Security

Security Leftovers

Filed under
Security
  • Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks

    The encryption key length negotiation process in Bluetooth BR/EDR Core v5.1 and earlier is vulnerable to packet injection by an unauthenticated, adjacent attacker that could result in information disclosure and/or escalation of privileges. This can be achieved using an attack referred to as the Key Negotiation of Bluetooth (KNOB) attack, which is when a third party forces two or more victims to agree on an encryption key with as little as one byte of entropy. Once the entropy is reduced, the attacker can brute-force the encryption key and use it to decrypt communications.

  • Security updates for Thursday

    Security updates have been issued by openSUSE (irssi, ledger, libheimdal, libmediainfo, libqb, and libsass) and Slackware (mozilla).

  • Inspect PyPI event logs to audit your account's and project's security

    To help you check for security problems, PyPI is adding an advanced audit log of user actions beyond the current (existing) journal. This will, for instance, allow publishers to track all actions taken by third party services on their behalf.

Guix Makes Bitcoin Core Development More Trustless

Filed under
GNU
Security

According to Dong, “Guix allows users to verify that the Bitcoin Core client they download corresponds exactly to the code that Bitcoin Core developers write. It mitigates attacks that target the way we turn our codebase into the client executables we release.”

In spite of the clear focus on the needs of developers, Guix is also something that users may need and want to use if they choose to be cautious about the software that they run.

At press time, Guix is only available for Ubuntu builds.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (kernel, linux-4.9, otrs2, and tomcat8), Fedora (igraph and jhead), openSUSE (ansible, GraphicsMagick, kconfig, kdelibs4, live555, mumble, phpMyAdmin, proftpd, python-Django, and znc), Oracle (kernel and openssl), Red Hat (kernel, openssl, and rh-mysql80-mysql), Scientific Linux (kernel and openssl), Slackware (kernel), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork and mariadb-100), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-aws-hwe, linux-lts-xenial, linux-aws, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux-snapdragon, php5, php7.0, php7.2, and wpa).

  • He tried to prank the DMV. Then his vanity license plate backfired big time.

    It seemed like a good idea at the time.

  • Thoughts from Defcon 27 – This is why I do what I do

    Every year, thousands of security professionals descend upon Las Vegas to take part in a series of conferences known as Hacker Summer Camp. This year, Black Hat, BSides Las Vegas, Defcon 27 and the Diana Initiative took up the majority of the conference space. So, what makes this one of the most relevant and successful security conferences?

Best Chromebook laptops for school

Filed under
GNU
Linux
Hardware
Security

You might think a Chromebook is limited because it can only run programs when it's online. That's not true. For example, you can still work with Google Docs when you're offline.

Also, you can now run many Android apps on Chromebooks. And, these days you can run a full Linux desktop on your new Intel-based Chromebook. Indeed, as my tech buddy Mike Elgan points out, today's high-end Chromebook laptops "run more apps without dual- or multi-booting than any other computing platform. Chromebook laptops can run apps from Android, Linux, and Windows concurrently in the same session."

In addition, as FutureSource points out, when it comes to school work, Chromebook laptops combine "affordable devices, productivity tools via G-Suite, easy integration with third-party platforms/tools, task management/distribution via Google Classroom, and easy device management remains extremely popular with US teachers and IT buyers alike."

One unsung advantage of Chromebook laptops is that, if your dog ate the Chromebook, you wouldn't have lost your work. All you need do is get another one, log on, and you're back in business with all your e-mail, documents, and calendars intact and ready to go. Another sweet deal that comes when you buy a Chromebook is that you can get 100GB of free Google One cloud storage for a year. That's more than enough room for your homework.

And, since it's easy to erase a Chromebook and then reset it to your account, this is safer than using a used Windows laptop.

LibreOffice 6.2.6 is ready, all users should update for enhanced security

Filed under
LibO
Security

The Document Foundation announces LibreOffice 6.2.6, the sixth minor release of the LibreOffice 6.2 family, targeted at users in production environments. All users of LibreOffice 6.1.x and LibreOffice 6.2.x versions should upgrade immediately for enhanced security, as the software includes both security fixes and some months of back-ported fixes.

Pi-Hole - The DNS Triangle

Filed under
GNU
Linux
Security
HowTos

At the end of the day, I had Pi-hole running, but the setup was far from trivial. There were four or five cardinal problems, and none of these should have happened, because the installation wizard could have gone through separate checks to make sure things were working. Part of the first-time run could be the service check, and if there are issues there, some sort of self-diagnosis to make sure FTL is up and running. The same applies to the Web service. Then, there's the password reset and list update. All of these would make the experience much more streamlined.

As a product, Pi-Hole is a very nice and powerful tool. It does its job extremely well, it's fast, effective and robust, and the Web UI is nicely designed. You also gain some on the traffic side, as there's less content that needs to be served, and fewer queries to be resolved, hence performance improvement for the stuff that matters. The setup isn't trivial but it is achievable, and you have a lot of flexibility in how you wire up your network. You could have Pi-Hole as a standalone system, or it could serve all the different devices in your home. All in all, this is the doomsday weapon for if and when the Internet turns rogue on you. Well worth testing, but remember the second rule of thermodynamics. You can't have trivial and complex at the same time.

Security: PGP & GPG, Flaws, and Nmap 7.80

Filed under
Security
  • The Impending Demise of “PGP & GPG”

    My No Starch books normally sell out their print run, get reprinted a few times, and fade into Out Of Print status. But PG3 never sold out its initial print run.

  • Down the Rabbit-Hole...

    It took a lot of effort and research to reach the point that I could understand enough of CTF to realize it’s broken. These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.

    Now that there is tooling available, it will be harder for these bugs to hide going forward.

  • Flaws in 4G Routers of various vendors put millions of users at risk

    “Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which – and I really cannot stress this enough – are mainly bad.”

  • Hack in the box: Hacking into companies with “warshipping”

    Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping."

    Using less than $100 worth of gear—including a Raspberry Pi Zero W, a small battery, and a cellular modem—the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque. At the Black Hat security conference here last week, Ars got a close look at the hardware that has weaponized cardboard.

  • These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

    It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

  • Nmap Defcon Release! 80+ improvements include new NSE scripts/libs, new Npcap, etc.

    Nmap 7.80 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: [...]

Stable release: HardenedBSD-stable 12-STABLE v1200059.3

Filed under
Security
BSD

HardenedBSD-12-STABLE-v1200059.3

Linux Stressed in Fedora, Red Hat/IBM and Security

Filed under
Red Hat
Security
  • Fedora Developers Discuss Ways To Improve Linux Interactivity In Low-Memory Situations

    While hopefully the upstream Linux kernel code can be improved to benefit all distributions for low-memory Linux desktops, Fedora developers at least are discussing their options for improving the experience in the near term. With various easy "tests", it's possible to illustrate just how poorly the Linux desktop responds when under memory pressure. Besides the desktop interactivity becoming awful under memory pressure, some argue that an unprivileged task shouldn't be able to cause such behavior on the system in the first place.

  • How open source can help banks combat fraud and money laundering

    Jump ahead a few years to the Fourth EU AML Directive - a regulation which required compliance by June 2017 - demanding that enhanced Customer Due Diligence procedures be adhered to when cash transactions reach an aggregated amount of more than $11,000 U.S. dollars (USD). (The Fifth EU AML Directive is on the way, with a June 2020 deadline.) New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Amendment Act of 2017 states that banks and other financial entities must provide authorities with information about clients making cash transactions over $6,500 USD and international monetary wire transfers from New Zealand exceeding $650 USD. In 2018, the updated open banking European Directive on Payment Services (PSD2), which requires fraud monitoring, also went into effect. And the Monetary Authority of Singapore is developing regulations regarding the use of cryptocurrencies for terrorist funding and money laundering, too.

  • Automate security in increasingly complex hybrid environments

    As new technologies and infrastructure such as virtualization, cloud, and containers are introduced into enterprise networks to make them more efficient, these hybrid environments are becoming more complex—potentially adding risks and security vulnerabilities.

    According to the Information Security Forum’s Global Security Threat Outlook for 2019, one of the biggest IT trends to watch this year is the increasing sophistication of cybercrime and ransomware. And even as the volume of ransomware attacks is dropping, cybercriminals are finding new, more potent ways to be disruptive. An article in TechRepublic points to cryptojacking malware, which enables someone to hijack another's hardware without permission to mine cryptocurrency, as a growing threat for enterprise networks.

    To more effectively mitigate these risks, organizations could invest in automation as a component of their security plans. That’s because it takes time to investigate and resolve issues, in addition to applying controlled remediations across bare metal, virtualized systems, and cloud environments -- both private and public -- all while documenting changes.

  • Josh Bressers: Appsec isn’t people

    The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs.

    Humans are never going to write bug free code, this isn’t a controversial subject. Pretending we can somehow teach people to write bug free code would be a monumental waste of time and energy so we don’t even try.

    Now it’s time for a logic puzzle. We know that we can’t train humans to write bug free code. All security vulnerabilities are bugs. So we know we can’t train humans to write vulnerability free code. Well, we don’t really know it; we think we can if you look at history. The last twenty years have had an unhealthy obsession with getting humans to change their behaviors to be “more secure”. The only things that have come out of these efforts are 1) nobody likes security people anymore, 2) we had to create our own conferences and parties because we don’t get invited to theirs, 3) they probably never liked us in the first place.

Security Leftovers

Filed under
Security
  • To equip tomorrow's cybersecurity experts, we'll need an open approach

    Today's world—marked by an increase of Internet-connected devices, digital assets, and information systems infrastructure—demands more cybersecurity professionals. Cybersecurity is the practice of defending these devices, assets, and systems against malicious cyberattacks from both internal and external entities. Often these cyberattacks are linked to cybercrimes, or crimes committed using a computer to generate profit or to affect the integrity, availability, and confidentiality of the data or system. In 2016, cybercrimes cost the global economy more than $450 billion.

    [...]

    It's critical for students to not only become acquainted with the advantages of open source software but also to develop strong skills working openly, since open source software is not only common in the IT industry in general, but is specifically necessary in the field of cybersecurity. With this approach, students can learn within the safety and guidance of the classroom while also naturally acquiring research and troubleshooting skills by facing challenges that are presented or arise during exercises.

  • Cloud-native Java, open source security, and more industry trends

    As part of my role as a senior product marketing manager at an enterprise software company with an open source development model, I publish a regular update about open source community, market, and industry trends for product marketers, managers, and other influencers.

  • Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak

    As Doe notes, it appears 1to1Help's lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.

    Second, the lawyers claimed Doe's site was "rogue," due to it containing no contact information for Doe. They were either wrong or lying, as Doe's site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.

    Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That's called journalism, not blackmail, and either its lawyers can't comprehend that or willfully misportrayed this extremely common process to the court.

    The problem isn't the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.