Language Selection

English French German Italian Portuguese Spanish

Security

OnionShare – Share Files Anonymously

Filed under
Security

In this Digital World, we share our media, documents, important files via the Internet using different cloud storage like Dropbox, Mega, Google Drive and many more. But every cloud storage comes with two major problems, one is the Size and the other Security.

Read<br />
more

Security: AMD and Intel 'Back Doors', Quantum Computing and SELinux

Filed under
Security

Security: Updates, Debian LTS, and OpenSSH

Filed under
Security
  • Security updates for Thursday
  • [Slackware] Security update for OpenJDK7

    IcedTea release manager Andrew Hughes (aka GNU/Andrew) announced the announced a new release for IcedTea. The version 2.6.12 builds OpenJDK 7u161_b01. This release includes the October 2017 security fixes for Java 7. The announcement page contains a list of the security issues that have been fixed with this release. It is recommended that you upgrade your OpenJDK 7 to the latest version. If you have already moved to Java 8 then this article is obviously not relevant for you.

  • My Free Software Activities in November 2017

    Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

  • SSH Mastery” 2nd ed tech reviewers wanted

     

    I’d need any comments back by 2 January 2018.

Security: Wiindows/LockCrypt, Uber Ransom, Windows Botnets and Windows at NSA Causes Leak

Filed under
Security

Security: Intel Management Engine (ME), Snyk FUD, and Latest Security Updates

Filed under
Security
  • Replacing x86 firmware with Linux and Go

    The Intel Management Engine (ME), which is a separate processor and operating system running outside of user control on most x86 systems, has long been of concern to users who are security and privacy conscious. Google and others have been working on ways to eliminate as much of that functionality as possible (while still being able to boot and run the system). Ronald Minnich from Google came to Prague to talk about those efforts at the 2017 Embedded Linux Conference Europe.

    He began by noting that most times he is talking about firmware, it is with his coreboot hat on. But he removed said "very nice hat", since his talk was "not a coreboot talk". He listed a number of people who had worked on the project to "replace your exploit-ridden firmware with a Linux kernel", including several from partner companies (Two Sigma, Cisco, and Horizon Computing) as well as several other Google employees.

    The results they achieved were to drop the boot time on an Open Compute Project (OCP) node from eight minutes to 20 seconds. To his way of thinking, that is "maybe the single least important part" of this work, he said. All of the user-space parts of the boot process are written in Go; that includes everything in initramfs, including init. This brings Linux performance, reliability, and security to the boot process and they were able to eliminate all of the ME and UEFI post-boot activity from the boot process.

  • Interview: Why are open-source security vulnerabilities rising? [Ed: Snyk is a FUD firm. It has been smearing Free software a lot lately in an effort to just sell its services.]
  • Security updates for Wednesday

Security: Andromeda (Windows), NSA Leak (Also Windows), Blockchain in Security

Filed under
Security
  • Global law enforcement operation decimates giant Andromeda botnet

    Developed in September 2011, Andromeda, aka Gamarue or Wauchos, is known for stealing credentials from victims as well as downloading and installing up to 80 different secondary malware programs onto users' systems, including spam bots. Over the last half-year, it has been detected or blocked on an average of more than 1 million machines per month, Europol added.

  • Ex-NSA Worker Pleads Guilty to Taking Classified Data

    Pho worked for the NSA's Tailored Access Operations Unit from 2006 until 2016 and had access to data and documents that included classified and top secret national defense information. "According to the plea agreement, beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information," the DOJ stated.

  • Is blockchain a security topic?

    What's really interesting is that, if you're thinking about moving to a permissioned blockchain or distributed ledger with permissioned actors, then you're going to have to spend some time thinking about trust. You're unlikely to be using a proof-of-work system for making blocks—there's little point in a permissioned system—so who decides what comprises a "valid" block that the rest of the system should agree on? Well, you can rotate around some (or all) of the entities, or you can have a random choice, or you can elect a small number of über-trusted entities. Combinations of these schemes may also work.

Security: Security Updates, Reproducible Builds, Leaks, FUD, and Botnets

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #136
  • Massive Breach Exposes Keyboard App that Collects Personal Data On Its 31 Million Users

    In the digital age, one of the most popular sayings is—if you're not paying, then you're not the customer, you're the product.
    While downloading apps on their smartphones, most users may not realize how much data they collect on you.
    Believe me; it’s way more than you can imagine.
    Nowadays, many app developers are following irresponsible practices that are worth understanding, and we don't have a better example than this newly-reported incident about a virtual keyboard app.
    A team of security researchers at the Kromtech Security Center has discovered a massive trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type, accidentally leaked online for anyone to download without requiring any password.

  • Vortex and Bugware Ransomware Use Open Source Tools to Target .NET Users [Ed: 'News' sites continue to frame Microsoft Windows malware as "open source" to distract from the real culprit]

    A pair of ransomware variants called Vortex and Bugware are encrypting victims’ files by using open source repositories and targeting .NET users, researchers warned. Based on an investigation published by Zscaler, those affected by the two families are being hit with demands that, in the case of Vortex, start at $100 and double within less than a week.

  • 100,000-strong botnet built on router 0-day could strike at any time

    Attackers have used an advanced new strain of the Mirai Internet-of-things malware to quietly amass an army of 100,000 home routers that could be used at any moment to wage Internet-paralyzing attacks, a researcher warned Monday.

    Botnet operators have been regularly releasing new versions of Mirai since the source code was openly published 14 months ago. Usually, the new versions contain minor tweaks, many of which contain amateur mistakes that prevent the new releases from having the punch of the original Mirai, which played a key role in a series of distributed denial-of-service attacks that debilitated or temporarily took down Twitter, GitHub, the PlayStation Network and other key Internet services.

  • Germany Preparing Law for Backdoors in Any Type of Modern Device

    German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.

    Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND).

Security: Management Engine (ME) and WebGoat

Filed under
Security
  • ​Computer vendors start disabling Intel Management Engine

    Hidden inside your Intel-based computer is a mystery program called Management Engine (ME). It, along with Trusted Execution Engine (TXE) and Server Platform Services (SPS), can be used to remotely manage your computer. We know little about Intel ME, except it's based on the Minix operating system and, oh yes, ME is very insecure. Because of this, three computers vendors -- Linux-specific OEMs System76 and Purism and top-tier PC builder Dell -- have decided to offer computers with disabled ME.

    These ME security holes impact millions of computers. ME supports Intel's Active Management Technology (AMT). This is a powerful tool that allows admins to remotely run computers, even when the device is not booted. Let me repeat that: If your PC has power, even if it's not running, it can be attacked. If an attacker successfully exploits these holes, the attacker can run malware that's totally invisible to the operating system.

  • Get These Laptops With Intel ME Chip Disabled From Dell, System76, And Purism

    Intel ME chip which recently became popular is giving sleepless nights to the security community and PC users around the world.

    Why? Because the vulnerabilities in the Management Engine chip, running a closed source variant of MINIX OS, can allow attackers to take complete control of a system without the users noticing.

  • WebGoat Teaches You To Fix Web Application Flaws In Real-time

    Good day, web developers! Today, we are going to discuss about a super useful application that teaches you web application security lessons. Say hello to WebGoat, a deliberately insecure web application developed by OWASP, with the intention of teaching how to fix common web application flaws in real-time with hands-on exercises. This application can be quite useful for those who wants to learn about application security and penetration testing techniques.

    A word of caution: WebGoat is PURELY FOR EDUCATIONAL PURPOSE. It turns your system extremely vulnerable to attackers. So, I insist you to use it in a virtual machine in your local area network. Don’t connect your testing machine to Internet. If you are using it in a production environment either intentionally or unknowingly, your company will definitely fire you. You have been warned!

Security: Blockchains, Disabling Intel ME, Windows, and Mac OS

Filed under
Security
  • Blockchains Are Poised to End the Password Era

    The massive password heists keeping coming, and one thing is certain: the way we prove our identities online is in need of a major upgrade. A growing chorus of technologists and entrepreneurs is convinced that the key to revolutionizing digital identity can be found in the same technology that runs cryptocurrencies.

  • Three Laptop Makers Are Disabling Intel ME

    For years now, security experts warned that Intel’s Management Engine (ME) is at risk of being exploited; ME allows administrators to remotely access a computer and is present within every Intel processor since 2008. Finally – after staying quiet during the period of concern – Intel last month admitted that ME is vulnerable to exploitation. As a result, PC makers are making moves to protect users from said vulnerability. Indeed, Dell, Purism, and Linux PC vendor System76 are all disabling Intel ME on their laptops.

  • Microsoft Breaks Down Windows Update on Windows 7, PCs Hit with Error 80248015

    A number of Windows 7 and Windows Server 2008 systems are experiencing a Windows Update error that prevents them from checking for updates for an unclear reason.

    Posts on the company’s Community forums seem to indicate that the bug first appeared on December 3 and it’s a server-side issue, which means that users might not have anything to do to have this fixed. Instead, Microsoft has remained tight-lipped on the actual cause of the bug, despite the growing number of posts on the said Community thread.

    Checking for updates on the impacted systems fails with error “Windows could not search for new updates,” with some saying that an additional message reading “Windows Update cannot currently check for updates because the service is not running. You may need to restart your computer,” when they click the “Get help with this error” option in Windows Update.

  • Apple’s macOS 10.13.1 Update Brings Back Critical Root Vulnerability

Security: Kaspersky, Updates, .NET

Filed under
Security
Syndicate content

More in Tux Machines

Security: OpenSSL, IoT, and LWN Coverage of 'Intelpocalypse'

  • Another Face to Face: Email Changes and Crypto Policy
    The OpenSSL OMC met last month for a two-day face-to-face meeting in London, and like previous F2F meetings, most of the team was present and we addressed a great many issues. This blog posts talks about some of them, and most of the others will get their own blog posts, or notices, later. Red Hat graciously hosted us for the two days, and both Red Hat and Cryptsoft covered the costs of their employees who attended. One of the overall threads of the meeting was about increasing the transparency of the project. By default, everything should be done in public. We decided to try some major changes to email and such.
  • Some Basic Rules for Securing Your IoT Stuff

    Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked [sic] IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

  • A look at the handling of Meltdown and Spectre
    The Meltdown/Spectre debacle has, deservedly, reached the mainstream press and, likely, most of the public that has even a remote interest in computers and security. It only took a day or so from the accelerated disclosure date of January 3—it was originally scheduled for January 9—before the bugs were making big headlines. But Spectre has been known for at least six months and Meltdown for nearly as long—at least to some in the industry. Others that were affected were completely blindsided by the announcements and have joined the scramble to mitigate these hardware bugs before they bite users. Whatever else can be said about Meltdown and Spectre, the handling (or, in truth, mishandling) of this whole incident has been a horrific failure. For those just tuning in, Meltdown and Spectre are two types of hardware bugs that affect most modern CPUs. They allow attackers to cause the CPU to do speculative execution of code, while timing memory accesses to deduce what has or has not been cached, to disclose the contents of memory. These disclosures can span various security boundaries such as between user space and the kernel or between guest operating systems running in virtual machines. For more information, see the LWN article on the flaws and the blog post by Raspberry Pi founder Eben Upton that well describes modern CPU architectures and speculative execution to explain why the Raspberry Pi is not affected.
  • Addressing Meltdown and Spectre in the kernel
    When the Meltdown and Spectre vulnerabilities were disclosed on January 3, attention quickly turned to mitigations. There was already a clear defense against Meltdown in the form of kernel page-table isolation (KPTI), but the defenses against the two Spectre variants had not been developed in public and still do not exist in the mainline kernel. Initial versions of proposed defenses have now been disclosed. The resulting picture shows what has been done to fend off Spectre-based attacks in the near future, but the situation remains chaotic, to put it lightly. First, a couple of notes with regard to Meltdown. KPTI has been merged for the 4.15 release, followed by a steady trickle of fixes that is undoubtedly not yet finished. The X86_BUG_CPU_INSECURE processor bit is being renamed to X86_BUG_CPU_MELTDOWN now that the details are public; there will be bug flags for the other two variants added in the near future. 4.9.75 and 4.4.110 have been released with their own KPTI variants. The older kernels do not have mainline KPTI, though; instead, they have a backport of the older KAISER patches that more closely matches what distributors shipped. Those backports have not fully stabilized yet either. KPTI patches for ARM are circulating, but have not yet been merged.
  • Is it time for open processors?
    The disclosure of the Meltdown and Spectre vulnerabilities has brought a new level of attention to the security bugs that can lurk at the hardware level. Massive amounts of work have gone into improving the (still poor) security of our software, but all of that is in vain if the hardware gives away the game. The CPUs that we run in our systems are highly proprietary and have been shown to contain unpleasant surprises (the Intel management engine, for example). It is thus natural to wonder whether it is time to make a move to open-source hardware, much like we have done with our software. Such a move may well be possible, and it would certainly offer some benefits, but it would be no panacea. Given the complexity of modern CPUs and the fierceness of the market in which they are sold, it might be surprising to think that they could be developed in an open manner. But there are serious initiatives working in this area; the idea of an open CPU design is not pure fantasy. A quick look around turns up several efforts; the following list is necessarily incomplete.
  • Notes from the Intelpocalypse
    Rumors of an undisclosed CPU security issue have been circulating since before LWN first covered the kernel page-table isolation patch set in November 2017. Now, finally, the information is out — and the problem is even worse than had been expected. Read on for a summary of these issues and what has to be done to respond to them in the kernel. All three disclosed vulnerabilities take advantage of the CPU's speculative execution mechanism. In a simple view, a CPU is a deterministic machine executing a set of instructions in sequence in a predictable manner. Real-world CPUs are more complex, and that complexity has opened the door to some unpleasant attacks. A CPU is typically working on the execution of multiple instructions at once, for performance reasons. Executing instructions in parallel allows the processor to keep more of its subunits busy at once, which speeds things up. But parallel execution is also driven by the slowness of access to main memory. A cache miss requiring a fetch from RAM can stall the execution of an instruction for hundreds of processor cycles, with a clear impact on performance. To minimize the amount of time it spends waiting for data, the CPU will, to the extent it can, execute instructions after the stalled one, essentially reordering the code in the program. That reordering is often invisible, but it occasionally leads to the sort of fun that caused Documentation/memory-barriers.txt to be written.

US Sanctions Against Chinese Android Phones, LWN Report on Eelo

  • A new bill would ban the US government from using Huawei and ZTE phones
    US lawmakers have long worried about the security risks posed the alleged ties between Chinese companies Huawei and ZTE and the country’s government. To that end, Texas Representative Mike Conaway introduced a bill last week called Defending U.S. Government Communications Act, which aims to ban US government agencies from using phones and equipment from the companies. Conaway’s bill would prohibit the US government from purchasing and using “telecommunications equipment and/or services,” from Huawei and ZTE. In a statement on his site, he says that technology coming from the country poses a threat to national security, and that use of this equipment “would be inviting Chinese surveillance into all aspects of our lives,” and cites US Intelligence and counterintelligence officials who say that Huawei has shared information with state leaders, and that the its business in the US is growing, representing a further security risk.
  • U.S. lawmakers urge AT&T to cut commercial ties with Huawei - sources
    U.S. lawmakers are urging AT&T Inc, the No. 2 wireless carrier, to cut commercial ties to Chinese phone maker Huawei Technologies Co Ltd and oppose plans by telecom operator China Mobile Ltd to enter the U.S. market because of national security concerns, two congressional aides said. The warning comes after the administration of U.S. President Donald Trump took a harder line on policies initiated by his predecessor Barack Obama on issues ranging from Beijing’s role in restraining North Korea to Chinese efforts to acquire U.S. strategic industries. Earlier this month, AT&T was forced to scrap a plan to offer its customers Huawei [HWT.UL] handsets after some members of Congress lobbied against the idea with federal regulators, sources told Reuters.
  • Eelo seeks to make a privacy-focused phone
    A focus on privacy is a key feature being touted by a number of different projects these days—from KDE to Tails to Nextcloud. One of the biggest privacy leaks for most people is their phone, so it is no surprise that there are projects looking to address that as well. A new entrant in that category is eelo, which is a non-profit project aimed at producing not only a phone, but also a suite of web services. All of that could potentially replace the Google or Apple mothership, which tend to collect as much personal data as possible.

today's howtos

Mozilla: Resource Hogs, Privacy Month, Firefox Census, These Weeks in Firefox

  • Firefox Quantum Eats RAM Like Chrome
    For a long time, Mozilla’s Firefox has been my web browser of choice. I have always preferred it to using Google’s Chrome, because of its simplicity and reasonable system resource (especially RAM) usage. On many Linux distributions such as Ubuntu, Linux Mint and many others, Firefox even comes installed by default. Recently, Mozilla released a new, powerful and faster version of Firefox called Quantum. And according to the developers, it’s new with a “powerful engine that’s built for rapid-fire performance, better, faster page loading that uses less computer memory.”
  • Mozilla Communities Speaker Series #PrivacyMonth
    As a part of the Privacy Month initiative, Mozilla volunteers are hosting a couple of speaker series webinars on Privacy, Security and related topics. The webinars will see renowned speakers talking to us about their work around privacy, how to take control of your digital self, some privacy-security tips and much more.
  • “Ewoks or Porgs?” and Other Important Questions
    You ever go to a party where you decide to ask people REAL questions about themselves, rather than just boring chit chat? Us, too! That’s why we’ve included questions that really hone in on the important stuff in our 2nd Annual Firefox Census.
  • These Weeks in Firefox: Issue 30