Security

Ubuntu maker wants app developers to stop worrying too much about security

Filed under
Security
Ubuntu

Buoyed by the recent Snyk security report that found security vulnerabilities in several container images except Ubuntu’s, the company behind it, Canonical, has published a whole portfolio of hardened images.

Unsurprisingly, Canonical has partnered with Docker to streamline the delivery of the secure portfolio of images through Docker Hub.

“Canonical and Docker will partner together to ensure that hardened free and commercial Ubuntu images will be available to all developer software supply chains for multi-cloud app development,” Docker's Matt Carter wrote in a blog post announcing the collaboration.

Security Leftovers

Filed under
Security
  • Israel cyber directorate warns of remotely exploitable Drupal flaw

    A warning has been issued by the Israel National Cyber Directorate about a critical remote code execution flaw in the Drupal content management system.

  • Australian legal industry provider Law In Order hit by Windows ransomware

    Australian end-to-end document and digital solutions provider to the legal industry Law In Order says it has suffered a "cyber security incident" and has had to limit access to most of its website as a precaution.

  • Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending

    VMware explained it has no patch for a critical escalation-of-privileges bug that impacts both Windows and Linux operating systems and its Workspace One.

    The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.

    The critical unpatched bug is a command injection vulnerability.

    In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006” are available.

  • Manchester United forced to take systems offline following cyberattack

    Manchester United said in a statement Nov. 20 that it had extensive protocols and procedures in place for such an event and had rehearsed for this risk. It added that “our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.”

    Media channels including the club’s website, mobile app and streaming service were unaffected by the attack and no personal data is believed to have been stolen.

  • Apple's global security chief and two members of Sheriff's office indicted for alleged bribery
  • iPads for gun permits: Apple global security chief indicted in bribery case

    The head of global security at Apple, two top officials from the Santa Clara County Sheriff's Office and a local business owner have been accused in a grand jury indictment of exchanging bribes for concealed gun permits, the Morgan Hill Times, a newspaper in California, has reported.

  • Apple Security Head Charged With Bribery for Gun Licenses

    A California district attorney accused Apple Inc. Chief Security Officer Thomas Moyer of offering a bribe to state officials for gun licenses, according to indictments issued on Monday.

    Moyer was named along with Santa Clara County Undersheriff Rick Sung and Captain James Jensen in a case that involved offering bribes in return for concealed firearms licenses, according to a court document and a statement from the Santa Clara district attorney’s office.

  • Apple head of security accused of offering iPads as bribes for concealed gun permits

    A California grand jury has indicted Apple’s head of global security on charges that he tried to bribe Santa Clara County officials to procure firearms (CCW) licenses, according to a news release. Santa Clara district attorney Jeff Rosen alleges that Thomas Moyer offered 200 iPads — worth about $70,000 — to Capt. James Jensen and Undersheriff Rick Sung in the Santa Clara County sheriff’s office, in exchange for four concealed firearms licenses for Apple employees.

    The charges came after a two-year investigation. “In the case of four CCW licenses withheld from Apple employees, Undersheriff Sung and Cpt. Jensen managed to extract from Thomas Moyer a promise that Apple would donate iPads to the Sheriff’s Office,” Rosen said in the news release. The iPads were never delivered, according to Rosen’s office, because Sung and Moyer became aware in 2019 that the district attorney was executing a search warrant for the sheriff department’s CCW records.

Security Leftovers

Filed under
Security
  • Why You Should Trust Open Source Software Security | IT Pro

    When it comes to open source vs. proprietary software security, security experts say open source software security sets the bar high.

  • SUSE Private Registry: A safe Harbor for your containers. - SUSE Communities

    SUSE Private Registry provides integration points for container content vulnerability scanning services. Included by default is Trivy, a simple and comprehensive scanner that can search image contents for vulnerabilities in OS packages (for SLES, openSUSE, Alpine, RHEL, CentOS, Debian, and others) as well as many language/framework package managers (like Bundler, Composer, Pipenv, Poetry, npm, yarn, and Cargo).

  • Basics of Kubernetes security – IBM Developer

    Kubernetes is popular among developers and administrators, and the concepts of deploying, scaling, and managing containerized applications are very familiar. However, when production deployments are discussed, one area of Kubernetes that is critical to production deployments is security. It’s important to understand how the platform manages authentication and authorization of users and applications.

    If your Kubernetes cluster holds sensitive information such as bank account details, medical records, or anything confidential, you should take advantage of all the security precautions that Kubernetes offers. In addition, you can use plenty of non-Kubernetes-specific security tools and approaches to add extra security layers.
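The SUSE Private Registry item above describes Trivy scanning image contents for OS-package and language-package vulnerabilities; what a registry or CI pipeline does with that output is the security-relevant decision. The following is an added example, not SUSE's or Trivy's own code: a promotion gate that reads a Trivy JSON report (the shape written by `trivy image --format json -o report.json <image>`) and blocks an image only on HIGH/CRITICAL findings that already have a fixed version, while still reporting unfixable ones so the pipeline does not stall on them. The report embedded below is constructed for the example; the image name is hypothetical and the finding IDs are placeholders rather than CVE numbers.

```python
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of Trivy's JSON report (not real scanner output).
# Finding IDs are placeholders, not CVE numbers; the image name is hypothetical.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.internal/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example.internal/app:1.4.2 (alpine 3.12.0)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libcrypto1.1",
                 "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1h-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "musl",
                 "InstalledVersion": "1.1.24-r9", "FixedVersion": "",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "lodash",
                 "InstalledVersion": "4.17.15", "FixedVersion": "4.17.19",
                 "Severity": "MEDIUM"},
            ],
        },
    ],
})


def iter_findings(report_text):
    """Yield (target, vulnerability) pairs from either Trivy JSON layout:
    a bare list of results (older releases) or {"Results": [...]} (SchemaVersion 2)."""
    doc = json.loads(report_text)
    results = doc.get("Results") if isinstance(doc, dict) else doc
    for result in results or []:
        # Targets with no findings carry "Vulnerabilities": null, hence the `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "<unknown>"), vuln


def evaluate(report_text, fail_on=("HIGH", "CRITICAL"), require_fix=True):
    """Split findings into those that block promotion and those that are advisory.

    A finding blocks when its severity is at or above the lowest severity in
    `fail_on` and, if `require_fix` is set, a fixed version is available.
    """
    threshold = min(SEVERITY_RANK[s.upper()] for s in fail_on)
    blocking, advisory = [], []
    for target, v in iter_findings(report_text):
        severity = str(v.get("Severity", "UNKNOWN")).upper()
        fixed_version = v.get("FixedVersion") or None
        entry = {
            "id": v.get("VulnerabilityID"),
            "target": target,
            "package": v.get("PkgName"),
            "installed": v.get("InstalledVersion"),
            "fixed": fixed_version,
            "severity": severity,
        }
        actionable = fixed_version is not None or not require_fix
        if SEVERITY_RANK.get(severity, 0) >= threshold and actionable:
            blocking.append(entry)
        else:
            advisory.append(entry)
    return blocking, advisory


def gate(report_text, **policy):
    """Return 0 if the image may be promoted, 1 otherwise (usable as a CI exit status)."""
    blocking, advisory = evaluate(report_text, **policy)
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['package']} {f['installed']}"
              f" -> fix in {f['fixed'] or 'n/a'} ({f['target']})")
    for f in advisory:
        print(f"note  {f['severity']:8} {f['id']} {f['package']} {f['installed']}"
              f" -> fix in {f['fixed'] or 'none yet'} ({f['target']})")
    print("summary:", dict(Counter(f["severity"] for f in blocking)) or "no blocking findings")
    return 1 if blocking else 0


if __name__ == "__main__":
    # With a real report: raise SystemExit(gate(open("report.json").read()))
    raise SystemExit(gate(SAMPLE_REPORT))
```

Run against the sample, the HIGH finding with a fixed version blocks promotion, while the CRITICAL finding with no fix and the MEDIUM finding are only reported; passing `require_fix=False` turns the unfixable CRITICAL into a blocker as well, which is the stricter policy a registry might apply to images bound for production.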

Cloud Data Encryptor Cryptomator Adds Experimental FUSE Support On Windows, KWallet Integration

Filed under
Security

Cryptomator, a client-side encryption tool for cloud files (and more), has been updated recently with experimental FUSE support on Windows (via WinFSP), KWallet support, vault statistics, and more.

Cryptomator is a free and open source Java tool that provides client-side encryption for your cloud storage files, available for Windows, Mac and Linux. There are also iOS and Android applications - these are open core (a business model for the monetization of commercially produced open-source software), and need to be purchased.

It works with cloud storage services that synchronize with a local directory, like Dropbox, OneDrive (on Linux using e.g. OneDrive Free Client fork) and Google Drive (including using it with Insync). You can choose to either encrypt your whole cloud storage, or only a few sensitive files, in either a single or multiple vaults.

Security: Patches, Linux Format Special and POWER9 Problems

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).

  • Cyber insecurity | Linux Format

    Each year we proclaim it’s time to learn how to hack. But why? Jonni always gets angry at the subversion of the term ‘hacking’ and I can understand why. Hacking is fun, as is finding out how systems work and how to get them to do things they were never meant to do.

    With open source and the Linux ecosystem there’s an abundance of hacking fun to be had, and it’s no wonder all the key tools for learning how to hack – and actually hack – are developed and run out of Linux systems.

    For this year’s look at the world of hacking Jonni’s introducing you to the metasploit framework. This is a playground where you can learn, explore and develop hacking skills. It’s usually paired with Kali Linux, and we’re putting these on the Linux Format DVD, which makes a welcome return.

  • IBM POWER9 CPUs Need To Flush Their L1 Cache Between Privilege Boundaries Due To New Bug

    CVE-2020-4788 is now public and it's not good for IBM and their POWER9 processors... This new vulnerability means these IBM processors need to be flushing their L1 data cache between privilege boundaries, similar to other recent CPU nightmares.

    While IBM POWER9 allows speculatively operating on completely validated data in the L1 cache, when it comes to incompletely validated data, bad things can happen. Paired with other side channels, local users could improperly obtain data from the L1 cache.

    CVE-2020-4788 was made public this morning and is now causing all stable Linux kernel series to receive the mitigation that amounts to hundreds of lines of new code. The mitigation is flushing the L1 data cache for IBM POWER9 CPUs across privilege boundaries -- both upon entering the kernel and on user accesses.

Security Patches in OpenSUSE and SUSE

Filed under
Security
SUSE
  • Two Tumbleweed Snapshots update PostgreSQL, Mesa

    Snapshot 20201117 provides the latest update of packages for the rolling release. Among the packages to update was Mozilla Thunderbird to version 78.4.3; the email client updated a Rust patch and brought in a new feature from a previous minor version that prompts for an address to be used when starting an email from an address book entry with multiple addresses. KDE’s Plasma 5.20.3 stopped the loading of multiple versions of the same plugin in the task manager KSysGuard and there were many other bug fixes for Plasma users. Four months of shell scripts were updated in the hxtools 20201116 version; one of the changes to gpsh changed the tmp location to /var/tmp, which was to avoid saving potentially large files to tmpfs. The Linux Kernel made a jump from 5.9.1 to 5.9.8, which had a change for Btrfs as well as several USB changes. Database package postgresql 13 had its first point release to 13.1, which took care of three Common Vulnerabilities and Exposures and fixed a time test case so it works when the USA is not observing daylight-savings time. The graphical tool for administering virtual machines, virt-manager slimmed down the filesystem device editor User Interface. Text editor vim had a fix for when a crash happens when using a popup window with “latin1” encoding and python 3.8.6 took care of CVE-2019-20916.

  • Guardicore and SUSE partner to help you protect your critical applications - SUSE Communities

    Within the cybersecurity segment, Guardicore stands out from the crowd with its Guardicore Centra Platform disrupting the legacy firewall market by implementing micro-segmentation in your organization. Their software-only approach is decoupled from the physical network, providing a faster alternative to firewalls. Built for the agile enterprise, Guardicore offers greater security and visibility in the cloud, data center, and endpoint. It also ensures security doesn’t slow you down and, thanks to SUSE environments, it allows you to code and deploy on demand.

Digital Restrictions (DRM) and Spying, Proprietary Software and (In)Security

Filed under
Security
  • macOS Leaks Application Usage, Forces Apple to Make Hard Decisions

    Last week, users of macOS noticed that attempting to open non-Apple applications while connected to the Internet resulted in long delays, if the applications opened at all. The interruptions were caused by a macOS security service attempting to reach Apple’s Online Certificate Status Protocol (OCSP) server, which had become unreachable due to internal errors. When security researchers looked into the contents of the OCSP requests, they found that these requests contained a hash of the developer’s certificate for the application that was being run, which was used by Apple in security checks.[1] The developer certificate contains a description of the individual, company, or organization which coded the application (e.g. Adobe or Tor Project), and thus leaks to Apple that an application by this developer was opened.

    Moreover, OCSP requests are not encrypted. This means that any passive listener also learns which application a macOS user is opening and when.[2] Those with this attack capability include any upstream service provider of the user; Akamai, the ISP hosting Apple’s OCSP service; or any hacker on the same network as you when you connect to, say, your local coffee shop’s WiFi. A detailed explanation can be found in this article.

  • Microsoft developing ‘Pluton’ security chip for Windows

    Microsoft will work with Intel, Advanced Micro Devices Inc. and Qualcomm Inc. to help them build Pluton into their personal computer processors. Firmware updates to CPU-integrated Pluton chips will be released by Microsoft as part of Windows updates.

  • Microsoft's new 'Pluton' security processor gets buy-in from Intel, AMD

    Advocates of the new security chip, known as Pluton, say it will cut off a key vector for data-stealing attacks: a communication channel between a computing system’s central processing unit (CPU) and another piece of hardware known as the trusted platform module (TPM). In one example of that type of attack, researchers from security company NCC Group in 2018 showed how an attacker could undermine the booting process for “a large number of TPM-enabled computing platforms.”

    The Pluton chip will be built into Windows computers through “future chips” made by AMD, Intel and Qualcomm, Microsoft said. It’s unclear when, exactly, all of that hardware will be on the market. Microsoft would only say that the work is ongoing.

  • Apple Reduces App Store Commission for Small Businesses

    Apple has been getting hit by app developers lately for its commission policy of taking 30 percent of all purchases. It has made a change that makes it seem like it will benefit smaller businesses, but critics say it really doesn’t mean much.

  • Apple spins better than Warnie as it backs down on AppStore commission

    The fact that even a company valued at US$2 trillion (A$2.7 trillion) has to sometimes heed public sentiment has been aptly illustrated by Apple announcing overnight that it would be lowering its take on apps sold from its App Store to 15% for small businesses that pull in less than a million.

  • Nordea [crackers] face prison and hefty fines, court rules [iophk: Windows TCO]

    Ostrobothnia District Court on Tuesday sentenced two men to prison terms as well as fines and compensation payments after finding the pair guilty of [cracking] into Nordea Bank's computer system in an attempt to steal several million euros.

  • The M1 Macs

    Apple, in its keynote last week, emphasized that the M1 MacBook Air has no fan. (Intel-based MacBook Airs most definitely do. The defunct 12-inch no-adjective MacBook was Apple’s only fanless Intel Mac.) Apple’s point there was to brag that the M1 runs so cool that a high-performance MacBook could be designed without one. Some Mac users, I think, mistakenly took this to mean that the Air had an advantage over the M1 MacBook Pro, in that the fanless Air would always run silently, if sometimes slower. I think this assumption was wrong: the M1 MacBook Pro is, to my ears, always silent as well. Whatever its active cooling system is doing, it isn’t making even a whisper of noise.

    No Intel-based laptop with vaguely comparable performance to these machines can possibly match that silence. If you care about noise, the game is already over.

  • Security updates for Thursday

    Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares).

  • We can’t move forward by looking back – Open Source Security

    For the last few weeks Kurt and I have been having a lively conversation about security ratings scales. Is CVSS good enough? What about the Microsoft scale? Are there other scales we should be looking at? What’s good, what’s missing, what should we be talking about.

    There’s been a lot of back and forth and different ideas, over the course of our discussions I’ve come to realize an important aspect of security which is we don’t look forward very often. What I mean by this is there is a very strong force in the world of security to use prior art to drive our future decisions. Except all of that prior art is comically out of date in the world of today.

    An easy example is existing security standards. All of the working groups that build the standards, and the ideas the working groups bring to the table, are using ideas from the past to solve problems for the future. You can argue that standards are at best a snapshot of the past, made in the present, to slow down the future. I will elaborate on that “slow down the future” line in a future blog post, for now I just want to focus on the larger problem.

    It might be easiest to use an example, I shall pick on CVSS. The vast majority of ideas and content in a standard such as CVSS is heavily influenced by what once was. If you look at how CVSS scores things, it’s clear a computer in a datacenter was in mind for many of the metrics. That was fine a decade ago, but it’s not fine anymore. Right now anyone overly familiar with CVSS is screaming “BUT CVSS DOESN’T MEASURE RISK IT MEASURES SEVERITY”, which I will say: you are technically correct, nobody cares, and nobody uses it like this. Sit down. CVSS is a perfect example of the theory being out of touch with reality.

  • Linux Foundation, CNCF Launch Kubernetes Security Specialist Certification

CentOS Linux 7 Receives Patches for Latest Intel CPU Vulnerabilities, Update Now

Filed under
Security

CentOS Linux developer and maintainer Johnny Hughes announced today the availability of a new version of the microcode_ctl package that provides Intel CPU microcode updates in the CentOS Linux 7 release to address recent security vulnerabilities.

Being derived from the sources of Red Hat Enterprise Linux, CentOS Linux gets its updates from the upstream repositories. Now, you’re probably already aware of the recently discovered security vulnerabilities affecting some Intel processors, so you’re wondering when the patches will land in CentOS Linux 7. Well, the time is now!

The 10 Best Linux Anti-Spam Tools and Software in 2020

Filed under
Linux
Security

Linux anti-spam tools are great ways to protect your inbox from flooding with unexpected messages. I know quite well how frustrating it is to deal with this kind of spam. It is not only time consuming but also a serious security threat to your computer. Individual users like me don’t have to struggle that much to fight spam. However, large companies, for example service providers, are very prone to spam. You will be surprised to know that almost 45 percent of the emails sent are spam, and it costs a huge sum of money to fight it.

If you use email services from giant providers like Gmail or Outlook, they will automatically give you spam protection. But if your organization or school uses a custom email service, you need a spam protection tool. Surprisingly, Linux has a wide range of anti-spam tools that are absolutely free.
