Security: WireGuard, Birds and Updates

Filed under
Security
  • WireGuard Restored In Android's Google Play Store After Brief But Controversial Removal

    After Google dropped the open-source WireGuard app from their Play Store since it contained a donation link, the app has now been restored within Google's software store for Android users but without the donation option.

    The WireGuard app for Android makes it easy to set up the secure VPN tunnel software on mobile devices, similar to its port to iOS and other platforms. The WireGuard apps are free but have included a donation link to the WireGuard website should anyone wish to optionally make a donation to support the development of this very promising network tech.

  • Letting Birds scooters fly free

    At that point I had everything I needed to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and sent a lock command to force disable the scooter again. Ah well.

    So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

    Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

    The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

  • Security updates for Friday

    Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).

Can Linux improve ATM security?

Filed under
Linux
Security

While ATM security is not necessarily "life critical" as with many other industries (think transportation, medical and some industrial applications) there are certainly financial and identity theft risks associated with these devices.

Plenty of info is available on the web regarding various ATM attack vectors, estimated number of annual hacks and the cost to the industry. The question we will ponder here is very specific: Would replacing the Windows operating system in an ATM with a Linux-based one improve security? Most experts believe the answer is yes.

Today's ATM looks much like a personal computer on your desk. It runs the world's most popular desktop operating system — Windows — on the world's most popular hardware: Intel motherboards.

But therein lies part of the problem. Being "most popular" means there are few barriers to keeping the bad guys from simulating the internals of a typical ATM. This fact alone makes Windows more prone to attack than alternatives.

Security: Linux, Docker and Guix

Filed under
Security
  • Unpatched Linux bug may open devices to serious attacks over Wi-Fi

    The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.

  • Docker Attack Worm Mines for Monero
  • Insecure permissions on profile directory (CVE-2019-18192)

    We have become aware of a security issue for Guix on multi-user systems that we have just fixed (CVE-2019-18192). Anyone running Guix on a multi-user system is encouraged to upgrade guix-daemon—see below for instructions.

    Context

    The default user profile, ~/.guix-profile, points to /var/guix/profiles/per-user/$USER. Until now, /var/guix/profiles/per-user was world-writable, allowing the guix command to create the $USER sub-directory.

    On a multi-user system, this allowed a malicious user to create and populate that $USER sub-directory for another user that had not yet logged in. Since /var/…/$USER is in $PATH, the target user could end up running attacker-provided code. See the bug report for more information.

    This issue was initially reported by Michael Orlitzky for Nix (CVE-2019-17365).
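    The Guix issue above is a permissions problem on a shared parent directory: because /var/guix/profiles/per-user was world-writable, any account could pre-create another user's $USER sub-directory, and that directory is on the victim's $PATH. The audit below is an added example, not Guix code; it takes the per-user directory path as a parameter (it does not assume /var/guix exists) and flags a world-writable parent without the sticky bit and any $USER sub-directory not owned by the account it is named after. The demo functions build a constructed layout in a temporary directory and use a constructed uid resolver instead of the system password database.

```python
"""Audit a per-user profiles directory for the weakness described above.

Added example, not part of Guix. Two checks on a directory such as
/var/guix/profiles/per-user (path supplied by the caller):
  1. the parent must not be world-writable unless the sticky bit is set,
     otherwise any account can create another user's $USER sub-directory
     before that user first logs in;
  2. each $USER sub-directory must be owned by the account it is named after.
"""
import os
import pwd
import stat
import sys
import tempfile
from typing import Callable, List, Optional


def uid_for(username: str) -> Optional[int]:
    """Default resolver: look the name up in the system password database."""
    try:
        return pwd.getpwnam(username).pw_uid
    except KeyError:
        return None


def audit_per_user(parent: str,
                   resolve_uid: Callable[[str], Optional[int]] = uid_for) -> List[str]:
    """Return a list of findings; an empty list means the layout looks safe."""
    findings: List[str] = []
    st = os.stat(parent)
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    if world_writable and not sticky:
        findings.append(f"{parent}: world-writable without sticky bit "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    for name in sorted(os.listdir(parent)):
        sub = os.path.join(parent, name)
        sub_st = os.lstat(sub)          # lstat: a symlink here is suspicious too
        if not stat.S_ISDIR(sub_st.st_mode):
            findings.append(f"{sub}: not a directory")
            continue
        expected = resolve_uid(name)
        if expected is None:
            findings.append(f"{sub}: no account named {name!r}")
        elif sub_st.st_uid != expected:
            findings.append(f"{sub}: owned by uid {sub_st.st_uid}, expected {expected}")
    return findings


def _audit_constructed(parent_mode: int, victim_uid: int) -> List[str]:
    """Constructed layout: a 'per-user' parent with one sub-directory named
    'victim', created by the current uid; the resolver is a constructed map."""
    with tempfile.TemporaryDirectory() as root:
        parent = os.path.join(root, "per-user")
        os.mkdir(parent)
        os.chmod(parent, parent_mode)
        os.mkdir(os.path.join(parent, "victim"))
        return audit_per_user(parent, lambda name: {"victim": victim_uid}.get(name))


def demo_weak() -> List[str]:
    """The weak setting: world-writable parent, and 'victim' is a different
    account than the one that created the sub-directory."""
    return _audit_constructed(0o777, os.getuid() + 1)


def demo_fixed() -> List[str]:
    """Hardened: parent not world-writable, sub-directory owned by its user."""
    return _audit_constructed(0o755, os.getuid())


if __name__ == "__main__":
    # Usage: python audit_per_user.py /path/to/profiles/per-user
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in (audit_per_user(target) if target else demo_weak()):
        print(finding)
```

The hardened form leaves the parent writable only by the daemon that creates the per-user directories, which is why the advisory asks multi-user sites to upgrade guix-daemon rather than just chmod the directory by hand.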

Canonical Outs Linux Kernel Security Update for Ubuntu 19.04 to Patch 9 Flaws

Filed under
Linux
Security
Ubuntu

The new security update for Ubuntu 19.04 is here to patch a total of seven security flaws affecting the Linux 5.0 kernel used by the operating system, including an issue (CVE-2019-15902) discovered by Brad Spengler which could allow a local attacker to expose sensitive information as a Spectre mitigation was improperly implemented in the ptrace subsystem.

It also fixes several flaws (CVE-2019-14814, CVE-2019-14815, CVE-2019-14816) discovered by Wen Huang in the Marvell Wi-Fi device driver, which could allow a local attacker to cause a denial of service or execute arbitrary code, as well as a flaw (CVE-2019-15504) discovered by Hui Peng and Mathias Payer in the 91x Wi-Fi driver, allowing a physically proximate attacker to crash the system.

Purism Partners with Halo Privacy to Bring Extra Security to Its Linux Devices

Filed under
Linux
Security

Purism is already known for providing top notch security and privacy for its Linux laptops and phones, but with the new partnership with Halo Privacy, the company wants to bring strong cryptography and custom managed attribution techniques to secure communications from direct attacks.

This new, unique security stack provided by Halo Privacy works together with Purism's state-of-the-art security implementations for its Linux devices, including the Librem Key USB security token with tamper detection and the PureBoot secure UEFI replacement, to cryptographically guarantee signing of the lowest level of firmware and users' privacy.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (apache2 and unbound), Fedora (opendmarc, runc, and sudo), openSUSE (epiphany, GraphicsMagick, and libopenmpt), Oracle (kernel and sudo), Red Hat (java-1.8.0-openjdk, jss, kernel, kernel-rt, and kpatch-patch), SUSE (crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer, libpcap, sudo, and tcpdump), and Ubuntu (aspell and libsdl1.2).

  • Cybersecurity Awareness Month: Increasing our self-awareness so we can improve security

    October has been National Cybersecurity Awareness Month since 2004. According to staysafeonline.org, this initiative was started by the National Cybersecurity Alliance and the US Department of Homeland Security to help all Americans stay safe and secure when online. This month is usually marked with a significant uptick in cybersecurity outreach and training. It’s also the one month of the year when you can get a significant amount of cybersecurity swag such as webcam covers, mugs, and pens. This event has an outward focus to raise awareness of security globally,

    Many other events have come into existence along with this. For example, there are numerous electronics recycling events that now occur in October where people can securely dispose of their old computers. Some municipalities have extended this to include safe disposal of old prescription medications, paints, and other hazardous materials.

    Recent events in the greater technology community, specifically the resignation of Richard Stallman from both MIT and the Free Software Foundation, have become character foils that show us that while we have come a long way, we still have a long way ahead of us to improve.

  • Michael Tremer/IPFire: On quadrupling throughput of our Quality of Service

    There have been improvements to our Quality of Service (or QoS) which have made me very excited.

    Our QoS sometimes was a bottleneck. Enabling it could cut your bandwidth in half if you were unlucky. That normally was not a problem for larger users of IPFire, because if you are running a 1 Gigabit/s connection, you would not need any QoS in the first place, or your hardware was fast enough to handle the extra load.

    For the smaller users this was, however, becoming more and more of a problem. Smaller systems like the IPFire Mini Appliance are designed to be small (the clue is in the name) and to be very energy-efficient. And they are. They are popular with users with a standard DSL connection of up to 100 Megabit/s which is very common in Germany. You have nothing to worry about here. But if you are lucky to have a faster Internet connection, then this hardware and others that we have sold before might be running out of steam. There is only so much you can get out of them.

  • The City Of Baltimore Blew Off A $76,000 Ransomware Demand Only To Find Out A Bunch Of Its Data Had Never Been Backed Up [Ed: Windows]

    The City of Baltimore was hit with a ransomware attack in May of this year. Criminals using remodeled and rebranded NSA exploits (EternalBlue) knocked out a "majority" of the city's servers and crippled many of its applications. More details didn't surface until September when the city's government began reshuffling the budget to cover the expenses of recovering from the attack.

Google: Replacing Google Chrome, AMP and Titan Security Keys

Filed under
Google
Security
Web
  • The top 5 alternatives to Google Chrome

    Google Chrome is the most popular web browser on the market. It provides a user-friendly, easy-to-use interface, with a simple appearance featuring a combined address and search bar with a small space for extensions.

    Chrome also offers excellent interconnectivity on different devices and easy syncing that means that once a user installs the browser on different devices, all their settings, bookmarks and search history come along with it. Virtually all a user does on Google Chrome is backed up to Google Cloud.

    Chrome also offers easy connectivity to other Google products, such as Docs, Drive, and YouTube via an “Apps” menu on the bookmarks bar, located just below the address/search bar. Google Translate, one of the best translation applications currently available on the internet, is also included.

  • Google unplugs AMP, hooks it into OpenJS Foundation after critics turn up the volume [Ed: Microsoft Tim on Google passing a bunch of EEE to a foundation headed by a Microsoft ‘mole’, 'open'JS ]

    AMP – which originally stood for Accelerated Mobile Pages though not any more – was launched in 2015, ostensibly to speed up page loading on smartphones. The technology includes AMP HTML, which is a set of performance-optimized web components, and the AMP Cache, which serves validated AMP pages. Most AMP pages are served by Google’s AMP Cache.

  • Google USB-C Titan Security Keys Begin Shipping Tomorrow

    Google announced their new USB-C Titan Security Key will begin shipping tomorrow for offering two-factor authentication support with not only Android devices but all the major operating systems as well.

    The USB-C Titan Security Key is being manufactured by the well-known 2FA key provider Yubico. This new security key uses the same chip and firmware currently used by Google's existing USB-A/NFC and Bluetooth/NFC/USB Titan Security Key models.

Improved Security and Privacy Indicators in Firefox 70

Filed under
Moz/FF
Security
Web

The upcoming Firefox 70 release will update the security and privacy indicators in the URL bar.

In recent years we have seen a great increase in the number of websites that are delivered securely via HTTPS. At the same time, privacy threats have become more prevalent on the web and Firefox has shipped new technologies to protect our users against tracking.

To better reflect this new environment, the updated UI takes a step towards treating secure HTTPS as the default method of transport for websites, instead of a way to identify website security. It also puts greater emphasis on user privacy.

Proprietary Software Security and FOSS Patches

Filed under
Security
  • Compromised AWS API Key Allowed Access to Imperva Customer Data

    Imperva has shared more information on how [attackers] managed to obtain information on Cloud Web Application Firewall (WAF) customers, and revealed that the incident involved a compromised administrative API key.

  • Oil Refiner Reports Major IT Incident in Finland

    It’s not yet clear whether the cause is a malfunction or a cyber attack, according to spokeswoman Susanna Sieppi. The issue is under investigation, and it’s too early to estimate when the systems will be fixed, she said by phone.

  • WordPress 5.2.4 Security Release

    WordPress 5.2.4 is now available! This security release fixes 6 security issues.

    WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

  • Ubuntu Releases Patch for Major ‘sudo’ Security Exploit

    Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.

    A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a sudo apt upgrade to install it.

    But what about the flaw inquisition? Well, if you’re yet to hear about it I appreciate meditative disconnect from social media. The oft toxic waste pools of chatter were wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.

  • Security updates for Tuesday

    Security updates have been issued by Debian (sudo and xtrlock), openSUSE (sudo), Red Hat (Single Sign-On), Slackware (sudo), SUSE (binutils, dhcp, ffmpeg, kernel, kubernetes-salt, sudo, and tcpdump), and Ubuntu (sudo).

Linux security hole: Much sudo about nothing

Filed under
Linux
Security

There's a lot of hubbub out there now about a security hole in the Unix/Linux family's sudo command. Sudo is the command that enables normal users to run commands as if they were the root user, aka the system administrator. While this sudo security vulnerability is a real problem and needs patching, it's not nearly as bad as some people make it out to be.

At first glance the problem looks like a bad one. With it, a user who is allowed to use sudo to run commands as any other user, except root, can still use it to run root commands. For this to happen, several things must be set up just wrong.

First, the sudo user group must give a user the right to use sudo but not the privilege of using it to run root commands. That can happen when you want a user to have the right to run specific commands that they wouldn't normally be able to use. Next, sudo must be configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification.
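Both preconditions above live in the sudoers file, so they can be audited before patching reaches every host. The script below is an added example, not from the article or from the sudo project: it parses the common one-line sudoers form `<user> <host>=(<runas users>[:<runas groups>]) [TAG:] <commands>` and reports entries whose Runas user list contains ALL together with a negated user such as `!root`, which is the configuration the article describes. The sample sudoers text is constructed for the demonstration; alias definitions and Defaults lines are skipped rather than parsed.

```python
"""Flag sudoers entries that grant Runas ALL with a user excluded.

Added example, not the sudo project's code. Only the one-line entry form is
handled; User_Alias/Runas_Alias definitions and Defaults lines are skipped.
"""
import re
from typing import List, NamedTuple

# <who> <hosts>=(<runas>) <commands>; the Runas spec is optional in sudoers.
ENTRY = re.compile(r"""^\s*
    (?P<who>[^\s#]+)\s+                 # user, %group or User_Alias name
    (?P<hosts>[^\s=]+)\s*=\s*
    (?:\((?P<runas>[^)]*)\)\s*)?        # optional (users[:groups]) Runas spec
    (?P<cmds>.+?)\s*$""", re.VERBOSE)


class Finding(NamedTuple):
    line_no: int
    who: str
    runas_users: List[str]
    text: str


def runas_users(spec: str) -> List[str]:
    """Split 'ALL, !root : ALL' style text into the user half's items."""
    users = spec.split(":", 1)[0]
    return [u.strip() for u in users.split(",") if u.strip()]


def risky_runas_entries(sudoers_text: str) -> List[Finding]:
    """Return entries whose Runas users include ALL plus a '!user' exclusion."""
    findings: List[Finding] = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = ENTRY.match(line)
        if not m or m.group("runas") is None:
            continue
        users = runas_users(m.group("runas"))
        if "ALL" in users and any(u.startswith("!") for u in users):
            findings.append(Finding(n, m.group("who"), users, line))
    return findings


# Constructed sample, not a real host's sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL, !root) /usr/bin/vi        # the pattern the article describes
carol   ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
dave    ALL=(ALL, !root : ALL) ALL
"""

if __name__ == "__main__":
    for f in risky_runas_entries(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.who} may run as {f.runas_users}: {f.text}")
```

The entry for carol shows the shape that does not trigger the finding: listing the specific accounts a user may run as, instead of ALL with exclusions, removes the precondition regardless of the sudo version installed. The flagged entries are the ones to narrow while the patched sudo package rolls out.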

More in Tux Machines

Linux Devices/Open Hardware

  • Site.js and Pi

    Chatting about Pi, on a Pi, with a chat server running on Site.js on the same Pi.

  • This MicroATX Motherboard is Based on Phytium FT2000/4 Arm Desktop SoC @ 3.0 GHz
  • Rikomagic R6 Review – Part 1: Android Mini Projector’s Unboxing and First Boot

    Rikomagic R6 is a mini Android projector that looks like a vintage radio, or depending on your point of view a mini vintage television.

  • Brief on Behalf of Amicus Curiae Open Source Hardware Association in Curver Luxembourg, SARL v. Home Expressions Inc., No. 18-2214 (Fed. Cir.)

    Curver Luxembourg, SARL v. Home Expressions Inc. is a case of first impression for the Court of Appeals for the Federal Circuit. The question on appeal is whether a design patent’s scope is tied to the article of manufacture disclosed in the patent. In this amicus brief, the Open Source Hardware Association (“OSHWA”) explains the potential effects on open source hardware development, and design practice generally, of untethering design patent protection from the article of manufacture disclosed in the patent. A large percentage of open-source hardware combines both ornamental and functional elements, and industrial design routinely involves applying design concepts from disparate fields in novel ways. To engage in this practice, open-source hardware designers need to know the universe of available source material and its limits. Further, understanding the licensing requirements of open-source hardware begins with understanding how the elements that make up that hardware may or may not be protected by existing law. Accordingly, while many creators of open-source hardware do not seek patent protection for their own creations, an understandable scope of design patent protection is nonetheless essential to their ability to collaborate with other innovators and innovate lawfully. The brief argues that the District Court in the case—and every district court that has considered the issue—correctly anchored the patented design to the article of manufacture when construing the patent. The brief explains that anchoring the patented design to the disclosed article of manufacture is the best approach, for several reasons. Connecting the patented design to the disclosed article of manufacture calibrates the scope of design patent protection to the patentee’s contribution over the prior art. It avoids encumbering the novel and nonobvious application of prior designs to new articles of manufacture, a fundamental and inventive practice of industrial design. It aligns the scope of design patent protection with its purpose: encouraging the inventive application of a design to an article of manufacture. This balances protection for innovative designs with later innovators’ interest in developing future designs. Finally, anchoring the patented design to the disclosed article of manufacture helps fulfill design patent law’s notice function by clarifying the scope of protection.

Graphics: Gallium3D and AMDGPU

  • Gallium3D's Mesa State Tracker Sees "Mega Cleanup" For NIR In Mesa 19.3

    AMD developer Marek Olšák has landed a "mega cleanup" to the Gallium3D Mesa state tracker code around its NIR intermediate representation handling. As part of getting the NIR support in good enough shape for default usage by the RadeonSI driver, Marek has been working on a number of clean-ups involving the common Gallium / Mesa state tracker code for NIR.

  • AMDGPU DC Looks To Have PSR Squared Away - Power-Savings For Newer AMD Laptops

    It looks like as soon as Linux 5.5 is where the AMDGPU kernel driver could be ready with Panel Self Refresh (PSR) support for enabling this power-savings feature on newer AMD laptops. While Intel's Linux driver stack has been supporting Panel Self Refresh for years, the AMD support in their open-source Linux driver code has been a long time coming. We've seen them working towards the support since Raven Ridge and now it appears the groundwork has been laid and they are ready to flip it on within the Display Core "DC" code.

today's howtos and programming bits

  • CentOS 8 Package Management with DNF on the Command Line
  • AdamW’s Debugging Adventures: “dnf is locked by another application”
  • Managing user accounts with Cockpit
  • Download Ubuntu 19.10 ISO image to install on VirtualBox VM
  • GNU poke: Dealing with alternatives - Unions in Poke

    Computing with data whose form is not the most convenient one to manipulate, as is often the case with unstructured binary data, requires a preliminary step that transforms the data into a more convenient representation, usually featuring a higher level of abstraction. This step is known in computer jargon as unmarshalling, when the data is fetched from some storage or transmission medium, or, more generally, decoding. Once the computation has been performed, the result should be transformed back to the low-level representation to be stored or transmitted. This is performed in a closing step known as marshalling or, more generally, encoding. Consider the following C program whose purpose is to read a 32-bit signed integer from a byte-oriented storage medium at a given offset, multiply it by two, and store the result at the same offset.

  • Android NDK r21 moves to beta

    Android announced that NDK r21 is now in beta. Android NDK is a toolset for implementing parts of an app in native code. The release — which is the first long term support release — includes improved defaults for better security and performance. One of the key features in the release is an update to GNU Make to version 4.2, which provides a number of bug fixes, and enables '--output-sync' to avoid interleaving output with error messages, the team explained. This is enabled by default with ndk-build. Additionally, GDB, the GNU project debugger, has been updated to version 8.3, which includes fixes for debugging modern Intel CPUs.

  • What is the history behind C Programming and Unix?

    If you think C programming and Unix are unrelated, then you are making a big mistake. Back in the 1970s and 1980s, if the Unix engineers at Bell Labs had decided to use another programming language instead of C to develop a new version of Unix, then we would be talking about that language today. The relationship between the two is simple: Unix is the first operating system implemented in a high-level programming language, C, and C got its fame and power from Unix. Of course, our statement about C being a high-level programming language is not true in today’s world. This article is an excerpt from the book Extreme C by Kamran Amini. Kamran teaches you to use C’s power. Apply object-oriented design principles to your procedural C code. You will gain new insight into algorithm design, functions, and structures. You’ll also understand how C works with UNIX, how to implement OO principles in C, and what multiprocessing is.

Server: Mirantis, Containers, GraalVM and Pensando

  • Mirantis Partners With OpenStack Foundation to Support Upgraded COA Exam

    “With the OpenStack market forecasted to grow to $7.7 billion by 2022 according to 451 research, the demand for Certified OpenStack Administrators is clearly strong and set to continue growing for many years to come,” said Mark Collier, COO of the OpenStack Foundation. “We are excited to collaborate with Mirantis, who has stepped up to provide the resources needed to manage the COA, including the administration of the vendor-neutral OpenStack certification exam.”

  • How to use containers with an eye on security

    Containers are all the rage. With good reason. With containers, your company’s apps and service deployments become considerably more agile, more reliable, and even more secure. This is true for software development companies (who develop apps and services for other businesses), as well as companies looking to roll out web-based and mobile applications with an unheard of speed and reliability. But with any new technology come hurdles. One of the biggest hurdles for any business is security. Data breaches have become rampant and it’s on the shoulders of every company to do everything in their power to make sure they are rolling out technology that is as secure as possible. This idea should certainly be applied to containers. But what can you do to use containers securely? Fortunately, there are a few steps that you can take from the very beginning.

  • GraalVM: Clearing up confusion around the term and why Twitter uses it in production

    What does the “umbrella term” GraalVM stand for? We interviewed Chris Thalinger (Twitter) at JAX London 2019. Hear what he has to say about the meaning of Graal and how it can benefit Twitter as well as the environment.

  • Pensando Systems Exits Stealth Mode With Plans To Take On Amazon AWS

    While normally we don't cover hardware start-ups on Phoronix, Pensando Systems has just exited stealth, and given their focus they will be heavily involved with Linux; in fact they already have their first kernel driver mainlined. After announcing a $145 million (USD) Series-C round, Pensando Systems exited "stealth" and revealed the first details of what they are trying to achieve with this company led by many ex-Cisco staff. [...] Pensando has been on our radar since last month, when, as I wrote at the time, they upstreamed their first Linux kernel driver while still a stealth networking startup. In the Linux 5.4 kernel is a Pensando "Ionic" driver for a family of network adapters. In this week's press release, Pensando didn't specifically call out Ionic, but presumably it is the backbone of their hardware. Now that they are beginning to talk about their ambitions, hopefully we see more Linux kernel patches from them soon.