Language Selection

English French German Italian Portuguese Spanish

Proprietary Software and Security Failures

Filed under
Security
  • Apple has pushed a silent Mac update to remove hidden Zoom web server

    Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

    The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

  • Microsoft denies it will move production out of China

    Nikkei had also previously reported in June that Apple is similarly considering moving between 15% and 30% of all iPhone production out of China and has asked its major suppliers to weigh up the costs.

  • Microsoft's reseller chief explains why it's angering some of its partners by taking away a key perk: 'We can't afford to run every single partner's organization for free anymore'

    Gavriella Schuster, corporate vice president and One Commercial Partner channel chief at Microsoft, says that while it cost the company practically nothing to provide partners with traditional software, it would be a significant expense for the company to provide cloud services like Office 365 for free.

  • KRP: At least 1,000 devices compromised in data breach in Lahti

    KRP on Tuesday revealed that its pre-trial investigation shows that the unauthorised access detected in the city’s data systems earlier this summer was an organised attack rather than an error by an individual user.

    The attacker or attackers managed to cause damage by actively spreading a malware, compromising at least a thousand devices.

  • GnuPG 2.2.17 released to mitigate attacks on keyservers

    gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [#4607]

  • Security updates for Thursday

    Security updates have been issued by Debian (dosbox and openjpeg2), Oracle (dbus and kernel), Scientific Linux (dbus), Slackware (mozilla), and SUSE (fence-agents, libqb, postgresql10, and sqlite3).

  • What Is Zero Trust Architecture?

    Zero Trust architecture might be popular now, but that doesn’t necessarily mean it’s for you. If you find your needs are met by your current security, you may not want to switch. That said, keep in mind that waiting until you have a security breach isn’t an ideal way to evaluate your security.

  • OpenPGP certificate flooding

    A problem with the way that OpenPGP public-key certificates are handled by key servers and applications is wreaking some havoc, but not just for those who own the certificates (and keys)—anyone who has those keys on their keyring and does regular updates will be affected. It is effectively a denial of service attack, but one that propagates differently than most others. The mechanism of this "certificate flooding" is one that is normally used to add attestations to the key owner's identity (also known as "signing the key"), but because of the way most key servers work, it can be used to fill a certificate with "spam"—with far-reaching effects.

    The problems have been known for many years, but they were graphically illustrated by attacks on the keys of two well-known members of the OpenPGP community, Daniel Kahn Gillmor ("dkg") and Robert J. Hansen ("rjh"), in late June. Gillmor first reported the attack on his blog. It turned out that someone had added multiple bogus certifications (or attestations) to his public key in the SKS key server pool; an additional 55,000 certifications were added, bloating his key to 17MB in size. Hansen's key got spammed even worse, with nearly 150,000 certifications—the maximum number that the OpenPGP protocol will support.

    The idea behind these certifications is to support the "web of trust". If user Alice believes that a particular key for user Bob is valid (because, for example, they sat down over beers and verified that), Alice can so attest by adding a certification to Bob's key. Now if other users who trust Alice come across Bob's key, they can be reasonably sure that the key is Bob's because Alice (cryptographically) said so. That is the essence of the web of trust, though in practice, it is often not really used to do that kind of verification outside of highly technical communities. In addition, anyone can add a certification, whether they know the identity of the key holder or not.

  • FinSpy Malware ‘Returns’ To Steal Data On Both Android And iOS

    As per the researchers, the spyware was again active in 2018 and the latest activity was spotted in Myanmar in June 2019. These implants are capable of collecting personal information such as SMS, Emails, Calendars, Device Locations, Multimedia and even messages from some popular social media apps.

    If you are an iOS user, then the implant is only observed to work on jailbroken devices. If an iOS device is already jailbroken then this spyware can be remotely installed via different mediums like messaging, email, etc. However, the implants have not been observed on the latest version of iOS.

  • New FinSpy iOS and Android implants revealed ITW

    FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.

More in Tux Machines

How to Create Persistent Fedora LIVE USB From Ubuntu

This quick tutorial explains how to create persistent LIVE USB using Fedora Operating system in Ubuntu. Read more

Android Leftovers

Python Programming Leftovers

  • How to Read SAS Files in Python with Pandas

    In this post, we are going to learn how to read SAS (.sas7dbat) files in Python. As previously described (in the read .sav files in Python post) Python is a general-purpose language that also can be used for doing data analysis and data visualization.

  • Daudin – a Python shell

    A few nights ago I wrote daudin, a command-line shell based on Python. It allows you to easily mix UNIX and Python on the command line.

  • How to Convert Python String to Int and Back to String

    This tutorial describes various ways to convert Python string to int and from an integer to string. You may often need to perform such operations in day to day programming. Hence, you should know them to write better programs. Also, an integer can be represented in different bases, so we’ll explain that too in this post. And there happen to be scenarios where conversion fails. Hence, you should consider such cases as well and can find a full reference given here with examples.

  • Thousands of Scientific Papers May be Invalid Due to Misunderstanding Python

    It was recently discovered that several thousand scientific articles could be invalid in their conclusions because scientists did not understand that Python’s glob.glob() does not return sorted results. This is being reported on by Vice, Slashdot and there’s an interesting discussion going on over on Reddit as well.

Audiocasts/Shows/Screencasts: Open Source Security Podcast, Linux Action News and Manjaro 19.09.28 KDE-DEV Run Through

  • Open Source Security Podcast: Episode 165 - Grab Bag of Microsoft Security News

    Josh and Kurt about a number of Microsoft security news items. They've changed how they are handling encrypted disks and are now forcing cloud logins on Windows users.

  • Linux Action News 127

    Richard Stallman's GNU leadership is challenged by an influential group of maintainers, SUSE drops OpenStack "for the customer," and Google claims Stadia will be faster than a gaming PC. Plus OpenLibra aims to save us from Facebook but already has a miss, lousy news for Telegram, and enormous changes for AMP.

  • GNU World Order 13x42

    On the road during the **All Things Open** conference, Klaatu talks about how to make ebooks from various sources, with custom CSS, using the Pandoc command.

  • Manjaro 19.09.28 KDE-DEV Run Through

    In this video, we are looking at Manjaro 19.09.28 KDE-DEV.