
Security

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • GPS Hack Allows Hackers To Seize Control Of Your Car and Kill it

    A GPS hack present in the navigation apps iTrack and Protrack makes it possible to remotely kill your car's engine at the flick of a button.

    The hacker goes by the name of L&M and he is only using this exploit to show vulnerabilities in car security systems. He has no intention of causing any real-world harm.

  • Want To “Block” Windows 10 May 2019 Update? Simply Plug In A USB Drive

    Every Windows 10 update comes with its own share of weird issues that are often hard to explain and funny at the same time. One such issue plaguing the upcoming Windows 10 May 2019 Update is related to USB drives.

  • An introduction to AppArmor

    Attacks are becoming more sophisticated, attack frequency is on the rise, and the cost of cybercrime damage is projected to reach $6 trillion annually by 2021. Traditional defensive measures such as firewalls and intrusion detection systems that operate at the network perimeter are no longer enough to protect today’s distributed enterprise networks. Rather, a ‘defence in depth’ approach is required in order to protect all facets of an organisation’s digital infrastructure.

    In an ideal world, applications would be free from security vulnerabilities but, once compromised, even a trusted application can become untrustworthy. AppArmor provides a crucial layer of security around applications. By providing the capability to whitelist an application’s permissible actions, AppArmor enables administrators to apply the principle of least privilege to applications. Once in place, AppArmor can halt attacks and minimise or prevent damage in the event of a breach.

  • SELinux helped to find security bug in build system!
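The AppArmor item above describes whitelisting an application's permissible actions without showing what a profile looks like. The following is an added example, not taken from the article or from Ubuntu's documentation: an enforce-mode profile for a hypothetical daemon `/usr/local/bin/reportd` (binary name, config directory and log path are assumed for the example) that may read its own config, append to one log file, and listen on TCP, and nothing else.

```text
# /etc/apparmor.d/usr.local.bin.reportd   (hypothetical service, example profile)
#include <tunables/global>

/usr/local/bin/reportd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Only the capability the daemon actually needs (binding a port < 1024).
  capability net_bind_service,

  # Networking: TCP over IPv4/IPv6 only. No raw sockets, no UDP.
  network inet stream,
  network inet6 stream,

  # Whitelisted filesystem access. Anything not listed is denied and logged.
  /usr/local/bin/reportd          mr,
  /etc/reportd/**                 r,
  /var/log/reportd/reportd.log    w,
  owner /run/reportd/*.pid        rw,

  # Explicit denials for things an attacker reaches for after a compromise.
  # 'deny' rules win over any allow rule and are enforced even in complain mode.
  deny /bin/** x,
  deny /usr/bin/** x,
  deny @{HOME}/** rw,
  audit deny /etc/shadow r,
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.reportd` and check `sudo aa-status`. The practical workflow is to start in complain mode (`sudo aa-complain /usr/local/bin/reportd`), exercise the service, collect the `apparmor="DENIED"` lines from the kernel log (or `aa-logprof`) to see what the whitelist is missing, and only then switch to `aa-enforce`. A profile that is too tight breaks the service; one that grants `/**` or `capability sys_admin,` grants nothing useful.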

Security Leftovers

Filed under
Security
  • Microsoft will block Windows 10 May 2019 Update installs on PCs with external storage

    A new support document on the Microsoft website explains: "Inappropriate drive reassignment can occur on eligible computers that have an external USB device or SD memory card attached during the installation of the May 2019 update," the company said. "For this reason, these computers are currently blocked from receiving the May 2019 Update."

  • G7 Comes Out in Favor of Encryption Backdoors

    There is a weird belief amongst policy makers that [cracking] an encryption system's key management system is fundamentally different than [cracking] the system's encryption algorithm. The difference is only technical; the effect is the same. Both are ways of weakening encryption.

  • In Push for 2020 Election Security, Top Official Was Warned: Don’t Tell Trump

    Ms. Nielsen left the Department of Homeland Security early this month after a tumultuous 16-month tenure and tensions with the White House. Officials said she had become increasingly concerned about Russia’s continued activity in the United States during and after the 2018 midterm elections — ranging from its search for new techniques to divide Americans using social media, to experiments by [attackers], to rerouting [Internet] traffic and infiltrating power grids.

  • WiFi hotspot app exposed two million passwords in plaintext

    It found that the database of over two million passwords had been left on a cloud server, publicly available and completely unprotected, meaning that anyone who found it could easily download the whole shebang.

    Despite repeated, failed attempts, the developer (Chinese - plus ça change) has not responded to questions on the matter, and in the end, the cloud host, DigitalOcean, agreed to take the database down unilaterally.

  • Yubico Security Key: Local 2FA with PAM

    Some time ago, we compared the YubiKey 4C and the Nitrokey Pro which we both use on a daily basis. This time, we show you how you can use a Yubico Security Key with the pluggable authentication module (PAM) on Linux for local two-factor authentication (2FA).
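To make the PAM part of the Yubico item above concrete, here is an added configuration fragment (not the article's own) using Yubico's `pam_u2f` module to require a key touch after the password for `sudo`. The username `alice`, the central mapping file path and the Debian/Ubuntu `@include common-auth` line are assumptions for the example; other distributions structure the file differently.

```text
# /etc/pam.d/sudo   (fragment; added example, not the article's own configuration)
#
# Register each user's key once into a root-owned central file (touch the key when it
# blinks). The mapping line produced looks like alice:<keyhandle>,<pubkey>,es256,+presence
#   pamu2fcfg -u alice | tee -a /etc/u2f_mappings
#   chmod 644 /etc/u2f_mappings

# 1st factor: the distribution's normal password stack.
@include common-auth

# 2nd factor: pam_u2f. 'required' (never 'sufficient') so the key cannot replace the
# password. 'cue' prints "Please touch the device." Do NOT add 'nouserok': it waves
# through any user who has no registered key.
auth    required    pam_u2f.so  authfile=/etc/u2f_mappings cue
```

Keep a second root shell open until you have confirmed `sudo -k; sudo true` succeeds with the key and fails without it; a mistake in a PAM stack locks you out of the machine, not just of the application.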

Security: Cumulus Networks, Passwords, Wget, French Government

Filed under
Security
  • Cumulus Networks' new version of NetQ provides real-time telemetry and fabric-wide analytics
  • Once again, it’s 123456: the password that says ‘I give up’

    The essence of most people’s regard for cybersecurity: we’re DOOMED.

    That’s one of the key takeaways from the UK’s National Cyber Security Centre (NCSC), which released the results of its first ever UK cyber survey on Sunday, along with a list of the most craptacular passwords found most often in breached databases.

  • GNU Wget Buffer Overflow Vulnerability [CVE-2019-5953]

    A vulnerability in GNU Wget could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system.

    The vulnerability exists because the affected software performs improper bounds checks, which could result in a buffer overflow condition in the irc.c source code file. An attacker could exploit this vulnerability by persuading a user to retrieve a file that submits malicious input using the wget command. A successful exploit could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition. The vendor has confirmed the vulnerability and released software updates.

  • The French Govt's Hand-Rolled Encrypted Messaging Service (Briefly) Allowed Anyone To Pretend They Were A Government Official

    Not only was Robert able to get his faux account validated within two hours of downloading the app, he was also able to obtain plenty of info linked to other government account profiles. On the bright side, the team behind the app reacted quickly to notification of the security flaw and suspended account creation until it could be patched. The French government has also instituted a bug bounty program for Tchap, which will hopefully result in further flaws being addressed before they're exploited by criminals or state-sponsored hackers.

    To be fair, Tchap is still in its "beta" stage. But that's not much comfort considering it was rolled out for use in this state, exposing government employees' personal account info and allowing any outsider to take a seat at the Tchap table just by exploiting the system's less-than-robust validation process.

How to enable SSH access using a GPG key for authentication

Filed under
Linux
Security
HowTos

Many of us are familiar with Secure Shell (SSH), which allows us to connect to other systems using a key instead of a password. This guide will explain how to eliminate SSH keys and use a GNU Privacy Guard (GPG) subkey instead.

Using GPG does not make your SSH connections more secure. SSH is a secure protocol, and SSH keys are secure. Instead, it makes certain forms of key distribution and backup management easier. It also will not change your workflow for using SSH. All commands will continue to work as you expect, except that you will no longer have SSH private keys and you will unlock your GPG key instead.
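The setup the article describes, as an added example rather than the article's own commands: the script below enables gpg-agent's built-in SSH agent, points `ssh` at its socket, and exports the authentication subkey in `authorized_keys` format. It assumes GnuPG 2.1 or later and an OpenPGP key that already has an authentication-capable (`[A]`) subkey; `KEYID` and the keygrip are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the article above. Assumes GnuPG 2.1+ and an OpenPGP
# key with an authentication ([A]) subkey; KEYID is a placeholder for its fingerprint.
set -euo pipefail

# Idempotently turn on gpg-agent's SSH agent emulation. Prints how many times the
# option occurs in the file afterwards (expected: 1, however often you run it).
enable_gpg_ssh_support() {
    local conf="${1:-$HOME/.gnupg/gpg-agent.conf}"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    chmod 600 "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >>"$conf"
    fi
    grep -cx 'enable-ssh-support' "$conf"
}

# gpg-agent only serves on-disk (non-smartcard) auth subkeys whose keygrip is listed
# in ~/.gnupg/sshcontrol. Find the grip with:  gpg -K --with-keygrip KEYID
add_keygrip_to_sshcontrol() {
    local grip="$1" file="${2:-$HOME/.gnupg/sshcontrol}"
    touch "$file"
    chmod 600 "$file"
    grep -qx "$grip" "$file" || printf '%s\n' "$grip" >>"$file"
    grep -cx "$grip" "$file"
}

# Shell lines that point ssh/ssh-add at gpg-agent's socket instead of ssh-agent.
# Use as:  eval "$(gpg_ssh_env)"   (from ~/.bashrc or ~/.profile)
gpg_ssh_env() {
    printf 'unset SSH_AGENT_PID\nexport SSH_AUTH_SOCK=%q\n' \
        "$(gpgconf --list-dirs agent-ssh-socket)"
}

# Public half of the auth subkey in authorized_keys format, for the remote host.
# There is no SSH private key file anywhere; the secret stays under gpg-agent.
export_ssh_pubkey() {
    gpg --export-ssh-key "$1"
}

setup() {
    enable_gpg_ssh_support >/dev/null
    add_keygrip_to_sshcontrol "$1" >/dev/null
    gpgconf --kill gpg-agent            # restart so the new option is read
    gpg-connect-agent /bye >/dev/null   # start it again
    eval "$(gpg_ssh_env)"
    ssh-add -L                          # should now list the key without any ssh-add
    export_ssh_pubkey KEYID
}

# Only run the interactive part on request so the functions can be sourced.
if [ "${GPG_SSH_SETUP:-0}" = "1" ]; then
    setup "${KEYGRIP:?set KEYGRIP to the auth subkey's keygrip}"
fi
```

Run it as `GPG_SSH_SETUP=1 KEYGRIP=<grip> ./gpg-ssh.sh`, then paste the printed line into `~/.ssh/authorized_keys` on the remote side. If `ssh-add -L` prints nothing, the usual causes are a stale `SSH_AUTH_SOCK` left over from a still-running `ssh-agent`, or the keygrip missing from `sshcontrol`.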

Read more

Security Leftovers

Filed under
Security
  • How secure are your containerized apps? [Ed: Why does SJVN promote the Microsoft-connected anti-FOSS firm Snyk?]
  • IPFire 2.23 - Core Update 131 is available for testing

    Finally, the next major version of IPFire is ready for testing. We consider our new Intrusion Prevention System such an important change that we are calling it "IPFire 2.23" from now on. This update also contains a number of other bug fixes and enhancements.

  • How hacking threats spurred secret U.S. blacklist

    U.S. energy regulators are pursuing a risky plan to share with electric utilities a secret "don't buy" list of foreign technology suppliers, according to multiple sources.

    The move reflects the federal government's growing concern that hackers and foreign spies are targeting America's vital energy infrastructure. And it's also raised new questions about the value of top-secret U.S. intelligence if it can't get into the hands of power industry executives who can act on it to avoid high-risk vendors.

    Joseph McClelland, director of the Federal Energy Regulatory Commission's Office of Energy Infrastructure Security, told a Department of Energy advisory committee last month that officials are working on "an open-source procurement list" for utilities to use when deciding where to source their software and equipment.

Security: Updates, One Year With Spectre, Purism Librem Key and Lanner’s 'Security Appliances' With Back-Doored Chips

Filed under
Security
  • Security updates for Tuesday
  • A year with Spectre: a V8 perspective

    On January 3, 2018, Google Project Zero and others disclosed the first three of a new class of vulnerabilities that affect CPUs that perform speculative execution, dubbed Spectre and Meltdown. Using the speculative execution mechanisms of CPUs, an attacker could temporarily bypass both implicit and explicit safety checks in code that prevent programs from reading unauthorized data in memory. While processor speculation was designed to be a microarchitectural detail, invisible at the architectural level, carefully crafted programs could read unauthorized information in speculation and disclose it through side channels such as the execution time of a program fragment.

    When it was shown that JavaScript could be used to mount Spectre attacks, the V8 team became involved in tackling the problem. We formed an emergency response team and worked closely with other teams at Google, our partners at other browser vendors, and our hardware partners. In concert with them, we proactively engaged in both offensive research (constructing proof-of-concept gadgets) and defensive research (mitigations for potential attacks).

  • The Purism Librem Key

    The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. It also has some features that make it a good general-purpose OpenPGP smart card. This article looks at how the Librem Key stacks up against other multi-factor tokens like the YubiKey 5 and also considers what makes the Librem Key a unique trusted-computing tool.

    Purism is a new player in the security key and multi-factor authentication markets. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication.

    In addition, like the YubiKey 5 series, the Librem Key also provides OpenPGP support with cryptographic functions that take place securely on-key. This allows users to generate and use GnuPG public and private keys without exposing any secret key material to the host computer where the USB device is attached.

    The Librem Key is based on the German-manufactured Nitrokey Pro 2, but it has been modified to focus on "trusted boot" when used with Purism's Linux laptops. (I take a closer look at what the trusted boot process is and how the Librem Key fits into that process, later in this article.)

  • Atom-based network security appliances focus on industrial control

    Lanner’s Apollo Lake based “LEC-6041” and Bay Trail “LEC-6032” are Linux-supported network security appliances for industrial control monitoring with up to 7x GbE ports, including SFP ports, plus magnetic isolation and extended temp support.

Security: Curl, Two Factor Authentication (2FA) and Hacking With Kali Linux

Filed under
Security
  • Daniel Stenberg: curl + hackerone = TRUE

    There seems to be no end to updated posts about bug bounties in the curl project these days. Not long ago I mentioned the then new program that sadly enough was cancelled only a few months after its birth.

    Now we are back with a new and refreshed bug bounty program! The curl bug bounty program reborn.

  • Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)

    Liz mentions that by adding passphrase encryption, the private keys become resistant to theft when at rest. However, when they are in use, the usability challenges of re-entering the passphrase on every connection means that “engineers began caching keys unencrypted in memory of their workstations, and worse yet, forwarding the agent to allow remote hosts to use the cached keys without further confirmation”.

    The Matrix breach, which took place on April 11 showcases an example of what happens when authenticated sessions are allowed to propagate without a middle-man. The intruder in the Matrix breach had access to the production databases, potentially giving them access to unencrypted message data, password hashes, and access tokens.

  • Hacking With Kali Linux

    Before I talk about the series that I am going to start, let us briefly talk about who should follow this series.

    I know there are so many people out there who are very curious to learn hacking just to hack their partner's social media account. Well, if you are such a person, please listen to me. Hacking is not about getting into somebody's personal life and stealing their information. It is illegal.

    Somebody said it well: “We need to have a talk on the subject of what's yours and what's mine.”

    So you should not hack information that is not yours.

    But if you are a tech enthusiast who wants to make a career as a penetration tester or white hat hacker, this series can be a really good way to start. So for such enthusiasts, I am creating a page where you can follow the series. You can also follow our social media pages so you get a notification when a new informative article comes out.
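The Liz Fong-Jones item above names the two habits that turn an SSH key into a stolen session: unlocked keys cached in the agent, and agent forwarding. An added client-side fragment (not from the article) that closes both by default; `bastion.example.com` and the internal domain are assumed names.

```text
# ~/.ssh/config   (client side; added example, not the article's own)

# Reach internal hosts through the bastion with ProxyJump (OpenSSH 7.3+).
# The connection is tunnelled, so the bastion never gets a handle to the agent.
Host *.internal.example.com
    ProxyJump bastion.example.com

Host bastion.example.com
    IdentityFile ~/.ssh/id_ed25519_bastion

# Defaults come last: ssh_config uses the first value it finds for each option.
Host *
    ForwardAgent no        # never hand a remote host a pipe to the agent
    IdentitiesOnly yes     # offer only the configured key, not every cached one
```

Pair this with `ssh-add -c -t 4h ~/.ssh/id_ed25519_bastion`: `-c` makes the agent ask for confirmation through `ssh-askpass` on every signature, so a process that reaches the agent socket cannot use the key silently, and `-t` drops the key after four hours rather than leaving it unlocked in memory for the life of the workstation session. For the rare case that genuinely needs forwarding, set it per host with `ForwardAgent yes` under that host's stanza and keep `-c` on.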

Security: 'Phone' Gimmicks, GNU/Linux Tools and More

Filed under
Security
  • Guess Who Fooled The Nokia9 PureView – A Pack Of Chewing Gum!

    We are all aware that smartphone security options such as fingerprint scanners and facial recognition aren’t 100% secure. This has been proved further with the case of the Nokia 9 PureView, which appears to have been unlocked by a pack of chewing gum.

    As per a couple of tweets, the Nokia 9 PureView is reportedly getting unlocked via unidentified fingerprints of another user and a pack of chewing gum.

  • Linux Distributions Should Enhance how Sudo Asks for Passwords

    One thing to notice from the picture above is that the password is hidden. When users type at that point, nothing is displayed on the screen, not even asterisks. They have to trust that something is being written in the terminal, type their password and hit Enter.

    Historically, this is done both for ease of implementation and for security reasons. It makes it difficult for people looking over your shoulder to learn your password length. If they don’t know your password length, it is harder for them to guess it. They can, of course, listen to the keystrokes and try to count how many characters you typed, but that is harder than just looking at the screen and counting the asterisks.

    Also, when they see that your password is long, they might not even try to use your computer and guess your password. But if your password is only a few characters, that gives them hope.

    Additionally, in terms of implementation, displaying an asterisk instead of each password character requires more code and work. In the terminal, when you type normal commands and see them, it is because the terminal’s “echo mode” is on, meaning that all characters are displayed on your screen. For sensitive commands such as sudo or passwd, echo mode is turned off, which simply skips the extra step of printing those characters to the screen. That is less work and code, and it has been done that way since the Unix days, simply hiding the password characters.

  • Top 10 Best Linux Password Managers In 2019

    If you are a Linux user struggling to find a proper password manager, then this post is for you. In this post, we have listed the best (at least for us) Linux password managers.

  • Your Netflix Bandersnatch Choices Can Be Tracked By Hackers

    Netflix took the video streaming industry by storm when it debuted Black Mirror: Bandersnatch last year. The “choose your own adventure” themed movie puts viewers in charge of the story and flow of the movie. The success of Bandersnatch even led to the creation of a second interactive show ‘You vs. Wild’ featuring Bear Grylls.

  • Proactively Identifying Compromised Passwords | Roadmap to Securing Your Infrastructure
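The sudo item above contrasts the cheap approach (turn the terminal's echo off and read a line) with the one that needs extra code (read one keystroke at a time and print a mask). Both, as an added bash example that is not from the article, with the secret returned on stdout and the mask written to stderr; the backspace handling is the part that the "extra code" mostly consists of.

```bash
#!/usr/bin/env bash
# Added example, not from the article. Two ways to prompt for a secret:
#   read_secret_silent  - what sudo/passwd do: echo off, nothing printed per key.
#   read_secret_masked  - one '*' per keystroke, so length is visible but not content.
# Both write the secret to stdout for the caller; prompts and masks go to stderr.

read_secret_silent() {
    local secret=''
    # -s: do not echo (only matters on a terminal); -r: keep backslashes literal.
    # On a tty this is the same as 'stty -echo; read; stty echo' without the
    # risk of leaving echo off if the script dies mid-read.
    IFS= read -rs secret || true
    [ -t 0 ] && printf '\n' >&2     # Enter was not echoed, so end the line ourselves
    printf '%s' "$secret"
}

read_secret_masked() {
    local secret='' ch
    # -n1: return after a single character; read returns an empty string on Enter.
    while IFS= read -rs -n1 ch; do
        [ -z "$ch" ] && break
        if [ "$ch" = $'\177' ] || [ "$ch" = $'\b' ]; then      # Backspace / DEL
            if [ -n "$secret" ]; then
                secret=${secret%?}                               # drop last char
                printf '\b \b' >&2                               # erase one '*'
            fi
        else
            secret+=$ch
            printf '*' >&2
        fi
    done
    [ -t 0 ] && printf '\n' >&2
    printf '%s' "$secret"
}

# Interactive demo; only runs when the script is executed with "demo".
if [ "${1:-}" = "demo" ]; then
    printf 'Password (silent): ' >&2
    p1=$(read_secret_silent)
    printf 'Password (masked): ' >&2
    p2=$(read_secret_masked)
    [ "$p1" = "$p2" ] && echo "match" || echo "mismatch"
fi
```

Note that neither function is safer than the other against a keylogger or a screen recorder; the masked variant only changes what a shoulder-surfer learns (length, and each correction you make). Piping input works with both, which is what the test below relies on.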

Using Ksplice To Detect Exploit Attempts

Filed under
Linux
Security
HowTos

Ksplice is a very cool technology. Ksplice allows you to patch important security updates to your system without a reboot. The in-memory code is patched as well as on-disk components, closing all the gaps for a security vulnerability. All the while, your applications keep running.

A new feature of Ksplice is Known Exploit Detection. When you patch your system with Ksplice, not only is the security vulnerability closed, but also tripwires are laid down for privilege escalation vulnerabilities. If an attacker attempts to exploit a CVE you’ve patched, Ksplice notifies you.

Ksplice is both protecting your system and alerting you to suspicious activity. Very cool.

Read more

Also: Oracle's Ksplice Live Kernel Patching Picks Up Known Exploit Detection

Security: Windows, Marcus Hutchins, Phishing, OpenVPN, DARPA, DINSIC

Filed under
Security
  • The latest Windows patch is breaking even more PCs with antivirus installed

    Earlier this week we reported that Microsoft halted updates to Windows PCs running Sophos and Avast’s security solutions, following user complaints that their machines were locking up or failing to boot. Since then, the list of known issues for the rogue update was itself updated to acknowledge compatibility issues with Avira and ArcaBit antivirus installed, with Microsoft temporarily blocking updates to those affected systems, too. Today, Ars Technica noticed that Microsoft is investigating compatibility issues for systems with McAfee antivirus installed, though it hasn’t started blocking the April 9 update from those PCs just yet.

  • ‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware [iophk: "It looks like they squeezed malware tech with a “plea bargain”. So I would take reports of a guilty plea with a large grain of salt. They probably threatened him with 1000s of years in prison as an alternative. The plea “deal” is not mentioned in the summary, thus misleading the public about the situation."]

    Marcus Hutchins, a security researcher known for helping stop the destructive WannaCry ransomware, pleaded guilty to hacking crimes on Friday.

    Hutchins was accused of writing a banking malware called Kronos in 2014, after he finished high school. The researcher was arrested in Las Vegas after attending the hacker conference Def Con in 2017. Days later, he pleaded not guilty in a Milwaukee courtroom. He was scheduled to be tried this summer.

  • Google will begin to block sign-ins from embedded browser frameworks in June

    Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it’ll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.

  • A deeper look into OpenVPN: Security vulnerabilities

    OpenVPN is the backbone of online security. It is supported in many popular virtual private network (VPN) providers such as NordVPN and ExpressVPN, and continues to receive frequent updates well into its 17th year in operation.

    It’s an unwritten rule of information technology, however, that popular security protocols will attract the largest contingent of hackers. As OpenVPN is open source, it is therefore much easier for hackers to locate and exploit security vulnerabilities within the software design.

    Nevertheless, the value of the open-source model is that it promotes open collaboration, thus encouraging other programmers to suggest changes to the design. This way, security vulnerabilities can be communicated directly to the developers, who then have the option to patch the software and eliminate the vulnerability.

  • DARPA’s New/Old Plan for a Hack-Proof Voting Machine

    The Pentagon’s top research arm is working to build a hack-proof voting machine by combining something brand new with something old – specifically, secure open-source hardware and software using advanced cryptography on one end, and good old paper on the other.

    The Defense Advanced Research Projects Agency (DARPA) recently awarded the tech company Galois a $10 million contract for the project, which grew out of a broader agency project to remedy hardware vulnerabilities, the snappily named SSITH, for System Security Integrated Through Hardware and Firmware.

    Galois, which focuses on ensuring the trustworthiness of hardware and software, will design the system, which will take a different approach from that used by established voting machine makers, who have come under criticism over the vulnerabilities in their systems, Motherboard reported. For one, it will use open-source software, rather than the proprietary systems used by companies such as Election Systems & Software. It also will use open-source hardware, built from designs developed under the SSITH program.

  • New Attacks (and Old Attacks Made New)

    This is shown again in Fortinet's latest Global Threat Landscape Report for the fourth quarter of 2018, where we reported that exploits that targeted individual organizations — often variations of existing malware or the misuse of FOSS (free/open source software) security tools — continue to grow at a rapid pace: 10% over the quarter, while the number of unique exploits they experienced increased by 5%. This suggests that, despite some reports suggesting that malicious actors follow the same work routines as their victims, cybercriminals didn't take much of a break over the holidays. And as you would expect, all of this malware — especially botnets — is becoming more complex and harder to detect.

  • Security flaw in French government messaging app exposed confidential conversations

    Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open-source project called Riot, which is based on an open-source protocol called Matrix.

    In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol that is widely used by consumer apps, such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversations — Messenger and Allo conversations aren’t end-to-end encrypted by default.

  • French Government's 'Secure' WhatsApp Replacement Hacked In Just 90 Minutes

    In order to better protect official conversations, the French government developed its own secure instant messaging alternative to WhatsApp.


More in Tux Machines

OSS: Huawei and "GNU's Not Unix."

  • Huawei Could Rebuild Trust in Their Products Through Open Source

    Open source code for Huawei equipment would allow nations, companies, and individuals alike to verify that the code is free of malware, and that it contains no obvious security problems.

    Reproducible builds allow everyone to be reassured that the code running on the network devices matches the open source code that is reviewed by the public. This removes another layer of distrust.

    And if you want to protect against the advent of Chinese “malicious updates” you can use multi-party key signature schemes for firmware updates, to ensure that updates are approved by the government/company before they are rolled out.

  • The WIRED Guide to Open Source Software

    The open source software movement grew out of the related, but separate, "free software" movement. In 1983, Richard Stallman, at the time a programmer at the MIT Artificial Intelligence Laboratory, said he would create a free alternative to the Unix operating system, then owned by AT&T; Stallman dubbed his alternative GNU, a recursive acronym for "GNU's Not Unix."

    For Stallman, the idea of "free" software was about more than giving software away. It was about ensuring that users were free to use software as they saw fit, free to study its source code, free to modify it for their own purposes, and free to share it with others. Stallman released his code under a license known as the GNU Public License, or GPL, which guarantees users those four software freedoms. The GPL is a "viral" license, meaning that anyone who creates software based on code licensed under the GPL must also release that derivative code under a GPL license.

GNOME 3.34 Desktop Environment Development Kicks Off with First Snapshot

GNOME 3.34 will be the next major release of the popular free and open-source desktop environment for Linux-based operating systems, expected to hit the streets later this year on September 11th. During its entire development cycle, GNOME 3.34 will be developed under the GNOME 3.33.x umbrella. Work on the GNOME 3.34 desktop environment began a few weeks ago, after the launch of the GNOME 3.32 "Taipei" desktop environment, which is already the default desktop environment of the recently released Ubuntu 19.04 (Disco Dingo) operating system and other GNU/Linux distributions. Read more

The mysterious history of the MIT License

I say "seemingly straightforward" because the MIT License is one of the most popular licenses used by open source software. The MIT License, Apache License, and BSD license are the main permissive licenses, a term that contrasts with reciprocal licenses like the GPL, which require source code to be made available when software is redistributed. Given its popularity, you'd think the license's inception would be well-documented. I found various clues that added up to a date in the late 1980s but nothing definitive. However, Keith Packard and Jim Gettys jumped on the thread to offer first-hand accounts of the license's creation. In addition to providing early examples of the license, their help also gave me the context to better understand how the license evolved over time. Read more

BSD: A Look at NomadBSD and Audiocasts About BSDs and ZFS

  • NomadBSD, a BSD for the Road
    As regular It’s FOSS readers should know, I like diving into the world of BSDs. Recently, I came across an interesting BSD that is designed to live on a thumb drive. Let’s take a look at NomadBSD. [...] This German BSD comes with an OpenBox-based desktop with the Plank application dock. NomadBSD makes use of the DSB project. DSB stands for “Desktop Suite (for) (Free)BSD” and consists of a collection of programs designed to create a simple and working environment without needing a ton of dependencies to use one tool. DSB is created by Marcel Kaiser one of the lead devs of NomadBSD. Just like the original BSD projects, you can contact the NomadBSD developers via a mailing list.
  • Fun with funlinkat() | BSD Now 295
    Introducing funlinkat(), an OpenBSD Router with AT&T U-Verse, using NetBSD on a raspberry pi, ZFS encryption is still under development, Rump kernel servers and clients tutorial, Snort on OpenBSD 6.4, and more.
  • Snapshot Sanity | TechSNAP 402
    We continue our take on ZFS as Jim and Wes dive in to snapshots, replication, and the magic on copy on write. Plus some handy tools to manage your snapshots, rsync war stories, and more!