Security

Security: Privacy, GitHub 'Leaks', Network Security, Android and More

Filed under
Security
  • Ways to safeguard your privacy on the Net
  • Over 100,000 GitHub repos have leaked API or cryptographic keys
  • What Is Network Security? Types of Network Security - EC-Council Official Blog

    Over the past decade, the world has become more interconnected, with the advancement of new networking technologies. Similarly, our dependency on the Internet has reached an unimaginable level. A huge amount of personal, commercial, and confidential data is stored on either private or openly accessible networks. The significance of this intellectual data reflects the importance of network security in our lives. The probable threats to this data are sometimes not easy to detect or prevent. Conversely, the victims face a tough time in terms of time spent to recover the compromised data and money lost due to financial theft.

  • An Android Vulnerability Went Unfixed for Over Five Years
  • Meet the new generation of white hats

    The people who contribute and help maintain open source projects are pretty passionate about being proactive members of the community. They believe in helping to make the projects better and stronger for others to use. These discoveries have wide-reaching effects since open source projects easily find their way into large commercial products that depend on open source projects to help solve problems and add features that in-house developers would have to otherwise write themselves.

    Getting involved in finding vulnerabilities in open source projects can also be a great way for new researchers who are hoping to enter the security field to enhance their resume, which in turn will help them in the job hunt down the line.

  • 5 essential router security settings you need to check now

    The bad news: most people don’t give a second thought to their routers. This lack of know-how puts a lot of households in a dangerous position. The United States Computer Emergency Readiness Team (US-CERT) has issued an alert about Russian state-supported hackers carrying out attacks against a large number of home routers in the U.S.

Security: Fizz, Ghidra, NPK and Nitrokey Fido U2F

Filed under
Security
  • 'Critical' Denial-of-Service Bug Patched in Facebook Fizz

    A critical denial-of-service (DoS) vulnerability was found in Facebook Fizz, the social media giant's open source implementation of the Transport Layer Security (TLS) protocol, Semmle reports.

  • Facebook patches denial-of-service flaw in its open-source Fizz TLS implementation

    Facebook last month patched a critical denial-of-service vulnerability in Fizz, its open-source implementation for Transport Layer Security protocol TLS 1.3, researchers have reported.

    Unauthenticated remote attackers could exploit the flaw to create an “infinite loop,” causing the web service to be unavailable for other users and thus disrupting service, according to a March 19 blog post from Semmle, whose researcher Kevin Backhouse uncovered the issue.

    And because Facebook made Fizz’s source code available for public use last August, other web services can potentially be attacked this way as well if they fail to apply secure updates.

  • NSA Opts for Open-Source Sleuthing of Cyber Threats

    Cyber security is taking an open-source step forward with the National Security Agency's release of tools designed to reverse-engineer malware that holds people and companies hostage when their systems become infected.

    Unveiled at the recent RSA security conference in San Francisco, the NSA's Ghidra application for disassembling machine-instruction code covers a spectrum of operating systems and chip architectures for data centers and devices alike. By making the tool an open source kit, the Defense Department's top secret data intelligence agency is enlisting private developers to help it fight cyber crime.

  • Coalfire Labs Develops Open Source Password Cracking Tool

    Coalfire, a trusted provider of cybersecurity advisory and assessment services, announced today that the Coalfire Labs Research and Development (R&D) team released NPK, an open source tool that provides unprecedented password cracking capabilities to break the security surrounding hashed passwords.

    The distributed hash-cracking platform is built entirely of serverless components in Amazon Web Services (AWS) including Cognito, DynamoDB, and S3. It leverages the exceptionally powerful GPU instances in AWS to bring staggering hash cracking performance to a price tier in reach of a weekend tinkerer. It was designed for easy deployment and flexible usage.

  • Nitrokey Fido U2F Review & Rating

    The Nitrokey Fido U2F security key delivers two-factor authentication for the most popular sites on the web, and does so with impressive open-source bona fides.

Chrome OS to bring Android VPN support for Linux apps on Chromebooks

Filed under
OS
Android
GNU
Linux
Google
Security

Back in February, I noted that the Chromium team was working to add VPN support in Linux containers running on Chromebooks. Now there appears to be a second VPN option in the works: As spotted by 9to5 Google, there’s an effort to extend any Android-based VPN apps to Linux.


Also: Guide to reasonable privacy on Android

Security Leftovers

Filed under
Security
  • Netgate® Advances TNSR™ Open Source Secure Networking with Release 19.02
  • Using an OpenBSD Router with AT&T U-Verse

    I upgraded to AT&T's U-verse Gigabit internet service in 2017 and it came with an Arris BGW-210 as the WiFi AP and router. The BGW-210 is not a terrible device, but I already had my own Airport Extreme APs wired throughout my house and an OpenBSD router configured with various things, so I had no use for this device. It's also a potentially-insecure device that I can't upgrade or fully disable remote control over.

    Fully removing the BGW-210 is not possible as we'll see later, but it is possible to remove it from the routing path. This is how I did it with OpenBSD.

  • Report: EU to reject ban on Huawei [iophk: "for a minuscule fraction of the price, the countries could add wireless to openbsd and have done with the question permanently"]

    Citing four unnamed sources familiar with the decision, the outlet reported that Andrus Ansip, the European Commission’s digital chief, will present his recommendation next week.

    The proposal will reportedly advise member states to adopt the EU’s cybersecurity guidelines to coordinate and share information on their wireless networks.

    According to Reuters, the plan would be to allow countries to decide for themselves whether to ban Huawei.

  • Exclusive: EU to drop threat of Huawei ban but wants 5G risks monitored - sources

    European digital chief Andrus Ansip will present the recommendation on Tuesday. While the guidance does not have legal force, it will carry political weight which can eventually lead to national legislation in European Union countries.

  • Cybercriminals target the UK police force with ransomware [iophk: "Windows endangers whole countries, divest from proprietary software now; however, using Twitter in place of a public form of communication is stupid and probably illegal."]

    The organisation represents 119,000 police officers across England and Wales, and revealed it had been hit by ransomware in a statement on Twitter, complete with the thoroughly uncatchy #PFEWCyberAttack hashtag. The attack was reported on March 11, within the three days required under European law.

  • DARPA takes on election security with open source

    The defense research agency is exploring the feasibility of locking down election systems with open-source software and secure hardware.

  • DARPA to Develop $10 Million Open Source Voting System

    The US election might be different in 2020 thanks to a project by DARPA (Defense Advanced Research Projects Agency), the US Department of Defense research division, aiming at bullet-proofing voting machines by moving away from proprietary software that can’t be properly evaluated for bugs, writes Motherboard.

Webauthn in Linux with a TPM via the HID gadget

Filed under
GNU
Linux
Security

Account security on the modern web is a bit of a nightmare. Everyone understands the need for strong passwords which are different for each account, but managing them is problematic because the human mind just can’t remember hundreds of complete gibberish words so everyone uses a password manager (which, let's admit it, for a lot of people is to write it down). A solution to this problem has long been something called two factor authentication (2FA) which authenticates you by something you know (like a password) and something you possess (like a TPM or a USB token). The problem has always been that you ideally need a different 2FA for each website, so that a compromise of one website doesn’t lead to the compromise of all your accounts.

Enter webauthn. This is designed as a 2FA protocol that uses public key cryptography instead of shared secrets and also uses a different public/private key pair for each website. Thus aspiring to be a passwordless secure scalable 2FA system for the web. However, the webauthn standard only specifies how the protocol works when the browser communicates with the remote website, there’s a different standard called FIDO or U2F that specifies how the browser communicates with the second factor (called an authenticator in FIDO speak) and how that second factor works.

It turns out that the FIDO standards do specify a TPM as one possible backend, so what, you might ask, does this have to do with the Linux Gadget subsystem? The answer, it turns out, is that although the standards do recommend a TPM as the second factor, they don’t specify how to connect to one. The only connection protocols in the Client To Authenticator Protocol (CTAP) specifications are USB, BLE and NFC. And, in fact, the only one that’s really widely implemented in browsers is USB, so if you want to connect your laptop’s TPM to a browser it’s going to have to go over USB, meaning you need a Linux USB gadget. Conspiracy theorists will obviously notice that if the main current connector is USB and FIDO requires new USB tokens because it’s a new standard then webauthn is a boon to token manufacturers.


Security: Cryptocurrency Fears and New Browser Holes

Filed under
Security

Security: Updates, VPN, BleachBit, TenFourFox and Steam

Filed under
Security
  • Security updates for Friday
  • Linux apps on Chrome OS will soon support Android-based VPN connections

    Google is finally fixing Chrome OS's inability to protect Linux apps with a VPN, like the ones downloadable from the Play Store.

  • BleachBit 2.2

    Designed for Linux and Windows systems, it wipes clean thousands of applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more. Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source.

  • Stand by for urgent security update

    Pwn2Own came and went and Firefox fell with it. The __proto__ vulnerability seems exploitable in TenFourFox, though it would require a PowerPC-specific attack to be fully weaponized, and I'm currently evaluating the other bug. Builds ("FPR13 SPR1") including fixes for either or both depending on my conclusions will be issued within the next couple days.

  • Steam vulnerability exposed users to account hijacking and malware [Ed: proprietary software cannot hide its holes for very long (or until it's too late to hide)]

Security Leftovers

Filed under
Security

Security: Updates, Windows, Medtronic and FUD

Filed under
Security
  • Security updates for Thursday
  • Norwegian firm attack likely through Microsoft Active Directory: claim

    The Windows network at the Norwegian aluminium maker Norsk Hydro was probably infiltrated by attackers who planted the LockerGoga ransomware using something like scheduled tasks or services in Microsoft's Active Directory, a British security expert says.

  • Microsoft starts notifying Windows 7 users about end of support

    Microsoft’s end of support date means that Windows 7 users will no longer receive security updates, and the company wants consumers to upgrade to Windows 10 PCs instead. While the notification doesn’t mention Windows 10, Microsoft links to a new Windows 7 site that encourages consumers to upgrade their PCs.

  • Critical flaw lets [attackers] control lifesaving devices implanted inside patients

    The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.

    Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they're implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic rely on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company's CareLink Programmer in clinics, while patients use the MyCareLink Monitor in homes to regularly ensure the defibrillators are working properly.

  • New vulnerability reporting platform aims to make open source safer [Ed: Ad disguised as an article for firm that works with Microsoft and never speaks about back doors in proprietary software]

Security: AccessEnforcer, Windows Ransomware Does Major Damage, Spammers Send Junk Mail to Thousands of Printers, Google Cleanup and More

Filed under
Security
  • VLANs and More Added to AccessEnforcer UTM Firewall

    AccessEnforcer Version 4.1 also updates the firewall's operating system to OpenBSD 6.3. OpenBSD is one of the most secure operating systems in the world. Version 6.3 provides additional mitigations against the Spectre and Meltdown vulnerabilities and also mitigates against return-oriented programming and other memory corruption attacks.

  • Norwegian aluminium firm slowly recovering from ransomware attack

    Norwegian aluminium maker Norsk Hydro says it has made some progress restoring its systems back to normal after being hit by Windows ransomware known as LockerGoga on Monday evening.

  • Spammers Send Junk Mail to Thousands of Printers

    Spam has been with us since the very first days of email, but a Russian marketing agency recently took things a stage further by sending good old-fashioned paper-based junk mail over the internet.

    The company claims to have advertised a graphic design course for its client Skillbox using a software bot that searched for online printers. It printed a one-page promotion on every device it found, directing them to a website boasting about its exploits.

    The website for the company's marketing campaign, which I am deliberately not linking to here, explains that "by the 2024", it is "94% likely" that bots will replace accountants, auditors, and financial analysts by the million. Consequently, it says, accountants (or anyone else worried about being replaced by AI) should learn graphic design instead. The stats come from a five-year-old Oxford Martin School report, but that needn't concern us here.

    What's more interesting is another statistic: 600,000. That’s how many printers the marketing agency claim to have clogged up with advertising, according to this report from Graham Cluley.

    [...]

    It wouldn't be the first time that someone had spammed printers online. In December, a hacker calling himself TheHackerGiraffe spammed 50,000 printers promoting popular YouTube celebrity PewDiePie. Other incidents have been much darker. Nazi nerd Andrew Auernheimer, a.k.a. Weev, sent white supremacist messages to every printer in North America that he could find. Instead of using Shodan, he used Masscan, which is a mass IP port scanner.

  • Android clampdown on calls and texts access trashes bunch of apps

    Android looks a little less open now that Google has begun to enforce draconian new rules on accessing a phone's call and text logs.

    Developers have been forced to remove features or in some cases change the fundamental nature of the application. One example is BlackBerry's Hub, an email client which also aggregated notifications from a variety of apps and presented them chronologically in a timeline. This application has lost its ability to include calls and texts in that timeline.

    Exceptions created by Google don't seem to be honoured, developers complained. One said that an enterprise archiving app – a category specifically exempt from the clampdown – has been broken.

    Another developer, Miroslav Novosvetsky of MobileSoft, rued that he might have to withdraw his Callistics usage monitor app altogether.

  • The martian packet case in our Neutron floating IP setup

    A community member opened a bug the other day related to a weird networking behavior in the Cloud VPS service, offered by the Cloud Services team at Wikimedia Foundation. This VPS hosting service is based on Openstack, and we implement the networking bits by means of Neutron.

    Our current setup is based on Openstack Mitaka (old, I know) and the networking architecture we use is extensively described in our docs. What is interesting today is our floating IP setup, which Neutron uses by means of the Netfilter NAT engine.

    Neutron creates a couple of NAT rules for each floating IP, to implement both SNAT and DNAT. In our setup, if a VM uses a floating IP, then all its traffic to and from The Internet will use this floating IP. In our case, the floating IP range is made of public IPv4 addresses.
