
Some PDFs from Blackhat 2015

Similar News

Former USAAF chief lands HP Security tour in Oz
Take half a day out to cut your incident recovery time. Promo: HP will be deploying its security big guns over Australia next month, in the shape of its upcoming Security Innovation Tour featuring former US Air Force head of Cyber Security Earl Matthews.
LXer: Core Infrastructure Initiative seeks help to improve open-source security
Published at LXer: The Linux Foundation's Core Infrastructure Initiative is reaching out to the community to help determine which open-source projects practice good security methods.
LXer: LinuxCon Day 2 recap: Security-centric
Published at LXer: The second day of LinuxCon in Seattle started with an announcement by Linux Foundation Executive Director Jim Zemlin about the Core Infrastructure Initiative. The CII will have a...
Top data security expert fears traumatic aftermath in Ashley Madison hack
Brian Krebs says public shaming culture could put lives at risk after the release of personal information from the infidelity website. Top data security analyst Brian Krebs has warned that people could take their lives after their personal details were exposed in a hack of infidelity website Ashley Madison. “We have to be very cautious and I think sensitive to this,” Krebs, who broke the initial story, said. “There’s a very real chance that people are going to overreact. I wouldn’t be surprised if we saw people taking their lives because of this, and obviously piling on with ridicule and trying to out people is not gonna help the situation.”
Ashley Madison staff raised security concerns before hack
Employees, asked what they would hate to see go wrong, listed privacy and security flaws prominently. Senior staff at Ashley Madison, the hacked extramarital dating site, were raising concerns over its security procedures as recently as June, just a month before the site was attacked. Internal documents leaked as part of the attack show concerns over “a lack of security awareness across the organisation” being raised by one vice president. A database containing the documents and more than 30 million user records exfiltrated in the attack was posted to the internet on Tuesday.
How to apply and revert a Magento security patch on a Linux VPS
Magento is one of the most popular open-source eCommerce platforms and it is used by thousands of merchants worldwide. It provides a variety of enterprise-class features, but one thing that sets Magento apart from its competition is its security. To resolve a variety of security issues, Magento support releases security patches that should be applied to the Magento installation. Today, we are going to show you how to apply and revert a Magento security patch on a Linux VPS.
Suspended Hamilton national security adviser gets thank you letter from feds
Hamilton lawyer Hussein Hamdani was suspended as a federal security adviser at the end of April. He recently received a letter of appreciation from the government that made no mention of his suspension.
Wednesday's security advisories
CentOS has updated pam (C6; C7: denial of service). Debian has updated python-django (multiple vulnerabilities). Debian-LTS has updated wordpress (multiple vulnerabilities). Fedora has updated audit (F21; F22: unsafe escape-sequence handling), icecast (F21; F22: denial of service), kernel (F21; F22: information leak), openssh (F22: multiple vulnerabilities), rubygem-rack (F22: denial of service), rubygems (F21: DNS hijacking), strongswan (F21; F22: multiple vulnerabilities), and xfsprogs (F21: information leak). Oracle has updated pam (O6; O7: denial of service). Red Hat has updated kernel (RHEL6: privilege escalation) and pam (RHEL6, 7: denial of service). Scientific Linux has updated pam (SL6, 7: denial of service). Ubuntu has updated python-django (12.04, 14.04, 15.04: multiple vulnerabilities) and openssh (12.04, 14.04, 15.04: upstream regression resulting in denial of service).
Jobs for up-and-coming hackers at the 2nd Cyber Security Challenge Germany
Siemens and Audi are just two of the companies that are desperately looking for new staff as part of the ongoing hacking competition. Pupils, apprentices and students have the chance to make first contacts with potential employers.
Rakuten Launches Its Own Security-Enhanced Android App Store In Japan
Rakuten, Japan’s top online retail firm, has pulled an Amazon after it launched its own branded Android app store today.
LXer: How to apply and revert a Magento security patch on a Linux VPS
Published at LXer: Magento is one of the most popular open-source eCommerce platforms and it is used by thousands of merchants worldwide. It provides a variety of enterprise-class features, but one...
Why Security Is Every Developer's Responsibility, and How to Approach It
Hamilton lawyer suspended from security panel gets appreciation letter from government
A lawyer who was suspended last spring from the federal security roundtable has just received a letter of appreciation from the government.
Security Researchers Crack Popular Anti-Theft Protection for Cars
An electronic vehicle immobilizer used in popular car models has proven vulnerable to hackers with laptops
Traversal Networks (YC S15) Wants to Be Your Company’s Cyber Security Department
Airport security confiscates three year old's fart gun
The eagle-eyed aviation security humans at Dublin Airport prevented a desperate toddler from boarding a flight while in possession of a Despicable Me Fart Blaster: "We don’t make the rules but we apply the rules consistently." (via Lowering the Bar)
Docker Working on Security Components, Live Container Migration #linuxcon
Docker developers take the stage at Containercon/Linuxcon and discuss their work on future container innovations for security and live migration.
Using Virtual Machines to Improve Container Security with Rkt v0.8.0
UK and France to sign Calais security deal
Deal contains measures to tackle human traffickers and commitments to boost humanitarian support for vulnerable migrantsBritish and French ministers are to meet in Calais on Thursday to sign an agreement aimed at alleviating the disturbances involving migrants at the French port.
Airport Security Seizes Three-Year-Old's Fart Gun
For once I'm not going to be criticizing the TSA, but that's only because the TSA wasn't involved here in any way. Although it wouldn't surprise me if they have been meeting with their Irish counterparts supposedly to exchange nonsensical...
Security advisories for Tuesday
CentOS has updated glibc (C5: code execution from 2013), mysql55-mysql (C5: multiple unspecified vulnerabilities, one from 2014), net-snmp (C7; C6: code execution), sqlite (C6: code execution), sqlite (C7: three vulnerabilities), and subversion (C6: three vulnerabilities). Debian has updated apache2 (two vulnerabilities), gdk-pixbuf (code execution), and nss (two vulnerabilities). Debian-LTS has updated libstruts1.2-java (unclear vulnerability from 2014). Fedora has updated erlang (F22; F21: man-in-the-middle vulnerability), firefox (F22: many vulnerabilities), flac (F21: two vulnerabilities from 2014), gnutls (F21: code execution), golang (F22; F21: HTTP request smuggling), nagios-plugins (F22; F21: three vulnerabilities), qemu (F22: two vulnerabilities), uwsgi (F22; F21: denial of service), and webkitgtk4 (F22: three unspecified vulnerabilities). Mageia has updated kdepim (M4: no attachment encryption from 2014). openSUSE has updated subversion (two vulnerabilities) and virtualbox (two vulnerabilities). Oracle has updated glibc (OL5: code execution from 2013), mysql55-mysql (OL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (OL7; OL6: code execution), sqlite (OL7: three vulnerabilities), sqlite (OL6: code execution), and subversion (OL6: three vulnerabilities). Red Hat has updated net-snmp (RHEL6&7: code execution). Scientific Linux has updated glibc (SL5: code execution from 2013), mysql55-mysql (SL5: multiple unspecified vulnerabilities, one from 2014), net-snmp (SL6&7: code execution), sqlite (SL6: code execution), and subversion (SL6: three vulnerabilities). Ubuntu has updated kernel (12.04: three vulnerabilities), kernel (15.04; 14.04: denial of service), linux-lts-trusty (12.04: denial of service), linux-lts-utopic (14.04: denial of service), linux-lts-vivid (14.04: denial of service), linux-ti-omap4 (12.04: three vulnerabilities), and net-snmp (two vulnerabilities, one from 2014).
Traversal Networks Wants To Be Your Company’s Cyber Security Department
Imagine a company that installs an appliance to monitor your network for malicious activity, then broadcasts that security data to a cloud service and has experts watching and responding to any real threats. That’s what Traversal Networks, a member of the Summer Y Combinator 2015 class, is trying to do. In fact, the company was making its pitch at YC Demo Day shortly after I spoke…
LXer: How to use the NMAP Security Scanner on Linux
Published at LXer: Nmap is a free and open source network discovery and security auditing utility that is widely used in the Linux users community as it is simple to use yet very powerful. Nmap...
Who Should Be Responsible For IT Security?
Hot potato, or hot job? Typically, when a cybersecurity problem arises, it’s the IT department that gets it in the neck. Ostensibly, that makes sense. After all, if someone is in your network mining your database for corporate secrets, it’s hardly the office manager or the accounts receivable department’s lookout, right?…
Security flaw affecting more than 100 car models exposed by scientists
Academics found cars were vulnerable to ‘keyless theft’, including models from Audi, Honda and Volkswagen – which suppressed the research for two years. A major security flaw in more than 100 car models has been exposed in an academic paper that was suppressed by a major manufacturer for two years. Flavio Garcia, a computer scientist at the University of Birmingham, and two colleagues from a Dutch university were unable to release the paper after Volkswagen won a case in the high court to ban its publication.
Security Analysis of India’s Electronic Voting Machines (2010) [pdf]
Row rumbles on over figures in Oracle CSO’s anti-security rant
Now Redwood City giant’s security researcher bridge building can begin … not! Security researchers picking through the entrails of a withdrawn blogpost by Oracle CSO Mary Ann Davidson reckon not even her figures add up. Oracle countered that only it had access to the raw figures, so there.…
Firefox Security Exploit Targets Linux Users and Web Developers
Through the years, Firefox has enjoyed a reputation as one of the most secure Web browsers on any platform, and it's the default browser for many Linux distros. However, a security exploit appeared this week that has shown users they can't afford to be complacent about security. Mozilla has rushed to patch the flaw, and a new release has closed the hole (39.0.3). But, plenty of users still haven't updated their browsers.
How to use the NMAP Security Scanner on Linux
Nmap is a free and open source network discovery and security auditing utility that is widely used in the Linux community, as it is simple to use yet very powerful. Nmap works by sending packets to a specific target (by IP) and interpreting the responses to determine which ports are open or closed, which services are running on the scanned system, whether firewalls or filters are set up and enabled, and finally which operating system is running.
Security systems integration on highways: are you up for the challenge?
Security updates for Monday
Arch Linux has updated glibc (denial of service from 2014). Debian-LTS has updated libidn (information disclosure) and subversion (information disclosure). Fedora has updated bzr (F22; F21: denial of service from 2013), firefox (F21: multiple vulnerabilities), and flac (F22: two vulnerabilities). Gentoo has updated adobe-flash (multiple vulnerabilities), icecast (denial of service), and libgadu (three vulnerabilities from 2013 and 2014). openSUSE has updated firefox (13.2; 13.1: multiple vulnerabilities) and flash-player (13.2; 13.1: many vulnerabilities). Oracle has updated kernel 3.8.13 (OL7; OL6: two remote denial of service flaws), kernel 2.6.39 (OL6; OL5: two remote denial of service flaws), and kernel 2.6.32 (OL6; OL5: two remote denial of service flaws). Red Hat has updated glibc (RHEL5: code execution from 2013), mysql55-mysql (RHEL5; RHSC2: multiple unspecified vulnerabilities, one from 2014), rh-mysql56-mysql (RHSC2: multiple unspecified vulnerabilities), sqlite (RHEL6: code execution), sqlite (RHEL7: three vulnerabilities), and subversion (RHEL6: three vulnerabilities). Scientific Linux has updated sqlite (SL7: three vulnerabilities). Slackware has updated firefox (multiple vulnerabilities) and thunderbird (multiple vulnerabilities). Ubuntu has updated openssh (15.04, 14.04, 12.04: two vulnerabilities) and pollinate (15.04, 14.04: certificate update).
[SOLVED] Pax Security - setting flags on a directory
So I'm testing Arch's linux-grsec kernel and it seems Steam has a few issues with it. I could make Steam run with the following command: Code: --------- setfattr -n user.pax.flags -v "PemRS"...
Kaspersky Lab Security Startup Challenge Winners
c2k15: beck@ on LibreSSL security, midlayer work
For your reading pleasure, here is the c2k15 report from Bob Beck (beck@):
Curated Application Security Reading List
Security News This Week: US Admits It Uses Predictions, Not Data, to Blacklist Flyers
DefCon may be in the books, but the hacks keep coming. Here’s the news this week that we didn’t cover. The post Security News This Week: US Admits It Uses Predictions, Not Data, to Blacklist Flyers appeared first on WIRED.
Australia's national security should be above politics but not beyond scrutiny | Tanya Plibersek
We learnt about a national security matter from a newspaper rather than the prime minister when a Liberal backbencher floated the idea of bombing Syria. The most important duty of a government is to keep its people safe. That’s why Labor has worked sensibly and co-operatively with the Government on national security, and will continue to do so.
Apple releases OS X version 10.10.5 with important security fixes
Apple has released OS X version 10.10.5, and with it comes a bevy of fixes. Although the company states that this update "improves the stability, compatibility, and security of your Mac," the star of the show here may be a fix for the DYLD_PRINT_TO_FILE privilege escalation vulnerability. That bug was discovered by Stefan Esser, and it's apparently under attack in the wild. Esser had previously published an OS X kernel extension called SUIDGuard that users could install to mitigate the problem. The story would end there, but there's one more thing. Esser has since tweeted that Apple "fixed some bugs and made another security problem worse" in 10.10.5.
VW has spent two years trying to hide a big security flaw, conference told
Thousands of cars from a host of manufacturers have spent years at risk of electronic car-hacking, according to expert research that Volkswagen has spent two years trying to suppress in the courts.
Show HN: CloudSploit – Continuous AWS Security Scanning
Friday's security advisories
Arch Linux has updated freeradius (certificate verification botch) and subversion (two vulnerabilities). CentOS has updated kernel (C6: two remote denial of service flaws). Fedora has updated gnutls (F22: denial of service), nbd (F22; F21: denial of service), pcre (F22: code execution), and wordpress (F22; F21: multiple vulnerabilities). Mageia has updated gdk-pixbuf2.0 (M5: code execution) and owncloud (three vulnerabilities). openSUSE has updated glibc (13.1: denial of service from 2014) and kernel (13.2: multiple vulnerabilities, some from 2014). Oracle has updated kernel (OL6: two remote denial of service flaws). Red Hat has updated kernel (RHEL6: two remote denial of service flaws). Scientific Linux has updated kernel (SL6: two remote denial of service flaws). SUSE has updated firefox (SLE11SP4, SP3: information leak).
VW Has Spent Two Years Trying to Hide a Big Security Flaw
Lenovo does it again as LSE component removed after security fears
Chinese company releases firmware update after fears new problem software could, as with Superfish, be used to let hackers access vulnerable computers. Six months after apologising to users for pre-installing security-busting malware Superfish on its consumer laptops, Chinese PC manufacturer Lenovo has again had to remove another pre-installed component from its laptops over security fears. But this time, the problem software, called the “Lenovo Service Engine (LSE)”, is built into the firmware of the laptops themselves, in a low-level operating system called the BIOS, invisible even to Windows. (The BIOS is what is running the screens of white-on-black text seen on many computers as they start up). It launches when the computer is turned on, before Windows loads, and then replaces Microsoft’s start-up diagnostics program (which ensures that the system was shut down properly, that the disk isn’t corrupted, and that it’s safe to launch Windows) with its own.
Oracle security chief to customers: Stop checking our code for vulnerabilities
Oracle's chief security officer is tired of customers performing their own security tests on Oracle software, and she's not going to take it anymore.
Greens call for Wilson Security ban at Nauru amid claims of spying on senator
Richard Di Natale urges Australian federal police to investigate allegations Sarah Hanson-Young was followed by Wilson guards while visiting the island in 2013. The Greens are demanding Wilson Security be barred from rebidding for work at the Nauru immigration detention centre after claims one of its senators was subject to systematic spying. An unnamed whistleblower alleges Sarah Hanson-Young had her every move tracked by a team of eight Wilson guards while visiting the island in 2013, a claim at odds with evidence the company has given to a Senate inquiry.
Preacher Junaid Thorne jailed under highest security classification
Thorne, who was last week sentenced to eight months’ prison for flying under a false name, is in segregation at Goulburn’s supermax prison. A controversial preacher jailed for flying under a false name is being held at Goulburn’s supermax prison in segregation under the highest security classification in New South Wales. Junaid Thorne, 26, was last week sentenced to eight months’ prison, with a minimum four months behind bars, for using false ID to obtain an airline ticket and flying under a false name.
LXer: Oracle security chief to customers: Stop checking our code for vulnerabilities
Published at LXer: Oracle's chief security officer is tired of customers performing their own security tests on Oracle software, and she's not going to take it anymore.
Android security on the ropes with one-two punch from researchers
Faulty Stagefright patch and newly reported sandbox bypass leave users exposed.
Google flubs patch for Stagefright security bug in 950 million Androids
Update flawed, new one needed for countless gadgets Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed.…
Security updates for Thursday
Debian has updated request-tracker4 (cross-site scripting). Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities). SUSE has updated firefox (SLE12: information leak), java-1_7_0-ibm (SLE11SP3, SP2: many vulnerabilities), and kernel-rt (SLE11SP3: many vulnerabilities, including some from 2014).