
Security

Security: Charter Cracked, Code Injections, Android Updates and Various FOSS Updates

Filed under
Security
  • Charter Spectrum Security Flaw Exposes Private Data Of Millions Of Subscribers

    Last year you'll recall that the cable and broadband industry lobbied the government to kill off broadband privacy rules at the FCC. The rules were fairly basic, requiring that ISPs and cable operators clearly disclose what data is being collected and sold, but also provide working opt-out tools for users who didn't want to participate. The rules also contained restrictions requiring that consumers opt in to more sensitive data collection (financial), as well as some requirements that ISPs and cable ops adhere to standard security procedures, and quickly inform consumers when their private data was exposed by a hacker.

    In recent months, the cable industry has been showcasing how it's simply not very good at keeping its websites secure. Comcast, for example, has seen three privacy breaches in almost as many months, with security researcher Ryan Stevenson discovering numerous, previously-unreported vulnerabilities that potentially exposed the partial home addresses and Social Security numbers of more than 26.5 million Comcast customers.

  • What is Code Injection on Windows?

    Code injection is common on Windows. Applications “inject” pieces of their own code into another running process to modify its behavior. This technique can be used for good or evil, but either way it can cause problems.

  • You Should Pay Attention to These Android Manufacturers if You Care About Updates

    The Android update landscape is a disaster that has plagued the OS for years. “Fragmentation” is a common complaint against Android, but some manufacturers are starting to take the necessary steps to correct this years-long problem.

  • Security updates for Monday

Ubuntu and CentOS Are Undoing a GNOME Security Feature

Filed under
GNOME
Security

Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year.

The feature's name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME's thumbnail parsers in July 2017, with the release of GNOME 3.26.


Also: Open Source Security Podcast: Episode 111 - The TLS 1.3 and DNS episode

Security: OpenSSH, Sprint, Hacker Summer Camp 2018, Seagate, Apache Struts and Intel's Notorious RNG in Systemd

Filed under
Security
  • About OpenSSH "user enumeration" / CVE-2018-15473

    Regarding CVE-2018-15473: a few people have asked why we just committed
    a fix for this without any secrecy or treating it as a security
    problem. The reason is that I and the other OpenSSH developers don't
    consider this class of bug a significant vulnerability - it's a partial
    disclosure of non-sensitive information.

    We have and will continue to fix bugs like this when we are made aware
    of them and when the costs of doing so aren't too high, but we aren't
    going to get excited about them enough to apply for CVEs or do security
    releases to fix them. The following explains our reasoning.
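The bug class Miller is describing, as an added example that is not OpenSSH's code: a toy authentication handler that answers "no such user" before it has finished parsing the request behaves observably differently from the path taken for real accounts, and a probing client turns that difference into a username oracle. The wire format, account list (alice, bob) and packet layout below are simplified and constructed for illustration; the fixed handler follows the shape of the OpenSSH fix, which delays the bailout for an unknown user until the request has been fully parsed.

```python
"""Toy model of the bug class behind CVE-2018-15473 (added example, not
OpenSSH code). Real sshd parses a far richer message; the point is only the
ordering of "does this user exist?" against "is this packet well-formed?"."""
import struct

# Constructed sample account database.
KNOWN_USERS = {"alice", "bob"}


class ConnectionClosed(Exception):
    """Stands in for the server calling fatal() and dropping the connection."""


def put_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf: bytes, off: int):
    """Parse one SSH 'string' at buf[off:]; raise ValueError if truncated."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_pubkey_request(user: str, malformed: bool = False) -> bytes:
    """Simplified publickey USERAUTH_REQUEST: username, a 'has signature'
    boolean, an algorithm name and a key blob. The malformed variant declares
    a key-blob length with no bytes behind it."""
    body = b"\x00" + put_string(b"ssh-ed25519")
    if malformed:
        body += struct.pack(">I", 1000)   # claims 1000 bytes, supplies none
    else:
        body += put_string(b"\x00" * 32)
    return put_string(user.encode()) + body


def parse_rest(packet: bytes, off: int) -> None:
    """Parse the fields after the username; ValueError means malformed."""
    off += 1                                # skip the boolean
    _alg, off = get_string(packet, off)
    _blob, off = get_string(packet, off)


def handle_vulnerable(packet: bytes) -> str:
    """Bails out for unknown users before parsing: unknown user gets a polite
    failure message, known user plus malformed packet gets the connection
    closed. That asymmetry is the oracle."""
    user, off = get_string(packet, 0)
    if user.decode() not in KNOWN_USERS:
        return "USERAUTH_FAILURE"
    try:
        parse_rest(packet, off)
    except ValueError:
        raise ConnectionClosed("bad packet")
    return "USERAUTH_FAILURE"               # no key check in this toy model


def handle_fixed(packet: bytes) -> str:
    """Parses the whole request first, so a malformed packet is handled the
    same way whether or not the account exists."""
    user, off = get_string(packet, 0)
    try:
        parse_rest(packet, off)
    except ValueError:
        raise ConnectionClosed("bad packet")
    _known = user.decode() in KNOWN_USERS   # consulted only after parsing
    return "USERAUTH_FAILURE"


def observe(handler, user: str) -> str:
    """What a probing client sees when it sends a malformed request."""
    try:
        handler(build_pubkey_request(user, malformed=True))
        return "failure-message"
    except ConnectionClosed:
        return "connection-closed"


def enumerate_users(handler, candidates) -> set:
    """Candidates whose response differs from a name that certainly does not
    exist are revealed as real accounts."""
    baseline = observe(handler, "no-such-user-5f2c91")
    return {u for u in candidates if observe(handler, u) != baseline}


if __name__ == "__main__":
    wordlist = ["root", "alice", "mallory", "bob"]
    print("vulnerable handler reveals:", enumerate_users(handle_vulnerable, wordlist))
    print("fixed handler reveals:     ", enumerate_users(handle_fixed, wordlist))
```

Note what the oracle does and does not give an attacker: it confirms which names in a wordlist are accounts, nothing about their credentials, which is why the OpenSSH developers file it as a partial disclosure of non-sensitive information rather than a vulnerability needing a security release.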

  • Weak passwords let a hacker [sic] access internal Sprint staff portal

    Using two sets of weak, easy-to-guess usernames and passwords, a security researcher accessed an internal Sprint staff portal. Because the portal’s log-in page didn’t use two-factor authentication, the researcher — who did not want to be named — navigated to pages that could have allowed access to customer account data.

  • Hacker Summer Camp 2018: Wrap-Up

    I meant to write this post much closer to the end of Hacker Summer Camp, but to be honest, I’ve been completely swamped with getting back into the thick of things. However, I kept feeling like things were “unfinished”, so I thought I’d throw together at least a few thoughts from this year.

  • SQL Injection Vulnerabilities in Seagate Personal Cloud Media Server allow Retrieval of Private Data

    The Seagate Media Server is a UPnP / DLNA Network Attached Storage mechanism incorporated into the Seagate Personal Cloud for individual level use. In an advisory on the IoT security bug hunt website Summer of Pwnage, several SQL injection vulnerabilities in the Seagate Media Server were discovered and discussed, risking the retrieval and modification of personal data stored in the database used by the media server.

    The Seagate Personal Cloud is a cloud storage facility that is used to store photos, videos, and other kinds of multimedia in its media server. As personal data is uploaded into this cloud, it is protected with authorization checks and password security, but within its layout, a public folder exists to which unauthorized users have the right to upload data and files.
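The injection pattern behind an advisory like the one above, as an added example that is not Seagate's code and does not reproduce the advisory's actual queries: an unauthenticated "list the public folder" query built by string formatting, beside the parameterised version that closes it. The SQLite table, file paths and payloads are constructed for illustration.

```python
"""Added example (not Seagate's code): SQL injection in a media-library
listing, against a constructed SQLite table, beside the parameterised fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample library: one public photo, two private files."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE media (
            id INTEGER PRIMARY KEY, owner TEXT, path TEXT, public INTEGER);
        INSERT INTO media VALUES (1, 'alice', '/Public/holiday.jpg',   1);
        INSERT INTO media VALUES (2, 'alice', '/alice/tax-return.pdf', 0);
        INSERT INTO media VALUES (3, 'bob',   '/bob/passport.png',     0);
    """)
    return conn


def list_public_vulnerable(conn, folder: str) -> list:
    """Listing of the public folder built by string formatting: the
    caller-controlled folder name lands inside the SQL text, so a quote in
    it ends the literal and the rest is executed as SQL."""
    sql = ("SELECT path FROM media WHERE public = 1 AND path LIKE '%s%%'"
           % folder)
    return [row[0] for row in conn.execute(sql)]


def list_public_safe(conn, folder: str) -> list:
    """Same listing with a bound parameter, so the input is always data.
    LIKE wildcards in the input are escaped too, so '%' or '_' cannot
    widen the match beyond the requested prefix."""
    pattern = (folder.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_") + "%")
    sql = "SELECT path FROM media WHERE public = 1 AND path LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


# Two payloads an unauthenticated client could send as the folder name.
TAUTOLOGY = "' OR 1=1 --"           # comments out the rest, drops public = 1
UNION = "' UNION SELECT owner || ':' || path FROM media --"   # other columns

if __name__ == "__main__":
    db = make_db()
    print("intended:   ", list_public_vulnerable(db, "/Public/"))
    print("tautology:  ", list_public_vulnerable(db, TAUTOLOGY))
    print("union:      ", list_public_vulnerable(db, UNION))
    print("safe query: ", list_public_safe(db, TAUTOLOGY))
```

The UNION payload is the one that matters for a media server: once the listing endpoint will run arbitrary SELECTs, every table the server's database user can read, not just the public folder, is reachable without a login.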

  • Remote Code Execution Vulnerability in Apache Struts 2.x Resolved in Update

    In an advisory published on the Confluence website maintained by the ASF community, a remote code execution vulnerability in Apache Struts 2.x was discovered and elaborated upon by Yasser Zamani. The discovery was made by Man Yue Mo of the Semmle Security research team. The vulnerability has since been given the label CVE-2018-11776. It is found to affect the Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 with possible remote code execution exploit opportunities.

  • Systemd Will Now Use RdRand Directly If The Kernel Can't Deliver Entropy [Ed: So systemd will use Intel's notorious back door, the RNG which BSD developers continuously distrust and reject. First Speck in the kernel (4.17) thanks to Google and now this.]

    Systemd will now resort to using Intel's RdRand hardware random number generator directly if the Linux kernel is unable to provide the init system with sufficient entropy.

    This systemd change stems from the issue of the Linux boot process getting stuck if there's not enough entropy due to a kernel change to eliminate CVE-2018-1108 over early boot processes potentially having weak random seed data. With systemd's random-util change, systemd will now use RdRand directly if the kernel can't provide any randomness, rather than having to block/stall.

Security: Intel Defects and Distraction, T-Mobile Cracked, Gentoo Improves Security

Filed under
Security

Security: Intel Hyper-Threading, Gartner's Rant, and More Mirai Scaremongering

Filed under
Security
  • OpenBSD Co-Founder Drops Hyper-Threading Support to Mitigate Foreshadow Attacks

    Theo de Raadt, an OpenBSD co-founder, has officially announced that the open-source operating system will not utilize Hyper-threading for Intel processors. He complains that Intel isn't telling them about upcoming discovered threats and the steps that an OS developer needs to take to mitigate against TLBleed and L1TF; otherwise known as "Foreshadow." He has dropped support for older versions of OpenBSD and asks users to upgrade to version 6.4 as he doesn't have the manpower to backport the changes.

  • Intel Hyper-Threading Accused of Being a Security Threat

    Following the reveal of the Foreshadow (L1TF) Intel CPU flaw, as well as the previous TLBleed flaw, Theo de Raadt, founder of OpenBSD, which makes a free, multi-platform, UNIX-like operating system, recommended everyone completely disable Intel’s Hyper-Threading in BIOS before hackers start taking advantage of it.

    [...]

    We’ve seen over the past few months that the Meltdown and Spectre flaws were not a one-time vulnerability that we could patch once and then forget about. Multiple Spectre-like speculative execution flaws have been found since Meltdown and Spectre were revealed earlier this year, and chances are we’ll continue to see more of them until the entire class of speculative execution bugs is fixed at the CPU architecture level.

    de Raadt also believes that Hyper-Threading itself will exacerbate most of the speculative execution bugs in the future, which is why now is the best time to disable it. He also recommended updating your BIOS firmware if you can.

    The OpenBSD founder criticized Intel over not being very transparent about how it intends to fix these speculative execution flaws once and for all and also about not properly documenting what operating systems are supposed to do to mitigate these bugs. The OpenBSD team had to learn how to research and develop their own mitigations based on what other operating systems were doing without much help from Intel.

  • A Rant on Single Function Security Tools
  • Mirai Variant Cross-Compiles Attack Code with Aboriginal Linux [Ed: This malware relies on systems being compromised in the first place, e.g. due to default password that's uniform]
  • Mirai IoT Malware Variant Abuses Linux Cross-Compilation Framework

US Election Security

Filed under
Security
  • No, a Teen Did Not Hack a State Election

    Headlines from Def Con, a hacking conference held this month in Las Vegas, might have left some thinking that infiltrating state election websites and affecting the 2018 midterm results would be child’s play.

    Articles reported that teenage hackers at the event were able to “crash the upcoming midterm elections” and that it had taken “an 11-year-old hacker just 10 minutes to change election results.” A first-person account by a 17-year-old in Politico Magazine described how he shut down a website that would tally votes in November, “bringing the election to a screeching halt.”

    But now, elections experts are raising concerns that misunderstandings about the event — many of them stoked by its organizers — have left people with a distorted sense of its implications.

    In a website published before r00tz Asylum, the youth section of Def Con, organizers indicated that students would attempt to hack exact duplicates of state election websites, referring to them as “replicas” or “exact clones.” (The language was scaled back after the conference to simply say “clones.”)

  • If It Doesn't Have Paper Backups and Automatic Audits, It's Not an Election Security Bill

    Right now, the U.S. Senate is debating an issue that’s critical to our democratic future: secure elections. Hacking attacks were used to try to undermine the 2016 U.S. election, and in recent years, elections in Latin America and Ukraine were also subject to cyber attacks.

    It only makes sense to harden the security of U.S. voting machines, which are perhaps the most direct route to impacting an election’s results. But the current bill that’s advancing in the Senate, the Secure Elections Act, is no solution at all. If it isn’t strengthened dramatically, senators should vote against this deeply flawed bill.

    The best solution to stop a possible hack of voting machines is clear: all machines must use a paper trail that’s regularly audited. Many states with voting machines already use paper, but more than a dozen are using at least some machines that provide no paper trail. In five states—New Jersey, Delaware, South Carolina, Georgia, and Louisiana—not a single jurisdiction has a paper trail.

Security: Huawei, Intel, DNC, End of Life Microsoft

Filed under
Security
  • Huawei slams Australia ban as being 'politically motivated'

    Australia's decision to ban Huawei Technologies from playing a role in the country's 5G networks is "politically motivated, not the result of a fact-based, transparent, or equitable decision-making process", a spokesperson from the company's headquarters in Shenzhen says.

  • Huawei ban: China asks Australia to drop 'ideological bias'

    The Chinese Government has told its Australian counterpart to get rid of its "ideological biases" and create a "fair environment" for business in the country in the wake of the 5G ban imposed on Chinese companies Huawei Technologies and ZTE Corporation.

  • Australia's Huawei ban meant to please Uncle Sam

    For more than a few decades now, Huawei has been supplying telecommunications equipment to all parts of the world, 170 countries in all. Chances are that if there were any backdoors planted in that equipment, then some man or woman in some part of the world would have cottoned onto it.

  • Disable SMT/Hyperthreading in all Intel BIOSes

    Solving these bugs requires new cpu microcode, a coding workaround,
    *AND* the disabling of SMT / Hyperthreading.

    SMT is fundamentally broken because it shares resources between the two
    cpu instances and those shared resources lack security differentiators.
    Some of these side channel attacks aren't trivial, but we can expect
    most of them to eventually work and leak kernel or cross-VM memory in
    common usage circumstances, even such as javascript directly in a
    browser.

    There will be more hardware bugs and artifacts disclosed. Due to the
    way SMT interacts with speculative execution on Intel cpus, I expect SMT
    to exacerbate most of the future problems.
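De Raadt's note above (and the two OpenBSD items in the earlier section) says a complete L1TF/Foreshadow mitigation needs three things: new microcode, a kernel workaround, and SMT off. The check below is an added example, not OpenBSD's or the Linux kernel project's code, for verifying all three on a Linux host from /proc/cpuinfo and the sysfs vulnerability and SMT-control files. Assumptions, stated in the code as well: the `flush_l1d` CPU flag indicates the microcode with the L1D flush MSR is loaded; an l1tf status beginning `Mitigation:` means the kernel's PTE-inversion workaround is active; and SMT counts as off when `/sys/devices/system/cpu/smt/control` (Linux 4.19 and later) says `off`, `forceoff` or `notsupported`, or when the l1tf line itself reports `SMT disabled`. The sample inputs are constructed.

```python
"""Added example: does this Linux host have all three L1TF mitigation parts
(microcode, kernel workaround, SMT off)? Not kernel or OpenBSD code."""
import re

L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"
SMT_PATH = "/sys/devices/system/cpu/smt/control"     # Linux 4.19 and later


def cpuinfo_flags(cpuinfo_text: str) -> set:
    """Flags of the first processor block in /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    return set(m.group(1).split()) if m else set()


def assess_l1tf(l1tf_status: str, smt_control: str, cpuinfo_text: str) -> dict:
    """Report which mitigation parts are present and which are missing.

    Assumptions: 'flush_l1d' in the flags means the L1D-flush microcode is
    loaded; a status starting 'Mitigation:' means the kernel's PTE-inversion
    workaround is on; SMT is off when the control file says off/forceoff/
    notsupported or the l1tf line reports 'SMT disabled'. The 'ht' CPUID
    flag stays set even when SMT is disabled in firmware, so it is used only
    to decide whether SMT is relevant on this part at all."""
    flags = cpuinfo_flags(cpuinfo_text)
    status = l1tf_status.strip()
    if status == "Not affected":
        return {"affected": False, "missing": []}
    microcode = "flush_l1d" in flags
    kernel = status.startswith("Mitigation:")
    smt_off = (smt_control.strip() in ("off", "forceoff", "notsupported")
               or "SMT disabled" in status)
    missing = []
    if not microcode:
        missing.append("microcode: no flush_l1d flag")
    if not status:
        missing.append("kernel: no l1tf entry in sysfs (kernel predates the fix)")
    elif not kernel:
        missing.append("kernel: l1tf reports %r" % status)
    if "ht" in flags and not smt_off:
        missing.append("SMT/Hyper-Threading still enabled")
    return {"affected": True, "microcode": microcode, "kernel": kernel,
            "smt_off": smt_off, "missing": missing}


def read_file(path: str) -> str:
    """Read a procfs/sysfs file; empty string if the kernel does not expose it."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


# Constructed sample: patched kernel and microcode on an HT-capable part
# that still has SMT switched on, the case de Raadt's note is about.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: constructed sample\n"
    "flags\t\t: fpu vme ht sse2 ssse3 avx2 flush_l1d\n"
)
SAMPLE_L1TF = ("Mitigation: PTE Inversion; VMX: conditional cache flushes, "
               "SMT vulnerable\n")
SAMPLE_SMT = "on\n"

if __name__ == "__main__":
    print("sample host:", assess_l1tf(SAMPLE_L1TF, SAMPLE_SMT, SAMPLE_CPUINFO))
    live = assess_l1tf(read_file(L1TF_PATH), read_file(SMT_PATH),
                       read_file("/proc/cpuinfo"))
    print("this host:  ", live)
```

Run as root or not, it only reads; an empty `missing` list means the host matches de Raadt's three conditions. SMT disabled in firmware shows up as `notsupported` in the control file, which the check treats the same as `off`.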

  • Why the DNC Thought a Phishing Test Was a Real Attack [iophk: "turns out all the disinformation yesterday was just that -- disinformation; fat chance of the facts getting as much coverage though"]

    Lookout had alerted the DNC as well as DigitalOcean—the server company hosting the imposter—within hours of the fake site going live. The incident was initially touted as a success: A cyberespionage campaign thwarted before any data was stolen. Now, it instead raises questions about how a covert phishing simulation could have taken an understandably guarded group totally unaware.

  • Nearly half of English councils are using end of life server software

    Although the vast majority (between 88 and 94 per cent, depending on product) say that they intend to upgrade inside two years, by using such outdated software in the meantime, they continue to run the gauntlet of potential zero-day vulnerabilities with the power to bring down the entire infrastructure of the council.

Security: Photoshop Holes, Mirai FUD, and OpenSSH FUD

Filed under
Security
  • Adobe Patches 2 Code Execution Vulnerabilities in Photoshop CC 2017 & 2018

    Hot off the discovery board is news of two important vulnerabilities that have been found in Adobe’s Photoshop CC versions 19.1.5 and prior for the 2018 edition and versions 18.1.5 and prior for the 2017 edition. The discovery of these vulnerabilities was made by a Fortinet security researcher, Kushal Arvind Shah, but nothing has been officially released in the level of detail expected for CVE vulnerabilities.

    It appears that a combined update has been rolled out through the Adobe Creative Cloud for the respective editions and versions of Adobe Photoshop CC 2018 / 2017 to patch the two found vulnerabilities. The flaws are seen to impact the said versions of the software on both the Windows operating system and the Apple Mac operating system.

  • New Mirai Variants Leverage Open Source Project [Ed: DarkReading looking to blame "Open Source" because yes, people can craft things with FOSS. Sometimes even malicious things.]

    Mirai, the IoT botnet responsible for enormous DDoS attacks in 2016, has continued to evolve: it's now leveraging an open-source project named Aboriginal Linux to make cross-compiling the malicious code easier, more effective, and less prone to error.

  • Mirai leveraging Aboriginal Linux to target multiple platforms [Ed: Did Steve Ragan copy Catalin Cimpanu (below) or the other way around (almost identical spin)?]
  • Mirai IoT Malware Uses Aboriginal Linux to Target Multiple Platforms
  • Mirai botnet strikes again: This time it's going after a specific open source project [Ed: So, long story short, devices with holes or hand-coded passwords in them are blamed on "Linux" and/or "Open Source"]
  • Vulnerability in OpenSSH “for two decades” (no, the sky isn’t falling!) [Ed: Responding to the likes of Catalin Cimpanu]

    The OpenSSH software came out of the super-security-conscious operating system project OpenBSD, the “free, functional and secure” operating system that boasts on its website that it’s suffered “only two remote holes in the default install, in a heck of a long time!”

    Compared to the average Linux distro, or Windows, or macOS, or pretty much any mobile phone you care to mention, that isn’t an idle boast, even if it’s not the sort of claim a traditional marketing department might go for.

Security: Updates, Windows, Huawei, Election

Filed under
Security

Intel 'gags' Linux distros from revealing performance hit from Spectre patches

Filed under
GNU
Linux
Security

Open-source champion Bruce Perens has called out Intel for adding a new restriction to its software license agreement along with its latest CPU security patches to prevent developers from publishing software benchmark results.

The new clause appears to be a move by Intel to legally gag developers from revealing performance degradation caused by its mitigations for Spectre and Foreshadow or 'L1 Terminal Fault' (L1TF) flaw speculative attacks.

"You will not, and will not allow any third party to ... publish or provide any software benchmark or comparison test results," Intel's new agreement states.

The new term appeared with the fixes for 'L1 Terminal Fault' that were recently delivered to Microsoft and Linux distributions.
