Security Alerts & News
by Tymoteusz A. Góral

History
#1201 EU to give free security audits to Apache HTTP Server and KeePass
The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects.

The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers.

The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.

Other projects considered in the survey included MySQL, Git, Elasticsearch, FileZilla, WinSCP, OpenSSH, Notepad++, Firefox, 7-Zip, VLC Media Player, glibc, the Linux kernel, Apache Tomcat, Bouncy Castle, OpenSSL, Drupal, VeraCrypt, Apache Commons, and the TYPO3 CMS.
#1200 GOP delegates suckered into connecting to insecure WiFi hotspots
A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland, US, underlines how risky it can be to connect to public Wi-Fi without protection from a VPN.

The exercise, carried out by security researchers at Avast, an anti-virus firm, revealed that more than 1,000 delegates were careless when connecting to public Wi-Fi.

Attendees risked the possibility of being spied on and hacked by cybercriminals or perhaps even spies while they checked their emails, banked online, used chat and dating apps, and even while they accessed Pokemon Go.

Avast researchers set up fake Wi-Fi networks at various locations around the Quicken Loans Arena and at Cleveland Hopkins International Airport with fake network names (SSIDs) such as “Google Starbucks”, “Xfinitywifi”, “Attwifi”, “I vote Trump! free Internet” and “I vote Hillary! free Internet” that were either commonplace across the US or looked like they were set up for convention attendees.
#1199 Malicious computers caught snooping on Tor-anonymized Dark Web sites
The trust of the Tor anonymity network is in many cases only as strong as the individual volunteers whose computers form its building blocks. On Friday, researchers said they found at least 110 such machines actively snooping on Dark Web sites that use Tor to mask their operators' identities.

All of the 110 malicious relays were designated as hidden services directories, which store information that end users need to reach the ".onion" addresses that rely on Tor for anonymity. Over a 72-day period that started on February 12, computer scientists at Northeastern University tracked the rogue machines using honeypot .onion addresses they dubbed "honions." The honions operated like normal hidden services, but their addresses were kept confidential. By tracking the traffic sent to the honions, the researchers were able to identify directories that were behaving in a manner that's well outside of Tor rules.
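The honion technique above is a honeytoken: an address that is never shared with anyone except the directories that store its descriptor, so any connection to it proves that one of those directories leaked it. The following is an added example, not code from the Northeastern study or from the Tor project, that models the attribution step in simplified form. The honion names, directory names, descriptor placements and visit log are all constructed for the example; real Tor publishes each descriptor to several hidden-service directories and the researchers' exact placement strategy is not described on this page.

```python
"""Honeytoken attribution of snooping hidden-service directories (added example).

Simplified model: each honion's descriptor is handed to a known set of
directories and the honion's address is otherwise kept secret.  A visit to a
honion therefore means at least one directory in that set leaked the address.
Directories that are the only possible explanation for a visit are flagged
outright; the remaining visits are covered with a greedy hitting-set
heuristic, which is evidence to investigate rather than proof of guilt.
"""
from collections import Counter

# Constructed data: which directories received each honion's descriptor.
PLACEMENTS = {
    "honion-a": {"dir-1"},
    "honion-b": {"dir-2", "dir-3"},
    "honion-c": {"dir-2", "dir-4"},
    "honion-d": {"dir-5"},   # never visited below: dir-5 must stay unflagged
}

# Constructed visit log: (unix time, honion that received a connection).
VISITS = [
    (1455270000, "honion-a"),
    (1455270300, "honion-a"),
    (1455271000, "honion-b"),
    (1455272000, "honion-c"),
]


def attribute(placements, visits):
    """Map each flagged directory to the number of visits it explains.

    Every visit yields a candidate set: the directories that held that
    honion's descriptor.  A candidate set of size one forces a flag.  Any
    visit whose candidates include a flagged directory counts as explained.
    Whatever is left is covered greedily by flagging the directory that
    appears in the most still-unexplained candidate sets.
    """
    pending = []
    for _, honion in visits:
        if honion not in placements:
            raise ValueError(f"visit to unknown honion {honion!r}")
        pending.append(frozenset(placements[honion]))

    flagged = Counter()

    def absorb(directory):
        # Flag the directory and drop every visit it can account for.
        nonlocal pending
        flagged[directory] += sum(1 for s in pending if directory in s)
        pending = [s for s in pending if directory not in s]

    # Forced flags: the descriptor went to exactly one directory.
    for single in {s for s in pending if len(s) == 1}:
        absorb(next(iter(single)))

    # Greedy cover of the remaining visits; sorted() gives a stable tie-break.
    while pending:
        votes = Counter(d for s in pending for d in s)
        absorb(max(sorted(votes), key=votes.__getitem__))

    return dict(flagged)


def unflagged(placements, flagged):
    """Directories that held a honion descriptor but explain no visit."""
    every = {d for dirs in placements.values() for d in dirs}
    return sorted(every - set(flagged))


if __name__ == "__main__":
    result = attribute(PLACEMENTS, VISITS)
    print("flagged:", result)
    print("not flagged:", unflagged(PLACEMENTS, result))
```

With the constructed data, dir-1 is flagged because honion-a was placed there alone, dir-2 is flagged because it is the single directory common to both remaining visits, and dir-5 is left alone because its honion was never contacted. In practice the signal gets stronger the more honions each directory receives and the fewer directories share each descriptor; the greedy cover is only a way to rank candidates when placements overlap.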
#1198 Auto industry publishes best practices for cybersecurity
In brief: An automotive industry information sharing group has published a “Best Practices” document, giving individual automakers guidance on improving the cybersecurity of their vehicles.

The automotive industry’s main group for coordinating policy on information security and “cyber” threats has for the first time published a “Best Practices” document, giving individual automakers guidance on implementing cybersecurity in their vehicles.

The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers.

The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.

Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process.