
Security Leftovers

Filed under
Security
  • Microsoft Warns about Worm Attacking Exim Servers on Azure [Ed: Microsoft should also warn "customers" of Windows back doors for the NSA, but it does not (this one was patched ages ago; the Microsoft back doors aren't). Shouldn't Microsoft ask its proxies and partners, as usual, to come up with buzzwords and logos and Web sites for bugs in FOSS, then talk about how FOSS is the end of the world?]
  • The Highly Dangerous 'Triton' [Attackers] Have Probed the US Grid [Ed: It's Windows]

    Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated [attackers] carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these [attackers], known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."

  • A Researcher Found a Bunch of Voting Machine Passwords Online

    A little more than a week ago, the Department of Homeland Security confirmed that it was going to forensically analyze computer equipment associated with part of the 2016 elections in North Carolina in association with questions about Russian hacking. The news prompted an information security researcher to announce that he’d found evidence of other election security issues in North Carolina last fall, which he’d kept quiet until now.

    Chris Vickery, the director of cyber-risk research at UpGuard, a cybersecurity services firm, tweeted June 7 that he had found an unlocked online repository that contained what he said were passwords for touchscreen voting machines. The repository, he said, also contained other information, including serial numbers for machines that had modems, which theoretically could have allowed them to connect to the internet.

    Vickery said that after he found the open repository in September 2018, he immediately told state officials, who locked the file. State officials have told Mother Jones that the passwords were nearly 10 years old and encrypted—a claim disputed by Vickery and a Democratic technology consultant in North Carolina—but admitted that the file shouldn’t have been publicly available online.

  • TPM now stands for Tiny Platform Module: TCG shrinks crypto chip to secure all the Things [Ed: Misusing the word "trust" to obliterate computer freedom and general-purpose computing]

    The Trusted Computing Group (TCG), a nonprofit developing hardware-based cybersecurity tools, has started work on the "world's tiniest" Trusted Platform Module (TPM).

    TPMs are silicon gizmos designed to protect devices by verifying the integrity of essential software – like firmware and BIOS – and making sure no dodgy code has been injected into the system prior to boot.

    These are widely used to protect servers. Now TCG wants to adopt the technology for devices that are so small that the inclusion of a full TPM chip might be impractical due to cost, space and power considerations.

    The first tiny TPM prototype, codenamed Radicle, was demonstrated last week at a TCG members' meeting in Warsaw, Poland.

    [...]

    We have to mention that for years, TCG and its TPMs were criticised by the open-source software community, which suspected the tech could be used for vendor lock-in – GNU father Richard Stallman called trusted computing "treacherous computing", but it looks like his worst fears have not come to pass.

    That doesn't mean TPMs haven't seen their share of dark days: back in 2017, it emerged that security chips made by Infineon contained a serious flaw, with experts estimating that 25 to 30 per cent of all TPMs used globally were open to attack.

  • What Is a Buffer Overflow

    A buffer overflow vulnerability occurs when you give a program too much data. The excess data corrupts nearby space in memory and may alter other data. As a result, the program might report an error or behave differently. Such vulnerabilities are also called a buffer overrun.

    Some programming languages are more susceptible to buffer overflow issues, such as C and C++. This is because these are low-level languages that rely on the developer to allocate memory. Most common languages used on the web such as PHP, Java, JavaScript or Python, are much less prone to buffer overflow exploits because they manage memory allocation on behalf of the developer. However, they are not completely safe: some of them allow direct memory manipulation and they often use core functions that are written in C/C++.
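    An added example, not from the article quoted above, showing in C what "corrupts nearby space in memory" means and what the missing bounds check looks like beside its fix. The struct, the field names and the attacker payload are invented for the demonstration; the buffer and the data it overruns are kept inside one struct so the effect is reproducible rather than dependent on stack layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original article). A fixed-size buffer sits
 * directly in front of a security-relevant field inside one struct, the way
 * adjacent stack locals or struct members are laid out in practice. Keeping
 * both inside a single object makes the overflow reproducible without relying
 * on undefined behaviour outside the allocation. Names are invented. */

#define NAME_LEN 8

struct record {
    char name[NAME_LEN];   /* filled from untrusted input */
    uint32_t is_admin;     /* adjacent data an attacker must not control */
};

/* Vulnerable: copies as many bytes as the caller supplies without checking
 * them against sizeof r->name. Input longer than NAME_LEN runs past the
 * buffer into is_admin. Returns the resulting is_admin so the effect can be
 * observed. (For the demo, len must stay <= sizeof *r so the write remains
 * inside the object.) */
uint32_t set_name_unchecked(struct record *r, const char *input, size_t len)
{
    unsigned char *base = (unsigned char *)r;                  /* byte view of the object */
    memcpy(base + offsetof(struct record, name), input, len);  /* no bounds check */
    return r->is_admin;
}

/* Hardened: rejects input that does not fit (leaving room for the NUL) and
 * always terminates the string. Returns 0 on success, -1 on rejection; on
 * rejection nothing in *r is modified. */
int set_name_checked(struct record *r, const char *input, size_t len)
{
    if (len >= sizeof r->name)
        return -1;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return 0;
}

/* Feeds the same constructed payload to both versions: 8 bytes fill the
 * buffer, 4 more land on is_admin. Returns 1 if the unchecked copy changed
 * is_admin while the checked copy refused the input and left it at 0. */
int demo_overflow(void)
{
    static const char payload[] = "AAAAAAAA\x01\x01\x01\x01";  /* constructed attacker input */
    size_t payload_len = sizeof payload - 1;                    /* 12 bytes, NUL excluded */

    struct record a = { {0}, 0 };
    struct record b = { {0}, 0 };

    uint32_t admin_after = set_name_unchecked(&a, payload, payload_len);
    int rc = set_name_checked(&b, payload, payload_len);

    printf("unchecked copy: is_admin = 0x%08x\n", (unsigned)admin_after);
    printf("checked copy:   rc = %d, is_admin = 0x%08x\n", rc, (unsigned)b.is_admin);

    return admin_after != 0 && rc == -1 && b.is_admin == 0;
}

int main(void)
{
    return demo_overflow() ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall` and run it: the unchecked copy reports a non-zero `is_admin` even though the program never assigned it. In a real program the "nearby space" is whatever the compiler placed after the buffer (other locals, saved registers, a return address), which is what makes the bug exploitable rather than merely wrong. Note that this intra-object layout is also why AddressSanitizer does not flag the write: it only checks the bounds of the whole allocation, so the fix has to be the length check, not a sanitizer.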

  • Any iPhone can be hacked

    Apple’s so-called secure iPhones can be turned over by US coppers using a service promoted by an Israeli security contractor.

    Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3.

    Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9 but no-one ever called them secure and safe.

    What is unusual is that Cellebrite is making broad claims about turning over Apple gear. This is not a cat-and-mouse claim where they exploit a tiny flaw which one day might be fixed. It would appear that Cellebrite has its paw on a real howler.

  • Cellebrite Claims It Can Unlock ‘Any’ iPhone And iPad, 1.4 Billion Apple Devices Hackable

    Israel-based Cellebrite has announced a new version of its system Universal Forensic Extraction Device (UFED) — UFED Premium — which is capable of unlocking any iPhone, iPad, or high-end Android device.

    The forensics company has suggested that UFED Premium is meant to help the police in unlocking iPhones and Android smartphones and getting data from locked smartphones.

  • Web-based DNA sequencers getting compromised through old, unpatched flaw

    DnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests.

    These tools use browsers to access a UNIX-based web server on the local network, which is responsible for managing all aspects of DNA sequencing.

    A simple Google search shows that dnaLIMS is used by a number of scientific, academic and medical institutions.

  • Generate Cryptographically Secure RANDOM PASSWORD
  • DMARC, mailing list, yahoo and gmail

    Gmail was blocking one person’s email via our list (he sent it using Yahoo and from his iPhone client), and that put more than 1700 gmail users on our list in the nomail block unless they checked for mailman’s email and clicked to re-enable their membership.

    I panicked for a couple of minutes and then started manually clicking on the mailman2 UI for each user to unblock them. However, that was too many clicks. Suddenly I remembered the suggestion from Saptak about using JavaScript to do this kind of work. Even though I tried to learn JavaScript 4 times and failed happily, I thought a bit of searching on Duckduckgo and search/replace within example code could help me out.

  • Tired of #$%& passwords? Single Sign-on could be savior

    So how is single sign-on more secure, if Facebook is in charge? It's not, say security experts. "They’ve shown they can’t be trusted with our information," says Rudis.

  • Are SSO Buttons Like “Sign-in With Apple” Better Than Passwords?

    Apple recently announced a new product that could prevent users from giving away their email ID to every other site on the internet. It’s expected to launch sometime later in 2019.

    Called “Sign-in with Apple,” it is similar to other Single Sign-on services provided by Google and Facebook. The button lets you log in to websites without creating a new user account every time.

  • App Makers Are Mixed on ‘Sign In With Apple’

    But other app makers have mixed feelings on what Apple has proposed. I spoke to a variety of developers who make apps for iOS and Android, one of whom asked to remain anonymous because they aren’t authorized to speak on behalf of their employer. Some are skeptical that Sign In with Apple will offer a solution dramatically different from what’s already available through Facebook or Google. Apple’s infamous opacity around new products means the app makers don’t have many answers yet as to how Apple’s sign in mechanism is going to impact their apps. And one app maker went as far as referring to Apple’s demand that its sign-in system be offered if any other sign-in systems are shown as “petty.”

  • Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

    “This case was not an exception,” he wrote.

    The Hong Kong police made their own move to limit digital communications. On Tuesday night, as demonstrators gathered near Hong Kong’s legislative building, the authorities arrested the administrator of a Telegram chat group with 20,000 members, even though he was at his home miles from the protest site.

  • Security News This Week: Telegram Says China Is Behind DDoS

    As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China. “Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” he added. As Reuters notes, Telegram was DDoSed during protests in China in 2015, as well. Hong Kong does not face the strict [Internet] censorship that exists in mainland China, although activists have expressed concern about increased pressure from Beijing on the region.

  • Nextcloud signs public letter, opposing German plan to force decryption of chat
