Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 11 hours 58 min ago

Windows Defender Becomes First Antivirus To Run Inside a Sandbox

Mon, 10/29/2018 - 07:20
An anonymous reader writes: Windows Defender is the first antivirus to gain the ability to run inside a sandbox environment, Microsoft said in an announcement. In software design, a "sandbox" is a security mechanism that works by separating a process inside a tightly controlled area of the operating system that gives that process access to limited disk and memory resources. The idea is to prevent bugs and exploit code from spreading from one process to another, or to the underlying OS. "We're in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation," Microsoft said in a celebratory blog post. Users who can't wait until Microsoft finishes testing the feature can also enable it right now. Support for Windows Defender running inside a sandbox environment has been silently added since Windows 10 version 1703. To enable it right now, Windows 10 users can follow these steps.

China's OnePlus, Backed by Qualcomm and T-Mobile, Launches OnePlus 6T Smartphone in US

Mon, 10/29/2018 - 02:05
OnePlus, a five-year old Chinese smartphone company whose high-end products are little known outside a tech-savvy niche is entering the U.S. market on Monday with the backing of two key local allies: chipmaking giant Qualcomm and mobile operator T-Mobile. Reuters reports: The foray by Shenzhen-based OnePlus comes after U.S. mobile carriers AT&T and Verizon this year backed away from plans to work with China's Huawei on high-end phones in face of pressure from the U.S. government, which considers Huawei a security risk. But the OnePlus alliance, to be announced today in New York, shows how many U.S.-China business relationships, including those involving the most advanced technologies, are marching ahead despite the U.S. China trade war. OnePlus has quietly become the No. 3 client for Qualcomm's most expensive mobile phone chips, behind Samsung and LG Electronics, according to data from market researcher Canalys. The phone to be unveiled Monday, called the 6T, will sell for a price of $549 (for the base model, which offers 6GB of RAM and 128GB of internal storage) but packs features that are typically present only in pricier handsets. Xiaomi, a Chinese rival that also focuses on feature-packed phones at bargain prices, has said it plans to launch in the U.S. next year, but did not respond to a request for comment on whether those plans are still in place. The OnePlus 6T will laregely offer the same specs as its predecessor -- the OnePlus 6, which was launched earlier this year. Some of the key changes include a smaller notch on the front display and a built-in fingerprint scanner that is embedded in it. Full specs and review here.

IBM To Buy Red Hat, the Top Linux Distributor, For $34 Billion

Sun, 10/28/2018 - 11:00
International Business Machines (IBM) is acquiring software maker Red Hat in a deal valued at $34 billion, the companies said Sunday. From a report: The purchase, announced on Sunday afternoon, is the latest competitive step among large business software companies to gain an edge in the fast-growing market for Internet-style cloud computing. In June, Microsoft acquired GitHub, a major code-sharing platform for software developers, for $7.5 billion. IBM said its acquisition of Red Hat was a move to open up software development on computer clouds, in which software developers write applications that run on remote data centers. From a press release: This acquisition brings together the best-in-class hybrid cloud providers and will enable companies to securely move all business applications to the cloud. Companies today are already using multiple clouds. However, research shows that 80 percent of business workloads have yet to move to the cloud, held back by the proprietary nature of today's cloud market. This prevents portability of data and applications across multiple clouds, data security in a multi-cloud environment and consistent cloud management. IBM and Red Hat will be strongly positioned to address this issue and accelerate hybrid multi-cloud adoption. Together, they will help clients create cloud-native business applications faster, drive greater portability and security of data and applications across multiple public and private clouds, all with consistent cloud management. In doing so, they will draw on their shared leadership in key technologies, such as Linux, containers, Kubernetes, multi-cloud management, and cloud management and automation. IBM's and Red Hat's partnership has spanned 20 years, with IBM serving as an early supporter of Linux, collaborating with Red Hat to help develop and grow enterprise-grade Linux and more recently to bring enterprise Kubernetes and hybrid cloud solutions to customers. These innovations have become core technologies within IBM's $19 billion hybrid cloud business. Between them, IBM and Red Hat have contributed more to the open source community than any other organization.

Nobody's Cellphone Is Really That Secure, Bruce Schneier Reminds

Sun, 10/28/2018 - 06:00
Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump's personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one, writes Bruce Schneier. From a story: Security experts have been talking about the potential security vulnerabilities in Trump's cellphone use since he became president. And President Barack Obama bristled at -- but acquiesced to -- the security rules prohibiting him from using a "regular" cellphone throughout his presidency. Three broader questions obviously emerge from the story. Who else is listening in on Trump's cellphone calls? What about the cellphones of other world leaders and senior government officials? And -- most personal of all -- what about my cellphone calls? There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet's major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing "target selectors": phone numbers the NSA searches for and records. These included senior government officials of Germany -- among them Chancellor Angela Merkel -- France, Japan, and other countries. Other countries don't have the same worldwide reach that the NSA has, and must use other methods to intercept cellphone calls. We don't know details of which countries do what, but we know a lot about the vulnerabilities. Insecurities in the phone network itself are so easily exploited that 60 Minutes eavesdropped on a U.S. congressman's phone live on camera in 2016. Back in 2005, unknown attackers targeted the cellphones of many Greek politicians by hacking the country's phone network and turning on an already-installed eavesdropping capability. The NSA even implanted eavesdropping capabilities in networking equipment destined for the Syrian Telephone Company. Alternatively, an attacker could intercept the radio signals between a cellphone and a tower. Encryption ranges from very weak to possibly strong, depending on which flavor the system uses. Don't think the attacker has to put his eavesdropping antenna on the White House lawn; the Russian Embassy is close enough.

New SystemD Vulnerability Discovered

Sat, 10/27/2018 - 12:34
The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received." OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default. Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Twelve Malicious Python Libraries Found and Removed From PyPI

Sat, 10/27/2018 - 11:34
An anonymous reader writes: A software security engineer has identified 12 Python libraries uploaded on the official Python Package Index (PyPI) that contained malicious code. The 12 packages used typo-squatting in the hopes a user would install them by accident or carelessness when doing a "pip install" operation for a mistyped more popular package, like Django (ex: diango). Eleven libraries would attempt to either collect data about each infected environment, obtain boot persistence, or even open a reverse shell on remote workstations. A twelfth package, named "colourama," was financially-motivated and hijacked an infected users' operating system clipboard, where it would scan every 500ms for a Bitcoin address-like string, which it would replace with the attacker's own Bitcoin address in an attempt to hijack Bitcoin payments/transfers made by an infected user. 54 users downloaded that package -- although all 12 malicious packages have since been taken down. Four of the packages were misspellings of django -- diango, djago, dajngo, and djanga.

Canonical Releases Statistics Showing Adoption of Snap Packages

Sat, 10/27/2018 - 07:34
Canonical is applauding what it calls "exceptional adoption" of snaps -- and has shared some new statistics about its whole "Snappy" software deployment and package management system. Long-time Slashdot reader AmiMoJo shared this article from Neowin: snaps are seeing 100,000 installs every day on cloud, server, container, desktop and on IoT devices, which works out to around three million installs each month. Of course, these statistics don't only take into account snap installs on Ubuntu, but other distributions too. Canonical said that snaps are supported on 41 Linux distributions including Ubuntu, Debian, Linux Mint, Arch Linux, Fedora, and many more... Snap packages first launched alongside Ubuntu 16.04 which was released in 2016. They have several benefits over typical Linux packages, for example, their dependencies are bundled into the package making them easy to install, they get automatic updates and can be rolled back by the maintainer if issues arise, and they're sandboxed, giving the user more security.