Security Leftovers

Filed under
Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time — which means that writing every single line of code from the ground up is often not a sustainable practice. As the NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.
