BSI chief: Germany poorly prepared for cyberattacks
Germany's defences against hacker attacks have dangerous gaps, according to Claudia Plattner.
xz attack: backdoor deciphered, further details on affected distros
Experts consider the backdoor in liblzma the most sophisticated supply chain attack to date. It allows attackers to inject commands remotely.
#Debian #Fedora #Linux #LinuxDistribution #OpenSource #Opensuse #RedHat #Security #SSH #Ubuntu #news
This is one of the best explanations of the xz matter I have seen so far:
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
and it leads in with a quote to remember -
"This dependency existed not because of a deliberate design decision by the developers of OpenSSH, but because of a kludge added by some Linux distributions to integrate the tool with the operating system’s newfangled orchestration service, systemd."
Enjoy!
UPDATE: AT&T just officially confirmed that the data breach is real and that the data came from 7.6 million current and 65.4 million former customers, from 2019 and earlier. https://techcrunch.com/2024/03/30/att-reset-account-passcodes-customer-data/
Backdoor in xz library endangers SSH connections
The attack was apparently planned well in advance. A possibly state-sponsored actor hid a backdoor in the liblzma library.
Regarding xz-utils backdoor (liblzma5): Right now no Debian stable versions are known to be affected.
Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1. Debian #Linux 12/11/10 appears safe. Taken from https://lists.debian.org/debian-security-announce/2024/msg00057.html #infosec #security
🚨 ⚠️ Emergency PSA: A critical security exploit was discovered in the xz package recently, used for compression and decompression on nearly all Linux distributions.
Rawhide users ARE impacted and should immediately STOP using Rawhide until the package update is fully rolled back. (1/3)
Security Advisory: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Backdoor in upstream xz/liblzma leading to ssh server compromise https://www.openwall.com/lists/oss-security/2024/03/29/4 #unix #linux #openssh #infosec #security
For those of you who use LLMs to help you code, here's a warning: these tools have been shown to hallucinate packages in a way that allows an attacker to poison your application. https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/ #ai #gpt #chatgpt #security
There's a #security #vulnerability in Saflok’s RFID-based keycard locks, so assume anyone can open those locks to get into your hotel room, and yeah, it won't be fixed unless something life-threatening happens, which is even more wild. https://www.schneier.com/blog/archives/2024/03/security-vulnerability-in-safloks-rfid-based-keycard-locks.html
😮
"Warning: Apple Users Targeted in Advanced Phishing Attack Involving Password Reset Requests"
This one is kind of amazing to me. An exploit that continuously puts up a "Reset Password" alert on your iPhone until you hit approve.
Takes 100 clicks on "Don't Allow" to disable.
https://www.macrumors.com/2024/03/26/apple-password-reset-phishing-attack/
#security #Apple #iPhone
After the Taurus leaks: new BSI security label for video conferencing
The label is based on a voluntary commitment by the providers. Some important security features remain optional, however.
SimpleX Chat: Real privacy via stable profits and non-profit protocol governance.
See the post about v5.6 release with quantum resistant end-to-end encryption and also how SimpleX network will deliver real privacy via a profitable business and non-profit protocol governance:
Esra'a Al Shafei (@alshafei) has just joined SimpleX Chat team to help us deliver these goals - welcome!
#Russia’s top #security agency said that 40 people had been killed & >100 wounded as a result of the attack, state news agencies reported.
#Shooting #Explosion #Putin #Moscow #CrocusCityHall
https://www.nytimes.com/live/2024/03/22/world/moscow-shooting?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb
The #UnitedStates #Embassy in #Moscow issued a #security alert on Mar 7, warning that its personnel were “monitoring reports that #extremists have imminent plans to target large gatherings in Moscow, to include concerts.”
The statement warned Americans that an attack could take place in the next 48 hrs.
#Shooting #Explosion #Putin #Russia #CrocusCityHall
https://ru.usembassy.gov/security-alert-avoid-large-gatherings-over-the-next-48-hours/
“Disabling cyberattacks” are hitting critical US water systems, White House warns
#news #tech #technology #technews #security #usa #cybersecurity #cyberattack
Anyone looking for (short) tips on how to effectively protect their identity online should take a look at 👇. 31 tips for more security and privacy on the internet. Feel free to add your own tips.
https://www.kuketz-blog.de/31-tipps-fuer-mehr-sicherheit-und-datenschutz-im-internet/
#secprivacy2023 #sicherheit #datenschutz #awareness
#security #privacy #schutz
Why is a very important #security feature, #TwoFactorAuthentication, a premium, #DeviantArt?
Your users have to pay to get a basic #cybersecurity feature like #2FA?
Me: "You need a new server. The current one is 14 years old, critical, and starting to show signs of fatigue and inadequacy."
Them: "No, make it work. At most, we'll add more RAM."
Me: "We should still upgrade it, and no, you can't keep running virtualized Windows Server 2008 indefinitely, even if it's only on the LAN. You need to plan an upgrade for the entire infrastructure."
Them: "No, we have no budget for this (after spending thousands of euros on purely aesthetic office redecorations for staff offices, which were already in excellent condition)."
Me: "It's about 3,000, maximum 4,000 euros - do you realize that if that server were to go down, the loss for you would be in those figures every hour of downtime? Maybe you don't worry about it, but I do, because I understand what you're risking."
Them: "Find a way to make the current hardware work stably so you can stop worrying."
Me: "Okay, I've found the solution. From now on, you can find yourselves a new consultant, because from now on, I've already stopped worrying about you."
Sometimes it's necessary, unfortunately.
Adding the ability to edit S3 api key/secret credentials is sketchy and requires careful consideration.
Before: fetch from cached .env variables
After: fetch from redis cache, if fails fetch from db, if fails fetch from cached .env vars
Now we need to store api keys in the database and hydrate the cache with the values, so I'm encrypting the db values and decrypting them in the redis cache.
Few db columns need this level of security, but I think I got this right 🤔
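The cache-then-database-then-.env lookup chain described in the post above, as an added example that is not the poster's code: a Go program with in-memory maps standing in for Redis and the database (constructed stand-ins), the S3 secret sealed with AES-GCM under a key-encryption key `kek` that is assumed to come from a KMS or the process environment rather than the database, and a `Lookup` that reports which tier answered so that a fallback to the .env value can be logged. The names `Store`, `Credential`, `Set` and `Lookup` are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is an S3 access key pair as handed to the application.
type Credential struct{ Key, Secret string }

// dbRow is what the database holds: the key id in the clear (it is not a
// secret) and the secret sealed with AES-GCM, nonce prefixed to the ciphertext.
type dbRow struct {
	Key    string
	Sealed []byte
}

// Store models the three lookup tiers. cache and db are constructed in-memory
// stand-ins for Redis and the real database; kek is the key-encryption key,
// assumed to be supplied from a KMS or the environment, never stored in db.
type Store struct {
	kek   []byte
	cache map[string]Credential // plaintext, volatile
	db    map[string]dbRow      // encrypted at rest
	env   map[string]Credential // loaded from .env at boot
}

func NewStore(kek []byte, env map[string]Credential) (*Store, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	return &Store{kek: kek, cache: map[string]Credential{}, db: map[string]dbRow{}, env: env}, nil
}

func (s *Store) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal binds the key id as associated data, so a ciphertext cannot be
// silently moved onto another key id's row without failing authentication.
func (s *Store) seal(keyID, secret string) ([]byte, error) {
	g, err := s.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, []byte(secret), []byte(keyID))...), nil
}

func (s *Store) open(keyID string, sealed []byte) (string, error) {
	g, err := s.aead()
	if err != nil {
		return "", err
	}
	if len(sealed) < g.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], []byte(keyID))
	if err != nil {
		return "", err // tampered row or wrong kek: caller falls through
	}
	return string(pt), nil
}

// Set writes the encrypted row to the database and hydrates the cache.
func (s *Store) Set(name string, c Credential) error {
	sealed, err := s.seal(c.Key, c.Secret)
	if err != nil {
		return err
	}
	s.db[name] = dbRow{Key: c.Key, Sealed: sealed}
	s.cache[name] = c
	return nil
}

// Lookup resolves cache -> db -> env and returns the tier that answered.
func (s *Store) Lookup(name string) (Credential, string, error) {
	if c, ok := s.cache[name]; ok {
		return c, "cache", nil
	}
	if row, ok := s.db[name]; ok {
		if secret, err := s.open(row.Key, row.Sealed); err == nil {
			c := Credential{Key: row.Key, Secret: secret}
			s.cache[name] = c // re-hydrate after a cache miss
			return c, "db", nil
		}
	}
	if c, ok := s.env[name]; ok {
		return c, "env", nil
	}
	return Credential{}, "", fmt.Errorf("no credential named %q", name)
}
```

A row whose ciphertext fails authentication is treated as absent rather than returned, which is why the tier name is worth logging: a request served from "env" after credentials were rotated into the database points at a tampered or mis-keyed row.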
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.