Security

Security: WireGuard, SafeBreach and More

Filed under
Security
  • WireGuard Snapshot `0.0.20191012` Available
    
    Hello,
    
    A new snapshot, `0.0.20191012`, has been tagged in the git repository.
    
    Please note that this snapshot is a snapshot rather than a final
    release that is considered secure and bug-free. WireGuard is generally
    thought to be fairly stable, and most likely will not crash your
    computer (though it may).  However, as this is a snapshot, it comes
    with no guarantees; it is not applicable for CVEs.
    
    With all that said, if you'd like to test this snapshot out, there are a
    few relevant changes.
    
    == Changes ==
    
      * qemu: bump default version
      * netns: add test for failing 5.3 FIB changes
      
      Kernels 5.3.0 - 5.3.3 crash (and are probably exploitable) via this one liner:
      
      unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'
      
      We fixed this upstream here:
      
      https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=ca7a03c4175366a92cee0ccc4fec0038c3266e26
      
      This is relevant to WireGuard because a very similar sequence of commands is
      used by wg-quick(8).
      
      So, we've now added some tests to catch this code path in the future. While
      the bug here was a random old use-after-free, the test checks the general
      policy routing setup used by wg-quick(8), so that we make sure this continues
      to work with future kernels.
      
      * noise: recompare stamps after taking write lock
      
      We now recompare counters while holding a write lock.
      
      * netlink: allow preventing creation of new peers when updating
      
      This is a small enhancement for wg-dynamic, so that we can update peers
      without readding them if they've already been removed.
      
      * wg-quick: android: use Binder for setting DNS on Android 10
      
      wg-quick(8) for Android now supports Android 10 (Q). We'll be releasing a new
      version of the app for this later today.
    
    This snapshot contains commits from: Jason A. Donenfeld and Nicolas Douma.
    
    As always, the source is available at https://git.zx2c4.com/WireGuard/ and
    information about the project is available at https://www.wireguard.com/ .
    
    This snapshot is available in compressed tarball form here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.xz
      SHA2-256: 93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e
      BLAKE2b-256: d7979c453201b9fb6b1ad12092515b27ea6899397637a34f46e74b52b36ddf56
    
    A PGP signature of that file decompressed is available here:
      https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20191012.tar.asc
      Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
    
    If you're a snapshot package maintainer, please bump your package version. If
    you're a user, the WireGuard team welcomes any and all feedback on this latest
    snapshot.
    
    Finally, WireGuard development thrives on donations. By popular demand, we
    have a webpage for this: https://www.wireguard.com/donations/
    
    Thank you,
    Jason Donenfeld
    
  • WireGuard 0.0.20191012 Released With Latest Fixes

    WireGuard is still working on transitioning to the Linux kernel's existing crypto API as a faster approach to finally make it into the mainline kernel, but for those using the out-of-tree WireGuard secure VPN tunnel support, a new development release is available.

  • SafeBreach catches vulnerability in controversial HP Touchpoint Analytics software

    Now the feature is embroiled in another minor controversy after security researchers at SafeBreach said they uncovered a new vulnerability. HP Touchpoint Analytics comes preinstalled on many HP devices that run Windows. Every version below 4.1.4.2827 is affected by what SafeBreach found.

    In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service is executed as "NT AUTHORITY\SYSTEM," it is afforded extremely powerful permissions that give it wide access.

    "The CVE-2019-6333 vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass, Signature Validation Bypassing," Hadar wrote.

    [...]

    The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to users' systems. When it first became widely noticed in 2017, dozens of users complained that they had not consented to adding the system.

  • Security Tool Sprawl Reaches Tipping Point
  • How trusted digital certificates complement open source security

    Application developers incorporating open source software into their designs may only discover later that elements of this software have left them (and their customers) exposed to cyber-attacks.

  • Securing the Container Supply Chain

Security: SecTor, WhatsApp and Core Infrastructure Initiative (CII)

Filed under
Security
  • #SecTorCa: Millions of Phones Leaking Information Via Tor

    There is a privacy threat lurking on perhaps hundreds of millions of devices, that could enable potential attackers to track and profile users, by using information leaked via the Tor network, even if the users never intentionally installed Tor in the first place.

    In a session at the SecTor security conference in Toronto, Canada on October 10, researchers Adam Podgorski and Milind Bhargava from Deloitte Canada outlined and demonstrated previously undisclosed research into how they were able to determine that personally identifiable information (PII) is being leaked by millions of mobile users every day over Tor.

    The irony of the issue is that Tor is a technology and a network that is intended to help provide and enable anonymity for users. With Tor, traffic travels through a number of different network hops to an eventual exit point in the hope of masking where the traffic originated from. Podgorski said that there are some users that choose to install a Tor browser on their mobile devices, but that’s not the problem. The problem is that Tor is being installed by mobile applications without user knowledge and potentially putting users at risk.

    The researchers explained that they set up several Tor exit nodes, just to see what they could find, and the results were surprising. The researchers found that approximately 30% of all Android devices are transmitting data over Tor.

  • Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp

    Today, the short looping clips, GIFs, are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight.

    But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone?

  • FLOSS Weekly 550: CII Best Practices Badge Update

    The Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. The CII Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and as a result are more likely to produce higher-quality secure software.

Digital Restrictions (DRM) Watch

Filed under
Security
Web
Legal
  • One Weird Law That Interferes With Security Research, Remix Culture, and Even Car Repair

    How can a single, ill-conceived law wreak havoc in so many ways? It prevents you from making remix videos. It blocks computer security research. It keeps those with print disabilities from reading ebooks. It makes it illegal to repair people's cars. It makes it harder to compete with tech companies by designing interoperable products. It's even been used in an attempt to block third-party ink cartridges for printers.

    It's hard to believe, but these are just some of the consequences of Section 1201 of the Digital Millennium Copyright Act, which gives legal teeth to "access controls" (like DRM). Courts have mostly interpreted the law as abandoning the traditional limitations on copyright's scope, such as fair use, in favor of a strict regime that penalizes any bypassing of access controls (such as DRM) on a copyrighted work regardless of your noninfringing purpose, regardless of the fact that you own that copy of the work.  

  • Spotify is Defective by Design

    I never used Spotify, since it contains DRM. Instead I still buy DRM-free CDs. Most of my audio collection is stored in free formats such as FLAC and Ogg Vorbis, or Red Book in the case of CDs; everything can be played by free players such as VLC or mpd.

    Spotify, which uses a central server, also spies on the listener. Every time you listen to a song, Spotify knows which song you have listened to and when and where. By contrast free embedded operating systems such as Rockbox do not phone home. CDs can be bought anonymously and ripped using free software; there is no need for an internet connection.

Tails 4.0 Anonymous OS Release Candidate Out Now with Tor Browser 9.0, Linux 5.3

Filed under
OS
Security

Powered by the latest Linux 5.3.2 kernel, Tails 4.0 Release Candidate is packed with up-to-date technologies to better protect your privacy when surfing the Internet. It comes with the latest alpha version of the upcoming Tor Browser 9.0 anonymous web browser based on Firefox 68.1.0 ESR, as well as the newest Tor 0.4.1.6 release.

Tails 4.0 Release Candidate also updates Electrum to version 3.3.8, which is fully compatible with the current Bitcoin network, and improves the usability of the Tails Greeter by making it easier to select languages, simplifying the list of keyboard layouts, fixing the Formats setting, and preventing additional settings from being applied when clicking on the Cancel or Back buttons.

Read more

Security Leftovers

Filed under
Security
  • HP Flaw Lets Hackers Hijack Your PC: What to Do [Ed: Unless you're a Mono fanatic, you won't have DLLs on your system]

    That's because there's a serious flaw in older versions of Touchpoint Analytics, aka HP Device Health Service, a diagnostic program built into most HP PCs running Windows. A user or a program with administrative rights could use Touchpoint Analytics to silently and permanently install malware at the system level, and a limited-user account could also do so in certain cases.

    [...]

    This kind of DLL switcheroo is known as a DLL injection, and it makes a program do things it shouldn't. PC gamers sometimes use DLL injection to cheat at games, and malicious hackers can use it to make a program run malicious code. (DLL injection works on Macs and Unix/Linux systems as well as on Windows.)

  • Thunderbird Will Start Using OpenPGP Encryption in 2020

    The developers of Thunderbird, one of the most-used free email clients in the world, plan to implement OpenPGP support in 2020.

    Thunderbird used to be made by Mozilla, but the company dropped it a few years ago, and the community took over the project. The email client is still using some of Firefox’s infrastructure.

    Since Thunderbird is an open-source and cross-platform email client, it would make sense to bundle GnuPG software, but the differences in licenses make that impossible (MPL version 2.0 vs. GPL version 3+). The devs have to look for another solution, and the only way to make it work is to add OpenPGP.

    Thunderbird users until now only had the option to adopt an add-on called Enigmail, which provides data encryption for both the email client and SeaMonkey. When Thunderbird migrates to a newer code, though, the Enigmail add-on will stop working.

  • Key elements of Patching to consider for Healthcare IT CISOs

    Data breaches that affect businesses of all sizes are now more common than ever, and unsurprisingly this includes Australia. As they become almost a regular affair, the healthcare sector is no exception. According to the last quarter Notifiable Data Breaches (NDB) Statistics Report from OAIC, between January to March, the health sector reported 27 per cent of the data breaches, being one of the top industries. Of the 58 notifications over the first quarter, 52 percent was caused by human error, 45 percent was because of malicious or criminal attacks and 3 percent was due to system faults.

    The recent hack events were primarily ransomware attacks, one of the key security vulnerabilities that allows attackers to plant malware into unpatched operating systems and legacy systems with the only objective of extorting affected organisations. Reports show that nearly half of reported ransomware attacks are on healthcare institutions. As the privacy violations and data breaches in the healthcare industry involve high risks and costs, it is key for healthcare IT administrators to pay close attention to their IT infrastructure and detect security gaps. Here are some crucial elements of patching to consider as a part of the IT security strategy...

Security Leftovers

Filed under
Security
  • Intimate Details on Healthcare Workers Exposed as Cloud Security Lags

    The database was set to be publicly accessible, and anyone could edit, download or delete data without administrative credentials, he said. That’s worrying given the sensitive nature of the information he found.

    [...]

    Surveying over 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the United Kingdom and the United States, the data shows that nearly half (48 percent) of organizations have a multi-cloud strategy, with Amazon Web Services (AWS), Microsoft Azure and IBM being the top three. The study found that, on average, organizations use three different cloud service providers, and more than a quarter (28 percent) are using four or more.

    The research also found somewhat schizophrenic attitudes towards security in the cloud. For instance, nearly half of survey respondents (46 percent) believe that storing consumer data in the cloud makes them more of a security risk; and more than half (56 percent) also noted that it poses a compliance risk. However, only 23 percent say security is a factor in selecting a cloud provider.

  • After banning working cryptography and raiding whistleblowers, Australia's spies ban speakers from national infosec conference

    This year, AISA opted to co-organise its annual conference with the Australian Cyber Security Centre, a creature of the same spy agencies that led the crackdown on whistleblowers in June.

    But the ACSC has a very different set of priorities to AISA, which is why it insisted on the cancellation of multiple invited talks at the show, including Thomas Drake, a celebrated NSA whistleblower who was scheduled to give a talk on "the golden age of surveillance, both government and corporate"; and the University of Melbourne's Dr Suelette Dreyfus whose cancelled lecture was on "anonymous whistleblowing technologies like SecureDrop and how they reduce corruption in countries where that is a problem."

    Both speakers have posted their slides, and Bruce Schneier, who gave a keynote at the conference, opened his talk by reading the URLs aloud.

    But the censorship doesn't stop there: ACSC also demanded that invited speaker Ted Ringrose (partner at the Ringrose Siganto law firm) remove criticism in his speech on Australia's ban on working cryptography, going so far as to edit his slides to remove "bias." (Ringrose refused and was allowed to give his original talk as planned).

  • U.S. and U.K. agencies warn consumers to update VPN technologies from Fortinet, Pulse Secure and Palo Alto Networks.

    State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.

Security: Updates, Ken Thompson's Unix Password, Microsoft Spying on Everything for 'Security', Cross Site Scripting Fix

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7).

  • Ken Thompson's Unix password

    Somewhere around 2014 I found an /etc/passwd file in some dumps of the BSD 3 source tree, containing passwords of all the old timers such as Dennis Ritchie, Ken Thompson, Brian W. Kernighan, Steve Bourne and Bill Joy.

    Since the DES-based crypt(3) algorithm used for these hashes is well known to be weak (and limited to at most 8 characters), I thought it would be an easy target to just crack these passwords for fun.

    Well known tools for this are john and hashcat.

    Quickly, I had cracked a fair deal of these passwords, many of which were very weak. (Curiously, bwk used /.,/.,, which is easy to type on a QWERTY keyboard.)

    However, ken's password eluded my cracking endeavor. Even an exhaustive search over all lower-case letters and digits took several days (back in 2014) and yielded no result. Since the algorithm was developed by Ken Thompson and Robert Morris, I wondered what’s up there. I also realized that, compared to other password hashing schemes (such as NTLM), crypt(3) turns out to be quite a bit slower to crack (and perhaps was also less optimized).

    Did he really use uppercase letters or even special chars? (A 7-bit exhaustive search would still take over 2 years on a modern GPU.)

    The topic came up again earlier this month on The Unix Heritage Society mailing list, and I shared my results and frustration of not being able to break ken's password.

  • How my application ran away and called home from Redmond

    I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows, and for easy deployment the plan was to create just one .exe including everything. However, we found out that End Point Protection (EPP) solutions didn’t like that at all and we had to go with the MSI installer option. This is a story of what happened during the .exe testing.

    I used my personal malware analysis lab for testing the application. My lab is an isolated network environment which has whitelist-based firewall rules. A whitelist firewall is needed to carefully allow specific updates and downloads. The lab already has a Beacon Virtual Machine running and it has found issues in the past. All of them are fixed. So this leak was something new!

    [...]

    I researched a bit more and made educated guesses about why this happened. I managed to narrow it down to Microsoft Defender and the “Automatic sample submission” feature.

    [...]

    Microsoft Windows 10 sends all new unique binaries for further analysis to Microsoft by default. They run the executable in an environment where network connectivity is available. This opens an interesting data leak vector for an attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables an adversary to leak data via Microsoft services, which is an extremely juicy covert channel.

  • Enrico Zini: Fixed XSS issue on debtags.debian.org

    Thanks to Moritz Naumann who found the issues and wrote a very useful report, I fixed a number of Cross Site Scripting vulnerabilities on https://debtags.debian.org.

Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under
Mac
Moz/FF
Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

Read more

Announce: OpenSSH 8.1 released

Filed under
Security
BSD

OpenSSH 8.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

Read more


More in Tux Machines

Android Leftovers

Python Programming Leftovers

  • How to Read SAS Files in Python with Pandas

    In this post, we are going to learn how to read SAS (.sas7dbat) files in Python. As previously described (in the read .sav files in Python post) Python is a general-purpose language that also can be used for doing data analysis and data visualization.

  • Daudin – a Python shell

    A few nights ago I wrote daudin, a command-line shell based on Python. It allows you to easily mix UNIX and Python on the command line.

  • How to Convert Python String to Int and Back to String

    This tutorial describes various ways to convert Python string to int and from an integer to string. You may often need to perform such operations in day to day programming. Hence, you should know them to write better programs. Also, an integer can be represented in different bases, so we’ll explain that too in this post. And there happen to be scenarios where conversion fails. Hence, you should consider such cases as well and can find a full reference given here with examples.

  • Thousands of Scientific Papers May be Invalid Due to Misunderstanding Python

    It was recently discovered that several thousand scientific articles could be invalid in their conclusions because scientists did not understand that Python’s glob.glob() does not return sorted results. This is being reported on by Vice, Slashdot and there’s an interesting discussion going on over on Reddit as well.

Audiocasts/Shows/Screencasts: Open Source Security Podcast, Linux Action News and Manjaro 19.09.28 KDE-DEV Run Through

  • Open Source Security Podcast: Episode 165 - Grab Bag of Microsoft Security News

    Josh and Kurt talk about a number of Microsoft security news items. They've changed how they are handling encrypted disks and are now forcing cloud logins on Windows users.

  • Linux Action News 127

    Richard Stallman's GNU leadership is challenged by an influential group of maintainers, SUSE drops OpenStack "for the customer," and Google claims Stadia will be faster than a gaming PC. Plus OpenLibra aims to save us from Facebook but already has a miss, lousy news for Telegram, and enormous changes for AMP.

  • GNU World Order 13x42

    On the road during the **All Things Open** conference, Klaatu talks about how to make ebooks from various sources, with custom CSS, using the Pandoc command.

  • Manjaro 19.09.28 KDE-DEV Run Through

    In this video, we are looking at Manjaro 19.09.28 KDE-DEV.

Apple of 2019 is the Linux of 2000

Last week the laptop I use for macOS development said that there is an XCode update available. I tried to install it but it said that there is not enough free space available to run the installer. So I deleted a bunch of files and tried again. Still the same complaint. Then I deleted some unused VM images. Those would free a few dozen gigabytes, so it should make things work. I even emptied the trash can to make sure nothing lingered around. But even this did not help, I still got the same complaint. At this point it was time to get serious and launch the terminal. And, true enough, according to df the disk had only 8 gigabytes of free space even though I had just deleted over 40 gigabytes of files from it (using rm, not the GUI, so things really should have been gone). A lot of googling and poking later I discovered that all the deleted files had gone to "reserved space" on the file system. There was no way to access those files or delete them. According to documentation the operating system would delete those files "on demand as more space is needed". This was not very comforting because the system most definitely was not doing that and you'd think that Apple's own software would get this right. After a ton more googling I managed to find a chat buried somewhere deep in Reddit which listed the magical indentation that purges reserved space. It consisted of running tmutil from the command line and giving it a bunch of command line arguments that did not seem to make sense or have any correlation to the thing that I wanted to do. But it did work and eventually I got XCode updated. After my blood pressure dropped to healthier levels I got the strangest feeling of déjà vu. This felt exactly like using Linux in the early 2000s. Things break at random for reasons you can't understand and the only way to fix it is to find terminal commands from discussion forums, type them in and hope for the best. Then it hit me. Read more