Security Leftovers

  • Tuesday's security updates
  • Why Aren't There Better Cybersecurity Regulations for Medical Devices?

    This summer, the Food and Drug Administration warned hospitals to stop using a line of drug pumps because of a cybersecurity risk: a vulnerability that could allow an attacker to remotely deliver a fatal dose to a patient. SAINT Corporation engineer Jeremy Richards, one of the researchers who discovered the vulnerability, called the drug pump “the least secure IP enabled device I’ve ever touched in my life.”

    There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them.

  • Congress Introduces Provision That Could Make Vehicle Security Research Illegal

    Far too often Congress proposes tech legislation that is either poorly researched or poorly drafted (or both). Fortunately, most of the bills don't advance. Unfortunately, this doesn’t seem to dissuade Congress from constantly writing these types of bills. The House Energy and Commerce Committee released such a bill last week. It's only a discussion draft and hasn't been introduced as a formal bill yet, but its provisions would not only effectively put the brakes on car security research, but also immunize auto manufacturers from FTC privacy enforcement when (not if) they fail to secure our cars. It's a classic one-two punch from Congress: not understanding something and then deciding to draft a bill about it anyway.

  • Crypto researchers: Time to use something better than 1024-bit encryption

    It’s possible for entities with vast computing resources, such as the NSA and major national governments, to compromise commonly used Diffie-Hellman keys, and over time more groups will be able to afford cracking them as computing costs go down.

  • The first rule of zero-days is no one talks about zero-days (so we’ll explain)

    How do you defend yourself against the unknown? That is the crux of the zero-day vulnerability: a software vulnerability that, by definition, is unknown to the user of the software and often to its developer as well.

    Everything about the zero-day market, from research and discovery through disclosure and active exploitation, is predicated upon this fear of the unknown—a fear that has been amplified and distorted by the media. Is the world really at threat of destabilisation due to lone-wolf hackers digging up vulnerabilities in popular software packages and selling them to whichever repressive government offers the most money? Or is it just a classic case of the media and megacorp lobbyists focusing on the sexy, scary, offensive side of things, and glossing over the less alluring aspects?

More in Tux Machines

Best Dual Pane File Managers for Linux

This article will cover a list of free and open source dual-pane and multi-pane file managers available for Linux. These file managers provide a broader look at various files and folders stored on your storage devices. They also improve overall productivity and file handling experience, especially if you regularly navigate through a lot of files using keyboard shortcuts. [...] These are some of the most popular dual-pane and multi-pane file managers available for Linux. While these file managers may seem cluttered and a little verbose at times, they are really useful if you want to quickly navigate through multiple files at once and run simultaneous file operations.

Most Popular and Essential Linux Applications for 2021

One of the best things that come with Linux is its large collection of applications and tools. Linux has established a respectable name for itself and is well known for having some of the most excellent and stable applications, several of which are free and open source. 2020 has been another excellent year for the production and development of several amazing and outstanding applications, and the story is mostly going to be the same next year, as well. This article covers the top 10 applications that are expected to be extremely popular in 2021.

Security Leftovers

  • Door 02: Marketing department or selection bias? - Open Source Security

    Josh and Kurt talk about cybersecurity statistics and the value of the data we have.

  • Security updates for Tuesday

    Security updates have been issued by Debian (libxstream-java, musl, mutt, pdfresurrect, vips, and zsh), Fedora (libuv, nodejs, thunderbird, and xen), openSUSE (libssh2_org, mutt, neomutt, and thunderbird), Oracle (firefox and thunderbird), Red Hat (firefox, rh-nodejs12-nodejs, rh-php73-php, and thunderbird), Scientific Linux (thunderbird), SUSE (libX11, mariadb, mutt, python-pip, python-setuptools, and python36), and Ubuntu (containerd, php-pear, and sniffit).

  • Two More X.Org Server Security Advisories Issued - Possible Privilege Escalation - Phoronix

    Trend Micro's Zero Day Initiative has uncovered two more security issues with the aging X.Org Server, which as we roll into 2021 is still powering most Linux desktops. The security researchers found multiple input validation failures in the X.Org Server's XKB keyboard extension. Insufficient input checks could lead to out-of-bounds memory accesses or buffer overflows.

  • X.Org server security advisory: December 1, 2020
    
    Multiple input validation failures in X server XKB extension
    ============================================================
    
    These issues can lead to privilege elevation for authorized clients
    on systems where the X server is running privileged.
    
    * CVE-2020-14360 / ZDI-CAN-11572 XkbSetMap Out-Of-Bounds Access
    
    Insufficient checks on the lengths of the XkbSetMap request can lead to
    out of bounds memory accesses in the X server.
    
    * CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow
    
    Insufficient checks on input of the XkbSetDeviceInfo request can lead
    to a buffer overflow on the heap in the X server.
    
  • xorg-server 1.20.10

    Xorg-server 1.20.10 has been released. This version fixes security issues that could lead to privilege escalation, or other problems.

Graphics: Intel, NVIDIA and Mesa

  • Intel Begins Preparing Linux Graphics Driver Support For Xe HP As "Gen12.5" - Phoronix

    Xe HP is Intel's discrete GPU aiming to compete against the latest-generation AMD and NVIDIA compute accelerators. Xe HP isn't scheduled to reach general availability until well into 2021, but as Intel begins ramping up sampling of Xe HP to potential customers, the Linux open-source driver support is being prepared to roll out. While Xe HP is about scaling up Intel Xe Graphics (Gen12), the Xe HP driver support is introducing it as a new "Gen12.5" target rather than the "Gen12" target used by Tiger Lake / Rocket Lake / Xe LP.

  • NVIDIA Is Working On DMA-BUF Passing That Should Help Improve Their Wayland Support

    NVIDIA is working on allowing their proprietary driver to support passing buffers as DMA-BUF. In turn this should allow for better support of their proprietary driver on Wayland compared to the EGLStreams mess. A Phoronix reader tipped us off to NVIDIA developer comments last month in response to a KDE EGLStreams bug. That bug report was opened because restarting compositing breaks the EGLStreams back-end for KDE's KWin.

  • Mesa Now 2~5x Faster For SPECViewPerf Following OpenGL Optimizations - Phoronix

    Well known open-source AMD Linux graphics driver developer Marek Olšák has just merged one of his largest sets of optimizations in recent times: 2~5x faster performance for SPECViewPerf. SPECViewPerf is the common industry benchmark for measuring graphics performance for professional applications, with benchmark viewsets from 3ds Max, CATIA, Maya, Solidworks, Siemens NX, and other programs. Performance when using Mesa drivers had been lagging, but now, thanks to improvements to common Mesa infrastructure, the performance is wildly improved.