Security: Intel Back Door, Hacking a Fingerprint Biometric, Dashlane, Vault 8, Cryptojacking, MongoDB and More

  • Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server

    The "Ring-3" mentioned there refers to the level of privileges granted to the ME system. As a Google presentation about ME (pdf) explains, operating systems like GNU/Linux run on Intel chips at Ring 0 level; Ring-3 ("minus 3") trumps everything above -- including the operating system -- and has total control over the hardware. Throwing a Web server and a networking stack in there too seems like a really bad idea. Suppose there was some bug in the ME system that allowed an attacker to take control? Funny you should ask; here's what we learned earlier this year...

    [...]

    Those don't seem unreasonable requests given how serious the flaws in the ME system have been, and probably will be again in the future. It also seems only fair that people should be able to control fully a computer that they own -- and that ought to include the Minix-based computer hidden within.

  • “Game Over!” — Intel’s Hidden, MINIX-powered ME Chip Can Be Hacked Over USB

    Even the creator of MINIX operating system didn’t know that his for-education operating system is on almost every Intel-powered computer.

  • Researchers find almost EVERY computer with an Intel Skylake and above CPU can be owned via USB

    Turns out they were right. Security firm Positive Technologies reports being able to execute unsigned code on computers running the IME through USB. The fully fleshed-out details of the attack are yet to be known, but from what we know, it’s bad.

  • Hacking a Fingerprint Biometric
  • Dashlane Password Manager Now Supports Linux [Ed: But why would anyone with a clue choose to upload his/her passwords?]

    Dashlane, the popular password manager, now supports Linux (and ChromeOS and Microsoft Edge) thanks to new web extension and web app combination.

  • Source Code For CIA’s Spying Tool Hive Released By Wikileaks: Vault 8

    From November 9, Wikileaks has started a new series named Vault 8. As a part of this series, the first leak contains the source code and analysis for Hive software project. Later, the other leaks of this series are expected to contain the source code for other tools as well.

  • Cryptojacking found on 2496 online stores

    Cryptojacking - running crypto mining software in the browser of unsuspecting visitors - is quickly spreading around the web. And the landgrab extends to online stores. The infamous CoinHive software was detected today on 2496 e-commerce sites.

  • 2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine Cryptocurrency
  • MongoDB update plugs security hole and sets sights on the enterprise

    Document database-flinger MongoDB has long positioned itself as the dev's best friend, but after ten years it is now fluffing itself up for the enterprise.

    The firm, which went public just last month and hopes to earn up to $220m, has now launched the latest version of its database, which aims to appeal to these bigger customers.

  • How AV can open you to attacks that otherwise wouldn’t be possible [Ed: Any proprietary software put on top of any other software (FOSS included) is a threat and a possible back door]

    Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn't be possible. On Friday, a researcher documented an example of the latter—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

    AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks.

  • Estonia arrests suspected FSB agent accused of “computer-related crime”

    Estonian authorities announced this week that they had recently arrested a Russian man suspected of being an agent of the Federal Security Service (FSB) who was allegedly planning "computer-related crime."

    The 20-year-old man, whose identity was not made public, was arrested last weekend in the Estonian border city of Narva as he was trying to return to Russia.
