February 5, 2025
Keeping tech free
Now that a working exploit of the USB vulnerability that’s baked-in to the USB standard has been released, it might be a prudent move to no longer employ any USB devices that aren’t already under your control until this situation has been fixed.
The exploit was first made public two months ago at the Black Hat conference in Las Vegas when Karsten Nohl and Jakob Lell of Berlin based Security Research Labs (SRL) demonstrated an attack they called BadUSB to a standing-room-only crowd.
Editor’s note: This article was updated 9/4/2014 at 5:15 p.m. EDT to include latest update from Tux Machines publisher.
The DDOS attack that has rendered the popular Linux site Tux Machines virtually unreachable for nearly two weeks, now seems to be affecting sister site TechRights. Roy Schestowitz, publisher of both sites, told FOSS Force that the attack on TechRights began at about one o’clock Friday afternoon GMT.
“…an hour ago I got some automatic reports and some messages from readers saying that Tech Rights had gone offline,” he said. “I then checked logs, grepped on ‘NT’ (all the zombies are [running different versions of] NT), and saw pretty much the same pattern as on Tux Machines.”
As of eleven o’clock this evening EDT, both site were reachable from FOSS Force’s offices in North Carolina, but we’ve been unable to determine if this is because the attacks have ended or if this is only a temporary reprieve.
Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.
After the patch is applied, there are a couple of commands that can be run from a terminal to ascertain that a system is no longer vulnerable. For details, see the article Steven J. Vaughan-Nichols has written for ZDNet. As yet, there is no patch available for OS X, although Apple says that one is on the way, while assuring its users that Mac systems aren’t vulnerable except for the most advanced users.
The good news about all this is that it demonstrates how quickly the Linux community can get the word out and then rally to engineer a solution when a security problem is discovered. The bad news is that not all Linux users listen. Too many users believe that the security features that are baked into Linux offer complete protection, no matter what. Unfortunately, that’s not the case. It never was, nor can it ever be.
My friend Andrew Wyatt, who spent time some years back as the founder and lead developer of the Fuduntu Linux distro, attempted to address this fact recently in a comment to an article on FOSS Force:
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
“Tyranny. Pure and simple. If it is software, somebody will find a way to hack it. If it is hardware, ‘old’ smartphones will be worth their weight in platinum.”
My friend Ross from Toronto made this comment with a link he posted on Facebook to The Free Thought Project’s article on a new about-to-be law in California. The law mandates a kill switch on all new smartphones, allowing the owner of a stolen phone to disable it until it’s recovered. The bill, CA SB 962, now only needs the expected signature of governor Jerry Brown to become law. In July, a similar law went into effect in Minnesota.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Just because the good guys have discovered a new security risk doesn’t mean the bad guys haven’t known about it forever. The risk is only new to us. It’s actually been there for a long time, maybe forever. Who knows how long everyone from the black hats in Moscow to the NSA in bucolic Maryland have been taking advantage of what appears to us to be a “new” exploit?
The USB security hole recently unveiled by Berlin based Security Research Labs (SRL) seems to be of those that’s been around “forever.”
(click to enlarge)
The trouble is, most of these chips are relatively easy to reprogram.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Reuters reported yesterday that the Chinese government has banned the use of Windows 8 on Chinese government computers. According to the official Xinhua news agency, the ban is being put in place by the Central Government Procurement Center primarily over security concerns now that Microsoft has ended support for XP, which is thought to be the most widely used operating system within China. This news has led Forbes to speculate that this may prompt Redmond to continue to support the OS within the People’s Republic.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
eBay announced this morning that they’ve been hacked and that “encrypted passwords and other non-financial data” have been compromised. They’re expected to begin notifying their customer base later today, which will include a suggestion for users to change their passwords. The company says that PayPal, an eBay subsidiary, uses its own servers and was not affected by the attack.
According to CNET, the first public news of the compromise came by way of a cryptic blog posting by PayPal:
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
The sharing feature of the Jetpack plugin for WordPress is currently being exploited for the purpose of sending spam and possibly for DDOS attacks. FOSS…
Internet, News, Politics, Security and Social Networks
FOSS Week in Review U.S. giving up control of DNS root zone On Friday, March 14, the U.S. announced it’ll relinquish control of the Internet’s…
Java is the target for half of all exploits
We’ve been saying for a couple of years now that Java isn’t safe and have been urging everyone who will listen to disable Java in the browser. As we’ve been saying this, comments to our articles on Java security have filled with folks wagging a finger and “reminding” us that Java is only a threat in the browser, that otherwise Java is safe.
That is wrong. The only time Java is safe is when it’s in a cup. According to an article published on IT World, researchers say that Java is now responsible for fully half of the exploits discovered in December.
Cops tracking phones sans warrants
It appears that the police in Tallahassee, Florida have been busy tracking folks by their cell phones without bothering to show up before a judge and ask for a warrant. Why would they violate the constitutional rights of their citizens this way? Evidently because they were using technology on loan and had signed a non-disclosure agreement.
According to Wired, this information came to light in an appeal of a sexual battery case dating back to 2008 in which a suspect was tracked using the technology to locate a phone that had been stolen from the victim. The police have admitted using the device 200 times, with no judge or warrant involved, since 2010. In a blog post made Monday, the ACLU said the device is “likely a Stingray made by the Florida-based Harris Corporation.” Evidently, the ACLU has long suspected that Harris has been loaning the devices to Florida police departments.
