
Security

Security: 'Smart' Locks, Windows in Weapons

Filed under
Security

GNOME's Nautilus Gets Better Google Drive Support, Warns About Security Risks

Filed under
GNOME
Security

The GNOME 3.30 desktop environment is about to get its last scheduled point release, version 3.30.2, which should hit the streets later this month on October 24, and it looks like the Nautilus app was already updated to version 3.30.2, a bugfix release that adds quite a few improvements to the popular file manager.

According to the internal changelog, Nautilus 3.30.2 improves support for opening files stored on Google Drive accounts, improves searching by addressing various crashes, fixes the triple mouse click gesture in the pathbar to minimize the main window, as well as the "/" and "~" characters not opening the location bar.


Security: Electric-Scooter 'Hacking', Facebook Cracked, National Security Agency (NSA) Looks Into Fuchsia/Android and More

Filed under
Security
  • Inside the Lawless New World of Electric-Scooter Hacking

    If major corporations and voting infrastructure can be hacked, then it stands to reason that one could also, and much more easily, hack a $400 electric scooter. And in their rush to make dockless, app-enabled two-wheelers a way of life across every urban neighborhood worldwide — while throttling the competition — startups Bird, Lime, Scoot, Skip and Spin have caused localized backlashes while putting their tech at risk of both clever and stupid exploits.

    What’s funny is that the companies tend to dismiss these vulnerabilities as insignificant. Lime’s director of government relations and strategic development, Sam Sadle, told the Dallas Observer this summer that theft and vandalism of scooters is rare because they’re so often in use. Reacting to complaints that hacking has become common, he added: “It hasn’t in any way limited our ability to operate in the markets in which we do operate.”

  • How to Find Out if You Were Affected by the Recent Facebook Hack [Ed: Facebook is almost certainly lying/lowballing the number and far more people got cracked]

    Facebook has now confirmed that hackers stole access tokens for “only” 30 million people, not 50 million. For 15 million of those people, the hackers were able to get phone number, email address, or both. And for 14 million more people, the hackers were able to get a lot more information, like username, gender, relationship status, religion, birthday, and a ton of other information including things you’ve searched for.

  • Facebook Revises Data Breach Impact Downward, Provides New Details
  • Google Fuchsia: Here's what the NSA knows about it

    A while back, Google told us Fuchsia is not Linux. There have also been endless rumors, with little hard proof, it will eventually replace Android. Other than that, we don't know much. But the National Security Agency (NSA), of all groups, has been checking into Fuchsia and revealed its findings at the recent North American Linux Security Summit in Vancouver, B.C.

  • Course Review: Adversarial Attacks and Hunt Teaming

    At DerbyCon 8, I had the opportunity to take the “Adversarial Attacks and Hunt Teaming” presented by Ben Ten and Larry Spohn from TrustedSec. I went into the course hoping to get a refresher on the latest techniques for Windows domains (I do mostly Linux, IoT & Web Apps at work) as well as to get a better understanding of how hunt teaming is done. (As a Red Teamer, I feel understanding the work done by the blue team is critical to better success and reducing detection.)

Security: Chinese Crackers, Microsoft's Botched New Updates, Latest FOSS Updates

Filed under
Security
  • Hackers [sic] Are Using Stolen Apple IDs to Swipe Cash in China

    Ant Financial’s Alipay and Tencent Holdings Ltd. warned that cyber-attackers employed stolen Apple IDs to break into customers’ accounts and made off with an unknown amount of cash, in a rare security breach for China’s top digital payments providers.

  • Hackers [sic] loot digital wallets using stolen Apple IDs

    Two Chinese companies are warning customers that [crackers] used stolen Apple IDs to get into their digital payment accounts and steal money.

  • Microsoft October 2018 Patch Slightly Flawed and Unable To fully Rectify Jet Database Engine Vulnerability

    On the 20th of September, Trend Micro’s Zero Day Initiative (ZDI) went public with the information of a remote code execution vulnerability that would allow attackers to use the flawed Jet Database Engine to run macros through Microsoft Office programs and cause malicious activities in the target's computer. We covered this previously; you can read it here.

    Regarding this issue, ZDI released a micro-patch on 21st September which fixed the vulnerability and urged Microsoft to correct this in the following patch. ZDI then did a review of the October 2018 update by Microsoft and found that the security flaw, while addressed, has only been limited rather than eliminated.

  • Security updates for Friday

Security: National Security at Stake, Too

Filed under
Security
  • Supermicro boards were so bug ridden, why would hackers ever need implants?
  • New U.S. Weapons Systems Are a Hackers’ [sic] Bonanza, Investigators Find

    The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hackingi [sic].

  • Cool Cool Cool Oversight Office Says It's Incredibly Easy To Hack The Defense Dept.'s Weapons Systems

    The GAO points out the DOD has spent more time locking down its accounting systems than its weapons systems, even as the latter has increasingly relied on computer hardware and software to operate. The systems used by the DOD are a melange of commercial and open-source software, which relies on vendors to provide regular updates and patch vulnerabilities. (Unfortunately for the DOD, some vulnerabilities may not have been disclosed to software/hardware vendors by other government agencies like the NSA.) But the DOD gives itself a 21-day window to apply patches and some remote weapons systems may go months without patching because they often need to return from deployment to be patched properly.

    The end result is a network of defense systems riddled with security holes. The GAO says it doesn't take much to commandeer weapons of mass destruction.

Security: Updates, US Weapons Systems, and Voting Risks

Filed under
Security
  • Security updates for Thursday
  • US Weapons Systems Are Easy Cyberattack Targets, New Report Finds

    Specifically, the report concludes that almost all weapons that the DOD tested between 2012 and 2017 have “mission critical” cyber vulnerabilities. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

  • Election security groups warn of cyber vulnerabilities for emailed ballots

    Experts from both the private and public sector have warned about the vulnerabilities of online voting for years, but the report comes at a time of heightened alarm about election interference from hostile nation-states or cyber criminals.

Security: WhatsApp, Flatpak and DNS

Filed under
Security
  • Hackers Can Take Control Of Your WhatsApp Just With A Video Call: Update Now

    Natalie Silvanovich, a Google Project Zero security researcher, has uncovered a critical security flaw in WhatsApp. The flaw could allow a notorious actor to make a video call and take complete control of your messaging application.

  • Just Answering A Video Call Could Compromise Your WhatsApp Account
  • New Website Claims Flatpak is a “Security Nightmare”

    A newly launched website is warning users about Flatpak, branding the tech a “security nightmare”.

    The ‘Flatkills.org’ web page takes aim at a number of security claims routinely associated with the fledgling Flatpak app packaging and distribution format.

  • DNS Security Still an Issue

    DNS security is a decades-old issue that shows no signs of being fully resolved. Here's a quick overview of some of the problems with proposed solutions and the best way to move forward.

    ...After many years of availability, DNSSEC has yet to attain significant adoption, even though any security expert you might ask recognizes its value. As with any public key infrastructure, DNSSEC is complicated. You must follow a lot of rules carefully, although some network services providers are trying to make things easier.

    But DNSSEC does not encrypt the communications between the DNS client and server. Using the information in your DNS requests, an attacker between you and your DNS server could determine which sites you are attempting to communicate with just by reading packets on the network.

    So despite best efforts of various Internet groups, DNS remains insecure. Too many roadblocks exist that prevent the Internet-wide adoption of a DNS security solution. But it is time to revisit the concerns.

CentOS 6 and RHEL 6 Get Important Kernel Security Update for FragmentSmack Flaw

Filed under
Red Hat
Security

According to the RHSA-2018:2846 and CESA-2018:2846 security advisories, the new kernel security update is marked as "Important" by Red Hat's security team as it patches two security vulnerabilities (CVE-2018-5391 and CVE-2018-14634) discovered in the Linux kernel packages for the Red Hat Enterprise Linux 6 and CentOS Linux 6 operating system series.

The first security flaw addressed in this important kernel update is CVE-2018-5391, a security vulnerability known as FragmentSmack and discovered in the way the Linux kernel handled reassembly of fragmented IPv6 and IPv4 packets, which could allow a remote attacker to cause a denial of service on vulnerable systems by sending specially crafted packets, leading to CPU saturation.


Security: G+, SSH, GAO, Flatpak, Telecommunications (Interception and Access) Act 'Extended', More on China's Alleged Supply Chain Attacks

Filed under
Security
  • Pete Zaitcev: Ding-dong, the witch is dead

    One thing that comes across very strongly is how reluctant people are to run their own infrastructure. For one thing, the danger of a devastating DDoS is absolutely real. And then you have to deal with spam. Those who do not have the experience also tend to over-estimate the amount of effort you have to put into running "dnf update" once in a while.

    Personally, I think that although of course it's annoying, the time wasted on the infra is not that great, or at least it wasn't for me. The spam can be kept under control with a minimal effort. Or, could be addressed in drastic ways. For example, my anime blog simply does not have comments at all. As far as DoS goes, yes, it's a lottery. But then the silo platform can easily die (like G+), or ban you. This actually happens a lot more than those hiding their heads in the sand like to admit. And you don't need to go as far as to admit to your support of President Trump in order to get banned. Anything can trigger it, and the same crazies that DoS you will also try to deplatform you.

  • (SSH) Keys to Unix Security

    Root accounts are the keys to powerful IT systems, the backbone of your entire infrastructure. They use privileged credentials to control shell access, file transfers, or batch jobs that communicate with other computers or apps, often accessed remotely, with local configuration. They can be the trickiest of all types of privileged accounts to secure, particularly if they are based on Unix or Linux.

  • Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says [iophk: "Windows TCO"]

    Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

    [...]

    In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

    [...]

    When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

  • Flatpak - a security nightmare

    Let's hope not! Sadly, it's obvious Red Hat developers working on flatpak do not care about security, yet the self-proclaimed goal is to replace desktop application distribution - a cornerstone of Linux security.

    And it's not only about these security problems. Running KDE apps in fakepak? Forget about desktop integration (not even font size). Need to input Chinese/Japanese/Korean characters? Forget about that too - fcitx has been broken since flatpak 1.0, never fixed since.

    The way we package and distribute desktop applications on Linux surely needs to be rethought; sadly, flatpak is introducing more problems than it is solving.

  • Encryption bill will hit family violence victims: claim

    In a submission to the public consultation on the draft bill, Carolyn Worth, the manager of SECASA, said the broadening of the Telecommunications (Interception and Access) Act 1979 was unwarranted and would be detrimental to all citizens, especially those with a background of family violence and/or sexual assault.

    The period for public comment on the bill, which is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, ended on 10 September after the draft was released on 14 August.

  • Bloomberg says big US telco hit by hardware tampering

    Apparently undeterred by strong criticism of a supply chain attack story it published last week, Bloomberg has put out another yarn, dealing with a similar theme, this time about a "major US telecommunications company" that allegedly encountered doctored hardware made by the US company Supermicro Computer.

  • RiskIQ Detects and Mitigates New Magecart Supply Chain Attack

    "If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."

Security: Trusting the delivery of Firefox Updates, Reproducible Builds Weekly Report and Security updates for Tuesday

Filed under
Security
  • Trusting the delivery of Firefox Updates

    Providing a web browser that you can depend on year after year is one of the core tenets of the Firefox security strategy. We put a lot of time and energy into making sure that the software you run has not been tampered with while being delivered to you.

    In an effort to increase trust in Firefox, we regularly partner with external firms to verify the security of our products. Earlier this year, we hired X41 D-SEC GmbH to audit the mechanism by which Firefox ships updates, known internally as AUS for Application Update Service. Today, we are releasing their report.

    Four researchers spent a total of 27 days running a technical security review of both the backend service that manages updates (Balrog) and the client code that updates your browser. The scope of the audit included a cryptographic review of the update signing protocol, fuzzing of the client code, pentesting of the backend and manual code review of all components.

  • Reproducible Builds: Weekly report #180
  • Security updates for Tuesday