Language Selection

English French German Italian Portuguese Spanish

Security

Security: Windows 'Fun' at Melbourne and Alleged Phishing by Venezuela’s Government

Submitted by Roy Schestowitz on Friday 22nd of February 2019 08:15:37 PM Filed under
Security
»

Security: Indian Railways and WinRAR

Submitted by Roy Schestowitz on Friday 22nd of February 2019 04:19:14 AM Filed under
Security
  • How I could have hacked lakhs of IRCTC accounts and get access to all your private info including easily cancelling booked tickets
  • Major Flaw Allows Attackers To Cancel Tickets On IRCTC Website

    The website of the Indian Railways has been a subject of ridicule owing to the various security flaws that have been discovered in its website over the years. When it comes to protecting user data, the website has been lacking in many ways.

    The website was previously hacked in 2016 when the details of over 1 crore users were leaked. Last year, Kanishk Sanjani, an ethical hacker had ordered food from the IRCTC website for Rs 7. This vulnerability remained unpatched for well over 7 months even after informing concerned authorities.

  • Web Application Security [Ed: a bit spammy]

    Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.

  • This 19-Year-Old WinRAR Flaw Lets Hackers Load Malware To PCs

    he popular windows file archival tool WinRAR has been in use for over two decades now. The software is used to view, create, pack and unpack archives in both ZIP and RAR formats. A recent report by The Register has revealed that the tool has a bug that has remained undetected since 2005.

  • WinRAR Has Serious Flaw That Can Load Malware to PCs

    The popular file archiving tool WinRAR has had a bug for at least 14 years that can be exploited to take over your PC.

    The bug can pave the way for archive files that can trigger WinRAR to actually install whatever malware is secretly inside, according to the security firm Check Point, which discovered the software flaw.

    "The exploit works by just extracting an archive, and puts over 500 million users at risk," the company said in a detailed report published on Wednesday.

»

Security Password Managers, Updates, Intel/Linux, 5 Antivirus for Android Devices and Cisco

Submitted by Roy Schestowitz on Friday 22nd of February 2019 03:29:37 AM Filed under
Security
  • Your Password Manager Has A Severe Flaw — But You Should Still Use One [Ed: Yet worse: 1) people putting password managers on platforms with back doors from Apple and Microsoft. 2) people putting all their password "in the cloud".]

    If you are an avid user of password managers, you might just be in for a surprise. A recent study by researchers at the Independent Security Evaluators found that a number of popular password managers were storing master passwords as plain text within the main memory of devices.

    To an expert hacker, this vulnerability is equivalent to getting the keys to multiple accounts as a text document on your computer. The master key of any password manager can be used to gain access to all usernames and passwords being managed by it.

  • Security updates for Thursday
  • Fun Little Tidbits in a Howling Storm (Re: Intel Security Holes)

    Some kernel developers recently have been trying to work around the massive, horrifying, long-term security holes that have recently been discovered in Intel hardware. In the course of doing so, there were some interesting comments about coding practices.

    Christoph Hellwig and Jesper Dangaard Brouer were working on mitigating some of the giant speed sacrifices needed to avoid Intel's gaping security holes. And, Christoph said that one such patch would increase the networking throughput from 7.5 million packets per second to 9.5 million—a 25% speedup.

    To do this, the patch would check the kernel's "fast path" for any instances of dma_direct_ops and replace them with a simple direct call.

    Linus Torvalds liked the code, but he noticed that Jesper and Christoph's code sometimes would perform certain tests before testing the fast path. But if the kernel actually were taking the fast path, those tests would not be needed. Linus said, "you made the fast case unnecessarily slow."

  • 5 Antivirus for Android Devices That You Should Have in 2019
  • Duo Security Digs Into Chrome Extension Security With CRXcavator
»

Purism's Privacy and Security-Focused Librem 5 Linux Phone to Arrive in Q3 2019

Submitted by Rianne Schestowitz on Thursday 21st of February 2019 07:20:11 PM Filed under
Linux
Security

Initially planned to ship in early 2019, the revolutionary Librem 5 mobile phone was delayed for April 2019, but now it suffered just one more delay due to the CPU choices the development team had to make to deliver a stable and reliable device that won't heat up or discharge too quickly.

Purism had to choose between the i.MX8M Quad or the i.MX8M Mini processors for their Librem 5 Linux-powered smartphone, but after many trials and errors they decided to go with the i.MX8M Quad CPU as manufacturer NXP recently released a new software stack solving all previous power consumption and heating issues.

Read more

»

Kernel and Security: BPF, Mesa, Embedded World, Kernel Address Sanitizer and More

Submitted by Roy Schestowitz on Thursday 21st of February 2019 05:23:16 AM Filed under
Security
  • Concurrency management in BPF

    In the beginning, programs run on the in-kernel BPF virtual machine had no persistent internal state and no data that was shared with any other part of the system. The arrival of eBPF and, in particular, its maps functionality, has changed that situation, though, since a map can be shared between two or more BPF programs as well as with processes running in user space. That sharing naturally leads to concurrency problems, so the BPF developers have found themselves needing to add primitives to manage concurrency (the "exchange and add" or XADD instruction, for example). The next step is the addition of a spinlock mechanism to protect data structures, which has also led to some wider discussions on what the BPF memory model should look like.

    A BPF map can be thought of as a sort of array or hash-table data structure. The actual data stored in a map can be of an arbitrary type, including structures. If a complex structure is read from a map while it is being modified, the result may be internally inconsistent, with surprising (and probably unwelcome) results. In an attempt to prevent such problems, Alexei Starovoitov introduced BPF spinlocks in mid-January; after a number of quick review cycles, version 7 of the patch set was applied on February 1. If all goes well, this feature will be included in the 5.1 kernel.

  • Intel Ready To Add Their Experimental "Iris" Gallium3D Driver To Mesa

    For just over the past year Intel open-source driver developers have been developing a new Gallium3D-based OpenGL driver for Linux systems as the eventual replacement to their long-standing "i965 classic" Mesa driver. The Intel developers are now confident enough in the state of this new driver dubbed Iris that they are looking to merge the driver into mainline Mesa proper. 

    The Iris Gallium3D driver has now matured enough that Kenneth Graunke, the Intel OTC developer who originally started Iris in late 2017, is looking to merge the driver into the mainline code-base of Mesa. The driver isn't yet complete but it's already in good enough shape that he's looking for it to be merged albeit marked experimental.

  • Hallo Nürnberg!

    Collabora is headed to Nuremberg, Germany next week to take part in the 2019 edition of Embedded World, "the leading international fair for embedded systems". Following a successful first attendance in 2018, we are very much looking forward to our second visit! If you are planning on attending, please come say hello in Hall 4, booth 4-280!

    This year, we will be showcasing a state-of-the-art infrastructure for end-to-end, embedded software production. From the birth of a software platform, to reproducible continuous builds, to automated testing on hardware, get a firsthand look at our platform building expertise and see how we use continuous integration to increase productivity and quality control in embedded Linux.

  • KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20

    The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code has just picked up another win with uncovering a use-after-free vulnerability that's been around since the early Linux 2.6 kernels.

    KASAN (along with the other sanitizers) have already proven quite valuable in spotting various coding mistakes hopefully before they are exploited in the real-world. The Kernel Address Sanitizer picked up another feather in its hat with being responsible for the CVE-2019-8912 discovery.

  • io_uring, SCM_RIGHTS, and reference-count cycles

    The io_uring mechanism that was described here in January has been through a number of revisions since then; those changes have generally been fixing implementation issues rather than changing the user-space API. In particular, this patch set seems to have received more than the usual amount of security-related review, which can only be a good thing. Security concerns became a bit of an obstacle for io_uring, though, when virtual filesystem (VFS) maintainer Al Viro threatened to veto the merging of the whole thing. It turns out that there were some reference-counting issues that required his unique experience to straighten out.
    The VFS layer is a complicated beast; it must manage the complexities of the filesystem namespace in a way that provides the highest possible performance while maintaining security and correctness. Achieving that requires making use of almost all of the locking and concurrency-management mechanisms that the kernel offers, plus a couple more implemented internally. It is fair to say that the number of kernel developers who thoroughly understand how it works is extremely small; indeed, sometimes it seems like Viro is the only one with the full picture.

    In keeping with time-honored kernel tradition, little of this complexity is documented, so when Viro gets a moment to write down how some of it works, it's worth paying attention. In a long "brain dump", Viro described how file reference counts are managed, how reference-count cycles can come about, and what the kernel does to break them. For those with the time to beat their brains against it for a while, Viro's explanation (along with a few corrections) is well worth reading. For the rest of us, a lighter version follows.

»

Security Leftovers

Submitted by Roy Schestowitz on Wednesday 20th of February 2019 10:54:23 PM Filed under
Security
  • Wi-Fi ‘Hiding’ Inside USB Cable: A New Security Threat On The Rise?

    Today, the world has become heavily reliant on computers owing to the various advantages they offer. It has thus become imperative that we, as users, remain updated about the various threats that can compromise the security of our data and privacy.

    A recent report published by Hackaday details a new threat that might just compromise the integrity of devices. At first glance, the O.MG cable (Offensive MG Kit) looks like any other USB cable available in the market. It is what lurks within that is a cause for concern.

  • WiFi Hides Inside a USB Cable [Ed: There are far worse things, like USB devices that send a high-voltage payload to burn your whole motherboard. Do not use/insert untrusted devices from dodgy people.]
  • The Insights into Linux Security You May Be Surprised About

    Linux has a strong reputation for being the most secure operating system on the market. It’s been like that for many years, and it doesn’t seem like Windows or macOS are going to overtake it anytime soon. And while the operating system’s reputation is well-deserved, it can also be harmless experienced users.

    The problem is that some seem to put too much trust in the capabilities of Linux by default. As a result, they often don’t pay enough attention to the manual aspect of their security. Linux can help you automate your workflow to a large extent, but it still requires a manual touch to keep things going well. This is even truer when it comes to security.

  • One Identity Bolsters Unix Security with New Release of Authentication Services

    Unix systems (including Linux and Mac OS), by their very nature, have distinct challenges when it comes to security and administration. Because native Unix-based systems are not linked to one another, each server or OS instance requires its own source of authentication and authorization.

  • Book Review – Linux Basics for Hackers

    With countless job openings and growth with no end in sight, InfoSec is the place to be. Many pose the question, “Where do I start?” Over his years of training hackers and eventual security experts across a wide array of industries and occupations, the author ascertains that one of the biggest hurdles that many up-and-coming professional hackers face is the lack of a foundational knowledge or experience with Linux. In an effort to help new practitioners grow, he made the decision to pen a basic ‘How To’ manual, of sorts, to introduce foundational concepts, commands and tricks in order to provide instruction to ease their transition into the world of Linux. Out of this effort, “Linux Basics for Hackers” was born.

  • Security updates for Wednesday
»

Plasma 5.15.1 arrives in Cosmic backports PPA

Submitted by Rianne Schestowitz on Wednesday 20th of February 2019 04:40:38 PM Filed under
KDE
Security

We are pleased to announce that the 1st bugfix release of Plasma 5.15, 5.15.1, is now available in our backports PPA for Cosmic 18.10.

The release announcement detailing the new features and improvements in Plasma 5.15 can be found here, while the full 5.15.1 bugfix changelog can be found here.

Released along with this new version of Plasma is an update to KDE Frameworks 5.54. (5.55 is currently in testing in Disco 19.04 and may follow in the next few weeks.)

Read more

»

Security: More Data Breaches, NATO, 'The Internet of Dongs' and Aadhaar 'Leak'

Submitted by Roy Schestowitz on Wednesday 20th of February 2019 08:35:24 AM Filed under
Security
  • Millions of Swedish Health Hotline Calls Exposed Online in a Massive Case of Data Breach [Ed: When the state puts back doors in everything, as a matter of law]

    Data breach is becoming quite a nightmare for a lot of people with new breaches coming every now and then. In a recent data breach, millions of calls that were made by the Swedish residents have been exposed online. The Swedes were seeking medical advice through a national health telephone service in order to know more about symptoms and medications.

    According to reports, about 2.7 million conversations amounting to more than 170,000 hours are available online. The data in the conversation is extremely private with people talking about their diseases, symptoms, illness, and giving out their social security numbers. This breach has left the Swedish authorities bewildered as they investigate the whole thing.

    Data of the calls dates back to 2013 and is available for anyone to download and listen. Security expert Mikko Hypponen says that the audio calls were saved as Wav files. These files were left open on an unsecured server. This allowed any person to listen or download the 2.7 million conversations of the Swedish people. No encryption or authentication was required to crack the data making it easily available on the internet.

  • How Easy Is It To Spy On Armies Using Social Media? Uh, Very

    Recently, a NATO research group published a study on just how easy it is to target soldiers online and squeeze them for military intelligence. Posing as the enemy, the group was tasked with finding out as much as they could about an upcoming military exercise using nothing more than social media. Posting targeted Facebook ads as bait, they managed to lure dozens of soldiers into fake Facebook groups.

    While impostor accounts squeezed them for info, other researchers simply used Facebook's "Suggest Friends" feature to get information on their entire units. Having their names and details, the group could track them over other social platforms and mine for dirt -- like how one soldier was happily married on Facebook, but single and ready to mingle on several dating apps.

  • The Internet of Dongs remains a security dumpster-fire -- UPDATED

    Update: Internet of Dongs has produced its own supplementary assessments that delve into more nuance on these devices, they make a good case that Mozilla's criteria are too coarse to assess smart sex toys.

  • Don’t Get Your Valentine an Internet-Connected Sex Toy

    “At the end of the day, this can be serious,” Caltrider says. “These [devices] exist in the world, they're likely to be gifts, and so we wanted to get people to sit back and think, What are the privacy implications?”

  • Aadhaar data leak: Gas company Indane leaves data of 6.7mn customers exposed on its website

    The exposed data was brought to notice by a security expert who wants to remain anonymous. French security researcher Robert Baptiste who goes by the Twitter handle Elliot Alderson used a custom-built Python script to scrape this database and was able to customer data for 11,000 dealers. This data included the name and addresses of customers as well as their Aadhaar numbers. According to Baptiste, he was able to get details of 5.7 mn Indane customers before his script was blocked.

»

Red Hat on Middleware, RHEL AUDITD, and More Security Issues

Submitted by Roy Schestowitz on Tuesday 19th of February 2019 05:24:10 PM Filed under
Red Hat
Server
Security
  • Open Outlook: Middleware (part 1)

    Middleware, both as a term and as a concept, has been around for decades. As a term, like other terms in the Darwinian world of IT jargon, it has followed a typical fashion lifecycle and is perhaps somewhat past its apogee of vogue. As a concept, however, middleware is more relevant than ever, and while a memetic new label hasn't quite displaced the traditional term, the capabilities themselves are still very much at the heart of enterprise application development.

    Middleware is about making both developers and operators more productive. Analogous to standardized, widely-used, proven subassemblies in the manufacture of physical goods such as cars, middleware relieves developers from "reinventing the wheel" so that they can compose and innovate at higher levels of abstraction. For the staff responsible for operating applications in production, at scale, with high reliability and performance, the more such applications use standardized middleware components and services, the more efficient and reliable the running of the application can be.

  • RHEL AUDITD
  • Security updates for Tuesday
»

Security: Nest Lockout, Moment of Truth for Cyber Insurance, DNS Hijacking Attacks and Australian Cracking

Submitted by Roy Schestowitz on Tuesday 19th of February 2019 10:21:29 AM Filed under
Security
  • Nest is locking customers out of accounts until they fix their security

    Emails were sent last night to all users that may have been affected by recent [breaches], with a new password being mandatory, as it tries to avoid the "I'll do it later" attitude that means that often vulnerable passwords remain in use for months or years.

  • A Moment of Truth for Cyber Insurance

    Mondelez’s claim represents just a fraction of the billions of dollars in collateral damage caused by NotPetya, a destructive, indiscriminate cyberattack of unprecedented scale, widely suspected to have been launched by Russia with the aim of hurting Ukraine and its business partners. A compromised piece of Ukrainian accounting software allowed NotPetya to spread rapidly around the world, disrupting business operations and causing permanent damage to property of Mondelez and many others. According to reports, Zurich apparently rejected Mondelez’s claim on the grounds that NotPetya was an act of war and, therefore, excluded from coverage under its policy agreement. If the question of whether and how war risk exemptions apply is left to the courts to decide on a case-by-case basis, this creates a profound source of uncertainty for policyholders about the coverage they obtain.

  • A Deep Dive on the Recent Widespread DNS Hijacking Attacks

    The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

    This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

  • With elections weeks away, someone “sophisticated” [cracked] Australia’s politicians

    With elections just three months away, Australian Prime Minister Scott Morrison announced on February 18 that the networks of the three major national political parties had been breached by what Australian security officials described as a "sophisticated state actor."

  • Australia's major political parties [cracked] in 'sophisticated' attack ahead of election

    Sources are describing the level of sophistication as "unprecedented" but are unable to say yet which foreign government is behind the attack.

  • Parliament attackers appear to have used Web shells

    Attackers who infiltrated the Australian Parliament network and also the systems of the Liberal, National and Labor Parties appear to have used Web shells – scripts that can be uploaded to a Web server to enable remote administration of a machine.

»
Syndicate content

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6