Security

Security: Updates, Word and More

Filed under
Security

Security: Vista10 and uTorrent Holes Found by Google

  • Google drops new Edge zero-day as Microsoft misses 90-day deadline

    Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn’t able to come up with a patch within Google’s non-negotiable “you have 90 days to do this” period.

  • Google Goes Public with Another Major Windows 10 Bug

    After revealing an Edge browser vulnerability that Microsoft failed to fix, Google is now back with another disclosure, this time aimed at Windows 10 Fall Creators Update (version 1709), but potentially affecting other Windows versions as well.

    James Forshaw, a security researcher that’s part of Google’s Project Zero program, says the elevation of privilege vulnerability can be exploited because of the way the operating system handles calls to Advanced Local Procedure Call (ALPC).

    This means a standard user could obtain administrator privileges on a Windows 10 computer, which in the case of an attack, could eventually lead to full control over the impacted system.

    But as Neowin noted, this is the second bug discovered in the same function, and both of them, labeled as 1427 and 1428, were reported to Microsoft on November 10, 2017. Microsoft said it fixed them with the release of the February 2018 Patch Tuesday updates, yet as it turns out, only issue 1427 was addressed.

  • uTorrent bugs let websites control your computer and steal your downloads

    The vulnerabilities, according to Project Zero, make it possible for any website a user visits to control key functions in both the uTorrent desktop app for Windows and in uTorrent Web, an alternative to desktop BitTorrent apps that uses a web interface and is controlled by a browser. The biggest threat is posed by malicious sites that could exploit the flaw to download malicious code into the Windows startup folder, where it will be automatically run the next time the computer boots up. Any site a user visits can also access downloaded files and browse download histories.

  • BitTorrent Client uTorrent Suffers Security Vulnerability (Updated)

    BitTorrent client uTorrent is suffering from an as yet undisclosed vulnerability. The security flaw was discovered by Google security researcher Tavis Ormandy, who previously said he would reveal a series of "remote code execution flaws" in torrent clients. BitTorrent Inc. has rolled out a 'patch' in the latest Beta release and hopes to fix the stable uTorrent client later this week.

Security: Updates, Tesla, Chef, SafeRide and More

Plasma 5.12.2 bugfix updates for 17.10 backports and 18.04 development release

Users of Kubuntu 17.10 Artful Aardvark can now upgrade via our backports PPA to the 2nd bugfix release (5.12.2) of the Plasma 5.12 LTS release series from KDE.

Likewise, testers of our development release 18.04 Bionic Beaver will receive the update imminently.

The full changelog of fixes for 5.12.2 can be found here.

Security: Reproducible Builds, Windows Phones, Debian, Mageia Identity Security Breach and More

  • Reproducible Builds: Weekly report #147
  • Windows Phones Get Cumulative Update KB4074592, PDF Support Now Broken

    Just when you thought Windows 10 Mobile is dead, here’s Microsoft rolling out a new cumulative update for the platform as part of its February patching cycle.

    Windows 10 cumulative update KB4074592, which is also released on PCs running the Creators Update (version 1703) – phones have never received the Fall Creators Update, comes with little changes for mobile devices, though it does something that many users might notice.

    Microsoft doesn’t provide a separate change log for mobile and PC, so the release notes that you can find at the end of the article include all the improvements and security fixes that Microsoft included in KB4074592 for both platforms.

  • Time to Join Extended Long Term Support for Debian 7 Wheezy

    Debian 7 Wheezy LTS period ends on May 31st and some companies asked Freexian if they could get security support past this date. Since about half of the current team of paid LTS contributors is willing to continue to provide security updates for Wheezy, I have started to work on making this possible.

  • Hackers Infiltrated Tesla to Mine Cryptocurrency

    While Elon Musk was busy planning how to launch his Tesla Roadster into the depths of space last month, a hacker was silently using Tesla’s computing power to mine an unknown amount of cryptocurrency.

    The unidentified attackers found their way in through cracks in Tesla’s cloud environment, according to a report issued by RedLock security on February 20. The miners were able to gain access via an unprotected Tesla Kubernetes console—an open source system that manages applications. Included on this console were the access credentials to Tesla’s Amazon Web Service. Once they obtained access to the console, the attackers were able to run scripts that allowed them to stealthily mine cryptocurrency.

  • Hacking at EPFL Toastmasters, Lausanne, tonight

    ...remember to turn off your mobile device or leave it at home, you never know when it might ring or become part of a demonstration.

  • Mageia Identity Security Breach

    A user was able to gain access to our LDAP database and has published the email addresses and names, as well as apparent password hashes, of anyone who has signed up to identity.mageia.org. However, the published hashes do not match those on record, and all capitalisation has been removed, so it is not clear that the actual passwords have been compromised. All of the passwords have since been reset as a security precaution. New rules have been added to prevent access to the LDAP server. The sysadmins are investigating how the fields were read, as the configuration should have specifically prevented this.

    The passwords stored by the Mageia LDAP server are hashed and salted, meaning that the full decryption of the password, if they have actually been leaked, into a human-usable format would require significant computing power for safe and complex passwords.

Security: Updates, Nintendo 'Hackers', Microsoft Windows Back Doors, and FlightSimLabs Malware

  • Security updates for Tuesday
  • Hackers Release Video Of Nintendo Switch Running A Linux Distro

    When it comes to porting software to potentially unsupported devices, hackers are quite comfortable to push themselves beyond the boundaries set by the manufacturers.

  • Epidemic of cryptojacking can be traced to escaped NSA superweapon [Ed: It's a Microsoft Windows issue. All versions of Windows (ME onwards) have NSA back doors]

    It all started when the Shadow Brokers dumped a collection of NSA cyberweapons that the NSA had fashioned from unreported bugs in commonly used software, including versions of Windows. The NSA discovered these bugs and then hoarded them, rather than warning the public and/or the manufacturers about them, in order to develop weapons that turned these bugs into attacks that could be used against the NSA's enemies.

  • Flight Sim Company Embeds Malware to Steal Pirates’ Passwords

    Flight sim company FlightSimLabs has found itself in trouble after installing malware onto users' machines as an anti-piracy measure. Code embedded in its A320-X module contained a mechanism for detecting 'pirate' serial numbers distributed on The Pirate Bay, which then triggered a process through which the company stole usernames and passwords from users' web browsers.

Security: Voting Machines With Windows and Back Doors in Windows Help Crypto-jacking

  • Election Security a High Priority — Until It Comes to Paying for New Voting Machines [Ed: Sadly, the US has outsourced its voting machines to a private company whose systems are managed by Microsoft]

    When poll workers arrived at 6 a.m. to open the voting location in Allentown, New Jersey, for last November’s gubernatorial election, they found that none of the borough’s four voting machines were working. Their replacements, which were delivered about four hours later, also failed. Voters had to cast their ballots on paper, which then were counted by hand.

    Machine malfunctions are a regular feature of American elections. Even as worries over cybersecurity and election interference loom, many local jurisdictions depend on aging voting equipment based on frequently obsolete and sometimes insecure technology. And the counties and states that fund elections have dragged their heels on providing the money to buy new equipment.

  • Congress Can Act Right Now to Prevent Interference in the 2018 Elections [Ed: "confidence" is not security]

    To create that confidence the SAFE Act would: [...]

  • America’s Election Meddling Would Indeed Justify Other Countries Retaliating In Kind

    There is still no clear proof that the Russian government interfered with the 2016 U.S. election in any meaningful way. Which is weird, because Russia and every other country on earth would be perfectly justified in doing so.

  • NSA Exploit Now Powering Cryptocurrency Mining Malware [Ed: Microsoft Windows back door]

    You may have been asked if you'd like to try your hand at mining cryptocurrency. You may have demurred, citing the shortage in graphics cards or perhaps wary you were being coaxed into an elaborate Ponzi scheme. So much for opting out. Thanks to the NSA, you may be involved in mining cryptocurrency, but you're likely not seeing any of the benefits.

  • Cryptocurrency-mining criminals that netted $3 million gear up for more

    Separately, researchers from security firm FireEye said attackers, presumably with no relation to the one reported by Check Point, are exploiting unpatched systems running Oracle's WebLogic Server to install cryptocurrency-mining malware. Oracle patched the vulnerability, indexed as CVE-2017-10271, in October.

Bogus Linux vulnerability gets publicity

I am so sick and tired of crap security news about Android and Linux. In the latest example, GoSecure claims it's discovered Chaos: a Stolen Backdoor Rising Again. Yeah. Right. Let's look closer.

First, we have a neat name. Can't have a security bug these days without giving it a sexy name. But, what is it really?

Well, it requires the attacker to break into the target system by "brute-forcing SSH credentials". Wait. What? To get this you need someone to log in to your server!?

Security Leftovers

Security: France, Munich, 'Smart' Meters, MeltdownPrime and SpectrePrime

  • Highlights of the French cybersecurity strategy

    First, the document describes that in France cyberdefence and cyberoffence are separated. This is directly opposed to the models employed in Anglo-Saxon countries. But it’s shown as an asset. Key argument: it respects freedoms and civil liberties.

    The document then lists the six general objectives of cyberdefence, namely: prevention, anticipation, protection, detection, attribution, reaction (remediation). The strategy itself is complete, it focuses on civil, military, domestic, external, and international levels. Let’s say it’s a rarity in the business in strategic cybersecurity documents.

    [...]

    The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date.

  • The Munich Security Conference 2018

    Over the past five decades, the Munich Security Conference (MSC) has become the major global forum for the discussion of security policy. Each February, it brings together more than 450 senior decision-makers from around the world, including heads-of-state, ministers, leading personalities of international and non-governmental organizations, as well as high ranking representatives of industry, media, academia, and civil society, to engage in an intensive debate on current and future security challenges.

  • Smart meters could leave British homes vulnerable to cyber attacks, experts have warned

    New smart energy meters that the Government wants to be installed in millions of homes will leave householders vulnerable to cyber attacks, ministers have been warned.

  • MeltdownPrime and SpectrePrime: Researchers nail exploits

    "The flaws—dubbed Meltdown and Spectre—are in chips made by Intel and other major suppliers. They can allow hackers to steal data from the memory of running apps, including password managers, browsers and emails."

    The authors of the paper on arXiv, Caroline Trippel, Daniel Lustig, and Margaret Martonosi, discuss a tool they developed for "automatically synthesizing microarchitecture-specific programs capable of producing any user-specified hardware execution pattern of interest."

    They said they show "how this tool can be used for generating small microarchitecture-specific programs which represent exploits in their most abstracted form—security litmus tests."
