
Security

Security: Disclose.io, Adobe, Apple and Instagram

Filed under
Security

Latest Speculative Execution 'Bug' (Chip Defect)

Filed under
Linux
Hardware
Security
  • L1 Terminal Fault - The Latest Speculative Execution Side Channel Attack

    Details are still light but a new vulnerability is coming out called the L1 Terminal Fault. It's been described as a "train-wreck" and is another big deal in the security space as the latest speculative side-channel attack vector.

    The CVEs are CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646 but as of writing they have not been made public yet. I just noticed the code hitting the mainline Linux kernel for this "L1TF - L1 Terminal Fault" vulnerability.

  • Ubuntu updates for L1 Terminal Fault vulnerabilities

    Today Intel announced a new side channel vulnerability known as L1 Terminal Fault. Raoul Strackx, Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and researchers from Intel discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that’s executing on the CPU core. Processors from other vendors are not known to be affected by L1TF.

  • Microsoft Patch Tuesday 17134.228 Enhances Battery Performance and Mitigates L1TF Vulnerability

Security: Reproducible Builds, Firefox, Homebrew, Updates and MacOS

Filed under
Security

Security: OpenPGP, Oracle, DEFCON, Faxploit

Filed under
Security
  • OpenPGP key expiration is not a security measure

    There seems to be some recurring confusion among Gentoo developers regarding the topic of OpenPGP key expiration dates. Some developers seem to believe them to be some kind of security measure — and start arguing about its weaknesses. Furthermore, some people seem to think of it as a rotation mechanism, and believe that they are expected to generate new keys. The truth is, the expiration date is neither of those.

  • Vulnerability in Java VM Component of Oracle Database allows for Whole System Compromise
  • #DEFCON Vote Hacking Village Refute NASS 'Unfair' Claims

    DEFCON has hit back at criticisms levied at it by the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines.

    In a statement released on 9th August, the NASS said that while it applauded “the goal of DEFCON attendees to find and report vulnerabilities in election systems" it felt it was important to point out that work has been done by states' own information technology teams, and also named the Department of Homeland Security (DHS), the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the private sector, the National Guard and universities as being involved “to enhance and reinforce their cyber postures with penetration testing, risk and vulnerability assessments and many other tools.”

  • How to hack an election, according to a former NSA hacker

    As we find out more about Russia's interference in the 2016 United States presidential election, former NSA hacker and TrustedSec CEO David Kennedy reveals what it would take to hack an election. Kennedy also reveals how France was able to protect itself. Following is a transcript of the video.

    David Kennedy: What's interesting with the election systems is that as they become more and more electronic, and people can use computer systems to actively go in and cast your votes at the actual ballots, those are all susceptible to attack.

    What the government has tried to do is a technique called air gapping, which means that they're not supposed to be hooked up to the internet or have the ability to communicate with the internet, so they can be not hacked by hackers. Essential databases that are used to count the ballots and actually cast votes are connected to multiple networks and the internet. And we're seeing intrusions occur, and so as we're using electronic voting as a method to conduct actual voter ballots, it's a very, very susceptible system. Most of the systems are out of date. Most of the systems aren't protected against hacks. There's definitely possibilities for other influences to have a direct impact on our elections themselves.

  • Faxploit: Breaking the Unthinkable
  • HP Fax Protocol Flaw Exposes Whole Enterprise Network to Exploit

    Check Point has discovered a new vulnerability in HP’s range of office fax machines that allows hackers to exploit a fax number related flaw and gain access to the remainder of the company’s enterprise network. This exploit is not limited to any one product or any particular company’s setup, but it encompasses all of HP’s office fax machines and all-in-one devices that have a faxing system integrated within them.

Security: 'Smartphones', Aporeto Security, Oracle Holes, Hacknet and Updates

Filed under
Security
  • 25 Smartphone Models Found Shipping With Severe Firmware Flaws: Defcon 2018

    Smartphones from small as well as big OEMs are under the radar. OEMs such as ZTE, Leagoo, and Doogee have been included in the list of insecure Android device manufacturers previously as well. Leagoo and Doogee have been reported to come preinstalled with apps that have banking trojans.

  • Aporeto Security and Red Hat OpenShift in Action

    In this short video, we demonstrate how Aporeto integrates with Red Hat OpenShift and leverages the platform’s native capabilities to extract application identity metadata to enforce security.

    Aporeto enforces security uniformly in hybrid and multi-cloud environments and abstracts away the complexities of the underlying infrastructure. As you leverage OpenShift to expand beyond the data center, you can use Aporeto to extend your security policies no matter where your application and its services run.

  • Oracle has flagged a vulnerability that could “completely compromise” customer databases

    Oracle is calling on its customers to immediately patch a security vulnerability that can lead to “complete compromise of the Oracle Database”.

    The vulnerability was found in the Java VM component of the vendor’s database server, but attacks may “significantly impact additional products”, according to a notice on the US National Vulnerability Database.

  • Hacknet gets 'Educational' pricing plan to help teach students about cyber security

    Although primarily intended for entertainment, Hacknet’s simulation is based on real cyber-security principles, while its user interface implements actual Unix commands.

  • Security updates for Monday

Critical Oracle Database Flaw and Lack of Accountability

Filed under
Security

Security: Defcon 2018, Cortana and Windows Updates That Break Windows

Filed under
Security

Tesla Software Code

Filed under
OSS
Security
  • Tesla Will Open-Source Its Vehicle Security Software In Push For Safer Vehicles

    Tesla has also directly communicated with hackers to improve its vehicles’ software. Back in 2016, Keen Security Lab, a white hat hacker group based in China, was able to remotely hack a Model S through a compromised WiFi hotspot, conducting one of the first known instances of a Tesla being hacked. Keen Security Lab contacted Tesla after they successfully compromised the electric car, and Tesla promptly pushed an update to address the vulnerability.

  • Tesla Plans to Open-Source Its Vehicle Security Software for Free to Other Automakers

    Believing he has the best solution, Elon Musk plans to make Tesla’s vehicle security software open source so other automakers can adopt the technology for "a safe self-driving future for all." On top of "specialized encryption" for "multiple sub-systems," future Tesla vehicles will ensure drivers always have "override authority" in the event their cars become "wacky."

  • Elon Musk Plans To Open Source Tesla Software Code

    One of the biggest advantages of open sourcing your software is allowing independent security researchers to access the code and spot the vulnerabilities that might go unnoticed during the internal auditing.

  • Tesla plans to open source its car security software to other automakers for free

    According to Electrek, with the rise of autonomous driving and car networking technology, the risk of malicious attacks on cars has increased. Tesla CEO Elon Musk believes that the company’s car safety software is the best solution, and he plans to open source car safety software to other automakers for a safer autopilot future.

    Musk has publicly expressed concern about hackers attacking car systems. He said that fully blocking "hacking" is Tesla’s primary security task.

Security Leftovers

Filed under
Security
  • #DEFCON DHS Says Collaboration Needed for Secure Infrastructure and Elections

    Speaking at DEFCON 26 in Las Vegas on the subject of “Securing our Nation's Election Infrastructure”, Jeanette Manfra, assistant secretary, Office of Cybersecurity and Communications from the Department of Homeland Security stressed the need for public and private sector collaboration.

    She said that “instead of thinking of individual risk and your own part, try to think about enterprise and government as a whole.”

    In terms of critical infrastructure, Manfra said that this is “purely voluntary in the private sector” and includes “everyone working for yourself or your company, and this includes academic institutions and the broader private and public partnership to work together to figure our critical infrastructure.”

    She went on to talk about the concept of collective defense, saying that government is “one player in the community,” and with companies and citizens on the front line with government sectors “we have to share information and be transparent and build trust with individuals and entities that we have not done before.”

  • The Enigma of AI & Cybersecurity

    We've only seen the beginning of what artificial intelligence can do for information security.

    Alan Turing is famous for several reasons, one of which is that he cracked the Nazis' seemingly unbreakable Enigma machine code during World War II. Later in life, Turing also devised what would become known as the Turing test for determining whether a computer was "intelligent" — what we would now call artificial intelligence (AI). Turing believed that if a person couldn't tell the difference between a computer and a human in a conversation, then that computer was displaying AI.

    AI and information security have been intertwined practically since the birth of the modern computer in the mid-20th century. For today's enterprises, the relationship can generally be broken down into three categories: incident detection, incident response, and situational awareness — i.e., helping a business understand its vulnerabilities before an incident occurs. IT infrastructure has grown so complex since Turing's era that it can be months before personnel notice an intrusion.

  • Open-source snafu leaves patient data exposed [Ed: They never generalise like this about proprietary software]

    Researchers at cyber security outfit Project Insecurity discovered dozens of security bugs in the OpenEMR system, which is described as the “most popular open source electronic health records and medical practice management solution”.

    Many of the flaws were classified as being of high severity, leaving patient records and other sensitive information within easy reach of would-be hackers.

    One critical flaw meant that an unauthenticated user was able to bypass the patient portal login simply by navigating to the registration page and modifying the URL, Project Insecurity reported in its findings.

  • Open Source Security Podcast: Episode 109 - OSCon and actionable advice

Source Analysis Research

Filed under
OSS
Security
  • Stylistic analysis can de-anonymize code, even compiled code

    A presentation today at Defcon from Drexel computer science prof Rachel Greenstadt and GWU computer science prof Aylin Caliskan builds on the pair's earlier work in identifying the authors of software and shows that they can, with a high degree of accuracy, identify the anonymous author of software, whether in source-code or binary form.

  • Even Anonymous Coders Leave Fingerprints

    Rachel Greenstadt, an associate professor of computer science at Drexel University, and Aylin Caliskan, Greenstadt's former PhD student and now an assistant professor at George Washington University, have found that code, like other forms of stylistic expression, is not anonymous. At the DefCon hacking conference Friday, the pair will present a number of studies they've conducted using machine learning techniques to de-anonymize the authors of code samples. Their work could be useful in a plagiarism dispute, for instance, but it also has privacy implications, especially for the thousands of developers who contribute open source code to the world.

More in Tux Machines

GNOME: NVMe Firmware and GSConnect

  • Richard Hughes: NVMe Firmware: I Need Your Data
    In a recent Google Plus post I asked what kind of hardware was most interesting to be focusing on next. UEFI updating is now working well with a large number of vendors, and the LVFS “onboarding” process is well established now. On that topic we’ll hopefully have some more announcements soon. Anyway, back to the topic in hand: The overwhelming result from the poll was that people wanted NVMe hardware supported, so that you can trivially update the firmware of your SSD. Firmware updates for SSDs are important, as most either address data consistency issues or provide nice performance fixes.
  • Gnome Shell Android Integration Extension GSConnect V12 Released
    GSConnect v12 was released yesterday with changes like more resilient sshfs connections (which should make browsing your Android device from the desktop more reliable), fixed extension icon alignment, along with other improvements. GSConnect is a Gnome Shell extension that integrates your Android device(s) with the desktop. The tool makes use of the KDE Connect protocol but without using any KDE dependencies, keeping your desktop clean of unwanted packages.
  • Linux Release Roundup: Communitheme, Cantata & VS Code
    GSconnect is a magical GNOME extension that lets your Android phone integrate with your Linux desktop. So good, in fact, that Ubuntu devs want to ship it as part of the upcoming Ubuntu 18.10 release (though last I heard it will probably just end up in the repos instead). Anyway, a new version of GSconnect popped out this week. GSconnect v12 adds a nifty new feature or two, as well as a few fixes here, and a few UI tweaks there.

Red Hat Leftovers

  • Red Hat Advances Container Storage
    Red Hat has moved to make storage a standard element of a container platform with the release of version 3.1 of Red Hat OpenShift Container Storage (OCS), previously known as Red Hat Container Native Storage. Irshad Raihan, senior manager for product marketing for Red Hat Storage, says Red Hat decided to rebrand its container storage offering to better reflect its tight integration with the Red Hat OpenShift platform. In addition, the term “container native” continues to lose relevance given all the different flavors of container storage that now exist, adds Raihan. The latest version of the container storage software from Red Hat adds arbiter volume support to enable high availability with efficient storage utilization and better performance, enhanced storage monitoring and configuration via the Red Hat implementation of the Prometheus container monitoring framework, and block-backed persistent volumes (PVs) that can be applied to both general application workloads and Red Hat OpenShift Container Platform (OCP) infrastructure workloads. Support for PVs is especially critical because, in the case of Red Hat OCS, organizations can deploy more than 1,000 PVs per cluster, which helps to reduce cluster sprawl within the IT environment, says Raihan.
  • Is Red Hat Inc’s (NYSE:RHT) ROE Of 20.72% Sustainable?
  • FPgM report: 2018-33

OSS Leftovers

  • Infineon enables open source TSS ESAPI layer
    This is the first open source TPM middleware that complies with the Software Stack (TSS) Enhanced System API (ESAPI) specification of the Trusted Computing Group. “The ease of integration on Linux and other embedded platforms that comes with the release of the TPM 2.0 ESAPI stack speeds up the adoption of TPM 2.0 in embedded systems such as network equipment and industrial systems,” says Gordon Muehl, Global CTO Security at Huawei.
  • Open source RDBMS uses spurred by lower costs, cloud options
    As the volumes of data generated by organizations get larger and larger, data professionals face a dilemma: Must database bills get bigger in the process? And, increasingly, IT shops with an eye on costs are looking to open source RDBMS platforms as a potential alternative to proprietary relational database technologies.
  • Progress open sources ABL code in Spark Toolkit
    New England headquartered application development company Progress is flexing its programmer credentials this month. The Massachusetts-HQ’d firm has now come forward with its Progress Spark Toolkit… but what is it? The Progress Spark Toolkit is a set of open source ABL code combined with some recommended best-practices.
  • Mixing software development roles produces great results
    Most open source communities don’t have a lot of formal roles. There are certainly people who help with sysadmin tasks, testing, writing documentation, and translating or developing code. But people in open source communities typically move among different roles, often fulfilling several at once. In contrast, team members at most traditional companies have defined roles, working on documentation, support, QA, and in other areas. Why do open source communities take a shared-role approach, and more importantly, how does this way of collaborating affect products and customers? Nextcloud has adopted this community-style practice of mixing roles, and we see large benefits for our customers and our users.
  • FOSS Project Spotlight: SIT (Serverless Information Tracker)
    In the past decade or so, we've learned to equate the ability to collaborate with the need to be online. The advent of SaaS clearly marked the departure from a decentralized collaboration model to a heavily centralized one. While on the surface this is a very convenient delivery model, it simply doesn't fit a number of scenarios well. As somebody once said, "you can't FTP to Mars", but we don't need to go as far. There are plenty of use cases here on Earth that are less than perfectly suited for this "online world". Lower power chips and sensors, vessel/offshore collaboration, disaster recovery, remote areas, sporadically reshaping groups—all these make use of central online services a challenge. Another challenge with centralization is somewhat less thought of—building software that can handle a lot of concurrent users and that stores and processes a lot of information and never goes down is challenging and expensive, and we, as consumers, pay dearly for that effort. And not least important, software in the cloud removes our ability to adapt it perfectly for use cases beyond its owner's vision, scope and profitability considerations. Convenience isn't free, and this goes way beyond the price tag.
  • ProtonMail's open source encryption library, OpenPGPjs, passes independent audit
    ProtonMail, the secure email provider, has just had its credentials re-affirmed after its encryption library, OpenPGPjs, passed an independent security audit. The audit was carried out by the respected security firm, Cure53, after the developer community commissioned a review following the release of OpenPGPjs 3.0 back in March.
  • Uber Announces Open Source Fusion.js Framework
    Uber Announces Fusion.js, an open source "Plugin-based Universal Web Framework." In the announcement, Uber senior software engineer Leo Horie explains that Uber builds hundreds of web-based applications, and with web technologies changing quickly and best practices continually evolving, it is a challenge to have hundreds of web engineers leverage modern language features while staying current with the dynamic nature of the web platform. Fusion.js is Uber's solution to this problem.
  • ASAN And LSAN Work In rr
    AddressSanitizer has worked in rr for a while. I just found that LeakSanitizer wasn't working and landed a fix for that. This means you can record an ASAN build and if there's an ASAN error, or LSAN finds a leak, you can replay it in rr knowing the exact addresses of the data that leaked — along with the usual rr goodness of reverse execution, watchpoints, etc. Well, hopefully. Report an issue if you find more problems.
  • Oracle Open-Sources GraphPipe to Support ML Development
    Oracle on Wednesday announced that it has open-sourced GraphPipe to enhance machine learning applications. The project's goal is to improve deployment results for machine learning models, noted Project Leader Vish Abrams. That process includes creating an open standard. The company has a questionable relationship with open source developers, so its decision to open-source GraphPipe might not receive a flood of interest. Oracle hopes developers will rally behind the project to simplify and standardize the deployment of machine learning models. GraphPipe consists of a set of libraries and tools for following a deployment standard.
  • OERu makes a college education affordable
    Open, higher education courses are a boon to adults who don’t have the time, money, or confidence to enroll in traditional college courses but want to further their education for work or personal satisfaction. OERu is a great option for these learners. It allows people to take courses assembled by accredited colleges and universities for free, using open textbooks, and pay for assessment only when (and if) they want to apply for formal academic credit. I spoke with Dave Lane, open source technologist at the Open Education Resource Foundation, which is OERu’s parent organization, to learn more about the program. The OER Foundation is a nonprofit organization hosted by Otago Polytechnic in Dunedin, New Zealand. It partners with organizations around the globe to provide leadership, networking, and support to help advance open education principles.
  • Tomu Is A Tiny, Open Source Computer That Easily Fits In Your USB Port
    There are a number of USB stick computers available in the market at varying prices. One of them that really stands out is Tomu — a teeny weeny ARM processor that can entirely fit inside your computer’s USB port. Tomu is based on the Silicon Labs Happy Gecko EFM32HG309 Arm Cortex-M0+ microcontroller that runs at 25 MHz. It sports 8 KB of RAM and 60 KB of flash onboard. In spite of the small size, it supports two LEDs and two capacitive touch buttons.
  • RcppArmadillo 0.9.100.5.0
    A new RcppArmadillo release 0.9.100.5.0, based on the new Armadillo release 9.100.5 from earlier today, is now on CRAN and in Debian. It once again follows our (and Conrad's) bi-monthly release schedule. Conrad started with a new 9.100.* series a few days ago. I ran reverse-depends checks and found an issue which he promptly addressed; CRAN found another which he also very promptly addressed. It remains a true pleasure to work with such experienced professionals as Conrad (with whom I finally had a beer around the recent useR! in his home town) and of course the CRAN team whose superb package repository truly is the bedrock of the R community.
  • PHP version 7.1.21 and 7.2.9
    RPMs of PHP version 7.2.9 are available in the remi repository for Fedora 28 and in the remi-php72 repository for Fedora 25-27 and Enterprise Linux ≥ 6 (RHEL, CentOS). RPMs of PHP version 7.1.21 are available in the remi repository for Fedora 26-27 and in the remi-php71 repository for Fedora 25 and Enterprise Linux (RHEL, CentOS).

GNU/Linux on Laptops and Desktops

  • Endless OS and Asus, Update on L1TF Exploit, Free Red Hat DevConf.US in Boston, Linux 4.19 Kernel Update
    Some of us may recall a time when ASUS used to ship a stripped down version of Xandros Linux with their line of Eee PC netbooks. Last week, the same company announced that Endless OS will be supporting non-OS offerings of their product. However, it comes with a big disclaimer stating that ASUS will not officially support the operating system's compatibility issues.
  • The Chromebook Grows Up
    What started out as a project to provide a cheap, functional, secure and fast laptop experience has become so much more. Chromebooks in general have suffered from a lack of street-cred acceptance. Yes, they did a great job of doing the everyday basics—web browsing and...well, that was about it. Today, with the integration of Android apps, all new and recently built Chrome OS devices do much more offline—nearly as much as a conventional laptop or desktop, be it video editing, photo editing or a way to switch to a Linux desktop for developers or those who just like to do that sort of thing.
  • Windows 10 Linux Distribution Overload? We have just the thing [Ed: Microsoft is still striving to control and master GNU/Linux through malware, Vista 10]
  • What Dropbox dropping Linux support says
    You've probably already heard by now that Dropbox is nixing support for all Linux file systems but unencrypted ext4. When this was announced, much of the open source crowd was up in arms—and rightfully so. Dropbox has supported Linux for a long time, so this move came as a massive surprise.
  • Winds Beautifully Combines Feed Reader and Podcast Player in One Single App
    Billboard top 50 playlist is great for commuting. But I’m a nerd so I mostly prefer podcasts. Day after day, listening to podcasts on my phone has turned into a habit for the better and now, I crave my favorite podcasts even when I’m home, sitting in front of my computer. Thus began my hunt for the perfect podcast app for Linux. Desktop Linux doesn’t have a huge selection of dedicated podcast applications. Of course, you can use Rhythmbox music player or VLC Media player to download podcasts (is there anything VLC can’t do?). There are even some great command line tools to download podcasts if you want to go down that road.
  • VirtualBox 5.2.18 Maintenance Update fixed VM process termination on RDP client disconnect
    VirtualBox developers released a maintenance update for the virtualization solution on the 14th of August, 2018. The latest update raised the version of VirtualBox to 5.2.18. The improvements and additions have been welcomed by several users as it makes the virtualization product even more convenient to use.