The most popular free certificate signing authority Let’s Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software.

The bug, which Let’s Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates.

As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder’s control of a domain name.

The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name.

Let’s Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record authorizing that domain before issuing the certificate. The bug — which was uncovered in the code for Boulder, the certificate signing software used by Let’s Encrypt — is as follows:

“When a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times.” In other words, when Boulder needed to parse, for example, a group of 5 domains names that required CAA rechecking, it would check one domain name 5 times as opposed to checking each of the 5 domains once.

The company said the bug was introduced as part of an update back in July 2019.

This means that Let’s Encrypt might have issued certificates that it shouldn’t have in the first place, as a result of which it’s revoking all the TLS certificates that were affected by the bug.

The development comes as Let’s Encrypt project announced last week that it had issued its one-billionth free TLS certificate since its launch in 2015.

Let’s Encrypt said 2.6 percent of approximately 116 million active certificates are affected — about 3,048,289 — out of which about one million are duplicates of other affected certificates.

Affected website owners have until 8PM UTC (3PM EST) March 4 to manually renew and replace their certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.

It’s worth noting that the certificates issued by Let’s Encrypt are valid for a period of 90 days, and ACME clients such as Certbot are capable of automatically renewing them.

But with Let’s Encrypt revoking all impacted certificates, website admins will have to perform a forced renewal to prevent any interruptions.

Besides using the tool https://checkhost.unboundtest.com/ to check if a certificate needs replacement, Let’s Encrypt has put together a downloadable list of affected serial numbers, allowing subscribers to check if their websites rely on an affected certificate.

The post Let’s Encrypt Revoking 3 Million TLS Certificates appeared first on CVTF Studios.net.

The post Crypto-Mining Supply Chain Attack Hits UK Gov’t websites appeared first on CVTF Studios.net.

Swati Khandelwal

Technical Writer, Security Blogger and IT Analyst.

She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Link: https://thehackernews.com/2017/05/cryptocurrency-mining-botnet.html

The post 15000 compromised servers appeared first on CVTF Studios.net.

Cybersecurity and cyberattacks have become prominent topics lately. No matter how much you secure your network, vulnerabilities continue to emerge for different operating systems and applications. Most recently, security professionals have discovered two critical vulnerabilities in a third-party PDF reading application called Foxit Reader. These vulnerabilities allow hackers to execute arbitrarily-defined code on a user‘s computer when Foxit Reader is used without Safe Reading Mode enabled.

Two critical zero–day vulnerabilities

On August 17th, researchers Steven Seeley and Ariele Caltabiano discovered two vulnerabilities in Foxit Reader:

1. CVE-2017-10951, which acts as a command injection bug that resides in the app.launchURL function and executes strings provided by hackers. This vulnerability is mainly due to improper validation.

2. CVE-2017-10952, which exists in the saveAs function and allows hackers to execute an arbitrarily–specified file on user computers. If the arbitrary file is modified, then hackers can modify anything on the end user’s computer. Steven Seeley has tested a proof of concept and published it on Zero Day Initiative.

How can you keep Foxit Reader safe?

1.Take precautions: Avoid downloading attachments from email addresses you don’t know. Opening a PDF from a nefarious sender could compromise your entire system.

2.Manually change settings: Whether you’re using Foxit Reader or Foxit Phantom PDF, go to the settings menu and enable Safe Reading Mode and uncheck Enable JavaScript Actions.

3.Employ automatic patch management: Doing all the ground work manually is tiresome and complicated, especially since the number of vulnerabilities per application continually increases. Regularly updating your network is one of the best ways to remain free from zero-day vulnerabilities. Stay vigilant by employing patch management software like Desktop Central, which manages and deploys patches automatically.

How can ManageEngine help?

ManageEngine offers two types of support for these Foxit Reader vulnerabilities:

1.Patch deployment

Desktop Central can patch Windows, Mac, Linux, and over 250 third-party applications, all from a central location. We have released an update specifically for Foxit products to automatically enable Safe Reading Mode in Foxit PDF applications.

2.Registry configuration

With Desktop Central, you can deploy specific registry configurations, including the Foxit-specific keys below, to managed computers.

Key for enabling Safe Reading Mode:
HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 8.0\Preferences\TrustManager
bSafeMode=1 (Enable Safe Reading Mode)
bSafeMode=0 (Disable Safe Reading Mode)

Key for unchecking Enable JavaScript Actions:
HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 8.0\Preferences\Others
bEnableJS=1 (Enable JavaScript Actions)
bEnableJS=0 (Disable JavaScript Actions)

Start using Desktop Central today to evade vulnerabilities and breaches happening across any third–party application.
Related posts :

The post Two critical vulnerabilities in Foxit Reader appeared first on CVTF Studios.net.

An Update with You in Mind

Gear up for a more intuitive WordPress!

Version 4.8 of WordPress, named “Evans” in honor of jazz pianist and composer William John “Bill” Evans, is available for download or update in your WordPress dashboard. New features in 4.8 add more ways for you to express yourself and represent your brand.

Though some updates seem minor, they’ve been built by hundreds of contributors with you in mind. Get ready for new features you’ll welcome like an old friend: link improvements, three new media widgets covering images, audio, and video, an updated text widget that supports visual editing, and an upgraded news section in your dashboard which brings in nearby and upcoming WordPress events.

---

Exciting Widget Updates

The post Update of WordPress to 4.8 appeared first on CVTF Studios.net.

Last updated August 1, 2016 By Munif Tanjim– https://itsfoss.com

Looking for best Linux to learn hacking?

Whether you want to pursue a career in Information Security or you are already working as a security professional or if you are just interested in this specific field of knowledge, a decent Linux distro that suits your purpose is a must.

There are countless Linux distros for various purposes. Some are designed for specific tasks in mind and others are for different interfaces.

We have seen weird Ubuntu distributions in an older article. But, today we are going to have a look at a list of some of the best Linux distro to learn hacking and Penetration Testing.

Before we see the best Linux distros for hackers, I would recommend you to check for online hacking courses at our ITSFOSS shop.

Best Linux hacking distros in 2016

I have basically listed out various Linux distributions focusing on security. These Linux distros provide various tools that are needed for assessing networking security and other similar tasks. List is in no particular order.

Kali Linux

Kali Linux is the most widely known Linux distro for ethical hacking and penetration testing. Kali Linux was developed by Offensive Security taking on the mantle of BackTrack.

The post What is the best Linux Distributions for Hacking and Penetration Testing in 2016 appeared first on CVTF Studios.net.

The post Fortinet SSH Backdoor Found In Firewalls appeared first on CVTF Studios.net.

Like most commands on Linux, SSH can be used with input/output redirection via |Unix Pipe. SSH can be used with this pipeline too. The basic concept here is understanding how the Unix pipeline works.
When you understand the way pipes work, you can get seriously creative. This article covers what happens when you combine Unix pipes and SSH. It should be noted that since Unix pipes can be just about anything, there are no doubt going to be commands not on this list would also be useful.

Understanding the Unix Pipeline

Pipes on Unix (and by extension, Linux) are used to chain programs together and make them work together. For example, using cat, you can show the contents of a file, but if you used a pipe, you could chain the cat command to the more command to make the file easier to read through.

cat file1 | more

The basic idea here is this: program1 fileX | program2. It’s not just limited to one file and two programs, though. Piping can get about as advanced as you need it to be with as many modifiers as you can think of.

Note: Some types of pipes can be done without using the |. Some may use > instead.

The post How to Use SSH Pipes on Linux appeared first on CVTF Studios.net.

Even if law enforcement wins the case, it could still lose.

https://www.fastcompany.com/3058040/fast-feed/apple-engineers-might-quit-if-ordered-to-unlock-iphone-for-fbi

There’s a new challenge to law enforcement’s effort to get Apple to unlock one of the San Bernardino shooter’s phones. The government faces off against Apple in court on Tuesday to argue that the company must comply with a previous court order to bypass the security features built into iOS and also build a version of iOS with a back door accessible to the government. Apple has been strongly opposed to the order and now several key Apple engineers are saying they could simply quit the company instead of being forced to work to weaken the security of software and devices they helped build, reports the New York Times.

“Apple employees are already discussing what they will do if ordered to help law enforcement authorities,” reports the Times. “Some say they may balk at the work, while others may even quit their high-paying jobs rather than undermine the security of the software they have already created, according to more than a half-dozen current and former Apple employees.”

By choosing to quit instead of work on building what Apple is referring to as “GovtOS,” several legal experts told the Times, Apple and the engineers that choose to leave the company could likely avoid accusations of being in contempt of court. Indeed, Apple has already argued in its legal filings in the case that any conscription would curb an employee’s freedom of speech by forcing them to do things they consider offensive.

While quitting a job isn’t ideal for any employee, it’s not like these engineers would have trouble finding work elsewhere. “The fear of losing a paycheck may not have much of an impact on security engineers whose skills are in high demand,” notes the Times. “Indeed, hiring them could be a badge of honor among other tech companies that share Apple’s skepticism of the government’s intentions.”

Apple has said that if it is ordered to build “GovtOS” it would likely take six to 10 Apple engineers a month to do so. Sources told the Times that the team would need to be made up of very specific engineers in Apple across its hardware, software, and services division. And while Apple currently doesn’t have a GovtOS team assembled, the specific members of the team are obvious.

“They include an engineer who developed software for the iPhone, iPad and Apple TV. That engineer previously worked at an aerospace company. Another is a senior quality-assurance engineer who is described as an expert ‘bug catcher’ with experience testing Apple products all the way back to the iPod. A third likely employee specializes in security architecture for the operating systems powering the iPhone, Mac and Apple TV,” the Times reports.

Of course, these Apple employees could simply refuse to comply with the order instead of quitting, but in doing so, say legal sources, those employees and Apple could then be found in contempt of court.

But if every engineer Apple needed for GovtOS quit “Apple could demonstrate that this happened to the court’s satisfaction, then Apple could not comply and would not have to,” Joseph DeMarco, a former federal prosecutor, told the Times. “It would be like asking my lawn guy to write the code.”

This is, of course, all theoretical, for now. No one knows what the outcome of Apple’s legal battle with the FBI will be or how long and drawn out the fight will be. But if worse comes to worst, the FBI may still not get what it wants.

“It’s an independent culture and a rebellious one,” Jean-Louis Gassée, a former engineering manager at Apple, told the Times. “If the government tries to compel testimony or action from these engineers, good luck with that.”

The post Apple Engineers Might Quit If Ordered To Unlock iPhone For FBI appeared first on CVTF Studios.net.

‘Marauders Map’ lets you track friends using FB Messenger: Tool plots a precise location each time someone uses the site

• Harvard student has created a digital ‘Marauder’s Map’ that uses location data from Facebook Messenger to pinpoint an individual’s movements
• Relies on people sharing their location by default in messages
• Map was designed to highlight how much data is leaked from Facebook 

By Sarah Griffiths for MailOnline

Published: 14:02, 28 May 2015 | Updated: 16:26, 28 May 2015

Harry Potter may have had a magical paper ‘Marauder’s Map’ but now there’s a digital equivalent that can pinpoint your friends’ locations using information from Facebook.

The extension loads when the Messages tab is opened and ‘scrapes’ the page for location data to show the movement of friends with a startling degree of accuracy.

While some people may see the map as a useful tool, it serves to highlight how much data Facebook’s messaging service shares – and could leave individuals open to stalking, for example.

The post FaceBooks Messenger’s app lets people send their location to friends and it defaults to sending a location with all messages appeared first on CVTF Studios.net.