Security

Spectre/Meltdown Pits Transparency Against Liability: Which is More Important to You?

Filed under
Security

There is a lot of righteous anger directed toward Intel over CPU bugs that were revealed by Spectre/Meltdown. I agree that things could have been handled better, particularly with regards to transparency and the sharing of information among the relevant user communities that could have worked together to deploy effective patches in a timely fashion. People also aren’t wrong that consumer protection laws obligate manufacturers to honor warranties, particularly when a product is not fit for use as represented, if it contains defective material or workmanship, or fails to meet regulatory compliance.

However, as an open source hardware optimist, and someone who someday aspires to see more open source silicon on the market, I want to highlight that demanding Intel return, exchange, or offer rebates on CPUs purchased within a reasonable warranty period is entirely at odds with demands that Intel act with greater transparency in sharing bugs and source code.

Security: Updates, NSA-Windows, Image Previewer, and CPU Bugs

Filed under
Security
  • Security updates for Thursday
  • Cryptocurrency mining malware infects over 500,000 PCs with NSA exploit

    New cryptocurrency mining viruses have lately spread to infect Windows computers as virtual currency-related malware becomes popular and profitable among cyber criminals.

    The viruses are being spread using same EternalBlue exploit, which has been developed by the US National Security Agency (NSA). The exploit was recently used as part of the worldwide WannaCry ransomware attack.

  • Image Previewer: First Firefox Addon that Injects an In-Browser Miner?

    The Image Previewer addon is promoted by web sites that pretend to be a manual Firefox update, but in reality push a Firefox addon to the visitor. This is done through repeated Javascript alerts and user authentication prompts that push the user into installing the addon directly from the site.

  • Beware! This Is The First Firefox Extension That Injects Crypto Miner In Your Browser
  • Linux performance before and after Meltdown and Spectre fixes
  • Spectre/Meltdown Pits Transparency Against Liability: Which is More Important to You?

    [...]

    The open source community could use the Spectre/Meltdown crisis as an opportunity to reform the status quo. Instead of suing Intel for money, what if we sue Intel for documentation? If documentation and transparency have real value, then this is a chance to finally put that value in economic terms that Intel shareholders can understand. I propose a bargain somewhere along these lines: if Intel releases comprehensive microarchitectural hardware design specifications, microcode, firmware, and all software source code (e.g. for AMT/ME) so that the community can band together to hammer out any other security bugs hiding in their hardware, then Intel is absolved of any payouts related to the Spectre/Meltdown exploits.

  • Reckoning The Spectre And Meltdown Performance Hit For HPC

Security: Spectre and Meltdown, ASUS, Lenovo (Windows)

Filed under
Security

Qubes OS 4.0-rc4 has been released!

Filed under
OS
Security

We’re pleased to announce the fourth release candidate for Qubes 4.0! This release contains important safeguards against the Spectre and Meltdown attacks, as well as bug fixes for many of the issues discovered in the previous release candidate. A full list of the Qubes 4.0 issues closed so far is available here. Further details about this release, including full installation instructions, are available in the Qubes 4.0 release notes. The new installation image is available on the Downloads page.

As always, we’re immensely grateful to our community of testers for taking the time to discover and report bugs. Thanks to your efforts, we’re able to fix these bugs before the final release of Qubes 4.0. We encourage you to continue diligently testing this fourth release candidate so that we can work together to improve Qubes 4.0 before the stable release.

Security: Updates, Google, Hacking Team, Microsoft-NSA, Django

Filed under
Security
  • Security updates for Wednesday
  • How Did Google Wipe Out 700,000 Malicious Android Apps From Play Store? Using Artificial Intelligence
  • Hacking Team Is Still Alive Thanks to a Mysterious Investor From Saudi Arabia

    The 2015 breach of spyware vendor Hacking Team seemed like it should have ended the company. Hacking Team was thoroughly owned, with its once-secret list of customers, internal emails, and spyware source code leaked online for anyone to see. But nearly three years later, the company trudges on, in large part thanks to a cash influx in 2016 from a mysterious investor who had been publicly unknown until now.

    The hack hurt the company’s reputation and bottom line: Hacking Team lost customers, was struggling to make new ones, and several key employees left. Three years later—after the appearance of this new investor—the company appears to have stopped the bleeding. The company registered around $1 million in losses in 2015, but bounced back with around $600,000 in profits in 2016.

    Motherboard has learned that this apparent recovery is in part thanks to the new investor, who appears to be from Saudi Arabia—and whose lawyer’s name matches that of a prominent Saudi attorney who regularly works for the Saudi Arabian government and facilitates deals between the government and international companies.

  • NSA exploit EternalBlue is back and powering WannaMine cryptojacking malware

    SAY HELLO to WannaMine, the cryptojacking malware that's using leaked NSA hacking tools to infiltrate computers and syphon processor power to crunch calculations needed to 'mine' cryptocurrencies.

    But first a history lesson. You may remember the EternalBlue, a Windows exploit developed by the NSA that was leaked by hacking group Shadow Brokers.

    Pretty soon after the exploit was used to launch the massive WannaCry ransomware attack that locked down NHS systems and affected some 230,000 computers across 150 countries. EternalBlue was then used to spearhead the arguably more dangerous NotPetya attacks.

  • Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em

    EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.

    [...]

    "After that, the exploit module will drop to disk (or use a PowerShell command)," explains zerosum0x0, "and then copy directly to the hard drive."

  • 10 tips for making the Django Admin more secure

    Offloading the responsibility for making your app secure onto QA testers or an information security office is tempting, but security is everyone's responsibility. The Django Admin is one of our favorite features of Django, but unless it's locked down correctly, it presents opportunities for exploitation. To save your users from compromised data, here are 10 tips to make the Django Admin more secure.

Security: Reproducible Builds, IoT, Code Review, Microsoft Windows Back Doors Cause More Trouble

Filed under
Security
  • Reproducible Builds: Weekly report #144
  • Top 10 IoT Security Threats
  • Code Review Isn't Evil. Security Through Obscurity Is.

    On January 25th, Reuters reported that software companies like McAfee, SAP, and Symantec allow Russian authorities to review their source code, and that "this practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies." The article goes on to explain what source code review looks like and which companies allow source code reviews, and reiterates that "allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses."

    The spin of this article implies that requesting code reviews is malicious behavior. This is simply not the case. Reviewing source code is an extremely common practice conducted by regular companies as well as software and security professionals to ensure certain safety guarantees of the software being installed. The article also notes that “Reuters has not found any instances where a source code review played a role in a cyberattack.” At EFF, we routinely conduct code reviews of any software that we elect to use.

  • A fast-evolving new botnet could take gadgets in your home to the dark side
  • WannaMine: Another Cryptojacking Malware Fueled By Leaked NSA Exploit Is Rising [Ed: Microsoft Windows + NSA back doors = chaos]

    You might be able to recall the NSA exploit called EternalBlue which was leaked by the hacker group in April last year. The Windows exploit was later used to launch worldwide cyber disaster in the name of WannaCry. Another ransomware, also based on EternalBlue, followed a month later.

  • What is WannaMine? New fileless malware uses NSA's leaked EternalBlue exploit to mine cryptocurrency

    Security researchers have discovered a new strain of malware that uses the National Security Agency's EternalBlue exploit to hijack computers and secretly mine cryptocurrency. In April last year, the exploit was leaked as part of a cache of alleged NSA hacking tools released by the hacker group Shadow Brokers.

    Cybersecurity experts had warned that the exploit would soon be leveraged by other threat actors to power their own sophisticated and likely frequent cyberattacks. Shortly after, the Windows exploit was used to launch the massive global WannaCry and NotPetya ransomware attacks in May and June.

Security: Spectre & Meltdown, Cryptocurrency Mining Malware, Android, and Linux

Filed under
Security
  • Linux Monitoring Tool Detects Meltdown Attacks
  • The Spectre & Meltdown Vulnerability Checker for Linux Is Now in Debian's Repos

    If you want to check to see if your Debian GNU/Linux computer is patched against the Meltdown and Spectre security vulnerabilities, it's now easier than ever to install the original spectre-meltdown-checker script.

    Yes, you're reading it right, you can now install the very useful Spectre and Meltdown vulnerability/mitigation checker for Linux-based operating systems created by developer Stéphane Lesimple from the stable software repositories of the Debian GNU/Linux 9 "Stretch" operating system.

  • Cryptocurrency Mining Malware That Uses an NSA Exploit Is On the Rise

    A computer security exploit developed by the US National Security Agency and leaked by hackers last year is now being used to mine cryptocurrency, and according to cybersecurity experts the number of infections is rising.

    Last April, a hacking group called the Shadow Brokers leaked EternalBlue, a Windows exploit that was developed by the NSA. Less than a month later, EternalBlue was used to unleash a devastating global ransomware attack called WannaCry that infected more than 230,000 computers in 150 countries. A month later, in June, the EternalBlue exploit was again used to cripple networks across the world in an even more sophisticated attack. Now, security researchers are seeing the EternalBlue exploit being used to hijack people’s computers to mine cryptocurrency.

  • How Google fights Android malware

    If you just read the headlines, it sounds like Android is a security mess. There's a report about one Android malware program after another. What's not said is that often these Android viruses require a user to be a sucker to get them. But since a sucker is born every minute, Google does its best to stop malware in its tracks.

  • Linux Kernel 4.15: 'An Unusual Release Cycle'

    Linus Torvalds released version 4.15 of the Linux Kernel on Sunday, again, and for a second version in a row, a week later than scheduled. The culprits for the late release were the Meltdown and Spectre bugs, as these two vulnerabilities forced developers to submit major patches well into what should have been the last cycle. Torvalds was not comfortable rushing the release, so he gave it another week.

    Unsurprisingly, the first big bunch of patches worth mentioning were those designed to sidestep Meltdown and Spectre. To avoid Meltdown, a problem that affects Intel chips, developers have implemented Page Table Isolation (PTI) for the x86 architecture. If for any reason you want to turn this off, you can use the pti=off kernel boot option.

  • 64-bit ARM Gets Mitigations For Spectre & Meltdown With Linux 4.16

    The 64-bit ARM (ARM64 / AArch64) architecture code changes were mailed in a short time ago for the Linux 4.16 kernel and it includes mitigation work for Spectre and Meltdown CPU vulnerabilities.

    The main additions to the ARM64 Linux code for the 4.16 kernel are security changes concerning Variant Two of Spectre and Variant Three (Meltdown). This is the initial work ready for Linux 4.16 at this time, while ARM developer Catalin Marinas notes that an improved firmware interface for Variant Two and a method to disable KPTI on ARM64 are coming next week. It's noted that Cavium ThunderX doesn't work with Kernel Page Table Isolation due to a hardware erratum.

Security: Updates, Intel, Taxes, Voting and WordPress

Filed under
Security
  • Security updates for Tuesday
  • House chair hits reports of Intel notifying Chinese firms about chip vulnerabilities before US

    Walden's remarks come after the Journal reported that Intel had notified a small group of companies — including Chinese firms — about Spectre and Meltdown vulnerabilities which, if exploited, allow hackers to access sensitive information stored on computers, phones and servers using Intel, AMD and ARM chips.

  • File Your Taxes Before Scammers Do It For You

    Today, Jan. 29, is officially the first day of the 2018 tax-filing season, also known as the day fraudsters start requesting phony tax refunds in the names of identity theft victims. Want to minimize the chances of getting hit by tax refund fraud this year? File your taxes before the bad guys can!

  • Voting-machine makers are already worried about Defcon

    What's worse, he added that "nearly every state is using some machines that are no longer manufactured, and many election officials struggle to find replacement parts." Before millions of electronic votes were cast for the next US president, Norden told press that "everything from software support, replacement parts and screen calibration were at risk."

    So it's no wonder voting machine makers are keen to get their gear off eBay and keep it out of the hands of white-hat hackers equally keen to expose their collective security failings.

  • More than 2,000 WordPress websites are infected with a keylogger

    The keylogger is part of a malicious package that also installs an in-browser cryptocurrency miner that's surreptitiously run on the computers of people visiting the infected sites. Data provided here, here, and here by website search service PublicWWW showed that, as of Monday afternoon, the package was running on 2,092 sites.

Security: Intel, Lenovo, and Windows

Filed under
Security

OPNsense 18.1

Filed under
Security
BSD
  • OPNsense 18.1 released

    For more than 3 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

    We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this release, nicknamed "Groovy Gecko". Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

  • OPNsense 18.1 BSD Firewall/Network OS Released

    After hitting the RC phase a few weeks ago, OPNsense 18.1 has been officially released as the latest version of this pfSense-forked network/router-oriented BSD operating system.

    OPNsense 18.1 is based on FreeBSD 11.1 while pulling in the HardenedBSD security changes. OPNsense 18.1 reworks its firewall NAT rules, PHP 7.1 and jQuery 3 are powering the web interface, there is now OpenVPN multi-remote support for clients, IPv6 shared forwarding support, improvements for intrusion detection alerts, a rewritten firewall live log, reverse DNS support for insight reporting, and a variety of new plugins.
