[SECURITY] [DSA 3503-1] linux security update
[security bulletin] HPSBGN03550 rev.2 - HP Operations Manager i and BSM using Apache Flex BlazeDS, Remote Disclosure of Information
[security bulletin] HPSBHF03439 rev.1 - HP Commercial PCs with Sure Start, Local Denial of Service

Amazon's $50 Fire tablet, which runs Fire OS 5. (credit: Mark Walton)

In the wake of Apple's high-profile fight with the FBI, more users and journalists have been paying attention to encryption of local storage in phones and tablets. Apple strengthened the encryption on all iDevices in iOS 8, making it so that no one could decrypt the storage without knowing the user's passcode. Google made encryption a requirement for all Google-approved Android phones that ship with Marshmallow (after a false start in Lollipop), and it has been available as an optional Android security feature for years.

Amazon's Fire OS is a fork of Android, based on the Android Open Source Project (AOSP) code but without Google's apps and services or guaranteed compatibility with apps developed for Google-approved Android. Amazon has heavily customized the UI and provides its own app store, but it typically leans on AOSP code for under-the-hood, foundational features—in older Fire OS versions, the optional device encryption was handled the same way it was on any Android device. However, according to user David Scovetta and others on Amazon's support forums, that encryption support has been deprecated and removed in recent releases of Fire OS 5, both for new Fire tablets and for older devices that have been upgraded.

We contacted Amazon for comment, and the company told us that local device encryption support was removed in Fire OS 5 because the feature wasn't being used:



(credit: Genkin et al.)

Researchers have devised an attack on Android and iOS devices that successfully steals cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other high-value assets.

The exploit is what cryptographers call a non-invasive side-channel attack: instead of breaking the underlying math, it recovers the key by observing the device's physical behavior while it computes. It works against the Elliptic Curve Digital Signature Algorithm (ECDSA), a signature scheme that's widely used because it signs faster and with shorter keys than older alternatives such as RSA. By placing a probe near a mobile device while it performs signing operations, an attacker can measure enough electromagnetic emanations to fully extract the secret key that authenticates the end user's data or financial transactions. The same can be done using an adapter connected to the USB charging cable.

"An attacker can non-invasively measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone's USB cable, and a USB sound card," the researchers wrote in a blog post published Wednesday. "Using such measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android and from iOS's CommonCrypto."
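To make concrete why watching the signing operation gives up the signing key, here is an added toy simulation (not the researchers' code and not a measurement pipeline). It implements textbook ECDSA on secp256k1 (Bitcoin's curve; the constants are public) with a double-and-add scalar multiplication whose key-dependent "add" branch is recorded into a list standing in for the EM or power trace, and an attacker routine that reads the nonce back out of that trace and solves for the private key from a single signature. The message, the trace format and the assumption that the trace exposes every nonce bit perfectly are constructed for illustration; a real measurement is noisy and yields only partial nonce information, which is why the quoted results distinguish full from partial key leakage.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants; this is the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    return pow(a, -1, m)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def leaky_scalar_mult(k, point, trace):
    """Left-to-right double-and-add.  The conditional add is the key-dependent
    operation whose physical footprint a probe can pick up; this simulated
    trace records 'D' for every doubling and 'A' whenever the add runs."""
    result = None
    for bit in bin(k)[2:]:
        result = point_add(result, result)
        trace.append('D')
        if bit == '1':
            result = point_add(result, point)
            trace.append('A')
    return result


def public_key(d):
    return leaky_scalar_mult(d, G, [])


def sign(d, msg, trace, k=None):
    """ECDSA signing; k is the per-signature nonce (random unless fixed for tests)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), 'big') % N
    if k is None:
        k = secrets.randbelow(N - 1) + 1
    r = leaky_scalar_mult(k, G, trace)[0] % N
    s = inv(k, N) * (h + r * d) % N
    return h, r, s


def verify(pub, msg, r, s):
    h = int.from_bytes(hashlib.sha256(msg).digest(), 'big') % N
    w = inv(s, N)
    x = point_add(leaky_scalar_mult(h * w % N, G, []),
                  leaky_scalar_mult(r * w % N, pub, []))
    return x is not None and x[0] % N == r


# ---- attacker side -------------------------------------------------------

def nonce_from_trace(trace):
    """Each 'D' starts a new nonce bit (0); an 'A' right after it makes it 1."""
    bits = []
    for op in trace:
        if op == 'D':
            bits.append('0')
        else:
            bits[-1] = '1'
    return int(''.join(bits), 2)


def recover_key(h, r, s, k):
    """s = k^-1 (h + r d)  =>  d = (s k - h) r^-1  (mod N)."""
    return (s * k - h) * inv(r, N) % N


def demo():
    d = secrets.randbelow(N - 1) + 1
    trace = []                                # stands in for the captured signal
    h, r, s = sign(d, b"constructed sample transaction", trace)
    k = nonce_from_trace(trace)               # one signature's nonce from one trace
    return recover_key(h, r, s, k) == d       # -> True


if __name__ == "__main__":
    print("private key recovered from a single leaky signature:", demo())
```

The point of the toy is the last two lines of `demo`: once the nonce of even one signature is known, the private key falls out of the public signature values by a single modular equation, which is why implementations must make the scalar multiplication's timing, power and EM profile independent of the secret bits rather than merely keeping the key in memory.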



Pirates (like those shown here aboard a dhow in waters off western Malaysia in January 2006) used data stolen from a shipping company's systems to target cargo ships and steal specific crates of valuables in hit-and-run attacks. (credit: US Navy)

When the terms "pirate" and "hacker" are used in the same sentence, usually it's a reference to someone breaking digital rights management on software. But that wasn't the case in an incident detailed in the recently released Verizon Data Breach Digest report, unveiled this week at the RSA security conference. Verizon's RISK security response team was called in by a global shipping company that had been the victim of high-seas piracy aided by a network intrusion.

The shipping company experienced a series of hit-and-run attacks by pirates who, instead of seeking a ransom for the crew and cargo, went after specific shipping containers and made off with high-value cargo.

"It became apparent to the shipping company that the pirates had specific knowledge of the contents of each of the shipping crates being moved," the RISK team recounted in the report. "They’d board a vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate—and that crate only—and then depart the vessel without further incident."


[SECURITY] [DSA 3502-1] roundup security update
[SECURITY] [DSA 3426-2] ctdb regression update
Virginia works for a federal agency. She cannot use her hands because of a spinal cord injury, so she relies on a speech recognition system to operate her email and other applications. As her work group moves to a cloud-based software ...
[slackware-security] mailx (SSA:2016-062-01)
WordPress Bulk Delete Plugin [Privilege Escalation]
[slackware-security] php (SSA:2016-062-03)
[slackware-security] openssl (SSA:2016-062-02)
Panda SM Manager iOS Application - MITM SSL Certificate Vulnerability
Open-Xchange Security Advisory 2016-03-02
Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016
[security bulletin] HPSBHF03436 rev.1 - HP Thin Client with ThinPro OS, running Linux, Local Elevated Privileges
Internet Storm Center Infocon Status