Security: Flawed Government Sites, Windows Disasters, and an SSH Tarpit

Filed under
Security
  • Thousands of security flaws found on UK government websites

    Of the 3220 domain names registered under the .gov.uk domain ending – encompassing everything from central government departments to local and district councils – 524 have unpatched vulnerabilities. In total, the 524 insecure websites, including the National Archives, the Scottish prosecution service and the Health and Safety Executive, have about 7200 vulnerabilities between them.

  • [Windows] Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’ [iophk: "those who signed off on deploying Windows in a production environment need to be brought to justice;"]

    On the day of the attack, some of the companies’ Windows computers were hit with a blue screen error and their files encrypted, said the current employee, who asked to remain anonymous as they were not authorized to speak to the press.  

  • Endlessh: an SSH Tarpit

    This program opens a socket and pretends to be an SSH server. However, it actually just ties up SSH clients with false promises indefinitely — or at least until the client eventually gives up. After cloning the repository, here’s how you can try it out for yourself (default port 2222):
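    The trick the excerpt describes rests on one line of RFC 4253 (section 4.2): before its "SSH-2.0-..." identification string a server may send any number of other lines, and a client must keep reading until the identification string arrives. A tarpit simply never sends it. The following is an added example in Go, not Endlessh's own source (which is C): it serves random, slowly trickled banner lines on port 2222 as in the excerpt, and includes a small client helper for checking a tarpit from the outside. The 10-second delay in main is an assumed default.

```go
package main

import (
	"bufio"
	"log"
	"math/rand"
	"net"
	"strings"
	"time"
)

// maxLineLen keeps each junk line below the 255-byte limit RFC 4253 puts on
// the identification string, so a well-behaved client keeps reading.
const maxLineLen = 250

// bannerLine returns one random printable line terminated by CRLF that never
// starts with "SSH-". Any line that does start with "SSH-" would end the
// banner phase and let the client proceed, which is exactly what we avoid.
func bannerLine(r *rand.Rand) string {
	b := make([]byte, 3+r.Intn(maxLineLen-3))
	for i := range b {
		b[i] = byte(32 + r.Intn(95)) // printable ASCII, so no CR/LF inside the line
	}
	if strings.HasPrefix(string(b), "SSH-") {
		b[0] = '#'
	}
	return string(b) + "\r\n"
}

// validBannerLine checks the invariants bannerLine promises.
func validBannerLine(s string) bool {
	body := strings.TrimSuffix(s, "\r\n")
	return strings.HasSuffix(s, "\r\n") && len(body) >= 3 && len(body) <= maxLineLen &&
		!strings.HasPrefix(s, "SSH-") && !strings.ContainsAny(body, "\r\n")
}

// sampleLines generates n banner lines from a fixed seed (handy for testing).
func sampleLines(seed int64, n int) []string {
	r := rand.New(rand.NewSource(seed))
	out := make([]string, n)
	for i := range out {
		out[i] = bannerLine(r)
	}
	return out
}

// tarpit holds one client: write a junk line, sleep, repeat until the client
// gives up. The write deadline stops a peer that quits reading from pinning a
// goroutine forever once the kernel send buffer fills.
func tarpit(conn net.Conn, delay time.Duration, r *rand.Rand) (lines int, held time.Duration) {
	defer conn.Close()
	start := time.Now()
	for {
		_ = conn.SetWriteDeadline(time.Now().Add(delay + 30*time.Second))
		if _, err := conn.Write([]byte(bannerLine(r))); err != nil {
			return lines, time.Since(start)
		}
		lines++
		time.Sleep(delay)
	}
}

// ListenAndTarpit serves every client on addr in its own goroutine and returns
// the listener so the caller can stop it.
func ListenAndTarpit(addr string, delay time.Duration) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				peer := c.RemoteAddr().String()
				n, held := tarpit(c, delay, rand.New(rand.NewSource(time.Now().UnixNano())))
				log.Printf("%s gave up after %d lines, %s", peer, n, held.Round(time.Second))
			}(conn)
		}
	}()
	return ln, nil
}

// ReadBannerLines dials addr and reads up to n lines, stopping early if a real
// identification line shows up; use it to check a suspected tarpit.
func ReadBannerLines(addr string, n int, timeout time.Duration) ([]string, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	br := bufio.NewReader(conn)
	var lines []string
	for len(lines) < n {
		line, err := br.ReadString('\n')
		if err != nil {
			return lines, err
		}
		lines = append(lines, line)
		if strings.HasPrefix(line, "SSH-") {
			break
		}
	}
	return lines, nil
}

func main() {
	ln, err := ListenAndTarpit(":2222", 10*time.Second) // assumed 10 s between lines
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("tarpit listening on %s", ln.Addr())
	select {}
}
```

    Run it and then `ssh -vvv -p 2222 localhost`: the client never gets past the banner, and with verbose output you can watch OpenSSH log each junk line as it arrives. Because the work per client is one tiny write every ten seconds, a single process can hold thousands of scanners at once; the only resource you are really spending is a socket per victim.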

Security: Privacy, GitHub 'Leaks', Network Security, Android and More

Filed under
Security
  • Ways to safeguard your privacy on the Net
  • Over 100,000 GitHub repos have leaked API or cryptographic keys
  • What Is Network Security? Types of Network Security - EC-Council Official Blog

    Over the past decade, the world has become more interconnected, with the advancement of new networking technologies. Similarly, our dependency on the Internet has reached an unimaginable level. A huge amount of personal, commercial, and confidential data is stored on either private or openly accessible networks. The significance of this intellectual data reflects the importance of network security in our lives. The probable threats to this data are sometimes not easy to detect or prevent. Conversely, the victims face a tough time in terms of time spent to recover the compromised data and money lost due to financial theft.

  • An Android Vulnerability Went Unfixed for Over Five Years
  • Meet the new generation of white hats

    The people who contribute and help maintain open source projects are pretty passionate about being proactive members of the community. They believe in helping to make the projects better and stronger for others to use. These discoveries have wide-reaching effects since open source projects easily find their way into large commercial products that depend on open source projects to help solve problems and add features that in-house developers would have to otherwise write themselves.

    Getting involved in finding vulnerabilities in open source projects can also be a great way for new researchers who are hoping to enter the security field to enhance their resume, which in turn will help them in the job hunt down the line.

  • 5 essential router security settings you need to check now

    The bad news: most people don’t give a second thought to their routers. This lack of know-how puts a lot of households in a dangerous position. The United States Computer Emergency Readiness Team (US-CERT) has issued an alert about Russian state-supported hackers carrying out attacks against a large number of home routers in the U.S.

Security: Fizz, Ghidra, NPK and Nitrokey Fido U2F

Filed under
Security
  • 'Critical' Denial-of-Service Bug Patched in Facebook Fizz

    A critical denial-of-service (DoS) vulnerability was found in Facebook Fizz, the social media giant's open source implementation of the Transport Layer Security (TLS) protocol, Semmle reports.

  • Facebook patches denial-of-service flaw in its open-source Fizz TLS implementation

    Facebook last month patched a critical denial-of-service vulnerability in Fizz, its open-source implementation for Transport Layer Security protocol TLS 1.3, researchers have reported.

    Unauthenticated remote attackers could exploit the flaw to create an “infinite loop,” causing the web service to be unavailable for other users and thus disrupting service, according to a March 19 blog post from Semmle, whose researcher Kevin Backhouse uncovered the issue.

    And because Facebook made Fizz’s source code available for public use last August, other web services can potentially be attacked this way as well if they fail to apply secure updates.

  • NSA Opts for Open-Source Sleuthing of Cyber Threats

    Cyber security is taking an open-source step forward with the National Security Agency's release of tools designed to reverse-engineer malware that holds people and companies hostage when their systems become infected.

    Unveiled at the recent RSA security conference in San Francisco, the NSA's Ghidra application for disassembling machine-instruction code covers a spectrum of operating systems and chip architectures for data centers and devices alike. By making the tool an open source kit, the Defense Department's top secret data intelligence agency is enlisting private developers to help it fight cyber crime.

  • Coalfire Labs Develops Open Source Password Cracking Tool

    Coalfire, a trusted provider of cybersecurity advisory and assessment services, announced today that the Coalfire Labs Research and Development (R&D) team released NPK, an open source tool that provides unprecedented password cracking capabilities to break the security surrounding hashed passwords.

    The distributed hash-cracking platform is built entirely of serverless components in Amazon Web Services (AWS) including Cognito, DynamoDB, and S3. It leverages the exceptionally powerful GPU instances in AWS to bring staggering hash cracking performance to a price tier in reach of a weekend tinkerer. It was designed for easy deployment and flexible usage.

  • Nitrokey Fido U2F Review & Rating

    The Nitrokey Fido U2F security key delivers two-factor authentication for the most popular sites on the web, and does so with impressive open-source bona fides.

Chrome OS to bring Android VPN support for Linux apps on Chromebooks

Filed under
OS
Android
GNU
Linux
Google
Security

Back in February, I noted that the Chromium team was working to add VPN support in Linux containers running on Chromebooks. Now there appears to be a second VPN option in the works: As spotted by 9to5 Google, there’s an effort to extend any Android-based VPN apps to Linux.

Read more

Also: Guide to reasonable privacy on Android

Security Leftovers

Filed under
Security
  • Netgate® Advances TNSR™ Open Source Secure Networking with Release 19.02
  • Using an OpenBSD Router with AT&T U-Verse

    I upgraded to AT&T's U-verse Gigabit internet service in 2017 and it came with an Arris BGW-210 as the WiFi AP and router. The BGW-210 is not a terrible device, but I already had my own Airport Extreme APs wired throughout my house and an OpenBSD router configured with various things, so I had no use for this device. It's also a potentially-insecure device that I can't upgrade or fully disable remote control over.

    Fully removing the BGW-210 is not possible as we'll see later, but it is possible to remove it from the routing path. This is how I did it with OpenBSD.

  • Report: EU to reject ban on Huawei [iophk: "for a minuscule fraction of the price, the countries could add wireless to openbsd and have done with the question permanently"]

    Citing four unnamed sources familiar with the decision, the outlet reported that Andrus Ansip, the European Commission’s digital chief, will present his recommendation next week.

    The proposal will reportedly advise member states to adopt the EU’s cybersecurity guidelines to coordinate and share information on their wireless networks.

    According to Reuters, the plan would be to allow countries to decide for themselves whether to ban Huawei.

  • Exclusive: EU to drop threat of Huawei ban but wants 5G risks monitored - sources

    European digital chief Andrus Ansip will present the recommendation on Tuesday. While the guidance does not have legal force, it will carry political weight which can eventually lead to national legislation in European Union countries.

  • Cybercriminals target the UK police force with ransomware [iophk: "Windows endangers whole countries, divest from proprietary software now; however, using Twitter in place of a public form of communication is stupid and probably illegal."]

    The organisation represents 119,000 police officers across England and Wales, and revealed it had been hit by ransomware in a statement on Twitter, complete with the thoroughly uncatchy #PFEWCyberAttack hashtag. The attack was reported on March 11, within the three days required under European law.

  • DARPA takes on election security with open source

    The defense research agency is exploring the feasibility of locking down election systems with open-source software and secure hardware.

  • DARPA to Develop $10 Million Open Source Voting System

    The US election might be different in 2020 thanks to a project by DARPA (Defense Advanced Research Projects Agency), the US Department of Defense research division, aiming at bullet-proofing voting machines by moving away from proprietary software that can’t be properly evaluated for bugs, writes Motherboard.

Webauthn in Linux with a TPM via the HID gadget

Filed under
GNU
Linux
Security

Account security on the modern web is a bit of a nightmare. Everyone understands the need for strong passwords which are different for each account, but managing them is problematic because the human mind just can’t remember hundreds of complete gibberish words so everyone uses a password manager (which, let's admit it, for a lot of people is to write it down). A solution to this problem has long been something called two factor authentication (2FA) which authenticates you by something you know (like a password) and something you possess (like a TPM or a USB token). The problem has always been that you ideally need a different 2FA for each website, so that a compromise of one website doesn’t lead to the compromise of all your accounts.

Enter webauthn. This is designed as a 2FA protocol that uses public key cryptography instead of shared secrets and also uses a different public/private key pair for each website. Thus aspiring to be a passwordless secure scalable 2FA system for the web. However, the webauthn standard only specifies how the protocol works when the browser communicates with the remote website, there’s a different standard called FIDO or U2F that specifies how the browser communicates with the second factor (called an authenticator in FIDO speak) and how that second factor works.

It turns out that the FIDO standards do specify a TPM as one possible backend, so what, you might ask does this have to do with the Linux Gadget subsystem? The answer, it turns out, is that although the standards do recommend a TPM as the second factor, they don’t specify how to connect to one. The only connection protocols in the Client To Authenticator Protocol (CTAP) specifications are USB, BLE and NFC. And, in fact, the only one that’s really widely implemented in browsers is USB, so if you want to connect your laptop’s TPM to a browser it’s going to have to go over USB meaning you need a Linux USB gadget. Conspiracy theorists will obviously notice that if the main current connector is USB and FIDO requires new USB tokens because it’s a new standard then webauthn is a boon to token manufacturers.
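The post describes the protocol shape (a separate key pair per site, public-key signatures instead of shared secrets) without showing what the relying party actually checks. The following is an added example in Go, not code from the post, from any FIDO library, or from the Linux gadget work it describes: a toy authenticator and relying party that walk through registration and an assertion. The authenticator data layout (SHA-256 of the RP ID, a flags byte, a 32-bit signature counter) and the signed message (authenticator data followed by the hash of the browser-built client data) follow the WebAuthn specification; the domains bank.example and evil.example are constructed, and the CTAP transport over USB, BLE or NFC that sits between browser and authenticator is not modelled at all.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator is the "something you possess": one P-256 key pair per relying
// party ID (rpID), so a key registered at one site is never presented to
// another. The signature counter lets a site notice a cloned authenticator.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// MakeCredential is registration: mint a fresh key pair bound to rpID and hand
// only the public half to the site.
func (a *Authenticator) MakeCredential(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// authData is the WebAuthn authenticator data prefix:
// SHA-256(rpID) || flags (0x01 = user present) || 32-bit big-endian counter.
func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(h[:], 0x01), ctr[:]...)
}

// GetAssertion is login: sign SHA-256(authData || clientDataHash) with the key
// held for rpID. With no credential for that rpID the authenticator refuses.
func (a *Authenticator) GetAssertion(rpID string, clientDataHash [32]byte) (ad, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential for " + rpID)
	}
	a.counter++
	ad = authData(rpID, a.counter)
	digest := sha256.Sum256(append(append([]byte{}, ad...), clientDataHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return ad, sig, err
}

// clientDataHash is computed by the browser, not the page, over the challenge
// and the origin it actually loaded. That binding is what defeats phishing: a
// proxying site cannot make the victim's browser lie about the origin.
func clientDataHash(challenge, origin string) [32]byte {
	b, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	return sha256.Sum256(b)
}

// RelyingParty is the site: it stores the public key and the last counter seen.
type RelyingParty struct {
	ID, Origin string
	Pub        *ecdsa.PublicKey
	Counter    uint32
}

// Verify checks an assertion against the challenge the site issued: right RP ID,
// signature over data bound to the site's own origin, and a counter that moved.
func (rp *RelyingParty) Verify(challenge string, ad, sig []byte) error {
	if len(ad) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(ad[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdh := clientDataHash(challenge, rp.Origin) // recomputed with the site's own origin
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	ctr := binary.BigEndian.Uint32(ad[33:37])
	if ctr <= rp.Counter {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	rp.Counter = ctr
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.MakeCredential("bank.example") // constructed example domain
	bank := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", Pub: pub}
	ad, sig, _ := auth.GetAssertion("bank.example", clientDataHash("nonce-1", bank.Origin))
	fmt.Println("genuine login:", bank.Verify("nonce-1", ad, sig))
	// The same authenticator, but the browser was on a phishing origin.
	ad, sig, _ = auth.GetAssertion("bank.example", clientDataHash("nonce-2", "https://evil.example"))
	fmt.Println("phished login:", bank.Verify("nonce-2", ad, sig))
}
```

The first Verify returns no error; the second fails on the signature check, because the site hashes its own origin into the client data and the signature was made over a different one. Replaying a captured assertion fails on the counter, and asking the authenticator for evil.example finds no credential at all, which is the per-site keying the post is after. A real TPM-backed authenticator would keep the private keys sealed in the TPM rather than in a Go map; everything the relying party does stays the same.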

Read more

Security: Cryptocurrency Fears and New Browser Holes

Filed under
Security

Security: Updates, VPN, BleachBit, TenFourFox and Steam

Filed under
Security
  • Security updates for Friday
  • Linux apps on Chrome OS will soon support Android-based VPN connections

    Google is finally fixing Chrome OS's inability to protect Linux apps with a VPN, like the ones downloadable from the Play Store.

  • BleachBit 2.2

    Designed for Linux and Windows systems, it wipes clean thousands of applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source.

  • Stand by for urgent security update

    Pwn2Own came and went and Firefox fell with it. The __proto__ vulnerability seems exploitable in TenFourFox, though it would require a PowerPC-specific attack to be fully weaponized, and I'm currently evaluating the other bug. Builds ("FPR13 SPR1") including fixes for either or both depending on my conclusions will be issued within the next couple days.

  • Steam vulnerability exposed users to account hijacking and malware [Ed: proprietary software cannot hide its holes for very long (or until it's too late to hide)]

Security Leftovers

Filed under
Security

Security: Updates, Windows, Medtronic and FUD

Filed under
Security
  • Security updates for Thursday
  • Norwegian firm attack likely through Microsoft Active Directory: claim

    The Windows network at the Norwegian aluminium maker Norsk Hydro was probably infiltrated by attackers who planted the LockerGoga ransomware using something like scheduled tasks or services in Microsoft's Active Directory, a British security expert says.

  • Microsoft starts notifying Windows 7 users about end of support

    Microsoft’s end of support date means that Windows 7 users will no longer receive security updates, and the company wants consumers to upgrade to Windows 10 PCs instead. While the notification doesn’t mention Windows 10, Microsoft links to a new Windows 7 site that encourages consumers to upgrade their PCs.

  • Critical flaw lets [attackers] control lifesaving devices implanted inside patients

    The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.

    Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they're implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic rely on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company's CareLink Programmer in clinics, while patients use the MyCareLink Monitor in homes to regularly ensure the defibrillators are working properly.

  • New vulnerability reporting platform aims to make open source safer [Ed: Ad disguised as an article for firm that works with Microsoft and never speaks about back doors in proprietary software]