Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi and strongswan).

  • JavaScript Packing Found in More Than 25% of Malicious Sites
  • Textbook Rental Scam - Schneier on Security

    Here’s a story of someone who, with three compatriots, rented textbooks from Amazon and then sold them instead of returning them. They used gift cards and prepaid credit cards to buy the books, so there was no available balance when Amazon tried to charge them the buyout price for non-returned books. They also used various aliases and other tricks to bypass Amazon’s fifteen-book limit. In all, they stole 14,000 textbooks worth over $1.5 million.

  • Amazon textbook rental service scammed for $1.5m

    A 36-year-old man from Portage, Michigan, was arrested on Thursday for allegedly renting thousands of textbooks from Amazon and selling them rather than returning them.

    Andrew Birge, US Attorney for the Western District of Michigan, said Geoffrey Mark Hays Talsma has been indicted on charges of mail and wire fraud, transporting stolen property across state lines, aggravated identity theft, and lying to the FBI.

    Also indicted were three alleged co-conspirators: Gregory Mark Gleesing, 43, and Lovedeep Singh Dhanoa, 25, both from Portage, Michigan, and Paul Steven Larson, 32, from Kalamazoo, Michigan.

    From January 2016 through March 2021, according to the indictment, Talsma rented textbooks from the Amazon Rental program in order to sell them for a profit. The indictment describes what occurred as "a sophisticated fraud scheme."

  • Google Releases Security Updates for Chrome

    Google has released Chrome version 95.0.4638.54 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

    CISA encourages users and administrators to review the Chrome Release Note and apply the necessary update as soon as possible.

Integrity/Availability, Security, and DRM

Filed under
Security
  • Sinclair hit by ransomware attack, TV stations disrupted [iophk: Windows TCO]

    Sinclair Broadcast Group, which operates dozens of TV stations across the U.S., said Monday that some of its servers and work stations were encrypted with ransomware and that data was stolen from its network.

  • Sinclair hit by ransomware attack, TV stations disrupted [iophk: Windows TCO]

    The Hunt Valley, Maryland-based company either owns or operates 21 regional sports networks and owns, operates or provides services to 185 television stations in 86 markets.

  • Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink

    For more than a decade now, computer printer manufacturers have been engaged in an endless quest called: "let's be as annoying as humanly possible." That quest, driven by a desire to monopolize and boost the sale of their own printer cartridges, has resulted in all manner of obnoxious DRM and other restrictions designed to make using cheaper, third-party printing cartridges a monumental headache. Often, software or firmware updates have been designed to intentionally grind printing to a halt if you try to use these alternative options.

  • Caskading Failures

    In case you hadn’t heard, Let’s Encrypt’s root certificate expired on September 30th, causing many old applications and devices to reject connections to any site secured by certificates issued by Let’s Encrypt. At Cider and Saddle, all of our services are backed by a Let’s Encrypt wildcard certificate, which we’d configured to automatically renew when needed. We thought that meant we’d be in the clear; after all, we were sure to keep our production system up-to-date, and as long as the system’s CA certificates were fresh, there shouldn’t be any issues.

    We were wrong.

    On October 3rd, one of our community members noticed Cask was throwing 500 errors upon visiting the page. Scrubbing through the logs, it was pretty easy to guess what was going on: [...]

Security Leftovers

Filed under
Security
  • Project Zero: How a simple Linux kernel memory corruption bug can lead to complete system compromise

    This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Buster's 4.19.0-13-amd64 kernel. Based on that, it explores options for security mitigations that could prevent or hinder exploitation of issues similar to this one.

    I hope that stepping through such an exploit and sharing this compiled knowledge with the wider security community can help with reasoning about the relative utility of various mitigation approaches.

    A lot of the individual exploitation techniques and mitigation options that I am describing here aren't novel. However, I believe that there is value in writing them up together to show how various mitigations interact with a fairly normal use-after-free exploit.

    Our bugtracker entry for this bug, along with the proof of concept, is at https://bugs.chromium.org/p/project-zero/issues/detail?id=2125.

    Code snippets in this blog post that are relevant to the exploit are taken from the upstream 4.19.160 release, since that is what the targeted Debian kernel is based on; some other code snippets are from mainline Linux.

    (In case you're wondering why the bug and the targeted Debian kernel are from end of last year: I already wrote most of this blogpost around April, but only recently finished it)

    I would like to thank Ryan Hileman for a discussion we had a while back about how static analysis might fit into static prevention of security bugs (but note that Ryan hasn't reviewed this post and doesn't necessarily agree with any of my opinions). I also want to thank Kees Cook for providing feedback on an earlier version of this post (again, without implying that he necessarily agrees with everything), and my Project Zero colleagues for reviewing this post and frequent discussions about exploit mitigations.

  • Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love [Ed: Microsoft-connected CrowdStrike badmouthing Microsoft's rivals again while mostly ignoring the elephant in the room, Windows with its notorious (and confirmed) back doors]

    A mysterious criminal gang is targeting telcos' Linux and Solaris boxes, because it perceives they aren't being watched by infosec teams that have focussed their efforts on securing Windows.

    Security vendor CrowdStrike claims it's spotted the group and that it "has been consistently targeting the telecommunications sector at a global scale since at least 2016 … to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata." The gang appears to understand telco operations well enough to surf the carrier-to-carrier links that enable mobile roaming, across borders and between carriers, to spread its payloads.

  • Patch PowerShell now, Microsoft tells admins [Ed: Should one feel sorry for fools who put this thing on a GNU/Linux box despite all the warnings including Microsoft's back doors agenda?]

    Microsoft has asked system administrators to patch their PowerShell 7 installations against two vulnerabilities that can allow attackers to bypass Windows Defender Application Control (WDAC) to run arbitrary code, and even gain access to plain text credentials.

  • What’s new in security for Ubuntu 21.10? | Ubuntu

    Ubuntu 21.10 is the latest release of Ubuntu and comes as the last interim release before the forthcoming 22.04 LTS release due in April 2022. As the interim releases are often proving grounds for upcoming features in the LTS releases, this provides a good opportunity to take stock of some of the latest security features delivered in this release, on the road to 22.04 LTS. In this blog post, we will take a look at those features and improvements that add to the overall security of an Ubuntu system and which help to enable your Linux cybersecurity strategy.

Ubuntu 21.04 and 20.04 LTS Users Get New Linux Kernel Security Update, Patch Now

Filed under
Linux
News
Security
Ubuntu

Coming only three weeks after the previous kernel security update, the new one is currently only available for Ubuntu 21.04 (Hirsute Hippo) and Ubuntu 20.04.3 LTS (Focal Fossa) systems running the Linux 5.11 kernel series, and it’s available for all supported architectures and kernel flavors that Ubuntu supports.


Security Leftovers

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan).

  • Best Open Source Security Tools | eSecurityPlanet

    Over the past quarter of a century, the open source movement has gone from strength to strength. But that success and the openness inherent in the community have led to a major challenge – security. The more software that is developed, the greater the likelihood there is for vulnerabilities.

    To make matters worse, the open source world prides itself on openness and transparency. Therefore, any security vulnerabilities are disclosed publicly. In this age of organized gangs of cybercriminals, that is like placing an ad asking for an attack.

    This has given rise to a large number of open source security tools. They take care of all aspects of the management of security in open source components, examine dependencies, fix bugs in code, and lower risk.

  • Credit card PINs can be guessed even when covering the ATM pad

    Researchers have proven it’s possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands.

    The attack requires the setting up of a replica of the target ATM because training the algorithm for the specific dimensions and key spacing of the different PIN pads is crucially important.

  • Using Machine Learning to Guess PINs from Video - Schneier on Security

    This works even if the person is covering the pad with their hands.

  • Google Developing "SiliFuzz" For Fuzzing CPUs To Uncover Electrical Defects - Phoronix

    With OSS-Fuzz for continuous fuzzing of open-source projects, along with work on the various sanitizers for compilers, Google has been doing a lot to proactively uncover software defects in key open-source projects. Now, though, a group of their engineers has been working on SiliFuzz, software aimed at discovering new CPU defects.

KDE Plasma 5.23.1, Bugfix Release for October

Filed under
KDE
Security

Today KDE releases a bugfix update to KDE Plasma 5, versioned 5.23.1.

Plasma 5.23 was released in October 2021 with many feature refinements and new modules to complete the desktop experience.

This release adds a week's worth of new translations and fixes from KDE's contributors. The bugfixes are typically small but important and include...


Security: Microsoft, 'Trustworthy' Computing, and Windows Ransomware

Filed under
Security
  • Microsoft tells sysadmins to update PowerShell 7 to fix flaw that could expose credentials in Linux [Ed: Karma for fools who add Microsoft (NSA back doors partner) stuff inside GNU/Linux]
  • Trustworthy computing in 2021 [Ed: Hardware is becoming more hostile towards the user -- to the point of arrogantly assuming that the people who bought the hardware are the enemy and therefore control over the hardware should be passed over to untrustworthy vendors. It's another example of "defective by design" products.]

    Intel’s EFI evolved into an architecture-neutral variant known as the Unified Extensible Firmware Interface, frequently referred to as UEFI. For the most part, UEFI won against Open Firmware: the only vendor still supporting it is IBM, and only as a legacy compatibility option for their POWER machines. Arguably, however, the demise of Open Firmware was more related to industry standardization on x86 than to the technical quality of UEFI.

  • Ransomware Attacks against Water Treatment Plants

    According to a report from CISA last week, there were three ransomware attacks against water treatment plants last year.

Microsoft's very bad year for security: A timeline

Filed under
Microsoft
Security

So far, 2021 has proved to be somewhat of a security annus horribilis for tech giant Microsoft, with numerous vulnerabilities impacting several of its leading services, including Active Directory, Exchange, and Azure. Microsoft is no stranger to being targeted by attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the incidents it has faced since early March has put the tech giant on its back foot for at least a moment or two.

What follows is a timeline of the significant security events that have afflicted Microsoft in 2021, why it remains susceptible to serious vulnerabilities and attacks, and an assessment of its response according to experts from across the cybersecurity sector.


Security Leftovers

Filed under
Security
  • The Missouri Governor Doesn’t Understand Responsible Disclosure

    The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state.

  • Missouri governor vows criminal prosecution of reporter who found flaw in state website • Missouri Independent

    The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.

  • CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Blackmatter Ransomware

    CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released joint Cybersecurity Advisory (CSA): BlackMatter Ransomware.

    Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA provides cyber actor tactics, techniques, and procedures and outlines mitigations to improve ransomware protection, detection, and response.

  • Microsoft called out as big malware hoster – thanks to OneDrive and Office 365 abuse [Ed: Microsoft Tim knows that nobody at Microsoft will ever be arrested for deliberate negligence and for serving malware]

    Microsoft has been branded as "the world's best malware hoster for about a decade," thanks to abuse of the Office 365 and Live platform, as well as its slow response to reports by security researchers.

    Infosec expert Kevin Beaumont, who worked at Microsoft as a senior threat intelligence analyst between June 2020 and April 2021, made the comments in response to a report by "cybersec professional" TheAnalyst.

    TheAnalyst noted that a BazarLoader malware campaign was hosting its malware on Microsoft's OneDrive service. "Does Microsoft have any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this, now for over three days?" they asked.

  • Protecting and storing data for a mobile bank app

    In the Secure a cloud-native application on IBM Cloud for Financial Services code pattern, I showcase how to integrate IBM Cloud Hyper Protect Services in the Example Bank application to encrypt and secure data. To understand the process of integration, you must understand different terminologies such as bring your own key (BYOK), keep your own key (KYOK), key ceremony, database as a service (DBaaS) and envelope encryption. Although you can find information about these key concepts about the Hyper Protect Services scattered across the web, this blog post is my attempt to bring them together into one single point of reference.

    Sensitive data should be stored encrypted in the cloud. However, the key that is used to encrypt and decrypt the data should also be protected. Setting up on-premises hardware security modules (HSMs) can sometimes be hard to manage if you’re not already familiar with it. An inexpensive solution is to use cloud-based storage, but that has its own challenges. In this approach, you can’t be sure that the data is secured as the key that is used to encrypt the data, also known as the data encryption key (DEK), is spread in multiple computers.

    The solution that combines ease of use and cost effectiveness is to use a key management service (KMS) such as IBM Cloud Hyper Protect Crypto Services (HPCS). HPCS provides access to a FIPS 140-2 Level 4 HSM that protects the customer master key and all other keys that are used to encrypt data at rest in IBM Cloud Object Storage, IBM Cloud Hyper Protect DBaaS, IBM Cloud Block Storage, and similar.


More in Tux Machines

Plasma 5.23 available for Kubuntu 21.10 (Impish Indri) in backports PPA

We are pleased to announce that Plasma 5.23.1 is now available in our backports PPA for Kubuntu 21.10 (Impish Indri). The release announcement detailing the new features and improvements in Plasma 5.23 can be found here.

Pumpkins, markets, and one bad Apple

Imagine your local farmers market: every Saturday the whole town comes together to purchase fresh and homemade goods, enjoy the entertainment, and find that there is always something for everyone. Whatever you need, you can find it here, and anyone can sign up to have their own little stand. It is a wonderful place, or so it seems. Now, imagine starting out as a pumpkin farmer, and you want to sell your pumpkins at this market. The market owner asks 30% of every pumpkin that you sell. It's steep, but the market owner -- we'll call him Mr. Apple -- owns all the markets in your area, so you have little choice. Let's continue this analogy and imagine that, since it is a little hard for you to make ends meet, you decide to tell your customers that they can come visit you at your farm to purchase pumpkins. Mr. Apple overhears and shuts your stand down. You explain that your business cannot be profitable this way, but the grumpy market owner says that you can either comply or find another place. At the end of your rope, you look for information about starting your own farmers market, but it seems Mr. Apple owns every building in town.

In the midst of Apple announcing its new products, attention is drawn away from its ongoing battle to maintain its subjugation over users globally. The Netherlands’ Authority for Consumers and Markets (ACM) last month informed the U.S. technology giant of its decision that the rules around the in-app payment system are anticompetitive, making it the first antitrust regulator to conclude that the company has abused market power in the App Store. And while Apple is appealing this verdict, the European Union is charging the company with another antitrust claim concerning the App Store.

today's howtos

  • How To Install PostgreSQL 14 on Ubuntu 20.04 - howtodojo

    In this tutorial, we learn how to install PostgreSQL 14 on Ubuntu 20.04 (Focal Fossa). PostgreSQL, usually called Postgres, is an open-source object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. PostgreSQL is ACID-compliant and transactional. It is developed by the PostgreSQL Global Development Group (PGDG), which consists of many companies and individual contributors. PostgreSQL is released under the terms of the PostgreSQL license.

  • How to Install Minikube on CentOS 8 - Unixcop

    Minikube is open source software for setting up a single-node Kubernetes cluster on your local machine. The software starts up a virtual machine and runs a Kubernetes cluster inside of it, allowing you to test in a Kubernetes environment locally. Minikube is a tool that runs a single-node Kubernetes cluster in a virtual machine on your laptop. In this tutorial we will show you how to install Minikube on CentOS 8.

  • How to Install and Secure Redis on Ubuntu 20.04 | RoseHosting

    Redis (short for Remote Dictionary Server), is an open-source in-memory data structure store. It’s used as a flexible, highly available key-value database that maintains a high level of performance. It helps to reduce time delays and increase the performance of your application by accessing in microseconds.

  • How to Upgrade to Ubuntu 21.10 - OMG! Ubuntu!

    If the glowing reviews for the Ubuntu 21.10 release have you intrigued, here’s how to upgrade to Ubuntu 21.10 from an earlier version. Fair warning: this tutorial is super straightforward (the benefits of upgrading after a stable release, rather than a little bit before). Meaning no, you don’t need to be a Linux guru to get going! There are plenty of good reasons to upgrade from Ubuntu 21.04 to Ubuntu 21.10, such as benefiting from a newer Linux kernel, enjoying a new GNOME desktop, sampling the new Yaru Light theme, and getting to go hands-on with an able assortment of updated apps.

  • How to install Adobe Flash Player on a Chromebook

    Today we are looking at how to install Adobe Flash Player on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to install OnlyOffice on Linux Lite 5.4 - Invidious

    In this video, we are looking at how to install OnlyOffice on Linux Lite 5.4. Enjoy!

  • Jenkins: How to add a JDK version - Anto ./ Online

    This guide will show you how to add a JDK version to Jenkins. If you plan to run a Java build requiring a specific version of the Java Development Kit, you need to do this.

  • Sending Emails: Send them from Linux Terminal? | Linux Journal

    Does your job require sending a lot of emails on a daily basis? And you often wonder if or how you can send email messages from the Linux terminal. This article explains about 6 different ways of sending emails using the Linux terminal. Let’s go through them.

Development version: GIMP 2.99.8 Released

GIMP 2.99.8 is our new development version, once again coming with a huge set of improvements. Some early coverage:

  • GIMP 2.99.8 Released with Clone Tool Tweaks, Support for Windows Ink

    A new development version of GIMP is available to download and it carries some interesting new features. While this isn’t a new stable release — GIMP 2.10.28 is the most recent stable release (and the version you’ll find in Ubuntu 21.10’s archives) — the release of GIMP 2.99.8 is yet another brick in the road to the long-fabled GIMP 3.0 release. And it’s a fairly substantial brick, at that.

  • GIMP 2.99.8 Released As Another Step Toward The Long Overdue GIMP 3.0

    GIMP 3.0 as the GTK3 port of this open-source Adobe Photoshop alternative has been talked about for nearly a decade now and the work remains ongoing. However, out today is GIMP 2.99.8 as the newest development snapshot.