Security

Security: Updates, Apple APFS Passwords, WordPress, Microsoft FUD, and Internet of Broken Things

Filed under
Security
  • Security updates for Friday
  • Apple fixes Keychain vulnerability, but only in macOS High Sierra

    The zero-day vulnerability in macOS's Keychain has been addressed by Apple, along with some other issues in High Sierra. But other recent versions of the operating system are still vulnerable.  

  • macOS High Sierra bug exposes APFS passwords in plain text

    A Brazilian software developer has uncovered a bug in Apple's macOS High Sierra software that exposes the passwords of encrypted Apple File System (APFS) volumes in plain text.

  • The September 2017 WordPress Attack Report

    This edition of the WordPress Attack Report is a continuation of the monthly series we’ve been publishing since December 2016. Reports from the previous months can be found here.

    This report contains the top 25 attacking IPs for September 2017 and their details. It also includes charts of brute force and complex attack activity for the same period, along with a new section revealing changes to the Wordfence real-time IP blacklist throughout the month. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

  • Step aside, Windows! Open source and Linux are IT’s new security headache [Ed: Microsoft propagandist Preston Gralla is back from the woods. The typical spin, lies. Deflection. Windows has back doors.]
  • Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things

    At this point we've pretty well documented how the "internet of things" is a privacy and security dumpster fire. Whether it's tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn't be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard to user privacy -- posing a potentially fatal threat to us all.

Security: Forseti, Updates, FormBook, Kaspersky, and APFS

Filed under
Security

Security: India's Internet, Equifax, and Yahoo!

Filed under
Security

Security: RoboCyberWall, Updates, Dnsmasq, SEC, and Yahoo!

Filed under
Security
  • RoboCyberWall Aims to Block Linux Server Hacks [Ed: ad disguised as an article]
  • Security updates for Wednesday
  • Google Patches Open-Source Flaw, Requires TLD Encryption

    Google has made a couple of notable moves on the security front this week: One, it has patched flaws in a DNS software package known as Dnsmasq; and two, it said it would start requiring encryption for 45 top-level domains (TLDs) that it controls as a registrar.

    Dnsmasq, an open-source package, is widely installed in desktop Linux distributions (like Ubuntu), home routers and IoT devices, and provides functionality for serving DNS, DHCP, router advertisements and network boot. Google discovered seven distinct issues within the kit: three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5.

  • SEC hack came as internal security team begged for funding

    Last month, the Securities and Exchange Commission revealed a 2016 breach of a test system that allowed an unknown party to get access to unpublished corporate information in the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The breach potentially allowed the bad actors to profit from trades based on the information. SEC Chairman Jay Clayton revealed the extent of that breach in a policy statement on the importance of the commission's cyber-security mission. But just a few months before the SEC discovered the initial breach last year, as Reuters reports, members of the SEC's own internal digital forensics and security team wrote a letter bemoaning the lack of support they received from the agency's Office of Information Technology and SEC leadership.

  • Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.

    Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it's always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo's email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.

Security: Yahoo 'Search Secrets', Breach Secrets, Bluetooth Woes, and Phishing

Filed under
Security
  • Yahoo Reveals Its Search Secrets, Vespa Tool is Now Available as Open Source

    Oath Inc., the Verizon company that has owned Yahoo since June, announced that Vespa is now available as open source on GitHub. According to a company blog post, making the big data processing and serving engine open source is a step further in Oath’s commitment to opening up its big data infrastructure to developers.

  • If you have a Yahoo account, do this now

    The company, which along with AOL is now part of a Verizon subsidiary called Oath, disclosed Tuesday that a 2013 hack had potentially stolen the information of all of its 3 billion users at the time — or triple the number of vulnerable users it had earlier reported.

  • Yahoo revises number of hacked accounts from 500,000,000 to 3,000,000,000

    Just over a year ago, Yahoo admitted that it had been hacked in 2013, and estimated that 500 million accounts had been compromised (the company blamed state-sponsored actors, and federal prosecutors have indicted two Russian spies for ordering the operation). Now the company has admitted that all three billion of its accounts were affected.

  • Yahoo Says All 3 Billion Accounts Hacked in 2013 Data Theft

    Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications.

  • Bluetooth sex toys are trivial to compromise just by walking around neighborhoods

    Lomas demonstrated the attack by wandering the streets of Berlin, compromising Lovesense Hush buttplugs. He also demonstrated that he could attack and compromise his father's BLE-enabled hearing aid, controlling what sound was played, allowing him to put voices in his father's head, or selectively alter his hearing.

  • Screwdriving. Locating and exploiting smart adult toys

    It’s hopefully well known by now that Bluetooth’s baby brother, BLE, isn’t exactly stellar when it comes to security. What you save in battery life and complexity comes at the price of easy discoverability and exploitability. Whilst BLE does have support for security, it is rarely implemented. When it is implemented it’s often done poorly.

  • Councils attacked over email ‘phishing’

    Banks and other financial institutions, including PayPal and Ebay, have been targeted frequently by crooks, as has the government’s tax collection agency HMRC - which often appears to be the source of emails promising lucrative tax rebates.

    But the government’s National Cyber Security Centre, which is part of GCHQ, has said that fewer than five per cent of other public sector organisations have taken sufficient steps to prevent similar attacks, by using the validation protocol known as DMARC.
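
    The NCSC figure above counts organisations that have published a DMARC policy at all, and a published record is not the same as an enforced one: a record with p=none only asks receivers to send reports, a pct below 100 applies the policy to a fraction of failing mail, and sp=none leaves every subdomain open to spoofing. The checker below is an added example written for this page, not code from the article or from NCSC. It grades a domain's record by those criteria. SAMPLE_ZONE and lookup_txt are a constructed stand-in for DNS TXT queries so the script runs offline; the domain names and records are invented. A real checker would query _dmarc.<domain> TXT through a resolver and, for a subdomain with no record, fall back to the organizational domain, which this example leaves out.

```python
"""Grade the DMARC policies a set of domains publish.

Added example for this page, not code from the article or from NCSC.
SAMPLE_ZONE is a constructed stand-in for DNS TXT lookups so the script
runs offline; replace lookup_txt() with a real resolver call to use it.
"""
import re

# Constructed sample data: TXT records at _dmarc.<domain>. Not real domains.
SAMPLE_ZONE = {
    "_dmarc.council-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@council-a.example"],
    "_dmarc.council-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@council-b.example"],
    "_dmarc.council-c.example": ["v=DMARC1; p=quarantine; pct=20; sp=none"],
    "_dmarc.council-d.example": ["v=spf1 -all"],                 # SPF published at the wrong name
    "_dmarc.council-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    "_dmarc.council-g.example": ["v=DMARC1; p=reject; sp=none"],
    "_dmarc.council-h.example": ["v=DMARC1; p=reject; pct=150"],  # out-of-range pct
    # council-f.example publishes nothing at _dmarc
}
SAMPLE_DOMAINS = [f"council-{c}.example" for c in "abcdefgh"]

VALID_POLICIES = ("none", "quarantine", "reject")


def lookup_txt(name, zone):
    """Stand-in for a DNS TXT query; returns a list of strings (possibly empty)."""
    return zone.get(name, [])


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with RFC 7489 defaults applied.

    Raises ValueError for a non-DMARC record, a missing or invalid p=/sp= tag,
    or a pct= value outside 0..100.
    """
    segments = [s.strip() for s in record.split(";") if s.strip()]
    if not segments or not re.fullmatch(r"v\s*=\s*DMARC1", segments[0], re.I):
        raise ValueError("not a DMARC1 record")
    tags = {}
    for seg in segments[1:]:
        name, sep, value = seg.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {seg!r}")
        name, value = name.strip().lower(), value.strip()
        if name in ("p", "sp", "adkim", "aspf"):
            value = value.lower()
        tags[name] = value
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError(f"invalid pct= {pct!r}")
    # Defaults from RFC 7489 section 6.3
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags["pct"] = int(pct)
    tags.setdefault("sp", tags["p"])   # sp defaults to the value of p
    tags.setdefault("rua", None)
    return tags


def dmarc_records(domain, zone):
    """Return the DMARC records found at _dmarc.<domain> (non-DMARC TXT ignored)."""
    return [t for t in lookup_txt(f"_dmarc.{domain}", zone)
            if re.match(r"\s*v\s*=\s*DMARC1\b", t, re.I)]


def grade(domain, zone):
    """Classify the protection a domain's DMARC record gives against spoofing."""
    records = dmarc_records(domain, zone)
    if not records:
        return "missing"
    if len(records) > 1:
        return "multiple"           # RFC 7489 6.6.3: receivers then apply no policy
    try:
        tags = parse_dmarc(records[0])
    except ValueError:
        return "invalid"
    if tags["p"] == "none":
        return "monitor-only"       # reports arrive, spoofed mail is still delivered
    if tags["pct"] < 100:
        return "partial"            # only pct% of failing mail gets the policy
    if tags["sp"] == "none":
        return "enforced-subdomains-open"   # mail from any subdomain is unpoliced
    return "enforced"


def report(domains, zone):
    """Map each domain to its grade."""
    return {d: grade(d, zone) for d in domains}


if __name__ == "__main__":
    for domain, status in report(SAMPLE_DOMAINS, SAMPLE_ZONE).items():
        print(f"{domain:22} {status}")
```

    Only "enforced" in this grading means a receiver that honours DMARC will reject or quarantine every message that fails alignment for the domain and its subdomains; a survey that counts "monitor-only" records as protection overstates the picture.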

OpenSSH 7.6 and FreeBSD 10.4

Filed under
Software
Security
BSD

Security: Updates, Reproducible Builds, Dnsmasq, Leaks, Kaspersky, and Linux LTS

Filed under
Security

Security: Dnsmasq, Other Updates, Equifax Breach, and US DDoS

Filed under
Security

Security: Behind the Masq, CVE-2017-1000253

Filed under
Security
  • Behind the Masq: Yet more DNS, and DHCP, vulnerabilities

    Our team has previously posted about DNS vulnerabilities and exploits. Lately, we’ve been busy reviewing the security of another DNS software package: Dnsmasq. We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake.

    Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks.

  • Serious Linux kernel security bug fixed

    Sometimes old fixed bugs come back to bite us. That's the case with CVE-2017-1000253, a Local Privilege Escalation Linux kernel bug.

Debian and Tails: Development Reports and Tails 3.2

Filed under
Security
Debian
  • Monthly FLOSS activity - 2017/09 edition
  • Free Software Efforts (2017W39)

    Here’s my weekly report for week 39 of 2017. In this week I have travelled to Berlin and caught up on some podcasts in doing so. I’ve also had some trouble with the RSS feeds on my blog but hopefully this is all fixed now.

    Thanks to Martin Milbret I now have a replacement for my dead workstation, an HP Z600, and there will be a blog post about this new set up to come next week. Thanks also to Sýlvan and a number of others that made donations towards getting me up and running again. A breakdown of the donations and expenses can be found at the end of this post.

  • My Debian Activities in September 2017

    This month almost the same numbers as last month appeared in the statistics. I accepted 213 packages and rejected 15 uploads. The overall number of packages that got accepted this month was 425.

  • Tails 3.2: Privacy, Security, and Anonymity on the Internet Just Got Easier

    The operating system Ed Snowden used to communicate with journalists when he revealed the size and scope of NSA surveillance in 2013 received a major update Thursday. Tails (which stands for The Amnesic Incognito Live System) is a Linux distribution created and distributed by the Tails Project. Tails is built from the ground up to offer security, privacy, and anonymity to computer users everywhere.

    Tails — which is described by its developers as “privacy for anyone anywhere” — has been around since 2009 and has received the Mozilla Open Source Support Award (2016), the Access Innovation Prize (2014), and the OpenITP award (2013). More importantly, it has been used by dissidents in oppressive nations, activists who feel the need to remain anonymous, whistleblowers, and investigative journalists. In fact, the three journalists most involved in the Snowden revelations all used Tails when communicating with him about NSA surveillance. Snowden insisted on it. In April 2014, Freedom of the Press Foundation reported that Laura Poitras, Glenn Greenwald, and Barton Gellman all told the foundation that Tails was instrumental in allowing them to communicate with Snowden about NSA surveillance while avoiding the very surveillance they were preparing to report on.
