
Security: Updates, Purism's Coreboot and More


Security: Updates, Politics, Back Doors and Planned Failure

  • Security updates for Wednesday
  • China slams Australia over 'double standards' in cyber security

    China has taken a swipe at Australia over the country's encryption law, saying it was "baffling" how Canberra could on the one hand claim that other countries posed security threats, while on the other hand engage in acts that endangered the cyber security of other nations.

  • How to (not) fix a security flaw

    A pair of flaws in the web interface for two small-business Cisco routers make for a prime example of the wrong way to go about security fixes. These kinds of flaws are, sadly, fairly common, but the comedy of errors that resulted here is, thankfully, rather rare. Among other things, it shows that vendors may wish to await a real fix rather than to release a small, ineffective band-aid to try to close a gaping hole.

    RedTeam Pentesting GmbH found the flaws in September 2018 and notified Cisco shortly thereafter. The original disclosure date was planned for January 9, but that was postponed until January 23 at Cisco's request. On the latter date, Cisco issued advisories for CVE-2019-1652 and CVE-2019-1653; RedTeam Pentesting released its own advisories, with lots more detail, for CVE-2019-1652 and CVE-2019-1653.

    The flaws are bog standard web-application vulnerabilities. CVE-2019-1652 is a command injection that allows authenticated users (in the web interface) to execute arbitrary Linux commands as root. CVE-2019-1653 allows anyone to request the configuration page from the router, which contains all sorts of interesting information, including user names with hashed passwords, VPN and IPsec secrets, and more. In addition, password hashes are all that is needed to log into the web interface—no cracking required.

    Beyond that, an additional information disclosure flaw, related to CVE-2019-1653, was reported; it uses a debug interface to retrieve a .tgz (gzipped tar) file, encrypted with a known, hard-coded password, from the device. That file contained even more configuration and debugging information as well as etc.tgz and var.tgz with the contents of those directories from the router. In all of the RedTeam Pentesting advisories, curl was used for the proof of concept, though there are lots of other ways to perform the same actions, of course.

    The flaws were found, reported, and fixed; so far, so good—or so it would seem. But on February 7, RedTeam Pentesting found that the fixes shipped by Cisco were, at a minimum, insufficient. Once again, the problems were reported to Cisco, with a disclosure date of March 27. Despite a last-minute request to postpone the disclosure, three new advisories (command injection, configuration information disclosure, and even more configuration information disclosure) were released by RedTeam Pentesting on March 27.
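
The band-aid-versus-real-fix pattern the LWN article describes, as an added Python illustration that is not Cisco's code or RedTeam Pentesting's proof of concept. The ping handler, its three variants and the payloads are hypothetical; the point is that stripping a few characters leaves every other shell operator working, while validating the parameter and passing an argv list without a shell removes the class of bug:

```python
"""Three ways to handle a host parameter that ends up in a shell command.

Added illustration, not Cisco's code or the RedTeam Pentesting proof of
concept: a hypothetical router web handler that pings a user-supplied host.
"""
import ipaddress
import shlex
from typing import List

# Tokens that let a caller chain or substitute a second program in /bin/sh.
SHELL_OPERATORS = {"|", "||", "&", "&&", ";", "(", ")", "<", ">", ">>"}


def build_ping_vulnerable(host: str) -> str:
    """The original bug: form input pasted straight into a /bin/sh command line."""
    return f"ping -c 1 {host}"


def build_ping_bandaid(host: str) -> str:
    """A band-aid: drop a few metacharacters and ship it.

    It stops the exact payload the reporter used (';') and nothing else.
    """
    for bad in (";", "&", "`"):
        host = host.replace(bad, "")
    return f"ping -c 1 {host}"


def build_ping_fixed(host: str) -> List[str]:
    """The real fix: allow-list the input and never route it through a shell.

    The returned argv list is meant for subprocess.run(argv, shell=False),
    so metacharacters carry no meaning even if validation ever regressed.
    """
    try:
        ipaddress.ip_address(host)  # raises ValueError on anything but an IP
    except ValueError:
        raise ValueError(f"rejected host parameter: {host!r}") from None
    return ["ping", "-c", "1", host]


def shell_tokens(cmd: str) -> List[str]:
    """Tokenise roughly the way /bin/sh would; operators become their own tokens."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def injects(cmd: str) -> bool:
    """True if the command line still lets the caller start a second program."""
    if "\n" in cmd:  # a newline ends one command and starts the next
        return True
    return any(tok in SHELL_OPERATORS for tok in shell_tokens(cmd))


if __name__ == "__main__":
    for payload in ("192.0.2.10", "192.0.2.10;id", "192.0.2.10|id", "192.0.2.10$(id)"):
        print(f"{payload!r:20} vulnerable={injects(build_ping_vulnerable(payload))} "
              f"band-aid={injects(build_ping_bandaid(payload))}")
```

Run it and the band-aid column goes from True to False only for the `;` payload; the `|`, `$(...)` and newline variants sail through, which is what an insufficient fix looks like from the outside. The fixed variant raises before any command is built.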

  • Wladimir Palant: Bogus security mechanisms: Encrypting localhost traffic

    Nowadays it is common for locally installed applications to also offer installing browser extensions that will take care of browser integration. Securing the communication between extensions and the application is not entirely trivial, something that Logitech had to discover recently for example. I’ve also found a bunch of applications with security issues in this area. In this context, one has to appreciate RememBear password manager going to great lengths to secure this communication channel. Unfortunately, while their approach isn’t strictly wrong, it seems to be based on a wrong threat assessment and ends up investing far more effort into this than necessary.

    The approach

    It is pretty typical for browser extensions and applications to communicate via WebSockets. In the case of RememBear the application listens on port 8734, so the extension creates a connection to ws://localhost:8734. After that, messages can be exchanged in both directions. So far it’s all pretty typical. The untypical part is RememBear using TLS to communicate on top of an unencrypted connection.

    So the browser extension contains a complete TLS client implemented in JavaScript. It generates a client key, and on first connection the user has to confirm that this client key is allowed to connect to the application. It also remembers the server’s public key and will reject connecting to another server.

    Why use its own TLS implementation instead of letting the browser establish an encrypted connection? The browser would verify TLS certificates, whereas the scheme here is based on self-signed certificates. Also, browsers never managed to solve authentication via client keys without degrading user experience.

  • You May Not Be Only Person Seeing Hotel Reservation Booking Details

    Before we go any further, we need to take a look back a few decades ago and realize how much easier the Internet has made booking travel. Remember when you had to call a travel agent to book a hotel room or a flight?

    You could book a hotel if you knew of its existence, but without the Internet, you didn’t know which hotels were located on a certain beach or close to the airport, had you never traveled to the area before. And there was no other way to book flights. Not only did the Internet make booking travel easier, but it left us with so much more control to be able to research all these choices ourselves.

    But Symantec tells us that freedom has come with a price. Hundreds of hotel websites have flaws that leak sensitive information, including your name, phone number, address, confirmation email, and even your passport number. Realize that with this information hackers know your address and when you’ll be gone for an extended period of time.

    Symantec threat researcher Candid Wueest looked at more than 1,500 hotel websites in more than 50 countries. He found two-thirds of them had security issues.

    The Marriott hotel chain has been open about their cyberattacks recently, as has Sheraton, Westin, Starwood, and Wyndham hotels. Marriott admitted last November that hackers had stolen the records of up to 383 million guests. It became one of the largest personal data breaches in history.

Security Leftovers

  • It's raining patches, Hallelujah! Microsoft and Adobe put out their latest major fixes
  • Reproducible Builds: Weekly report #206
  • Brace yourselves: Exploit published for serious Magento bug allowing card skimming [Updated]

    Attack code was published on Friday that exploits a critical vulnerability in the Magento e-commerce platform, all but guaranteeing it will be used to plant payment card skimmers on sites that have yet to install a recently released patch.

    PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take over administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes. From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof-of-concept exploit.
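
What "download user names and password hashes and crack the hashes" looks like against a string-built query, as an added Python/sqlite3 example that is not Magento's code or the Sucuri exploit. The tables, the row and the SHA-256 hash are constructed here; the vulnerable and fixed lookups differ only in whether the caller's text is bound as a parameter:

```python
"""Unauthenticated SQL injection that dumps credential hashes, and its fix.

Added example, not Magento's code or the Sucuri proof of concept. Schema,
rows and the hash are constructed for the demonstration.
"""
import hashlib
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory store: a table the public page reads, and one it never should."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE admin_user (username TEXT, password_hash TEXT);
        """
    )
    db.executemany("INSERT INTO product VALUES (?, ?)", [(1, "mug"), (2, "hat")])
    # Unsalted SHA-256 stands in for a weak legacy hash; the password is constructed.
    db.execute(
        "INSERT INTO admin_user VALUES (?, ?)",
        ("admin", hashlib.sha256(b"constructed-demo-password").hexdigest()),
    )
    db.commit()
    return db


def product_name_vulnerable(db: sqlite3.Connection, product_id: str) -> List[Tuple[str]]:
    """String-built query: whatever the request carries becomes SQL."""
    sql = f"SELECT name FROM product WHERE id = {product_id}"
    return db.execute(sql).fetchall()


def product_name_fixed(db: sqlite3.Connection, product_id: str) -> List[Tuple[str]]:
    """Parameterised query: the value is bound, never parsed as SQL."""
    return db.execute("SELECT name FROM product WHERE id = ?", (product_id,)).fetchall()


# What an unauthenticated attacker sends as the product id (constructed payload).
DUMP_PAYLOAD = "1 UNION ALL SELECT username || ':' || password_hash FROM admin_user"


def dumped_credentials(rows: List[Tuple[str]]) -> List[Tuple[str, str]]:
    """Pull (username, hash) pairs out of rows smuggled in via the UNION."""
    return [tuple(r[0].split(":", 1)) for r in rows if ":" in r[0]]


def crack(password_hash: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack on an unsalted hash: cheap, which is why dumps matter."""
    for candidate in wordlist:
        if hashlib.sha256(candidate.encode()).hexdigest() == password_hash:
            return candidate
    return None


if __name__ == "__main__":
    db = make_db()
    leaked = dumped_credentials(product_name_vulnerable(db, DUMP_PAYLOAD))
    print("vulnerable:", leaked)
    print("fixed:", product_name_fixed(db, DUMP_PAYLOAD))
    for user, h in leaked:
        print(user, "->", crack(h, ["hunter2", "constructed-demo-password"]))
```

The parameterised version returns nothing for the payload because the whole string is compared against the integer column as a value, not interpreted as a query. The crack() step is a plain dictionary attack; a salted, slow hash would turn it from seconds into a budget question.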

  • Knock and don’t run: the tale of the relentless hackerbots
  • Mozilla Firefox 66.0.3 Now Available for Download on Linux, Windows, and Mac

    Needless to say, there are no new features in this release, as Mozilla typically uses these smaller updates for bug fixes and further performance improvements. New features are usually included in major browser updates.

    As per GHacks, Firefox 66.0.3 addresses performance issues with certain HTML5 games on Pogo.com. The browser should now work correctly when accessing this website and games should no longer run slower than expected on the platform.

  • Mozilla releases Firefox 66.0.3

    Mozilla plans to release Firefox 66.0.3, a minor upgrade to the web browser's stable channel, later today on April 10, 2019.

    Firefox 66.0.3 is the third minor release after the release of Firefox 66.0 in March 2019. Firefox 66.0.1 was a security update to address new vulnerabilities discovered by participants of the Pwn2Own hacking contest, Firefox 66.0.2 a bug fix release that addressed an issue with certain online editors.

  • Mozilla Open Policy & Advocacy Blog: What we think about the UK government’s ‘Online Harms’ white paper

    The UK government has just outlined its plans for sweeping new laws aimed at tackling illegal and harmful content and activity online, described by the government as ‘the toughest internet laws in the world’. While the UK proposal has some promising ideas for what the next generation of content regulation should look like, there are several aspects that would have a worrying impact on individuals’ rights and the competitive ecosystem. Here we provide our preliminary assessment of the proposal, and offer some guidance on how it could be improved.

    According to the UK white paper, companies of all sizes would be under a ‘duty of care’ to protect their users from a broad class of so-called ‘online harms’, and a new independent regulator would be established to police them. The proposal responds to legitimate public policy concerns around how platforms deal with illegal and harmful content online, as well as the general public demand for tech companies to ‘do more’. We understand that in many respects the current regulatory paradigm is not fit for purpose, and we support an exploration of what codified content ‘responsibility’ might look like.

  • Mysterious [Attackers] Hid Their Swiss Army Spyware for 5 Years

    In a talk at the Kaspersky Security Analyst Summit in Singapore Wednesday, Kaspersky security researcher Alexey Shulmin revealed the security firm's discovery of a new spyware framework—an adaptable, modular piece of software with a range of plugins for distinct espionage tasks—that it's calling TajMahal. The TajMahal framework's 80 modules, Shulmin says, comprise not only the typical keylogging and screengrabbing features of spyware, but also never-before-seen and obscure tricks. It can intercept documents in a printer queue, and keep track of "files of interest," automatically stealing them if a USB drive is inserted into the infected machine. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state [attacker] group.

  • ‘She lies to everyone’: Feds say Mar-a-Lago intruder had hidden-camera detector in hotel [iophk: "Windows mindset, Windows TCO"]

    A federal prosecutor argued in court Monday that Yujing Zhang, the Chinese woman arrested trying to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, “lies to everyone she encounters,” adding that a search of her hotel room uncovered more than $8,000 in cash, as well as a “signal-detector” device used to reveal hidden cameras.

  • Thumb drive carried by Mar-a-Lago intruder immediately installed files on a [Windows computer]

    The details came to light at a bond hearing on Monday in a Florida federal court. There, a Secret Service agent testified that the malware Zhang carried was capable of infecting a computer as soon as the thumb drive was plugged in. According to a report published Monday by the Miami Herald: [...]

  • Chinese Woman Arrested at Mar-a-Lago Had a Hidden Camera Detector, Prosecutors Say

    Mr. Ivanovich testified that the computer analyst who reviewed Ms. Zhang’s devices said that the thumb drive she was carrying had immediately begun installing malware.

    “He stated that he had to immediately stop the analysis and shut off his [Windows] computer to halt the corruption,” Mr. Ivanovich said.

  • Chinese Intruder at Mar-a-Lago to Stay in Jail Another Week

    Secret Service agent Samuel Ivanovich testified Monday that another agent put the USB drive into his computer and it immediately began to install files. The agent shut down the computer to prevent a possible infection, but Ivanovich couldn’t identify the malware. The device is still being analyzed, Ivanovich said.

  • Mar-a-Lago mystery Chinese malware lady to stay in jail for another week

Security: Updates and Flaws

  • Security updates for Tuesday
  • Optimising IoT bandwidth with delta updates [Ed: Canonical is pushing proprietary software again; using Snap. These are ads in their blogs… last week a paid press releases for Microsoft.]
  • 6 Kubernetes security questions, answered

    If you’re asking questions about Kubernetes to learn more about the platform, security will be on your list. The good news: both the open source project and the commercial platforms that sit on top of it have plenty of strong security-related features baked in. Moreover, there’s a lively Kubernetes community with a shared interest in the ongoing security of the orchestration tool.

    “The Kubernetes community has had security at the forefront of their minds from the start,” says Wei Lein Dang, VP of products at StackRox.

    As with many technologies, though, the security risks tend to follow the adoption curve. So as the use of containers expands, expect Kubernetes to become an important focal point for security in containerized environments.

  • The security of dependencies

    So you’ve written some software. It’s full of open source dependencies. These days all software is full of open source, there’s no way around it at this point. I explain the background in my previous post.

    Now that we have all this open source, how do we keep up with it? If you’re using a lot of open source in your code there could be one or more updated dependencies per day!

    Step one is knowing what you have. There are a ton of ways to do this, but I’m going to bucket things into 3 areas.
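
Step one, "knowing what you have", as an added Python example that is not the author's code: parse a pinned requirements file into an inventory and match it against an advisory table. Both the requirements text and the advisories are constructed for the demonstration, and the version comparison is a simplification that ignores pre-release and post-release tags; a production tool would use a PEP 440 implementation such as packaging.version:

```python
"""Step one of dependency hygiene: an inventory, then matching it to advisories.

Added example, not the author's code. The requirements text and the advisory
table are constructed; the version parser is a simplification (no PEP 440
pre/post-release handling) that a real tool would replace with
packaging.version.
"""
import re
from typing import Dict, List, Tuple

REQUIREMENTS = """\
# constructed requirements.txt for the demonstration
requests==2.19.1
urllib3==1.23
Flask==1.0.2  # pinned for the API service
PyYAML==3.13
"""

# Constructed advisories: (package, first affected version, first fixed version).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("urllib3", "0", "1.24.2"),
    ("pyyaml", "0", "5.1"),
    ("flask", "0", "1.0"),
]

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' folded."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric components only; '1.24.2' -> (1, 24, 2)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_requirements(text: str) -> Dict[str, str]:
    """Inventory of exactly pinned packages. Anything unpinned is rejected:
    a '>=' line means you do not actually know what is installed."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        deps[normalise(m.group(1))] = m.group(2)
    return deps


def affected(deps: Dict[str, str], advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """(package, installed, first fixed) for every advisory whose range we fall in."""
    hits = []
    for pkg, first_bad, first_fixed in advisories:
        installed = deps.get(normalise(pkg))
        if installed is None:
            continue
        if parse_version(first_bad) <= parse_version(installed) < parse_version(first_fixed):
            hits.append((normalise(pkg), installed, first_fixed))
    return hits


if __name__ == "__main__":
    inventory = parse_requirements(REQUIREMENTS)
    for pkg, installed, fixed in affected(inventory, ADVISORIES):
        print(f"{pkg}=={installed} is affected; upgrade to >= {fixed}")
```

The same shape works for any lockfile (package-lock.json, Gemfile.lock, go.sum): a parser that refuses to guess, a normalised name, and a range check. The refusal is the important part; an inventory with "probably 2.x" entries cannot be matched against anything.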

  • Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control

    Internet routers are among the most ubiquitous devices home and business users depend on every day to carry out communications, banking, shopping and commercial transactions. IBM Security researcher Grzegorz Wypych (aka h0rac) took a closer look at one of the most widespread internet routers in use by consumers nowadays, the TP-Link WR-940, and found that a zero-day buffer overflow vulnerability in the router could allow malicious third parties to take control of the device from a remote location.

  • PoC exploit for Carpe Diem Apache bug released

OpenVPN 3 Linux client - v5 beta released


The OpenVPN 3 Linux v5 beta release has just been made available. This is
available in our git repositories [0] and URLs for source tarballs are listed
later in this e-mail. RPM binaries for Fedora and RHEL/CentOS/Scientific
Linux [1] completed the build process quite recently too. Debian and Ubuntu
packages will follow; they just need a few rounds of internal testing and
we will hopefully be able to release them soon too.

Read more

Also: OpenVPN 3 Linux Beta 5 Builds Against OpenSSL By Default, Configuration Improvements

Security: Updates, IPFire 2.21 - Core Update 129, Debian LTS/Freexian and Using Multi-factor Authentication (MFA)


Security Leftovers


WireGuard Snapshot `0.0.20190406` Available


Hello,

A new snapshot, `0.0.20190406`, has been tagged in the git repository.

Please note that this snapshot is, like the rest of the project at this point
in time, experimental, and does not constitute a real release that would be
considered secure and bug-free. WireGuard is generally thought to be fairly
stable, and most likely will not crash your computer (though it may).
However, as this is a pre-release snapshot, it comes with no guarantees, and
its security is not yet to be depended on; it is not applicable for CVEs.

With all that said, if you'd like to test this snapshot out, there are a
few relevant changes.

== Changes ==

  * allowedips: initialize list head when removing intermediate nodes
  
  Fix for an important regression in removing allowed IPs from the last
  snapshot. We have new test cases to catch these in the future as well.
  
  * wg-quick: freebsd: rebreak interface loopback, while fixing localhost
  * wg-quick: freebsd: export TMPDIR when restoring and don't make empty
  
  Two fixes for FreeBSD which have already been backported into ports.
  
  * tools: genkey: account for short reads of /dev/urandom
  * tools: add support for Haiku
  
  The tools now support Haiku! Maybe somebody is working on a WireGuard
  implementation for it?
  
  * tools: warn if an AllowedIP has a nonzero host part
  
  If you try to run `wg set wg0 peer ... allowed-ips 192.168.1.82/24`, wg(8)
  will now print a warning. Even though we mask this automatically down to
  192.168.1.0/24, usually when people specify it like this, it's a mistake.
  
  * wg-quick: add 'strip' subcommand
  
  The new strip subcommand prints the config file to stdout after stripping
  it of all wg-quick-specific options. This enables tricks such as:
  `wg addconf $DEV <(wg-quick strip $DEV)`.
  
  * tools: avoid unneccessary next_peer assignments in sort_peers()
  
  Small C optimization the compiler was probably already doing.
  
  * peerlookup: rename from hashtables
  * allowedips: do not use __always_inline
  * device: use skb accessor functions where possible
  
  Suggested tweaks from Dave Miller.
  
  * qemu: set framewarn 1280 for 64bit and 1024 for 32bit
  
  These should indicate to us more clearly when we cross the most strict stack
  thresholds expected when using recent compilers with the kernel.
  
  * blake2s: simplify
  * blake2s: remove outlen parameter from final
  
  The blake2s implementation has been simplified, since we don't use any of the
  fancy tree hashing parameters or the like. We also no longer separate the
  output length at initialization time from the output length at finalization
  time.
  
  * global: the _bh variety of rcu helpers have been unified
  * compat: nf_nat_core.h was removed upstream
  * compat: backport skb_mark_not_on_list
  
  The usual assortment of compat fixes for Linux 5.1.

This snapshot contains commits from: Jason A. Donenfeld, Luis Ressel, Samuel 
Neves, Bruno Wolff III, and Alexander von Gluck IV.

As always, the source is available at https://git.zx2c4.com/WireGuard/ and
information about the project is available at https://www.wireguard.com/ .

This snapshot is available in compressed tarball form here:
  https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20190406.tar.xz
  SHA2-256: 2f06f3adf70b95e74a7736a22dcf6e9ef623b311a15b7d55b5474e57c3d0415b
  BLAKE2b-256: 787a01fa3d6a800d7376a04ff57dd16d884a7d3cb99d2f91bfc59895ab759200

A PGP signature of that file decompressed is available here:
  https://git.zx2c4.com/WireGuard/snapshot/WireGuard-0.0.20190406.tar.asc
  Signing key: AB9942E6D4A4CFC3412620A749FC7012A5DE03AE

If you're a snapshot package maintainer, please bump your package version. If
you're a user, the WireGuard team welcomes any and all feedback on this latest
snapshot.

Finally, WireGuard development thrives on donations. By popular demand, we
have a webpage for this: https://www.wireguard.com/donations/

Thank you,
Jason Donenfeld

Read more

Also: New WireGuard Snapshot Offers FreeBSD Fixes, Other Tweaks
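
Checking a downloaded snapshot against the digests and signature details in the announcement above, as an added Python example that is not part of the WireGuard project's tooling. It carries the announced SHA2-256 and BLAKE2b-256 values and the announced signing key; BLAKE2b-256 is BLAKE2b with a 32-byte digest, and the .asc signature covers the decompressed .tar, so the .xz is decompressed before gpg is invoked. demo_roundtrip() builds a constructed .tar.xz in a temporary directory so the digest and decompression steps can be exercised offline; verify_signature() needs gpg and the key on the local keyring:

```python
"""Verify a snapshot tarball against an announcement's digests and signature.

Added example, not WireGuard project tooling. The digests and key fingerprint
are those printed in the 0.0.20190406 announcement; everything else is
illustrative.
"""
import hashlib
import hmac
import lzma
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Tuple

ANNOUNCED_DIGESTS = {
    "sha256": "2f06f3adf70b95e74a7736a22dcf6e9ef623b311a15b7d55b5474e57c3d0415b",
    "blake2b256": "787a01fa3d6a800d7376a04ff57dd16d884a7d3cb99d2f91bfc59895ab759200",
}
ANNOUNCED_SIGNING_KEY = "AB9942E6D4A4CFC3412620A749FC7012A5DE03AE"


def digests(path: Path) -> Dict[str, str]:
    """SHA2-256 and BLAKE2b-256 of a file, streamed so large tarballs are fine."""
    sha = hashlib.sha256()
    b2 = hashlib.blake2b(digest_size=32)  # BLAKE2b-256 = BLAKE2b with 32-byte output
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha.update(chunk)
            b2.update(chunk)
    return {"sha256": sha.hexdigest(), "blake2b256": b2.hexdigest()}


def digests_match(path: Path, expected: Dict[str, str]) -> bool:
    """Every announced digest must match; compare_digest avoids timing leaks."""
    got = digests(path)
    return all(hmac.compare_digest(got[name], value.lower()) for name, value in expected.items())


def decompress_for_signature(xz_path: Path) -> Path:
    """The .asc signs the decompressed .tar, so produce it next to the .tar.xz."""
    tar_path = xz_path.with_suffix("")  # "foo.tar.xz" -> "foo.tar"
    with lzma.open(xz_path, "rb") as src, tar_path.open("wb") as dst:
        for chunk in iter(lambda: src.read(1 << 16), b""):
            dst.write(chunk)
    return tar_path


def verify_signature(tar_path: Path, fingerprint: str = ANNOUNCED_SIGNING_KEY) -> bool:
    """Run gpg and accept only a VALIDSIG made by (or under) the announced key.

    "Good signature" alone is not enough: any key on the keyring would pass.
    Needs gpg and the key imported; not exercised by demo_roundtrip().
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", f"{tar_path}.asc", str(tar_path)],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False
    for line in proc.stdout.splitlines():
        fields = line.split()
        # [GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if fingerprint.upper() in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def demo_roundtrip() -> Tuple[bool, bool, str, bool]:
    """Constructed .tar.xz in a temp dir: (good digests match, bad digests match,
    decompressed file name, decompressed bytes equal the original)."""
    payload = b"constructed tar contents, not a real archive\n" * 64
    with tempfile.TemporaryDirectory() as tmp:
        xz = Path(tmp) / "Example-0.0.tar.xz"
        xz.write_bytes(lzma.compress(payload))
        good = digests(xz)  # stands in for the values an announcement would print
        bad = dict(good, sha256="0" * 64)
        tar = decompress_for_signature(xz)
        return (digests_match(xz, good), digests_match(xz, bad), tar.name, tar.read_bytes() == payload)


if __name__ == "__main__":
    print(demo_roundtrip())
```

For the real file the sequence is digests_match(Path("WireGuard-0.0.20190406.tar.xz"), ANNOUNCED_DIGESTS), then decompress_for_signature() and verify_signature() on the resulting .tar with the .asc from the announcement beside it. The fingerprint check is the part people skip; a "Good signature" line from a key that merely happens to be on the keyring proves nothing.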

Security: CSS Exfil Protection, Intel, Android and More


Security: DNS, Google and Facebook

  • Waves of DNS hijacking attempts target mostly D-Link routers

    Waves of DNS hijackings over the past three months, aimed at consumer-grade routers mostly from D-Link, have been diverting traffic from a number of well-known domains and directing them elsewhere.

  • Ongoing DNS hijackings target unpatched consumer routers

    A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned.

  • Hiding in Plain Sight

    Cisco Talos is continually working to ensure that our threat intelligence not only accounts for the latest threats but also new versions of old threats, such as spam. This often means pursuing cybercriminals wherever they congregate. However, instead of wheeling-and-dealing using hidden servers on some mysterious dark web address, a surprisingly large number of cyber scofflaws prefer to operate right out in the open using social media. For example, Facebook is host to dozens of groups that serve as online marketplaces and exchanges for cybercriminals. Talos saw spam from services advertised in these Facebook groups show up in our own telemetry data, indicating a potential impact to Cisco customers from these groups.

    Over the past several months, Cisco Talos has tracked several groups on Facebook where shady (at best) and illegal (at worst) activities frequently take place. The majority of these groups use fairly obvious group names, including "Spam Professional," "Spammer & Hacker Professional," "Buy Cvv On THIS SHOP PAYMENT BY BTC," and "Facebook hack (Phishing)." Despite the fairly obvious names, some of these groups have managed to remain on Facebook for up to eight years, and in the process acquire tens of thousands of group members.

  • Cybercrime On Facebook Is Of Least Concern To Its Executives

    There is no better time for committing Cybercrime on Facebook than right now. At least that’s the intent the platform is displaying with its least bothered attitude.

    Cisco Talos — an online security research group, has released a report showcasing in detail the fearless existence of cybercrime on Facebook.


More in Tux Machines

OSS: Huawei and "GNU's Not Unix."

  • Huawei Could Rebuild Trust in Their Products Through Open Source

    Open source code for Huawei equipment would allow nations, companies, and individuals alike to verify that the code is free of malware, and that it contains no obvious security problems.

    Reproducible builds allow everyone to be reassured that the code running on the network devices matches the open source code that is reviewed by the public. This removes another layer of distrust.

    And if you want to protect against the advent of Chinese “malicious updates” you can use multi-party key signature schemes for firmware updates, to ensure that updates are approved by the government/company before they are rolled out.

  • The WIRED Guide to Open Source Software

    The open source software movement grew out of the related, but separate, "free software" movement. In 1983, Richard Stallman, at the time a programmer at the MIT Artificial Intelligence Laboratory, said he would create a free alternative to the Unix operating system, then owned by AT&T; Stallman dubbed his alternative GNU, a recursive acronym for "GNU's Not Unix."

    For Stallman, the idea of "free" software was about more than giving software away. It was about ensuring that users were free to use software as they saw fit, free to study its source code, free to modify it for their own purposes, and free to share it with others. Stallman released his code under a license known as the GNU Public License, or GPL, which guarantees users those four software freedoms. The GPL is a "viral" license, meaning that anyone who creates software based on code licensed under the GPL must also release that derivative code under a GPL license.

GNOME 3.34 Desktop Environment Development Kicks Off with First Snapshot

GNOME 3.34 will be the next major release of the popular free and open-source desktop environment for Linux-based operating systems, expected to hit the streets later this year on September 11th. During its entire development cycle, GNOME 3.34 will be developed under the GNOME 3.33.x umbrella. Work on the GNOME 3.34 desktop environment began a few weeks ago, after the launch of the GNOME 3.32 "Taipei" desktop environment, which is already the default desktop environment of the recently released Ubuntu 19.04 (Disco Dingo) operating system and other GNU/Linux distributions. Read more

The mysterious history of the MIT License

I say "seemingly straightforward" because the MIT License is one of the most popular licenses used by open source software. The MIT License, Apache License, and BSD license are the main permissive licenses, a term that contrasts with reciprocal licenses like the GPL, which require source code to be made available when software is redistributed. Given its popularity, you'd think the license's inception would be well-documented. I found various clues that added up to a date in the late 1980s but nothing definitive. However, Keith Packard and Jim Gettys jumped on the thread to offer first-hand accounts of the license's creation. In addition to providing early examples of the license, their help also gave me the context to better understand how the license evolved over time. Read more

BSD: A Look at NomadBSD and Audiocasts About BSDs and ZFS

  • NomadBSD, a BSD for the Road
    As regular It’s FOSS readers should know, I like diving into the world of BSDs. Recently, I came across an interesting BSD that is designed to live on a thumb drive. Let’s take a look at NomadBSD. [...] This German BSD comes with an OpenBox-based desktop with the Plank application dock. NomadBSD makes use of the DSB project. DSB stands for “Desktop Suite (for) (Free)BSD” and consists of a collection of programs designed to create a simple and working environment without needing a ton of dependencies to use one tool. DSB is created by Marcel Kaiser, one of the lead devs of NomadBSD. Just like the original BSD projects, you can contact the NomadBSD developers via a mailing list.
  • Fun with funlinkat() | BSD Now 295
    Introducing funlinkat(), an OpenBSD Router with AT&T U-Verse, using NetBSD on a raspberry pi, ZFS encryption is still under development, Rump kernel servers and clients tutorial, Snort on OpenBSD 6.4, and more.
  • Snapshot Sanity | TechSNAP 402
    We continue our take on ZFS as Jim and Wes dive in to snapshots, replication, and the magic of copy-on-write. Plus some handy tools to manage your snapshots, rsync war stories, and more!