Language Selection

English French German Italian Portuguese Spanish

Security

European Commission improving the security of widely used open source software

Filed under
OSS
Security

Amongst the many benefits of free and open source software, include the economic advantages of code reuse and the sharing of programming costs. For public institutions however, there are more fundamental reasons for embracing the open source model: [...]

Read more

Security: Vista 10 Woes, Linux FUD and More

Filed under
Security
  • Caution: KB4515384 is breaking audio on Windows 10

    If you’ve already installed KB4515384, and you want to try and fix the audio problem before you attempt the uninstall it, there is really only solution that you can try. Open the Control Panel sound settings.

    On the Playback tab, double-click your speakers to open their Properties. The properties window should have an ‘Enhancements’ tab though, it may be missing as in the case of the screenshot below. If the tab is there, go to it and enable all enhancements, and click Apply. Next, disable them all, and click Apply again.

  • Lilocked ransomware (Lilu) affects thousands of Linux-based servers [Ed: This is not about "Linux"; they're repeating ZDNet (tabloid) talking points from their anti-Linux trolls, whom CBS hired to attack Linux (the real issue here is malware being installed)]

    A ransomware strain named Lilocked or Lilu has been affecting thousands of Linux-based servers all over the world since mid-July and the attacks got intensified by the end of August, ZDNet reports.

  • From PowerShell to auditing: Expand your cybersecurity know-how at SANS London 2019 [Ed: PowerShell is used a lot by CRACKERS. Why does The Register associate NSA back-doored stuff with security? (clue/hint: money)]
  • DigitalOcean Continues Working On Linux Core Scheduling To Make HT/SMT Safer

    With Hyper Threading continuing to look increasingly unsafe in data centers / shared computing environments in light of all the speculative execution vulnerabilities exposed thus far particularly with L1TF and MDS having no SMT-secure mitigation, DigitalOcean continues working on their Linux kernel "core scheduling" patches so they can still make use of HT/SMT in a sane and safe manner.

    DigitalOcean's core scheduling work is their way to make Hyper Threading safe by ensuring that only trusted applications run concurrently on siblings of a core. Their scheduler also tries to be smart about not using SMT/HT in areas where it could degrade performance.

Security: FOSS Updates, Windows Spying as 'Security', Linux Package Management

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat).

  • Microsoft Issues New Windows 10 Update Warning

    Meanwhile, the Windows Latest reports the Start menu stops working for some users who have upgraded to KB4515384 with Windows 10 delivering the following errors: “We’ll try to fix it the next time you sign in” and “Critical Error - Your Start menu isn’t working”

  • Heads up: Microsoft is back to snooping with this month’s Win7 and 8.1 'security-only' patches

    Two months ago, the July Win7 security-only patch was found to install telemetry software, triggered by newly installed scheduled tasks called ProgramDataUpdater, Microsoft Compatibility Appraiser, and AitAgent. As best I can tell, Microsoft never admitted that its security-only patch dropped a telemetry component.

    The August security-only update didn’t include that bit of snooping, so it looked like the July snooping was a one-off aberration.

    Now we’re learning that the September security-only patches for both Win 7 and Win 8.1 have this, shall we say, feature.

    [...]

    What information is Microsoft collecting? I don’t know. Telemetry is frequently downplayed as being largely uninteresting blobs of unattributed data. If that’s the case, why is Microsoft collecting it now, after all these years? It hasn’t even acknowledged (as best I can tell) that it's collecting it via security-only patches.

  • Security Issues with PGP Signatures and Linux Package Management

    In discussions around the PGP ecosystem one thing I often hear is that while PGP has its problems, it's an important tool for package signatures in Linux distributions. I therefore want to highlight a few issues I came across in this context that are rooted in problems in the larger PGP ecosystem.

    Let's look at an example of the use of PGP signatures for deb packages, the Ubuntu Linux installation instructions for HHVM. HHVM is an implementation of the HACK programming language and developed by Facebook. I'm just using HHVM as an example here, as it nicely illustrates two attacks I want to talk about, but you'll find plenty of similar installation instructions for other software packages. I have reported these issues to Facebook, but they decided not to change anything.

Security Leftovers

Filed under
Security
  • The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once

    On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records.

    But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator.

  • If you're not using SSH certificates you're doing SSH wrong

    None of these issues are actually inherent to SSH. They're actually problems with SSH public key authentication. The solution is to switch to certificate authentication.

    SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

  • Your phone can be [cracked] - and there's nothing you can do about it

    Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seems to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards. One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT device) may not even ask for this.

Security Leftovers

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (exim, firefox, and webkit2gtk), Debian (libonig and opensc), Fedora (cobbler), Oracle (firefox and kernel), Red Hat (flash-plugin, kernel, kernel-rt, rh-maven35-jackson-databind, rh-nginx110-nginx, and rh-nginx112-nginx), Scientific Linux (kernel), Slackware (curl, mozilla, and openssl), SUSE (ceph, libvirt, and python-Werkzeug), and Ubuntu (vlc and webkit2gtk).

  • Android 10 Gets Its First Security Patch, 49 Security Vulnerabilities Fixed

    Google has released the Android Security Patch for September 2019 to address the most important security vulnerabilities and bugs discovered since August 2019, which also happens to be the first security patch for the recently released Android 10 operating system.

    Consisting of the 2019-09-01 and 2019-09-05 security patch levels, the Android Security Patch for September 2019 addresses a total of 49 security vulnerabilities across various core Android components, including Framework, Media framework, System, kernel components, Nvidia components, and Qualcomm components, including closed-source ones. The most critical flaw fixed in this patch may allow remote attackers to execute code.

  • Infrastructure Updates

    This is a post to the developers and other people who contribute to the IPFire project and have an account on our infrastructure.

    Since we have rolled out loads of changes recently, some change in client configuration is required. This was announced on the development mailing list, but for those who have missed it, here is a little blog post.

  • Accessing SELinux policy documentation

    There are many excellent man pages for the confined domains included with SELinux policy. These man pages describe booleans and context types for each domain. They also include sample semanage commands for adding context mappings, changing booleans, and more.

    Unfortunately for the sysadmin getting started with SELinux configuration, these man pages are often not installed by default. The SELinux policy man pages are available from two locations. The upstream Reference Policy repo has a handful of pre-built man pages. The rest can be generated from the policy content with a tool found in the policycoreutils-devel package.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (python38), openSUSE (nginx, nodejs10, nodejs8, python-Twisted, python-Werkzeug, SDL2_image, SDL_image, and util-linux and shadow), Oracle (firefox and nghttp2), Red Hat (.NET Core, firefox, kernel, libwmf, pki-deps:10.6, and poppler), Scientific Linux (firefox), SUSE (ghostscript, libgcrypt, podman, python-SQLAlchemy, qemu, and webkit2gtk3), and Ubuntu (curl, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, systemd, and tomcat8). 

  • Duty Of Care

    Put differently, when Toyota recalls hundreds of thousands of cars for potential defects in which exactly zero people were harmed, we consider that responsible stewardship of their product.

  • The California Consumer Privacy Act

    Next January, California is set to have one of the strongest laws in the nation, passed last year with unusual bi-partisan support, seeking to add some first-of-their-kind state protections over our personal data. It is called the California Consumer Privacy Act (CCPA) of 2018. It nicely reflects the fact that our state is one of the only states in the country whose constitution in Article 1, Section 1, actually contains an express right of privacy guaranteed to all Californians.

    This past year, since the bill’s passage, Purism has worked tirelessly–and dedicated substantial staff resources–to help make sure the new law is not substantially thrashed by Big Tech’s huge army before the fledgling law can even take effect: an army of highly-paid lobbyists. The stakes for Big Tech are large, but the stakes for consumer privacy, and for Purism’s philosophy of consumer privacy protection and control, are so much bigger.

    To try to stem the extraordinary political muscle of Big Tech in Sacramento, Purism has worked in close collaboration with California’s top privacy protection groups including the ACLU, EFF, Consumers Union, Common Sense Kids Action and the Privacy Rights Clearinghouse, and many others to try to stop the onslaught of Big Tech-sponsored bills seeking to vitiate the new law.

    Our CEO has testified in legislative hearings against the weakening measures, and has recently co-written a powerful editorial published in the Mercury News, the newspaper in the backyard of Big Tech in Silicon Valley, against these bills. As Purism’s legislative advocate, I have met with key California legislators to try to thwart Big Tech’s predictable onslaught against this new law.

  • Equifax Victims Jump Through Hoops To Nab Settlement Money They Won't Get Anyway

    So we've noted that the FTC's settlement over the Equifax hack that exposed the public data of 147 million Americans is a bit of a joke. The FTC originally promised that impacted users would be able to nab 10 years of free credit reporting or a $125 cash payout if users already subscribed to a credit reporting service. But it didn't take long for the government to backtrack, claiming it was surprised by the number of victims interested in modest compensation, while admitting the settlement failed to set aside enough money to pay even 248,000 of the hack's 147 million victims.

It's 2019, and Windows PCs can be pwned via a shortcut file, a webpage, an evil RDP server...

Filed under
Security

It will be a busy day for admins and users of Windows PCs and servers, as Microsoft has released updates for a total of 80 CVE-listed bugs.

Among the more serious issues addressed this month are CVE-2019-1215 and CVE-2019-1214, a pair of elevation-of-privilege vulnerabilities that have been under active attack in the wild.

In both cases, experts say, miscreants are going after older machines. CVE-2019-1215 preys on Winsock, specifically ws2ifsl.sys, a service that has been targeted by malware since 2007, while the exploit for CVE-2019-1214 is largely looking to target Windows 7 boxes. These flaws can give malware on a machine admin-level access to hijack the whole box.

Read more

Security Leftovers

Filed under
Security
  • Exim patches a major security bug found in all versions that left millions of Exim servers vulnerable to security attacks [Ed: If only we saw similar headlines about Microsoft Windows each time a hole was found in Photoshop...]

    A vulnerability was found in all the versions of Exim, a mail transfer agent (MTA), that when exploited can let attackers run malicious code with root privileges.

  • KeePass Password Safe 2.43

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

    KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

  • Live Patching Case Study of GESIS

    You can save time and resources by using Live Patching. GESIS is one of the many organizations who achieved excellent results using SUSE Linux Enterprise Live Patching. Here we outline some of those results so you can make an assessment about how these can apply to your environment.

  • Linux Kernel flexcop_usb_probe Function NULL Pointer Dereference Vulnerability [CVE-2019-15291]

    A vulnerability in the Linux Kernel could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.

    The vulnerability is due to a NULL pointer dereference condition that exists in the flexcop_usb_probe function, as defined in the drivers/media/usb/b2c2/flexcop-usb.c source code file of the affected software.

    An attacker with physical access to a targeted system could exploit this vulnerability by inserting a USB device that submits malicious input to the targeted system. A successful exploit could cause a DoS condition on the system.

  • Here's How Vivaldi for Android Protects Your Privacy and Keeps Your Data Secure

    After announcing the Vivaldi for Android mobile web browser, Vivaldi Technologies shared with us some details on how they managed to build a secure and privacy-aware browser on Android.
    We all know that Google's Android mobile operating system ships with a built-in web browser core, which is based on the same code that Google Chrome was built it. This internal browser core lets users view basic web pages when setting up their Android device for the first time.

    Once the device is all set up, most probably the user has installed his favorite web browser app from the Play store. This is where Vivaldi for Android comes to fill the gap, as it's not using Android's built-in browser core, which makes it secure and privacy-aware.

Security: Scandals, Holes, Patches and IPFire 2.23

Filed under
Security
  • Power Outage For Federal Court Computer System Screws Up Three Months Worth Of Job Applications?!?

    For years, we've talked about what a total joke the federal courts' PACER system is. That's the computer system the federal courts use for accessing court documents. It acts like it was designed in about 1998 and hasn't been touched since (and even when it was designed, it wasn't designed well). But that's not the only fucked up computer system that the federal courts use. A few years back when I was an expert witness in a federal case, I had to make use of a different US court website just to get paid by the government -- and while it's been a few years, I still remember that it required you to use Internet Explorer. Internet Explorer! It had lots of other issues as well.

  • How The Cyber Insurance Industry's Bottom Line Is Fueling Ransomware

    The past decade or so has seen an explosive upward trend for the cyber insurance industry. Given the rise of malware, particularly of ransomware, it's perhaps not surprising that an insurance market sprouted up around that reality. It's gotten to the point that those of us who's day to day business is managing client networks in the SMB space are now regularly fielding requests for how to obtain cyber insurance.

  • Potential 'Mirai-style botnet' could be created via Telestar Digital Radio vulnerabilities

    Two security holes in popular IoT products, relating to telnet, open ports and weak hardcoded passwords reminiscent of the methods used by the Mirai botnet, reveal just how vulnerable IoT devices remain

  • Security updates for Tuesday

    Security updates have been issued by Debian (docker.io, icedtea-web, and trafficserver), openSUSE (opera), Red Hat (bind, firefox, go-toolset:rhel8, kernel, nghttp2, and polkit), SUSE (buildah, curl, java-1_7_1-ibm, and skopeo), and Ubuntu (freetype, memcached, python2.7, python3.4, and python2.7, python3.5, python3.6, python3.7).

  • IPFire 2.23 – Core Update 135 Released

    Michael Tremer has announced the new release of IPFire 2.23 – Core Update 135 on Sep 04, 2019.

Privacy and Security Leftovers

Filed under
Security
  • European regulators to Microsoft: We’re watching you

    The Dutch DPA has taken a long time examining that and other changes Microsoft made, to see whether Windows now complies with the agency’s regulations, as well as with the newer GDPR rules. The DPA concluded that the changes complied with what the DPA originally asked Microsoft to do. But its examination “also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules,” according to the agency. So the DPA turned over the case to the Irish Data Protection Committee (DPC), because Microsoft’s European operations are headquartered in Ireland. That agency will determine whether Microsoft is violating the GDPR.

  • How Safari and iMessage Have Made iPhones Less Secure

    "If you want to compromise an iPhone, these are the best ways to do it," says independent security researcher Linus Henze of the two apps. Henze gained notoriety as an Apple [cracker] after revealing a macOS vulnerability known as KeySteal earlier this year. He and other iOS researchers argue that when it comes to the security of both iMessage and WebKit—the browser engine that serves as the foundation not just of Safari but all iOS browsers—iOS suffers from Apple's preference for its own code above that of other companies. "Apple trusts their own code way more than the code of others," says Henze. "They just don’t want to accept the fact that they make bugs in their own code, too."

  • Exciting few weeks in the SecureDrop land

    Last month, during Defcon 27, there was a panel about DEF CON to help hackers anonymously submit bugs to the government, interestingly the major suggestion in that panel is to use SecureDrop (hosted by Defcon) so that the researchers can safely submit vulnerabilities to the US government. Watch the full panel discussion to learn more in details.

Syndicate content

More in Tux Machines

An Easy Fix for a Stupid Mistake

I waited a long time for Mageia 7 and for OpenMandriva Lx 4. When both distros arrived, I was very happy. But new distros bring changes, and sometimes it is not easy to adapt. Mageia 7 has been rock-solid: it is doing a great job in my laptop and both in my daughter's desktop and in mine. There is one thing, though. I have been avoiding a strange mesa update that wants to remove Steam. OpenMandriva is also fantastic, but this new release provided options like rock, release, and rolling. When I first installed the distro, I chose rock because I was shying away from the rolling flavor. Eventually, I had to move to rolling because that was the only way in which I could manage to install Steam in both my laptop and desktop machines. Read more

today's leftovers

  • Clear Linux Is Being Used Within Some Automobiles

    Intel's speedy Clear Linux distribution could be running under the hood of your car. While we're fascinated by the performance of Intel's open-source Clear Linux distribution that it offers meaningful performance advantages over other distributions while still focused on security and offering a diverse package set, we often see it asked... who uses Clear Linux? Some argue that Clear Linux is just a toy or technology demo, but it's actually more.

  • Radeon ROCm 2.7.2 Released

    Radeon ROCm 2.7.2 is now available as the newest update to AMD's open-source GPU compute stack for Linux systems. ROCm 2.7.2 is a small release that just fixes the upgrade path when moving from older ROCm releases, v2.7.2 should now be running correctly. This release comes after the recent ROCm 2.7.1 point release that had corrected some components from properly loading the ROC tracer library.

  • How To Install Webmin on Debian 10 Linux
  • GNOME Shell + Mutter Patches Pending For Wayland Fullscreen Compositing Bypass

    There's an exciting patch set to GNOME Shell and Mutter now pending for finally wiring up the full-screen unredirected display / full-screen bypass compositing for helping the performance of full-screen games in particular on Wayland. GNOME on X11 has long supported the full-screen compositing bypass so the window manager / compositor gets out of the way when running full-screen games/applications. That support under Wayland hasn't been in place and thus there is a performance hit for full-screen Wayland-native software. But now thanks to Red Hat's Jonas Ådahl, that infrastructure now appears to be ready.

  • Xabber Server v.0.9 alpha is released

    After almost three years of research, planning and development we're proud to present the first public version of Xabber Server. Server is licensed under GNU AGPL v3 license, source code is available on GitHub. It is a fork of superb open source source XMPP server ejabberd by ProcessOne, with many custom protocol improvements an an all-new management panel.

  • September Edition of Plasma5 for Slackware

    After a summer hiatus during which I only released new packages for KDE Frameworks because they addressed a serious security hole, I am now back in business and just released KDE-5_19.09 for Slackware-current. The packages for KDE-5_19.09 are available for download from my ‘ktown‘ repository. As always, these packages are meant to be installed on a full installation of Slackware-current which has had its KDE4 removed first. These packages will not work on Slackware 14.2. On my laptop with slackware64-current, this new release of Plasma5 runs smooth.

  • Pen-testing duo cuffed for breaking into courthouse that hired them

    Later, the County official discovered that the two men were in fact, hired by the state court administration to try to "access" court records through "various means" to find out potential security vulnerabilities of the electronic court records.

    The state court administration acknowledged that the two men had been hired, but said they were not supposed to physically break into the courthouse.

  • Satellite, GNU Radio and SDR talks released

    Mark M5BOP reports the complete set of amateur radio technical talks from this year's Martlesham Microwave Round Table is now available to watch on YouTube Videos of these MMRT 2019 talks are available: • Practical GNUradio - Heather Lomond M0HMO

  • Destination Linux 138 - GNOME 3.34, Firefox 69, Librem 5, Chromebooks, Signal Messenger & more

    On DL 138 Gnome 3.34 Drops This Week, Super Grub2 Disk 2.04s1 Released, Firefox 69 Released, Purism Librem 5 Shipping, Chromebooks Targeting The Enterprise, Phantom 3D Coming To Linux

  • Agile project management: 10 reasons to use it

    On the road to change, you’ll encounter fear and loathing. People will undoubtedly cling to old ways of working. Successfully making it to the other side will require commitment, passionate change agents, and unwavering leadership. You might wonder – is it really worth it? Leaders who have made the switch to agile project management say that it has delivered benefits both large and small to their organizations, from the rituals that bring their team together – like daily stand-ups – to the results that make their business stronger – like better end products and happier customers.

Linux Kernel and Linux Foundation Leftovers

  • Improve memset
    
    since the merge window is closing in and y'all are on a conference, I
    thought I should take another stab at it. It being something which Ingo,
    Linus and Peter have suggested in the past at least once.
    
  • An Improved Linux MEMSET Is Being Tackled For Possibly Better Performance

    Borislav Petkov has taken to improve the Linux kernel's memset function with it being an area previously criticzed by Linus Torvalds and other prominent developers. Petkov this week published his initial patch for better optimizing the memset function that is used for filling memory with a constant byte.

  • Kernel Address Space Isolation Still Baking To Limit Data Leaks From Foreshadow & Co

    In addition to the work being led by DigitalOcean on core scheduling to make Hyper Threading safer in light of security vulnerabilities, IBM and Oracle engineers continue working on Kernel Address Space Isolation to help prevent data leaks during attacks. Complementing the "Core Scheduling" work, Kernel Address Space Isolation was also talked about at this week's Linux Plumbers Conference in Lisbon, Portugal. The address space isolation work for the kernel was RFC'ed a few months ago as a feature to prevent leaking sensitive data during attacks like L1 Terminal Fault and MDS. The focus on this Kernel ASI is for pairing with hypervisors like KVM as well as being a generic address space isolation framework.

  • The Linux Kernel Is Preparing To Enable 5-Level Paging By Default

    While Intel CPUs aren't shipping with 5-level paging support, they are expected to be soon and distribution kernels are preparing to enable the kernel's functionality for this feature to extend the addressable memory supported. With that, the mainline kernel is also looking at flipping on 5-level paging by default for its default kernel configuration. Intel's Linux developers have been working for several years on the 5-level paging support for increasing the virtual/physical address space for supporting large servers with vast amounts of RAM. The 5-level paging increases the virtual address space from 256 TiB to 128 PiB and the physical address space from 64 TiB to 4 PiB. Intel's 5-level paging works by extending the size of virtual addresses to 57 bits from 48 bits.

  • Interview with the Cloud Foundry Foundation CTO

    In this interview, Chip Childers, the CTO of the Cloud Foundry Foundation talks about some hot topics.

  • Research Shows Open Source Program Offices Improve Software Practices

    Using open source software is commonplace, with only a minority of companies preferring a proprietary-first software policy. Proponents of free and open source software (FOSS) have moved to the next phases of open source adoption, widening FOSS usage within the enterprise as well as gaining the “digital transformation” benefits associated with open source and cloud native best practices. Companies, as well as FOSS advocates, are determining the best ways to promote these business goals, while at the same time keeping alive the spirit and ethos of the non-commercial communities that have embodied the open source movement for years.

  • Linux Foundation Survey Proves Open-Source Offices Work Better

Releasing Slax 9.11.0

New school year has started again and next version of Slax is here too :) this time it is 9.11.0. This release includes all bug fixes and security updates from Debian 9.11 (code name Jessie), and adds a boot parameter to disable console blanking (console blanking is disabled by default). You can get the newest version at the project's home page, there are options to purchase Slax on DVD or USB device, as well as links for free download. Surprisingly for me we skipped 9.10, I am not sure why :) I also experimented with the newly released series of Debian 10 (code name Buster) and noticed several differences which need addressing, so Slax based on Debian 10 is in progress, but not ready yet. Considering my current workload and other circumstances, it will take some more time to get it ready, few weeks at least. Read more Also: Slax 9.11 Released While Re-Base To Debian 10 Is In Development