Scott Radaszkiewicz

Click for Article

Fresh off the heals of another Linux vulnerability discovered about a month ago, another flaw has been discovered.   CVE-2016-8655 is a flaw that could allow a local user to gain root access privileges to the Linux operating system.  This flaw effects almost every Linux distribution that is available.

A patch was released last week, so users are encouraged to patch their Linux distributions.

I always find Linux flaws to be of particular interest.  I think Linux has that inherent stigma that it’s for “techies” and you have to be super technical to get it to work.   And, I think part of that is true, Linux is probably more prevalent among the “techie” users.   So, it always amazes me that flaws, like the one above are found 5 years later.

Executive Summary

PowerPoint Presentation

 

Article Link

Just to prove again that nothing is safe in this world, the Google Pixel Phone and Microsoft Edge were both hacked in less than a minute each in hacking competitions.

Google Pixel was hacked by a team in under a minute.  The hack used a zero-day vulnerability to achieve remote code access on the phone.  The hack opened a Google Chrome page and displayed “Pwned by 360 Alpha Team”.  The hack earned a cash prize of $120,000 for the team.

Microsoft Edge was hacked in just 18 seconds by a team.  The team gained SYSTEM-level remote code execution access on the system.   Details of the hack were not made public until a fix is released.

In my opinion, it is utterly amazing to see that teams of hackers can crack systems in mere minutes, or even seconds with known hacking techniques.  You would think that major vendors like Google and Microsoft would have those avenues all locked up by now, but unfortunately, not.

Just keep in mind, nothing is safe!

 

 

 

 

I found this to be very interesting.  A very good interactive tutorial on how SQL injection works.

Click Here

 

Click for Article

Two new security vulnerabilities have been found in MySql, an opensource database management system.   MySQL is extremely popular and is listed as the #2 world’s most popular database.

One of the flaws allows a hacker to execute code to elevate their user status to a database system user.   This elevation could allow the hacker to gain complete access to all databases on the hacked server. The second flaw allows a hacker to escalate their user privileges to root user.

Patches for these exploits are already available, and users of MySQL are urged to apply them immediately.

Information is King!   And gaining access to information gives anyone the keys to the castle.  So much information is stored in databases about us, it’s scary.   Popular database flaws like this are scary.   It adds one more tool in a hackers toolbox to gain access to our information.   The recent breaches of online accounts and credit card information just goes to reinforce the fact that hackers will always target this valuable information!

 

 

 

 

Executive Summary

Presentation

Video

 

Click for Article

This article is about a flaw in iOS 10 which allows the execution of malicious code if your view a JPEG, font files or PDF file through a website or email.  The good news is that Apple has released iOS 10.1 to correct this issue.  In fact, the iOS 10.1 update addresses 11 security flaws.

This announcement is fresh of the heels of a DD0S attack last week that used some non-conventional technologies such as cameras, routers and DVR’s to perform that attack.   It’s only a matter of time before hackers turn to other avenues to perform their attacks as other avenues are closed off.   Everyone thinks phones, cameras, etc are safe from this, but the truth is, anything that is connected to the Internet can, and most likely will, be a target for hackers.

 

 

 

 

Article Link: Click Here

This article explains how researchers from the University of Pennsylvania, INRIA, CNRS and Universite de Lorraine have proven how the NSA broke the Diffie-Hellman key exchange algorithm.

The algorithm uses keys generated with large prime numbers, that is theorized that it would take hundreds or thousands of years to decrypt with today’s technology.    According this article states that it took the researchers only two months, and 3,000 CPU’s to break a 1,024-bit key.

This was accomplished by “backdooring” the prime numbers used to compute the algorithm by randomly selecting very large primes from a pre-defined set which made it 10,000 times easier to solve the problem.

This article is very interesting.  Most encryption is based on algorithms.  While many are deemed to be secure, there are hundreds, or thousands, if not millions of people out there looking for ways to break the code.   New discoveries are being made in mathematics that could possibly render some algorithms useless.   the encryption is man made, and whatever can be engineered by man, can one day be un-engineered.

 

Article Link:  Click for Article

This article is about Yahoo building a software program that would secretly scan users emails, and this was done at the request of a US intelligence officials.  This was done in 2015 via a secret court order and the information is reported to have gone to the NSA or FBI.

Many top Yahoo officials were unaware of this and the Chief Information Security Officer resigned from the company, expressing regret that he was left out of this information.

It’s pretty scary how open our lives have become.   I assume, if there was a court order, there was a legitimate concern.  But it just goes to reinforce the fact that you should not put anything into any digital medium that you would not want being read by another person!  There is no privacy.   Be it hackers or the government, the information can be obtained!

Weblink:  Qubes OS

So, the Hacker news reported that Qubes OS 3.2 has been released.  So, I have never heard of Qubes OS, so I figure I better take a peek and see.  Basically Qubes OS is an operating system that attempts to provide security through isolation.

In essence, the Qubes OS is a virtual machine manager and applications are run within their own virtual machine.   Qubes makes a common desktop environment that manages all of these virtual settings.

I find this idea enticing.   In a way, many of us do this already.  I know I do.  With the ease and availability of Virtualization, many tech savvy users work to segregate their work.  I for instance, have several different VM machines that I employ.   I ahve a VM that I use specifically for personal email and web browsing.  This way, if I get some virus, etc, it won’t effect my work system.

Some good info can be found on Wikipedia:  Click

Who knows, maybe isolationism is the best defense for the future.  We can’t stop it, we can only hope to contain it and limit it’s impact!

And I downloaded the ISO and plan to give this a test.   FYI – can’t install on a virtual machine, so it’s designed for bare metal install.   I’ll let you all know what I find when I get around to tinkering with it!