Language Selection

English French German Italian Portuguese Spanish


Security: Lessons of a Power Station, Red Hat's Product Security Risk Report and Latest Available Updates

Filed under
  • Disbanding of this committee has left Guyana vulnerable to cyber attacks

    ‘The perpetrators of this act requested a ransom of bitcoins (digital money) to remove all encryptions from within the network. GPL has not heeded to, and will not heed to, any such ransom.’

  • Power company still recovering from system hack

    “We were hacked recently and some of our systems are still down and we are working on it,” Sears-Murray told Stabroek News yesterday.

  • Public Utilities Commission prepared to intervene on behalf of this GPL customer

    I write with reference to a letter in the Stabroek News edition of Tuesday, 5th February 2019 captioned, `Power bill skyrocketed with new meter, GPL not providing any answers’, which stated that GPL’s newly installed meter is not producing accurate readings of electricity consumption.

  • A year in review: 2018 Product Security Risk Report

    Each year, Red Hat Product Security reflects back and reviews the vulnerabilities that impacted our products. We’ve shared the results of this analysis in our annual Red Hat Product Security Risk report.

    Looking back, 2018 was a busy year in the field of incident response and vulnerability management. Many high-profile issues were discovered that had broad-reaching impacts to operations in all sectors, from traditional data-centers all the way out to the edges of the cloud. Customers potentially affected by issues with kernels, Kubernetes and others looked to Red Hat to help understand the potential to impact their operations.

  • Security updates for Thursday

WireGuard VPN Tunnel Software Publishes New Snapshot But It Won't Be In Linux 5.1

Filed under

Jason Donenfeld, the lead developer of WireGuard, has released a new snapshot version of this secure VPN tunnel cross-platform software.

WireGuard 0.0.20190227 is the new testing version of this very useful and practical alternative to the likes of OpenVPN. This pre-release version has changes for FreeBSD, various low-level code improvements, mitigating potential side-channel attacks, fixing allocation stalls, fixes for compatibility with older kernel versions, and other changes.

There is also optimizations to help WireGuard to be "much much faster" for operations involving thousands of peers. Jason particularly noted, "Batch peer/allowedip addition and clearing is several orders of magnitude faster now."

Read more

Security: GNOME Security Internship, Supply Chain Security Talk, SHAREit is 'Cracked'

Filed under
  • GNOME Security Internship - The end?

    The first part regarding protecting the system from potentially unwanted new USB devices can be considered completed. Probably now it will requires just bug fixing and minor changes, if necessary. The required merge requests are up.

    The second part regarding limiting the number of usable keys for untrusted keyboards reached a working stage. However it’s still under evaluation which is the best way to achieve it, because even if with the current solution works it doesn’t mean that this is the desirable way to do it.

  • Supply Chain Security Talk [iophk: "warning for Microsoft event; maybe don't want to [attend] despite Bunnie presenting"]

    In the talk, I relay some of my personal trials authenticating my supply chains, then I go into the why of the supply chain attacks to establish some scenarios for evaluating different approaches. The talk attempts to broadly categorize the space of possible attacks, ranging from attacks that cost a penny and a few seconds to pull off to hundreds of thousands of dollars and months. Finally, I try to outline the depth of the supply chain attack surface, highlighting the overall TOCTOU (time of check, time of use) problem that is the supply chain.

  • Critical SHAREit Flaw Gives Attackers Full Access To Device Files

    Data sharing apps like SHAREit and Xender have transformed the way files are shared, since their release a few years ago. The apps transfer files over wifi which is much faster compared to sending files using Bluetooth.

  • High-Severity SHAREit App Flaws Open Files for the Taking

    SHAREit has fixed two flaws in its app that allow bad actors to authenticate their devices and steal files from a victim’s device.

    Two high-severity flaws in the SHAREit Android app allow an attacker to bypass the file transfer application’s device authentication mechanism – and ultimately download content and arbitrary files from the victim’s device, along with a raft of data such as Facebook tokens and cookies.

Security: VFEmail Incident, Spectre Mitigation, Open Source Voting and More

Filed under
  • VFEmail

    As this issue goes to print, news is circulating about a catastrophic hack on the mail provider VFEmail. According to reports, two decades of saved data for all US users is lost – totally wiped out. Email providers are accustomed to getting attacked, and most of the attacks are stopped at the front door. Attackers sometimes get through, in which case, the most common scenario is that they encrypt some data and ask for a ransom. In this case, however, the attacker didn't seem to really want anything, other than a chance to go on a rampage and destroy all the data.

    No attempt was made to deliver ransom demands. The crime did not look like extortion or theft but resembled something more like ordinary vandalism. The attacker careened around the network, reformatting disks and destroying data. Mail servers, file servers, VM servers, database servers, and even backup servers were lost. Although vandalism tends to appear random, this attack seems to have been carefully planned. According to reports, the attacker needed multiple passwords to access all these servers and therefore must have been lurking and listening on the network for some time to acquire the necessary access information.

    I won't solve the mystery in the time it takes to write this column. Too much is unknown at this time. Was the attack from a disturbed loner who just wanted to destroy something? Was it a disgruntled customer or a former employee out for revenge? Was it an inside job? Another possible scenario is that the attacker was a customer with a secret who decided to destroy the evidence by destroying every account, rather than just deleting personal emails and risking leaving a trail.

    The VFEmail attack caught the imagination of the high tech press because it was just so weird. Nefarious as ransomware attacks might be, we are at least able to classify them as being somehow related to the quest for money (which we all secretly understand). A wanton attack of vengeance or vandalism scares us the way we are scared by a tornado or a madman with a knife. This attack underscores the dark reality that the Internet really is an unsafe place. Criminals and sociopaths from all over the world can ride a magic carpet to your front door, and the onus is on you to find the right kind of lock – and to continually change the lock as new techniques render old locks ineffective. It is actually profoundly strange that our whole economy and trillions of dollars in business interests are based on this model.

  • Linux Kernel Continues to Offer Mitigation for Spectre Mitigation
  • Open Source Voting

    Attempts by Russia to interfere with US elections have been headline news in the last year. But the problems with the election process in the United States goes deeper than the public generally realizes and includes obsolete, proprietary systems, a lack of funds for upgrades, and near monopolies on voting machines. As the 2020 US elections near, academics are working to provide solutions to these issues – and open source software and hardware are at the core of these solutions, together with modern interface design.

  • OpenShift Commons Briefing: State of Open Source Security Report Review with Liran Tal (Snyk) [Ed: Red Hat is entertaining anti-FOSS and Microsoft-connected FUDsters from Snyk]
  • When an internet emergency strikes

    Research shows that we spend more time on phones and computers than with friends. This means we’re putting out more and more information for hackers to grab. It’s better to be safe than sorry in an internet emergency, but how you prepare depends on the type of emergency you’re facing.

  • Critical WinRAR Flaw Found Actively Being Exploited

    A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.

    The campaign, discovered by researchers with 360 Threat Intelligence Center, takes advantage of a path-traversal WinRAR vulnerability, which could allow bad actors to remotely execute malicious code on victims’ machines simply by persuading them to open a file.

  • WinRAR Flaw Being Actively Used To Load Malware In Windows PCs

Thunderclap and Linux

Filed under

Thunderbolt security has been in the news recently: researches presented a set of new vulnerabilities involving Thunderbolt which they named Thunderclap1. The authors built a "fake" network card2) and performed various DMA attacks and were able to temper with memory regions that their network card should have no access to whatsoever. In some way this is not all that surprising because the foundation of Thunderbolt are PCIe tunnels to external hardware and one of the reasons that PCIe is fast is because it can do direct memory access (DMA).

The current primary defense against DMA attacks for Thunderbolt 3 are the security levels: if enabled (the default on most systems) it gives the software the ability to decide on a per device level to allow or deny PCIe tunnels (and with that potentially access to the all the memory via DMA)3. While not protecting from DMA attacks per se it protects from some — maybe the most — prominent threat scenarios4: 1) somebody plugging that evil device into your computer while you are away or 2) you have to plug in a device into your computer that you don't trust, i.e. a projector at a conference. On GNU/Linux boltd will authorize a plugged-in device only if an admin user is logged in and the screen is unlocked. For untrusted environments the authorization by boltd can be disabled, i.e. when you go to a conference, via the GNOME settings panel. The toggle is called "Direct Access" (see screenshot below).

Read more

CentOS 6 and Red Hat Enterprise Linux 6 Get Important Kernel Security Update

Filed under
Red Hat

Marked by the Red Hat Product Security team as having an "Important" security impact, the new kernel security update contains a fix for a race condition vulnerability affecting the raw MIDI kernel driver that could lead to a double-free or double realloc, as well as a fix for a bug that caused apps compiled with GCC 4.4.7 to trigger a segmentation fault.

This kernel update removes a 64k limit check in the page fault handler in applications compiled with GNU Compiler Collection (GCC) version 4.4.7, ensuring the smooth running of these applications without triggering a segmentation fault. However, Red Hat noted that fact that removing the limit check has no impact on the integrity of the kernel itself.

Read more

Security Leftovers

Filed under

Security: SEDC, FastMail, Mozilla, 5G, Lime

Filed under
  • Plain wrong: Millions of utility customers’ passwords stored in plain text

    Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.

  • FastMail fears customer exodus due to encryption law

    Melbourne-based secure email provider FastMail says it has begun to see existing customers leave and potential customers go to other providers, and the reason cited is the government's encryption bill.

  • Mozilla may treat Aussie staff as 'insider threats' to code base

    In separate submissions to a senate inquiry examining the now-passed laws, the two technology companies raised concerns about how they could trust their workers.

    Both Mozilla and FastMail worry that individual employees could be targeted by law enforcement to make secret changes to systems.

  • 5G already has its own security flaws

    The first of the vulnerabilities is called Torpedo and exploits a weakness in the paging protocol which alerts your phone to incoming calls or texts. By starting and cancelling a bunch of calls in quick succession, you can send a paging message to the device without actually triggering an alert. Not only does this leave the door open to blocking or inserting messages, but it can also lead to two more attacks.

    These are called Piercer and IMSI-Cracking, which use different methods but achieve the same thing. They let an attacker figure out your unique IMSI (International Mobile Subscriber Identity) number which leaves you wide open to remote eavesdropping, or even less welcome stalking.

  • Lime warns riders about ‘sudden excessive braking’ due to firmware bug

    According to Lime, the bug occurs in “very rare cases,” usually when a rider is going downhill at top speed and hits a pothole or obstacle, the scooter will unexpectedly brake the front wheel, which has led to some riders being injured. Lime says that the issue isn’t common, with less than 0.0045 percent of all Lime rides encountering the problem, but the company is warning customers anyway and noting that they should use extra caution while the issue is being fixed.

Testing Ubuntu 19.04 and IPFire 2.21

Filed under
  • Ubuntu 19.04 Feature Freeze Run Through
  • IPFire 2.21 - Core Update 128 is ready for testing

    we have a great bunch of updates lined up for you with some great features that will improve IPFire's IPsec VPN capabilities and a huge make-over for our Intrusion Prevention System. But before that, we have another maintenance update with a new kernel, introducing TLS 1.3 throughout the whole system and of course a whole package of bug fixes and other improvements.

    Thanks to everyone who has contributed to this Core Update with either sending in patches, testing, reporting bugs and many many other things. I am quite happy to see the team grow slowly and surely!

Security: 4G and 5G, ETS (or eTLS) and the Latest FUD

Filed under
Syndicate content

More in Tux Machines

Graphics: NVIDIA, Nouveau and Vulkan

  • NVIDIA 418.49.04 Linux Driver Brings Host Query Reset & YCbCr Image Arrays
    NVIDIA has issued new Vulkan beta drivers leading up to the Game Developers Conference 2019 as well as this next week there being NVIDIA's GPU Technology Conference (GTC) nearby in California. The only publicly mentioned changes to this weekend's NVIDIA 418.49.04 Linux driver update (and 419.62 on the Windows side) is support for the VK_EXT_host_query_reset and VK_EXT_ycbcr_image_arrays extensions.
  • Nouveau NIR Support Lands In Mesa 19.1 Git
    It shouldn't come as any surprise, but landing today in Mesa 19.1 Git is the initial support for the Nouveau Gallium3D code to make use of the NIR intermediate representation as an alternative to Gallium's TGSI. The Nouveau NIR support is part of the lengthy effort by Red Hat developers on supporting this IR as part of their SPIR-V and compute upbringing. The NIR support is also a stepping stone towards a potential NVIDIA Vulkan driver in the future.
  • Vulkan 1.1.104 Brings Native HDR, Exclusive Fullscreen Extensions
    With the annual Game Developers' Conference (GDC) kicking off tomorrow in San Francisco, Khronos' Vulkan working group today released Vulkan 1.1.104 that comes with several noteworthy extensions. Vulkan 1.1.104 is the big update for GDC 2019 rather than say Vulkan 1.2, but it's quite a nice update as part of the working group's weekly/bi-weekly release regiment. In particular, Vulkan 1.1.104 is exciting for an AMD native HDR extension and also a full-screen exclusive extension.
  • Interested In FreeSync With The RADV Vulkan Driver? Testing Help Is Needed
    Since the long-awaited introduction of FreeSync support with the Linux 5.0 kernel, one of the missing elements has been this variable rate refresh support within the RADV Vulkan driver. When the FreeSync/VRR bits were merged into Linux 5.0, the RadeonSI Gallium3D support was quick to land for OpenGL games but RADV Vulkan support was not to be found. Of course, RADV is the unofficial Radeon open-source Vulkan driver not officially backed by AMD but is the more popular driver compared to their official AMDVLK driver or the official but closed driver in their Radeon Software PRO driver package (well, it's built from the same sources as AMDVLK but currently with their closed-source shader compiler rather than LLVM). So RADV support for FreeSync has been one of the features users have been quite curious about and eager to see.

New Screencasts: Xubuntu 18.04.2, Ubuntu MATE, and Rosa Fresh 11

9 Admirable Graphical File Managers

Being able to navigate your local filesystem is an important function of personal computing. File managers have come a long way since early directory editors like DIRED. While they aren’t cutting-edge technology, they are essential software to manage any computer. File management consists of creating, opening, renaming, moving / copying, deleting and searching for files. But file managers also frequently offer other functionality. In the field of desktop environments, there are two desktops that dominate the open source landscape: KDE and GNOME. They are smart, stable, and generally stay out of the way. These use the widget toolkits Qt and GTK respectively. And there are many excellent Qt and GTK file managers available. We covered the finest in our Qt File Managers Roundup and GTK File Managers Roundup. But with Linux, you’re never short of alternatives. There are many graphical non-Qt and non-Gtk file managers available. This article examines 9 such file managers. The quality is remarkably good. Read more

Slimbook & Kubuntu - Combat Report 6

Here we are gathered, for another episode of drama, thrill and technological escapades in the land of Tux. Starring one Slimbook Pro2 in the main role, with a trusty sidekick called Bionic Beaver of the Kubuntu clan. We've had quite a few episodes so far, and they tell a rather colorful story of progress, beauty and bugs. Over the past few months, I've detailed my usage of the laptop and its operating system in serious, real-life situations, with actual productivity needs and challenges. This isn't just a test, this is running the machine properly. Many things work well, but then, there are problems, too. Of course, you can read all about those in the previous articles, and again, for the sake of simplicity, I'm only going to link to only the last report here. If you're truly intrigued, I'm sure you can find your way around. [..]. I believe the Slimbook - with its Kubuntu brains - is slowly settling down. The one thing that is certain is that system updates bring in small tweaks and fixes all the time, and it's a shame that we can't have that from the very first minute. On the other hand, the system is stable, robust, and there are no regressions. I am quite pleased. But there are still many things that can improved. Small things. The nth-order fun that isn't immediate or obvious, and so people don't see it until they come across a non-trivial use case, and then things start falling apart. This is true for all operating system, it's only the matter of how much. Plasma has made great strides in becoming semi-pro, and I hope it will get better still. Onwards. Read more Also: Krita Interview with Svetlana Rastegina