Security

Livepatching With Linux 5.1 To Support Atomic Replace & Cumulative Patches

Filed under
Linux
Security

With the Linux 5.1 kernel cycle that should get underway in just over one month's time, there will now be the long-in-development work (it's been through 15+ rounds of public code review!) for supporting atomic replace and cumulative patches.

IPFire 2.21 - Core Update 127 is available for testing

Filed under
GNU
Linux
Security

New year, new update ready for testing! We have been busy over the holidays and are bringing you an update that is packed with new features and many many performance improvements.

This is quite a long change log, but please read through it. It is worth it!

Security: Bo Weaver, New Scares, Clones With Malware

Filed under
Security
  • Bo Weaver on Cloud security, skills gap, and software development in 2019

    Bo Weaver, a Kali Linux expert shares his thoughts on the security landscape in the cloud. He also talks about the skills gap in the current industry and why hiring is a tedious process. He explains the pitfalls in software development and where the tech is heading currently.

    Bo, along with another Kali Linux expert, Wolf Halton, was also interviewed on why Kali Linux is the premier platform for testing and maintaining Windows security. They talked about advantages and disadvantages for using Kali Linux for pentesting. We also asked them about what they think about pentesting in cybersecurity, in general. They have also talked about their stance about the role of pentesting in cybersecurity in their interview titled, “Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity”.

    [...]

    I laugh and cry at this term. I have a sticker on my laptop that says “There is no Cloud…. Only other people’s computers.” Your data is sitting on someone else’s system along with other people’s data. These other people also have access to this system. Sure security controls are in place but the security of “physical access” has been bypassed.

    You’re “in the box”. One layer of security is now gone.
    Also, your vendor has “FULL ACCESS” to your data in some cases. How can you be sure what is going on with your data when it is in an unknown box in an unknown data center? The first rule of security is “Trust No One”. Do you really trust Microsoft, Amazon, or Google? I sure don’t!!! Having your data physically out of your company’s control is not a good idea. Yes, it is cheaper but what are your company and its digital property worth?

    [...]

    In software development, I see a dumbing down of user interfaces. This may be good for my 6-year-old grandson, but someone like me may want more access to the system. I see developers change things just for the reason of “change”. Take Microsoft’s Ribbon in Office. Even after all these years, I find the ribbon confusing and hard to use. At least, with Libre Office, they give you a choice between a ribbon and an old school menu bar. The changes in Gnome 3 from Gnome 2. This dumbing down and attempting to make a desktop usable for a tablet and a mouse totally destroyed the usability of their desktop. What used to take 1 click now takes 4 clicks to do.

  • Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity [Interview]
  • Cloud security products uninstalled by mutating malware [Ed: Affects already-compromised servers]

    Linux is more prevalent than one might think, Microsoft Azure is now predominantly run on Linux servers - it's not just the Chinese cloud environments being hosted via Linux, it's likely that your business is running at least one cloud service on a Linux server too.

  • Google Play still has a clone problem in 2019 with no end in sight

    A fake app tries to clone another app in name, looks, and functionality, often also adding something like malware. Despite Google’s best efforts, both types of apps were fairly common in 2018.

Security: Cincoze Back Doors (ME), Windows 10 Mobile Killed (No More Patches), New FUD About 'Linux Servers'

Filed under
Security
  • Industrial Apollo Lake mini-PC features dual GbE with PoE

    Cincoze announced a compact, rugged “DA-1100” embedded PC with an Apollo Lake SoC, triple display support, dual GbE ports with PoE, 4x USB 3.0 ports, SATA, and expansion via mini-PCIe and homegrown add-on modules.

    Cincoze has updated its “entry level” Intel Bay Trail based DA-1000 industrial mini-PC, which is sold under the same name in the U.S. by Logic Supply. The new Apollo Lake based DA-1100, which is now referred to as an edge computer, is not only a bit faster, but offers a few key enhancements, including PoE and triple displays. No pricing was listed by Taiwan-based Cincoze, but Logic Supply sold the earlier DA-1000 at $569 and up including a 32GB SATA SSD. It’s possible the new model will end up at Logic Supply as well.

  • Microsoft is Ending Windows 10 Mobile Support on December 10th, 2019

    After the end of support, Windows Phones will continue to work, but some features will eventually shut down. Automatic and manual backups for settings and apps will cease after March 10, 2020. And services like photo upload and device restore will stop December 2020.

  • Linux-Targeting Cryptojacking Malware Disables Cloud-Based Security Measures: Report [Ed: They make it sound like GNU/Linux is the problem; but it relies on already-compromised GNU/Linux systems]

    A new cryptojacking malware has the ability to disable cloud-based security measures to avoid detection on Linux servers, research by information security company Palo Alto Networks Jan. 17 reveals.

    The malware in question mines Monero (XMR) and is reportedly a modified version of one used by the so-called “Rocke” group, originally discovered by cybersecurity firm Talos in August last year. According to the research, one of the first things that the malware does is check for other cryptocurrency mining processes and add firewall rules to block any other cryptojacking malware.

Security: Updates, 'Smart' Things, Android Proprietary Software and Firefox Woes on Windows

Filed under
Security
  • Security updates for Friday
  • How Do You Handle Security in Your Smart Devices?

    Look around your daily life and that of your friends and family, and you’ll see that smart devices are beginning to take over our lives. But this also means an increase in a need for security, though not everyone realizes it, as discussed in a recent article on our IoT-related site. Are you aware of the need for security even when it’s IoT-related? How do you handle security in your smart devices?

  • A Vulnerability in ES File Explorer Exposes All of Your Files to Anyone on the Same Network
  • 2018 Roundup: Q1

    One of our major pain points over the years of dealing with injected DLLs has been that the vendor of the DLL is not always apparent to us. In general, our crash reports and telemetry pings only include the leaf name of the various DLLs on a user’s system. This is intentional on our part: we want to preserve user privacy. On the other hand, this severely limits our ability to determine which party is responsible for a particular DLL.

    One avenue for obtaining this information is to look at any digital signature that is embedded in the DLL. By examining the certificate that was used to sign the binary, we can extract the organization of the cert’s owner and include that with our crash reports and telemetry.

    In bug 1430857 I wrote a bunch of code that enables us to extract that information from signed binaries using the Windows Authenticode APIs. Originally, in that bug, all of that signature extraction work happened from within the browser itself, while it was running: It would gather the cert information on a background thread while the browser was running, and include those annotations in a subsequent crash dump, should such a thing occur.

Security: Jenkins, Polyverse, Rootkits, Cryptojacking and Kali Linux

Filed under
Security

Security: Updates, Leaks, Kubernetes and Let's Encrypt

Filed under
Security
  • Security updates for Thursday
  • Oracle Releases First Critical Patch Update of 2019, Red Hat Enterprise Linux and Fedora to Drop MongoDB, The Linux Foundation Announces Its 2019 Event Lineup, Firefox Closing Its Test Pilot Program and GoDaddy to Support AdoptOpenJDK

    Oracle released its first Critical Patch Update of the year this week, which addresses 284 vulnerabilities. eWeek reports that "Thirty-three of the vulnerabilities are identified as being critical with a Common Vulnerabilities Scoring System (CVSS) score of 9.0 or higher."

  • Over 1 Billion Login Credentials Leaked, Here’s How to See if You Were Compromised

    Good morning! A whole slew of usernames and plaintext passwords were leaked for a number of different sites—at 772 million and 21 million respectively, it’s the largest data leak in history. Here’s how to make sure your information is still safe.

    This collection of email addresses and passwords—dubbed “Collection #1”—groups together several smaller breaches into a larger master file of sorts. This huge collection of data comes from several different sites, so your personal info may have been compromised from multiple different sources. That means your information could’ve been compromised multiple times—the same email address with different passwords.

  • Kubernetes security: 4 tips to manage risks

    Kubernetes has one of the liveliest (if not the liveliest) communities around. Getting involved is one of the best ways to get up to speed and stay abreast of best security practices. That community values the same thing you’re seeking: Making the most of Kubernetes’ power while minimizing any risks that come with its increasing adoption.

    “This community clearly cares deeply about security, and it emphasizes education and inclusion, so security staff can look forward to a helpful, educational community from whom they can learn,” Dang says.

    “Get educated and follow industry best practices, like the CIS Kubernetes Benchmark,” advises Amir Jerbi, CTO at Aqua Security. “Kubernetes is a complex system with many configuration options, any of which, if done wrong, could leave clusters open to attacks.”

    Plugging into the vibrant Kubernetes community is a great step toward ensuring your organization’s implementation isn’t creating unnecessary vulnerabilities.

  • Protect Your Websites with Let's Encrypt

    Back in the bad old days, setting up basic HTTPS with a certificate authority cost as much as several hundred dollars per year, and the process was difficult and error-prone to set up. Now we have Let's Encrypt for free, and the whole thing takes just a few minutes.

Security: Amadeus, Kubernetes, WordPress and More

Filed under
Security
  • Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide

    According to ELAL, the bug stems from their supplier Amadeus’ (https://amadeus.com/en/industries/airlines) online booking system, which controls a staggering 44% market share of airlines operating worldwide, including United Airlines, Lufthansa, Air Canada, and many more. While booking a flight with ELAL, we received the following link to check our PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE.

    By simply changing the RULE_SOURCE_1_ID, we were able to view any PNR and access the customer name and associated flight details.

  • Kubernetes flaw shows API security is no ‘set & forget’ deal

    When a report surfaced last month detailing a ‘severe vulnerability’ in Kubernetes, the popular, open-source software for managing Linux applications deployed within containers, many of us will have wondered what the deeper implications of this alleged flaw could mean.

    Although the flaw was quickly patched, it allowed any user to escalate their privileges to access administrative controls through the Kubernetes API server.

  • WordPress to show warnings on servers running outdated PHP versions
  • Top 10 app vulnerabilities: Unpatched plugins and extensions dominate
  • This Clever New Ransomware Attempts To Steal Your PayPal Credentials

    Meanwhile, PayPal offers two factor authentication which, when turned on, can offer a vital extra layer of security should your password and username be compromised, Moore says.

  • A deep dive into the technical feasibility of Bloomberg's controversial "Chinese backdoored servers" story

    These denials also don't add up: Bloomberg says it sourced its story from multiple (anonymous) sources who had direct knowledge of the incidents and who had been employed in the named organizations while they were unfolding. Bloomberg stood by its reporting, and implied that the idea that all these sources from different organizations would collude to pull off a hoax like this.

    Faced with the seemingly impossible task of sorting truth from hoax in the presence of contradictory statements from Big Tech and Bloomberg, technical experts began trying to evaluate whether the hacks attributed to the Chinese spy agencies were even possible: at first, these analyses were cautiously skeptical, but then they grew more unequivocal.

    Last month, Trammell Hudson -- who has developed well-regarded proof-of-concept firmware attacks -- gave a detailed talk giving his take on the story at the Chaos Communications Congress in Leipzig.

Security: Oracle Blobs, Microsoft Fragmentation and Ripple

Filed under
Security
  • Oracle Patches 284 Vulnerabilities in January Critical Patch Update

    Oracle released its first Critical Patch Update for 2019 on Jan. 15, providing patches for 284 vulnerabilities.

    The January 2019 CPU addresses security vulnerabilities found across the Oracle software portfolio, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Thirty-three of the vulnerabilities are identified as being critical with a Common Vulnerabilities Scoring System (CVSS) score of 9.0 or higher. CVSS is a standardized method for helping organizations understand the impact and severity of software vulnerabilities.

  • Microsoft Rolls Out New Updates for Different Versions of Windows 10, Includes Small Bug Fixes

    Just a week ago, Microsoft released its Patch Tuesday updates for all the supported versions of Windows 10. And now, the company has come up with new updates for Windows 10 versions 1709, 1803, and 1703. The cumulative updates released by the company do not include any security patches but have quite a few changes that have been rolled out. Here are the updates that Microsoft has rolled out for the three versions of Windows 10.

  • Only XRP Private Keys That Used Software From Before August 2015 Are Vulnerable

    Ripple (XRP) software libraries published before August 2015 potentially rendered private keys which signed multiple transactions vulnerable, Ripple announced in a statement released on Jan 16.

    Recent research jointly conducted by the DFINITY Foundation and the University of California revealed that a portion of Bitcoin (BTC), Ethereum (ETH) and Ripple addresses are vulnerable.

    As is known among cryptographers, the security of Elliptic Curve Digital Signature Algorithms (ECDSAs) employed by the aforementioned cryptocurrencies is highly dependent on random data, which are known as nonces. The research further explains:

Security: Updates, Reproducible Builds and More

Filed under
Security
  • Security updates for Wednesday
  • Reproducible Builds: Weekly report #194

    Here’s what happened in the Reproducible Builds effort between Sunday January 6 and Saturday January 12 2019...

  • ES File Explorer Has A Hidden Web Server; Data Of 500 Million Users At Risk
  • The Evil-Twin Framework: A tool for testing WiFi security

    The increasing number of devices that connect over-the-air to the internet and the wide availability of WiFi access points provide many opportunities for attackers to exploit users. By tricking users into connecting to rogue access points, hackers gain full control over the users' network connection, which allows them to sniff and alter traffic, redirect users to malicious sites, and launch other attacks over the network.

    To protect users and teach them to avoid risky online behaviors, security auditors and researchers must evaluate users' security practices and understand the reasons they connect to WiFi access points without being confident they are safe. There are a significant number of tools that can conduct WiFi audits, but no single tool can test the many different attack scenarios and none of the tools integrate well with one another.

    The Evil-Twin Framework (ETF) aims to fix these problems in the WiFi auditing process by enabling auditors to examine multiple scenarios and integrate multiple tools. This article describes the framework and its functionalities, then provides some examples to show how it can be used.

  • KDE Plasma5 – Jan ’19 release for Slackware

    Here is your monthly refresh for the best Desktop Environment you will find for Linux. I just uploaded “KDE-5_19.01” to the ‘ktown‘ repository. As always, these packages are meant to be installed on a Slackware-current which has had its KDE4 removed first. These packages will not work on Slackware 14.2.

    It looks like Slackware is not going to be blessed with Plasma5 any time soon, so I will no longer put an artificial limitation on the dependencies I think are required for a solid Plasma5 desktop experience. If Pat ever decides that Plasma5 has a place in the Slackware distro, he will have to make a judgement call on what KDE functionality can stay and what needs to go.

More in Tux Machines

Radio Telescopes Horn In With GNU Radio

Who doesn’t like to look up at the night sky? But if you are into radio, there’s a whole different way to look using radio telescopes. [John Makous] spoke at the GNU Radio Conference about how he’s worked to make a radio telescope that is practical for even younger students to build and operate. The only real high tech part of this build is the low noise amplifier (LNA) and the project is in reach of a typical teacher who might not be an expert on electronics. It uses things like paint thinner cans and lumber. [John] also built some blocks in GNU Radio that made it easy for other teachers to process the data from a telescope. As he put it, “This is the kind of nerdy stuff I like to do.” We can relate.

New Releases: Kodachi 5.8, Tails RC, HardenedBSD Stable, KookBook 0.2.0

  • Kodachi 5.8 The Secure OS
    Linux Kodachi operating system is based on Debian 9.5 / Ubuntu 18.04 it will provide you with a secure, anti-forensic, and anonymous operating system considering all features that a person who is concerned about privacy would need to have in order to be secure. Kodachi is very easy to use all you have to do is boot it up on your PC via USB drive then you should have a fully running operating system with established VPN connection + Connection established + service running. No setup or knowledge is required from your side we do it all for you. The entire OS is functional from your temporary memory RAM so once you shut it down no trace is left behind all your activities are wiped out. Kodachi is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
  • Call for testing: [Tails] 3.12~rc1
    You can help Tails! The first release candidate for the upcoming version 3.12 is out. We are very excited and cannot wait to hear what you think about it, especially the new simplified USB installation method (see below). :)
  • Stable release: HardenedBSD-stable 12-STABLE v1200058.2
  • KookBook 0.2.0 available – now manage your cooking recipes better
    Some people have started talking about maybe translation of the interface. I might look into that in the future. And I wouldn’t be sad if some icon artists provided me with an icon slightly better than the knife I drew. Feel free to contact me if that’s the case. Happy kooking!

Programming: Conway’s Game of Life, py3status and Teaching Python at Apple

  • Optimizing Conway
    Conway’s Game of Life seems to be a common programming exercise. I had to program it in Pascal when in High School and in C in an intro college programming course. I remember in college, since I had already programmed it before, that I wanted to optimize the algorithm. However, a combination of writing in C and having only a week to work on it didn’t leave me with enough time to implement anything fancy. A couple years later, I hiked the Appalachian Trail. Seven months away from computers, just hiking day in and day out. One of the things I found myself contemplating when walking up and down hills all day was that pesky Game of Life algorithm and ways that I could improve it. Fast forward through twenty intervening years of life and experience with a few other programming languages to last weekend. I needed a fun programming exercise to raise my spirits so I looked up the rules to Conway’s Game of Life, sat down with vim and python, and implemented a few versions to test out some of the ideas I’d had kicking around in my head for a quarter century.
  • py3status v3.16
    Two py3status versions in less than a month? That’s the holidays effect but not only! Our community has been busy discussing our way forward to 4.0 (see below) and organization so it was time I wrote a bit about that.
  • #195 Teaching Python at Apple

Games: Protontricks, vkQuake2, System Shock, Dead Ascend, Lord of Dwarves and Panda3D

  • Protontricks, a handy tool for doing various tweaks with Steam Play has been forked
    For those brave enough to attempt to get more Windows games to run through Steam Play, Protontricks is a handy solution and it's been forked.
  • vkQuake2, the project adding Vulkan support to Quake 2 now supports Linux
    At the start of this year, I gave a little mention to vkQuake2, a project which has updated the classic Quake 2 with various improvements including Vulkan support. Other improvements as part of vkQuake2 include support for higher resolution displays, it's DPI aware, HUD scales with resolution and so on. Initially, the project didn't support Linux which has now changed. Over the last few days they've committed a bunch of new code which fully enables 64bit Linux support with Vulkan.
  • The new System Shock is looking quite impressive with the latest artwork
    System Shock, the remake coming eventually from Nightdive Studios continues along in development and it's looking impressive. In their latest Kickstarter update, they showed off what they say is the "final art" after they previously showed the game using "temporary art". I have to admit, while this is only a small slice of what's to come, from the footage it certainly seems like it will have a decent atmosphere to it.
  • Dead Ascend, an open source point and click 2D adventure game
    For those wanting to check out another open source game or perhaps see how they're made, Dead Ascend might be a fun choice for a little adventure. Developed by Lars from Black Grain Games, Dead Ascend features hand-drawn artwork with gameplay much like classic point and click adventures.
  • Lord of Dwarves will have you build large structures and defend them, developed on Linux
    Here's a fun one, Lord of Dwarves from developer Stellar Sage Games is a game about helping a kingdom of dwarves survive, build, and prosper. It's made on Linux too and releasing in Early Access in March. The developer emailed in about it and to let everyone know that it was "developed in Linux using only open source software". You can actually see them showing it off on Ubuntu in a recent video. While it's going to be in Early Access, they told me it's "feature complete with a full campaign and sandbox mode" with the extra time being used for feedback and to polish it as much as possible.
  • A Journey of the Panda3D
    I don’t know why am I still working on Panda 3D despite the failure to export the Blender mesh to the Panda 3D engine but anyway here is a quick update for the development of the Panda3D’s game. Yesterday after the Panda 3D engine had failed again to render the blender 3D mesh together with its texture on the game scene, I had made another search for the solution on Google but again...