Security

Microsoft Insecurity by Design

Filed under
Microsoft
Security
  • Move over, SolarWinds: 30,000 orgs’ email [cracked] via Microsoft Exchange Server flaws

    Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails [cracked], according to a report by KrebsOnSecurity. Wired is also reporting “tens of thousands of email servers” [cracked]. The exploits have been patched by Microsoft, but security experts talking to Krebs say that the detection and cleanup process will be a massive effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions, and other organizations that were affected.

  • Microsoft [crack]: White House warns of 'active threat' of email attack

    Microsoft executive Tom Burt revealed the breach in a blog post on Tuesday and announced updates to counter security flaws which he said had allowed [attackers] to gain access to Microsoft Exchange servers.

  • More than 20,000 U.S. organizations compromised through Microsoft flaw: source [iophk: Windows TCO]

    Because installing the patch does not get rid of the back doors, U.S. officials are racing to figure out how to notify all the victims and guide them in their hunt.

    All of those affected appear to run Web versions of email client Outlook and host them on their own machines, instead of relying on cloud providers. That may have spared many of the biggest companies and federal government agencies, the records suggest.

    The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.

  • Don't Breed Crows: How Big Techs Started Out As US Government Projects, And Today They Threaten Democracy

    There is an old Spanish saying that goes like this: "don't breed Crows, they'll sting your eyes," and this saying fits perfectly with the class of American tech companies, the so-called Big Techs.

    Yes, with a few exceptions, most Big Techs were born as projects of the US government, US Army, CIA or NSA. Or, they are entwined with the American government, in one way or another.

    I stress that everything that has been written in this text is not secret. It is available on several websites on the internet, and, there is nothing new here. Just search, and anyone will find this information.

    [...]

    Microsoft

    The company that was born in 1975 in Albuquerque, New Mexico, as a creator of BASIC interpreters for microcomputers, and then, through a series of misadventures, became the largest software company in existence, also has very deep ties to intelligence agencies.

    Microsoft has been working closely with U.S. intelligence services to allow users' communications to be intercepted, including helping the National Security Agency circumvent the company's own encryption, according to top-secret documents obtained and leaked by Edward Snowden in 2013. These documents show the complicity of several technology companies, in the so-called Prism project.

    [...]

    Now, I invite you to think a little. I've known Microsoft for many years, and this company amasses more flops than hits. Indeed, Microsoft, were it any other company, would have been bankrupt and closed for many years now. But no. It looks like they have a cash printer in Redmond, or does the American government not let the company break, so as not to lose its source of backdoors? Something to think about.

    Other than these companies, In-Q-Tel invests in other, little-known companies ranging from video games and virtual reality, to big data and data capture from social networks.

Security Incidents and Microsoft/Proprietary Role

Filed under
Security
  • Dutch research funder operations frozen for a month after [attack] [iophk: Windows TCO]

    The Netherlands Organisation for Scientific Research (NWO), which cannot pay a ransom to the attackers because it is a public body, was scrambling to restore its systems but said its activities would be on ice until at least 15 March.

  • More than 20,000 U.S. organizations compromised through Microsoft flaw: source [iophk: Windows TCO]

    More than 20,000 U.S. organizations have been compromised through a back door installed via recently patched flaws in Microsoft Corp’s email software, a person familiar with the U.S. government’s response said on Friday.

  • White House calls Microsoft email breach an 'active threat'

    Cybersecurity group FireEye said in blog post late Thursday night that [attackers] had been in at least one client’s system since January, and that they had gone after “US-based retailers, local governments, a university, and an engineering firm,” along with a Southeast Asian government and a Central Asian telecom group.

  • We can’t teach in a technological dystopia

    I want to argue here that universities are fostering abusive technologies that replace empowerment with enforcement. There are worries, and much evidence, that we are already giving away too much control to Big Tech companies, which not only have vast appetites for our data, but also harbour ambitions to usurp the role of universities. Google offers courses with certificates it considers equivalent to three-year bachelor’s degrees to people it is hiring, for instance. And US universities such as Duke partner with Google Cloud to deliver large parts of their curriculum as outsourced digital education.

    The problem is not that these services are poor substitutes for in-person education. On the contrary, they are very good at providing a narrow range of outcomes: namely, consistent, efficient training and testing. But that is not the same thing as education.

  • Coursera files for US IPO as edtech booms amid the pandemic

    Revenue rose 59% to $293.5 million for the year ended Dec. 31, 2020, the company said in a filing. Net loss widened to $66.8 million for the year ended Dec. 31, from a $46.7 million loss a year earlier.

Security: Patches, Reproducible Builds, Hijacking of Perl's Site

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).

  • Reproducible Builds: Reproducible Builds in February 2021

    Welcome to the report from the Reproducible Builds project for February 2021. In our monthly reports, we try to outline the most important things that have happened in the world of reproducible builds. If you are interested in contributing to the project, though, please visit our Contribute page on our website.

    [...]

    A few days earlier, Eric Brewer, Rob Pike, Abhishek Arya, Anne Bertucio and Kim Lewandowski wrote a post on the Google Security Blog proposing an industry-wide framework they call “Know, Prevent, Fix” which aims to improve how the industry might think about vulnerabilities in open source software, including “Consensus on metadata and identity standards” and — more relevant to the Reproducible Builds project — “Increased transparency and review for critical software”...

  • The Hijacking of Perl.com

    For a week we lost control of the Perl.com domain. Now that the incident has died down, we can explain some of what happened and how we handled it. This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers.

    First, this wasn’t an issue of not renewing the domain. That would have been a better situation for us because there’s a grace period.

    Second, to be very clear, I’m just an editor for the website that uses the Perl.com domain. This means that I’m not actually the “injured party” in legal terms. Tom Christiansen is the domain registrant, and should legal matters progress, there’s no reason for me, nor anyone else, to know all of the details. However, I’ve talked to many of the people involved in the process.

Qubes OS 4.0.4 has been released!

Filed under
OS
Security

We’re pleased to announce the release of Qubes OS 4.0.4! This is the fourth stable release of Qubes 4.0.


Also: XSAs released on 2021-03-04

Proprietary Software and Security Issues: Microsoft Serving Malware, Ransomware, and FUD

Filed under
Microsoft
Security
  • Development on Windows is Painful

    Overall, I think I can at least tolerate this development experience. It's not really the most ideal setup, but it does work and I can get things done with it. It makes me miss NixOS though. NixOS really does ruin your expectations of what a desktop operating system should be. It leaves you with kind of impossible standards, and it can be a bit hard to unlearn them.

    A lot of the software I use is closed source proprietary software. I've tried to fight that battle before. I've given up. When it works, Linux on the desktop is a fantastic experience. Everything works together there. The system is a lot more cohesive compared to the "download random programs and hope for the best" strategy that you end up taking with Windows systems. It's hard to do the "download random programs and hope for the best" strategy with Linux on the desktop because there really isn't one Linux platform to target. There's 20 or something. This is an advantage sometimes, but is a huge pain other times.

    The conclusion here is that there is no conclusion.

  • Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

    Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.

    The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

    Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies.

  • Ryuk ransomware develops worm-like capabilities, France warns

    A new sample of Ryuk ransomware appears to have worm-like capabilities, according to an analysis from the French National Agency for the Security of Information Systems (ANSSI), France’s national cybersecurity agency.

  • FireEye finds evidence Chinese [crackers] exploited Microsoft email app flaw since January [iophk: Windows TCO]

    Cybersecurity group FireEye on Thursday night announced it had found evidence that [crackers] had exploited a flaw in a popular Microsoft email application since as early as January to target groups across a variety of sectors.

    [...]

    Since then, FireEye found evidence that the hackers had gone after an array of victims, including “US-based retailers, local governments, a university, and an engineering firm,” along with a Southeast Asian government and a Central Asian telecom.

  • Does Linux Need Antivirus? [Ed: Avast: Let's badmouth GNU/Linux to make proprietary software sales, with back doors in them, based on the supposition that crap on top of poor practices will somehow yield better results]

Veracrypt – An Open Source Cross-Platform Disk Encryption Tool

Filed under
GNU
Linux
Security

Filesystem/Volume encryption has become paramount to the masses in the IT industry due to the varying advantages it presents including protection of sensitive data, military-grade encryption standards, password keys to prevent unwanted access, and an encrypted file/drive only the encryption software can access among others.

Veracrypt is a cross-platform and open-source on-the-fly encryption tool that was originally based on Truecrypt’s 7.1a codebase back in June 2013 but has since then matured greatly to become a singular encryption solution that is now dissimilar and incompatible with volumes encrypted with Truecrypt.

Veracrypt is essentially your go-to option for an encryption tool if you’re looking to replace Truecrypt.


Proprietary Software and (In)Security

Filed under
Security
  • Big Tech firms see tax windfall after Supreme Court ruling on Microsoft

    The Supreme Court ruling said, “The amounts paid by resident Indian end-users/distributors to non-resident computer software manufacturers/suppliers, as consideration for the resale/use of the computer software through EULAs (end user license agreement)/distribution agreements, is not the payment of royalty for the use of copyright in the computer software, and that the same does not give rise to any income taxable in India.”

    This would mean companies need not deduct tax at source as per the Income Tax Act, the court ruled, before adding that this would cover the different models used by companies to operate in India.

  • Post-Cyberattack, Universal Health Services Faces $67M in Losses [iophk: Windows TCO]

    While UHS didn’t mention what kind of attack it suffered, reports pointed to the Ryuk ransomware as the culprit. However, there was no mention of ransomware – or losses incurred from a paid ransom – in the earnings report.

  • Ryuk Ransomware: Now with Worming Self-Propagation

    The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they’re found.

    “Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned: 10.0.0.0/8; 172.16.0.0/16; and 192.168.0.0/16,” according to a recent ANSSI report. “Once launched, it will thus spread itself on every reachable machine on which Windows Remote Procedure Call accesses are possible.”

  • Leveraging digital certificates to protect commercial 5G mobile networks

    Unlike most other communications networks, mobile systems provide no method to verify cryptographically the identity of the other end in the communication. As a result, every single consumer electronic device with a cellular modem communicates with any base station that advertises broadcast messages claiming to be a valid operator, regardless of whether that is true or not. To put this into perspective, cellular networks at layer 2 behave as if your laptop’s browser always accepted self-signed certificates by default, without prompting the user for input on whether to do so in the first place.

    This security challenge is inherent to mobile communications networks and impacts all wireless protocols and generations of cellular networks. Even newer 5G networks fail to prevent mobile devices from inadvertently camping on a malicious base station. This latest protocol provides no means to verify cryptographically the identity of base stations and networks to which a mobile device connects.

    This implies that IMSI catching is still possible in 5G, and indeed, it is. The message “Hey, I am your operator and I forgot your TMSI. Please send me your IMSI” still lacks authentication and integrity protection in 5G. The only difference from LTE is that the concept of IMSI is replaced by the SUPI in 5G, and in place of TMSI, one would be referring to the GUTI.

  • Red Hat Enterprise Linux 8.1 achieves Common Criteria Certification

    Red Hat announced further strengthening of Red Hat Enterprise Linux as a platform of choice for users requiring more secure computing, with Red Hat Enterprise Linux 8.1 achieving Common Criteria Certification.

    The first major security certification for Red Hat Enterprise Linux 8, this validation emphasizes Red Hat’s commitment to supporting customers that use the world’s leading enterprise Linux platform for critical workloads in classified and sensitive deployments.

    For Common Criteria, Red Hat Enterprise Linux 8.1 was certified by the National Information Assurance Partnership (NIAP), with testing and validation completed by Acumen Security, a U.S. government-accredited laboratory.

  • Unpatched Bug in WiFi Mouse App Opens PCs to Attack

    Wireless mouse-utility lacks proper authentication and opens Windows systems to attack.

    The mobile application called WiFi Mouse, which allows users to control mouse movements on a PC or Mac with a smartphone or tablet, has an unpatched bug allowing adversaries to hijack desktop computers, according to researcher Christopher Le Roux who found the flaw.

    Impacted is the Android app’s accompanying WiFi Mouse “server software” that needs to be installed on a Windows system and allows the mobile app to control a desktop’s mouse movements. The flaw allows an adversary, sharing the same Wi-Fi network, to gain full access to the Windows PC via a communications port opened by the software.

    WiFi Mouse, published by Necta, is available on Google Play and via Apple’s App Store marketplace under the publisher name Shimeng Wang. The only version tested by Le Roux was the Windows 1.7.8.5 version of WiFi Mouse software running on a Windows (Enterprise Build 17763) system.

Patches for Multiple New GRUB2 Security Flaws Start Rolling Out to Linux Distros, Update Now

Filed under
Security

Remember last year’s BootHole security vulnerabilities? Well, it looks like no less than eight (8) new security flaws were discovered in the GRUB2 bootloader allowing attackers to bypass UEFI Secure Boot, and it affects almost all GNU/Linux distributions using GRUB2 versions prior to 2.06.

These include CVE-2020-14372, which allows a privileged user to load crafted ACPI tables when Secure Boot is enabled, and CVE-2021-20233, which lets an attacker with local root privileges drop a small SSDT in /boot/efi and modify grub.cfg to instruct the GRUB bootloader to load said SSDT and overwrite the kernel lockdown configuration, thus enabling the attacker to load unsigned kernel modules and kexec unsigned code.


Security Patches and Bugs

Filed under
Security
  • Security updates for Wednesday [LWN.net]

    Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).

  • Now-fixed Linux kernel vulnerabilities enabled local privilege escalation (CVE-2021-26708)

    The vulnerabilities could be exploited for local privilege escalation, as confirmed in experiments on Fedora 33 Server. The vulnerabilities, known together as CVE-2021-26708, have received a CVSS v3 base score of 7.0 (high severity).

    These vulnerabilities result from race conditions that were implicitly added with virtual socket multi-transport support. They appeared in Linux kernel version 5.5 in November 2019. The vulnerable kernel drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when an AF_VSOCK socket is created. This ability is available to unprivileged users.

  • Researchers discover and patch Linux kernel vulnerabilities | 2021-03-03

Microsoft Security Issues and Blame-Shifting

Filed under
Microsoft
Security

More in Tux Machines

Audiocasts/Shows: Open Source Security Podcast, Linux Action News, and SMLR

Review: Artix Linux in 2021

Artix Linux is a fork (or continuation as an autonomous project) of the Arch-OpenRC and Manjaro-OpenRC projects. Artix Linux offers a lightweight, rolling-release operating system featuring alternative init software options, including OpenRC, runit, and s6. The distribution is available in many editions, including Base, Cinnamon, LXDE, LXQt, MATE, KDE Plasma and Xfce. With all of the desktop options, combined with the available init choices, there are 21 editions, not including community spins from which to choose. All editions appear to be built for 64-bit (x86_64) machines.

Picking randomly, I selected Artix's Plasma edition featuring the runit init software. The download for this edition is 1.3GB. Browsing the other editions it looks like most flavours are about 1.1GB to 1.3GB in size, though the minimal Base edition is a compact 618MB.

The project's live media boots to the KDE Plasma desktop. On the desktop we find multiple documentation and README icons. There is also an icon for launching the system installer. The default layout places a panel at bottom of the screen where we can find the application menu and system tray. The default wallpaper is a soft blue while the theme for windows and menus is dark with high contrast fonts.

[...]

Artix Linux is one of those distributions I really enjoy using and yet struggle to review in a meaningful way because it doesn't really go out of its way to introduce new or exciting features and everything works smoothly. The distribution is wonderfully easy to install, offers top-notch performance, and is unusually light on resources. Artix is somewhat minimal, but still ships enough software to be immediately useful right out of the gate. We can browse the web, install packages, view files, and play videos. Meanwhile the application menu isn't cluttered with a lot of extras.

The developers clearly expect us to install the functionality we need, while doing a really good job of providing enough for the desktop environment to feel base-line useful right from the start. Artix does a nice job of balancing performance and functionality while also juggling ease of use against not getting in the way. There is a little documentation, but no initial welcome screen or configuration wizards that might distract the user. The one piece I felt was missing was a graphical package manager which would have made it easier to build the extra functionality I wanted on top of the base distribution. However, that one piece aside, I felt as though Artix was really well designed and put together, at least for someone like me.

It's not a distribution geared toward beginners, it's not a "first distro". It is a bit minimal and requires command line knowledge. However, for someone with a little experience with Linux, for someone who doesn't mind the occasional trip to the command line or installing new applications as needed, then Artix provides an excellent experience. It's fast, light, looks (in my opinion) great with the default theme, and elegantly walks the line between minimalism and having enough applications ready to go out of the box to be immediately useful. I'm unusually impressed with how smooth and trouble-free my experience was with this distribution and the fact it offers such a range of desktop and init diversity is all the more appealing.

Alpine Linux Review: Ultimate Distro for Power Users

Alpine Linux is gathering a lot of attention because of its super-small size and focus on security. However, Alpine is different from some of the other lightweight distros we covered on FOSSLinux. It isn’t your typical desktop distribution as it is terminal-based like Arch and is marketed as a “general purpose distro.” It is currently widely adopted as a Docker container thanks to its ultra-small footprint. However, it can be used for all sorts of Linux deployments that benefit from small, resource-efficient Linux distros.

Now, that statement might feel too generic. But don’t worry, as we have put together an in-depth and comprehensive review of Alpine Linux, giving you a detailed look at what it has under the hood and how to use it. As such, by the end, you should have a clear understanding of whether you should consider Alpine Linux as your next Linux distro. So without further ado, let’s dive in.

Programming Leftovers

  • How to manipulate strings in bash

    Without explicit support for variable types, all bash variables are by default treated as character strings. Therefore more often than not, you need to manipulate string variables in various fashions while working on your bash script. Unless you are well-versed in this department, you may end up constantly coming back to Google and searching for tips and examples to handle your specific use case. In the spirit of saving your time and thus boosting your productivity in shell scripting, I compile in this tutorial a comprehensive list of useful string manipulation tips for bash scripting. Where possible I will try to use bash's built-in mechanisms (e.g., parameter expansion) to manipulate strings instead of invoking external tools such as awk, sed or grep. If you find any missing tips, feel free to suggest them in the comments. I will be happy to incorporate them in the article.

  • Python Generators

    Python generators are very powerful for handling operations which require large amount of memory.

  • We got lucky

    If you’re having enough production incidents to be able to evaluate your preparation, you’re probably either unlucky or unprepared ;) If you have infrequent incidents you may be well prepared but it’s hard to tell. Chaos engineering experiments are a great way to test your preparation, and practice incident response in a less stressful context. It may seem like a huge leap from your current level of preparation to running automated chaos monkeys in production, but you don’t need to go straight there. Why not start with practice drills? You could have a game host who comes up with a failure scenario. You can work up to chaos in production.

  • React Testing Library – Tutorial with JavaScript Code Examples

    This post will help you to learn what React Testing Library is, and how you can use it to test your React application. This tutorial will assume you already know some basic JavaScript and understand the basics of how React works. React Testing Library is a testing utility tool that's built to test the actual DOM tree rendered by React on the browser. The goal of the library is to help you write tests that resemble how a user would use your application, so that you'll have more confidence that your application works as intended when a real user does use it.

  • Why I Moved From Ops to DevOps (and why you might want to)