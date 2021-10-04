Security Leftovers
Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks | CISA
In light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential cyberattacks. CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat actors, including nation-states and their proxies.
Gumtree – leaking your data and not really listening | Pen Test Partners
Gumtree claims to take user security and privacy seriously. They hide your surname and use an internal messaging system to allow buyer/seller communication without revealing users' email addresses. It's a huge site that until recently was owned by eBay, so they must be pretty secure... right?
Security updates for Wednesday [LWN.net]
Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland).
NSO Group’s Pegasus spyware: how we got here and what now
Earlier this month, the news broke that an unknown assailant used NSO Group’s Pegasus spyware tool to target the phones of nine U.S. State Department employees. This breach is only the latest in a series of revelations on hacks into the personal devices of journalists, human rights defenders, lawyers, and high-level government officials across the world. The spyware firm’s tools have enabled authoritarian regimes and other bad actors to strip away their victims’ privacy and violate their rights, with few restraints, while the company profits.
To evade accountability, NSO has long claimed to have control of who uses its spyware, meanwhile arguing that it doesn’t have insight into what clients do with it. But now, after years of research, reporting, and global activism, as well as the brave efforts of victims coming forward, we are securing tangible victories in the fight against NSO and spyware worldwide. Like other countries, the U.S. is finally stepping up to curb use of NSO’s technology that violates human rights.
Mozilla Security Blog: Preventing secrets from leaking through Clipboard
For decades users have been pressing Ctrl+C or relying on copy buttons. All these tricks and shortcuts to speed up text processing have become natural and intuitive to us. We do not pay attention to what is happening to copied information besides the fact that we can paste it. It's safe to assume that most of us consider the clipboard as temporary data sharing. Once you copy something, the previous data in the clipboard will be overwritten. People rely on this assumption when they copy sensitive information such as passwords.
Starting with Firefox 94 and ESR 91.3, your browser keeps the temporary and local promise of the clipboard in certain places where users expect privacy, and will not share that data with either Clipboard History or Cloud Clipboard. This protects users when they copy passwords and usernames from the Passwords page, and will protect everything people copy to the clipboard from a Private Browsing window.
xorg-server 21.1.2
This release fixes 4 recently reported security vulnerabilities and several regressions. In particular, the real physical dimensions are no longer reported by the X server, as it was deemed to be a too disruptive change. X server will continue to report DPI as 96. Below is a list of changes since 21.1.1:

Dave Airlie (1):
  dri2: add crocus to the list of va_gl users

Jocelyn Falempe (2):
  xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
  xf86/logind: Fix drm_drop_master before vt_reldisp

Jonathan Gray (1):
  glamor: fix free of uninitialised pointers

Matt Turner (1):
  test: #undef NDEBUG so assert is not compiled away

Matthieu Herrb (1):
  remove the PRE_RELEASE message.

Peter Hutterer (1):
  xkb: fix XkbSetMap check for the keytypes count

Povilas Kanapickas (7):
  Revert "hw/xfree86: Propagate physical dimensions from DRM connector"
  meson: Correctly set DDXOSVERRORF and DDXBEFORERESET on xwin
  record: Fix out of bounds access in SwapCreateRegister()
  xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()
  Xext: Fix out of bounds access in SProcScreenSaverSuspend()
  render: Fix out of bounds access in SProcRenderCompositeGlyphs()
  xserver 21.1.2

Sam James (1):
  hw/xfree86: fix sbus build for SPARC

nerdopolis (1):
  xfree86: On Linux, while only seat0 can have TTYs, don't assume all seat0s have TTYs

git tag: xorg-server-21.1.2

Also: X.Org Server 21.1.2 Released With Security Fixes, Back To Pretending All Displays Are 96 DPI
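Three of the four "out of bounds access" fixes above sit in the SProc* entry points, the handlers the X server uses for clients whose byte order differs from its own: they swap a length or count field and then walk the variable-length part of the request. The C program below is an added illustration of that bug class and of the check that stops it; it is not xorg-server code. The request layout (an X-style 4-byte header with a length in 4-byte units, followed by elements that each declare a count of 16-bit items), the function names and the sample requests are all constructed for this example.

```c
/* Added example (not xorg-server source): bounds-checked walk over a
 * length-prefixed X-style request with variable-length elements, beside
 * the unchecked offset computation that an SProc-style handler must avoid.
 * Layout, names and sample data are assumptions made for the example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {            /* 4-byte request header, as in the X protocol */
    uint8_t  reqType;
    uint8_t  subType;
    uint16_t length;        /* whole request length in 4-byte units, client byte order */
} xReqHeader;

typedef struct {            /* hypothetical element header: count of 16-bit items */
    uint8_t  count;
    uint8_t  pad[3];        /* items follow, padded to a 4-byte boundary */
} xElt;

static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Hardened walk. Returns the number of elements, or -1 (BadLength) when the
 * header claims more than was received or any element would run past the
 * request. swapped != 0 is the SProc path: items are byte-swapped in place. */
int walk_elements(uint8_t *buf, size_t buflen, int swapped)
{
    xReqHeader hdr;
    if (buflen < sizeof hdr) return -1;                    /* truncated header */
    memcpy(&hdr, buf, sizeof hdr);
    uint16_t units = swapped ? bswap16(hdr.length) : hdr.length;
    size_t req_bytes = (size_t)units * 4;
    if (req_bytes < sizeof hdr || req_bytes > buflen) return -1;   /* header overclaims */

    size_t off = sizeof hdr;
    int n = 0;
    while (off < req_bytes) {
        if (req_bytes - off < sizeof(xElt)) return -1;     /* truncated element header */
        size_t items = buf[off];
        size_t elt_bytes = sizeof(xElt) + ((items * 2 + 3) & ~(size_t)3);
        if (elt_bytes > req_bytes - off) return -1;        /* element overruns request */
        if (swapped) {
            uint8_t *item = buf + off + sizeof(xElt);
            for (size_t i = 0; i < items; i++, item += 2) {
                uint8_t t = item[0]; item[0] = item[1]; item[1] = t;
            }
        }
        off += elt_bytes;
        n++;
    }
    return n;
}

/* The unchecked computation: trusts the first element's count outright.
 * On a crafted request the returned offset lies far beyond the buffer. */
size_t naive_first_element_end(const uint8_t *buf)
{
    size_t items = buf[sizeof(xReqHeader)];
    return sizeof(xReqHeader) + sizeof(xElt) + ((items * 2 + 3) & ~(size_t)3);
}

/* Constructed sample: two elements (2 items, then 1 item), 20 bytes = 5 units. */
static size_t build_sample(uint8_t *out, uint16_t units, int swapped)
{
    static const uint8_t body[] = {
        2, 0, 0, 0, 0x01, 0x02, 0x03, 0x04,   /* element 1: count 2 */
        1, 0, 0, 0, 0x05, 0x06, 0x00, 0x00,   /* element 2: count 1 + pad */
    };
    xReqHeader hdr;
    hdr.reqType = 0x8e; hdr.subType = 0;
    hdr.length = swapped ? bswap16(units) : units;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, body, sizeof body);
    return sizeof hdr + sizeof body;
}

int demo_valid(void)          { uint8_t b[32]; size_t n = build_sample(b, 5, 0); return walk_elements(b, n, 0); }
int demo_overclaim(void)      { uint8_t b[32]; size_t n = build_sample(b, 6, 0); return walk_elements(b, n, 0); }
int demo_truncated(void)      { uint8_t b[32]; build_sample(b, 5, 0); return walk_elements(b, 2, 0); }
int demo_element_overrun(void){ uint8_t b[32]; size_t n = build_sample(b, 5, 0); b[4] = 200; return walk_elements(b, n, 0); }
size_t demo_naive_end(void)   { uint8_t b[32]; build_sample(b, 5, 0); b[4] = 200; return naive_first_element_end(b); }
/* Swapped client: walk succeeds and the first item's bytes are exchanged. */
int demo_swapped_items(void)
{
    uint8_t b[32]; size_t n = build_sample(b, 5, 1);
    int r = walk_elements(b, n, 1);
    return (r == 2 && b[8] == 0x02 && b[9] == 0x01) ? 1 : 0;
}

int main(void)
{
    printf("valid=%d overclaim=%d truncated=%d overrun=%d naive_end=%zu (buffer is 20 bytes)\n",
           demo_valid(), demo_overclaim(), demo_truncated(), demo_element_overrun(), demo_naive_end());
    return 0;
}
```

The two checks that matter are the comparison of the header's declared length against the bytes actually received, and the per-element comparison against the remaining request bytes before any item is touched; the naive offset computation shows how a single trusted count byte moves the read hundreds of bytes past a 20-byte request.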
Kodachi is the operating system for those who value privacy but don't want to learn Linux
Do you veer toward the over-cautious when it comes to your privacy? Do you loathe the idea that you're being tracked by third-party cookies, and standard browsers and operating systems aren't capable of doing enough to keep you safe? At the same time, are you too busy to learn a new operating system? If that sounds like you, there's an operating system, created by a single developer (although it's based on Ubuntu), that goes out of its way to be the exact OS for such a use case. The platform in question is Kodachi Linux, and it has your back. [...] A quick test (using whatsmyip.com) and the Dashboard information was spot on. What's even better is that I didn't notice the slightest slowdown in network traffic. So, if you're concerned the cost of this level of privacy is speed, fret not. And because Kodachi leaves absolutely no trace, you can be certain nothing will be able to track you (even on a command-line level). The desktop in use is Xfce and is configured such that it includes a left edge panel and a bottom centered dock. With this setup, anyone should be right at home with the interface. The only trick might be how the dock launchers are arranged in folders. However, all one has to do is hover the cursor over one of the folders to reveal what it contains (Figure C).
$399 PinePhone Pro Explorer Edition Linux Smartphone will go on sale within weeks
The PinePhone Pro began shipping to developers earlier this month. And soon it’ll be available for anyone to purchase. Pine64 has announced that it will begin taking orders for the $399 Linux-friendly smartphone in late December or early January. First announced in October, the PinePhone Pro is a smartphone with a 6 inch HD+ display, a Rockchip RK3399S hexa-core processor, 4GB of RAM, 128GB of storage. While those specs put the phone in mid-range territory, they aren’t the things that make the PinePhone Pro stand out. Pine64’s new smartphone has a few features that seem like throwbacks in 2021… but in a good way. It has a removable 3,000 mAh battery, a headset jack, and a microSD card reader. The phone also has physical switches that allow you to disable hardware including the cameras, mic, headphones, and wireless features if you want privacy.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
