An anonymous reader writes: The Alpine Linux development team released Alpine Linux v3.6. Some of the features introduced include Rust 1.17.0, Cargo 0.18.0, PHP 7.1, LLVM 4.0, Go 1.8, Python 3.6, nginx 1.12 and Ruby 2.4. Support was added for 64-bit little-endian POWER machines and 64-bit IBM z Systems. Docker images are based on Alpine Linux. Alpine Linux was designed with security in mind. The kernel is patched with an unofficial port of grsecurity/PaX, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. The simple and lightweight OpenRC is the init system currently used by Alpine Linux. Unlike the Debian, Ubuntu, RHEL, Arch Linux and CentOS distributions of Linux, Alpine does not use systemd.
chicksdaddy writes: Software used to remotely program implantable cardiac devices by a number of vendors is rife with exploitable software vulnerabilities that leave the devices vulnerable to attacks and compromise, according to a report by the firm Whitescope Inc. (http://blog.whitescope.io/2017/05/understanding-pacemaker-systems.html), The Security Ledger reports (https://securityledger.com/2017/05/code-blue-8k-vulnerabilities-in-software-to-manage-cardiac-devices/).
Researchers Billy Rios of Whitescope and Jonathan Butts analyzed the hardware and software associated with implantable cardiac devices spanning four separate vendors and product families and found a wide range of security weaknesses. Among other things, home monitoring devices do not validate the source of firmware updates, creating the potential for a so-called “man-in-the-middle attack” that could send counterfeit firmware to a home monitoring device. In a related issue, none of the vendors studied digitally signed the firmware to ensure that it is official and to limit the ability of non-authorized firmware to run on devices.
Component re-use and "cross pollination" between similar devices by different vendors is a major problem, the researchers found. Across the four vendors, there was an average of 86 third-party components used in the implantable devices and 43 vulnerable third-party components. Per-device, the average number of known vulnerabilities in those third-party components was 2,166.
The security of implantable medical devices has been the subject of controversy. In August 2016, for example, the firm MedSec released a report on vulnerabilities in devices manufactured by St. Jude Medical. MedSec, working with Wall Street firm Muddy Waters, warned of a wide range of exploitable security holes in the company’s pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. A subsequent report by the U.S. Food and Drug Administration (FDA), released in April (https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm552687.htm), found that St. Jude Medical (now Abbott) knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or other mitigations, or by replacing those devices. (https://securityledger.com/2017/04/fda-st-judes-knew-about-device-flaws-2-years-before-muddy-waters-report/)
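The control the report says is missing, namely a device-side check that a firmware update really came from the vendor, looks like the following. This is an added example, not code from the post, the report or any device vendor: the image layout (a "FWIM" magic, a big-endian version field, the payload, then an Ed25519 signature), the function names and the sample payload are all constructed for illustration. The device pins only the vendor's public key; an update modified in transit, or one signed with some other key, fails verification before anything is flashed, and a monotonic version check refuses downgrades to an older, already-signed image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//   magic (4 bytes) | version (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so any byte change is detected.
var imageMagic = []byte("FWIM")

var (
	ErrTooShort     = errors.New("firmware: image too short")
	ErrBadMagic     = errors.New("firmware: bad magic")
	ErrBadSignature = errors.New("firmware: signature does not verify against pinned vendor key")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// NewVendorKeyPair creates the vendor's signing key. Only the public half is
// pinned in the device; the private half never leaves the vendor's signing system.
func NewVendorKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor side: assemble header and payload, then sign them.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 0, 8+len(payload))
	body = append(body, imageMagic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	body = append(body, v[:]...)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device / home-monitor side: check the signature with the
// pinned public key and refuse rollbacks before handing the payload to the flasher.
// It returns the verified version and payload, or a sentinel error.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 8+ed25519.SignatureSize {
		return 0, nil, ErrTooShort
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if string(body[:4]) != string(imageMagic) {
		return 0, nil, ErrBadMagic
	}
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[8:], nil
}

func main() {
	pub, priv := NewVendorKeyPair()
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))

	v, payload, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, string(payload), err)

	// An update altered in transit: flip one payload byte.
	tampered := append([]byte(nil), img...)
	tampered[9] ^= 0x01
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	// An image signed by a key other than the vendor's.
	_, otherPriv := NewVendorKeyPair()
	_, _, err = VerifyImage(pub, 1, BuildImage(otherPriv, 2, []byte("x")))
	fmt.Println("foreign key:", err)

	// A genuine but older image offered to a device already on version 2.
	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("rollback:", err)
}
```

The check is deliberately ordered so that the signature is verified over the whole header and payload before any field is interpreted; a device that parsed the version first would be trusting unauthenticated bytes.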
mi writes: In his final congressional testimony before he was fired by President Trump this month, then-FBI Director James Comey unequivocally told lawmakers his agency used sensitive espionage data gathered about Americans without a warrant only when it was “lawfully collected, carefully overseen and checked.”
Once-top secret U.S. intelligence community memos reviewed by Circa tell a different story, citing instances of “disregard” for rules, inadequate training and “deficient” oversight and even one case of deliberately sharing spy data with a forbidden party.
An anonymous reader writes: What many have feared has become reality today, after Malwarebytes researchers discovered an online malvertising campaign that can bypass ad blockers. Named RoughTed, this campaign has been going strong for over a year, and has been delivering malicious ads on sites such as Adf.ly, ExtraTorrent, Openloud, and many others in the Alexa top 500.
In an interview, Jerome Segura, the researcher who discovered this campaign, says RoughTed uses very aggressive advertising to detect a user's PC details. Segura also says that RoughTed is not the first malvertising campaign to deploy ad-blocker bypassing scripts, but it's the first at such a large scale. Users of ad-blockers have also started noticing RoughTed's ability to bypass their extensions (Adblock Plus, uBlock Origin or AdGuard).
Furthermore, RoughTed seems to be very diverse, sending users to all sorts of nasty sites, such as exploit kits, Windows PUP download sites, Mac adware sites, iOS pay-per-install schemes, online surveys, tech support scams, rogue Chrome extensions, and others. Basically, this malvertising campaign takes advantage of most of its traffic, not just users that use old IE versions.
Lauren Weinstein writes: Of course, firms could indeed choose to withdraw from such markets, perhaps in conjunction with geoblocking of domestic users in those countries to meet government prohibitions against strong encryption. Pretty awful prospects.
There is another possibility though — that I’ll admit up front would be highly controversial. Rather than crippling those designated encryption systems in those countries under government orders, firms could choose to disable those encryption systems entirely!
I know that this sounds counterintuitive, but please hang with me for a few minutes!
Lauren Weinstein writes: Within hours of Google announcing their new “Store Sales Measurement” system, my inbox began filling with concerned queries. I held off responding on this until I could get additional information directly from Google. With that now in hand I feel comfortable in addressing this issue.
schwit1 writes: The Vermont Department of Motor Vehicles has been caught using facial recognition software — despite a state law preventing it.
Documents obtained by the American Civil Liberties Union of Vermont describe such a program, which uses software to compare the DMV’s database of names and driver’s license photos with information from state and federal law enforcement. Vermont state law, however, specifically states that “The Department of Motor Vehicles shall not implement any procedures or processes that involve the use of biometric identifiers.”
The program, the ACLU says, invites state and federal agencies to submit photographs of persons of interest to the Vermont DMV, which it compares against its database of some 2.6 million Vermonters and shares potential matches. Since 2012, the agency has run at least 126 such searches on behalf of local police, the State Department, FBI, and Immigrations and Customs Enforcement.
boundary writes: The UK government looks to be about to put the most egregious parts of the Investigatory Powers Act into force 'soon after the election' (which is in a couple of weeks) in the wake of the recent bombing in Manchester. 'Technical Capability Orders' require tech companies to break their own security. I wonder who'll comply?
Instead, researchers from the Georgia Institute of Technology, the IMDEA Software Institute and EURECOM posit that a better approach would be an analysis of network traffic to suspicious domains that would potentially cut detection times down by weeks or even months.
The researchers’ conclusions are based on a study of five years’ worth of network traffic from a large U.S.-based internet service provider, comprising more than five billion network events. The group had more than 26 million malware samples at their disposal, and studied DNS server requests made by malware and potentially unwanted programs (PUPs), as well as the timing around the registration of expired domains.
The researchers concluded that attackers—including spammers and adware purveyors dabbling in PUPs—re-use infrastructure over and over and that provides a better early-detection signal than an exclusive study of malware and PUP domains. They found more than 300,000 malware samples were active for at least two weeks before they were submitted to a feed such as VirusTotal or picked up and analyzed in a vendor feed.
“When we looked at when malware samples actually showed up in malware feeds where they dynamically analyzed and network signal was extracted from them, we noticed that network signal was extracted in the feed often weeks or months after we saw the first resolutions for that domain in real network traffic from a major ISP in the U.S.,” said Chaz Lever of Georgia Tech, one of the report’s coauthors.
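The infrastructure-reuse signal the researchers describe, as an added example that is not part of the post or of the researchers' own tooling: resolution events are replayed in time order, and a domain is flagged the first day it resolves to an IP that has already hosted a domain listed in a malware feed, with the lead time over the feed measured afterwards. The observations, feed dates, domain names and IPs are constructed for this example (the IPs come from documentation ranges), and the day numbers are relative integers rather than real timestamps; a real deployment would replay passive-DNS logs against a feed such as the VirusTotal submissions mentioned above.

```go
package main

import (
	"fmt"
	"sort"
)

// Observation is one resolution seen in ISP DNS traffic: on Day, Domain resolved to IP.
type Observation struct {
	Day    int
	Domain string
	IP     string
}

// DetectByReuse replays observations in day order. A domain is flagged on the first
// day it resolves to an IP that has already hosted a domain listed in the malware
// feed (feed maps domain -> day it appeared in the feed). When a domain enters the
// feed, every IP it resolved to so far is marked, so earlier co-hosting is caught
// too. Domains already listed in the feed are not flagged: the point of the signal
// is to get ahead of the feed, not to restate it.
func DetectByReuse(obs []Observation, feed map[string]int) map[string]int {
	sorted := append([]Observation(nil), obs...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Day < sorted[j].Day })

	domainIPs := map[string]map[string]bool{} // every IP a domain has resolved to so far
	badIPs := map[string]bool{}               // IPs that hosted a feed-listed domain
	applied := map[string]bool{}              // feed listings whose IPs are already marked
	flagged := map[string]int{}               // domain -> first day flagged

	i := 0
	for i < len(sorted) {
		day := sorted[i].Day
		// Feed listings up to and including today taint the infrastructure they used.
		for d, listedDay := range feed {
			if listedDay <= day && !applied[d] {
				for ip := range domainIPs[d] {
					badIPs[ip] = true
				}
				applied[d] = true
			}
		}
		for ; i < len(sorted) && sorted[i].Day == day; i++ {
			o := sorted[i]
			if domainIPs[o.Domain] == nil {
				domainIPs[o.Domain] = map[string]bool{}
			}
			domainIPs[o.Domain][o.IP] = true

			if listedDay, listed := feed[o.Domain]; listed && listedDay <= day {
				badIPs[o.IP] = true // a known-bad domain moved to new infrastructure
				continue
			}
			if _, done := flagged[o.Domain]; !done && badIPs[o.IP] {
				flagged[o.Domain] = day
			}
		}
	}
	return flagged
}

// LeadTimes reports, for flagged domains that later appeared in the feed, how many
// days the reuse signal preceded the feed.
func LeadTimes(flagged, feed map[string]int) map[string]int {
	lead := map[string]int{}
	for d, day := range flagged {
		if listedDay, ok := feed[d]; ok && listedDay > day {
			lead[d] = listedDay - day
		}
	}
	return lead
}

// SampleTraffic and SampleFeed are constructed for this example.
var SampleTraffic = []Observation{
	{1, "listed-early.example", "203.0.113.10"},
	{2, "fresh-a.example", "203.0.113.10"},
	{3, "benign.example", "198.51.100.5"},
	{4, "fresh-b.example", "203.0.113.11"},
	{5, "listed-later.example", "192.0.2.7"},
	{6, "fresh-b.example", "203.0.113.10"},
	{8, "fresh-c.example", "192.0.2.7"},
}

var SampleFeed = map[string]int{
	"listed-early.example": 1,
	"listed-later.example": 7,
	"fresh-a.example":      30,
	"fresh-b.example":      20,
}

func main() {
	flagged := DetectByReuse(SampleTraffic, SampleFeed)
	for d, day := range flagged {
		fmt.Printf("%-22s flagged on day %d\n", d, day)
	}
	for d, n := range LeadTimes(flagged, SampleFeed) {
		fmt.Printf("%-22s %d days ahead of the feed\n", d, n)
	}
}
```

On the constructed data, fresh-a.example is flagged on day 2 and enters the feed on day 30, fresh-b.example on day 6 against a feed date of day 20, and fresh-c.example on day 8 because listed-later.example retroactively tainted 192.0.2.7 when it was listed; benign.example never shares infrastructure and is left alone. Shared hosting and CDN addresses would produce false positives with this naive IP-level taint, so in practice the marked set would be restricted to addresses with a small, attacker-controlled population.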