
Security Leftovers

Filed under
Security
  • Iranian phishers bypass 2FA protections offered by Yahoo Mail and Gmail

    Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets’ level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets’ accounts were protected by 2FA, the attackers redirected targets to a new page that requested a one-time password.

  • Ships are just giant floating computers, filled with ransomware, BadUSB, and worms

    The document recounts incidents in which infected ships were stranded because malware caused their computerized navigation to fail, and there were no paper charts to fall back on; incidents where fleet owners paid off ransomware demands to keep ships at sea safe, and where the entire digital infrastructure of a ship at sea failed due to malware that spread thanks to weak passwords.

  • Are Chinese spying fears just paranoia?

    The arrest of Meng Wanzhou, the chief financial officer of Chinese telecoms giant Huawei, and the daughter of its founder, Ren Zhengfei, has highlighted growing fears in the West about China’s ascendancy in advanced technology sectors that will increasingly underpin the global economy. Meng’s arrest (in Vancouver, on a US arrest warrant) is not related to corporate espionage, let alone state espionage.

    Rather, she is accused of using a Huawei subsidiary called Skycom to evade US sanctions on Iran between 2009 and 2014. US prosecutors allege she publicly misrepresented Skycom as being a separate company from Huawei, and deceived banks about the true relationship between the two companies. But although the Meng case is not about spying, it reflects a growing unease among Western policymakers that has been brewing for years. Should the West trust a Chinese telecoms giant to supply us with critical infrastructure?

  • Notes on Build Hardening

    Modern languages (Java, C#, Go, Rust, JavaScript, Python, etc.) are inherently "safe", meaning they don't have "buffer-overflows" or related problems.

    However, C/C++ is "unsafe", and is the most popular language for building stuff that interacts with the network. In other cases, while the language itself may be safe, it'll use underlying infrastructure ("libraries") written in C/C++. When we are talking about hardening builds, making them safe or secure, we are talking about C/C++.

    In the last two decades, we've improved both hardware and operating-systems around C/C++ in order to impose safety on it from the outside. We do this with options when the software is built (compiled and linked), and then when the software is run.

  • Survey Results: Open-Source Repo Managers Should Get Paid

    We asked, you answered: Yes, developers should be paid for open-source repositories they maintain.

    Last week, we asked you whether open-source repository maintainers should be compensated for their time. The catalyst for our survey was an instance where an overworked maintainer for a very popular JavaScript framework decided to bring others in to help them manage the repo. In doing so, one of the managers surreptitiously linked to an outside repo that was pinching cryptocurrency data.

    All indications are the new manager knew what they were doing. The library’s main manager claims they were simply unprepared to continue managing a burdensome repository for free, so they sought help. Open source, after all, is the exchange of data without being compensated.
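The "Notes on Build Hardening" item above says the protection for C/C++ is imposed from the outside, by options chosen when the program is compiled and linked and then honoured when it runs. The toolchain records those choices in the ELF headers, which is what a checksec-style tool reads. The following is an added example, not code from the linked post or from Tux Machines: a small Python checker that parses the ELF64 header and program headers of a little-endian binary and reports whether it was linked as PIE (e_type ET_DYN), with a RELRO segment (PT_GNU_RELRO) and with a non-executable stack (PT_GNU_STACK without PF_X). The fixtures it ships with are constructed, header-only images that stand in for a hardened and a legacy link; they are not real binaries.

```python
"""Checksec-style ELF64 hardening report (added example, not from the post).

It reads only the ELF header and program headers of a little-endian ELF64
image and reports three build-time hardening properties the linker records:
  - PIE:      e_type == ET_DYN (what -fPIE / -pie produce for an executable)
  - RELRO:    a PT_GNU_RELRO segment (what -Wl,-z,relro produces)
  - NX stack: a PT_GNU_STACK segment without PF_X (what -Wl,-z,noexecstack
              produces; a missing PT_GNU_STACK is read conservatively as an
              executable stack, which is the kernel default on several arches)
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data: bytes) -> dict:
    """Map the three header-level hardening properties to booleans."""
    e_type, phdrs = parse_program_headers(data)
    seg_types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        # ET_DYN also matches shared libraries; for an executable it means PIE.
        "pie": e_type == ET_DYN,
        # Partial RELRO only: full RELRO additionally needs DT_BIND_NOW in the
        # dynamic section, which lives outside the headers parsed here.
        "relro": PT_GNU_RELRO in seg_types,
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
    }


def build_elf(e_type: int, phdrs) -> bytes:
    """Constructed fixture: a header-only ELF64 image with the given program headers.

    It has no code or sections, so it is not loadable; it exists only so the
    checker can be exercised offline without shipping a real binary.
    """
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, e_type, 0x3E, 1)  # e_type, EM_X86_64, e_version
    struct.pack_into("<QQQ", ehdr, 24, 0, 64, 0)         # e_entry, e_phoff (right after ehdr), e_shoff
    struct.pack_into("<IHHHHHH", ehdr, 48, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return bytes(ehdr) + body


# What a "gcc -fPIE -pie -Wl,-z,relro -Wl,-z,noexecstack" link leaves in the headers
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
# A non-PIE link with an executable stack and no RELRO segment
LEGACY = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])
# No PT_GNU_STACK at all: reported as an executable stack, the conservative reading
NO_STACK_NOTE = build_elf(ET_EXEC, [])


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary   (falls back to the fixtures)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], hardening_report(fh.read()))
    else:
        for name, img in (("hardened", HARDENED), ("legacy", LEGACY)):
            print(name, hardening_report(img))
```

Run it against a real executable to see what your distribution's default flags actually produce; stack canaries (`-fstack-protector`) are not visible in the headers at all and need a symbol-table check for `__stack_chk_fail`, which is why this example does not claim to report them.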

RISC-V Will Stop Hackers Dead From Getting Into Your Computer

Filed under
Hardware
OSS
Security

The greatest hardware hacks of all time were simply the result of finding software keys in memory. The AACS encryption debacle — the 09 F9 key that allowed us to decrypt HD DVDs — was the result of encryption keys just sitting in main memory, where they could be read by any other program. DeCSS, the hack that gave us all access to DVDs, was again the result of encryption keys sitting out in the open.

Because encryption doesn’t work if your keys are just sitting out in the open, system designers have come up with ingenious solutions to prevent evil hackers from accessing these keys. One of the best solutions is the hardware enclave, a tiny bit of silicon that protects keys and other bits of information. Apple has an entire line of chips, Intel has hardware extensions, and all of these are black box solutions. They do work, but we have no idea if there are any vulnerabilities. If you can’t study it, it’s just an article of faith that these hardware enclaves will keep working.

Now, there might be another option. RISC-V researchers are busy creating an Open Source hardware enclave. This is an Open Source project to build secure hardware enclaves to store cryptographic keys and other secret information, and they’re doing it in a way that can be accessed and studied. Trust but verify, yes, and that’s why this is the most innovative hardware development in the last decade.


Security Leftovers

Filed under
Security
  • Thoughts on bootstrapping GHC

    I am returning from the reproducible builds summit 2018 in Paris. The latest hottest thing within the reproducible-builds project seems to be bootstrapping: How can we build a whole operating system from just and only source code, using very little, or even no, binary seeds or auto-generated files. This is actually a concern that is somewhat orthogonal to reproducibility: Bootstrappable builds help me in trusting programs that I built, while reproducible builds help me in trusting programs that others built.

    And while they make good progress bootstrapping a full system from just a C compiler written in Scheme, and a Scheme interpreter written in C, that can build each other (Janneke’s mes project), and there are plans to build that on top of stage0, which starts with 280 bytes of binary, the situation looks pretty bad when it comes to Haskell.

  • No, You Don’t Need Antivirus on a Chromebook
  • Security updates for Friday
  • Inception Attackers Target Europe with Year-old Office Vulnerability
  • Brute Force Attacks Conducted by Cyber Actors
  • IBM protects your cloud container data running under Kubernetes with encryption

    Protecting your stored data on the cloud is a concern, but it's easy enough with encryption. Thanks to SSL, it's simple to protect data in motion on the network. But protecting your data when it's being used on the cloud is not so simple. Enter IBM, which, in partnership with Fortanix, is now providing data-in-use protection for your container workloads running on the IBM Cloud Kubernetes Service with IBM Cloud Data Shield.

    Jason McGee, IBM Cloud Platform VP and CTO, explained the process at KubeCon in Seattle: Data Shield uses Intel Software Guard Extensions (SGX) technology to run code and data in a CPU-hardened Trusted Execution Environment (TEE) or enclave. This is a trusted area of memory, where critical aspects of the application functionality are protected by encryption. This helps keep both your code and data private and shielded from would-be hackers.

  • GNOME Security Internship - The Beginning
  • GNOME Security Internship - Update 1
  • Kubernetes Security Authentication Moving Forward With SIG-Auth

    The basic units of organization within the Kubernetes community are the Special Interest Groups that help define and implement new features and capabilities. For security, one of the primary SIGs within Kubernetes is SIG-Auth.

    Kubernetes is a widely used container orchestration platform that is supported on all the major public cloud providers and is also deployed on-premises. In a session at the KubeCon + CloudNativeCon NA 2018 here, the leaders of SIG-Auth outlined how the group works and what the current and future priorities are for the Kubernetes project.

Security: Linux.org and FUD

Filed under
Security

Security: Updates, Reproducible Builds, PlayStation Classic, Microsoft Failures and PhpMyAdmin Patch

Filed under
Security

Security: Updates, Ransomware, and DNS Blame Misplaced

Filed under
Security
  • Security updates for Tuesday
  • Ransomware still dominates the global threat landscape


    Ransomware attacks continue as the world’s main security threat and the most profitable form of malware, but a new global report indicates that despite “copious” numbers of infections daily there are emerging signs the threat is no longer growing.

  • Someone messed with Linux.org's DNS to deface the website's homepage [Ed: That's not "deface" but more like redirect, and it's not the site's DNS system but something upstream, another company that's at fault]

    SO IMAGINE YOU REALLY LOVE OPEN SOURCE; you've poured yourself a glass of claret from a wine box and have settled into a night of perusing Linux.org. You feel a tingle of excitement as you type in the URL - you're old skool - but that sours to despair as you see a defaced website greet your eyes.

    Yep, it looks like someone managed to get into the Linux.org website's domain name service (DNS) settings and point the domain to another server that served up a defaced webpage, which depending on when you may have accessed it, greeted visitors with racial slurs, an obscene picture and a protest against the revised Linux kernel developer code of conduct.

Tails 3.11 and Tor Transparency (Financials)

Filed under
Security
Debian

Most Secure Operating Systems, VPN for GNU/Linux, and Latest GNU/Linux FUD

Filed under
GNU
Linux
Security
  • What’s the most secure operating system?

    Linux has a family of different free versions (known as distributions, or distros) to choose from, based on users’ computer skills. If you’re just getting started, check out Mint or Ubuntu. And because Linux is open-source, users can make copies of modified systems and give them away to friends in need.

  • Choose the Right VPN for Linux in 2019
  • Cryptomining campaign pulls new ‘Linux Rabbit’ malware out of its black hat [Ed: No, it's not ‘Linux Rabbit’ but ‘Weak Password Rabbit’; calling it Linux is rather misleading, distracts from the real problem.]
  • Linux malware: is it so hard to get it right? [Ed: Recognising Catalin Cimpanu for what he really is (and has always been): a clickbaiting troll. For CBS to employ him for ZDNet says a lot about the agenda.]

    Once again, so-called security researchers and tech writers have combined to provide misinformation about trojanised SSH scripts which can be run on a Linux server after said server is compromised through a brute-force attack and root status attained. And they call it Linux malware!

    Security firm ESET and ZDNet writer Catalin Cimpanu have both got it wrong in the past — the latter on numerous occasions as he simply does not seem to understand anything about the Linux security model — but both continue to persist in trying to pursue the topic. ESET has gone in the wrong direction on torrent files and clients too.

    Arguably, there is reason to do so: Linux and malware in the same headline do still serve as some kind of clickbait.

    [...]

    Cimpanu was more descriptive, but again made the same fundamental mistake. Malware can be created for any operating system, but the crucial question is how do you get it onto that system?

    [...]

    Cimpanu's former employer, Bleeping Computer, was also prone to screw-ups of this nature. Here is the editor of Bleeping Computer, Lawrence Abrams, expounding on ransomware targeting Linux servers.

    But then Bleeping Computer is a relatively small operation. One would have thought that ZDNet, which has tons of resources, would have a little more editorial quality control.

Security: Google+, Tails, Thunderbolt and More

Filed under
Security
  • Google to Shut Down Google+ 4 Months Earlier After Second Data Hack

    Google+ still hadn’t recovered from the data leak it suffered in October. And now it has to go through the same fortune yet again. The company today announced that a new security loophole found last month can impact 52.5 million users. The data of these users can be taken from the apps that use the API of Google+.

    The data of the 52.5 million users consists of their personal information like name, age, occupation, and email address. Even if the accounts are set on private, developers will be able to access the profile information due to the security bug. Even if the information was set to private, developers had easy access to the data of the users.

  • An evil Penguin grabs the persistence partition’s key of a friend’s Tails operating system
  • Pop the Box

    Let's talk a little about this box. In this HTB machine we will see only one port is open and that will be the http one; we will fire up dirbuster to find the different files and directories inside that website. We will come to know about the phpbash file from where we will be getting code execution. After getting the reverse shell we will enumerate more and will be able to find the way to escalate the privileges and become root. This time I have made two videos: the first one will be on getting our first reverse shell on the box and the second one will be on how we will be able to escalate the privileges. Hope you guys will enjoy it. Last but not least, I have uploaded some files from which you will be able to learn about bash scripting, python and how cronjobs work.

  • Linux 4.21 Will Better Protect Against Malicious Thunderbolt Devices

    Linux 4.21 is set to further improve the system security around potentially malicious Thunderbolt devices.

    The new protection with Linux 4.21 is the enabling of IOMMU-based direct memory access (DMA) protection from devices connected via Thunderbolt. PCI Express Address Translation Services (PCIe ATS) is also disabled to prevent possibly bypassing that IOMMU protection, per this pull.

Security: Updates, Best VPNs for GNU/Linux, and Google+ Chaos Again

Filed under
Security
  • Security updates for Monday
  • Best VPNs for Linux
  • After a Second Data Leak, Google+ Will Shut Down in April Instead of August

    Back in October, a security hole in Google+’s APIs led Google to announce it was shutting down the service. Now, a second data leak has surfaced, causing the company to move the shutdown up by four months.

    This new data leak is quite similar to the first one: profile information such as name, email address, age, and occupation was exposed to developers, even for private profiles. It’s estimated that upwards of 52 million users were affected by this leak. The good news is that while the first hole was open for three years, this one was only an issue for six days, from November 7th to the 13th, 2018.
