Language Selection

English French German Italian Portuguese Spanish

Security

Cryptography in Ubuntu 16.04 and GTK2 Demotion

Filed under
GNOME
Security
Ubuntu
  • Canonical Announces Certified FIPS 140-2 Cryptographic Packages for Ubuntu 16.04

    Canonical announced on Wednesday the availability of officially certified FIPS 140-2 cryptographic packages for the long-term supported Ubuntu 16.04 LTS (Xenial Xerus) operating system series through its Cryptographic Module Validation Program.

    Level 1 FIPS 140-2 cryptographic packages can now be purchased for your Ubuntu 16.04 LTS operating system through Canonical's Ubuntu Advantage service or as a separate, standalone product. Ubuntu Advantage subscribers can already find the FIPS-compliant modules in the Ubuntu Advantage private archive if they use Ubuntu 16.04 LTS (Xenial Xerus) on their PCs.

  • GTK2 demotion
  • Ubuntu Developers Working Towards The Eventual Demotion Of GTK2

    Not only are Ubuntu developers working towards demoting Python 2 on their Linux distribution but they are also working on being able to demote the GTK2 tool-kit from the main archive to universe followed by its eventual removal in the future.

    Matthias Klose is hoping to organize more work towards this slow demotion process of GTK2 and ideally to get some of the issues cleared up ahead of the Ubuntu 18.04 Long-Term Support release in April.

Security: Fuzzing, Windows, and ROBOT

Filed under
Security
  • Language bugs infest downstream software, fuzzer finds

    Developers working in secure development guidelines can still be bitten by upstream bugs in the languages they use.

    That's the conclusion of research presented last week at Black Hat Europe by IOActive's Fernando Arnaboldi.

    As Arnaboldi wrote in his Black Hat Europe paper [PDF]: “software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee. Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”

  • Kaspersky Antivirus Engine Causing BSOD on Windows 10 Fall Creators Update

    Despite the criticism it received in the United States and in the United Kingdom, Kaspersky continues to be one of the leading security vendors for Windows users across the world, with its software protecting millions of systems powered by Microsoft’s OS.

    But it turns out that some of those whose computers were running the Windows 10 Fall Creators Update and Kaspersky Internet Security 2018 have been hit by a bug causing a Blue Screen of Death (BSOD) since earlier this month.

    BornCity reveals that the issue first appeared earlier this month when some users complained of a BSOD on Windows 10 build 16299.98, which indicates that these systems were running the latest version of the OS with cumulative update KB4051963.

  • ROBOT Attack

    ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.

  • ROBOT Attack: 19-Year-Old Bug Returns With More Power To Target Facebook & Paypal

    The attack can compromise a website’s RSA encryption by decrypting the data using the private key of the TLS server. It was possible because of the vulnerability present in the RSA algorithm used in SSL protocol, exploited by Bleichenbacher.

Security: Patch Management, Windows Keyloggers, and Fingerprinting MySQL

Filed under
Security
  • Open Source Patch Management: Options for DIYers [Ed: "Linux comes with patch management," it says, which defeats much of the point of this article...]

    CVE-2017-5638 is the code vulnerability that will long live in the corporate memory of Equifax, the credit ratings agency. A simple patch management system might have kept that vulnerability from turning into one of the most high-profile data breaches in recent memory.

    CVE-2017-5638 is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, an open source application framework for developing Java EE web applications. Remote code execution bugs are generally extremely serious, and for that reason, when the vulnerability was discovered, the Apache Foundation recommended that any developers or users of affected versions of Struts upgrade to later versions that had been patched to close the vulnerability.

  • HP laptops found to have hidden keylogger

    HP said more than 460 models of laptop were affected by the "potential [sic] security vulnerability".

    [...]

    In May, a similar keylogger was discovered in the audio drivers pre-installed on several HP laptop models.

  • Fingerprinting MySQL with scannerl

    The goal here is to identify the version of MySQL running on a remote host.

Security: NSA, Microsoft Debacles, and FOSS Updates

Filed under
Security
  • Script Recovers Event Logs Doctored by NSA Hacking Tool

    Security researchers have found a way to reverse the effects of an NSA hacking utility that deletes event logs from compromised machines.

    Last week, Fox-IT published a Python script that recovers event log entries deleted using the "eventlogedit" utility that's part of DanderSpritz, a supposed NSA cyber-weapon that was leaked online by a hacking group known as the Shadow Brokers.

    According to Fox-IT, they found a flaw in the DanderSpritz log cleaner when they realized the utility does not actually delete event log entries, but only unreferences them, merging entries together.

  • Pre-Installed Keylogger Discovered on Hundreds of HP Laptop Models

    A keylogger that can help record pretty much every keystroke on the computer has been discovered on HP’s devices, with a security researcher revealing that hundreds of laptop models come with this hidden software pre-installed.

    Michael Myng says in an analysis of the keylogger that the malicious code is hiding in the Synaptics Touchpad software and he actually discovered it when looking into ways to control the keyboard backlight on his laptop.

    According to his findings, the keylogger isn’t activated by default, but it can be turned on by any cybercriminals that get access to the system. The list of affected models includes hundreds of laptops like EliteBook, ProBook, Spectre, Zbook, Envy, and Pavilion.

  • Laptop touchpad driver included extra feature: a keylogger [Ed: This is the second time in recent times HP gets caught with keyloggers; This is no accident, it's intentional.]

    Flaws in software often offer a potential path for attackers to install malicious software, but you wouldn't necessarily expect a hardware vendor to include potentially malicious software built right into its device drivers. But that's exactly what a security researcher found while poking around the internals of a driver for a touchpad commonly used on HP notebook computers—a keystroke logger that could be turned on with a simple change to its configuration in the Windows registry.

  • Microsoft Needed 110 Days to Fix Critical Security Bug After First Ignoring It

    Microsoft needed more than 100 days to fix a critical credential leak in Dynamics 365 after the company originally ignored the bug report and only reacted after being warned that details could go public.

    Software engineer Matthias Gliwka explains in a long blog post that he discovered and reported a security flaw in Microsoft’s Customer Relationship Manager and Enterprise Resource Planning software in August, but the software giant refused to fix it on claims that administrator credentials would be required.

    Gliwka says he came across a wildcard transport layer security (TLS) certificate that also included the private key, which would in turn expose communications by anyone who could decrypt traffic. The developer says that extracting the certificate grants access to any sandbox environment, with absolutely no warning or message displayed to clients.

  • UK Spy Agency Finds Severe Flaw in Microsoft Antivirus in Kaspersky Bye-Bye Push
  • Security updates for Monday

Security: OpenSSL, Windows, Gun Safe and Debian

Filed under
Security

WordPress 4.9.1

Filed under
OSS
Security
Debian
  • WordPress hit with keylogger, 5,400 sites infected
  • WORDPRESS 4.9.1

    After a much longer than expected break due to moving and the resulting lack of Internet, plus WordPress releasing a package with a non-free file, the Debian package for WordPress 4.9.1 has been uploaded!

    WordPress 4.9 has a number of improvements, especially around the customiser components so that looked pretty slick. The editor for the customiser now has a series of linters what will warn if you write something bad, which is a very good thing! Unfortunately the Javascript linter is jshint which uses a non-free license which that team is attempting to fix.  I have also reported the problem to WordPress upstream to have a look at.

Microsoft EEE and Holes

Filed under
Microsoft
Security

Security: FUD, Let’s Encrypt, Updates, and 'Nature'

Filed under
Security
  • The Hidden Costs of Open Source Security Software [Ed: Using the Microsoft-connected Black Duck to badmouth FOSS again]
  • Let’s Encrypt Looking Forward to 2018

    Let’s Encrypt had a great year in 2017. We more than doubled the number of active (unexpired) certificates we service to 46 million, we just about tripled the number of unique domains we service to 61 million, and we did it all while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 46% encrypted page loads to 67% according to statistics from Mozilla - a gain of 21 percentage points in a single year - incredible. We’re proud to have contributed to that, and we’d like to thank all of the other people and organizations who also worked hard to create a more secure and privacy-respecting Web.

  • Security updates for Friday
  • 'Nature' Editorial Juxtaposes FOIA Email Release With Illegal Hacking [sic]

    The release of these emails by a person who has a clear point-of-view on the issue, however, has led to yet another discussion of the proper way of publishing raw documents. Nature, one of the more respected and widely read science publishers, mentions the release of these emails in the same breath as emails that were obtained by illegal hacking [sic] in an editorial published this week:

Security: Uber and Windows Debacles

Filed under
Security

Sessions And Cookies – How Does User-Login Work?

Filed under
Security

Facebook, Gmail, Twitter we all use these websites every day. One common thing among them is that they all require you to log in to do stuff. You cannot tweet on twitter, comment on Facebook or email on Gmail unless you are authenticated and logged in to the service.

Read<br />
more

Syndicate content