
Security: Updates, Quantum Computers, Liability, Cryptojacking

Filed under
Security
  • Security updates for Friday
  • How Classical Cryptography Will Survive Quantum Computers

    Justin Trudeau, the Canadian prime minister, certainly raised the profile of quantum computing a few notches last year, when he gamely—if vaguely [1]—described it for a press conference. But we’ve heard a lot about quantum computers in the past few years, as Google, I.B.M., and N.A.S.A., as well as many, many universities, have all been working on, or putting money into, quantum computers for various ends. The N.S.A., for instance, as the Snowden documents revealed, wants to build one for codebreaking, and it seems to be a common belief that if a full-scale, practical quantum computer is built, it could be really useful in that regard. A New Yorker article early this year, for example, stated that a quantum computer “would, on its first day of operation, be capable of cracking the Internet’s most widely used codes.” But maybe they won’t be as useful as we have been led to believe.

  • Can a decentralized open source community properly address security?

    SearchSecurity talks with UC Berkeley Professor Steven Weber about the open source community, the security challenges facing it and the prospect of software liability.

  • Chrome Extension With 100,000 Users Caught Cryptojacking Using Your CPU Power

    The trend of mining cryptocurrency hasn’t gone unnoticed by the notorious minds. This technique to use CPU power to earn digital coins has been repeatedly used by malware creators as well as the website owners who chose to keep their users in the dark. In the latest development, a popular Chrome extension has been spotted as a new player in this game.

    Named Archive Poster, this extension has more than 100,000 users. For the past few weeks, the extension has been deploying an in-browser cryptocurrency miner without showing the users any form of notification or asking for their permission.

Security and DRM Leftovers

Filed under
Security

Security: Nation-State Hacking, Microsoft/WannaCry, End-to-End Encryption, Updates and Client Security

Filed under
Security
  • Nation-State Hacking: 2017 in Review

    If 2016 was the year government hacking went mainstream, 2017 is the year government hacking played the Super Bowl halftime show. It's not Fancy Bear and Cozy Bear making headlines. This week, the Trump administration publicly attributed the WannaCry ransomware attack to the Lazarus Group, which allegedly works on behalf of the North Korean government. As a Presidential candidate, Donald Trump famously dismissed allegations that the Russian government broke into email accounts belonging to John Podesta and the Democratic National Committee, saying it could easily have been the work of a "400 lb hacker" or China. The public calling-out of North Korean hacking appears to signal a very different attitude towards attribution.

    Lazarus Group may be hot right now, but Russian hacking has continued to make headlines. Shortly after the release of WannaCry, there came another wave of ransomware infections, Petya/NotPetya (or, this author's favorite name for the ransomware, "NyetYa"). Petya was hidden inside of a legitimate update to accounting software made by MeDoc, a Ukrainian company. For this reason and others, Petya was widely attributed to Russian actors and is thought to have primarily targeted Ukrainian companies, where MeDoc is commonly used. The use of ransomware as a wiper, a tool whose purpose is to render the computer unusable rather than to extort money from its owner, appears to be one of this year's big new innovations in the nation-state actors' playbook.

  • North Korea asks US for proof of WannaCry claim [iophk: "caused by Microsoft bug doors"]

    A North Korean diplomat has asked the US to provide evidence for its claim that the WannaCry ransomware was created and spread by Pyongyang.

  • Transport-Layer Encryption vs End-to-End Encryption - GIF

    During the course of a digital security training, participants often learn that they should encrypt their information in transit, like emails, chats, messages, and cloud storage. Learners come away from a training with an appreciation for encryption. However, they may not come away learning that there are different ways of using encryption.

    It’s also important for learners to be able to distinguish what the encryption they are using to protect their information does and does not protect against. One way to clarify this conversation is to point out two different types of encryption for their information in transit: transport-layer encryption, and end-to-end encryption.

    HTTPS and VPNs are examples of transport-layer encryption, which is a way of encrypting data in transit.

  • Security updates for Wednesday
  • Even With the Cloud, Client Security Still Matters

Security: Insecurity, DARPA, Oversight, Uber’s Bug Bounty

Filed under
Security
  • Lack of IT staff leaving companies exposed to hacker attacks [iophk: "very few companies even have an IT staff, usually just Microsoft resellers"]

    According to a recent survey of recruitment agencies, 81% expect a rise in demand for digital security staff, but only 16% saw that the demand would be met.

  • DARPA Triggers Development of The ‘Unhackable’ Computer Morpheus With $3.6 Million

    DARPA (Defense Advanced Research Projects Agency), which gave us the early version of the internet, is now trying to fix a major problem: computers vulnerable to cyber attacks.

  • Securing the internet of things will be no easy task

    As I testified before House Oversight’s IT subcommittee in early October, many recent, major breaches could have been eliminated or dramatically reduced if some fundamental principles of cyber hygiene had been followed, including constant patching, least privilege, encryption, micro-segmentation and multi-factor authentication.

  • How I Got Paid $0 From the Uber Security Bug Bounty

    So now it’s a completely verified critical security vulnerability, with working POC that will harvest usernames and passwords from an Uber mobile endpoint, and SSL-protected with Uber’s signed certificate. The Uber development team gets involved, and additionally verifies that yes, they can execute arbitrary JavaScript code from any *.cloudfront.net host, so these are three distinct critical severity security issues: reflected XSS, HTML content injection, and a CSP that allows execution of arbitrary JavaScript from any *.cloudfront.net host.

    [...]

    Followed by locking and then closing without payment all of my submitted security reports, so that they can’t be viewed or publicly disclosed.

Security and DRM

Filed under
Security
  • Security updates for a holiday Monday
  • 18 Cyber-Security Trends Organizations Need to Brace for in 2018
  • Seven Awful DRM Moments from the Year (and Two Bright Spots!): 2017 in Review

    The Apollo 1201 project is dedicated to ending all the DRM in the world, in all its forms, in our lifetime. The DRM parade of horribles has been going strong since the Clinton administration stuck America with Section 1201 of the Digital Millennium Copyright Act ("DMCA") in 1998. That law gave DRM special, hazardous legal protection: under that law, you're not allowed to remove DRM, even for a lawful purpose, without risking legal penalties that can include jailtime and even six-figure fines for a first offense.

    That's a powerful legal weapon to dangle in front of the corporations of the world, who've figured out if they add a thin scrim of DRM to their products, they can make it a literal felony to use their products in ways that they don't approve of -- including creative uses, repair, tinkering and security research. (There's an exemption process, but it's burdensome and inadequate to protect many otherwise legal activities.)

Grsecurity SLAPP Case Defeated

Filed under
GNU
Security
Legal
  • Kernel hardening group's suit against open source advocate thrown out

    A judge in San Francisco has granted a motion by noted open source advocate Bruce Perens to dismiss a defamation suit filed against him by Grsecurity, a group that supplies a patch for hardening the Linux kernel.

    Magistrate judge Laurel Beeler agreed to Perens' motion on Thursday but denied his bid to invoke the anti-SLAPP (Strategic Lawsuit Against Public Participation) law in California.

    This law deals with legal complaints that are directed at stopping public discussion and free speech. California put in place an anti-SLAPP law in 1992.

  • Court Throws Out Libel Lawsuit Brought by Open Source Security

    The defendant Bruce Perens -- who is a respected programmer known for his founding of the Open Source Initiative -- criticized OSS's business model for distributing its security patches on the ground that it violated the open-source license and thus potentially subjected users to liability for copyright infringement or breach of contract. The plaintiffs [sued, basically for defamation -EV]....

Security: Russia, China, Mirai Variant, Firefox and Grsecurity/Perens

Filed under
Security

Linux >=4.9: eBPF memory corruption bugs

Filed under
Linux
Security

A few BPF verifier bugs in the Linux kernel, most of which can be used
for controlled memory corruption, have been fixed over the last days.
One of the bugs was introduced in 4.9, the others were only introduced
in 4.14.

The fixes are in the net tree of the Linux kernel
(https://git.kernel.org/pub/scm/linux/kernel/git/davem/net...),
but not in Linus' tree yet.

The following bug was introduced in 4.9:

Security: NSA Exploits, Wi-Fi, and BPF

Filed under
Security
  • Zealot Loads Cryptocurrency Miner on Linux, Windows Machines

    A new Apache Struts campaign that researchers named "Zealot" has come to light in recent weeks. Zealot loads Windows or Linux-based machines by installing a miner for Monero, which has become one of the hottest cryptocurrencies used in recent malware attacks.

  • 8 Best WiFi Hacking Software And Analysis Tools You Should Use In 2018

    Security analysis and penetration testing is an integral part of creating any kind of secure network. This brings us to the WiFi hacking software that could be used for ethically testing a wireless network and make amends. In the past, we’ve already covered the top wireless security apps for Android and now it’s the turn of such tools for your PC. In case you’re looking for a more diverse collection of tools (not for just wireless analysis), you can refer to another list.

  • BPF security issues in Debian

    Since Debian 9 "stretch", we've shipped a Linux kernel supporting the "enhanced BPF" feature which allows unprivileged user space to upload code into the kernel. This code is written in a restricted language, but one that's much richer than the older "classic" BPF. The kernel verifies that the code is safe (doesn't loop, only accesses memory it is supposed to, etc.) before running it. However, this means that bugs in the verifier could allow unsafe programs to compromise the kernel's security.


More in Tux Machines

Fedora and Red Hat's Finances

GNOME: WebKit, Fleet Commander, Introducing deviced

  • On Compiling WebKit (now twice as fast!)
    Are you tired of waiting for ages to build large C++ projects like WebKit? Slow headers are generally the problem. Your C++ source code file #includes a few headers, all those headers #include more, and those headers #include more, and more, and more, and since it’s C++ a bunch of these headers contain lots of complex templates to slow down things even more. Not fun.
  • Fleet Commander is looking for a GSoC student to help us take over the world
    Fleet Commander has seen quite a lot of progress recently, which I should blog about soon. For those unaware, Fleet Commander is an effort to make GNOME great for IT administrators in large deployments, allowing them to deploy desktop and application configuration profiles across hundreds of machines with ease through a web administration UI based on Cockpit. It is mostly implemented in Python.
  • Introducing deviced
    Over the past couple of weeks I’ve been heads down working on a new tool along with Patrick Griffis. The purpose of this tool is to make it easier to integrate IDEs and other tooling with GNU-based gadgets like phones, tablets, infotainment, and IoT devices. Years ago I was working on a GNOME-based home router with davidz which sadly we never finished. One thing that was obvious to me in that moment of time was that I’m not doing another large scale project until I had better tooling. That is Builder’s genesis, and device integration is what will make it truly useful to myself and others who love playing with GNU-friendly gadgets.

KDE: Usability & Productivity, AtCore, Krita

  • This week in Usability & Productivity, part 6
  • AtCore takes to the pi
    The Raspberry Pi 3 is a small single-board computer that costs around $35 (USD). It comes with a network port, WiFi, Bluetooth, 4 USB ports, GPIO pins, a camera port, a display out, HDMI, and a TRRS jack for analog A/V out. It has 1GB of RAM and 4 ~1GHz ARMv8 cores inside a small SoC. Its storage is a microSD card. They are low-cost, low-power devices. The touchscreen kit is an 800×480 display that hooks to the GPIO for touch and the DSI port for video. To hold our hardware we use the standard touchscreen enclosure that often comes with the screen if you buy it in a kit.
  • Look, new presets! Another Krita 4 development build!
    We’ve been focusing like crazy on the Krita 4 release. We managed to close some 150 bugs in the past month, and Krita 4 is getting stable enough for many people to use day in, day out. There’s still more to be done, of course! So we’ll continue fixing issues and applying polish for at least another four weeks. One of the things we’re doing as well is redesigning the set of default brush presets and brush tips that come with Krita. Brush tips are the little images one can paint with, and brush presets are the brushes you can select in the brush palette or brush popup: the combination of a tip, some settings and a smart bit of coding! Our old set was fine, but it was based on David Revoy‘s earliest Krita brush bundles, and for Krita 4 we are revamping the entire set. We’ve added many new options to the brushes since then! So, many artists are working together to create good-looking, useful and interesting brushes for Krita 4.

Software: GIMP, Spyder, SMPlayer

  • Five free photo and video editing tools that could save burning a hole in your pocket and take your creativity to the next level
    GIMP stands for the Gnu Image Manipulation Program and is the first word that people usually think about when it comes to free image editors. It’s a raster graphics editor, available on multiple platforms on PC. It has a similar interface to Photoshop: you have your tools on one side, there’s an option for your tool window and then you have your layers window on another side. Perhaps one of the most useful features of GIMP is the option of plugins. There is a wide database for them and there’s a plugin for almost any task you might need to carry out. GIMP is extremely extensive, and it’s the choice of the FOSS community, thanks to the fact that it’s also open source. However, there are also some disadvantages. For example, GIMP has no direct RAW support yet (you have to install a plugin to enable it, which means a split workflow). It also has quite a bit of a learning curve as compared to Photoshop or Lightroom.
  • Introducing Spyder, the Scientific PYthon Development EnviRonment
    If you want to use Anaconda for science projects, one of the first things to consider is the spyder package, which is included in the basic Anaconda installation. Spyder is short for Scientific PYthon Development EnviRonment. Think of it as an IDE for scientific programming within Python.
  • SMPlayer 18.2.2 Released, Install In Ubuntu/Linux Mint Via PPA
    SMPlayer is a free media player created for Linux and Windows, released under the GNU General Public License. Unlike other players it doesn't require you to install codecs to play something, because it carries all the required codecs with it. This is the first release that supports MPV, along with some other features such as MPRIS v2 support, a new theme, a 3D stereo filter and more. It uses the award-winning MPlayer as its playback engine, which is capable of playing almost all known video and audio formats (avi, mkv, wmv, mp4, mpeg... see list).