
Security

Linus Torvalds talks frankly about Intel security bugs

posted on September 3, 2018
by l33tdawg
Credit: Wired

At The Linux Foundation's Open Source Summit North America in Vancouver, Linus Torvalds, Linux's creator, and Dirk Hohndel, VMware VP and chief open source officer, had a wide-ranging conversation about Linux security, open-source developer, and quantum computing.

Torvalds would really like his work to get back to being boring. It hasn't been lately because of Intel's CPU Meltdown and Spectre security bugs. The root cause behind these security holes was speculative execution.

Forget WannaCry, staff themselves pose a risk to healthcare data

posted on September 3, 2018
by l33tdawg
Credit: The Register

More than half of all healthcare data breaches reported during 2017 could be traced back to people on the inside of victim organisations, according to an annual study by Verizon.

The company's latest Protected Health Information Data Breach Report (PHIDBR) looked at 1,368 mostly US examples, identifying 782 (57.5 per cent) as having an insider element.

Security News This Week: Hackers Hit The Oatmeal, and It Wasn't Funny

posted on September 3, 2018
by l33tdawg
Credit: Wired

It may be the end of August, that time when a sticky malaise settles in, but hackers can wreak havoc even during summer vacation. Which is why WIRED’s security writers keep covering the news.

Like this story of how Iran set up a global propaganda campaign targeting social media. Issie Lapowsky lays out everything we know about the country's 2018 propaganda machine, like how they used fake profile photos to catfish targets, and they had a real thing for Bernie Sanders.

Booz Allen Hamilton Researchers Detail New RtPOS Point-of-Sale Malware

posted on August 28, 2018
by l33tdawg
Credit: Bleeping Computer

Security researchers from Booz Allen Hamilton have spotted a previously unseen and undocumented malware strain that targets point-of-sale (POS) systems.

The malware, which they named RtPOS, appears to be Russian in origin, according to an initial technical analysis published last week. Overall, this new malware strain is nowhere near as sophisticated as other fellow POS malware strains, such as TreasureHunter, UDPoS, RawPOS, or MajikPOS.

Exploit Published for Unpatched Flaw in Windows Task Scheduler

posted on August 28, 2018
by l33tdawg
Credit: Bleeping Computer

A security researcher has published on Twitter details about a vulnerability in the Windows OS.

The vulnerability is a "local privilege escalation" issue that allows an attacker to elevate the access of malicious code from a limited USER role to an all-access SYSTEM account.

Will Dormann, an engineer at CERT/CC, confirmed the vulnerability and issued an official CERT/CC alert last night. Dormann says the vulnerability resides in the Windows Task Scheduler, and more precisely in the Advanced Local Procedure Call (ALPC) interface.

Weak passwords let a hacker access internal Sprint staff portal

posted on August 26, 2018
by l33tdawg
Credit: TechCrunch

It’s not been a great week for cell carriers. EE was hit with two security bugs and T-Mobile admitted a data breach. Now, Sprint is the latest phone giant to admit a security lapse, TechCrunch has learned.

Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data.

WireGuard VPN review: A new type of VPN offers serious advantages

posted on August 26, 2018
by l33tdawg
Credit: Ars Technica

WireGuard is a new type of VPN which aims to be simpler to set up and maintain than current VPNs and to offer a higher degree of security. The software is free and open source—it's licensed GPLv2, the same license as the Linux kernel—which is always a big plus in my book. It's also designed to be easily portable between operating systems. All of that might lead you to ask: in a world that already has IPSEC, PPTP, L2TP, OpenVPN, and a bewildering array of proprietary SSL VPNs, do we need yet another type of VPN?

Security Flaws Inadvertently Left T-Mobile And AT&T Customers' Account PINs Exposed

posted on August 24, 2018
by l33tdawg
Credit: BuzzFeed

T-Mobile and AT&T customers’ account PINs — passcodes meant to protect mobile accounts from being hacked — have been exposed by two different security flaws, which were discovered by security researchers Phobia and Nicholas “Convict” Ceraolo.

Apple’s online store contained the security flaw that inadvertently exposed over 72 million T-Mobile customers’ account PINs. The website for Asurion, a phone insurance company, had a separate vulnerability that exposed the passcodes of Asurion’s AT&T customers.

Apache Struts Vulnerability POC Code Found on GitHub

posted on August 24, 2018
by l33tdawg
Credit: RF

On August 22, 2018, the Apache Software Foundation reported a new vulnerability in the Apache Struts framework (CVE-2018-11776) that could allow an attacker to execute remote code and possibly gain access to a targeted system. The flaw exists because Apache Struts does not perform proper validation of input data. This is a flaw in the Struts framework core, which means all Struts installations are potentially vulnerable.