Security and Proprietary Software Blunders
-
How To Prevent SSH Brute Force Attacks Using Fail2ban In Linux
Linux is a popular operating system for servers and other devices. It is known for its stability, security, and flexibility. However, no operating system is immune to attack. One of the most common types of attacks against Linux servers is the brute-force attack. In this step-by-step guide, we'll show you how to install and configure Fail2ban on a Linux system and how to use it to prevent SSH brute-force attacks.
-
Inconsistencies in the Common Vulnerability Scoring System (CVSS)
Interesting research:
Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities
Abstract: The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value. The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. [...]
-
Developers Warned of Malicious PyPI, NPM, Ruby Packages Targeting Macs
Malicious packages uploaded to PyPI, NPM, and Ruby repositories are targeting macOS users with information stealing malware.
-
United Airlines Says the Outage That Held Up Departing Flights Was Not a Cybersecurity Issue
United Airlines flights were halted nationwide on Sept. 5, because of an “equipment outage,” according to the FAA.
-
Three Australian firms latest to be hit by Alphv ransomware gang
While Core Desktop has not yet made any public statement about the attacks, the ABC claimed to have seen a letter sent by the company to its clients saying it had become aware of the intrusion on 22 August.
The three companies that were attacked are pathology services provider TissuPath, real estate agent Barry Plant and strata management firm Strata Plan.
-
7 Million Users Possibly Impacted by Freecycle Data Breach
Freecycle.org is prompting millions of users to reset their passwords after their credentials were compromised in a data breach.
-
9 Vulnerabilities Patched in SEL Power System Management Products
Nine vulnerabilities have been patched in SEL electric power management products, adding to the 19 other flaws fixed earlier this year.
-
Norfolk Southern Says a Software Defect — Not a Hacker — Forced It to Park Its Trains This Week
Norfolk Southern believes a software defect — not a hacker — was the cause of the widespread computer outage that forced the railroad to park all of its trains.
-
CISA Hires ‘Mudge’ to Work on Security-by-Design Principles
The U.S. government’s cybersecurity agency CISA on Monday confirmed the addition of Peiter ‘Mudge’ Zatko to its roster of prominent voices preaching the gospel of security-by-design and secure-by-default development principles.
Zatko, most recently the CISO at Twitter who blew the whistle on the social media giant’s security shortcomings, is joining the agency in a part-time capacity to work on the “security and resilience by design” pillar of the Biden administration’s National Cybersecurity Strategy.
-
MITRE and CISA Release Open Source Tool for OT Attack Emulation
MITRE and CISA introduce Caldera for OT, a new extension to help security teams emulate attacks targeting operational technology systems.
-
Breaking Into Secure Facilities With OSDP
Facilities like hospitals, banks, data centers, airports, power and natural gas plants, and government institutions secure their properties with authorization hardware built to use the Open Supervised Device Protocol (OSDP). Unfortunately, there are both design weaknesses and poor practices which can be realistically exploited in the real world. OSDP advertises itself as an encrypted protocol, yet many installations use unencrypted modes. While it has defenses against trivial replay attacks, it has such a small counter inside that with enough samples one could replay communications on the wire. It also uses a truncated Message Authentication Code (MAC), which exposes OSDP systems to brute-force attacks. And lastly, OSDP is by design easy to misuse: installers can leave the controller perpetually in "install" mode which allows any device to ask for secret credentials for another device without any encryption on a shared communication line.
-
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
-
A year after the disastrous breach, LastPass has not improved
In September last year, a breach at LastPass’ parent company GoTo (formerly LogMeIn) culminated in attackers siphoning out all data from their servers. The criticism from the security community has been massive. This was not so much because of the breach itself, such things happen, but because of the many obvious ways in which LastPass made matters worse: taking months to notify users, failing to provide useful mitigation instructions, downplaying the severity of the attack, and ignoring technical issues which had been publicized years earlier and made the attackers’ job much easier. The list goes on.
Now almost a year has passed. LastPass promised to improve, both as far as their communication goes and on the technical side of things. So let’s take a look at whether they managed to deliver.
TL;DR: They didn’t. So far I have failed to find evidence of any improvements whatsoever.