Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Industry Watch: Of open source, data breaches and speed [Ed: And proprietary software is a lot less suitable for security and privacy purposes because there are surveillance 'features' disguised and back doors too]

    Open-source software helps developers work faster and smarter, as they don’t have to ‘re-invent the wheel’ every time create an application. They just need to be sure the license attached to that software allows them to use the component the way they want. They also need to stay on top of that application, so if the component changes, or an API changes, their application isn’t affected and they are still in compliance.

    Data protection is also something organizations must get serious about. While the GDPR only affects users in the European Union, it’s only a matter of time before those or similar regulations are in place in the U.S. and elsewhere. Companies should get a jump on that by doing a thorough audit of their data, to know they are prepared to be compliant with whatever comes down from the statehouses or from Washington, D.C.

    On the speed side, the benefits of Agile and DevOps are clear. These methodologies enable companies to bring new software products to market faster, with the result of getting a jump on the competition, working more efficiently and ultimately serving your customers.

    Unfortunately, these efforts are usually done by different teams of developers, database administrators and security experts. If the Equifax and Facebook breaches have taught us anything, it’s that you can’t expect developers to be security experts, and you can’t expect DB admins to understand the ramifications on the business when data is misunderstood.

    It will take a coordinated approach to IT to achieve business goals while not leaving the company — and its IP and PII data — exposed.

  • VLC patches critical flaws through EU open source bug bounty program

    More than 30 security issues have been fixed in VLC, the popular open source media player, with developers praising an EU-funded bug bounty program for helping produce its most secure update yet.

    VLC media player, created by the software non-profit VideoLAN, was found to have 33 vulnerabilities within various versions, including two that were considered critical.

    An out-of-bounds write was one of the severe vulnerabilities found to affect all VLC versions, and a stack buffer overflow was also discovered in VLC 4.0.

    Less severe vulnerabilities consisted of out-of-band reads, heap overflows, NULL-dereference, and use-after-free bugs.

    An updated version, VLC 3.0.7, has since been released for users to download.

  • VLC Player Gets Patched for Two High Severity Bugs
  • Asigra FreeNAS plugin brings open source data protection [Ed: Some openwashing of proprietary software]

    Asigra is trying to capture FreeNAS users with a free-to-try plugin version of its backup software.

    The Asigra FreeNAS plugin released this week allows customers to turn their iXsystems FreeNAS storage systems into backup targets. It encrypts and deduplicates data before it is sent to the FreeNAS system. The plugin also detects and quarantines malware and ransomware so that it doesn't get backed up.

  • TrueCommand Brings Single Pane of Glass Management to TrueNAS and FreeNAS Fleets
  • WSO2 and Ping Identity Partner to Provide Comprehensive, AI-Powered Cyber-Attack Protection for APIs
  • The Open Source Cookbook: A Baker’s Guide to Modern Application Development

    Let’s begin our cookbook by selecting our recipe. I’ve had some phenomenal baked goods, and I’ve had some not-so-phenomenal baked goods (there is rarely a bad baked good). But I’ve been surprised before, by a croissant from a diner that didn’t taste like the one from the local French bakery, or by a buttercream frosting at a supermarket that just didn’t have the same delicate touch as the one I make at home. In each case, I expected the same as I had before – by title – yet encountered a much different experience. When selecting your recipes, it’s important to understand which type of a particular food you are expecting to make, or you may be met with a different taste when you finish than you were hoping for when you began.

    [...]

    As with cooking, when incorporating open source components into applications, it’s important to understand origin and evolution of what you’re baking into your software. Carefully review your open source component versions, and evaluate the community’s activity in order to have the greatest chance possible to predict the possible technical debt you may inherit.

Security Leftovers

Filed under
Security
  • Yubico recalls government-grade security keys due security bug

    If you buy a government-grade security key, the one thing you really want from it is government-grade security. It's the very dictionary definition of "you had one job." That's why it's somewhat embarrassing that Yubico has put out a recall notice on its FIPS series of authentication keys which, it turns out, aren't completely secure.

  • [Microsoft's] EternalBlue exploit surfaces in bog standard mining attack Featured

    A bog standard attack aimed at planting a cryptocurrency miner has been found to be using advanced targeted attack tools as well, the security firm Trend Micro says, pointing out that this behaviour marks a departure from the norm.

Security Leftovers: Patches, FUD, and Management Engine 12 (Intel Back Door)

Filed under
Security

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • WSL2 and Kali
  • Security service tracks embedded Linux vulnerabilities

    Timesys has launched a Vigiles security monitoring and management platform with CVE tracking for embedded Linux available as free software or as a subscription service.

    Timesys Vigiles automates the identification, tracking, and analysis of vulnerabilities by comparing embedded Linux firmware with NIST’s daily Common Vulnerabilities and Exposures (CVE) notifications. The software helps customers focus on vulnerabilities that pose the biggest threats to a customer’s specific software components, thereby “eliminating the need to manually monitor and analyze thousands of vulnerabilities,” says Timesys.

  • Vim devs fix system-pwning text editor bug [Ed: This requires obtaining and opening malicious files though]

    The attack exploits a vulnerability in a Vim feature called modelines, which lets you set variables specific to a file. As long as these statements are in the first few lines, Vim interprets them as instructions. They might tell Vim to display the file with a text width of 60 characters, for example. Or maybe you want to expand tabs to spaces to avoid another geek’s ire.

  • Mail servers running Exim come under attack

    Mail servers running the Exim mail transport agent are being exploited, with the attackers using a vulnerability disclosed a few days ago to run arbitrary commands as root, a security practitioner has warned.

    Exim, one of the four MTAs commonly used on Unix servers, is developed by Phillip Hazel at the University of Cambridge. It is the default on some Linux distributions, like Debian.

    [...]

    The original post about the vulnerability was released by Qualys Research Labs on 5 June, which said it was trivially exploitable in local and non-default cases, but with the default configuration an attack would take a long time to succeed.

  • Exim email servers are now under attack [Ed: The drama queen that CBS hired (Cimpanu) says "Almost half of the internet's email servers are now being attacked with a new exploit." It sounds a lot worse when in fact many are patched and the "half" refers to number of installs, not attacks. Misreporting. FUD. ZDNet is not a news site but a tech tabloid. It should be regarded as such.]

Security Leftovers

Filed under
Security
  • Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos

    US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS's airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.

    The breach involved photos of travelers and their vehicles, which shows the CPB is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant's ALPR database.

    The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government's servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.

  • PHP version 7.2.20RC1 and 7.3.7RC1
  • The GoldBrute botnet is trying to crack open 1.5 million RDP servers

    The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

  • New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

    The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps: [...]

  • 32 bit is dead - Long live 32 bit

    This is another follow-up post on the Intel processor vulnerabilities. Yay. With more bad news. Yay!

    Instead of a long build-up, I will just give you the point: 32 bit is broken

    Well, is that really news? Not really. The real news is that Intel processors are broken - but you already know that. You also know that there are fixes around. Patches for the kernel. Disabling Intel(R) Hyper-Threading.

Security FUD Leftovers

Filed under
Security

Security: Updates, "Smart" Cards and More

Filed under
Security
  • Security updates for Wednesday
  • Why Smart Cards Are Smart

    I hope you've found this discussion of the benefits of OpenPGP smart cards useful. With the large market of USB security tokens out there (which has grown even larger with the interest in secure cryptocurrency storage), you have a lot of options to choose from in a number of price ranges. Be sure to check which GPG key sizes and algorithms a smart card supports before you buy it, especially if you use newer elliptic curve algorithms or larger (3072- or 4096-bit) RSA keys.

  • Are Your Linux Servers Really Protected?
  • ProdataKey, DW Partner to Integrate Access Control and VMS

    DW customers can add a pdk io system to their site via a Cloud platform that reduces upfront investment in on premise hardware and management. DW Spectrum IPVMS is accessed with freely distributed client software for Windows/Linux/Mac, the DW Cloud web client for all leading web browsers and via the free DW Spectrum mobile app for iOS and Android.

    The server software is included with pre-configured DW Blackjack NVR servers or it can be installed on third-party Windows or Ubuntu Linux-based systems.

Security Leftovers

Filed under
Security
  • A [Windows] virus has thrown Philadelphia’s court system into chaos

     

    Since May 21st, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. The problems started unexpectedly: suddenly, no one could seem to access the system to file documents. “It wasn’t working,” says Rachel Gallegos, a senior staff attorney with the civil legal aid organization Community Legal Services. “I thought it was my computer.”

  • Linux Command-Line Editors Vulnerable to High-Severity Bug

     

    Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”
     

    “Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelinesplugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.

  • Beware Linux users! Vulnerability in Vim or Neovim Editor could compromise your Linux
  • The bits and bytes of PKI

    In two previous articles—An introduction to cryptography and public key infrastructure and How do private keys work in PKI and cryptography?—I discussed cryptography and public key infrastructure (PKI) in a general way. I talked about how digital bundles called certificates store public keys and identifying information. These bundles contain a lot of complexity, and it's useful to have a basic understanding of the format for when you need to look under the hood.

  • Update Uncertainty | TechSNAP 405

    We explore the risky world of exposed RDP, from the brute force GoldBrute botnet to the dangerously worm-able BlueKeep vulnerability.

    Plus the importance of automatic updates, and Jim’s new backup box.

  • Microsoft's June 2019 Patch Tuesday fixes many of SandboxEscaper's zero-days

    Microsoft has published today its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of "Critical," the company's highest severity ranking.

    Furthermore, the May 2019 Patch Tuesday also included fixes for four of the five zero-days that a security researcher and exploit seller by the name of SandboxEscaper published online over the course of the last month.

  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key [Ed: Mass slanderer and FUDmeister from Ars Technica (he got sued for his style) recalls Rowhammer (which is more theoretical a risk then a real one)]
  • RAMBleed Attack Can Steal Sensitive Data From Computer Memory[Ed: Rowhammer was mentioned by another site of FUDmeisters (one of whom CBS hired for clickbait)]

Security: Updates, Microsoft TCO and Red Hat Enterprise Linux 8

Filed under
Security
  • Security updates for Tuesday
  • Hack Brief: [Attackers] [Copied] a Border Agency Database of Traveler Photos [iophk: "Microsoft TCO"]

    In its rush to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it. One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of [attackers].

    The Washington Post first reported the incident, whose full scope remains unclear. But the [attack] has raised sharp questions about the agency’s already controversial push for biometrics. Facial recognition scans have become more routine at airports; CBP wants it in the top 20 US airports by 2021.

  • Consistent PKCS #11 support in Red Hat Enterprise Linux 8

    In recent years, there have been a number of security issues taking advantage of flaws in applications and even computer processors. These opened new attack vectors or made some others more viable and exploitable than before. We can talk about timing differences, cache access patterns and other side-channel attacks that can be exploited either locally, from the same machine or even over the network to read or reconstruct our secrets.

    Keeping secret information storage isolated from other unrelated applications on a single system is a long-standing data protection technique. Storage isolation is usually implemented in software by isolating processes, applications, containers or virtual machines running on the same physical machine. Hardware tokens are taking this principle to another level, providing the physical isolation of the secret information, which has the potential to improve security significantly. Working with external hardware for storing secrets in an operating system historically has been difficult for system administrators and end users, and this is what we are improving in Red Hat Enterprise Linux 8.

Security Leftovers

Filed under
Security
  • Report: Response to the Consultation on the Government's regulatory proposals regarding consumer Internet of Things (IoT) security

    Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK.

    We are a project partner to Values and Ethics in Responsible Technology in Europe (VIRT-EU) – a European project funded by the Horizon 2020 program. VIRT-EU’s mission is to foster ethical thinking in IoT development. The following comments stem predominantly from our experience accumulated in the course of that project.

    We address the consultation questions in order below, omitting questions 7, 8 and 9 as these lie outside our remit.

    1. Do you agree that the Government should take powers to regulate on the security of consumer IoT products? If yes, do you agree with the proposed legislative approach?

    We welcome the proposal to create primary legislation to introduce enhanced security for consumers using IoT devices. We also support the approach of making some requirements mandatory in the first instance with a longer strategy.

  • 'This Is a Bombshell': Facial Recognition Data Collected by US Customs Agency Hacked

    "This is a bombshell," said Evan Greer, deputy director of the advocacy group Fight fight for the Future, in response to the reporting. "Even if you 100% trust the US government with your biometric information (which you shouldn't) this is a reminder that once your face is scanned and stored in a database, it's easily shared across government agencies, stolen by hackers, other governments, etc."

    Buzzfeed, also among the first to report on the breach on Monday, noted that the "cyberattack comes amid the ongoing rollout of CBP's "biometric entry-exit system," the government initiative to biometrically verify the identities of all travelers crossing US borders." As BuzzFeed News reported Citing earlier reporting, Buzzfeed pointed out that "CBP is scrambling to implement the initiative with the goal of using facial recognition technology on '100 percent of all international passengers,' including American citizens, in the top 20 US airports by 2021."

  • What you need to know about the MDS vulnerability and Red Hat Virtualization

    A new series of vulnerabilities in Intel processors, known as Microarchitectural Data Sampling, or more simply MDS, was recently made public and Red Hat released information about how the vulnerabilities affect our software and how to protect your organization.

    In the simplest terms, MDS is a vulnerability in Intel processors similar to Spectre and Meltdown; it allows a guest to read protected memory from anywhere on the host or guest. To mitigate the risks exposed by MDS, a combination of updated microcode, updated kernel(s), patches, and administrator action will need to be taken for both the hypervisors and virtual machines in your Red Hat Virtualization deployment. Unlike some similar vulnerabilities, simply disabling SMT and/or hyper-threading is not enough to protect your applications.

  • 5 reasons chaos engineering is indispensable to the CISO

    Security leaders, including the chief information security officer (CISO), are challenged to continuously demonstrate their role within the company's value stream as part of improving security. In doing so, a growing number of security organizations are shifting toward a more "applied security mode," leading many to rethink our traditional practices and question their effectiveness in today's high-velocity, software-driven world.

  • Wireless Security | Roadmap to Securing Your Infrastructure
  • IPFire on AWS: Update to IPFire 2.23 - Core Update 132

    Today, we have updated IPFire on AWS to IPFire 2.23 - Core Update 132 - the latest official release of IPFire.

    This update brings you the new Intrusion Prevention System out-of-the-box as well as updates to the whole system.

  • Amitabh Bachchan’s Twitter Account “Hacked” And DP Got Changed
Syndicate content