Security

New WireGuard Snapshot Offers Better Compatibility With Distributions/Kernels

WireGuard sadly isn't slated for the now-open Linux 5.4 merge window, but lead developer Jason Donenfeld has put out a new development snapshot of this open-source secure VPN tunnel.

Coming barely two weeks since the previous WireGuard snapshot, this newest development release isn't too heavy on the changes but the focus is on better portability/compatibility.

New Distro Releases: EasyOS Buster 2.1.3, EasyOS Pyro 1.2.3 and IPFire 2.23 - Core Update 136

  • EasyOS Buster version 2.1.3 released

    EasyOS version 2.1.3, latest in the "Buster" series, has been released. This is another incremental upgrade, however, as the last release announced on Distrowatch is version 2.1, the bug fixes, improvements and upgrades have been considerable since then. So much, that I might request the guys at Distrowatch to announce version 2.1.3.

  • EasyOS Pyro version 1.2.3 released

    Another incremental release of the Pyro series. Although this series is considered to be in maintenance mode, it does have all of the improvements as in the latest Buster release.

  • IPFire 2.23 - Core Update 136 is available for testing

    The summer has been a quiet time for us with a little relaxation, but also some shifted focus on our infrastructure and other things. But now we are back with a large update which is packed with important new features and fixes.

European Commission improving the security of widely used open source software

The many benefits of free and open source software include the economic advantages of code reuse and the sharing of programming costs. For public institutions, however, there are more fundamental reasons for embracing the open source model: [...]

Security: Vista 10 Woes, Linux FUD and More

  • Caution: KB4515384 is breaking audio on Windows 10

    If you’ve already installed KB4515384, and you want to try and fix the audio problem before you attempt to uninstall it, there is really only one solution that you can try. Open the Control Panel sound settings.

    On the Playback tab, double-click your speakers to open their Properties. The properties window should have an ‘Enhancements’ tab though, it may be missing as in the case of the screenshot below. If the tab is there, go to it and enable all enhancements, and click Apply. Next, disable them all, and click Apply again.

  • Lilocked ransomware (Lilu) affects thousands of Linux-based servers [Ed: This is not about "Linux"; they're repeating ZDNet (tabloid) talking points from their anti-Linux trolls, whom CBS hired to attack Linux (the real issue here is malware being installed)]

    A ransomware strain named Lilocked or Lilu has been affecting thousands of Linux-based servers all over the world since mid-July and the attacks got intensified by the end of August, ZDNet reports.

  • From PowerShell to auditing: Expand your cybersecurity know-how at SANS London 2019 [Ed: PowerShell is used a lot by CRACKERS. Why does The Register associate NSA back-doored stuff with security? (clue/hint: money)]
  • DigitalOcean Continues Working On Linux Core Scheduling To Make HT/SMT Safer

    With Hyper Threading continuing to look increasingly unsafe in data centers / shared computing environments in light of all the speculative execution vulnerabilities exposed thus far particularly with L1TF and MDS having no SMT-secure mitigation, DigitalOcean continues working on their Linux kernel "core scheduling" patches so they can still make use of HT/SMT in a sane and safe manner.

    DigitalOcean's core scheduling work is their way to make Hyper Threading safe by ensuring that only trusted applications run concurrently on siblings of a core. Their scheduler also tries to be smart about not using SMT/HT in areas where it could degrade performance.

Security: FOSS Updates, Windows Spying as 'Security', Linux Package Management

  • Security updates for Friday

    Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat).

  • Microsoft Issues New Windows 10 Update Warning

    Meanwhile, the Windows Latest reports the Start menu stops working for some users who have upgraded to KB4515384 with Windows 10 delivering the following errors: “We’ll try to fix it the next time you sign in” and “Critical Error - Your Start menu isn’t working”

  • Heads up: Microsoft is back to snooping with this month’s Win7 and 8.1 'security-only' patches

    Two months ago, the July Win7 security-only patch was found to install telemetry software, triggered by newly installed scheduled tasks called ProgramDataUpdater, Microsoft Compatibility Appraiser, and AitAgent. As best I can tell, Microsoft never admitted that its security-only patch dropped a telemetry component.

    The August security-only update didn’t include that bit of snooping, so it looked like the July snooping was a one-off aberration.

    Now we’re learning that the September security-only patches for both Win 7 and Win 8.1 have this, shall we say, feature.

    [...]

    What information is Microsoft collecting? I don’t know. Telemetry is frequently downplayed as being largely uninteresting blobs of unattributed data. If that’s the case, why is Microsoft collecting it now, after all these years? It hasn’t even acknowledged (as best I can tell) that it's collecting it via security-only patches.

  • Security Issues with PGP Signatures and Linux Package Management

    In discussions around the PGP ecosystem one thing I often hear is that while PGP has its problems, it's an important tool for package signatures in Linux distributions. I therefore want to highlight a few issues I came across in this context that are rooted in problems in the larger PGP ecosystem.

    Let's look at an example of the use of PGP signatures for deb packages, the Ubuntu Linux installation instructions for HHVM. HHVM is an implementation of the HACK programming language and developed by Facebook. I'm just using HHVM as an example here, as it nicely illustrates two attacks I want to talk about, but you'll find plenty of similar installation instructions for other software packages. I have reported these issues to Facebook, but they decided not to change anything.

Security Leftovers

  • The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once

    On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records.

    But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator.

  • If you're not using SSH certificates you're doing SSH wrong

    None of these issues are actually inherent to SSH. They're actually problems with SSH public key authentication. The solution is to switch to certificate authentication.

    SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

  • Your phone can be [cracked] - and there's nothing you can do about it

    Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seem to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards. One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT devices) may not even ask for this.

Security Leftovers

  • Security updates for Thursday

    Security updates have been issued by Arch Linux (exim, firefox, and webkit2gtk), Debian (libonig and opensc), Fedora (cobbler), Oracle (firefox and kernel), Red Hat (flash-plugin, kernel, kernel-rt, rh-maven35-jackson-databind, rh-nginx110-nginx, and rh-nginx112-nginx), Scientific Linux (kernel), Slackware (curl, mozilla, and openssl), SUSE (ceph, libvirt, and python-Werkzeug), and Ubuntu (vlc and webkit2gtk).

  • Android 10 Gets Its First Security Patch, 49 Security Vulnerabilities Fixed

    Google has released the Android Security Patch for September 2019 to address the most important security vulnerabilities and bugs discovered since August 2019, which also happens to be the first security patch for the recently released Android 10 operating system.

    Consisting of the 2019-09-01 and 2019-09-05 security patch levels, the Android Security Patch for September 2019 addresses a total of 49 security vulnerabilities across various core Android components, including Framework, Media framework, System, kernel components, Nvidia components, and Qualcomm components, including closed-source ones. The most critical flaw fixed in this patch may allow remote attackers to execute code.

  • Infrastructure Updates

    This is a post to the developers and other people who contribute to the IPFire project and have an account on our infrastructure.

    Since we have rolled out loads of changes recently, some change in client configuration is required. This was announced on the development mailing list, but for those who have missed it, here is a little blog post.

  • Accessing SELinux policy documentation

    There are many excellent man pages for the confined domains included with SELinux policy. These man pages describe booleans and context types for each domain. They also include sample semanage commands for adding context mappings, changing booleans, and more.

    Unfortunately for the sysadmin getting started with SELinux configuration, these man pages are often not installed by default. The SELinux policy man pages are available from two locations. The upstream Reference Policy repo has a handful of pre-built man pages. The rest can be generated from the policy content with a tool found in the policycoreutils-devel package.

Security Leftovers

  • Security updates for Wednesday

    Security updates have been issued by Fedora (python38), openSUSE (nginx, nodejs10, nodejs8, python-Twisted, python-Werkzeug, SDL2_image, SDL_image, and util-linux and shadow), Oracle (firefox and nghttp2), Red Hat (.NET Core, firefox, kernel, libwmf, pki-deps:10.6, and poppler), Scientific Linux (firefox), SUSE (ghostscript, libgcrypt, podman, python-SQLAlchemy, qemu, and webkit2gtk3), and Ubuntu (curl, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, systemd, and tomcat8). 

  • Duty Of Care

    Put differently, when Toyota recalls hundreds of thousands of cars for potential defects in which exactly zero people were harmed, we consider that responsible stewardship of their product.

  • The California Consumer Privacy Act

    Next January, California is set to have one of the strongest laws in the nation, passed last year with unusual bi-partisan support, seeking to add some first-of-their-kind state protections over our personal data. It is called the California Consumer Privacy Act (CCPA) of 2018. It nicely reflects the fact that our state is one of the only states in the country whose constitution in Article 1, Section 1, actually contains an express right of privacy guaranteed to all Californians.

    This past year, since the bill’s passage, Purism has worked tirelessly–and dedicated substantial staff resources–to help make sure the new law is not substantially thrashed by Big Tech’s huge army before the fledgling law can even take effect: an army of highly-paid lobbyists. The stakes for Big Tech are large, but the stakes for consumer privacy, and for Purism’s philosophy of consumer privacy protection and control, are so much bigger.

    To try to stem the extraordinary political muscle of Big Tech in Sacramento, Purism has worked in close collaboration with California’s top privacy protection groups including the ACLU, EFF, Consumers Union, Common Sense Kids Action and the Privacy Rights Clearinghouse, and many others to try to stop the onslaught of Big Tech-sponsored bills seeking to vitiate the new law.

    Our CEO has testified in legislative hearings against the weakening measures, and has recently co-written a powerful editorial published in the Mercury News, the newspaper in the backyard of Big Tech in Silicon Valley, against these bills. As Purism’s legislative advocate, I have met with key California legislators to try to thwart Big Tech’s predictable onslaught against this new law.

  • Equifax Victims Jump Through Hoops To Nab Settlement Money They Won't Get Anyway

    So we've noted that the FTC's settlement over the Equifax hack that exposed the public data of 147 million Americans is a bit of a joke. The FTC originally promised that impacted users would be able to nab 10 years of free credit reporting or a $125 cash payout if users already subscribed to a credit reporting service. But it didn't take long for the government to backtrack, claiming it was surprised by the number of victims interested in modest compensation, while admitting the settlement failed to set aside enough money to pay even 248,000 of the hack's 147 million victims.

It's 2019, and Windows PCs can be pwned via a shortcut file, a webpage, an evil RDP server...

It will be a busy day for admins and users of Windows PCs and servers, as Microsoft has released updates for a total of 80 CVE-listed bugs.

Among the more serious issues addressed this month are CVE-2019-1215 and CVE-2019-1214, a pair of elevation-of-privilege vulnerabilities that have been under active attack in the wild.

In both cases, experts say, miscreants are going after older machines. CVE-2019-1215 preys on Winsock, specifically ws2ifsl.sys, a service that has been targeted by malware since 2007, while the exploit for CVE-2019-1214 is largely looking to target Windows 7 boxes. These flaws can give malware on a machine admin-level access to hijack the whole box.

Security Leftovers

  • Exim patches a major security bug found in all versions that left millions of Exim servers vulnerable to security attacks [Ed: If only we saw similar headlines about Microsoft Windows each time a hole was found in Photoshop...]

    A vulnerability was found in all the versions of Exim, a mail transfer agent (MTA), that when exploited can let attackers run malicious code with root privileges.

  • KeePass Password Safe 2.43

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

    KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

  • Live Patching Case Study of GESIS

    You can save time and resources by using Live Patching. GESIS is one of the many organizations who achieved excellent results using SUSE Linux Enterprise Live Patching. Here we outline some of those results so you can make an assessment about how these can apply to your environment.

  • Linux Kernel flexcop_usb_probe Function NULL Pointer Dereference Vulnerability [CVE-2019-15291]

    A vulnerability in the Linux Kernel could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.

    The vulnerability is due to a NULL pointer dereference condition that exists in the flexcop_usb_probe function, as defined in the drivers/media/usb/b2c2/flexcop-usb.c source code file of the affected software.

    An attacker with physical access to a targeted system could exploit this vulnerability by inserting a USB device that submits malicious input to the targeted system. A successful exploit could cause a DoS condition on the system.

  • Here's How Vivaldi for Android Protects Your Privacy and Keeps Your Data Secure

    After announcing the Vivaldi for Android mobile web browser, Vivaldi Technologies shared with us some details on how they managed to build a secure and privacy-aware browser on Android.

    We all know that Google's Android mobile operating system ships with a built-in web browser core, which is based on the same code that Google Chrome was built on. This internal browser core lets users view basic web pages when setting up their Android device for the first time.

    Once the device is all set up, most probably the user has installed his favorite web browser app from the Play store. This is where Vivaldi for Android comes to fill the gap, as it's not using Android's built-in browser core, which makes it secure and privacy-aware.

More in Tux Machines

SUSE: YaST Development Sprint 84 and SUSE 'in Space'

  • Highlights of YaST Development Sprint 84

    The YaST Team finished yet another development sprint last week and we want to take the opportunity to let you all glance over the engine room to see what’s going on. Today we will confess an uncomfortable truth about how we manage the Qt user interface, will show you how we organize our work (or at least, how we try to keep the administrative part of that under control) and will give you a sneak peek on some upcoming YaST features and improvements. Let’s go for it!

  • Lunar Vacation Planning

    HPE, one of SUSE’s most important partners in High-Performance Computing and the advancement of science and technology, is now building NASA’s new supercomputer named “Aitken” to support Artemis and future human missions to the moon. HPE’s “Aitken” supercomputer will be built at NASA’s Ames Research Center and will run SUSE Linux Enterprise HPC (co-located where the Pleiades supercomputer – also SUSE-based – has been advancing research for several years). Aitken will run extremely complex simulations for entry, descent and landing on the moon as part of the Artemis program. The missions include landing the next humans on the lunar south polar region by 2024 (on the rim of the Shackleton crater, which experiences constant indirect sunlight for a toasty -300 degrees Fahrenheit).

today's howtos

Flathub vs. Snap Store: Which App Store Should You Use?

Linux package management has come a long way from the nightmare it used to be. Still, the package managers provided by distributions aren’t always perfect. The Snap and Flatpak formats have made it much easier to install software no matter what distro you’re running. Both Snap and Flatpak files are often available on a given app’s website, but both of these formats have their own centralized marketplaces. Which one is right for you? It’s not an easy question to answer.

GhostBSD 19.09 Now Available

GhostBSD 19.09 has had some considerable changes, like moving the system to STABLE instead of CURRENT for ABI stability with the integration of the latest system update developed by TrueOS. This also means that current users will need to reinstall GhostBSD unless they were running on the development version of GhostBSD 19.09. GhostBSD 19.09 marks the last major changes that break updates for software and system upgrade.