Security

Canonical Releases Kernel Security Updates for Ubuntu 17.10 and Ubuntu 16.04 LTS

Filed under
Security
Ubuntu

For Ubuntu 17.10 (Artful Aardvark) users, today's security update addresses a bug (CVE-2018-8043) in the Linux kernel's Broadcom UniMAC MDIO bus controller driver, which improperly validated device resources, allowing a local attacker to crash the vulnerable system (a denial of service).

For Ubuntu 16.04 LTS (Xenial Xerus) users, the security patch fixes a buffer over-read vulnerability (CVE-2017-13305) in the Linux kernel's keyring subsystem and an information disclosure vulnerability (CVE-2018-5750) in the SMBus driver for ACPI Embedded Controllers. Both issues could allow a local attacker to expose sensitive information.

Security: Updates, Reproducible Builds, Match.com and More

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #156
  • A Match.com glitch reactivated a bunch of old profiles, raising concerns about user data

    A Match Group spokesperson confirmed that a “limited number” of old accounts had been accidentally reactivated recently and that any account affected received a password reset. Match.com’s current privacy statement, which was last updated in 2016, says that the company can “retain certain information associated with your account” even after you close it. But that Match Group spokesperson also told The Verge that the company plans to roll out a new privacy policy “in the next month or so,” in order to comply with the EU’s General Data Protection Regulation (GDPR); under the new policy, all those years-old accounts will be deleted. The Verge has requested clarification on which accounts will qualify for deletion, and what “deletion” will specifically entail, but has not received a response as of press time.

  • New hacks siphon private cryptocurrency keys from airgapped wallets

    Like most of the other attacks developed by Ben-Gurion University professor Mordechai Guri and his colleagues, the currency wallet exploits start with the already significant assumption that a device has already been thoroughly compromised by malware. Still, the research is significant because it shows that even when devices are airgapped—meaning they aren't connected to any other devices to prevent the leaking of highly sensitive data—attackers may still successfully exfiltrate the information. Past papers have defeated airgaps using a wide array of techniques, including electromagnetic emissions from USB devices, radio signals from a computer's video card, infrared capabilities in surveillance cameras, and sounds produced by hard drives.

  • New hacker group targets US health-care industry, researchers say

    The group, which Symantec has named “Orangeworm,” has been installing backdoors in large international corporations based in the U.S., Europe and Asia that operate in the health-care sector.

    Among its victims are health-care providers and pharmaceutical companies, as well as IT companies and equipment manufacturers that work for health organizations.

AV Linux Multimedia-Focused OS Gets New Stable Release with Meltdown Patches

Filed under
GNU
Linux
Security

AV Linux, the open-source GNU/Linux distribution designed for multimedia content creation, has been updated recently to version 2018.4.2, a release that adds Meltdown mitigations, updated components, and various other enhancements.

Probably the most important change in the AV Linux 2018.4.2 release is the implementation of the KPTI (Kernel page-table isolation) patch to protect users against the Meltdown security vulnerability, but only for 64-bit installations. The distribution is now powered by the long-term supported Linux 4.9.76 kernel, and users can disable the KPTI patch at boot.

Nearly 15 million Nintendo Switches are now hackable (other NVIDIA Tegra X1 devices too)

Filed under
GNU
Linux
Security
Gaming
Gadgets

Earlier this year hackers started to show evidence of an exploit that allowed you to load custom software on a Nintendo Switch game console. Theoretically that opens the door for homebrew applications, modified games, or even running an alternate operating system such as a GNU/Linux distribution on Nintendo’s latest game system. It could also make it possible to run pirated games, which is why console makers usually don’t encourage this sort of thing.

But now a team of hackers called ReSwitched have described a bootrom vulnerability called Fusée Gelée that makes it possible for anyone to hack a Nintendo Switch… assuming you’re willing to do a little hardware hacking too.

today's leftovers

Filed under
Security
  • Discovery of Terminal app for Chrome OS suggests future support for Linux software

    Chrome OS is a fairly flexible operating system, and its support for Android apps via the Google Play Store opens up a world of software. It has been thought -- and hoped -- for some time that Linux support might be on its way, and this is looking increasingly likely.

    A Terminal app has appeared in the Chrome OS dev channel, strongly suggesting that support for Linux applications could well be on the horizon -- something which will give Chromebooks a new appeal.

  • Put Wind into your Deployments with Kubernetes and Helm

    I’m a Software Engineer. Every day, I come into work and write code. That’s what I’m paid to do. As I write my code, I need to be confident that it’s of the highest quality. I can test it locally, but anyone who’s ever heard the words, “...but it works on my machine,” knows that’s not enough. There are huge differences between my local environment and my company’s production systems, both in terms of scale and integration with other components. Back in the day, production systems were complex, and setting them up required a deep knowledge of the underlying systems and infrastructure. To get a production-like environment to test my code, I would have to open a ticket with my IT department and wait for them to get to it and provision a new server (whether physical or virtual). This was a process that took a few days at best. That used to be OK when release cycles were several months apart. Today, it’s completely unacceptable.

  • KDE Plasma 5.13 Desktop Environment Promises Much Better Wayland Support

    The adoption of the next-generation Wayland display server among Linux-based operating systems is slowly, but surely, changing the Linux world for the better.

    While most of the popular GNU/Linux distributions out there are still shy about adopting Wayland by default, major Linux desktop environments like GNOME and KDE continue to offer improved Wayland support with each new major release.

    KDE Plasma 5.13 is being worked on these days, and KDE developer Roman Gilg reported over the weekend on the progress, so far, on the Plasma Wayland component for the next major release, which looks to be pretty promising.

    One of the most significant changes implemented in Plasma Wayland for KDE Plasma 5.13 is the ability to run more Linux apps on the Wayland display manager, either as native Wayland clients or as Xwayland clients.

  • [Mageia] Weekly Roundup 2018 – Week 16

    Work on the LXQt packages is still ongoing; watch this space for Great Plasma Update news.

  • Ubuntu Weekly Newsletter Issue 524
  • Is English Wikipedia’s ‘rise and decline’ typical?

    The figure comes from “The Rise and Decline of an Open Collaboration System,” a well-known 2013 paper that argued that Wikipedia’s transition from rapid growth to slow decline in 2007 was driven by an increase in quality control systems. Although many people have treated the paper’s finding as representative of broader patterns in online communities, Wikipedia is a very unusual community in many respects. Do other online communities follow Wikipedia’s pattern of rise and decline? Does increased use of quality control systems coincide with community decline elsewhere?

  • Two DMV Startups Are Updating an Open Source Security System to Prevent Data Hacks
  • Comprehensive Android Binary Scans Find Known Security Vulnerabilities in 1 Out of Every 5 of the 700 Most Popular Apps on Google Play Store [Ed: Insignary is again badmouthing FOSS platforms as a form of marketing that's basically disguised as 'research' or 'study']
  • Ryzen Stability Issues Are Still Affecting Some FreeBSD Users

    While in recent months there have been some improvements to FreeBSD that have helped yield greater reliability in running AMD Ryzen processors on this BSD operating system, some users are still reporting hard-to-diagnose stability problems on FreeBSD.

    For some, FreeBSD on Ryzen still leads to lock-ups, even while the system is idle. Making it harder to debug, some users can trigger a lock-up within an hour of booting their system, while others may go a week or two before hitting any stability problem.

  • 6 DevOps trends to watch in 2018

    Here at Loggly, we live and breathe logs and uncovering underlying data. It probably comes as no surprise that we’re passionate about the future of log analysis and metric monitoring. Communicating with key subject matter experts in the DevOps space plays an important role in helping us understand where the industry is headed.

  • Trouble in techno hippie paradise

    Another interesting point: while the number of people addicted to nicotine has been going down globally lately, the number of network addicts has outnumbered those by far now. And yet the long term effects of being online almost 24/365 have not yet been researched at all. The cigarette companies claimed that most doctors smoke. The IT industry claims it's normal to be online. What's your wakeup2smartphone time? Do you check email every day?

Security: Updates, Trustjacking, Breach Detection

Filed under
Security
  • Security updates for Monday
  • iOS Trustjacking – A Dangerous New iOS Vulnerability

    An iPhone user's worst nightmare is to have someone gain persistent control over his/her device, including the ability to record and control all activity without even needing to be in the same room. In this blog post, we present a new vulnerability called “Trustjacking”, which allows an attacker to do exactly that.

    This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device. In addition, we will walk through past related vulnerabilities and show the changes that Apple has made in order to mitigate them, and why these are not enough to prevent similar attacks.

  • What Is ‘Trustjacking’? How This New iOS Vulnerability Allows Remote Hacking?

    This new vulnerability called trustjacking exploits a convenient WiFi feature, which allows iOS device owners to manage their devices and access data, even when they are not in the same location anymore.

  • Breach detection with Linux filesystem forensics

    Forensic analysis of a Linux disk image is often part of incident response to determine if a breach has occurred. Linux forensics is a different and fascinating world compared to Microsoft Windows forensics. In this article, I will analyze a disk image from a potentially compromised Linux system in order to determine the who, what, when, where, why, and how of the incident and create event and filesystem timelines. Finally, I will extract artifacts of interest from the disk image.

    In this tutorial, we will use some new tools and some old tools in creative, new ways to perform a forensic analysis of a disk image.

Security: IBM, Windows Freezes, 2FA and More

Filed under
Security

Security: Twitter and Facebook

Filed under
Security
  • Twitter banned Kaspersky Lab from advertising in Jan

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.

  • When you go to a security conference, and its mobile app leaks your data

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

    If you log in to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.

Security: Updates, IBM, Elytron and Container Vulnerability Scanning

Filed under
Security
  • Security updates for Friday
  • IBM Security launches open-source AI

    IBM Security unveiled an open-source toolkit at RSA 2018 that will allow the cyber community to test their AI-based security defenses against a strong and complex opponent in order to help build resilience and dependability into their systems.

  • Elytron: A New Security Framework in WildFly/JBoss EAP

    Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework usable both for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in WildFly.

  • PodCTL #32 – Container Vulnerability Scanning

Security Leftovers

Filed under
Security
  • Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank

    Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

    The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.

    Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

  • Certificate Transparency and HTTPS

    CT stands for “Certificate Transparency” and, in simple terms, means that all certificates for websites will need to be registered by the issuing Certificate Authority (CA) in at least two public Certificate Logs.

  • Security updates for Thursday
  • IBM introduces open-source library for protecting AI systems
  • How to combine SSH key authentication and two-factor authentication on Linux
  • openSUSE Heroes loves Let’s Encrypt™ – Expect certificate exchange

    openSUSE loves Let's Encrypt™

    Maybe some of you noticed that our *.opensuse.org certificate, used by many of our services, will expire soon (on 2018-04-23).

    As we noticed that as well, we decided to put a bit of work into this topic, and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.

    This is just a short notice / announcement for all of you that we are working on this topic at the moment. Together with the deployment of the new certificate, we will announce the corresponding hashes and maybe some further information on how we implemented things.

More in Tux Machines

5 top Blender video tutorials for beginners

Blender is a complex piece of software that is capable of producing extremely high-quality visuals for all manner of visual art purposes, from video games to product visualization. Of course, that power needs to be wielded by a controlled hand. Otherwise, you'll end up with a mush of digital geometry that makes no sense at all. These days, video tutorials are the educational tool of choice for most people. I'm going to give you five of the best free beginner video tutorials for Blender currently available. I recommend you watch all of them. They all cover a lot of the same information. However, every instructor has a different way of presenting. Stick with the one that clicks with you.

Cinnamon 3.8 Desktop Environment Released with Python 3 Support, Improvements

Scheduled to ship with the upcoming Linux Mint 19 "Tara" operating system series this summer, the Cinnamon 3.8 desktop environment is now available for download and it's a major release that brings numerous improvements, new features, and lots of Python 3 ports for a bunch of components. Among the components that got ported to Python 3 in the Cinnamon 3.8 release, we can mention cinnamon-settings, cinnamon-menu-editor, cinnamon-desktop-editor, cinnamon-settings-users, melange, background slideshow, the switch editor and screensaver lock dialogs, desktop file generation scripts, as well as all the utilities.