Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, Security Podcast and Google Groups Misconfiguration

Filed under
Google
Security

Security Leftovers

Filed under
Security
  • Sonic & Ultra signals can be used to crash Windows, Linux & hard drives [Ed: Overhyped nonsense. Like bit flippers.]

    It is quite common to have crashed hard drives, which is mainly caused by thermal stress due to excessive, repeated heating and cooling or the physical shock that results from being dropped or knocked. This is especially common in laptops.

  • Ethical hacker, 86, rises to Santander’s challenge

    An 86-year-old ethical hacker managed to create and distribute a fake phishing scam and hack a Wi-Fi hotspot in less than 17 minutes using online guides.

  • More kbuild for reproducible builds
  • Finnish hackers steal casino’s high-roller database by hacking an aquarium

    A casino in North America was recently hacked by a hacker or a group of hackers who used the casinos fish tank as their access point. According to Darktrace CEO, Nicole Eagan, the attackers used the aquarium in the lobby which was connected to a computer with access to the internet. The computer was being used to regulate the temperature and also check the cleanliness of the water in the aquarium.

  • State Websites Are Hackable [sic] — And That Could Compromise Election Security

    Earlier this month, Appsecuri approached FiveThirtyEight and said it found potential flaws on several states’ websites that would allow for information to be tampered with. It provided a number of vulnerabilities to FiveThirtyEight; FiveThirtyEight is only reporting those it could verify with the states affected.

  • [Older] VPNFilter: New Router Malware with Destructive Capabilities

    A new threat which targets a range of routers and network-attached storage (NAS) devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.

  • Back to basics: What sysadmins must know about logging and monitoring

    Without system logs, you’re not administering a system; you’re running a black box and hoping for the best. That’s no way to run servers, whether they are physical, virtual, or containerized.

    So, here are some of the basics to keep in mind as you approach server logging in the 21st century. These are all practices that I either use myself or picked up from other sysadmins, including many from the invaluable Reddit/sysadmin group.

  • YubiKey comes to the iPhone with Mobile SDK for iOS and LastPass support

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • 75% of public-facing Redis servers are infected with malware; here's how to fix it [Ed: These figures are extremely questionable and likely just a publicity stunt from Incapsula, which wants to sell its proprietary stuff]
  • Linux Fu: Counter Rotate Keys!

    If you’ve done anything with a modern Linux system — including most variants for the Raspberry Pi — you probably know about sudo. This typically allows an authorized user to elevate themselves to superuser status to do things.

    However, there is a problem. If you have sudo access, you can do anything — at least, anything the sudoers file allows you to do. But what about extremely critical operations? We’ve all seen the movies where launching the nuclear missile requires two keys counter-rotated at the same time and third firing key. Is there an equivalent for Linux systems?

    It isn’t exactly a counter-rotating key, but the sudo_pair project — a prelease open-source project from Square — gives you something similar. The project is a plugin for sudo that allows you to have another user authorize a sudo request. Not only do they authorize it, but they get to see what is happening, and even abort it if something bad is happening.

Security: SS7, CSS3 and More

Filed under
Security
  • Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone's Privacy At Risk

    Last year, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."

    Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

  • Firefox And Chrome Bug Leaked Facebook Profile Details For Almost A Year; Now Fixed

    A side-channel vulnerability existed in the implement of the CSS3 feature called “mix-blend-mode.” It allowed an attacker to de-anonymize a Facebook user running Google Chrome or Mozilla Firefox by making them visit a specially crafted website.

    The flaw, now fixed, was discovered last year by the researcher duo Dario Weißer and Ruslan Habalov, and separately by another researcher named Max May.

  • Side-channel attacking browsers through CSS3 features

    With the staggering amount of features that were introduced through HTML5 and CSS3 the attack surface of browsers grew accordingly. Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users. In this article, we describe such a practical attack and the research behind it.

  • Effects of Bring Your Own Device (BYOD) On Cyber Security [Ed: 'sponsored' article]
  • French Security Expert Exposes “Kimbho”: “I Can Access The Messages of All Users”

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • SS7 routing-protocol breach of US cellular carrier exposed customer data

    Short for Signalling System No. 7, SS7 is the routing protocol that allows cell phone users to connect seamlessly from network to network as they travel throughout the world. With little built-in security and no way for carriers to verify one another, SS7 has always posed a potential hole that people with access could exploit to track the real-time location of individual users. In recent years, the threat has expanded almost exponentially, in part because the number of companies with access to SS7 has grown from a handful to thousands. Another key reason: hackers can now abuse the routing protocol not just to geolocate people but, in many cases, to intercept text messages and voice calls.

  • The Bleak State of Federal Government Cybersecurity

    It's a truism by now that the federal government struggles with cybersecurity, but a recent report by the White House's Office of Management and Budget reinforces the dire need for change across dozens of agencies. Of the 96 federal agencies it assessed, it deemed 74 percent either "At Risk" or "High Risk," meaning that they need crucial and immediate improvements.

  • Judge dismisses Kaspersky's lawsuits challenging government ban

    Kollar-Kotelly, however, disagreed with this argument, noting that none of their "alleged harms would be redressed" even if they received a favorable ruling in the case because Congress has already instituted its own government-wide ban on use of Kaspersky products, which President Trump signed in December.

  • Kaspersky Lab To Appeal Court Decision To Dismiss US Ban

    US judges dismiss two lawsuits from Russian firm to overturn American ban on its security products

    Moscow-based Kaspersky Lab has suffered yet another setback in its attempt to convince the world that it is not a stooge for the Russian intelligence services.

    A US federal judge on Wednesday dismissed two lawsuits by Kaspersky Lab, which sought to overturn bans on its security products for the US government.

    It comes after the US Department for Homeland Security last year banned the use Kaspersky products from use by federal government agencies.

  • DHS, Commerce release cyber report on combating botnets

    The latest report largely resembles the draft report issued by the two federal agencies in January, which gave experts from the cybersecurity industry as well as other stakeholders the opportunity weigh in on their findings before releasing the final report.

  • Sonic attacks can bork hard disks and crash Windows and Linux [Ed: Bring up theoretic threats and making it sound like pertaining to the OS]

    Sonic and ultrasonic sounds can disrupt the read and write processes of magnetic hard disk drives, while laptops running Windows or Linux OSes, in some cases at least, required a reboot to work properly after a sonic bombardment.

    Audible sonic sounds do this by causing the head stack in a hard disk drive's assembly to vibrate outside of its normal operating parameters which temporarily stop it from writing data. While ultrasonic sounds create false positives in the disk drive's shock sensor and causes the drive to stop using its head, thereby causing it to stop working and disrupt an OSes normal operation.

  • Top 5 New Open Source Security Vulnerabilities in May 2018 [Ed: Perpetuating the perception of FOSS being full of holes while ignoring proprietary software having many holes as well as back doors]

    We’ve put together a list of May’s top 5 new known open source security vulnerabilities, aggregated by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), and of course a wide number of open source publicly available, peer-reviewed security advisories.

CentOS Linux 7 Receives Important Kernel Security Update That Patches Six Flaws

Filed under
OS
Linux
Red Hat
Security

Being based on the Red Hat Enterprise Linux 7 operating system series, CentOS Linux 7 follows a rolling release model where the user installs once and receives regular updates forever. There's no need to reinstall your healthy CentOS Linux installation when a new release is out, but you should keep it up-to-date at all times.

A new kernel security update was released upstream by Red Hat for the Red Hat Enterprise Linux 7 operating system series, which addresses a total of six security vulnerabilities discovered and reported by various security researchers. The kernel security update is now also available for CentOS Linux 7 users.

Read more

Security: Zephyr, PGP and More

Filed under
Security
  • How the Zephyr Project Is Working to Make IoT Secure

    Fragmentation has been a big problem for IoT since the beginning. Companies were doing their own workarounds, there were no standardizations, and there was no collaborative platform that everyone could work on together. Various open source projects are working to solve this problem, but many factors contribute to the woes of IoT devices. Anas Nashif, Technical Steering Committee (TSC) Chair of the Zephyr project believes that software licensing can help.

    Nashif admits that there are already many open source projects trying to address the domain of embedded devices and microcontrollers. “But none of these projects offered a complete solution in terms of being truly open source or being compatible in terms of having an attractive license that would encourage you actually to use it in your product. Some of these projects are controlled by a single vendor and, as such, don’t have an acceptable governance model that breeds confidence within users,” said Nashif.

    [...]

    Zephyr doesn’t use the Linux kernel. Its kernel comes from Wind River’s VxWorks Microkernel Profile for VxWorks. The first version of Zephyr, which was launched some two years ago, came out with a kernel, an IP stack, L2 stack, and few services. Then Intel decided to open source it. They took a saw to it and cleaned the code, then they started talking to industry leaders, especially The Linux Foundation. The project was launched with Intel, NXP, and Synopsis as launch members.

  • How to Secure Edge Computing

    The notion of edge computing is a relatively nascent one in modern IT. While end user, data center and cloud computing are well understood, Edge computing is still struggling to define itself – and come to terms with some significant security challenges.

  • OpenStack Operators Detail How They Patched for Meltdown, Spectre

    When the Meltdown and Spectre CPU security vulnerabilities were publicly disclosed on Jan. 3, they set off a flurry of activity among IT users and cloud operators around the world. In a panel moderated by eWEEK at the OpenStack Summit in Vancouver, B.C., on May 24, operators detailed how they dealt with patching for Meltdown and why it was a time-consuming process.

    When it comes to OpenStack, no operator in the world is larger than CERN, home of the Large Hadron Collider (LHC) and an OpenStack cloud infrastructure that has approximately 300,000 compute cores. Arne Wiebalck is responsible for the overall operations of CERN's OpenStack cloud, and when vulnerabilities like Meltdown and Spectre appear, it's his responsibility to react and deploy the corresponding fixes.

  • How To Turn PGP Back On As Safely As Possible

    Previously, EFF recommended to PGP users that, because of new attacks revealed by researchers from Münster University of Applied Sciences, Ruhr University Bochum, and NXP Semiconductors, they should disable the PGP plugins in their email clients for now. You can read more detailed rationale for this advice in our FAQ on the topic, but undoubtedly the most frequently asked question has been: how long is for now? When will it be safe to use PGP for email again?

    The TL;DR (although you really should read the rest of this article): coders and researchers across the PGP email ecosystem have been hard at work addressing the problems highlighted by the paper—and after their sterling efforts, we believe some parts are now safe for use, with sufficient precautions.

  • OnePlus 6’s Face Unlock Can Be Fooled By A Photograph

    Do you own a OnePlus 6 or planning to buy one? If yes, you might want to read this one. So apparently, the OnePlus 6’s face unlock method can be tricked by a photograph. A video posted by a Twitter user, shows the phone getting unlocked by a cutout picture of his face.

Security: Updates, FBI, Windows Cameras and More

Filed under
Security
  • Security updates for Wednesday
  • The FBI wants you to do this one thing to your home router, now
  • FBI wants you to reboot your router: What you need to know
  • Did You Restart Your Router Like the FBI Asked?
  • The FBI is warning you to reboot your router to prevent a new attack — here's everything you need to do
  • Mainstream Media Warns of 'Russian Malware', Ignores CIA's Own Virus Development

    The US Federal Bureau of Investigation has warned hackers may have compromised hundreds of thousands of routers and other home network devices the world over with malware. Perhaps predictably, the Russians are said to be behind the ploy - but past experience suggests the true source may lie closer to home.

    In an official statement, the FBI said the virus — ‘VPNFilter' — was being used to launch attacks on infrastructure and render electronic devices useless. Anyone possessing a router is strongly urged by the Bureau to reset their device — the malware works in three stages, and rebooting the router prevents the implementation of the latter two stages.

    "Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware," the Bureau suggested.

  • Securing the container image supply chain

    "Security is hard" is a tautology, especially in the fast-moving world of container orchestration. We have previously covered various aspects of Linux container security through, for example, the Clear Containers implementation or the broader question of Kubernetes and security, but those are mostly concerned with container isolation; they do not address the question of trusting a container's contents. What is a container running? Who built it and when? Even assuming we have good programmers and solid isolation layers, propagating that good code around a Kubernetes cluster and making strong assertions on the integrity of that supply chain is far from trivial. The 2018 KubeCon + CloudNativeCon Europe event featured some projects that could eventually solve that problem. 

    [...]

    The question of container trust hardly seems resolved at all; the available solutions are complex and would be difficult to deploy for Kubernetes rookies like me. However, it seems that Kubernetes could make small improvements to improve security and auditability, the first of which is probably setting the image pull policy to a more reasonable default. In his talk, Mouat also said it should be easier to make Kubernetes fetch images only from a trusted registry instead of allowing any arbitrary registry by default.

    Beyond that, cluster operators wishing to have better control over their deployments should start looking into setting up Notary with an admission controller, maybe Portieris if they can figure out how to make it play with their own Notary servers. Considering the apparent complexity of Grafeas and in-toto, I would assume that those would probably be reserved only to larger "enterprise" deployments but who knows; Kubernetes may be complex enough as it is that people won't mind adding a service or two in there to improve its security. Keep in mind that complexity is an enemy of security, so operators should be careful when deploying solutions unless they have a good grasp of the trade-offs involved.

  • Victorian speed cameras hit by computer virus

    Independent report into WannaCry virus

    An unsuspecting contractor was blamed for introducing the virus into Victoria’s speed camera network sometime in early June 2017. The malware was first detected on 6 June 2017 when 20 cameras crashed along the Hume Highway and remained offline overnight.

    The infected cameras ran on Windows 7. Another company who used Unix-based cameras still suffered thanks to Windows operating system powered site control units. It wasn’t until 14 June that the true cause of the outages was found and over the next two days, engineers worked on a patch to secure the system. Finally, by 22 June, cameras were fully operational and virus-free again.

  • Secret Commands Let Google Access All Your Android Text Messages

    Google is known for hiding easter eggs, and secret features buried deep in its Android OS. However, a weird glitch has appeared on Android which honestly seems more like a bug than an easter egg.

    The glitch shows your text messages in search results by using the Google cards assistant feature. It was reported in a Reddit post which says that typing “the1975..com” into the Google search bar will display all your text messages on the screen.

Security: Git and ARM Patches

Filed under
Security

Security: Updates, Malware and More

Filed under
Security
  • Security updates for Monday
  • Security updates for Tuesday
  • Low-Priced Android Phones Shipped with Pre-installed ‘Cosiloon’ Malware, Says Avast

    Are you thinking about settling for a cheaper Android phone? You might want to reconsider this decision. A study conducted by Avast Threat Labs reports that several Android devices are shipped with malware pre-installed on them.

    The report says that more than 100 countries, including the US, Russia, and the UK have been affected by the adware and malware which is carried by hundreds of such low-cost Android devices, which includes manufacturers like ZTE, myPhone, and Archos.

  • The Benefits of HTTPS for DNS

    DNS over HTTPS (DoH) is entering the last call (right now Working Group, soon IETF wide) stage of IETF standardization. A common discussion I have about it basically boils down to "why not DNS over TLS (DoT)?" (i.e. work that has already been done by the DPRIVE WG). That does seem simpler, after all.

    DoH builds on the great foundation of DoT. The most important part of each protocol is that they provide encrypted and authenticated communication between clients and arbitrary DNS resolvers. DNS transport does get regularly attacked and using either one of these protocols allows clients to protect against such shenanigans. What DoH and DoT have in common is far more important than their differences and for some use cases they will work equally well.

  • Python May Let Security Tools See What Operations the Runtime Is Performing

    In its current form, Python does not allow security tools to see what operations the runtime is performing. Unless one of those operations generates particular errors that may raise a sign of alarm, security and auditing tools are blind that an attacker may be using Python to carry out malicious operations on a system.

  • If Avast Broke Your Windows 10 April Update, Here Is The Fix

    One of the many problems associated with the Windows 10 April Update is because of the Avast antivirus software. A few days ago, some Windows 10 users saw a blank desktop with no icons after upgrading, and Microsoft had to block April Update.

    Later, it was known that the Avast Behavior Shield was incompatible with the April 2018 Update and causing the issue which even left some people with unusable PCs.

  • Avast fixes issues with Windows 10 version 1803 and their antivirus
  • Reproducible Builds: Weekly report #161
Syndicate content

More in Tux Machines

GNOME Desktop: Flatpak and Random Wallpaper Gnome Extension

  • Flatpak in detail, part 2
    The first post in this series looked at runtimes and extensions. Here, we’ll look at how flatpak keeps the applications and runtimes on your system organized, with installations, repositories, branches, commits and deployments.
  • Flatpak – a history
    I’ve been working on Flatpak for almost 4 years now, and 1.0 is getting closer. I think it might be interesting at this point to take a retrospective look at the history of Flatpak.
  • Random Wallpaper Gnome Extension Changes Your Desktop Background With Images From Various Online Sources
    Random Wallpaper is an extension for Gnome Shell that can automatically fetch wallpapers from a multitude of online sources and set it as your desktop background. The automatic wallpaper changer comes with built-in support for downloading wallpapers from unsplash.com, desktopper.co, wallhaven.cc, as well as support for basic JSON APIs or files. The JSON support is in fact my favorite feature in Random Wallpaper. That's because thanks to it and the examples available on the Random Wallpaper GitHub Wiki, one can easily add Chromecast Images, NASA Picture of the day, Bing Picture of the day, and Google Earth View (Google Earth photos from a selection of around 1500 curated locations) as image sources.

today's howtos

KDE: QtPad, Celebrating 10 Years with KDE, GSoC 2018

  • QtPad - Modern Customizable Sticky Note App for Linux
    In this article, we'll focus on how to install and use QtPad on Ubuntu 18.04. Qtpad is a unique and highly customizable sticky note application written in Qt5 and Python3 tailored for Unix systems.
  • Celebrating 10 Years with KDE
    Of course I am using KDE software much longer. My first Linux distribution, SuSE 6.2 (the precursor to openSUSE), came with KDE 1.1.1 and was already released 19 years ago. But this post is not celebrating the years I am using KDE software. Exactly ten years ago, dear Albert committed my first contribution to KDE. A simple patch for a problem that looked obvious to fix, but waiting for someone to actually do the work. Not really understanding the consequences, it marks the start of my journey within the amazing KDE community.
  • GSoC 2018 – Coding Period (May 28th to June 18th): First Evaluation and Progress with LVM VG
    I got some problems during the last weeks of Google Summer of Code which made me deal with some challenges. One of these challenges was caused by a HD physical problem. I haven’t made a backup of some work and had to rework again in some parts of my code. As I already knew how to proceed, it was faster than the first time. I had to understand how the device loading process is made in Calamares to load a preview of the new LVM VG during its creation in Partition Page. I need to list it as a new storage device in this page and deal with the revert process. I’ve implemented some basic fixes and tried to improve it.

Open Hardware: Good for Your Brand, Good for Your Bottom Line

Chip makers are starting to catch on to the advantages of open, however. SiFive has released an entirely open RISC-V development board. Its campaign on the Crowd Supply crowd-funding website very quickly raised more than $140,000 USD. The board itself is hailed as a game-changer in the world of hardware. Developments like these will ensure that it won't be long before the hardware equivalent of LEGO's bricks will soon be as open as the designs built using them. Read more