Security: Class Action Lawsuit Against Microsoft, New Patches, KDE FUD/Hype, Local Password Managers Assessed

  • Class Action Lawsuit Hopes To Hold GitHub Responsible For Hosting Data From Capital One Breach

    Weird legal theory, but one that could possibly be stretched to target some of the $7.5 billion Microsoft paid to acquire GitHub. But it takes a lot of novel legal arguments to hold a third party responsible for content posted by a user, even if the content contained a ton of sensitive personal info.

    The lawsuit [PDF] alleges GitHub knew about the contents of this posting since the middle of April, but did not remove it until the middle of July after being notified of its contents by another GitHub user. The theory the law firm is pushing is that GitHub was obligated to scan uploads for "sensitive info" and proactively remove third-party content. The lawsuit argues GitHub is more obligated than most because (gasp!) it encourages hacking and hackers.

  • Security updates for Monday

    Security updates have been issued by Debian (fusiondirectory, gosa, kconfig, kernel, pango1.0, and python-django), Fedora (aubio, icedtea-web, java-1.8.0-openjdk, kernel, kernel-headers, kernel-tools, libslirp, openqa, os-autoinst, and upx), Gentoo (JasPer, libvncserver, and redis), Mageia (cyrus-imapd and php), Oracle (kernel), Red Hat (chromium-browser, cockpit-ovirt, Red Hat Virtualization, and rhvm-appliance), SUSE (ImageMagick, libvirt, python, and wireshark), and Ubuntu (poppler).

  • KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files [Ed: Hacker News misleading. You actually do need to open a malicious file from an untrusted source. This is similar to the macros issue and to a lesser degree JavaScript.]

    If you are running a KDE desktop environment on your Linux operating system, you need to be extra careful and avoid downloading any ".desktop" or ".directory" file for a while.

    A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user's computer—without even requiring the victim to actually open it.

  • Recognizing basic security flaws in local password managers

    If you want to use a password manager (as you probably should), there are literally hundreds of them to choose from. And there are lots of reviews, weighing in features, usability and all other relevant factors to help you make an informed decision. Actually, almost all of them, with one factor suspiciously absent: security. How do you know whether you can trust the application with data as sensitive as your passwords?

    Unfortunately, it’s really hard to see security or lack thereof. In fact, even tech publications struggle with this. They will talk about two-factor authentication support, even when discussing a local password manager where it is of very limited use. Or worse yet, they will fire up a debugger to check whether they can see any passwords in memory, completely disregarding the fact that somebody with debug rights can also install a simple key logger (meaning: game over for any password manager).

    Judging security of a password manager is a very complex task, something that only experts in the field are capable of. The trouble: these experts usually work for competing products and badmouthing competition would make a bad impression. Luckily, this still leaves me. Actually, I’m not quite an expert, I merely know more than most. And I also work on competition, a password manager called PfP: Pain-free Passwords which I develop as a hobby. But today we’ll just ignore this.

    So I want to go with you through some basic flaws which you might encounter in a local password manager. That’s a password manager where all data is stored on your computer rather than being uploaded to some server, a rather convenient feature if you want to take a quick look. Some technical understanding is required, but hopefully you will be able to apply the tricks shown here, particularly if you plan to write about a password manager.

More in Tux Machines

Open Source platforms to now help students

The technical institutes in the State are now asked to use free and open-source software developed by a team, headed by the Ministry of Human Resource Development (MHRD). The MHRD has also promoted their FOSSEE (Free and Open Source Software for Education) projects which uses tools so that students can easily use them. Recently, the MHRD made a decision that FOSSEE should be promoted amongst the student community so they can aim at reducing dependency on proprietary software in educational institutions. The MHRD Minister Ramesh Pokhriyal Nishank too took to Twitter urging students to use FLOSS tools in various languages to meet academic and research requirements.

today's howtos

  • A guided tour of Linux file system types

    While it may not be obvious to the casual user, Linux file systems have evolved significantly over the last decade or so to make them more resistant to corruption and performance problems. Most Linux systems today use a file system type called ext4. The “ext” part stands for “extended” and the 4 indicates that this is the 4th generation of this file system type. Features added over time include the ability to provide increasingly larger file systems (currently as large as 1,000,000 TiB) and much larger files (up to 16 TiB), more resistance to system crashes and less fragmentation (scattering single files as chunks in multiple locations) which improves performance.

  • Testing the Linux Malware Detect.
  • Kushal Das: Remember to mark drive as removable for tails vm install

    If you are installing Tails into a VM for testing or anything else, always remember to mark the drive as a removable USB drive. Otherwise, the installation step will finish properly, but, you will get errors like the following screenshot while booting from the drive.

  • How to Set DNS Nameservers on Ubuntu 18.04

Security Leftovers

  • NSA Researchers Talk Development, Release of Ghidra SRE Tool

    The National Security Agency released its classified Ghidra software reverse-engineering (SRE) tool as open source to the cybersecurity community on April 4. NSA researchers Brian Knighton and Chris Delikat shared how Ghidra was built and the process of releasing it at Black Hat 2019. Ghidra is a framework developed by the NSA’s Research Directorate for the agency’s cybersecurity mission. It’s designed to analyze malicious code to give security pros a better understanding of potential vulnerabilities in their networks and systems.

  • Linux Is Being Hit with Zero-Day Exploits/ Zero-Day Attacks [Ed: This is not news. If you have a system that is unpatched for months, despite many warnings, it is a risk, no matter the OS/kernel.]

    It was once the popular opinion that Linux was immune to zero-day exploits. However, even before the Equifax exploit, vulnerabilities were found in Linux distributions like Fedora and Ubuntu. In particular, back in 2016, a security researcher discovered that you could exploit a Linux system by playing a specific music file. Then, in 2017, a group of attackers used Struckshock vulnerability to carry on the attack on Equifax. These zero-day attacks are Advanced Persistent Attacks that exploit recently discovered vulnerabilities. Read on to learn more about what are zero-day exploits and how they can affect a Linux system.

  • Intel, Google, Microsoft, and others launch Confidential Computing Consortium for data security

    Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use. Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data. “Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data,” the Linux Foundation said today in a joint statement. “Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users.”

Linux-driven modules to showcase new MediaTek AIoT SoCs

Innocomm is prepping an “SB30 SoM” with the new quad -A35 MediaTek i300 followed by an “SB50 SoM” with an AI-equipped, octa-core -A73 and -A53 MediaTek i500. Both modules ship with Linux/Android evaluation kits. Innocomm, which has produced NXP-based compute modules such as the i.MX8M Mini driven WB15 and i.MX8M powered WB10, will soon try on some MediaTek SoCs for size. First up is an SB30 SoM due to launch in October that will run Linux or Android on MediaTek’s 1.5GHz, quad-core, Cortex-A35 based MediaTek i300 (MT8362) SoC. In November, the company plans to introduce an SB50 SoM based on the MediaTek i500 (MT8385).