LWN.net: Simply Secure announces itself

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

A new organization to “make security easy and fun” has announced itself in a blog post entitled “Why Hello, World!”. Simply Secure is targeting the usability of security solutions: “If privacy and security aren’t easy and intuitive, they don’t work. Usability is key.”
The organization was started by Google and Dropbox; it also has the Open Technology Fund as one of its partners.
“To build trust and ensure quality outcomes, one core component of our work will be public audits of interfaces and code. This will help validate the security and usability claims of the efforts we support.

More generally, we aim to take a page from the open-source community and make as much of our work transparent and widely-accessible as possible. This means that as we get into the nitty-gritty of learning how to build collaborations around usably secure software, we will share our developing methodologies and expertise publicly. Over time, this will build a body of community resources that will allow all projects in this space to become more usable and more secure.”

SANS Internet Storm Center, InfoCON: green: Apple Releases OS X 10.9.5 / Safari 6.2 and 7.1 with several security fixes http://support.apple.com/kb/HT1222, (Thu, Sep 18th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

The “Fraud Related” section of the Evolution Market.

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods — including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers, and by encrypting that traffic at every hop along the way.

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed “ImperialRussia” who was advertising medical records for sale. ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

A set of five fullz retails for $40 ($8 per record). Buy 20 fullz and the price drops to $7 per record. Purchase 50 or more fullz, and the per record cost falls to just $6.40 — roughly the price of a value meal at a fast food restaurant. Incidentally, even at $8 per record, that’s cheaper than the price most stolen credit cards fetch on the underground markets.

Imperial Russia’s ad on Evolution pimping medical and financial records stolen from a Texas life insurance firm.

“Live and Exclusive database of US FULLZ from an insurance company, particularly from NorthWestern region of U.S.,” ImperialRussia’s ad on Evolution enthuses. The pitch continues:

“Most of the fullz come with EXTRA FREEBIES inside as additional policyholders. All of the information is accurate and confirmed. Clients are from an insurance company database with GOOD to EXCELLENT credit score! I, myself was able to apply for credit cards valued from $2,000 – $10,000 with my fullz. Info can be used to apply for loans, credit cards, lines of credit, bank withdrawal, assume identity, account takeover.”

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

American Income Life referred all calls to the company’s parent firm — Torchmark Corp., an insurance holding company in McKinney, Texas. This publication shared with Torchmark the records obtained from Imperial Russia. In response, Michael Majors, vice president of investor relations at Torchmark, said that the FBI and Secret Service were assisting the company in an ongoing investigation, and that Torchmark expected to begin the process of notifying affected consumers this week.

“We’re aware of the matter and we’ve been working with law enforcement on an ongoing investigation,” Majors said, after reviewing the documents shared by KrebsOnSecurity. “It looks like we’re working on the same matter that you’re inquiring about.”

Majors declined to answer additional questions, such as whether Torchmark has uncovered the source of the data breach and stopped the leakage of customer records, or when the company believes the breach began. Interestingly, ImperialRussia’s first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on ImperialRussia’s sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant’s bank account.

Jessica Johnson, a Washington state resident whose records were among those sold by ImperialRussia, said in a phone interview that she received a call from a credit bureau this week after identity thieves tried to open two new lines of credit in her name.

“It’s been a nightmare,” she said. “Yesterday, I had all these phone calls from the credit bureau because someone tried to open two new credit cards in my name. And the only reason they called me was because I already had a credit card with that company and the company thought it was weird, I guess.”

ImperialRussia discusses his wares with potential and previous buyers.

More than 1.8 million people were victims of medical ID theft in 2013, according to a report from the Ponemon Institute, an independent research group. I suspect that many of these folks had their medical records stolen and used to open new lines of credit in their names, or to conduct tax refund fraud with the Internal Revenue Service (IRS).

Placing a fraud alert or freeze on your credit file is a great way to block identity thieves from hijacking your good name. For pointers on how to do that, as well as other tips on how to avoid becoming a victim of ID theft, check out this story.

LWN.net: Thursday’s security advisories

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated icedove (two vulnerabilities) and libav (multiple unspecified vulnerabilities).

openSUSE has updated curl (13.1, 12.3: two cookie-handling vulnerabilities).

Oracle has updated automake (OL5: code execution from 2012), bind97 (OL5: three vulnerabilities, two from 2013), conga (OL5: multiple vulnerabilities, some going back to 2012), krb5 (OL5: code execution), krb5 (OL5: multiple vulnerabilities, two from 2013), and nss, nspr (multiple vulnerabilities, one from 2013).

SUSE has updated squid3 (SLE11SP3: denial of service).

Schneier on Security: The Full Story of Yahoo’s Fight Against PRISM

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In 2008 Yahoo fought the NSA to avoid becoming part of the PRISM program. They eventually lost their court battle, and at one point were threatened with a $250,000 a day fine if they continued to resist. I am continually amazed at the extent of the government coercion.

TorrentFreak: Hollywood Workers Demand Peter Sunde’s Dignity & Freedom

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The imprisonment of former Pirate Bay spokesman Peter Sunde has been going on since late May 2014, provoking a number of reports on the conditions under which he is being held.

Despite being accused of non-violent crimes, Peter is being held in a high-security unit and without concern for his dietary needs. As a result he’s literally wasting away.

Following the tragic death of his father who recently succumbed to a long-standing set of illnesses, the week delivered yet more bad news. Although the prison would allow him to attend the funeral, Peter was told he could expect to carry his father’s coffin wearing handcuffs.

Understandably the news provoked much outrage. Why would a non-violent and now-frail man with just a few days left on his sentence try to escape from not one but two prison guards? As that improbable situation was discussed among supporters online, a much less traditional support group were asking the same questions.

Hollywood director Lexi Alexander has been a vocal supporter of Peter and earlier this year broke with the usual Tinseltown position by calling for his release.

While her outspoken approach is uncharacteristic of a Hollywood worker, it may come as a surprise that she is definitely not on her own. During recent weeks the director and actress, who has several movies under her belt, called for other like-minded individuals in Hollywood to make themselves known.

The result was the publication a few minutes ago of a video dedicated to the uncuffing, release and support of Peter Sunde.

“We created this video in solidarity with Peter as he attends his father’s funeral today,” Alexander told TorrentFreak.

“Originally I had planned to do this over the next few weeks, but when I heard about Peter’s father’s death yesterday, we scrambled and got it together within a few hours.”

While a few of the people in the video have understandably chosen to remain anonymous, others have been very happy to show their faces. With the famous Hollywood sign in the background, first up, Julie Bush.

“Julie Bush was pro-piracy before I even knew what file-sharing meant,” Alexander told TF. “She used to be a writer on the show Sons of Anarchy and now she’s writing a major property for Universal Studios: Robert Ludlum’s The Sigma Protocol.”

Bush has written on a number of occasions about Hollywood’s “dumb” approach to piracy.

“Many showrunners and executives I know not only pirate stuff all the time but also privately endorse the idea that piracy is good for the industry, a great way to advertise, and essential to building a healthy audience,” she explained last year.

The gentleman holding up the sign calling for the un-cuffing of Peter is actor Ross McCall. He appeared in Band of Brothers, Alexander’s movies Green Street and Green Street 2, before moving on to star in TV series including Crash, White Collar and Luther.

“The pretty blonde [0m 53s] is producer Catrin Cooper. Very outspoken about her opposition to criminalizing file-sharing,” Alexander continues. Cooper has worked in several roles on movies including Casino Royale, Harry Potter and the Prisoner of Azkaban, and Batman Begins.

“The guy with ‘Free Peter Sunde’ on his shirt is a writer and actor named Edward DeRuiter, one of his movies was just released last month,” Alexander adds.

“Then there’s Brent Weichsel, who against my advice decided to put his name and union on the sign. He’s Local 600 Camera Assistant.”

It’s quite something and particularly brave for these individuals to put their name to the support of someone described by studio bosses as someone intent on the ruination of the industry. That said, and as clearly pointed out on one of the signs held up in the video, Hollywood workers are not only writers and directors, they’re also humans too.

The video, which features writers and authors, directors, producers, a screenwriter, a cinematographer, an engineer and a dialect coach, is embedded below and available on Lexi’s blog.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Darknet - The Darkside: Twitter Vulnerability Allows Deletion Of Payment Details

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Twitter has been in the news a lot lately, firstly about their patent filing regarding the pro-active scanning on the web for malware and then the bug bounty going live – which is related to this story. This is a pretty neat Twitter vulnerability that was discovered by someone taking part in the Twitter bug [...]

The post Twitter…

Read the full post at darknet.org.uk

TorrentFreak: Expendables 3 Downloaders Told To Pay Up – Or Else

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Back in July a pretty much pristine copy of The Expendables 3 leaked online. It was a dramatic event for those behind the production as the movie’s premiere on BitTorrent networks trumped its theatrical debut by several weeks.

Distributor Lionsgate was quick to react. Just days after the leak the entertainment company sued several file-sharing sites, which eventually resulted in the closure of file-hosting site Hulkfile. But more action was yet to come.

Doubling up on their efforts, Lionsgate also targeted hosting providers, domain registrars and seedboxes while at the same time sending thousands of DMCA takedown notices to have content and links to content removed.

However, a big question remained unanswered. Would the makers of The Expendables 3 start tracking down alleged file-sharers to force them into cash settlements as happened with previous iterations of the movie? It’s taken a few weeks but confirmation is now in.

Millennium Films, the production company behind The Expendables 3, is now shaking down individual Internet users they believe to have downloaded and shared the leaked movie without permission. What do they want? Hard cash, of course.

Interestingly, and at least for now, the company isn’t going through the courts filing subpoenas against ISPs to obtain downloaders’ personal details. In a switch of tactics the company is sending DMCA takedown notices to ISPs via CEG TEK International and requesting that the notices are forwarded to the customers in question instead. In addition to the usual cease and desist terminology, Millennium tags on cash settlement demands too.

As can be seen in the image above, the production company is giving notice recipients until October 5, 2014 to come up with the money – or else.

“If within the prescribed time period described above you fail to (i) respond or settle, or (ii) provide by email to support@cegtek.com written evidence of your having consent or permission from Millennium Films to use the Work in connection with Peer-to-Peer networks (note that fraudulent submissions may give rise to additional liabilities), the above matter may be referred to attorneys representing the Work’s owner for legal action,” the settlement offer reads.

Of course, whether people fill in CEG TEK’s settlement form or write to them with their personal details, the end result will be the same. The company will now have the person’s identity, something they didn’t previously have since at this stage ISPs have only forwarded the notices.

While the notices are real (CEG TEK have confirmed the action) little is known about how much money Millennium/CEG TEK are demanding to make a supposed lawsuit go away. However, TorrentFreak has learned that CEG TEK are simultaneously sending out settlement demands to alleged downloaders of The Expendables 2. A copy of the settlement page demand – $300 – is shown below.

While some people will no doubt be worrying about how to deal with these demands and whether Millennium will follow through on its implied threat to sue, at least some of these notices will be falling on deaf ears. LiquidVPN, an anonymity company listed in our 2014 report, received one such notice but as a no-log provider, could not forward it to its customer.

Compare that to the despair of a user posting on KickassTorrents who got caught after relying on IP address blocking software (typos etc corrected).

“I woke up to this alongside four other notices from my ISP. I stopped downloading six days ago, but I’m receiving old notices about movies that were downloaded a month ago and I basically can’t do nothing about it since it’s old. I use PeerBlock and it’s a bunch of bullshit. What should I do with this October 5 deadline on a settlement? Please help!” he wrote.

Finally, and as Lionsgate, Millennium Films and CEG TEK shake down sites, hosting services, domain registrars, seedbox providers and now end users, the most important questions remain unanswered.

Who – at Lionsgate, Millennium or one of its partners – had full access to a clean DVD copy of the movie? Who then put that copy in a position of being placed online? The FBI, who can crack the most complex of terrorist crimes, are reportedly involved and must’ve asked these questions. Yet the culprit still hasn’t been found…

Could it be that studios become less cooperative when blame falls too close to home?

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How to Install Arch Linux the Easy Way with Evo/Lution

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

The one who ventures into an install of Arch Linux and has only experienced installing Linux with Ubuntu or Mint is in for a steep learning curve. The number of people giving up halfway is probably higher than the ones that pull it through. Arch Linux is somewhat cult in the way that you may call […]

Read more at Xmodulo

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Thursday, September 18th 2014 http://isc.sans.edu/podcastdetail.html?id=4153, (Thu, Sep 18th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

SANS Internet Storm Center, InfoCON: green: IOS8 is out – IOS 8 has arrived and with it the numerous devices that will be updating over the next few days or so your internet connection will be busy, (Thu, Sep 18th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

LWN.net: [$] LWN.net Weekly Edition for September 18, 2014

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The LWN.net Weekly Edition for September 18, 2014 is available.

SANS Internet Storm Center, InfoCON: green: Your online background check is now public!, (Wed, Sep 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

An email titled “Your online background check is now public” might be half-scary if it was sent to a real person. But if it is a bunch of honeypot email addresses that have nobody associated to them in real life, and they get half a dozen of these emails per week, then it can only be spam, scam, or – most likely – both.

After tolerating and binning these noisy emails for a number of weeks, we finally decided to take a look-see on what is behind them. Turns out they all lead to “instantcheckmate-dot-com”, who are peddling “background investigation services”.

Sadly, the “background check” for our Honeypot actually wasn’t all that extensive. I would have loved to read about the sleazy hidden life of our little Honeypot, especially its speeding tickets (highly unlikely, it is an old i486) and its convictions for possession (more likely, given that on past occasions, smoke has been seen coming from the enclosure), or its sex offenses (unlikely again, given that its ports are all serial, and its slots are all ISA :).

We didn’t try the Instant Checkmate “service”, so I can’t tell if it’s any good. But given that its offerings apparently need to be spammed, and the spammed URLs change daily, and redirect across four hops to end up on tcgtrkr-dot-com, and finally on instantcheckmate, I’d say the odds are they ain’t up to much good.

If you own this “service”, you are welcome to comment, after all, your background check is now public :). If you prefer not to comment, you might want to consider removing email addresses that have the word “sans” in them from your spam list, maybe?

LWN.net: Some stable kernel updates

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Greg Kroah-Hartman has made some progress on the stable patch backlog with the release of 3.16.3, 3.14.19, and 3.10.55.

TorrentFreak: AT&T Patents Technology to Keep Torrent Files Alive

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years the intellectual property division of AT&T has patented quite a few unusual inventions. Today we can add another to the list after the telecoms company was granted a patent which aims to keep torrent files available for as long as possible.

In the patent (pdf), which was awarded yesterday, the ISP points out that BitTorrent is a very effective way of sharing files online. However, AT&T also signals some drawbacks, including the fact that some torrent swarms stop working because there are no complete copies of the file available.

“As more and more peers download a complete copy of the file, the performance of the torrent deteriorates to the point that it becomes difficult for the file to be located and downloaded. As a result, current BitTorrent systems are not desirable for downloading older files,” the patent reads.

Since there are often many swarms downloading the same content via different trackers, it could be that the file lives on elsewhere. Similarly, other peers might be willing to start seeding the dead torrent again. AT&T’s patent pairs these sources to increase the availability of files downloaded via BitTorrent.

AT&T’s torrent patent

The patent proposes to add “collaboration information” which may be obtained from each peer when it joins a torrent swarm. If a torrent has no active seeds available, this information can point the downloader to “dormant peers” or external trackers that still have active seeders.

“If the file is not available at an active peer, the tracker node has two options; it may contact some of the listed dormant peers to see if they are willing to make the file available, and/or it may contact a remote tracker node listed for the file,” the patent reads.

“If the file is made available by a dormant peer and/or at a remote torrent, the local peer can then establish a peer-to-peer communication with the dormant peer or a peer on the remote torrent, and download the file therefrom. As a result, the local peer can locate and download files that are not available on its current torrent from both dormant peers and peers in other torrents.”

The idea to point people to other trackers is not new. Most torrents come with multiple trackers nowadays to ensure that a file remains available for as long as possible. AT&T’s proposed invention would automate this feature.

The idea to contact “dormant peers” is more novel. In short, that means that people who previously downloaded a file, but are no longer seeding it, can get a request to make it available again.

Whether the ISP has any real-life applications for its invention is as yet unknown. The current patent was granted this week, but the first application dates back to 2005, a time when BitTorrent wasn’t quite as mainstream as it is today.

The patent certainly doesn’t mean that the ISP encourages sharing copyrighted files. Among other anti-piracy innovations, AT&T previously patented systems to track content being shared via BitTorrent and other P2P networks and report those offenders to the authorities.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: Identifying Dread Pirate Roberts

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users’ true location.

LWN.net: [$] X and SteamOS

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

In a talk entitled “SteamOS Magic”, longtime X developer Keith Packard looked at the new Linux “distribution” and the effort to turn the Linux desktop into a gaming console. It turns out that, with a fairly small amount of code, Steam and SteamOS creator Valve was able to take the existing X-based desktop and turn it into a “living-room experience”.

Click below (subscribers only) for the full report from LinuxCon North America.

TorrentFreak: Copyright Holders Want Netflix to Ban VPN Users

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With the launch of legal streaming services such as Netflix, movie and TV fans have less reason to turn to pirate sites.

At the same time, however, these legal options invite people from other countries where the legal services are more limited. This is also the case in Australia where up to 200,000 people are estimated to use the U.S. version of Netflix.

Although Netflix has geographical restrictions in place, these are easy to bypass with a relatively cheap VPN subscription. To keep these foreigners out, entertainment industry companies are now lobbying for a global ban on VPN users.

Simon Bush, CEO of AHEDA, an industry group that represents Twentieth Century Fox, Warner Bros., Universal, Sony Pictures and other major players said that some members are actively lobbying for such a ban.

Bush didn’t name any of the companies involved, but he confirmed to Cnet that “discussions” to block Australian access to the US version of Netflix “are happening now”.

If implemented, this would mean that all VPN users worldwide will no longer be able to access Netflix. That includes the millions of Americans who are paying for a legitimate account. They can still access Netflix, but would not be allowed to do so securely via a VPN.

According to Bush the discussions to keep VPN users out are not tied to Netflix’s arrival in Australia. The distributors and other rightsholders argue that they are already being deprived of licensing fees, because some Aussies ignore local services such as Quickflix.

“I know the discussions are being had…by the distributors in the United States with Netflix about Australians using VPNs to access content that they’re not licensed to access in Australia,” Bush said.

“They’re requesting for it to be blocked now, not just when it comes to Australia,” he adds.

While blocking VPNs would solve the problem for distributors, it creates a new one for VPN users in the United States.

The same happened with Hulu a few months ago, when Hulu started to block visitors who access the site through a VPN service. This blockade also applies to hundreds of thousands of U.S. citizens.

Hulu’s blocklist was implemented a few months ago and currently covers the IP-ranges of all major VPN services. People who try to access the site through one of these IPs are not allowed to view any content on the site, and receive the following notice instead:

“Based on your IP-address, we noticed that you are trying to access Hulu through an anonymous proxy tool. Hulu is not currently available outside the U.S. If you’re in the U.S. you’ll need to disable your anonymizer to access videos on Hulu.”

It seems that VPNs are increasingly attracting the attention of copyright holders. Just a week ago BBC Worldwide argued that ISPs should monitor VPN users for excessive bandwidth use, assuming they would then be pirates.

Considering the above we can expect the calls for VPN bans to increase in the near future.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Debian has updated apt (multiple vulnerabilities) and dbus (multiple vulnerabilities).

Red Hat has updated krb5 (RHEL5: code execution).

SUSE has updated procmail (SLE11 SP3: code execution) and kernel (SLES11 SP1: multiple vulnerabilities).

Ubuntu has updated apt (multiple vulnerabilities), libav (12.04: code execution), and openjdk-7 (14.04: updates for arm64 and ppc64el).

Linux How-Tos and Linux Tutorials: Systemd for Developers I

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

systemd not only brings improvements for administrators and users, it also brings a (small) number of new APIs with it. In this blog story (which might become the first of a series) I hope to shed some light on one of the most important new APIs in systemd:

Socket Activation

In the original blog story about systemd I tried to explain why socket activation is a wonderful technology to spawn services. Let’s reiterate the background here a bit.

Read more at Lennart Poettering’s blog.

Krebs on Security: Critical Update for Adobe Reader & Acrobat

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe has released a security update for its Acrobat and PDF Reader products that fixes at least eight critical vulnerabilities in Mac and Windows versions of the software. If you use either of these programs, please take a minute to update now.

Users can manually check for updates by choosing Help > Check for Updates. Adobe Reader users on Windows also can get the latest version here; Mac users, here.

Adobe said it is not aware of exploits or active attacks in the wild against any of the flaws addressed in this update. More information about the patch is available at this link.

For those seeking a lightweight, free alternative to Adobe Reader, check out Sumatra PDF. Foxit Reader is another popular alternative, although it seems to have become less lightweight in recent years.

LWN.net: Garrett: ACPI, kernels and contracts with firmware

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Matthew Garrett writes about the challenges faced by the developers working on ACPI-based ARM systems. “Somebody is going to need to take responsibility for tracking ACPI behaviour and incrementing the exported interface whenever it changes, and we need to know who that’s going to be before any of these systems start shipping. The alternative is a sea of ARM devices that only run specific kernel versions, which is exactly the scenario that ACPI was supposed to be fixing.”

Schneier on Security: Tracking People From their Cell Phones with an SS7 Vulnerability

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

LWN.net: Business as usual for openSUSE

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The openSUSE project has posted a statement on how things will change after Attachmate’s merger with Micro Focus. In short, they don’t think anything will change. “Business as Usual: There are no changes planned for the SUSE business structure and leadership. There is no need for any action by the openSUSE Project as a result of this announcement.”