Topic security

Beware of hacked ISOs if you downloaded Linux Mint on February 20th, 2016

by Anonymous Coward in security on (#14SDS)
Linux Mint installation media briefly compromised:
I'm sorry I have to come with bad news. We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.

What happened? Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Does this affect you? As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
More information: Linux Mint Blog, ycombinator, reddit, LWN
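The practical check a reader of this story wants is to verify the downloaded ISO against the publisher's checksum manifest before booting it. The following is an added example, not code from the Linux Mint project or from the post above; it assumes a `sha256sum`-style manifest (`<hex digest>  <filename>`) and uses a constructed sample file in place of a real ISO. A digest match proves only that the file is the one the manifest describes, so when the manifest itself was fetched from the same web page as the ISO, its detached signature must be checked too (for example with `gpg --verify`); a hash alone cannot defend against an attacker who controls the page.

```python
"""Verify a downloaded ISO against a published checksum manifest."""
import hashlib
import hmac
import os
import tempfile

# Size of the read chunks: a multi-gigabyte ISO must never be loaded whole.
CHUNK_SIZE = 1024 * 1024


def sha256_file(path):
    """Return the hex SHA-256 of a file, hashing it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse `sha256sum`-style lines ("<hex>  <filename>") into a dict.

    Lines that do not carry a 64-hex-digit digest are skipped rather than
    trusted, so a truncated or tampered manifest cannot slip a bogus entry in.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip()
        # sha256sum marks binary-mode entries with a leading '*'
        name = name.lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries


def verify_bytes(data, expected_hex):
    """Compare the SHA-256 of in-memory data with the expected digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_download(path, manifest_text):
    """Return True only if the manifest names this file and its hash matches."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        # A file the manifest does not list is unverified, never "OK".
        return False
    return hmac.compare_digest(sha256_file(path), expected)


# Constructed sample: SHA-256 of the ASCII string "abc" is a well-known test vector.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo():
    """Write a constructed 'ISO' plus manifest, verify it, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "example.iso")
        with open(good, "wb") as fh:
            fh.write(b"abc")
        # Manifest in the format `sha256sum` emits; a malformed line is included
        # to show that it is ignored rather than trusted.
        manifest = f"{SHA256_ABC}  example.iso\nnot-a-digest  junk.iso\n"
        ok = verify_download(good, manifest)

        # Tampered copy: same filename served from another location, contents altered.
        mirror = os.path.join(tmp, "mirror")
        os.mkdir(mirror)
        tampered = os.path.join(mirror, "example.iso")
        with open(tampered, "wb") as fh:
            fh.write(b"abd")
        bad = verify_download(tampered, manifest)
        return ok, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

`hmac.compare_digest` is used for the comparison so that the check does not leak timing information, and the file is hashed in chunks because installation images are far larger than comfortably fits in memory.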

DHS stripped of failed MyGov system

by Anonymous Coward in security on (#13RTE)
In a shocking move the Australian government has transferred control of the MyGov portal to the DTO. This slap in the face to the mighty DHS comes after several months of serious problems with the online government portal after the Australian tax system, Centrelink, Medicare and other systems were changed to use MyGov as the central logon. Tens of thousands of Australians took to social media in 2015 to complain about the DHS portal after the ATO made using the portal mandatory for online tax returns. The problems were so bad that the ATO opened a backdoor allowing citizens to bypass the MyGov system. After spending millions to integrate two of the largest federal departments, Centrelink and Medicare, the step of removing MyGov from the hands of the DHS is an F on this year's report card.

Palemoon Ships with Anti-Fingerprinting option

by Anonymous Coward in security on (#13RRJ)
As of Palemoon 25.6 a new option is available to poison canvas data. This option is not enabled by default due to the performance cost. Users can enable it in about:config by setting canvas.poisondata to true. This browserleaks page has a technical writeup on how canvas data can be used to generate a fingerprint for a browser, using a live example of browser fingerprinting code.

HTTPA protocol for tracking how private data is used online.

in security on (#10FM9)
By now, most people feel comfortable conducting online financial transactions on the Web. The cryptographic schemes that protect online banking and credit card purchases have proven their reliability over decades. But right now there is no effective way to prevent misuse of your data by the people authorized to access it: a bank employee, for example, can still access your data, and we frequently read news about misuse of data by bank employees. I.e., once you share your data with a bank, a healthcare system or any other private company for your online transactions, you have no control over who exactly is using or misusing it.

http://news.mit.edu/2014/whos-using-your-data-httpa-0613

Google play forces updates like Windows 10

by Anonymous Coward in security on (#YVWF)
Microsoft recently copped flak over forcing users to accept Windows 10 updates. Some users have reported serious problems from Windows 10 updates, including system failure. Now Google is following the same path. Google Play now has a term in the licensing agreement which allows Google to force-update any software on Android devices. Without root access most users will be SOL to block or fix problems.

The relevant text reads:
Updates. You may need to install updates to Google Play or related Google software that we introduce from time to time to use Google Play and to access or download Content. Content originating from Google may communicate with Google servers from time to time to check for available updates to the Content and to the functionality of Google Play, such as bug fixes, patches, enhanced functions, missing plug-ins and new versions (collectively, "Updates"). Your use of the Content you have installed requires that you have agreed to receive such automatically requested Updates. If you do not agree to such automatically requested and received Updates then please do not use the Google Play store or install this Content.

Full terms at:
https://play.google.com/intl/en-us_au/about/play-terms.html

Online Payment Provider Refuses VPN Users Citing Fraud

by Anonymous Coward in security on (#YDDF)
Australian company pin.net.au now refuses to process payments for VPN users. The software used by pin.net.au rejects payments originating from a known VPN IP address as "high risk" and a possible attempt to conduct fraud. A pin.net.au representative has stated that users need to disable VPN software to make online purchases. The Australian government recently started logging internet and phone activity. Australian politicians have recommended using a VPN and other secure technology to ensure privacy online.

Dell Laptop Security Hole Acknowledged

by Anonymous Coward in security on (#XCWE)
In a similar situation to the Lenovo backdoor "Superfish", Dell has now acknowledged that a security hole exists in some of its recently shipped laptops that could make it easy for hackers to intercept users' private data.

Dell shipped a self-signed root CA certificate, together with its private key, intended to "provide a better, faster and easier customer support experience" but which can instead allow hackers to read encrypted messages and redirect browser traffic to spoofs of real websites. The certificate is included with newer XPS, Latitude, Inspiron and Precision laptops and can be manually removed. A string of recent key leakage and reuse vulnerabilities is an alarming reminder of the inherent trust we put in our hardware providers.

Two web-based tests are available, courtesy of Kenn White and Hanno Böck, to check if you are vulnerable.

Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users

by Anonymous Coward in security on (#TDNC)
"Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine writes. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."

RATS: the Radio Transceiver System, an open source communication tool for the security-obsessed

by Anonymous Coward in security on (#T6HE)
The Internet... Who Needs It?

"As a growing number of web users have become more security-conscious, there's been an explosion of VPNs and encryption tools and other security services for the Internet. But what about a device that lets you bypass the Internet entirely? That's the goal of RATS,[1] the Radio Transceiver System, an open source communication tool for the security-obsessed and/or the Internet-bereft."

"The RATS is simple: it's a small antenna that connects to computers by USB and lets them send encrypted messages and file transfers directly, via radio transmission. There are two obvious advantages to this: firstly, it doesn't rely on any network being up or even the power staying on - as long as your laptop has some batteries, you can send and receive - and secondly, it's a level of security and privacy that trumps most of what you can do on-line. Apart from being entirely separated from the Internet, it employs AES-256 encryption with a randomized salt so even the same message sent repeatedly will produce completely different encrypted data every time.

The range of the RATS antenna is about a kilometer in a city, but it can also be connected to superior antennas and, in areas with no obstacles, achieve ranges above 5km. Obviously this means it isn't suited to everything, but alongside the Internet it could be extremely powerful for certain local applications in urban neighborhoods, workplaces, and other situations where we normally use the robust global Internet just to send short messages to people within walking distance. But perhaps more than anything it could be a boon for people living under governments that censor and monitor on-line communications, allowing local groups to coordinate without so much as touching the compromised networks."

- https://www.techdirt.com/blog/innovation/articles/20151031/07410132682/awesome-stuff-Internet-who-needs-it.shtml
(Archived) https://archive.is/XQxJm

[1] https://www.kickstarter.com/projects/1688986732/rats-chat-and-send-files-without-Internet/description
(Archived) https://archive.is/ly2mt

Sony BMG Rootkit Scandal: 10 Years Later

by Anonymous Coward in security on (#SJNZ)
- Page 1/2:
http://www.networkworld.com/article/2998251/malware-cybercrime/sony-bmg-rootkit-scandal-10-years-later.html

- Page 2/2:
http://www.networkworld.com/article/2998251/malware-cybercrime/sony-bmg-rootkit-scandal-10-years-later.html?page=2

- Archived pages 1 & 2:
https://archive.is/4TrDq
https://archive.is/uwL2M

Historical posts by Bruce Schneier, blog posts which contain a vast resource of information shared by his open community in which anyone can post - more technical and polite than most discussion forums!

We remember the rootkit:

https://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
https://www.schneier.com/blog/archives/2005/11/sony_secretly_i_1.html
https://www.schneier.com/blog/archives/2005/11/the_sony_rootki.html
https://www.schneier.com/blog/archives/2005/11/more_on_sonys_d.html
https://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html
https://www.schneier.com/essays/archives/2005/11/real_story_of_the_ro.html
https://www.schneier.com/blog/archives/2006/02/lessons_from_th.html
https://www.schneier.com/essays/archives/2006/05/everyone_wants_to_ow.html
https://www.schneier.com/blog/archives/2006/05/who_owns_your_c.html
https://www.schneier.com/blog/archives/2014/12/reacting_to_the.html
https://www.schneier.com/blog/archives/2012/06/the_failure_of_3.html
https://www.schneier.com/blog/archives/2014/12/more_data_on_at.html
https://www.schneier.com/blog/archives/2005/11/surveillance_an.html
https://www.schneier.com/blog/archives/2007/03/faking_hardware.html
https://www.schneier.com/blog/archives/2007/07/federal_agents_1.html

* New Slashdot Story (10/28/2015):

- Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later
http://it.slashdot.org/story/15/10/28/1829203/revisiting-the-infamous-sony-bmg-rootkit-scandal-10-years-later

= Old Slashdot stories on the topic:

http://it.slashdot.org/story/05/10/31/2016223/sony-drm-installs-a-rootkit
http://games.slashdot.org/story/05/11/07/1221209/sony-rootkit-phones-home
http://yro.slashdot.org/story/05/11/10/0024259/california-class-action-suit-sony-over-rootkit-drm
http://yro.slashdot.org/story/05/11/17/2140208/real-story-of-the-rogue-rootkit
http://it.slashdot.org/story/05/11/29/1823212/sony-warned-weeks-ahead-of-rootkit-flap
http://yro.slashdot.org/story/05/11/13/1419206/sonys-eula-worse-than-its-rootkit
http://yro.slashdot.org/story/07/07/12/1256258/sony-sues-rootkit-maker
http://yro.slashdot.org/story/05/11/02/1421250/more-on-sonys-drm-rootkit
http://yro.slashdot.org/story/07/12/17/0314218/a-legal-analysis-of-the-sony-bmg-rootkit-debacle
http://it.slashdot.org/story/06/01/17/1512245/sony-rootkit-still-a-problem
http://yro.slashdot.org/story/05/11/18/2010224/sony-amazon-detail-rootkit-cd-buybacks
http://news.slashdot.org/story/05/11/17/1350209/dvd-jons-code-in-sony-rootkit
http://yro.slashdot.org/story/05/12/22/160206/sony-drm-installed-even-when-eula-declined
http://apple.slashdot.org/story/05/11/11/064215/sony-music-cds-contain-mac-drm-software-too

= Related:

http://it.slashdot.org/story/07/03/04/1511210/hacker-defeats-hardware-based-rootkit-detection
http://it.slashdot.org/story/07/05/31/187219/a-look-at-bsd-rootkits
http://news.slashdot.org/story/09/04/15/1327247/the-rootkit-arsenal
http://yro.slashdot.org/story/07/07/17/199223/will-security-firms-detect-police-spyware
http://it.slashdot.org/story/13/05/04/0024202/antivirus-firms-wont-co-operate-with-pc-hacking-dutch-police
http://linux.slashdot.org/story/12/11/20/1733237/new-linux-rootkit-emerges
http://yro.slashdot.org/story/14/03/12/1738237/how-the-nsa-plans-to-infect-millions-of-computers-with-malware