0-days hitting Fedora and Ubuntu open desktops to a world of hurt


If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.

The zero-day exploits, which Evans published on Tuesday, are the latest to challenge the popular conceit that Linux, at least in its desktop form, is more immune to the types of attacks that have felled Windows computers for more than a decade and have increasingly snared Macs in recent years.

While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security-conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.


What can you do with a billion Yahoo passwords? Lots of bad things

An image sent by DNC staffer Alexandra Chalupa shows a warning message she received from Yahoo Mail. She may have been targeted using data from one of the Yahoo breaches or a forged cookie based on stolen Yahoo code. (credit: Alexandra Chalupa)

In October of 2013, as a result of documents leaked by Edward Snowden, we learned the National Security Agency tapped straight into the connections between data centers at Yahoo and Google as part of a program called MUSCULAR. A month later, Yahoo announced it would encrypt all of its internal networks between data centers and add Secure Sockets Layer encryption and secure (HTTPS) Web connections to all its services.

That move, however, failed to prevent two major breaches of user data: a breach affecting user data from more than 500 million user accounts late in 2014 (revealed in September) and the breach revealed yesterday involving data from more than 1 billion accounts. The recent break took place in August of 2013—before the barn door was closed. In addition, Yahoo's chief information security officer, Bob Lord, said that the parties behind the 2014 breach had stolen some of Yahoo's code and used it to forge Web "cookies" that gave access to users' accounts without the need to use login credentials.

Evidence of the August 2013 breach was given to Yahoo by "law enforcement officials," according to Lord, but it was likely discovered by a security researcher watching for data on underground markets. That suggests the data was in circulation in underground marketplaces in one form or another and actively in use by Internet criminal rings for a variety of purposes. If that's the case, then practically all of Yahoo's users who set up accounts prior to 2013 may have had details from their accounts used in targeted attacks, attempts to gain access to other Web accounts and cloud services, or any number of other scams.
