Full Disclosure - Seclist

APPLE-SA-2017-09-25-9 macOS Server 5.4

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-9 macOS Server 5.4

macOS Server 5.4 is now available and addresses the following:

FreeRADIUS
Available for: macOS High Sierra 10.13
Impact: Multiple issues in FreeRADIUS
Description: Multiple issues existed in FreeRADIUS before 2.2.10.
These were addressed by updating FreeRADIUS to version 2.2.10.
CVE-2017-10978
CVE-2017-10979

Installation note:

macOS Server 5.4 may be obtained from the Mac App Store.

Information will...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-8 iTunes 12.7 for Windows

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-8 iTunes 12.7 for Windows

iTunes 12.7 for Windows addresses the following:

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed through improved
input validation.
CVE-2017-7081: Apple
Entry added September 25, 2017

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-7 iTunes 12.7

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-7 iTunes 12.7

iTunes 12.7 addresses the following:

Data Sync
Available for: OS X Yosemite 10.10.5 and later
Impact: An application may be able to access iOS backups performed
through iTunes
Description: An access control issue was addressed by restricting
access to iOS backups to iTunes.
CVE-2017-7079: Pi Delta
Entry added September 25, 2017

Installation note:

iTunes 12.7 may be obtained from:...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-6 Additional information for APPLE-SA-2017-09-20-3 tvOS 11

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-6
Additional information for APPLE-SA-2017-09-20-3 tvOS 11

tvOS 11 addresses the following:

CFNetwork Proxies
Available for: Apple TV (4th generation)
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-5 Additional information for APPLE-SA-2017-09-20-2 watchOS 4

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-5
Additional information for APPLE-SA-2017-09-20-2 watchOS 4

watchOS 4 addresses the following:

CFNetwork Proxies
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-4 Additional information for APPLE-SA-2017-09-19-1 iOS 11

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-4
Additional information for APPLE-SA-2017-09-19-1 iOS 11

iOS 11 addresses the following:

Bluetooth
Available for: iPhone 5s and later, iPad Air and later,
and iPod touch 6th generation
Impact: An application may be able to access restricted files
Description: A privacy issue existed in the handling of Contact
cards. This was addressed with improved state management.
CVE-2017-7131: Dominik Conrads of Federal Office for...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-3 Additional information for APPLE-SA-2017-09-19-2 Safari 11

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-3
Additional information for APPLE-SA-2017-09-19-2 Safari 11

Safari 11 addresses the following:

Safari
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and
macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-7085: xisigr of Tencent's Xuanwu Lab (tencent.com)...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-2 iCloud for Windows 7

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-2 iCloud for Windows 7

iCloud for Windows 7 is now available and addresses the following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web...
Full Disclosure - Seclist

APPLE-SA-2017-09-25-1 macOS High Sierra 10.13

Posted by Apple Product Security on Sep 25

APPLE-SA-2017-09-25-1 macOS High Sierra 10.13

macOS High Sierra 10.13 is now available and addresses the following:

Application Firewall
Available for: OS X Lion v10.8 and later
Impact: A previously denied application firewall setting may take
effect after upgrading
Description: An upgrade issue existed in the handling of firewall
settings. This issue was addressed through improved handling of
firewall settings during upgrades.
CVE-2017-7084:...
Full Disclosure - Seclist

First public BlueBorne (Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow) DEMO/Proof of Concept exploit

Posted by Marcin Kozlowski on Sep 25

Didn't see it posted here, so here it is. For educational and testing
purposes only. It is not armed with a payload; it is only a proof of concept
to show it is possible. Contact me directly in case of any questions.

Git Repo:
https://gitlab.com/marcinguy/blueborne-CVE-2017-1000251

Exploit databases:

https://www.exploit-db.com/exploits/42762/
http://0day.today/exploit/28596

Thanks,
Marcin
Full Disclosure - Seclist

SSD Advisory – FLIR Systems Multiple Vulnerabilities

Posted by Maor Shwartz on Sep 25

SSD Advisory – FLIR Systems Multiple Vulnerabilities

Full report: https://blogs.securiteam.com/index.php/archives/3411
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes 5 (five) vulnerabilities found in FLIR
Systems FLIR Thermal/Infrared Camera FC-Series S, FC-Series ID, PT-Series.

FLIR – “Best-in-class thermal cameras with on-board analytics for
high-performance intrusion detection....
Full Disclosure - Seclist

SSD Advisory – Sentora / ZPanel Password Reset Vulnerability

Posted by Maor Shwartz on Sep 25

SSD Advisory – Sentora / ZPanel Password Reset Vulnerability

Full report: https://blogs.securiteam.com/index.php/archives/3386
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary
The following advisory describes a password reset vulnerability found in Sentora / ZPanel.

Sentora is “a free to download and use web hosting control panel developed
for Linux, UNIX and BSD based servers or computers. The Sentora software
can turn a domestic or...
Full Disclosure - Seclist

OpenText Documentum Administrator and Webtop - XML External Entity Injection

Posted by Etnies on Sep 25

Title: OpenText Documentum Administrator and Webtop - XML External
Entity Injection
Author: Jakub Palaczynski, Pawel Gocyla
Date: 24. September 2017
CVE (Administrator): CVE-2017-14526
CVE (Webtop): CVE-2017-14527

Affected software:
==================
Documentum Administrator
Documentum Webtop

Exploit was tested on:
======================
Documentum Administrator version 7.2.0180.0055
Documentum Webtop version 6.8.0160.0073
Other versions may...
Full Disclosure - Seclist

OpenText Documentum Administrator and Webtop - Open Redirection

Posted by Etnies on Sep 25

Title: OpenText Documentum Administrator and Webtop - Open Redirection
Author: Jakub Palaczynski
Date: 24. September 2017
CVE (Administrator): CVE-2017-14524
CVE (Webtop): CVE-2017-14525

Affected software:
==================
Documentum Administrator
Documentum Webtop

Exploit was tested on:
======================
Documentum Administrator version 7.2.0180.0055
Documentum Webtop version 6.8.0160.0073
Other versions may also be vulnerable.

Open...
Full Disclosure - Seclist

KL-001-2017-016 : Solarwinds LEM Insecure Update Process

Posted by KoreLogic Disclosures on Sep 25

KL-001-2017-016 : Solarwinds LEM Insecure Update Process

Title: Solarwinds LEM Insecure Update Process
Advisory ID: KL-001-2017-016
Publication Date: 2017.09.25
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-016.txt

1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Multiple
Affected Version: Multiple
Platform: Embedded Linux
CWE Classification: CWE-284: Improper Access...
Linux Security

openSUSE: 2017:2567-1: important: openjpeg2

LinuxSecurity.com: An update that fixes 15 vulnerabilities is now available.
Krebs on Security

Source: Deloitte Breach Affected All Company Email, Admin Accounts

Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

In a story published Monday morning, The Guardian said a breach at Deloitte involved usernames, passwords and personal data on the accountancy’s top blue-chip clients.

“The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached,” The Guardian’s Nick Hopkins wrote. “The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was ‘impacted’ by the hack.”

In a statement sent to KrebsOnSecurity, Deloitte acknowledged a “cyber incident” involving unauthorized access to its email platform.

“The review of that platform is complete,” the statement reads. “Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that only very few clients were impacted [and] no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”

However, information shared by a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.

This source, speaking on condition of anonymity, said the team investigating the breach focused their attention on a company office in Nashville known as the “Hermitage,” where the breach is thought to have begun.

The source confirmed The Guardian reporting that current estimates put the intrusion sometime in the fall of 2016, and added that investigators still are not certain that they have completely evicted the intruders from the network.

Indeed, it appears that Deloitte has known something was not right for some time. According to this source, the company sent out a “mandatory password reset” email on Oct. 13, 2016 to all Deloitte employees in the United States. The notice stated that employee passwords and personal identification numbers (PINs) needed to be changed by Oct. 17, 2016, and that employees who failed to do so would be unable to access email or other Deloitte applications. The message also included advice on how to pick complex passwords:

A screen shot of the mandatory password reset email Deloitte sent to all U.S. employees in Oct. 2016, around the time sources say the breach was first discovered.

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.

In its statement about the incident, Deloitte said it responded by “implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte.” Additionally, the company said it contacted governmental authorities immediately after it became aware of the incident, and that it contacted each of the “very few clients impacted.”

“Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security,” the statement concludes.

Deloitte has not yet responded to follow-up requests for comment.  The Guardian reported that Deloitte notified six affected clients, but Deloitte has not said publicly yet when it notified those customers.

Deloitte has a significant cybersecurity consulting practice globally, wherein it advises many of its clients on how best to secure their systems and sensitive data from hackers. In 2012, Deloitte was ranked #1 globally in security consulting based on revenue.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company based in the United Kingdom. According to the company’s Web site, Deloitte has more than 263,000 employees at member firms delivering services in audit and insurance, tax, consulting, financial advisory, risk advisory, and related services in more than 150 countries and territories. Revenues for the fiscal year 2017 were $38.8 billion.

The breach at the big-four accountancy comes on the heels of a massive breach at big-three consumer credit bureau Equifax. That incident involved several months of unauthorized access in which intruders stole Social Security numbers, birth dates, and addresses on 143 million Americans.

This is a developing story. Any updates will be posted as available, and noted with update timestamps.

Security Week

Banking Trojan Uses NSA-Linked Exploit

Newly observed Retefe banking Trojan samples have implemented the National Security Agency-related EternalBlue exploit, Proofpoint security researchers have discovered.

Security Week

Company That Tracks Location of Cars Left Data Open to the World

A misconfigured Amazon Web Services (AWS) S3 bucket containing more than half a million records pertaining to an auto tracking company was left publicly accessible, thus leaking the data stored in it, Kromtech security researchers warn.

Linux Security

Gentoo: GLSA-201709-25: Chromium: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in Chromium, the worst of which could result in the execution of arbitrary code.
Linux Security

Gentoo: GLSA-201709-24: RAR, UnRAR: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in RAR and UnRAR, the worst of which may allow attackers to execute arbitrary code.
Linux Security

Ubuntu 3429-1: Libplist vulnerability

LinuxSecurity.com: Libplist could be made to crash if it opened a specially crafted file.
Krebs on Security

Canadian Man Gets 9 Months Detention for Serial Swattings, Bomb Threats

A 19-year-old Canadian man was found guilty of making almost three dozen fraudulent calls to emergency services across North America in 2013 and 2014. The false alarms, two of which targeted this author, involved phoning in phony bomb threats and multiple attempts at “swatting,” a dangerous hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.

Curtis Gervais of Ottawa was 16 when he began his swatting spree, which prompted police departments across the United States and Canada to respond to fake bomb threats and active shooter reports at a number of schools and residences.

Gervais, who taunted swatting targets using the Twitter accounts “ProbablyOnion” and “ProbablyOnion2,” got such a high off of his escapades that he hung out a for-hire shingle on Twitter, offering to swat anyone with the following tweet:

Several Twitter users apparently took him up on that offer. On March 9, 2014, @ProbablyOnion started sending me rude and annoying messages on Twitter. A month later (and several weeks after blocking him on Twitter), I received a phone call from the local police department. It was early in the morning on Apr. 10, and the cops wanted to know if everything was okay at our address.

Since this was not the first time someone had called in a fake hostage situation at my home, the call I received came from the police department’s non-emergency number, and they were unsurprised when I told them that the Krebs manor and all of its inhabitants were just fine.

Minutes after my local police department received that fake notification, @ProbablyOnion was bragging on Twitter about swatting me, including me on his public messages: “You have 5 hostages? And you will kill 1 hostage every 6 times and the police have 25 minutes to get you $100k in clear plastic.” Another message read: “Good morning! Just dispatched a swat team to your house, they didn’t even call you this time, hahaha.”

I told this user privately that targeting an investigative reporter maybe wasn’t the brightest idea, and that he was likely to wind up in jail soon.  On May 7, @ProbablyOnion tried to get the swat team to visit my home again, and once again without success. “How’s your door?” he tweeted. I replied: “Door’s fine, Curtis. But I’m guessing yours won’t be soon. Nice opsec!”

I was referring to a document that had just been leaked on Pastebin, which identified @ProbablyOnion as a 19-year-old Curtis Gervais from Ontario. @ProbablyOnion laughed it off but didn’t deny the accuracy of the information, except to tweet that the document got his age wrong.

A day later, @ProbablyOnion would post his final tweet before being arrested: “Still awaiting for the horsies to bash down my door,” a taunting reference to the Royal Canadian Mounted Police (RCMP).

A Sept. 14, 2017 article in the Ottawa Citizen doesn’t name Gervais because it is against the law in Canada to name individuals charged with or convicted of crimes committed while they are a minor. But the story quite clearly refers to Gervais, who reportedly is now married and expecting a child.

The Citizen says the teenager was arrested by Ottawa police after the U.S. FBI traced his Internet address to his parents’ home. The story notes that “the hacker” and his family have maintained his innocence throughout the trial, and that they plan to appeal the verdict. Gervais’ attorneys reportedly claimed the youth was framed by the hacker collective Anonymous, but the judge in the case was unconvinced.

Apparently, Ontario Court Justice Mitch Hoffman handed down a lenient sentence in part because of more than 900 hours of volunteer service the accused had performed in recent years. From the story:

Hoffman said that troublesome 16-year-old was hard to reconcile with the 19-year-old, recently married and soon-to-be father who stood in court before him, accompanied in court Thursday by his wife, father and mother.

“He has a bright future ahead of him if he uses his high level of computer skills and high intellect in a pro-social way,” Hoffman said. “If he does not, he has a penitentiary cell waiting for him if he uses his skills to criminal ends.”

According to the article, the teen will serve six months of his nine-month sentence at a youth group home and three months at home “under strict restrictions, including the forfeiture of a home computer used to carry out the cyber pranks.” He also is barred from using Twitter or Skype during his 18-month probation period.

Most people involved in swatting and making bomb threats are young males under the age of 18 — the age when kids seem to have little appreciation for or care about the seriousness of their actions. According to the FBI, each swatting incident costs emergency responders approximately $10,000. Each hoax also unnecessarily endangers the lives of the responders and the public.

In February 2017, another 19-year-old — a man from Long Beach, Calif. named Eric “Cosmo the God” Taylor — was sentenced to three years’ probation for his role in swatting my home in Northern Virginia in 2013. Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our house. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax.

Security Week

Deloitte Says 'Very Few' Clients Hit by Hack

Deloitte said Monday that "very few" of the accounting and consultancy firm's clients were affected by a hack after a news report said systems of blue-chip clients had been breached.

Security Week

Oracle Releases Patches for Exploited Apache Struts Flaw

Oracle has released patches for many of its products to address several vulnerabilities in the Apache Struts 2 framework, including one that has been exploited in the wild for the past few weeks.

Security Week

RedBoot Ransomware Modifies Master Boot Record

A newly discovered ransomware family has the ability to replace the Master Boot Record and modify the partition table, allowing the malware to function as a wiper.
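
When a family is known to overwrite the boot sector, the first thing a responder wants is a repeatable check of what changed. The following is an added example (written for this page; it is not RedBoot's code and not from the SecurityWeek article): it parses a 512-byte MBR, verifies the 0x55AA boot signature, hashes the 440-byte boot code against a trusted baseline, and diffs the four partition entries, also flagging tables that no legitimate installer would write (more than one active entry, overlapping extents). Both sectors it inspects are constructed inline with the helper build_mbr(); reading a real disk (e.g. the first 512 bytes of /dev/sda or \\.\PhysicalDrive0) is left to the caller.

```python
"""Audit a 512-byte Master Boot Record against a trusted baseline.

Added example, not RedBoot's code or anything from the article: the
checks an incident responder runs when a family is known to overwrite
the MBR and rewrite the partition table. Both sample sectors below are
constructed with build_mbr(); nothing here is read from a real disk.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot loader code
PT_OFFSET = 446              # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"       # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self):
        return self.lba_start + self.sectors   # exclusive


def parse_partitions(mbr):
    """Decode the four partition slots; empty slots are skipped."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr):
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(mbr, baseline):
    """Return a list of findings; an empty list means the sector matches."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != boot_code_hash(baseline):
        findings.append("boot code differs from baseline")
    cur = {p.index: p for p in parse_partitions(mbr)}
    base = {p.index: p for p in parse_partitions(baseline)}
    for i in sorted(set(cur) | set(base)):
        if i not in cur:
            findings.append(f"partition {i} removed")
        elif i not in base:
            findings.append(f"partition {i} added")
        elif cur[i] != base[i]:
            findings.append(f"partition {i} changed: {base[i]} -> {cur[i]}")
    # A sane table has at most one active entry and no overlapping extents.
    if sum(p.bootable for p in cur.values()) > 1:
        findings.append("more than one partition marked active")
    ordered = sorted(cur.values(), key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (bootable, type, lba_start, sectors) tuples."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0, b"\0" * 3, ptype, b"\0" * 3, lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\0")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\0")[:BOOT_CODE_LEN]
    return code + b"\0" * 6 + table + BOOT_SIG   # 6 bytes: disk signature + reserved


# Constructed baseline: a stub of x86 boot code and two NTFS partitions.
BASELINE = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 32,
                     [(True, 0x07, 2048, 1024000), (False, 0x07, 1026048, 204800)])
# Constructed tampered sector: boot code replaced by a hang loop plus a note,
# second partition retyped and shifted so that it overlaps the first.
TAMPERED = build_mbr(b"\xeb\xfe" + b"your files are encrypted",
                     [(True, 0x07, 2048, 1024000), (False, 0x83, 500000, 600000)])


if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE), ("tampered", TAMPERED)):
        print(name, audit_mbr(sector, BASELINE) or ["clean"])
```

The baseline hash and partition table should be captured at build time and stored off-host, since a wiper that rewrites the MBR will also happily rewrite any copy kept on the same disk.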

Secunia

Apache Struts2 exploitation: Beyond putting out fires!

By Marcelo Pereira, Product Marketing Manager

The unfolding of the Equifax breach shows that the attack started around two months after the Apache Struts2 vulnerability was disclosed – and the patch was made available – by the Apache Foundation. That means the vulnerability could have been eliminated with a patch long before the attack.

The case exposes a persistent challenge IT and Dev pros face: it takes much longer to mitigate vulnerabilities than it takes hackers to start exploiting them. This is not an isolated example. Just remember the consequences of the WannaCry attacks back in May – and Heartbleed, Shellshock etc., etc., etc.…

In the heat of the WannaCry attacks, I asked: Are we having the right discussion? And I ask today again:

Are we having the right discussion?

Many are probably just putting out fires now, trying to find and fix any vulnerable instances of Apache Struts2. But the fact is, it is becoming increasingly urgent that we move beyond dealing with the consequences of the exploitation of non-mitigated vulnerabilities, to discussing how we can ensure that operational processes include security policies and practices. This is the only way to avoid the incredibly large amount of unpatched software with known vulnerabilities we leave out there for hackers to exploit.

Why?

Because the number of incidents exploiting known vulnerabilities we see reported all the time proves that it is not enough that we rely on all the next-gen, bullet-proof cyber-kryptonite out there as a defense, when we do not work to reduce the number of cracks and holes hackers can use to break into our systems.

Relying solely on attack detection technologies – no matter how sophisticated – is the same as not buying a lock for your doors expecting that your alarm system will protect your house from an invasion.

It’s a matter of thinking of risk reduction. Binary thinking does not apply here. The fact that we cannot mitigate it all does not mean we should not mitigate at all. It is a matter of strategy and tactics.

It is possible to make sound improvements by using the right set of Software Vulnerability Management tools to support efforts to reduce the window of opportunity for hackers.

Join us on October 5 for a webinar to discuss how to reduce the risk window for hackers and avoid the costly consequences of a successful breach.

Linux Security

Fedora 27: kernel Security Update

LinuxSecurity.com: The 4.13.3 stable update contains a number of important fixes across the tree.
Schneier on Security

GPS Spoofing Attacks

Wired has a story about a possible GPS spoofing attack by Russia:

After trawling through AIS data from recent years, evidence of spoofing becomes clear. Goward says GPS data has placed ships at three different airports and there have been other interesting anomalies. "We would find very large oil tankers who could travel at a maximum speed of 15 knots," says Goward, who was formerly director for Marine Transportation Systems at the US Coast Guard. "Their AIS, which is powered by GPS, would be saying they had sped up to 60 to 65 knots for an hour and then suddenly stopped. They had done that several times."

All of the evidence from the Black Sea points towards a co-ordinated attempt to disrupt GPS. A recently published report from NRK found that 24 vessels appeared at Gelendzhik airport around the same time as the Atria. When contacted, a US Coast Guard representative refused to comment on the incident, saying any GPS disruption that warranted further investigation would be passed onto the Department of Defence.

"It looks like a sophisticated attack, by somebody who knew what they were doing and were just testing the system," Bonenberg says. Humphreys told NRK it "strongly" looks like a spoofing incident. FireEye's Brubaker agreed, saying the activity looked intentional. Goward is also confident that GPS was purposely disrupted. "What this case shows us is there are entities out there that are willing and eager to disrupt satellite navigation systems for whatever reason, and they can do it over a fairly large area and in a sophisticated way," he says. "They're not just broadcasting a stronger signal and denying service; this is worse: they're providing hazardously misleading information."
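
The two anomalies Goward describes are both mechanically detectable from the AIS feed itself: a leg between consecutive position reports whose implied speed exceeds what the hull can do, and a cluster of distinct vessels whose reported positions fall on land. The following is an added example (written for this page, not code from Wired, NRK or any of the people quoted) that runs those two checks over a constructed set of AIS position reports: one tanker making a sane 12-knot leg followed by a leg implying about 60 knots, and three vessels reported inside a one-mile fence around an airport. The airport coordinates used for the fence (about 44.582N 38.012E, Gelendzhik) are approximate and are an assumption of the example; the MMSIs, timestamps and track are invented.

```python
"""Flag GPS-spoofing indicators in AIS position reports.

Added example (not from the Wired/Schneier text): two checks that would
surface the anomalies Goward describes, i.e. a tanker whose reported
track implies 60+ knots, and several vessels "appearing" at an airport
at the same time. The reports below are constructed, not real AIS data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class Report:
    mmsi: str        # vessel identifier carried in the AIS message
    t: datetime      # time the position was reported
    lat: float
    lon: float


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def speed_anomalies(reports, max_knots, default_max=30.0):
    """Legs whose implied speed exceeds the hull's plausible maximum.

    max_knots maps MMSI -> realistic top speed (a laden tanker: ~15-20 kn).
    Returns (mmsi, t_from, t_to, implied_knots) tuples.
    """
    tracks = defaultdict(list)
    for r in reports:
        tracks[r.mmsi].append(r)
    flagged = []
    for mmsi, track in tracks.items():
        track.sort(key=lambda r: r.t)
        for a, b in zip(track, track[1:]):
            hours = (b.t - a.t).total_seconds() / 3600.0
            if hours <= 0:
                continue  # duplicate timestamp: no speed can be derived
            knots = haversine_nm(a.lat, a.lon, b.lat, b.lon) / hours
            if knots > max_knots.get(mmsi, default_max):
                flagged.append((mmsi, a.t, b.t, round(knots, 1)))
    return flagged


def geofence_hits(reports, lat, lon, radius_nm):
    """Reports placed within radius_nm of a point where no ship can be."""
    return [r for r in reports if haversine_nm(r.lat, r.lon, lat, lon) <= radius_nm]


def max_distinct_vessels(hits, window):
    """Largest number of distinct vessels inside the fence within `window`.

    One mis-plotted ship can be a bad receiver; many ships at once is a
    signal-level problem (jamming or spoofing), not a per-ship fault.
    """
    hits = sorted(hits, key=lambda r: r.t)
    best = 0
    for i, first in enumerate(hits):
        seen = {r.mmsi for r in hits[i:] if r.t - first.t <= window}
        best = max(best, len(seen))
    return best


T0 = datetime(2017, 6, 22, 10, 0)
# Constructed sample: one tanker (MMSI 273000001) making a sane 12 kn leg,
# then a leg that implies ~60 kn; three other vessels reported inside a
# 1 nm fence around an airport. The airport position (~44.582N 38.012E,
# Gelendzhik) is approximate and is an assumption of this example.
AIRPORT = (44.582, 38.012)
SAMPLE_REPORTS = [
    Report("273000001", T0, 44.40, 37.60),
    Report("273000001", T0 + timedelta(hours=1), 44.60, 37.60),   # 12 nm in 1 h
    Report("273000001", T0 + timedelta(hours=2), 45.60, 37.60),   # 60 nm in 1 h
    Report("273000002", T0 + timedelta(hours=2, minutes=5), 44.583, 38.010),
    Report("273000003", T0 + timedelta(hours=2, minutes=7), 44.581, 38.013),
    Report("273000004", T0 + timedelta(hours=2, minutes=10), 44.582, 38.011),
]
MAX_KNOTS = {"273000001": 20.0}   # laden crude tanker


def analyse(reports=SAMPLE_REPORTS):
    hits = geofence_hits(reports, *AIRPORT, radius_nm=1.0)
    return {
        "speed_anomalies": speed_anomalies(reports, MAX_KNOTS),
        "airport_hits": sorted(r.mmsi for r in hits),
        "vessels_in_fence_within_15min": max_distinct_vessels(hits, timedelta(minutes=15)),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The speed check works per vessel and so catches a single spoofed receiver; the fence check is what separates a broken unit from a deliberate, area-wide attack, since a spoofer feeding one false fix to every receiver in range produces exactly the many-ships-at-one-airport pattern the NRK report describes.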

Security Week

DHS Notifies States Targeted by Russia in Election Hacks

The U.S. Department of Homeland Security (DHS) has finally notified the states whose systems were targeted by hackers before last year’s presidential election.

Linux Security News

1.4 Million New Phishing Sites Launched Each Month

LinuxSecurity.com: The number of phishing attacks reached a record rate in 2017, but the majority of phishing sites remain active for just four to eight hours.
Linux Security News

Beyond public key encryption

LinuxSecurity.com: One of the saddest and most fascinating things about applied cryptography is how little cryptography we actually use. This is not to say that cryptography isn't widely used in industry - it is. Rather, what I mean is that cryptographic researchers have developed so many useful technologies, and yet industry on a day to day basis barely uses any of them.
Security Week

Verizon Engineer Exposes Internal System Data

Researchers discovered an unprotected Amazon Web Services (AWS) S3 bucket containing potentially sensitive information associated with a system used internally by Verizon.

Linux Security

Gentoo: GLSA-201709-23: Tcpdump: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in Tcpdump, the worst of which may allow execution of arbitrary code.
Security Week

Adobe Accidentally Posts Private PGP Key

Adobe’s product security incident response team (PSIRT) accidentally published a private PGP key on its blog. The compromised key was quickly revoked and a new key was generated after the incident came to light.

Linux Security

Fedora 25: mingw-LibRaw Security Update

LinuxSecurity.com: This update fixes CVE-2017-14348 and CVE-2017-13735.
Linux Security

Fedora 26: LibRaw Security Update

LinuxSecurity.com: Fix for possible buffer overrun in kodak_65000 decoder; fix for possible heap overrun in Canon makernotes parser; fix for CVE-2017-13735; CVE-2017-14265: additional check for X-Trans CFA pattern data; patch for CVE-2017-14348.
Linux Security

Fedora 26: python-jwt Security Update

LinuxSecurity.com: Upgrade to 1.5.3 and also note that 1.5.1 fixed CVE-2017-11424.
Linux Security

Fedora 26: pkgconf Security Update

LinuxSecurity.com: Security fixes: fix crash in edge case where a .pc file has misquoting in a fragment list. Other bug fixes: fix logic edge case when comparing relocated paths.
Ars Technica

Volkswagen’s emissions cheating scandal had a long, complicated history


2010 Volkswagen Jetta TDI Sportwagen photographed in Washington, DC, USA. (credit: IFCAR)

This story originally ran October 8, 2015, just a few weeks after it was discovered that new diesel Volkswagens and Audis ran undisclosed software that allowed the cars to cheat on their US federal emissions tests. This week was the two-year anniversary of the explosive news, and we're resurfacing this story to take another look at the history of automakers gaming regulations. Since this story ran in 2015, Volkswagen agreed to a multi-billion dollar settlement with 2.0L diesel vehicle customers in 2016, and in 2017, researchers were able to get a more detailed look at the code that made the diesels' driving so dirty.

In mid-September, the US Environmental Protection Agency dropped a bomb on Volkswagen Group, the German company that owns Volkswagen, Audi, Porsche, Lamborghini, and other notable car brands. The EPA sent the umbrella company a Notice of Violation, explaining that it discovered “defeat devices” on Volkswagen and Audi diesel passenger cars from 2009 and later.

The defeat devices—actually less a “device” than code on the cars’ electronic control module that detects whether a car is in a lab or on the road—were preventing the cars’ emissions control systems from working properly while the car was operating under normal driving conditions, likely boosting the car’s performance or fuel efficiency rating or both. The EPA said that nearly 500,000 of these diesel cars were caught spewing emissions well in excess of the federal rules, sending the company’s stock into a tailspin.

Ars Technica

Is the alt-right’s use of Pepe the Frog “fair use?”


Enlarge / A supporter holds a campaign sign for Republican presidential nominee Donald Trump with 'Pepe the Frog' drawn on it during a rally in Minneapolis in November 2016. (credit: Chip Somodevilla/Getty Images)

What can you do when your favorite frog gets away from you?

When Matt Furie drew Pepe the Frog for a short-lived magazine in 2005, he had no way of knowing the character would become a mascot for the so-called "alt-right," a loose coalition of far-right groups that veer towards white nationalism.

But during the 2016 election cycle, that's exactly what happened—and that's what Furie is now trying to undo. Furie has undertaken a campaign to restore Pepe's image as the gentle, stoner frog he intended, rather than a symbol of hate. He's hired a lawyer to send cease-and-desist letters over uses of Pepe that he didn't authorize. So far, targets include T-shirts being sold on Amazon and elsewhere, a book by an alt-right blogger "Baked Alaska" called Meme Magic: Secrets Revealed, a video game called Build the Wall, and a video by another alt-right blogger, Mike Cernovich.

Ars Technica

In shift towards electric vehicles, Volkswagen looking for cobalt contracts


Enlarge / This photo, taken on May 31, 2015 near a mine between Lubumbashi and Kolwezi, shows a man carrying a bag of minerals as people separate cobalt from sand and rock in a lake. AFP PHOTO / FEDERICO SCOPPA (credit: Getty Images)

Volkswagen is looking for serious, long-term contracts with cobalt producers, according to a Reuters report on Friday. Cobalt is a common component in lithium-ion rechargeable batteries, and it's projected to command more and more demand as electric vehicles are adopted in greater numbers. Currently cobalt is trading at about $26 per pound.

Securing reserves of the kinds of materials used in batteries will be key to Volkswagen’s future growth. After the so-called “dieselgate” scandal of 2015, Volkswagen Group pledged to pivot away from diesel to electric vehicles (EVs). The German automaker has said it wants to produce up to 3 million electric vehicles by 2025 and offer 80 electric vehicle models across all 12 brands by 2030. If VW Group succeeds, it would be a considerable feat given that so far there are only about 2 million EVs of any brand on the road worldwide.

As more automakers move to develop EVs, the minerals used to make car batteries will become more and more important. In 2015, Tesla secured two contracts with mining companies Bacanora Minerals and Rare Earth Minerals, as well as Pure Energy Minerals to explore lithium deposits in northern Nevada and Mexico. Cobalt is often used as a component in electric powertrain batteries because cobalt-based lithium batteries tend to have high energy density (although other materials like nickel and manganese can be used in lithium-ion batteries as well, depending on the battery application).

Linux Security

Gentoo: GLSA-201709-22: Oracle JDK/JRE, IcedTea: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in Oracle's JRE and JDK software suites, and IcedTea, the worst of which may allow execution of arbitrary code. [More...]
Linux Security

Gentoo: GLSA-201709-21: PHP: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in PHP, the worst of which could result in the execution of arbitrary code.
Krebs on Security

Equifax or Equiphish?

More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams.

Some people who signed up for the service after Equifax announced Sept. 7 that it had lost control over Social Security numbers, dates of birth and other sensitive data on 143 million Americans are still waiting for the promised notice from Equifax. But as I recently noted on Twitter, other folks have received emails from Equifax over the past few days, and the messages do not exactly come across as having emanated from a company that cares much about trying to regain the public’s trust.

Here’s a redacted example of an email Equifax sent out to one recipient recently:

(Image: redacted copy of the Equifax TrustedID notification email)

As we can see, the email purports to have been sent from trustedid.com, a domain that Equifax has owned for almost four years. However, Equifax apparently decided it was time for a new — and perhaps snazzier — name: trustedidpremier.com.

The above-pictured message says it was sent from one domain, and then asks the recipient to respond by clicking on a link to a completely different (but confusingly similar) domain.

My guess is the reason Equifax registered trustedidpremier.com was to help people concerned about the breach to see whether they were one of the 143 million people affected (for more on how that worked out for them, see Equifax Breach Response Turns Dumpster Fire). I’d further surmise that Equifax was expecting (and received) so much interest in the service as a result of the breach that all the traffic from the wannabe customers might swamp the trustedid.com site and ruin things for the people who were already signed up for the service before Equifax announced the breach on Sept. 7.

The problem with this dual-domain approach is that the domain trustedidpremier.com is only a few weeks old, so it had very little time to establish itself as a legitimate domain. As a result, in the first few hours after Equifax disclosed the breach the domain was actually flagged as a phishing site by multiple browsers because it was brand new and looked about as professionally designed as a phishing site.

What’s more, there is nothing tying the domain registration records for trustedidpremier.com to Equifax: The domain is registered to a WHOIS privacy service, which masks information about who really owns the domain (again, not exactly something you might expect from an identity monitoring site). Anyone looking for assurances that the site perhaps was hosted on Internet address space controlled by and assigned to Equifax would also be disappointed: The site is hosted at Amazon.

While there’s nothing wrong with that exactly, one might reasonably ask: Why didn’t Equifax just send the email from Equifax.com and host the ID theft monitoring service there as well? Wouldn’t that have considerably lessened any suspicion that this missive might be a phishing attempt?

Perhaps, but while TrustedID is technically owned by Equifax Inc., its services are separate from Equifax and its terms of service are different from those provided by Equifax (almost certainly to separate Equifax from any consumer liability associated with its monitoring service).

THE BACKSTORY

What’s super-interesting about trustedid.com is that it didn’t always belong to Equifax. According to the site’s Wikipedia page, TrustedID Inc. was purchased by Equifax in 2013, but it was founded in 2004 as an identity protection company which offered a service that let consumers automatically “freeze” their credit file at the major bureaus. A freeze prevents Equifax and the other major credit bureaus from selling an individual’s credit data without first getting consumer consent.

By 2006, some 17 states offered consumers the ability to freeze their credit files, and the credit bureaus were starting to see the freeze as an existential threat to their businesses (in which they make slightly more than a dollar each time a potential creditor — or ID thief — asks to peek at your credit file).

Other identity monitoring firms — such as LifeLock — were by then offering services that automated the placement of identity fraud controls — such as the “fraud alert,” a free service that consumers can request to block creditors from viewing their credit files.

[Author’s note: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they are not legally required to do this — and very often don’t.]

Anyway, the era of identity monitoring services automating things like fraud alerts and freezes on behalf of consumers effectively died after a landmark lawsuit filed by big-three bureau Experian (which has its own storied history of data breaches). In 2008, Experian sued LifeLock, arguing its practice of automating fraud alerts violated the Fair Credit Reporting Act.

In 2009, a court found in favor of Experian, and that decision effectively killed such services — mainly because none of the banks wanted to distribute them and sell them as a service anymore.

WHAT SHOULD YOU DO

These days, consumers in all states have a right to freeze their credit files, and I would strongly encourage all readers to do this. Yes, it can be a pain, and the bureaus certainly seem to be doing everything they can at the moment to make this process extremely difficult and frustrating for consumers. As detailed in the analysis section of last week’s story — Equifax Breach: Setting the Record Straight — many of the freeze sites are timing out, crashing or telling consumers just to mail in copies of identity documents and printed-out forms.

Other bureaus, like TransUnion and Experian, are trying mightily to steer consumers away from a freeze and toward their confusingly named “credit lock” services — which claim to be the same thing as freezes only better. The truth is these lock services do not prevent the bureaus from selling your credit reports to anyone who comes asking for them (including ID thieves); and consumers who opt for them over freezes must agree to receive a flood of marketing offers from a myriad of credit bureau industry partners.

While it won’t stop all forms of identity theft (such as tax refund fraud or education loan fraud), a freeze is the option that puts you, the consumer, in the strongest position to control who gets to monkey with your credit file. In contrast, while credit monitoring services might alert you when someone steals your identity, they’re not designed to prevent crooks from doing so.

That’s not to say credit monitoring services aren’t useful: They can be helpful in recovering from identity theft, which often involves a tedious, lengthy and expensive process for straightening out the phony activity with the bureaus.

The thing is, it’s almost impossible to sign up for credit monitoring services while a freeze is active on your credit file, so if you’re interested in signing up for them it’s best to do so before freezing your credit. But there’s no need to pay for these services: Hundreds of companies — many of which you have probably transacted with at some point in the last year — have disclosed data breaches and are offering free monitoring. California maintains one of the most comprehensive lists of companies that disclosed a breach, and most of those are offering free monitoring.

There’s a small catch with the freezes: Depending on the state in which you live, the bureaus may each be able to charge you for freezing your file (the fee ranges from $5 to $20); they may also be able to charge you for lifting or temporarily thawing your file in the event you need access to credit. Consumers Union has a decent rundown of the freeze fees by state.

In short, sign up for whatever free monitoring is available if that’s of interest, and then freeze your file at the four major bureaus. You can do this online, by phone, or through the mail. Given how unreliable the credit bureau Web sites have been for placing freezes these past few weeks, it may be easiest to do this over the phone. Here are the freeze Web sites and freeze phone numbers for each bureau (note the phone procedures can and likely will change as the bureaus get wise to more consumers learning how to quickly step through their automated voice response systems):

Equifax: 866-349-5191; choose option 3 for a “Security Freeze”

Experian: 888-397-3742;
– Press 2 “To learn about fraud or ADD A SECURITY FREEZE”
– Press 2 “for security freeze options”
– Press 1 “to place a security freeze”
– Press 2 “…for all others”
– Enter your info when prompted

Innovis: 800-540-2505;
– Press 1 for English
– Press 3 “to place or manage an active duty alert or a SECURITY FREEZE”
– Press 2 “to place or manage a SECURITY FREEZE”
– Enter your info when prompted

Transunion: 888-909-8872, choose option 3

If you still have questions about freezes, fraud alerts, credit monitoring or anything else related to any of the above, check out the lengthy primer/Q&A I published here on Sept. 11, The Equifax Breach: What You Should Know.

Linux Security

Gentoo: GLSA-201709-18: Mercurial: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in Mercurial, the worst of which could lead to the remote execution of arbitrary code.
Linux Security

Gentoo: GLSA-201709-20: Postfix: Privilege escalation

LinuxSecurity.com: A vulnerability in Postfix may allow local users to gain root privileges.
Linux Security

Gentoo: GLSA-201709-19: Exim: Local privilege escalation

LinuxSecurity.com: A vulnerability in Exim may allow local users to gain root privileges.
Linux Security

Gentoo: GLSA-201709-17: CVS: Command injection

LinuxSecurity.com: A command injection vulnerability in CVS may allow remote attackers to execute arbitrary code.
Linux Security

Gentoo: GLSA-201709-16: Adobe Flash Player: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.