Security

Security: Windows/LockCrypt, Uber Ransom, Windows Botnets and Windows at NSA Causes Leak

Filed under
Security

Security: Intel Management Engine (ME), Snyk FUD, and Latest Security Updates

Filed under
Security
  • Replacing x86 firmware with Linux and Go

    The Intel Management Engine (ME), which is a separate processor and operating system running outside of user control on most x86 systems, has long been of concern to users who are security and privacy conscious. Google and others have been working on ways to eliminate as much of that functionality as possible (while still being able to boot and run the system). Ronald Minnich from Google came to Prague to talk about those efforts at the 2017 Embedded Linux Conference Europe.

    He began by noting that most times he is talking about firmware, it is with his coreboot hat on. But he removed said "very nice hat", since his talk was "not a coreboot talk". He listed a number of people who had worked on the project to "replace your exploit-ridden firmware with a Linux kernel", including several from partner companies (Two Sigma, Cisco, and Horizon Computing) as well as several other Google employees.

    The results they achieved were to drop the boot time on an Open Compute Project (OCP) node from eight minutes to 20 seconds. To his way of thinking, that is "maybe the single least important part" of this work, he said. All of the user-space parts of the boot process are written in Go; that includes everything in initramfs, including init. This brings Linux performance, reliability, and security to the boot process and they were able to eliminate all of the ME and UEFI post-boot activity from the boot process.

  • Interview: Why are open-source security vulnerabilities rising? [Ed: Snyk is a FUD firm. It has been smearing Free software a lot lately in an effort to just sell its services.]
  • Security updates for Wednesday

Security: Andromeda (Windows), NSA Leak (Also Windows), Blockchain in Security

Filed under
Security
  • Global law enforcement operation decimates giant Andromeda botnet

    Developed in September 2011, Andromeda, aka Gamarue or Wauchos, is known for stealing credentials from victims as well as downloading and installing up to 80 different secondary malware programs onto users' systems, including spam bots. Over the last half-year, it has been detected or blocked on an average of more than 1 million machines per month, Europol added.

  • Ex-NSA Worker Pleads Guilty to Taking Classified Data

    Pho worked for the NSA's Tailored Access Operations Unit from 2006 until 2016 and had access to data and documents that included classified and top secret national defense information. "According to the plea agreement, beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information," the DOJ stated.

  • Is blockchain a security topic?

    What's really interesting is that, if you're thinking about moving to a permissioned blockchain or distributed ledger with permissioned actors, then you're going to have to spend some time thinking about trust. You're unlikely to be using a proof-of-work system for making blocks—there's little point in a permissioned system—so who decides what comprises a "valid" block that the rest of the system should agree on? Well, you can rotate around some (or all) of the entities, or you can have a random choice, or you can elect a small number of über-trusted entities. Combinations of these schemes may also work.

Security: Security Updates, Reproducible Builds, Leaks, FUD, and Botnets

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #136
  • Massive Breach Exposes Keyboard App that Collects Personal Data On Its 31 Million Users

    In the digital age, one of the most popular sayings is—if you're not paying, then you're not the customer, you're the product.
    While downloading apps on their smartphones, most users may not realize how much data they collect on you.
    Believe me; it’s way more than you can imagine.
    Nowadays, many app developers are following irresponsible practices that are worth understanding, and we don't have a better example than this newly-reported incident about a virtual keyboard app.
    A team of security researchers at the Kromtech Security Center has discovered a massive trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type, accidentally leaked online for anyone to download without requiring any password.

  • Vortex and Bugware Ransomware Use Open Source Tools to Target .NET Users [Ed: 'News' sites continue to frame Microsoft Windows malware as "open source" to distract from the real culprit]

    A pair of ransomware variants called Vortex and Bugware are encrypting victims’ files by using open source repositories and targeting .NET users, researchers warned. Based on an investigation published by Zscaler, those affected by the two families are being hit with demands that, in the case of Vortex, start at $100 and double within less than a week.

  • 100,000-strong botnet built on router 0-day could strike at any time

    Attackers have used an advanced new strain of the Mirai Internet-of-things malware to quietly amass an army of 100,000 home routers that could be used at any moment to wage Internet-paralyzing attacks, a researcher warned Monday.

    Botnet operators have been regularly releasing new versions of Mirai since the source code was openly published 14 months ago. Usually, the new versions contain minor tweaks, many of which contain amateur mistakes that prevent the new releases from having the punch of the original Mirai, which played a key role in a series of distributed denial-of-service attacks that debilitated or temporarily took down Twitter, GitHub, the PlayStation Network and other key Internet services.

  • Germany Preparing Law for Backdoors in Any Type of Modern Device

    German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more.

    Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND).

Security: Management Engine (ME) and WebGoat

Filed under
Security
  • Computer vendors start disabling Intel Management Engine

    Hidden inside your Intel-based computer is a mystery program called Management Engine (ME). It, along with Trusted Execution Engine (TXE) and Server Platform Services (SPS), can be used to remotely manage your computer. We know little about Intel ME, except that it's based on the Minix operating system and, oh yes, ME is very insecure. Because of this, three computer vendors -- Linux-specific OEMs System76 and Purism and top-tier PC builder Dell -- have decided to offer computers with ME disabled.

    These ME security holes impact millions of computers. ME supports Intel's Active Management Technology (AMT). This is a powerful tool that allows admins to remotely run computers, even when the device is not booted. Let me repeat that: If your PC has power, even if it's not running, it can be attacked. If an attacker successfully exploits these holes, the attacker can run malware that's totally invisible to the operating system.

  • Get These Laptops With Intel ME Chip Disabled From Dell, System76, And Purism

    The Intel ME chip, which recently became notorious, is giving sleepless nights to the security community and PC users around the world.

    Why? Because the vulnerabilities in the Management Engine chip, running a closed source variant of MINIX OS, can allow attackers to take complete control of a system without the users noticing.

  • WebGoat Teaches You To Fix Web Application Flaws In Real-time

    Good day, web developers! Today, we are going to discuss a super useful application that teaches you web application security lessons. Say hello to WebGoat, a deliberately insecure web application developed by OWASP, with the intention of teaching how to fix common web application flaws in real-time with hands-on exercises. This application can be quite useful for those who want to learn about application security and penetration testing techniques.

    A word of caution: WebGoat is PURELY FOR EDUCATIONAL PURPOSES. It makes your system extremely vulnerable to attackers. So, I insist that you use it in a virtual machine on your local area network. Don’t connect your testing machine to the Internet. If you use it in a production environment, either intentionally or unknowingly, your company will definitely fire you. You have been warned!

Security: Blockchains, Disabling Intel ME, Windows, and Mac OS

Filed under
Security
  • Blockchains Are Poised to End the Password Era

    The massive password heists keep coming, and one thing is certain: the way we prove our identities online is in need of a major upgrade. A growing chorus of technologists and entrepreneurs is convinced that the key to revolutionizing digital identity can be found in the same technology that runs cryptocurrencies.

  • Three Laptop Makers Are Disabling Intel ME

    For years now, security experts warned that Intel’s Management Engine (ME) is at risk of being exploited; ME allows administrators to remotely access a computer and is present within every Intel processor since 2008. Finally – after staying quiet during the period of concern – Intel last month admitted that ME is vulnerable to exploitation. As a result, PC makers are making moves to protect users from said vulnerability. Indeed, Dell, Purism, and Linux PC vendor System76 are all disabling Intel ME on their laptops.

  • Microsoft Breaks Down Windows Update on Windows 7, PCs Hit with Error 80248015

    A number of Windows 7 and Windows Server 2008 systems are experiencing a Windows Update error that prevents them from checking for updates for an unclear reason.

    Posts on the company’s Community forums seem to indicate that the bug first appeared on December 3 and that it’s a server-side issue, which means there may be nothing users can do to fix it themselves. Meanwhile, Microsoft has remained tight-lipped on the actual cause of the bug, despite the growing number of posts in the said Community thread.

    Checking for updates on the impacted systems fails with the error “Windows could not search for new updates,” and some users report an additional message reading “Windows Update cannot currently check for updates because the service is not running. You may need to restart your computer,” when they click the “Get help with this error” option in Windows Update.

  • Apple’s macOS 10.13.1 Update Brings Back Critical Root Vulnerability

Security: Kaspersky, Updates, .NET

Filed under
Security

Security: TED Talks, Kaspersky, and NSA

Filed under
Security

Security: Linux/BillGates, Hyped Bug(fix), DNS over TLS

Filed under
Security
  • Notes on Linux/BillGates

    This post will include some notes on Linux/BillGates, hereafter referred to as just ‘BillGates’, and rather than being very in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary.

  • Dirty COW redux: Linux devs patch botched patch for 2016 mess

    Linus Torvalds last week rushed a patch into the Linux kernel, after researchers discovered the patch for 2016's Dirty COW bug had a bug of its own.

    Dirty COW is a privilege escalation vulnerability in Linux's “copy-on-write” mechanism, first documented in October 2016 and affecting both Linux and Android systems.

  • New web browsing security tool arrives: DNS over TLS

    Net neutrality is on its death bed. With it gone, ISPs will be able to strip-data-mine your every move on the web. There are answers. One is Tenta's new secure Domain Name System (DNS) resolver, Tenta DNS. This receives and sends the directions to the websites you visit using the secure Transport Layer Security (TLS) protocol.

    DNS is the internet's master phone book. When you type in a website address or click on a link, it turns human-readable domain names into machine-usable IP addresses. If you use your ISP's DNS server, which is the default, the ISP can watch your every move. Even if you use an ordinary third-party DNS server, such as Google Public DNS servers, 8.8.8.8 or 8.8.4.4, or one of Cisco's OpenDNS servers, 208.67.222.222 or 208.67.220.220, your DNS requests are still made in the clear and your ISP can see where you're going.

Goodbyes to Intel Back Doors (System76 and Even Dell)

Filed under
Security
  • Linux Computer Vendor System76 To Disable Intel ME Firmware

    System76, a vendor of Linux-based laptops, PCs, and servers, will join another Linux laptop maker, Purism, as well as Google and the NSA in disabling the Intel Management Engine (ME) firmware, which has recently been found to contain multiple vulnerabilities. Intel ME provides few to no benefits to consumer laptops, but Intel has been integrating it into all of its chips since 2008 nonetheless.

    [...]

    We’ve only recently discovered, through Positive Technologies, a Russian security firm that has been working on disabling ME, that the NSA was the only one that could disable the ME via an undocumented High Assurance Platform (HAP) mode. This undocumented mode can now also be used to disable ME by Google, Purism, and System76.

  • Linux laptop-flinger says bye-bye to buggy Intel Management Engine

    In a slap to Intel, custom Linux computer seller System76 has said it will be disabling the Intel Management Engine in its laptops.

    Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers.

    One of the most important vulnerabilities is in the black box coprocessor – the Management Engine – which has its own CPU and operating system that has complete machine control. It's meant for letting network admins remotely log into servers and workstations to fix any problems (such as not being able to boot).

  • Dell also sells laptops with Intel Management Engine disabled

    Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward.

    Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world’s largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

    At least three Dell computers can be configured with an “Intel vPro™ – ME Inoperable, Custom Order” option, although you’ll have to pay a little extra for those configurations.
