
Security

Security: Twitter, Updates, Microsoft Hole in Containers

Filed under
Security

Canonical to Send Notifications to Snap Developers for Ubuntu Security Updates

Filed under
Security
Ubuntu

If you're a Snap app developer, you'll be glad to know that Canonical will now send you alerts via email every time new Ubuntu Security Notices (USNs) are published that contain details about security fixes for the staged packages in the Snap. This will work only if you use "stage-packages" in Snap's snapcraft.yaml configuration file.

"Once a day, the service examines snaps that have manifest.yaml files for their currently published channels/tracks and checks whether USNs have been issued for the versions of the staged packages in the snap. If any snap revisions are affected, the tool will generate a report to send via email," said Canonical in a blog post.

Read more

Twitter Security Problem and Possible Breach

Filed under
Security
  • Twitter: No big deal, but everyone needs to change their password

    Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed.

    Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored scrambled by encryption, something had caused at least one log to record them in plaintext.

    [...]

    The timing of the disclosure is particularly bad for Twitter, as much of the internet is today observing World Password Day by raising awareness of good password management practices and safe storage.

    Certainly this was not the type of exposure Twitter was seeking, particularly as it tries to beef up its protection of user data in the wake of the Cambridge Analytica data-harvesting scandal.

  • Twitter says bug led to passwords stored in plaintext

    Twitter has advised its 330+ million users to change their passwords, following the discovery of a bug that stored passwords in plaintext.

  • Twitter Wants 336 Million Users To Change Passwords, Bug Exposed Them In Plain Text

    The microblogging site Twitter is advising its 336 million users to change their account passwords immediately. The reason: a bug in their system exposed the passwords in plain text.

    According to a blog post, the bug (now fixed) existed in the hashing process that is used to secure account passwords by turning them into random numbers and characters.
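The articles above describe the failure mode but not the code pattern behind it: credentials are meant to be hashed before storage, yet a log statement that runs before (or beside) the hashing step writes the raw request, password included. The block below is an added example, not Twitter's code and not taken from the quoted articles. It places a leaky login logger beside a redacting one and hashes the password immediately with the standard-library PBKDF2 (Twitter is reported to use bcrypt; a memory-hard KDF such as bcrypt, scrypt or Argon2 is the better production choice, PBKDF2 is used here only so the example runs with no extra packages). The request payload and the field names treated as sensitive are constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed list of request fields that must never reach a log.
SENSITIVE_FIELDS = {"password", "new_password", "current_password", "token"}

PBKDF2_ROUNDS = 200_000  # example setting; tune for the deployment's hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaky_login_log(request):
    """The bug pattern: the whole request body is serialised into a debug log
    before the password is hashed, so the log now holds the plaintext."""
    return "login request: " + json.dumps(request, sort_keys=True)


def redact(obj):
    """Return a copy of a request structure with sensitive values replaced,
    descending into nested dicts and lists so a wrapped payload is covered too."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def safe_login_log(request):
    """Same log line, but only the redacted view of the request is serialised."""
    return "login request: " + json.dumps(redact(request), sort_keys=True)


def handle_login(request, stored_hash):
    """Hardened flow: log the redacted request, verify against the stored hash,
    and return (log_line, authenticated) so the caller can see both."""
    line = safe_login_log(request)
    ok = verify_password(request["password"], stored_hash)
    return line, ok


if __name__ == "__main__":
    # Constructed request; the password value is obviously not a real credential.
    req = {"username": "alice", "password": "example-password-1", "client": {"token": "abc"}}
    stored = hash_password(req["password"])
    print(leaky_login_log(req))          # plaintext ends up in the log
    print(handle_login(req, stored)[0])  # redacted log line
```

A log audit for an incident like the one reported is the inverse of `redact`: search the log store for the values of the sensitive fields rather than the field names, since a serialised body may carry the secret under a key the redaction list never heard of.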

Security and Snaps

Filed under
Security
Ubuntu
  • Security updates for Thursday
  • Introducing developer notifications for snap security updates

    For some time, we’ve wanted a mechanism to alert snap publishers to security updates which affect their snaps. All the pieces have come together and we are now sending alerts via email. Stated more precisely, publishers who use ‘stage-packages’ in their snapcraft.yaml will now be alerted when Ubuntu Security Notices (USNs) have been issued for their staged packages. An example report looks like this:

  • Ubuntu Podcast from the UK LoCo: S11E09 – Nine Lives to Die - Ubuntu Podcast

    This week we made a snap of Linux Tycoon, one of us has been moonlighting on another podcast and went to UbuCon Europe 2018. We discuss the release of the AtariBox, the release of Rise of the Tomb Raider for Linux, Iran blocking Telegram and round up the community news.

Security: Schneider, Volkswagen, Audi, Drupalgeddon, Microsoft and DMCA

Filed under
Security

Security: Updates, Patches and Bitwarden

Filed under
Security
  • Security updates for Wednesday
  • CVE-2018-8781: 8-Year-Old Linux Kernel Bug Discovered
  • A critical security flaw in popular industrial software put power plants at risk

    A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure.

    Researchers at security firm Tenable found the flaw in the popular Schneider Electric software, used across the manufacturing and power industries, which if exploited could have allowed a skilled attacker to attack systems on the network.

    It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, about Russian hackers.

    [...]

    He explained that the stack-based buffer overflow attack can be leveraged in several malicious ways. First, an attacker can use the vulnerability to trigger a denial-of-service event by crashing the software, locking out remote administrators from their central operations. The bug can also be used to gain a foothold further into the network -- as well as other industrial devices -- or even send instructions to some physical control systems in the plant or unit.

  • Bitwarden: The Secure, Open Source Password Manager You're Looking For

    I was recently looking to migrate my passwords to an open source, cross-platform password manager that syncs passwords but also allows accessing passwords offline, and I discovered Bitwarden, which is advertised as an "open source password management solution for individuals, teams, and business organizations".

    After using it for about a week, I can tell you that Bitwarden is probably the best open source alternative to LastPass. It comes with browser support, cloud password (as well as notes and credit card information) synchronization, 2FA, can be self hosted, it's cross-platform, and easy to use.

Security: The Internet Of Broken Things, Aadhaar, and Kali Linux Under Microsoft Back Doors

Filed under
Security
  • Princeton Project Aims To Secure The Internet Of Broken, Shitty Things

    Year after year, we're installing millions upon millions of "internet of things" devices on home and business networks that have only a fleeting regard for security or privacy. The width and depth of manufacturer incompetence on display can't be understated. Thermostats that prevent you from actually heating your home. Smart door locks that make you less secure. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death.

    The list goes on and on, and it grows exponentially by the week, especially as such devices are quickly compromised and integrated into massive new botnets.

  • Mozilla Statement on Recent Reports of Aadhaar Data Being Breached (again)

    Mozilla is deeply alarmed by recent reports that it is possible to purchase editing rights to the Aadhaar database for a mere 2,000 rupees.

    Mozilla has long argued that the Aadhaar lacks critical safeguards. With the demographic data reportedly compromised, it is hard to see how Aadhaar can be trusted for authentication. Access to myriad vital public and private services which require Aadhaar for more than a billion Indians is now at risk.

  • How to: Install Kali Linux on Windows 10
  • Kali Linux installation on Windows 10

Security: Updates, Reproducible Builds, FacexWorm and CCCongress

Filed under
Security

Working around Intel Hardware Flaws

Filed under
Linux
Hardware
Security

Efforts to work around serious hardware flaws in Intel chips are ongoing. Nadav Amit posted a patch to improve compatibility mode with respect to Intel's Meltdown flaw. Compatibility mode is when the system emulates an older CPU in order to provide a runtime environment that supports an older piece of software that relies on the features of that CPU. The thing to be avoided is to emulate massive security holes created by hardware flaws in that older chip as well.

In this case, Linux is already protected from Meltdown by use of PTI (page table isolation), a patch that went into Linux 4.15 and that was subsequently backported all over the place. However, like the BKL (big kernel lock) in the old days, PTI is a heavy-weight solution, with a big impact on system speed. Any chance to disable it without reintroducing security holes is a chance worth exploring.

Nadav's patch was an attempt to do this. The goal was "to disable PTI selectively as long as x86-32 processes are running and to enable global pages throughout this time."
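Whether PTI is active on a given host is the first thing to establish before reasoning about any selective disabling of it, and the kernel exposes that state in three places: the Meltdown entry under /sys/devices/system/cpu/vulnerabilities ("Not affected", "Vulnerable" or "Mitigation: PTI"), the "pti" flag in /proc/cpuinfo, and the nopti / pti=off parameters on the kernel command line. The block below is an added example that reads those three sources and is not derived from the patch under discussion; the sample file contents are constructed to look like a host where PTI is on, and the functions also accept real file contents.

```python
import re

# Constructed samples in the shape of the real files, for a hypothetical host with PTI on.
SAMPLE_MELTDOWN = "Mitigation: PTI\n"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pti\n"
)
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro\n"

MELTDOWN_SYSFS = "/sys/devices/system/cpu/vulnerabilities/meltdown"


def meltdown_status(text):
    """Classify the sysfs Meltdown entry into (state, mitigation-or-None)."""
    text = text.strip()
    if text == "Not affected":
        return "not affected", None
    if text.startswith("Mitigation:"):
        return "mitigated", text.split(":", 1)[1].strip()
    return "vulnerable", None


def cpu_flags(cpuinfo_text):
    """Flag set of the first CPU block in /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def pti_disabled_by_cmdline(cmdline_text):
    """nopti and pti=off on the kernel command line turn the mitigation off at boot."""
    params = cmdline_text.split()
    return "nopti" in params or "pti=off" in params


def pti_active(meltdown_text, cpuinfo_text, cmdline_text):
    """True only when all three sources agree that PTI is in effect."""
    state, how = meltdown_status(meltdown_text)
    return (state == "mitigated" and how == "PTI"
            and "pti" in cpu_flags(cpuinfo_text)
            and not pti_disabled_by_cmdline(cmdline_text))


def host_pti_active():
    """Evaluate the running host; returns None when the files are unavailable
    (non-Linux, or a kernel too old to expose the vulnerabilities directory)."""
    try:
        with open(MELTDOWN_SYSFS) as f, open("/proc/cpuinfo") as c, open("/proc/cmdline") as k:
            return pti_active(f.read(), c.read(), k.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("sample host:", pti_active(SAMPLE_MELTDOWN, SAMPLE_CPUINFO, SAMPLE_CMDLINE))
    print("this host:", host_pti_active())
```

A host that reports "Not affected" needs no PTI at all (the case for CPUs without the flaw), while "Vulnerable" together with nopti on the command line is the configuration the patch discussed above is trying to reach safely for x86-32 processes only, rather than for the whole system.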

Read more

Also: ZFS vs XFS

Security: Attacks on Hospital, NHS Pays Microsoft After Getting Cracked Due to Microsoft, Other Windows Problems

Filed under
Microsoft
Security
  • This Russian Company Sells Zero-Day Exploits for Hospital Software

    Moscow-based Gleg provides zero-day exploits for medical software, and those in the medical industry are concerned about disclosure. But the exploits themselves may not be all that important in real world attacks.

  • NHS will upgrade all systems to Windows 10 following WannaCry outbreak [Ed: NHS rewards Microsoft after its back doors killed many British people. iophk: "Vista 10 was still vulnerable, just low market-share at the time; vendor lock-in through centralisation is harder to break out of"]

    "The introduction of a centralised Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernise its IT infrastructure."

  • This Code On USB Can Trigger BSOD Even On Locked Windows PCs

    In the past, we’ve told you about the perils of picking any random USB drive and using it. It might contain malware and dangerous scripts to target your online accounts. A Bitdefender security researcher, Marius Tivadar, has underlined the importance of this issue with his proof-of-concept code (Via: CSO Online).

  • PoC code triggers BSOD on vulnerable Windows boxes even if PC is locked

    A malware researcher published proof-of-concept code that, when put on a USB stick, can trigger the dreaded Blue Screen of Death on various versions of Windows even if the system is locked.

    Bitdefender’s Marius Tivadar discovered a vulnerability in the way that Windows handles NTFS file system images. When publishing the proof-of-concept code on GitHub, he explained, “One can generate Blue Screen of Death using a handcrafted NTFS image. This denial-of-service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.”

  • Federal 'turf war' complicates cybersecurity efforts

    While Homeland Security is broadly recognized as the main agency defending federal networks and critical national assets from cyberattacks, individual agencies also play a major role in guarding their own networks and personnel from malicious cyber actors.


More in Tux Machines

EXT4 fscrypt vs. eCryptfs vs. LUKS dm-crypt Benchmarks

Given the recent advancements of the EXT4 file-system with its native file-system encryption support provided by the fscrypt framework, here are benchmarks comparing the performance of an EXT4 file-system with no encryption, fscrypt-based encryption, eCryptfs-based encryption, and a LUKS dm-crypt encrypted volume. Read more

Debian GNU/Linux 8 "Jessie" Has Reached End of Security Support, Upgrade Now

Released more than three years ago, on April 25, 2015, Debian GNU/Linux 8 "Jessie" is currently considered the "oldstable" Debian branch since the release of the Debian GNU/Linux 9 "Stretch" operating system series precisely a year ago, on June 17, 2017. As such, Debian GNU/Linux 8 "Jessie" has now reached end of life and will no longer receive regular security support beginning June 17, 2018. Security support for Debian GNU/Linux 8 "Jessie" will be handed over to the Debian LTS team now that Long Term Support (LTS) for Debian GNU/Linux 7 "Wheezy" ended on May 31, 2018. Debian GNU/Linux 8 "Jessie" will start receiving additional support from the Debian LTS project starting today, but only for a limited number of packages and architectures like i386, amd64, armel, and armhf. Read more

openSUSE Tumbleweed Is Now Powered by Linux Kernel 4.17, KDE Plasma 5.13 Landed

As of today, the openSUSE Tumbleweed rolling operating system is powered by the latest Linux 4.17 kernel series, which landed in the most recent snapshot released earlier. Tumbleweed snapshot 20180615 was released today, June 17, 2018, and it comes only two days after snapshot 20180613, which added the Mesa 18.1.1 graphics stack and KDE Plasma 5.13 desktop environment, along with many components of the latest KDE Applications 18.04.2 software suite. Today's snapshot 20180615 continued upgrading the KDE Applications software suite to version 18.04.2, but it also upgraded the kernel from Linux 4.16.12 to Linux 4.17.1. As such, openSUSE Tumbleweed is now officially powered by Linux kernel 4.17, so upgrading your installs as soon as possible would be a good idea. Read more

today's howtos and leftovers