Security

Security Leftovers

Filed under
Security

Linux Kodachi 6.1 Released, which is based on Xubuntu 18.04 LTS

Filed under
GNU
Linux
Security
Ubuntu

Warith Al Maawali has announced the release of Linux Kodachi 6.1 on July 27, 2019, which is based on Xubuntu 18.04 LTS.

It will provide you with a secure, anti-forensic, and anonymous operating system considering all features that a person who is concerned about privacy would need to have in order to be secure.

Security Leftovers

Filed under
Security
  • The Week in Tech: What Should Your City Do if It’s Hit by Ransomware? [iophk: No. Cities are seen as low-hanging fruit because many still run MS-Windows]

    Cities are now seen as low-hanging fruit by [attackers], because of “legacy systems and lack of budget” to upgrade, said Jennifer Daffron, a risk researcher at the University of Cambridge. They’re also great places to cause chaos, and [attackers], especially nation-state ones, “love to cause chaos to get street cred,” Mr. Falco said.

  • 4 chilling lessons from a tech hotline scam

    He had a few questions, did a Google search for Yahoo’s small business helpline and called. Little did he know the listed number wasn’t for Yahoo tech support at all. Scammers found a way to push their fake number to the top of his Google search, and Bob was tricked into calling a convincing-sounding technician. When the person on the other end asked for his login information, including password and home address, he didn’t question the request. [...]

  • [Old] Why [attackers] ignore most security flaws

    The reasons they wouldn't can vary. Most [intrusion] is criminal, not espionage, and criminal [attackers] tend to make decisions based on hacking the most computers with the least amount of effort. Not all vulnerabilities are easy to use and not all of the easy to use vulnerabilities are in products that are widely deployed.

  • [Old] What’s the best approach to patching vulnerabilities?

    New research shows that most vulnerabilities aren’t exploited and those that are tend to have a high CVSS score (awarded on the basis of how dangerous and easy to exploit the vulnerability is). So, not surprisingly, the most easily exploited flaws are the ones exploited most frequently.

    What’s more surprising is that there’s apparently no relationship between the proof-of-concept (PoC) exploit code being published publicly online and the start of real-world attacks.

Security: Microsoft/RDP, Misattributed FUD, Linux Patching and LibreOffice Update

Filed under
Security
  • RDP Exposure To The Internet

    The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary protocol developed by Microsoft that is used to provide a graphical means of connecting to a network-connected computer. RDP client and server support has been present in varying capacities in most every Windows version since NT. Outside of Microsoft’s offerings, there are RDP clients available for most other operating systems. If the nitty gritty of protocols is your thing, Wikipedia’s Remote Desktop Protocol article is a good start on your way to a trove of TechNet articles.

    RDP is essentially a protocol for dangling your keyboard, mouse and a display for others to use. As you might expect, a juicy protocol like this has a variety of knobs used to control its security capabilities, including controlling user authentication, what encryption is used, and more. The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default. If you are interested in reading more about securing RDP, UC Berkeley has put together a helpful guide, and Tom Sellers, prior to joining Rapid7, wrote about specific risks related to RDP and how to address them.

  • Golang Malware Targets Linux-Based Servers [Ed: Better headline would say something like, "malware written in some programming language (Go) wants people to foolishly install it on a server and it's compiled for or made compatible with GNU/Linux"]

    A cryptominer campaign has been targeting Linux-based servers using a new Golang malware, according to research published by F5 Labs.

    Though not often seen in the threat landscape, the Golang malware was first identified in mid-2018 and has sustained throughout 2019. Researchers noted the latest operation, which has infected an estimated several thousand machines, began around June 10. The first exploit requests were identified around June 16.

  • Microsoft wants to join private Linux security developer board [Ed: If Linux values security, then it will reject the company that started PRISM with the NSA]

    Microsoft has applied to join a private group of Linux developers responsible for reporting and discussing security issues before they go public.

  • Microsoft bids for behind-the-scenes access to Linux flaws [Ed: They have already taken over parts of the Linux Foundation, so why not this?]

    Request to join security lists come as the firm reveals Linux usage on Azure VMs outweighs Windows usage.

  • [Slackware] LibreOffice 6.2.5 packages available

    Earlier this week, the Document Foundation released version 6.2.5 of their office suite LibreOffice. I have built and uploaded sets of packages for Slackware 14.2 and also for -current, 32bits and 64bits.

    The Document Foundation themselves finally think that 6.2.x is production ready: “… Users in production environments can start evaluating LibreOffice 6.2.5…“. I was already happy with 6.2.4 and I find the capability to open and work with MS Office documents improving all the time.

KeePass open source password manager review

Filed under
Software
Reviews
Security

KeePass is a free and open-source (FOSS) password manager. It is a Windows program, but versions of it are available for all platforms including macOS, iOS, Android, and Linux. KeePass is not hard to use, but it lacks the slick user interfaces offered by many of its commercial rivals.

Syncing across devices also takes a little more work than with most password manager apps, but there is a good reason for this. KeePass uses true end-to-end encryption. You create encrypted KeePass (.kdbx) files that, by default, never leave the device they are created on.

They are not stored on a centralized database that can be hacked (as commercial password manager ones often are), and only you hold the encryption keys to them. The main downside of this, of course, is that there is no safety net - no third party that can bail you out if you forget your master password!

Raspberry Pi 4 and Kali

Filed under
GNU
Linux
Security

We love the Raspberry Pi, and judging by the response we got to a late night tweet we sent out last weekend a lot of you love the Pi too!

Because of that, when the Pi 4 dropped we wanted to get Kali supported on it right away.

What's new on the Raspberry Pi 4?

The Raspberry Pi 4 is actually a pretty amazing little machine. The Pi has always been known for its low cost and easy accessibility, but with the 4 we can actually throw real performance onto that list as well.

Security: Updates, DerpTrolling and TCP Patches for Ubuntu

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by SUSE (firefox, mozilla-nss, mozilla-nspr, helm-mirror, libu2f-host, and libu2f-host, pam_u2f) and Ubuntu (bzip2 and irssi).

  • Man Gets Prison For DDoSing Steam, EA, Microsoft, Sony, Nintendo, DOTA2, Riot Games….

    In a one-of-its-kind act, a Utah-based man named Austin Thompson (23) is going to prison for launching DDoS attacks on servers of various gaming companies.

    The hacker, who goes by the online moniker DerpTrolling, compromised the servers of Microsoft Xbox, Sony PlayStation, Quake Live, DOTA2, League of Legends, and Steam between December 2013 and January 2014.

  • Hacker who launched DDoS attacks on Sony, EA, and Steam gets 27 months in prison

    At the time, Thompson used the @DerpTrolling Twitter account to announce attacks and take requests for services users wanted him to take down.

    While the hacker had been active since 2011, his most famous stretch of activity was between December 2013 and January 2014, when most of his high-profile DDoS attacks took place, before the account went inactive.

    The attacks caused many online gaming services to go offline, and after seeing DerpTrolling's success and the media coverage the hacker got, many other hacking crews followed suit in subsequent years.

  • Ubuntu updates for TCP SACK Panic vulnerabilities

    Issues have been identified in the way the Linux kernel’s TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. These TCP SACK Panic vulnerabilities could expose servers to a denial of service attack, so it is crucial to have systems patched.

    Updated versions of the Linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users.

    It is recommended to update to the latest kernel packages and consult Ubuntu Security Notices for further updates.

Security: OpenPGP, Cisco, Windows, Magento, Georgia and China

Filed under
Security
  • Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem

    Last week, contributors to the PGP protocol GnuPG noticed that someone was “poisoning” or “flooding” their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP.

    It’s unclear who’s behind these attacks, but the targets are Robert J. Hansen and Daniel Kahn Gillmor, both OpenPGP protocol developers.

    “We've known for a decade this attack is possible. It's now here and it's devastating,” Hansen wrote in his attack post-mortem.

  • Certificates Issued to Huawei Subsidiary Found in Cisco Switches

    Researchers noticed that the firmware for some Cisco switches contains X.509 certificates and associated private keys issued to a US-based subsidiary of Huawei. An investigation by the networking giant revealed that it was an oversight related to the use of an open-source third-party component.

    [...]

    In an informational advisory published on Wednesday, Cisco says its FindIT development team uses OpenDaylight for testing purposes and the certificates should not have been included in production firmware.

  • St John Ambulance becomes latest casualty of a ransomware attack [iophk: those signing off on Windows deployments need to see real jail time]

    Though it's "confident" that data has not been shared outside St John Ambulance, it fessed that the data of everyone who has opened an account, booked or attended a training course until February 2019 was affected.

    This data includes names, courses, contact details, costs, invoicing details and, in some cases, driving licence data. No passwords or credit card details were taken, and no records have been doctored.

  • Magento Patches Flaws Leading to Site Takeover

    Because at one point in the sanitization process sanitized links are injected back into the string via vsprintf(), an additional double quote is injected into the tag, which allows for an attribute injection.

    “This allows an attacker to inject arbitrary HTML attributes into the resulting string. By injecting a malicious onmouseover event handler and a style attribute to make the link an invisible overlay over the entire page, the XSS payload triggers as soon as a victim visits a page that contains such an XSS payload and moves his mouse,” the security firm says.

    Because the method is used to sanitize order cancellation notes, an attacker could exploit the vulnerability to inject arbitrary JavaScript that is triggered when an employee reviews the cancelled order.

  • Server image mystery in Georgia election security case

    The FBI data could reveal whether [attackers] tampered with elections in Georgia because the server in question had a gaping security hole that went unpatched for more than six months before being publicly exposed. Data on the server included passwords used by county officials to access elections management files.

    Technicians at the Center for Elections Systems at Kennesaw State University, which then ran the state’s election system, erased the server’s data on July 7, 2017, less than a week after the voting integrity suit was filed. After the AP reported on it three months later, Kemp denied ordering the data destruction or knowing about it in advance and called it reckless, inexcusable and inept.

    But the FBI had a forensic backup, which it made in March 2017 when it investigated the security hole. The FBI has not responded to repeated requests by the AP to confirm that it continues to possess the data. FBI Atlanta spokeswoman Jenna Sellitto wouldn’t say whether the FBI has examined the data on that image to determine whether any tampering or other malicious activity occurred.

  • Georgia Failed to Subpoena Image of Wiped Elections Server

    Marilyn Marks of the Coalition for Good Governance, a plaintiff in the case, said that if the state failed to secure the data from the FBI — despite informing U.S. District Judge Amy Totenberg in October 2017 of its intent to do so with the subpoena — it clearly has something to hide.

    "If they have destroyed records then it can be presumed that those records would have shown our allegations to be true," Marks said.

    Neither the Secretary of State's office nor an attorney representing it in the case, Josh Belinfante, would say why the subpoena was never filed. Nor would they say whether they had obtained the data through other means for secure safekeeping. The FBI in Atlanta also wouldn't say whether it has provided the state with a copy.

  • Antivirus firms start flagging spyware installed by Chinese border control

    It recently came to light that the border control authority in China's Xinjiang region was installing surveillance software on the phones of tourists without their knowledge or consent. The software apparently kept an eye out for terms that related to Islamic extremism and literature by the Dalai Lama.

9 Open Source Password Managers to Secure Yourself With

Filed under
OSS
Security

People use password managers so that they don’t have to remember all the usernames/passwords of the websites they visit. Instead, they can just remember 1 password, and then access all the other passwords whenever they need. In addition to that, this allows you as a user to increase the length and the complexity of the passwords you use, because now, you no longer have to remember them, so you can make your Facebook password something like 21#^#Y3#^2h281+_0H^I@F!##YU&^ with no problem.

Also, some password managers offer other features that you can use, e.g. auto-fill (automatically filling in the passwords when you open the URL in your browser), synchronization between devices, team storage (sharing passwords between multiple people), smartphone integration, various types and tools of encryption, emergency codes, and so on.

Traditionally, there are many closed-source proprietary password managers, and there are those which are open source. In today’s article, we’ll see 9 open source password managers that you can use to secure yourself.

Michał Górny (Gentoo) and Daniel Kahn Gillmor (Debian) on OpenPGP Security

Filed under
GNU
Linux
Gentoo
Security
Debian
  • Michał Górny: SKS poisoning, keys.openpgp.org / Hagrid and other non-solutions

    The recent key poisoning attack on SKS keyservers shook the world of OpenPGP. While this isn’t a new problem, it has not been exploited on this scale before. The attackers have proved how easy it is to poison commonly used keys on the keyservers and effectively render GnuPG unusably slow. A renewed discussion on improving keyservers has started as a result. It also forced Gentoo to employ countermeasures. You can read more on them in the ‘Impact of SKS keyserver poisoning on Gentoo’ news item.

    Coincidentally, the attack happened shortly after the launch of keys.openpgp.org, which advertises itself as both a poisoning-resistant and a GDPR-friendly keyserver. Naturally, many users see it as the ultimate solution to the issues with SKS. I’m afraid I have to disagree — in my opinion, this keyserver does not solve any problems, it merely cripples OpenPGP in order to avoid being affected by them, and harms its security in the process.

    In this article, I’d like to shortly explain what the problem is, and which of the different solutions proposed so far to it (e.g. on gnupg-users mailing list) make sense, and which make things even worse. Naturally, I will also cover the new Hagrid keyserver as one of the glorified non-solutions.

  • Daniel Kahn Gillmor: WKD for debian.org

    By default, this will show you any matching certificate that you already have in your GnuPG local keyring. But if you don't have a matching certificate already, it will fall back to using WKD.

    These certificates are extracted from the debian keyring and published at https://openpgpkey.debian.org/.well-known/debian.org/, as defined in the WKD spec. We intend to keep them up-to-date whenever the keyring-maint team publishes a new batch of certificates. Our tooling uses some repeated invocations of gpg to extract and build the published tree of files.

    Debian is currently not implementing the Web Key Directory Update Protocol (and we have no plans to do so). If you are a Debian developer and you want your OpenPGP certificate updated in WKD, please follow the normal procedures for Debian keyring maintenance like you always have.
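The key-poisoning attack described in the Motherboard excerpt and in Michał Górny's post above works by flooding a certificate with thousands of certifications. One defender-side check, added here as an example and not code from either post or from GnuPG, parses the machine-readable output of `gpg --with-colons --list-sigs` and flags keys whose certification counts are implausible; the sample records and the thresholds are constructed assumptions.

```python
"""Flag OpenPGP keys that carry an implausible number of certifications.

Added example (not from the posts above). It parses the colon-separated
output of `gpg --with-colons --list-sigs` and, for each primary key,
counts the certifications (`sig` records) and the distinct signing key
IDs. A key with far more certifications than any real web of trust
produces is the fingerprint of an SKS-style poisoning attack.
"""

# Constructed sample in gpg's colon format: one ordinary key and one
# "poisoned" key. Field 5 of a `pub` record is the key ID; field 5 of a
# `sig` record is the signer's key ID.
NORMAL_KEY = [
    "pub:u:4096:1:AAAA000000000001:1500000000::u:::scESC::::::23::0:",
    "uid:u::::1500000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:",
    "sig:::1:AAAA000000000001:1500000000::::Alice Example <alice@example.org>:13x:::::2:",
    "sig:::1:BBBB000000000002:1500000001::::Bob Example <bob@example.org>:10x:::::2:",
    "sig:::1:CCCC000000000003:1500000002::::Carol Example <carol@example.org>:12x:::::2:",
]
POISONED_KEY = (
    ["pub:u:4096:1:DDDD000000000004:1500000000::u:::scESC::::::23::0:",
     "uid:u::::1500000000::FEEDFACE::Dave Example <dave@example.org>::::::::::0:"]
    # Thousands of certifications from throwaway keys, as in the SKS attack
    # (constructed; the signer key IDs are just counters).
    + [f"sig:::1:{n:016X}:1500000100::::Junk {n} <junk{n}@example.invalid>:10x:::::2:"
       for n in range(2500)]
)
SAMPLE_LISTING = NORMAL_KEY + POISONED_KEY


def certification_stats(lines):
    """Return {primary_key_id: (signature_count, distinct_signer_count)}."""
    sigs = {}
    current = None
    for line in lines:
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            sigs.setdefault(current, [])   # keys with no sigs still appear
        elif fields[0] == "sig" and current is not None:
            sigs[current].append(fields[4])
    return {key: (len(signers), len(set(signers))) for key, signers in sigs.items()}


def flag_poisoned(stats, max_sigs=500, min_signer_ratio=0.9):
    """Key IDs whose certification pattern looks like flooding.

    Assumed heuristic: more than `max_sigs` certifications, almost all of
    them from distinct keys (a real key gets a few repeated signers, not
    thousands of one-off ones)."""
    flagged = []
    for key_id, (n_sigs, n_signers) in stats.items():
        if n_sigs > max_sigs and n_signers / n_sigs >= min_signer_ratio:
            flagged.append(key_id)
    return flagged


if __name__ == "__main__":
    stats = certification_stats(SAMPLE_LISTING)
    for key_id, (n_sigs, n_signers) in stats.items():
        print(f"{key_id}: {n_sigs} certifications from {n_signers} signers")
    print("flagged as poisoned:", flag_poisoned(stats))
```

On a real keyring, feed the lines of `gpg --with-colons --list-sigs` to `certification_stats`; note that importing a poisoned key into the keyring is itself the step that becomes unusably slow, so the check is most useful on a keyring you already hold.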
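To show how a WKD client turns an address into the lookup URL that Daniel Kahn Gillmor's post refers to, here is an added example (not Debian's tooling) following the WKD draft: the local part is lowercased, SHA-1 hashed, and the digest is z-base-32 encoded into the 32-character "hu" name. The address used in the usage section is the draft's own worked example; `zbase32_encode` is a hand-written helper, not a library call.

```python
"""Compute the Web Key Directory (WKD) lookup URL for an e-mail address.

Added example, not part of DKG's post or Debian's keyring tooling.
It follows the WKD draft: lowercase the local part, SHA-1 it, and encode
the 20-byte digest with z-base-32 to get the "hu" directory name. Both
the advanced form (openpgpkey.<domain>) and the direct form (<domain>)
are produced.
"""
import hashlib

# z-base-32 alphabet from Zooko's spec (no padding characters are used).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding: 5 bits per character, most significant first."""
    out = []
    buffer = 0
    bits = 0
    for byte in data:
        buffer = (buffer << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append(ZBASE32_ALPHABET[(buffer >> bits) & 0x1F])
    if bits:  # leftover bits are zero-padded on the right to a final character
        out.append(ZBASE32_ALPHABET[(buffer << (5 - bits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """The "hu" name: z-base-32 of SHA-1 over the lowercased local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Advanced and direct WKD URLs for `address` (domain is lowercased,
    the `l=` query parameter carries the local part as given)."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hu = wkd_hash(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hu}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={local}",
    }


if __name__ == "__main__":
    # The address used as the worked example in the WKD draft.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
```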

More in Tux Machines

KDE: KDevelop 5.3.3 Released, Latte Dock Update and Release of Kaidan 0.4.1

  • KDevelop 5.3.3 released

    We today provide a stabilization and bugfix release with version 5.3.3. This is a bugfix-only release, which introduces no new features and as such is a safe and recommended update for everyone currently using a previous version of KDevelop 5.3. You can find a Linux AppImage as well as the source code archives on our download page. Windows installers are no longer offered, we are looking for someone interested to take care of that.

  • Latte, Documentation and Reports...

    First Latte beta release for v0.9.0 is getting ready and I am really happy about it :) . But today instead of talking about the beta release I am going to focus on two last-minute "arrivals" for v0.9; that is Layouts Reports and Documentation. If you want to read first the previous article you can do so at Latte and "Flexible" settings...

  • Kaidan 0.4.1 released!

    After some problems were encountered in Kaidan 0.4.1, we tried to fix the most urgent bugs.

Security: Linux 5.2 Dissection, New Patches, New ZDNet (CBS) FUD and Kali NetHunter App Store

  • Kees Cook: security things in Linux v5.2

    Gustavo A. R. Silva is nearly done with marking (and fixing) all the implicit fall-through cases in the kernel. Based on the pull request from Gustavo, it looks very much like v5.3 will see -Wimplicit-fallthrough added to the global build flags and then this class of bug should stay extinct in the kernel. That’s it for now; let me know if you think I should add anything here. We’re almost to -rc1 for v5.3!

  • Security updates for Wednesday

    Security updates have been issued by Debian (libreoffice), Red Hat (thunderbird), SUSE (ardana and crowbar, firefox, libgcrypt, and xrdp), and Ubuntu (nss, squid3, and wavpack).

  • Malicious Python libraries targeting Linux servers removed from PyPI [Ed: Python does not run only on Linux, but Microsoft-funded sites like ZDNet (CBS) look for ways to blame everything on "Linux", even malicious software that gets caught in the supply chain]
  • Malicious Python Libraries Discovered on PyPI, Offensive Security Launches the Kali NetHunter App Store, IBM Livestreaming a Panel with Original Apollo 11 Technicians Today, Azul Systems Announces OpenJSSE and Krita 4.2.3 Released

    Offensive Security, the creators of open-source Kali Linux, has launched the Kali NetHunter App Store, "a new one stop shop for security relevant Android applications. Designed as an alternative to the Google Play store for Android devices, the NetHunter store is an installable catalogue of Android apps for pentesting and forensics". The press release also notes that the NetHunter store is a slightly modified version of F-Droid: "While F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, the NetHunter store goes a step further by removing the entire code to ensure that privacy cannot be accidentally compromised". See the Kali.org blog post for more details.

Ubuntu/Fedora GNOME Feud and GNOME's Sriram Ramkrishna

  • Fedora, GNOME Software, and snap

    A question about the future of package distribution is at the heart of a disagreement about the snap plugin for the GNOME Software application in Fedora. In a Fedora devel mailing list thread, Richard Hughes raised multiple issues about the plugin and the direction that he sees Canonical taking with snaps for Ubuntu. He plans to remove support for the plugin for GNOME Software in Fedora 31. There are currently two major players for cross-distribution application bundles these days: snaps, which were developed by Canonical for Ubuntu and the Snap Store, and Flatpak, which was developed by Alexander Larsson of Red Hat as part of freedesktop.org. Both systems are available for multiple Linux distributions. They are meant to give an "app-like" experience, where users simply install an application, which comes with any dependencies it has that are not provided by the snap or Flatpak runtime. The GNOME Software application has a snap plugin that, when enabled, supports the distribution, installation, and management of snaps. The Fedora project currently provides the snap plugin as a package in Fedora 30, though it is not installed by default. Hughes is the Fedora maintainer for the plugin; he announced his intention to disable the plugin since, he says, he was told that Canonical was not going to be installing GNOME Software in the next Ubuntu Long Term Support (LTS) release.

  • Molly de Blanc: Meet Sriram Ramkrishna

    Sriram Ramkrishna, frequently known as Sri, is perhaps GNOME’s oldest contributor. He’s been around the community for almost as long as it’s been around! [...] But more than that, GNOME was a project that if you think about it was audacious in its purpose. Building a desktop in 1997 around an operating system that was primitive in terms of user experience, tooling, and experience. I wanted to be part of that.

Mozilla: Android, VR and Rust

  • Recent fixes to reduce backlog on Android phones

    Last week it seemed that all our limited resource machines were perpetually backlogged. I wrote yesterday to provide insight into what we run and some of our limitations. This post will be discussing the Android phones backlog last week specifically. The Android phones are hosted at Bitbar and we split them into pools (battery testing, unit testing, perf testing) with perf testing being the majority of the devices.

  • Q&A: Igniting imaginations and putting VR in the hands of students with Kai Frazier

    When you were in school, you may have taken a trip to a museum or a local park, but you probably never got to see an active volcano or watch great whites hunt. As Virtual Reality grows, this could be the way your kids will learn — using headsets the way we use computers. When you were in school, you may have gone on a trip to the museum, but you probably never stood next to an erupting volcano, watching molten lava pouring down its sides. As Virtual Reality (VR) grows, learning by going into the educational experience could be the way children will learn — using VR headsets the way we use computers. This kind of technology holds huge potential in shaping young minds, but like with most technology, not all public schools get the same access. For those who come from underserved communities, the high costs to technology could widen an already existing gap in learning, and future incomes.

  • This Week in Rust 295 [Ed: Just delete GitHub, Mozilla. And while you're at it, stop using proprietary software and imposing it on Rust contributors.]

    This Week in Rust is openly developed on GitHub.

  • How to speed up the Rust compiler in 2019

    libsyntax has three tables in a global data structure, called Globals, storing information about spans (code locations), symbols, and hygiene data (which relates to macro expansion). Accessing these tables is moderately expensive, so I found various ways to improve things.