Language Selection

English French German Italian Portuguese Spanish

Security

Security: Patches, Security Flaws Caused by Compiler Optimisations, Microsoft Updates Break Windows Again

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Fedora (ghostscript, pango, and squirrelmail), openSUSE (libcryptopp, squid, tcpdump, and wireshark), SUSE (flatpak), and Ubuntu (giflib and NLTK).

  • Security flaws caused by compiler optimizations

    An optimizing compiler is one that tries to maximize some attribute(s) of an executable program at the expense of other attribute(s). Usually the goal is to improve performance or code size at the expense of compiler time and the possibility to debug the program at a later stage. Most modern compilers support some sort of optimization. Normally code optimized for performance is the usual preference. In cases where space is a constraint like embedded systems, developers also prefer code optimized for size.

    Code optimization is both an art as well as a science. Various compilers use different techniques for optimizing code.

  • To patch Windows or not: Do you want BlueKeep bug or broken Visual Basic apps?

    Microsoft says apps that use Visual Basic 6 (VB6), VBA, and VBScript "may stop responding with error" after its updates from this Tuesday have been installed.

    "After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an 'invalid procedure call error'," Microsoft says.

    The issue affects all supported versions of Windows 10, Windows 7, Windows 8.1, and their corresponding server versions.

    "Microsoft is presently investigating this issue and will provide an update when available," the company said.

    Microsoft didn't offer an explanation for the problem but it did flag earlier this month that it will move ahead with sunsetting VBScript, by disabling it in IE11 by default via an update in this week's patch.

    "The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13, 2019," Microsoft warned in a blog. The change brought these versions of Windows in line with Windows 10.

Latest Debian GNU/Linux Security Patch Addresses 14 Vulnerabilities, Update Now

Filed under
Linux
Security

Available for the Debian GNU/Linux 10 "Buster" and Debian GNU/Linux 9 "Stretch" operating system series, the new Linux kernel security update addresses a total of 14 vulnerabilities discovered by various security researchers. The Debian Project urges all users to update their installations as soon as possible.

Among the security flaws patched, we can mention a race condition in the libsas subsystem that supports Serial Attached SCSI (SAS) devices, a potential double-free in the block subsystem, as well as two issues that could make it easier for attackers to exploit other vulnerabilities.

Read more

Security: Sphinx, Ransomware, Webmin, YubiKey

Filed under
Security
  • Exposed Sphinx Servers Are No Challenge for Hackers [Ed: That’s the same agency and the same troll site that initially promoted the lies and the FUD about VLC]

    A popular open-source text search server, Sphinx offers impressive performance for indexing and searching data in databases or just in files. It is cross-platform, available for Linux, Windows, macOS, Solaris, FreeBSD, and a few other operating systems.

    [...]

    CERT-Bund posted the warning on Twitter today alerting network operators and providers about the risk of running Sphinx servers with a default configuration that are open on the web.

    The organization highlights that Sphinx lacks any authentication mechanisms. Exposing it on the web gives an attacker the possibility "to read, modify or delete any data stored in the Sphinx database."

  • Ransomware Hits Texas Local Governments [iophk: Windows TCO]

    The attack was observed on the morning of August 16 and appears to have been launched by a single threat actor, the DIR announcement reads.

    The State Operations Center (SOC) was activated soon after the attack reports started to come in, and DIR says that all of the entities that were actually or potentially affected appear to have been identified and notified.

    A total of twenty-three entities have been confirmed as impacted so far, and the responders are working on bringing the affected systems back online.

  • Webmin Backdoored for Over a Year

    The security hole impacts Webmin 1.882 through 1.921, but most versions are not vulnerable in their default configuration as the affected feature is not enabled by default. Version 1.890 is affected in the default configuration. The issue has been addressed with the release of Webmin 1.930 and Usermin version 1.780.

  • The YubiKey 5Ci is the 'first' iOS-compatible security key

    Like other YubiKey options in the 5 series, the YubiKey 5Ci supports multiple authentication protocols, including IDO2/WebAuthn, FIDO U2F, OTP (one-time-password), PIV (Smart Card), and OpenPGP.

Security: Updates, Linux "Lockdown" Patches, Webmin FUD (Mischaracterisation) and Dawn for Security Vulnerabilities in HPC

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap).

  • Linux "Lockdown" Patches Hit Their 40th Revision

    The long-running Linux "Lockdown" patches were sent out again overnight for their 40th time but it remains to be seen if these security-oriented patches will be pulled in for the upcoming Linux 5.4 cycle.

    The Linux Lockdown functionality is for restricting access to the kernel and underlying hardware by blocking writes to /dev/mem, restricting PCI BAR and CPU MSR access, disabling system hibernation support, limiting Tracefs, and restricting or outright disabling other functionality that could alter the hardware state or running Linux kernel image.

    Linux Lockdown has been opt-in only and designed for use-cases like honoring UEFI SecureBoot for ensuring nothing nefarious could happen once booted into the operating system by bad actors. Most end-users won't voluntarily want the lockdown mode due to all the restrictions in place, but could be a favor for enterprises and very security conscious users.

  • Backdoor Found in Webmin Utility [Ed: It is not a back door but a bug inserted by a malicious entity rather than the project developers themselves; this incident demonstrates or classically highlights the need for reproducible builds.]

    On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.

  • A New Dawn for Security Vulnerabilities in HPC

    In February 2018, Russian nuclear scientists at the Federal Nuclear Center were arrested for using their supercomputer resources to mine the crypto-currency, Bitcoin. Previously, high-performance computing (HPC) security breaches like this tended to be few and far between. However, recent trends are increasing the vulnerabilities and threats faced by HPC systems.

    Previously, compute clusters enjoyed a level of security through obscurity due to their idiosyncratic architectures in terms of both hardware, with different CPU architectures and networking, and software of often home-grown applications running on Unix-like operating systems. In addition, the reward for compromising a cluster wasn’t all that great. Although hacking into HPC data generated by atomic weapons research and pharmaceutical modelling does present a valuable outcome; meteorological institutes, astrophysics laboratories or other mathematical research is less so.

Security: Hacker Summer Camp, Nexus Repository, Ransomware, Web Server Security

Filed under
Security
  • Hacker Summer Camp 2019: CTFs for Fun & Profit

    Okay, I’m back from Summer Camp and have caught up (slightly) on life. I had the privilege of giving a talk at BSidesLV entitled “CTFs for Fun and Profit: Playing Games to Build Your Skills.” I wanted to post a quick link to my slides and talk about the IoT CTF I had the chance to play.

    I played in the IoT Village CTF at DEF CON, which was interesting because it uses real-world devices with real-world vulnerabilities instead of the typical made-up challenges in a CTF. On the other hand, I’m a little disappointed that it seems pretty similar (maybe even the same) year-to-year, not providing much variety or new learning experiences if you’ve played before.

  • Nexus Repository Now Supports APT

    Beginning with version 3.17, Nexus Repository Manager supports APT (Advanced Package Tool) repositories. APT is a set of tools used to search, install, and manage packages on Debian, Ubuntu, and similar Linux distributions. With this new release, you can now host your own local APT repos. Developers benefit from no longer having to rely on connecting externally to a public repository every time an often-used package is needed.

    In the case of Debian-based Docker containers, the ability to locally cache Debian packages from public repositories can save copious amounts of time when rebuilding your containers. This can do wonders especially for containers built frequently in a CI pipeline and for the more traditional use-case of provisioning virtual machines.

  • Ransomware attack has hit 20 government agencies in Texas [iophk: Windows TCO]

    This week the state of Texas has joined the list of targets. According to Texas’s Department of Information Resources (DIR), more than 20 local government entities have been impacted by a ‘coordinated ransomware attack.’ DIR states that “the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions.”

    No disclosure has beeen made regarding how much of a payment is being requested, though given recent attacks on other states the amount is likely to be eye-watering. Also absent is any information on which ‘local government entities’ have been affected.

  • Web server security – Part 8: Basic log file analysis

    Tools like lnav (“The Log File Navigator”) allow quicker analysis of log files. Instead of manually searching for attack-like behavior, you can use SQL queries, load and combine multiple files at once, and switch between different views.

    However, keep in mind that not only tools but also underlying processes and organization are important. You must know where log files are stored, how they are created and how long information is available. This requires a basic security concept. Understand the structure of your log files, and use customization of logging rules if available.

Security: Patches, IPFire 2.23 Core Update 135, Kaspersky in the Middle

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, java-1_8_0-openjdk, polkit, postgresql10, python3, and squid), and Ubuntu (firefox).

  • IPFire 2.23 - Core Update 135 is ready for testing

    after a little break with many things to fight, we are back with a brand new Core Update which is packed with various bug fixes and cleanup of a lot of code.

  • Wladimir Palant: Kaspersky in the Middle - what could possibly go wrong?

    Roughly a decade ago I read an article that asked antivirus vendors to stop intercepting encrypted HTTPS connections, this practice actively hurting security and privacy. As you can certainly imagine, antivirus vendors agreed with the sensible argument and today no reasonable antivirus product would even consider intercepting HTTPS traffic. Just kidding… Of course they kept going, and so two years ago a study was published detailing the security issues introduced by interception of HTTPS connections. Google and Mozilla once again urged antivirus vendors to stop. Surely this time it worked?

    Of course not. So when I decided to look into Kaspersky Internet Security in December last year, I found it breaking up HTTPS connections so that it would get between the server and your browser in order to “protect” you. Expecting some deeply technical details about HTTPS protocol misimplementations now? Don’t worry, I don’t know enough myself to inspect Kaspersky software on this level. The vulnerabilities I found were far more mundane.

Latest KDE Security Vulnerabilities Are Patched in Ubuntu and Debian, Update Now

Filed under
KDE
Security

A couple of weeks ago, the KDE community fixed a security vulnerability discovered by Dominik Penner in the KConfig component, the configuration settings framework of the KDE Plasma desktop environment, which could allow an attacker to execute malicious code through a specially crafted .desktop file included in an archive that was opened in the file manager.

"Dominik Penner discovered that KConfig supported a feature to define shell command execution in .desktop files. If a user is provided with a malformed .desktop file (e.g. if it's embedded into a downloaded archive and it gets opened in a file browser) arbitrary commands could get executed. This update removes this feature," reads the Debian security advisory.

Read more

Tails 4.0 Anonymous Linux OS Enters Beta Based on Debian GNU/Linux 10 "Buster"

Filed under
Security
Debian

Tails 4.0 recently entered beta testing and it's the first release to be based on the just released Debian GNU/Linux 10 "Buster" operating system series, which means that all the pre-installed packages have been updated to newer versions to support the latest hardware components, especially recent Nvidia and ATI/AMD graphics cards, as well as Mac computers.

Tails 4.0 also promises support for Thunderbolt 3 devices, which is now integrated into the latest GNOME 3 desktop environment, with which the upcoming major Tails release will ship by default. Users who own a Thunderbolt device are urged to test the implementation by navigating to Choose Devices > Thunderbolt from the GNOME Settings utility.

Read more

Security: Open Source Security Podcast, Screwed Drivers, and Voting Machines

Filed under
Security
  • Open Source Security Podcast: Episode 157 - Backdoors and snake oil in our cryptography

    Josh and Kurt talk about snakeoil cryptography at Black Hat and the new backdoored cryptography fight. Both of these problems will be with us for a very long time. These are fights worth fighting because it's the right thing to do.

  • Screwed Drivers – Signed, Sealed, Delivered

    Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft. Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers.

  • Most states still aren’t set to audit paper ballots in 2020

    Despite some progress on voting security since 2016, most states in the US aren’t set to require an audit of paper ballots in the November 2020 election, according to a new report out this week from the Brennan Center for Justice.

    The report notes that experts and government officials have spent years recommending states adopt verifiable paper ballots for elections, but a handful still use electronic methods potentially vulnerable to cyberattacks. In 2016, 14 states used paperless machines, although the number today is 11, and the report estimates that no more than eight will use them in the 2020 election.

Security: ECB, Bluetooth and AppArmor Crash Course

Filed under
Security
  • ECB server hacked – Data disclosure of the European Central Bank – Bank hacks from Mexico to Bangladesh

    The Europeans probably do not even know about „what is going on“ and according to ex finance minister of Greece – finance ministers do not have a lot to say in the ECB – the IMF has – there are no recordings of the meetings of „The Eurogroup“ – so transparency over decision making processes is rather bad.

    After all just like the (more or less ideal) „big brother“ the FED it is not under direct democratic influence – does what it wants – every word the FED CEO says is analyzed and influences financial market decisions.

    „One of the sites of the European Central Bank (ECB) has been hacked. The attackers gained access to sensitive users ‚ information, however, the internal system of the Bank has not been compromised.

  • Specification vulnerability in devices that speak Bluetooth is addressed

    The discovery of a flaw in Bluetooth specification that could enable an attack to spy on your information made news this week; the attacker could be able to weaken the encryption of Bluetooth devices and snoop on communications or send falsified ones to take over a device, said The Verge.

  • FrOSCon 2019 - openSUSE booth & AppArmor Crash Course

    Last weekend, I was at FrOSCon - a great Open Source conference in Sankt Augustin, Germany. We (Sarah, Marcel and Sleepy ran the openSUSE booth, answered lots of questions about openSUSE and gave the visitors some goodies - serious and funny (hi OBS team!) stickers, openSUSE hats, backpacks and magazines featuring openSUSE Leap. We also had a big plush geeko, but instead of doing a boring raffle, we played openSUSE Jeopardy where the candidates had to ask the right questions about Linux and openSUSE for the answers I provided.

Syndicate content

More in Tux Machines