
Security

Purism's Privacy and Security-Focused Librem 5 Linux Phone to Arrive in Q3 2019

Filed under
Linux
Security

Initially planned to ship in early 2019, the revolutionary Librem 5 mobile phone was delayed until April 2019, and it has now suffered one more delay because of the CPU choices the development team had to make to deliver a stable and reliable device that won't heat up or discharge too quickly.

Purism had to choose between the i.MX8M Quad and the i.MX8M Mini processors for their Librem 5 Linux-powered smartphone; after much trial and error they decided to go with the i.MX8M Quad CPU, as manufacturer NXP recently released a new software stack that solves the previous power consumption and heating issues.


Kernel and Security: BPF, Mesa, Embedded World, Kernel Address Sanitizer and More

Filed under
Security
  • Concurrency management in BPF

    In the beginning, programs run on the in-kernel BPF virtual machine had no persistent internal state and no data that was shared with any other part of the system. The arrival of eBPF and, in particular, its maps functionality, has changed that situation, though, since a map can be shared between two or more BPF programs as well as with processes running in user space. That sharing naturally leads to concurrency problems, so the BPF developers have found themselves needing to add primitives to manage concurrency (the "exchange and add" or XADD instruction, for example). The next step is the addition of a spinlock mechanism to protect data structures, which has also led to some wider discussions on what the BPF memory model should look like.

    A BPF map can be thought of as a sort of array or hash-table data structure. The actual data stored in a map can be of an arbitrary type, including structures. If a complex structure is read from a map while it is being modified, the result may be internally inconsistent, with surprising (and probably unwelcome) results. In an attempt to prevent such problems, Alexei Starovoitov introduced BPF spinlocks in mid-January; after a number of quick review cycles, version 7 of the patch set was applied on February 1. If all goes well, this feature will be included in the 5.1 kernel.

  • Intel Ready To Add Their Experimental "Iris" Gallium3D Driver To Mesa

    For just over the past year Intel open-source driver developers have been developing a new Gallium3D-based OpenGL driver for Linux systems as the eventual replacement to their long-standing "i965 classic" Mesa driver. The Intel developers are now confident enough in the state of this new driver dubbed Iris that they are looking to merge the driver into mainline Mesa proper. 

    The Iris Gallium3D driver has now matured enough that Kenneth Graunke, the Intel OTC developer who originally started Iris in late 2017, is looking to merge the driver into the mainline code-base of Mesa. The driver isn't yet complete but it's already in good enough shape that he's looking for it to be merged albeit marked experimental.

  • Hallo Nürnberg!

    Collabora is headed to Nuremberg, Germany next week to take part in the 2019 edition of Embedded World, "the leading international fair for embedded systems". Following a successful first attendance in 2018, we are very much looking forward to our second visit! If you are planning on attending, please come say hello in Hall 4, booth 4-280!

    This year, we will be showcasing a state-of-the-art infrastructure for end-to-end, embedded software production. From the birth of a software platform, to reproducible continuous builds, to automated testing on hardware, get a firsthand look at our platform building expertise and see how we use continuous integration to increase productivity and quality control in embedded Linux.

  • KASAN Spots Another Kernel Vulnerability From Early Linux 2.6 Through 4.20

    The Kernel Address Sanitizer (KASAN), which detects dynamic memory errors within the Linux kernel code, has just picked up another win by uncovering a use-after-free vulnerability that has been around since the early Linux 2.6 kernels.

    KASAN (along with the other sanitizers) has already proven quite valuable in spotting various coding mistakes, hopefully before they are exploited in the real world. The Kernel Address Sanitizer picked up another feather in its hat by being responsible for the CVE-2019-8912 discovery.

  • io_uring, SCM_RIGHTS, and reference-count cycles

    The io_uring mechanism that was described here in January has been through a number of revisions since then; those changes have generally been fixing implementation issues rather than changing the user-space API. In particular, this patch set seems to have received more than the usual amount of security-related review, which can only be a good thing. Security concerns became a bit of an obstacle for io_uring, though, when virtual filesystem (VFS) maintainer Al Viro threatened to veto the merging of the whole thing. It turns out that there were some reference-counting issues that required his unique experience to straighten out.

    The VFS layer is a complicated beast; it must manage the complexities of the filesystem namespace in a way that provides the highest possible performance while maintaining security and correctness. Achieving that requires making use of almost all of the locking and concurrency-management mechanisms that the kernel offers, plus a couple more implemented internally. It is fair to say that the number of kernel developers who thoroughly understand how it works is extremely small; indeed, sometimes it seems like Viro is the only one with the full picture.

    In keeping with time-honored kernel tradition, little of this complexity is documented, so when Viro gets a moment to write down how some of it works, it's worth paying attention. In a long "brain dump", Viro described how file reference counts are managed, how reference-count cycles can come about, and what the kernel does to break them. For those with the time to beat their brains against it for a while, Viro's explanation (along with a few corrections) is well worth reading. For the rest of us, a lighter version follows.

Security Leftovers

Filed under
Security
  • Wi-Fi ‘Hiding’ Inside USB Cable: A New Security Threat On The Rise?

    Today, the world has become heavily reliant on computers owing to the various advantages they offer. It has thus become imperative that we, as users, remain updated about the various threats that can compromise the security of our data and privacy.

    A recent report published by Hackaday details a new threat that might just compromise the integrity of devices. At first glance, the O.MG cable (Offensive MG Kit) looks like any other USB cable available in the market. It is what lurks within that is a cause for concern.

  • WiFi Hides Inside a USB Cable [Ed: There are far worse things, like USB devices that send a high-voltage payload to burn your whole motherboard. Do not use/insert untrusted devices from dodgy people.]
  • The Insights into Linux Security You May Be Surprised About

    Linux has a strong reputation for being the most secure operating system on the market. It’s been like that for many years, and it doesn’t seem like Windows or macOS are going to overtake it anytime soon. And while the operating system’s reputation is well-deserved, it can also harm less experienced users.

    The problem is that some seem to put too much trust in the capabilities of Linux by default. As a result, they often don’t pay enough attention to the manual aspect of their security. Linux can help you automate your workflow to a large extent, but it still requires a manual touch to keep things going well. This is even truer when it comes to security.

  • One Identity Bolsters Unix Security with New Release of Authentication Services

    Unix systems (including Linux and Mac OS), by their very nature, have distinct challenges when it comes to security and administration. Because native Unix-based systems are not linked to one another, each server or OS instance requires its own source of authentication and authorization.

  • Book Review – Linux Basics for Hackers

    With countless job openings and growth with no end in sight, InfoSec is the place to be. Many pose the question, “Where do I start?” Over his years of training hackers and eventual security experts across a wide array of industries and occupations, the author ascertains that one of the biggest hurdles that many up-and-coming professional hackers face is the lack of a foundational knowledge or experience with Linux. In an effort to help new practitioners grow, he made the decision to pen a basic ‘How To’ manual, of sorts, to introduce foundational concepts, commands and tricks in order to provide instruction to ease their transition into the world of Linux. Out of this effort, “Linux Basics for Hackers” was born.

  • Security updates for Wednesday

Plasma 5.15.1 arrives in Cosmic backports PPA

Filed under
KDE
Security

We are pleased to announce that the 1st bugfix release of Plasma 5.15, 5.15.1, is now available in our backports PPA for Cosmic 18.10.

The release announcement detailing the new features and improvements in Plasma 5.15 can be found here, while the full 5.15.1 bugfix changelog can be found here.

Released along with this new version of Plasma is an update to KDE Frameworks 5.54. (5.55 is currently in testing in Disco 19.04 and may follow in the next few weeks.)


Security: More Data Breaches, NATO, 'The Internet of Dongs' and Aadhaar 'Leak'

Filed under
Security
  • Millions of Swedish Health Hotline Calls Exposed Online in a Massive Case of Data Breach [Ed: When the state puts back doors in everything, as a matter of law]

    Data breaches are becoming quite a nightmare for a lot of people, with new breaches coming every now and then. In a recent data breach, millions of calls made by Swedish residents have been exposed online. The Swedes were seeking medical advice through a national health telephone service in order to know more about symptoms and medications.

    According to reports, about 2.7 million conversations amounting to more than 170,000 hours are available online. The data in the conversation is extremely private with people talking about their diseases, symptoms, illness, and giving out their social security numbers. This breach has left the Swedish authorities bewildered as they investigate the whole thing.

    Data of the calls dates back to 2013 and is available for anyone to download and listen. Security expert Mikko Hypponen says that the audio calls were saved as Wav files. These files were left open on an unsecured server. This allowed any person to listen or download the 2.7 million conversations of the Swedish people. No encryption or authentication was required to crack the data making it easily available on the internet.

  • How Easy Is It To Spy On Armies Using Social Media? Uh, Very

    Recently, a NATO research group published a study on just how easy it is to target soldiers online and squeeze them for military intelligence. Posing as the enemy, the group was tasked with finding out as much as they could about an upcoming military exercise using nothing more than social media. Posting targeted Facebook ads as bait, they managed to lure dozens of soldiers into fake Facebook groups.

    While impostor accounts squeezed them for info, other researchers simply used Facebook's "Suggest Friends" feature to get information on their entire units. Having their names and details, the group could track them over other social platforms and mine for dirt -- like how one soldier was happily married on Facebook, but single and ready to mingle on several dating apps.

  • The Internet of Dongs remains a security dumpster-fire -- UPDATED

    Update: Internet of Dongs has produced its own supplementary assessments that delve into more nuance on these devices; they make a good case that Mozilla's criteria are too coarse to assess smart sex toys.

  • Don’t Get Your Valentine an Internet-Connected Sex Toy

    “At the end of the day, this can be serious,” Caltrider says. “These [devices] exist in the world, they're likely to be gifts, and so we wanted to get people to sit back and think, What are the privacy implications?”

  • Aadhaar data leak: Gas company Indane leaves data of 6.7mn customers exposed on its website

    The exposed data was brought to notice by a security expert who wants to remain anonymous. French security researcher Robert Baptiste, who goes by the Twitter handle Elliot Alderson, used a custom-built Python script to scrape this database and was able to obtain customer data for 11,000 dealers. This data included the names and addresses of customers as well as their Aadhaar numbers. According to Baptiste, he was able to get details of 5.7 mn Indane customers before his script was blocked.

Red Hat on Middleware, RHEL AUDITD, and More Security Issues

Filed under
Red Hat
Server
Security
  • Open Outlook: Middleware (part 1)

    Middleware, both as a term and as a concept, has been around for decades. As a term, like other terms in the Darwinian world of IT jargon, it has followed a typical fashion lifecycle and is perhaps somewhat past its apogee of vogue. As a concept, however, middleware is more relevant than ever, and while a memetic new label hasn't quite displaced the traditional term, the capabilities themselves are still very much at the heart of enterprise application development.

    Middleware is about making both developers and operators more productive. Analogous to standardized, widely-used, proven subassemblies in the manufacture of physical goods such as cars, middleware relieves developers from "reinventing the wheel" so that they can compose and innovate at higher levels of abstraction. For the staff responsible for operating applications in production, at scale, with high reliability and performance, the more such applications use standardized middleware components and services, the more efficient and reliable the running of the application can be.

  • RHEL AUDITD
  • Security updates for Tuesday

Security: Nest Lockout, Moment of Truth for Cyber Insurance, DNS Hijacking Attacks and Australian Cracking

Filed under
Security
  • Nest is locking customers out of accounts until they fix their security

    Emails were sent last night to all users that may have been affected by recent [breaches], with a new password being mandatory, as it tries to avoid the "I'll do it later" attitude that means that often vulnerable passwords remain in use for months or years.

  • A Moment of Truth for Cyber Insurance

    Mondelez’s claim represents just a fraction of the billions of dollars in collateral damage caused by NotPetya, a destructive, indiscriminate cyberattack of unprecedented scale, widely suspected to have been launched by Russia with the aim of hurting Ukraine and its business partners. A compromised piece of Ukrainian accounting software allowed NotPetya to spread rapidly around the world, disrupting business operations and causing permanent damage to property of Mondelez and many others. According to reports, Zurich apparently rejected Mondelez’s claim on the grounds that NotPetya was an act of war and, therefore, excluded from coverage under its policy agreement. If the question of whether and how war risk exemptions apply is left to the courts to decide on a case-by-case basis, this creates a profound source of uncertainty for policyholders about the coverage they obtain.

  • A Deep Dive on the Recent Widespread DNS Hijacking Attacks

    The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

    This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.

  • With elections weeks away, someone “sophisticated” [cracked] Australia’s politicians

    With elections just three months away, Australian Prime Minister Scott Morrison announced on February 18 that the networks of the three major national political parties had been breached by what Australian security officials described as a "sophisticated state actor."

  • Australia's major political parties [cracked] in 'sophisticated' attack ahead of election

    Sources are describing the level of sophistication as "unprecedented" but are unable to say yet which foreign government is behind the attack.

  • Parliament attackers appear to have used Web shells

    Attackers who infiltrated the Australian Parliament network and also the systems of the Liberal, National and Labor Parties appear to have used Web shells – scripts that can be uploaded to a Web server to enable remote administration of a machine.

Security Leftovers

Filed under
Security
  • Firefox Monitor: Mozilla Firefox’s New Safety Feature Will Show You Notifications When You Visit Breached Sites

    Mozilla recently launched Firefox Monitor, a service that allows users to find out if their account has been part of a data breach and has been compromised. Firefox Monitor provides data from the popular service Have I Been Pwned. Mozilla has been working hard day and night to improve the Firefox browser and, as part of its security improvements, comes Firefox Monitor’s integration with the Firefox desktop browser.

    Back in November last year, Mozilla announced in a blog post that the Firefox Monitor service was being integrated with the Firefox desktop browser to warn users with a notification when visiting sites that were known to be involved in a data breach. The company said that the update was going to be rolled out to all Firefox users in the coming weeks. According to Techdows, as of February 18, 2019, all the Firefox desktop users have received the Firefox Monitor integration update.

  • Vulnerability Scanning – Roadmap to Securing Your Infrastructure
  • 92 Million Accounts Put Up For Sale on the Dark Web by Well Known Hacker Group

    Gnosticplayers has been on fire recently, having put 620 million accounts for sale and then followed it up by another 127 million accounts. The asking price for the first round of data hack was about $20,000 while for the second round it was around $14,500.

  • Security updates for Monday

Kali Linux 2019.1 Release

Filed under
GNU
Linux
Security

Welcome to our first release of 2019, Kali Linux 2019.1, which is available for immediate download. This release brings our kernel up to version 4.19.13, fixes numerous bugs, and includes many updated packages.


Top 20 Parrot OS Tools

Filed under
GNU
Linux
Security

Parrot Security OS is an open-source lightweight distro based on Debian Testing. It doesn’t offer merely pentesting tools; it contains everything that security researchers, security developers or privacy-aware people might need. Unlike Kali Linux, it also ships anonymity, cryptography and development tools with a lot of cool features. Here we’ll review some famous tools of Parrot Security OS which make it a preferable distribution among others.
