Security: Patches, Security Flaws Caused by Compiler Optimisations, Microsoft Updates Break Windows Again

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (ghostscript, pango, and squirrelmail), openSUSE (libcryptopp, squid, tcpdump, and wireshark), SUSE (flatpak), and Ubuntu (giflib and NLTK).

  • Security flaws caused by compiler optimizations

    An optimizing compiler is one that tries to maximize some attribute(s) of an executable program at the expense of other attribute(s). Usually the goal is to improve performance or code size at the expense of compiler time and the possibility to debug the program at a later stage. Most modern compilers support some sort of optimization. Normally code optimized for performance is the usual preference. In cases where space is a constraint like embedded systems, developers also prefer code optimized for size.

    Code optimization is both an art as well as a science. Various compilers use different techniques for optimizing code.

  • To patch Windows or not: Do you want BlueKeep bug or broken Visual Basic apps?

    Microsoft says apps that use Visual Basic 6 (VB6), VBA, and VBScript "may stop responding with error" after its updates from this Tuesday have been installed.

    "After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an 'invalid procedure call error'," Microsoft says.

    The issue affects all supported versions of Windows 10, Windows 7, Windows 8.1, and their corresponding server versions.

    "Microsoft is presently investigating this issue and will provide an update when available," the company said.

    Microsoft didn't offer an explanation for the problem but it did flag earlier this month that it will move ahead with sunsetting VBScript, by disabling it in IE11 by default via an update in this week's patch.

    "The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13, 2019," Microsoft warned in a blog. The change brought these versions of Windows in line with Windows 10.
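The compiler-optimisation item above names the risk but not an instance; the textbook case is dead-store elimination deleting a memset that was meant to scrub a secret from memory. The C below is an added example, not code from the linked article: a scrubbing routine the optimiser is allowed to drop, beside one written through a volatile pointer that it must keep, with a constructed sample key.

```c
#include <stddef.h>
#include <string.h>

/* Scrub with plain memset. If the buffer is never read again (typical for
   a local key copy just before return), dead-store elimination at -O2 is
   permitted to delete this call entirely, leaving the secret in memory. */
static void scrub_plain(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* Scrub through a volatile pointer. Every store is an observable side
   effect, so the optimiser must emit it. explicit_bzero() (glibc/BSD) and
   memset_s() (C11 Annex K) give the same guarantee where they exist. */
static void scrub_volatile(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Count bytes still non-zero, to check that a scrub actually took effect. */
static size_t nonzero_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0) n++;
    }
    return n;
}

/* Typical pattern: copy a secret into a local buffer, use it, then scrub
   the copy before returning. The "use" is a toy XOR fold so the result can
   be checked; the point is that the scrub happens when 'local' is dead,
   which is exactly when a memset would be at risk of elimination. */
static unsigned char fold_and_scrub(const unsigned char *secret, size_t len)
{
    unsigned char local[64];
    unsigned char acc = 0;

    if (len > sizeof local) len = sizeof local;
    memcpy(local, secret, len);
    for (size_t i = 0; i < len; i++) acc ^= local[i];

    scrub_volatile(local, sizeof local);
    return acc;
}

/* Constructed sample key (not from the page). */
static const unsigned char SAMPLE_KEY[8] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
};

/* Fold the sample key; the XOR of its bytes is 0x88. */
static unsigned char demo_fold(void)
{
    return fold_and_scrub(SAMPLE_KEY, sizeof SAMPLE_KEY);
}

/* Returns 1 if both scrubs zeroed a copy of the sample key. Note that the
   memset variant is only kept by the compiler here because the copy is read
   again by nonzero_bytes(); without that read it could be dropped. */
static int scrub_check(void)
{
    unsigned char copy[8];

    memcpy(copy, SAMPLE_KEY, sizeof copy);
    scrub_plain(copy, sizeof copy);
    if (nonzero_bytes(copy, sizeof copy) != 0) return 0;

    memcpy(copy, SAMPLE_KEY, sizeof copy);
    scrub_volatile(copy, sizeof copy);
    return nonzero_bytes(copy, sizeof copy) == 0;
}

int main(void)
{
    return (scrub_check() == 1 && demo_fold() == 0x88) ? 0 : 1;
}
```

Compiling with -O2 and inspecting the generated assembly for a function that ends in memset versus scrub_volatile is the quickest way to see the difference on a given toolchain.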

Latest Debian GNU/Linux Security Patch Addresses 14 Vulnerabilities, Update Now

Filed under
Linux
Security

Available for the Debian GNU/Linux 10 "Buster" and Debian GNU/Linux 9 "Stretch" operating system series, the new Linux kernel security update addresses a total of 14 vulnerabilities discovered by various security researchers. The Debian Project urges all users to update their installations as soon as possible.

Among the security flaws patched, we can mention a race condition in the libsas subsystem that supports Serial Attached SCSI (SAS) devices, a potential double-free in the block subsystem, as well as two issues that could make it easier for attackers to exploit other vulnerabilities.

Security: Sphinx, Ransomware, Webmin, YubiKey

Filed under
Security
  • Exposed Sphinx Servers Are No Challenge for Hackers [Ed: That’s the same agency and the same troll site that initially promoted the lies and the FUD about VLC]

    A popular open-source text search server, Sphinx offers impressive performance for indexing and searching data in databases or just in files. It is cross-platform, available for Linux, Windows, macOS, Solaris, FreeBSD, and a few other operating systems.

    [...]

    CERT-Bund posted the warning on Twitter today alerting network operators and providers about the risk of running Sphinx servers with a default configuration that are open on the web.

    The organization highlights that Sphinx lacks any authentication mechanisms. Exposing it on the web gives an attacker the possibility "to read, modify or delete any data stored in the Sphinx database."

  • Ransomware Hits Texas Local Governments [iophk: Windows TCO]

    The attack was observed on the morning of August 16 and appears to have been launched by a single threat actor, the DIR announcement reads.

    The State Operations Center (SOC) was activated soon after the attack reports started to come in, and DIR says that all of the entities that were actually or potentially affected appear to have been identified and notified.

    A total of twenty-three entities have been confirmed as impacted so far, and the responders are working on bringing the affected systems back online.

  • Webmin Backdoored for Over a Year

    The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.

  • The YubiKey 5Ci is the 'first' iOS-compatible security key

    Like other YubiKey options in the 5 series, the YubiKey 5Ci supports multiple authentication protocols, including FIDO2/WebAuthn, FIDO U2F, OTP (one-time-password), PIV (Smart Card), and OpenPGP.

Security: Updates, Linux "Lockdown" Patches, Webmin FUD (Mischaracterisation) and Dawn for Security Vulnerabilities in HPC

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap).

  • Linux "Lockdown" Patches Hit Their 40th Revision

    The long-running Linux "Lockdown" patches were sent out again overnight for their 40th time but it remains to be seen if these security-oriented patches will be pulled in for the upcoming Linux 5.4 cycle.

    The Linux Lockdown functionality is for restricting access to the kernel and underlying hardware by blocking writes to /dev/mem, restricting PCI BAR and CPU MSR access, disabling system hibernation support, limiting Tracefs, and restricting or outright disabling other functionality that could alter the hardware state or running Linux kernel image.

    Linux Lockdown has been opt-in only and designed for use-cases like honoring UEFI SecureBoot for ensuring nothing nefarious could happen once booted into the operating system by bad actors. Most end-users won't voluntarily want the lockdown mode due to all the restrictions in place, but could be a favor for enterprises and very security conscious users.

  • Backdoor Found in Webmin Utility [Ed: It is not a back door but a bug inserted by a malicious entity rather than the project developers themselves; this incident demonstrates or classically highlights the need for reproducible builds.]

    On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.

  • A New Dawn for Security Vulnerabilities in HPC

    In February 2018, Russian nuclear scientists at the Federal Nuclear Center were arrested for using their supercomputer resources to mine the crypto-currency, Bitcoin. Previously, high-performance computing (HPC) security breaches like this tended to be few and far between. However, recent trends are increasing the vulnerabilities and threats faced by HPC systems.

    Previously, compute clusters enjoyed a level of security through obscurity due to their idiosyncratic architectures in terms of both hardware, with different CPU architectures and networking, and software of often home-grown applications running on Unix-like operating systems. In addition, the reward for compromising a cluster wasn’t all that great. Although hacking into HPC data generated by atomic weapons research and pharmaceutical modelling does present a valuable outcome; meteorological institutes, astrophysics laboratories or other mathematical research is less so.

Security: Hacker Summer Camp, Nexus Repository, Ransomware, Web Server Security

Filed under
Security
  • Hacker Summer Camp 2019: CTFs for Fun & Profit

    Okay, I’m back from Summer Camp and have caught up (slightly) on life. I had the privilege of giving a talk at BSidesLV entitled “CTFs for Fun and Profit: Playing Games to Build Your Skills.” I wanted to post a quick link to my slides and talk about the IoT CTF I had the chance to play.

    I played in the IoT Village CTF at DEF CON, which was interesting because it uses real-world devices with real-world vulnerabilities instead of the typical made-up challenges in a CTF. On the other hand, I’m a little disappointed that it seems pretty similar (maybe even the same) year-to-year, not providing much variety or new learning experiences if you’ve played before.

  • Nexus Repository Now Supports APT

    Beginning with version 3.17, Nexus Repository Manager supports APT (Advanced Package Tool) repositories. APT is a set of tools used to search, install, and manage packages on Debian, Ubuntu, and similar Linux distributions. With this new release, you can now host your own local APT repos. Developers benefit from no longer having to rely on connecting externally to a public repository every time an often-used package is needed.

    In the case of Debian-based Docker containers, the ability to locally cache Debian packages from public repositories can save copious amounts of time when rebuilding your containers. This can do wonders especially for containers built frequently in a CI pipeline and for the more traditional use-case of provisioning virtual machines.

  • Ransomware attack has hit 20 government agencies in Texas [iophk: Windows TCO]

    This week the state of Texas has joined the list of targets. According to Texas’s Department of Information Resources (DIR), more than 20 local government entities have been impacted by a ‘coordinated ransomware attack.’ DIR states that “the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions.”

    No disclosure has been made regarding how much of a payment is being requested, though given recent attacks on other states the amount is likely to be eye-watering. Also absent is any information on which ‘local government entities’ have been affected.

  • Web server security – Part 8: Basic log file analysis

    Tools like lnav (“The Log File Navigator”) allow quicker analysis of log files. Instead of manually searching for attack-like behavior, you can use SQL queries, load and combine multiple files at once, and switch between different views.

    However, keep in mind that not only tools but also underlying processes and organization are important. You must know where log files are stored, how they are created and how long information is available. This requires a basic security concept. Understand the structure of your log files, and use customization of logging rules if available.

Security: Patches, IPFire 2.23 Core Update 135, Kaspersky in the Middle

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, java-1_8_0-openjdk, polkit, postgresql10, python3, and squid), and Ubuntu (firefox).

  • IPFire 2.23 - Core Update 135 is ready for testing

    After a little break with many things to fight, we are back with a brand new Core Update which is packed with various bug fixes and cleanup of a lot of code.

  • Wladimir Palant: Kaspersky in the Middle - what could possibly go wrong?

    Roughly a decade ago I read an article that asked antivirus vendors to stop intercepting encrypted HTTPS connections, this practice actively hurting security and privacy. As you can certainly imagine, antivirus vendors agreed with the sensible argument and today no reasonable antivirus product would even consider intercepting HTTPS traffic. Just kidding… Of course they kept going, and so two years ago a study was published detailing the security issues introduced by interception of HTTPS connections. Google and Mozilla once again urged antivirus vendors to stop. Surely this time it worked?

    Of course not. So when I decided to look into Kaspersky Internet Security in December last year, I found it breaking up HTTPS connections so that it would get between the server and your browser in order to “protect” you. Expecting some deeply technical details about HTTPS protocol misimplementations now? Don’t worry, I don’t know enough myself to inspect Kaspersky software on this level. The vulnerabilities I found were far more mundane.

Latest KDE Security Vulnerabilities Are Patched in Ubuntu and Debian, Update Now

Filed under
KDE
Security

A couple of weeks ago, the KDE community fixed a security vulnerability discovered by Dominik Penner in the KConfig component, the configuration settings framework of the KDE Plasma desktop environment, which could allow an attacker to execute malicious code through a specially crafted .desktop file included in an archive that was opened in the file manager.

"Dominik Penner discovered that KConfig supported a feature to define shell command execution in .desktop files. If a user is provided with a malformed .desktop file (e.g. if it's embedded into a downloaded archive and it gets opened in a file browser) arbitrary commands could get executed. This update removes this feature," reads the Debian security advisory.

Tails 4.0 Anonymous Linux OS Enters Beta Based on Debian GNU/Linux 10 "Buster"

Filed under
Security
Debian

Tails 4.0 recently entered beta testing and it's the first release to be based on the just released Debian GNU/Linux 10 "Buster" operating system series, which means that all the pre-installed packages have been updated to newer versions to support the latest hardware components, especially recent Nvidia and ATI/AMD graphics cards, as well as Mac computers.

Tails 4.0 also promises support for Thunderbolt 3 devices, which is now integrated into the latest GNOME 3 desktop environment, with which the upcoming major Tails release will ship by default. Users who own a Thunderbolt device are urged to test the implementation by navigating to Choose Devices > Thunderbolt from the GNOME Settings utility.

Security: Open Source Security Podcast, Screwed Drivers, and Voting Machines

Filed under
Security
  • Open Source Security Podcast: Episode 157 - Backdoors and snake oil in our cryptography

    Josh and Kurt talk about snakeoil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it's the right thing to do.

  • Screwed Drivers – Signed, Sealed, Delivered

    Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft. Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers.

  • Most states still aren’t set to audit paper ballots in 2020

    Despite some progress on voting security since 2016, most states in the US aren’t set to require an audit of paper ballots in the November 2020 election, according to a new report out this week from the Brennan Center for Justice.

    The report notes that experts and government officials have spent years recommending states adopt verifiable paper ballots for elections, but a handful still use electronic methods potentially vulnerable to cyberattacks. In 2016, 14 states used paperless machines, although the number today is 11, and the report estimates that no more than eight will use them in the 2020 election.

Security: ECB, Bluetooth and AppArmor Crash Course

Filed under
Security
  • ECB server hacked – Data disclosure of the European Central Bank – Bank hacks from Mexico to Bangladesh

    The Europeans probably do not even know about "what is going on" and according to ex finance minister of Greece – finance ministers do not have a lot to say in the ECB – the IMF has – there are no recordings of the meetings of "The Eurogroup" – so transparency over decision making processes is rather bad.

    After all just like the (more or less ideal) "big brother" the FED it is not under direct democratic influence – does what it wants – every word the FED CEO says is analyzed and influences financial market decisions.

    "One of the sites of the European Central Bank (ECB) has been hacked. The attackers gained access to sensitive users' information, however, the internal system of the Bank has not been compromised.

  • Specification vulnerability in devices that speak Bluetooth is addressed

    The discovery of a flaw in Bluetooth specification that could enable an attack to spy on your information made news this week; the attacker could be able to weaken the encryption of Bluetooth devices and snoop on communications or send falsified ones to take over a device, said The Verge.

  • FrOSCon 2019 - openSUSE booth & AppArmor Crash Course

    Last weekend, I was at FrOSCon - a great Open Source conference in Sankt Augustin, Germany. We (Sarah, Marcel and Sleepy) ran the openSUSE booth, answered lots of questions about openSUSE and gave the visitors some goodies - serious and funny (hi OBS team!) stickers, openSUSE hats, backpacks and magazines featuring openSUSE Leap. We also had a big plush geeko, but instead of doing a boring raffle, we played openSUSE Jeopardy where the candidates had to ask the right questions about Linux and openSUSE for the answers I provided.

More in Tux Machines

today's leftovers

  • Open Policy Agent: Cloud-native security and compliance

    Every product or service has a unique way of handling policy and authorization: who-can-do-what and what-can-do-what. In the cloud-native world, authorization and policy are more complex than ever before. As the cloud-native ecosystem evolves, there’s a growing need for DevOps and DevSecOps teams to identify and address security and compliance issues earlier in development and deployment cycles. Businesses need to release software on the order of minutes (instead of months). For this to happen, those security and compliance policies—which in the past were written in PDFs or email—need to be checked and enforced by machines. That way, every few minutes when software goes out the door, it’s obeying all of the necessary policies. This problem was at the top of our minds when Teemu Koponen, Torin Sandall, and I founded the Open Policy Agent project (OPA) as a practical solution for the critical security and policy challenges of the cloud-native ecosystem. As the list of OPA’s successful integrations grows—thanks to active involvement by the open source community—the time is right to re-introduce OPA and offer a look at how it addresses business and policy pain points in varied contexts.

  • Eirini: Mapping Code into Containers

    There has been a lot of noise recently about the Project known as Eirini. I wanted to dig into what this project was in a little more detail. If you weren’t already aware, its goal is to allow Cloud Foundry to use any scheduler but it’s really for allowing the workloads to run directly inside Kubernetes without needing separately scheduled Diego cells to run on top of. There are many reasons that this is a fantastic change, but the first and foremost is that having a scheduler run inside another scheduler is begging for headaches. It works, but there are odd edge cases that lead to split-brain decisions. NOTE: There is another project (Quarks) that is working on containerizing the control plane in a way that the entire platform is more portable and requiring significantly less overhead. (As in: you can run Kubernetes, the entire platform, and some work, all on your laptop)

  • Wayland Buddies | LINUX Unplugged 315

    We spend our weekend with Wayland, discover new apps to try, tricks to share, and dig into the state of the project. Plus System76's new software release, and Fedora's big decision.

  • Kdenlive 19.08 Released with Clip Speed, Project Bin Improvements

    Busy trying to salvage footage from a recent video shoot, I missed the arrival of Kdenlive 19.08, the first major release of this free video editor since its big code revamp earlier this year. And what a release it is! Kdenlive 19.08 builds on the terrific work featured in the various point releases that have been available since April. “This version comes with a big amount of fixes and nifty new features which will lay the groundwork for the 3 point editing system planned for this cycle,” they say in their release announcement. Now, 3-point editing isn’t my bag (if you’re a heavy keyboard user, you might want to look into it) so I’m gonna skip that side of things to highlight a couple of other welcome changes to the project bin.

  • LabPlot's Welcome screen and Dataset feature in the finish line

    Hello Everyone! This year's GSoC is coming to its end. Therefore I think that I should let you know what's been done since my last blog post. I would also like to evaluate the progress I managed to make and the goals set up at the beginning of this project. As I told you in my last post, my main goal, in this last period, was to clean up, properly document, refactor, optimise the code and make it easier to read, so it would be fit to be brought to the master branch and to be used by the community. My next proposition was to search for bugs and fix them, in order to make the implemented features more or less flawless. I can happily state, that I succeeded in this.

  • Distributed Beta Testing Platforms

    Do they exist? Especially as free software? I don’t actually know, but I’ve never seen a free software project use something like what I’ve got in mind. That would be: a website where we could add any number of test scenarios. People who wanted to help would get an account, make a profile with their hardware and OS listed. And then a couple of weeks before we make a release, we’d release a beta, and the beta testers would login and get randomly one of the test scenarios to test and report on. We’d match the tests to OS and hardware, and for some tests, probably try to get the test executed by multiple testers. Frequent participation would lead to badges or something playful like that, they would be able to browse tests, add comments and interact — and we, as developers, we’d get feedback. So many tests executed, so many reported failure or regressions, and we’d be able to improve before the release.

  • GSoC 2019 Final submission

    Since my last blog post the main merge request of my GSoC project has landed and after that I followed up with subsequent bugfixes and also a couple of enhancements to the savestates manager.

  • LXLE 18.04.3 Beta Run Through

    In this video, we are looking at LXLE 18.04.3 Beta.

  • Fedora Update Weeks 31–32

    The branch point also meant that the Change Code Complete deadline was passed. As part of the Go SIG, I was one of the packagers behind the Adopt new Go Packaging Guidelines Change. As mentioned in the last post, this was mostly handled by @eclipseo and the tracker bug was marked complete for it just earlier. I am also behind the Automatic R runtime dependencies Change. As part of this Change, I initiated a mini-rebuild last week of all affected R packages. I will write about that in a separate post. That tracker bug is now Code Complete, though there are a couple FTBFS to fix up. With release monitoring working again, that meant a slew of new bug reports about new package versions being available. This happened just last Friday, so I haven’t had much chance to update everything. I did manage to go through almost all the R packages, except for a few with new dependencies. I also updated one or two Go and Python packages as well.

  • Rugged, Kaby Lake-U based IoT gateway offers Linux BSP

    Axiomtek’s Linux-ready, DIN-rail mounted “ICO500-518” IoT gateway runs on 7th Gen Core U-series CPUs and provides swappable SATA, 4x USB 3.0, 2x GbE, 2x mini-PCIe, and 2x “PIM” slots for options including 8x GbE or isolated serial and CANBus. Axiomtek announced a compact modular edge gateway with ruggedization features for industrial IoT. Applications for the Intel 7th Gen Kaby Lake-U based ICO500-518 include transportation, public utility, smart building, solar energy, and factory automation.

  • 5 Reasons to Use a VM for Development [Ed: Dice promoting the idea that developers should use Windows and keep GNU/Linux in a VM jail using Microsoft's proprietary tools]

    I started using virtual machines (VMs) on my development PC about six years ago; I was keen to learn Linux, having been a Windows developer since the mid-1990s. At first, I used an old Windows PC and installed a Linux distro on it; but I quickly found out that the distro took up a lot of space, and I needed a KVM switch to manage two different PCs. It was all a bit “fiddly,” which is why I began exploring the potential of VMs. Discovering VirtualBox was a godsend, and made things a lot more convenient. Despite all the flak Oracle gets over its databases, MySQL, and Java, Virtual Box remains an excellent and free open-source package.

Ubuntu Touch OTA-10 Officially Released for Ubuntu Phones, Here's What's New

Coming three and a half months after the OTA-9 release, the Ubuntu Touch OTA-10 update is now available with better hardware compatibility for Fairphone 2, Nexus 5, and OnePlus One smartphones by implementing proper camera orientation and audio routing on the Fairphone 2, and fixing audio and video sync problems on the Fairphone 2 and OnePlus One. Additionally, Ubuntu Touch OTA-10 improves the reliability and speed of Wi-Fi based geolocation functionality by removing the "wolfpack" tool, which used the Geoclue service for gathering approximate location data. However, it may take more than 20 minutes for some users to have their location retrieved after updating to Ubuntu Touch OTA-10.
