
Security

Security Leftovers

Filed under
Security
  • Why You Should Trust Open Source Software Security | IT Pro

    When it comes to open source vs. proprietary software security, security experts say open source software security sets the bar high.

  • SUSE Private Registry: A safe Harbor for your containers. - SUSE Communities

    SUSE Private Registry provides integration points for container content vulnerability scanning services. Included by default is Trivy, a simple and comprehensive scanner that can search image contents for vulnerabilities in OS packages (for SLES, openSUSE, Alpine, RHEL, CentOS, Debian, and others) as well as many language/framework package managers (like Bundler, Composer, Pipenv, Poetry, npm, yarn, and Cargo).

  • Basics of Kubernetes security – IBM Developer

    Kubernetes is popular among developers and administrators, and the concepts of deploying, scaling, and managing containerized applications are very familiar. However, one area that becomes critical as soon as production deployments are discussed is security. It is important to understand how the platform manages authentication and authorization of users and applications.

    If your Kubernetes cluster holds sensitive information such as bank account details, medical records, or anything confidential, you should take advantage of all the security precautions that Kubernetes offers. In addition, you can use plenty of non-Kubernetes-specific security tools and approaches to add extra security layers.

Cloud Data Encryptor Cryptomator Adds Experimental FUSE Support On Windows, KWallet Integration

Filed under
Security

Cryptomator, a client-side encryption tool for cloud files (and more), has been updated recently with experimental FUSE support on Windows (via WinFSP), KWallet support, vault statistics, and more.

Cryptomator is a free and open source Java tool that provides client-side encryption for your cloud storage files, available for Windows, macOS and Linux. There are also iOS and Android applications; these are open core (a business model for monetizing commercially produced open source software) and need to be purchased.

It works with cloud storage services that synchronize with a local directory, like Dropbox, OneDrive (on Linux using e.g. OneDrive Free Client fork) and Google Drive (including using it with Insync). You can choose to either encrypt your whole cloud storage, or only a few sensitive files, in either a single or multiple vaults.


Security: Patches, Linux Format Special and POWER9 Problems

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).

  • Cyber insecurity | Linux Format

    Each year we proclaim it’s time to learn how to hack. But why? Jonni always gets angry at the subversion of the term ‘hacking’ and I can understand why. Hacking is fun, as is finding out how systems work and how to get them to do things they were never meant to do.

    With open source and the Linux ecosystem there’s an abundance of hacking fun to be had, and it’s no wonder all the key tools for learning how to hack – and actually hack – are developed and run out of Linux systems.

    For this year’s look at the world of hacking Jonni’s introducing you to the Metasploit Framework. This is a playground where you can learn, explore and develop hacking skills. It’s usually paired with Kali Linux, and we’re putting these on the Linux Format DVD, which makes a welcome return.

  • IBM POWER9 CPUs Need To Flush Their L1 Cache Between Privilege Boundaries Due To New Bug

    CVE-2020-4788 is now public and it's not good for IBM and their POWER9 processors... This new vulnerability means these IBM processors need to be flushing their L1 data cache between privilege boundaries, similar to other recent CPU nightmares.

    While IBM POWER9 allows speculative operation on completely validated data in the L1 cache, bad things can happen when the data is only incompletely validated. Paired with other side channels, local users could improperly obtain data from the L1 cache.

    CVE-2020-4788 was made public this morning and is now causing all stable Linux kernel series to receive the mitigation that amounts to hundreds of lines of new code. The mitigation is flushing the L1 data cache for IBM POWER9 CPUs across privilege boundaries -- both upon entering the kernel and on user accesses.

Security Patches in OpenSUSE and SUSE

Filed under
Security
SUSE
  • Two Tumbleweed Snapshots update PostgreSQL, Mesa

    Snapshot 20201117 provides the latest update of packages for the rolling release. Among the packages to update was Mozilla Thunderbird to version 78.4.3; the email client updated a Rust patch and brought in a new feature from a previous minor version that prompts for an address to be used when starting an email from an address book entry with multiple addresses. KDE’s Plasma 5.20.3 stopped the loading of multiple versions of the same plugin in the task manager KSysGuard and there were many other bug fixes for Plasma users. Four months of shell scripts were updated in the hxtools 20201116 version; one of the changes to gpsh changed the tmp location to /var/tmp, which was to avoid saving potentially large files to tmpfs. The Linux Kernel made a jump from 5.9.1 to 5.9.8, which had a change for Btrfs as well as several USB changes. Database package postgresql 13 had its first point release to 13.1, which took care of three Common Vulnerabilities and Exposures and fixed a time test case so it works when the USA is not observing daylight-savings time. The graphical tool for administering virtual machines, virt-manager slimmed down the filesystem device editor User Interface. Text editor vim had a fix for when a crash happens when using a popup window with “latin1” encoding and python 3.8.6 took care of CVE-2019-20916.

  • Guardicore and SUSE partner to help you protect your critical applications - SUSE Communities

    Within the cybersecurity segment, Guardicore stands out from the crowd with its Guardicore Centra Platform, which disrupts the legacy firewall market by implementing micro-segmentation in your organization. Their software-only approach is decoupled from the physical network, providing a faster alternative to firewalls. Built for the agile enterprise, Guardicore offers greater security and visibility in the cloud, data center, and endpoint. It also ensures security doesn’t slow you down and, thanks to SUSE environments, allows you to code and deploy on demand.

Digital Restrictions (DRM) and Spying, Proprietary Software and (In)Security

Filed under
Security
  • macOS Leaks Application Usage, Forces Apple to Make Hard Decisions

    Last week, users of macOS noticed that attempting to open non-Apple applications while connected to the Internet resulted in long delays, if the applications opened at all. The interruptions were caused by a macOS security service attempting to reach Apple’s Online Certificate Status Protocol (OCSP) server, which had become unreachable due to internal errors. When security researchers looked into the contents of the OCSP requests, they found that these requests contained a hash of the developer’s certificate for the application that was being run, which was used by Apple in security checks.[1] The developer certificate contains a description of the individual, company, or organization which coded the application (e.g. Adobe or Tor Project), and thus leaks to Apple that an application by this developer was opened.

    Moreover, OCSP requests are not encrypted. This means that any passive listener also learns which application a macOS user is opening and when.[2] Those with this attack capability include any upstream service provider of the user; Akamai, the ISP hosting Apple’s OCSP service; or any hacker on the same network as you when you connect to, say, your local coffee shop’s WiFi. A detailed explanation can be found in this article.

  • Microsoft developing ‘Pluton’ security chip for Windows

    Microsoft will work with Intel, Advanced Micro Devices Inc. and Qualcomm Inc. to help them build Pluton into their personal computer processors. Firmware updates to CPU-integrated Pluton chips will be released by Microsoft as part of Windows updates.

  • Microsoft's new 'Pluton' security processor gets buy-in from Intel, AMD

    Advocates of the new security chip, known as Pluton, say it will cut off a key vector for data-stealing attacks: a communication channel between a computing system’s central processing unit (CPU) and another piece of hardware known as the trusted platform module (TPM). In one example of that type of attack, researchers from security company NCC Group in 2018 showed how an attacker could undermine the booting process for “a large number of TPM-enabled computing platforms.”

    The Pluton chip will be built into Windows computers through “future chips” made by AMD, Intel and Qualcomm, Microsoft said. It’s unclear when, exactly, all of that hardware will be on the market. Microsoft would only say that the work is ongoing.

  • Apple Reduces App Store Commission for Small Businesses

    Apple has been getting hit by app developers lately for its commission policy of taking 30 percent of all purchases. It has made a change that makes it seem like it will benefit smaller businesses, but critics say it really doesn’t mean much.

  • Apple spins better than Warnie as it backs down on AppStore commission

    The fact that even a company valued at US$2 trillion (A$2.7 trillion) has to sometimes heed public sentiment has been aptly illustrated by Apple announcing overnight that it would be lowering its take on apps sold from its App Store to 15% for small businesses that pull in less than a million.

  • Nordea [crackers] face prison and hefty fines, court rules [iophk: Windows TCO]

    Ostrobothnia District Court on Tuesday sentenced two men to prison terms as well as fines and compensation payments after finding the pair guilty of [cracking] into Nordea Bank's computer system in an attempt to steal several million euros.

  • The M1 Macs

    Apple, in its keynote last week, emphasized that the M1 MacBook Air has no fan. (Intel-based MacBook Airs most definitely do. The defunct 12-inch no-adjective MacBook was Apple’s only fanless Intel Mac.) Apple’s point there was to brag that the M1 runs so cool that a high-performance MacBook could be designed without one. Some Mac users, I think, mistakenly took this to mean that the Air had an advantage over the M1 MacBook Pro, in that the fanless Air would always run silently, if sometimes slower. I think this assumption was wrong: the M1 MacBook Pro is, to my ears, always silent as well. Whatever its active cooling system is doing, it isn’t making even a whisper of noise.

    No Intel-based laptop with vaguely comparable performance to these machines can possibly match that silence. If you care about noise, the game is already over.

  • Security updates for Thursday

    Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares).

  • We can’t move forward by looking back – Open Source Security

    For the last few weeks Kurt and I have been having a lively conversation about security ratings scales. Is CVSS good enough? What about the Microsoft scale? Are there other scales we should be looking at? What’s good, what’s missing, what should we be talking about.

    There’s been a lot of back and forth and different ideas; over the course of our discussions I’ve come to realize an important aspect of security, which is that we don’t look forward very often. What I mean by this is that there is a very strong force in the world of security to use prior art to drive our future decisions. Except all of that prior art is comically out of date in the world of today.

    An easy example are existing security standards. All of the working groups that build the standards, and ideas the working groups bring to the table, are using ideas from the past to solve problems for the future. You can argue that standards are at best a snapshot of the past, made in the present, to slow down the future. I will elaborate on that “slow down the future” line in a future blog post, for now I just want to focus on the larger problem.

    It might be easiest to use an example, I shall pick on CVSS. The vast majority of ideas and content in a standard such as CVSS is heavily influenced by what once was. If you look at how CVSS scores things, it’s clear a computer in a datacenter was in mind for many of the metrics. That was fine a decade ago, but it’s not fine anymore. Right now anyone overly familiar with CVSS is screaming “BUT CVSS DOESN’T MEASURE RISK IT MEASURES SEVERITY”, which I will say: you are technically correct, nobody cares, and nobody uses it like this. Sit down. CVSS is a perfect example of the theory being out of touch with reality.

  • Linux Foundation, CNCF Launch Kubernetes Security Specialist Certification
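What a passive listener recovers from one of the plaintext OCSP requests described in the macOS item above, as an added example that is neither Apple's code nor code from the article: a small DER encoder builds an RFC 6960 OCSPRequest the way a client does, and a decoder walks it back the way a sniffer on the same network would. The issuer name, issuer key and serial number below are constructed placeholders; a real request carries the hashes of the issuing CA's name and key plus the serial number of the developer's certificate, which is what identifies the developer.

```python
"""Added example: build and decode a minimal OCSPRequest (RFC 6960).
The request travels as a plain HTTP POST body, so every field below is
visible to anyone on the path.  Issuer DN, issuer key bits and serial
are constructed placeholders, not Apple's real values."""

import hashlib

SHA1_OID = b"\x2b\x0e\x03\x02\x1a"   # 1.3.14.3.2.26, the CertID hash algorithm
CN_OID = b"\x55\x04\x03"             # 2.5.4.3 commonName


def der(tag, body):
    """One DER TLV with definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return bytes([tag]) + length + body


def der_int(n):
    """Non-negative INTEGER; extra byte keeps the sign bit clear when needed."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_cert_id(issuer_dn_der, issuer_key_bits, serial):
    """CertID = { hashAlgorithm, H(issuer name), H(issuer public key), serial }."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
    return der(0x30, alg
               + der(0x04, hashlib.sha1(issuer_dn_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_int(serial))


def build_ocsp_request(cert_ids):
    """OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert } } }.
    Version defaults to v1 and no requestorName or signature is sent."""
    request_list = der(0x30, b"".join(der(0x30, c) for c in cert_ids))
    return der(0x30, der(0x30, request_list))


def der_decode(data, off=0):
    """Decode one TLV at data[off]; returns (tag, value, offset after it)."""
    tag, ln, off = data[off], data[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + ln], off + ln


def der_children(body):
    """All TLVs directly inside a constructed value, as (tag, value) pairs."""
    items, off = [], 0
    while off < len(body):
        tag, val, off = der_decode(body, off)
        items.append((tag, val))
    return items


def observer_view(wire):
    """What a passive listener reads out of the unencrypted request body."""
    _, ocsp_req, _ = der_decode(wire)
    tbs = der_children(ocsp_req)[0][1]
    # Skip the optional [0] version / [1] requestorName; requestList is the SEQUENCE.
    request_list = next(v for t, v in der_children(tbs) if t == 0x30)
    seen = []
    for _, req in der_children(request_list):
        cert_id = der_children(req)[0][1]
        alg, name_hash, key_hash, serial = der_children(cert_id)
        oid = der_children(alg[1])[0][1]
        seen.append({
            "hash_alg": "sha1" if oid == SHA1_OID else oid.hex(),
            "issuer_name_hash": name_hash[1].hex(),   # identifies the issuing CA
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big"),  # identifies the developer cert
        })
    return seen


# Constructed placeholders standing in for the real issuer DN, key and serial.
ISSUER_DN = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID)
                                    + der(0x0C, b"Example Developer ID CA"))))
ISSUER_KEY_BITS = bytes(range(32))
DEVELOPER_SERIAL = 0x1A2B3C4D5E6F


def demo():
    wire = build_ocsp_request([build_cert_id(ISSUER_DN, ISSUER_KEY_BITS, DEVELOPER_SERIAL)])
    return observer_view(wire)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Nothing in the request is secret or signed by the client, so the same decode works on a packet capture from the coffee shop Wi-Fi; the listener does not need the certificate itself, because the issuer hashes are stable per CA and the serial is unique per developer certificate, which is exactly the correlation the article describes.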

CentOS Linux 7 Receives Patches for Latest Intel CPU Vulnerabilities, Update Now

Filed under
Security

CentOS Linux developer and maintainer Johnny Hughes announced today the availability of a new version of the microcode_ctl package that provides Intel CPU microcode updates in the CentOS Linux 7 release to address recent security vulnerabilities.

Being derived from the sources of Red Hat Enterprise Linux, CentOS Linux gets its updates from the upstream repositories. Now, you’re probably already aware of the recently discovered security vulnerabilities affecting some Intel processors, so you’re wondering when the patches will land in CentOS Linux 7. Well, the time is now!


The 10 Best Linux Anti-Spam Tools and Software in 2020

Filed under
Linux
Security

Linux anti-spam tools are great ways to protect your inbox from being flooded with unexpected messages. I know quite well how frustrating it is to deal with this kind of spam. It is not only time consuming but also a serious security threat to your computer. Individual users like me do not have to struggle that much to fight spam; large companies, for example service providers, are very prone to it. You will be surprised to know that almost 45 percent of the emails sent are spam, and it costs a huge sum of money to fight them.

If you use email services from giant providers like Gmail or Outlook, they automatically give you spam protection. But if your organization or school uses a custom email service, you need a spam protection tool. Fortunately, Linux has a wide range of anti-spam tools that are absolutely free.


Security: Patching and New Kinds of Threats

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (libdatetime-timezone-perl, openldap, pacemaker, and restic), Fedora (libmediainfo, mediainfo, mingw-python3, and seamonkey), Gentoo (libexif), openSUSE (raptor), Oracle (kernel and microcode_ctl), Scientific Linux (firefox), SUSE (kernel-firmware, postgresql, postgresql96, postgresql10 and postgresql12, and raptor), and Ubuntu (openldap and postgresql-10, postgresql-12, postgresql-9.5).

  • Be Very Sparing in Allowing Site Notifications

    An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters.

    [...]

    This is evident from the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.

    Website publishers who sign up with PushWelcome are asked to include a small script on their page which prompts visitors to approve notifications. In many cases, the notification approval requests themselves are deceptive — disguised as prompts to click “OK” to view video material, or as “CAPTCHA” requests designed to distinguish automated bot traffic from real visitors.

  • Measuring Middlebox Interference with DNS Records

    The Domain Name System (DNS) is often referred to as the “phonebook of the Internet.” It is responsible for translating human readable domain names–such as mozilla.org–into IP addresses, which are necessary for nearly all communication on the Internet. At a high level, clients typically resolve a name by sending a query to a recursive resolver, which is responsible for answering queries on behalf of a client. The recursive resolver answers the query by traversing the DNS hierarchy, starting from a root server, a top-level domain server (e.g. for .com), and finally the authoritative server for the domain name. Once the recursive resolver receives the answer for the query, it caches the answer and sends it back to the client.

    Unfortunately, DNS was not originally designed with security in mind, leaving users vulnerable to attacks. For example, previous work has shown that recursive resolvers are susceptible to cache poisoning attacks, in which on-path attackers impersonate authoritative nameservers and send incorrect answers for queries to recursive resolvers. These incorrect answers then get cached at the recursive resolver, which may cause clients that later query the same domain names to visit malicious websites. This attack is successful because the DNS protocol typically does not provide any notion of correctness for DNS responses. When a recursive resolver receives an answer for a query, it assumes that the answer is correct.

    DNSSEC is able to prevent such attacks by enabling domain name owners to provide cryptographic signatures for their DNS records. It also establishes a chain of trust between servers in the DNS hierarchy, enabling clients to validate that they received the correct answer.
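The resolver behaviour the post describes, as an added example that is not code from the Mozilla post: a minimal DNS wire-format encoder and decoder plus a toy stub resolver that applies only the checks a resolver without DNSSEC validation applies to an incoming answer (transaction ID, UDP port and question must match a query in flight). The names, addresses and the `ToyResolver` model are constructed for the example.

```python
"""Added example: why a non-validating resolver accepts a forged answer.
Names, addresses and the ToyResolver model are constructed, not real."""

import secrets
import struct

TYPE_A, CLASS_IN = 1, 1
EPHEMERAL_PORTS = 64512          # 1024..65535 once source ports are randomized


def encode_name(name):
    # 'mozilla.org' -> 07 'mozilla' 03 'org' 00
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode labels at msg[off], following 0xC0 compression pointers.
    Returns (name, offset just past the name in the original position)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(name, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query, ipv4, ttl=300):
    """Answer `query` with one A record; c0 0c points back at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + bytes(int(o) for o in ipv4.split(".")))
    return header + query[12:] + rr


def parse_response(msg):
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                                  # qtype, qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "answers": answers}


class ToyResolver:
    """Caches the first answer whose (txid, port, qname) matches a pending query.
    That is the whole authenticity check when DNSSEC is not validated."""

    def __init__(self):
        self.cache, self.pending = {}, {}

    def send_query(self, name):
        txid = secrets.randbelow(65536)
        sport = 1024 + secrets.randbelow(EPHEMERAL_PORTS)
        self.pending[(txid, sport)] = name
        return build_query(name, txid), sport

    def receive(self, reply, dport):
        parsed = parse_response(reply)
        key = (parsed["txid"], dport)
        if self.pending.get(key) != parsed["qname"]:
            return False                 # wrong ID, port or question: dropped
        del self.pending[key]            # first match wins; the real answer arriving later is ignored
        for name, ip, ttl in parsed["answers"]:
            self.cache[name] = (ip, ttl)
        return True


def spoof_search_space(ports_randomized):
    """(txid, port) pairs an off-path attacker must cover to hit one pending query."""
    return 65536 * (EPHEMERAL_PORTS if ports_randomized else 1)


def demo():
    resolver = ToyResolver()
    query, sport = resolver.send_query("mozilla.org")
    txid = struct.unpack("!H", query[:2])[0]
    wrong_id = build_query("mozilla.org", (txid + 1) % 65536)
    rejected = not resolver.receive(build_response(wrong_id, "203.0.113.66"), sport)
    # An attacker who observes or guesses ID and port is indistinguishable from the
    # authoritative server; the forged record is cached for `ttl` seconds.
    accepted = resolver.receive(build_response(query, "203.0.113.66"), sport)
    return rejected, accepted, resolver.cache.get("mozilla.org")


if __name__ == "__main__":
    print(demo())
    print("guesses without/with port randomization:",
          spoof_search_space(False), spoof_search_space(True))
```

The first forged reply carries the wrong transaction ID and is dropped; the second matches ID and port, lands in the cache, and the genuine answer arriving afterwards has nothing pending to match. Randomizing the source port multiplies the guess space from 65536 to roughly four billion, which is why it was the stopgap for off-path poisoning, but neither check says who produced the answer; that is what DNSSEC signatures add.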

Proprietary Software and Security Issues

Filed under
Microsoft
Mac
Security

IPFire 2.25 - Core Update 152 released

Filed under
Linux
Security

Another update for IPFire is out: IPFire 2.25 - Core Update 152

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate

This update comes with various smaller bug fixes and improvements and updates the Windows File Sharing Add-on.


More in Tux Machines

today's howtos

  • How to install MySQL server on CentOS 8 Linux - nixCraft

    How do I install MySQL server 8.0 on a CentOS 8 Linux server running on Linode or the AWS cloud? How do I add and set up a new MySQL user and database account on the newly created CentOS server? Oracle MySQL server version 8.0 is a free and open-source database server. It is one of the most popular database systems used in web apps and websites on the Internet. Typically MySQL is part of the LAMP (Linux, Apache/Nginx, MySQL, Perl/Python/PHP) stack. Popular open-source software such as WordPress and MediaWiki relies on MySQL as its database backend. Let us see how to install MySQL server version 8.x on a CentOS 8 Linux server.

  • Linux Fu: VPN For Free With SSH | Hackaday

    If you see a lot of banner ads on certain websites, you know that without a Virtual Private Network (VPN), hackers will quickly ravage your computer and burn down your house. Well, that seems to be what they imply. In reality, though, there are two main reasons you might want a VPN connection. You can pay for a service, of course, but if you have ssh access to a computer somewhere on the public Internet, you can set up your own VPN service for no additional cost. The basic idea is that you connect to a remote computer on another network and it makes it look like all your network traffic is local to that network. The first case for this is to sidestep or enhance security. For example, you might want to print to a network printer without exposing that printer to the public Internet. While you are at the coffee shop you can VPN to your network and print just like you were a meter away from the printer at your desk. Your traffic on the shop’s WiFi will also be encrypted.

  • YANUB: yet another (nearly) useless blog: QSoas tips and tricks: using meta-data, first level

    By essence, QSoas works with y = f(x) datasets. However, in practice, when working with experimental data (or data generated from simulations), one often has more than one experimental parameter (x). For instance, one could record a series of spectra (A = f(λ)) for different pH values, so that the absorbance is in fact a function of both the pH and λ. QSoas has different ways to deal with such situations, and we'll describe one today, using meta-data. [...] QSoas is a powerful open source data analysis program that focuses on flexibility and powerful fitting capacities. It is released under the GNU General Public License. It is described in Fourmond, Anal. Chem., 2016, 88 (10), pp 5050–5052. Current version is 2.2. You can download its source code there (or clone from the GitHub repository) and compile it yourself, or buy precompiled versions for MacOS and Windows there.

  • Many ways to sort file content on Linux

    The Linux sort command can arrange command output or file content in a lot more ways than you might realize--alphabetically, numerically, by month and randomly are only some of the more interesting choices. In this post, we take a look at some of the more useful sorting options and explain how they differ.

  • How to install Luminance HDR

    Luminance HDR is an open-source GUI tool that provides an easy to use toolkit for HDR imaging. It is available on all major Linux operating systems and is excellent for photographers. In this guide, we will go over how to install Luminance HDR on Linux.

  • How to add a WordPress user sign up - Anto Online

    Adding an external user sign up page on a website allows users to register for different roles. Once registered, they can perform tasks such as adding new articles, new comments, and even performing other actions such as designing. Allowing a user to sign up is a common thing for bloggers and companies that accept guest posts. However, this feature can also be used to offer premium content for your members. But, this may require more custom fields and branding. The default WordPress sign up page contains fixed fields and a WordPress logo.

  • How to install Lyrebird on a Chromebook - a Discord Voice Changer

    Today we are looking at how to install Lyrebird, a voice changer for Discord on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to play Brawlhalla on Linux

    Brawlhalla is a free-to-play 2D fighting game. It was developed by Blue Mammoth Games, published by Ubisoft, and released on Nintendo Switch, Xbox One, PS4, and PC. In this guide, we’ll show you how to play it on Linux.

Games: RetroArch, PulseAudio, Anarch

  • You can now try the RetroArch Playtest on Steam for Linux | GamingOnLinux

    With the awesome RetroArch application for running emulators and all sorts coming to Steam, they now have a Playtest available you can opt into to try it out. Using the new dedicated Steam Playtest feature announced by Valve in early November, developers can have a banner on their Steam store page letting users request access. So the Libretro team have put this up, and as of today it also has Linux builds available for testing.

  • PulseAudio 14.0 Released With Better USB Gaming Headset Support - Phoronix

    While in 2021 we might begin to see PipeWire replacing PulseAudio by default at least on bleeding-edge distributions like Fedora, for now PulseAudio still is the dominant sound server used by desktop Linux distributions. Rolling out today is PulseAudio 14.0. PulseAudio 14.0 comes with many changes compared to PulseAudio 13.0 that shipped all the way back in September of 2019.

  • "Anarch", a new, public-domain Doom-like game coded from scratch in <256K

    I've argued that the video-game "Doom" is a sort of cultural version of Turing Completeness. Given that we're jamming computers and screens into just about any device these days, inevitably (and delightfully) someone gets it to run Doom: Watches, digital cameras, ATMs, pregnancy sticks. But you know what's even cooler? Creating your own new, original game in exactly the style of Doom, and making it so wildly resource-efficient that it fits in under 256K and will run on just about any computational device around. That's what the programmer Miloslav Číž has done, with his new game "Anarch". You can play it in your browser here or download it here; I just blasted away in it for a while, and it's a hoot — he neatly channels the mechanics and twitchy low-rez aesthetics of the original. Gameplay trailer is here; he put it in the public domain, and the code is all here on Gitlab.

Announcing Istio 1.6.14

This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.6.13 and Istio 1.6.14.

More:

  • ISTIO-SECURITY-2020-011
  • Support for Istio 1.6 has ended

    As previously announced, support for Istio 1.6 has now officially ended. At this point we will no longer back-port fixes for security issues and critical bugs to 1.6, so we heartily encourage you to upgrade to the latest version of Istio (1.8) if you haven’t already.

Moving into the future with the FSF tech team

The FSF is well-known for spearheading the advocacy and support of free software, not just by recommending it in the face of pervasive proprietary options, but also by condemning nonfree software altogether. Following this recommendation is hard, even for us, because of the ever-increasing dependency on software and computer networks that we are all subject to. To follow through with our commitment, our tech team maintains a large list of services that many other offices our size would have long ago been wrongly pressured into transferring to one of the handful of gigantic corporations that monopolize those services. Your work email account is most likely implemented through Gmail or Outlook; your office's software is likely to be served by Amazon Web Services, along with all the data backups; your company's customer service is likely to be managed through Salesforce or SAP, and so on. Make no mistake, this is true for your local government and school networks, too! In contrast, at the FSF, we never jumped on the outsourcing wagon, and we don't use any Service as a Software Substitute (SaaSS) in our operations. We run our own email servers, telephony and fax service, print shop, full server stack, backups, networking, systems monitoring, accounting, customer relationship management (CRM) software, and a long list of other tasks and software development projects, with a team of just four extremely dedicated technicians. And we implement this on hardware that has been carefully evaluated to meet very high ethical standards, criteria that we push for vendors to achieve through our "Respects Your Freedom" certification program.