
Security

Security: VLC, YubiKey and Voting Machines

Filed under
Security
  • VLC Media Player Allows Desktop Takeover Via Malicious Video Files

    Two high-risk vulnerabilities in the VLC media player could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim’s PC. The flaws were made public Monday by the developer of the open-source VLC media player, VideoLAN project, who also made patches available to mitigate the issues.

  • Yubico YubiKey 5Ci Review & Rating

    The YubiKey 5Ci is Yubico's latest attempt to bring hardware two-factor authentication to iOS with a double-headed USB-C and Apple Lightning device

  • Los Angeles County voting system pits cybersecurity vs. disability advocates

    Some advocates for open source election systems are concerned, though, that L.A. County hasn't actually released its code yet - and plans to release it only to some vetted groups, not to the public at large.

Security Leftovers

Filed under
Security
  • Security Researchers Find Several Bugs in Nest Security Cameras

    Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities that are based in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things or IoT devices.

  • Better SSH Authentication with Keybase

    With an SSH CA model, you start by generating a single SSH key called the CA key. The public key is placed on each server and the server is configured to trust any key signed by the CA key. This CA key is then used to sign user keys with an expiration window. This means that signed user keys can only be used for a finite, preferably short, period of time before a new signature is needed. This transforms the key management problem into a user management problem: How do we ensure that only certain people are able to provision new signed SSH keys?

  • Texas ransomware attacks deliver wake-up call to cities [iophk: Windows TCO]

    The Texas Department of Information Resources has confirmed that 22 Texas entities, mostly local governments, have been hit by the ransomware attacks that took place late last week. The department pointed to a “single threat actor” as being responsible for the attacks, which did not impact any statewide systems.

  • Texas Ransomware Attack

    On Security Now, Steve Gibson talks about a huge ransomware attack. 23 cities in Texas were hit with a well-coordinated ransomware attack last Friday, August 16th.

  • CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

    Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.

Cryptocurrency OS Makes It Easy to Buy and Spend Digital Cash

Filed under
Reviews
Security

Cryptocurrency OS is a specialty Linux distribution that serves a niche user market destined to grow as the crypto economy continues to develop. This distro is packed with all the tools you need to create and manage your crypto accounts. It also is a fully functional Linux operating system. It is easy to use this distro as your daily computing platform.


Security Leftovers

Filed under
Security
  • Cryptojacking Code Found in 11 Open Libraries, Thousands Infected

    A cryptojacking code was found in 11 open-source code libraries written in Ruby, which have been downloaded thousands of times.
    Hackers downloaded the software, infected it with malware, and subsequently reposted it on the RubyGems platform, industry news outlet Decrypt reported on Aug. 21.

  • Malicious cryptojacking code found in 11 Ruby libraries

    Cryptojacking software has been found in 11 code libraries for the programming language Ruby—exposing thousands of people.

    The latest heist, discovered yesterday on code repository Github made use of a package manager called RubyGems, a popular program that allows developers to upload and share improvements on existing pieces of software.

  • Cryptojacking Scripts Found in 11 Open-Source Code Libraries

    According to a Decrypt report, the malware was discovered on Tuesday inside Github code repository, infecting the language manager called RubyGems.

  • First‑of‑its‑kind spyware sneaks into Google Play
  • Open-source spyware bypasses Google Play defenses — twice

    Radio Balouch — the app in question — is a legitimate radio application serving Balouchi music enthusiasts, except that it also included AhMyth, a remote access espionage tool that has been available on GitHub as an open-source project since late 2017.

    Lukas Stefanko, ESET researcher who uncovered the campaign, said the app was uploaded twice on Google Play — once on July 2 and a second time on July 13 — only to be swiftly removed by Google within 24 hours upon being alerted by the security team. It continues to be available on third-party app stores.

    While the service’s dedicated website “radiobalouch.com” is no longer accessible, the attackers also seem to have promoted the app on Instagram and YouTube. The app, in total, attracted over 100 installs.

  • 61 impacted versions of Apache Struts left off security advisories

    Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.

    The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities.

  • Sectigo Sponsors Automated Certificate Issuance and Renewal in Electronic Frontier Foundation’s Certbot Open Source Software Tool

    Sectigo, the world’s largest commercial Certificate Authority (CA) and a provider of purpose-built and automated PKI management solutions, today announced its sponsorship of Electronic Frontier Foundation’s (EFF) free, open source software tool, Certbot, to support efforts to encrypt the entire internet and build a network that is more structurally private, safe, and protected against censorship.

Linux Foundation: Automotive Grade Linux Announcement and Calling Surveillance Operations "Confidential Computing"

Filed under
Linux
OSS
Security
  • Automotive Grade Linux Announces New Instrument Cluster Expert Group and UCB 8.0 Code Release

    Automotive Grade Linux (AGL), an open source project developing a shared software platform for in-vehicle technology, today announced a new working group focused on Instrument Cluster solutions, as well as the latest code release of the AGL platform, the UCB 8.0.

    The AGL Instrument Cluster Expert Group (EG) is working to reduce the footprint of AGL and optimize the platform for use in lower performance processors and low-cost vehicles that do not require an entire infotainment software stack. Formed earlier this year, the group plans to release design specifications later this year with an initial code release in early 2020.

    “AGL is now supported by nine major automotive manufacturers, including the top three producers by worldwide volume, and is currently being used in production for a range of economy and luxury vehicles” said Dan Cauchy, Executive Director of Automotive Grade Linux at the Linux Foundation. “The new Instrument Cluster Expert Group, supported by several of these automakers, will expand the use cases for AGL by enabling the UCB platform to support solutions for lower-cost vehicles, including motorcycles.”

  • Shhh! Microsoft, Intel, Google and more sign up to the Confidential Computing Consortium

    The Linux Foundation has signed up the likes of Microsoft and Google for its Confidential Computing Consortium, a group with the laudable goal of securing sensitive data.

    The group – which also includes Alibaba, Arm, Baidu, IBM, Intel, Red Hat, Swisscom and Tencent – will be working on open-source technologies and standards to speed the adoption of confidential computing.

    The theory goes that while approaches to encrypting data at rest and in transit have supposedly been dealt with, assuming one ignores the depressingly relentless splurts of user information from careless vendors, keeping it safe while in use is quite a bit more challenging. Particularly as workloads spread to the cloud and IoT devices.

  • Tech giants come together to form cloud security watchdog

    Some of the world’s biggest technology companies are joining forces to improve the security of files in the cloud. This includes Google, IBM, Microsoft, Intel, and many others.

    The news first popped up on the Linux Foundation, where it was said that the Confidential Computing Consortium will work to bring industry standards and identify the proper tools to encrypt data used by apps, devices and online services.

    At the moment, cloud security solutions focus on protecting data that’s either resting, or is in transit. However, when the data is being used is “the third and possibly most challenging step to providing a fully encrypted lifecycle for sensitive data.”

  • Tech firms join forces to boost cloud security

    Founding members of the group – which unites hardware suppliers, cloud providers, developers, open source experts and academics – include Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.

    [...]

    “The earliest work on technologies that have the ability to transform an industry is often done in collaboration across the industry and with open source technologies,” said Jim Zemlin, executive director at the Linux Foundation.

    “The Confidential Computing Consortium is a leading indicator of what is to come for security in computing and will help define and build open technologies to support this trust infrastructure for data in use.”

  • Google, Intel and Microsoft form data protection consortium
  • Intel Editorial: Intel Joins Industry Consortium to Accelerate Confidential Computing

    Leaders in information and infrastructure security are well versed in protecting data at-rest or in-flight through a variety of methods. However, data being actively processed in memory is another matter. Whether running on your own servers on-prem, in an edge deployment, or in the heart of a cloud service provider’s data center, this “in-use” data is almost always unencrypted and potentially vulnerable.

  • Confidential Computing: How Big Tech Companies Are Coming Together To Secure Data At All Levels

    Data today moves constantly from on-premises to public cloud and the edge, which is why it is quite challenging to protect. While there are standards available that aim to protect data when it is in rest and transit, standards related to protecting it when in use do not exist. Protecting data while in use is called confidential computing, which the Confidential Computing Consortium is aiming to create across the industry.

    The Confidential Computing Consortium, created under the Linux Foundation, will work to build up guidelines, systems and tools to ensure data is encrypted when it’s being used by applications, devices and online services. The consortium says that encrypting data when in use is “the third and possibly most challenging step to providing a fully encrypted lifecycle for sensitive data.” Members focused on the undertaking are Alibaba, ARM, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.

  • IT giants join forces for full-system data security

    Apple is conspicuously missing from the consortium, despite using both Intel hardware and in-house designed ARM-based processors.

    Of the first set of commitments, Intel will release its Software Guard Extensions (SGX) software development kit as open source through the CCC.

  • Google, Intel, and Microsoft partner to improve cloud security

    Some of the biggest names in tech have banded together in an effort to promote industry-wide security standards for protecting data in use.

  • Alibaba, Baidu, Google, Microsoft, Others Back Confidential Computing Consortium

    The Confidential Computing Consortium aims to help define and accelerate open-source technology that keeps data in use secure. Data typically gets encrypted by service providers, but not when it’s in use. This consortium will focus on encrypting and processing the data “in memory” to reduce the exposure of the data to the rest of the system. It aims to provide greater control and transparency for users.

  • Microsoft, Intel and others are doubling down on open source Linux security

    In other words, the operating system could be compromised by some kind of malware, but the data being used in a program would still be encrypted, and therefore safe from an attacker.

  • Microsoft, Intel, and Red Hat Back Confidential Computing

    The Linux Foundation’s latest project tackles confidential computing with a group of companies that reads like a who’s who of cloud providers, chipmakers, telecom operators, and other tech giants.

    Today at the Open Source Summit the Linux Foundation said it will form a new group called the Confidential Computing Consortium. Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent all committed to work on the project, which aims to accelerate the adoption of confidential computing.

Security: One More Steam Windows Client Local Privilege Escalation 0day, New FOSS Patches, Major Metapackage Makeover in Kali and Securing Crypto Wallets

Filed under
Security
  • One more Steam Windows Client Local Privilege Escalation 0day

    Not long ago I published an article about a Steam vulnerability. I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silent. Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though).

    You can read the story in more detail in the previous article; here are a couple of words about the current situation.

    And it’s sad and simple — Valve keeps failing. The last patch, which should have solved the problem, can be easily bypassed (https://twitter.com/general_nfs/status/1162067274443833344), so the vulnerability still exists. Yes, I’ve checked, it works like a charm.

    But this article is not about an old vulnerability, it’s about a new one. Since Valve decided to read a public report instead of a private report one more time, I won’t take that pleasure away from them.

  • Security updates for Thursday

    Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2).

  • Major Metapackage Makeover

    With our 2019.3 Kali release imminent, we wanted to take a quick moment to discuss one of our more significant upcoming changes: our selection of metapackages. These alterations are designed to optimize Kali, reduce ISO size, and better organize metapackages as we continue to grow.

    Before we get into what’s new, let’s briefly recap what a metapackage is. A metapackage is a package that does not contain any tools itself, but rather is a dependency list of normal packages (or other metapackages). This allows us to group related tools together. For instance, if you want to be able to access every wireless tool, simply install the kali-tools-wireless metapackage.

  • Securing Your Crypto Wallet

    When it came time to create my CryptocurrencyOS, based on Linux Mint, I wanted to solve some practical user and security issues. The end result was for people to have their own crypto wallets in a secure, open-source environment and encourage more adoption of cryptocurrency. I applied some of my experience with some of the products I developed for compevo and Techrich.

    The first problem is that a lot of people don’t even know how to find or download a wallet (at least safely, since there are a lot of fake / malware wallets that steal people’s coins). If they don’t know how to avoid the above, then how would they be able to secure their computer?

Red Hat Enterprise Linux 6 and CentOS 6 Receive Important Kernel Security Update

Filed under
Linux
Red Hat
Security

The new Linux kernel security update is marked by the Red Hat Product Security team as having an "Important" security impact due to the fact that it patches several critical flaws, including the Spectre SWAPGS gadget vulnerability (CVE-2019-1125) affecting x86 processors.

Also patched are a security vulnerability (CVE-2019-5489) leading to page cache side-channel attacks, an issue in the Salsa20 encryption algorithm that could allow local attackers to cause a denial of service (CVE-2017-17805), and a flaw (CVE-2018-17972) that let unprivileged users inspect kernel stacks of arbitrary tasks.


Useful security software from the Snap Store

Filed under
Security
Ubuntu

Once upon a time, password management was a simple thing. There were few services around, the Internet was a fairly benign place, and we often used the same combo of username and password for many of them. But as the Internet grew and the threat landscape evolved, the habits changed.

In the modern Web landscape, there are thousands of online services, and many sites also require logins to allow you to use their full functionality. With data breaches a common phenomenon nowadays, tech-savvy users have adopted a healthier practice of avoiding credentials re-use. However, this also creates a massive administrative burden, as people now need to memorize hundreds of usernames and their associated passwords.

The solution to this fairly insurmountable challenge is the use of secure, encrypted digital password wallets, which allow you to keep track of your endless list of sites, services and their relevant credentials.

KeePassXC does exactly that. The program comes with a simple, fairly intuitive interface. On first run, you will be able to select your encryption settings, including the ability to use KeePassXC in conjunction with a YubiKey. Once the application is configured, you can then start adding entries, including usernames, passwords, any notes, links to websites, and even attachments. The contents are stored in a database file, which you can easily port or copy, so you also gain an element of extra flexibility – as well as the option to back up your important data.


Also: US Hangs Tough on Restricting Huawei’s Participation in Standards Development

11 Best Linux Distro for hacking and programming

Filed under
Development
Linux
Security

When it comes to choosing a Linux distribution for hacking or programming, there are a number of points that you should keep in mind. The operating system should run smoothly on your system, and if you are installing one on your primary computer, you should always go for the one that you know how to use properly.

But using an operating system for more specific purposes like cybersecurity, which I have discussed here, isn’t that straightforward.

Kali Linux is one of the best cybersecurity operating systems, but there are many which offer more streamlined functionalities. I recommend you to try out at least a few of the most intriguing Kali Linux alternatives I have discussed here before you finally make your decision.
So that was my list of top 10 Kali Linux alternatives that are worth your time. Do you have anything to add? Feel free to comment on the same down below.


Security Leftovers

Filed under
Security
  • NSA Researchers Talk Development, Release of Ghidra SRE Tool

    The National Security Agency released its classified Ghidra software reverse-engineering (SRE) tool as open source to the cybersecurity community on April 4. NSA researchers Brian Knighton and Chris Delikat shared how Ghidra was built and the process of releasing it at Black Hat 2019. Ghidra is a framework developed by the NSA’s Research Directorate for the agency’s cybersecurity mission. It’s designed to analyze malicious code to give security pros a better understanding of potential vulnerabilities in their networks and systems.

  • Linux Is Being Hit with Zero-Day Exploits/ Zero-Day Attacks [Ed: This is not news. If you have a system that is unpatched for months, despite many warnings, it is a risk, no matter the OS/kernel.]

    It was once the popular opinion that Linux was immune to zero-day exploits. However, even before the Equifax exploit, vulnerabilities were found in Linux distributions like Fedora and Ubuntu. In particular, back in 2016, a security researcher discovered that you could exploit a Linux system by playing a specific music file. Then, in 2017, a group of attackers used Struckshock vulnerability to carry on the attack on Equifax. These zero-day attacks are Advanced Persistent Attacks that exploit recently discovered vulnerabilities. Read on to learn more about what are zero-day exploits and how they can affect a Linux system.

  • Intel, Google, Microsoft, and Others Launch Confidential Computing Consortium for Data Security

    Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use.

  • Intel, Google, Microsoft, and others launch Confidential Computing Consortium for data security

    Major tech companies including Alibaba, Arm, Baidu, IBM, Intel, Google Cloud, Microsoft, and Red Hat today announced intent to form the Confidential Computing Consortium to improve security for data in use. Established by the Linux Foundation, the organization plans to bring together hardware vendors, developers, open source experts, and others to promote the use of confidential computing, advance common open source standards, and better protect data.

    “Confidential computing focuses on securing data in use. Current approaches to securing data often address data at rest (storage) and in transit (network), but encrypting data in use is possibly the most challenging step to providing a fully encrypted lifecycle for sensitive data,” the Linux Foundation said today in a joint statement. “Confidential computing will enable encrypted data to be processed in memory without exposing it to the rest of the system and reduce exposure for sensitive data and provide greater control and transparency for users.”


More in Tux Machines

Linux Candy: ASCIIQuarium – embrace marine life from the terminal

Who loves eye candy? Don’t be shy — you can raise both hands!! Linux Candy is a new series of articles covering interesting eye candy software. We’re only going to feature open-source software in this series. I’m not going to harp on about the tired proverb “All work and no play makes Jack a dull boy”. But there’s a certain element of truth here. If you spend all day coding neural networks, mastering a new programming language, sit in meetings feeling bored witless, you’ll need some relief at the end of the day. And what better way by making your desktop environment a bit more memorable. Read more

Bookworm is a light-weight eBook reader for Linux

While Calibre has a built-in reader, and is the absolute best when it comes to managing and converting eBooks, some people may prefer an alternative when it comes to reading ebooks. Bookworm, a lightweight ebook reader for Linux, offers a minimalist experience. Developed for Elementary OS, Bookworm is also available for other Linux distributions such as Ubuntu or OpenSUSE. Options to install from source or flatpack are provided as well. Read more

Review: Drauger OS 7.4.1, and EndeavourOS 2019.07.15

This week I once again turned to the DistroWatch waiting list to sample new items I had not tried before. Near the top of the list of projects waiting for evaluation was Drauger OS, a Linux distribution based on Xubuntu. The project uses the Xfce desktop environment and is built to run on 64-bit (x86_64) computers. The project places a strong focus on offering easy access to games and, correspondingly, good desktop performance. To this end, Drauger ships with Steam installed by default, along with WINE and PlayOnLinux. Drauger OS also comes with the modified, low-latency, Liquorix Linux kernel, which is based off the ZEN kernel. According to the project's documentation, the distribution can run on UEFI-enabled machines, but booting in legacy BIOS mode is recommended. The documentation also mentions that in place of the regular Xubuntu installer, Drauger uses the System Install utility to copy the operating system from the live media to the local hard drive. While most of the project's listed features are technical in nature, one of the main talking points goes a bit over the top when describing Drauger's security advantage: "Drauger OS is far more secure than the leading desktop operating system. This means that you can game without fear of trolls hacking into your computer, getting a virus, or losing your data." Of course Linux systems can be hacked and certainly may lose data due to various bugs, security breaches or hardware failure. The developers' claims strike me as being optimistic, at best. Drauger is available in one edition and the distribution's ISO file is a 3.2GB download. Booting from the disc brings up a menu asking if we would like to run a live desktop session or launch a system installer. The live option shows the Ubuntu boot screen, which identifies the distribution as "Ubuntu 7.4.1". The system then presents us with a graphical login screen where we are given the choice of using a "user" account or a "guest" account. 
In either case we can sign in without a password. Drauger's live mode uses the Xfce 4.12 desktop. Once the desktop loads, a welcome screen appears, showing buttons that open links to the distribution's website, launch a tool for installing third-party drivers, open a readme file, and link to some on-line resources. There is also a tutorial button which opens a series of pop-up messages about the desktop elements. We can only move forward through the tutorial tips one at a time, and cannot go back to previous pop-ups. The Additional Drivers button opens the Ubuntu software sources, updates and driver utility. On-line resources and documentation are opened in the Firefox web browser. The welcome window is pretty straight forward to use and navigate and I like that we are put in touch with both on-line and off-line resources. Read more

GNU Guile 2.9.4 (beta) released

We are delighted to announce GNU Guile 2.9.4, the fourth beta release in preparation for the upcoming 3.0 stable series. See the release announcement for full details and a download link. This release enables inlining of references to top-level definitions within a compilation unit, speeding up some programs by impressive amounts. It also improves compilation of floating-point routines like sin, implements the Ghuloum/Dybvig "Fixing Letrec (reloaded)" algorithm, and allows mixed definitions and expressions within lexical contours, as is the case at the top level. Try it out, it's good times! GNU Guile 2.9.4 is a beta release, and as such offers no API or ABI stability guarantees. Users needing a stable Guile are advised to stay on the stable 2.2 series. Experience reports with GNU Guile 2.9.4, good or bad, are very welcome; send them to guile-devel@gnu.org. If you know you found a bug, please do send a note to bug-guile@gnu.org. Happy hacking! Read more