Language Selection

English French German Italian Portuguese Spanish

Security

Security: Updates, Oracle, Cisco, Buzzwords and Wi-Fi 'Hacking'

Filed under
Security

Gentoo News: Nitrokey partners with Gentoo Foundation to equip developers with USB keys

Filed under
Gentoo
Security

The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.

Thanks to the Gentoo Foundation and Nitrokey’s discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.

A Nitrokey Pro 2 Guide is available on the Gentoo Wiki with FAQ & instructions for integrating Nitrokeys into developer workflow.

Read more

The Ecuadorean Authorities Have No Reason to Detain Free Software Developer Ola Bini

Filed under
Development
OSS
Security

Hours after the ejection of Julian Assange from the London Ecuadorean embassy last week, police officers in Ecuador detained the Swedish citizen and open source developer Ola Bini. They seized him as he prepared to travel from his home in Quito to Japan, claiming that he was attempting to flee the country in the wake of Assange’s arrest. Bini had, in fact, booked the vacation long ago, and had publicly mentioned it on his twitter account before Assange was arrested.

Ola’s detention was full of irregularities, as documented by his lawyers. His warrant was for a “Russian hacker” (Bini is neither); he was not read his rights, allowed to contact his lawyer nor offered a translator.

The charges against him, when they were finally made public, are tenuous. Ecuador’s general prosecutor has stated that Bini was accused of “alleged participation in the crime of assault on the integrity of computer systems” and attempts to destabilize the country. The “evidence” seized from Ola’s home that Ecuadorean police showed journalists to demonstrate his guilt was nothing more than a pile of USB drives, hard drives, two-factor authentication keys, and technical manuals: all familiar property for anyone working in his field.

Ola is a free software developer, who worked to improve the security and privacy of the Internet for all its users. He has worked on several key open source projects, including JRuby, several Ruby libraries, as well as multiple implementations of the secure and open communication protocol OTR. Ola’s team at ThoughtWorks contributed to Certbot, the EFF-managed tool that has provided strong encryption for millions of websites around the world.

Like many people working on the many distributed projects defending the Internet, Ola has no need to work from a particular location. He traveled the world, but chose to settle in Ecuador because of his love of that country and of South America in general. At the time of his arrest, he was putting down roots in his new home, including co-founding Centro de Autonomia Digital, a non-profit devoted to creating user-friendly security tools, based out of Ecuador’s capital, Quito.

Read more

Security: Updates, Spectre/Meltdown and Why Not to Install Software Packages From the Internet

Filed under
Security
  • Security updates for Tuesday
  • Revised Patches Out For New Kernel "mitigations=" Option For Toggling Spectre/Meltdown [Ed: Profoundly defective chips aren't being recalled/replaced (or even properly fixed). All the cost is being passed to the victim, the client, who should instead be compensated. Corporate greed has no bounds. They also hide NSA back doors in these chips. Imperial.]

    The effort to provide a more convenient / easy to remember kernel option for toggling Spectre/Meltdown mitigations is out with a second revision and they have also shortened the option to remember.

    See the aforelinked article if the topic is new to you, but this is about an arguably long overdue ability to easily control the Spectre/Meltdown behavior -- or configurable CPU mitigations in general to security vulnerabilities -- via a single kernel flag/switch. For the past year and a half of Spectre/Meltdown/L1TF mitigations there has been various different flags to tweak the behavior of these mitigations but not offering a single, easy-to-remember switch if say wanting to disable them in the name of restoring/better performance.

  • Why Not Install Software Packages From The Internet

    Someone from the Internet has told you not to execute random scripts you find on the Internet and now you're reading why we shouldn't install software packages from the Internet. Or more specifically, the aim of this article is why it's wise to stick to distribution maintained packages and not those latest software packages we find out there on the Internet even if it's distributed by the official brand's page.
    However, it's okay to download software packages that are not available on the distribution repository but not vice versa. Read on below to learn more about why.

Debian Web Team, Debian Long Term Support, and Security Leftovers

Filed under
Security
Debian
  • Debian Web Team Sprint 2019

    The Debian Web team held a sprint for the first time, in Madrid (Spain) from March 15th to March 17th, 2019.

    We discussed the status of the Debian website in general, review several important pages/sections and agreed on many things how to improve them.

  • Freexian’s report about Debian Long Term Support, March 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Raphaël Hertzog: Freexian’s report about Debian Long Term Support, March 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Your Favorite Ad Blocker Can Be Exploited To Infect PCs With Malicious Code

    In July 2018, the popular Adblock Plus software released its version 3.2 that brought a new feature called $rewrite. This feature allowed one to change the filter rules and decide which content got blocked and which didn’t. It was said that often there are content elements that are difficult to block. This feature was soon implemented by AdBlock as well as uBlock.

    In a troubling development, it has been revealed that this filter option can be exploited by notorious actors to inject arbitrary code into the web pages. With more than 100 million users of these ad blocking tools, this exploit has great potential to harm the web users.

  • Adblock Plus filter lists may execute arbitrary code in web pages

    A new version of Adblock Plus was released on July 17, 2018. Version 3.2 introduced a new filter option for rewriting requests. A day later AdBlock followed suit and released support for the new filter option. uBlock, being owned by AdBlock, also implemented the feature.

    Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.

    The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.

  • Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.

    The disputes ares playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court, and Merck filed a similar suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. The two cases could take years to resolve.

    The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.

Security: DARPA, Updates, Microsoft Windows Incidents and Outlook Fiasco

Filed under
Security
  • DARPA Making An Anonymous And Hack-Proof Mobile Communication System

    The United States’ Defense Advanced Research Projects Agency, or DARPA, develops technologies that are deployed by the US army and sometimes the agency makes the technologies available for civilians as well. DARPA is behind many breakthrough technologies, including the internet itself, GPS, Unix, and Tor.

    Now, DARPA is currently working on an anonymous, end-to-end mobile communication system that would be attack-resilient and reside entirely within a contested network environment.

  • Security updates for Monday
  • Passwords and Policies | Roadmap to Securing Your Infrastructure
  • Adblock Plus filter lists may execute arbitrary code
  • FBI now investigating "RobinHood" ransomware attack on Greenville computers [Ed: Microsoft Windows TCO]
  • RobinHood Ransomware Is “Honest” And Promises To “Respect Your Privacy”

    The world of cybersecurity is full of surprises. From using Game of Thrones torrents to exploiting popular porn websites — notorious cybercriminals keep coming up with new ways to cause you harm.

    In a related development, a ransomware called RobinHood is spreading havoc in North Carolina, where the ransomware has crippled most city-owned PCs. The FBI is currently investigating the issue along with local authorities.

  • Purism at SCaLE 2019 – Retrospective on Secure PureBoot

    Once again, we were so busy we barely had the time to leave our booth: people were very interested in the Librem 5 devkit hardware, in the latest version of the Librem laptops and PureOS, on having the same apps for the Librem laptops and the Librem 5 phone… so we got to do the full pitch. On a less technical note, our swag was quite a success. People told us they loved our paper notebook and carpenter pencil, and asked questions about the pencils – which, according to Kyle Rankin, Chief Security Officer of Purism, have a section that is “kind of shaped like our logo”, and being carpenter pencils “are designed so you can sharpen them without having to use a proprietary pencil sharpener.” Visitors (and team) loved them for being beautiful, unusual and useful.

  • Hackers could read non-corporate Outlook.com, Hotmail for six months

    Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1 and March 28 of this year. Microsoft confirmed this to TechCrunch on Saturday.

    The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers affected by the hack had suffered unauthorized access to their emails and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

    Not in dispute is the broad character of the attack. Both hackers and Microsoft's breach notifications say that access to customer accounts came through compromise of a support agent's credentials. With these credentials, the hackers could use Microsoft's internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

  • Three encryption tools for the cloud

    Safeguard your cloud storage with some preemptive file encryption. Here are three open source tools that get the job done in Linux.

    From a security perspective, cloud storage ought never to have happened. The trouble is, it relies on the ability of users to trust the provider, yet often the only assurance available is the provider’s word. However, the convenience of cloud storage is too great for many companies and individuals to avoid it. Fortunately, security can be regained by users storing only encrypted files.

    Numerous tools exist for encrypting in the cloud. Some are proprietary. However, these solutions also require trust -- they only shift the trust requirement to a third party, and basic security requires the user to verify security for themselves.

Windows Security Circus

Filed under
Microsoft
Security
  • ApparitionSec

    Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

  • Internet Explorer Flaw Lets Hackers Steal Your Files Even If You Don’t Use It

    Internet Explorer was already useless for most of us, but now it is dangerous to have the obsolete browser on your computer. A security researcher, John Page, found a new security flaw in Internet Explorer that allows hackers to steal data.

  • Internet Explorer exploit lets hackers steal your data even if you never use it

    Finally stopped using Internet Explorer? Good! But, now it’s time to completely delete it from your computer, too. Security researcher John Page has discovered a new security flaw that allows hackers to steal Windows users’ data thanks to Internet Explorer. The craziest part: Windows users don’t ever even have to open the now-obsolete web browser for malicious actors to use the exploit. It just needs to exist on their computer.

FlexiWAN Adopts an 'Open' Slant

Filed under
OSS
Security
  • Stealthy Start-Up Portends 'Second Wave of SD-WAN'
  • The First SD-WAN Open Source Driving the Second Wave of SD-WAN by flexiWAN
  • flexiWAN Launches With Open Source SD-WAN Architecture

    Will open source usher in the second-wave of SD-WAN? Startup flexiWAN's co-founder and CEO Amir Zmora thinks so.

  • FlexiWAN soft launches SD-WAN software based on open source architecture

    Israel-based start-up FlexiWAN has started conducting proof-of-concept trials to test its SD-WAN software product, which aims to use open source architecture as a differentiator. With this approach, the company hopes to attract IT managers by providing more control over the capabilities and elements within their networks.

  • FlexiWAN pushes SD-WAN into an open source architecture

    Among the goals of flexiWAN co-founder and CEO Amir Zmora is to give enterprises and service providers the ability to differentiate their SD-WAN services instead of relying on SD-WAN vendors to define them.

    After years of working in the VoIP space, and after attending numerous industry conferences where SD-WAN was a hot topic, Zmora said that he came to the realization that SD-WAN solutions were closed black boxes that didn't enable innovation.

    [...]

    Chua said he has been waiting to see an open-source approach to SD-WAN. He said there were two elements to SD-WAN; the SD-WAN element and the universal CPE element.

    "So, on the SD-WAN side of things, which is, I think, where he's (Zmora) starting, there are elements in place in open source where you can try to cobble things together to make an SD-WAN solution," Chua said. "So, there's IPSec or an open SSL VPN, firewalls, things like that.

    "What's missing is that cloud control policy elements that aren't quite there. So, there's no open source equivalent, that I know of, on the whole cloud control side for the centralized policies, centralized configuration and of all the different SD-WAN components out there."

Security Leftovers

Filed under
Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time — which means that writing every single line of code from the ground up is often not a sustainable practice. As the NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”.

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice than to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

Security: Forwarding, Outlook Incident and Systemd Picks Up Support For MACsec

Filed under
Security
  • The Problem with SSH Agent Forwarding

    Put simply: if your jump box is compromised and you use SSH agent forwarding to connect to another machine through it, then you risk also compromising the target machine!

    Instead, you should use either ProxyCommand or ProxyJump (added in OpenSSH 7.3). That way, ssh will forward the TCP connection to the target host via the jump box, meaning that the actual connection happens on your workstation and if someone on the jump box tries to MITM your connection, then you will be warned by the SSH command.

  • Some Outlook Accounts Were Available To Hackers For Several Months

    According to a report by The Verge, a support agent’s account was hacked by unnamed hackers from January 2019 to March 28, 2019, due to which the malicious attackers could get access to several users’ email addresses, folder names, and subject lines of emails on Outlook.

  • Microsoft reveals hackers accessed some Outlook.com accounts for months

    Microsoft has started notifying some Outlook.com users that a hacker was able to access accounts for months earlier this year. The software giant discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019. Microsoft says the hackers could have viewed account email addresses, folder names, and subject lines of emails, but not the content of emails or attachments.

  • Systemd Picks Up Support For MACsec To Better Secure Ethernet Connections

    Following this week's release of systemd 242, one of the newly-merged features for what will become systemd 243 is support for MACsec within the networkd code.

Syndicate content

More in Tux Machines

Android Leftovers

Kodi 'Leia' 18.2 now available to download with bug fixes and performance improvements

The Kodi Foundation made the release candidate for Kodi 18.2 available last week, and today you can grab the final version. As you’d expect, this is a bug fix release with no major new functionality, but there are a number of notable changes including improvements to the music database performance and a new Codec Factory for Android. Read more

howtos and programming leftovers

Android Leftovers