
Security

Security: Hotel Wi-Fi, Updates, Beyond Passwords, Dependencies

Filed under
Security
  • You Know What? Go Ahead and Use the Hotel Wi-Fi

    This advice comes with plenty of qualifiers. If you’re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you’d rather people not know you frequented, you need to take precautionary steps that we’ll get to in a minute. Likewise, if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs. (Also, you’ve probably already been hacked some other way, sorry.)

    But for the rest of us? You’re probably OK. That’s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.

  • Security updates for Monday
  • Beyond Passwords: 2FA, U2F and Google Advanced Protection
  • Dependencies in open source

    The topic of securing your open source dependencies just seems to keep getting bigger and bigger. I always expect it to get less attention for some reason, and every year I’m wrong about what’s happening out there. I remember when I first started talking about this topic, nobody really cared about it. It’s getting a lot more traction these days, especially as we see stories about open source dependencies being wildly out of date and some even being malicious backdoors.

    So what does it really mean to have dependencies? Ignoring the topic of open source for a minute, we should clarify what a dependency is. If you develop software today, there’s no way you build everything yourself. Even if you’re writing something in a low-level language, there are other libraries you rely on to do certain things for you. Just printing “hello world” calls into another library to actually print the text on the screen. Nobody builds at this level outside of a few select low-level projects. Because of this, we use code and applications that someone else wrote. If your business is about selling something online, writing your own web server would be a massive cost. It’s far cheaper to find a web server someone else wrote. The web server would be a dependency. If the web server is open source (which it probably is), we would call that an open source dependency.

Linux kernel Spectre V2 defense fingered for massively slowing down unlucky apps on Intel Hyper-Thread CPUs

Filed under
Linux
Security

Linux supremo Linus Torvalds has voiced support for a kernel patch that limits a previously deployed defense against Spectre Variant 2, a data-leaking vulnerability in modern processors.

Specifically, the proposed patch disables a particular Spectre V2 defense mechanism by default, rather than switching it on automatically. And here's the reason for that suggested change: code runs up to 50 per cent slower on Intel CPUs that use Hyper-Threading with the security defense enabled.

For those not in the know, Hyper-Threading is Chipzilla's implementation of simultaneous multi-threading (SMT), which splits individual CPU cores into two hardware threads. Thus, each core can mostly run two strands of software at the same time. That means a, say, 12-core processor would have 24 hardware threads, effectively presenting itself as a 24-core chip to the operating system and software.


Also: RADV Lands Another Fast Clear Optimization, Helping An Operation 18x

Security: Facebook/Instagram Breach and More FUD From Microsoft's Friends at WhiteSource

Filed under
Security

Security: Cracking, Fingerprinting and Open Source Security Podcast

Filed under
Security
  • 50 countries vow to fight cybercrime - US, Russia don’t

    Fifty nations and over 150 tech companies pledged Monday to do more to fight criminal activity on the internet, including interference in elections and hate speech. But the United States, Russia and China are not among them.

    The group of governments and companies pledged in a document entitled the “Paris call for trust and security in cyberspace” to work together to prevent malicious activities like online censorship and the theft of trade secrets.

  • Researchers Find Critical Vulnerability In Optical In-Display Fingerprint Sensors, Allowed Attackers To Unlock Devices Instantly

    In-Display Fingerprint sensors seem like an upcoming trend in smartphones. Conventional fingerprint sensors have become quite reliable over the years, but they’re still limited by design. With conventional fingerprint sensors, you need to locate the sensor and then unlock your phone. With the scanner placed under the display, unlocking the device feels much more natural. The technology is still in its infancy and hasn’t really matured yet, but a few companies like OnePlus have already put out phones with In-Display fingerprint sensors.

    Optic sensors used in most of the In-Display fingerprint scanners these days aren’t very accurate and some researchers even discovered a big vulnerability in them, which was patched recently. The vulnerability discovered by Tencent’s Xuanwu Lab gave attackers a free pass, allowing them to bypass the lock screen completely.

    Yang Yu, a researcher from the same team, stated that this was a persistent problem present in every In-Display Fingerprint scanner module they tested, also adding that the vulnerability is a design fault of In-Display fingerprint sensors.

  • Open Source Security Podcast: Episode 123 - Talking about Kubernetes and container security with Liz Rice

    Josh and Kurt talk to Liz Rice about Kubernetes and container security. How did we get where we are today, what's new and exciting today, and where do we think things are going?

Goa to train teachers in new open-source software apps for cyber security

Filed under
OSS
Security

After working with Google India for wider adoption of internet safety in schools two years ago, Goa education agencies will implement another project to train computer, information and communication technology school and higher secondary teachers in new open-source software applications for cyber security integration.

The State Board of Secondary and Higher Secondary Education and Goa State Council Educational Research and Training (GSCERT) have decided to begin the second programme with over 650 computer teachers from December 4 to 18, Mr. Ajay Jadhav, Board of Study member and coordinator of the first project with Google, said on Friday. The cyber security training syllabus has been worked out and 18 resource persons are ready for the project.


Security: Japan's Top Cybersecurity Official, SuperCooKey, Information Breach on HealthCare.gov

Filed under
Security
  • Security News This Week: Japan's Top Cybersecurity Official Has Never Used a Computer
  • SuperCooKey – A SuperCookie Built Into TLS 1.2 and 1.3

    TLS 1.3 has a heavily touted feature called 0-RTT that has been paraded by CloudFlare as a huge speed benefit to users because it allows sessions to be resumed quickly from previous visits. This immediately raised an eyebrow for me because this means that full negotiation is not taking place.

    After more research, I’ve discovered that 0-RTT does skip renegotiation steps that involve generating new keys.

    This means that every time 0-RTT is used, the server knows that you’ve been to the site before, and it knows all associated IPs and sign-in credentials attached to that particular key.

  • Information Breach on HealthCare.gov

    In October 2018, a breach occurred within the Marketplace system used by agents and brokers. This breach allowed inappropriate access to the personal information of approximately 75,000 people who are listed on Marketplace applications.

Security Leftovers

Filed under
Security

Security: SMS, Patches, Android, Spam and 'Smart' Things

Filed under
Security
  • A leaky database of SMS text messages exposed password resets and two-factor codes

    A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

    The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.

    For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find.

    Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

  • Security updates for Friday
  • Google: Android Pie Updates Will Be A Lot Faster With Project Treble
  • Frustrating spammers
  • Tracking and snooping on a million kids

    With a couple of watches paired to different testing phones, I had a play with various authorisation and Insecure Direct Object Reference (IDOR) attacks.

    The only check the API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action, shown below, allows an attacker to return the watch location and device_id associated with that family.

5 Easy Tips for Linux Web Browser Security

Filed under
Linux
Security
Web

If you use your Linux desktop and never open a web browser, you are a special kind of user. For most of us, however, a web browser has become one of the most-used digital tools on the planet. We work, we play, we get news, we interact, we bank… the number of things we do via a web browser far exceeds what we do in local applications. Because of that, we need to be cognizant of how we work with web browsers, and do so with a nod to security. Why? Because there will always be nefarious sites and people, attempting to steal information. Considering the sensitive nature of the information we send through our web browsers, it should be obvious why security is of utmost importance.

So, what is a user to do? In this article, I’ll offer a few basic tips, for users of all sorts, to help decrease the chances that your data will end up in the hands of the wrong people. I will be demonstrating on the Firefox web browser, but many of these tips cross the application threshold and can be applied to any flavor of web browser.


Security Leftovers

Filed under
Security