Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Technology That Could End Humanity—and How to Stop It

    WIRED: What is the vulnerable world hypothesis?

    Nick Bostrom: It's the idea that we could picture the history of human creativity as the process of extracting balls from a giant urn. These balls represent different ideas, technologies, and methods that we have discovered throughout history. By now we have extracted a great many of these and for the most part they have been beneficial. They are white balls. Some have been mixed blessings, gray balls of various shades. But what we haven't seen is a black ball, some technology that by default devastates the civilization that discovers it. The vulnerable world hypothesis is that there is some black ball in the urn, that there is some level of technology at which civilization gets decimated by default.

  • Huawei banned from using US components without approval

    The US has placed Chinese telecommunications equipment vendor Huawei Technologies and some 70 of its affiliates on a list that means it will have to obtain government approval in order to buy American-made components.

  • Trump declares national emergency over IT threats

    He signed an executive order which effectively bars US companies from using foreign telecoms believed to pose national security risks.

  • Huawei offers 'no-spy' contracts and promises to 'shutdown' if China forces backdoors

    Despite emphatic denials from the Chinese tech giant, there are still significant suspicions around the world about how close Huawei is to the Chinese government and whether, if expected to, it would plant back doors in its equipment to allow remote access.

  • The radio navigation planes use to land safely is insecure and can be [cracked]

    Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course. Normal training will call for the pilot to adjust the plane’s descent rate or alignment accordingly and create a potential accident as a result.

  • Why I've started using NoScript

    For one, NoScript's user interface has become much better: Now, if a page isn't working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less. You can set it to automatically whitelist domains you directly visit (thereby only blocking third-party scripts).

    A more pressing change is that I'm now much less comfortable letting arbitrary third parties run code on my computer. I used to believe that my browser was fundamentally capable of keeping me safe from the scripts that it ran. Sure, tracking cookies and other tricks allowed web sites to correlate data about me, but I thought that my browser could, at least in principle, prevent scripts from reading arbitrary data on my computer. With the advent of CPU-architecture-based side channel attacks (Meltdown and Spectre are the most publicized, but it seems like new ones come out every month or so), this belief now seems quite naïve.

  • It’s Almost Impossible to Tell if Your iPhone Has Been [Cracked]

    “The simple reality is there are so many 0-day exploits for iOS,” Stefan Esser, a security researcher that specializes in iOS, wrote on Twitter. “And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.”

  • Google recalls its Bluetooth Titan Security Keys because of a security bug

    To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

    Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

  • Google offers free 2FA Bluetooth Titan Security Key swaps after security flaw discovered

    Make that most people. In a post on its security blog, Google divulged Wednesday that it has discovered a “misconfiguration” with the Bluetooth Low Energy version of its Titan Security Key that could allow a nearby attacker to “communicate with your security key, or communicate with the device to which your key is paired.”

  • Kubernetes security: 5 mistakes to avoid

    Modern applications and infrastructure no doubt require modern security practices, but the fundamentals still apply.

    “The majority of data breaches are easily preventable with basic cybersecurity hygiene,” says Tim Buntel, VP of application security at Threat Stack.

    That should be received as good news: Fundamental issues such as access and privilege remain fundamental, even as containers, microservices, orchestration, and other evolutionary developments continue to shake up IT. In fact, one of the biggest out-of-the-gate risks that can occur as organizations adopt new technologies is that they develop amnesia around best practices like enforcing the principle of least privilege.

    Consider the rise of Kubernetes in the enterprise: Like any tool or technology, it comes with security considerations. That’s not because Kubernetes is inherently risky or insecure – far from it. Rather, many of the risks occur because teams get caught up in the power and popularity of Kubernetes without properly considering what it will take to effectively run it in production, says Matt Wilson, chief information security advisor at BTB Security.

  • How to protect your devices against the ZombieLoad attack
