Mandos Encrypted File System Unattended Reboot Utility 1.7.3

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Go home SSLv2, you’re DROWNing

The SSLv2 protocol had its 21st birthday last month, but it’s no cause to celebrate with an alcoholic beverage, since the protocol was already deprecated when it turned 18.

Announced today is an attack called DROWN that takes advantage of systems still using SSLv2.

Many cryptographic libraries already disable SSLv2 by default, and updates from the OpenSSL project and Red Hat today catch up.

What is DROWN?

CVE-2016-0800, also known as DROWN, stands for Decrypting RSA using Obsolete and Weakened eNcryption and is a Man-in-the-Middle (MITM) attack against servers running TLS for secure communications.

This means that if an attacker can intercept and modify network traffic between a client and the host, the attacker could impersonate the server on what is expected to be a secure connection. The attacker could then potentially eavesdrop or modify important information as it is transferred between the server and client.

Other Man-in-the-Middle attacks have included POODLE and FREAK. The famous OpenSSL Heartbleed issue from April 2014 did not need a Man-in-the-Middle and was therefore a much more severe risk.

How does it work?

The DROWN issue is technically complicated, and the ability to attack using it depends on a number of factors described in more detail in the researchers’ whitepaper. In short, the attack exploits a flaw in the SSLv2 protocol as an oracle in order to help break the encryption on other TLS services if a shared RSA key is in use. The issue is quite tricky to exploit by itself, but it becomes easier on servers that have not applied certain OpenSSL security updates released about a year ago. The researchers call this variant “Special DROWN”, as it could allow a real-time Man-in-the-Middle attack.

Red Hat has a vulnerability article in the Customer Portal which explains the technical attack and the dependencies in more detail.
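The shared-RSA-key condition is the part of the attack that is easiest to overlook during triage: a service that only speaks TLS is still in scope if some other service presents the same RSA key and still accepts SSLv2. The following added example (not code from the Red Hat post) works through that logic over a constructed scan inventory; the host names, ports and key fingerprints are placeholders.

```python
"""Triage a TLS service inventory for DROWN (CVE-2016-0800) exposure.

Added example, not part of the original post. Assumes a scan inventory
(constructed below) where each entry records whether the endpoint still
accepts SSLv2 and a fingerprint of the RSA key it presents.
"""
from collections import defaultdict

# Constructed sample inventory. Hosts and fingerprints are placeholder
# labels, not real systems or real key hashes.
INVENTORY = [
    {"host": "mail.example.test", "port": 25,   "sslv2": True,  "rsa_fp": "KEY-A"},
    {"host": "www.example.test",  "port": 443,  "sslv2": False, "rsa_fp": "KEY-A"},
    {"host": "www.example.test",  "port": 8443, "sslv2": False, "rsa_fp": "KEY-B"},
    {"host": "vpn.example.test",  "port": 443,  "sslv2": False, "rsa_fp": "KEY-C"},
]


def drown_exposure(inventory):
    """Return {"host:port": reason} for every service an SSLv2 oracle could break.

    A service is exposed directly if it still speaks SSLv2, and indirectly if
    it only speaks TLS but presents the same RSA key as some SSLv2 endpoint:
    the oracle works against the key, not against the protocol the victim uses.
    """
    by_key = defaultdict(list)
    for svc in inventory:
        by_key[svc["rsa_fp"]].append(svc)

    exposed = {}
    for svc in inventory:
        name = f'{svc["host"]}:{svc["port"]}'
        if svc["sslv2"]:
            exposed[name] = "SSLv2 enabled: direct DROWN oracle"
            continue
        oracles = [f'{o["host"]}:{o["port"]}'
                   for o in by_key[svc["rsa_fp"]] if o["sslv2"]]
        if oracles:
            exposed[name] = "shares RSA key with SSLv2 endpoint(s): " + ", ".join(oracles)
    return exposed


if __name__ == "__main__":
    for name, reason in drown_exposure(INVENTORY).items():
        print(f"{name}: {reason}")
```

Fixing the exposure means disabling SSLv2 on the oracle endpoint (here the mail server), not only on the services that appear affected.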

How is Red Hat affected?

OpenSSL is affected by this issue. In Red Hat Enterprise Linux, the cryptographic libraries GnuTLS and NSS are not affected by this issue as they intentionally do not enable SSLv2.

Customers who are running services that have the SSLv2 protocol enabled could be affected by this issue.

Red Hat has rated this issue as having Important security severity. A successful attack would need to be able to leverage a number of conditions and require an attacker to be a Man-in-the-Middle.

Red Hat advises that SSLv2 is a protocol that should no longer be considered safe and should not be used in a modern environment. Red Hat updates for OpenSSL can be found here: https://access.redhat.com/security/cve/cve-2016-0800. The updates cause the SSLv2 protocol to be disabled by default.

Our OpenSSL updates also include several other lower priority security fixes which are each described in the Errata. Your organization should review those issues as well when assessing risk.

If you are a Red Hat Insights customer, a test has been added to identify servers affected by this issue.

What do you need to do?

If you are unsure of any details surrounding this issue in your environment, you should apply the update and restart services as appropriate. For detailed technical information please see the Red Hat vulnerability article.

Security protocols don’t turn 21 every day, so let’s turn off SSLv2, raise a glass, and DROWN one’s sorrows. Cheers!

CEBA-2016:0298 CentOS 6 findutils FASTTRACKBugFix Update

CentOS Errata and Bugfix Advisory 2016:0298

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-0298.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

i386:
ed1a7580800b4cb68fd882f39eafe9c4a0d8b2ec9ff6d25358f2f10d9cc35555  findutils-4.4.2-9.el6.i686.rpm

x86_64:
fbbb4d9e91b0a7cac328167d09a3591d9ee50e990d86da45bee99f8020a03db3  findutils-4.4.2-9.el6.x86_64.rpm

Source:
8f0afaba4a8461e71ea4001750df754ff6406e5a68e5276c8aae4a36a6a9632c  findutils-4.4.2-9.el6.src.rpm

Safer selfies on the way as Instagram plans two-step verification

More than 400 million selfie lovers can breathe a sigh of relief – Instagram, the social network phenomenon, has revealed that the two-step verification process is soon to be unveiled on its platform.

This means that Instagram accounts will now be better protected by a log-in procedure which should make things harder for cyber-attackers trying to access accounts without permission. With the new two-step procedure, an email address and password will no longer be enough to enter; the user will also need to have the smartphone that the account is linked to.

Facebook, which owns Instagram, already offers the new log-in option, and now the photo platform will boast it, too. Every person that has an account on Instagram can now link it to a telephone number, ensuring an extra layer of security.

So, every time that someone (even the account owner) tries to access the account from a new device, the social media platform will send a code to this telephone number. Without this code it will be impossible to access the account.

This new feature will be rolled out progressively, so soon all users that are worried about their security will be able to enter their telephone number and avoid cyber-attackers accessing their accounts and eliminating photos or using the account for malicious means.

Caution on Instagram

This new security measure comes not long after the platform put its own users’ privacy at risk. When it introduced a new feature, the ability to manage several accounts from the same device, serious security issues were unearthed.

A bug meant that some users could see notifications belonging to other accounts that shared the device. This highlighted that having the same Instagram account synchronized on different devices meant that different users could see messages, notifications, and even like other photos.

Despite this flaw being fixed, what is certain is that internet users must always take care when sharing information and should be aware of their privacy online.

Thus, the two-step verification process on Instagram is a step forward in terms of security and should protect users the same way as Facebook, Microsoft, and Google already do. Even though new verification techniques are being worked on (such as the ones created by a group of investigators at the ETH Information Security Institute in Zurich), at the moment the best way is to use our personal telephone numbers.

However, having two-step verification is just as important as having secure passwords: they should be long, contain numbers, different cases and symbols, and should be different for each account. To be able to manage the large number of passwords needed today, it’s best to have a password manager such as the one offered by Panda in its different protection packs, which lets you control your passwords at the click of a button.

The post Safer selfies on the way as Instagram plans two-step verification appeared first on MediaCenter Panda Security.

The Dirty Dozen tax scams: Identity theft, phone scams and phishing schemes, oh my!

Scammers target taxpayers as they prepare their tax returns or hire someone to do so.

It’s that time of the year again – tax season is upon us.

Recently, the Internal Revenue Service wrapped up its annual “Dirty Dozen” list of tax scams. This year, identity theft topped the list, but phone scams and phishing schemes also deserve special mentions. It’s important that taxpayers guard against ploys to steal their personal information, scam them out of money or talk them into engaging in questionable behavior with their taxes. While discussing the topic of tax scams, IRS Commissioner John Koskinen said:

“We are working hard to protect taxpayers from identity theft and other scams this filing season. . .Taxpayers have rights and should not be frightened into providing personal information or money to someone over the phone or in an email. We urge taxpayers to help protect themselves from scams — old and new.”

In addition to releasing the “Dirty Dozen” list, the IRS has also renewed a consumer alert for email schemes. This renewal came after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season.

We encourage taxpayers to review the list in a special section on IRS.gov and be on the lookout for the many different forms of tax scams. Many of these con games peak during filing season as people prepare their tax returns or hire someone to do so.

Taking a closer look at this year’s “Dirty Dozen” scams

Here’s what you should keep your eyes open for throughout this tax season:

Identity theft: Taxpayers need to watch out for identity theft — especially around tax time. The IRS continues to aggressively pursue the criminals that file fraudulent returns using someone else’s Social Security number. Though the agency is making progress on this front, taxpayers still need to be extremely careful and do everything they can to avoid being victimized.

Phone scams: Phone calls from criminals impersonating IRS agents remain an ongoing threat to taxpayers. The IRS has seen a surge of these phone scams in recent years as scam artists threaten taxpayers with police arrest, deportation and license revocation, among other things.

Phishing: Taxpayers need to be on guard against fake emails or websites looking to steal personal information. The IRS will never send taxpayers an email about a bill or refund out of the blue, so don’t click on one claiming to be from the IRS.

Return preparer fraud: Be on the lookout for unscrupulous return preparers. The vast majority of tax professionals provide honest high-quality service, but there are some dishonest preparers who set up shop each filing season to perpetrate refund fraud, identity theft and other scams that hurt taxpayers.

Offshore tax avoidance: The recent string of successful enforcement actions against offshore tax cheats and the financial organizations that help them shows that it’s a bad bet to hide money and income offshore. Taxpayers are best served by coming in voluntarily and getting caught up on their tax-filing responsibilities.

Inflated refund claims: Be wary of anyone who asks taxpayers to sign a blank return, promises a big refund before looking at their records, or charges fees based on a percentage of the refund. Scam artists use flyers, ads, phony store fronts and word of mouth via trusted community groups to find victims.

Fake charities: Be on guard against groups masquerading as charitable organizations to attract donations from unsuspecting contributors. Contributors should take a few extra minutes to ensure their hard-earned money goes to legitimate and currently eligible charities.

Falsely padding deductions on returns: Taxpayers should avoid the temptation of falsely inflating deductions or expenses on their returns to underpay what they owe or possibly receive larger refunds.

Excessive claims for business credits: Avoid improperly claiming the fuel tax credit, a tax benefit generally not available to most taxpayers. The credit is generally limited to off-highway business use, including use in farming. Taxpayers should also avoid misuse of the research credit.

Falsifying income to claim credits: Don’t invent income to wrongly qualify for tax credits, such as the Earned Income Tax Credit. Taxpayers are sometimes talked into doing this by scam artists. This scam can lead to taxpayers facing big bills to pay back taxes, interest and penalties and in some cases, criminal prosecution.

Abusive tax shelters: Don’t use abusive tax structures to avoid paying taxes. The vast majority of taxpayers pay their fair share, and everyone should be on the lookout for people peddling tax shelters that sound too good to be true. When in doubt, taxpayers should seek an independent opinion regarding complex products they are offered.

Frivolous tax arguments: Don’t use frivolous tax arguments in an effort to avoid paying tax. Promoters of frivolous schemes encourage taxpayers to make unreasonable and outlandish claims even though they are wrong and have been repeatedly thrown out of court. The penalty for filing a frivolous tax return is $5,000.

Proceed with caution while filing taxes

Perpetrators of illegal scams can face significant penalties and interest and possible criminal prosecution. IRS Criminal Investigation works closely with the Department of Justice to shut down scams and prosecute the criminals behind them. Taxpayers should remember that they are legally responsible for what is on their tax return even if it is prepared by someone else. Be sure the preparer is up to the task.

For more information about tax scams, check out the IRS on YouTube.

Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.