Category Archives: Linux

90 Percent of All SSL VPN Use Insecure or Outdated Encryption


Information security firm High-Tech Bridge has conducted a study of SSL VPNs (Virtual Private Networks) and discovered that nine out of ten such servers don’t provide the security they should be offering, mainly because they are using insecure or outdated encryption.

An SSL VPN is different from a classic IPSec VPN because it can be used inside a standard Web browser without needing to install specific software on the client-side.

SSL VPNs are installed on servers, and clients connect to the VPN via their browsers alone. This connection between the user’s browser and the VPN server is encrypted with the SSL or TLS protocol.

Three-quarters of all SSL VPNs use untrusted certificates

Researchers from High-Tech Bridge say they analyzed 10,436 randomly selected SSL VPN servers and they found that most of them are extremely insecure.

They claim that 77% of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic. Both versions of the SSL protocol are considered insecure today, to the point that national and international security standards, such as PCI DSS and the NIST SP 800-52 guidelines, prohibit their use outright.

Regardless of their SSL version, 76% of all SSL VPN servers also used untrusted SSL certificates. These are certificates that a client cannot verify against a trusted certificate authority, so an attacker can present a look-alike certificate and launch MitM (Man-in-the-Middle) attacks on unsuspecting users.

High-Tech Bridge experts say that most of these untrusted certificates exist because many SSL VPNs ship with default pre-installed certificates that are rarely replaced.

Some VPNs still use MD5 to sign certificates

Additionally, the researchers note that 74% of certificates are signed with SHA-1 signatures and 5% with MD5 hashes, both of which are considered outdated.

41% of all SSL VPNs also used insecure 1024-bit RSA keys for their certificates, even though, for years now, any RSA key length below 2048 bits has been considered highly insecure.

Even worse, one in ten SSL VPNs is still vulnerable to the two-year-old Heartbleed vulnerability, despite patches being available.

Out of all the tested SSL VPNs, researchers say that only 3% followed PCI DSS requirements. None managed to comply with NIST (National Institute of Standards and Technology) guidelines.

High-Tech Bridge is also providing a free tool that can tell users if their SSL VPN or HTTPS website is actually doing a good job of protecting them.
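Two of the certificate findings above (MD5 or SHA-1 signatures, and RSA keys shorter than 2048 bits) can be checked directly from a certificate's DER encoding. The script below is an added example written for this page; it is not High-Tech Bridge's tool and not code from the original story. It uses only the Python standard library, walks the X.509 structure with a minimal ASN.1 TLV reader, and builds its own constructed toy certificates as sample input (the `make_sample_cert` helper, the fake modulus and the empty issuer/subject/validity fields are all assumptions made for the example, not real server certificates).

```python
"""Flag MD5/SHA-1-signed certificates and RSA keys under 2048 bits by walking
a certificate's DER encoding with a minimal ASN.1 TLV reader (stdlib only)."""

# Signature-algorithm OIDs this audit recognises (a subset of those in use).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
RSA_OID = "1.2.840.113549.1.1.1"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = read_tlv(buf, pos)
        yield tag, vs, ve

def decode_oid(raw):
    """Decode an OBJECT IDENTIFIER value to dotted form."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def audit_certificate(der_bytes):
    """Return a list of findings for one DER-encoded X.509 certificate."""
    findings = []
    _, cs, ce, _ = read_tlv(der_bytes, 0)                  # Certificate
    _, ts, te = next(children(der_bytes, cs, ce))           # tbsCertificate
    fields = list(children(der_bytes, ts, te))
    if fields[0][0] == 0xA0:                                # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, sig_alg, _, _, _, spki = fields[:6]
    _, os_, oe = next(children(der_bytes, sig_alg[1], sig_alg[2]))
    sig_name = SIG_OIDS.get(decode_oid(der_bytes[os_:oe]), "unknown")
    if "md5" in sig_name.lower() or "sha1" in sig_name.lower():
        findings.append(f"weak signature algorithm: {sig_name}")
    alg, bits = list(children(der_bytes, spki[1], spki[2]))
    _, ko, ke = next(children(der_bytes, alg[1], alg[2]))
    if decode_oid(der_bytes[ko:ke]) == RSA_OID:
        # BIT STRING: one unused-bits byte, then RSAPublicKey { modulus, exponent }
        _, ks, kend, _ = read_tlv(der_bytes, bits[1] + 1)
        _, ms, me = next(children(der_bytes, ks, kend))
        key_bits = int.from_bytes(der_bytes[ms:me], "big").bit_length()
        if key_bits < 2048:
            findings.append(f"RSA key too short: {key_bits} bits")
    return findings

def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out += bytes(reversed(chunk))
    return out

def encode_int(value):
    b = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive

def make_sample_cert(sig_oid, modulus_bits):
    """Constructed toy certificate: only the fields the audit reads are meaningful."""
    alg_id = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    modulus = (1 << (modulus_bits - 1)) | 1                 # fake modulus of that size
    rsa_key = der(0x30, encode_int(modulus) + encode_int(65537))
    spki = der(0x30, der(0x30, der(0x06, encode_oid(RSA_OID)) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_key))
    empty = der(0x30, b"")                                  # issuer/validity/subject stubs
    tbs = der(0x30, der(0xA0, encode_int(2)) + encode_int(1) + alg_id
              + empty + empty + empty + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + b"\xAA" * 32))

if __name__ == "__main__":
    print(audit_certificate(make_sample_cert("1.2.840.113549.1.1.5", 1024)))
    print(audit_certificate(make_sample_cert("1.2.840.113549.1.1.11", 2048)))
```

To run it against a real certificate, pass the DER bytes of a server's leaf certificate to `audit_certificate` (a PEM file can be converted with `openssl x509 -outform der`). The checks here cover only signature hash and RSA key size; whether the chain is trusted, whether SSLv2/SSLv3 are still enabled and whether the server is patched against Heartbleed are handshake-level questions that a certificate parser cannot answer.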

For the original story, follow this link to Softpedia.

This Hack Lets You Run Any Android App on Your Chromebook


Using a small JavaScript script, the hack, which is detailed in full on GitHub, allows any regular Android APK to be packaged up and, for want of a better term, side-loaded onto a Chromebook. It can then be run under the Android App Runtime in the same way as the 'official' Vine, Duolingo and Evernote.

Restrictions mean that only one Android app can be run at a time.

To watch a YouTube video demonstration and read the full original story, follow this link to OMG Chrome.

Try It Out

If the thought of waiting for Google to partner up with the maker of your favourite app, game or utility is too much to bear, you could don your hard hat and try it out for yourself.

But be warned: it's not a guide for the fainthearted or the technically averse. The developer behind the hack, Vladikoff, cautions that his tool is a 'proof of concept' and is provided without any kind of warranty or assurance. The hack is also not endorsed by Google, Chromium or Android.

To follow along you’ll need a Chromebook with the Android Runtime plugin installed, the Android Vine app (which will be replaced during the course of the guide) and an OS X or Linux desktop from which to ‘package’ your app.

Applications tested and said to be working include Twitter (in both tablet and mobile modes) and Flipboard (which was demoed running on a Chromebook at Google I/O).

Other apps tested but that crash include Google Chrome for Android (!), Spotify, SoundCloud and Swing Copters.

You can find more details and a download for the script on the project’s GitHub page, linked below.

‘Run Android APKs on Chromebooks’ Guide

NSA whistleblower: No software is ‘safe from surveillance’

A former NSA official said the agency has "more resources" for surveillance than the average user can ever hope to defend against.

William Binney doesn’t have a membership card to the small group of which he’s a part — people who have spoken out against the National Security Agency, and been left relatively unscathed — but at least he has the next best thing, a valid passport.

The former National Security Agency official, who spent three decades of his life in espionage — and is said to have been one of the reasons why Edward Snowden took and handed thousands of classified documents to journalists two years ago — still talks about his time in the intelligence community.

“The biggest threat to US citizens is the US government,” said Binney in a Reddit “ask me anything” session.

Which in itself would be a bold claim if it weren’t for the most recent revelations, which we can thank his whistleblowing “successor” for.

The NSA, once called the “No Such Agency” for its clandestine and secretive operations, has been embroiled in a string of intelligence-gathering and law-bending practices that have not only ensnared much of the world’s communications, but also the data belonging to Americans — the same people the agency is tasked with protecting.

One of those operations included developing cyberweapons based on hardware and software security vulnerabilities.

“I don’t think any software is safe from surveillance,” said Binney, in response to a question about free and open-source operating systems and software, such as Linux.

A few days earlier, the NSA, known for exploiting vulnerabilities in software, said in more than 90 percent of cases it would disclose flaws, with the exception of when “national security reasons” outweigh the public good. The NSA did not say when it would disclose those flaws, however, leaving open the possibility that they are used before they are turned over to be fixed.

Binney’s comments run contrary to how many see, in particular, open-source software, which many regard as more secure than closed-off systems, like Windows.

Ladar Levison, founder of Lavabit, the encrypted email service said to have been used by Snowden prior to his departure from the US, said in a phone conversation earlier this year that although he distrusts some US software, “you don’t have to distrust everything.”

“The true problem is that you don’t know what can be trusted and what can’t. I personally find myself seeking open platforms, systems, and tools, where I can go in and look — or at least if not myself, one of my peers,” he said.

Other open-source developers, like Cryptocat developer Nadim Kobeissi, have also said that open-source code makes it near-impossible to include backdoors.

To read more and the full story, follow this link to ZDNet.

New Android Malware Sprouting Like Weeds


Information stored on an Android smartphone or tablet is vulnerable to almost 4,900 new malware files each day, according to a report G Data SecurityLabs released Wednesday.

Cybercriminals’ interest in the Android operating system has grown, the firm’s Q1 2015 Mobile Malware Report revealed.

“The report suggests that Android devices are becoming a bigger target for the bad guys and more profitable than in previous years,” said Andy Hayter, security evangelist for G Data.

The number of new malware samples in the first quarter increased 6.4 percent (440,267) from the fourth quarter of last year (413,871). The number of malware strains rose by 21 percent compared with the first quarter of 2014 (316,153).

More than 2 million new Android malware strains are likely to surface this year, G Data predicted.

Just the Start

The 2 million figure is very realistic, due to the increasing use of Android devices for banking and shopping online, G Data suggested.

“The report shows that the OS has a bigger market share than the others, and thus is more interesting to security researchers and malware authors alike. Also, a lot of vendors offer Android devices varying in quality standards, but that is not a problem of the OS itself, but rather of the vendor in question,” Hayter told LinuxInsider.

Google introduced premium SMS Checks last year. After that, the malware models started to spread out, he noted.

“Before that time there were a few very active malware families, such as SMS FakeInstaller,” Hayter said. “Since then there are lots of small families.”

Financially Motivated

At least 41 percent of consumers in Europe and 50 percent in the U.S. use a smartphone or tablet for their banking transactions. Plus, 78 percent of Internet users make purchases online.

The new malware files have a financial foundation, according to the G Data report. At least half of all Android malware now in circulation includes banking Trojans, SMS Trojans and similar malware components.

The actual percentage of malware-infected Android apps easily could be higher, the researchers warned. They only studied malware with a direct financial purpose — many other types of cases might exist.

For example, a malware program might install apps or steal credit card data as an additional process after a payment is made. Because that type of malware would not seem to be financially motivated, it would not have been included in the report’s statistics.

Thin Dividing Line

Free Android apps offer particularly attractive attack vectors to cybercriminals. Many apps, especially free apps, rely on advertising to fund their development.

Bad apps can hide themselves in the background or conceal functions from users. Bad apps also can send legitimate apps’ data to additional advertising networks.

Apps that do such things — like programs running on PC OSes — are called “Potentially Unwanted Programs,” or PUPs. The report categorizes such apps as adware, noting that they often hide in manipulated or fake apps that are installed from sources other than the Google Play Store.

Malware Magnet

Android is a derivative of Linux, an operating system generally considered less likely to be targeted by viruses and malware. However, Android is less rigorous and less secure than other mobile platforms, said Rob Enderle, principal analyst at the Enderle Group.

“There is much more sideloading, which means there is a far easier path to getting viruses on Android devices than any other mobile platform,” he told LinuxInsider.

Google historically has been less focused on security and customer satisfaction than firms that are more closely tied to user revenue, Enderle said. Another reason for Android’s vulnerability is that mobile platforms generally don’t run security software.

Historically, they have been somewhat protected because of their tight ties to curated stores, “but now that smartphones have PC-like performance, they are becoming a magnet for malware,” noted Enderle.

“Google’s lack of focus on this problem, reminiscent of Microsoft’s similar mistake in the late 1990s — which resulted in their having to rethink their OS and create Windows XP — has created a massive exposure for Android users,” he said.

To read more, follow this link to LinuxInsider.

Automotive Grade Linux Delivers Open Automotive Software Stack for the Connected Car


SAN FRANCISCO and TOKYO (AUTOMOTIVE LINUX SUMMIT), June 30, 2014 – Automotive Grade Linux (AGL), a collaborative open source project developing a common, Linux-based software stack for the connected car, today announced that its first open source software release is available for download, bringing the industry one step closer to achieving a standard Linux-based software platform for the connected car.

AGL is building the industry’s only fully open automotive platform, allowing automakers to leverage a growing software stack based on Linux while retaining the ability to create their own branded user experience. Standardizing on a single platform means the industry can rapidly innovate where it counts to create a safe and reliable connected car experience. Open collaboration within the AGL community means support for multi-architectures and features to bolster the in-vehicle infotainment (IVI) experience.

“Openness and collaboration are key to accelerating the development of a common, standard automotive platform so the industry can more quickly achieve its vision of delivering the connected car,” said Dan Cauchy, general manager of automotive, The Linux Foundation. “This AGL release is a great step forward and the community is already looking to build on its work to address a number of additional capabilities and features in subsequent releases. With AGL at the core, the industry will be able to more rapidly innovate and evolve to meet customer needs.”

AGL builds on top of Tizen IVI and adds key applications developed in HTML5 and JavaScript into a single open source reference platform.

See the slideshow of AGL key features, including:

• Home Screen
• Dashboard
• Google Maps
• HVAC
• Media Playback
• News Reader (AppCarousel)
• Audio Controls
• Bluetooth Phone
• Smart Device Link Integration

Each component includes a detailed Design Requirements Document (DRD) with descriptions, use cases, HMI flows, graphical assets, architecture diagrams and more. AGL code, DRDs and more are all available on the AGL wiki to give anyone the background and tools needed to use the software and start contributing to the project.

“Using AGL means the industry benefits from the stability and strength of a common Linux distribution, Tizen IVI, at the core while bringing their own unique applications and functionality to market faster,” said Rudolf Streif, director of embedded solutions, The Linux Foundation. “Collaborating within the AGL community helps the industry avoid fragmentation that can waste time and R&D resources that could be put to better use innovating on safety and reliability for drivers.”

AGL is free to download and anyone can participate in the open source community. Learn more: http://automotive.linuxfoundation.org/

For more information follow the source link below.

Source: Linux Foundation

Rugged, wildly modular tablet runs Android and Linux

[Image: CrossfirePro running Android]

Entegra announced a rugged, modular tablet that’s configurable for a wide range of environments and applications, and supports both Android 4.2 and Linux.

Entegra’s CrossfirePro is unlike any tablet you’ve encountered: it’s the consummate chameleon of rugged slates, boasting a modularity that starts with its snap-in Qseven computer-on-module processing core and extends to nearly every aspect of its I/O and software. Though it ships standard with a 1.86GHz quad-core Intel Bay Trail M-series N2930 processor, the COM-based core supports alternatives ranging from faster or slower Intel and AMD x86 CPUs to ARM-based SoCs. It also accepts I/O add-ons such as barcode scanners, magnetic stripe readers, fingerprint scanners, smart card and NFC readers, and a variety of custom modules, says the company.

[Image: CrossfirePro with a rear-mounted cardswipe/keypad module]

Entegra also offers three docks for the CrossfirePro, which support its use in office, point-of-sale, and vehicular environments. These would presumably be accompanied by snap-in or add-on modules, operating systems, and application software suitable to each market.

[Image: CrossfirePro Desk Dock]
[Image: CrossfirePro Vehicle Dock]
[Image: CrossfirePro Point-of-sale Dock]

The photos below show how the Qseven COM and mSATA storage devices snap into compartments in the rear of the tablet.

[Image: CrossfirePro’s configurable Qseven COM and mSATA storage device]

To support such an extensive array of modularity, Entegra designed a unique mainboard that’s controlled by a PIC microcontroller. The PIC chip serves as a “traffic cop” to initialize and manage the options it discovers upon power-up, as illustrated in the diagram below.

[Image: CrossfirePro’s PIC µC discovers modules and configures the tablet accordingly on power-up]

For a full list of the specs, follow the source link below.

Source: LinuxGizmos.com