
Security

Security: Patches, QualPwn, Overhyped KDE 'Threat' and FUD About VLC

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (hostapd), openSUSE (aubio and spamassassin), Oracle (kernel), Red Hat (augeas, kernel-rt, libssh2, perl, procps-ng, redis:5, and systemd), SUSE (bzip2, evince, kernel, linux-azure, nodejs4, nodejs8, osc, python, python-Twisted, and python3), and Ubuntu (BWA and Mercurial).

  • evil wifi 4 qualcomm – QualPwn – Exploiting Qualcomm Snapdragon via WLAN Wifi and Modem Over The Air

    Researchers discovered the QualPwn vulnerabilities in February and March this year and responsibly reported them to Qualcomm, who then released patches in June and notified OEMs, including Google and Samsung.

    Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available.

    Since Android phones are infamously slow to get patch updates, researchers have decided not to disclose complete technical details or any PoC exploit for these vulnerabilities anytime soon, giving end-users enough time to receive updates from their device manufacturers.

  • KDE4/5 Zero-Day Vulnerability Alert! [Ed: Many steps are needed here (in order to cause actual harm) and also pursuing rogue files from untrusted sources. Linux-hostile sites promoted this nonsense, overhyping it.]

    An unpatched zero-day vulnerability exists in KDE 4 & 5 that could allow attackers to execute code simply by tricking a user into downloading an archive, extracting it, and then opening the folder.

  • What we Can Learn from the Recent VLC Security Vulnerability Fiasco: A Conversation with VideoLAN President Jean-Baptiste Kempf

    About a week ago, the LinuxSecurity staff started tracking a security issue related to VLC, the popular open source media player. Security vulnerabilities are a regular part of the software development lifecycle. These vulnerabilities are identified, then a solution is created and distributed to its users. In this case, it wasn’t completely clear whether that’s what happened, though. We decided to find out.

    On July 23rd, CERT-Bund published a security advisory for the popular open-source VLC media player for a vulnerability that had been fixed for the past 16 months. In the advisory, CERT-Bund warned that VLC media player version 3.0.7.1, the latest build available, contained a critical security vulnerability with a CVSS score of 9.8 out of 10. This warning indicated that the security flaw did not require privilege escalation to exploit.

    It is now evident that many aspects of CERT-Bund’s advisory were incorrect. While a vulnerability did exist, it is in a third party library as opposed to in VLC itself, as security experts incorrectly indicated. It was also fixed over a year ago. The security researcher who reported the vulnerability was using Ubuntu version 18.04, which includes an older, unpatched version of the libebml library. As long as users have VLC 3.0.3 or newer installed, they are protected from the vulnerability. Once the correct information about the security bug was revealed, NIST has downgraded the vulnerability’s rating to a 5.5 (Medium).

Security Leftovers

Filed under
Security
  • Better Encrypted Group Chat

    End-to-end encrypted group messaging is also a hard problem to solve. Existing solutions such as Signal, WhatsApp, and iMessage have inherent problems with scaling, which I’ll discuss in detail, that make it infeasible to conduct group chats of more than a few hundred people. The Message Layer Security (MLS) protocol aims to make end-to-end encrypted group chat more efficient while still providing security guarantees like forward secrecy and post-compromise security.

  • KDE has an unpatched security issue that's been made public [Ed: As KDE clarified, do not run malicious things from malicious sources. This is always common sense; same with Macros.]

    However, that might not be good enough. Going by what else Penner also said on Twitter, it's not just .desktop or .directory files as any unknown filetype can be detected by KDE as an application/desktop mimetype making it a lot worse than originally thought. As long as a file contains "[Desktop Entry]" at the top, it seems KDE will have a go at parsing it.

    On top of that, the KDE team were not made aware of the issue before this was all made public. So if you're running KDE, time to be super careful until a patch is out. Hopefully all distributions shipping KDE will be keeping a close eye on this for when a patch is available.

  • Top 20 Best Cybersecurity Courses That You Can Sign Up Now

    Cybersecurity or information security (IT) refers to the practice or process of ensuring the integrity of different networks. In a broad sense, this concept is all about protecting our data, apps, networks or devices from cyber-attacks or unauthorized access. The necessity of securing our networks is increasing day by day. Few people have that master skill to secure the networks. With the increasing demand for cybersecurity specialists, we believe that one of the cybersecurity courses below will enhance your skill.

More Intel Defects (CVE-2019-1125)

Filed under
Hardware
Security

Security: OKLOK 'Smart' Stuff, Worms, KDE FUD and Debian LTS

Filed under
Security
  • Picking the FB50 smart lock (CVE-2019-13143)

    The lock pairs to a phone via Bluetooth, and requires the OKLOK app from the Play/App Store to function. The app requires the user to create an account before further functionality is available. It also facilitates configuring the fingerprint, and unlocking from a range via Bluetooth.

    We had two primary attack surfaces we decided to tackle — Bluetooth (BLE) and the Android app.

  • What is a computer worm? How this self-spreading malware wreaks havoc

    A worm is a form of malware (malicious software) that operates as a self-contained application and can transfer and copy itself from computer to computer.

    It's this ability to operate autonomously, without the need for a host file or to hijack code on the host computer, that distinguishes worms from other forms of malware.

  • Unpatched KDE vulnerability disclosed on Twitter [Ed: CBS hired Catalin Cimpanu to attack GNU/Linux in its tabloid ZDNet like he had done at cesspool site Bleeping Computer. Now he trash-talks KDE, based on a mere "tweet", because of a bug that affects few people while ignoring, as usual, Windows back doors.]
  • Jonas Meurer: debian lts report 2019.07

    This month I was allocated 17 hours. I also had 2 hours left over from June, which makes a total of 19 hours. I spent all of them on the following tasks/issues.

Security: Web Authentication in Firefox for Android, SMS, VPN, Reproducible Builds and GitLab

Filed under
Security
  • Web Authentication in Firefox for Android

    Firefox for Android (Fennec) now supports the Web Authentication API as of version 68. WebAuthn blends public-key cryptography into web application logins, and is our best technical response to credential phishing. Applications leveraging WebAuthn gain new second factor and “passwordless” biometric authentication capabilities. Now, Firefox for Android matches our support for Passwordless Logins using Windows Hello. As a result, even while mobile you can still obtain the highest level of anti-phishing account security.

  • Hackers exploit SMS gateways to text millions of US numbers

    Receive any strange SMS text messages recently?

  • How to make a VPN in under 30 minutes

    VPNs, or Virtual Private Networks, are a popular way to stay safe online.

  • Reproducible Builds in July 2019

    In these reports we outline the most important things that we have been up to over the past month. As a quick recap, whilst anyone can inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries.

    The motivation behind the reproducible builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

  • Zero Trust Security Explained

    In this ‘Takeaway’, Mark Loveless explains what ‘zero trust security’ is. Mark Loveless is Senior Security Engineer at GitLab.

  • You Can’t Trust Anything In The Cloud: Zero Trust Security Explained

    Mark Loveless is Senior Security Engineer at GitLab. In this interview, he talks about zero trust security in the cloud-native world and how cloud has totally changed the security landscape.

Patches for Stable Linux (Kernel) and More Bugfixes/Security Patches

Filed under
Linux
Security

Security: The False Sense of Security, Capital One, and More

Filed under
Security
  • The false sense of security

    The main reason for this mindset could be the omnipresent focus on technology when it comes to information security. However, as discussed in other articles, technology is only a small subset of information security.

    In the following, we present three reasons for a false sense of security when it comes to configuring technology to make it “more secure”.

  • Capital One Hack Exposes Personal Information of About 106 Million

    Capital One Financial Corp. was notified by a third party on July 19 that their data had appeared on the code-hosting site GitHub, which is owned by Microsoft. The McLean, Virginia, company says it immediately notified the FBI.

  • Capital One systems breached by Seattle woman, U.S. says

    While the complaint doesn’t identify the cloud provider that stored the allegedly stolen data, the charging papers mention information stored in S3, a reference to Simple Storage Service, Amazon Web Services’ popular data storage software.

    An AWS spokesman confirmed that the company’s cloud had stored the Capital One data that was stolen, and said it wasn’t accessed through a breach or vulnerability in AWS systems. Prosecutors alleged that the access to the bank data came through a misconfigured firewall protecting one of its applications.

Security: DEF CON 2019, EU Bug Bounty, Buttercup, FUD and Capital One

Filed under
Security
  • DARPA to Present Open-Source, Secure Voting System at DEF CON 2019 [Ed: But DARPA is a prominent back doors proponent. Be suspicious.]
  • EU bug bounty equips FileZilla with fresh round of security patches

    A European Union (EU) supported bug bounty program has helped FileZilla fix numerous security issues, founders of the open source software application announced this week.

    The batch of bugs included one that caused filenames to be interpreted as commands within versions of the FTP client, an issue that was fixed within 24 hours, according to FileZilla founder Tim Kosse.

    A second patched security issue was threatening the application’s memory security if a “custom external LIP address resolver sent invalid chunk sizes”, Kosse explained, resulting in the FileZilla application crashing if enabled by default.

  • Buttercup is an open source password manager for Windows, macOS, Linux, Firefox and Chrome

    There is no shortage in supply when it comes to password managers, but not all of them are open source.

    Buttercup is a free password manager, which is open source and offers cross-platform support. Open source, at least in theory, gives everyone the opportunity to check the source code of applications or services to make sure they are clean, and to compile the applications manually.

  • 6 Challenges In Using Open Source Cybersecurity Tools [Ed: Mentions Equifax but that's a clear case of neglect by a company (for many months), not FOSS developers; proprietary software is a lot worse. Hospitals are being shut down because of Microsoft Windows and its NSA back doors. Not because of FOSS.]

    When it comes to cybersecurity, tools and infrastructure matter a lot in order to battle notorious threats. Companies across the world have of late understood the importance of having strong cybersecurity and are trying every possible tool or software to make it better.

    There are two types of tools — open-sourced and closed-sourced. While most of the companies have been using closed sourced security tools, open-source tools today have also started to gain significant attention and usage. Companies are leveraging open-source productivity software, tools for administrators and developers, and even code libraries that they use to build their own software.

  • 5 experimental cybersecurity trends your business needs to know about [Ed: Again the old Microsoft script which spreads illusions that proprietary software lacks bugs and back doors.]

    Enterprises are increasingly adopting open source software, which also increases the risk of exposure to open source security vulnerabilities, according to CB Insights.

  • The Challenge of Securing Open Source Applications [Ed: Yet another self-promotional piece from a company looking to 'monetise' bugs in FOSS or fear of FOSS]
  • What We Can Learn from the Capital One Hack

    On Monday, a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years.

    [...]

    I’m not holding out much hope that we will get such detail officially from Capital One, which declined to comment on the record and referred me to their statement on the breach and to the Justice Department’s complaint against the hacker. That’s probably to be expected, seeing as the company is already facing a class action lawsuit over the breach and is likely to be targeted by more lawsuits going forward.

    But as long as the public and private response to data breaches remains orchestrated primarily by attorneys (which is certainly the case now at most major corporations), everyone else will continue to lack the benefit of being able to learn from and avoid those same mistakes.

Security: GitHub (Microsoft) Lawsuit, LibreOffice FUD From Microsoft Tim, Slackware Patch/Upgrade and Debian LTS

Filed under
Security
  • GitHub "actively encourages" hacking, suit filed against company after Capital One hack says [Mitchel Lewis: "For what it’s worth, Microsoft has the technology to prevent PHI breaches; at least within the Data Loss Prevention component of Exchange."]

    "GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information," the suit says.

  • LibreOffice handlers defend suite's security after 'unfortunately partial' patch [Ed: Microsoft propagandist Microsoft Tim still at it, attacking LibreOffice because of malicious macros one could, in principle, run]

    The Document Foundation, custodian of LibreOffice, has defended the suite's security after attempts to patch a code execution flaw turned out to be "partial".

    "So far in the story of LibreOffice we have been able to patch all security issues before they reached the end user," a spokesperson told The Reg. "For this last one we have a patch for version 6.2.5 which is unfortunately partial because there are other ways to trigger the vulnerability. This is going to be patched in version 6.3, which is out next week, and in 6.2.6."

  • [Slackware] Chromium 76 packages available

    The release earlier this week of Chromium 76 came with a total of 43 security fixes but this new major version of course also sports some real usability changes.

    Most notably: Flash is now disabled by default. It’s no longer sufficient to click an “allow Flash on this page” popup but you need to go into the Chromium settings and override the default. And click in on the Flash element to make it start playing. Even then, the changes you make will not survive the restart of the browser. Google is apparently stepping up its efforts in convincing website developers to switch to HTML5 instead. In 2020 Adobe will stop with Flash anyway, so remaining Flash-powered sites will not survive long.

    Another big behavioral change is that it is no longer possible for web sites to detect that you are browsing in ‘anonymous mode’. This will make it a lot harder for sites with a ‘pay-wall’ to block you from accessing their paid content through trial subscriptions.

    And another positive change is that hitting the ‘Esc’ key to stop a page from loading is no longer treated as user activation. Meaning that malicious web sites will have more trouble messing with your browser because your ‘Esc’ keypress is no longer passed to the remote web site.

  • Jonas Meurer: debian lts report 2019.07

    This month I was allocated 17 hours. I also had 2 hours left over from June, which makes a total of 19 hours. I spent all of them on the following tasks/issues.

Security Leftovers

Filed under
Security
  • Best VPN for Ubuntu in 2019 (Full Review)

    Linux is a highly customizable and completely open-source operating system that gives you full control over your computer. The Ubuntu distribution takes that customizability and adds a layer of user-friendliness on top. You get all the security benefits of Linux, only you don’t have to be a command line expert to get things done.

    Even though Ubuntu is more secure than other operating systems, out of the box it doesn’t do much to protect data leaving your device. VPNs bridge that crucial gap by providing encryption for every packet that exits your home network. You’ll get non-local privacy along with a high level of anonymity, all from the comfort of your own Ubuntu system.

  • Cisco's failure to heed whistleblower's warning about security defects in video surveillance software costs the company $8.6m in fines

    There's a lesson here about the people who advocate for allowing companies to decide when defects in their products can be revealed: companies are not trustworthy custodians of bad news about their products, even (especially) when the stakes are high and they face titanic liability for failing to mitigate reported defects.

  • GitLab Is A Very Powerful Tool For Security: Liz Rice Of Aqua Security

    The ‘Takeaway’ from this interview is that GitLab is a very powerful tool for security. Guest Liz Rice, VP of Open Source Engineering at Aqua Security.

  • Liz Rice On Technology & Culture Of The Cloud Native World

    Liz Rice, VP of Open Source Engineering at Aqua Security sat down with Swapnil Bhartiya at KubeCon and CloudNativeCon, Barcelona, to talk about a wide range of topics.

  • bzip2 and the CVE that wasn’t

    Compiling with the GCC sanitizers and then fuzzing the resulting binaries might find real bugs. But not all such bugs are security issues. When a CVE is filed there is some pressure to treat such an issue with urgency and push out a fix as soon as possible. But taking your time and making sure an issue can be replicated/exploited without the binary being instrumented by the sanitizer is often better.

    This was the case for CVE-2019-12900 “BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors”.

    The bzip2 project had lost the domain which it had used for the last 15 years. And it hadn’t seen an official release since 2010. The bzip2 project homepage, documentation and downloads had already been moved back to sourceware.org. And a new bug tracker, development mailing list and git repository had been set up. But we were still in the middle of a code cleanup (removing references to the old homepage, updating the manual and adding various cleanups that distros had made to the code) when the CVE was filed.
