Security: RDP, Avast, GNU Privacy Guard (GPG or GnuPG) and New FUD

Filed under: Security
  • [Attackers] Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers

    This use of RDP is essentially what SIM swappers are now doing. But instead of targeting consumers, they're tricking telecom employees to install or activate RDP software, and then remotely reaching into the company's systems to SIM swap individuals.

    The process starts with convincing an employee in a telecom company's customer support center to run or install RDP software. The active SIM swapper said they provide an employee with something akin to an employee ID, "and they believe it." [Attackers] may also convince employees to provide credentials to an RDP service if they already use it.

    Once RDP is enabled, "They RDP into the store or call center [computer] [...] and mess around on the employees' computers including using tools," said Nicholas Ceraolo, an independent security researcher who first flagged the issue to Motherboard. Motherboard then verified Ceraolo's findings with the active SIM swapper.

  • Wladimir Palant: Pwning Avast Secure Browser for fun and profit

    Avast took an interesting approach when integrating their antivirus product with web browsers. Users are often hard to convince that Avast browser extensions are good for them and should be activated in their browser of choice. So Avast decided to bring out their own browser with the humble name Avast Secure Browser. Their products send a clear message: ditch your current browser and use Avast Secure Browser (or AVG Secure Browser as AVG users know it) which is better in all respects.

    Avast Secure Browser is based on Chromium and its most noticeable difference is the numerous built-in browser extensions, usually not even visible in the list of installed extensions (meaning that they cannot be disabled by regular means). Avast Secure Browser has eleven custom extensions, AVG Secure Browser has eight. Now putting eleven extensions of questionable quality into your “secure” browser might not be the best idea. Today we’ll look at the remarkable Video Downloader extension which essentially allowed any website to take over the browser completely (CVE-2019-18893). An additional vulnerability then allowed it to take over your system as well (CVE-2019-18894). The first issue was resolved in Video Downloader 1.5, released at some point in October 2019. The second issue remains unresolved at the time of writing. Update (2020-01-13): Avast notified me that the second issue has been resolved in an update yesterday; I can confirm the application version not being vulnerable any more after an update.

  • Powerful GPG collision attack spells the end for SHA-1

    New research has heightened an already urgent call to abandon SHA-1, a cryptographic algorithm still used in many popular online services.

    In a paper called SHA-1 is a Shambles, researchers Gaëtan Leurent and Thomas Peyrin have demonstrated a new, powerful attack on the system that could enable attackers to fake digital certificates for as little as $45,000.

    Leurent, from INRIA in France, and Peyrin, from the Nanyang Technological University in Singapore, demonstrated their attack by creating a fake digital certificate using the GNU Privacy Guard (GPG or GnuPG) system.

    Published in 1995, SHA-1 is a hashing function that creates a digital fingerprint calculated from a block of data such as a file.

  • The open source licence debate: comprehension consternations & stipulation frustrations

    “Fundamentally, it boils down to open source software licencing being generally hard to [comprehend and] understand. Most devs start these projects as a passion project and just publish it with some basic license they might live to regret later when they consider their options. Fundamentally, this is another avenue for them to gain funding, but would imagine there are limits to the scalability of what can be achieved,” added Turunen.

More in Tux Machines

Python Programming Leftovers

  • The tiniest of Python templating engines

    In someone else's project (which they'll doubtless tell you about themselves when it's done) I needed a tiny Python templating engine. That is: I wanted to be able to say, here is a template string, please substitute a bunch of variables into it. Now, Python already does this, in about thirty different ways, and str.format or string.Template do most of it as built-in.

  • How to set a variable in Django template
  • Why ASGI is Replacing WSGI in Django

    When I first learnt about how to deploy my Django website, I took the easy route, which was deploying it on Heroku. There are literally tons of tutorials on how the process of deploying it works. Heck, there was even a book about the benefits of deploying Django using Heroku. Soon in my own work, I needed to deploy my own Django project. It was working well for a bundled development-grade web server. I thought to myself, why not find a better way on a production-grade web server, instead of just a miserable default web server that is not production-grade? My journey in searching on deploying Django started for me. And if you look at multiple tutorial references, they still suggest the use of Heroku or Digital Ocean.

  • Weekly Python StackOverflow Report: (ccxi) stackoverflow python report
  • Understand predicate pushdown on row group level in Parquet with pyarrow and python

    We are using the NY Taxi Dataset throughout this blog post because it is a real world dataset, has a reasonable size and some nice properties like different datatypes and includes some messy data (like all real world data engineering problems).

Android Leftovers

MNT Reform 2 Open Source DIY Arm Linux Modular Laptop Coming Soon (Crowdfunding)

We first covered MNT Reform in fall of 2017, when it was a prototype for a DIY and modular laptop powered by an NXP i.MX 6QuadPlus processor, and with plans to eventually use an i.MX 8 hexa-core processor. Last year they designed several beta units of Reform to get feedback from a dozen users, and have now fully redesigned the laptop based on an NXP i.MX 8M system-on-module, with the crowdfunding campaign expected to go live in February on Crowd Supply. The goals of the project are to provide an open-source hardware laptop that avoids binary blobs as much as possible and is environmentally friendly. These goals guided many of the technical decisions. For example, there are many NXP i.MX 8M SoMs, but MNT selected Nitrogen8M as the schematics are available after registration on the Boundary Devices website, and that means people wanting to create their own module compatible with Reform 2 could do so.

today's leftovers and howtos

  • [Ubuntu] Design and Web team summary – 17 January 2020

    The second iteration of this year is the last one before our mid-cycle sprint next week. Here’s a short summary of the work the squads in the Web & Design team completed in the last 2-week iteration.

  • 5 key steps to take your IoT device to market

    IoT businesses are notoriously difficult to get off the ground. No matter how good your product is or how good your team is, some of the biggest problems you will face are just in getting to market and maintaining your devices once they’re in the field. The webinar will take a look at how Canonical’s Brand Store product allows you to get to market while catering for long term problems and the need to keep your product up to date in the future. More specifically, this webinar will look at the common problems we see organisations facing on their way to getting an IoT device to market, and cover five key steps to solve these problems. Along the way we will dig a little into several case studies Canonical has done with various customers and partners to show you what has already been achieved with these solutions.

  • Fake cases — make sure yours is the real deal

    We’ve had some reports of people finding cases that pretend to be official Raspberry Pi products online — these are fakes, they’re violating our trademark, they’re not made very well, and they’re costing you and us money that would otherwise go to fund the Raspberry Pi Foundation’s charitable work. (Reminder, for those who are new to this stuff: we’re a not-for-profit, which means that every penny we make goes to support our work in education, and that none of us gets to own a yacht.)

  • Let’s Talk With Neal Gompa of Fedora @ openSUSE Conference

    In this episode of Let’s Talk, we sat down with Neal Gompa of the Fedora community at openSUSE Conference

  • FOSSCOMM 2019 aftermath

    FOSSCOMM (Free and Open Source Software Communities Meeting) is a Greek conference aiming at free-software and open-source enthusiasts, developers, and communities. This year it was held at Lamia from October 11 to October 13. It is a tradition for me to attend this conference. Usually, I have presentations and, of course, booths to inform the attendees about the projects I represent. This year the structure of the conference was kind of different. Usually, the conference starts on Friday with a "beer event". Now it started with registration and a presentation. Personally, I made my plan to leave Thessaloniki by bus. It took me about 4 hours on the road. So when I arrived, I went to my hotel and then waited for Pantelis to go to the University and set up our booths.

  • Fugue open sources Regula to evaluate Terraform for security misconfigurations and compliance violations

    Regula rules are written in Rego, the open source policy language employed by the Open Policy Agent project and can be integrated into CI/CD pipelines to prevent cloud infrastructure deployments that may violate security and compliance best practices. “Developers design, build, and modify their own cloud infrastructure environments, and they increasingly own the security and compliance of that infrastructure,” said Josh Stella, co-founder and CTO of Fugue. “Fugue builds solutions that empower engineers operating in secure and regulated cloud environments, and Regula quickly and easily checks that their Terraform scripts don’t violate policy—before they deploy infrastructure.”

  • Finance goes agile as open source checks the security box

    “At Northwestern Mutual, we’ve finally gotten past that curve,” said Sean Corkum (pictured, right), senior engineer at Northwestern Mutual. “Now we’re trying to make it even easier for our internal developers to participate in open source … and contribute more to the community.”

  • Top NLP Open Source Projects For Developers In 2020
  • Kiwi TCMS: Project roadmap 2020

    Hello testers, the Kiwi TCMS team sat down together last week and talked about what we feel is important for us during the upcoming year. This blog post outlines our roadmap for 2020!

  • Shift on Stack: api_port failure
  • How To Git Commit With Message