
Security

Security Leftovers

Filed under
Security
  • The Week in Tech: What Should Your City Do if It’s Hit by Ransomware? [iophk: No. Cities are seen as low-hanging fruit because many still run MS-Windows]

    Cities are now seen as low-hanging fruit by [attackers], because of “legacy systems and lack of budget” to upgrade, said Jennifer Daffron, a risk researcher at the University of Cambridge. They’re also great places to cause chaos, and [attackers], especially nation-state ones, “love to cause chaos to get street cred,” Mr. Falco said.

  • 4 chilling lessons from a tech hotline scam

    He had a few questions, did a Google search for Yahoo’s small business helpline and called. Little did he know the listed number wasn’t for Yahoo tech support at all. Scammers found a way to push their fake number to the top of his Google search, and Bob was tricked into calling a convincing-sounding technician. When the person on the other end asked for his login information, including password and home address, he didn’t question the request. [...]

  • [Old] Why [attackers] ignore most security flaws

    The reasons they wouldn't can vary. Most [intrusion] is criminal, not espionage, and criminal [attackers] tend to make decisions based on hacking the most computers with the least amount of effort. Not all vulnerabilities are easy to use and not all of the easy to use vulnerabilities are in products that are widely deployed.

  • [Old] What’s the best approach to patching vulnerabilities?

    New research shows that most vulnerabilities aren’t exploited and those that are tend to have a high CVSS score (awarded on the basis of how dangerous and easy to exploit the vulnerability is). So, not surprisingly, the most easily exploited flaws are the ones exploited most frequently.

    What’s more surprising is that there’s apparently no relationship between the proof-of-concept (PoC) exploit code being published publicly online and the start of real-world attacks.

Security: Microsoft/RDP, Misattributed FUD, Linux Patching and LibreOffice Update

Filed under
Security
  • RDP Exposure To The Internet

    The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary protocol developed by Microsoft that is used to provide a graphical means of connecting to a network-connected computer. RDP client and server support has been present in varying capacities in most every Windows version since NT. Outside of Microsoft’s offerings, there are RDP clients available for most other operating systems. If the nitty gritty of protocols is your thing, Wikipedia’s Remote Desktop Protocol article is a good start on your way to a trove of TechNet articles.

    RDP is essentially a protocol for dangling your keyboard, mouse and a display for others to use. As you might expect, a juicy protocol like this has a variety of knobs used to control its security capabilities, including controlling user authentication, what encryption is used, and more. The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default. If you are interested in reading more about securing RDP, UC Berkeley has put together a helpful guide, and Tom Sellers, prior to joining Rapid7, wrote about specific risks related to RDP and how to address them.

  • Golang Malware Targets Linux-Based Servers [Ed: Better headline would say something like, "malware written in some programming language (Go) wants people to foolishly install it on a server and it's compiled for or made compatible with GNU/Linux"]

    A cryptominer campaign has been targeting Linux-based servers using a new Golang malware, according to research published by F5 Labs.

    Though not often seen in the threat landscape, the Golang malware was first identified in mid-2018 and has sustained throughout 2019. Researchers noted the latest operation, which has infected an estimated several thousand machines, began around June 10. The first exploit requests were identified around June 16.

  • Microsoft wants to join private Linux security developer board [Ed: If Linux values security, then it will reject the company that started PRISM with the NSA]

    Microsoft has applied to join a private group of Linux developers responsible for reporting and discussing security issues before they go public.

  • Microsoft bids for behind-the-scenes access to Linux flaws [Ed: They have already taken over parts of the Linux Foundation, so why not this?]

    Request to join security lists come as the firm reveals Linux usage on Azure VMs outweighs Windows usage.

  • [Slackware] LibreOffice 6.2.5 packages available

    Earlier this week, the Document Foundation released version 6.2.5 of their office suite LibreOffice. I have built and uploaded sets of packages for Slackware 14.2 and also for -current, 32-bit and 64-bit.

    The Document Foundation themselves finally think that 6.2.x is production ready: “… Users in production environments can start evaluating LibreOffice 6.2.5…“. I was already happy with 6.2.4 and I find the capability to open and work with MS Office documents improving all the time.

KeePass open source password manager review

Filed under
Software
Reviews
Security

KeePass is a free and open-source (FOSS) password manager. It is a Windows program, but versions of it are available for all platforms including macOS, iOS, Android, and Linux. KeePass is not hard to use, but it lacks the slick user interfaces offered by many of its commercial rivals.

Syncing across devices also takes a little more work than with most password manager apps, but there is a good reason for this. KeePass uses true end-to-end encryption. You create encrypted KeePass (.kdbx) files that, by default, never leave the device they are created on.

They are not stored on a centralized database that can be hacked (as commercial password manager ones often are), and only you hold the encryption keys to them. The main downside of this, of course, is that there is no safety net - no third party that can bail you out if you forget your master password!


Raspberry Pi 4 and Kali

Filed under
GNU
Linux
Security

We love the Raspberry Pi, and judging by the response we got to a late night tweet we sent out last weekend a lot of you love the Pi too!

Because of that, when the Pi 4 dropped we wanted to get Kali supported on it right away.

What's new on the Raspberry Pi 4?

The Raspberry Pi 4 is actually a pretty amazing little machine. The Pi has always been known for its low cost and easy accessibility, but with the 4 we can actually throw real performance onto that list as well.


Security: Updates, DerpTrolling and TCP Patches for Ubuntu

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by SUSE (firefox, mozilla-nss, mozilla-nspr, helm-mirror, libu2f-host, and libu2f-host, pam_u2f) and Ubuntu (bzip2 and irssi).

  • Man Gets Prison For DDoSing Steam, EA, Microsoft, Sony, Nintendo, DOTA2, Riot Games….

    In one of its kind acts, a Utah-based man named Austin Thompson (23) is going to prison for launching DDoS attacks on servers of various gaming companies.

    The hacker, who goes by the online moniker DerpTrolling, compromised the servers of Microsoft Xbox, Sony Play Station, Quake Live, DOTA2, League of Legends, and Steam between December 2013 and January 2014.

  • Hacker who launched DDoS attacks on Sony, EA, and Steam gets 27 months in prison

    At the time, Thompson used the @DerpTrolling Twitter account to announce attacks and take requests for services users wanted him to take down.

    While the hacker had been active since 2011, his most famous stretch of activity was between December 2013 and January 2014, when most of his high-profile DDoS attacks took place, before the account went inactive.

    The attacks caused many online gaming services to go offline, and after seeing DerpTrolling's success and the media coverage the hacker got, many other hacking crews followed suit in subsequent years.

  • Ubuntu updates for TCP SACK Panic vulnerabilities

    Issues have been identified in the way the Linux kernel’s TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. These TCP SACK Panic vulnerabilities could expose servers to a denial of service attack, so it is crucial to have systems patched.

    Updated versions of the Linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users.

    It is recommended to update to the latest kernel packages and consult Ubuntu Security Notices for further updates.

Security: OpenPGP, Cisco, Windows, Magento, Georgia and China

Filed under
Security
  • Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem

    Last week, contributors to the PGP protocol GnuPG noticed that someone was “poisoning” or “flooding” their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.

    It’s unclear who’s behind these attacks, but the targets are Robert J. Hansen and Daniel Kahn Gillmor, both OpenPGP protocol developers.

    “We've known for a decade this attack is possible. It's now here and it's devastating,” Hansen wrote in his attack post-mortem.

  • Certificates Issued to Huawei Subsidiary Found in Cisco Switches

    Researchers noticed that the firmware for some Cisco switches contains X.509 certificates and associated private keys issued to a US-based subsidiary of Huawei. An investigation by the networking giant revealed that it was an oversight related to the use of an open-source third-party component.

    [...]

    In an informational advisory published on Wednesday, Cisco says its FindIT development team uses OpenDaylight for testing purposes and the certificates should not have been included in production firmware.

  • St John Ambulance becomes latest casualty of a ransomware attack [iophk: those signing off on Windows deployments need to see real jail time]

    Though it's "confident" that data has not been shared outside St John Ambulance, it fessed that the data of everyone who has opened an account, booked or attended a training course until February 2019 was affected.

    This data includes names, courses, contact details, costs, invoicing details and, in some cases, driving licence data. No passwords or credit card details were taken, and no records have been doctored.

  • Magento Patches Flaws Leading to Site Takeover

    Because at one point in the sanitization process sanitized links are injected back into the string via vsprintf(), an additional double quote is injected into the tag, which allows for an attribute injection.

    “This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.

    Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that is triggered when an employee reviews the cancelled order.

  • Server image mystery in Georgia election security case

    The FBI data could reveal whether [attackers] tampered with elections in Georgia because the server in question had a gaping security hole that went unpatched for more than six months before being publicly exposed. Data on the server included passwords used by county officials to access elections management files.

    Technicians at the Center for Elections Systems at Kennesaw State University, which then ran the state’s election system, erased the server’s data on July 7, 2017, less than a week after the voting integrity suit was filed. After the AP reported on it three months later, Kemp denied ordering the data destruction or knowing about it in advance and called it reckless, inexcusable and inept.

    But the FBI had a forensic backup, which it made in March 2017 when it investigated the security hole. The FBI has not responded to repeated requests by the AP to confirm that it continues to possess the data. FBI Atlanta spokeswoman Jenna Sellitto wouldn’t say whether the FBI has examined the data on that image to determine whether any tampering or other malicious activity occurred.

  • Georgia Failed to Subpoena Image of Wiped Elections Server

    Marilyn Marks of the Coalition for Good Governance, a plaintiff in the case, said that if the state failed to secure the data from the FBI — despite informing U.S. District Judge Amy Totenberg in October 2017 of its intent to do so with the subpoena — it clearly has something to hide.

    "If they have destroyed records then it can be presumed that those records would have shown our allegations to be true," Marks said.

    Neither the Secretary of State's office nor an attorney representing it in the case, Josh Belinfante, would say why the subpoena was never filed. Nor would they say whether they had obtained the data through other means for secure safekeeping. The FBI in Atlanta also wouldn't say whether it has provided the state with a copy.

  • Antivirus firms start flagging spyware installed by Chinese border control

    It recently came to light that the border control authority in China's Xinjiang region was installing surveillance software on the phones of tourists without their knowledge or consent. The software apparently kept an eye out for terms that related to Islamic extremism and literature by the Dalai Lama.

9 Open Source Password Managers to Secure Yourself With

Filed under
OSS
Security

People use password managers so that they don’t have to remember all the usernames/passwords of the websites they visit. Instead, they can just remember 1 password, and then access all the other passwords whenever they need. In addition to that, this allows you as a user to increase the length and the complexity of the passwords you use, because now, you no longer have to remember them, so you can make your Facebook’s password something like 21#^#Y3#^2h281+_0H^I@F!##YU&^ with no problem.

Also, some password managers offer other features that you can use. E.g. auto-fill (automatically filling in the passwords when you open the URL in your browser), synchronization between devices, team storage (sharing passwords between multiple people), smartphone integration, various types and tools of encryption, emergency codes, and so on.

Traditionally, there are many closed-source proprietary password managers, and there are those which are open source. In today’s article, we’ll see 9 open source password managers that you can use to secure yourself.


Michał Górny (Gentoo) and Daniel Kahn Gillmor (Debian) on OpenPGP Security

Filed under
GNU
Linux
Gentoo
Security
Debian
  • Michał Górny: SKS poisoning, keys.openpgp.org / Hagrid and other non-solutions

    The recent key poisoning attack on SKS keyservers shook the world of OpenPGP. While this isn’t a new problem, it has not been exploited on this scale before. The attackers have proved how easy it is to poison commonly used keys on the keyservers and effectively render GnuPG unusably slow. A renewed discussion on improving keyservers has started as a result. It also forced Gentoo to employ countermeasures. You can read more on them in the ‘Impact of SKS keyserver poisoning on Gentoo’ news item.

    Coincidentally, the attack happened shortly after the launch of keys.openpgp.org, which advertises itself as both a poisoning-resistant and a GDPR-friendly keyserver. Naturally, many users see it as the ultimate solution to the issues with SKS. I’m afraid I have to disagree — in my opinion, this keyserver does not solve any problems, it merely cripples OpenPGP in order to avoid being affected by them, and harms its security in the process.

    In this article, I’d like to shortly explain what the problem is, and which of the different solutions proposed so far to it (e.g. on gnupg-users mailing list) make sense, and which make things even worse. Naturally, I will also cover the new Hagrid keyserver as one of the glorified non-solutions.

  • Daniel Kahn Gillmor: WKD for debian.org

    By default, this will show you any matching certificate that you already have in your GnuPG local keyring. But if you don't have a matching certificate already, it will fall back to using WKD.

    These certificates are extracted from the debian keyring and published at https://openpgpkey.debian.org/.well-known/debian.org/, as defined in the WKD spec. We intend to keep them up-to-date whenever the keyring-maint team publishes a new batch of certificates. Our tooling uses some repeated invocations of gpg to extract and build the published tree of files.

    Debian is currently not implementing the Web Key Directory Update Protocol (and we have no plans to do so). If you are a Debian developer and you want your OpenPGP certificate updated in WKD, please follow the normal procedures for Debian keyring maintenance like you always have.

Security Leftovers

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by CentOS (libssh2 and qemu-kvm), Debian (lemonldap-ng), Fedora (tomcat), Oracle (kernel), and SUSE (elfutils, kernel, and php5).

  • Many VMware Products Affected by SACK Linux Vulnerabilities
  • YouTube Bans ‘Hacking And Phishing’ Videos; Pisses Off Infosec Guys

    As the number of users on the platform has increased over the years, so has YouTube’s list of ‘banned content.’ Adding further to the list, YouTube has banned ‘instructional hacking and phishing’ videos.

    The latest bans have led to the deletion of several educational videos on ethical hacking as they now violate YouTube’s Terms of Service. The list also includes ‘extremely dangerous challenges,’ ‘eating disorders’ and ‘violent events’ as banned categories.

  • This Android Malware ‘Records’ Your Screen To ‘Steal’ Banking Details

    Creators behind malicious malware are evolving and coming up with new techniques to make it almost impossible for a normal user to spot them. A new banking trojan named BianLian, which was previously used as a dropper for spreading notorious banking malware like Anubis is affecting Android users all over the world.

  • New Golang malware plays the Linux field in quest for cryptocurrency [Ed: The CBS tech tabloid ZDNet (with Microsoft funding and running it) continues to associate "Linux" with some malware one needs to actually install]

    A new form of malware has been spotted in the wild by cybersecurity companies which say the code's main focus is the fraudulent mining of the Monero (XMR) cryptocurrency.

  • 10 Best Free Password Manager Software For 2019 [Ed: A site called "FOSS" something recommends proprietary software and worse -- sending all your passwords to some dodgy entity called LastPass (while calling it "free"!)]

Security: SKS, YouTube, Malware and More

Filed under
Security
  • Impact of SKS keyserver poisoning on Gentoo

    The SKS keyserver network has been a victim of a certificate poisoning attack lately. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to shortly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

    The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and causing severe performance issues in GnuPG clients that fetch them.

    The attackers have poisoned the keys of a few high ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend users not to fetch or refresh keys from SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures and they can be expected to enter Gentoo as soon as they are released.
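As an added illustration of the mechanism the Gentoo item describes (this is not code from Gentoo or GnuPG), the following Python walks an OpenPGP packet stream using the RFC 4880 packet framing and flags a certificate that carries an implausible number of signature packets, which is what a poisoned key looks like on the wire. The certificate bytes are constructed toy data and the thresholds are assumed values.

```python
"""Spot bloated ("poisoned") OpenPGP certificates by counting signature
packets. Packet framing follows RFC 4880 section 4.2; sample data below is
constructed for this example, not a real key."""
import struct

SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13


def parse_packets(data: bytes):
    """Return a list of (tag, body) for each packet in a binary stream.
    Supports old-format headers (length types 0-2) and new-format headers
    (1-, 2- and 5-octet lengths). Partial-body and indeterminate lengths,
    which a key export does not need, are rejected rather than guessed."""
    pkts, i, n = [], 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        pkts.append((tag, body))
        i += hdr + length
    return pkts


def cert_stats(data: bytes) -> dict:
    pkts = parse_packets(data)
    sigs = sum(1 for tag, _ in pkts if tag == SIGNATURE)
    return {"packets": len(pkts), "signatures": sigs, "bytes": len(data)}


def looks_poisoned(data: bytes, max_sigs=1000, max_bytes=1_000_000) -> bool:
    """Assumed thresholds: a normal key has dozens of signatures, not thousands."""
    s = cert_stats(data)
    return s["signatures"] > max_sigs or s["bytes"] > max_bytes


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode one new-format packet with a 1-, 2- or 5-octet body length."""
    n = len(body)
    if n < 192:
        ln = bytes([n])
    elif n < 8384:
        ln = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        ln = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + ln + body


def make_cert(n_sigs: int) -> bytes:
    """Constructed toy certificate: key, user ID, then n_sigs dummy signatures."""
    cert = new_packet(PUBLIC_KEY, b"\x04" + b"\x00" * 40)
    cert += new_packet(USER_ID, b"Alice <alice@example.org>")
    for k in range(n_sigs):
        cert += new_packet(SIGNATURE, b"\x04\x10" + k.to_bytes(4, "big") + b"\x00" * 70)
    return cert
```

Running `looks_poisoned` on an export before importing it is the kind of size check a fetch wrapper can apply; real certificates also carry subkey and attribute packets, which the counter simply passes over.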

  • YouTube's latest ban? Infosec instructional videos are outlawed

    Google's video-sharing site YouTube has started to ban videos that show users how to get past software restrictions and provide instructions on information security.

  • Youtube's ban on "hacking techniques" threatens to shut down all of infosec Youtube

    Youtube banning security disclosures doesn't make products more secure, nor will it prevent attackers from exploiting defects -- but it will mean that users will be the last to know that they've been trusting the wrong companies, and that developers will keep on making the same stupid mistakes...forever.

  • TN men use Bluetooth-enabled tablet to steal cars

    During the interrogation, one of the accused, a car mechanic, said he bought a Bluetooth-enabled tablet online used by car showroom staff to access the vehicles.

  • Kaspersky reinforce collaboration with INTERPOL in the fight against cybercrime

    This cooperation strengthens the existing relationship between the two organizations, ensuring information and technology sharing can support INTERPOL in cybercrime-related investigations. Within the new agreement, Kaspersky will share information about its cyberthreat research and provide the necessary tools to assist with full digital forensics, aimed at strengthening efforts on the prevention of cyberattacks.

  • China Is Forcing Tourists to Install Text-Stealing Malware at its Border

    The malware downloads a tourist’s text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.

  • Chinese border guards reportedly install spy apps on tourists' Android phones

    Border guards reportedly took tourists' phones and secretly installed an app on them which could extract emails, texts and contacts, along with information about the handset; basically a mother lode of privacy-sapping stuff.

    There are reports that in some cases Android phones are returned to those entering the region with an app called Fēng cǎi installed. Apple's iPhones don't appear to come back with the app, but they could have been scanned by border control guards in a separate area after travellers were forced to hand them over.

  • China Snares Tourists’ Phones in Surveillance Dragnet by Adding Secret App

    The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.
