
Security

Tails 3.14.1 is out

Filed under
GNU
Linux
Security
Web
Debian

This release is an emergency release to fix a critical security vulnerability in Tor Browser.

It also fixes other security vulnerabilities. You should upgrade as soon as possible.


Also: It's Time to Switch to a Privacy Browser

Latest Security FUD

Filed under
Security

Security: National Security Agency (NSA) in Coreboot and NSA Back Doors in Microsoft Windows Out of Control

Filed under
Security
  • The NSA Is Looking To Contribute To A New x86 Security Feature To Coreboot

    The US National Security Agency (NSA) has developers contributing to the Coreboot project.

    Eugene Myers of the NSA under the Information Assurance Research, NSA/CSS Research Directorate, has been leading some work on an STM/PE implementation for Coreboot.

  • Coreboot Adds Support For Apollolake-Powered UP-Squared SBC Maker Board

    Coreboot now supports the UP Squared, the new single board computer / maker board based on an Intel Apollo Lake SoC.

    Not to be confused with the $35 Atomic Pi Intel SBC that aims to compete directly with the Raspberry Pi, the UP Squared is a higher-tier ~$150 board with more connectivity and options. The UP Squared offers dual Gigabit Ethernet, HDMI / DP, eMMC, mini-PCIe x1, MIPI CSI, 40-pin header, two USB 3.0 ports, and other options. Both Microsoft Windows and an assortment of Linux distributions are supported.

  • All-In-One Malware ‘Plurox’ Can Hack Your PC In ‘Three Different Ways’ [Ed: When you mean to say Microsoft Windows (with its NSA back doors) but instead you say "PC" as if Microsoft has nothing to do with it]

    The SMB plugin mentioned previously is essentially a repackaged NSA exploit called EternalBlue that was publicly leaked in 2017.

    The plugin allows bad actors to scan local networks and spread the malware to vulnerable workstations via the SMB protocol (running the EternalBlue exploit).

    But that’s not all. UPnP is actually the sneakiest and most nasty plugin among all. It creates port forwarding rules on the local network of a compromised system and uses it to build backdoors into enterprise networks bypassing firewalls and other security measures in place.

  • Windows 10 gets a lot of little fixes – and Microsoft reminds us it’ll start to force updates [Ed: Forced NSA back doors. Gone are the days of controlling our PCs if they contain proprietary software because "for our security/safety" (of course!) remote software modifications will be imposed on us.]

Security: Updates, Containers, Compilers and More

Filed under
Security

Security: Mozilla Patch for Firefox and Getting Started with OpenSSL

Filed under
Security
  • Zero-Day Flaw In Firefox Is Getting Exploited By Hackers; Update Now!

    Mozilla has issued a warning of a zero-day flaw in Firefox browser that is currently being exploited in the wild. But the good news is that an emergency patch has been released for the same so you should update your browser now!

    The vulnerability was discovered by Google’s Project Zero security team...

  • Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

    A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

  • Getting started with OpenSSL: Cryptography basics

    This article is the first of two on cryptography basics using OpenSSL, a production-grade library and toolkit popular on Linux and other systems. (To install the most recent version of OpenSSL, see here.) OpenSSL utilities are available at the command line, and programs can call functions from the OpenSSL libraries. The sample program for this article is in C, the source language for the OpenSSL libraries.

    The two articles in this series cover—collectively—cryptographic hashes, digital signatures, encryption and decryption, and digital certificates. You can find the code and command-line examples in a ZIP file from my website.

    Let’s start with a review of the SSL in the OpenSSL name.

NSA Back Doors in Windows Causing Chaos While Media is Obsessing Over DoS Linux Bug

Filed under
Microsoft
Security
  • U.S. Government Announces Critical Warning For Microsoft Windows Users

    The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has gone public with a warning to Microsoft Windows users regarding a critical security vulnerability. By issuing the "update now" warning, CISA has joined the likes of Microsoft itself and the National Security Agency (NSA) in warning Windows users of the danger from the BlueKeep vulnerability.

    This latest warning, and many would argue the one with most gravitas, comes hot on the heels of Yaniv Balmas, the global head of cyber research at security vendor Check Point, telling me in an interview for SC Magazine UK that "it's now a race against the clock by cyber criminals which makes this vulnerability a ticking cyber bomb." Balmas also predicted that it will only be "a matter of weeks" before attackers started exploiting BlueKeep.

    The CISA alert appears to confirm this, stating that it has, "coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep." That it can confirm a remote code execution on Windows 2000 might not sound too frightening, this is an old operating system after all, it would be unwise to classify this as an exercise in fear, uncertainty and doubt. Until now, the exploits that have been developed, at least those seen in operation, did nothing more than crash the computer. Achieving remote code execution brings the specter of the BlueKeep worm into view as it brings control of infected machines to the attacker.

  • Netflix uncovers SACK Panic vuln that can bork Linux-based systems

Security Leftovers

Filed under
Security
  • Microsoft & Pentagon are quietly hijacking US elections (by Lee Camp)

    Good news, folks! We have found the answer to the American rigged and rotten election system.
    The most trustworthy of corporations recently announced it is going to selflessly and patriotically secure our elections. It’s a small company run by vegans and powered by love. It goes by the name “Microsoft.” (You’re forgiven for never having heard of it.)

    The recent headlines were grandiose and thrilling:

    “Microsoft offers software tools to secure elections.”

    “Microsoft aims to modernize and secure voting with ElectionGuard.”

    Could anything be safer than software christened “ElectionGuard™”?! It has “guard” right there in the name. It’s as strong and trustworthy as the little-known Crotch Guard™ – an actual oil meant to be sprayed on one’s junk. I’m unclear as to why one sprays it on one’s junk, but perhaps it’s to secure your erections? (Because they’ve been micro-soft?)

  • Netflix Researchers Just Fixed 4 Severe Linux And FreeBSD Vulnerabilities
  • Netflix Uncovers TCP Bugs Within The Linux & FreeBSD Kernels

    As Netflix's first security bulletin for 2019, they warned of TCP-based remote denial of service vulnerabilities affecting both Linux and FreeBSD. These vulnerabilities are rated "critical" but already being corrected within the latest Git code.

Latest Security FUD in the Media

Filed under
Security

Security Leftovers

Filed under
Security
  • Microsoft Warns about Worm Attacking Exim Servers on Azure [Ed: Microsoft should also warn "customers" of Windows back doors for the NSA, but it does not (this one was patched ages ago; the Microsoft back doors aren't). Shouldn't Microsoft ask its proxies and partners, as usual, to come up with buzzwords and logos and Web sites for bugs in FOSS, then talk about how FOSS is the end of the world?]
  • The Highly Dangerous 'Triton' [Attackers] Have Probed the US Grid [Ed: It's Windows]

    Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated [attackers] carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these [attackers], known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."

  • A Researcher Found a Bunch of Voting Machine Passwords Online

    A little more than a week ago, the Department of Homeland Security confirmed that it was going to forensically analyze computer equipment associated with part of the 2016 elections in North Carolina in association with questions about Russian hacking. The news prompted an information security researcher to announce that he’d found evidence of other election security issues in North Carolina last fall, which he’d kept quiet until now.

    Chris Vickery, the director of cyber-risk research at UpGuard, a cybersecurity services firm, tweeted June 7 that he had found an unlocked online repository that contained what he said were passwords for touchscreen voting machines. The repository, he said, also contained other information, including serial numbers for machines that had modems, which theoretically could have allowed them to connect to the internet.

    Vickery said that after he found the open repository in September 2018, he immediately told state officials, who locked the file. State officials have told Mother Jones that the passwords were nearly 10 years old and encrypted—a claim disputed by Vickery and a Democratic technology consultant in North Carolina—but admitted that the file shouldn’t have been publicly available online.

  • TPM now stands for Tiny Platform Module: TCG shrinks crypto chip to secure all the Things [Ed: Misusing the word "trust" to obliterate computer freedom and general-purpose computing]

    The Trusted Computing Group (TCG), a nonprofit developing hardware-based cybersecurity tools, has started work on the "world's tiniest" Trusted Platform Module (TPM).

    TPMs are silicon gizmos designed to protect devices by verifying the integrity of essential software – like firmware and BIOS − and making sure no dodgy code has been injected into the system prior to boot.

    These are widely used to protect servers. Now TCG wants to adopt the technology for devices that are so small that the inclusion of a full TPM chip might be impractical due to cost, space and power considerations.

    The first tiny TPM prototype, codenamed Radicle, was demonstrated last week at a TCG members' meeting in Warsaw, Poland.

    [...]

    We have to mention that for years, TCG and its TPMs were criticised by the open-source software community, which suspected the tech could be used for vendor lock-in – GNU father Richard Stallman called trusted computing "treacherous computing", but it looks like his worst fears have not come to pass.

    That doesn't mean TPMs haven't seen their share of dark days: back in 2017, it emerged that security chips made by Infineon contained a serious flaw, with experts estimating that 25 to 30 per cent of all TPMs used globally were open to attack.

  • What Is a Buffer Overflow

    A buffer overflow vulnerability occurs when you give a program too much data. The excess data corrupts nearby space in memory and may alter other data. As a result, the program might report an error or behave differently. Such vulnerabilities are also called buffer overrun.

    Some programming languages are more susceptible to buffer overflow issues, such as C and C++. This is because these are low-level languages that rely on the developer to allocate memory. Most common languages used on the web such as PHP, Java, JavaScript or Python, are much less prone to buffer overflow exploits because they manage memory allocation on behalf of the developer. However, they are not completely safe: some of them allow direct memory manipulation and they often use core functions that are written in C/C++.

  • Any iPhone can be hacked

    Apple’s so-called secure iPhones can be turned over by US coppers using a service promoted by an Israeli security contractor.

    Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3.

    Cellebrite claims UFED Premium can extract files from many recent Android phones as well, including the Samsung Galaxy S9 but no-one ever called them secure and safe.

    What is unusual is that Cellebrite is making broad claims about turning over Apple gear. This is not a cat-and-mouse claim where they exploit a tiny flaw which one day might be fixed. It would appear that Cellebrite has its paw on a real howler.

  • Cellebrite Claims It Can Unlock ‘Any’ iPhone And iPad, 1.4 Billion Apple Devices Hackable

    Israel-based Cellebrite has announced a new version of its system Universal Forensic Extraction Device (UFED) — UFED Premium — which is capable of unlocking any iPhone, high-end Android device, or an iPad.

    The forensics company has suggested that UFED Premium is meant to help the police in unlocking iPhones and Android smartphones and getting data from locked smartphones.

  • Web-based DNA sequencers getting compromised through old, unpatched flaw

    DnaLIMS is developed by Colorado-based dnaTools. It provides software tools for processing and managing DNA sequencing requests.

    These tools use browsers to access a UNIX-based web server on the local network, which is responsible for managing all aspects of DNA sequencing.

    A simple Google search shows that dnaLIMS is used by a number of scientific, academic and medical institutions.

  • Generate Cryptographically Secure RANDOM PASSWORD
  • DMARC, mailing list, yahoo and gmail

    Gmail was blocking one person’s email via our list (he sent that using Yahoo and from his iPhone client), and caused more than 1700 gmail users in our list in the nomail block unless they check for the mailman’s email and click to reenable their membership.

    I panicked for a couple of minutes and then started manually clicking on the mailman2 UI for each user to unblock them. However, that was too many clicks. Suddenly I remembered the suggestion from Saptak about using JavaScript to do this kind of work. Even though I tried to learn JavaScript 4 times and failed happily, I thought a bit searching on Duckduckgo and search/replace within example code can help me out.

  • Tired of #$%& passwords? Single Sign-on could be savior

    So how is single sign-on more secure, if Facebook is in charge? It's not, say security experts. "They’ve shown they can’t be trusted with our information," says Rudis.

  • Are SSO Buttons Like “Sign-in With Apple” Better Than Passwords?

    Apple recently announced a new product that could prevent users from giving away their email ID to every other site on the internet. It’s expected to launch sometime later in 2019.

    Called “Sign-in with Apple,” it is similar to other Single Sign-on services provided by Google and Facebook. The button lets you login to websites without creating a new user account every time.

  • App Makers Are Mixed on ‘Sign In With Apple’

    But other app makers have mixed feelings on what Apple has proposed. I spoke to a variety of developers who make apps for iOS and Android, one of whom asked to remain anonymous because they aren’t authorized to speak on behalf of their employer. Some are skeptical that Sign In with Apple will offer a solution dramatically different from what’s already available through Facebook or Google. Apple’s infamous opacity around new products means the app makers don’t have many answers yet as to how Apple’s sign in mechanism is going to impact their apps. And one app maker went as far as referring to Apple’s demand that its sign-in system be offered if any other sign-in systems are shown as “petty.”

  • Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

    “This case was not an exception,” he wrote.

    The Hong Kong police made their own move to limit digital communications. On Tuesday night, as demonstrators gathered near Hong Kong’s legislative building, the authorities arrested the administrator of a Telegram chat group with 20,000 members, even though he was at his home miles from the protest site.

  • Security News This Week: Telegram Says China Is Behind DDoS

    As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China. “Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” he added. As Reuters notes, Telegram was DDoSed during protests in China in 2015, as well. Hong Kong does not face the strict [Internet] censorship that exists in mainland China, although activists have expressed concern about increased pressure from Beijing on the region.

  • Nextcloud signs public letter, opposing German plan to force decryption of chat