Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • A [Windows] virus has thrown Philadelphia’s court system into chaos

     

    Since May 21st, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. The problems started unexpectedly: suddenly, no one could seem to access the system to file documents. “It wasn’t working,” says Rachel Gallegos, a senior staff attorney with the civil legal aid organization Community Legal Services. “I thought it was my computer.”

  • Linux Command-Line Editors Vulnerable to High-Severity Bug

     

    Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”
     

    “Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelinesplugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.

  • Beware Linux users! Vulnerability in Vim or Neovim Editor could compromise your Linux
  • The bits and bytes of PKI

    In two previous articles—An introduction to cryptography and public key infrastructure and How do private keys work in PKI and cryptography?—I discussed cryptography and public key infrastructure (PKI) in a general way. I talked about how digital bundles called certificates store public keys and identifying information. These bundles contain a lot of complexity, and it's useful to have a basic understanding of the format for when you need to look under the hood.

  • Update Uncertainty | TechSNAP 405

    We explore the risky world of exposed RDP, from the brute force GoldBrute botnet to the dangerously worm-able BlueKeep vulnerability.

    Plus the importance of automatic updates, and Jim’s new backup box.

  • Microsoft's June 2019 Patch Tuesday fixes many of SandboxEscaper's zero-days

    Microsoft has published today its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of "Critical," the company's highest severity ranking.

    Furthermore, the May 2019 Patch Tuesday also included fixes for four of the five zero-days that a security researcher and exploit seller by the name of SandboxEscaper published online over the course of the last month.

  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key [Ed: Mass slanderer and FUDmeister from Ars Technica (he got sued for his style) recalls Rowhammer (which is more theoretical a risk then a real one)]
  • RAMBleed Attack Can Steal Sensitive Data From Computer Memory[Ed: Rowhammer was mentioned by another site of FUDmeisters (one of whom CBS hired for clickbait)]

Security: Updates, Microsoft TCO and Red Hat Enterprise Linux 8

Filed under
Security
  • Security updates for Tuesday
  • Hack Brief: [Attackers] [Copied] a Border Agency Database of Traveler Photos [iophk: "Microsoft TCO"]

    In its rush to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it. One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of [attackers].

    The Washington Post first reported the incident, whose full scope remains unclear. But the [attack] has raised sharp questions about the agency’s already controversial push for biometrics. Facial recognition scans have become more routine at airports; CBP wants it in the top 20 US airports by 2021.

  • Consistent PKCS #11 support in Red Hat Enterprise Linux 8

    In recent years, there have been a number of security issues taking advantage of flaws in applications and even computer processors. These opened new attack vectors or made some others more viable and exploitable than before. We can talk about timing differences, cache access patterns and other side-channel attacks that can be exploited either locally, from the same machine or even over the network to read or reconstruct our secrets.

    Keeping secret information storage isolated from other unrelated applications on a single system is a long-standing data protection technique. Storage isolation is usually implemented in software by isolating processes, applications, containers or virtual machines running on the same physical machine. Hardware tokens are taking this principle to another level, providing the physical isolation of the secret information, which has the potential to improve security significantly. Working with external hardware for storing secrets in an operating system historically has been difficult for system administrators and end users, and this is what we are improving in Red Hat Enterprise Linux 8.

Security Leftovers

Filed under
Security
  • Report: Response to the Consultation on the Government's regulatory proposals regarding consumer Internet of Things (IoT) security

    Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK.

    We are a project partner to Values and Ethics in Responsible Technology in Europe (VIRT-EU) – a European project funded by the Horizon 2020 program. VIRT-EU’s mission is to foster ethical thinking in IoT development. The following comments stem predominantly from our experience accumulated in the course of that project.

    We address the consultation questions in order below, omitting questions 7, 8 and 9 as these lie outside our remit.

    1. Do you agree that the Government should take powers to regulate on the security of consumer IoT products? If yes, do you agree with the proposed legislative approach?

    We welcome the proposal to create primary legislation to introduce enhanced security for consumers using IoT devices. We also support the approach of making some requirements mandatory in the first instance with a longer strategy.

  • 'This Is a Bombshell': Facial Recognition Data Collected by US Customs Agency Hacked

    "This is a bombshell," said Evan Greer, deputy director of the advocacy group Fight fight for the Future, in response to the reporting. "Even if you 100% trust the US government with your biometric information (which you shouldn't) this is a reminder that once your face is scanned and stored in a database, it's easily shared across government agencies, stolen by hackers, other governments, etc."

    Buzzfeed, also among the first to report on the breach on Monday, noted that the "cyberattack comes amid the ongoing rollout of CBP's "biometric entry-exit system," the government initiative to biometrically verify the identities of all travelers crossing US borders." As BuzzFeed News reported Citing earlier reporting, Buzzfeed pointed out that "CBP is scrambling to implement the initiative with the goal of using facial recognition technology on '100 percent of all international passengers,' including American citizens, in the top 20 US airports by 2021."

  • What you need to know about the MDS vulnerability and Red Hat Virtualization

    A new series of vulnerabilities in Intel processors, known as Microarchitectural Data Sampling, or more simply MDS, was recently made public and Red Hat released information about how the vulnerabilities affect our software and how to protect your organization.

    In the simplest terms, MDS is a vulnerability in Intel processors similar to Spectre and Meltdown; it allows a guest to read protected memory from anywhere on the host or guest. To mitigate the risks exposed by MDS, a combination of updated microcode, updated kernel(s), patches, and administrator action will need to be taken for both the hypervisors and virtual machines in your Red Hat Virtualization deployment. Unlike some similar vulnerabilities, simply disabling SMT and/or hyper-threading is not enough to protect your applications.

  • 5 reasons chaos engineering is indispensable to the CISO

    Security leaders, including the chief information security officer (CISO), are challenged to continuously demonstrate their role within the company's value stream as part of improving security. In doing so, a growing number of security organizations are shifting toward a more "applied security mode," leading many to rethink our traditional practices and question their effectiveness in today's high-velocity, software-driven world.

  • Wireless Security | Roadmap to Securing Your Infrastructure
  • IPFire on AWS: Update to IPFire 2.23 - Core Update 132

    Today, we have updated IPFire on AWS to IPFire 2.23 - Core Update 132 - the latest official release of IPFire.

    This update brings you the new Intrusion Prevention System out-of-the-box as well as updates to the whole system.

  • Amitabh Bachchan’s Twitter Account “Hacked” And DP Got Changed

Securing the Kernel Stack

Filed under
Linux
Security

The Linux kernel stack is a tempting target for attack. This is because the kernel needs to keep track of where it is. If a function gets called, which then calls another, which then calls another, the kernel needs to remember the order they were all called, so that each function can return to the function that called it. To do that, the kernel keeps a "stack" of values representing the history of its current context.

If an attacker manages to trick the kernel into thinking it should transfer execution to the wrong location, it's possible the attacker could run arbitrary code with root-level privileges. Once that happens, the attacker has won, and the computer is fully compromised. And, one way to trick the kernel this way is to modify the stack somehow, or make predictions about the stack, or take over programs that are located where the stack is pointing.

Protecting the kernel stack is crucial, and it's the subject of a lot of ongoing work. There are many approaches to making it difficult for attackers to do this or that little thing that would expose the kernel to being compromised.

Read more

Also: AMD Zen 2 + Radeon RX 5700 Series For Linux Expectations

EFF and Open Rights Group Defend the Right to Publish Open Source Software to the UK Government

Filed under
OSS
Security
Legal

EFF and Open Rights Group today submitted formal comments to the British Treasury, urging restraint in applying anti-money-laundering regulations to the publication of open-source software.

The UK government sought public feedback on proposals to update its financial regulations pertaining to money laundering and terrorism in alignment with a larger European directive. The consultation asked for feedback on applying onerous customer due diligence regulations to the cryptocurrency space as well as what approach the government should take in addressing “privacy coins” like Zcash and Monero. Most worrisome, the government also asked “whether the publication of open-source software should be subject to [customer due diligence] requirements.”

We’ve seen these kind of attacks on the publication of open source software before, in fights dating back to the 90s, when the Clinton administration attempted to require that anyone merely publishing cryptography source code obtain a government-issued license as an arms dealer. Attempting to force today’s open-source software publishers to follow financial regulations designed to go after those engaged in money laundering is equally obtuse.

Read more

Security: Updates, Flaws and Chromium Update on Slackware

Filed under
Security
  • Security updates for Monday
  • Lessons From Global Cybersecurity Breaches For Your Next M&A
  • Cryptocurrency attack thwarted by npm team

    Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

    The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

  • Firefox fires blocks at trackers, Exim tackles 7-day remote flaw, and RDP pops up yet again

    Are you running the latest version (4.9.2) of Exim on your Linux box? If so, you can go ahead and skip down to the next item, because you're already clear of danger.

    Everyone else may want to consider updating, because older versions of the Linux mail server have been found to contain a command execution vulnerability that has now been confirmed to be remotely exploitable.

    The bug, initially thought only to be locally exploitable, was first addressed in February of this year when the latest Exim build was released. At the time, it was not considered to be a major security issue, but rather a minor bug that wouldn't need to be addressed in older versions.

  • Chromium 75 available as Slackware packages (32bit and 64bit)

    The Chromium 75 sources were released last week by Google, and this new major release contains 42 fixes for security issues. A couple of them are serious enough that you are encouraged to update to the new 75 release ASAP.

    In terms of functionality, not much changed in Chromium 75, but there is one interesting addition that you may want to try if you read a lot of content online. It’s called “Reader Mode” and is still disabled by default, You can enable it through the Chrome flag “chrome://flags/#enable-reader-mode“. The reader mode strips away page clutter like buttons, background images and changes the page layout for better readability.

IPFire Open-Source Linux Firewall Now Patched Against Intel MDS Vulnerabilities

Filed under
OSS
Security

IPFire 2.23 Core Update 132 is more like an emergency release that ships with an updated Linux kernel, version 4.14.120, which is patched against the recently disclosed Intel MDS (Microarchitectural Data Sampling) security vulnerabilities known as RIDL, Fallout, and ZombieLoad, as well as an updated intel-microcode firmware, version 20190514.

"Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors which has significant performance impacts," said Michael Tremer in the release announcement. "Please note, that Intel unfortunately is not releasing microcode for all processors any more and so you might still be vulnerable. To apply the fixes, please reboot your system."

Read more

Security: Windows Back Doors, China Plans to Create a Technology Security Management System and More

Filed under
Security
  • Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware

    But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.

  • China Plans to Create a Technology Security Management System

    The National Development and Reform Commission has been tasked with setting up the list system which aims to “more effectively forestall and defuse national security risks,” Xinhua reported on Saturday. Details on the measures will be provided in the near future, according to the news agency.

  • BGP event sends European mobile traffic through China Telecom for 2 hours

    The incident started around 9:43am UTC on Thursday (2:43am California time). That's when AS21217, the autonomous system belonging to Switzerland-based data center colocation company Safe Host, improperly updated its routers to advertise it was the proper path to reach what eventually would become more than 70,000 Internet routes comprising an estimated 368 million IP addresses. China Telecom's AS4134, which struck a network peering arrangement with Safe Host in 2017, almost immediately echoed those routes rather than dropping them, as proper BGP filtering practices dictate. In short order, a large number of big networks that connect to China Telecom began following the route.

    The result: much of the traffic destined for telecommunications providers using the affected IP addresses passed through China Telecom equipment before either being sent to their final stop or being dropped during long waits caused by the roundabout paths. [...]

  • Fortune 500 company Tech Data leaks 264GB of private data

    While the card numbers were obfuscated, the data wasn't encrypted, and it's possible there's more than this: going through an entire 264GB file is somewhat time-consuming, after all. The site did say the sample its reporters saw contained "tens of thousands of customers," and it was a fraction of the larger database.

    This data was kept on a server for support agents to look at for troubleshooting purposes, but the company had neglected to put a password on it - meaning anybody with access to a web browser could look at the logs at will.

  • An Open Source Program Aims to Help Idaho Shore Up Cyberdefenses

    The mitigation of phishing is a top priority for Idaho, said ITS Administrator Jeff Weak. Phishing is the practice of sending emails that appear to be from a reputable source but hide malware links or try to convince users to reveal personal or system information.

    “Phishing, in general, that’s our biggest threat because we can stop a lot of the payload of most malware coming through. We have multiple layers of detection going through our email system so it will strip out virtually anything that looks out of place,” Weak said. “Where that gets tricky is in hyperlinks and things of that nature that look natural to an email or if it’s embedded into another link inside of a Word document, for example.”

    Idaho is currently in its second year of mandated cybersecurity training for state employees, he said. The learning modules, provided by KnowBe4, include a phishing course. One goal is to educate personnel on differentiating emails that make it past current cyberdefenses and into their inboxes.

  • Malicious Actors Create “Frankenstein Monsters” by Combining Open Source Components [Ed: TechNadu has somehow managed to blame security issues in Windows (which is insecure by design) on "open source"; amazing spin]

    Examples of these open source and freely available components include a tool that leverages MSBuild to execute a PowerShell command, another GitHub hosted project called Fruityc2 that is used to build stagers, the “PowerShell Empire”, and an article to help the attackers detect whether their software is running in a virtual machine or not. The reason for using open source tools is not only because they are free and readily available, but also because they feature higher operational security and make the malicious activities and the group behind them harder to detect. Custom tools on the other side leave unique traces, as they are developed by specific groups of hackers.

  • Checkmarx Makes SCA Market Waves with Enhanced Open Source Security Offering

Security Leftovers

Filed under
Security
  • Millions of machines affected by command execution flaw in Exim mail server

    The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that's required is for the person to send an email to "${run{...}}@localhost," where "localhost" is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges.

  • Fortune 500 firm Tech Data leaks 264Gb of data online

    Security researchers from virtual private network firm vpnMentor have found an unsecured server belonging to American multinational tech vendor Data Tech online, containing 264GB of data about its client servers, invoices, SAP integrations and plaintext passwords.

  • Android malware once found a way onto phones before they even shipped

    Today, Google posted what amounts to a case study of some very persistent and clever hackers who kept trying to get malware on Android phones. It’s about the “Triada family” of apps designed to put spam and ads on a device. After a brief history of how it started in 2016 and an overview of how early versions worked, Google got to the surprising turn in the story: Triada devised a method to get malware on Android phones virtually at the factory, before customers had even opened the box or even installed a single app.

  • Google details Triada malware – three years after it was reported!

    Three years after it was first reported by Russian security firm Kaspersky ((formerly Kaspersky Lab), Google has suddenly decided to confirm a report that the firmware updates of some Android devices were compromised through their supply chain so that they could be infected with malware.

Security: Cracking and Patching

Filed under
Security
  • NYS and IFMIS among government websites hacked

    The National Youth Service (NYS) and Integrated Financial Management System (IFMIS) are among host of government websites that were Monday attacked by an Indonesia hacker group, Kurd Electronic Team.

    The portals were attacked in the morning with hackers placing their logo on the landing pages, in a clear indication they have taken control of the site.

    All the hacked websites are on servers powered by the Unix-based FreeBSD operating system.

  • Security updates for Friday
  • Action required! Exim mail servers need urgent patching
  • VideoLAN releases VLC 3.0.7

    The new 3.0.7 release for the VideoLAN multimedia player VLC was tagged in git almost two weeks ago but it took until today to find official tarballs on their web site. By the looks of the git log I can only assume that the VideoLAN developers needed to fix some annoying post-release bugs first.
    The ChangeLog documents that the focus of the developers is mostly on the Android, MacOS and Windows platforms, presumably because that is where most of the issues are found? Also – through sponsoring by the European Commission’s EU-FOSSA2 program – more than 35 security bugs were fixed.
    So I built new ‘vlc‘ packages for Slackware 14.2 and -current yesterday and uploaded them to my repository. Between the previous 3.0.6 and this 3.0.7 release I updated some of the packages’ internal libraries: bluray, dav1d, dvdnav, ebml, matroska. If you want to know what you can expect from the VLC 3.x releases (as opposed to the 2.x releases which took way too many years to get obsoleted) you can read this older article on my blog.

Syndicate content

More in Tux Machines

First Release Candidate of Linux 5.3

  • Linux 5.3-rc1
    It's been two weeks, and the merge window is over, and Linux 5.3-rc1
    is tagged and pushed out.
    
    This is a pretty big release, judging by the commit count. Not the
    biggest ever (that honor still goes to 4.9-rc1, which was
    exceptionally big), and we've had a couple of comparable ones (4.12,
    4.15 and 4.19 were also big merge windows), but it's definitely up
    there.
    
    The merge window also started out pretty painfully, with me hitting a
    couple of bugs in the first couple of days. That's never a good sign,
    since I don't tend to do anything particularly odd, and if I hit bugs
    it means code wasn't tested well enough. In one case it was due to me
    using a simplified configuration that hadn't been tested, and caused
    an odd issue to show up - it happens. But in the other case, it really
    was code that was too recent and too rough and hadn't baked enough.
    The first got fixed, the second just got reverted.
    
    Anyway, despite the rocky start, and the big size, things mostly
    smoothed out towards the end of the merge window. And there's a lot to
    like in 5.3. Too much to do the shortlog with individual commits, of
    course, so appended is the usual "mergelog" of people I merged from
    and a one-liner very high-level "what got merged". For more detail,
    you should go check the git tree.
    
    As always: the people credited below are just the people I pull from,
    there's about 1600 individual developers (for 12500+ non-merge
    commits) in this merge window.
    
    Go test,
    
                Linus
    
  • Linux 5.3-rc1 Debuts As "A Pretty Big Release"

    Just as expected, Linus Torvalds this afternoon issued the first release candidate of the forthcoming Linux 5.3 kernel. It's just not us that have been quite eager for Linux 5.3 and its changes. Torvalds acknowledged in the 5.3-rc1 announcement that this kernel is indeed a big one: "This is a pretty big release, judging by the commit count. Not the biggest ever (that honor still goes to 4.9-rc1, which was exceptionally big), and we've had a couple of comparable ones (4.12, 4.15 and 4.19 were also big merge windows), but it's definitely up there."

  • The New Features & Improvements Of The Linux 5.3 Kernel

    The Linux 5.3 kernel merge window is expected to close today so here is our usual recap of all the changes that made it into the mainline tree over the past two weeks. There is a lot of changes to be excited about from Radeon RX 5700 Navi support to various CPU improvements and ongoing performance work to supporting newer Apple MacBook laptops and Intel Speed Select Technology enablement.

today's howtos and programming bits

  • How to fix Ubuntu live USB not booting
  • How to Create a User Account Without useradd Command in Linux?
  • Container use cases explained in depth
  • Containerization and orchestration concepts explained
  • Set_env.py

    A good practice when writing complicated software is to put in lots of debugging code. This might be extra logging, or special modes that tweak the behavior to be more understandable, or switches to turn off some aspect of your test suite so you can focus on the part you care about at the moment. But how do you control that debugging code? Where are the on/off switches? You don’t want to clutter your real UI with controls. A convenient option is environment variables: you can access them simply in the code, your shell has ways to turn them on and off at a variety of scopes, and they are invisible to your users. Though if they are invisible to your users, they are also invisible to you! How do you remember what exotic options you’ve coded into your program, and how do you easily see what is set, and change what is set?

  • RPushbullet 0.3.2

    A new release 0.3.2 of the RPushbullet package is now on CRAN. RPushbullet is interfacing the neat Pushbullet service for inter-device messaging, communication, and more. It lets you easily send alerts like the one to the left to your browser, phone, tablet, … – or all at once. This is the first new release in almost 2 1/2 years, and it once again benefits greatly from contributed pull requests by Colin (twice !) and Chan-Yub – see below for details.

  • A Makefile for your Go project (2019)

    My most loathed feature of Go was the mandatory use of GOPATH: I do not want to put my own code next to its dependencies. I was not alone and people devised tools or crafted their own Makefile to avoid organizing their code around GOPATH.

  • Writing sustainable Python scripts

    Python is a great language to write a standalone script. Getting to the result can be a matter of a dozen to a few hundred lines of code and, moments later, you can forget about it and focus on your next task. Six months later, a co-worker asks you why the script fails and you don’t have a clue: no documentation, hard-coded parameters, nothing logged during the execution and no sensible tests to figure out what may go wrong. Turning a “quick-and-dirty” Python script into a sustainable version, which will be easy to use, understand and support by your co-workers and your future self, only takes some moderate effort. 

  • Notes to self when using genRSS.py

The Status of Fractional Scaling (HiDPI) Between Windows & Linux

There’s a special type of displays commonly called “HiDPI“, which means that the number of pixels in the screen is doubled (vertically and horizontally), making everything drawn on the screen look sharper and better. One of the most common examples of HiDPI are Apple’s Retina displays, which do come with their desktops and laptops. However, one issue with HiDPI is that the default screen resolutions are too small to be displayed on them, so we need what’s called as “scaling”; Which is simply also doubling the drawn pixels from the OS side so that they can match that of the display. Otherwise, displaying a 400×400 program window on a 3840×2160 display will give a very horrible user experience, so the OS will need to scale that window (and everything) by a factor of 2x, to make it 800×800, which would make it better. Fractional scaling is the process of doing the previous work, but by using fractional scaling numbers (E.g 1.25, 1.4, 1.75.. etc), so that they can be customized better according to the user’s setup and needs. Now where’s the issue, you may ask? Windows operating system has been supporting such kind of displays natively for a very long time, but Linux distributions do lack a lot of things in this field. There are many drawbacks, issues and other things to consider. This article will take you in a tour about that. Read more Also: Vulkan 1.1.116 Published With Subgroup Size Control Extension

Android Leftovers