
Security

Security: SS7, CSS3 and More

  • Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone's Privacy At Risk

    Last year, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."

    Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

  • Firefox And Chrome Bug Leaked Facebook Profile Details For Almost A Year; Now Fixed

    A side-channel vulnerability existed in the implementation of the CSS3 feature called “mix-blend-mode.” It allowed an attacker to de-anonymize a Facebook user running Google Chrome or Mozilla Firefox by making them visit a specially crafted website.

    The flaw, now fixed, was discovered last year by the researcher duo Dario Weißer and Ruslan Habalov, and separately by another researcher named Max May.

  • Side-channel attacking browsers through CSS3 features

    With the staggering amount of features that were introduced through HTML5 and CSS3 the attack surface of browsers grew accordingly. Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users. In this article, we describe such a practical attack and the research behind it.

  • Effects of Bring Your Own Device (BYOD) On Cyber Security [Ed: 'sponsored' article]
  • French Security Expert Exposes “Kimbho”: “I Can Access The Messages of All Users”

Security Leftovers

  • Security updates for Thursday
  • SS7 routing-protocol breach of US cellular carrier exposed customer data

    Short for Signalling System No. 7, SS7 is the routing protocol that allows cell phone users to connect seamlessly from network to network as they travel throughout the world. With little built-in security and no way for carriers to verify one another, SS7 has always posed a potential hole that people with access could exploit to track the real-time location of individual users. In recent years, the threat has expanded almost exponentially, in part because the number of companies with access to SS7 has grown from a handful to thousands. Another key reason: hackers can now abuse the routing protocol not just to geolocate people but, in many cases, to intercept text messages and voice calls.

  • The Bleak State of Federal Government Cybersecurity

    It's a truism by now that the federal government struggles with cybersecurity, but a recent report by the White House's Office of Management and Budget reinforces the dire need for change across dozens of agencies. Of the 96 federal agencies it assessed, it deemed 74 percent either "At Risk" or "High Risk," meaning that they need crucial and immediate improvements.

  • Judge dismisses Kaspersky's lawsuits challenging government ban

    Kollar-Kotelly, however, disagreed with this argument, noting that none of their "alleged harms would be redressed" even if they received a favorable ruling in the case because Congress has already instituted its own government-wide ban on use of Kaspersky products, which President Trump signed in December.

  • Kaspersky Lab To Appeal Court Decision To Dismiss US Ban

    US judges dismiss two lawsuits from Russian firm to overturn American ban on its security products

    Moscow-based Kaspersky Lab has suffered yet another setback in its attempt to convince the world that it is not a stooge for the Russian intelligence services.

    A US federal judge on Wednesday dismissed two lawsuits by Kaspersky Lab, which sought to overturn bans on its security products for the US government.

    It comes after the US Department for Homeland Security last year banned Kaspersky products from use by federal government agencies.

  • DHS, Commerce release cyber report on combating botnets

    The latest report largely resembles the draft report issued by the two federal agencies in January, which gave experts from the cybersecurity industry as well as other stakeholders the opportunity to weigh in on their findings before releasing the final report.

  • Sonic attacks can bork hard disks and crash Windows and Linux [Ed: Bring up theoretic threats and making it sound like pertaining to the OS]

    Sonic and ultrasonic sounds can disrupt the read and write processes of magnetic hard disk drives, while laptops running Windows or Linux OSes, in some cases at least, required a reboot to work properly after a sonic bombardment.

    Audible sonic sounds do this by causing the head stack in a hard disk drive's assembly to vibrate outside of its normal operating parameters, which temporarily stops it from writing data, while ultrasonic sounds create false positives in the disk drive's shock sensor and cause the drive to stop using its head, thereby causing it to stop working and disrupting an OS's normal operation.

  • Top 5 New Open Source Security Vulnerabilities in May 2018 [Ed: Perpetuating the perception of FOSS being full of holes while ignoring proprietary software having many holes as well as back doors]

    We’ve put together a list of May’s top 5 new known open source security vulnerabilities, aggregated by the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), and of course a wide number of open source publicly available, peer-reviewed security advisories.

CentOS Linux 7 Receives Important Kernel Security Update That Patches Six Flaws


Being based on the Red Hat Enterprise Linux 7 operating system series, CentOS Linux 7 follows a rolling release model where the user installs once and receives regular updates forever. There's no need to reinstall your healthy CentOS Linux installation when a new release is out, but you should keep it up-to-date at all times.

A new kernel security update was released upstream by Red Hat for the Red Hat Enterprise Linux 7 operating system series, which addresses a total of six security vulnerabilities discovered and reported by various security researchers. The kernel security update is now also available for CentOS Linux 7 users.


Security: Zephyr, PGP and More

  • How the Zephyr Project Is Working to Make IoT Secure

    Fragmentation has been a big problem for IoT since the beginning. Companies were doing their own workarounds, there were no standardizations, and there was no collaborative platform that everyone could work on together. Various open source projects are working to solve this problem, but many factors contribute to the woes of IoT devices. Anas Nashif, Technical Steering Committee (TSC) Chair of the Zephyr project believes that software licensing can help.

    Nashif admits that there are already many open source projects trying to address the domain of embedded devices and microcontrollers. “But none of these projects offered a complete solution in terms of being truly open source or being compatible in terms of having an attractive license that would encourage you actually to use it in your product. Some of these projects are controlled by a single vendor and, as such, don’t have an acceptable governance model that breeds confidence within users,” said Nashif.

    [...]

    Zephyr doesn’t use the Linux kernel. Its kernel comes from Wind River’s VxWorks Microkernel Profile for VxWorks. The first version of Zephyr, which was launched some two years ago, came out with a kernel, an IP stack, L2 stack, and a few services. Then Intel decided to open source it. They took a saw to it and cleaned the code, then they started talking to industry leaders, especially The Linux Foundation. The project was launched with Intel, NXP, and Synopsys as launch members.

  • How to Secure Edge Computing

    The notion of edge computing is a relatively nascent one in modern IT. While end user, data center and cloud computing are well understood, edge computing is still struggling to define itself – and come to terms with some significant security challenges.

  • OpenStack Operators Detail How They Patched for Meltdown, Spectre

    When the Meltdown and Spectre CPU security vulnerabilities were publicly disclosed on Jan. 3, they set off a flurry of activity among IT users and cloud operators around the world. In a panel moderated by eWEEK at the OpenStack Summit in Vancouver, B.C., on May 24, operators detailed how they dealt with patching for Meltdown and why it was a time-consuming process.

    When it comes to OpenStack, no operator in the world is larger than CERN, home of the Large Hadron Collider (LHC) and an OpenStack cloud infrastructure that has approximately 300,000 compute cores. Arne Wiebalck is responsible for the overall operations of CERN's OpenStack cloud, and when vulnerabilities like Meltdown and Spectre appear, it's his responsibility to react and deploy the corresponding fixes.

  • How To Turn PGP Back On As Safely As Possible

    Previously, EFF recommended to PGP users that, because of new attacks revealed by researchers from Münster University of Applied Sciences, Ruhr University Bochum, and NXP Semiconductors, they should disable the PGP plugins in their email clients for now. You can read more detailed rationale for this advice in our FAQ on the topic, but undoubtedly the most frequently asked question has been: how long is for now? When will it be safe to use PGP for email again?

    The TL;DR (although you really should read the rest of this article): coders and researchers across the PGP email ecosystem have been hard at work addressing the problems highlighted by the paper—and after their sterling efforts, we believe some parts are now safe for use, with sufficient precautions.

  • OnePlus 6’s Face Unlock Can Be Fooled By A Photograph

    Do you own a OnePlus 6 or are you planning to buy one? If yes, you might want to read this one. So apparently, the OnePlus 6’s face unlock method can be tricked by a photograph. A video posted by a Twitter user shows the phone getting unlocked by a cutout picture of his face.

Security: Updates, FBI, Windows Cameras and More

  • Security updates for Wednesday
  • The FBI wants you to do this one thing to your home router, now
  • FBI wants you to reboot your router: What you need to know
  • Did You Restart Your Router Like the FBI Asked?
  • The FBI is warning you to reboot your router to prevent a new attack — here's everything you need to do
  • Mainstream Media Warns of 'Russian Malware', Ignores CIA's Own Virus Development

    The US Federal Bureau of Investigation has warned hackers may have compromised hundreds of thousands of routers and other home network devices the world over with malware. Perhaps predictably, the Russians are said to be behind the ploy - but past experience suggests the true source may lie closer to home.

    In an official statement, the FBI said the virus — ‘VPNFilter' — was being used to launch attacks on infrastructure and render electronic devices useless. Anyone possessing a router is strongly urged by the Bureau to reset their device — the malware works in three stages, and rebooting the router prevents the implementation of the latter two stages.

    "Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware," the Bureau suggested.

  • Securing the container image supply chain

    "Security is hard" is a tautology, especially in the fast-moving world of container orchestration. We have previously covered various aspects of Linux container security through, for example, the Clear Containers implementation or the broader question of Kubernetes and security, but those are mostly concerned with container isolation; they do not address the question of trusting a container's contents. What is a container running? Who built it and when? Even assuming we have good programmers and solid isolation layers, propagating that good code around a Kubernetes cluster and making strong assertions on the integrity of that supply chain is far from trivial. The 2018 KubeCon + CloudNativeCon Europe event featured some projects that could eventually solve that problem. 

    [...]

    The question of container trust hardly seems resolved at all; the available solutions are complex and would be difficult to deploy for Kubernetes rookies like me. However, it seems that Kubernetes could make small improvements to improve security and auditability, the first of which is probably setting the image pull policy to a more reasonable default. In his talk, Mouat also said it should be easier to make Kubernetes fetch images only from a trusted registry instead of allowing any arbitrary registry by default.

    Beyond that, cluster operators wishing to have better control over their deployments should start looking into setting up Notary with an admission controller, maybe Portieris if they can figure out how to make it play with their own Notary servers. Considering the apparent complexity of Grafeas and in-toto, I would assume that those would probably be reserved only to larger "enterprise" deployments but who knows; Kubernetes may be complex enough as it is that people won't mind adding a service or two in there to improve its security. Keep in mind that complexity is an enemy of security, so operators should be careful when deploying solutions unless they have a good grasp of the trade-offs involved.

  • Victorian speed cameras hit by computer virus

    Independent report into WannaCry virus

    An unsuspecting contractor was blamed for introducing the virus into Victoria’s speed camera network sometime in early June 2017. The malware was first detected on 6 June 2017 when 20 cameras crashed along the Hume Highway and remained offline overnight.

    The infected cameras ran on Windows 7. Another company who used Unix-based cameras still suffered thanks to Windows operating system powered site control units. It wasn’t until 14 June that the true cause of the outages was found and over the next two days, engineers worked on a patch to secure the system. Finally, by 22 June, cameras were fully operational and virus-free again.

  • Secret Commands Let Google Access All Your Android Text Messages

    Google is known for hiding easter eggs, and secret features buried deep in its Android OS. However, a weird glitch has appeared on Android which honestly seems more like a bug than an easter egg.

    The glitch shows your text messages in search results by using the Google cards assistant feature. It was reported in a Reddit post which says that typing “the1975..com” into the Google search bar will display all your text messages on the screen.

Security: Git and ARM Patches


Security: Updates, Malware and More

  • Security updates for Monday
  • Security updates for Tuesday
  • Low-Priced Android Phones Shipped with Pre-installed ‘Cosiloon’ Malware, Says Avast

    Are you thinking about settling for a cheaper Android phone? You might want to reconsider this decision. A study conducted by Avast Threat Labs reports that several Android devices are shipped with malware pre-installed on them.

    The report says that more than 100 countries, including the US, Russia, and the UK have been affected by the adware and malware which is carried by hundreds of such low-cost Android devices, which includes manufacturers like ZTE, myPhone, and Archos.

  • The Benefits of HTTPS for DNS

    DNS over HTTPS (DoH) is entering the last call (right now Working Group, soon IETF wide) stage of IETF standardization. A common discussion I have about it basically boils down to "why not DNS over TLS (DoT)?" (i.e. work that has already been done by the DPRIVE WG). That does seem simpler, after all.

    DoH builds on the great foundation of DoT. The most important part of each protocol is that they provide encrypted and authenticated communication between clients and arbitrary DNS resolvers. DNS transport does get regularly attacked and using either one of these protocols allows clients to protect against such shenanigans. What DoH and DoT have in common is far more important than their differences and for some use cases they will work equally well.

  • Python May Let Security Tools See What Operations the Runtime Is Performing

    In its current form, Python does not allow security tools to see what operations the runtime is performing. Unless one of those operations generates particular errors that may raise a sign of alarm, security and auditing tools are blind that an attacker may be using Python to carry out malicious operations on a system.

  • If Avast Broke Your Windows 10 April Update, Here Is The Fix

    One of the many problems associated with the Windows 10 April Update is because of the Avast antivirus software. A few days ago, some Windows 10 users saw a blank desktop with no icons after upgrading, and Microsoft had to block April Update.

    Later, it was known that the Avast Behavior Shield was incompatible with the April 2018 Update and causing the issue which even left some people with unusable PCs.

  • Avast fixes issues with Windows 10 version 1803 and their antivirus
  • Reproducible Builds: Weekly report #161

Security: Open Source Security Podcast, Windows, USB, SHB and FBI

  • Open Source Security Podcast: Episode 98 - When IT decisions kill people

    Josh and Kurt talk about the NTSB report from the fatal Uber crash and what happened with Amazon's Alexa recording then emailing a private conversation. IT decisions now have real world consequences like never before.

  • There are cyber threats to veterans' medical records [iophk: "Windows TCO; infection misattributed to a thumbdrive rather than the managers that signed off on using Microsoft instead of real software"]

    Veterans have also fallen victim of non-targeted cyber intrusions. Cyber criminals routinely attempt to steal personal health records to sell on the dark web, given how valuable such records are. As an example of a non-targeted cyber attack, the Conficker worm infected 104 medical devices at a U.S. Department of Veterans Affairs (VA) hospital in Florida in 2012 simply because a vender [sic] updated the devices with a thumb drive that had unknowingly been infected.

  • USB Reverse Engineering: Down the rabbit hole

    It seems the deeper I went, the more interesting I found the content, and this post grew and grew. Hopefully it will help to shortcut your own journey down this path, and enlighten you to a whole new area of interesting things to hack!

  • Security and Human Behavior (SHB 2018)

    SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The 50 or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

  • The FBI tells everybody to reboot their router

Security: The Microsoft Cyber Attack, VPNFilter, Compliance, Docker

  • « The Microsoft Cyber Attack » : a German Documentary from the ARD on Relations Between Microsoft and Public Administration Now Available in English

    On February 19th, 2018, the German public broadcaster (ARD) aired a documentary on Microsoft relations with public administrations. Part of the inquiry is about the Open Bar agreement between Microsoft and the French ministry of Defense, including interviews of French Senator Joëlle Garriaud-Maylam, Leïla Miñano, a journalist, and Étienne Gonnu of April.

    The documentary is now available in English thanks to Deutsche Welle (DW), the German public international broadcaster, on its YouTube channel dedicated to documentaries: The Microsoft Cyber Attack. It should be noted that April considers itself as a Free software advocate, rather than open source, as the voice-over suggests.

  • VPNFilter UNIX Trojan – How to Remove It and Protect Your Network

    This article has been created to explain what exactly is the VPNFilter malware and how to secure your network against this massive infection by protecting your router as well as protecting your computers.

    A new malware, going by the name of VPNFilter, has reportedly infected over 500 thousand router devices across most widely used brands such as Linksys, MikroTik, NETGEAR as well as TP-Link, mostly used in homes and offices. The cyber-sec researchers at Cisco Talos have reported that the threat is real and it is live, even though the infected devices are under investigation at the moment. The malware reportedly has something to do with the BlackEnergy malware, which targeted multiple devices in Ukraine and Industrial Control Systems in the U.S. If you want to learn more about the VPNFilter malware and learn how you can remove it from your network plus protect your network, we advise that you read this article.

  • FBI: Reboot Your Router Now To Fight Malware That Affected 500,000 Routers
  • Compliance is Not Synonymous With Security

    While the upcoming GDPR compliance deadline will mark an unprecedented milestone in security, it should also serve as a crucial reminder that compliance does not equal security. Along with the clear benefits to be gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and other regulatory bodies often comes a shift toward a more compliance-centric security approach. But regardless of industry or regulatory body, achieving and maintaining compliance should never be the end goal of any security program. Here’s why:

  • Dialing up security for Docker containers

    Docker containers are a convenient way to run almost any service, but admins need to be aware of the need to address some important security issues.

    Container systems like Docker are a powerful tool for system administrators, but Docker poses some security issues you won't face with a conventional virtual machine (VM) environment. For example, containers have direct access to directories such as /proc, /dev, or /sys, which increases the risk of intrusion. This article offers some tips on how you can enhance the security of your Docker environment.

OpenStack News/Leftovers

  • Canonical founder calls out OpenStack suppliers for ‘lack of focus’ on datacentre cost savings

    The OpenStack supplier community’s reluctance to prioritise the delivery of datacentre cost savings to their users could prove “fatal”, says Canonical co-founder Mark Shuttleworth.

  • OpenStack in transition

    OpenStack is one of the most important and complex open-source projects you’ve never heard of. It’s a set of tools that allows large enterprises ranging from Comcast and PayPal to stock exchanges and telecom providers to run their own AWS-like cloud services inside their data centers. Only a few years ago, there was a lot of hype around OpenStack as the project went through the usual hype cycle. Now, we’re talking about a stable project that many of the most valuable companies on earth rely on. But this also means the ecosystem around it — and the foundation that shepherds it — is now trying to transition to this next phase.

  • Free OpenStack Training Resources
  • How the OpenStack Foundation Is Evolving Beyond Its Roots

    The OpenStack Foundation is in a period of transition as it seeks to enable a broader set of open infrastructure efforts than just the OpenStack cloud project itself.

    In a video interview at the OpenStack Summit here, OpenStack Foundation Executive Director Jonathan Bryce and Chief Operating Officer Mark Collier discussed how the open-source organization is still thriving, even as corporate sponsorship changes and attendance at events declines.

    At the event, Collier said there were approximately 2,600 registered attendees, which is nearly half the number that came to the OpenStack Boston 2017 event. OpenStack's corporate sponsorship has also changed, with both IBM and Canonical dropping from the Platinum tier of membership.


More in Tux Machines

KDE/Qt: Qt 3D, Kube/Kolab, GSoC, and Atelier (3-D Printing)

  • What a mesh!
    With all the advances being made in Qt 3D, we wanted to create some new examples showing some of what it can do. To get us started, we decided to use an existing learning framework, so we followed the open source Tower Defence course, which you can find at CGCookie. Being a game, it allows an interactive view of everything at work, which is very useful.
  • Last week in Kube
    Perhaps if Windows wasn’t such a PITA there would be more progress
  • GSoC 2018: Week 4 & 5
    The last 2 weeks were mainly dedicated for reviews and testing and thanks to my mentors, I passed the first evaluation with good work till now. Some significant changes were made on discussion with my mentors during the last 2 weeks in the code and some new features.
  • Giving Atelier some Love
    I work for atelier together with Chris, Lays and Patrick for quite a while, but I was basically being the “guardian angel” of the project being invoked when anything happened or when they did not know how to proceed (are you a guardian angel of a project? we have many that need that) For instance I’ve done the skeleton for the plugin system, the buildsystem and some of the modules in the interface, but nothing major as I really lacked the time and also lacked a printer.

Proprietary Software on GNU/Linux

  • Winepak – Install Windows Apps and Games on Linux via Flatpak
    A reason for Linux not being more used as added in the comments section of a recent article is “Adobe and Games“. Well, there is a latest Linux bad guy in town and it is here to comfort us in a cooler way than Wine.
  • Mark Text Markdown Editor Adds Sidebar And Tabs Support
    Mark Text is a somewhat new free and open source Electron Markdown editor for Windows, Mac and Linux, which supports the CommonMark Spec and the GitHub Flavored Markdown Spec. The app features a seamless live preview using Snabbdom as the render engine, multiple edit modes (Typewriter, Source Code and Focus), includes code fence support, light and dark themes, emoji auto-completion, and export to PDF, HTML or styled HTML.
  • Google’s VR180 Creator Makes It Easier to Edit VR Video on Linux
    It’s called “VR180 Creator” (catchy) and the tool aims to make it easier for people to edit video shot on 180-degree and 360-degree devices like the Lenovo Mirage camera (pictured opposite). And boy is just-such a tool needed! VR180 Creator: Easier VR Video Editing Editing VR video is, to be perfectly frank, a pain in the rump end. So by releasing this new, open-source tool for free Google is being rather smart. Anything that makes it easier for consumers and content creators to edit VR on something other than a high-end specialist rig is going to help the format flourish.

Devuan GNU+Linux 2.0.0 "ASCII"

When I am trying out a desktop distribution, what really tends to divide the field of Linux distributions in my mind is not whether the system uses MATE or Plasma, or whether the underlying package manager uses RPM or Deb files. What tends to leave a lasting impression with me is whether the desktop environment, its applications and controls feel like a cooperative, cohesive experience or like a jumble of individual tools that happen to be part of the same operating system. In my opinion Ubuntu running the Unity desktop and Linux Mint's Cinnamon desktop are good examples of the cohesive approach. The way openSUSE's administration tools work together provides another example. Like them or hate them, I think most people can see there is an overall design, a unifying vision, being explored with those distributions. I believe Devuan falls into the other category, presenting the user with a collection of utilities and features where some assembly is still required. This comes across in little ways. For example, many distributions ship Mozilla's Firefox web browser and the Thunderbird e-mail client together as a set, and they generally complement each other. Devuan ships Firefox, but then its counterpart is the mutt console e-mail program which feels entirely out of place with the rest of the desktop software. The PulseAudio sound mixing utility is included, but its system tray companion is not present by default. Even the system installer, which switches back and forth between graphical windows and a text console, feels more like a collection of uncoordinated prompts rather than a unified program or script. Some people may like the mix-and-match approach, but I tend to prefer distributions where it feels like the parts are fitted together to create a unified experience. What I found was that Devuan provided an experience where I had to stop and think about where items were or how I was going to use them rather than having the pieces seamlessly fit together. 
However, once I got the system set up in a way that was more to my liking, I appreciated the experience provided. Devuan offers a stable, flexible platform. Once I shaped the operating system a little, I found it to be fast, light and capable. Having a fairly large repository of software available along with Flatpak support provided a solid collection of applications on a conservative operating system foundation. It was a combination I liked. In short, I think Devuan has some rough edges and setting it up was an unusually long and complex experience by Linux standards. I certainly wouldn't recommend Devuan to newcomers. However, a day or two into the experience, Devuan's stability and performance made it a worthwhile journey. I think Devuan may be a good alternative to people who like running Debian or other conservative distributions such as Slackware. I suspect I may soon be running Devuan's Raspberry Pi build on my home server where its lightweight nature will be welcome.

Also: deepin 15.6 Released With New Features: Get This Beautiful Linux Distro Here

Android Leftovers