
Security

GnuPG 2.2.17 released

Filed under
GNU
Security
Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.17.  This is a maintenance release to mitigate the effects of
the denial-of-service attacks on the keyserver network.  See below for a
list of changes.


About GnuPG
===========

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine from software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.17
====================================

  * gpg: Ignore all key-signatures received from keyservers.  This
    change is required to mitigate a DoS due to keys flooded with
    faked key-signatures.  The old behaviour can be achieved by adding
      keyserver-options no-self-sigs-only,no-import-clean
    to your gpg.conf.  [#4607]

  * gpg: If an imported keyblock is too large to be stored in the
    keybox (pubring.kbx), do not error out but fall back to an import
    using the options "self-sigs-only,import-clean".  [#4591]

  * gpg: New command --locate-external-key which can be used to
    refresh keys from the Web Key Directory or via other methods
    configured with --auto-key-locate.

  * gpg: New import option "self-sigs-only".

  * gpg: In --auto-key-retrieve prefer WKD over keyservers.  [#4595]

  * dirmngr: Support the "openpgpkey" subdomain feature from
    draft-koch-openpgp-webkey-service-07. [#4590].

  * dirmngr: Add an exception for the "openpgpkey" subdomain to the
    CSRF protection.  [#4603]

  * dirmngr: Fix endless loop due to http errors 503 and 504.  [#4600]

  * dirmngr: Fix TLS bug during redirection of HKP requests.  [#4566]

  * gpgconf: Fix a race condition when killing components.  [#4577]

  Release-info: https://dev.gnupg.org/T4606


Getting the Software
====================

Please follow the instructions found at https://gnupg.org/download/ or
read on:

GnuPG 2.2.17 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
https://gnupg.org/download/mirrors.html.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.17.tar.bz2 (6560k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.17.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.17_2019... (4185k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.17_2019...

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.

A new version of Gpg4win including this version of GnuPG will be released
in a few days.


Read more
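
The first item in the release notes above, that gpg now keeps only a key's own signatures when it imports from a keyserver, comes down to a filter over the packets of a keyblock. What follows is an added illustration written for this page, not GnuPG code: it parses RFC 4880 packet framing, derives the v4 key ID of the primary key, and drops every signature packet whose issuer subpacket names some other key. The keyblock it builds for itself (dummy RSA material, a made-up user ID, made-up issuer IDs) is constructed test data. Real gpg goes further and verifies the surviving self-signatures cryptographically; an issuer subpacket is attacker-controlled, so the structural filter shown here is only the first half of the mitigation.

```python
"""Structural 'self-sigs-only' filter over an OpenPGP keyblock (RFC 4880 packet framing).
Added illustration for this page, not GnuPG code: drops signature packets whose issuer is
not the primary key itself. Unlike gpg it does NOT verify the surviving self-signatures."""
import hashlib

PUBKEY, SIG, UID = 6, 2, 13          # packet tags, RFC 4880 section 4.3
SP_ISSUER, SP_ISSUER_FPR = 16, 33    # signature subpacket types (33 is from RFC 4880bis)

def parse_packets(blob):
    """Yield (tag, body) per packet; old and new header formats, no partial body lengths."""
    pos = 0
    while pos < len(blob):
        b = blob[pos]; pos += 1
        if not b & 0x80:
            raise ValueError("not a packet header")
        if b & 0x40:                                   # new format: tag in the low 6 bits
            tag, l = b & 0x3F, blob[pos]; pos += 1
            if l < 192:
                length = l
            elif l < 224:
                length = ((l - 192) << 8) + blob[pos] + 192; pos += 1
            elif l == 255:
                length = int.from_bytes(blob[pos:pos + 4], "big"); pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                          # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (b >> 2) & 0x0F, b & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(blob[pos:pos + (1 << ltype)], "big"); pos += 1 << ltype
        body = blob[pos:pos + length]; pos += length
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body

def parse_subpackets(area):
    """Yield (type, data) from a hashed or unhashed subpacket area (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        o = area[pos]; pos += 1
        if o < 192:
            length = o
        elif o < 255:
            length = ((o - 192) << 8) + area[pos] + 192; pos += 1
        else:
            length = int.from_bytes(area[pos:pos + 4], "big"); pos += 4
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # mask off the 'critical' bit
        pos += length

def signature_issuer(body):
    """8-byte issuer key ID of a v4 signature packet, or None when no issuer subpacket is present."""
    if body[0] != 4:
        return None
    hlen = int.from_bytes(body[4:6], "big")
    hashed, pos = body[6:6 + hlen], 6 + hlen
    ulen = int.from_bytes(body[pos:pos + 2], "big")
    unhashed = body[pos + 2:pos + 2 + ulen]
    for area in (hashed, unhashed):                    # hashed area takes precedence
        for stype, data in parse_subpackets(area):
            if stype == SP_ISSUER_FPR and len(data) == 21 and data[0] == 4:
                return data[-8:]                       # v4 key ID is the low 64 bits of the fingerprint
            if stype == SP_ISSUER and len(data) == 8:
                return data
    return None

def v4_key_id(key_body):
    """RFC 4880 section 12.2: fingerprint = SHA-1(0x99 || 2-byte length || body); key ID = last 8 bytes."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()[-8:]

def new_header(tag, length):
    """New-format packet header (RFC 4880 section 4.2.2)."""
    if length < 192:
        lb = bytes([length])
    elif length < 8384:
        lb = bytes([192 + ((length - 192) >> 8), (length - 192) & 0xFF])
    else:
        lb = b"\xff" + length.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + lb

def self_sigs_only(keyblock):
    """Re-serialise the keyblock keeping only signatures issued by its primary key."""
    packets = list(parse_packets(keyblock))
    if not packets or packets[0][0] != PUBKEY:
        raise ValueError("keyblock must start with a public-key packet")
    own, kept, dropped = v4_key_id(packets[0][1]), [], 0
    for tag, body in packets:
        if tag == SIG and signature_issuer(body) != own:
            dropped += 1
            continue
        kept.append(new_header(tag, len(body)) + body)
    return b"".join(kept), dropped

# Constructed test data: a key carrying one self-signature and many third-party certifications.
def _mpi(raw):
    return int.from_bytes(raw, "big").bit_length().to_bytes(2, "big") + raw

def _subpacket(stype, data):
    return bytes([len(data) + 1, stype]) + data        # bodies here are always shorter than 192 bytes

def _signature(sig_type, issuer):
    hashed = _subpacket(2, (1562000000).to_bytes(4, "big"))           # signature creation time
    unhashed = _subpacket(SP_ISSUER, issuer)
    return (b"\x04" + bytes([sig_type, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00" + _mpi(b"\x7f" * 128))  # dummy RSA MPI

def build_flooded_keyblock(n_third_party):
    key = b"\x04" + (1562000000).to_bytes(4, "big") + b"\x01" + _mpi(b"\xc5" + b"\x11" * 255) + _mpi(b"\x01\x00\x01")
    uid = b"Alice <alice@example.org>"                                  # made-up user ID
    blob = new_header(PUBKEY, len(key)) + key + new_header(UID, len(uid)) + uid
    sig = _signature(0x13, v4_key_id(key))                              # positive certification by the key itself
    blob += new_header(SIG, len(sig)) + sig
    for i in range(n_third_party):                                      # certifications from unrelated issuers
        sig = _signature(0x10, (0xBAD0_0000_0000_0000 + i).to_bytes(8, "big"))
        blob += new_header(SIG, len(sig)) + sig
    return blob

if __name__ == "__main__":
    flooded = build_flooded_keyblock(20000)
    cleaned, dropped = self_sigs_only(flooded)
    print(f"{len(flooded)} -> {len(cleaned)} bytes; dropped {dropped} third-party signatures")
```

Subkey binding signatures are issued by the primary key, so they survive this filter along with the user-ID self-signatures; everything a flooding attacker can add from keys of their own is removed before it reaches pubring.kbx.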

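Several of the dirmngr items above concern the Web Key Directory, which 2.2.17 now prefers over keyservers. The lookup URL is derived from the mail address, and draft-07 adds an "advanced" method that serves keys from an openpgpkey sub-domain of the mail domain; that sub-domain is a different host from the mail domain itself, which is why dirmngr needed an exception in its CSRF protection. The following added example, not dirmngr code, computes both URL forms; the draft has clients try the advanced form first and fall back to the direct one, and Joe.Doe@Example.ORG is the draft's own worked address.

```python
"""Web Key Directory lookup URLs per draft-koch-openpgp-webkey-service-07.
Added illustration for this page, not dirmngr code."""
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"     # Z-Base-32 alphabet (RFC 6189 section 5.1.6)

def zbase32_encode(data):
    """5 bits per symbol, most significant bits first, no padding symbols."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wkd_hash(local_part):
    """Local part lower-cased (the draft only defines this for ASCII), SHA-1 hashed,
    Z-Base-32 encoded: always 32 characters."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_urls(address):
    """Candidate URLs in the order a client tries them: advanced method first, then direct."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h, l = wkd_hash(local), quote(local, safe="")     # ?l= carries the local part as written
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }

if __name__ == "__main__":
    for kind, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{kind:16} {url}")
```

The policy URLs are what a client fetches to learn whether a domain offers WKD at all before it asks for a key; the hashed local part keeps the directory from being a plain-text list of every address the domain serves, although anyone holding an address can still compute its slot.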
Security: Bug Doors, Samba, GitHub Cracks, Microsoft Entryism

Filed under
Security
  • Zoom.us flaw forces users onto video and audio calls

    The macOS client application for the popular audio and video conferencing service Zoom can be made to forcibly join users to calls, activating Mac microphones and video cameras without users being asked for permission, a researcher has found.

  • Years late to the SMB1-killing party, Samba finally dumps the unsafe file-sharing protocol version by default

    Samba says its next release will switch off previously on-by-default support for the aging and easily subverted SMB1 protocol. It can be reenabled for those truly desperate to use the godforsaken deprecated protocol version.

    The open-source SMB toolkit's developers say the Samba 4.11 build, currently in preview, will by default set SMB2_02 as the earliest supported version of the Windows file-sharing protocol.

    "This means clients without support for SMB2 or SMB3 are no longer able to connect to smbd (by default)," the 4.11 release notes read.

    "It also means client tools like smbclient and others, as well as applications making use of libsmbclient are no longer able to connect to servers without SMB2 or SMB3 support (by default)."

    Admins will still have the option to allow SMB1 on their servers if they so choose, but support will be turned off by default.

  • The GitHub account of Canonical, which developed popular Ubuntu Linux, was hacked [Ed: GitHub is Microsoft's responsibility, so speak to Microsoft. Ubuntu needs to delete GitHub.]
  • GitHub account belonging to Ubuntu Linux maker Canonical hacked [Ed: The account belongs to Microsoft actually. The site is entirely owned by it.]

    “Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected,” the team said.

  • Microsoft to Join Linux Mailing List That Privately Discusses Unpatched Security Issues [Ed: It is pretty revealing that it is mostly Microsoft propaganda sites which push the "Microsoft loves Linux" lie.]

    Microsoft will become a member of the sought after Linux-distros mailing list, which privately discusses non-public security issues. To qualify for the membership, a member must have been submitting fixes for at least a year, with the tech giant’s anniversary and join date on August 5.

  • Microsoft set to join private Linux security mailing list [Ed: Microsoft entryism is progressing inside Linux and Windows promotion sites are pleased.]

    As it stands right now, there are representatives from ALT Linux, Amazon Linux AMI, Arch Linux, Chrome OS, CloudLinux, CoreOS, Debian, Gentoo, Openwall, Oracle, Red Hat, Slackware, SUSE, Ubuntu, and Wind River on the list. According to the list’s information page, issues disclosed here are subject to a maximum embargo period of 14 days but seven days are preferable.

OPNsense 19.7 RC1 released

Filed under
Security
BSD

opnsense

For four and a half years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

Read more

Security Leftovers

Filed under
Security
  • British Airways faces largest ever data breach fine for 2018 [intrusion]

    The penalty comes from the Information Commissioner’s Office, which says that personal data relating to around half a million passengers was compromised during [an intrusion] incident last year.

  • Seriously, stop using RSA

    Here at Trail of Bits we review a lot of code. From major open source projects to exciting new proprietary software, we’ve seen it all. But one common denominator in all of these systems is that for some inexplicable reason people still seem to think RSA is a good cryptosystem to use. Let me save you a bit of time and money and just say outright—if you come to us with a codebase that uses RSA, you will be paying for the hour of time required for us to explain why you should stop using it.

    RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid. Weak parameters can be difficult, if not impossible, to check, and its poor performance compels developers to take risky shortcuts. Even worse, padding oracle attacks remain rampant 20 years after they were discovered. While it may be theoretically possible to implement RSA correctly, decades of devastating attacks have proven that such a feat may be unachievable in practice.

  • Robot lawnmower thieves thwarted by GPS

    Furthermore, the robot lawnmowers have a limited area in which they operate, so they are useless to thieves, the city's release added.

  • Who’s Behind the GandCrab Ransomware? [iophk: Windows TCO]

    The crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly successful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after allegedly having earned more than $2 billion in extortion payouts from victims. What follows is a deep dive into who may be responsible for recruiting new members to help spread the contagion.
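
The Trail of Bits post quoted above speaks of foot-guns and padding in general terms. The following added example, written for this page and not the authors' code, shows two of the classic ones on a toy 1024-bit key built with a seeded generator: with e=3 and a short message under no padding, the ciphertext is a perfect cube and anyone recovers the plaintext with an integer cube root; and because RSA is multiplicative, anyone can turn E(m) into E(10*m) without the private key, which is the malleability that padding-oracle attacks such as Bleichenbacher's are built on. The random high bits used in the third check stand in for a padding scheme and are not OAEP.

```python
"""Two textbook-RSA foot-guns on a toy key. Added illustration for this page, not Trail of Bits code.
Key generation uses a seeded RNG so the run is reproducible; never generate real keys this way."""
import math
import random

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1     # force exact bit length and oddness
        if is_probable_prime(c, rng):
            return c

def gen_key(bits=1024, e=3, seed=1):
    """Return ((n, e), d). Retries until gcd(e, phi) == 1, which e=3 frequently fails."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), pow(e, -1, phi)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(pub, d, c):
    return pow(c, d, pub[0])

def iroot(x, k):
    """Largest integer r with r**k <= x (bisection; exact for big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def low_exponent_attack(pub, c):
    """No private key: if m**e < n the exponentiation never wrapped, so c is a perfect e-th power."""
    n, e = pub
    m = iroot(c, e)
    return m if m ** e == c else None

def malleate(pub, c, r):
    """E(m) * E(r) mod n == E(m*r): scale the hidden plaintext without ever learning it."""
    n, e = pub
    return (c * pow(r, e, n)) % n

def demo(seed=1):
    pub, d = gen_key(seed=seed)
    n, e = pub
    pin = int.from_bytes(b"PIN:4242", "big")                   # 8-byte secret; (2**64)**3 is far below a 1024-bit n
    c = encrypt(pub, pin)
    # Random high bits stand in for a padding scheme (this is NOT OAEP): m**3 now wraps mod n.
    padded = (random.Random(seed + 1).getrandbits(950) << 64) | pin
    return {
        "key_bits": n.bit_length(),
        "recovered_by_cube_root": low_exponent_attack(pub, c) == pin,
        "padded_recovered": low_exponent_attack(pub, encrypt(pub, padded)),
        "forged_decrypts_to_10x": decrypt(pub, d, malleate(pub, c, 10)) == 10 * pin,
    }

if __name__ == "__main__":
    print(demo())
```

The first check fails as soon as the message is padded out to the size of the modulus, which is what a real scheme does for you; the malleability check still succeeds with any padding, and it is precisely that property, combined with a decryptor that reveals whether the padding of a chosen ciphertext was valid, that the padding-oracle attacks mentioned in the post exploit.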

Security: Patches, Incidents, Microsoft GitHub Issues Blamed on Canonical and More

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (dosbox, python-django, squid3, and unzip), Fedora (filezilla, libfilezilla, and samba), openSUSE (gvfs), Oracle (kernel), Red Hat (firefox and redhat-virtualization-host), SUSE (bash and libpng16), and Ubuntu (libvirt).

  • Can You Hear Me Now? Staying Connected During a Cybersecurity Incident

    We all know that communication is important. Anyone who's ever been married, had a friend, or held a job knows that's true. While good communication is pretty much universally beneficial, there are times when it's more so than others. One such time? During a cybersecurity incident.

    Incident responders know that communication is paramount. Even a few minutes might mean the difference between closing an issue (thereby minimizing damage) vs. allowing a risky situation to persist longer than it needs to. In fact, communication -- both within the team and externally with different groups -- is one of the most important tools at the disposal of the response team.

    This is obvious within the response team itself. After all, there is a diversity of knowledge, perspective and background on the team, so the more eyes on the data and information you have, the more likely someone will find and highlight pivotal information. It's also true with external groups.

    For example, outside teams can help gather important data to assist in resolution: either technical information about the issue or information about business impacts. Likewise, a clear communication path with decision makers can help "clear the road" when additional budget, access to

  • IoT Developer Orvibo Suffers Major Database Leak

    Recently, we saw a different kind of database leak. This leak did contain usernames and passwords as normal, but instead of them being for online services, they were for IoT devices. This makes it one of the first breaches where people’s physical devices were under threat due to a database leak.

  • Canonical, the company behind the Ubuntu Linux distribution, was hacked; Ubuntu source code unaffected [Ed: No. Microsoft GitHub got cracked. Not Canonical.]

    The unknown attacker(s) used a Canonical-owned GitHub account whose credentials were compromised to gain unauthorized access to Canonical’s GitHub account. According to a mirror of the hacked Canonical GitHub account, the hacker created 11 new GitHub repositories in the official Canonical account. The repositories were empty and sequentially named CAN_GOT_HAXXD_1, with no existing data being changed or deleted.

  • Canonical's GitHub account was briefly compromised [Ed: No, that was Microsoft GitHub]
  • Ubuntu-maker Canonical's GitHub account hacked
  • Canonical’s GitHub Account Gets Hacked, and Its Page Gets Defaced [Ed: That's a Microsoft site, not a Canonical site]
  • Backdoor found in Ruby library for checking for strong passwords [Ed: FOSS catches security mischief fast, but this drama queen from ZDNet won't frame it like that and mostly ignores proprietary software back doors (this one was only downloaded a few hundreds of times, then caught). For instance, Microsoft steals the decryption keys from millions of people who set up disk encryption, but that doesn't seem to bother ZDNet (part of CBS, an advertiser to Microsoft)]
  • D-Link Settles With FTC, Agrees To Fix Its Shoddy Router Security

    While the shoddy Internet of Things sector gets ample heat for being a security and privacy dumpster fire, the traditional network gear sector has frequently been just as bad. A few years ago, for example, hardware vendor Asus was dinged by the FTC for offering paper-mache grade security on the company's residential network routers. The devices were frequently being shipped with easily guessable default usernames and passwords, and contained numerous, often obvious, security vulnerabilities.

    In 2017, the FTC also filed suit against D-Link, alleging many of the same things. According to the FTC, the company's routers and video cameras, which the company claimed were "easy to secure" and delivered "advanced network security," were about as secure as a kitten-guarded pillow fort. Just like the Asus complaint, the FTC stated that D-Link hardware was routinely shipped with easily-guessable default usernames and passwords, making it fairly trivial to compromise the devices and incorporate them into DDoS botnets (or worse).

  • Content Moderation At Scale Is Impossible: The Case Of YouTube And 'Hacking' Videos

    Last week there was a bit of an uproar about YouTube supposedly implementing a "new" policy that banned "hacking" videos on its platform.

    [...]

    Eventually, YouTube responded to all of this and noted a few things: First, and most importantly, the removal of Kozie's videos was a mistake and the videos have been restored. Second, that this wasn't a "new" policy, but rather just the company adding some "examples" to existing policy.

    This raises a few different points. While some will say that since this was just another moderation mistake and therefore it's a non-story, it actually is still an important point in highlighting the impossibility of content moderation at scale. You can certainly understand why someone might decide that videos that explain how to "bypass secure computer systems or steal user credentials and personal data" would be bad and potentially dangerous -- and you can understand the thinking that says "ban it." And, on top of that, you can see how a less sophisticated reviewer might not be able to carefully distinguish the difference between "bypassing secure computer systems" and some sort of fun hacking project like "launching fireworks over WiFi."

    But it also demonstrates that there are different needs for different users -- and having a single, centralized organization making all the decisions about what's "good" and what's "bad," is inherently a problem. Going back to Hutchins' and Halderman's points above, even if the Kinzie video was taken down by mistake, and even if the policy is really supposed to be focused on nefarious hacking techniques, there is still value for security researchers and security professionals to be able to keep on top of what more nefarious hackers are up to.

Security: RememBear, Microsoft, Apple and Linux FUD

Filed under
Security
  • Various RememBear security issues

    AutoFill functionality of password managers is another typical area where security issues are found. RememBear requires a user action to activate AutoFill which is an important preventive measure. Also, AutoFill user interface will be displayed by the native RememBear application, so websites won’t have any way of messing with it. I found multiple other aspects of this functionality to be exploitable however.

    Most importantly, RememBear would not verify that it filled in credentials on the right website (a recent regression according to the developers). Given that considerable time can pass between the user clicking the bear icon to display AutoFill user interface and the user actually selecting a password to be filled in, one cannot really expect that the browser tab is still displaying the same website. RememBear will happily continue filling in the password however, not recognizing that it doesn’t belong to the current website.

    Worse yet, RememBear will try to fill out passwords in all frames of a tab. So if https://malicious.com embeds a frame from https://mybank.com and the user triggers AutoFill on the latter, https://malicious.com will potentially receive the password as well (e.g. via a hidden form). Or even less obvious: if you go to https://shop.com and that site has third-party frames e.g. for advertising, these frames will be able to intercept any of your filled in passwords.

  • Microsoft Confirms This Windows 10 Bug Could Crash VPN Services

    Microsoft has disclosed that a new bug in its Windows 10 OS could mess with the VPN services running on your machine and show the error code “0xc000005.”

    As per the support page, it’s present in the Remote Access Connection Manager (RASMAN) service that’s required by the VPN services to function properly.

  • Microsoft Issues Warning For 50M Windows 10 Users

    The big one is VPNs. RASMAN handles how Windows 10 connects to the internet and it is a core background task for VPN services to function normally. Given the astonishing growth in VPN usage for everything from online privacy and important work tasks to unlocking Netflix and YouTube libraries, this has the potential to impact heavily on how you use your computer.

    [...]

    Why conservative? Because Microsoft states Windows 10 has been installed on 800M computers worldwide, but that figure is four months old. Meanwhile, the ever-reliable AdDuplex reports Windows 10 1903 accounted for 6.3% of all Windows 10 computers in June (50.4M), but that percentage was achieved in just over a month and their report is 10 days old. Microsoft has listed a complex workaround, but no timeframe has been announced for an actual fix.

  • Google Researcher Finds Nasty iMessage Bug That ‘Bricks’ iPhone

    This specific set of characters, when received on iMessage, can brick the phone — locking you out of everything on it. Once you receive this message, there is no way out of it, other than doing a factory reset. Also, any data that wasn’t backed up would be lost.

    The researcher, Natalie Silvanovich, is part of Google’s Project Zero team that hunts down zero-day vulnerabilities. She discovered the bug in April and explained how it affects iOS devices:

    “On a Mac, this causes soagent to crash and respawn, but on an iPhone, this code is in Springboard. Receiving this message will cause Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input.”

  • New Cryptojacking Malware is Targeting Linux Servers [Ed: Attributing to "Linux" everything that can be maliciously installed on it]

    In the last few weeks, multiple cybersecurity research groups reported about the malware and, according to the researchers at Trend Micro, the malware not only targets a vulnerable server but also tries to propagate in the entire network.

Canonical GitHub account hacked, Ubuntu source code safe

Filed under
Microsoft
Security
Ubuntu

The GitHub account of Canonical Ltd., the company behind the Ubuntu Linux distribution, was hacked on Saturday, July 6.

"We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities," the Ubuntu security team said in a statement.

"Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected," it said.

"Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected."

Read more

Linux Kodachi 6.1 Released, which is based on Xubuntu 18.04 LTS

Filed under
GNU
Linux
Security
Ubuntu

Warith Al Maawali has announced the release of Linux Kodachi 6.1 on July 27, 2019, which is based on Xubuntu 18.04 LTS.

It will provide you with a secure, anti-forensic, and anonymous operating system considering all features that a person who is concerned about privacy would need to have in order to be secure.

Read more
