Security

Sharing, Collaboration and 'Open Source' Tackling Covid-19

Filed under
Security
  • Worcester Polytechnic Institute working on open-source ventilator designs

    Researchers at Worcester (Mass.) Polytechnic Institute (WPI) are touting a design for turning inexpensive bag valve mask (BVM) resuscitators into automated ventilators to aid the fight against the coronavirus outbreak.

    The WPI team is designing the ventilators from readily available, manual BVM resuscitators so that they can fill the gap between the number of ventilators available and the number needed when COVID-19 is expected to peak, according to a news release.

    Anyone with a 3D printer and a background in electronics and mechanical engineering may be able to produce the ventilators for a local hospital, as the researchers intend to make designs of multiple devices and components publicly available. The researchers also believe a manufacturing company can use the designs to make the ventilators quickly and at scale.

  • Will EEs Be the Heroes of the Global Ventilator Shortage?

    As the coronavirus continues to spread, hospitals around the world face a severe shortage of ventilators that alleviate respiratory distress. New York could be short by about 15,000 ventilators to treat the most severe cases, according to The New York Times. In these uncertain times, even carmakers are starting to make ventilators and face masks to help out during the crisis.

    A quick search of ventilators shows that there are many makers around the world who try to build a basic ventilator using readily available materials or 3D-printed parts. Some of these projects are open source to solicit help from experts and enthusiasts all over the world.

    In this article, we’ll briefly look at some of these open-source projects. Some of the projects we assessed in this article include OpenLung BVM Ventilator, the Low-Cost Open Source Ventilator or PAPR, the Rice OEDK Design (or ApolloBVM), and OxyGEN, among others.

    We’ll also take a look at the general challenges that a low-budget open-source ventilator project might face.

  • UF researchers develop low-cost, open-source ventilator

    As the need for ventilators grows as hundreds of thousands of patients are expected to need treatment for COVID-19, a University of Florida professor is working to help meet the demand.

    UF Professor of Anesthesiology Dr. Samsun Lampotang and a team of UF researchers have developed a ventilator that can be made using items from the hardware store.

    As a UF mechanical engineering student decades ago, Lampotang helped respiratory therapist colleagues build a minimal-transport ventilator that became a commercial success. So, when the coronavirus pandemic hit and he heard the desperate international plea for thousands of more ventilators, he set out to build a prototype using plentiful, cheap components that could be copied from an online diagram and a software repository.

  • Triple Eight develops open-source ventilator prototype

    After nearly two weeks of around-the-clock development, Triple Eight Race Engineering has revealed a low-cost ventilator prototype in an effort to help fight the global coronavirus pandemic.

    Following the ill-fated Australian Grand Prix, the Brisbane-based racing team led by Roland Dane suspended its racing operations after government guidelines on social distancing were introduced.

    With the Supercars season on hold, Dane challenged a group of six engineers to conceptualise and develop a ‘worst-case scenario’ ventilator in the event of the virus worsening.

    It took the group of engineers just four days to design and produce the first proof of concept, slowed only by a lack of readily available electrical componentry.

  • Council on Foreign Relations: Time to Open-Source Ventilators
  • Rice University's open-source emergency ventilator design plans freely available

    The plans for Rice University's ApolloBVM, an open-source emergency ventilator design that could help patients in treatment for COVID-19, are now online and freely available to everyone in the world.

    The project first developed by students as a senior design project in 2019 has been brought up to medical grade by Rice engineers and one student, with the help of Texas Medical Center doctors. The device costs less than $300 in parts and can squeeze a common bag valve mask for hours on end.

  • WPI Researchers Developing Open-Source Designs to Speed Creation of Low-Cost Ventilators

    A team of researchers at Worcester Polytechnic Institute (WPI) is creating designs to turn inexpensive and readily available manual, hand-held, bag valve mask (BVM) resuscitators into automated ventilators that could be used to fill the deep gap between the number of life-saving ventilators available and the much larger number that will be needed when COVID-19 is expected to peak.

    The WPI researchers are going to make designs of multiple devices and their components publicly available so anyone with a 3D printer and a background in electronics and mechanical engineering could use them to produce ventilators for their local hospitals. A manufacturing company also could use the designs to produce ventilators quickly and at scale.

    “I just wanted to do something to help,” said Gregory Fischer, professor of robotics engineering and mechanical engineering, and director of the PracticePoint Medical Cyber-Physical Systems R&D Center, who spearheaded the idea. “A lot of people are trying to contribute, and this is an area where we can make an impact. We’re taking things that are used every day in emergency medicine and finding a way to turn them into safe, reliable, and readily replicable ventilators that can save patients’ lives. And we’re sharing those designs with the world.”

  • For Open-Source Ventilators, Making Them Is the Easy Part

    Last week, when Eric Humphreys heard about the impending need for ventilators to treat the huge influx of Covid-19 patients, he sprang into action. Humphreys used to be an EMT, and he remembered the bag valve mask resuscitators used in ambulances—called by the trademarked name of the leading provider, “Ambu bag”—and thought maybe he could create something like it. He didn’t have much else to do during the shutdown.

    Humphreys is a lifelong maker, working as the director of creative design technology at a production company called Standard Transmission. The company is best known for concocting the intricate Christmas window displays at Macy’s. Working in the now depopulated 20,000-square-foot headquarters in Red Hook, Brooklyn, he began building a DIY breathing machine. “I literally used Christmas parts,” he says.

    The point of a ventilator is to pump air into the lungs of patients who can’t breathe for themselves. The Ambu bag requires an EMT to manually press down on the plastic bladder, forcing the air into the patient. Humphreys rigged a machine to do the pumping. It took him only a couple of days to produce something that mimicked the action of an EMT on an Ambu bag.

  • Globally Scalable Open Source Ventilator Initiative
  • Indian engineers at MIT to develop open-source, low-cost ventilator for US

    One of the most pressing shortages facing hospitals during the COVID-19 emergency is a lack of ventilators. These machines can keep patients breathing when they no longer can on their own, and they can cost around $30,000 each. Now, a rapidly assembled volunteer team of engineers, physicians, computer scientists, and others, centered at MIT, is working to implement a safe, inexpensive alternative for emergency use, which could be built quickly around the world.

  • Hyderabadi in global open source ventilator project

    Amateur radio operators are once again playing a crucial role in times of despair, with some of them, including Hyderabad’s Ashhar Farhan, now in the process of developing an electronic control system for an open-source low-cost ventilator.

    The device was designed by researcher Sem Lampotang and his team at University of Florida using components like PVC pipes and lawn-sprinkler valves. The idea is to create a bare-bones ventilator that could serve in the event of a ventilator shortage anywhere in the world during the Covid-19 pandemic.

  • Medtronic Makes Plans for a Ventilator Open-Source - Nasdaq [Ed: openwashing lies]
  • Professional Ventilator Design Open Sourced Today By Medtronic [Ed: This is a lie and Bob Baddeley helps Medtronic spread false claims from its openwashing press release (above)]
  • Runaway Soldering Irons, Open Source Ventilators, 3D Printed Solder Stencils, And Radar Motion | Hackaday

    Hackaday editors Mike Szczys and Elliot Williams sort through the hardware hacking gems of the week. There was a kerfuffle about whether a ventilator data dump from Medtronics was open source or not, and cool hacks from machine-learning soldering iron controllers to 3D-printing your own solder paste stencils. A motion light teardown shows it’s not being done with passive-infrared, we ask what’s the deal with Tim Berners-Lee’s decentralized internet, and we geek out about keyboards that aren’t QWERTY.

  • Nonprofit releases open source tool for making 3D print reusable protective masks

    A nonprofit initiative aims to put an end to the protective mask shortage that both healthcare workers and the public are facing during the coronavirus pandemic by providing them with tools to make the gear at home.

    Mask Maker released the first medically-approved design for 3D printed protective masks in an open source program that is available online.

    The masks can be created using commonly available materials and hobbyist grade 3D printers for a cost of about $2.00 to $3.00 per unit for materials – and they can be manufactured in just a few hours.

    The finished product is reusable and is equivalent of 300 disposable masks over a two month period.

  • American architects mobilise to make coronavirus face shields for hospital workers
  • How Coronavirus can make open-source movements flourish and fix our healthcare systems

    Birds can be heard chirping loud, as Mark Turrell (CEO at Orcasci, Founder of unDavos) talks to the Data Natives online community from his garden. A squirrel might even jump on his head at any moment, he warns. In this idyllic scene from his home quarantine it might not seem so at first sight, but the entrepreneur, author and contagion expert is worried. And that says a lot, coming from a man who also used to be a spy in Libya and Syria. “We are living in a very unusual time”, he says.

    Turrell was in Davos this year when the coronavirus crisis broke loose in Wuhan. He became alarmed when he learned that the Chinese government had closed Wuhan. “A city of 16 million people, to just shut it down, that is weird”, he tells. “And then I saw, this virus has properties that will make it extremely hard to suppress and extremely hard to defeat.”

  • bjarke ingels group and more architects 3D print face shields for coronavirus medical staff

    showing the power of collaboration, a number of well-known architects have come together to help produce protective visors for hospital workers on the frontline of coronavirus (COVID-19). what began as an initiative by cornell university, led by jenny sabin, has now reached architecture studios across the US in a matter of days. the likes of BIG and KPF are now utilizing their firm’s 3D printers to mass-produce face shields and combat the shortage faced by medical staff.

  • Why isn't the government publishing more data about coronavirus deaths?

    Studying the past is futile in an unprecedented crisis. Science is the answer – and open-source information is paramount

  • [Repeat] Lesson of the Day: ‘D.I.Y. Coronavirus Solutions Are Gaining Steam’

    As the number of cases of Covid-19 grow across the globe, health care workers are facing a serious shortage of critical equipment and supplies needed to treat the coronavirus — from exam gloves to ventilators.

    From Ireland to Seattle, makers and engineers are creating open-source versions of much-needed medical equipment.

    In this lesson, you will learn about do-it-yourself makers who are collaborating to fight the gravest public-health threat of our time. In a Going Further activity, you will consider how you might contribute to the D.I.Y. movement.

  • Three state prison staff test positive; KU partners on open-source plastic mask design
  • Bangladesh's Daffodil University using open-source AI for COVID-19 test with x-ray images

    Researchers at Daffodil International University in Bangladesh are using an open-source Artificial Intelligence technology that can diagnose COVID-19 by using chest x-ray images.

    The university’s Department of Public Health, AI Unit, and Daffodil Group’s Cardio-Care Specialized and General Hospital have jointly launched the system with a 96 percent success rate, according to the researchers.

    The Directorate General of Health Services has cautiously welcomed the initiative saying that more analysis is needed before the technology can be put to use.

    The researchers started working on the technology two and a half months ago after the novel coronavirus emerged in China and a lack of testing kits began straining the public healthcare system the world over, Assistant Professor Sheikh Muhammad Allayar, head of the university’s Department of Multimedia and Creative Technology, told bdnews24.com.

  • Color is launching a high-capacity COVID-19 testing lab and will open-source its design and protocols

    Genomics health technology startup Color is doing its part to address the global COVID-19 pandemic, and has detailed the steps it’s taking to support expansion of testing efforts in a new blog post and letter from CEO Othman Laraki on Tuesday. The efforts include development of a high-throughput lab that can process as many as 10,000 tests per day, with a turnaround time of within 24 hours for reporting results to physicians. In order to provide the most benefit possible from the effort of standing this lab up, Color will also make the design, protocols and specifics of this lab available open-source to anyone else looking to establish high-capacity lab testing.

    [...]

    Color has also made efforts to address COVID-19 response in two other key areas: testing for front-line and essential workers, and post-test follow-up and processing. To address the need for testing for those workers who continue to operate in public-facing roles despite the risks, Color has redirected its enterprise employee base to providing, in tandem with governments and employers, onsite clinical test administration, lab transportation and results reporting with patient physicians.

  • Color to launch COVID-19 testing lab, open-source infrastructure to bolster national response to pandemic

    Color today announced it is launching a high-throughput CLIA-certified COVID-19 testing laboratory integrated with public health tools. The testing facility, based in Burlingame, CA, will begin processing clinical samples to support public health efforts over the coming week, with a near-term goal of performing 10,000 tests per day and a lab turnaround time of 24 hours.

    Color's lab is operating at cost as a public good. The lab's initial testing is backed by philanthropic support from industry leaders and private donors. In addition to increasing capacity for patients, Color is also supporting access to testing for public sector essential personnel and healthcare workers on the front lines of the crisis.

  • COVID-19: Creatives Join Forces to Make Open-source Garments to Fight Disease

    Creatives in the fields of design, fashion and communication of Antwerp have formed a collaboration to fight against the coronavirus. They’re tackling the urgent demand from healthcare workers for protective isolation gowns and coveralls. Are you interested in producing protective garments with these patterns? Are you a virologist or medical protective wear specialist and willing to help them refine requirements?

    Belgium—Creatives tegen Corona, CtC for short, a temporary collaboration between various Antwerp-based creatives, have united their skills and network in support of the healthcare workers in the battle against the worldwide COVID-19 epidemic.

    The collaboration began after members began hearing about the urgent demand from healthcare workers in their own circles. They got together to test and prototype various models of protective isolation gowns and overalls.

  • Don Bosco Tech engineers developing open-source ventilators to help COVID-19 patients
  • Mozilla will fund open source COVID-19-related technology projects

    Have you come up with hardware or software that can help solve a problem that arose from COVID-19 and its worldwide spread? Mozilla is offering up to $50,000 to open source technology projects that are responding to the pandemic in some way.

  • Open-source program to assess and map COVID-19 hazard risk

    Most of the COVID-19 maps that I see are usually choropleth maps at the country scale, which means that they assume a uniform distribution in each geographical unit. There are some other maps using a point symbology. However, the problem is that usually those points overlap each other. The approach adopted, on the other hand, increases the spatial resolution and granularity of information that is conveyed to the people.

    Most of the other COVID-19 maps/applications usually focus purely on confirmed cases/ deaths, while not paying much attention to the quantification of potential risks. For example, if you look at some of the most current maps, you will see that populous countries like India and Nigeria do not yet have a big problem, while their large populations alone increase their risk.

  • Tencent Open-sources Another AI-powered Tool to Help Conduct Preliminary Self-evaluation Regarding COVID-19 Infection

    Tencent Holdings Limited ("Tencent", 00700.HK), announced today to deepen collaboration with the World Health Organization (WHO). As part of the agreement, Tencent will provide technology support to combat the pandemic and open-sources another AI-powered tool today to assist the global fight against the coronavirus outbreak. The COVID-19 self-triage assistant, which is now available on Github for developers around the world, enables preliminary self-evaluation regarding infection of the disease and provides tips on its prevention. Prior to this tool, Tencent open-sourced a COVID-19 live updates module last Friday that has answered six billion pandemic-related queries in China over the past two months.

  • The open source response to Covid-19

    The coronavirus pandemic has exposed shortcomings and fragility in many of our largest and most important institutions. Some leaders have been slow to grasp the nature and severity of the threat, and citizens in many countries feel that some aspects of their government’s response or preparedness have been lacking. Faced with untracked spread in the population, generalized lockdowns aiming to suppress the spread of the virus are exacting heavy economic tolls. Companies in many sectors are warning of imminent bankruptcy, seeking bailouts, and many have already embarked on large scale layoffs, resulting in a rise in unemployment unprecedented in its sharpness. Central banks are warming up the printing presses, stepping in with all manner of bailouts, designed to avert specific outcomes that they see as being particularly damaging and therefore worth the cost of avoiding.

Security Leftovers

Filed under
Security
  • Browser makers cite coronavirus, restore support for obsolete TLS 1.0 and 1.1 encryption

    By common agreement, Google's Chrome, Microsoft's Internet Explorer (IE) and Edge, and Mozilla's Firefox were to disable support for TLS 1.0 and 1.1 early in 2020. They, along with Apple - which produces Safari - announced the move a year and a half ago, noting then that the protocols had been made obsolete by TLS 1.2 and 1.3.

    Apple, Google and Mozilla had committed to dropping support in March 2020, while Microsoft had only promised to purge TLS 1.0 and 1.1 sometime during the first half of this year.

    But it was Microsoft that was most detailed about the TLS turnabout. "In light of current global circumstances, we will be postponing this planned change - originally scheduled for the first half of 2020," Karl Pflug, of the Edge developer experience team, wrote in a post to a company blog.

  • Security updates for Friday

    Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2).

  • Google Squashes High-Severity Flaws in Chrome Browser

    Do you use Google Chrome as your web browser? Google has patched high-security vulnerabilities in its Chrome browser, and is rolling out the newest Chrome browser version in the coming days.

    [...]

    As is typical for Chrome updates, Google is initially scant in details of the bugs “until a majority of users are updated with a fix.” It did outline three of the vulnerabilities that were discovered by external researchers, however.

    These included two high-severity vulnerabilities in the WebAudio component of Chrome (CVE-2020-6450 and CVE-2020-6451). The WebAudio component is used for processing and synthesizing audio in web applications.

    The flaws tied to CVE-2020-6450 and CVE-2020-6451 are both use-after-free flaws. Use after free is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.

  • How YubiKey Bio could make remote security concerns a thing of the past

    The bottom line is, your office brings a level of built-in security that’s not as readily available at home. Even if your Wi-Fi is WPA2-encrypted with a strong password, the security on your PC and personal accounts likely pales in comparison to the firewalls and intranets inside your office. “This is the perfect scenario for an attacker to thrive in and opens opportunities for social engineering and phishing attacks––making it imperative for businesses to develop a contingency plan that includes securing remote workers,” said Appenzeller. “Enabling multi-factor authentication wherever possible is one of the best ways to protect a remote team and should be a top requirement for a work-from-home policy.”

Security Leftovers

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport).

  • COVID-19 forces browser makers to continue supporting TLS 1.0

    COVID-19 is forcing browser makers including Google and Mozilla to continue supporting the TLS 1.0 and TLS 1.1 protocols.

    In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the ageing and insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols.

    Mozilla Firefox and Google’s Chrome developers sneaked out the move in recent days with only Microsoft Edge team bothering to formally announce the sudden reprieve on Tuesday.

    In fairness, with COVID-19 throwing development schedules into minor chaos browser development teams probably have other things on their minds right now anyway.

    While a temporary delay, it’s still an unexpected retreat for an industry which had showed unity in collectively deciding to banish TLS 1.0 and the lesser used TLS 1.1 by early 2020.

  • New TLDs and Automatic link detection was a bad idea

    I've a few more .conf files in /etc which could be interesting in an IT environment, but for the sake of playing with it I registered nsswitch.co at godaddy. I do not want to endorse them in any way, but for the first year it's only 13.08EUR right now, which is okay to pay for a stupid demo. So if you feel like it, you can probably register something stupid for yourself to play around with. I do not intend to renew this domain next year, so be aware of what happens then with the next owner.

  • In-Store Gift Card Scams Need More Investigation

    Although consumers might think it’s safe to purchase gift cards in-store, scammers are managing to hack those cards’ security codes. “They can actually tamper with the card itself and then recover that so it looks like it’s never been tampered with, or there are some devices that can actually strip the number off the cards,” Stan Prager with GoGeeks told KPTV.

Security Leftovers

Filed under
Security
  • More good news: Medical equipment is still prone to [cracker] attacks [iophk: Windows TCO]

    A new report from Unit 42 says 72% of health care networks mix [Internet] of things (IoT) and information technology assets, allowing malware to spread from users’ computers to vulnerable IoT devices on the same network. The report also offers a lot of data on non-medical IoT attacks.

    There is a 41% rate of attacks exploiting device vulnerabilities, as IT-borne attacks scan through network-connected devices in an attempt to exploit known weaknesses. And Unit 42 has seen a shift from IoT botnets conducting denial-of-service attacks to more sophisticated attacks targeting patient identities, corporate data, and monetary profit via ransomware.

  • Conficker a Twelve Years Old Malware Attack Connected Objects [iophk: Windows TCO]

    Twelve years after its creation Conficker malware is now attacking connected objects. The American firm Palo Alto Networks announces that it has detected Conficker on the connected devices of a hospital, activating a resurgence of the twelve-year-old computer worm. It calls on all owners of connected objects to adopt the security measures recommended by specialists.

    According to a report released Tuesday, March 10, 2020, by IT expert Palo Alto Networks, a twelve-year-old computer worm called Conficker has recently made a comeback. The latter, which emerged in 2008 by taking advantage of security vulnerabilities in Microsoft’s Windows XP operating system, has generated a whole network of zombie machines.

    In 2009, Conficker reportedly infected up to 15 million machines. Still active, although it is considered a minor phenomenon and without real risk, it still infected some 400,000 computers in 2015. The proliferation of connected objects would have increased this number to 500,000 devices today.

  • [Older] Maastricht Univ. paid €250K to ransomware [attackers]: report [iophk: Windows TCO]

    Maastricht University paid between 200 thousand and 300 thousand euros to [attackers] who had blocked access to the university's digital systems with ransomware, various people involved told the Volkskrant. The university board was forced to pay because the university's backups were also hijacked. The backups [sic] - stored on the university servers - contain research data and data from students and staff from the past decades.

  • [Older] University of Maastricht says it paid [attackers] 200,000-euro ransom [iophk: Windows TCO]

    The University of Maastricht on Wednesday disclosed that it had paid [attackers] a ransom of 30 bitcoin — at the time worth 200,000 euros ($220,000) — to unblock its computer systems, including email and computers, after an attack that unfolded on Dec. 24.

  • [Older] Maastricht University Pays 30 Bitcoins as Ransom to TA505 Group [iophk: Windows TCO]

    A management summary of the Fox-IT report and Maastricht University’s response found that during the time frame of October 15 to 23 December 2019 (inclusive of both dates), the TA505 gained control over multiple servers. Following is the timeline of the events in the leadup to the final ransomware attack: [...]

  • FBI warns Zoom, teleconference meetings vulnerable to hijacking

    “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the FBI cautioned. “As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.”

    It’s not just private businesses and children whose meetings could be Zoombombed. Privacy and security issues in conferencing software may also pose risks to national security, as world leaders convene Zoom meetings. In some cases, world leaders such as U.K. Prime Minister Boris Johnson have shared screenshots of their teleconferencing publicly only to reveal Zoom meeting IDs, raising concerns that sensitive information could be compromised.

  • Qakbot malspam sent from an infected Windows host [iophk: Windows TCO]

    Every once in a while, I'll see spambot-style traffic from the Windows hosts I infect in my lab environment. On Tuesday 2020-03-31, this happened during a Qakbot infection. I've covered examining Qakbot traffic before, but that didn't include examples of spambot emails sent from an infected Windows computer. Today's diary provides a quick review of some email examples from spambot traffic by my Qakbot-infected lab host.

  • Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims [iophk: Windows TCO]

    During the analysis, we reversed this strain of Qbot and identified the attacker’s active command and control server, allowing us to determine the scale of the attack. Based on direct observation of the C2 server, thousands of victims around the globe are compromised and under active control by the attackers. Additional information uncovered from the C&C server exposed traces of the threat actors behind this campaign.

    [...]

    Qbot (or Qakbot) was first identified in 2009 and has evolved significantly. It is primarily designed for collecting browsing activity and data related to financial websites. Its worm-like capabilities allow it to spread across an organization’s network and infect other systems.

  • os x ssh fails when using -p flag

    /usr/bin/ssh in macos 10.15.4 hangs if used with the -p flag to specify an alternate port and used with a hostname. This was not present in macos 10.15.3.

Security: Software Updates, Kali NetHunter Updates, OpenWRT Bug and Scams That Exploit COVID-19

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, ImageMagick, kernel, kernel-rt, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, nss-softokn, okular, php, podman, polkit, poppler and evince, procps-ng, python, python-twisted-web, python3, qemu-kvm, qemu-kvm-ma, qt, rsyslog, samba, skopeo, squid, systemd, taglib, texlive, unzip, virt:8.1, wireshark, and zziplib), Slackware (gnutls and httpd), and SUSE (glibc, icu, kernel, and mariadb).

  • Kali NetHunter Updates

    Many outstanding discoveries have been made by our vibrant NetHunter community since 2020.1, so we have decided to publish a mid-term release to showcase these amazing developments on selected devices.

    [...]

    The Android 8.1 image is considered the recommended release with a proven track record of supporting NetHunter under the most extreme conditions, including force encryption of the data partition.

    Considering the current maturity of Android 10 for this platform, we would consider this version to be most suited for those who love to experiment and don’t mind getting things working by themselves. We had to edit the vendor fstab file on a laptop to disable force encryption because TWRP didn’t support it at the time of writing. If that doesn’t scare you then this image might be just right for you.

  • OpenWRT code-execution bug puts millions of devices at risk

    For almost three years, OpenWRT—the open source operating system that powers home routers and other types of embedded systems—has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said.

    OpenWRT has a loyal base of users who use the freely available package as an alternative to the firmware that comes installed on their devices. Besides routers, OpenWRT runs on smartphones, pocket computers and even laptops and desktop PCs. Users generally find OpenWRT to be a more secure choice because it offers advanced functions and its source code is easy to audit.

    [...]

    These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack. Vranken also speculates that packet spoofing or ARP cache poisoning may also make attacks possible, but he cautions that he didn’t test either method.

    Despite the requirements, many networks connect people who are unknown or untrusted by the device operator. What’s more, attacks that replace router settings pointing to a legitimate DNS with a malicious one are a fact of life on the Internet, as numerous in-the-wild attacks demonstrate.

  • OpenWRT code-execution bug puts millions of devices at risk

    The headline may be a bit overwrought, though.

  • How Hackers Are Targeting Networks Amidst Coronavirus Threat?

    There is no doubt that COVID-19 has created fear, panic and uncertainty among the public, but it has also opened new possibilities for hackers to increase cyber attacks using different approaches. According to reports in the last few weeks, hackers are taking advantage of the current situation to spread fake news about important information related to government notices, school closures, health risks etc.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift).

  • Why Understanding CVEs Is Critical for Data Scientists

    CVEs are Common Vulnerabilities and Exposures found in software components. Because modern software is complex with its many layers, interdependencies, data input, and libraries, vulnerabilities tend to emerge over time. Ignoring a high CVE score can result in security breaches and unstable applications.

    Because data scientists work with vast stores of data, they need to take responsibility for the software components they use to minimize risk and protect customer data. A golden rule in security is, wherever valuable data can be found, hackers will go.

    Software developers refer to CVE databases and scores on a regular basis to minimize the risk of using vulnerable components (packages and binaries) in their applications or web pages. They also monitor for vulnerabilities in components they currently use. To reduce the risk of a security breach from open-source packages, data science teams need to take this page from the software developer’s playbook and apply it to their data science and machine learning pipeline.

  • pam-krb5 4.9

    This is a security release fixing a one-byte buffer overflow when relaying prompts from the underlying Kerberos library. All users of my pam-krb5 module should upgrade as soon as possible. See the security advisory for more information.

    There are also a couple more minor security improvements in this release: The module now rejects passwords as long or longer than PAM_MAX_RESP_SIZE (normally 512 octets) since they can be a denial of service attack via the Kerberos string-to-key function, and uses explicit_bzero where available to clear passwords before releasing memory.

  • rethinking openbsd security

    OpenBSD aims to be a secure operating system. In the past few months there were quite a few security errata, however. That’s not too unusual, but some of the recent ones were a bit special. One might even say bad. The OpenBSD approach to security has a few aspects, two of which might be avoiding errors and minimizing the risk of mistakes. Other people have other ideas about how to build secure systems. I think it’s worth examining whether the OpenBSD approach works, or if this is evidence that it’s doomed to failure.
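The pam-krb5 4.9 note above describes two hardening measures: rejecting prompt responses of PAM_MAX_RESP_SIZE octets or more (because the Kerberos string-to-key derivation makes an oversized password a denial-of-service vector) and clearing password buffers with explicit_bzero before the memory is released. The C below is an added illustration of both, not code from pam-krb5 or from its author. It assumes the 512-octet value quoted on the page, substitutes a volatile-memset wipe for explicit_bzero so it builds on any C library, and replaces the real string-to-key call with a stub; the passwords it exercises are constructed, not real credentials.

```c
/* Added example, not pam-krb5's own code: the two hardening measures the
 * pam-krb5 4.9 note describes, shown around a stand-in for the Kerberos
 * string-to-key step. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Limit quoted on the page; the real module takes it from <security/pam_appl.h>. */
#ifndef PAM_MAX_RESP_SIZE
#define PAM_MAX_RESP_SIZE 512
#endif

/* pam-krb5 calls explicit_bzero() where the C library has it. This portable
 * stand-in (an assumption of this example) reaches memset through a volatile
 * function pointer, so the compiler cannot drop the store as dead code right
 * before free(). */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void secure_zero(void *buf, size_t len)
{
    if (buf != NULL && len > 0)
        secure_memset(buf, 0, len);
}

/* Accept only passwords shorter than PAM_MAX_RESP_SIZE. The scan is bounded
 * so an unterminated buffer is never walked beyond the limit. String-to-key
 * does work proportional to input length, so an oversized password is a
 * denial-of-service vector rather than a credential. */
int password_length_ok(const char *password)
{
    size_t n = 0;
    if (password == NULL)
        return 0;
    while (n < PAM_MAX_RESP_SIZE && password[n] != '\0')
        n++;
    return n < PAM_MAX_RESP_SIZE;
}

/* Stand-in for the expensive string-to-key call; reached only after the
 * length check. Returns the key length it would have derived. */
static size_t string_to_key_stub(const char *password)
{
    return strlen(password) ? 32 : 0;
}

/* Full flow: copy the prompt response to the heap (as a PAM conversation
 * would), check its length, derive the key, then wipe the copy before
 * releasing it. Returns 1 when the password was accepted, 0 when rejected. */
int handle_password(const char *response)
{
    size_t len = strlen(response);
    char *copy = malloc(len + 1);
    int accepted = 0;

    if (copy == NULL)
        return 0;
    memcpy(copy, response, len + 1);

    if (password_length_ok(copy) && string_to_key_stub(copy) > 0)
        accepted = 1;

    secure_zero(copy, len + 1);   /* never leave the password behind in freed memory */
    free(copy);
    return accepted;
}

/* Exercises the flow with a constructed password of `len` 'a' characters. */
int handle_constructed_password(size_t len)
{
    char *pw = malloc(len + 1);
    int result;
    if (pw == NULL)
        return 0;
    memset(pw, 'a', len);
    pw[len] = '\0';
    result = handle_password(pw);
    free(pw);
    return result;
}

/* Confirms secure_zero really clears every byte of a buffer. */
int secure_zero_clears(void)
{
    char buf[64];
    size_t i;
    memset(buf, 'x', sizeof buf);
    secure_zero(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```

The length check runs before any key derivation, so the cost of the rejected input is a bounded scan of at most PAM_MAX_RESP_SIZE bytes. The wipe happens on every path, accepted or rejected, so the plaintext never survives in memory handed back to the allocator.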

KDE Plasma 5.18.4 LTS Desktop Environment Brings More Than 40 Fixes

Filed under
KDE
Security

Coming three weeks after the Plasma 5.18.3 point release, which introduced a bunch of Flatpak improvements and more than 60 fixes, the KDE Plasma 5.18.4 LTS release is here to add more than 40 bug fixes to various of the desktop environment's core components.

Among the changes, there’s improved support for the upcoming Qt 5.15 application framework for Breeze and libksysguard components and better support for the fwupd open-source daemon for installing firmware updates on devices in the Discover package manager.

Flatpak support in Discover was also improved by fixing two issues. Moreover, XSettingsd was added as a runtime dependency to KDE GTK Config, kwallet-pam now works with pam_fscrypt, and KWin now allows the creation of more than one row on the “Virtual Desktops” settings page.

Read more

Critical Linux Kernel Vulnerability Patched in Ubuntu 19.10 and 18.04.4 LTS

Filed under
Linux
Security
Ubuntu

Discovered by Manfred Paul, the security vulnerability (CVE-2020-8835) was found in the Linux kernel’s BPF (Berkeley Packet Filter) verifier, which incorrectly calculated register bounds for certain operations.

This could allow a local attacker to either expose sensitive information (kernel memory) or gain administrative privileges and run programs as root user.

The security issue affects all Ubuntu 19.10 (Eoan Ermine) and Ubuntu 18.04.4 LTS (Bionic Beaver) releases running Linux kernel 5.3 on 64-bit, Raspberry Pi, KVM, as well as cloud environments like AWS, Azure, GCP, GKE, and Oracle Cloud.

Read more

WireGuard 1.0.0 for Linux 5.6 Released

Filed under
Linux
Security

Hi folks,

Earlier this evening, Linus released [1] Linux 5.6, which contains our
first release of WireGuard. This is quite exciting. It means that
kernels from here on out will have WireGuard built-in by default. And
for those of you who were scared away prior by the "dOnT uSe tHiS
k0de!!1!" warnings everywhere, you now have something more stable to
work with.

The last several weeks of 5.6 development and stabilization have been
exciting, with our codebase undergoing a quick security audit [3], and
some real headway in terms of getting into distributions.

We'll also continue to maintain our wireguard-linux-compat [2]
backports repo for older kernels. On the backports front, WireGuard
was backported to Ubuntu 20.04 (via wireguard-linux-compat) [4] and
Debian Buster (via a real backport to 5.5.y) [5]. I'm also maintaining
real backports, not via the compat layer, to 5.4.y [6] and 5.5.y [7],
and we'll see where those wind up; 5.4.y is an LTS release.

Meanwhile, the usual up-to-date distributions like Arch, Gentoo, and
Fedora 32 will be getting WireGuard automatically by virtue of having
5.6, and I expect these to increase in number over time.

Enjoy!
Jason

Read more

Also: WireGuard 1.0.0 Christened As A Modern Secure VPN Alternative To OpenVPN/IPsec

Security and FUD

Filed under
Security
  • Surviving the Frequency of Open Source Vulnerabilities

    One hurdle in any roll-your-own Linux platform development project is getting the necessary tools to build system software, application software, and the Linux kernel for your target embedded device. Many developers use a set of tools based on the GNU Compiler Collection, which requires two other software packages: a C library used by the compiler; and a set of tools required to create executable programs and associated libraries for your target device. The end result is a toolchain.

    [...]

    In preference to working on features or product differentiation, developers often spend valuable time supporting, maintaining, and updating a cross-compilation environment, Linux kernel, and root file system. All of which requires a significant investment of personnel and a wide range of expertise.

  • Netgate® Extends Free pfSense® Support and Lowers pfSense Support Subscription Pricing to Aid in COVID-19 Relief

    Free zero-to-ping support, free VPN configuration and connection support, free direct assistance for first responder | front line healthcare agencies, and reduced pfSense TAC support subscription prices all introduced

  • How the hackers are using Open Source Libraries to their advantage [Ed: Conflating hackers with crackers]

    Ben Porter, Chief Product Officer at Instaclustr, writes about how the potential of Open Source Libraries must be balanced with the growing risk of library jacking by hackers.

  • Three Cases Where the Open Source Model Didn't Work [Ed: Lots of anti-GPL FUD and not taking any account of Microsoft crimes, monopoly abuse, bribes and blackmail]

    So, why didn’t the open source model work in these three cases?

    The main reason is that in all of these cases, data structure specs and the description of algorithms are not the most important piece of the picture.

    The root of the problem is in the variety of real-life situations where bugs and failures may occur and lead to data-loss situations, which is a total no-go in the real world.

    Successful though the open source community has been in creating open source programs and platforms, that is still no guarantee of industrial-grade software development(3). The core to success in developing a highly reliable solution is a carefully nurtured auto-test environment. This assures a careful track record and in-depth analysis for every failure, as well as an effective work-flow, making sure any given bug or failure never repeats. It’s obvious that building such an environment can take years, if not decades, and the main thing here is not to know how something should work according to specs, but to know how and where exactly it fails. In other words, the main problem is not the resources needed to develop the code; the main problem is the time needed to build up reliable test coverage that will provide a sufficient barrier against data-loss bugs.

    Another problem with open source is that it is usually accompanied by a GPL license. This limits the contribution to such projects almost solely to the open source community itself. One of the major requirements of the GPL license is to disclose changes to source code in case of further distribution, making it pointless for commercial players to participate.


More in Tux Machines

Programming Literature: Jussi Pakkanen on Meson, Shing Lyu on Rust and "25 Best JavaScript Books for Newbie and Professional"

  • Jussi Pakkanen: Meson manual sales status and price adjustment

    The second part (marked with a line) indicates when I was a guest on CppCast talking about Meson and the book. As an experiment I created a time limited discount coupon so that all listeners could buy it with €10 off. As you can tell from the graph it did have an immediate response, which again proves that marketing and visibility are the things that actually matter when trying to sell any product. After that we have the "new normal", which means no sales at all. I don't know if this is caused by the coronavirus isolation or whether this is the natural end of life for the product (hopefully the former but you can never really tell in advance).

  • Shing Lyu: Lessons learned in writing my first book

    You might have noticed that I didn’t update this blog frequently in the past year. It’s not because I’m lazy, but I focused all my creative energy on writing this book: Practical Rust Projects. The book is now available on Apress, Amazon and O’Reilly. In this post, I’ll share some of the lessons I learned in writing this book. Although I’ve been writing Rust for quite a few years, I haven’t really studied the internals of the Rust language itself. Many of the Rust enthusiasts whom I know seem to be having much fun appreciating how the language is designed and built. But I take more joy in using the language to build tangible things. Therefore, I’ve been thinking about writing a cookbook-style book on how to build practical projects with Rust, ever since I finished the video course Building Reusable Code with Rust. To my surprise, I received an email from Steve Anglin, an acquisition editor from Apress, in April 2019. He initially asked me to write a book on the RustPython project. But the project was still growing rapidly thanks to the contributors. I’d already lost my grip on the overall architecture, so I couldn’t really write much about it. So I proposed the topic I had in mind to Steve. Fortunately, the editorial board accepted my proposal, and we decided to write two books: one for general Rust projects and one for web-related Rust projects. Since this is my first time writing a book that will be published in physical form (or as The Rust Book put it, “dead tree form”), I learned quite a lot throughout the process. Hopefully, these points will help you if you are considering or are already writing your own book.

  • The 25 Best JavaScript Books for Newbie and Professional

    JavaScript is a programming language that is object-oriented and used to make dynamic web pages by adding interactive effects. This client-side scripting language is used by almost 94.5% of the web pages available on the internet. The language is very easy but is also known as one of the most misunderstood programming languages. You should choose the right guidelines so that you can get all the answers to your questions related to JavaScript. Here we will provide you with a list of the best JavaScript books so that you can learn JavaScript and never become confused.

today's howtos

This is my shoestring photography setup for image editing

Saving money is not the only major benefit of using inexpensive hardware and free open-source software. Somewhat surprisingly, the more important benefit for me personally is peace of mind. My primary machine is a 9-year old ThinkPad X220 with 4GB RAM and 120GB SSD. I bought it on eBay for around 200 euros, plus about 30 euros for a 120GB SSD. The digiKam application I use for most of my photo management and processing needs cost exactly zero. (I’m the author of the digiKam Recipes book.) I store my entire photo library on a USB 3.0 3TB Toshiba Canvio hard disk I bought for around 113 euros. If any component of my hardware setup fails, I can replace it without any significant impact on my budget. I don’t have to worry about a company deciding to squeeze more money out of me by either forcing me into a paid upgrade or a subscription plan, and I sleep better knowing that I own the software crucial for my photographic workflow. You might think that managing and processing RAW files and photos on a relatively old machine with a paltry amount of RAM is unbearably slow, but it’s not. While Windows would bring the ThinkPad X220 to its knees, the machine briskly runs openSUSE Linux with the KDE graphical desktop environment. The word Linux may send some photographers away screaming, but a modern Linux system is hardly more complicated in use than Windows.

Read more

elementary OS: Hera Updates for March, 2020

Fresh on the heels of the AppCenter for Everyone Remote Sprint, we still managed to push out a good amount of updates over the course of March (and early April), bundled up in an OS 5.1.3 update. Let’s dive into what’s new. We continued our quest to make Code the best editor for elementary OS this month. A file’s Git status now shows in its tooltip in the project sidebar, making it easier to understand what the status icons mean—especially if you’re colorblind or just don’t remember. We also added an option for explicit case-sensitive find/replace for those times when you want to find or replace the word foo but not Foo.

Read more

Also: elementary OS 5.1.3 New Features Revealed