Domain: sophos.com
Stories and comments across the archive that link to sophos.com.
Comments · 553
-
Odd /. won't report on UBlock/Adblock problems
Odd
/. won't report on UBlock/Adblock problems https://nakedsecurity.sophos.c... https://www.bleepingcomputer.c... eh? Not.* "OpenSORES" BLOWS IT AGAIN is why!
APK
P.S.=> Ask yourselves that question - ESPECIALLY from BLEEPING COMPUTER (which
/. uses to NO END for stories) - WHY did /. AVOID "BIG NEWS"? OH, we KNOW why (see above) - & that cannot happen to hosts files (which is WHY whipslash AVOIDS THE STORY - he knows I'll GLOAT)... apk -
Re:Fuck You Microsoft.
You are assuming:
1. That people feel that they're in a position to do something about it, which they often aren't ("just use Linux" isn't practical for some, especially those who are technically inept). Plus they feel helpless in their digital lives in general, since Google and Facebook and everyone else does it. That Google and Facebook and everyone else do it doesn't mean it's right, contrary to people such as yourself who think that's a good excuse.
2. That people are aware of it in the first place. Most people are rather appalled when someone bothers to tell them what "telemetry" means in actual terms, let alone when people start pointing out things such as the ToS for Office 365 where they can tell you what you can and can't make with their software. And before you say "but that's only for Office 365!", well, they're trying to force Windows 10 into being a service, so it's only a matter of time.
Tell Mr. Gates to hire a better shill, he's not getting his money's worth with you.
-
Re:My Synology NAS has antivirus, why not a SmartT
It does protect against Linux malware too. It's a Linux box running an older kernel with numerous services exposed, and periodically exploits are found.
For example, this flaw in Samba was pretty severe: https://nakedsecurity.sophos.c...
Still not convinced that McAfee is the best solution, but a Linux based NAS is not immune to malware either.
-
Real threat or industrial espionage?
Security cameras and their hub systems have been hacked like crazy, largely because the average user (homeowner, retail lackey, office lackey) doesn't even bother changing the default passwords, much less a firewall or any reasonable security measures. Here's a report of a website streaming over 70,000 hacked cameras, and here's a report of over a hundred police surveillance cameras being hacked to send spam right in DC. They're plenty hackable, just a matter of whether the Chinese state thinks it's worth risking sanctions from the countries they're surveilling.
But this could also easily be industrial espionage. In the US, anyone competing with Huawei could simply spend a few million lobbying to convince congress that it's happening. No proof is required, only that the capability is there, and that if China was doing it we might never know.
-
Re:Terrible idea
-
Re:Sorry, liberals
Because to make such a comment you need to supply your name and number. People have tried to get a hold of supporters of the FCC's plan to do away with network neutrality and the people they called had no idea about any such comment made in their name. This would be evidence of rampant identity theft and FRAUD.
The dumb crooks were even ballsy enough to impersonate senators.
And this isn't some niche thing, it's rampant and widespread.
If you're here on Slashdot, there's no way you wouldn't know this. So you must either be a shill or a "true believer" in your party's politics. Seek help.
-
> It's somewhat sad that then people didn't ...
Wow, careful there Linus. Forgot all about the Copy On Write bug that you fixed in the Linux kernel in 2005, but which you then unfixed, declared "theoretical" and which was then ignored for over a decade until it hit the fan in 2016?
This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago [] but that was then undone due to problems on s390 [W]hat used a purely theoretical race back then has become easier to trigger.
-
Re:NSS
The news is you can unlock a phone via the usb port
This is not news. Attack surface of USB is gargantuan. Completely indefensible.
-
Re:I run Antivirus in/on my android...
How interesting it is, then, that Antivirus vendors are still implementing Antivirus for Mac and linux.
Even MORE so, they are implementing antivirus that hooks into your Virtualization/cloud platforms to protect your VMs, both virtual servers and Virtual Desktops...
Here is the solution from ESET for VMWare:
https://www.eset.com/int/busin...
Here is the one from Bitdefender, for many hypervisors:
https://www.bitdefender.com/bu...
Here is the one from Sophos:
https://www.sophos.com/en-us/m...
But hey, I guess I'd better surrender my geek credentials, as well as all the people working on ClamAV, and all the engineers and managers that are working on such clear dead-end technologies as Mac and Linux antivirus at those companies (and many more).
After all, it's so clear to me now: you and Anon coward cannot be wrong.
-
Re:Router?
A "secure" router won't help you. What does "hacked twice recently" actually mean?
Quite possibly this person means like the vulnerability in this router:
https://nakedsecurity.sophos.c...
"We described a flaw that allowed attackers to force your router to open up its administration interface to the internet, something you would never normally do."
Port forward every port you need to attack the host on the inside and go for it.
-
Re:Smart people are different
> the guy who recently admitted that the standard password policy recommendations (expire after 3 months and all that) were something he pulled out of his ass...
paywalled article...
The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error
By Robert McMillan
Aug. 7, 2017 12:41 p.m. ET
https://www.wsj.com/articles/t...
via
https://it.slashdot.org/story/...
some other coverage from the time:
https://www.tomsguide.com/us/p...
https://nakedsecurity.sophos.c...
-
See? Google reads your email!
Google reads your email, unlike Microsoft!
-
Re:I saw this long ago on other security sites
-
Doesn't look very "private" to security pros
See subject & https://nakedsecurity.sophos.com/2018/04/17/gmails-new-confidential-mode-wont-be-completely-private/
APK
P.S.=> Read that link's content & judge for yourselves... apk
-
Re:It's so easy to do it right
So what?
Not sure if you're trolling, unaware or making some sort of pedantic argument. Key stretching and adaptive hashing are considered best practice and here's a couple references to read up on including some from TFA. These solutions will partially mitigate the impact of weak passwords.
http://plaintextoffenders.com/...
https://codahale.com/how-to-sa...
https://nakedsecurity.sophos.c...
-
Re:Wouldn't work with FaceID...
From another source:
In theory, Apple’s Face ID authentication is supposed to require eye movement to work. But Marc Rogers, researcher and head of information security at Cloudflare, told Forbes that he’s recently discovered that photos of open eyes work just fine.
A few months ago, Vietnamese researchers did the same thing. With a mask.
-
Re:Not simple and would not work here
-
Re:Ok, so the problems here are:
In this context, the SHA-1 hash only has one iteration.
In 2010, it only cost $2.10 to crack a 6 char password in an EC2 instance.
https://www.geek.com/news/rese...
Since then hardware has become much faster. Today's GPU's can do several billion hashes per second.
There have also been more advances made in brute forcing SHA-1
https://nakedsecurity.sophos.c...
-
Re:The weakest security
Are passwords that hard to remember?
Once you start requiring them to be 12 characters long, and contain at least one uppercase character, one lowercase character, one numeral, and one Egyptian hieroglyph they are.
By the way, those complexity rules have been officially withdrawn by NIST. In fact, TFA is an instance of the very problem that drove the rule change. Now all we have to do is spend 20 years undoing the damage of the old, stupid, complexity rules.
-
Re:Earlier police failures...
if you have a decent amount of technical know how you can make yourself pretty difficult to track down
Well, he's been found and arrested already — so much for the "pretty difficult". Police should've shown the same vigor before his actions resulted in a death.
I don't believe I've seen anyone react to that bomb threat with anything other than disapproval.
In denial much? Open any article on the subject and browse the comments. For example, from here:
- Sounds like someone called in an anonymous bomb threat. Cute.
- Got me all excited there for a second, bummer.
- Not the most productive thing for sure. But what's the alternative?
- Considering Pai's complete disregard of the public's opinion on the matter, or the many accusations of fraud on the comment period, I think at this point it's a moment of "desperate times call for desperate measures."
I'd say, the ratio of approval to disapproval there is 1:1...
-
Devs should do QA
Subject stolen from another story.
:-) Apple has had a lot of issues with dates, clocks and alarms on its mobile devices, including the interesting 1970 bug. https://nakedsecurity.sophos.com/2016/02/26/apple-will-unbrick-iphones-bricked-by-1970-bug/
Better QA might help but this shouldn't be so hard.
-
EVIL Kaspersky
OK, they're ALL out to get you. If you didn't pay for it, you're the product. I fear my local government more than a far-away one. I'm a minnow, no, some plankton living in the social/financial sea. It's only metadata. If you've got nothing to hide, you've got nothing to fear. Ever uploaded something to VirusTotal/Google/MS/Amazon? If it's unencrypted in the cloud, it's probably now on someone ELSE's cloud too. If encrypted, it's still fair game. KAV has good reviews. So I'll just leave this here and get my coat.
OVERVIEW
https://www.pcworld.com/articl...
https://www.av-test.org/en/ant...
http://chart.av-comparatives.o...
Free
https://usa.kaspersky.com/free...
https://www.bitdefender.com/su...
https://www.malwarebytes.com/m...
https://www.avira.com/en/free-...
https://home.sophos.com/
https://www.pandasecurity.com/...
Just PICK one, just as long as it's not the default MS Defender. They couldn't stop it from getting in to start with, what makes you think their AV is going to do better?
-
Re: Equifax ran Linux
lols, you mean like how linux had 31 high severity bugs that were unfixed for more than a year??
https://nakedsecurity.sophos.c...
of course.. they're wrong.. blah blah,, biased report, ms shill, yawn..
nobody except linux cheerleaders think linux security is worth a damn. clueless people installing LAMP on their web server continue to get rooted, daily. this is after you people barely figured out how to run apache as non-root, and still haven't gotten rid of setuid binaries. great security tradition indeed.
-
Re:The real problem is
Exactly. And this isn't the first time it's happened either.
-
Re: The bug is in Disk Utility GUI volume creation
You apparently don't understand the "GotoFail" bug. Here's an explanation, for example.
-
Re:Why So Long?
They probably need the 4 months to fix their crappy system. Your credit account is locked using a pass code that they provide. The pass code is the timestamp of the date you requested the lock. Come on people. This isn't hard.
-
Re: Embrace and Extend
Bingo.
I'm very glad that Windows has a good way to run Linux programs. Why? Well, I don't want to waste an afternoon figuring out which three lines I need to write to handle something that any reasonable desktop OS would handle with no hassle.
By which time you've probably spent several weeks insecurely downloading Chromium to have a proper web browser, going through YouTube videos learning how to restore your desktop functionality, making sure to turn off the windows store so your kids don't auto-install some malware searching sites to try to find instructions to turn off the spyware features, probably managing to get some other drive by malware in the process. Installing antivirus software, then removing it when you find out that it had malware included.
But, cutting and pasting a three line script. That's really the time killer. Isn't it.
-
Re: I'm going to start surfing incognito
nope. sorry.
there are many ways to 'fingerprint' a browser client, especially if you allow scripts to run. 'cookies' are just the easiest way.
https://nakedsecurity.sophos.c...
https://arstechnica.com/inform...
and, if you're on mobile, you might be fucked regardless. your provider may be inserting a unique guid into http requests.
-
Re:wrong direction
the "one plug for everything" trend that began with USB Type C is a step in the wrong direction.
Yes. It's bad for security. Suppose a friend asks you to copy a file onto a USB stick. Temporarily forget about exploits in filesystem code when reading corrupt filesystems. Since USB can work as either storage or a keyboard, your friend might have caught a USB stick controller firmware virus that emulates a keyboard and types things that exploit you.
Now suppose a port can connect either storage or a video card. Video cards use PCIe. Instead of a keyboard, the malicious stick now has hardware debugger access to physical RAM and can establish persistence on your machine without exploiting the OS, like Thunderstrike 2:
What to do? Avoid plugging untrusted Thunderbolt devices into your Mac, for example if someone you don’t know offers to lend you a network adaptor at a conference.
It's difficult to make use of this kind of speed, like 1/10th of RAM bandwidth, through a hardware interface with small attack surface because it requires offloading intelligence from the CPU which means giving discretion to the hardware. The right way to create a security boundary while preserving speed is with a network interface, ex. Infiniband's "verbs," that explicitly post buffers that will be written into. USB's history is more generic. If they're just jacking the speed without transforming it into basically a network interface, then either it won't deliver the speed for applications other than storage, or it will leave users exposed to Thunderstrike 3. I hope it's the former but am pretty sure it's the latter.
It will be like BadUSB times nine thousand.
-
Re: They forgot to mention two important contribut
Smartphones and their apps track and trace peoples purchases, movements, social groups, etc. Apple itself is but a small portion of it but they created a surveillance ecosystem.
Google (Hint: the maker of Android) reads your mail, tracks your browser history, your shopping habits and your movements among other things. I'm pretty sure Apple is an amateur convention compared to Google when it comes to monitoring every single thing their customers do.
Actually, Apple has, and continues to, take great steps to NOT track you.
Even when they want anonymized statistical data, they have instituted cutting-edge techniques to separate the data from the user's, or device's, IDs. Here's some examples:
https://www.wired.com/2016/06/...
-
Re:vaccine
Via Sophos:
In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.
It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.)
So on networked systems, if a host has the "vaccination" gets hit but has credentials for other systems that permit logon/execution saved, then it can still spread. If you don't save networked credentials for other PCs on your network on a given PC, then it shouldn't be an issue on a fully patched network.
I could see this being an issue on corporate networks if Windows Server is not fully patched and a server like AD has a network logon that is valid across a wide number of client PCs/other servers, but the impact on most home networks is likely minimal.
Still wouldn't hurt to apply the 'vaccination' to each PC you own as a precaution though.
-
Re:Last Remote Root hole in OpenSSH ? Oh yeah, NEV
All the worms, ransomware, and malware that gets widespread exposure and ends up loaded on millions of vectors is ALWAYS WINDOWS.
Except for little things, like heartbleed?
When was the last time you saw a remote root exploit for SSH?
-
Re:Honeypot ransomware
Sophos supposedly has technology (Intercept X) that can heuristically determine when an encryption event is going down and should automatically block it. It works by looking for files being rapidly encrypted and immediately stops it and I believe tries to roll back the changes so that less than 1% is actually encrypted.
For us, the virus scanner has caught a few ransomware viruses before they made it that far, so we have yet to test that. But it's a well advertised feature of their product line.
https://www.sophos.com/en-us/p...
It requires its own license, and I think it's selling like hotcakes these days.
-
Might as well use Tor
At least with Tor, you can be more confident that you are not being keybridged.
-
Re:What was the ROI?
The tech consultants on the UK news channels say that it is possible to buy ransomware kits off the black market.
https://nakedsecurity.sophos.c...
Given that shareware file system explorers and encryption routines are standard library functions, and it's easy enough to create a webpage with PayPal and Bitcoin pay buttons, just tacking on some network system exploits will allow the implementation of instant ransomware.
-
Re:I feel left out
You mean like Heartbleed or Shellshock? Or how about the one that not only affected Linux PCs but also affected every Android device from 4.4 on up thus leaving tens of millions vulnerable on devices that will never be patched? Or how about when the Linux Mint site was serving malware? Like that?
Joke all you want about MSFT but at least their OS gets 10 years of patches, you don't see tens of millions of Windows machines at risk because MSFT won't provide patches. Oh and just FYI since the Linux community was so quick to claim "Android is Linux!" you might want to know that by that metric Linux infections are skyrocketing while windows infections are dropping like a stone making Linux the most malware ridden OS on mobile networks which it has been for 3 years running now...congrats!
-
Re:What should happen and what will happen
The second to last Yahoo security breach was so bad in part because the passwords were hashed with a completely unsalted MD5 https://nakedsecurity.sophos.com/2016/12/15/yahoo-breach-ive-closed-my-account-because-it-uses-md5-to-hash-my-password/. The lack of salting would have been by itself a problem even when MD5 was still considered secure.
Actually, even with salting, no standard cryptographic hash function is appropriate for password databases. You can squeak by if you iterate the hash function enough times, but even that is pretty weak, since it means that an attacker with lots of GPUs -- or, even worse, special-purpose hardware -- can perform hashes so much faster than you can that the key stretching you obtain is minimal.
The state of the art in password hashing is algorithms like Argon2, with parameters that are tuned to require significant amounts of not just CPU time, but RAM and threads. Argon2, tuned to require, say, 10ms of time on four cores and 256 MiB of RAM, is going to significantly strengthen passwords. The RAM requirement means a GPU with 4 GiB of RAM can only test 16 passwords in parallel, making GPU-based cracking essentially useless, since what GPUs provide is huge parallelism. Custom ASICs would do better, but would still run into bottlenecks on the speed of the RAM. Making really fast cracking hardware would require either huge amounts of RAM, or large amounts of extremely fast RAM. Either way, big $$$.
Even better, if at all possible you should use a hash that is keyed as well as salted. Doing that requires having some place to store the key that won't be compromised by the same sorts of attacks that compromise your password database. In most cases that's hard to do. Argon2 will accept a key so you can get both sorts of protection, though if you can be really, really certain that no attacker can ever get the key, then you can use a standard cryptographic hash function in a keyed mode, e.g. HMAC-SHA256, though I'd still recommend using a purpose-designed password hash (e.g. Argon2) in case your key is compromised.
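The ladder described in the comment above (unsalted MD5, then salting, then a memory-hard stretch, then a key held outside the database), as an added example that is not part of the comment or of any Sophos article. It uses `hashlib.scrypt` from the Python standard library as a stand-in for Argon2 (an assumption: scrypt is also memory-hard, and Argon2 needs a third-party package); the user list, pepper and parameter choices are constructed for illustration.

```python
"""Password storage ladder, as a runnable illustration.

Step 0: unsalted MD5  -> identical passwords yield identical rows.
Step 1: salt          -> per-user randomness defeats shared lookup tables.
Step 2: memory-hard   -> scrypt (stand-in for Argon2) costs RAM per guess.
Step 3: keyed         -> HMAC with a pepper stored outside the database.
"""
import hashlib
import hmac
import os

# Constructed sample accounts; two of them share a password on purpose.
SAMPLE_USERS = {"alice": "password1", "bob": "password1", "carol": "correct horse"}

# Constructed pepper; in a real deployment it lives in a KMS/HSM, never beside the DB.
PEPPER = b"example-pepper-kept-outside-the-database"

# scrypt cost: memory per guess is 128 * r * N bytes -> 16 MiB with these values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_unsalted(password: str) -> str:
    """Step 0: what the comment criticises; deterministic and salt-free."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def duplicates_visible(store: dict) -> bool:
    """True if any two rows collide, i.e. shared passwords are exposed
    before a single hash has been cracked."""
    return len(set(store.values())) < len(store)


def memory_per_guess_bytes() -> int:
    return 128 * SCRYPT_R * SCRYPT_N


def parallel_guesses(attacker_ram_bytes: int) -> int:
    """How many guesses fit in RAM at once; the comment's GPU argument."""
    return attacker_ram_bytes // memory_per_guess_bytes()


def hash_password(password: str, pepper: bytes, salt: bytes = None) -> str:
    """Steps 1-3: keyed pre-hash, then salted memory-hard stretch.
    Returns 'salt_hex$digest_hex'; the pepper is NOT stored."""
    if salt is None:
        salt = os.urandom(16)  # step 1: fresh random salt per record
    # Step 3: key the input with the pepper so a stolen table alone is useless.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Step 2: memory-hard stretch (scrypt stands in for Argon2 here).
    digest = hashlib.scrypt(keyed, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, pepper: bytes, stored: str) -> bool:
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, pepper, salt=bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def store_hardened(users: dict, pepper: bytes) -> dict:
    return {user: hash_password(pw, pepper) for user, pw in users.items()}


if __name__ == "__main__":
    print("unsalted MD5 exposes shared passwords:",
          duplicates_visible(store_unsalted(SAMPLE_USERS)))
    hardened = store_hardened(SAMPLE_USERS, PEPPER)
    print("hardened store exposes shared passwords:", duplicates_visible(hardened))
    print("alice verifies:", verify_password("password1", PEPPER, hardened["alice"]))
    print("4 GiB attacker RAM fits", parallel_guesses(4 * 2 ** 30), "guesses at once")
```

Tuning note: with the comment's suggested 256 MiB per hash the same arithmetic gives 16 parallel guesses on a 4 GiB card; the 16 MiB used here keeps the demo fast. Losing the pepper makes every stored hash unverifiable, which is why the comment stresses where the key is kept.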
-
What should happen and what will happen
If one looks at the history of what happened the last time a major hash was broken, there was a large gap between when MD5 has its first collisions and when it became practical to detect collisions. There was about a little under a decade between when the first collisions were found and when it became easy to find collisions. The general expectation is that hash systems will fail gracefully in a similar way so we have a large amount of warning to switch over. Unfortunately, we've also seen that in practice people don't adopt new hash algorithms nearly as fast as they should. The second to last Yahoo security breach was so bad in part because the passwords were hashed with a completely unsalted MD5 https://nakedsecurity.sophos.com/2016/12/15/yahoo-breach-ive-closed-my-account-because-it-uses-md5-to-hash-my-password/. The lack of salting would have been by itself a problem even when MD5 was still considered insecure. That in 2015, a decade after MD5 was broken for almost all purposes, Yahoo was still using it, is appalling. Unfortunately, they likely aren't the only one. And I fully expect that if Slashdot is around in a decade we'll read about someone who has foolishly stored passwords using SHA-1.
-
Re:AV Free for years
I thought that was the point behind Apple's App Store
Just another trust model. You're giving up control over your system to some curator and trusting them keep you safe.
Of course nothing is perfectly safe.
-
Re:Best Linux Distro
-
Re:Exploding heads
Any reasonably fast device running Android 6.0 or higher must enable encryption by default.
https://nakedsecurity.sophos.c...
I don't know how many devices that is, but I'd guess... a lot? Before Nougat was released, Marshmallow had around a 20% market share of Android versions:
-
Re:Sign of things to come
People are willing to pay if the price is right and the convenience is there.
Are they ok whipping their credit card out for a monthly/annual subscription on every site they visit? No way, but that doesn't mean they are unwilling to pay anything.
Micropayments have been proposed for years as an alternative to advertising but it hasn't been practical to enter payment data for every web site, or to make payments less than a dollar when there are credit card fees (and minimums?).
Readability, Pocket/ReaditLater (and Instapaper?) all talked about passing a portion of their own revenues on to the content creators.
https://gigaom.com/2012/04/03/...
The Brave web browser is giving it a shot with Bitcoin, but we'll see how that goes.
https://nakedsecurity.sophos.c...
The advertising network model is broken and has a steady stream of malvertising on reputable web sites, as well as making the web worse by crowding out content more and more in favor of advertisements.
I'm hoping something better wins, and when it does, I will be ready with my credit card.
-
Re:Chrome
-
Re:Really?
Indeed it is, but it likely isn't really exposed "directly to the Internet". More likely it runs some service through a Seagate server that makes it available (likely by default, no less). After all, this is designed for home users and how many home users even would know how to modify their router's default rules to expose a specific port on a specific system to the internet?
You're incorrect. You may wish to read the technical report covering this issue. -PCP
-
Re:from the five-days-too-late dept
Let's add a summary from a Sophos blog:
https://nakedsecurity.sophos.c...
> The problem with "proper" security is that it works against the user
NIST guidelines:
Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.
> Long passwords that you can't remember
NIST guidelines:
Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters. We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety... No composition rules. What this means is, no more rules that force you to use particular characters or combinations.
> so far no one has come up with a better way to do it.
Says the guy who obviously hasn't read the guidelines they're criticizing.
-
Re:Linux ISO discs...
Hopefully you are not using a USB drive you found in a parking lot or was given away at a conference.
-
USB stick better?
Be glad it ain't one of those
Yeah, there's still a place for good ol' optical media.
-
Several questions
Is this browser keybridged to Opera Corporate? Is Opera able to decrypt TLS sessions run through the VPN? Does this add Opera-controlled root CAs that allow mitm?
Opera Mini has terrible security, as it uses the native Android WebKit/WebView. Does Opera guarantee that anything it provides for this VPN has current patches and passes all relevant tests (i.e. http://ssllabs.com)?
-
Re:how about false security pop ups?
Why blame MS? The false alarm most people have gotten is from Google. There's a reason they had to change it: https://nakedsecurity.sophos.c...
-
Insurance Files Key?
Remember, back in the heat of the Snowden affair, it was rumored that he had established an insurance stash of files. And during that same time frame the existence of a hoard of Wikileaks insurance files was revealed. https://nakedsecurity.sophos.c... These files were in three tranches - 3.6GB, 49GB, and 349GB. Supposedly these were encrypted with AES256. The string posted by Snowden is 256 bits long. Has anyone tried opening the Wikileaks files with this string?