Security

Security Leftovers

Filed under
Security
  • It's raining patches, Hallelujah! Microsoft and Adobe put out their latest major fixes
  • Reproducible Builds: Weekly report #206
  • Brace yourselves: Exploit published for serious Magento bug allowing card skimming [Updated]

    Attack code was published on Friday that exploits a critical vulnerability in the Magento e-commerce platform, all but guaranteeing it will be used to plant payment card skimmers on sites that have yet to install a recently released patch.

    PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take administrative control of administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes. From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof-of-concept exploit.

  • Knock and don’t run: the tale of the relentless hackerbots
  • Mozilla Firefox 66.0.3 Now Available for Download on Linux, Windows, and Mac

    Needless to say, there are no new features in this release, as Mozilla typically uses these smaller updates for bug fixes and further performance improvements. New features are usually included in major browser updates.

    As per GHacks, Firefox 66.0.3 addresses performance issues with certain HTML5 games on Pogo.com. The browser should now work correctly when accessing this website and games should no longer run slower than expected on the platform.

  • Mozilla releases Firefox 66.0.3

    Mozilla plans to release Firefox 66.0.3, a minor upgrade to the web browser's stable channel, later today on April 10, 2019.

    Firefox 66.0.3 is the third minor release after the release of Firefox 66.0 in March 2019. Firefox 66.0.1 was a security update to address new vulnerabilities discovered by participants of the Pwn2Own hacking contest, Firefox 66.0.2 a bug fix release that addressed an issue with certain online editors.

  • Mozilla Open Policy & Advocacy Blog: What we think about the UK government’s ‘Online Harms’ white paper

    The UK government has just outlined its plans for sweeping new laws aimed at tackling illegal and harmful content and activity online, described by the government as ‘the toughest internet laws in the world’. While the UK proposal has some promising ideas for what the next generation of content regulation should look like, there are several aspects that would have a worrying impact on individuals’ rights and the competitive ecosystem. Here we provide our preliminary assessment of the proposal, and offer some guidance on how it could be improved.

    According to the UK white paper, companies of all sizes would be under a ‘duty of care’ to protect their users from a broad class of so-called ‘online harms’, and a new independent regulator would be established to police them. The proposal responds to legitimate public policy concerns around how platforms deal with illegal and harmful content online, as well as the general public demand for tech companies to ‘do more’. We understand that in many respects the current regulatory paradigm is not fit for purpose, and we support an exploration of what codified content ‘responsibility’ might look like.

  • Mysterious [Attackers] Hid Their Swiss Army Spyware for 5 Years

    In a talk at the Kaspersky Security Analyst Summit in Singapore Wednesday, Kaspersky security researcher Alexey Shulmin revealed the security firm's discovery of a new spyware framework—an adaptable, modular piece of software with a range of plugins for distinct espionage tasks—that it's calling TajMahal. The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of "files of interest," automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state [attacker] group.

  • ‘She lies to everyone’: Feds say Mar-a-Lago intruder had hidden-camera detector in hotel [iophk: "Windows mindset, Windows TCO"]

    A federal prosecutor argued in court Monday that Yujing Zhang, the Chinese woman arrested trying to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, “lies to everyone she encounters,” adding that a search of her hotel room uncovered more than $8,000 in cash, as well as a “signal-detector” device used to reveal hidden cameras.

  • Thumb drive carried by Mar-a-Lago intruder immediately installed files on a [Windows computer]


    The details came to light at a bond hearing on Monday in a Florida federal court. There, a Secret Service agent testified that the malware Zhang carried was capable of infecting a computer as soon as the thumb drive was plugged in. According to a report published Monday by the Miami Herald: [...]

  • Chinese Woman Arrested at Mar-a-Lago Had a Hidden Camera Detector, Prosecutors Say


    Mr. Ivanovich testified that the computer analyst who reviewed Ms. Zhang’s devices said that the thumb drive she was carrying had immediately begun installing malware.

    “He stated that he had to immediately stop the analysis and shut off his [Windows] computer to halt the corruption,” Mr. Ivanovich said.

  • Chinese Intruder at Mar-a-Lago to Stay in Jail Another Week


    Secret Service agent Samuel Ivanovich testified Monday that another agent put the USB drive into his computer and it immediately began to install files. The agent shut down the computer to prevent a possible infection, but Ivanovich couldn’t identify the malware. The device is still being analyzed, Ivanovich said.

  • Mar-a-Lago mystery Chinese malware lady to stay in jail for another week
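The Magento item above describes the bug class in general terms: an unauthenticated SQL injection that lets an attacker read administrator usernames and password hashes out of the database, crack the hashes offline, and then log in and plant a skimmer. The block below is an added example written for this page; it is not Magento's code and not the PRODSECBUG-2198 patch. It models a hypothetical public product-lookup endpoint in Python on sqlite3, first built by string concatenation and then with a bound parameter, and carries the attack through to the offline crack the article mentions. The `admin_user` table, the salted-SHA-256 scheme, the accounts and the wordlist are all assumptions constructed for the demonstration.

```python
"""Unauthenticated SQL injection that leaks password hashes, and the fix.

Added example; not Magento's code and not the PRODSECBUG-2198 patch. The
schema, the admin_user table, the hashing scheme and the lookup functions
are assumptions built to illustrate the bug class the advisory describes.
"""
import hashlib
import sqlite3

# Constructed sample accounts with salted SHA-256 hashes.
# (Hypothetical scheme; not Magento's real password hashing.)
_SAMPLE_USERS = [
    ("admin", "s4lt", hashlib.sha256(b"s4lt" + b"hunter2").hexdigest()),
    ("editor", "p3pp", hashlib.sha256(b"p3pp" + b"letmein").hexdigest()),
]


def make_db() -> sqlite3.Connection:
    """In-memory database standing in for the shop's SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, salt TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE product (sku TEXT, name TEXT)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?)", _SAMPLE_USERS)
    conn.executemany("INSERT INTO product VALUES (?, ?)", [("SKU-1", "Mug"), ("SKU-2", "Shirt")])
    return conn


def product_lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Public, unauthenticated endpoint that builds SQL by string concatenation."""
    query = "SELECT sku, name FROM product WHERE sku = '" + sku + "'"
    return conn.execute(query).fetchall()


def product_lookup_fixed(conn: sqlite3.Connection, sku: str) -> list:
    """Same endpoint with a bound parameter: input can never become SQL."""
    return conn.execute("SELECT sku, name FROM product WHERE sku = ?", (sku,)).fetchall()


# What the attacker sends as the "sku": close the string literal, UNION in
# the admin table, and comment out the trailing quote. No login is needed.
ATTACK_SKU = "' UNION SELECT username, salt || ':' || password_hash FROM admin_user -- "


def leaked_hashes(conn: sqlite3.Connection) -> list:
    """Rows the attacker gets back from the vulnerable endpoint."""
    rows = product_lookup_vulnerable(conn, ATTACK_SKU)
    # Column one now carries usernames, column two carries "salt:hash".
    known = {u[0] for u in _SAMPLE_USERS}
    return [r for r in rows if r[0] in known]


def crack_offline(leaked: list, wordlist: list) -> dict:
    """Step two from the advisory: crack the dumped hashes with a wordlist."""
    found = {}
    for username, salt_and_hash in leaked:
        salt, digest = salt_and_hash.split(":", 1)
        for guess in wordlist:
            if hashlib.sha256(salt.encode() + guess.encode()).hexdigest() == digest:
                found[username] = guess
                break
    return found


if __name__ == "__main__":
    db = make_db()
    dumped = leaked_hashes(db)
    print("leaked from vulnerable endpoint:", dumped)
    print("cracked:", crack_offline(dumped, ["password", "hunter2", "letmein"]))
    print("fixed endpoint returns for the same input:", product_lookup_fixed(db, ATTACK_SKU))
```

The fixed version returns nothing for the attack string because the driver sends the SQL and the value separately; the same input is simply a SKU that does not exist. The crack step is why salted, slow password hashes matter even after the injection is patched: a fast hash and a short wordlist turn a dump into administrator access in seconds.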

Security: Updates and Flaws

Filed under
Security
  • Security updates for Tuesday
  • Optimising IoT bandwidth with delta updates [Ed: Canonical is pushing proprietary software again; using Snap. These are ads in their blogs… last week a paid press releases for Microsoft.]
  • 6 Kubernetes security questions, answered

    If you’re asking questions about Kubernetes to learn more about the platform, security will be on your list. The good news: both the open source project and the commercial platforms that sit on top of it have plenty of strong security-related features baked in. Moreover, there’s a lively Kubernetes community with a shared interest in the ongoing security of the orchestration tool.

    “The Kubernetes community has had security at the forefront of their minds from the start,” says Wei Lein Dang, VP of products at StackRox.

    As with many technologies, though, the security risks tend to follow the adoption curve. So as the use of containers expands, expect Kubernetes to become an important focal point for security in containerized environments.

  • The security of dependencies

    So you’ve written some software. It’s full of open source dependencies. These days all software is full of open source, there’s no way around it at this point. I explain the background in my previous post.

    Now that we have all this open source, how do we keep up with it? If you’re using a lot of open source in your code there could be one or more updated dependencies per day!

    Step one is knowing what you have. There are a ton of ways to do this, but I’m going to bucket things into 3 areas.

  • Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control

    Internet routers are among the most ubiquitous devices home and business users depend on every day to carry out communications, banking, shopping and commercial transactions. IBM Security researcher Grzegorz Wypych (aka h0rac) took a closer look at one of the most widespread internet routers in use by consumers nowadays, the TP-Link WR-940, and found that a zero-day buffer overflow vulnerability in the router could allow malicious third parties to take control of the device from a remote location.

  • PoC exploit for Carpe Diem Apache bug released
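The dependencies post above stops at "step one is knowing what you have". As an added example that is not the author's code, here is a small inventory parser in Python for a requirements.txt-style manifest: it records each dependency with its version constraint and flags the entries that are not pinned to an exact version, which are the ones whose installed version can change silently on the next install. The manifest is a constructed sample, not taken from any real project.

```python
"""Dependency inventory: step one, know what you have.

Added example, not code from the blog post it follows. Parses a
requirements.txt-style manifest (constructed sample below), records each
dependency and its version constraint, and flags entries that are not
pinned to an exact version.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample manifest for the demonstration (not a real project's).
SAMPLE_REQUIREMENTS = """\
# web stack
Django==2.2.0
requests>=2.20,<3
urllib3          # floating: whatever the resolver picks today
cryptography~=2.6
PyYAML==5.1 ; python_version >= "3.5"
-r dev-requirements.txt
celery[redis]==4.3.0
"""

_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[(?P<extras>[^\]]*)\])?"             # optional extras, e.g. [redis]
    r"\s*(?P<spec>[<>=!~][^;#]*)?"             # optional version specifier
)


@dataclass(frozen=True)
class Dependency:
    name: str        # normalized: lower-case, runs of -_. collapsed to "-"
    spec: str        # e.g. "==2.2.0", ">=2.20,<3", "" when unconstrained
    extras: tuple
    pinned: bool     # True only for an exact "==x.y.z" pin


def _normalize(name: str) -> str:
    """PEP 503-style name normalization so Django and django compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Dependency]:
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # blank, or pip options like -r / -e
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {raw!r}")
        spec = (m.group("spec") or "").strip()
        extras = tuple(e.strip() for e in (m.group("extras") or "").split(",") if e.strip())
        pinned = spec.startswith("==") and "," not in spec and "*" not in spec
        deps.append(Dependency(_normalize(m.group("name")), spec, extras, pinned))
    return deps


def unpinned(deps: List[Dependency]) -> List[str]:
    """Names whose installed version the manifest does not fully determine."""
    return [d.name for d in deps if not d.pinned]


if __name__ == "__main__":
    inventory = parse_requirements(SAMPLE_REQUIREMENTS)
    for d in inventory:
        print(f"{d.name:<14} {d.spec or '(any)':<14} {'pinned' if d.pinned else 'FLOATING'}")
    print("not pinned:", unpinned(inventory))
```

Once the inventory exists, the daily stream of upstream releases the post mentions becomes a diff against this list rather than a surprise; the floating entries are the first ones to pin or lock, because they are the ones that can pull in a new release without any change to the repository.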

OpenVPN 3 Linux client - v5 beta released

Filed under
Software
Security

The OpenVPN 3 Linux v5 beta release has just been made available. This is
available in our git repositories [0] and URLs for source tarballs are listed
later in this e-mail. RPM binaries for Fedora and RHEL/CentOS/Scientific
Linux [1] completed the build process quite recently too. Debian and Ubuntu
packages will come too; they just need a few rounds of internal testing, and
we will hopefully be able to release them soon.

Read more

Also: OpenVPN 3 Linux Beta 5 Builds Against OpenSSL By Default, Configuration Improvements

Security: Updates, IPFire 2.21 - Core Update 129, Debian LTS/Freexian and Using Multi-factor Authentication (MFA)

Filed under
Security

Security Leftovers

Filed under
Security

WireGuard Snapshot `0.0.20190406` Available

Filed under
Software
Security
BSD

Hello,

A new snapshot, `0.0.20190406`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  * allowedips: initialize list head when removing intermediate nodes
  
  Fix for an important regression in removing allowed IPs from the last
  snapshot. We have new test cases to catch these in the future as well.
  
  * wg-quick: freebsd: rebreak interface loopback, while fixing localhost
  * wg-quick: freebsd: export TMPDIR when restoring and don't make empty
  
  Two fixes for FreeBSD which have already been backported into ports.
  
  * tools: genkey: account for short reads of /dev/urandom
  * tools: add support for Haiku
  
  The tools now support Haiku! Maybe somebody is working on a WireGuard
  implementation for it?
  
  * tools: warn if an AllowedIP has a nonzero host part
  
  If you try to run `wg set wg0 peer ... allowed-ips 192.168.1.82/24`, wg(8)
  will now print a warning. Even though we mask this automatically down to
  192.168.1.0/24, usually when people specify it like this, it's a mistake.
  
  * wg-quick: add 'strip' subcommand
  
  The new strip subcommand prints the config file to stdout after stripping
  it of all wg-quick-specific options. This enables tricks such as:
  `wg addconf $DEV <(wg-quick strip $DEV)`.
  
  * tools: avoid unnecessary next_peer assignments in sort_peers()
  
  Small C optimization the compiler was probably already doing.
  
  * peerlookup: rename from hashtables
  * allowedips: do not use __always_inline
  * device: use skb accessor functions where possible
  
  Suggested tweaks from Dave Miller.
  
  * qemu: set framewarn 1280 for 64bit and 1024 for 32bit
  
  These should indicate to us more clearly when we cross the most strict stack
  thresholds expected when using recent compilers with the kernel.
  
  * blake2s: simplify
  * blake2s: remove outlen parameter from final
  
  The blake2s implementation has been simplified, since we don't use any of the
  fancy tree hashing parameters or the like. We also no longer separate the
  output length at initialization time from the output length at finalization
  time.
  
  * global: the _bh variety of rcu helpers have been unified
  * compat: nf_nat_core.h was removed upstream
  * compat: backport skb_mark_not_on_list
  
  The usual assortment of compat fixes for Linux 5.1.

This snapshot contains commits from: Jason A. Donenfeld, Luis Ressel, Samuel 
Neves, Bruno Wolff III, and Alexander von Gluck IV.

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .

This snapshot is available in compressed tarball form here:
  https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20190406.tar.xz
  SHA2-256: 2f06f3adf70b95e74a7736a22dcf6e9ef623b311a15b7d55b5474e57c3d0415b
  BLAKE2b-256: 787a01fa3d6a800d7376a04ff57dd16d884a7d3cb99d2f91bfc59895ab759200

A PGP signature of that file decompressed is available here:
  https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20190406.tar.asc
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest
snapshot.

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld

Read more
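The snapshot above adds a warning when an AllowedIP such as 192.168.1.82/24 has a nonzero host part, because wg masks it down to 192.168.1.0/24 and the user usually meant something else. The block below is an added example in Python, not WireGuard's own tools: it reproduces that check with the standard `ipaddress` module for a whole peer's AllowedIPs list, for IPv4 and IPv6, and suggests the single-host form the user may have intended. The function names and the sample entries are assumptions made for the demonstration.

```python
"""AllowedIPs with a nonzero host part: the check wg(8) now warns about.

Added example, not WireGuard code. ip_interface() masks host bits the same
way wg does; the function reports whether masking changed anything so a
configuration loader can warn (as wg now does) or reject the entry.
"""
import ipaddress
from typing import List, Tuple


def normalize_allowed_ip(entry: str) -> Tuple[str, bool]:
    """Return (network as wg will use it, True if host bits were nonzero)."""
    iface = ipaddress.ip_interface(entry)   # v4 or v6, prefix optional (/32 or /128)
    net = iface.network                      # host bits masked off, like wg does
    return str(net), iface.ip != net.network_address


def check_allowed_ips(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Normalize a peer's AllowedIPs; return (networks, warnings)."""
    networks, warnings = [], []
    for entry in entries:
        net, had_host_bits = normalize_allowed_ip(entry)
        networks.append(net)
        if had_host_bits:
            ip = ipaddress.ip_interface(entry).ip
            warnings.append(
                f"AllowedIP {entry} has a nonzero host part; using {net}. "
                f"Did you mean the single host {ip}/{ip.max_prefixlen}?"
            )
    return networks, warnings


if __name__ == "__main__":
    # Constructed sample peer configuration.
    nets, warns = check_allowed_ips(["192.168.1.82/24", "10.0.0.7/32", "fd00::1/64", "0.0.0.0/0"])
    print("AllowedIPs as applied:", nets)
    for w in warns:
        print("warning:", w)
```

The difference matters for routing, not just tidiness: 192.168.1.82/24 claims the whole /24 for that peer and will steer every host in the subnet through it, whereas 192.168.1.82/32 claims one address. Both readings are plausible, which is why a warning rather than silent masking is the right behaviour.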

Also: New WireGuard Snapshot Offers FreeBSD Fixes, Other Tweaks
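The announcement publishes two digests for the tarball, SHA2-256 and BLAKE2b-256, and notes that the PGP signature covers the decompressed .tar rather than the .xz. As an added example (not part of the WireGuard announcement or its tooling), the following Python checks a downloaded file against both digests in one streaming pass, treating the BLAKE2b value correctly as a 32-byte output rather than the 64-byte default, and compares in constant time. The sample bytes and their digests are constructed for the demonstration; the real values for WireGuard-0.0.20190406.tar.xz are the ones printed in the announcement.

```python
"""Verify a downloaded snapshot against the digests published with it.

Added example, not WireGuard code. Streams the file once through both
hashes the announcement lists (SHA2-256 and BLAKE2b-256) and compares
against the expected hex digests in constant time.
"""
import hashlib
import hmac
import io
from typing import BinaryIO, Dict


def digests(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hex digests of the stream, keyed by the names the announcement uses."""
    sha = hashlib.sha256()
    b2 = hashlib.blake2b(digest_size=32)     # "BLAKE2b-256": 32-byte output, not the default 64
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha.update(chunk)
        b2.update(chunk)
    return {"SHA2-256": sha.hexdigest(), "BLAKE2b-256": b2.hexdigest()}


def verify(stream: BinaryIO, expected: Dict[str, str]) -> bool:
    """True only if every published digest matches.

    An empty expectation, an algorithm we do not compute, or any mismatch
    all count as failure; comparison uses hmac.compare_digest.
    """
    if not expected:
        return False
    actual = digests(stream)
    return all(
        name in actual and hmac.compare_digest(actual[name], value.strip().lower())
        for name, value in expected.items()
    )


# Constructed sample "tarball" bytes for the demonstration.
SAMPLE_BYTES = b"not a real tarball, just bytes to hash\n" * 1000


def sample_expected() -> Dict[str, str]:
    """Digests an announcement would publish for SAMPLE_BYTES."""
    return digests(io.BytesIO(SAMPLE_BYTES))


if __name__ == "__main__":
    published = sample_expected()
    print("intact download verifies:", verify(io.BytesIO(SAMPLE_BYTES), published))
    tampered = SAMPLE_BYTES[:-1] + b"!"
    print("tampered download verifies:", verify(io.BytesIO(tampered), published))
```

Digests only prove you got the bytes the announcement describes; they do not prove the announcement is genuine. For that, the signature over the decompressed tar has to be checked against the listed signing key, which means running the .xz through a decompressor and feeding the resulting .tar to the signature check rather than the compressed file.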

Security: CSS Exfil Protection, Intel, Android and More

Filed under
Security

Security: DNS, Google and Facebook

Filed under
Security
Web
  • Waves of DNS hijacking attempts target mostly D-Link routers

    Waves of DNS hijackings over the past three months, aimed at consumer-grade routers mostly from D-Link, have been diverting traffic from a number of well-known domains and directing them elsewhere.

  • Ongoing DNS hijackings target unpatched consumer routers

    A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned.

  • Hiding in Plain Sight

    Cisco Talos is continually working to ensure that our threat intelligence not only accounts for the latest threats but also new versions of old threats, such as spam. This often means pursuing cybercriminals wherever they congregate. However, instead of wheeling-and-dealing using hidden servers on some mysterious dark web address, a surprisingly large number of cyber scofflaws prefer to operate right out in the open using social media. For example, Facebook is host to dozens of groups that serve as online marketplaces and exchanges for cybercriminals. Talos saw spam from services advertised in these Facebook groups show up in our own telemetry data, indicating a potential impact to Cisco customers from these groups.

    Over the past several months, Cisco Talos has tracked several groups on Facebook where shady (at best) and illegal (at worst) activities frequently take place. The majority of these groups use fairly obvious group names, including "Spam Professional," "Spammer & Hacker Professional," "Buy Cvv On THIS SHOP PAYMENT BY BTC," and "Facebook hack (Phishing)." Despite the fairly obvious names, some of these groups have managed to remain on Facebook for up to eight years, and in the process acquire tens of thousands of group members.

  • Cybercrime On Facebook Is Of Least Concern To Its Executives

    There is no better time for committing Cybercrime on Facebook than right now. At least that’s the intent the platform is displaying with its least bothered attitude.

    Cisco Talos — an online security research group, has released a report showcasing in detail the fearless existence of cybercrime on Facebook.

Security: CVE-2019-5736, Antivirus Programs for Ubuntu, Updates and "Improved Spectre/Meltdown Switches"

Filed under
Security
  • CVE-2019-5736 runc escape vs. SELinux
  • The Best Antivirus Programs for Ubuntu

    Let’s be real here. When it comes to virus threats, Linux is the last thing on a hacker’s mind. However, that doesn’t excuse it from all attack vectors. Though Linux benefits from “security by obscurity,” you still have to worry in some ways. For example, just because Linux can’t run Windows programs (without Wine) doesn’t mean you shouldn’t be cautious.

    These viruses can still be spread, especially if you have a Samba server (Windows file share on Linux) or external devices that regularly interact with both Linux and Windows. You could be inadvertently spreading viruses – not to mention some hackers have recently (though not very frequently) started targeting Linux users directly.

    So what are some of the best antivirus programs for Ubuntu you should use?

  • Security updates for Friday
  • GoBrut Botnet ELF Variant and New C2 Discovered
  • Apache Patches Serious Privilege Escalation Flaw
  • Don't be an April Fool: Update your Android mobes, gizmos to – hopefully – pick up critical security fixes

    Google has released the April edition of its monthly Android security updates, including fixes for three remote-code execution vulnerabilities in the mobile OS.

    This month's batch – now out for Google-branded devices, at least: other Android device manufacturers and carriers push out updates on their own – includes one batch of fixes for 11 CVE-listed vulnerabilities that everyone should apply, and a second batch for 44 flaws, that should be applied depending on your device's hardware and OS.

  • Improved Spectre/Meltdown Switches Might Finally Come To The Linux Kernel [Ed: These chips are not fixed. They will never be recalled. They are still defective. These are workarounds. Many will never apply the 'fixes' because of their performance toll.]

    By the time the next Linux kernel is released it will have been roughly a year and a half since the Spectre and Meltdown CPU speculative execution vulnerabilities went public and the mitigations started appearing within the kernel. Finally now it's being discussed again by upstream developers over improving the switches / tunable knobs for easily configuring these performance-degrading mitigations.

Security on Android (or Phones for That Matter)

Filed under
Security
  • Kaspersky: Thousands of Android users are being tracked by stalkerware

    Russian security outfit Kaspersky Lab has discovered that more than 58,000 Android-using folks had so-called 'stalkerware' lurking on their devices in 2018, with 35,000 unaware they were being stalked.

    Stalkerware is software that can track a person's gadget and by extension them, as well as snoop on their texts and get live feeds from cameras. It's legal but is pretty damn unethical; nevertheless, it seems to get used a heck of a lot.

  • Kaspersky Lab Will Now Alert Users to 'Stalkerware' Used In Domestic Abuse

    Antivirus company Kaspersky Lab announced that its Android security product will now mark all stalkerware apps as malware, prompting users to delete them.

  • 150 Million Xiaomi Devices Vulnerable To A Major Security Flaw [Ed: How come we never see headlines like, "2 billion PCs vulnerable due to NSA back doors with exploits in the wild"?]

    The purpose of security apps is to protect devices and user data. However, Xiaomi’s pre-installed security app did just the opposite and made its smartphones more vulnerable to attacks.

    The app in question is Xiaomi’s security app, Guard Provider, which uses anti-virus scanners from popular developers like Avast, AVL, and Tencent to scan for the presence of malware.


More in Tux Machines

OSS Leftovers

  • 8 Best Kodi Sports Addons For Streaming Live Sports In 2019
    Kodi media player is a boon for cord cutters. In an era where subscription-based streaming services are popping left and right, Kodi presents an easy method to watch movies free online. By installing some of the best Kodi addons and top Kodi repositories, you can access hundreds of millions of movies and TV shows.
  • NVMe Driver Now Available
    Due to the awesome work by long-time developer waddlesplash, nightly images after hrev53079 have read/write NVMe support built-in. What is NVMe? For those not keeping up with the latest advances in tech, NVMe is an M.2 form-factor flash-based storage device which attaches directly to the system’s PCI Express bus. These flash devices are present in modern desktops and laptops and offer transfer speeds of several GiB/s. These devices now show up in /dev/disk/nvme/ and are fully useable by Haiku.
  • Haiku OS Picks Up An NVMe Storage Driver
    Back during the BeOS days of the 90's, NVM Express solid-state storage obviously wasn't a thing but the open-source Haiku OS inspired by it now has an NVMe driver. Haiku that aims to be an open-source OS based off BeOS now has support for NVMe SSDs. This driver didn't make last September's Haiku R1 beta but now being found within the latest development code is for NVMe SSD hardware.
  • Join Us In New York City
    OSI Board Directors have broad backgrounds and experience, working in a variety of roles—Chief Open Source Officer, Chief Information Officer, Chief Technology Officer, Open Source Program Manager, Community Manager, Developer, Architect, Engineer, Attorney—for both corporations and communities—Clojure Community, Cloud Native Computing Foundation, Debian Project, Free Software Foundation, Github, Google, Kubernetes Community, Microsoft, One Laptop Per Child, Open edX, Oracle, Python Software Foundation, Red Hat, Salesforce, Sun Microsystems, The Document Foundation, Wikimedia, Zalando... and many, many, more.
  • Mozilla Localization (L10N): L10n report: April edition
    The deadline to ship localization updates in Firefox 67 is quickly approaching (April 30). Firefox 68 is going to be an ESR version, so it’s particularly important to ship the best localization possible. The deadline for that will be June 25.
  • Why Companies Open Source Their Software?
    When a company releases its code as open source and contributes it to foundations like CNCF, it literally loses control over the project. What benefit is there in doing so? Why would you want to lose control over the very project you created? Dan Lahl of SAP has an answer: that’s the beauty of Open Source.
  • Avalanche Noise Generator Notes
    I’ll probably go through another iteration of tweaking before final integration, but afaik this is the smallest, lowest power open-source avalanche noise generator to date (slightly smaller than this one).

Software: LibreOffice, X-Gimp, COPR and Tauon Music Box

  • [LibreOffice] menubar updates [updated]
  • X-Gimp 2.10.10 [rev25]
    Image editors are ten-a-penny nowadays, so anything which wants attention from a divided audience needs to offer something quite special. X-Gimp is the portable version of GIMP (or the GNU Image Manipulation Program), which is one of the most powerful free image editors available and is frequently described as being a free alternative to the likes of Photoshop. This is a highly versatile tool which can be used as a basic drawing program but can also be employed to edit digital photographs to a professional level. Despite being free of charge, opting to use GIMP does not mean having to compromise on features. Layers, masks, channels, filters and special effects, in addition to the usual range of editing tools, are all on hand to make image editing as easy as possible. Powerful tools such as the correction mode which allows for the correction of barrel distortion and perspective problems are usually only found in expensive packages but are included here for anyone to try out. Whether you are an amateur digital photographer or a professional graphic artist, GIMP has something to offer you.
  • Fedora Magazine: 4 cool new projects to try in COPR for April 2019
    COPR is a collection of personal repositories for software that isn’t carried in Fedora. Some software doesn’t conform to standards that allow easy packaging. Or it may not meet other Fedora standards, despite being free and open source. COPR can offer these projects outside the Fedora set of packages. Software in COPR isn’t supported by Fedora infrastructure or signed by the project. However, it can be a neat way to try new or experimental software. Here’s a set of new and interesting projects in COPR.
  • Tauon Music Box – Excellent desktop music player
    Over the past few months I’ve covered scores of open source graphical music players. They’ve been a mixed bag. Some are genuinely excellent, others falling short of my (fairly) modest requirements. The music players I’ve mostly reviewed include ncmpy, ncmpc, and Cantata. I’ve also reviewed Nulloy, Museeks, Pragha Music Player, Yarock, qoob, aux.app, MellowPlayer, Kaku, Strawberry, Headset, Qmmp, and the truly sublime musikcube. The vast majority of the music players are GUI software. Continuing my series, here’s a further graphical music player. Bearing the moniker Tauon Music Box (Tauon), it’s based around disposable playlists and the assumption that folders are albums. They are also intended to function as a kind of workspace or to keep different music collections separate. The project instructs users to ensure they have an organized and structured music library, ideally with each album in its own folder. Sound advice. The software is written in the Python programming language. It uses Advanced Linux Sound Architecture (ALSA), not PulseAudio.

COBOL, C, C++ all due for updates in early 2020s

You have never heard of Chris Tandy, a Toronto-based programmer for IBM since 1985, but his work in standardizing computer programming languages is vital to everything you do as a software developer. Tandy chairs the American INCITS PL22 group and is an officer in the global ISO/IEC JTC 1/SC 22 committee, which are the primary standards bodies responsible not only for pivotal languages such as COBOL, C, and C++, but also for historic ones like Ada, APL (famously named as "A Programming Language"), and Fortran. They also deal in esoterica—try your hand at coding in PL/1 or REXX. Future versions of the COBOL standard are now entirely in ISO hands, while before it was mostly an American project, Tandy explained. The ISO working group members intend to have the next version, known as an FDIS (final draft international standard), done in 2020.

Read more

Also: GNU patch another_hunk Function Double-Free Vulnerability [CVE-2018-6952]

Kdenlive Video Editor 19.04 Arrives with Major Changes in Tow

A major update to the Kdenlive video editor is now available for download. Kdenlive 19.04 ships as part of KDE Applications 19.04, released on April 19. This is the vaunted “refactoring” release we’ve written lots about, as the release announcement explains further: “Kdenlive has gone through an extensive re-write of its core code as more than 60% of its internals has changed, improving its overall architecture.”

Read more