Language Selection

English French German Italian Portuguese Spanish

Security: Telegram, Bounties and More

Filed under
Security
  • Telegram zero-day let hackers spread backdoor and cryptocurrency-mining malware

    A zero-day vulnerability in Telegram Messenger allowed attackers to spread a new form of malware with abilities ranging from creating a backdoor trojan to mining cryptocurrency.

    The attacks take advantage of a previously unknown vulnerability in the Telegram Desktop app for Windows and were spotted being used in the wild by Kaspersky Lab.

    Researchers believe the Russian cybercriminal group exploiting the zero-day were the only ones aware of the vulnerability and have been using it to distribute malware since March 2017 -- although it's unknown how long the vulnerability had existed before that date.

  • More Than 4,000 Government Websites Infected With Covert Cryptocurrency Miner

    The rise of cryptocurrency mining software like Coinhive has been a decidedly double-edged sword. While many websites have begun exploring cryptocurrency mining as a way to generate some additional revenue, several have run into problems if they fail to warn visitors that their CPU cycles are being co-opted in such a fashion. That has resulted in numerous websites like The Pirate Bay being forced to back away from the software after poor implementation (and zero transparency) resulted in frustrated users who say the software gobbled upwards of 85% of their available CPU processing power without their knowledge or consent.

    But websites that don't inform users this mining is happening are just one part of an emerging problem. Hackers have also taken to using malware to embed the mining software into websites whose owners aren't aware that their sites have been hijacked to make somebody else an extra buck. Politifact was one of several websites that recently had to admit its website was compromised with cryptocurrency-mining malware without their knowledge. Showtime was also forced to acknowledge (barely) that websites on two different Showtime domains had been compromised and infected with Coinhive-embedded malware.

  • Why Bug Bounties Matter

    Bugs exist in software. That's a fact, not a controversial statement. The challenge (and controversy) lies in how different organizations find the bugs in their software.

    One way for organizations to find bugs is with a bug bounty program. Bug bounties are not a panacea or cure-all for finding and eliminating software flaws, but they can play an important role.

  • Shell Scripting and Security

    The internet ain't what it used to be back in the old days. I remember being online back when it was known as ARPAnet actually—back when it was just universities and a handful of corporations interconnected. Bad guys sneaking onto your computer? We were living in blissful ignorance then.

    Today the online world is quite a bit different, and a quick glimpse at the news demonstrates that it's not just global, but that bad actors, as they say in security circles, are online and have access to your system too. The idea that any device that's online is vulnerable is more true now than at any previous time in computing history.

  • Security updates for Tuesday
  • Open Source Security Podcast: Episode 82 - RSA, TLS, Chrome HTTP, and PCI

More in Tux Machines

GNOME: NVMe Firmware and GSConnect

  • Richard Hughes: NVMe Firmware: I Need Your Data
    In a recent Google Plus post I asked what kind of hardware was most interesting to be focusing on next. UEFI updating is now working well with a large number of vendors, and the LVFS “onboarding” process is well established now. On that topic we’ll hopefully have some more announcements soon. Anyway, back to the topic in hand: The overwhelming result from the poll was that people wanted NVMe hardware supported, so that you can trivially update the firmware of your SSD. Firmware updates for SSDs are important, as most either address data consistency issues or provide nice performance fixes.
  • Gnome Shell Android Integration Extension GSConnect V12 Released
    GSConnect v12 was released yesterday with changes like more resilient sshfs connections (which should make browsing your Android device from the desktop more reliable), fixed extension icon alignment, along with other improvements. GSConnect is a Gnome Shell extension that integrates your Android device(s) with the desktop. The tool makes use of the KDE Connect protocol but without using any KDE dependencies, keeping your desktop clean of unwanted packages.
  • Linux Release Roundup: Communitheme, Cantata & VS Code
    GSconnect is a magical GNOME extension that lets your Android phone integrate with your Linux desktop. So good, in fact, that Ubuntu devs want to ship it as part of the upcoming Ubuntu 18.10 release (though last I heard it probably just end up in the repos instead). Anyway, a new version of GSconnect popped out this week. GSconnect v12 adds a nifty new features or two, as well as a few fixes here, and a few UI tweaks there.

Red Hat Leftovers

  • Red Hat Advances Container Storage
    Red Hat has moved to make storage a standard element of a container platform with the release of version 3.1 of Red Hat OpenShift Container Storage (OCS), previously known as Red Hat Container Native Storage. Irshad Raihan, senior manager for product marketing for Red Hat Storage, says Red Hat decided to rebrand its container storage offering to better reflect its tight integration with the Red Hat OpenShift platform. In addition, the term “container native” continues to lose relevance given all the different flavors of container storage that now exist, adds Raihan. The latest version of the container storage software from Red Hat adds arbiter volume support to enable high availability with efficient storage utilization and better performance, enhanced storage monitoring and configuration via the Red Hat implementation of the Prometheus container monitoring framework, and block-backed persistent volumes (PVs) that can be applied to both general application workloads and Red Hat OpenShift Container Platform (OCP) infrastructure workloads. Support for PVs is especially critical because to in the case of Red Hat OCS organizations can deploy more than 1,000 PVs per cluster, which helps to reduce cluster sprawl within the IT environment, says Raihan.
  • Is Red Hat Inc’s (NYSE:RHT) ROE Of 20.72% Sustainable?
  • FPgM report: 2018-33

OSS Leftovers

  • Infineon enables open source TSS ESAPI layer
    This is the first open source TPM middleware that complies with the Software Stack (TSS) Enhanced System API (ESAPI) specification of the Trusted Computing Group . “The ease of integration on Linux and other embedded platforms that comes with the release of the TPM 2.0 ESAPI stack speeds up the adoption of TPM 2.0 in embedded systems such as network equipment and industrial systems,” says Gordon Muehl, Global CTO Security at Huawei.
  • Open source RDBMS uses spurred by lower costs, cloud options
    As the volumes of data generated by organizations get larger and larger, data professionals face a dilemma: Must database bills get bigger in the process? And, increasingly, IT shops with an eye on costs are looking to open source RDBMS platforms as a potential alternative to proprietary relational database technologies.
  • Progress open sources ABL code in Spark Toolkit
    New England headquartered application development company Progress is flexing its programmer credentials this month. The Massachusetts-HQ’d firm has now come forward with its Progress Spark Toolkit… but what is it? The Progress Spark Toolkit is a set of open source ABL code combined with some recommended best-practices.
  • Mixing software development roles produces great results
    Most open source communities don’t have a lot of formal roles. There are certainly people who help with sysadmin tasks, testing, writing documentation, and translating or developing code. But people in open source communities typically move among different roles, often fulfilling several at once. In contrast, team members at most traditional companies have defined roles, working on documentation, support, QA, and in other areas. Why do open source communities take a shared-role approach, and more importantly, how does this way of collaborating affect products and customers? Nextcloud has adopted this community-style practice of mixing roles, and we see large benefits for our customers and our users.
  • FOSS Project Spotlight: SIT (Serverless Information Tracker)
    In the past decade or so, we've learned to equate the ability to collaborate with the need to be online. The advent of SaaS clearly marked the departure from a decentralized collaboration model to a heavily centralized one. While on the surface this is a very convenient delivery model, it simply doesn't fit a number of scenarios well. As somebody once said, "you can't FTP to Mars", but we don't need to go as far. There are plenty of use cases here on Earth that are less than perfectly suited for this "online world". Lower power chips and sensors, vessel/offshore collaboration, disaster recovery, remote areas, sporadically reshaping groups—all these make use of central online services a challenge. Another challenge with centralization is somewhat less thought of—building software that can handle a lot of concurrent users and that stores and processes a lot of information and never goes down is challenging and expensive, and we, as consumers, pay dearly for that effort. And not least important, software in the cloud removes our ability to adapt it perfectly for use cases beyond its owner's vision, scope and profitability considerations. Convenience isn't free, and this goes way beyond the price tag.
  • ProtonMail's open source encryption library, OpenPGPjs, passes independent audit
    ProtonMail, the secure email provider, has just had its credentials re-affirmed after its encryption library, OpenPGPjs, passed an independent security audit. The audit was carried out by the respected security firm, Cure53, after the developer community commissioned a review following the release of OpenPGPjs 3.0 back in March.
  • Uber Announces Open Source Fusion.js Framework
    Uber Announces Fusion.js, an open source "Plugin-based Universal Web Framework." In the announcement, Uber senior software engineer Leo Horie explains that Uber builds hundreds of web-based applications, and with web technologies changing quickly and best practices continually evolving, it is a challenge to have hundreds of web engineers leverage modern language features while staying current with the dynamic nature of the web platform. Fusion.js is Uber's solution to this problem.
  •  
  • ASAN And LSAN Work In rr
    AddressSanitizer has worked in rr for a while. I just found that LeakSanitizer wasn't working and landed a fix for that. This means you can record an ASAN build and if there's an ASAN error, or LSAN finds a leak, you can replay it in rr knowing the exact addresses of the data that leaked — along with the usual rr goodness of reverse execution, watchpoints, etc. Well, hopefully. Report an issue if you find more problems.
  • Oracle Open-Sources GraphPipe to Support ML Development
    Oracle on Wednesday announced that it has open-sourced GraphPipe to enhance machine learning applications. The project's goal is to improve deployment results for machine learning models, noted Project Leader Vish Abrams. That process includes creating an open standard. The company has a questionable relationship with open source developers, so its decision to open-source GraphPipe might not receive a flood of interest. Oracle hopes developers will rally behind the project to simplify and standardize the deployment of machine learning models. GraphPipe consists of a set of libraries and tools for following a deployment standard.
  • OERu makes a college education affordable
    Open, higher education courses are a boon to adults who don’t have the time, money, or confidence to enroll in traditional college courses but want to further their education for work or personal satisfaction. OERu is a great option for these learners. It allows people to take courses assembled by accredited colleges and universities for free, using open textbooks, and pay for assessment only when (and if) they want to apply for formal academic credit. I spoke with Dave Lane, open source technologist at the Open Education Resource Foundation, which is OERu’s parent organization, to learn more about the program. The OER Foundation is a nonprofit organization hosted by Otago Polytechnic in Dunedin, New Zealand. It partners with organizations around the globe to provide leadership, networking, and support to help advance open education principles.
  • Tomu Is A Tiny, Open Source Computer That Easily Fits In Your USB Port
    There are a number of USB stick computers available in the market at varying prices. One of them that really stands out is Tomu — a teeny weeny ARM processor that can entirely fit inside your computer’s USB port. Tomu is based on Silicon Labs Happy Gecko EFM32HG309 Arm Cortex-M0+ microcontroller that runs at 25 MHz. It sports 8 kb of RAM and 60 kb of flash onboard. In spite of the small size, it supports two LEDs and two capacitance touch buttons.
  • RcppArmadillo 0.9.100.5.0
    A new RcppArmadillo release 0.9.100.5.0, based on the new Armadillo release 9.100.5 from earlier today, is now on CRAN and in Debian. It once again follows our (and Conrad's) bi-monthly release schedule. Conrad started with a new 9.100.* series a few days ago. I ran reverse-depends checks and found an issue which he promptly addressed; CRAN found another which he also very promptly addressed. It remains a true pleasure to work with such experienced professionals as Conrad (with whom I finally had a beer around the recent useR! in his home town) and of course the CRAN team whose superb package repository truly is the bedrock of the R community.
  • PHP version 7.1.21 and 7.2.9
    RPM of PHP version 7.2.9 are available in remi repository for Fedora 28 and in remi-php72 repository for Fedora 25-27 and Enterprise Linux ≥ 6 (RHEL, CentOS). RPM of PHP version 7.1.21 are available in remi repository for Fedora 26-27 and in remi-php71 repository for Fedora 25 and Enterprise Linux (RHEL, CentOS).

GNU/Linux on Laptops and Desktops

  • Endless OS and Asus, Update on L1TF Exploit, Free Red Hat DevConf.US in Boston, Linux 4.19 Kernel Update
    Some of us may recall a time when ASUS used to ship a stripped down version of Xandros Linux with their line of Eee PC netbooks. Last week, the same company announced that Endless OS will be supporting non-OS offerings of their product. However it comes with a big disclaimer stating that ASUS will not officially support the operating system's compatibility issues.
  • The Chromebook Grows Up
    What started out as a project to provide a cheap, functional, secure and fast laptop experience has become so much more. Chromebooks in general have suffered from a lack of street-cred acceptance. Yes, they did a great job of doing the everyday basics—web browsing and...well, that was about it. Today, with the integration of Android apps, all new and recently built Chrome OS devices do much more offline—nearly as much as a conventional laptop or desktop, be it video editing, photo editing or a way to switch to a Linux desktop for developers or those who just like to do that sort of thing.
  • Windows 10 Linux Distribution Overload? We have just the thing [Ed: Microsoft is still striving to control and master GNU/Linux through malware, Vista 10]
  • What Dropbox dropping Linux support says
    You've probably already heard by now that Dropbox is nixing support for all Linux file systems but unencrypted ext4. When this was announced, much of the open source crowd was up in arms—and rightfully so. Dropbox has supported Linux for a long time, so this move came as a massive surprise.
  • Winds Beautifully Combines Feed Reader and Podcast Player in One Single App
    Billboard top 50 playlist is great for commuting. But I’m a nerd so I mostly prefer podcasts. Day after day, listening to podcasts on my phone has turned into a habit for the better and now, I crave my favorite podcasts even when I’m home, sitting in front of my computer. Thus began, my hunt for the perfect podcast app for Linux. Desktop Linux doesn’t have a huge selection of dedicated podcast applications. Of course, you can use Rhythmbox music player or VLC Media player to download podcasts (is there anything VLC can’t do?). There are even some great command line tools to download podcasts if you want to go down that road.
  • VirtualBox 5.2.18 Maintenance Update fixed VM process termination on RDP client disconnect
    Virtualbox developers released a maintenance update for virtualization solution on the 14th of August, 2018. The latest update raised the version of VirtualBox to 5.2.18. The improvements and additions have been welcomed by several users as it makes the virtualization product even more convenient to use.