Security

Security: KAISER, Coppersmith Attack, Updates, and Web Threats

Filed under
Security
  • KAISER: hiding the kernel from user space

    Since the beginning, Linux has mapped the kernel's memory into the address space of every running process. There are solid performance reasons for doing this, and the processor's memory-management unit can ordinarily be trusted to prevent user space from accessing that memory. More recently, though, some more subtle security issues related to this mapping have come to light, leading to the rapid development of a new patch set that ends this longstanding practice for the x86 architecture.

  • Security updates for Wednesday
  • ROCA: Return Of the Coppersmith Attack

    On October 30, 2017, a group of Czech researchers from Masaryk University presented the ROCA paper at the ACM CCS Conference, which earned the Real-World Impact Award. We briefly mentioned ROCA when it was first reported but haven't dug into details of the vulnerability yet. Because of its far-ranging impact, it seems important to review the vulnerability in light of the new results published recently.

  • Some Websites Are Mining Cryptocurrency Using Your CPU Even When You Close Browser

    The advent of cryptocurrencies was bound to spark the interest of cybercriminals who are always looking to exploit some technology to steal some clicks or install malware. In recent times, we’ve come across reports of a huge number of websites using your CPU power to mine cryptocurrency; the browser extensions and Android apps aren’t untouched by this epidemic. Developers have also come up with different options to ban this practice altogether.

    In the previous research work conducted by security firms, it was found that a miner could be run as long as the browser was running; close the browser and mining activity stops. However, as per the latest technique spotted by Malwarebytes, some dubious website owners can mine digital coins like Monero even after the browser window is closed.

  • Top 10 Common Hacking Techniques You Should Know About

    Using simple hacks, a hacker can get unauthorized access to personal information which you might not want to reveal. Knowing about these common hacking techniques like phishing, DDoS, clickjacking etc., could come in handy for your personal safety.

Security: SEC, Intel, Apple, Entropy, and Yahoo

Filed under
Security
  • SEC hack [sic] was preceded by years of warnings about lax cybersecurity

    After the Securities and Exchange Commission (SEC) disclosed in September that its EDGAR corporate filing system had been hacked [sic] a year earlier, Chairman Jay Clayton declared cybersecurity one of his agency's top priorities.

  • Intel's "Management Engine"

    Concern about the ME goes back further. Sparked by a talk given at the Chaos Computer Conference by [Joanna Rutkowska] of the Qubes OS project, back in January 2016 Brian Benchoff at Hackaday wrote:

    Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.

  • Here's How to Temporarily Fix the macOS High Sierra Bug That Gives Full Admin Access to Your Mac Sans Password

    A newly discovered bug in macOS High Sierra enables the root superuser on a Mac with a blank password and no security check, essentially giving anyone full access to your Mac.

    Apple is likely already working on a fix, but in the meantime, there's a temporary workaround -- enabling the root user with a password.

  • Anyone Can Hack [sic] MacOS High Sierra Just by Typing "Root"
  • Major Apple security flaw grants admin access on macOS High Sierra without password

    However, The Verge has been able to confirm the major security issue remains present as of MacOS 10.13.1, the current release of High Sierra. When the problem is exploited, the user is authenticated into a “System Administrator” account and is given full ability to view files and even reset or change passwords for pre-existing users on that machine. Apple ID email addresses tied to users on the Mac can be removed and altered, as well. There are likely many more ways that someone taking advantage of the issue could wreak havoc on a Mac desktop or laptop.

  • How Robust is the Randomness?
  • Hacker pleads guilty to huge Yahoo hack, admits helping Russia’s FSB

    A Canadian man has pleaded guilty to hacking charges related to a 2014 spear-phishing operation of Yahoo employees. The hack ultimately compromised 500 million Yahoo accounts.

    The operative, Karim Baratov, appeared in a San Francisco federal court on Tuesday afternoon. He also admitted that his role was to "hack webmail accounts of individuals of interest to the FSB," the Russian internal security service. Baratov then sent those passwords to his alleged co-conspirator, Dmitry Aleksandrovich Dokuchaev.

Security: NSA Leaks, Linux 'Distro' Accidentally Uploaded, and Magento Patches

Filed under
Security
  • Researcher discovers classified Army intel app, data on open public AWS bucket

    After uncovering a massive trove of social media-based intelligence left on multiple Amazon Web Services S3 storage buckets by a Defense Department contractor, the cloud security firm UpGuard has disclosed yet another major cloud storage breach of sensitive intelligence information. This time, the data exposed includes highly classified data and software associated with the Distributed Common Ground System-Army (DCGS-A), an intelligence distribution platform that DOD has spent billions to develop. Specifically, the breach involves software for a cloud-based component of DCGS-A called "Red Disk."

  • Latest NSA Leak Reveals Secret Army Intelligence Project

    The program, led by U.S. Army Intelligence and Security Command, a division of the National Security Agency, was supposed to help the Pentagon get real-time information about what was happening on the ground in Afghanistan in 2013 by collecting data from U.S. computer systems on the ground, according to tech news site ZDNet. But the agency killed the initiative in 2014 because of technical problems that it described in the leaked documents as “a major hindrance to operations.”

  • Top secret Army, NSA data found on public internet due to misconfigured AWS server
  • New details of NSA's Ragtime program appear in leaked files

    A leaked document shines new light on a surveillance program developed by the National Security Agency.

    The program, known as Ragtime, collects the contents of communications, such as emails and text messages, of foreign nationals under the authority of several US surveillance laws.

  • Magento Releases Security Updates for Commerce and Open Source 1.x

    Magento released two updates today to address some security concerns with Magento 1.x installations. While 2.x received some recent security updates, this is the first 1.x update in some time.

Security: Apple, Microsoft, and Human Error (GNU/Linux)

Filed under
Security

KDE’s Goal: Privacy

Filed under
KDE
Security

In the past, KDE software has come a long way in providing privacy tools, but the tool-set is neither comprehensive, nor are privacy and its implications widely seen as critical to our success in this area. Setting privacy as a central goal for KDE means that we will put more focus on this topic and lead to improved tools that allow users to increase their level of privacy. Moreover, it will set an example for others to follow and hopefully increase standards across the whole software ecosystem. There is much work to do, and we’re excited to put our shoulder under it and work on it.


Security: Updates, Uber Crack, NSA Breach, Windows Ransom, Barracuda Networks, US Department of Education

Filed under
Security
  • Security updates for Tuesday
  • Chicago: Uber’s claim that hackers fully deleted stolen data is “nonsensical”

    It has now been a full week since the jaw-dropping revelations that Uber sustained a massive data breach in 2016, which affected more than 57 million people.

    Since November 21, the company has been hit with 10 federal lawsuits (including the two Ars reported on last week). On Monday, the city of Chicago and Cook County also sued Uber in Illinois state court, while numerous senators are now demanding answers as well.

  • Yet another NSA intel breach discovered on AWS. It’s time to worry.

    Once again the US government displays a level of ineptitude that can only be described as ‘Equifaxian’ in nature. An AWS bucket with 47 viewable files was found configured for “public access,” and containing Top Secret information the government designated too sensitive for our foreign allies to see.

  • Classified US Army and NSA data was stored on an unprotected server
  • New NSA leak exposes Red Disk, the Army's failed intelligence system

    The disk image, when unpacked and loaded, is a snapshot of a hard drive dating back to May 2013 from a Linux-based server that forms part of a cloud-based intelligence sharing system, known as Red Disk. The project, developed by INSCOM's Futures Directorate, was slated to complement the Army's so-called distributed common ground system (DCGS), a legacy platform for processing and sharing intelligence, surveillance, and reconnaissance information.

    Each branch of the military has its own version of the intelligence sharing platform -- the Army's is said to be the largest -- but the Army's system struggled to scale to the number of troops who need it.

    Red Disk was envisioned as a highly customizable cloud system that could meet the demands of large, complex military operations. The hope was that Red Disk could provide a consistent picture from the Pentagon to deployed soldiers in the Afghan battlefield, including satellite images and video feeds from drones trained on terrorists and enemy fighters, according to a Foreign Policy report.

  • World’s Biggest Botnet “Necurs” Sends 12.5 Million Scarab Ransomware Emails

    Once the ransomware infects a machine, it encrypts files and adds “[[email protected]].scarab” extension to affected files. A ransom note with filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” is also dropped in the affected directory.

  • Barracuda Networks Acquired by Thoma Bravo in $1.6B Deal
  • Federal student aid site offers one-stop shopping for ID thieves?

    The arrival of the holidays heralds another season soon to arrive: the tax season and, with it, the tax-return fraud season. And while the Internal Revenue Service has made some moves toward stanching the flow of fraudulent tax returns filed by cyber-criminals, another government agency may be offering up fresh fuel to fraudsters' efforts: the US Department of Education.

Security: Intel's Management Engine (ME) and UPS Backdoor Malware

Filed under
Security
  • Potential impact of the Intel ME vulnerability

    Intel's Management Engine (ME) is a small coprocessor built into the majority of Intel CPU chipsets[0]. Older versions were based on the ARC architecture[1] running an embedded realtime operating system, but from version 11 onwards they've been small x86 cores running Minix. The precise capabilities of the ME have not been publicly disclosed, but it is at minimum capable of interacting with the network[2], display[3], USB, input devices and system flash. In other words, software running on the ME is capable of doing a lot, without requiring any OS permission in the process.

    Back in May, Intel announced a vulnerability in the Advanced Management Technology (AMT) that runs on the ME. AMT offers functionality like providing a remote console to the system (so IT support can connect to your system and interact with it as if they were physically present), remote disk support (so IT support can reinstall your machine over the network) and various other bits of system management. The vulnerability meant that it was possible to log into systems with enabled AMT with an empty authentication token, making it possible to log in without knowing the configured password.

    This vulnerability was less serious than it could have been for a couple of reasons - the first is that "consumer"[4] systems don't ship with AMT, and the second is that AMT is almost always disabled (Shodan found only a few thousand systems on the public internet with AMT enabled, out of many millions of laptops). I wrote more about it here at the time.

  • Chinese nationals indicted on federal computer hacking [sic] charges

    Beginning in at least 2013, the defendants “and others known and unknown to the grand jury” used spearphishing emails containing malicious attachments or customized malware to hack into networks used by U.S. and foreign businesses, according to the indictment.

  • Security firm was front for advanced Chinese hacking operation, Feds say

    Wu Yingzhuo, Dong Hao, and Xia Lei face federal charges that they conspired to steal hundreds of gigabytes of data belonging to Siemens AG, Moody’s Analytics, and the GPS technology company Trimble. The indictment, which was filed in September and unsealed on Monday, said the trio used spear phishing e-mails with malicious attachments or links to infect targeted end users. The defendants used customized tools collectively known as the UPS Backdoor Malware to gain and maintain unauthorized access to the targeted companies' networks.

Qubes OS 4.0-rc3 has been released!

Filed under
OS
Security

We’re pleased to announce the third release candidate for Qubes 4.0! Our goal for this release candidate is to improve the stability and reliability of Qubes 4.0, so we’ve prioritized fixing known bugs over introducing new features. Many of the bugs discovered in our previous release candidate are now resolved. A full list of the Qubes 4.0 issues closed so far is available here.


Open source nameserver used by millions needs patching

Filed under
OSS
Security

Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today.

None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways.

That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed, or if the wrong network promises it's the best way to reach YouTube, then YouTube is blackholed.


Long-term Linux support future clarified

Filed under
Linux
Security

In October 2017, the Linux kernel team agreed to extend the Long Term Support (LTS) period of the next LTS version of Linux, Linux 4.14, from two years to six years. This helps Android, embedded Linux, and Linux Internet of Things (IoT) developers. But this move did not mean all future Linux LTS versions will have a six-year lifespan.

As Konstantin Ryabitsev, The Linux Foundation's director of IT infrastructure security, explained in a Google+ post, "Despite what various news sites out there may have told you, kernel 4.14 LTS is not planned to be supported for 6 years. Just because Greg Kroah-Hartman is doing it for 4.4 does not mean that all LTS kernels from now on are going to be maintained for that long."

So, in short, 4.14 will be supported until January 2020, while the 4.4 Linux kernel, which arrived on Jan. 20, 2016, will be supported until 2022. Therefore, if you're working on a Linux distribution that's meant for the longest possible run, you want to base it on Linux 4.4.
