Language Selection

English French German Italian Portuguese Spanish

Security

Security: Reproducible Builds, Windows Phones, Debian, Mageia Identity Security Breach and More

Filed under
Security
  • Reproducible Builds: Weekly report #147
  • Windows Phones Get Cumulative Update KB4074592, PDF Support Now Broken

    Just when you thought Windows 10 Mobile is dead, here’s Microsoft rolling out a new cumulative update for the platform as part of its February patching cycle.

    Windows 10 cumulative update KB4074592, which is also released on PCs running the Creators Update (version 1703) – phones have never received the Fall Creators Update, comes with little changes for mobile devices, though it does something that many users might notice.

    Microsoft doesn’t provide a separate change log for mobile and PC, so the release notes that you can find at the end of the article include all the improvements and security fixes that Microsoft included in KB4074592 for both platforms.

  • Time to Join Extended Long Term Support for Debian 7 Wheezy

    Debian 7 Wheezy LTS period ends on May 31st and some companies asked Freexian if they could get security support past this date. Since about half of the current team of paid LTS contributors is willing to continue to provide security updates for Wheezy, I have started to work on making this possible.

  • Hackers Infiltrated Tesla to Mine Cryptocurrency

    While Elon Musk was busy planning how to launch his Tesla Roadster into the depths of space last month, a hacker was silently using Tesla’s computing power to mine an unknown amount of cryptocurrency.

    The unidentified attackers found their way in through cracks in Tesla’s cloud environment, according to a report issued by RedLock security on February 20. The miners were able to gain access via an unprotected Tesla Kubernete console—an open source system that manages applications. Included on this console were the access credentials to Tesla’s Amazon Web Service. Once they obtained access to the console, the attackers were able to run scripts that allowed them to stealthily mine cryptocurrency.

  • Hacking at EPFL Toastmasters, Lausanne, tonight

    ...remember to turn off your mobile device or leave it at home, you never know when it might ring or become part of a demonstration.

  • Mageia Identity Security Breach

    A user was able to gain access to our LDAP database and has published the email addresses and names, as well as apparent password hashes, of anyone who has signed up to identity.mageia.org. However, the published hashes do not match those on record, and all capitalisation has been removed, so it is not clear that the actual passwords have been compromised. All of the passwords have since been reset as a security precaution. New rules have been added to prevent access to the LDAP server. The sysadmins are investigating how the fields were read, as the configuration should have specifically prevented this.

    The passwords stored by the Mageia LDAP server are hashed and salted, meaning that the full decryption of the password, if they have actually been leaked, into a human-usable format would require significant computing power for safe and complex passwords.

Security: Updates, Nintendo 'Hackers', Microsoft Windows Back Doors, and FlightSimLabs Malware

Filed under
Security
  • Security updates for Tuesday
  • Hackers Release Video Of Nintendo Switch Running A Linux Distro

    When it comes to porting software to potentially unsupported devices, hackers are quite comfortable to push themselves beyond the boundaries set by the manufactures.

  • Epidemic of cryptojacking can be traced to escaped NSA superweapon [Ed: It's a Microsoft Windows issue. All versions of Windows (ME onwards) have NSA back doors]

    It all started when the Shadow Brokers dumped a collection of NSA cyberweapons that the NSA had fashioned from unreported bugs in commonly used software, including versions of Windows. The NSA discovered these bugs and then hoarded them, rather than warning the public and/or the manufacturers about them, in order to develop weapons that turned these bugs into attacks that could be used against the NSA's enemies.

  • Flight Sim Company Embeds Malware to Steal Pirates’ Passwords

    Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.

Security: Voting Machines With Windows and Back Doors in Windows Help Crypto-jacking

Filed under
Security
  • Election Security a High Priority — Until It Comes to Paying for New Voting Machines [Ed: Sadly, the US has outsourced its voting machines to a private company whose systems are managed by Microsoft]

    When poll workers arrived at 6 a.m. to open the voting location in Allentown, New Jersey, for last November’s gubernatorial election, they found that none of the borough’s four voting machines were working. Their replacements, which were delivered about four hours later, also failed. Voters had to cast their ballots on paper, which then were counted by hand.

    Machine malfunctions are a regular feature of American elections. Even as worries over cybersecurity and election interference loom, many local jurisdictions depend on aging voting equipment based on frequently obsolete and sometimes insecure technology. And the counties and states that fund elections have dragged their heels on providing the money to buy new equipment.

  • Congress Can Act Right Now to Prevent Interference in the 2018 Elections [Ed: "confidence" is not security]

    To create that confidence the SAFE Act would: [...]

  • America’s Election Meddling Would Indeed Justify Other Countries Retaliating In Kind

    There is still no clear proof that the Russian government interfered with the 2016 U.S. election in any meaningful way. Which is weird, because Russia and every other country on earth would be perfectly justified in doing so.

  • NSA Exploit Now Powering Cryptocurrency Mining Malware [Ed: Microsoft Windows back door]

    You may have been asked if you'd like to try your hand at mining cryptocurrency. You may have demurred, citing the shortage in graphics cards or perhaps wary you were being coaxed into an elaborate Ponzi scheme. So much for opting out. Thanks to the NSA, you may be involved in mining cryptocurrency, but you're likely not seeing any of the benefits.

  • Cryptocurrency-mining criminals that netted $3 million gear up for more

    Separately, researchers from security firm FireEye said attackers, presumably with no relation to the one reported by Check Point, are exploiting unpatched systems running Oracle's WebLogic Server to install cryptocurrency-mining malware. Oracle patched the vulnerability, indexed as CVE-2017-10271, in October.

​Bogus Linux vulnerability gets publicity

Filed under
Security

I am so sick and tired of crap security news about Android and Linux. In the latest example, GoSecure claims it's discovered Chaos: a Stolen Backdoor Rising Again. Yeah. Right. Let's look closer.

First, we have a neat name. Can't have a security bug these days without giving it a sexy name. But, what is it really?

Well, it requires the attacker to break into the target system by "brute-forcing SSH credentials". Wait. What? To get this you need someone to log in to your server!?

Read more

Security Leftovers

Filed under
Security

Security: France, Munich, 'Smart' Meters, MeltdownPrime and SpectrePrime

Filed under
Security
  • Highlights of the French cybersecurity strategy

    First, the document describes that in France cyberdefence and cyberoffence are separated. This is directly opposed to the models employed in Anglo-Saxon countries. But it’s shown as an asset. Key argument: it respects freedoms and civil liberties.

    The document then lists the six general objectives of cyberdefence, namely: prevention, anticipation, protection, detection, attribution, reaction (remediation). The strategy itself is complete, it focuses on civil, military, domestic, external, and international levels. Let’s say it’s a rarity in the business in strategic cybersecurity documents.

    [...]

    The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date.

  • The Munich Security Conference 2018

    Over the past five decades, the Munich Security Conference (MSC) has become the major global forum for the discussion of security policy. Each February, it brings together more than 450 senior decision-makers from around the world, including heads-of-state, ministers, leading personalities of international and non-governmental organizations, as well as high ranking representatives of industry, media, academia, and civil society, to engage in an intensive debate on current and future security challenges.

  • Smart meters could leave British homes vulnerable to cyber attacks, experts have warned

    New smart energy meters that the Government wants to be installed in millions of homes will leave householders vulnerable to cyber attacks, ministers have been warned.

  • MeltdownPrime and SpectrePrime: Researchers nail exploits

    "The flaws—dubbed Meltdown and Spectre—are in chips made by Intel and other major suppliers. They can allow hackers to steal data from the memory of running apps, including password managers, browsers and emails."

    The authors of the paper on arXiv, Caroline Trippel, Daniel Lustig, and Margaret Martonosi, discuss a tool they developed for "automatically synthesizing microarchitecture-specific programs capable of producing any user-specified hardware execution pattern of interest."

    They said they show "how this tool can be used for generating small microarchitecture-specific programs which represent exploits in their most abstracted form—security litmus tests."

Security Leftovers

Filed under
Security
  • Thousands of FedEx customers' private info exposed in legacy server data breach

    Uncovered by Kromtech Security Center, the parent company of MacKeeper Security, the breach exposed data such as passport information, driver's licenses and other high profile security IDs, all of which were hosted on a password-less Amazon S3 storage server.

  • Correlated Cryptojacking

    they include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.

    Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

  • Facebook using 2FA cell numbers for spam, replies get posted to the platform

    Replies ending up as comments appears to be a bizarre bug, but the spamming seems intentional.

  • Swedish Police website hacked [sic] to mine cryptocurrency

    Remember now, it is a Police Force that allowed their website to be hijacked by this simple attack vector. The authority assigned to serve and protect. More specifically, the authority that argues that wiretapping is totally safe because the Police is competent in IT security matters, so there’s no risk whatsoever your data will leak or be mishandled.

    This is one of the websites that were trivially hacked [sic].

    It gives pause for thought.

    It also tells you what you already knew: authorities can’t even keep their own dirtiest laundry under wraps, so the notion that they’re capable or even willing to protect your sensitive data is hogwash of the highest order.

  • New EU Privacy Law May Weaken Security

    In a bid to help domain registrars comply with the GDPR regulations, ICANN has floated several proposals, all of which would redact some of the registrant data from WHOIS records. Its mildest proposal would remove the registrant’s name, email, and phone number, while allowing self-certified 3rd parties to request access to said data at the approval of a higher authority — such as the registrar used to register the domain name.

    The most restrictive proposal would remove all registrant data from public WHOIS records, and would require legal due process (such as a subpoena or court order) to reveal any information supplied by the domain registrant.

  • Intel hit with 32 lawsuits over security flaws

    Intel Corp said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips.

  • The Risks of "Responsible Encryption"

    Federal law enforcement officials in the United States have recently renewed their periodic demands for legislation to regulate encryption. While they offer few technical specifics, their general proposal—that vendors must retain the ability to decrypt for law enforcement the devices they manufacture or communications their services transmit—presents intractable problems that would-be regulators must not ignore.

  • Reviewing SSH Mastery 2nd Ed

    It’s finally out ! Michael W Lucas is one of the best authors of technical books out there. I was curious about this new edition. It is not a reference book, but covers the practical aspects of SSH that I wish everybody knew. Rather than aggregating different articles/blogs on SSH, this book covers 90% of the common use cases for SSH that you will ever encounter.

Security Leftovers

Filed under
Security

Security: Cryptocurrency Mining, Hardware Bugs in HPC, and Dan Goodin's Latest Sensationalism

Filed under
Security
  • Cryptocurrency Mining Company Coinhive Shocked To Learn Its Product Is Being Abused

    So if you haven't noticed, the entire cryptocurrency mining thing has become a bit of an absurd stage play over the last few months. From gamers being unable to buy graphics cards thanks to miners hoping to cash in on soaring valuations, to hackers using malware to covertly infect websites with cryptocurrency miners that use visitors' CPU cycles without their knowledge or consent. As an additional layer of intrigue, some websites have also begun using such miners as an alternative to traditional advertising, though several have already done so without apparently deeming it necessary to inform visitors.

    At the heart of a lot of this drama is crypotcurreny mining software company Coinhive, whose software is popping up in both malware-based and above board efforts to cash in on the cryptocurrency mining craze. Coinhive specifically focuses on using site visitor CPU cycles to help mine Monero. The company's website insists that their product can help websites craft "an ad-free experience, in-game currency or whatever incentives you can come up with." The company says its project has already resulted in the mining of several million dollars worth of Monero (depending on what Monero's worth any given day).

  • Fluid HPC: How Extreme-Scale Computing Should Respond to Meltdown and Spectre

    The Meltdown and Spectre vulnerabilities are proving difficult to fix, and initial experiments suggest security patches will cause significant performance penalties to HPC applications. Even as these patches are rolled out to current HPC platforms, it might be helpful to explore how future HPC systems could be better insulated from CPU or operating system security flaws that could cause massive disruptions. Surprisingly, most of the core concepts to build supercomputers that are resistant to a wide range of threats have already been invented and deployed in HPC systems over the past 20 years. Combining these technologies, concepts, and approaches not only would improve cybersecurity but also would have broader benefits for improving HPC performance, developing scientific software, adopting advanced hardware such as neuromorphic chips, and building easy-to-deploy data and analysis services. This new form of “Fluid HPC” would do more than solve current vulnerabilities. As an enabling technology, Fluid HPC would be transformative, dramatically improving extreme-scale code development in the same way that virtual machine and container technologies made cloud computing possible and built a new industry.

  • Raw sockets backdoor gives attackers complete control of some Linux servers [Ed: Here goes Dan Goodin again (sued for sensationalism), using the term "back door" in relation to Linux when actually referring to already-infected (compromised) machines]

    Once installed, Chaos allows malware operators anywhere in the world to gain complete control over the server via a reverse shell.

Security: Blaming Russia for Windows Back Doors Being Exploited, New Updates, BuckHacker, and More

Filed under
Security
Syndicate content

More in Tux Machines

Introducing the potential new Ubuntu Studio Council

Back in 2016, Set Hallström was elected as the new Team Lead for Ubuntu Studio, just in time for the 16.04 Xenial Long Term Support (LTS) release. It was intended that Ubuntu Studio would be able to utilise Set’s leadership skills at least up until the next LTS release in April 2018. Unfortunately, as happens occasionally in the world of volunteer work, Set’s personal circumstances changed and he is no longer able to devote as much time to Ubuntu Studio as he would like. Therefore, an IRC meeting was held between interested Ubuntu Studio contributors on 21st May 2017 to agree on how to fill the void. We decided to follow the lead of Xubuntu and create a Council to take care of Ubuntu Studio, rather than continuing to place the burden of leadership on the shoulder of one particular person. Unfortunately, although the result was an agreement to form the first Ubuntu Studio Council from the meeting participants, we all got busy and the council was never set up. Read more

today's leftovers

  • My Experience with MailSpring on Linux
    On the Linux Desktop, there are quite a few choices for email applications. Each of these has their own pros and cons which should be weighed depending on one’s needs. Some clients will have MS Exchange support. Others do not. In general, because email is reasonably close to free (and yes, we can thank Hotmail for that) it has been a difficult place to make money. Without a cash flow to encourage developers, development has trickled at best.
  • Useful FFMPEG Commands for Managing Audio and Video Files
  • Set Up A Python Django Development Environment on Debian 9 Stretch Linux
  • How To Run A Command For A Specific Time In Linux
  • Kubuntu 17.10 Guide for Newbie Part 7
  •  
  • Why Oppo and Vivo are losing steam in Chinese smartphone market
    China’s smartphone market has seen intense competition over the past few years with four local brands capturing more than 60 percent of sales in 2017. Huawei Technologies, Oppo, Vivo and Xiaomi Technology recorded strong shipment growth on a year-on-year basis. But some market experts warned that Oppo and Vivo may see the growth of their shipments slow this year as users become more discriminating.
  • iPhones Blamed for More than 1,600 Accidental 911 Calls Since October
    The new Emergency SOS feature released by Apple for the iPhone is the one to blame for no less than 1,600 false calls to 911 since October, according to dispatchers. And surprisingly, emergency teams in Elk Grove and Sacramento County in California say they receive at least 20 such 911 calls every day from what appears to be an Apple service center. While it’s not exactly clear why the iPhones that are probably brought in for repairs end up dialing 911, dispatchers told CBS that the false calls were first noticed in the fall of the last year. Apple launched new iPhones in September 2017 and they went on sale later the same month and in November, but it’s not clear if these new devices are in any way related to the increasing number of accidental calls to 911.
  • Game Studio Found To Install Malware DRM On Customers' Machines, Defends Itself, Then Apologizes
    The thin line that exists between entertainment industry DRM software and plain malware has been pointed out both recently and in the past. There are many layers to this onion, ranging from Sony's rootkit fiasco, to performance hits on machines thanks to DRM installed by video games, up to and including the insane idea that copyright holders ought to be able to use malware payloads to "hack back" against accused infringers. What is different in more recent times is the public awareness regarding DRM, computer security, and an overall fear of malware. This is a natural kind of progression, as the public becomes more connected and reliant on computer systems and the internet, they likewise become more concerned about those systems. That may likely explain the swift public backlash to a small game-modding studio seemingly installing something akin to malware in every installation of its software, whether from a legitimate purchase or piracy.

Server: Benchmarks, IBM and Red Hat

  • 36-Way Comparison Of Amazon EC2 / Google Compute Engine / Microsoft Azure Cloud Instances vs. Intel/AMD CPUs
    Earlier this week I delivered a number of benchmarks comparing Amazon EC2 instances to bare metal Intel/AMD systems. Due to interest from that, here is a larger selection of cloud instance types from the leading public clouds of Amazon Elastic Compute Cloud, Microsoft Azure, and Google Compute Engine.
  • IBM's Phil Estes on the Turbulent Waters of Container History
    Phil Estes painted a different picture of container history at Open Source 101 in Raleigh last weekend, speaking from the perspective of someone who had a front row seat. To hear him tell it, this rise and success is a story filled with intrigue, and enough drama to keep a daytime soap opera going for a season or two.
  • Red Hat CSA Mike Bursell on 'managed degradation' and open data
    As part of Red Hat's CTO office chief security architect Mike Bursell has to be informed of security threats past, present and yet to come – as many as 10 years into the future. The open source company has access to a wealth of customers in verticals including health, finance, defence, the public sector and more. So how do these insights inform the company's understanding of the future threat landscape?
  • Red Hat Offers New Decision Management Tech Platform
    Red Hat (NYSE: RHT) has released a platform that will work to support information technology applications and streamline the deployment of rules-based tools in efforts to automate processes for business decision management, ExecutiveBiz reported Thursday.

Vulkan Anniversary and Generic FBDEV Emulation Continues To Be Worked On For DRM Drivers

  • Vulkan Turns Two Years Old, What Do You Hope For Next?
    This last week marked two years since the debut of Vulkan 1.0, you can see our our original launch article. My overworked memory missed realizing it by a few days, but it's been a pretty miraculous two years for this high-performance graphics and compute API.
  • Generic FBDEV Emulation Continues To Be Worked On For DRM Drivers
    Noralf Trønnes has spent the past few months working on generic FBDEV emulation for Direct Rendering Manager (DRM) drivers and this week he volleyed his third revision of these patches, which now includes a new in-kernel API along with some clients like a bootsplash system, VT console, and fbdev implementation.