Proprietary Software and Security Failures

Filed under
Security
  • Apple has pushed a silent Mac update to remove hidden Zoom web server

    Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

    The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

  • Microsoft denies it will move production out of China

    Nikkei had also previously reported in June that Apple is similarly considering moving between 15% and 30% of all iPhone production out of China and has asked its major suppliers to weigh up the costs.

  • Microsoft's reseller chief explains why it's angering some of its partners by taking away a key perk: 'We can't afford to run every single partner's organization for free anymore'

    Gavriella Schuster, corporate vice president and One Commercial Partner channel chief at Microsoft, says that while it cost the company practically nothing to provide partners with traditional software, it would be a significant expense for the company to provide cloud services like Office 365 for free.

  • KRP: At least 1,000 devices compromised in data breach in Lahti

    KRP on Tuesday revealed that its pre-trial investigation shows that the unauthorised access detected in the city’s data systems earlier this summer was an organised attack rather than an error by an individual user.

    The attacker or attackers managed to cause damage by actively spreading malware, compromising at least a thousand devices.

  • GnuPG 2.2.17 released to mitigate attacks on keyservers

    gpg: Ignore all key-signatures received from keyservers. This change is required to mitigate a DoS due to keys flooded with faked key-signatures. The old behaviour can be achieved by adding keyserver-options no-self-sigs-only,no-import-clean to your gpg.conf. [#4607]

  • Security updates for Thursday

    Security updates have been issued by Debian (dosbox and openjpeg2), Oracle (dbus and kernel), Scientific Linux (dbus), Slackware (mozilla), and SUSE (fence-agents, libqb, postgresql10, and sqlite3).

  • What Is Zero Trust Architecture?

    Zero Trust architecture might be popular now, but that doesn’t necessarily mean it’s for you. If you find your needs are met by your current security, you may not want to switch. That said, keep in mind that waiting until you have a security breach isn’t an ideal way to evaluate your security.

  • OpenPGP certificate flooding

    A problem with the way that OpenPGP public-key certificates are handled by key servers and applications is wreaking some havoc, but not just for those who own the certificates (and keys)—anyone who has those keys on their keyring and does regular updates will be affected. It is effectively a denial of service attack, but one that propagates differently than most others. The mechanism of this "certificate flooding" is one that is normally used to add attestations to the key owner's identity (also known as "signing the key"), but because of the way most key servers work, it can be used to fill a certificate with "spam"—with far-reaching effects.

    The problems have been known for many years, but they were graphically illustrated by attacks on the keys of two well-known members of the OpenPGP community, Daniel Kahn Gillmor ("dkg") and Robert J. Hansen ("rjh"), in late June. Gillmor first reported the attack on his blog. It turned out that someone had added multiple bogus certifications (or attestations) to his public key in the SKS key server pool; an additional 55,000 certifications were added, bloating his key to 17MB in size. Hansen's key got spammed even worse, with nearly 150,000 certifications—the maximum number that the OpenPGP protocol will support.

    The idea behind these certifications is to support the "web of trust". If user Alice believes that a particular key for user Bob is valid (because, for example, they sat down over beers and verified that), Alice can so attest by adding a certification to Bob's key. Now if other users who trust Alice come across Bob's key, they can be reasonably sure that the key is Bob's because Alice (cryptographically) said so. That is the essence of the web of trust, though in practice, it is often not really used to do that kind of verification outside of highly technical communities. In addition, anyone can add a certification, whether they know the identity of the key holder or not.

  • FinSpy Malware ‘Returns’ To Steal Data On Both Android And iOS

    As per the researchers, the spyware was again active in 2018 and the latest activity was spotted in Myanmar in June 2019. These implants are capable of collecting personal information such as SMS, Emails, Calendars, Device Locations, Multimedia and even messages from some popular social media apps.

    If you are an iOS user, then the implant is only observed to work on jailbroken devices. If an iOS device is already jailbroken then this spyware can be remotely installed via different mediums like messaging, email, etc. However, the implants have not been observed on the latest version of iOS.

  • New FinSpy iOS and Android implants revealed ITW

    FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International, Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms. Its implants for desktop devices were first described in 2011 by Wikileaks, and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.

More in Tux Machines

4MLinux 30.1 released.

This is a minor (point) release in the 4MLinux STABLE channel, which comes with the Linux kernel 4.19.69. The 4MLinux Server now includes Apache 2.4.41, MariaDB 10.4.7, and PHP 7.3.9 (see this post for more details). You can update your 4MLinux by executing the "zk update" command in your terminal (fully automatic process).

today's howtos

Disney+ streaming uses draconian DRM, avoid

First of all, as always, my opinions are my own, not those of my employer. Since I have 2 children I was happy to learn that the Netherlands would be one of the first countries to get Disney+ streaming. So I subscribed for the testing period; problem: all devices in my home run Fedora. I started up Firefox and was greeted with an "Error Code 83"; next I tried Chrome, same thing. So I mailed the Disney helpdesk about this, explaining how Linux works fine with Netflix, AmazonPrime video and even the web-app from my local cable provider. They promised to get back to me in 24 hours; they eventually got back to me in about a week. They wrote: "We are familiar with Error 83. This often happens if you want to play Disney + via the web browser or certain devices. Our IT department is working hard to solve this. In the meantime, I want to advise you to watch Disney + via the app on a phone or tablet. If this error code still occurs in a few days, you can check the help center ..." This was on September 23rd.

Red Hat and IBM Leftovers

  • Why Red Hat supports standards and open source

    Red Hat may be synonymous with open source and the developer community, but the company also actively participates in industry standards processes. For example, it is working closely with the operator-led Common NFVi Telco Taskforce (CNTT), which was initiated in the LFN open source community but has now been embraced by the GSMA, as an attempt to harmonise the many varied NFV infrastructure solutions and architectures. Furthermore, Red Hat supports the move for greater alignment in the NFV software platform domain.

  • Overview of Node-RED 1.0 Release

    Low-code, visual-based programming environments are opening doors for new types of application developers. At the same time, new event-driven architectures are making such environments more responsive. Node-RED, a visual flow-based programming tool, is one such environment attuned to these new development styles. After years of refinement, the open source Node-RED recently hit maturity with a 1.0 release. I chatted with Nicholas O’Leary of IBM, who has pioneered the development of Node-RED. In this article, we’ll discover what this new release encompasses. We’ll also peek into the history of Node-RED, look into some fascinating IoT use cases and estimate the future Node-RED roadmap.

  • Girls Who Code wins IBM's first $50K Open Source Community Grant

    Girls Who Code was the winner of the first $50,000 IBM Open Source Community Grant. Girls Who Code is a nonprofit organization working to increase the number of women working in computer science. Girls Who Code helps girls learn more about computer science through after-school classes and summer courses. Along with the advancement of IT knowledge, women also gain confidence in their capabilities.

  • IBM launches grant to promote diversity in the open source community

    Announced at this week's All Things Open conference in Raleigh, NC, the grant -- which will be awarded quarterly -- will see the winner receive $25k in cash and $25k in Cloud Credits in order to support their efforts dedicated to education and skill building for women, minorities, and/or under-served communities. The inaugural grant is going to Girls Who Code, a non-profit organization working to increase the number of women working in computer science. [...] Other finalists in this quarter's grant competition were Outreachy (Organized by the Software Freedom Conservancy), which sets up three-month paid internships on open source projects for people who ordinarily might not have those opportunities. And PyLadies, an international mentorship group of the Python Software Foundation, helping women become active in the Python open-source community.

  • Ex-IBM Director Joins Open-Source Blockchain Platform

    Jennifer Trelewicz, the former Director of the Systems & Technology Laboratory at IBM, has just joined the open-source and fully decentralised blockchain software, Credits. According to AMB Crypto, Trelewicz has taken the post of Chief Business Officer, under which she is responsible for the external business sector of the firm.

  • IBM Group Sales Down Again But Cloud And Open Source Business Is Positive

    Third quarter results at IBM showed group sales were down 3.9% to $18bn, although revenue from the acquired Red Hat was up a handy 20%. That group drop, though, masked progress being seen in the cloud, with Cloud & Cognitive Software up 7.8% to $5.3bn. This part of the business includes cloud and data platforms that include Red Hat offerings, cognitive applications and transaction processing platforms. The Global Technology Services segment – which includes infrastructure and cloud services and technology support services – was down 4.1% to $6.7bn. And Global Business Services, which includes consulting, application management and global process services, was up 2.2% to $4.1bn – with consulting actually up 5% when broken down.

  • IBM Poised for Another Sales Slide Despite Red Hat Deal: What to Watch

    International Business Machines Corp. is expected to report third-quarter earnings after the market closes Wednesday. The results, which follow a string of quarterly revenue declines, will be the company’s first since it closed its $34 billion purchase of open-source software giant Red Hat. Here’s what to look for: