
Security Leftovers

Filed under: Security
  • Security updates for Wednesday
  • Technology That Could End Humanity—and How to Stop It

    WIRED: What is the vulnerable world hypothesis?

    Nick Bostrom: It's the idea that we could picture the history of human creativity as the process of extracting balls from a giant urn. These balls represent different ideas, technologies, and methods that we have discovered throughout history. By now we have extracted a great many of these and for the most part they have been beneficial. They are white balls. Some have been mixed blessings, gray balls of various shades. But what we haven't seen is a black ball, some technology that by default devastates the civilization that discovers it. The vulnerable world hypothesis is that there is some black ball in the urn, that there is some level of technology at which civilization gets decimated by default.

  • Huawei banned from using US components without approval

    The US has placed Chinese telecommunications equipment vendor Huawei Technologies and some 70 of its affiliates on a list that means it will have to obtain government approval in order to buy American-made components.

  • Trump declares national emergency over IT threats

    He signed an executive order which effectively bars US companies from using foreign telecoms believed to pose national security risks.

  • Huawei offers 'no-spy' contracts and promises to 'shutdown' if China forces backdoors

    Despite emphatic denials from the Chinese tech giant, there are still significant suspicions around the world about how close Huawei is to the Chinese government and whether, if expected to, it would plant back doors in its equipment to allow remote access.

  • The radio navigation planes use to land safely is insecure and can be [cracked]

    Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course. Normal training will call for the pilot to adjust the plane’s descent rate or alignment accordingly and create a potential accident as a result.

  • Why I've started using NoScript

    For one, NoScript's user interface has become much better: Now, if a page isn't working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less. You can set it to automatically whitelist domains you directly visit (thereby only blocking third-party scripts).

    A more pressing change is that I'm now much less comfortable letting arbitrary third parties run code on my computer. I used to believe that my browser was fundamentally capable of keeping me safe from the scripts that it ran. Sure, tracking cookies and other tricks allowed web sites to correlate data about me, but I thought that my browser could, at least in principle, prevent scripts from reading arbitrary data on my computer. With the advent of CPU-architecture-based side channel attacks (Meltdown and Spectre are the most publicized, but it seems like new ones come out every month or so), this belief now seems quite naïve.

  • It’s Almost Impossible to Tell if Your iPhone Has Been [Cracked]

    “The simple reality is there are so many 0-day exploits for iOS,” Stefan Esser, a security researcher that specializes in iOS, wrote on Twitter. “And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.”

  • Google recalls its Bluetooth Titan Security Keys because of a security bug

    To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

    Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

  • Google offers free 2FA Bluetooth Titan Security Key swaps after security flaw discovered

    Make that most people. In a post on its security blog, Google divulged Wednesday that it has discovered a “misconfiguration” with the Bluetooth Low Energy version of its Titan Security Key that could allow a nearby attacker to “communicate with your security key, or communicate with the device to which your key is paired.”

  • Kubernetes security: 5 mistakes to avoid

    Modern applications and infrastructure no doubt require modern security practices, but the fundamentals still apply.

    “The majority of data breaches are easily preventable with basic cybersecurity hygiene,” says Tim Buntel, VP of application security at Threat Stack.

    That should be received as good news: Fundamental issues such as access and privilege remain fundamental, even as containers, microservices, orchestration, and other evolutionary developments continue to shake up IT. In fact, one of the biggest out-of-the-gate risks that can occur as organizations adopt new technologies is that they develop amnesia around best practices like enforcing the principle of least privilege.

    Consider the rise of Kubernetes in the enterprise: Like any tool or technology, it comes with security considerations. That’s not because Kubernetes is inherently risky or insecure – far from it. Rather, many of the risks occur because teams get caught up in the power and popularity of Kubernetes without properly considering what it will take to effectively run it in production, says Matt Wilson, chief information security advisor at BTB Security.

  • How to protect your devices against the ZombieLoad attack
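The least-privilege point in the Kubernetes item above, as an added example that is not code from the article, from Threat Stack or from BTB Security: a shell function that screens a Pod manifest for the settings that most often hand a workload more privilege than it needs, run over a constructed weak manifest and its hardened counterpart. The pod name and image references are placeholders; the field names are the real Pod spec fields.

```shell
#!/bin/sh
# Added example (not code from the article, Threat Stack or BTB Security).
# audit_pod reads a Pod manifest on stdin and prints one line per setting
# that breaks least privilege. It is a line-oriented screen for a review or
# a CI job; an admission controller should enforce the same rules in-cluster.

# has MANIFEST REGEX: true if any line of MANIFEST matches REGEX
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

audit_pod() {
    m=$(cat)
    has "$m" '^[[:space:]]*privileged:[[:space:]]*true' \
        && echo "privileged: true gives the container the host's devices and every capability"
    has "$m" '^[[:space:]]*host(Network|PID|IPC):[[:space:]]*true' \
        && echo "host namespace sharing exposes host processes, IPC or network to the pod"
    has "$m" '^[[:space:]]*allowPrivilegeEscalation:[[:space:]]*false' \
        || echo "allowPrivilegeEscalation is not false, so setuid binaries can regain privilege"
    has "$m" '^[[:space:]]*runAsNonRoot:[[:space:]]*true' \
        || echo "runAsNonRoot is not set, so the image may run as uid 0"
    has "$m" '^[[:space:]]*automountServiceAccountToken:[[:space:]]*false' \
        || echo "service account token is auto-mounted, giving the workload API credentials"
    # accepts the inline form drop: ["ALL"] or a list item '- ALL'
    has "$m" 'drop:[[:space:]]*\[[[:space:]]*"?ALL|^[[:space:]]*-[[:space:]]*"?ALL"?[[:space:]]*$' \
        || echo "capabilities are not dropped (drop: [\"ALL\"] is missing)"
    return 0
}

# finding_count: number of audit findings for the manifest on stdin
finding_count() { audit_pod | wc -l; }

# Constructed manifests; the name and image are placeholders, not real workloads.
WEAK='apiVersion: v1
kind: Pod
metadata:
  name: debug-tools
spec:
  hostPID: true
  containers:
  - name: tools
    image: example.invalid/tools:latest
    securityContext:
      privileged: true'

HARDENED='apiVersion: v1
kind: Pod
metadata:
  name: debug-tools
spec:
  automountServiceAccountToken: false
  containers:
  - name: tools
    image: example.invalid/tools:1.2.3
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]'

echo "== weak manifest =="
printf '%s\n' "$WEAK" | audit_pod
echo "== hardened manifest =="
printf '%s\n' "$HARDENED" | audit_pod
```

The weak manifest is the "just make it work" pod that shows up during a migration: privileged plus hostPID is effectively root on the node, and the missing fields silently keep the Kubernetes defaults (token mounted, escalation allowed, root permitted). The hardened version changes nothing about what the container runs, only what it is allowed to reach, which is the point the article makes about least privilege surviving the move to orchestration.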

More in Tux Machines

KDE Usability & Productivity: Week 72

Week 72 in Usability & Productivity initiative is here and it’s chock-full of goodies! We continue to polish Plasma 5.16 ahead of its release in two weeks. There was one point in time when veteran KDE developer and author of the new notifications system Kai Uwe Broulik was literally committing fixes faster than I could add them to this blog post! In addition, features for Plasma 5.17 as well as many of our apps are starting to trickle in. Check it out...

Iran & Iraq Are Embracing GNU Health Project | Dr Axel Braun

In this episode of Let’s Talk, Dr Axel Braun talks about the new features and updates of the GNU Health project. He also talked about the increasing adoption of the project.

Also: The Man Behind OpenSUSE Conference – Douglas DeMaio

GNOME 3.33.2 released!

Hello GNOME developers,

GNOME 3.33.2 is now available. This is the second unstable release
leading to 3.34 stable series.

I had to disable gnome-contacts, gnome-calendar and gnome-maps because of the not-very-well coordinated evolution-data-server transition.

If you want to compile GNOME 3.33.2, you can use the official
BuildStream project snapshot.

https://download.gnome.org/teams/releng/3.33.2/gnome-3.33.2.tar.xz

The list of updated modules and changes is available here:

https://download.gnome.org/core/3.33/3.33.2/NEWS

The source packages are available here:

https://download.gnome.org/core/3.33/3.33.2/sources/

WARNING!
--------
This release is a snapshot of development code. Although it is
buildable and usable, it is primarily intended for testing and hacking
purposes. GNOME uses odd minor version numbers to indicate development
status.

For more information about 3.34, the full schedule, the official module
lists and the proposed module lists, please see our 3.33 wiki page:

https://www.gnome.org/start/unstable


Cheers,

Abderrahim Kitouni,
GNOME Release Team
Also: GNOME 3.33.2 Released As Another Step Towards The GNOME 3.34 Desktop

Security Leftovers

  • Serious Security: Don't let your SQL server attack you with ransomware [Ed: Article focuses on things like Windows and RDP. SQL Server is proprietary software that runs on a platform with NSA back doors. So if you choose it, then you choose to have no security at all, only an illusion of it. Why does the article paint Windows issues as pertaining to MySQL?]

    Tales from the honeypot: this time a MySQL-based attack. Old tricks still work, because we're still making old mistakes - here's what to do. [...] As regular readers will know, one of the popular vehicles for malware crooks at the moment is Windows RDP, short for Remote Desktop Protocol.

  • How Screwed is Intel without Hyper-Threading?

    As it stands, Microsoft is pushing out OS-level updates to address the four MDS vulnerabilities and you’ll get those with this month's Windows 10 1903 update. However, this doesn’t mitigate the problem entirely; for that we need motherboard BIOS updates, and reportedly Intel has released the new microcode to motherboard partners. However, as of writing no new BIOS revisions have been released to the public. We believe we can test a worst case scenario by disabling Hyper-Threading, and for older platforms that won’t get updated this might end up being the only solution.
  • SandboxEscape drops three more Windows 10 zero-day exploits

    SandboxEscaper also indicated that she was in the market to sell flaws to "people who hate the US", a move made in apparent response to FBI subpoenas against her Google account.

  • Huawei can’t officially use microSD cards in its phones going forward

    The SD Association is also by no means the first to cut ties: Google, ARM, Intel, Qualcomm, and Broadcom are also among the companies that have stopped working with Huawei due to the ban. The Wi-Fi Alliance (which sets Wi-Fi standards across the industry) has also “temporarily restricted” Huawei’s membership due to the US ban, and Huawei has also voluntarily left JEDEC (a semiconductor standards group best known for defining RAM specifications) over the issues with the US as well, according to a report from Nikkei Asian Review. All this could severely hamper Huawei’s ability to produce hardware at all, much less compete in the US technology market.

  • Huawei barred from SD Association: What’s that mean for its phones and microSD cards?

    As such, companies that aren’t on the SD Association’s list of members can’t officially produce and sell devices with SD card support that use the SD standards. According to SumahoInfo, the member page showed Huawei a few weeks ago, but no longer lists the firm this week.
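Added example for the Hyper-Threading/MDS item above, not code from that article: on Linux the decision the article describes for Windows (kernel update, microcode, and whether to turn off Hyper-Threading) can be read straight out of sysfs, because the kernel reports its MDS status there. The sysfs paths, the kernel's status strings and the `mds=full,nosmt` boot parameter are real; the one-word verdicts are this script's own, and the sample strings it is checked against are constructed from the documented formats.

```shell
#!/bin/sh
# Added example (not from the article). Turns the kernel's MDS status line
# into a verdict and says what to do about SMT (Hyper-Threading).
# Paths are the real sysfs locations on Linux kernels carrying the MDS fix.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# mds_verdict "<contents of $MDS_FILE>" -> one word on stdout
#   not-affected  CPU is not subject to MDS
#   mitigated     buffers are cleared and no sibling thread can sample them
#   partial       buffers are cleared, but a sibling hyperthread can still
#                 leak across the core (or a guest cannot see host SMT state)
#   vulnerable    kernel or microcode update is missing
mds_verdict() {
    case "$1" in
        "Not affected"*)                           echo not-affected ;;
        "Mitigation:"*"SMT vulnerable"*)           echo partial ;;
        "Mitigation:"*"SMT Host state unknown"*)   echo partial ;;
        "Mitigation:"*)                            echo mitigated ;;
        "Vulnerable"*)                             echo vulnerable ;;
        *)                                         echo unknown ;;
    esac
}

# smt_advice "<contents of $SMT_FILE>" -> what closes the sibling-thread gap
smt_advice() {
    case "$1" in
        on)            echo "SMT is on: 'echo off > $SMT_FILE' now, or boot with mds=full,nosmt" ;;
        off|forceoff)  echo "SMT is off: nothing more to do for the cross-thread case" ;;
        notsupported|notimplemented) echo "CPU has no SMT: nothing to disable" ;;
        *)             echo "unrecognised SMT state: $1" ;;
    esac
}

# Live check when run on a Linux box; skipped elsewhere.
if [ -r "$MDS_FILE" ]; then
    mds=$(cat "$MDS_FILE")
    echo "mds: $mds -> $(mds_verdict "$mds")"
    if [ -r "$SMT_FILE" ]; then
        smt_advice "$(cat "$SMT_FILE")"
    fi
else
    echo "no $MDS_FILE here (not Linux, or a kernel without the MDS patches)"
fi
```

The "partial" case is the one the article is wrestling with: once the kernel clears CPU buffers on the way back to user space, what remains is the sibling thread on the same core, and the only things that close that are turning SMT off or accepting the risk. Writing `off` to the smt control file takes effect immediately but does not survive a reboot; `mds=full,nosmt` on the kernel command line does.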