Security: Spectre Variant One, Spectre-NG, NTLM and China

Filed under
Security
  • Linux Kernel Hardens Sound Drivers Against Spectre V1 Vulnerability

    As part of fixes landing for the Linux kernel sound drivers, several sound drivers were hardened against Spectre Variant One.

    HDA, Control, OSS, OPL3, and HDSPM were among the ALSA code in the kernel now hardened against potential Spectre Variant One exploitation. Spectre V1 as a reminder is the bounds check bypass vulnerability.

  • Spectre-NG: Security bods uncover eight new 'Spectre-class' flaws in Intel CPUs

    According to the website, Google's Project Zero uncovered one of the flaws, which have been collectively named 'Spectre Next Generation' or 'Spectre-NG', and will publicly reveal it on 7 May, a day ahead of Microsoft's Patch Tuesday.

  • PDF Files Can Silently Leak NTLM Credentials

    Attackers looking to steal the credentials for the NT LAN Manager (NTLM) authentication protocol (which consist of a domain name, a user name, and a one-way hash of the user's password) can do so by abusing a feature where remote documents and files can be embedded inside PDF files.

  • Report: Chinese government is behind a decade of hacks on software companies

    Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.

Security Leftovers

Filed under
Security
  • Twitter Suggests All of Its 336 Million Users Change Their Passwords After Leaving Them Unprotected

    Normally, Twitter protects passwords through a process called hashing, in which it replaces the actual characters of a password with random letters and numbers. The bug allowed passwords to be kept in an “internal log” without hashing so they were stored in their readable text format.

  • When Your Employees Post Passwords Online

    Storing passwords in plaintext online is never a good idea, but it’s remarkable how many companies have employees who are doing just that using online collaboration tools like Trello.com. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources. Among those put at risk by such activity included an insurance firm, a state government agency and ride-hailing service Uber.  

  • Sci-Hub ‘Pirate Bay For Science’ Security Certs Revoked by Comodo

    Sci-Hub, often known as 'The Pirate Bay for Science', has lost control of several security certificates after they were revoked by Comodo CA, the world's largest certification authority. Comodo CA informs TorrentFreak that the company responded to a court order which compelled it to revoke four certificates previously issued to the site.

  • DDoS attacks in Europe 'down 60 per cent' following WebStresser takedown

    According to Europol, who headed up the international operation to take down WebStresser, the site had over 136,000 registered users at the time it was shut down and had been responsible for more than four million DDoS attacks in recent years - including one aimed at seven of the UK's biggest banks in November last year.

  • Nigerian Email Scammers Are More Effective Than Ever

    On Thursday, the security firm Crowdstrike published detailed findings on Nigerian confraternities, cultish gangs that engage in various criminal activities and have steadily evolved email fraud into a reliable cash cow. The groups, like the notorious Black Axe syndicate, have mastered the creation of compelling and credible-looking fraud emails. Crowdstrike notes that the groups aren’t very regimented or technically sophisticated, but flexibility and camaraderie still allow them to develop powerful scams.

Security: Twitter, Updates, Microsoft Hole in Containers

Filed under
Security

Canonical to Send Notifications to Snap Developers for Ubuntu Security Updates

Filed under
Security
Ubuntu

If you're a Snap app developer, you'll be glad to know that Canonical will now send you alerts via email every time new Ubuntu Security Notices (USNs) are published that contain details about security fixes for the staged packages in your Snap. This works only if you use "stage-packages" in the Snap's snapcraft.yaml configuration file.

"Once a day, the service examines snaps that have manifest.yaml files for their currently published channels/tracks and checks whether USNs have been issued for the versions of the staged packages in the snap. If any snap revisions are affected, the tool will generate a report to send via email," said Canonical in a blog post.

Twitter Security Problem and Possible Breach

Filed under
Security
  • Twitter: No big deal, but everyone needs to change their password

    Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed.

    Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored scrambled by encryption, something had caused at least one log to record them in plaintext.

    [...]

    The timing of the disclosure is particularly bad for Twitter, as much of the internet is today observing World Password Day by raising awareness of good password management practices and safe storage.

    Certainly this was not the type of exposure Twitter was seeking, particularly as it tries to beef up its protection of user data in the wake of the Cambridge Analytica data-harvesting scandal.

  • Twitter says bug led to passwords stored in plaintext

    Twitter has advised its 330+ million users to change their passwords, following the discovery of a bug that stored passwords in plaintext.

  • Twitter Wants 336 Million Users To Change Passwords, Bug Exposed Them In Plain Text

    The microblogging site Twitter is advising its 336 million users to change their account passwords immediately. The reason, a bug in their system exposed the passwords in plain text.

    According to a blog post, the bug (now fixed) existed in the hashing process that is used to secure account passwords by turning them into random numbers and characters.

Security and Snaps

Filed under
Security
Ubuntu
  • Security updates for Thursday
  • Introducing developer notifications for snap security updates

    For some time, we’ve wanted a mechanism to alert snap publishers to security updates which affect their snaps. All the pieces have come together and we are now sending alerts via email. Stated more precisely, publishers who use ‘stage-packages’ in their snapcraft.yaml will now be alerted when Ubuntu Security Notices (USNs) have been issued for their staged packages. An example report looks like this:

  • Ubuntu Podcast from the UK LoCo: S11E09 – Nine Lives to Die - Ubuntu Podcast

    This week we made a snap of Linux Tycoon, one of us has been moonlighting on another podcast and went to UbuCon Europe 2018. We discuss the release of the AtariBox, the release of Rise of the Tomb Raider for Linux, Iran blocking Telegram and round up the community news.

Security: Schneider, Volkswagen, Audi, Drupalgeddon, Microsoft and DMCA

Filed under
Security

Security: Updates, Patches and Bitwarden

Filed under
Security
  • Security updates for Wednesday
  • CVE-2018-8781: 8-Year-Old Linux Kernel Bug Discovered
  • A critical security flaw in popular industrial software put power plants at risk

    A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure.

    Researchers at security firm Tenable found the flaw in the popular Schneider Electric software, used across the manufacturing and power industries, which if exploited could have allowed a skilled attacker to attack systems on the network.

    It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers.

    [...]

    He explained that the stack-based buffer overflow attack can be leveraged in several malicious ways. First, an attacker can use the vulnerability to trigger a denial-of-service event by crashing the software, locking out remote administrators from their central operations. The bug can also be used to gain a foothold further into the network -- as well as other industrial devices -- or even send instructions to some physical control systems in the plant or unit.

  • Bitwarden: The Secure, Open Source Password Manager You're Looking For

    I was recently looking to migrate my passwords to an open source, cross-platform password manager that syncs passwords but also allows accessing passwords offline, and I discovered Bitwarden, which is advertised as an "open source password management solution for individuals, teams, and business organizations".

    After using it for about a week, I can tell you that Bitwarden is probably the best open source alternative to LastPass. It comes with browser support, cloud password (as well as notes and credit card information) synchronization, 2FA, can be self hosted, it's cross-platform, and easy to use.

Security: The Internet Of Broken Things, Aadhaar, and Kali Linux Under Microsoft Back Doors

Filed under
Security
  • Princeton Project Aims To Secure The Internet Of Broken, Shitty Things

    Year after year, we're installing millions upon millions of "internet of things" devices on home and business networks that have only a fleeting regard for security or privacy. The width and depth of manufacturer incompetence on display can't be understated. Thermostats that prevent you from actually heating your home. Smart door locks that make you less secure. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death.

    The list goes on and on, and it grows exponentially by the week, especially as such devices are quickly compromised and integrated into massive new botnets.

  • Mozilla Statement on Recent Reports of Aadhaar Data Being Breached (again)

    Mozilla is deeply alarmed by recent reports that it is possible to purchase editing rights to the Aadhaar database for a mere 2,000 rupees.

    Mozilla has long argued that the Aadhaar lacks critical safeguards. With the demographic data reportedly compromised, it is hard to see how Aadhaar can be trusted for authentication. Access to myriad vital public and private services which require Aadhaar for more than a billion Indians is now at risk.

  • How to: Install Kali Linux on Windows 10
  • Kali Linux installation on Windows 10

Security: Updates, Reproducible Builds, FacexWorm and CCCongress

Filed under
Security

More in Tux Machines

Servers: Kubernetes, Oracle's Cloudwashing and Embrace of ARM

  • Bloomberg Eschews Vendors For Direct Kubernetes Involvement
    Rather than use a managed Kubernetes service or employ an outsourced provider, Bloomberg has chosen to invest in deep Kubernetes expertise and keep the skills in-house. Like many enterprise organizations, Bloomberg originally went looking for an off-the-shelf approach before settling on the decision to get involved more deeply with the open source project directly. "We started looking at Kubernetes a little over two years ago," said Steven Bower, Data and Infrastructure Lead at Bloomberg. ... "It's a great execution environment for data science," says Bower. "The real Aha! moment for us was when we realized that not only does it have all these great base primitives like pods and replica sets, but you can also define your own primitives and custom controllers that use them."
  • Oracle is changing how it reports cloud revenues, what's it hiding? [iophk: "probably Microsoft doing this too" (cloudwashing)]
    In short: Oracle no longer reports specific revenue for cloud PaaS, IaaS and SaaS, instead bundling them all into one reporting line which it calls 'cloud services and licence support'. This line pulled in 60% of total revenue for the quarter at $6.8 billion, up 8% year-on-year, for what it's worth.

  • Announcing the general availability of Oracle Linux 7 for ARM
    Oracle is pleased to announce the general availability of Oracle Linux 7 for the ARM architecture.
  • Oracle Linux 7 Now Ready For ARM Servers
    While Red Hat officially launched RHEL7 for ARM servers last November, on Friday Oracle finally announced the general availability of their RHEL7-derived Oracle Linux 7 for ARM. Oracle Linux 7 Update 5 is available for ARM 64-bit (ARMv8 / AArch64), including with their new Unbreakable Enterprise Kernel Release 5 based on Linux 4.14.

Graphics: XWayland, Ozone-GBM, Freedreno, X.Org, RadeonSI

  • The Latest Batch Of XWayland / EGLStream Improvements Merged
    While the initial EGLStreams-based support for using the NVIDIA proprietary driver with XWayland was merged for the recent X.Org Server 1.20 release, the next xorg-server release will feature more improvements.
  • Making Use Of Chrome's Ozone-GBM Intel Graphics Support On The Linux Desktop
    Intel open-source developer Joone Hur has provided a guide about using the Chrome OS graphics stack on Intel-based Linux desktop systems. In particular, using the Chrome OS graphics stack on the Linux desktop is primarily about using the Ozone-GBM back-end to Ozone that allows for direct interaction with Intel DRM/KMS support and evdev for input.
  • Freedreno Reaches OpenGL ES 3.1 Support, Not Far From OpenGL 3.3
    The Freedreno Gallium3D driver now supports all extensions required by OpenGL ES 3.1 and is also quite close to supporting desktop OpenGL 3.3.
  • X.Org Is Looking For A North American Host For XDC2019
    If software development isn't your forte but you are looking to help out a leading open-source project while logistics and hospitality are where you excel, the X.Org Foundation is soliciting bids for the XDC2019 conference. The X.Org Foundation is looking for proposals for where in North America the annual X.Org Developers' Conference should be hosted in 2019. This year it's being hosted in Spain and with the usual rotation it means that in 2019 they will jump back over the pond.
  • RadeonSI Compatibility Profile Is Close To OpenGL 4.4 Support
    It was just a few days ago that the OpenGL compatibility profile support in Mesa reached OpenGL 3.3 compliance for RadeonSI while now thanks to the latest batch of patches from one of the Valve Linux developers, it's soon going to hit OpenGL 4.4. Legendary open-source graphics driver contributor Timothy Arceri at Valve has posted 11 more patches for advancing RadeonSI's OpenGL compatibility profile support, the alternative context to the OpenGL core profile that allows mixing in deprecated OpenGL functionality. The GL compatibility profile mode is generally used by long-standing workstation software and also a small subset of Linux games.

Software, KDE and GNOME Leftovers

  • Drawing Feynman Diagrams for Fun and Profit with JaxoDraw
    When first developed, theoretical physics was mostly done either with pen and paper or on a chalkboard. Not much thought was given as to how you could render these drawings within a document being written on a computer. JaxoDraw is meant to help fill in that gap in document layout and provide the ability to render these drawings correctly and give output you can use in your own documents. JaxoDraw is written in Java, so it should run under almost any operating system. Unfortunately, it isn't likely to be in the package repository for most distributions, so you'll need to download it from the project's website. But, because it's packaged as a jar file, it's relatively easy to run.
  • Kodi v18 Leia - Alpha 2
    We have been relatively quiet for a while and several months have passed since the first pre-release Alpha build. Today we present you the second official Alpha build in this pre-release trilogy. It is a continuation of the first one, which was released at the beginning of March, and contains our continuous battle against the dark side that consists of bugs and usability problems.
  • Kodi 18 Alpha 2 Released With Stability & Usability Improvements + New Wayland Code
    It's been a few months since the Kodi 18 Alpha while available today is the second alpha release of this major update to the open-source, cross-platform HTPC software. Kodi developers have been spending the past few months working on a range of stability and usability enhancements to this software formerly known as XBMC. Kodi 18's latest additions include live TV viewing improvements, Windows support improvements, continued Android integration enhancements, re-introducing Wayland protocol support, video player enhancements, and more.
  • LibreOffice color selector as GTK widgets
    Here's what the native GTK widget mode for the color picker looks like at the moment under Wayland. A GtkMenuButton displaying a color preview of the currently selected color and a GtkPopover containing the color selection widgetry.
  • TenFourFox FPR8 available
    TenFourFox Feature Parity Release 8 final is now available (downloads, hashes, release notes). There are no changes from the beta except for outstanding security patches. As usual, it will go live Monday night, assuming no changes.
KDE:
  • Latte Dock, Beta 1 for v0.8 (v0.7.95)
    Hello everyone, Latte Dock v0.7.95, which is the first beta of v0.8, is here. Latte v0.8 is a huge release and one of its main goals is to make the user feel very natural and comfortable with it. [...] Important for contributors: Beta1 will last 10 days, during these days translators will be able to report string improvements at bugs.kde.org. English isn't my native language, (proof reading / simpler explanations) might be necessary. When Beta2 is released around 3 to 5 July the string freeze will take place. Beta2 period will last 10 more days. So v0.8 is scheduled for 13 to 15 July. During all these days improvements and fixes can be landed through the review process at kde phabricator.
  • Musing About Communities Size And Activity
    If you remember my previous installment, I raised a couple more questions which I pointed out as tougher to address and I'd keep on the side for a while. Well, I decided to look at something simpler in the meantime... which unexpectedly took more time than expected. First I thought I'd try to reproduce the cohesion graph from Paul's Akademy 2014 talk... but it looks like we have a reproducibility issue on that one. However hard I try I don't manage to reproduce it. What I get is very different, so either there's a bug in my tentative script or there was a bug in Paul's script or somehow the input data is different. So one more mystery to explore; I'm at a loss about what's going on with that one so far.
  • Second Post and First Weekly
    Because of the last one, I have been refactoring related code in the last month. The refactoring is generally completed, with KisDlgInternalColorSelector being the last dependency that hasn't been moved to enable KisPaletteView to be used everywhere needed.
GNOME:
  • Ubuntu Developers Working On Improvements To GNOME Software Store
    Canonical/Ubuntu developers are working on improvements to the GNOME Software "app store" and recently held an in-person design sprint along with one upstream GNOME developer for coming up with improvements. The Ubuntu developers working on improvements to GNOME Software were joined by prolific GNOME contributor Richard Hughes for brainstorming improvements to better GNOME Software over the months to come.
  • App Launching From GNOME Shell Now More Robust Under Memory Pressure & Faster
    Right now on systems with low amounts of available system memory, GNOME Shell can sometimes fail to launch applications due to an error over not being able to allocate memory in the fork process. With the latest rounds of Glib optimizations, this should no longer be the case.
  • GNOME Web Browser is Adding a Reader Mode
    An experimental reader mode will ship in the next version of GNOME Web, aka Epiphany. The feature is already available to try in the latest development builds of the GTK Webkit-based web browser, released this week as part of the GNOME 3.29.3 milestone.

today's howtos