Language Selection

English French German Italian Portuguese Spanish

Security

Security: Patches, FUD and Voting Machines

Filed under
Security
  • libssh 0.8.4 and 0.7.6 security and bugfix release

    libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authentciate without any credentials.

  • A Cybersecurity Weak Link: Linux and IoT [Ed: Blaming "Linux" for companies that put default passwords on all their products? Windows has back doors.]
  • Undetectably bypass voting machines' anti-tamper mechanism with a bit of a soda-can

    But University of Michigan grad student Matt Bernhard has demonstrated that he can bypass the tamper-evident seals in seconds, using a shim made from a slice of a soda can. The bypass is undetectable and doesn't damage the seal, which can be resecured after an attacker gains access to the system.

  • Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can

    Bernhard, who is an expert witness for election integrity activists in a lawsuit filed in Georgia to force officials to get rid of paperless voting machines used in that state, said the issue of security ties and seals came up in the lawsuit earlier this year when Fulton County Elections Director Richard Barron told the court that his Georgia county relies on tamper-evident metal and plastic ties to seal voting machines and prevent anyone with physical access to the machines from subverting them while they sit in polling places days before an election.

    [...]

    He noted that defeating ties and seals in non-tamper-evident ways isn’t the only method to wreak havoc on an election in Michigan. The state has a unique law that prohibits ballots from being used in a recount if the number of voters doesn't match the number of ballots cast at a precinct or if the seal on a ballot box is broken or has a different serial number than what it should have. Someone who wanted to wreak havoc on an election or alter an election outcome in Michigan could purposely tamper with ballot box seals in a way that is evident or simply replace them with a seal bearing a different serial number in order to get ballots excluded from a recount. The law came into sharp relief after the 2016 presidential election when Green Party candidate Jill Stein sought to get a statewide recount in Michigan and two other critical swing states and found that some precincts in Wayne County couldn't be recounted because the number of voters who signed the poll books—which get certified with a seal signed by officials—didn't match the number of ballots scanned on the voting machines.

Security: Reproducible Builds, MikroTik, TLS and Updates

Filed under
Security

Security: NHS and Police With Windows

Filed under
Security
  • Wannacry ransomware cost the British National Health Service £92m ($121m)

    Among the most prominent ransomware victims were NHS facilities, including hospitals, across the UK. All told, the epidemic cost the cash-starved health system £92m (£19 in lost output, £73m in IT expenses in the aftermath).

  • WannaCry attack cost cash-strapped NHS an estimated £92m

    Until now, the financial damage caused by the sweeping cyber attack - which it's now been revealed affected 8 per cent of GP clinics and forced the NHS to cancel 19,000 appointments - has been unclear, but the DHSC estimates in a new report that the total figure cost in at £92m.

    WannaCry cost approximately £19 in lost output, while a whopping £73m was racked up in IT costs in the aftermath of the attack, according to the report. Some £72m was spent on restoring systems and data in the weeks after the attack struck.

  • [Old] Ethical [crackers] show that Windows 10 isn’t immune to WannaCry

    And secondly, the exploit they crafted only works against older versions of Windows 10 (pre-Anniversary Update), but that isn’t really the point. It’s about showing the lines along which these sort of exploits can evolve, and reminding folks not to sit back smugly even when the OS they’re running appears to be bulletproof to a new threat.

  • Police body cameras 'could be hacked' [sic] to access confidential data

Kali Linux: What You Must Know Before Using it

Filed under
GNU
Linux
Security

Kali Linux is the industry’s leading Linux distribution in penetration testing and ethical hacking. It is a distribution that comes shipped with tons and tons of hacking and penetration tools and software by default, and is widely recognized in all parts of the world, even among Windows users who may not even know what Linux is.

Because of the latter, many people are trying to get alone with Kali Linux although they don’t even understand the basics of a Linux system. The reasons may vary from having fun, faking being a hacker to impress a girlfriend or simply trying to hack the neighbors’ WiFi network to get a free Internet, all of which is a bad thing to do if you are planning to use Kali Linux.

Read more

Security: 'Cyber' Wars, IPFS, Updates and PHP FUD

Filed under
Security

IPFire 2.21 - Core Update 124 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.21 – Core Update 124. It brings new features and immensely improves security and performance of the whole system.

Read more

Security: 'Smart' Locks, Windows in Weapons

Filed under
Security

GNOME's Nautilus Gets Better Google Drive Support, Warns About Security Risks

Filed under
GNOME
Security

The GNOME 3.30 desktop environment is about to get its last scheduled point release, version 3.30.2, which should hit the streets later this month on October 24, and it looks like the Nautilus app was already updated to version 3.30.2, a bugfix release that adds quite a few improvements to the popular file manager.

According to the internal changelog, Nautilus 3.30.2 improves support for opening files stored on Google Drive accounts, improves searching by addressing various crashes, fixes the triple mouse click gesture in the pathbar to minimize the main window, as well as the "/" and "~" characters not opening the location bar.

Read more

Security: Electric-Scooter 'Hacking', Facebook Cracked, National Security Agency (NSA) Looks Into Fuchsia/Android and More

Filed under
Security
  • Inside the Lawless New World of Electric-Scooter Hacking

    If major corporations and voting infrastructure can be hacked, then it stands to reason that one could also, and much more easily, hack a $400 electric scooter. And in their rush to make dockless, app-enabled two-wheelers a way of life across every urban neighborhood worldwide — while throttling the competition — startups Bird, Lime, Scoot, Skip and Spin have caused localized backlashes while putting their tech at risk of both clever and stupid exploits.

    What’s funny is that the companies tend to dismiss these vulnerabilities as insignificant. Lime’s director of government relations and strategic development, Sam Sadle, told the Dallas Observer this summer that theft and vandalism of scooters is rare because they’re so often in use. Reacting to complaints that hacking has become common, he added: “It hasn’t in any way limited our ability to operate in the markets in which we do operate.”

  • How to Find Out if You Were Affected by the Recent Facebook Hack [Ed: Facebook is almost certainly lying/lowballing the number and far more people got cracked]

    Facebook has now confirmed that hackers stole access tokens for “only” 30 million people, not 50 million. For 15 million of those people, the hackers were able to get phone number, email address, or both. And for 14 million more people, the hackers were able to get a lot more information, like username, gender, relationship status, religious, birthday, and a ton of other information including things you’ve searched for.

  • Facebook Revises Data Breach Impact Downward, Provides New Details
  • Google Fuchsia: Here's what the NSA knows about it

    A while back, Google told us Fuchsia is not Linux. There have also been endless rumors, with little hard proof, it will eventually replace Android. Other than that, we don't know much. But the National Security Agency (NSA), of all groups, has been checking into Fuchsia and revealed its findings at the recent North American Linux Security Summit in Vancouver, B.C.

  • Course Review: Adversarial Attacks and Hunt Teaming

    At DerbyCon 8, I had the opportunity to take the “Adversarial Attacks and Hunt Teaming” presented by Ben Ten and Larry Spohn from TrustedSec. I went into the course hoping to get a refresher on the latest techniques for Windows domains (I do mostly Linux, IoT & Web Apps at work) as well as to get a better understanding of how hunt teaming is done. (As a Red Teamer, I feel understanding the work done by the blue team is critical to better success and reducing detection.)

Security: Chinese Crackers, Microsoft's Botched New Updates, Latest FOSS Updates

Filed under
Security
  • Hackers [sic] Are Using Stolen Apple IDs to Swipe Cash in China

    Ant Financial’s Alipay and Tencent Holdings Ltd. warned that cyber-attackers employed stolen Apple IDs to break into customers’ accounts and made off with an unknown amount of cash, in a rare security breach for China’s top digital payments providers.

  • Hackers [sic] loot digital wallets using stolen Apple IDs

    Two Chinese companies are warning customers that [crackers] used stolen Apple IDs to get into their digital payment accounts and steal money.

  • Microsoft October 2018 Patch Slightly Flawed and Unable To fully Rectify Jet Database Engine Vulnerability

    On the 20th of September, Trend Micro’s Zero Day Initiative (ZDI) went public with the information of a remove code execution vulnerability that would allow attackers to use the flawed Jet Database Engine to run macros through Microsoft Office programs and cause malicious activities in the targets computer. We covered this previously, you can read it here.

    Regarding this issue, ZDI released a micro-patch on the 21st September which fixed the vulnerability and urged Microsoft to correct this in the following patch. ZDI then did a review of the October 2018 update by Microsoft and found out that the security flaw while addressed has only limited the vulnerability rather than eliminating it.

  • Security updates for Friday
Syndicate content

More in Tux Machines

Plasma 5.14.2

Today KDE releases a Bugfix update to KDE Plasma 5, versioned 5.14.2. Plasma 5.14 was released in October with many feature refinements and new modules to complete the desktop experience. Read more Also: KDE Plasma 5.14.2 Desktop Environment Improves Firmware Updates, Snap Support

Red Hat and Fedora Leftovers

  • Red Hat: Creativity is risky (and other truths open leaders need to hear)
    Leaders are all too aware of the importance of invention and innovation. Today, the health and wealth of their businesses have become increasingly dependent on the creation of new products and processes. In the digital age especially, competition is more fierce than ever as global markets open and expand. Just keeping pace with change requires a focus on constant improvement and consistent learning. And that says nothing about building for tomorrow.
  • APAC Financial Services Institutions Bank on Red Hat to Enhance Agility
  • APAC banks aim to use open source to enhance agility
  • Huawei CloudFabric Supports Container Network Deployment Automation, Improving Enterprise Service Agility
    At HUAWEI CONNECT 2018, Huawei announced that its CloudFabric Cloud Data Center Solution supports container network deployment automation and will be available for the industry-leading enterprise Kubernetes platform via a new plug-in.
  • Redis Labs Integrates With Red Hat OpenShift, Hits 1B Milestone
    Redis Labs is integrating its enterprise platform as a hosted and managed database service on Red Hat’s OpenShift Container Platform. That integration includes built-in support for Red Hat’s recently launched Kubernetes Operator. The Redis Enterprise integration will allow customers to deploy and manage Redis databases as a stateful Kubernetes service. It will also allow users to run Redis Enterprise on premises or across any cloud environment.
  • Needham & Company Starts Red Hat (RHT) at Buy
  • Fedora Toolbox — Hacking on Fedora Silverblue
    Fedora Silverblue is a modern and graphical operating system targetted at laptops, tablets and desktop computers. It is the next-generation Fedora Workstation that promises painless upgrades, clear separation between the OS and applications, and secure and cross-platform applications. The basic operating system is an immutable OSTree image, and all the applications are Flatpaks. It’s great! However, if you are a hacker and decide to set up a development environment, you immediately run into the immutable OS image and the absence of dnf. You can’t install your favourite tools, editors and SDKs the way you’d normally do on Fedora Workstation. You can either unlock your immutable OS image to install RPMs through rpm-ostree and give up the benefit of painless upgrades; or create a Docker container to get an RPM-based toolbox but be prepared to mess around with root permissions and having to figure out why your SSH agent or display server isn’t working.
  • Fedora 28 : Alien, Steam and Fedora distro.

Raspberry Pi: Hands-on with the updated Raspbian Linux

wrote last week about the new Raspbian Linux release, but in that post I was mostly concerned with the disappearance of the Wolfram (and Mathematica) packages, and I didn't really do justice to the release itself. So now I have continued with installing or upgrading it on all of my Raspberry Pi systems, and this post will concentrate on the process and results from that. First, the new ISO images are available from the Raspberry Pi Downloads page (as always), and the Release Notes have been added to the usual text document. I have only downloaded the plain Raspbian images, I don't bother with the NOOBS images much any more - but the new ISO is included in those as well of course. Please note that the SHA-256 checksum for the images is given on the web page, so be sure to verify that before you continue with the file that you downloaded. If you prefer stronger (or weaker) verification, you can find a PGP signature (and an SHA-1 checksum) on the Raspbian images download page. Read more

Ubuntu: Ubuntu Weekly Newsletter, Release, Official Ubuntu 18.10 T-Shirt and Pop!_OS 18.10 Release

  • Ubuntu Weekly Newsletter Issue 550
  • Ubuntu Weekly Newsletter Issue 550
    Welcome to the Ubuntu Weekly Newsletter, Issue 550 for the week of October 14 – 20, 2018.
  • Ubuntu 18.10 is a Cosmic Cuttlefish of new Linux loveliness
    CANONICAL HAS announced the release of its bi-annual update to the Ubuntu operating system. Ubuntu 18.10, aka Cosmic Cuttlefish, is out now. It's not a long-term version so this is more aimed at individual users, as companies prefer to wait for an LTS to commit. So what's new in this build? Well, one of the biggest bugbears - graphics driver updating - has been addressed, so there'll be no more of all that sideloading the updates nonsense. Canonical has confirmed that this simpler process will get a graphical clicky interface, but not until (probably) version 19.x. But in the meantime, the way Ubuntu uses RAM for graphics has been given a kicking and should be a lot more efficient for migrating gamers.
  • Ubuntu 18.10 Cosmic Cuttlefish is now ready to download
    It’s October which means that we were due an Ubuntu release and Canonical hasn’t failed us this time around. Starting now, users who want to download Ubuntu 18.10 Cosmic Cuttlefish can do so. The latest version of the popular Linux distribution is only supported for nine months, until July 2019, with it being an inter-LTS release, therefore, you may want to consider sticking with Ubuntu 18.04 LTS on your mission-critical systems. Ubuntu 18.10 is no small release; out-of-the-box users will be greeted with a new theme dubbed Yaru and a new icon theme called Suru. It marks the first time that the distribution has received a significant overhaul since Ubuntu 10.10 when Canonical, the firm that makes Ubuntu, decided to throw out the brown colour scheme in favour of the purple, orange, and black theme we’re all now so used to.
  • You Can Now Buy an Official Ubuntu 18.10 T-Shirt
    The reverse of each 100% cotton tee bears the Ubuntu brand mark and text that reads “Cosmic Cuttlefish 18.10”. The shirt is both unisex and available in sizes small through quad XL. This should ensure there’s a comfy fit for virtually everyone (though, alas, not me – I’m an XS, and “small” is just too dang big). As well as making a great xmas gift idea an Ubuntu-loving loved one, the shirt is also a novel way to communicate your computing preferences to the wider world as you go about your shopping in Walmart, or as a certified conversation starter at tech conferences.
  • System76 releases Ubuntu-based Pop!_OS 18.10 Linux distribution
    System76 is making huge moves lately. The company used to just sell re-branded computers running Ubuntu, and while there was nothing wrong with that, it has much more lofty goals. You see, it released its own Ubuntu-based operating system called "Pop!_OS," and now, it is preparing to release its own self-designed and built open source computers. In other words, much like Apple, System76 is maintaining both the software and hardware aspects of the customer experience. While its new hardware is not yet available, the latest version of its operating system is. Following the release of Ubuntu 18.10, Pop!_OS 18.10 is now available for download. While it is based on Ubuntu, it is not merely Canonical's operating system with System76 branding and artwork. Actually, there are some significant customizations that make Pop!_OS its own.