Language Selection

English French German Italian Portuguese Spanish

Security

Security: Intel Back Door, Hacking a Fingerprint Biometric, Dashlane, Vault 8, Cryptojacking, MongoDB and More

Filed under
Security
  • Recent Intel Chipsets Have A Built-In Hidden Computer, Running Minix With A Networking Stack And A Web Server

    The "Ring-3" mentioned there refers to the level of privileges granted to the ME system. As a Google presentation about ME (pdf) explains, operating systems like GNU/Linux run on Intel chips at Ring 0 level; Ring-3 ("minus 3") trumps everything above -- include the operating system -- and has total control over the hardware. Throwing a Web server and a networking stack in there too seems like a really bad idea. Suppose there was some bug in the ME system that allowed an attacker to take control? Funny you should ask; here's what we learned earlier this year...

    [...]

     Those don't seem unreasonable requests given how serious the flaws in the ME system have been, and probably will be again in the future. It also seems only fair that people should be able to control fully a computer that they own -- and that ought to include the Minix-based computer hidden within.

  •  

     

  • “Game Over!” — Intel’s Hidden, MINIX-powered ME Chip Can Be Hacked Over USB

    Even the creator of MINIX operating system didn’t know that his for-education operating system is on almost every Intel-powered computer.

  • Researchers find almost EVERY computer with an Intel Skylake and above CPU can be owned via USB

     

    Turns out they were right. Security firm Positive Technologies reports being able to execute unsigned code on computers running the IME through USB. The fully fleshed-out details of the attack are yet to be known, but from what we know, it’s bad.

  •  
     

  • Hacking a Fingerprint Biometric
  •  

  • Dashlane Password Manager Now Supports Linux [Ed: But why would anyone with a clue choose to upload his/her passwords?]

    Dashlane, the popular password manager, now supports Linux (and ChromeOS and Microsoft Edge) thanks to new web extension and web app combination.

  • Source Code For CIA’s Spying Tool Hive Released By Wikileaks: Vault 8

    From November 9, Wikileaks has started a new series named Vault 8. As a part of this series, the first leak contains the source code and analysis for Hive software project. Later, the other leaks of this series are expected to contain the source code for other tools as well.

  • Cryptojacking found on 2496 online stores

    Cryptojacking - running crypto mining software in the browser of unsuspecting visitors - is quickly spreading around the web. And the landgrab extends to online stores. The infamous CoinHive software was detected today on 2496 e-commerce sites.

  • 2,500+ Websites Are Now “Cryptojacking” To Use Your CPU Power And Mine Cryptocurrency
  • MongoDB update plugs security hole and sets sights on the enterprise

    Document database-flinger MongoDB has long positioned itself as the dev's best friend, but after ten years it is now fluffing itself up for the enterprise.

    The firm, which went public just last month and hopes to earn up to $220m, has now launched the latest version of its database, which aims to appeal to these bigger customers.

  • How AV can open you to attacks that otherwise wouldn’t be possible [Ed: Any proprietary software put on top of any other software (FOSS included) is a threat and a possible back door]

    Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn't be possible. On Friday, a researcher documented an example of the latter—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

    AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks.

  • Estonia arrests suspected FSB agent accused of “computer-related crime”

    Estonian authorities announced this week that they had recently arrested a Russian man suspected of being an agent of the Federal Security Service (FSB) who was allegedly planning "computer-related crime."

    The 20-year-old man, whose identity was not made public, was arrested last weekend in the Estonian border city of Narva as he was trying to return to Russia.

Security: Updates and Intel Back Doors

Filed under
Security

Security Leftovers

Filed under
Security
  • What Is ARP Spoofing? — Attacks, Detection, And Prevention

    Spoofing is often defined as imitating (something) while exaggerating its characteristic features for comic effect. Not in the real world but also in the computer networking world, spoofing is a common practice among notorious users to intercept data and traffic meant for a particular user.

  • New Hope for Digital Identity

    For your inconvenience, every organization's identity system is also a separate and proprietary silo, even if it is built with open-source software and methods. Worse, an organization might have many different silo'd identity systems that know little or nothing about each other. Even an organization as unitary as a university might have completely different identity systems operating within HR, health care, parking, laundry, sports and IT—as well as within its scholastic realm, which also might have any number of different departmental administrative systems, each with its own record of students past and present.

  • Linux has a whole crock of USB vulnerabilities
  • Google Patches KRACK Vulnerability in Android

Security: Vault 8 From Wikileaks, Yahoo and Other Massive Data Leaks

Filed under
Security
  • Vault 8

    Source code and analysis for CIA software projects including those described in the Vault7 series.

    This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components.

    Source code published in this series contains software designed to run on servers controlled by the CIA. Like WikiLeaks' earlier Vault7 series, the material published by WikiLeaks does not contain 0-days or similar security vulnerabilities which could be repurposed by others.

  • Marissa Mayer sounds distraught over Yahoo’s massive data breach

    Former Yahoo CEO Marissa Mayer appeared distraught at a US Senate hearing Wednesday (Nov. 8) on the unprecedented data breaches at the company during her tenure.

    “As you know, Yahoo was the victim of criminal, state-sponsored attacks on its systems, resulting in the theft of certain user information,” Mayer said in her opening remarks, rarely looking up from her notes. “As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users.”

Security: USB. WPA2, Updates, Magento

Filed under
Security

Microsoft and Intel Back Doors

Filed under
Microsoft
Security

10 Most Secure Linux Distros For Complete Privacy & Anonymity | 2017 Edition

Filed under
GNU
Linux
Security

One of the most compelling reasons to use Linux is its ability to deliver a secure computing experience. There are some specialized secure Linux distros for security that add extra layers and make sure that you complete your work anonymously and privately. Some of the popular secure Linux distros for 2017 are Tails, Whoix, Kodachi, etc.

Read more

Ethical Hacking OS Parrot Security 3.9 Officially Out, Parrot 4.0 In the Works

Filed under
OS
Security

Just a minor improvement to the Parrot Security 3.x series of the Linux-based operating system used by security researchers for various pentesting and ethical hacking tasks, Parrot Security OS 3.9 is here with all the latest security patches and bug fixes released upstream in the Debian GNU/Linux repositories.

But it also looks like it ships with some important new features that promise to make the ethical hacking computer operating system more secure and reliable. One of these is a new sandbox system based on the Firejail SUID program and designed to add an extra layer of protection to many apps, protecting users from 0day attacks.

Read more

Latest IPFire 2.19 Linux Firewall Update Patches OpenSSL, Wget Vulnerabilities

Filed under
Linux
Security

Coming only a few days after the Core Update 115 release, which introduced a new IPFire Captive Portal allowing for easy access control of wireless and wired networks, along with updated OpenVPN configuration options, the IPFire 2.19 Core Update 116 release patches important security vulnerabilities.

For starters, the update bumps the OpenSSL version to 1.0.2m, a release that addresses two security flaws affecting modern AMD Ryzen and Intel Broadwell processors, as well as certificate data. More details about the two vulnerabilities are available at CVE-2017-3736 and CVE-2017-3735.

Read more

Security: Marcher, WPA2, Updates, Reproducible Builds and More

Filed under
Security
Syndicate content

More in Tux Machines

GNOME: Belated GUADEC Report, "Is GNOME Just Lazy?"

  • Alberto Ruiz: GUADEC 2017: GNOME’s Renaissance
    This is a blog post I kept as a draft right after GUADEC to reflect on it and the GNOME project but failed to finish and publish until now. Forgive any outdated information though I think the post is mostly relevant still. I’m on my train back to London from Manchester, where I just spent 7 amazing days with my fellow GNOME community members. Props to the local team for an amazing organization, everything went smoothly and people seemed extremely pleased with the setup as far as I can tell and the venues seemed to have worked extremely well. I mostly want to reflect on a feeling that I have which is that GNOME seems to be experiencing a renaissance in the energy and focus of the community as well as the broader interest from other players.
  • EzeeLinux Show 18.5 | Is GNOME Just Lazy?
    GNOME is dropping Active Desktop, Ubuntu is holding back Nautilus and I have been writing a lot of scripts.

Red Hat Hires From Microsoft; Fedora 27 Release Party at Taipei

Devices: Advantech, Tizen, F-Droid

OSS Leftovers

  • Why no more new AND successful FOSS projects in the last ten years?
     

    If you ask me, the new, successful FOSS projects should be project that fix, replace, rewrite, whatever… the really unglamorous, low-level tools, libraries and so on that would make that happen. Yes, I know that this is really unlikely to happen under current business models and until IoT everywhere, new iPhones every year and the like are perceived as higher priorities, regardless of their environmental impacts and, very often, sheer lack of sense.

  • FOSS Backstage - CfP open
    It's almost ten years ago that I attended my first ApacheCon EU in Amsterdam. I wasn't entirely new to the topic of open source or free software. I attended several talks on Apache Lucene, Apache Solr, Hadoop, Tomcat, httpd (I still remember that the most impressive stories didn't necessarily come from the project members, but from downstream users. They were the ones authorized to talk publicly about what could be done with the project - and often became committers themselves down the road.
  • Liveblogging RIT’s FOSS projects class: initial questions for community spelunking
    Stephen Jacobs (SJ) and I are co-teaching “Project in FOSS Development” at RIT this semester, which basically means “hey students, want to get course credit for contributing to a FOSS project?” The class is centered around 5 project sprints of two weeks each. The first 3 weeks of class are preparing for the sprint periods; the week before spring break is a pause to reflect on how sprints are going. Otherwise, class efforts will be centered around executing project work… (aka “getting stuff done”).
  • Design’N’Buy launches All-In-One Designer on Magento Open Source 2.2
    Design’N’Buy announces the launch of their flagship product – the AIOD on Magento Open Source Version 2.2. With the launch of web to print solution on Magento Version 2.2 , Design’N’Buy becomes first event in web to print industry to offer complete eCommerce printing solution for printers on one of the widest and latest technology platform.
  • Singapore: Blockchain startup Bluzelle raises $19.5m through ICO
    Singapore-based decentralised database provider Bluzelle has announced that its initial coin offering (ICO) has raised $19.5 million in funding, according to a press statement.
  • Blockchain Startup Bluzelle Raises $19.5M USD In ICO
    Bluzelle’ advisor list includes the likes of Brian Fox, creator of GNU Bash, Alex Leverington, one of the original Core ethereum developers, Prashant Malik, co-creator of Apache Cassandra and Ryan Fugger, the original creator of the cryptocurrency Ripple.
  • The Document Liberation project announces five new or improved libraries
    The Document Liberation Project has announced five new or improved libraries to export EPUB3 and import AbiWord, MS Publisher, PageMaker and QuarkXPress files.
  • Lawsuit accuses PACER of milking the public for cash in exchange for access
    The federally run online court document access system known as PACER now finds itself listed on a federal docket. Its overseer, the US government, is a defendant in a proposed class-action lawsuit accusing the service of overcharging the public. The suit, brought by three nonprofits on Thursday, claims millions of dollars generated from a recent 25-percent increase in page fees are being illegally spent by the Administrative Office of the Courts (AO). The cost for access is 10 cents per page and up to $3 a document. Judicial opinions are free. This isn't likely to break the bank for some, but to others it adds up and can preclude access to public records. The National Consumer Law Center, the Alliance for Justice, and the National Veterans Legal Services Program also claim in the lawsuit that these fees are illegal because the government is charging more than necessary to keep the PACER system afloat (as is required by Congress).
  • Is the Most Massive, Illegal Paywall in the World About to Come Down?
    A groundbreaking lawsuit is poised to decimate what is arguably the most unjust, destructive, and it now sounds like illegal paywall in the world, the Public Access to Court Electronic Records, PACER. PACER is the federal government court documents repository. Every federal court document, for every case, lives in PACER. It’s essentially a giant FTP document repository with a horrendous search system bolted on, not dissimilar to EDGAR. PACER was created in 1988 to enable access to court records electronically. Initially available only in courthouses the system was expanded to the web in 2001.
  • Codasip Announces Studio 7, Design and Productivity Tools for Rapid Generation of RISC-V Processors
    Codasip, the leading supplier of RISC-V® embedded processor IP, today announced that it has launched the 7th generation of its Studio, the unique IP-design and customization software that allows for fast configuration and optimization of RISCV processors, customer-proprietary processor architectures, and their accompanying software development toolchains.
  • EE4J Code Begins the Journey to Open Source
    The EE4J project, which was created to manage the Eclipse Foundation’s stewardship of Java EE technologies following Oracle’s decision to open source them, is starting to gain traction. Soon after the project was created, EclipseLink and Yasson (the official reference implementation of Java JSON Binding, JSR-367) became the first two projects to be transferred under the EE4J umbrella. As reported in December, the announcement was made that seven more projects were being proposed.