Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • John McAfee: McAfee antivirus is one of the worst products on the planet
  • Highway to hack: why we’re just at the beginning of the auto-hacking era

    Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?

    That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.

  • backdooring your javascript using minifier bugs

    In addition to unforgettable life experiences and personal growth, one thing I got out of DEF CON 23 was a copy of POC||GTFO 0x08 from Travis Goodspeed. The coolest article I’ve read so far in it is “Deniable Backdoors Using Compiler Bugs,” in which the authors abused a pre-existing bug in CLANG to create a backdoored version of sudo that allowed any user to gain root access. This is very sneaky, because nobody could prove that their patch to sudo was a backdoor by examining the source code; instead, the privilege escalation backdoor is inserted at compile-time by certain (buggy) versions of CLANG.

    That got me thinking about whether you could use the same backdoor technique on javascript. JS runs pretty much everywhere these days (browsers, servers, arduinos and robots, maybe even cars someday) but it’s an interpreted language, not compiled. However, it’s quite common to minify and optimize JS to reduce file size and improve performance. Perhaps that gives us enough room to insert a backdoor by abusing a JS minifier.

More in Tux Machines

Decision Making With If Else and Case Statements in Bash Scripts

In this chapter of bash beginner series, you'll learn about using if-else, nested if else and case statements in bash scripts. Read more

Debian GNU/Linux 11 (Bullseye) Artwork Contest Is Now Open for Entries

This is the moment for aspiring artists and designers who want to display their work in front of millions of Debian users to submit their best artwork for the upcoming Debian GNU/Linux 11 (Bullseye) operating system series, due for release in mid-2021. Submissions are opened until November 1st, 2020, but your artwork needs to meet the following specifications. For example, you will have to create a wiki page for your artwork proposal at DebianArt/Themes, write down a few words about your idea, use an image format that can be later modified using free and open source software, and add a license that lets the Debian Project distribute your artwork within Debian GNU/Linux. Read more

GNOME 3.36.5 Desktop Update Released with Various Improvements and Bug Fixes

Coming about a month after the release of the GNOME 3.36.4 update, GNOME 3.36.5 is here as the latest stable bugfix release for the GNOME 3.36 desktop environment series. As expected, the new update is packed with updated core components and apps to keep GNOME 3.36’s stability and reliability at the higher standards. Highlights of the GNOME 3.36.5 update include Firefox Sync improvements for the Flatpak version of the Epiphany (GNOME Web) web browser, along with a fix for the way newly created tabs are ordered when closing new tabs, as well as a fix for a drag-and-drop crash in File Roller that occurred when cancelling the file overwrite process. Read more

Android Leftovers