hardware such as neuromorphic chips, and building easy-to-deploy data and analysis services. This new form of “Fluid HPC” would do more than solve current vulnerabilities. As an enabling technology, Fluid HPC would be transformative, dramatically improving extreme-scale code development in the same way that virtual machine and container technologies made cloud computing possible and built a new industry.

  • Raw sockets backdoor gives attackers complete control of some Linux servers [Ed: Here goes Dan Goodin again (sued for sensationalism), using the term "back door" in relation to Linux when actually referring to already-infected (compromised) machines]

    Once installed, Chaos allows malware operators anywhere in the world to gain complete control over the server via a reverse shell.

Security: Blaming Russia for Windows Back Doors Being Exploited, New Updates, BuckHacker, and More

Filed under
Security

Security: Salon 'Malware', Georgia's Plan, Let's Encrypt, USB, and Hardware Bugs

Filed under
Security
  • Salon Offers To Remove Ads If Visitors Help Mine Cryptocurrency

    As we've been discussing, the rise of stealth cryptocurrency miners embedded on websites has become a notable problem. In some instances, websites are being hacked and embedded with stealth cryptocurrency miners that quickly gobble up visitors' CPU cycles without their knowledge. That's what happened to Showtime recently when two different domains were found to be utilizing the Coinhive miner to hijack visitor browsers without users being informed. Recent reports indicate that thousands of government websites have also been hijacked and repurposed in this fashion via malware.

    But numerous websites are also now exploring such miners voluntarily as an alternative revenue stream. One major problem however: many aren't telling site visitors this is even happening. And since some implementations of such miners can hijack massive amounts of CPU processing power while sipping a non-insubstantial amount of electricity, that's a problem.

  • Georgia Senate Thinks It Can Fix Its Election Security Issues By Criminalizing Password Sharing, Security Research

    When bad things happen, bad laws are sure to follow. The state of Georgia has been through some tumultuous times, electorally-speaking. After a presidential election plagued with hacking allegations, the Georgia Secretary of State plunged ahead with allegations of his own. He accused the DHS of performing ad hoc penetration testing on his office's firewall. At no point was he informed the DHS might try to breach his system and the DHS, for its part, was less than responsive when questioned about its activities. It promised to get back to the Secretary of State but did not confirm or deny hacking attempts the state had previously opted out of.

    To make matters worse, there appeared to be evidence the state's voting systems had been compromised. A misconfigured server left voter records exposed, resulting in a lawsuit against state election officials. Somehow, due to malice or stupidity, a server containing key evidence needed in the lawsuit was mysteriously wiped clean, just days after the lawsuit was filed.

  • Let's Encrypt Hits 50 Million Active Certificates and Counting

    In yet another milestone on the path to encrypting the web, Let’s Encrypt has now issued over 50 million active certificates. Depending on your definition of “website,” this suggests that Let’s Encrypt is protecting between about 23 million and 66 million websites with HTTPS (more on that below). Whatever the number, it’s growing every day as more and more webmasters and hosting providers use Let’s Encrypt to provide HTTPS on their websites by default.

  • Linux systems can still be hacked via USB sticks

    Linux systems could be at risk from malware on USB memory sticks, according to security researchers.

    The bug affects users running the KDE Plasma desktop environment, which is widely used in GNU/Linux distributions. The issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0.

  • Spectre & KPTI Get More Fixes In Linux 4.16, Offsets Some KVM Performance Losses

    While we are past the Linux 4.16 merge window, more Spectre and Meltdown related improvements and changes are still being allowed into the kernel, similar to all the KPTI/Retpoline work that landed late in Linux 4.15. On Wednesday was another big batch of KPTI and Spectre work that has already been merged.

  • Kali Linux Ethical Hacking OS Getting Fix for Meltdown & Spectre with Linux 4.15

IPFire 2.19 - Core Update 118 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 118. It comes with a number of security and bug fixes as well as some new features. Please note that we are dropping support for some add-ons.


Security: Windows, Salon, Fraud. Skype and More

Filed under
Security
  • Critical Telegram flaw under attack disguised malware as benign images [Ed: Windows]

    The flaw, which resided in the Windows version of the messaging app, allowed attackers to disguise the names of attached files, researchers from security firm Kaspersky Lab said in a blog post. By using the text-formatting standard known as Unicode, attackers were able to cause characters in file names to appear from right to left, instead of the left-to-right order that's normal for most Western languages.

  • Salon to ad blockers: Can we use your browser to mine cryptocurrency?

    Salon explains what's going on in a new FAQ. "How does Salon make money by using my processing power?" the FAQ says. "We intend to use a small percentage of your spare processing power to contribute to the advancement of technological discovery, evolution, and innovation. For our beta program, we'll start by applying your processing power to help support the evolution and growth of blockchain technology and cryptocurrencies."

  • Why children are now prime targets for identity theft [sic] [iophk: "the real name for this is "fraud" and there are already existing laws on it"]

    SSA believed this change would make it more difficult for thieves to “guess” someone’s SSN by looking at other public information available for that person. However, now that an SSN is not tied to additional data points, such as a location or year of birth, it becomes harder for financial institutions, health care providers, and others to verify that the person using the SSN is in fact the person to whom it was issued.

    In other words: Thieves now target SSNs issued after this change as they know your 6-year-old niece or your 4-year-old son will not have an established credit file.

  • Microsoft won't plug a huge zero-day in Skype because it'd be too much work

    The bug in the automatic updater (turd polisher) for the Windows desktop app has a ruddy great hole in it that will let dodgy DLLs through.

  • ‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories

    The bug itself didn’t expose anything too sensitive. No passwords, social security numbers, or credit card data was exposed. But it did expose customers’ email addresses, their billing account numbers, and the phone’s IMSI numbers, a standardized unique number that identifies subscribers. Just by knowing (or guessing) customer’s phone numbers, hackers could get their target’s data.

    Once they had that, they could impersonate them with T-Mobile’s customer support staff and steal their phone numbers. This is how it works: a criminal calls T-Mobile, pretends to be you, convinces the customer rep to issue a new SIM card for your number, the criminal activates it, and they take control of your number.

Plasma 5.12.1 bugfix update lands in backports PPA for Artful 17.10

Filed under
KDE
Security

After the initial release of Plasma 5.12 was made available for Artful 17.10 via our backports PPA last week, we are pleased to say that the PPA has now been updated to the 1st bugfix release 5.12.1.

The full changelog for 5.12.1 can be found here.

Including fixes and polish for Discover and the desktop.

Also included is an update to the latest KDE Frameworks 5.43.

Upgrade instructions and caveats are as per last week’s blog post, which can be found here.

The Kubuntu team wishes users a happy experience with the excellent 5.12 LTS desktop, and thanks the KDE/Plasma team for such a wonderful desktop to package.


Security: Updates, Microsoft, Google, and Telegram

Filed under
Security
  • Security updates for Wednesday
  • Winter Olympics was hit by cyber-attack, officials confirm [Ed: This is a Microsoft Windows issue, but Bill Fates is paying The Guardian, so...]
  • Google Patches Chromebooks Against Meltdown/Spectre, Adds New Chrome OS Features

    Earlier this month, Google updated its Chrome OS computer operating system to stable version 64.0.3282.134 and platform version 10176.65.0, an update that's now available for most Chromebook devices.

    Besides the usual security improvements and bug fixes, the latest Chrome OS 64 release includes several new features that are worth mentioning, such as the ability to take screenshots by simultaneously pressing the Power and Volume Down buttons on your Chromebook with a 360-degree hinge.

  • Skype can't fix a nasty security bug without a massive code rewrite
  • Perfect Computer Security Is a Myth. But It’s Still Important [Ed: The "everything is broken" defeatism overlooks the coordinated vandalism done to put back doors in most things]

    Maybe you’ve heard it before: “Security is a myth.” It’s become a common refrain after a never-ending string of high-profile security breaches. If Fortune 500 companies with million dollar security budgets can’t lock things down, how can you?

    And there’s truth to this: perfect security is a myth. No matter what you do, no matter how careful you are, you will never be 100 percent safe from hackers, malware, and cybercrime. That’s the reality we all live in, and it’s important to keep this in mind, if only so that we can all feel more sympathy for victims.

  • Microsoft Fixes 50 Vulnerabilities In February’s Patch Tuesday Update

    Microsoft has released February’s cumulative updates for Windows 10, better known as Patch Tuesday. The reason why the update is worth getting is it comes with fixes for 50 vulnerabilities in various versions of Windows 10.

    As per the release notes, the software addressed as a part of the Patch Tuesday update are Windows OS, Microsoft Edge, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, and the JavaScript engine ChakraCore. In addition to security fixes, Microsoft has also made improvements to address minor glitches in Windows 10.

  • Telegram Zero-Day Vulnerability Lets Hackers Pwn Your PC to Mine Cryptocurrency

    A zero-day vulnerability was discovered by Kaspersky Lab in the Telegram Desktop app that could let hackers pwn your computer to mine for cryptocurrencies like Zcash, Monero, Fantomcoin, and others.

    Kaspersky Lab's security researchers say the zero-day vulnerability can be used to deliver multi-purpose malware to computer users using the Telegram Desktop app, including backdoors and crypto-cash mining software.

    The security company also discovered that hackers had actively exploited the vulnerability in the Telegram Desktop app, which is based on the right-to-left override Unicode method, since March last year, but only to mine cryptocurrencies like Fantomcoin, Monero, and Zcash.

Security: Telegram, Bounties and More

Filed under
Security
  • Telegram zero-day let hackers spread backdoor and cryptocurrency-mining malware

    A zero-day vulnerability in Telegram Messenger allowed attackers to spread a new form of malware with abilities ranging from creating a backdoor trojan to mining cryptocurrency.

    The attacks take advantage of a previously unknown vulnerability in the Telegram Desktop app for Windows and were spotted being used in the wild by Kaspersky Lab.

    Researchers believe the Russian cybercriminal group exploiting the zero-day were the only ones aware of the vulnerability and have been using it to distribute malware since March 2017 -- although it's unknown how long the vulnerability had existed before that date.

  • More Than 4,000 Government Websites Infected With Covert Cryptocurrency Miner

    The rise of cryptocurrency mining software like Coinhive has been a decidedly double-edged sword. While many websites have begun exploring cryptocurrency mining as a way to generate some additional revenue, several have run into problems if they fail to warn visitors that their CPU cycles are being co-opted in such a fashion. That has resulted in numerous websites like The Pirate Bay being forced to back away from the software after poor implementation (and zero transparency) resulted in frustrated users who say the software gobbled upwards of 85% of their available CPU processing power without their knowledge or consent.

    But websites that don't inform users this mining is happening are just one part of an emerging problem. Hackers have also taken to using malware to embed the mining software into websites whose owners aren't aware that their sites have been hijacked to make somebody else an extra buck. Politifact was one of several websites that recently had to admit its website was compromised with cryptocurrency-mining malware without their knowledge. Showtime was also forced to acknowledge (barely) that websites on two different Showtime domains had been compromised and infected with Coinhive-embedded malware.

  • Why Bug Bounties Matter

    Bugs exist in software. That's a fact, not a controversial statement. The challenge (and controversy) lies in how different organizations find the bugs in their software.

    One way for organizations to find bugs is with a bug bounty program. Bug bounties are not a panacea or cure-all for finding and eliminating software flaws, but they can play an important role.

  • Shell Scripting and Security

    The internet ain't what it used to be back in the old days. I remember being online back when it was known as ARPAnet actually—back when it was just universities and a handful of corporations interconnected. Bad guys sneaking onto your computer? We were living in blissful ignorance then.

    Today the online world is quite a bit different, and a quick glimpse at the news demonstrates that it's not just global, but that bad actors, as they say in security circles, are online and have access to your system too. The idea that any device that's online is vulnerable is more true now than at any previous time in computing history.

  • Security updates for Tuesday
  • Open Source Security Podcast: Episode 82 - RSA, TLS, Chrome HTTP, and PCI

Security: Meltdown, Equifax, IOC's Microsoft Experience

Filed under
Security