Security

Thunderbird 68.6.0 Released with Huge Bug Fixes and Enhanced Features!

Filed under
Security

Thunderbird 68.6.0 Released Now: Mozilla announced the release of the latest version of Thunderbird, 68.6.0. Mozilla Thunderbird is an open-source e-mail client used to send and receive email over secured connections. The Thunderbird email client is commonly found on Linux-based operating systems. The latest version of Thunderbird is flooded with new features and bug fixes.

Security and FUD Leftovers

Filed under
Security
  • Google Makes an Open-Source Tool for Linux to Avoid USB Keystroke Attacks [Ed: "A day after researchers declared Linux having more vulnerabilities than Windows" is false. Several lies there. Not researchers and no such thing declared, either.]

    A day after researchers declared Linux having more vulnerabilities than Windows, Google now makes a free tool to be used by Linux systems to avoid potential USB keystroke attacks. The software would be running in the background to monitor any suspicious activities from a plugged-in USB device, and notify a user about potential attacks. This was published by Google on its GitHub for Linux PCs.

  • 83% of medical imaging devices running on outdated operating systems, report finds

    An overwhelming majority of medical imaging devices are running on old operating systems with little-to-no ability to receive crucial software updates, according to a new report. It’s a small piece of the larger security problem plaguing internet-connected devices.

    That’s according to new research from enterprise security firm Palo Alto Networks which analyzed more than 1.2 million devices stationed across thousands of healthcare institutions in the U.S. The 83% of imaging devices running on outdated platforms represents a large uptick from the 56% figure reported in 2018.

    Imaging devices run on a wide variety of operating systems, such as Linux and Unix, but much of the jump seen over the past few years is attributable to the Windows 7 operating system reaching its end of life, the report authors noted. And these vulnerabilities in radiology equipment may open the door for criminals to attack the wider healthcare field.

Josh Bressers Assesses Security Scanners

Filed under
Security
  • Josh Bressers: The Security Scanner Problem

    Are you running a security scanner? It seems like everyone is doing it, maybe it’s time to get with it. It’s looking like automated security scanning is the next stage in the long winding history of the security industry. If you’ve never run one of these scanners that’s OK. I’m going to explain what they are, how they work, how we’re not using them correctly, and most importantly, what you can do about it. If you are running a scanner I’m either going to tell you why you’re doing it wrong, or why you’re doing it REALLY wrong. If you’re a vendor who builds a security scanner I assure you I understand there is a high probability I am indeed an idiot and don’t know what I’m talking about. I’m sure everything will be fine.

    Automated scanning IS changing the world, but right now it’s not changing it for the better, it’s currently the security industry version of lead paint. The technology is still REALLY new, so it’s important we have proper expectations and work together to make things better. One of the challenges with new technology is understanding what you have now, and more importantly understanding what you need next. Like any tool, if you use it wrong it can make things worse than doing nothing at all. Let’s talk about how to make things better.

    If you’ve never seen the sort of report an automated scanner generates you should probably consider yourself lucky. The best way to describe these reports is if you had a 10 page report that wasn’t very good, then you made 100 copies of every page, shuffled them around a bit and stapled it all together. There are some useful findings in the report, but they’re really hard to find. Expecting anyone to parse a 1000 page report for one or two findings has a terrible return on investment. It’s even less helpful if you send the report to someone else with unrealistic demands, such as requesting they fix all of the findings. By Friday. If you didn’t read the report, why should they?

  • Part 1: Is your security scanner running? You better go catch it!

    This post is the first part in a series on automated security scanners. I explain some of the ideas and goals in the intro post, rather than rehashing that post as filler, just go read it, rehashing content isn’t exciting.

    There are different kinds of security scanners, but the problem with all of them is basically the same. The results returned by the scanners are not good in the same way catching poison ivy is not good. The more you have, the worse it is. The most important thing to understand, and the whole reason I’m writing this series, is that scanners will get better in the future. How they get better will be driven by all of us. If we do nothing, they will get better in a way that might not make our lives easier. If we can understand the current shortcomings of these systems, we can better work with the vendors to improve them in ways that will benefit everyone.

  • Part 2: Scanning the code

    If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article.

    The first type of scanner we’re going to cover are source code scanners. It seems fitting to start at the bottom with the code that drives everything. Every software project has source code. It doesn’t matter what language you use. Some is compiled, some interpreted, it’s all still source code. The idea behind a source code scanner is to review the code a human wrote and find potential security problems with it. This sounds easy enough in theory, but it’s extremely difficult in practice.

    Strongly typed languages like C, C++, and Java lend themselves to code scanning. An oversimplified explanation would be a strongly typed language is one where a named variable has to be a certain type. For example if I have a variable named “number” that is a number, I can’t assign a string to it. It can only be a number.

    Weakly typed languages, such as JavaScript and Python are incredibly difficult to properly scan. These are languages where I can assign the string “potato” to my variable named “number”. While weakly typed languages offer great flexibility to developers, they are a nightmare for code scanners.

  • Part 3: Composition scanning

    If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article.

    In this post we’re going to talk about a newer type of scanner called a composition scanner. The idea here is when you build an application today it’s never just what you wrote. It also includes source code from a large number of other sources. Usually these other sources are open source.

    A composition scanner will look at your project, specifically the things you didn’t write, and attempt to alert you if you are including components that have known security vulnerabilities. It’s very common to not upgrade the open source we put into our projects. Upgrading is hard and can break things, so doing nothing is easier most of the time. Composition scanners let us see what’s hiding in the depths of our project, sometimes it isn’t very pretty.

    An easy example we can use is if you are including OpenSSL code in your application. Do you know if the version of OpenSSL you are using is still vulnerable to Heartbleed? You probably can’t say for certain if this is true or not, but a composition scanner probably can.

Security Leftovers

Filed under
Security
  • Flaws Riddle Zyxel’s Network Management Software

    Security researchers are warning that networking hardware vendor Zyxel and its Cloud CNM SecuManager software is chock-full of unpatched vulnerabilities that kick open the doors for hackers to exploit. In all, researchers have identified 16 vulnerabilities, ranging from multiple backdoors and default credentials to insecure memory storage.

  • Security updates for Thursday
  • $100K Paid Out for Google Cloud Shell Root Compromise

    A Dutch researcher claimed Google’s very first annual Cloud Platform bug-bounty prize, for a clever container escape exploit.

    Google has awarded its inaugural annual top prize for the Google Cloud Platform (GCP), for vulnerabilities found in the Google Cloud Shell. The find — a container escape that leads to host root access and the ability to use privileged containers — has earned $100,000 for Dutch researcher Wouter ter Maat.

Security Leftovers

Filed under
Security
  • KrØØk WiFi vulnerability affected WiFi encryption on over a billion devices

    Apple described the impact of the kr00k vulnerability as such when they patched this vulnerability in October 2019...

  • Daniel Stenberg: curl 7.69.1 better patch than sorry

    Quite obviously this release was not shipped aligned with our standard 8-week cycle. The reason is that we had too many semi-serious or at least annoying bugs that were reported early on after the 7.69.0 release last week. They made me think our users will appreciate a quick follow-up that addresses them. See below for more details on some of those flaws.

    How can this happen in a project that soon is 22 years old, that has thousands of tests, dozens of developers and 70+ CI jobs for every single commit?

    The short answer is that we don’t have enough tests that cover enough use cases and transfer scenarios, or put another way: curl and libcurl are very capable tools that can deal with a nearly infinite number of different combinations of protocols, transfers and bytes over the wire. It is really hard to cover all cases.

    [...]

    This was an out-of-schedule release but the plan is to stick to the established release schedule, which will have the effect that the coming release window will be one week shorter than usual and the full cycle will complete in 7 weeks instead of 8.

  • Windows has a new wormable vulnerability, and there’s no patch in sight

    Critical bug in Microsoft's SMBv3 implementation published under mysterious circumstances.

  • You Don't Own What You Buy Episode 9,000: Philips' Light Bulbs Lose Functionality

    One of the common themes here at Techdirt over the last decade is how in the digital and internet-connected era, the very meaning of "ownership" and "property" has changed -- often for the worse. In the broadband-connected era, firmware updates can often eliminate functionality promised to you at launch, as we saw with the Sony Playstation 3. And with everything now relying on internet-connectivity, companies can often give up on supporting devices entirely, often leaving users with very expensive paperweights as we saw after Google acquired Revolv.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (qemu-kvm and sudo), Debian (chromium), Mageia (gpac, libseccomp, and tomcat), openSUSE (gd and postgresql10), Oracle (qemu-kvm), Red Hat (chromium-browser), Scientific Linux (qemu-kvm), Slackware (firefox), and SUSE (ipmitool, java-1_7_0-openjdk, librsvg, and tomcat).

  • The Internet of Things is a security nightmare reveals latest real-world analysis: unencrypted traffic, network crossover, vulnerable OSes

    No less than 98 per cent of traffic sent by internet-of-things (IoT) devices is unencrypted, exposing huge quantities of personal and confidential data to potential attackers, fresh analysis has revealed.

    What’s more, most networks mix IoT devices with more traditional IT assets like laptops, desktops and mobile devices, exposing those networks to malware from both ends: a vulnerable IoT device can infect PCs; and an unpatched laptop could give an attacker access to IoT devices - and vast quantities of saleable data.

    Those are the big conclusions from a real-world test of 1.2 million IoT devices across thousands of physical locations in the United States, carried out by Palo Alto Networks.

  • Microsoft Patch Tuesday, March 2020 Edition

    Microsoft Corp. today released updates to plug more than 100 security holes in its various Windows operating systems and associated software. If you (ab)use Windows, please take a moment to read this post, backup your system(s), and patch your PCs.

Canonical Promotions of TTX Exercises and ESM

Filed under
Security
Ubuntu
  • On Boxing, Tabletop Exercises and Threat Models

    At Canonical we have recently performed a series of cyber tabletop exercises (TTX). A TTX is an information security preparedness drill where a cyber incident scenario is played out to improve your tactics, techniques and procedures (TTPs). When performing a TTX it is important to use the same amount of staff and effort as though a real incident were occurring. This helps to uncover deficiencies in your TTPs and address those issues before a real event occurs. Being as efficient as possible is critical during incident response because as time passes data that can help determine root cause is lost and the attacker may still be causing harm to the environment.

    This past month we performed two TTXs with different groups within Canonical. This type of exercise requires support from the top down, you will be interrupting work for up to a day and it is imperative that the management of each team is behind this effort. At Canonical security is in our DNA and this exercise was performed with full support of everyone within the company.

  • Interana uses ESM to maintain system security while upgrading its customers to Ubuntu 18.04 LTS across public clouds

    Interana, an analytics software provider, enables users to run advanced big data queries on raw customer data and delivers answers in seconds. Their customers include Microsoft, Comcast and Salesforce.

    Interana’s leading-edge platform is based on Ubuntu and deployed directly inside customers’ public cloud environments. This empowers users with some of the fastest analytics capabilities on the market. However, this also means that they have to schedule large-scale data migrations with each client.

Security: Vista 10, Intel, Patches and "Over 80% of Medical Imaging Devices Run on Outdated Operating Systems"

Filed under
Security
  • Windows 10 KB4535996 Update Issues: Crashes, Slowdowns, Audio, More

    Since the release of the Windows 10 KB4535996 cumulative update, Windows users have been reporting numerous problems including boot issues, crashes, performance problems, audio issues, and developer tools no longer working.

    The optional Windows 10 KB4535996 cumulative update was released on February 27th, 2020 and while it resolved some Windows Search issues, it also introduced other issues for users who installed the update.

    Unfortunately with Windows 10 installed on over 900 million PCs, there are always going to be problems for some users when installing a new update such as Windows not booting, the screen flickers, Cortana is broken, or they can no longer launch programs.

  • Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling LVI flaw will slash performance

    Computer security researchers involved in the discovery of the Meltdown and Spectre vulnerabilities affecting many modern processors have developed a related attack technique called Load Value Injection (LVI).

    The attack relies on microarchitectural data leakage to inject and execute malicious code in a way that breaks the confidentiality of modern Intel systems.

    Chipzilla's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x.

  • Say hello to your new best friend 'LVI' - another security flaw in CPUs for Intel

    Oh hell. This comes shortly after Intel had another one announced that was 'unfixable', plus one for AMD too and now this all in the space of a month. Rough time right now, for Intel specifically on this one.

  • Security updates for Tuesday

    Security updates have been issued by Debian (libvpx and network-manager-ssh), Fedora (cacti, cacti-spine, and podman), openSUSE (chromium and python-bleach), Oracle (curl), Red Hat (ansible and qemu-kvm), SUSE (gd, ipmitool, and php7), and Ubuntu (runc and sqlite3). 

  • Over 80% of Medical Imaging Devices Run on Outdated Operating Systems

Security Leftovers

Filed under
Security
  • The Internet Avoided a Minor Disaster Last Week

    Let's Encrypt's work is technical and happens in the background. But in a few short years it has helped make the internet much more secure on a fundamental level. Plenty of companies offer security certificates; Let’s Encrypt just took the audacious step of making them free. A week ago, it issued its billionth certificate.

    But that ubiquity also means that when a pebble drops in the middle of Let’s Encrypt’s pond, the ripples can travel a long way. On February 28, the pebble was a bug that threatened to effectively render 3 million sites nonfunctional in a matter of days.

  • Intel Chip Flaw Proves Unfixable Despite Patches

    "With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation, or in other words, pass off an attacker computer as the victim's computer," wrote Positive Technology in the report.

  • Positive Technologies: Unfixable vulnerability in Intel chipsets threatens users and content rightsholders

    By exploiting vulnerability CVE-2019-0090, a local attacker could extract the chipset key stored on the PCH microchip and obtain access to data encrypted with the key. Worse still, it is impossible to detect such a key breach. With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation, or in other words, pass off an attacker computer as the victim's computer. EPID is used in DRM, financial transactions, and attestation of IoT devices.

  • Universities ‘need joint security teams to counter cyber threat’

    Universities must create joint cybersecurity teams to protect themselves against ever more sophisticated hacking attempts, according to the vice-president of a Dutch university hit by a ransomware attack over Christmas that forced the institution to pay the equivalent of about £175,000 to criminals.

  • Many New Voting Systems Aren’t Ready for Prime Time

    Put aside, for now, foreign meddling in U.S. elections, social media propaganda and partisan voter suppression. The newest emerging threat to elections in 2020 is new voting systems that have been insufficiently tested and phased in, but have been debuting in many of 2020’s presidential primaries and caucuses.

LXD 3.22 Released- Added Features, Improvements & Bug Fixes

Filed under
Linux
Security

LXD 3.22: Stéphane Graber from the LXD Team said, "The LXD Team is very excited to announce the release of LXD 3.22 and you will find VM images for Ubuntu, Debian, CentOS, Fedora, and Arch". The latest LXD 3.22 comes with a number of added features, updates, and bug fixes for its containers and virtual machines, and it is readily available for download for your Linux distro.

More in Tux Machines

'Open Source' Response to COVID-19

  • Govt to top institutes: offer open source courses, e-learning modules

    The human resource development (HRD) ministry has asked top higher educational institutions, including the Indian Institutes of Technology (IITs), to create e-learning modules for their own use and open source courses to help the larger education ecosystem. The ministry has asked them to adopt credit transfer to bring cohesion among institutions, and make online and offline education seamless, as the world battles the covid-19 pandemic.

  • Engineer Responds to Call with Open-Source, DIY Face Shield

    Like many hospitals and clinics around the country, UW Health in Madison, Wisconsin is facing a shortage of face shields stemming from supply chains challenged by the ongoing COVID-19 threat. However, unlike other communities, UW Health has Lennon Rodgers. Rodgers is the director of the Engineering Design Innovation Lab at the University of Wisconsin. When he received an urgent email asking about his ability to produce 1,000 face shields for UW staff, he went to work. His story was recently chronicled by Wired.com.

  • Designers pitch in to make open-source face shields

    It took less than a week for the director of the University Kansas Center for Design Research and some of his former students and colleagues to crank out an open-source design for a plastic face shield to help protect health care workers battling the COVID-19 pandemic. In just a few days, it has been freely downloaded around the world more than 4,500 times. And 10,000 of the shields already produced locally will soon be available to caregivers in The University of Kansas Health System. What’s more, almost anyone, anywhere with a computer-aided router and a common type of plastic sheeting can rapidly produce more of them.

  • An Open-Source Solution to Get E-Passes During Lockdown Online

    With a 21-day lockdown being imposed across India and the police using excessive force in certain cases to implement a curfew, there is a need to get valid passes as easily as possible to ensure essential services keep functioning during the COVID-19 pandemic. [...] The solution, according to a memo sent out by Sharad Sharma, co-founder iSPIRT, is a software app its volunteers developed in just 72 hours - Anumati. Here's what the app proposes by way of simplifying how to get passes.

Eclipse Theia 1.0

  • The Eclipse Foundation Releases Eclipse Theia 1.0, a True Open Source Alternative to Visual Studio Code
  • Eclipse Releases Open Source Alternative to Visual Studio Code [Ed: Why does everything need to be described in terms of what it is or they are to Microsoft?]

    The Eclipse Foundation has released Eclipse Theia 1.0, which it is promoting as "a true open source alternative" to Microsoft's lightweight Visual Studio Code (VS Code) source code editor. An extensible platform for building multi-language desktop and Web-based IDEs from the same codebase, Theia was started in 2016 as a project by Ericsson and TypeFox, and it became an Eclipse project in 2019. It's now one of the projects in the Eclipse Cloud Development Tools Working Group (ECD WG), an industry collaboration focused on delivering development tools for and in the cloud.

  • Eclipse Theia 1.0 is an open source alternative to VS Code

    The Eclipse Foundation, one of the leading global voices advancing open source software, released Eclipse Theia version 1.0. Intended to be a completely open source alternative to Microsoft’s Visual Studio Code, Eclipse Theia supports multiple languages and combines some of the best features of IDEs into one extensible platform. If the name rings any bells, the Theia project previously began elsewhere. It was initially created by Ericsson and TypeFox (founders of Gitpod and Xtext) in 2016 and moved to The Eclipse Foundation in May of 2018. To celebrate this milestone, explore some of its stand-out features and see what sets it apart from VS Code.

  • Eclipse Releases Theia - Open Source VSCode Alternative

    The Eclipse Foundation has released Theia, described as a true open source alternative to Microsoft’s popular Visual Studio Code. Theia is an extensible platform to develop multi-language Cloud and Desktop IDEs. Theia has been designed to be an extensible platform to develop multi-language Cloud and Desktop IDE-like products for developers. The project team says it means that as an adopter you don't need to make an upfront decision about whether your new developer product should run in the cloud, on the desktop, or both.

Nate Graham on Latest KDE Improvements

  • This week in KDE: Moar performance!

    Some very nice performance fixes landed this week, which should substantially boost move and copy speeds for local transfers and transfers to and from Samba shares in particular. But that’s not all, and there’s more on the menu…

  • KDE Starts April With Big Performance Jump For Local I/O + 50~95% Faster Samba Transfers

    KDE developers managed to squeeze some long-problematic I/O optimizations into the KDE code-base this week along with other enhancements to make for a nice first week of April. The performance work for kicking off April includes: - 50~95% faster transferring of large files to/from Samba shares. This big speed-up is a Dolphin improvement for a 2012 bug report. This fast-copy support for the Samba code should now allow "mount-level copy performance" thanks to various architectural changes in the code.

Programming Literature: Jussi Pakkanen on Meson, Shing Lyu on Rust and "25 Best JavaScript Books for Newbie and Professional"

  • Jussi Pakkanen: Meson manual sales status and price adjustment

    The second part (marked with a line) indicates when I was a guest on CppCast talking about Meson and the book. As an experiment I created a time limited discount coupon so that all listeners could buy it with €10 off. As you can tell from the graph it did have an immediate response, which again proves that marketing and visibility are the things that actually matter when trying to sell any product. After that we have the "new normal", which means no sales at all. I don't know if this is caused by the coronavirus isolation or whether this is the natural end of life for the product (hopefully the former but you can never really tell in advance).

  • Shing Lyu: Lessons learned in writing my first book

    You might have noticed that I didn’t update this blog frequently in the past year. It’s not because I’m lazy, but I focused all my creative energy on writing this book: Practical Rust Projects. The book is now available on Apress, Amazon and O’Reilly. In this post, I’ll share some of the lessons I learned in writing this book. Although I’ve been writing Rust for quite a few years, I haven’t really studied the internals of the Rust language itself. Many of the Rust enthusiasts whom I know seem to be having much fun appreciating how the language is designed and built. But I take more joy in using the language to build tangible things. Therefore, I’ve been thinking about writing a cookbook-style book on how to build practical projects with Rust, ever since I finished the video course Building Reusable Code with Rust. To my surprise, I received an email from Steve Anglin, an acquisition editor from Apress, in April 2019. He initially asked me to write a book on the RustPython project. But the project was still growing rapidly thanks to the contributors. I’ve already lost grip on the overall architecture, so I can’t really write much about it. So I proposed the topic I had in mind to Steve. Fortunately, the editorial board accepted my proposal, and we decided to write two books: one for general Rust projects and one for web-related Rust projects. Since this is my first time writing a book that will be published in physical form (or as The Rust Book put it, “dead tree form”), I learned quite a lot throughout the process. Hopefully, these points will help you if you are considering or are already writing your own book.

  • The 25 Best JavaScript Books for Newbie and Professional

    JavaScript is a programming language that is object-oriented and used to make dynamic web pages by adding interactive effects. This client-side scripting language is used by almost 94.5% of web pages available on the internet. The language is very easy but also known as one of the most misunderstood programming languages. You should choose the right guidelines so that you can get all the answers to your questions related to JavaScript. Here we will provide you with a list of the best JavaScript books so that you can learn JavaScript and never become confused.