KevLar's Space

my little space on the interwebs

Critical Git Security Vulnerability Announced

An anonymous reader writes Github has announced a security vulnerability and has encouraged users to update their Git clients as soon as possible. The blog post reads in part: “A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected. The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem… Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client.”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1w41eXk
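As an added defensive example (not code from the GitHub post or from Git itself): a pre-checkout audit that flags tree paths whose components would collide with `.git` once a case-insensitive NTFS or HFS+ filesystem normalizes them, which is the class of path the quoted advisory describes. The HFS+ ignorable code-point list, the NFD approximation and the `GIT~1` short-name rule are assumptions modelled on the fix's idea, not Git's exact implementation.

```python
import unicodedata

# Code points HFS+ ignores when comparing names (assumed list, not Git's source).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D,
                 0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFEFF}


def normalize_hfs(component: str) -> str:
    """Approximate how HFS+ sees a name: drop ignorable code points, decompose, fold case."""
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    return unicodedata.normalize("NFD", stripped).casefold()


def normalize_ntfs(component: str) -> str:
    """Approximate how NTFS sees a name: fold case, strip trailing dots/spaces,
    and treat the 8.3 short name GIT~1 as an alias of .git (assumed rule)."""
    name = component.rstrip(" .").casefold()
    return ".git" if name == "git~1" else name


def is_dotgit_collision(path: str) -> bool:
    """True if any path component maps onto '.git' under either normalization."""
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if normalize_hfs(comp) == ".git" or normalize_ntfs(comp) == ".git":
            return True
    return False


def audit_tree(paths):
    """Return the subset of tree paths that would be blocked, in original order.
    Feed it the output of `git ls-tree -r --name-only <rev>` from a bare clone."""
    return [p for p in paths if is_dotgit_collision(p)]


# Constructed sample tree listing mixing benign paths with colliding ones.
SAMPLE_TREE = [
    "README.md",
    "src/.gitignore",          # benign: component is .gitignore, not .git
    ".GIT/config",             # case collision on both NTFS and HFS+
    ".g\u200cit/config",       # zero-width non-joiner that HFS+ ignores
    "git~1/hooks/post-checkout",  # NTFS 8.3 short name of .git
    ".git./config",            # trailing dot stripped by NTFS
]

if __name__ == "__main__":
    for bad in audit_tree(SAMPLE_TREE):
        print("refusing to check out:", repr(bad))
```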

Grinch Vulnerability Could Put a Hole In Your Linux Stocking

itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named Grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1JaYdyJ

Hackers Compromise ICANN, Access Zone File Data System

Trailrunner7 writes with this news from ThreatPost: “Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names. The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite a bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers. ICANN officials said they are notifying any users whose zone data might have been compromised.” (Here’s ICANN’s public note on the compromise.)

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1J9hwZ2

US Links North Korea To Sony Hacking

schwit1 writes Speaking off the record, senior intelligence officials have told the New York Times, CNN, and other news agencies that North Korea was “centrally involved” in the hack of Sony Pictures Entertainment. It is not known how the US government has determined that North Korea is the culprit, though it is known that the NSA has in the past penetrated North Korean computer systems. Previous analysis of the malware that brought down Sony Pictures’ network showed that there were marked similarities to the tools used in last year’s cyber-attack on South Korean media companies and the 2012 “Shamoon” attack on Saudi Aramco. While there was speculation that the “DarkSeoul” attack in South Korea was somehow connected to the North Korean regime, a firm link was never published.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1zzzaju

RFID-Blocking Blazer and Jeans Could Stop Wireless Identity Theft

An anonymous reader writes A pair of trousers and a blazer have been developed by San Francisco-based clothing company Betabrand and anti-virus group Norton that are able to prevent identity theft by blocking wireless signals. The READY Active Jeans and the Work-It Blazer contain RFID-blocking fabric within the pockets’ lining designed to prevent hacking through radio frequency identification (RFID) signals emitted from e-passports and contactless payment card chips. According to the clothing brand, this form of hacking is an increasing threat, with “more than 10 million identities digitally pickpocketed every year [and] 70% of all credit cards vulnerable to such attacks by 2015.”

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1zxMF4i

Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

First time accepted submitter River Tam writes Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you’re a Windows user in Australia who’s had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1zxME0g

Google Proposes To Warn People About Non-SSL Web Sites

mrspoonsi writes The proposal was made by the Google developers working on the search firm’s Chrome browser. The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm’s browser. If implemented, the developers wrote, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement, which monitors the way sites use more secure browsing technologies. In addition, since September Google has prioritised HTTPS sites in its search rankings.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/13dEkpI

Top Five Theaters Won’t Show “The Interview”; Sony Cancels Release

tobiasly writes The country’s top five theater chains — Regal Entertainment, AMC Entertainment, Cinemark, Carmike Cinemas and Cineplex Entertainment — have decided not to play Sony’s The Interview. This comes after the group which carried off a massive breach of its networks threatened to carry out “9/11-style attacks” on theaters that showed the film. Update: Sony has announced that it has cancelled the planned December 25 theatrical release.

Read more of this story at Slashdot.



via Slashdot: IT http://ift.tt/1v0J4X2
