Security Leftovers

  • Security updates for Friday
  • [Older] [Cr]ackers target Office 365 business accounts

    The IT security company recently analyzed account takeover attacks targeted at its customers to discover that 29 percent of organizations had their Office 365 accounts compromised by [attackers] in March of this year.

    In March alone, over 1.5m malicious and spam emails were sent from hacked Office 365 accounts, highlighting the potential impact this security threat poses.

  • Symantec chief Clark makes a sudden exit as sales fall
  • [Attackers] claim to have breached top anti-virus firms in US

    Three top unnamed anti-virus companies located in the US appear to have been hacked by a collective that communicates in both Russian and English, and is offering to sell source code belonging to these firms, plus network access, for more than US$300,000.

    The security firm Advanced Intelligence (AdvIntel) said in a blog post on Thursday that Fxmsp specialised in breaching secure, protected networks to exfiltrate private corporate and government information.

    AdvIntel said Fxmsp had said in March that they had obtained top-secret information from three top anti-virus companies located in the US.

Security: Unsecured Servers, NSA Back-Doored Microsoft Servers, and Docker Image of Alpine Linux

  • Two crypto-mining groups are fighting a turf war over unsecured Linux servers [Ed: This isn't about Linux but about bad passwords etc.]

    Both groups operate mass-scanning operations that look for open or unpatched cloud services and servers to infect them with a multi-functional Linux-based malware strain.

  • Researchers in the Dark on Powerful LightNeuron Malware for Years

    LightNeuron, a backdoor specifically designed to target Microsoft Exchange mail servers, has flown under the radar since at least 2014, despite being the malware linchpin at the center of several targeted campaigns.

    A fresh analysis of the recently uncovered code shows that it’s the first publicly known malware to use a malicious Microsoft Exchange Transport Agent – but the extraordinarily clever way that LightNeuron conceals itself is the most notable aspect of the report.

  • Phishing Attacks Mostly Impersonate Microsoft, Netflix & PayPal Accounts [Ed: Microsoft itself is phishing; it is giving all your passwords to the NSA and its affiliates]

    Phishing attacks are evolving in their approach. The latest report from Trend Micro concludes that big consumer software companies like Microsoft, Netflix, and PayPal were impersonated by hackers to carry out the most phishing attacks.

    Phishing attacks in 2018 utilized social engineering to steal people’s credentials. The steps involved in phishing attacks remain the same. However, these fake-warning phishing emails sound more convincing than ever before.

  • Alpine Linux Docker Images Shipped for 3 Years with Root Accounts Unlocked

    Alpine Linux Docker images available via the Docker Hub contained a critical flaw allowing attackers to authenticate on systems using the root user and no password.

    For three years, some Alpine Linux Docker images have shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned for the images.

Open source bug poses threat to sites running multiple CMSes


Websites running the Drupal, Joomla, or Typo3 content-management systems are vulnerable to attacks that could possibly execute malicious code until administrators install just-released patches, developers and security researchers warned.

The vulnerability resides in the PharStreamWrapper, a PHP component developed and open-sourced by CMS maker Typo3. Indexed as CVE-2019-11831, the flaw stems from a path-traversal bug that allows hackers to swap a site's legitimate phar archive with a malicious one. A phar archive is used to distribute a complete PHP application or library in a single file, in much the way a Java archive file bundles many Java files into a single file.


Security Leftovers

  • Security updates for Thursday
  • WordPress Security Guidelines You Should Follow
  • glibc 2.28 cleanup – no more memory leaks

    glibc already released 2.29, but I was still on a much older version and hadn’t noticed 2.28 (which is the version that is in RHEL8) has a really nice fix for people who obsess about memory leaks.

    When running valgrind to track memory leaks you might have noticed that there are sometimes some glibc data structures left.

    These are often harmless, small things that are needed during the whole lifetime of the process. So it is normally fine to not explicitly clean that up, since the memory is reclaimed anyway when the process dies.

  • Remembering the Morris Worm, the first internet felony
  • Bug in Alpine Linux Docker Image Leaves Root Account Unlocked
  • A Brief History of Containerization: Why Container Security Best Practices Need to Evolve Now

    Maybe it’s the advent of the internet, or perhaps your brain skipped all the way back to the steam engine. When asked that question, how many people do you think would land on shipping containers? They might not be the first thing that comes to mind, but the invention of shipping containers in the 1950s catalyzed change. Introducing a standard container helped pave the way for faster, cheaper and more reliable transportation of goods across the globe.

    In many ways parallel to how physical containers shaped shipping, application containers are revolutionizing software development methods. Much like physical containers, application containers are a form of digital packaging. They rely on that attribute to provide virtual isolation for deploying or running various applications that use the same operating system (OS) or cloud.

    Containers support a microservice-based architecture, an approach to redefining large-scale software projects to be more scalable and modular. Container technology can also help make it easier to run applications in different working environments under different conditions because it provides a solid runtime environment. Combined with the open source wave that has permeated the industry, this new wave of development has been a boon to cloud providers, developers and managed services alike.

  • The fight to reclaim the term ‘hacker’ starts here

    In the early days of computing, ‘hacker’ was generally a positive term.

    It started to gain traction through the Unix hack culture that took place at US universities in the ’60s and ’70s – an era recorded in free software guru Eric Raymond’s ‘A Brief History of Hackerdom’ and articles by GNU creator Richard Stallman, among others.

    The inaugural edition of SwigCast – featuring an interview with ethical hackers Paul Johnston and Santiago Diaz – explores these ideas and delves into why better representations of hackers are needed today more than ever.

    “Right now, ‘hacker’ is used in an entirely different connotation,” said Johnston.

  • Google’s Project Mainline in Android Q will help speed up security updates

    Android version fragmentation is one of the biggest challenges for Google to solve. While the Google Pixel smartphones are among the most secure smartphones on the market thanks to the incredible efforts of Pixel and AOSP engineers, many other smartphones are vulnerable to exploits due to running outdated OS versions or outdated security patch levels. The latest report from Gartner shows that Android 9 Pie is an incredibly secure OS, yet only approximately 10% of all smartphones are on the release.

Security: Firmware, Amazon, NSA-Windows, JavaScript, Kali Linux, Alpine Linux and Dharma Ransomware for Windows

  • Why open source firmware is important for security

    [...] I hope this gave you some insight into what’s being built with open source firmware and how making firmware open source is important! If you would like to help with this effort, please help spread the word. Please try and use platforms that value open source firmware components. Chromebooks are a great example of this, as well as Purism computers. You can ask your providers what they are doing for open source firmware or ensuring hardware security with roots of trust. Happy nerding! Smile

  • Amazon Hit by Extensive Fraud With [Attackers] Siphoning Merchant Funds

    Amazon believes it was the victim of a "serious" online attack by [fraudsters] who broke into about 100 seller accounts and funneled cash from loans or sales into their own bank accounts, according to a U.K. legal document. The [attack] took place between May 2018 and October 2018, Amazon’s lawyers said in a redacted filing from November that can now be made public.

  • Chinese Spies Intercepted NSA [Windows] Malware Attack, Weaponized It Against Targets Around The World

    You don't own the exploits you've created. That's the lesson the NSA has learned over the past few years as its hacking tools have made their way into the public domain via leaks. Of course, the harshest parts of this lesson have been felt by the general public, rather than the NSA, however. The leaked tools were swiftly repurposed to generate a new strain of ransomware, which took down dozens of businesses and government services around the world.

    But it's not just a random assortment of internet baddies wreaking havoc with NSA hacking tools and exploits. It's also state-sponsored hackers making use of these tools. A report from Symantec shows other nations are more than willing to turn our state-sponsored attacks against us -- demonstrating the danger of engaging in a cyberwar using weaponized code.

  • How Chinese Spies Got the N.S.A.’s Hacking Tools, and Used Them for Attacks

    The N.S.A. used sophisticated malware to destroy Iran’s nuclear centrifuges — and then saw the same code proliferate around the world, doing damage to random targets, including American business giants like Chevron. Details of secret American cybersecurity programs were disclosed to journalists by Edward J. Snowden, a former N.S.A. contractor now living in exile in Moscow. A collection of C.I.A. cyberweapons, allegedly leaked by an insider, was posted on WikiLeaks.

    “We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” said Eric Chien, a security director at Symantec.

    Now that nation-state cyberweapons have been leaked, hacked and repurposed by American adversaries, Mr. Chien added, it is high time that nation states “bake that into” their analysis of the risk of using cyberweapons — and the very real possibility they will be reassembled and shot back at the United States or its allies.

    In the latest case, Symantec researchers are not certain exactly how the Chinese obtained the American-developed code. But they know that Chinese intelligence contractors used the repurposed American tools to carry out cyberintrusions in at least five countries or territories: Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. The targets included scientific research organizations, educational institutions and the computer networks of at least one American government ally.

  • Unless you want your payment card data skimmed, avoid these commerce sites

    More than 100 e-commerce sites around the world are infected with malicious code designed to surreptitiously skim payment card data from visitors after they make purchases, researchers reported on Wednesday. Among those infected are US-based websites that sell dental equipment, baby merchandise, and mountain bikes.

    In total, researchers with China-based Netlab 360 found 105 websites that executed card-skimming JavaScript hosted on the malicious domain magento-analytics[.]com. While the domain returns a 403 error to browsers that try to visit it, a host of magento-analytics[.]com URLs host code that’s designed to extract the name, number, expiration date, and CVV of payment cards that are used to make purchases. The e-commerce sites are infected when the attackers add links that cause the malicious JavaScript to be executed.

  • 21 Best Kali Linux Tools for Hacking and Penetration Testing

    Here’s our list of best Kali Linux tools that will allow you to assess the security of web-servers and help in performing hacking and pen-testing.

    If you read the Kali Linux review, you know why it is considered one of the best Linux distributions for hacking and pen-testing and rightly so. It comes baked in with a lot of tools to make it easier for you to test, hack, and for anything else related to digital forensics.

    It is one of the most recommended Linux distros for ethical hackers. Even if you are not a hacker but a webmaster – you can still utilize some of the tools to easily run a scan of your web server or web page.

    In either case, no matter what your purpose is – we shall take a look at some of the best Kali Linux tools that you should be using.

    Note that not all tools mentioned here are open source.

  • Alpine Linux Docker Image root User Hard-Coded Credential Vulnerability

    Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.

  • Alpine Linux Docker images ship a root account with no password

    Alpine Linux Docker images distributed via the official Docker Hub portal for the past three years and a half have been using a blank (NULL) password for the root account, security researchers from Cisco have revealed today.

    All Alpine Linux Docker images, since v3.3, are impacted, Cisco Talos said today in a security alert.

    The issue was first discovered back in August 2015, patched in November, then accidentally re-opened three weeks later, in December 2015, only to be re-discovered again by a Cisco Umbrella researcher in January this year. The issue was initially thought to impact only the Glider Labs Alpine Linux Docker image, but it was later discovered to impact the official image as well.
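    The two Alpine items above both come down to one field in /etc/shadow: an empty password field for root. The following Python script is an added example for checking a container's shadow file for that condition; it is not code from the page, from Alpine or from Cisco Talos. The sample shadow content is constructed, and the account names and the placeholder hash are made up for the illustration.

    ```python
    # Constructed sample of a container's /etc/shadow (not taken from any real image).
    # The root line has an empty password field, the shape of the flaw described in the
    # Talos advisory; "!" and "*" entries are locked; the app account has a fake hash.
    SAMPLE_SHADOW = """\
    root:::0:::::
    bin:!::0:::::
    daemon:!::0:::::
    nobody:*::0:::::
    app:$6$constructedsalt$NotARealHashJustAPlaceholderValue:18000:0:99999:7:::
    """


    def classify_shadow_entry(line):
        """Classify one shadow line by its password field.

        Returns "empty" (no password required), "locked" (field begins with "!" or "*",
        which also covers the "!!" never-set marker), "hashed", or None for blank,
        comment or malformed lines.
        """
        line = line.strip()
        if not line or line.startswith("#"):
            return None
        fields = line.split(":")
        if len(fields) < 2:
            return None
        pw = fields[1]
        if pw == "":
            return "empty"
        if pw.startswith(("!", "*")):
            return "locked"
        return "hashed"


    def accounts_with_empty_password(shadow_text):
        """Usernames whose password field is empty, i.e. an empty password may be accepted."""
        found = []
        for line in shadow_text.splitlines():
            if classify_shadow_entry(line) == "empty":
                found.append(line.split(":")[0])
        return found


    def shadow_is_safe(shadow_text):
        """True when no account in the shadow file has an empty password field."""
        return not accounts_with_empty_password(shadow_text)


    if __name__ == "__main__":
        for user in accounts_with_empty_password(SAMPLE_SHADOW):
            print(f"WARNING: account '{user}' has an empty password field")
    ```

    To run this against a real image rather than the constructed sample, feed it the output of `docker run --rm <image> cat /etc/shadow`. An account flagged as "empty" should be locked in the image build (for example with `passwd -l root`), which turns the field into the "!" form the classifier reports as "locked".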

  • Dharma Ransomware Installs Antivirus On [Windows] PC Only To Encrypt Files Later

    The two malicious files are taskhost.exe and Defender_nt32_enu.exe. The first file activates the Dharma Ransomware itself as RANSOM.WIN32.DHARMA.THDAAAI.

  • Dharma Ransomware Uses AV Tool to Distract from Malicious Activities

    The downloaded file is a self-extracting archive named Defender.exe, which drops the malicious file taskhost.exe as well as the installer of an old version of ESET AV Remover renamed as Defender_nt32_enu.exe. Trend Micro identifies taskhost.exe as a file connected to the Dharma ransomware (detected as RANSOM.WIN32.DHARMA.THDAAAI)

Security: IPFire 2.23, Updates, Mozilla Recovering and More


Security: SSH Honey Keys and Chaos of Microsoft/NSA

  • SSH Honey Keys

    The thought behind honey keys is similar to Honeywords, a concept published a while ago to help identify attempts to use data collected in breaches to gain unauthorized access to a user account. In our case, the attacker attempts to authenticate with the honey key, the action is logged (or another action chosen by the defender) and an alarm is sounded for use of the key.
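    The detection step described above (a honey key is presented, the event is logged, an alarm is raised) can be implemented as a simple log monitor. The Python below is an added example and not code from the article or its author; it assumes OpenSSH's sshd log format, that the honey key fingerprints are known to the defender (the values here are constructed placeholders), and that sshd runs at LogLevel VERBOSE so that failed public-key attempts also carry a fingerprint. The sample auth log lines are constructed.

    ```python
    import re

    # Fingerprints of the honey keys we planted (constructed placeholder values, not real
    # fingerprints). In practice, take them from `ssh-keygen -lf honey_key.pub`.
    HONEY_KEY_FINGERPRINTS = {
        "SHA256:HONEYKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "SHA256:HONEYKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    }

    # sshd records the key fingerprint on "Accepted publickey" lines by default, and on
    # "Failed publickey" lines when LogLevel is VERBOSE; this pattern matches both.
    SSHD_PUBKEY_RE = re.compile(
        r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) publickey for (?P<user>\S+) "
        r"from (?P<src>\S+) port \d+ ssh2: (?P<keytype>\S+) (?P<fingerprint>SHA256:\S+)"
    )

    # Constructed sample auth log: one legitimate login, one unrelated password failure,
    # then an accepted and a failed use of two different honey keys from the same host.
    SAMPLE_AUTH_LOG = """\
    May 10 08:01:02 bastion sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:LEGITKEYCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    May 10 08:03:41 bastion sshd[1219]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
    May 10 08:05:13 bastion sshd[1230]: Accepted publickey for backup from 198.51.100.23 port 53311 ssh2: RSA SHA256:HONEYKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    May 10 08:06:02 bastion sshd[1234]: Failed publickey for root from 198.51.100.23 port 53320 ssh2: RSA SHA256:HONEYKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    """


    def find_honey_key_use(log_lines, honey_fingerprints=HONEY_KEY_FINGERPRINTS):
        """Return one alert per log line in which a honey key fingerprint was presented.

        Any presentation of a honey key counts, whether sshd accepted it or not: the key
        exists only to be found in leaked data, so its mere use is the signal.
        """
        alerts = []
        for line in log_lines:
            m = SSHD_PUBKEY_RE.search(line)
            if m and m.group("fingerprint") in honey_fingerprints:
                alerts.append({
                    "user": m.group("user"),
                    "src": m.group("src"),
                    "outcome": m.group("outcome").lower(),
                    "fingerprint": m.group("fingerprint"),
                    "raw": line,
                })
        return alerts


    def sources_using_honey_keys(log_lines, honey_fingerprints=HONEY_KEY_FINGERPRINTS):
        """Distinct source addresses that presented a honey key, for triage or blocking."""
        return sorted({a["src"] for a in find_honey_key_use(log_lines, honey_fingerprints)})


    if __name__ == "__main__":
        for alert in find_honey_key_use(SAMPLE_AUTH_LOG.splitlines()):
            print(f"ALERT honey key {alert['fingerprint']} used as {alert['user']} "
                  f"from {alert['src']} ({alert['outcome']})")
    ```

    The honey key itself should never be listed in any authorized_keys file that grants real access; the point is that a legitimate client has no reason to present it, so every match is worth paging on, and the source address gives the responder a starting point.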

  • Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak

    One of the most significant events in computer security happened in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agency’s most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSA’s biggest operational mistakes ever.

    On Monday, security firm Symantec reported that two of those advanced [attack] tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat [attack] group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed "DoublePulsar" backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.

  • Turla LightNeuron: An email too far

    Recently, ESET researchers have investigated a sophisticated backdoor used by the infamous espionage group Turla, also known as Snake. This backdoor, dubbed LightNeuron, has been specifically targeting Microsoft Exchange mail servers since at least 2014. Although no samples were available for analysis, code artefacts in the Windows version lead us to believe that a Linux variant exists.

  • Researchers discover highly stealthy Microsoft Exchange backdoor

    Aside from the Transport Agent, which is dropped in the Exchange folder located in the Program Files folder and registered in the mail server’s configuration, the backdoor also uses a DLL file containing most of the malicious functions needed by the Transport Agent.

    As mentioned before, the backdoor can block emails, modify their body, recipient and subject, create a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.

    It can create email and attachment logs, encrypt emails and store them, and parse JPG/PDF attachments and decrypt and execute the commands found in them.

    LightNeuron can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.) and perform automatic file exfiltration at a particular time of the day and night.

  • Russian Nation-State Group Employs Custom Backdoor for Microsoft Exchange Server

    "It's not really a vulnerability. They are using legitimate functionality [of Exchange]," he says.

    Microsoft was not available for comment at the time of this posting.

  • New backdoor targets Microsoft Exchange mail servers

    The malware was able to use the transport agent to read and modify every email passing through the server, compose and send emails, and block any email.

    ESET said LightNeuron used steganography to hide its commands inside a PDF document or a JPG image.

Security: FOSS Updates, Russia and China Having Fun With NSA Back Doors, SDDC, Firefox Issues Fixes


Security: Cyberseek, Ransom, Google, Huawei and GNOME

  • Wired for Safety: Cybersecurity professionals in demand

    We desperately need more cybersecurity professionals. The Bureau of Labor Statistics predicts a 28% increase in the need for cybersecurity professionals by 2021. In 2016, they estimated that there were 100,000 jobs open and Cyberseek suggests there were over 313,000 online job listings between 2017 and 2018.

  • How Does Ransomware Work (And Is It Still A Threat)? [Ed: All ransomware exploits or relies on inherently insecure systems, or those with back doors, like all the proprietary software operation systems (where part of the design is intentional insecurity)]

    Threats come and go, but one thing remains the same: the ability of cybercriminals to adapt to circumstances. A brief decline of interest in ransomware as criminals focused their attention on cryptojacking during the previous year appears to have come to an end, and ransomware attacks are once again escalating.

    In this post, we’ll explain what ransomware is, how it spreads, how prevalent it is and what you can do to protect yourself against it.

  • Google Releases Android Security Patch for May 2019, Includes 30 Security Fixes
  • Huawei Hypocrisy

    Theresa May almost certainly sacked Gavin Williamson not just on the basis of a telephone billing record showing he had a phone call with a Telegraph journalist, but on the basis of a recording of the conversation itself. It astonishes me that still, after Snowden and his PRISM revelations, after Wikileaks Vault 7 releases, and after numerous other sources including my own humble contribution, people still manage to avoid the cognitive dissonance that goes with really understanding how much we are surveilled and listened to. Even Cabinet Ministers manage to pretend to themselves it is not happening.

    The budget of the NSA, which does nothing else but communications intercept, is US $14.2 billion this year. Think about that enormous sum, devoted to just communications surveillance, and what it can achieve. The budget of the UK equivalent, GCHQ, is £1.2 billion, of which about 10% is paid by the NSA. Domestic surveillance in the UK has been vastly expanded and many taboos broken. But the bedrock of the system with regard to domestic intercepts is still that legal restrictions are dodged, as the USA’s NSA spies on UK citizens while the UK’s GCHQ spies on US citizens, and then the information is swapped. It was thus probably the NSA that harvested Williamson’s phone call, passing the details on. Given official US opposition to the UK employing Huawei technology, Williamson’s call would have been a “legitimate” NSA target.

    Mass surveillance works on electronic harvesting. Targeted phone numbers apart, millions of essentially random calls are listened to electronically using voice recognition technology and certain key words trigger an escalation of the call. Williamson’s call discussing Huawei, China, the intelligence services, and backdoors would certainly have triggered recording and been marked up to a human listener, even if his phone was not specifically targeted by the Americans – which it almost certainly was.

  • Georges Basile Stavracas Neto: Restricting users

    Imagine for a second that you are in an elementary school. The leadership is optimistic on exposing students to technology. They have set up big rooms with rows and rows of computers ready for their students to use.

    Would you give complete permissions to these teenagers using the computers? Would you allow them to install and uninstall programs as they wish, access any website they feel like, use for as much time they want?

Tails 3.13.2 is out


This release is an emergency release to fix a critical security vulnerability in Tor Browser.


More in Tux Machines

Programming/Development Leftovers

Openwashing Leftovers/New Examples

Kernel and Linux Foundation in Pockets of Proprietary Software Vendors

  • AT&T, Nokia open up the radio’s edge to third party apps [Ed: Openwashing to dominate the standards and interfaces (with patents) through the "Linux" Foundation]
    AT&T and Nokia have developed a radio edge cloud (REC) appliance that the two companies plan to release into open source via the Linux Foundation. The REC will make it possible for third parties to develop apps and get access to the radio access network (RAN). [...] Murphy said that it is not easy to predict all the use cases for REC but added that having an open source edge cloud with open interfaces to the RAN control will allow operators to have more options.
  • Accord Project to develop open source framework for smart legal contracts [Ed: They're promoting and spreading proprietary software and proprietary formats of Microsoft]
    One of the main purposes of Accord Project is, therefore, to provide a vendor-neutral “.doc” format for smart legal agreements.
  • Apple joins the open-source Cloud Native Computing Foundation
    Apple, in typical fashion, isn’t commenting on the announcement, but the CNCF notes that end-user memberships are meant for organizations that are “heavy users of open source cloud native technologies” and that are looking to give back to the community. By becoming a CNCF end-user member, companies also join the Linux Foundation.
  • Linux stable tree mirror at github [Ed: Greg Kroah-Hartman giving Microsoft more control over Linux]
    It differs from Linus’s tree at: in that it contains all of the different stable tree branches and stable releases and tags, which many devices end up building on top of. So, mirror away! Also note, this is a read-only mirror, any pull requests created on it will be gleefully ignored, just like happens on Linus’s github mirror. If people think this is needed on any other git hosting site, just let me know and I will be glad to push to other places as well.

Security Leftovers

  • Industry Watch: Of open source, data breaches and speed [Ed: And proprietary software is a lot less suitable for security and privacy purposes because there are surveillance 'features' disguised and back doors too]
    Open-source software helps developers work faster and smarter, as they don’t have to ‘re-invent the wheel’ every time they create an application. They just need to be sure the license attached to that software allows them to use the component the way they want. They also need to stay on top of that application, so if the component changes, or an API changes, their application isn’t affected and they are still in compliance. Data protection is also something organizations must get serious about. While the GDPR only affects users in the European Union, it’s only a matter of time before those or similar regulations are in place in the U.S. and elsewhere. Companies should get a jump on that by doing a thorough audit of their data, to know they are prepared to be compliant with whatever comes down from the statehouses or from Washington, D.C. On the speed side, the benefits of Agile and DevOps are clear. These methodologies enable companies to bring new software products to market faster, with the result of getting a jump on the competition, working more efficiently and ultimately serving your customers. Unfortunately, these efforts are usually done by different teams of developers, database administrators and security experts. If the Equifax and Facebook breaches have taught us anything, it’s that you can’t expect developers to be security experts, and you can’t expect DB admins to understand the ramifications on the business when data is misunderstood. It will take a coordinated approach to IT to achieve business goals while not leaving the company — and its IP and PII data — exposed.
  • VLC patches critical flaws through EU open source bug bounty program
    More than 30 security issues have been fixed in VLC, the popular open source media player, with developers praising an EU-funded bug bounty program for helping produce its most secure update yet. VLC media player, created by the software non-profit VideoLAN, was found to have 33 vulnerabilities within various versions, including two that were considered critical. An out-of-bounds write was one of the severe vulnerabilities found to affect all VLC versions, and a stack buffer overflow was also discovered in VLC 4.0. Less severe vulnerabilities consisted of out-of-band reads, heap overflows, NULL-dereference, and use-after-free bugs. An updated version, VLC 3.0.7, has since been released for users to download.
  • VLC Player Gets Patched for Two High Severity Bugs
  • Asigra FreeNAS plugin brings open source data protection [Ed: Some openwashing of proprietary software]
    Asigra is trying to capture FreeNAS users with a free-to-try plugin version of its backup software. The Asigra FreeNAS plugin released this week allows customers to turn their iXsystems FreeNAS storage systems into backup targets. It encrypts and deduplicates data before it is sent to the FreeNAS system. The plugin also detects and quarantines malware and ransomware so that it doesn't get backed up.
  • TrueCommand Brings Single Pane of Glass Management to TrueNAS and FreeNAS Fleets
  • WSO2 and Ping Identity Partner to Provide Comprehensive, AI-Powered Cyber-Attack Protection for APIs
  • The Open Source Cookbook: A Baker’s Guide to Modern Application Development
    Let’s begin our cookbook by selecting our recipe. I’ve had some phenomenal baked goods, and I’ve had some not-so-phenomenal baked goods (there is rarely a bad baked good). But I’ve been surprised before, by a croissant from a diner that didn’t taste like the one from the local French bakery, or by a buttercream frosting at a supermarket that just didn’t have the same delicate touch as the one I make at home. In each case, I expected the same as I had before – by title – yet encountered a much different experience. When selecting your recipes, it’s important to understand which type of a particular food you are expecting to make, or you may be met with a different taste when you finish than you were hoping for when you began. [...] As with cooking, when incorporating open source components into applications, it’s important to understand origin and evolution of what you’re baking into your software. Carefully review your open source component versions, and evaluate the community’s activity in order to have the greatest chance possible to predict the possible technical debt you may inherit.