Security

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Jelle Van der Waa: Mini DebConf Hamburg 2019

    The reproducible builds project was invited to join the mini DebConf Hamburg sprints and conference part. I attended with the intention to get together to work on Arch Linux reproducible test setup improvements, reproducing more packages and comparing results.

    The first improvement was adding JSON status output for Arch Linux and coincidentally also OpenSUSE and, in the future, Alpine; the commit can be viewed here. The result was deployed and the Arch Linux JSON results are live.

    The next day, I investigated why Arch Linux's kernel is not reproducible.

  • Rogue Raspberry Pi allowed hackers to infiltrate NASA's systems [iophk: "article is missing any relevant details, lack of bureaucracy was not the cause here unlike what is asserted"]

    That's according to a recent audit by the agency's Office of Inspector General, which reveals a number of security weaknesses affecting its Jet Propulsion Laboratory (JPL).

    The report claims that multiple IT security control weaknesses "reduce JPL's ability to prevent, detect and mitigate attacks targeting its systems and networks" while "exposing NASA systems and data to exploitation by cybercriminals".

  • Hacking Hardware Security Modules

    This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.

  • The looming threat of malicious backdoors in software source code

    The history of backdoors in source code has largely been about managing insider threats. For example, a rogue developer looking to sabotage the organization. What’s changed is that increasingly well-funded nation-state attackers can afford to take a much longer-term view. This means writing useful code with backdoors planted deep inside it, making the code widely available, and waiting to see who adopts it.

  • A Florida city paid a $600,000 bitcoin ransom to hackers who took over its computers — and it's a massive alarm bell for the rest of the US [iophk: "Windows TCO"]

    A Florida city's council voted to pay a ransom of $600,000 in Bitcoin to [crackers] that targeted its computer systems — and the payout is a sign of how unprepared much of the US is to deal with a coming wave of cyberattacks.

Security: John Deere, Windows, Debian, Ubuntu, and Mozilla Firefox

  • John Deere's Promotional USB Drive Hijacks Your Keyboard

    “The device itself, it’s pretty ingenious, actually,” the Reddit user said. “It’s an HID-compliant keyboard that, when connected detects what platform it’s on and automatically sends a keyboard shortcut to open a browser, and then it barfs the link into the address bar.”

  • New Variant of the Houdini Worm Emerges

    WSH RAT is currently being offered as a subscription, at $50 per month. The malware operators are actively marketing the malware as compatible with all Windows XP to Windows 10 releases, featuring automatic startup methods, and various remote access, evasion, and stealing capabilities.

  • Debian's Intel MDS Mitigations Are Available for Sandy Bridge Server/Core-X CPUs

    The Debian Project recently announced the general availability of a new security update for the intel-microcode firmware to patch the recently disclosed Intel MDS (Microarchitectural Data Sampling) vulnerabilities on more Intel CPUs.

    Last month, on May 14th, Intel disclosed four new security vulnerabilities affecting many of its Intel microprocessor families. The tech giant was quick to release updated microcode firmware to mitigate these flaws, but not all the processor families were patched.

  • Canonical Outs New Linux Kernel Live Patch for Ubuntu 18.04 LTS and 16.04 LTS

    Canonical released a new Linux kernel live patch for the Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) operating system series to address the recently disclosed TCP Denial of Service (DoS) vulnerabilities.

    Coming hot on the heels of the recent Linux kernel security updates published earlier this week for all supported Ubuntu releases, the new Linux kernel live patch is only targeted at Ubuntu versions that support the kernel live patch and are long-term supported, including Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus).

  • Firefox Users Warned to Patch Critical Flaw

    Mozilla is urging users of its Firefox browsers to update them immediately to fix a critical zero-day vulnerability. Anyone using Firefox on a Windows, macOS or Linux desktop is at risk.

    The vulnerability, CVE-2019-11707, is a type confusion in Array.pop. It has been patched in Firefox 67.0.3 and Firefox ESR 60.7.1.

    Mozilla announced the patch Tuesday, but the vulnerability was discovered by Samuel Groß of Google Project Zero on April 15.

    Mozilla implemented the fix after digital currency exchange Coinbase reported exploitation of the vulnerability for targeted spearphishing attacks.

    "On Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign," Selena Deckelmann, senior director, Firefox Browser Engineering, told TechNewsWorld. "In less than 24 hours, we released a fix for the exploit."

Tails 3.14.1 is out

Filed under
GNU
Linux
Security
Web
Debian

This release is an emergency release to fix a critical security vulnerability in Tor Browser.

It also fixes other security vulnerabilities. You should upgrade as soon as possible.

Also: It's Time to Switch to a Privacy Browser

Latest Security FUD

Security: National Security Agency (NSA) in Coreboot and NSA Back Doors in Microsoft Windows Out of Control

  • The NSA Is Looking To Contribute To A New x86 Security Feature To Coreboot

    The US National Security Agency (NSA) has developers contributing to the Coreboot project.

    Eugene Myers of the NSA under the Information Assurance Research, NSA/CSS Research Directorate, has been leading some work on an STM/PE implementation for Coreboot.

  • Coreboot Adds Support For Apollolake-Powered UP-Squared SBC Maker Board

    Coreboot now supports the UP Squared, the new single board computer / maker board based on an Intel Apollo Lake SoC.

    Not to be confused with the $35 Atomic Pi Intel SBC that aims to compete directly with the Raspberry Pi, the UP Squared is a higher-tier ~$150 board with more connectivity and options. The UP Squared offers dual Gigabit Ethernet, HDMI / DP, eMMC, mini-PCIe x1, MIPI CSI, 40-pin header, two USB 3.0 ports, and other options. Both Microsoft Windows and an assortment of Linux distributions are supported.

  • All-In-One Malware ‘Plurox’ Can Hack Your PC In ‘Three Different Ways’ [Ed: When you mean to say Microsoft Windows (with its NSA back doors) but instead you say "PC" as if Microsoft has nothing to do with it]

    The SMB plugin mentioned previously is essentially a repackaged NSA exploit called EternalBlue that was publicly leaked in 2017.

    The plugin allows bad actors to scan local networks and spread the malware to vulnerable workstations via the SMB protocol (running the EternalBlue exploit).

    But that’s not all. UPnP is actually the sneakiest and most nasty plugin among all. It creates port forwarding rules on the local network of a compromised system and uses it to build backdoors into enterprise networks bypassing firewalls and other security measures in place.

  • Windows 10 gets a lot of little fixes – and Microsoft reminds us it’ll start to force updates [Ed: Forced NSA back doors. Gone are the days of controlling our PCs if they contain proprietary software because "for our security/safety" (of course!) remote software modifications will be imposed on us.]

Security: Updates, Containers, Compilers and More

Security: Mozilla Patch for Firefox and Getting Started with OpenSSL

  • Zero-Day Flaw In Firefox Is Getting Exploited By Hackers; Update Now!

    Mozilla has issued a warning of a zero-day flaw in Firefox browser that is currently being exploited in the wild. But the good news is that an emergency patch has been released for the same so you should update your browser now!

    The vulnerability was discovered by Google’s Project Zero security team...

  • Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

    A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

  • Getting started with OpenSSL: Cryptography basics

    This article is the first of two on cryptography basics using OpenSSL, a production-grade library and toolkit popular on Linux and other systems. (To install the most recent version of OpenSSL, see here.) OpenSSL utilities are available at the command line, and programs can call functions from the OpenSSL libraries. The sample program for this article is in C, the source language for the OpenSSL libraries.

    The two articles in this series cover—collectively—cryptographic hashes, digital signatures, encryption and decryption, and digital certificates. You can find the code and command-line examples in a ZIP file from my website.

    Let’s start with a review of the SSL in the OpenSSL name.

NSA Back Doors in Windows Causing Chaos While Media is Obsessing Over DoS Linux Bug

Filed under
Microsoft
Security
  • U.S. Government Announces Critical Warning For Microsoft Windows Users

    The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has gone public with a warning to Microsoft Windows users regarding a critical security vulnerability. By issuing the "update now" warning, CISA has joined the likes of Microsoft itself and the National Security Agency (NSA) in warning Windows users of the danger from the BlueKeep vulnerability.

    This latest warning, and many would argue the one with most gravitas, comes hot on the heels of Yaniv Balmas, the global head of cyber research at security vendor Check Point, telling me in an interview for SC Magazine UK that "it's now a race against the clock by cyber criminals which makes this vulnerability a ticking cyber bomb." Balmas also predicted that it will only be "a matter of weeks" before attackers started exploiting BlueKeep.

    The CISA alert appears to confirm this, stating that it has, "coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep." That it can confirm a remote code execution on Windows 2000 might not sound too frightening (this is an old operating system, after all), but it would be unwise to classify this as an exercise in fear, uncertainty and doubt. Until now, the exploits that have been developed, at least those seen in operation, did nothing more than crash the computer. Achieving remote code execution brings the specter of the BlueKeep worm into view as it brings control of infected machines to the attacker.

  • Netflix uncovers SACK Panic vuln that can bork Linux-based systems

Security Leftovers

  • Microsoft & Pentagon are quietly hijacking US elections (by Lee Camp)

    Good news, folks! We have found the answer to the American rigged and rotten election system.
    The most trustworthy of corporations recently announced it is going to selflessly and patriotically secure our elections. It’s a small company run by vegans and powered by love. It goes by the name “Microsoft.” (You’re forgiven for never having heard of it.)

    The recent headlines were grandiose and thrilling:

    “Microsoft offers software tools to secure elections.”

    “Microsoft aims to modernize and secure voting with ElectionGuard.”

    Could anything be safer than software christened “ElectionGuard™”?! It has “guard” right there in the name. It’s as strong and trustworthy as the little-known Crotch Guard™ – an actual oil meant to be sprayed on one’s junk. I’m unclear as to why one sprays it on one’s junk, but perhaps it’s to secure your erections? (Because they’ve been micro-soft?)

  • Netflix Researchers Just Fixed 4 Severe Linux And FreeBSD Vulnerabilities
  • Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    As Netflix's first security bulletin for 2019, they warned of TCP-based remote denial of service vulnerabilities affecting both Linux and FreeBSD. These vulnerabilities are rated "critical" but already being corrected within the latest Git code.

More in Tux Machines

Software: TenFourFox/Firefox, Linux Boot Loaders, Viber Alternatives, Switchconf, and HowTos

  • Clean out your fonts, people

    Thus, the number of fonts you have currently installed directly affects TenFourFox's performance, and TenFourFox is definitely not the only application that needs to know what fonts are installed. If you have a large (as in several hundred) number of font files and particularly if you are not using an SSD, you should strongly consider thinning them out or using some sort of font management system. Even simply disabling the fonts in Font Book will help, because under the hood this will move the font to a disabled location, and TenFourFox and other applications will then not have to track it further.

  • Some Of The Linux Boot Loaders
  • Best 4 Viber Alternatives Available to Download with Open-Source License

    We all know what Signal is. By using this app, you can easily talk to your friends without all the SMS fees. You can also create groups, share media and all kinds of attachments – it’s all private. The server never gets access to your messages. However, if you don’t like this app, we come with the best 5 alternatives for it.

  • New release of switchconf 0.0.16

    I have moved the development of switchconf from a private svn repo to a git repo in salsa: https://salsa.debian.org/debian/switchconf. Created a virtual host called http://software.calhariz.com where I will publish the sources of the software that I take care of. Updated the Makefile to the git repo and released version 0.0.16.

  • How To Install VirtualBox Guest Additions on Ubuntu 18.04
  • How To Install Proxmox VE Hypervisor

OSS Leftovers

  • How open source and AI can take us to the Moon, Mars, and beyond

    Research institutions and national labs across the globe are pouring hundreds of thousands of research hours into every conceivable aspect of space science. And, overwhelmingly, the high performance computing (HPC) systems used for all research are running open source software. In fact, 100% of the current TOP500 supercomputers run on some form of Linux. Therefore, it’s likely that the future of space exploration will be built on the open source philosophy of knowledge sharing and collaboration among researchers and developers. Success will depend on the adoption of open technologies to stimulate collaboration among nations, as well as advances in the field of AI and machine learning. Although these are ambitious objectives that could take several years to fully implement, we are already seeing great progress: open source software is already running in space, AI and machine learning is used in spacecraft communications and navigation, and the number of commercial companies interested in the space economy is growing.

  • ElectrifAi launches AI industry’s first open source machine learning platform

    With the new platform, ElectrifAi’s data scientists – as well as those of its customers – can code and access data in any programming language. According to ElectrifAi, the incorporation of Docker Containers and Kubernetes enables the firm to build and deploy hybrid cloud enterprise solutions at scale.

  • The development of the open source platform – An industry perspective

    There has been much dialog, but not much action with regard to the evolution of retail trading platforms in recent years. For many brokerages, relying on the status quo which represents an unholy alliance between third party vendor MetaQuotes, thereby disabling a broker from owning its own client base or infrastructure and becoming subservient to an affiliate marketing platform rather than empowered by a multi-faceted trading platform, remains. FinanceFeeds has attended numerous meetings with brokerage senior executives across the globe, all of whom understand the value and importance of going down the multi-asset product expansion route, and almost all of whom understand the clear virtues of having a bespoke user interface which engenders a loyal customer base, enables brokers to own the entire intellectual property base of its business – which let’s face it is why entrepreneurs start businesses in the first place – and offer differentiating services to specific audiences. A simple glance at the continuity and geographic location of client bases of companies such as Hargreaves Lansdown or CMC Markets, and the absolute lack of reliance on affiliate networks is testimony to that. This week, Richard Goers, CEO of Australian professional trading platform development company ManagedLeverage spoke out about a continuing issue which is something that has been prominent in the viewpoint of FinanceFeeds for some years, that being the development of open source platforms.

  • Break Up Your Innovation Program, If You Want It To Survive

    With open-source software, problems are solved faster than by any other means.

  • Don’t be fooled by the [Internet]: this week in tech, 20 years ago

    One thing I wanted to say is, don’t be fooled by the internet. It’s cool to get on the computer, but don’t let the computer get on you. It’s cool to use the computer, don’t let the computer use you. Y’all saw The Matrix. There’s a war going on. The battlefield’s in the mind. And the prize is the soul. So just be careful. Be very careful. Thank you.

  • How Suse is taking open source deeper into the enterprise

    The diversity in the open source software world can be a boon and a bane to wider adoption in the enterprise. After all, without the right knowhow, it can be hard to figure out how they are going to work together on existing infrastructure – and if the chosen projects will eventually survive. That’s where open source companies such as Suse step in. While smaller than US-based rival Red Hat, Suse has found its footing in identifying and supporting open source projects that help to run mission-critical enterprise workloads, improve developer productivity and solve business problems in industries such as retail.

  • SUSE joins iRODS Consortium

    iRODS is open source storage data management software for data discovery, workflow automation, secure collaboration, and data virtualization. By creating a unified namespace and a metadata catalog of all the data and users within a storage environment, the iRODS rule engine allows users to automate data management. [...] Alan Clark, SUSE CTO Office lead focused on Industry Initiatives and Emerging Standards and chairman of the OpenStack Foundation board of directors, said, “SUSE is excited to join the iRODS Consortium, lending our open source technical expertise to help advance the iRODS data management software. The integration with SUSE Enterprise Storage helps customers lower total cost of ownership, leveraging commodity hardware to support their iRODS-managed storage environments. As a leading provider of open source software, SUSE helps our customers leverage the latest open source technologies for application delivery and software-defined infrastructure. SUSE tests and hardens our solutions, ensuring they are enterprise ready and backed by our superior support experience.”

  • Cortex Command Goes Open Source, Gets LAN Support

    To help facilitate future community development, Data Realms have released the game’s source code.

  • Why Open Source Matters For Chinese Tech Firms?

    As companies plow more and more investment into AI research, China has finally woken up to the realisation of open source and how it can shape the development of a field that’s becoming increasingly attractive. Over the last few years, open-source has become the foundation of innovation — and the major contributions come from tech giants like Facebook, Microsoft, Google, Uber and Amazon among others. In November 2015, Google made an unparalleled move by open-sourcing its software library — which now rivals Torch, Caffe and Theano. These are the open-source lessons that big Chinese companies seem to be learning fast. Traditionally, Chinese firms have trailed behind their US counterparts when it comes to the contributions from the US and Europe, but that’s changing now. Over a period of time, Chinese tech companies are trying to grow their influence in the open-source world by building a robust ecosystem. Not only that, they have learnt that open-sourcing tech can help attract great ML talent and increasingly it is also making good business sense. At a time when the AI tool stack is evolving, enterprises are rushing to grab a pie and provide a unified software and hardware technology stack. Internet and cloud Chinese tech giants have woken up to the promise of open source and AI-related datasets and models can serve the bigger business goals of the companies.

  • How Open Source Alluxio Is Democratizing Data Orchestration

    Alluxio is one of the many leading open-source projects/companies – including Spark and Mesosphere – that emerged from UC Berkeley Labs. Haoyuan (H.Y.) Li Founder, Chairman and CTO of Alluxio, sat down with Swapnil Bhartiya, Editor-in-Chief of TFIR to discuss how Alluxio is providing new ways for organizations to manage data at scale with its data orchestration platform. Alluxio’s data orchestration layer has increased efficiency by four times, so companies are finding that work that used to take one year now takes three months. For many enterprise companies, the path to the cloud starts with an intermediate step of a hybrid cloud approach, Li said. He also sees widespread enterprise adoption of a multi-cloud strategy.

  • Cloudera Moves To All-Open Source Model In Major Shift

    Amidst financial troubles and departure of chief executive Tom Reilly, company says it wants to emulate success of pure open source pioneer Red Hat.

  • Cloudera Follows Hortonworks' Open Source Lead

    Trying to survive the carnage AWS and the like are causing in the Big Data space, Cloudera is open sourcing its entire product line. [...] Less than six months after closing its merger with Hortonworks, the Big Data company Cloudera has announced it's going all open source.

Database News on YugaByte Going for Apache 2.0 Licence

  • YugaByte Becomes 100% Open Source Under Apache 2.0 License

    YugaByte, a provider of open source distributed SQL databases, announced that YugaByte DB is now 100% open source under the Apache 2.0 license, bringing previously commercial features into the open source core. The transition breaks the boundaries between YugaByte’s Community and Enterprise editions by bringing previously commercial-only, closed-source features such as Distributed Backups, Data Encryption, and Read Replicas into the open source core project distributed under the permissive Apache 2.0 license. Starting immediately, there is only one edition of YugaByte DB for developers to build their business-critical, cloud-native applications.

  • YugaByte's Apache 2.0 License Delivers 100% Open Source Distributed SQL Database

    YugaByte, the open source distributed SQL databases company, announced that YugaByte DB is now 100 percent open source under the Apache 2.0 license, bringing previously commercial features into the open source core. The move, in addition to other updates available now through YugaByte DB 1.3, allows users to more openly collaborate across what is now the world’s most powerful open source distributed SQL database.

  • SD Times Open-Source Project of the Week: YugaByte DB

    This week’s SD Times Open Source Project of the Week is the newly open-sourced YugaByte DB, which allows users to better collaborate on the distributed SQL database. The move to the open-source core project distributed under the Apache 2.0 license makes previously closed-sourced features such as distributed backups, data encryption and read replicas more accessible, according to the team. By doing this, YugaByte plans to break the boundaries between YugaByte’s Community and Enterprise editions. “YugaByte DB combines PostgreSQL’s language breadth with Oracle-like reliability, but on modern cloud infrastructure. With our licensing changes, we have removed every barrier that developers face in adopting a business-critical database and operations engineers face in running a fleet of database clusters, with extreme ease,” said Kannan Muthukkaruppan, co-founder and CEO of YugaByte.

Programming: Ruby, NativeScript, Python, Rust/C/C++ FUD From Microsoft