
What's New in Qubes 4

Filed under
OS
Security

I've been using Qubes as my primary desktop for more than two years, and I've written about it previously in my Linux Journal column, so I was pretty excited to hear that Qubes was doing a refactor of its own in the new 4.0 release. As with most refactors, this one caused some past features to disappear throughout the release candidates, but starting with 4.0-rc4, the release started to stabilize with a return of most of the features Qubes 3.2 users were used to. That's not to say everything is the same. In fact, a lot has changed both on the surface and under the hood.

Although Qubes goes over all of the significant changes in its Qubes 4 changelog, instead of rehashing every low-level change, I want to highlight just some of the surface changes in Qubes 4 and how they might impact you whether you've used Qubes in the past or are just now trying it out.


Security: FOSS Updates, PS4 and Media Trying to Associate FOSS With Crime

Filed under
Security

Security: ARPAnet, Android, Intel, Cryptojacking and More

Filed under
Security
  • "Nobody cared about security"


    In the long run, however, the more significant reason why the ARPAnet and early Internet lacked security was not that it wasn't needed, nor that it would have made development of the network harder, it was that implementing security either at the network or the application level would have required implementing cryptography. At the time, cryptography was classified as a munition. Software containing cryptography, or even just the hooks allowing cryptography to be added, could only be exported from the US with a specific license. Obtaining a license involved case-by-case negotiation with the State Department. In effect, had security been a feature of the ARPAnet or the early Internet, the network would have to have been US-only. Note that the first international ARPAnet nodes came up in 1973, in Norway and the UK.

  • The 10 best ways to secure your Android phone

    The most secure smartphones are Android smartphones. Don't buy that? Apple's latest version of iOS 11 was cracked a day -- a day! -- after it was released.

    So Android is perfect? Heck no!

    Android is under constant attack and older versions are far more vulnerable than new ones. Way too many smartphone vendors still don't issue Google's monthly Android security patches in a timely fashion, or at all. And, zero-day attacks still pop up.

  • Not Getting Android OS Updates? Here’s How Google Is Updating Your Device Anyway

    Android updates are still a point of contention among die-hard fans, because most manufacturers don’t keep up with the latest offerings from Google. But just because your phone isn’t getting full OS updates doesn’t mean it’s totally out of date.

    While some major features still require full version updates, Google has a system in place that keeps many handsets at least somewhat relevant with Google Play Services. The company can squash certain bugs and even introduce new features just by updating Play Services.

  • Intel Finally Releases Spectre Patches for Broadwell and Haswell Processors
  • How to Defend Servers Against Cryptojacking

    Cryptojacking has become one of the most active and pervasive threats in recent years. In a cryptojacking attack, a cryptocurrency mining script is injected into a server or a webpage to take advantage of the victim system's CPU power.

  • 8 Startups Raise Money to Secure Everything From ICS to Home Networks
  • Sonatype Makes Nexus Firewall Available to 10 Million Developers

Security: Updates, Open Source Security Podcast, PGP, and 'DevSecOps'

Filed under
Security

Security: “Medjacking”, Exploding e-Cigarettes, and Linux FUD

Filed under
Security
  • “Medjacked”: Could Hackers Take Control of Pacemakers and Defibrillators—or Their Data?

    Are high-tech medical devices vulnerable to hacks? Hackers have targeted them for years, according to a new article in the Journal of the American College of Cardiology. But Dr. Dhanunjaya Lakkireddy, senior author of the paper, says hackers have harmed no one so far.

  • Exploding e-Cigarettes Are a Growing Danger to Public Health

    Whatever their physiological effects, the most immediate threat of these nicotine-delivery devices comes from a battery problem called thermal runaway

    [...]

    Exploding cigarettes sound like a party joke, but today’s version isn’t funny at all. In fact, they are a growing danger to public health. Aside from mobile phones, no other electrical device is so commonly carried close to the body. And, like cellphones, e-cigarettes pack substantial battery power. So far, most of the safety concerns regarding this device have centered on the physiological effects of nicotine and of the other heated, aerosolized constituents of the vapor that carries nicotine into the lungs. That focus now needs to be widened to include the threat of thermal runaway in the batteries, especially the lithium-ion variety.

  • Uh, oh! Linux confuses Bleeping Computer again

    The tech website Bleeping Computer, which carries news about security and malware, has once again demonstrated that when it comes to Linux, its understanding of security is somewhat lacking.

    What makes the current case surprising is the fact that the so-called security issue which the website chose to write about had already been ripped to pieces by senior tech writer Stephen Vaughan-Nicholls four days earlier.

    Called Chaos, the vulnerability was touted by a firm known as GoSecure as one that would allow a backdoor into Linux servers through SSH.

  • Are Mac and Linux users safe from ransomware?

    Ransomware is currently not much of a problem for Linux systems. A pest discovered by security researchers is a Linux variant of the Windows malware ‘KillDisk’. However, this malware has been noted as being very specific; attacking high profile financial institutions and also critical infrastructure in Ukraine. Another problem here is that the decryption key that is generated by the program to unlock the data is not stored anywhere, which means that any encrypted data cannot be unlocked, whether the ransom is paid or not. Data can still sometimes be recovered by experts like Ontrack, however timescales, difficulty and success rates depend on the exact situation and strain of ransomware.

Security: Updates, Reproducible Builds, Spectre/Meltdown, 'Serverless' Security

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #148
  • Fixing Spectre/Meltdown in [Slackware] 14.2
  • Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

    Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws.

    Republican members of the House Energy and Commerce Committee sent letters to the seven in January, to seek answers about the reasons they chose not to disclose the flaws and whether they felt their actions were responsible and safe.

    All the letters go over old ground: Google Project Zero spotted the design errors, told Intel, which formed a cabal comprising itself, Google, AMD, Arm, Apple, Amazon and Microsoft. The gang of seven decided that Project Zero's 90-day disclosure deadline had to be extended to January, then spoke to others to help them prepare fixes. But stray posts and sharp-eyed Reg hacks foiled that plan as we broke the news on January 3rd.

  • Serverless Security: What's Left to Protect? [Ed: "Serverless" is a junk buzzword; it's server-'full' and it just means passing one's server or control/access to that server to some other company, which occasionally gets cracked too.]

    Serverless is an exciting development in the modern infrastructure world. It brings with it the promise of dramatically reduced system costs, simpler and cheaper total cost of ownership, and highly elastic systems that can seamlessly scale to what old-timers (like me) call a “Slashdot moment” – a large and immediate spike in traffic.

    The cost savings Serverless offers greatly accelerated its rate of adoption, and many companies are starting to use it in production, coping with less mature dev and monitoring practices to get the monthly bill down. Such a trade off makes sense when you balance effort vs reward, but one aspect of it is especially scary – security.

    This article aims to provide a broad understanding of security in the Serverless world. We’ll consider the ways in which Serverless improves security, the areas where it changes security, and the security concerns it hurts.

Security: Spectre & Meltdown Fixes/Optimizations, 'SecOps', Harvesting Passwords by Mistake and More

Filed under
Security
  • Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

    The in-development Linux 4.16 kernel has already received a few rounds of updates for the mitigation work on the Spectre and Meltdown CPU vulnerabilities while more is on the way.

    Thomas Gleixner today sent in another batch of "x86/pti" updates for Linux 4.16 in further addressing these CPU security vulnerabilities that were made public in early January.

  • SecOps Spends Its Days Monitoring

    Developers, Security and Operations: DevSecOps. The operations part of the term usually refers to IT operations. However, this piece narrows in on SecOps, those who work in security operations centers (SOCs) and cyber incident response teams (CIRTs). The Cyentia Institute’s survey of 160 of these security analysts shows they face some of the same challenges developers and IT operations teams do. They spend more time on monitoring than any other activity, but they would much rather solve problems and “hunt” new threats. SecOps does not like reporting or something called Shift Ops — the actual details of change control and making sure the team doesn’t burn out. Given the shortage of information security professionals, it is concerning that only 45 percent of respondents said their job experience was meeting their expectations.

  • Covert 'Replay Sessions' Have Been Harvesting Passwords by Mistake


    Bulk data collection is always a privacy red flag. But the Princeton research group that first published findings about session replay scripts has uncovered a troubling series of situations where seemingly well-intentioned safeguards fail, leading to an unacceptable level of exposure.

  • How to Check if Your Password Has Been Stolen
  • More than half of IT pros believe their organization was breached at least once in 2017

Security: Updates, Back Doors, ASLR on Linux, Olympic Destroyer, Let's Encrypt

Filed under
Security
  • Security updates for Monday
  • Developer gets prison after admitting backdoor was made for malice

    An Arkansas man has been sentenced to serve almost three years in federal prison for developing advanced malware that he knew would be used to steal passwords, surreptitiously turn on webcams, and conduct other unlawful actions on infected computers.

  • New bypass and protection techniques for ASLR on Linux

    Many important application functions are implemented in user space. Therefore, when analyzing the ASLR implementation mechanism, we also analyzed part of the GNU Libc (glibc) library, during which we found serious problems with stack canary implementation. We were able to bypass stack canary protection and execute arbitrary code by using ldd.

    This whitepaper describes several methods for bypassing ASLR in the context of application exploitation.

  • Who Wasn’t Responsible for Olympic Destroyer?

    Evidence linking the Olympic Destroyer malware to a specific threat actor group is contradictory, and does not allow for unambiguous attribution. The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers to false attribution flags. This false attribution could embolden an adversary to deny an accusation, publicly citing evidence based upon false claims by unwitting third parties. Attribution, while headline grabbing, is difficult and not an exact science. This must force one to question purely software-based attribution going forward.

  • A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation

    Earlier this month, Let's Encrypt (the free, automated, open Certificate Authority EFF helped launch two years ago) passed a huge milestone: issuing over 50 million active certificates. And that number is just going to keep growing, because in a few weeks Let's Encrypt will also start issuing “wildcard” certificates—a feature many system administrators have been asking for.

Spectre and Meltdown Mitigations Now Available for FreeBSD and OpenBSD Systems

Filed under
Security
BSD

More than a month after their public disclosure, the nasty Meltdown and Spectre security vulnerabilities have now been fixed for various BSD operating systems, including FreeBSD and OpenBSD.

FreeBSD announced last month that it had been made aware of the Spectre and Meltdown security vulnerabilities, discovered by researchers from Google's Project Zero, Graz University of Technology, Cyberus Technology, and others, in late December 2017, giving it time to fix them for its BSD-powered operating system.


Also: Pledge: OpenBSD’s defensive approach to OS Security

Security Leftovers

Filed under
Security
  • One-stop counterfeit certificate shops for all your malware-signing needs

    The Stuxnet worm that targeted Iran's nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.

  • How did OurMine hackers use DNS poisoning to attack WikiLeaks? [Ed: False. They did not attack Wikileaks; they attacked the DNS servers/framework. The corporate media misreported this at the time.]

    The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from expert Nick Lewis.

  • Intel didn't give government advance notice on chip flaws

    Google researchers informed Intel of flaws in its chips in June. The company explained in its own letter to lawmakers that it left up to Intel informing the government of the flaws.

    Intel said that it did not notify the government at the time because it had “no indication of any exploitation by malicious actors,” and wanted to keep knowledge of the breach limited while it and other companies worked to patch the issue.

    The company let some Chinese technology companies know about the vulnerabilities, which government officials fear may mean the information was passed along to the Chinese government, according to The Wall Street Journal.

  • Intel hid CPU bugs info from govt 'until public disclosure'

    As iTWire reported recently, Intel faces a total of 33 lawsuits over the two flaws. Additionally, the Boston law firm of Block & Leviton is preparing a class action lawsuit against Intel chief executive Brian Krzanich for allegedly selling a vast majority of his Intel stock after the company was notified of the two security flaws and before they became public.

  • Intel did not tell U.S. cyber officials about chip flaws until made public [iophk: "yeah right"]

    Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers [sic] had not exploited the vulnerabilities.

  • LA Times serving cryptocurrency mining script [iophk: "JS"]

    The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker [sic] appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.

  • Facebook's Mandatory Malware Scan Is an Intrusive Mess

    When an Oregon science fiction writer named Charity tried to log onto Facebook on February 11, she found herself completely locked out of her account. A message appeared saying she needed to download Facebook’s malware scanner if she wanted to get back in. Charity couldn’t use Facebook until she completed the scan, but the file the company provided was for a Windows device—Charity uses a Mac.

  • Tinder plugs flaw that enabled account takeover using just a phone number

    As Tinder uses Facebook profile pics for its users to lure in a mate or several, the 'dating' app is somewhat tied to the social network. When a swipe-hungry Tinder user comes to login to their account they can either do so via Facebook or use their mobile number.


More in Tux Machines

Server/OSS: Data Storage, OpenStack, Nextcloud, Puppet

  • Open Source Storage: 64 Applications for Data Storage
    As data storage needs continue to grow and many organizations move toward software-defined infrastructure, more enterprises are using open source software to meet some of their storage needs. Projects like Hadoop, Ceph, Gluster and others have become very common at large enterprises. Home users and small businesses can also benefit from open source storage software. These applications can make it possible to set up your own NAS or SAN device using industry-standard hardware without paying the high prices vendors charge for dedicated storage appliances. Open source software also offers users the option to set up a cloud storage solution where they have control over security and privacy, and it can also offer affordable options for backup and recovery.
  • OpenStack Moves Beyond the Cloud to Open Infrastructure
    The OpenStack Summit got underway on May 21, with a strong emphasis on the broader open-source cloud community beyond just the OpenStack cloud platform itself. At the summit, the OpenStack Foundation announced that it was making its open-source Zuul continuous development, continuous integration (CI/CD) technology a new top level standalone project. Zuul has been the underlying DevOps CI/CD system that has been used for the past six years, to develop and test the OpenStack cloud platform.
  • OpenStack makes Zuul continuous delivery tool its second indie project
    The OpenStack Foundation has launched its Zuul continuous delivery and integration tool as a discrete project. Zuul is therefore the Foundation’s second project other than OpenStack itself. The first was Kata Containers. Making Zuul a standalone effort therefore advances the Foundation’s ambition to become a bit like the Linux and Apache Foundations, by nurturing multiple open source projects.
  • OpenStack spins out its Zuul open source CI/CD platform
    There are few open-source projects as complex as OpenStack, which essentially provides large companies with all the tools to run the equivalent of the core AWS services in their own data centers. To build OpenStack’s various systems the team also had to develop some of its own DevOps tools, and, in 2012, that meant developing Zuul, an open-source continuous integration and delivery (CI/CD) platform. Now, with the release of Zuul v3, the team decided to decouple Zuul from OpenStack and run it as an independent project. It’s not quite leaving the OpenStack ecosystem, though, as it will still be hosted by the OpenStack Foundation.
  • Nextcloud 13: How to Get Started and Why You Should
    In its simplest form, the Nextcloud server is "just" a personal, free software alternative to services like Dropbox or iCloud. You can set it up so your files are always accessible via the internet, from wherever you are, and share them with your friends. However, Nextcloud can do so much more. In this article, I first describe what the Nextcloud server is and how to install and set it up on GNU/Linux systems. Then I explain how to configure the optional Nextcloud features, which may be the first steps toward making Nextcloud the shell of a complete replacement for many proprietary platforms existing today, such as Dropbox, Facebook and Skype.
  • Why use Puppet for automation and orchestration
    Puppet the company bills Puppet the automation tool as the de facto standard for automating the delivery and ongoing operation of hybrid infrastructure. That was certainly true at one time: Puppet not only goes back to 2005, but also currently claims 40,000 organizations worldwide as users, including 75 percent of the Fortune 100. While Puppet is still a very strong product and has increased its speed and capabilities over the years, its competitors, in particular Chef, have narrowed the gap. As you might expect from the doyenne of the IT automation space, Puppet has a very large collection of modules, and covers the gamut from CI/CD to cloud-native infrastructure, though much of that functionality is provided through additional products. While Puppet is primarily a model-based system with agents, it supports push operations with Puppet Tasks. Puppet Enterprise is even available as a service on Amazon.

today's howtos

Oregan unveils new middleware for Linux STBs and Android TV

Oregan Networks, a provider of digital TV software services, has announced the launch of a new set-top box client middleware product for pay-TV operators called SparQ. The software is designed to work on the most challenging and resource-limited STB platforms in the field, making it feasible to introduce new OTT content services and applications on customer devices that were deployed as part of the first wave of IPTV and hybrid broadcast deployments.

KDE Development Updates

  • Revisiting my talk at FOSSASIA summit, 2018
    Earlier this year, I had the chance to speak about one of the KDE community’s cool projects that is helping developers erase the line between desktop and mobile/tablet UIs with ease. I’m referring to the Kirigami UI framework – a set of QtQuick components targeted at mobile as well as desktop platforms. This is particularly important to KDE, and a lot of projects are now migrating towards a Kirigami UI, particularly keeping in mind the ability to run the applications on Plasma Mobile.
  • This Week in KDE, Part 2 : OYLG, Workspace KCM, Single/Double Click
    Last weekend, I went to İstanbul to attend Özgür Yazılım ve Linux Günleri (Free Software and Linux Days 2018) to represent LibreOffice. We had 3 presentations during the event about LibreOffice Development and The Open Document Format. We had a booth set up with stickers, flyers, roll-ups etc. These were all thanks to The Document Foundation’s support! You can find detailed information about the event here: https://wiki.documentfoundation.org/Events/2018/OYLG2018
  • Watching the Detectives
    For instance, Kevin Ottens has been writing about understanding the KDE community by the “green blobs” method, showing who is active when. Lays Rodrigues has written about using Gource to show Plasma growing up. Nate Graham describes the goings-on in the KDE community nearly every week. Those are, roughly: a metric-, a visual-, and a story-based approach to understanding the community, over different timescales. But understanding of a system doesn’t come from a single dimension, from a single axis of measurement. It comes from mixing up the different views to look at the system as a whole.
  • Managing cooking recipes
    I like to cook. And sometimes store my recipes. Over the years I have tried KRecipes, kept my recipes in BasKet notes, in KJots notes, in more or less random word processor documents. I liked the free-form entering of recipes in various notes applications and word processor documents, but I lacked some kind of indexing for them. What I wanted was free-ish text for writing recipes, and something that could help me find them by tags I give them. By Title. By how I organize them. And maybe by Ingredient if I don’t know how to get rid of the soon-to-be-bad in my refrigerator.