
Security Leftovers

Filed under: Security
  • Zerologon – hacking Windows servers with a bunch of zeros

    The big, bad bug of the week is called Zerologon.

    As you can probably tell from the name, it involves Windows – everyone else talks about logging in, but on Windows you’ve always very definitely logged on – and it is an authentication bypass, because it lets you get away with using a zero-length password.

    You’ll also see it referred to as CVE-2020-1472, and the good news is that it was patched in Microsoft’s August 2020 update.

  • Rethinking Security on Linux: evaluating Antivirus & Password Manager solutions

    Recently I had an experience that led me to re-evaluate my approach to security on Linux. I had updated my desktop computer to the latest openSUSE Leap (15.2) version. I also installed the proprietary Nvidia drivers. At random points during the day I experienced a freeze of my KDE desktop. I could not move my mouse or type on my keyboard. It probably involves Firefox, because I always have Firefox open during these moments. So for a couple of days, I tried to see in my logs what was going on. In /var/log/messages (there is a very nice YaST module for that) you can see the latest messages.

    Suddenly I saw messages that I could not explain. Below, I have copied some sample log lines that give you an impression of what was happening. I have excluded the lines with personal information. But to give you an impression: I could read, line for line, the names, surnames, addresses and e-mail addresses of all my family members in the /var/log/messages file.

    [...]

    I needed to find out what was happening. I needed to know if a trojan / malware was trying to steal my personal information. So I tried searching for the ZIP archive which was referenced. This might still be stored somewhere on my PC. I used KFind to look up all files which were created in the last 8 hours. And then I found a lot of thumbnail files which were created by… Gwenview. Stored in a temp folder.

    I started to realize that it might not be a hack, but something that was rendering previews, just like in Gwenview. I checked Dolphin and detected that I had the preview function enabled. I checked the log files again. Indeed, whenever I had opened a folder with Dolphin, all Word and Excel files in that folder were ‘processed’. I browsed several folders after deleting Calligra and there were no more log lines added. I re-installed the Calligra suite and noticed the calligra-extras-dolphin package. I browsed the same folders and indeed, the log lines started appearing all over again. I had found the culprit. It wasn’t a hack.

  • New vulnerabilities allow hackers to bypass MFA for Microsoft 365

    Critical vulnerabilities in the multi-factor authentication (MFA) implementation in cloud environments where WS-Trust is enabled could allow attackers to bypass MFA and access cloud applications such as Microsoft 365 which use the protocol, according to new research from Proofpoint.

    As a result of the way Microsoft 365 session login is designed, an attacker could gain full access to a target's account including their mail, files, contacts, data and more. At the same time though, these vulnerabilities could also be leveraged to gain access to other cloud services from Microsoft including production and development environments such as Azure and Visual Studio.

    Proofpoint first disclosed these vulnerabilities publicly at its virtual user conference Proofpoint Protect, but they have likely existed for years. The firm's researchers tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues.

  • NIST Password Guidelines

    The National Institute of Standards and Technology (NIST) defines security parameters for government institutions. NIST assists organizations with consistent administrative requirements. In recent years, NIST has revised the password guidelines. Account Takeover (ATO) attacks have become a rewarding business for cybercriminals. One of the members of the top management of NIST expressed his views about traditional guidelines in an interview: “producing passwords that are easy to guess for bad guys are hard to guess for legitimate users.” (https://spycloud.com/new-nist-guidelines). This implies that the art of picking the most secure passwords involves a number of human and psychological factors. NIST has developed the Cybersecurity Framework (CSF) to manage and overcome security risks more effectively.

  • Steps of the cyber kill chain

    The cyber kill chain (CKC) is a traditional security model that describes an old-school scenario, an external attacker taking steps to penetrate a network and steal its data, breaking down the attack steps to help organizations prepare. The CKC was developed by a team known as the computer security response team. The cyber kill chain describes an attack by an external attacker trying to get access to data within the perimeter of the security

    Each stage of the cyber kill chain shows a specific goal along the attacker's way. Designing your cyber kill chain model surveillance and response plan is an effective method, as it focuses on how the attacks happen. Stages include:

  • Security updates for Friday

    Security updates have been issued by Arch Linux (chromium and netbeans), Oracle (mysql:8.0 and thunderbird), SUSE (rubygem-rack and samba), and Ubuntu (apng2gif, gnupg2, libemail-address-list-perl, libproxy, pulseaudio, pure-ftpd, samba, and xawtv).

  • The new BLESA Bluetooth security flaw can keep billions of devices vulnerable

    Billions of smartphones, tablets, laptops, and Linux-based IoT devices are now using Bluetooth software stacks that are potentially susceptible to a new security flaw. Titled BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol.

  • Are you backing up ransomware with your data?

  • German Hospital Hacked, Patient Taken to Another City Dies


    German authorities said Thursday that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Duesseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment.


  • Woman dies during a ransomware attack on a German hospital [iophk: Windows kills]


    The cyberattack was not intended for the hospital, according to a report from the German news outlet RTL. The ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital.


  • Windows Exploit Released For Microsoft ‘Zerologon’ Flaw


    Proof-of-concept (PoC) exploit code has been released for a Windows flaw, which could allow attackers to infiltrate enterprises by gaining administrative privileges, giving them access to companies’ Active Directory domain controllers (DCs).

    The vulnerability, dubbed “Zerologon,” is a privilege-escalation glitch (CVE-2020-1472) with a CVSS score of 10 out of 10, making it critical in severity. The flaw was addressed in Microsoft’s August 2020 security updates. However, this week at least four public PoC exploits for the flaw were released on GitHub, and on Friday, researchers with Secura (who discovered the flaw) published technical details of the vulnerability.


today's leftovers

  • The General Purpose Computer In Your Pocket – Purism

    Computers have us surrounded. Just about every piece of consumer electronics these days puts “smart” in front of the name, which means they embedded a computer that runs specialized software. The “smart” trend started with “smartphones” which marketers started calling cellular phones once they got powerful enough processors to run a general-purpose operating system and applications. The name “smartphone” was intended to differentiate them from “feature phones” which had a limited set of additional applications (calculator, SMS application, possibly a music player or a limited web browser). Feature phones were designed to make phone calls and send text messages, but smartphones were actually general-purpose computers that happened to have a phone and SMS application on them. Today, a majority of people hardly ever use their smartphone as a phone and instead use it to chat, browse the web, and run applications–the same things they do on their desktop or laptop computers. Your smartphone is a pocket-sized general-purpose computer that’s more powerful than desktop computers from not that long ago, yet smartphones are prevented from realizing their full potential, are still marketed as special-purpose computers, and most people think of them that way. Why? One of the neatest tricks Big Tech ever pulled was convincing people that phones weren’t general-purpose computers and should have different rules than laptops or desktops. These rules conveniently give the vendor more control so that you don’t own a smartphone so much as you rent it. Now that the public has accepted these new rules for phones, vendors are starting to apply the same rules to laptops and desktops. [...] When you bought a computer starting in the ’90s you generally expected to get operating system upgrades for the life of the computer. In the Windows world you normally could upgrade to the next version of Windows years later, and you’d only replace hardware after the OS upgrades and applications got so bloated (along with the spyware) that the computer was too slow to use. Of course, those “slow” computers then got a new life for many more years after installing Linux on them. Now imagine a computer that only lasted two or three years, after which you would no longer get OS and security updates. Even though the hardware was still fast enough to run the OS, if you cared about security you’d be forced to upgrade. That’s the situation we have with Android phones today. If you are lucky your vendor will let you update to the next version of Android at least once, and receive general updates for two years or three years. If you are unlucky your device may never upgrade to the next Android OS. Even flagship Google phones only promise OS updates three years from the date the phone first was sold and security updates for only 18 months after they stop selling a device. For instance, at the time of this article, Pixel 2 owners just lost guaranteed OS and security updates.

  • Mac vs PC: The next major tech shift | INTHEBLACK

    There is another option for those with older systems – or even new Intel-based systems for that matter: move to Linux. This OS powers about 70 per cent of the world’s web servers. It is popular among software developers and other high-end users, though its overall share of desktop and laptop computers is tiny. Yet, this does not mean Linux is just for experts. Linux is free and open-source, with large communities of developers that provide regular updates. As a result, it is efficient, secure and offers plenty of choices, with hundreds of different versions (called “distributions”) available. Linux wasn’t always the friendliest OS to install and use, but mainstream distributions, such as Ubuntu and Fedora, are now much easier to install. There’s a choice of graphical user interfaces to choose from, including Elementary OS’s macOS-like experience. For those with old systems, the lightweight Ubuntu variant Xubuntu is one of many options. Businesses that need fast, guaranteed support can pay for it from the likes of Red Hat Linux. There are thousands of Linux applications to choose from. Many, such as office suite LibreOffice, either come bundled with distributions or are easy to install via “repositories”. Alternatively, a Linux tool called WINE can run many Windows apps – or you can dual-boot Linux with Windows or macOS. There is no denying that Windows and macOS users will face a learning curve, but at least they can try Linux first. Many versions are available as “live distributions”, meaning you can run them off a USB stick or DVD. Then, if you like one, you can install it on your computer. Just remember to back up your files first. Alternatively, you can buy a laptop or computer with Linux pre-installed from a speciality provider, such as Purism or Linux Now. Lenovo also has announced greater support for Linux on its systems.

  • Various software updates in FreeBSD

    On an average day, I make use of a few dozen or more Open Source projects, and contribute to one or two (notably Calamares and KDE, but it varies wildly). When I wear my FreeBSD packaging hat, I tend to drive-by contribute to many more projects because there’s compatibility or C++-style fixes to apply. And I try to keep up with releases, some of which I’ll highlight here.

  • Arduino Blog » This aerial system launches Nano 33 BLE Sense darts for data collection

    Sensor deployment via unmanned aerial vehicles is an interesting concept. Up until now, you’ve had two options: use a drone that drops sensors onto the ground, or one with some kind of manipulator to stick them in a particular place. However, researchers at Imperial College London have been studying a third approach, which shoots sensor pods from an aerial platform like darts. The system utilizes a compressed spring, along with a shape-memory alloy (SMA) trigger, to fling the sensor pods at a nearby surface, at up to a four-meter range. The actual sensor package used here is an Arduino Nano 33 BLE Sense, allowing for a variety of measurements without extra hardware in hazardous environments or inaccessible locations. Several methods of attachment were proposed, including magnets and chemical bonding, but the experiment’s research paper focuses on dart-like wood attachment, since this would require the most force.

  • Whiskey Lake embedded PC has dual hot-swap SATA

    Axiomtek’s fanless, rugged “eBOX630-528-FL” runs Linux or Win 10 on Intel’s 8th Gen UE-series with up to 32GB DDR4, 2x hot-swap SATA bays, 3x GbE, 6x USB, 4x COM, 2x HDMI, and 2x mini-PCIe. The eBOX630-528-FL may be the quintessential, mid-range Intel-based embedded PC of 2020. With a 15W TDP 8th Gen Whiskey Lake-UE processor that falls between the low-power Apollo Lake Atom and high-end, power-sucking Coffee Lake, the fanless, ruggedized system supports a wide range of embedded applications including smart production, machine automation, product testing, smart warehouses, and AIoT-related uses.

  • WordPress 5.5.3 Maintenance Release

    WordPress 5.5.3 is now available. This maintenance release fixes an issue introduced in WordPress 5.5.2 which makes it impossible to install WordPress on a brand new website that does not have a database connection configured. This release does not affect sites where a database connection is already configured, for example, via one-click installers or an existing wp-config.php file. [...] These themes and plugins were not activated and therefore remain non-functional unless you installed them previously. It is safe to delete these features should you prefer not to use them. If you are not on 5.5.2, or have auto-updates for minor releases disabled, please manually update to the 5.5.3 version by downloading WordPress 5.5.3 or visiting Dashboard → Updates and clicking “Update Now.”

  • RT-Thread launches developer event

    RT-Thread is an open source embedded real-time operating system (RTOS) providing a wide range of components along with more than 250 software packages (and counting) for the Internet of Things (IoT). In previous Opensource.com articles, the RT-Thread project has demonstrated how to code hardware with an RTOS and how to program for IoT using open source tools. Great things in open source are never done by one person; they're done by a group of people working together. And if you want to get started with embedded programming or you're looking for an RTOS for your embedded project, RT-Thread wants to collaborate with you! Today, we're pleased to announce that we've teamed up with Programming For Beginners to hold a developer event. We're looking for developers who have ideas, ambitions, and excitement for open source hardware.

  • Sandstorm: A Complete Open-source Platform with A Rich Ecosystem for Enterprise

    It's a nightmare for many companies and enterprise technical departments to run the required apps separately, keep up with maintenance, audit logs and manage their updates, especially those with low IT resources or a complex structure. It's neither a resource-effective approach nor a secure one. Besides requiring a dedicated DevOps team to keep up, it is also a challenge for company identity management, access management and compliance. Here comes Sandstorm, an open-source solution designed specifically to resolve these issues and boost the productivity of enterprises, developers, DevOps teams and individuals. In this article we will guide you through this amazing application, explaining how it works, listing its features and the best use cases for it.

  • Xen Summit Keynote: Your self-driving car is awesome. . .because of open source software like Xen - Xen Project

    In his keynote speech, Robin Randhawa, Technical Director at ARM, gives an overview of how many innovations happening in the automotive industry are made possible by open source software, including Xen. Robin is part of the open source division within ARM. In his talk, Robin outlines ARM’s place in vehicle autonomy, as well as the ecosystem around it and the role open source software plays.

  • The Linux Foundation wants to help combat COVID-19 with free, open source apps to tell people when they've been exposed to the virus [Ed: Linux Foundation is an enemy of privacy. Linux Foundation actively helps companies that exploit a virus to push surveillance agenda.]

Programming Leftovers

  • 5 Outstanding Open-Source Projects Which Have Just One Source File

    Programmers write code in different ways according to their preferences and the type of the particular project. If a software project is quite large and growing, we usually decompose the whole thing into several files to achieve maintainability. However, programmers often turn awesome ideas into single-file open-source projects amazingly.

  • Jussi Pakkanen/Nibble Stew: How to build dependencies as Meson subprojects using SDL as an example

    Today we released version 0.56.0 of the Meson build system. This is an especially important release as it marks the 10 000th commit since the start of the project. A huge thank you to everyone who has contributed their time and effort; this project would not exist without all of you. However, in this post we are not going to talk about that; those interested can find further details in the release notes. Instead we are going to be talking about how to build your dependencies from source on every platform without needing anything other than Meson. Last month I had a lightning talk at CppCon about this way of managing dependencies. Since then there have been many improvements to the workflow for a smoother experience. To demonstrate this I upgraded the sample program to use SDL Mixer and SDL Image instead of relying on plain SDL.

  • Abstraction: The Journey from Memory Tubes to JavaScript Memory Management

    While reading George Dyson’s computer history book Turing’s Cathedral earlier this year, I was struck by how physical the act of programming was back in the 1940s and 50s, when the age of computers began. Take a close look at the lead image of this post, borrowed from Dyson’s book, which shows John von Neumann and the MANIAC computer in 1952. At hip level in the photo are a group of Williams cathode-ray memory tubes, each one storing 1,024 bits. There were 40 tubes, so the total capacity was 40,960 bits (5 kilobytes!). What’s even more remarkable than the fact that von Neumann could touch the memory tubes is that he was also able to see what was happening inside the tubes. “In the foreground [of the photo] is the 7-inch-diameter 41st monitor stage, allowing the contents of the memory to be observed while in use,” wrote Dyson. When von Neumann and his colleagues programmed the MANIAC, they were acutely aware of what was happening inside the machine. They had to understand precisely how memory worked, in order to physically manipulate it. “Every memory location had to be specified at every step,” explained Dyson, “and the position of the significant digits adjusted as a computation progressed.”

  • A Journey Through Memory Management

    Since that time, MacManus notes, “we’ve gone from having to program instructions—using machine language, no less—into a cathode-ray memory tube, to 80% of the time copying and pasting reusable modules into an internet service (and having no idea where in the world it will actually get computed).”

  • The accelerating adoption of Julia [LWN.net]

    The Julia programming language has seen a major increase in its use and popularity over the last few years. We last looked at it two years ago, around the time of the Julia 1.0 release. Here, we will look at some of the changes since that release, none of which are major, as well as some newer resources for learning the language, but the main focus of this article is a case study that is meant to help show why the language has been taking off. A follow-up article will introduce a new computational notebook for Julia, called Pluto, that is akin to Jupyter notebooks. Julia is a programming language that was first released in 2012; its implementation is released under the MIT license. It is a general-purpose language, but with a particular suitability for scientific programming and numerical work. Julia is a dynamic language, with an interactive mode and easy-to-learn syntax that is simple for novice programmers; it also has deeper layers of sophistication for the expert. The language allows introspection and metaprogramming, with Lisp-like macros, an optional Lisp syntax, and access to syntax-tree and assembly-language views of functions. It features a rich type system with performant user-defined types, multiple dispatch of functions, and several flavors of concurrent programming built in. Julia recently passed a kind of popularity milestone, breaking into the top 20 in the IEEE Spectrum list of programming languages. Beyond that, the language is being adopted in many new research projects, such as: the Climate Machine, the computational engine used by the Caltech Climate Modeling Alliance; a new space weather forecasting initiative, funded by the NSF; quantum machine learning; drug development; and a computational collaboration called Celeste to create a massive star map of the universe. Professor Mykel Kochenderfer is the creator of an international standard aircraft collision avoidance system, ACAS X. In an email interview, he told me that the Julia version of his system runs as fast as a previous version he wrote in highly optimized C++. Since he wrote the Julia version intending it to merely document the algorithm, this was a surprise. He was able to replace the C++ version with the easier to read and maintain Julia code. The recently concluded annual Julia conference, online this year, naturally, was a good indicator of the audience that Julia is attracting. The presentations (YouTube videos) that one would expect of various computer science topics were outweighed by talks about applications to scientific research in an impressive variety of fields. A recurring theme was the way that the language facilitated collaboration and code reuse, giving scientists an opportunity to take advantage of the packages and algorithms of others.

  • What is coming in PHP 8 [LWN.net]

    Recently, PHP 8 release candidate 2 was posted by the project. A lot of changes are coming with this release, including a just-in-time compiler, a good number of backward-compatibility breaks, and new features that developers have been requesting for years. Now that the dust has settled, and the community is focusing on squashing bugs for the general-availability release scheduled for November 26, it's a good time to look at what to expect. [...] To a certain degree, PHP 8 represents a departure from the project's past. Historically, the community has placed a high value on backward compatibility, even between major releases. This doesn't seem to have been as much of a concern for this release, judging by the upgrade notes. With the scope and quantity of backward-incompatible changes, even relatively modern PHP applications will require a little tweaking to bring them up to speed. The community has expended considerable effort in making PHP 8 into a more consistent language, both in terms of behaviors and syntax. Four separate proposals with a focus on making PHP into a more consistent language — in terms of behavior and syntax — have been implemented. These changes generally concern themselves with edge cases or preexisting quirks of the language; there are, however, a few notable changes worth mentioning explicitly.

  • Remi Collet: PHP version 7.3.24 and 7.4.12

    RPMs of PHP version 7.4.12 are available in remi repository for Fedora 32-33 and remi-php74 repository for Fedora 31 and Enterprise Linux ≥ 7 (RHEL, CentOS). RPMs of PHP version 7.3.24 are available in remi repository for Fedora 31 and remi-php73 repository for Enterprise Linux ≥ 6 (RHEL, CentOS).

  • How to Check If a Value Exists in An Array in PHP – TecAdmin

    Q. How do I check if a specific value exists in an array in PHP? Write a sample PHP program to check if a value exists in an array.

  • What's new in Fabric8 Kubernetes Java client 4.12.0 - Red Hat Developer

    The recent Fabric8 Kubernetes Java client 4.12.0 release includes many new features and bug fixes. This article introduces the major features we’ve added between the 4.11.0 and 4.12.0 releases. I will show you how to get started with the new VolumeSnapshot extension, CertificateSigningRequests, and Tekton triggers in the Fabric8 Tekton client (to name just a few). I’ll also point out several minor changes that break backward compatibility with older releases. Knowing about these changes will help you avoid problems when you upgrade to the latest version of Fabric8’s Java client for Kubernetes or Red Hat OpenShift.

  • Video of EIRSAT-1 talk

    This was followed by a detailed proposal as to how amateur radio operators can contribute to ground station operations via SatNOGs and gr_satellites GNU Radio

IBM Red Hat vs. SUSE: How do these Linux distributions stack up?

IBM Red Hat and SUSE are the leading vendors in the open source enterprise Linux market, but how do these two builds compare? Learn the history of IBM Red Hat vs. SUSE and compare numerous criteria -- including the architectures each supports and how each distribution addresses the learning curve -- as well as product support offerings, pricing and certifications. Like other Linux distributions, RHEL and SUSE both support a comprehensive set of commands. When comparing these two distributions, it's worth noting that, although some commands are common to all Linux distributions, IBM Red Hat and SUSE also have their own command sets. Additionally, the commands these Linux distributions support tend to evolve over time. [...] Like any Linux distribution, SLES has a significant learning curve, particularly for those who are new to Linux OSes. However, SUSE does offer comprehensive training resources, including online and in-person classes. SLES is sold as a one- or three-year subscription. The subscription cost is based on the number of sockets or VMs, the architecture and the support option the organization selects. A one-year subscription for an x86/x64 OS running on one to two sockets or one to two VMs with Standard support starts at $799. SUSE offers two support options: Standard and Priority. Its Standard support plan includes assistance with software upgrades and updates, as well as unlimited technical support via chat, phone or web. Support is available 12 hours per day, five days per week, with a two-hour response time for Severity 1 issues and a four-hour response time for Severity 2 issues.

Also: Simply NUC mini data center > Tux-Techie

LibreOffice 7.1 Layout Updates and "typical errors when creating presentation templates"

  • [LibreOffice 7.1] Layout updates

    You know the LibreOffice community works hard on the LibreOffice 7.1 Christmas release. Did you know that LibreOffice has 7 different UI layouts? With the next release, our users will be informed after the installation. Thanks to Heiko for the new dialog.

  • Your typical errors when creating presentation templates. Part 1

    Try clicking somewhere on the slide in the area with rectangles. You can select any of these rectangles, including the largest grey rectangle that the author used as a background for the whole composition. They are all just shapes! This is an absolutely wrong way to create a presentation template!