Security Alerts & News
by Tymoteusz A. Góral

#697 Linux Foundation badge program to boost open source security
The Linux Foundation says a new Core Infrastructure Initiative (CII) Best Practices Badge program launched Tuesday will help companies interested in adopting open source technologies evaluate projects based on security, quality and stability.

The CII Best Practices Badge neither issues certificates nor validates open source projects. Instead, CII is a platform on which open source projects such as OpenSSL, Node.js, and GitLab self-disclose critical aspects of their projects.
#696 Microsoft SHA-1 deprecation final countdown begins
The home stretch of Microsoft’s planned SHA-1 deprecation schedule has arrived. This summer, with the planned release of the Windows 10 Anniversary Update, users should see signs that the weak cryptographic hash function is being phased out.

Microsoft said that once the anniversary update is rolled out, Microsoft Edge and Internet Explorer will no longer display the lock icon in the address bar for any site signed with a SHA-1 certificate.

Developers should see this happening soon in the Windows Insider Preview build, Microsoft said.

Last November, Microsoft hinted that it would start blocking SHA-1 signed TLS certificates this June, moving up its scheduled deprecation of SHA-1 by more than six months. By February 2017, Microsoft said last week, Edge and IE will block SHA-1 certs outright.
#695 Ubuntu founder pledges no back doors in Linux
Ubuntu developers are gathering this week for the Ubuntu Online Summit (UOS), which runs from May 3-5, to discuss development plans for the upcoming Ubuntu 16.10 Linux distribution release, code-named "Yakkety Yak."

In a video interview with Mark Shuttleworth, founder of Ubuntu Linux and Canonical, he discusses Ubuntu 16.10, including the Mir display server and his views on security including the use of encryption.

Ubuntu 16.10 is set to debut in October and follows the Ubuntu 16.04 update, which was released on April 21. While it's not yet entirely clear what exact features will land in Ubuntu 16.10, one candidate is the Mir display server. The Ubuntu community--and Shuttleworth in particular--has been talking about migrating to Mir since at least 2013. The promise of Mir is a unified display technology that will work across desktops, mobile devices and even TVs. While there is some controversy among members of the Linux community over the transition to Mir, Shuttleworth emphasized that few people will ever know the difference.

"I can't say when Mir will drop into Ubuntu as the default display system, but I can say when it does, no one should notice it," Shuttleworth told eWEEK. "That's our commitment: The set of experiences that people enjoy about Ubuntu--they can count on."
#694 OpenSSL patches two high-severity vulnerabilities
The latest batch of OpenSSL security patches was released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h.

One of the high-severity flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC cipher and the server supports AES-NI.

“The AES issue is interesting. If you can [man-in-the-middle] then you can inject packets, look at the error codes, and then eventually figure out the AES key,” said Rich Salz, a member of the OpenSSL development team and an engineer at Akamai. “So it’s for national-scale attackers who can force DNS or BGP routes, or small hackers who can hack Wi-Fi in Starbucks.”
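A small patch-level check, added here as an editorial example and not code from the article or from the OpenSSL project: it parses an `openssl version` string and reports whether the build is at or past the fixed releases named above, 1.0.1t and 1.0.2h. The function names are mine; OpenSSL's 1.0.x releases are ordered by a trailing letter (1.0.2a, 1.0.2b, ...), which is what the comparison relies on.

```python
import re
import subprocess

# Fixed releases for CVE-2016-2107 as given in the item above (1.0.1t and 1.0.2h).
FIXED_SUFFIX = {"1.0.1": "t", "1.0.2": "h"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from strings such as
    '1.0.2g' or the full 'OpenSSL 1.0.1t  3 May 2016' banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_fixed_for_cve_2016_2107(text):
    """True if the version is at or after the fixed release of its branch,
    False if it is older, None if the branch is not covered by this advisory
    (only 1.0.1 and 1.0.2 are named in the item)."""
    major, minor, patch, letter = parse_openssl_version(text)
    branch = "%d.%d.%d" % (major, minor, patch)
    if branch not in FIXED_SUFFIX:
        return None
    # Within a branch the letter suffix increases alphabetically; the bare
    # release without a letter ("") is the oldest and so compares lowest.
    return letter >= FIXED_SUFFIX[branch]


def check_local_openssl():
    """Run the local 'openssl version' binary and classify it (best effort)."""
    try:
        banner = subprocess.check_output(["openssl", "version"]).decode()
    except (OSError, subprocess.CalledProcessError):
        return None
    return banner.strip(), is_fixed_for_cve_2016_2107(banner)


if __name__ == "__main__":
    print(check_local_openssl())
```

Distribution packages often backport the fix without changing the upstream letter, so treat a False result as a prompt to check the package changelog rather than a final verdict.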
#693 FBI reaffirms stance not to pay ransomware attackers
The FBI has issued a warning to businesses about the relentless wave of ransomware. The bulletin includes preventative tips, and an affirmation of the bureau’s stance that companies affected by cryptoransomware attacks in particular should not succumb to temptation and pay their attackers off.

The warning comes at the same time as a Michigan utility continues to recover from an attack disclosed one week ago. Lansing Board of Water and Light posted a statement on its Facebook page this afternoon that it continues to investigate the attack, and that it has hired an incident response firm to handle recovery of its IT systems.
#692 LG's new fingerprint sensor doesn't need a button
LG Innotek has developed a fingerprint sensor that's placed under a glass surface instead of in a physical button, the company announced Sunday.

The new sensor could lead to smartphones that you can unlock by placing your finger on the phone screen.