
Security Leftovers

Filed under: Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time — which means that writing every single line of code from the ground up is often not a sustainable practice. As the NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

More in Tux Machines

GNOME Devs Mull Making Dedicated System Info Tool

Would you find the GNOME desktop more useful if it could tell you more about the system you’re running? If so, you may be interested to hear about a new app mooted by GNOME design team member Allan Day. Day proposes the creation of a new hardware diagnostics tool that would, in his words: “show technical details about the system and the available hardware. It would also include information about the firmware for your hardware, and allow blacklisting certain firmware versions.” Now, call me wrong — I usually am — but doesn’t that sound like it would be mightily useful?

Android Leftovers

OSS: Legal and Licensing Workshop (LLW), Molly de Blanc on 'Breaking Up', Apache Software Foundation News and Beancount Examined

  • Business models and open source
    One of the more lively sessions that was held at the 2019 Legal and Licensing Workshop (LLW) was Heather Meeker's talk on open-source business models and alternative licensing. As a lawyer in private practice, Meeker worked on a number of the alternative licenses that were drafted and presented over the last year or so. But she is also part of a venture capital (VC) firm that is exclusively investing in companies focused on open source, so she has experience in thinking about what kinds of models actually work for those types of businesses. The LLW is organized annually by the Free Software Foundation Europe (FSFE). It is meant as a gathering for lawyers, engineers, and others interested in licensing topics. By default, sessions are run under the Chatham House Rule, which means that participants cannot be identified, either by name or affiliation. Meeker waived that rule for her talk, though those from the audience who made comments may or may not have waived the rule. Meeker acknowledged that her topic was controversial, but that she would be "your Beatrice [from the Divine Comedy] to the miasma of venture-backed open-source companies". Her slides were entitled "What color are your razor blades? FOSS business models". The title is referencing the famous What Color is Your Parachute? book for job seekers. The idea is to imagine an idea with specificity, so open-source companies need to imagine what they are selling (their "razor blades") with specificity in order to be successful. Otherwise, she said, they end up with the business model of the Underpants Gnomes ("1. Collect underpants, 2. ?, 3. Profit"). For a long time, there was a tendency for open-source entrepreneurs to equate "lots of downloads" with profit, which is more or less the same thing. That is not really going to happen unless a lot of thought is put into how the business will actually function.
  • Molly de Blanc: breaking up
    FLOSS is about choice (among other things). One of the things we get from developer freedom is the ability to specialize or have specialized technology — the development of features and tools, the fixing of bugs and anti-features.
  • Apache Software Foundation Advances Enterprise App Development With Top Level Projects
    The open source Netbeans Java Integrated Developer Environment (IDE) and SkyWalking application performance monitoring (APM) project efforts move forward. Open source is often at the core of modern enterprise applications and few if any organizations have as much impact as the Apache Software Foundation (ASF). The Apache Software Foundation runs its open source projects on a hierarchy of principally three levels: top-level projects (TLPs), sub-projects and incubated projects. Achieving TLP status is a major milestone for an open source effort. Among the projects that have recently achieved TLP status are the Apache Netbeans Java Integrated Developer Environment (IDE) and the Apache SkyWalking application performance monitoring (APM) efforts.
  • Counting corporate beans
    Some things simply take time. When your editor restarted the search for a free accounting system, he had truly hoped to be done by now. But life gets busy, and accounting systems are remarkably prone to falling off the list of things one wants to deal with in any given day. On the other hand, accounting can return to that list quickly whenever LWN's proprietary accounting software does something particularly obnoxious. This turns out to be one of those times, so your editor set out to determine whether beancount could do the job. Beancount was already covered here almost exactly one year ago, but that review was focused on personal finances; company accounting has a different set of requirements. That article is worth reviewing, though, as the material covered there will (mostly) not be repeated here. Here, instead, the emphasis will be on what a simple business needs. At the top of the list is the ability to import data into the system and to get it back out again. An ongoing business has a long accounting history that needs to be present going forward. Beancount keeps all of its data in a plain-text file with a well-documented format, so both import and export are relatively easy. Building on the tools written to extract data from QuickBooks, your editor was able to write a script to import the accounting database into beancount over the course of an hour or two.

Security: Updates, Windows Issues, GNOME Security Internship and Slackware Security Updates

  • Security updates for Wednesday
  • Microsoft blocks Windows 10 May 2019 Update on PCs that use USB storage or SD cards
  • Windows Malware ‘Aggah’ Infects Your PCs Through Microsoft Word Docs
    The latest in a series of online attacks is ‘Aggah’, a global malware campaign with roots in the Middle East. The Windows malware comprises a commodity Trojan script being spread via an infected Microsoft Word document. The perpetrators are tricking users into downloading and activating the malicious code using RevengeRAT. Since RevengeRAT is comprised of several open source Trojan builds, it is very difficult to pinpoint the actual spammer. The people involved in this are using the alias name ‘haggah’ to carry out their operation.
  • Ludovico de Nittis: After GNOME Security Internship - Update 7
    I received a few code reviews in the GNOME Settings Daemon MR that I’ll try to address in the next days. Also I’m going to widen the requirements for allowing keyboards when the screen is locked. Right now if the lock screen is active we authorize a keyboard only if it is the only available keyboard in the system. It was a good idea in theory but not that much in practice. For example let’s assume that you use a hardware USB switch hub between your desktop and your laptop with a mouse and a keyboard attached. If you have a “gaming” mouse with extra keys it is not only a mouse but also a keyboard. That means that when you want to switch from your laptop to the desktop, the mouse and the keyboard will be connected nearly simultaneously and if the mouse goes first the real keyboard will not be authorized. So you’ll be locked out from your system. The gaming mouse is also only an example. If you have a YubiKey shared in this USB hub there will be the same problem explained above. For this reason in the next days I’ll edit the current implementation so that every USB keyboard will be authorized even if the lock screen is active. However we will still show a notification to explain that we authorized a new keyboard while the screen was locked.
  • MATE 1.22.1 Brings Sharper Icons and Security Updates
    It's been a month since the final release of MATE 1.22.0 and the developers have pushed a new update, MATE 1.22.1, which fixed some issues, including security fixes in the code that still uses unsafe functions such as strcat or strcpy. The new mate-icon-theme is also featuring sharper icons for some MATE components as can be seen in the git log. The icons are now built using the latest inkscape version so you will notice some differences once you upgrade your MATE components and log out from X and log in again or reboot your machine. For this new update, I had to patch the upstream source a bit to remove a dependency on inkscape in order to build mate-utils. It was introduced in this commit, but I reverted some of the changes in the latest commit here. It won't have any effect at all for users as inkscape is only used as a build dependency, not as a runtime dependency.