Security

Canonical Releases Kernel Security Updates for Ubuntu 17.10 and Ubuntu 16.04 LTS

Filed under
Security
Ubuntu

For Ubuntu 17.10 (Artful Aardvark) users, today's security update addresses a bug (CVE-2018-8043) in the Linux kernel's Broadcom UniMAC MDIO bus controller driver, which improperly validated device resources, allowing a local attacker to crash the vulnerable system (a denial of service).

For Ubuntu 16.04 LTS (Xenial Xerus) users, the security patch fixes a buffer over-read vulnerability (CVE-2017-13305) in the Linux kernel's keyring subsystem and an information disclosure vulnerability (CVE-2018-5750) in the SMBus driver for ACPI Embedded Controllers. Both issues could allow a local attacker to expose sensitive information.


Security: Updates, Reproducible Builds, Match.com and More

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #156
  • A Match.com glitch reactivated a bunch of old profiles, raising concerns about user data

    A Match Group spokesperson confirmed that a “limited number” of old accounts had been accidentally reactivated recently and that any account affected received a password reset. Match.com’s current privacy statement, which was last updated in 2016, says that the company can “retain certain information associated with your account” even after you close it. But that Match Group spokesperson also told The Verge that the company plans to roll out a new privacy policy “in the next month or so,” in order to comply with the EU’s General Data Protection Regulation (GDPR); under the new policy, all those years-old accounts will be deleted. The Verge has requested clarification on which accounts will qualify for deletion, and what “deletion” will specifically entail, but has not received a response as of press time.

  • New hacks siphon private cryptocurrency keys from airgapped wallets

    Like most of the other attacks developed by Ben-Gurion University professor Mordechai Guri and his colleagues, the currency wallet exploits start with the already significant assumption that a device has already been thoroughly compromised by malware. Still, the research is significant because it shows that even when devices are airgapped—meaning they aren't connected to any other devices to prevent the leaking of highly sensitive data—attackers may still successfully exfiltrate the information. Past papers have defeated airgaps using a wide array of techniques, including electromagnetic emissions from USB devices, radio signals from a computer's video card, infrared capabilities in surveillance cameras, and sounds produced by hard drives.

  • New hacker group targets US health-care industry, researchers say

    The group, which Symantec has named “Orangeworm,” has been installing backdoors in large international corporations based in the U.S., Europe and Asia that operate in the health-care sector.

    Among its victims are health-care providers and pharmaceutical companies, as well as IT companies and equipment manufacturers that work for health organizations.

AV Linux Multimedia-Focused OS Gets New Stable Release with Meltdown Patches

Filed under
GNU
Linux
Security

AV Linux, the open-source GNU/Linux distribution designed for multimedia content creation, has been updated recently to version 2018.4.2, a release that adds Meltdown mitigations, updated components, and various other enhancements.

Probably the most important change in the AV Linux 2018.4.2 release is the implementation of the KPTI (Kernel page-table isolation) patch to protect users against the Meltdown security vulnerability, but only for 64-bit installations. The distribution is now powered by the long-term supported Linux 4.9.76 kernel, and users can disable the KPTI patch at boot.


Nearly 15 million Nintendo Switches are now hackable (other NVIDIA Tegra X1 devices too)

Filed under
GNU
Linux
Security
Gaming
Gadgets

Earlier this year hackers started to show evidence of an exploit that allowed you to load custom software on a Nintendo Switch game console. Theoretically that opens the door for homebrew applications, modified games, or even running an alternate operating system such as a GNU/Linux distribution on Nintendo’s latest game system. It could also make it possible to run pirated games, which is why console makers usually don’t encourage this sort of thing.

But now a team of hackers called ReSwitched has described a bootrom vulnerability called Fusée Gelée that makes it possible for anyone to hack a Nintendo Switch… assuming you’re willing to do a little hardware hacking too.


today's leftovers

Filed under
Security
  • Discovery of Terminal app for Chrome OS suggests future support for Linux software

    Chrome OS is a fairly flexible operating system, and its support for Android apps via the Google Play Store opens up a world of software. It has been thought -- and hoped -- for some time that Linux support might be on its way, and this is looking increasingly likely.

    A Terminal app has appeared in the Chrome OS dev channel, strongly suggesting that support for Linux applications could well be on the horizon -- something which will give Chromebooks a new appeal.

  • Put Wind into your Deployments with Kubernetes and Helm

    I’m a Software Engineer. Every day, I come into work and write code. That’s what I’m paid to do. As I write my code, I need to be confident that it’s of the highest quality. I can test it locally, but anyone who’s ever heard the words, “...but it works on my machine,” knows that’s not enough. There are huge differences between my local environment and my company’s production systems, both in terms of scale and integration with other components. Back in the day, production systems were complex, and setting them up required a deep knowledge of the underlying systems and infrastructure. To get a production-like environment to test my code, I would have to open a ticket with my IT department and wait for them to get to it and provision a new server (whether physical or virtual). This was a process that took a few days at best. That used to be OK when release cycles were several months apart. Today, it’s completely unacceptable.

  • KDE Plasma 5.13 Desktop Environment Promises Much Better Wayland Support

    The adoption of the next-generation Wayland display server amongst Linux-based operating systems is slowly, but surely, changing the Linux world for the better.

    While most of the popular GNU/Linux distributions out there are shy about adopting Wayland by default, major Linux desktop environments like GNOME and KDE continue to offer improved Wayland support with each new major release.

    KDE Plasma 5.13 is being worked on these days, and KDE developer Roman Gilg reported over the weekend on the progress, so far, on the Plasma Wayland component for the next major release, which looks to be pretty promising.

    One of the most significant changes implemented in Plasma Wayland for KDE Plasma 5.13 is the ability to run more Linux apps on the Wayland display manager, either as native Wayland clients or as Xwayland clients.

  • [Mageia] Weekly Roundup 2018 – Week 16

    Work on the LXQt packages is still ongoing; watch this space for Great Plasma Update news.

  • Ubuntu Weekly Newsletter Issue 524
  • Is English Wikipedia’s ‘rise and decline’ typical?

    The figure comes from “The Rise and Decline of an Open Collaboration System,” a well-known 2013 paper that argued that Wikipedia’s transition from rapid growth to slow decline in 2007 was driven by an increase in quality control systems. Although many people have treated the paper’s finding as representative of broader patterns in online communities, Wikipedia is a very unusual community in many respects. Do other online communities follow Wikipedia’s pattern of rise and decline? Does increased use of quality control systems coincide with community decline elsewhere?

  • Two DMV Startups Are Updating an Open Source Security System to Prevent Data Hacks
  • Comprehensive Android Binary Scans Find Known Security Vulnerabilities in 1 Out of Every 5 of the 700 Most Popular Apps on Google Play Store [Ed: Insignary is again badmouthing FOSS platforms as a form of marketing that's basically disguised as 'research' or 'study']
  • Ryzen Stability Issues Are Still Affecting Some FreeBSD Users

    While in recent months there have been some improvements to FreeBSD that have helped yield greater reliability in running AMD Ryzen processors on this BSD operating system, some users are still reporting hard-to-diagnose stability problems on FreeBSD.

    For some, FreeBSD on Ryzen is still leading to lock-ups, even while the system may be idle. Also making it hard to debug, some users can trigger a lock-up within an hour of booting their system, while others may run for a week or two before hitting any stability problem.

  • 6 DevOps trends to watch in 2018

    Here at Loggly, we live and breathe logs and uncovering underlying data. It probably comes as no surprise that we’re passionate about the future of log analysis and metric monitoring. Communicating with key subject matter experts in the DevOps space plays an important role in helping us understand where the industry is headed.

  • Trouble in techno hippie paradise

    Another interesting point: while the number of people addicted to nicotine has been going down globally lately, the number of network addicts has outnumbered those by far now. And yet the long term effects of being online almost 24/365 have not yet been researched at all. The cigarette companies claimed that most doctors smoke. The IT industry claims it's normal to be online. What's your wakeup2smartphone time? Do you check email every day?

Security: Updates, Trustjacking, Breach Detection

Filed under
Security
  • Security updates for Monday
  • iOS Trustjacking – A Dangerous New iOS Vulnerability

    An iPhone user's worst nightmare is to have someone gain persistent control over his/her device, including the ability to record and control all activity without even needing to be in the same room. In this blog post, we present a new vulnerability called “Trustjacking”, which allows an attacker to do exactly that.

    This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device. In addition, we will walk through past related vulnerabilities and show the changes that Apple has made in order to mitigate them, and why these are not enough to prevent similar attacks.

  • What Is ‘Trustjacking’? How This New iOS Vulnerability Allows Remote Hacking?

    This new vulnerability called trustjacking exploits a convenient WiFi feature, which allows iOS device owners to manage their devices and access data, even when they are not in the same location anymore.

  • Breach detection with Linux filesystem forensics

    Forensic analysis of a Linux disk image is often part of incident response to determine if a breach has occurred. Linux forensics is a different and fascinating world compared to Microsoft Windows forensics. In this article, I will analyze a disk image from a potentially compromised Linux system in order to determine the who, what, when, where, why, and how of the incident and create event and filesystem timelines. Finally, I will extract artifacts of interest from the disk image.

    In this tutorial, we will use some new tools and some old tools in creative, new ways to perform a forensic analysis of a disk image.

Security: IBM, Windows Freezes, 2FA and More

Filed under
Security

Security: Twitter and Facebook

Filed under
Security
  • Twitter banned Kaspersky Lab from advertising in Jan

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.

  • When you go to a security conference, and its mobile app leaks your data


    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook


    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

    If you log in to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.

Security: Updates, IBM, Elytron and Container Vulnerability Scanning

Filed under
Security
  • Security updates for Friday
  • IBM Security launches open-source AI

    IBM Security unveiled an open-source toolkit at RSA 2018 that will allow the cyber community to test their AI-based security defenses against a strong and complex opponent in order to help build resilience and dependability into their systems.

  • Elytron: A New Security Framework in WildFly/JBoss EAP

    Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement for PicketBox and JAAS. Elytron is a single security framework that can be used both for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in WildFly.

  • PodCTL #32 – Container Vulnerability Scanning

Security Leftovers

Filed under
Security
  • Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank

    Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

    The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.

    Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

  • Certificate Transparency and HTTPS

    CT stands for “Certificate Transparency” and, in simple terms, means that all certificates for websites will need to be registered by the issuing Certificate Authority (CA) in at least two public Certificate Logs.

  • Security updates for Thursday
  • IBM introduces open-source library for protecting AI systems
  • How to combine SSH key authentication and two-factor authentication on Linux
  • openSUSE Heroes loves Let’s Encrypt™ – Expect certificate exchange

    openSUSE loves Let's Encrypt™

    Maybe some of you noticed that our certificate for *.opensuse.org, used on many of our services, will expire soon (on 2018-04-23).

    As we noticed that as well, we decided to put a bit of work into this topic, and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.

    This is just a short notice / announcement for all of you that we are working on this topic at the moment. Together with the deployment of the new certificate, we will announce the corresponding hashes and maybe some further information on how we are implementing things.


More in Tux Machines

today's howtos

Graphics: VC4 and AMDVLK Driver

  • VC4 display, VC5 kernel submitted
    For VC5, I renamed the kernel driver to “v3d” and submitted it to the kernel. Daniel Vetter came back right away with a bunch of useful feedback, and next week I’m resolving that feedback and continuing to work on the GMP support. On the vc4 front, I did the investigation of the HDL to determine that the OLED matrix applies before the gamma tables, so we can expose it in the DRM for Android’s color correction. Stefan was also interested in reworking his fencing patches to use syncobjs, so hopefully we can merge those and get DRM HWC support in mainline soon. I also pushed Gustavo’s patch for using the new core DRM infrastructure for async cursor updates. This doesn’t simplify our code much yet, but Boris has a series he’s working on that gets rid of a lot of custom vc4 display code by switching more code over to the new async support.
  • V3D DRM Driver Revised As It Works To Get Into The Mainline Kernel
    Eric Anholt of Broadcom has sent out his revised patches for the "V3D" DRM driver, which up until last week was known as the VC5 DRM driver. As explained last week, the VC5 driver components are being renamed to V3D since it ends up supporting more than just VC5 with Broadcom VC6 hardware already being supported too. Eric is making preparations to get this VideoCore driver into the mainline Linux kernel and he will then also rename the VC5 Gallium3D driver to V3D Gallium3D.
  • AMDVLK Driver Gets Fixed For Rise of the Tomb Raider Using Application Profiles
    When Rise of the Tomb Raider, ported to Linux by Feral Interactive, was released last week, Radeon GPU owners playing this Vulkan-only port were supported by the Mesa RADV driver, while the official AMDVLK driver would lead to GPU hangs. That's now been fixed. With the latest AMDVLK/XGL source code as of today, the GPU hang issue for Rise of the Tomb Raider should be resolved.

AMD Ryzen 7 2700X Linux Performance Boosted By Updated BIOS/AGESA

With last week's initial launch-day Linux benchmarks of the Ryzen 5 2600X / Ryzen 7 2700X, some found the Linux performance to be lower than on Windows. While the root cause is undetermined, a BIOS/AGESA update does appear to help the Linux performance significantly, at least with the motherboard where I've been doing most of my tests with the Ryzen 7 2700X. Here are the latest benchmark numbers.

GNU: The GNU C Library 2.28 and Guix on Android

  • Glibc 2.28 Upstream Will Build/Run Cleanly On GNU Hurd
    While Linux distributions are still migrating to Glibc 2.27, in the two months since that release changes have continued building up for what will eventually become the GNU C Library 2.28. The Glibc 2.28 work queued thus far isn't nearly as exciting as all the performance optimizations and more introduced with Glibc 2.27, but it's a start. Most notable at this point for Glibc 2.28 is that it will now build and run cleanly on GNU/Hurd without requiring any out-of-tree patches. There have been a ton of Hurd-related commits to Glibc over the past month.
  • Guix on Android!
    Last year I thought to myself: since my phone is just a computer running an operating system called Android (or Replicant!), and that Android is based on a Linux kernel, it's just another foreign distribution I could install GNU Guix on, right? It turned out it was absolutely the case. Today I was reminded on IRC of my attempt last year at installing GNU Guix on my phone. Hence this blog post. I'll try to give you all the knowledge and commands required to install it on your own Android device.
  • GNU Guix Wrangled To Run On Android
    The GNU Guix transactional package manager can be made to run on Android smartphones/tablets, but not without lots of hoops to jump through first.