Security

Privacy and Security Leftovers

Filed under
Security
  • European regulators to Microsoft: We’re watching you

    The Dutch DPA has taken a long time examining that and other changes Microsoft made, to see whether Windows now complies with the agency’s regulations, as well as with the newer GDPR rules. The DPA concluded that the changes complied with what the DPA originally asked Microsoft to do. But its examination “also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules,” according to the agency. So the DPA turned over the case to the Irish Data Protection Committee (DPC), because Microsoft’s European operations are headquartered in Ireland. That agency will determine whether Microsoft is violating the GDPR.

  • How Safari and iMessage Have Made iPhones Less Secure

    "If you want to compromise an iPhone, these are the best ways to do it," says independent security researcher Linus Henze of the two apps. Henze gained notoriety as an Apple [cracker] after revealing a macOS vulnerability known as KeySteal earlier this year. He and other iOS researchers argue that when it comes to the security of both iMessage and WebKit—the browser engine that serves as the foundation not just of Safari but all iOS browsers—iOS suffers from Apple's preference for its own code above that of other companies. "Apple trusts their own code way more than the code of others," says Henze. "They just don’t want to accept the fact that they make bugs in their own code, too."

  • Exciting few weeks in the SecureDrop land

    Last month, during Defcon 27, there was a panel about DEF CON helping hackers anonymously submit bugs to the government. Interestingly, the major suggestion in that panel was to use SecureDrop (hosted by Defcon) so that researchers can safely submit vulnerabilities to the US government. Watch the full panel discussion to learn more in detail.

Security Leftovers

Filed under
Security
  • Critical Exim Flaw Opens Millions of Servers to Takeover [Ed: This repeats the FUD headline from ZDNet's Bleeping Computer hire; no server is known to have been compromised by this yet. They dramatise this.]

    A critical vulnerability found in Exim servers could enable a remote, unauthenticated attacker to execute arbitrary code with root privileges.

  • Google Fortifies Kubernetes Nodes Against Boot Attacks

    Google released a beta version of its Shielded GKE Nodes that prevents an attacker from exploiting vulnerable Kubernetes nodes.

  • Spoofing commits to repositories on GitHub

    The situation that worries me relates to distribution packaging. Debian has a policy that deltas to packages in the stable repository should be as small as possible, targeting fixes by backporting patches from newer releases.

    If you get a bug report on your Debian package with a link to a commit on GitHub, you had better double check that this commit really did come from the upstream author and hasn’t been spoofed in this way. Even if it shows it was authored by the upstream’s GitHub account or email address, this still isn’t proof because this is easily spoofed in git too.

    The best defence against being caught out by this is probably signed commits, but if the upstream is not doing that, you can clone the repository from GitHub and check to see that the commit is on a branch that exists in the upstream repository. If the commit is in another fork, the upstream repo won’t have a ref for a branch that contains that commit.

  • For real this time, get your butt off Python 2: No updates, no nothing after 1 January 2020 [Ed: When Microsoft Tim says "according to Redmonk" he means mostly according to Microsoft (because Redmonk relies on proprietary GitHub for data)]

    Python 2 will sunset on January 1st 2020 – however, many applications have not yet upgraded to version 3, causing the coding lingo's team to mount a communications campaign to persuade devs to port their code.

    Python is the third most popular programming language after JavaScript and Java, according to Redmonk. Its use has been boosted by the strong interest in machine learning, for which Python is well suited, thanks in part to its various AI-related libraries and frameworks.

    Python 2.0 was released in 2000, and Python 3.0, which is not fully backwards compatible, in 2008. The last version of Python 2.x, 2.7, was released in July 2014.
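The check from the "Spoofing commits to repositories on GitHub" item above, as an added shell example (not code from that post): a commit counts as verified only if it is reachable from a branch fetched from the upstream remote, and the script builds throwaway upstream and fork repositories to show both outcomes. The remote name `upstream` and the demo repositories are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a commit hash
# someone links to on GitHub is really reachable from a branch of the
# upstream repository, rather than living only in a fork. The remote name
# "upstream" and the demo repositories below are assumptions for the demo.
set -eu

# commit_in_upstream <clone-dir> <remote-name> <sha>
# Returns 0 and prints the containing branches if some branch of <remote-name>
# contains <sha>; returns 1 if the commit is unknown or only in other remotes.
commit_in_upstream() {
    repo=$1; remote=$2; sha=$3
    # Unknown object: the hash is not in any fetched remote at all.
    if ! git -C "$repo" cat-file -e "$sha^{commit}" 2>/dev/null; then
        printf 'commit %s: not present in any fetched remote\n' "$sha"
        return 1
    fi
    # Only refs under refs/remotes/<remote>/ count; refs of other forks are ignored.
    branches=$(git -C "$repo" for-each-ref --contains "$sha" \
        --format='%(refname:short)' "refs/remotes/$remote/")
    if [ -n "$branches" ]; then
        printf 'commit %s is on %s branch(es): %s\n' "$sha" "$remote" \
            "$(printf '%s' "$branches" | tr '\n' ' ')"
        return 0
    fi
    printf 'commit %s is NOT on any %s branch: treat as unverified\n' "$sha" "$remote"
    return 1
}

# build_demo <workdir>: constructs an upstream repo, a fork that adds one
# extra commit, and a clone ("check") with both configured as remotes.
# Prints "<upstream-sha> <fork-only-sha>" on one line.
build_demo() {
    work=$1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$work/upstream"
    echo 'upstream code' > "$work/upstream/README"
    git -C "$work/upstream" add README
    git -C "$work/upstream" commit -q -m 'upstream: initial import'
    up_sha=$(git -C "$work/upstream" rev-parse HEAD)
    # The fork's extra commit is what GitHub would render under the upstream URL.
    git clone -q "$work/upstream" "$work/fork"
    echo 'alleged fix' > "$work/fork/fix.c"
    git -C "$work/fork" add fix.c
    git -C "$work/fork" commit -q -m 'fork: claimed backport'
    fork_sha=$(git -C "$work/fork" rev-parse HEAD)
    git clone -q -o upstream "$work/upstream" "$work/check"
    git -C "$work/check" remote add fork "$work/fork"
    git -C "$work/check" fetch -q fork
    echo "$up_sha $fork_sha"
}

# Demo run on the constructed repositories.
work=$(mktemp -d)
set -- $(build_demo "$work")
commit_in_upstream "$work/check" upstream "$1" || true   # upstream commit: found
commit_in_upstream "$work/check" upstream "$2" || true   # fork-only commit: rejected
rm -rf "$work"
```

Against a real project, replace the demo setup with `git clone -o upstream <upstream-url>` and pass the hash from the bug report; a commit that is only in a fork yields no upstream ref.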

Security: Linux Kernel, Exim, Other Updates and Top 10 Browser Extensions for Ethical Hackers

Filed under
Security
  • Linux Kernel atalk_proc_exit Function Use-After-Free Vulnerability [CVE-2019-15292]

    A vulnerability in the Linux Kernel could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system.

    The vulnerability is due to a use-after-free condition that exists in the atalk_proc_exit function of the affected software. The vulnerability is related to the net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c source code files. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code or cause a DoS condition.

  • Critical Exim flaw opens servers to remote code execution, patch now!

    The Exim mail transfer agent (MTA) is impacted by a critical vulnerability that may allow local or unauthenticated remote attackers to execute programs with root privileges on the underlying system.

  • Security updates for Monday

    Security updates have been issued by Debian (expat, ghostscript, libreoffice, and memcached), Fedora (chromium, grafana, kea, nsd, pdfbox, roundcubemail, and SDL), Gentoo (apache, dbus, exim, libsdl2, pango, perl, vlc, and webkit-gtk), Mageia (dovecot, giflib, golang, icedtea-web, irssi, java-1.8.0-openjdk, libgcrypt, libmspack, mercurial, monit, php, poppler, python-urllib3, rdesktop, SDL12, sdl2, sigil, sqlite3, subversion, tomcat, and zstd), openSUSE (chromium, exim, go1.12, httpie, libmirage, python-SQLAlchemy, and srt), Oracle (firefox, ghostscript, and kernel), SUSE (apache2, mariadb, mariadb-connector-c, postgresql94, python-Django1, python-Pillow, python-urllib3, and qemu), and Ubuntu (exim4).

  • Top 10 Browser Extensions for Ethical Hackers

    Ethical hacking is not just a single skill; it is a whole set of skills, and among these skills is the use of different tools for different techniques to work faster and with less effort.
    Today we will discuss the browser extensions that every ethical hacker should use to make their life and hacking a lot easier than before, and we will be talking about the best among them and the purpose of each of them. Some of these extensions will be Chrome-based only, others will be Firefox-based only and some of these will be available for both.

    Now let’s start with those browser extensions:

Security: WebKit Bugs and Open Source Security Podcast

Filed under
Security
  • WebKit Vulnerabilities Facilitate Human Rights Abuses

    Volexity has presented convincing evidence that Chinese state actors have recently abused vulnerabilities in the JavaScriptCore component of WebKit to hack the personal computing devices of Uighur Muslims in the Xinjiang region of China. Mass digital surveillance is a key component of China’s ongoing brutal human rights crackdown in the region.

    This has resulted in a public relations drama that is largely a distraction to the issue at hand. Whatever big-company PR departments have to say on the matter, I have no doubt that the developers working on WebKit recognize the severity of this incident and are grateful to Project Zero, which reported these vulnerabilities and has previously provided numerous other high-quality private vulnerability reports. (Many other organizations deserve credit for similar reports, especially Trend Micro’s Zero Day Initiative.)

  • Open Source Security Podcast: Episode 160 - Disclosing security issues is insanely complicated: Part 2

    Josh and Kurt talk about disclosing security flaws in open source. This is part two of a discussion around how to disclose security issues. This episode focuses on some expectations and behaviors for open source projects as well as researchers trying to disclose a problem to a project.

Security Leftovers

Filed under
Security
  • The stakes are too high for Apple to spin the iPhone exploits

    Here Apple repeats Google’s own original claim, but spins it by connecting it to a line later in Google’s piece about the attack being “en masse.” Reasonable people may disagree about the scope of “en masse,” which means both “a group” and “all together,” but Google certainly did not omit information about the vector of the attack.

  • Report reveals play-by-play of first U.S. grid cyberattack

    The more recent cyberthreat appears to have been simpler and far less dangerous than the [attack] in Ukraine. The March 5 attack hit web portals for firewalls in use at the undisclosed utility. The [attacker] or [attackers] may not have even realized that the online interface was linked to parts of the power grid in California, Utah and Wyoming.

  • Dark times ahead as cybercriminals target power grids

    Power grids in particular are being targeted by state-sponsored cybercriminals, with the intention of causing outages that could bring victimised regions to a screeching halt. Ironically, the more advanced our illuminated world of electronics becomes, the more proficient these cyberattacks will be at sending society back to the Dark Ages.

HowTos, Security and Leftovers

Filed under
Security
Misc
HowTos

Security: MoviePass, Exim and SSH Applications

Filed under
Security
  • MoviePass Left Tens Of Thousands Of Credit Card Numbers Exposed Online

    MoviePass initially seemed like it might be a plausible idea, though recently the outfit has been exposed for being terrible at this whole business thing. The service initially let movie buffs pay $30 a month in exchange for unlimited movie tickets at participating theaters, provided they signed up for a full year of service. But recent reports have made it clear company leaders had absolutely no idea what they were doing, the service was routinely hemorrhaging cash (particularly after an unsustainable price drop to $10), and execs even tried to change user passwords to prevent users from actually using the service.

  • [Debian] Andreas Metzler: exim update

    Testing users might want to manually pull the latest (4.92.1-3) upload of Exim from sid instead of waiting for regular migration to testing. It fixes a nasty vulnerability.

  • Linux Fu: Interactive SSH Applications

    [Drew DeVault] recently wrote up some interesting instructions on how to package up interactive text-based Linux commands for users to access via ssh. At first, this seems simple, but there are quite a few nuances to it and [Drew] does a good job of covering them.

    One easy way — but not very versatile — is to create a user and make the program you want to run the default shell. The example used is to make /usr/bin/nethack the shell and now people can log in as that user and play nethack. Simple, right? However, there are better ways to get there.

Security Leftovers

Filed under
Security
  • Exim marks the spot… of remote code execution: Patch due out today for 'give me root' flaw in mail server

    The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine.

    The programming blunder can be abused over the network, or internet if the server is public facing, or by logged-in users to completely commandeer vulnerable installations, steal or tamper with data, install spyware, and so on.

    The vulnerability, designated CVE-2019-15846, has been kept under tight wraps. Details of the bug, along with updates to install to address the security weakness, are due to go live today at 1000 UTC. To be safe from the remote-code execution flaw, ensure you are running version 4.92.2 or later, either built from source or obtained from your operating system's package manager.

  • Is Linux Really Immune to Viruses and Malware? Here’s the Truth [Ed: Conveniently overlooks the fact that the user needs to be tricked into installing malware, whereas proprietary software has deliberate back doors and worse issues. Common FUD.]

    One reason people switch to Linux is to have better security. Once you switch to Linux, the thinking goes, you no longer have to worry about viruses and other types of malware. But while this is largely true in practice, desktop Linux isn’t actually all that secure.

  • Thousands of servers infected with new Lilocked (Lilu) ransomware [Ed: Catalin Cimpanu from the CBS tabloid ZDNet says "Researchers spot new ransomware targeting Linux-based servers." It doesn't bother him what it takes for that ransomware to get installed in the first place.]
  • WireGuard Releases New Snapshot While Not Expected For Linux 5.4 Mainline

    WireGuard 0.0.20190905 was released on Thursday by lead developer Jason Donenfeld.

    WireGuard 0.0.20190905 is the newest snapshot for this secure VPN tunnel that has been making waves in recent years. While WireGuard has been brought to many operating systems and mobile platforms, WireGuard itself is still considered "experimental but fairly stable."

  • WireGuard Snapshot `0.0.20190905` Available
    Hello,
    
    A new snapshot, `0.0.20190905`, has been tagged in the git repository.
    
    Please note that this snapshot is, like the rest of the project at this point
    in time, experimental, and does not constitute a real release that would be
    considered secure and bug-free. WireGuard is generally thought to be fairly
    stable, and most likely will not crash your computer (though it may).
    However, as this is a pre-release snapshot, it comes with no guarantees, and
    its security is not yet to be depended on; it is not applicable for CVEs.
    
    With all that said, if you'd like to test this snapshot out, there are a
    few relevant changes.
    

Qt 5.13.1 Released - Many bugs have been crushed!

Filed under
KDE
Security

I am pleased to announce that Qt 5.13.1 is released today. As a patch release, Qt 5.13.1 does not add any new functionality but provides many bug fixes and other improvements.

Compared to Qt 5.13.0, the new Qt 5.13.1 contains around 500 bug fixes. For details of the most important changes, please check the Change files of Qt 5.13.1.

Note that as a long-term supported release Qt 5.12 LTS receives all the applicable bug fixes as well. We are working on the next patch level release, Qt 5.12.5, to be available in the coming weeks. So unless you need the new functionality provided by Qt 5.13 it is fine to stay using Qt 5.12 LTS and get the relevant bug fixes.


Security: Patches, Reproducible Builds, and Exim Hole

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow).

  • Reproducible Builds in August 2019

    In these monthly reports we outline the most important things that have happened in the world of Reproducible Builds and what we have been up to.

    As a quick recap of our project, whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed to end users or systems as precompiled binaries. The motivation behind the reproducible builds effort is to ensure zero changes have been introduced during these compilation processes. This is achieved by promising identical results are always generated from a given source thus allowing multiple third-parties to come to a consensus on whether a build was changed or even compromised.

  • Critical vulnerability in Exim

    Anybody running the Exim mail system will want to apply the updates that are being released today; there is a remote code-execution vulnerability in its TLS-handling code with a known proof-of-concept exploit.

  • CVE-2019-15846

    If your Exim server accepts TLS connections, it is vulnerable. This does not depend on the TLS library, so both GnuTLS and OpenSSL are affected.


More in Tux Machines

Debian Community Team (CT) and miniDebConf19 Vaumarcus

  • Molly de Blanc: Free software activities (August 2019)

    The Debian Community Team (CT) had a meeting where we discussed some of our activities, including potential new team members!

  • miniDebConf19 Vaumarcus – Oct 25-27 2019 – Call for Presentations

    We’re opening the Call for Presentations for the miniDebConf19 Vaumarcus now, until October 20, so please contribute to the MiniDebConf by proposing a talk, workshop, birds of feather (BoF) session, etc, directly on the Debian wiki: /Vaumarcus/TalkSubmissions We are aiming for talks which are somehow related to Debian or Free Software in general, see the wiki for subject suggestions. We expect submissions and talks to be held in English, as this is the working language in Debian and at this event. Registration is also still open; through the Debian wiki: Vaumarcus/Registration.

New Distro Releases: EasyOS Buster 2.1.3, EasyOS Pyro 1.2.3 and IPFire 2.23 - Core Update 136

  • EasyOS Buster version 2.1.3 released

    EasyOS version 2.1.3, latest in the "Buster" series, has been released. This is another incremental upgrade, however, as the last release announced on Distrowatch is version 2.1, the bug fixes, improvements and upgrades have been considerable since then. So much, that I might request the guys at Distrowatch to announce version 2.1.3.

  • EasyOS Pyro version 1.2.3 released

    Another incremental release of the Pyro series. Although this series is considered to be in maintenance mode, it does have all of the improvements as in the latest Buster release.

  • IPFire 2.23 - Core Update 136 is available for testing

    The summer has been a quiet time for us with a little relaxation, but also some shifted focus on our infrastructure and other things. But now we are back with a large update which is packed with important new features and fixes.

Linux 5.3

  • Linux 5.3
    So we've had a fairly quiet last week, but I think it was good that we
    ended up having that extra week and the final rc8.
    
    Even if the reason for that extra week was my travel schedule rather
    than any pending issues, we ended up having a few good fixes come in,
    including some for some bad btrfs behavior. Yeah, there's some
    unnecessary noise in there too (like the speling fixes), but we also
    had several last-minute reverts for things that caused issues.
    
    One _particularly_ last-minute revert is the top-most commit (ignoring
    the version change itself) done just before the release, and while
    it's very annoying, it's perhaps also instructive.
    
    What's instructive about it is that I reverted a commit that wasn't
    actually buggy. In fact, it was doing exactly what it set out to do,
    and did it very well. In fact it did it _so_ well that the much
    improved IO patterns it caused then ended up revealing a user-visible
    regression due to a real bug in a completely unrelated area.
    
    The actual details of that regression are not the reason I point that
    revert out as instructive, though. It's more that it's an instructive
    example of what counts as a regression, and what the whole "no
    regressions" kernel rule means. The reverted commit didn't change any
    API's, and it didn't introduce any new bugs. But it ended up exposing
    another problem, and as such caused a kernel upgrade to fail for a
    user. So it got reverted.
    
    The point here being that we revert based on user-reported _behavior_,
    not based on some "it changes the ABI" or "it caused a bug" concept.
    The problem was really pre-existing, and it just didn't happen to
    trigger before. The better IO patterns introduced by the change just
    happened to expose an old bug, and people had grown to depend on the
    previously benign behavior of that old issue.
    
    And never fear, we'll re-introduce the fix that improved on the IO
    patterns once we've decided just how to handle the fact that we had a
    bad interaction with an interface that people had then just happened
    to rely on incidental behavior for before. It's just that we'll have
    to hash through how to do that (there are no less than three different
    patches by three different developers being discussed, and there might
    be more coming...). In the meantime, I reverted the thing that exposed
    the problem to users for this release, even if I hope it will be
    re-introduced (perhaps even backported as a stable patch) once we have
    consensus about the issue it exposed.
    
    Take-away from the whole thing: it's not about whether you change the
    kernel-userspace ABI, or fix a bug, or about whether the old code
    "should never have worked in the first place". It's about whether
    something breaks existing users' workflow.
    
    Anyway, that was my little aside on the whole regression thing.  Since
    it's that "first rule of kernel programming", I felt it is perhaps
    worth just bringing it up every once in a while.
    
    Other than that aside, I don't find a lot to really talk about last
    week. Drivers, networking (and network drivers), arch updates,
    selftests. And a few random fixes in various other corners. The
    appended shortlog is not overly long, and gives a flavor for the
    changes.
    
    And this obviously means that the merge window for 5.4 is open, and
    I'll start doing pull requests for that tomorrow. I already have a
    number of them in my inbox, and I appreciate all the people who got
    that over and done with early,
    
                    Linus
    
  • Linux Kernel 5.3 Officially Released, Here's What's New

    Linus Torvalds announced today the release of the Linux 5.3 kernel series, a major release that brings several new features, dozens of improvements, and updated drivers. Two months in the works and eight RC (Release Candidate) builds later, the final Linux 5.3 kernel is now available, bringing quite some interesting additions to improve hardware support, but also the overall performance. Linux kernel 5.3 had an extra Release Candidate because of Linus Torvalds' travel schedule, but it also brought in a few needed fixes. "Even if the reason for that extra week was my travel schedule rather than any pending issues, we ended up having a few good fixes come in, including some for some bad Btrfs behavior. Yeah, there's some unnecessary noise in there too (like the speling fixes), but we also had several last-minute reverts for things that caused issues," said Linus Torvalds.

  • Linux 5.3 Kernel Released With AMD Navi Support, Intel Speed Select & More

    Linus Torvalds just went ahead and released the Linux 5.3 kernel as stable while now opening the Linux 5.4 merge window. There was some uncertainty whether Linux 5.3 would have to go into extra overtime due to a getrandom() system call issue uncovered by an unrelated EXT4 commit. Linus ended up reverting the EXT4 commit for the time being.

Kubernetes Leftovers

  • With its Kubernetes bet paying off, Cloud Foundry doubles down on developer experience

    More than 50% of the Fortune 500 companies are now using the open-source Cloud Foundry Platform-as-a-Service project — either directly or through vendors like Pivotal — to build, test and deploy their applications. Like so many other projects, including the likes of OpenStack, Cloud Foundry went through a bit of a transition in recent years as more and more developers started looking to containers — and especially the Kubernetes project — as a platform on which to develop. Now, however, the project is ready to focus on what always differentiated it from its closed- and open-source competitors: the developer experience.

  • Kubernetes in the Enterprise: A Primer

    As Kubernetes moves deeper into the enterprise, its growth is having an impact on the ecosystem at large. When Kubernetes came on the scene in 2014, it made an impact and continues to impact the way companies build software. Large companies have backed it, causing a ripple effect in the industry and impacting open source and commercial systems. To understand how K8S will continue to affect the industry and change the traditional enterprise data center, we must first understand the basics of Kubernetes.

  • Google Cloud rolls out Cloud Dataproc on Kubernetes

    Google Cloud is trialling alpha availability of a new platform for data scientists and engineers through Kubernetes. Cloud Dataproc on Kubernetes combines open source, machine learning and cloud to help modernise big data resource management. The alpha availability will first start with workloads on Apache Spark, with more environments to come.

  • Google announces alpha of Cloud Dataproc for Kubernetes

    Not surprisingly, Google, the company that created K8s, thinks the answer to that question is yes. And so, today, the company is announcing the Alpha release of Cloud Dataproc for Kubernetes (K8s Dataproc), allowing Spark to run directly on Google Kubernetes Engine (GKE)-based K8s clusters. The service promises to reduce complexity, in terms of open source data components' inter-dependencies, and portability of Spark applications. That should allow data engineers, analytics experts and data scientists to run their Spark workloads in a streamlined way, with less integration and versioning hassles.