Does Wi-Fi Security Really Matter?
by Lawrence D'Oliveiro
Seems the Wi-Fi Alliance is having yet another crack at coming up with
a really secure protocol, this time to be called WPA3
<http://www.theregister.co.uk/2018/01/09/wi_fi_wpa3/>.
Does anybody care? Remember that on the Internet, security is
implemented between the endpoints, the protocols are designed not to
care that everything in-between might be pawed through by
eavesdroppers, or even active attackers trying to inject fake data.
1 year, 1 month
Mass Router Hack Exposes Millions of Devices To Potent NSA Exploit
by Peter Reutemann
'More than 45,000 Internet routers have been compromised by a newly
discovered campaign that's designed to open networks to attacks by
EternalBlue, the potent exploit that was developed by, and then stolen
from, the National Security Agency and leaked to the Internet at
large, researchers say. From a report:
The new attack exploits routers with vulnerable implementations of
Universal Plug and Play to force connected devices to open ports 139
and 445, content delivery network Akamai said in a blog post. As a
result, almost 2 million computers, phones, and other network devices
connected to the routers are reachable to the Internet on those ports.
While Internet scans don't reveal precisely what happens to the
connected devices once they're exposed, Akamai said the ports --which
are instrumental for the spread of EternalBlue and its Linux cousin
EternalRed -- provide a strong hint of the attackers' intentions.
The attacks are a new instance of a mass exploit the same researchers
documented in April. They called it UPnProxy because it exploits
Universal Plug and Play -- often abbreviated as UPnP -- to turn
vulnerable routers into proxies that disguise the origins of spam,
DDoSes, and botnets.'
-- source: https://tech.slashdot.org/story/18/11/29/1849254
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
1 year, 6 months
Proprietary Software Subverts Security Of Your PC
by Lawrence D'Oliveiro
Audio company Sennheiser has just issued a fix
<https://arstechnica.com/information-technology/2018/11/sennheiser-disclos...>
for a really nasty vulnerability where their software for Windows and
Mac would install a special fake browser certificate that the machine
would continue to trust thereafter, even after the software was removed.
Unfortunately, because the installation also included the private key
for that certificate (which is never supposed to be distributed), it
could then be exploited by arbitrary third parties to trick such
machines into trusting random sites.
1 year, 6 months
Half of all Phishing Sites Now Have the Padlock
by Peter Reutemann
'You may have heard you should look for the padlock symbol at the top
of a website before entering your password or credit card information
into an online form. It's well-meaning advice, but new data shows it
isn't enough to keep your sensitive information secure. From a report:
Recent data from anti-phishing company PhishLabs shows that 49 percent
of all phishing sites in the third quarter of 2018 bore the padlock
security icon next to the phishing site domain name as displayed in a
browser address bar. That's up from 25 percent just one year ago, and
from 35 percent in the second quarter of 2018. This alarming shift is
notable because a majority of Internet users have taken the age-old
"look for the lock" advice to heart, and still associate the lock icon
with legitimate sites. A PhishLabs survey conducted last year found
more than 80% of respondents believed the green lock indicated a
website was either legitimate and/or safe. In reality, the https://
part of the address (also called "Secure Sockets Layer" or SSL) merely
signifies the data being transmitted back and forth between your
browser and the site is encrypted and can't be read by third parties.
The presence of the padlock does not mean the site is legitimate, nor
is it any proof the site has been security-hardened against intrusion
from hackers.'
-- source: https://it.slashdot.org/story/18/11/27/1521240
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
1 year, 6 months
Two Linux Kernels Revert Performance-Killing Spectre Patches
by Peter Reutemann
'Friday Greg Kroah-Hartman released stable point releases of Linux
kernel 4.19.4, as well as 4.14.83 and 4.9.139. While they were basic
maintenance updates, the 4.19.4 and 4.14.83 releases are significant
because they also reverted the performance-killing Spectre patches
(involving "Single Thread Indirect Branch Predictors", or STIBP) that
had been back-ported from Linux 4.20, according to Phoronix:
There is improved STIBP code on the way for Linux 4.20 that by default
just applies STIBP to SECCOMP threads and processes requesting it via
prctl() but otherwise is off by default (that behavior can also be
changed via kernel parameters). Once that code is ready to go for
Linux 4.20, we may see it then back-ported to these stable trees.
Aside from reverting STIBP, these point releases just have various
fixes in them as noted for 4.19.4, 4.14.83, and 4.9.139.
Last Sunday Linus Torvalds complained that the performance impact of
the STIPB code "was clearly way more expensive than people were told,"
according to ZDNet:
"When performance goes down by 50 percent on some loads, people need
to start asking themselves whether it was worth it. It's apparently
better to just disable SMT entirely, which is what security-conscious
people do anyway," wrote Torvalds. "So why do that STIBP slow-down by
default when the people who *really* care already disabled SMT?"'
-- source: https://linux.slashdot.org/story/18/11/24/2320228
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
1 year, 6 months
Alphabet's Cybersecurity Group Touts Its New Open Source Private VPN
by Peter Reutemann
'Alphabet's cybersecurity division Jigsaw has designed a new open
source private VPN aimed at journalists and the people sending them
data. "Their work makes them more vulnerable to attack," said Santiago
Andrigo, Jigsaw's product manager. "It can get really scary when
they're outed and you're passing over information."
Unscrupulous VPN providers can steal your identity, peek in on your
data, inject their own ads on non-secure pages, or analyze your
browsing habits and sell that information to advertisers, says one
Jigsaw official. And you can't know for sure whether you can trust
them, no matter what they say in the app store. "Journalists should be
aware that their online activities might be subject to surveillance
either by government agencies, their internet service providers or a
hacker with malicious intent," said Laura Tich, technical evangelist
for Code for Africa, a resource for African journalists. "As
surveillance becomes ubiquitous in today's world, journalists face an
increasing challenge in establishing secure communication in the
digital space."
The new private VPN, dubbed "Outline", is specifically designed to be
resistant to censorship — because it's harder to detect as a VPN (and
therefore is less likely to be blocked). Outline uses an encrypted
socks5 proxy that looks like normal internet traffic. Once the user
chooses a server location, Outline spins up a DigitalOcean server on
Ubuntu, installs Docker, and imports an image of the actual server.
It's been named Outline because in places where internet use may be
restricted — it gives you a line out.'
-- source: https://yro.slashdot.org/story/18/11/25/0117226
Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
1 year, 6 months
