Language Selection

English French German Italian Portuguese Spanish

Security

Security: Uber, Replacing x86 Firmware, 'IoT' and Chromebook

Filed under
Security
  • Key Dem calls for FTC to investigate Uber data breach

    A key Democrat is calling on the Federal Trade Commission (FTC) to investigate a massive Uber breach that released data on 57 million people, as well as the company's delay in reporting the cyber incident.

  • Multiple states launch probes into massive Uber breach
  • Replacing x86 firmware with Linux and Go

    The problem, Minnich said, is that Linux has lost its control of the hardware. Back in the 1990s, when many of us started working with Linux, it controlled everything in the x86 platform. But today there are at least two and a half kernels between Linux and the hardware. Those kernels are proprietary and, not surprisingly, exploit friendly. They run at a higher privilege level than Linux and can manipulate both the hardware and the operating system in various ways. Worse yet, exploits can be written into the flash of the system so that they persist and are difficult or impossible to remove—shredding the motherboard is likely the only way out.

  • Connected sex-toy allows for code-injection attacks on a robot you wrap around your genitals

    However, the links included base-64 encoded versions of the entire blowjob file, making it vulnerable to code-injection attacks. As Lewis notes, "I will leave you to ponder the consequences of having an XSS vulnerability on a page with no framebusting and preauthed connection to a robot wrapped around or inside someones genitals..."

  • Chromebook exploit earns researcher second $100k bounty

    For Google’s bug bounty accountants, lightning just struck twice.

    In September 2016, an anonymous hacker called Gzob Qq earned $100,000 (£75,000) for reporting a critical “persistent compromise” exploit of Google’s Chrome OS, used by Chromebooks.

    Twelve months on and the same researcher was wired an identical pay out for reporting – yes! – a second critical persistent compromise of Google’s Chrome OS.

    By this point you might think Google was regretting its 2014 boast that it could confidently double its maximum payout for Chrome OS hacks to $100,000 because “since we introduced the $50,000 reward, we haven’t had a successful submission.”

    More likely, it wasn’t regretting it at all because isn’t being told about nasty vulnerabilities the whole point of bug bounties?

  • Why microservices are a security issue

    And why is that? Well, for those of us with a systems security bent, the world is an interesting place at the moment. We're seeing a growth in distributed systems, as bandwidth is cheap and latency low. Add to this the ease of deploying to the cloud, and more architects are beginning to realise that they can break up applications, not just into multiple layers, but also into multiple components within the layer. Load balancers, of course, help with this when the various components in a layer are performing the same job, but the ability to expose different services as small components has led to a growth in the design, implementation, and deployment of microservices.

Ubuntu 17.10 Users Get Major Kernel Update, 20 Security Vulnerabilities Patched

Filed under
Security

If you're using the latest Ubuntu 17.10 (Artful Aardvark) operating system on your personal computer, you should know that it received it's first major kernel update since the official release back in October 19, 2017. The update addresses a total of 20 security vulnerabilities for Ubuntu 17.10's Linux 4.13 kernel packages, including the Raspberry Pi 2 one.

Among the security issues patched in this update, five are related to Linux kernel's USB subsystem, including a use-after-free vulnerability, which could allow a physically proximate attacker to crash the affected system by causing a denial of service (DoS attack) or possibly execute arbitrary code. Other three are related to the ALSA subsystem, including a race condition.

Read more

Security: Updates, Intel, Uber and HBO

Filed under
Security

Security: Updates, Intel, Torvalds

Filed under
Security
  • Security updates for Tuesday
  • Intel: We've found severe bugs in secretive Management Engine, affecting millions

    Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers.

    The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS).

  • Open Source Security Podcast: Episode 71 - GitHub's Security Scanner

    Josh and Kurt talk about GitHub's security scanner and Linus' security email. We clarify the esoteric difference between security bugs and non security bugs.

  • Linus Torvalds 'sorry' for swearing, blames popularity of Linux itself

    Linux overlord Linus Torvalds has apologised – a bit – for calling some security-centric kernel contributors “f*cking morons”.

    Torvalds unleashed a profanity-laden rant at Google developer Kees Cook, over the latter's proposal to harden the kernel.

    Another Google security chap, Matthew Garret, asked Torvalds “ Can you clarify a little with regard to how you'd have liked this patchset to look?”

    To which Torvalds responded that “I think the actual status of the patches is fairly good with the default warning.”

pfSense 2.4.2-RELEASE now available

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4.2, now available for new installations and upgrades!

pfSense software version 2.4.2 is a maintenance release bringing security patches and stability fixes for issues present in previous pfSense 2.4.x branch releases.

pfSense 2.4.2-RELEASE updates and installation images are available now!

Read more

Security: Linux, Free Software Principles, Microsoft and Intel

Filed under
Security
  • Some 'security people are f*cking morons' says Linus Torvalds

    Linux overlord Linus Torvalds has offered some very choice words about different approaches security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel.

    Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously accused of idiocy.

    Cook earned this round of shoutiness after he posted a request to “Please pull these hardened usercopy changes for v4.15-rc1.”

  • Free Software Principles

    Ten thousand dollars is more than $3,000, so the motives don't add up for me. Hutchins may or may not have written some code, and that code may or may not have been used to commit a crime. Tech-literate people, such as the readers of Linux Magazine, understand the difference between creating a work and using it to commit a crime, but most of the media coverage – in the UK, at least – has been desperate to follow the paradigm of building a man up only to gleefully knock him down. Even his achievement of stopping WannaCry is decried as "accidental," a word full of self-deprecating charm when used by Hutchins, but which simply sounds malicious in the hands of the Daily Mail and The Telegraph.

  • New warning over back door in Linux

    Researchers working at Russian cyber security firm Dr Web claim to have found a new vulnerability that enables remote attackers to crack Linux installations virtually unnoticed.

    According to the anti-malware company, cyber criminals are getting into the popular open-source operating system via a new backdoor.

    This, they say, is "indirect evidence" that cyber criminals are showing an increasing interest in targeting Linux and the applications it powers.

    The trojan, which it's calling Linux.BackDoor.Hook.1, targets the library libz primarily. It offers compression and extraction capabilities for a plethora of Linux-based programmes.

  • IN CHATLOGS, CELEBRATED HACKER AND ACTIVIST CONFESSES COUNTLESS SEXUAL ASSAULTS
  • Bipartisan Harvard panel recommends hacking [sic] safeguards for elections

     

    The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.  

  • Intel Chip Flaws Leave Millions of Devices Exposed

     

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.

Security: MuddyWater, DJI, Updates, Reproducible Builds and Excel

Filed under
Security

Security: FOSS Versus Windows

Filed under
Security

Security: Google and Morgan Marquis-Boire

Filed under
Security

  • Google: 25 per cent of black market passwords can access accounts

    The researchers used Google's proprietary data to see whether or not stolen passwords could be used to gain access to user accounts, and found that an estimated 25 per cent of the stolen credentials can successfully be used by cyber crooks to gain access to functioning Google accounts.

  • Data breaches, phishing, or malware? Understanding the risks of stolen credentials

    Drawing upon Google as a case study, we find 7--25\% of exposed passwords match a victim's Google account.

  • Infosec star accused of sexual assault booted from professional affiliations

    A well-known computer security researcher, Morgan Marquis-Boire, has been publicly accused of sexual assault.

    On Sunday, The Verge published a report saying that it had spoken with 10 women across North America and Marquis-Boire's home country of New Zealand who say that they were assaulted by him in episodes going back years.

    A woman that The Verge gave the pseudonym "Lila," provided The Verge with "both a chat log and a PGP signed and encrypted e-mail from Morgan Marquis-Boire. In the e-mail, he apologizes at great length for a terrible but unspecified wrong. And in the chat log, he explicitly confesses to raping and beating her in the hotel room in Toronto, and also confesses to raping multiple women in New Zealand and Australia."

Security: Amazon, Microsoft, and John Draper

Filed under
Security
  • Amazon security camera could be remotely disabled by rogue couriers

    However, researchers from Rhino Security Labs found attacking the camera's Wi-Fi with a distributed denial of service attack, which sends thousands of information requests to the device, allowed them to freeze the camera. It would then continue to show the last frame broadcast, rather than going offline or alerting the user it had stopped working.

  • Pentagon contractor leaves social media spy archive wide open on Amazon

    A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.

    The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, and in many cases those involved from people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide ranging and included Arabic language posts mocking ISIS and Pashto language comments made on the official Facebook page of Pakistani politician Imran Khan.

  • Pirated Microsoft Software Enabled NSA Hack says Kaspersky

    Earlier reports accused Kaspersky's antivirus software which was running on the NSA worker's home computer to be the reason behind the Russian spies to access the machine and steal important documents which belonged to NSA hacking unit, Equation Group.

  • Iconic hacker booted from conferences after sexual misconduct claims surface

    John Draper, a legendary figure in the world of pre-digital phone hacking known as "phreaking," has been publicly accused of inappropriate sexual behavior going back nearly two decades.

    According to a new Friday report by BuzzFeed News, Draper, who is also known as "Captain Crunch," acted inappropriately with six adult men and minors between 1999 and 2007 during so-called "energy" exercises, which sometimes resulted in private invitations to his hotel room. There, Draper allegedly made unwanted sexual advances.

    As a result of the new revelations, Draper, 74, is now no longer welcome at Defcon. Michael Farnum, the founder of HOU.SEC.CON, told Ars on Friday afternoon that Draper, who had been scheduled to speak in April 2018, was disinvited.

Syndicate content

More in Tux Machines

today's howtos

Wine 3.11 Released and Turok Remastered Roars on to Linux

  • Wine Announcement
    The Wine development release 3.11 is now available.
  • Wine 3.11 Brings Debugging Support For WoW64 Processes, Better Reporting Of HT CPUs
    Wine 3.11 is now available as the newest bi-weekly development release of this software for running Windows programs/games/applications on Linux and other operating systems. With Wine 3.11 there is better debugger support for WoW64 (Windows 32-bit on Windows 64-bit) processes, support for SHA256/SHA384 hashes inside ECDSA signatures, better reporting of virtual CPU cores via Hyper Threading / SMT, improvements to the standard Task Dialog, and a total of 12 known bug fixes.
  • Turok Remastered Roars on to Linux
    A remastered version of ‘Turok: Dinosaur Hunter’ has arrived on Linux. The game first found fame on the Nintendo 64 back way back in 1997, where it helped define the fledgling first-person shooter genre for an entire generation of gamers. Now a high-definition, remastered port is available to play on Linux, having stomped its way on to the Xbox One in May,

Ubuntu 18.04 Telemetry, Peppermint 9, Linux Mint 19

Chrome OS/Android Leftovers