
Security

RHEL 6 and CentOS 6 Get Important Kernel Security Update

Filed under
Red Hat
Security

The Red Hat Product Security team has announced an important Linux kernel security update for all supported Red Hat Enterprise Linux 6 products. It addresses a buffer overflow (CVE-2019-17133) in the generic WiFi ESSID handling code, which copied an ESSID without first checking its length against the 32-byte maximum; joining a wireless network that advertises an ESSID longer than 32 bytes could therefore overflow the buffer and crash the machine.

The second vulnerability (CVE-2019-17055), in the kernel's AF_ISDN (mISDN) protocol implementation, stems from a missing CAP_NET_RAW check when a raw socket is created, which let unprivileged users open such a socket and use it to control the availability of an existing ISDN circuit. The only mitigation short of installing the update is to blacklist the mISDN kernel module so that it cannot be loaded.
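The first of these flaws is a classic missing bounds check. The C program below is an added illustration, not the kernel's code or Red Hat's: it models a fixed 32-byte SSID field (the kernel's limit is IEEE80211_MAX_SSID_LEN, 32) filled from a length taken off the network, with the unchecked copy the bug relied on beside the checked form that refuses over-long input, as the fix does. `struct wifi_params`, `ssid_copy_unchecked`, `ssid_copy_checked`, `make_ssid` and `try_ssid_len` are constructed for the example.

```c
/* Added example, not kernel or Red Hat code. Models the missing length check
 * behind CVE-2019-17133: a fixed 32-byte SSID field (the kernel's limit is
 * IEEE80211_MAX_SSID_LEN) filled from an attacker-controlled length.
 * struct wifi_params, ssid_copy_unchecked(), ssid_copy_checked(), make_ssid()
 * and try_ssid_len() are constructed for this illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_MAX_SSID_LEN 32

/* Fixed-size SSID storage followed by its length, as in the kernel's
 * connect parameters. Bytes written past ssid[] typically land on ssid_len
 * or whatever else follows in memory. */
struct wifi_params {
    unsigned char ssid[IEEE80211_MAX_SSID_LEN];
    size_t ssid_len;
};

/* The bug pattern: the length taken from the network (the SSID element in a
 * beacon or probe response) is trusted and used as the copy size. With
 * len > 32 this writes past the array. Shown for contrast; never call it
 * with an unvalidated length. */
void ssid_copy_unchecked(struct wifi_params *p, const unsigned char *ssid, size_t len)
{
    memcpy(p->ssid, ssid, len);
    p->ssid_len = len;
}

/* The hardened form: validate before touching the destination, and refuse
 * rather than silently truncate, so a malformed SSID cannot be joined.
 * Returns 0 on success or -EINVAL, the way a kernel setter reports it. */
int ssid_copy_checked(struct wifi_params *p, const unsigned char *ssid, size_t len)
{
    if (len > IEEE80211_MAX_SSID_LEN)
        return -EINVAL;
    memset(p->ssid, 0, sizeof(p->ssid));
    memcpy(p->ssid, ssid, len);
    p->ssid_len = len;
    return 0;
}

/* Constructed input: an SSID of n 'A' bytes in buf (capacity cap). Returns
 * the length actually produced. */
size_t make_ssid(unsigned char *buf, size_t cap, size_t n)
{
    if (n > cap)
        n = cap;
    memset(buf, 'A', n);
    return n;
}

/* Feed an SSID of the given length through the checked path and return its
 * verdict; used to exercise the boundary. */
int try_ssid_len(size_t len)
{
    unsigned char probe[64];
    struct wifi_params p;
    size_t n = make_ssid(probe, sizeof(probe), len);

    return ssid_copy_checked(&p, probe, n);
}

int main(void)
{
    unsigned char probe[64];
    struct wifi_params p;
    size_t n;

    /* A well-formed 5-byte SSID is fine through either path. */
    n = make_ssid(probe, sizeof(probe), 5);
    ssid_copy_unchecked(&p, probe, n);
    printf("unchecked, len %zu: stored %zu bytes\n", n, p.ssid_len);

    /* Exactly the limit is accepted; one byte over is refused, not copied. */
    printf("checked, len 32: %d\n", try_ssid_len(32));   /* 0 */
    printf("checked, len 33: %d\n", try_ssid_len(33));   /* -EINVAL */
    return 0;
}
```

Compile with `cc -Wall ssid_check.c` and run: the 32-byte probe is accepted and the 33-byte one is refused with -EINVAL. The point to carry into a review is that the length check has to sit before the memcpy, and a rejected request must leave the stored parameters untouched.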

Read more

New Ubuntu Linux Security Updates Arrive for All Supported Releases

Filed under
Linux
Security
Ubuntu

The new Linux kernel security updates address a KVM hypervisor flaw (CVE-2020-2732) discovered by Paolo Bonzini, in which a nested (level 2) guest could, in some situations, access resources of its parent (level 1) virtual machine; an attacker could use this to expose sensitive information. The flaw affects all supported Ubuntu releases and kernels, including Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS and Ubuntu 14.04 ESM, on Linux kernels 5.3, 5.0, 4.15 and 4.4.

Another KVM vulnerability (CVE-2019-3016) was fixed in the Linux 5.3 and 5.0 kernels of Ubuntu 19.10 and Ubuntu 18.04 LTS. It could allow an attacker in a guest virtual machine to read memory belonging to another guest VM and so expose sensitive information.

Read more

Security Leftovers

Filed under
Security

Enterprise Linux Red Hat Fixed 85% of Critical Flaws Within 7 Days: Report

Filed under
Linux
Red Hat
Security

It is also worth noting that the security team fixed 41% of critical vulnerabilities within one day of the issue becoming public; on average, critical advisories were issued within a week.

In addition, 566 RHSAs addressed a record 340 important CVEs, 18% of which had a fix available within one business day.

Overall, Red Hat Enterprise Linux commits to a stable product with a quick response to risk, and its close ties with upstream and other communities mean it also resolves issues in third-party software.

Read more

Security: Patches, Scams, OWASP and More

Filed under
Security
  • Updated packages in the past weeks: Plasma5, gcc_multilib, openjdk7 and more

    I do regular updates of packages in my repository. I focus on the software that is popular, or relevant to Slackware. For the software with a high visibility I usually write a blog post to alert people to the new stuff.
    During the last couple of weeks I have not been writing so much about updates due to personal circumstances; some of it has to do with the Corona outbreak.

    I was also affected by the death of Erik Jan Tromp (Slackware’s alphageek) early in March, just after I visited him for a final time in his apartment in Leeuwarden.

  • How Visa built its own container security solution

    Instead of deploying a combination of commercial solutions and spending resources on getting them to work for its environment, Visa's security team went back to basics and created its own continuous monitoring solution that handles security policy enforcement, incident detection and remediation, a project that earned the company a CSO50 Award for security excellence. Called MASHUP (Micro-services based Adaptive Security Hardening and Usage Platform), the solution takes advantage of the native capabilities that already exist on container orchestration platforms such as cgroups, filesystem access controls, and SELinux policies, and it is primarily built on top of open-source tools and libraries.

  • Hackers Use Fake HIV Test Results As Lure to Infect Computers and Steal Data

    Previously, experts found evidence that online crooks were using the novel coronavirus (COVID-19) as a phishing lure, attempting to exploit fears surrounding the ongoing outbreak.

  • Threat Dragon: OWASP launches desktop version of popular threat modeling tool

    The Open Web Application Security Project (OWASP) has released an installable desktop variant of Threat Dragon, its popular threat modeling application.

    The free and open source Threat Dragon tool includes system diagramming and a rule engine to automatically determine and rank security threats, suggest mitigations, and implement countermeasures.

    The newly launched desktop version is based on Electron. There are installers available for both Windows and macOS, as well as RPM and Debian packages for Linux. Models are stored on the local file system.

    There’s also a web application, with model files stored in GitHub – other storage is planned for the future – and OWASP says it is currently maintaining a working prototype in sync with the master code branch.

  • Open-source options offer increased SOC tool interoperability

    Anecdotal evidence of security operations center (SOC) tool overload is overwhelming — at CSO we hear complaints from industry sources about this problem all the time — but the 2019 SANS SOC Survey attempted to quantify the problem. For most survey respondents, there were roughly equal numbers of SOC analysts as there were full-time employees tasked with maintaining the SOC security tools. That's on top of the expense of purchasing those security tools in the first place.

    [...]

    Since October, 25 organisations have joined the OCA, and the alliance hopes to continue to grow to encompass all the major cybersecurity vendors today. Other members include Indegy, CrowdStrike, Fortinet and ReversingLabs.

    “What we’re trying to do as an industry, if we can align around a common data model and a common set of APIs, then that problem [a lack of interoperable security tools] becomes a much smaller problem than it is today,” Chris Smith, principal engineer at McAfee, tells CSO.

    STIX (Structured Threat Information eXpression) is useful “if you’re threat hunting and you want to query all your other tools for evidence of a certain artefact: use STIXShifter to ask that question in a vendor-neutral, platform-agnostic language,” the GitHub rep said.

    “STIXShifter would be the technology that enables a company to search for an indicator of compromise across multiple tools, data repositories,” Jason Keirstead, chief architect, IBM Security Threat Management, tells CSO. (IBM contributed STIXShifter to the project.) “If that search turns up a compromised device, OpenDXL Ontology would be the mechanism that would be used to issue alerts/notifications across other tools in order to begin remediation.”

  • Warning: Are You Using One Of These 20 Dangerous Smartphone PINs?

    But some PIN codes are much more secure than others, and you might be surprised to find out which are the easiest to guess. You would assume, for example, that a longer PIN code was better, but six-digit numbers provide little more security than four-digit ones, according to a study by researchers from Ruhr University and the Max Planck Institute for Security and Privacy in Bochum, Germany, and George Washington University in the U.S.

  • Binance Adds Open-Source Implementation for Edwards-Curve Digital Signature

    After sustained effort, Binance's development team has released an open-source Threshold Signature Scheme (TSS) library for the Edwards-curve Digital Signature Algorithm (EdDSA), extending support to Edwards-curve-based blockchains such as Cardano, NANO, Stellar Lumens, Waves and Libra.

    Binance first announced an open-source TSS library three months ago, a step it considers a major contribution to open-source blockchain development. That library works with ECDSA-based blockchains, including Binance Chain, Bitcoin and Ethereum, and is already used to build token swap bridges and more.

Proprietary Software Stories

Filed under
Software
Security
  • Technical trouble spoils Joe Biden's first 'virtual town hall'

    The start time of Friday's "virtual town hall" was pushed back by two hours -- and then it still started 15 minutes late. As those on Zoom waited to watch, the video alternated between confused-looking Democratic Sens. Tammy Duckworth and Dick Durbin of Illinois, as well as Vivek Murthy, the former surgeon general and a member of a committee advising Biden on how to handle campaigning amid a pandemic.

    The event started with brief remarks from Durbin, who wasn't visible to those watching on Zoom.

    Then Biden came on and he was visible, but no one could hear him: His audio was so choppy that it could not be understood. At one point, he stopped and restarted, but the audio problem hadn't been solved.

  • Los Angeles Utility Accused of Cybersecurity Coverup

    The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor.

    The allegations were made by Ardent Cyber Solutions LLC, a company hired by the Department of Water and Power (DWP) in April 2019 to perform cybersecurity work.

    In a 10-page claim filed against the city earlier this year, Ardent states that it uncovered an "extremely high number of unpatched vulnerabilities" in the company's "corporate IT network."

  • Apple Closes Most of Its Stores for 2 Weeks

    Apple said it would close most of its retail stores outside mainland China, Hong Kong and Taiwan, becoming one of the first companies to take such a drastic measure to fight the coronavirus outbreak.

    The move signaled that retailers might be the next part of society to shut their doors.

  • [Attackers] had access to European electricity organization’s email server for weeks: report

    The European Network of Transmission System Operators for Electricity (ENTSO-E) said a data breach had been confined to its office network, and that no critical power systems were affected. It didn’t mention how or why the intrusion began.

    But a public analysis of a cybersecurity incident, which multiple people familiar with the matter said matches the details of the ENTSO-E breach, indicates that the attackers were communicating with the victim organization’s email server for more than a month.

  • A Mobile Voting App That's Already in Use Is Filled With Critical Flaws

    Voatz, a mobile voting app that's already been used in several elections in the United States, has more than a dozen critical security flaws, according to a newly released audit. The audit also shows Voatz publicly refuted an MIT report that found flaws in its app even after it received confirmation that it was accurate.

    The audit, which was prepared by cybersecurity firm Trail of Bits for Voatz and Tusk Philanthropies, which has partnered with Voatz on some of its pilot voting projects, found 48 technical vulnerabilities, 16 of which were "high-severity issues."

Security Leftovers

Filed under
Security
  • The next generation of hackers may target your medical implants

    The chilling message flashed across Anya's field of view, blurring everything else in sight. The twenty-six-year-old account executive stared and listened in horror as a malicious intruder activated her auditory cortex, simulating speech deep inside her brain. The voice was gravelly and heavily digitized.

    "Your cloud-connected neuroprosthetic has been compromised, and there's nothing you can do about it! We now control your personal data stream. Oh, and what a stream it is! So many secrets. So many unclean thoughts. You're lucky you were hacked by us and not someone less…tactful.

    "With the access we now have to your thoughts, we could make you do anything. Anything! You have twenty-four hours to pay $7,000 into the untraceable Cryptex account we will provide you or we will publish all of your deepest, darkest secrets for everyone to see! Ha ha ha ha! Don't forget, we now know who your family is, and your employer, and your church, and . . ."

    The dreadful voice fizzled out, the flashing message disappeared, but Anya's vision was still heavily blurred. A different, more tranquil voice began activating her auditory cortex.

    "Your Neurotector Anti-Intrusion Suite has been activated. Please remain calm and do not move while we complete our scan and remove any unauthorized software from your neuroprosthetic."

    Anya breathed deeply, trying to calm her nerves. Thank heaven she had opted for neuro-protection software a year ago! The rampant increase of new cognitive hacking exploits, from false-memory droppers to this sort of snareware, made it essential.

    Anya's vision suddenly cleared and the security software voice returned. "The intruder has been eradicated, and there are no indications of any privacy compromise through outbound transmission. All altered files and memories have been restored. Have a nice day."

  • Linux 5.7 To Bring Mitigation For Intel Gen7 Ivybridge/Haswell "iGPU Leak"

    Back in January, "iGPU Leak" was disclosed as CVE-2019-14615, an information leakage vulnerability in Intel's graphics architecture that leaks both register contents and local memory. While Intel "Gen9" graphics were patched on the disclosure date and Gen8 Broadwell graphics were already mitigated, Gen7/Gen7.5 graphics took longer: the mitigation for them only arrives in the Linux 5.7 release this spring.

    On the January disclosure date the Intel open-source developers did post Gen7/Gen7.5 patches for Ivybridge/Haswell, but those patches destroyed graphics performance and, given the hefty hits, were not merged into mainline.

  • Jenkins security: Latest advisory highlights more than 20 vulnerable plugins

    The maintainers of the Jenkins project have issued a security advisory that highlights vulnerabilities in more than 20 plugins for the open source automation server.

    DevOps teams are urged to check the advisory to ensure their continuous integration pipelines are not impacted by any of the flaws, and update their builds where necessary.

    Among the list of now-patched bugs is a sandbox bypass vulnerability impacting the Script Security Plugin, which has nearly 250,000 active installations.

  • How security keeps up when developers drive open source

    Technological transformation is increasingly becoming a competitive differentiator, with businesses across all sectors investing heavily in new platforms, tools, and frameworks. In response, open source has emerged as the most viable, cost-effective and leading-edge solution in enabling organisations to gain the edge in innovation.

    No longer do individual businesses need to purchase or build all the software they need in-house. Instead, developers can now benefit from and build on the work of entire development communities, harnessing their collective power instead of starting from scratch. This is enabling countless new strands of innovation and increasing the speed to market for new products.

    According to research, 69% of IT leaders deem open source as very important to an organisation’s overall enterprise infrastructure software plans. But software development wasn’t always done this way.

Proprietary Software: Microsoft Might Lose Big Contract, Cybercriminals Exploit Coronavirus/COVID-19

Filed under
Software
Security
  • Pentagon Reconsiders Microsoft Contract After Amazon Protest

    U.S. government lawyers said in a court filing this week that the Defense Department "wishes to reconsider its award decision" and take another look at how it evaluated technical aspects of the companies' proposals to run the $10 billion computing project.

    The filing doesn't address Amazon's broader argument that the bidding was improperly influenced by President Donald Trump's dislike of Amazon and its CEO, Jeff Bezos. Bezos owns The Washington Post, a news outlet with which Trump has often clashed.

  • [Attackers] are making malware-infected coronavirus maps to harvest personal information

    A journalist with expertise on cybercrime reported on Thursday that [attackers] are trying to take advantage of the public's concern about the COVID-19 pandemic to infect users' computers with malware.

  • Live Coronavirus Map Used to Spread Malware

    Cybercriminals constantly latch on to news items that captivate the public’s attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.

Security: Patches, Google, Linux and Intel

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid).

  • 10 Essential Settings to Secure Your Google Account

    After reading the title you might be wondering, “isn’t my Google account already secure?”. Well, yes, it is. But on a bad day, a determined attacker can get around the default security measures Google puts on your account, which is why it is important not just to review those settings manually but also to enable additional protections and take specific precautions to reinforce your security.

    Google has a dedicated page listing all the settings and recommendations that will help you to keep your account safe. These settings and recommendations page includes a list of security issues found in your account, 2-factor authentication, recovery phone details, 3rd-party apps with account access, a list of less secure app access, and information about your connected devices.

  • Marc-Etienne Léveillé on Linux malware

    Marc-Etienne Léveillé, senior malware researcher for ESET, talks with CyberScoop Editor-in-Chief Greg Otto about all the different Linux malware he sees being used. Both sophisticated actors and amateur hackers are going after various flaws in the operating system.

    “We have seen very, very advanced stuff,” Léveillé told CyberScoop at the 2020 RSA Conference. “And we have seen very like low-hanging fruit, like commodity malware. But the most sophisticated Linux malware we’ve studied is called an OpenSSH backdoor and credential stealer. What it does a very clever way, it tries not to modify the system as less as possible.”

  • Intel Developer's Patch To Let SECCOMP Processes Like Web Browsers Opt Out Of Spectre V4

    Currently, the Linux kernel's SECCOMP secure computing mode force-enables the Spectre mitigations for filtered processes, with the obvious performance cost. Because the mitigation is force-enabled, a process cannot opt out even if it is not at risk from issues like Spectre V4, "Speculative Store Bypass". A simple change now being proposed would let such processes opt out if they choose.

    Longtime Intel Linux developer Andi Kleen has proposed the change to allow overriding SECCOMP's speculation-disable behaviour. Rather than force-disabling speculation, seccomp would still disable it by default but not in "forced" mode, and that semantic change is what lets a process opt out afterwards. The PR_SET_SPECULATION_CTRL prctl can then be used to toggle the SSBD and IB (indirect branch) mitigations.

  • Mitigating new LVI Intel security vulnerability will have big impact on CPU performance

    Implementing full mitigations to address the load value injection (LVI) security vulnerability affecting Intel processors could significantly reduce processor performance and radically slow them down.

    The vulnerability, indexed as CVE-2020-0551, was publicly disclosed earlier this week when Intel rolled out a patch to address the flaw.

    The chipmaker said that LVI vulnerability impacts some processors utilising speculative execution feature and could allow an attacker to steal sensitive data from vulnerable systems, via a side channel with local access.
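To make the seccomp speculation-control item above concrete: the per-task state that Kleen's change alters is readable from user space, and the difference between "disabled" and "force-disabled" is a single bit of it. The C program below is an added example, not Kleen's patch or kernel code. It uses the real prctl options PR_GET_SPECULATION_CTRL and PR_SET_SPECULATION_CTRL and the PR_SPEC_* flag values from the kernel's uapi header (redefined under #ifndef only for hosts with old headers); `spec_state`, `can_opt_out` and the demonstration in `main` are constructed for the example, and the set-and-restore step in `main` runs only when the process is in the non-forced disabled state.

```c
/* Added example, not kernel or Intel code. Reads the per-task speculation
 * control state that seccomp manipulates and decodes it. PR_* values are the
 * kernel's uapi constants (include/uapi/linux/prctl.h); the #ifndef blocks
 * only supply them when the build host's headers are too old to have them.
 * spec_state(), can_opt_out() and main() are constructed for the example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED 0
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
#define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
#define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

/* Turn the value prctl(PR_GET_SPECULATION_CTRL, which, ...) returns for one
 * misfeature into a short status string. A negative value is a prctl() error
 * (EINVAL on kernels without the interface, ENODEV for an unknown misfeature). */
const char *spec_state(long v)
{
    if (v < 0)
        return "error";
    if (v == PR_SPEC_NOT_AFFECTED)
        return "not affected";
    if (!(v & PR_SPEC_PRCTL))
        return "no per-task control";     /* fixed globally by a boot option */
    if (v & PR_SPEC_FORCE_DISABLE)
        return "mitigated, forced";       /* what seccomp sets today */
    if (v & PR_SPEC_DISABLE_NOEXEC)
        return "mitigated until execve";
    if (v & PR_SPEC_DISABLE)
        return "mitigated, may opt out";  /* what seccomp would set after the change */
    if (v & PR_SPEC_ENABLE)
        return "speculation enabled";
    return "unknown";
}

/* A task can switch the mitigation off only if per-task control exists and
 * the disable was not forced; that bit is the whole difference the patch makes. */
int can_opt_out(long v)
{
    if (v < 0 || !(v & PR_SPEC_PRCTL))
        return 0;
    return (v & PR_SPEC_FORCE_DISABLE) ? 0 : 1;
}

int main(void)
{
#ifdef __linux__
    long ssb = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
    long ib  = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_INDIRECT_BRANCH, 0UL, 0UL, 0UL);

    printf("store bypass:    %s (opt-out %s)\n", spec_state(ssb),
           can_opt_out(ssb) ? "possible" : "not possible");
    printf("indirect branch: %s (opt-out %s)\n", spec_state(ib),
           can_opt_out(ib) ? "possible" : "not possible");

    /* What a sandboxed browser would do under the proposed semantics: re-enable
     * store bypass, then put the mitigation back. Only attempted from the
     * non-forced disabled state; in the forced state the kernel answers EPERM. */
    if (ssb >= 0 && (ssb & PR_SPEC_PRCTL) && (ssb & PR_SPEC_DISABLE) && can_opt_out(ssb)) {
        int rc = prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                       (unsigned long)PR_SPEC_ENABLE, 0UL, 0UL);
        printf("opt out of SSBD: %s\n", rc == 0 ? "accepted" : strerror(errno));
        if (rc == 0)
            prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                  (unsigned long)PR_SPEC_DISABLE, 0UL, 0UL);
    }
#else
    puts("PR_*_SPECULATION_CTRL is Linux-specific; only the decode helpers apply here.");
#endif
    return 0;
}
```

Run it plainly on an affected CPU and it normally reports `speculation enabled` with per-task control, because no mitigation has been applied to the task yet. Run it inside a seccomp filter installed without SECCOMP_FILTER_FLAG_SPEC_ALLOW on a current kernel and it reports the forced state, so the opt-out is never attempted; under the proposed change the same sandbox would report `mitigated, may opt out` and the PR_SPEC_ENABLE call would be accepted.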

Tor Browser 9.5a7 Released Today! More Speed & Bugs Fixed

Filed under
Security
Web

Tor Browser 9.5a7 Released: Tor Browser is a privacy-focused browser that routes your traffic through the Tor network, so that the sites you visit do not see your IP address and your network operator does not see which sites you visit. It can also reach .onion services, sites that are not accessible through the regular web. You can find more information about Tor Browser on the project's official website.

The Tor Browser developers have announced the release of Tor Browser 9.5a7, an alpha build. You can download it from the project's official website.

Read more


More in Tux Machines

Nate Graham on Latest KDE Improvements

  • This week in KDE: Moar performance!

    Some very nice performance fixes landed this week, which should substantially boost move and copy speeds for local transfers and transfers to and from Samba shares in particular. But that’s not all, and there’s more on the menu…

  • KDE Starts April With Big Performance Jump For Local I/O + 50~95% Faster Samba Transfers

    KDE developers managed to squeeze some long-problematic I/O optimizations into the KDE code-base this week along with other enhancements to make for a nice first week of April. The performance work for kicking off April includes: - 50~95% faster transferring of large files to/from Samba shares. This big speed-up is a Dolphin improvement for a 2012 bug report. This fast-copy support for the Samba code should now allow "mount-level copy performance" thanks to various architectural changes in the code.

Programming Literature: Jussi Pakkanen on Meson, Shing Lyu on Rust and "25 Best JavaScript Books for Newbie and Professional"

  • Jussi Pakkanen: Meson manual sales status and price adjustment

    The second part (marked with a line) indicates when I was a guest on CppCast talking about Meson and the book. As an experiment I created a time limited discount coupon so that all listeners could buy it with €10 off. As you can tell from the graph it did have an immediate response, which again proves that marketing and visibility are the things that actually matter when trying to sell any product. After that we have the "new normal", which means no sales at all. I don't know if this is caused by the coronavirus isolation or whether this is the natural end of life for the product (hopefully the former but you can never really tell in advance).

  • Shing Lyu: Lessons learned in writing my first book

    You might have noticed that I didn’t update this blog frequently in the past year. It’s not because I’m lazy, but I focused all my creative energy on writing this book: Practical Rust Projects. The book is now available on Apress, Amazon and O’Reilly. In this post, I’ll share some of the lessons I learned in writing this book. Although I’ve been writing Rust for quite a few years, I haven’t really studied the internals of the Rust language itself. Many of the Rust enthusiasts whom I know seem to be having much fun appreciating how the language is designed and built. But I take more joy in using the language to build tangible things. Therefore, I’ve been thinking about writing a cookbook-style book on how to build practical projects with Rust, ever since I finished the video course Building Reusable Code with Rust. To my surprise, I received an email from Steve Anglin, an acquisition editor from Apress, in April 2019. He initially asked me to write a book on the RustPython project. But the project was still growing rapidly thanks to the contributors. I’ve already lost grip on the overall architecture, so I can’t really write much about it. So I proposed the topic I have in mind to Steve. Fortunately, the editorial board accepted my proposal, and we decided to write two books: one for general Rust projects and one for web-related Rust projects. Since this is my first time writing a book that will be published in physical form (or as The Rust Book put it, “dead tree form”), I learned quite a lot throughout the process. Hopefully, these points will help you if you are considering or are already writing your own book.

  • The 25 Best JavaScript Books for Newbie and Professional

    JavaScript is an object-oriented programming language used to make dynamic web pages by adding interactive effects. This client-side scripting language is used by almost 94.5% of the web pages on the internet. The language is easy to pick up but is also known as one of the most misunderstood programming languages, so you should choose the right guides to get answers to your questions about JavaScript. Here we provide a list of the best JavaScript books so that you can learn JavaScript without becoming confused.

today's howtos

This is my shoestring photography setup for image editing

Saving money is not the only major benefit of using inexpensive hardware and free open-source software. Somewhat surprisingly, the more important benefit for me personally is peace of mind. My primary machine is a 9-year-old ThinkPad X220 with 4GB RAM and 120GB SSD. I bought it on eBay for around 200 euros, plus about 30 euros for a 120GB SSD. The digiKam application I use for most of my photo management and processing needs cost exactly zero. (I’m the author of the digiKam Recipes book.) I store my entire photo library on a USB 3.0 3TB Toshiba Canvio hard disk I bought for around 113 euros. If any component of my hardware setup fails, I can replace it without any significant impact on my budget. I don’t have to worry about a company deciding to squeeze more money out of me by either forcing me into a paid upgrade or a subscription plan, and I sleep better knowing that I own the software crucial for my photographic workflow. You might think that managing and processing RAW files and photos on a relatively old machine with a paltry amount of RAM is unbearably slow, but it’s not. While Windows would bring the ThinkPad X220 to its knees, the machine briskly runs openSUSE Linux with the KDE graphical desktop environment. The word Linux may send some photographers away screaming, but a modern Linux system is hardly more complicated in use than Windows.

Read more