
Security

Security: Red Teaming, Zero-day Vulnerabilities and Trump Campaign Website

Filed under
Security
  • Best open-source tools for Red Teaming

    A good starting point for building a Red Team toolkit is downloading and installing Kali Linux, as many of the tools mentioned here are included in the default distribution. From there, additional tools can be acquired and added to address specific use cases. When building a toolkit, it’s important not to focus on the network side of the assessment to the exclusion of the physical aspects. A Red Team is also likely expected to try physical attack vectors against the customer’s security and needs to have the appropriate tools for that part of the work as well.

  • What is a zero-day vulnerability?

    Chances are pretty good you've heard the term zero-day vulnerability. The term conjures up images of post-apocalyptic landscapes, where technology has either hit a singularity-level madness, or has reverted back to the days of CRT monitors and green screens. Max Headroom has returned and sand is the new currency.

    Or not.

    Truth be told, zero day is not even remotely as ominous. It is, however, quite serious. In fact, of all the known vulnerabilities, zero day can often pose the most risk. Why? The reason is in the very definition.

  • Trump Campaign Website Left Open to Email Server Hijack

    “The problem is that many developers fail to disable the debug mode after going live, exposing back-end website details like database locations, passwords, secret keys and other sensitive info,” they said.
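    The debug-mode exposure quoted above is easy to catch from the outside. What follows is an added example, not code from the article or from any web framework: a small scanner that classifies an HTTP error body as a framework development error page and lists the names of any KEY=value credentials it dumps, run here over constructed sample bodies rather than a live site. The signature strings are recognisable phrases from the frameworks' own debug templates and should be treated as heuristics to extend for your stack.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses for the demonstration; not captured from any real site.
SAMPLE_RESPONSES = {
    "django_debug": (
        "<!DOCTYPE html><html><head><title>TypeError at /signup/</title></head>"
        "<body><h1>TypeError at /signup/</h1><h2>Settings</h2>"
        "<table><tr><td>DATABASES</td><td>{'default': {'HOST': 'db.internal', "
        "'PASSWORD': '********************'}}</td></tr></table>"
        "<p>You're seeing this error because you have <code>DEBUG = True</code> "
        "in your Django settings file.</p></body></html>"
    ),
    "laravel_env_dump": (
        "<html><body><h1>Whoops, looks like something went wrong.</h1>"
        "<pre>APP_ENV=production\nAPP_DEBUG=true\n"
        "APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
        "MAIL_HOST=smtp.example.invalid\nMAIL_USERNAME=campaign\n"
        "MAIL_PASSWORD=hunter2\n</pre></body></html>"
    ),
    "clean": "<html><body><h1>Server Error (500)</h1></body></html>",
}

# Phrases that identify a framework's development error page. Heuristic; extend as needed.
DEBUG_PAGE_SIGNATURES = {
    "django": ("DEBUG = True", "in your Django settings file"),
    "laravel": ("Whoops, looks like something went wrong", "APP_DEBUG=true"),
    "werkzeug": ("Werkzeug Debugger",),
}

# KEY=VALUE lines whose key looks like a credential. Only the key name is reported,
# so the scanner's own output does not become a second copy of the leak.
SECRET_LINE = re.compile(
    r"^(?P<key>[A-Z0-9_]*(?:KEY|SECRET|PASSWORD|TOKEN)[A-Z0-9_]*)=(?P<val>.+)$", re.M
)


def detect_debug_page(body: str) -> Optional[str]:
    """Return the framework whose debug page this body resembles, or None."""
    for framework, needles in DEBUG_PAGE_SIGNATURES.items():
        if any(needle in body for needle in needles):
            return framework
    return None


def leaked_secret_keys(body: str) -> List[str]:
    """Names of credential-looking variables dumped verbatim in the body."""
    return [
        m.group("key")
        for m in SECRET_LINE.finditer(body)
        if m.group("val").strip() not in ("", "null")
    ]


def scan_response(body: str) -> Dict[str, object]:
    """Combine both checks into one finding record for a single response body."""
    return {"debug_page": detect_debug_page(body), "leaked_keys": leaked_secret_keys(body)}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, scan_response(body))
```

    Point the scanner at error-triggering URLs (a non-existent route, a malformed query parameter) during release checks; a hit means the deployment shipped with the development error handler enabled, regardless of what the framework's configuration file claims.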

Security: WireGuard, Birds and Updates

Filed under
Security
  • WireGuard Restored In Android's Google Play Store After Brief But Controversial Removal

    After Google dropped the open-source WireGuard app from their Play Store since it contained a donation link, the app has now been restored within Google's software store for Android users but without the donation option.

    The WireGuard app for Android makes it easy to set up the secure VPN tunnel software on mobile devices, similar to its port to iOS and other platforms. The WireGuard apps are free but have included a donation link to the WireGuard website should anyone wish to optionally make a donation to support the development of this very promising network tech.

  • Letting Birds scooters fly free

    At that point I had everything I needed to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and send a lock command to force disable the scooter again. Ah well.

    So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

    Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

    The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

  • Security updates for Friday

    Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).
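    To make the session-handling flaw in the scooter post concrete, here is an added toy model of a backend that identifies clients by serial number and IMEI and lets the newest connection displace the old one. It is not the author's code or the operator's service: the serials, IMEIs and peer labels are constructed, and the "hardened" variant's check that the IMEI matches the one recorded for the serial is this example's own fix, not something the post reports.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    serial: str
    imei: str
    peer: str  # constructed label for whoever holds the SSL connection


class ScooterBackend:
    """Toy model of the remote endpoint: clients identify with (serial, IMEI)."""

    def __init__(self, fleet: Dict[str, str], bind_imei: bool) -> None:
        self.fleet = fleet            # serial -> IMEI recorded at provisioning (assumed record)
        self.bind_imei = bind_imei    # False reproduces the observed behaviour
        self.sessions: Dict[str, Session] = {}

    def connect(self, serial: str, imei: str, peer: str) -> bool:
        if serial not in self.fleet:
            return False
        if self.bind_imei and imei != self.fleet[serial]:
            return False              # hardened: IMEI must match the provisioned one
        # As observed: a new connection for a serial takes precedence over the existing one.
        self.sessions[serial] = Session(serial, imei, peer)
        return True

    def send_unlock(self, serial: str) -> Optional[str]:
        """Return which peer would receive an unlock command for this serial."""
        session = self.sessions.get(serial)
        return session.peer if session else None


def hijack_demo(bind_imei: bool) -> Dict[str, Optional[str]]:
    """Real scooters connect first; then one attacker claims every serial."""
    fleet = {"SN-0001": "356938035643809", "SN-0002": "490154203237518"}  # constructed
    backend = ScooterBackend(fleet, bind_imei)
    for serial, imei in fleet.items():
        assert backend.connect(serial, imei, peer=f"scooter-{serial}")
    for serial in fleet:
        backend.connect(serial, "000000000000000", peer="attacker")  # arbitrary IMEI
    return {serial: backend.send_unlock(serial) for serial in fleet}


if __name__ == "__main__":
    print("unbound:", hijack_demo(bind_imei=False))
    print("bound:  ", hijack_demo(bind_imei=True))
```

    Binding the IMEI only raises the bar: an IMEI is not a secret and is readable over the same serial interface the STM uses, so an attacker targeting one scooter can still displace its connection. Treating a second connection for a live serial as an incident rather than a silent replacement, and authenticating with a per-device secret (a client certificate on the SSL connection the modem already opens) instead of identifiers, is what closes the hole.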

Can Linux improve ATM security?

Filed under
Linux
Security

While ATM security is not necessarily "life critical" as with many other industries (think transportation, medical and some industrial applications) there are certainly financial and identity theft risks associated with these devices.

Plenty of info is available on the web regarding various ATM attack vectors, estimated number of annual hacks and the cost to the industry. The question we will ponder here is very specific: Would replacing the Windows operating system in an ATM with a Linux-based one improve security? Most experts believe the answer is yes.

Today's ATM looks much like a personal computer on your desk. It runs the world's most popular desktop operating system — Windows — on the world's most popular hardware: Intel motherboards.

But therein lies part of the problem. Being "most popular" means there are few barriers to keep the bad guys from replicating the internals of a typical ATM and studying them at leisure. This fact alone makes Windows more prone to attack than alternatives.


Security: Linux, Docker and Guix

Filed under
Security
  • Unpatched Linux bug may open devices to serious attacks over Wi-Fi

    The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.

  • Docker Attack Worm Mines for Monero
  • Insecure permissions on profile directory (CVE-2019-18192)

    We have become aware of a security issue for Guix on multi-user systems that we have just fixed (CVE-2019-18192). Anyone running Guix on a multi-user system is encouraged to upgrade guix-daemon—see below for instructions.

    Context

    The default user profile, ~/.guix-profile, points to /var/guix/profiles/per-user/$USER. Until now, /var/guix/profiles/per-user was world-writable, allowing the guix command to create the $USER sub-directory.

    On a multi-user system, this allowed a malicious user to create and populate that $USER sub-directory for another user that had not yet logged in. Since /var/…/$USER is in $PATH, the target user could end up running attacker-provided code. See the bug report for more information.

    This issue was initially reported by Michael Orlitzky for Nix (CVE-2019-17365).
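    The Guix issue is an instance of a general rule: a directory on PATH that another user can write, or one that does not exist yet beneath a parent another user can write, lets that user choose what you execute. The following added example (not Guix code) audits a PATH value for both conditions and rebuilds the per-user layout from the advisory inside a temporary directory; the directory names and modes are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, Optional


def dir_risk(st: os.stat_result, trusted_uids: Iterable[int]) -> Optional[str]:
    """Explain why a directory is unsafe to have on PATH, or return None."""
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid not in tuple(trusted_uids):
        return f"owned by untrusted uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit stops others deleting your entries; it does not stop them
        # creating new ones, which is all the pre-creation attack needed.
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    return None


def nearest_existing_ancestor(path: str) -> str:
    p = os.path.abspath(path)
    while not os.path.exists(p):
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    return p


def audit_path(path_value: str, trusted_uids: Optional[Iterable[int]] = None) -> Dict[str, str]:
    """Map each risky PATH entry to a reason; entries that look safe are omitted."""
    trusted = tuple(trusted_uids) if trusted_uids is not None else (0, os.getuid())
    findings: Dict[str, str] = {}
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings[entry] = "empty entry, resolved as the current directory"
            continue
        if os.path.exists(entry):
            risk = dir_risk(os.stat(entry), trusted)
            if risk:
                findings[entry] = risk
            continue
        # Not created yet (a per-user profile before first login): whoever can write
        # the nearest existing ancestor gets to create it, contents included.
        ancestor = nearest_existing_ancestor(entry)
        risk = dir_risk(os.stat(ancestor), trusted)
        if risk:
            findings[entry] = f"missing; ancestor {ancestor} is {risk}, so another user can create it first"
    return findings


def demo() -> Dict[str, str]:
    """Build a throwaway layout mirroring the advisory and audit a PATH over it."""
    root = tempfile.mkdtemp()
    try:
        per_user = os.path.join(root, "per-user")      # stands in for /var/guix/profiles/per-user
        os.mkdir(per_user)
        os.chmod(per_user, 0o1777)                      # world-writable, sticky bit set
        safe_bin = os.path.join(root, "safe", "bin")
        os.makedirs(safe_bin)
        os.chmod(safe_bin, 0o755)
        loose_bin = os.path.join(root, "loose", "bin")
        os.makedirs(loose_bin)
        os.chmod(loose_bin, 0o775)                      # group-writable
        alice_bin = os.path.join(per_user, "alice", "bin")  # alice has not logged in yet
        findings = audit_path(os.pathsep.join([alice_bin, safe_bin, loose_bin]),
                              trusted_uids=(os.getuid(),))
        # Strip the temp prefix so the result is readable and stable.
        return {k[len(root) + 1:]: v.replace(root + os.sep, "") for k, v in findings.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for entry, reason in demo().items():
        print(f"{entry}: {reason}")
```

    Run `audit_path(os.environ["PATH"])` on a multi-user host to check the real thing; the missing-entry branch is the one that catches the Guix and Nix pattern, where the dangerous directory is the one that does not exist yet.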

Canonical Outs Linux Kernel Security Update for Ubuntu 19.04 to Patch 9 Flaws

Filed under
Linux
Security
Ubuntu

The new security update for Ubuntu 19.04 is here to patch a total of seven security flaws affecting the Linux 5.0 kernel used by the operating system, including an issue (CVE-2019-15902) discovered by Brad Spengler which could allow a local attacker to expose sensitive information as a Spectre mitigation was improperly implemented in the ptrace subsystem.

It also fixes several flaws (CVE-2019-14814, CVE-2019-14815, CVE-2019-14816) discovered by Wen Huang in the Marvell Wi-Fi device driver, which could allow a local attacker to cause a denial of service or execute arbitrary code, as well as a flaw (CVE-2019-15504) discovered by Hui Peng and Mathias Payer in the 91x Wi-Fi driver, allowing a physically proximate attacker to crash the system.


Purism Partners with Halo Privacy to Bring Extra Security to Its Linux Devices

Filed under
Linux
Security

Purism is already known for providing top notch security and privacy for its Linux laptops and phones, but with the new partnership with Halo Privacy, the company wants to bring strong cryptography and custom managed attribution techniques to secure communications from direct attacks.

This new security stack provided by Halo Privacy works together with Purism's existing security implementations for its Linux devices, including the Librem Key USB security token with tamper detection and the PureBoot secure UEFI replacement, to cryptographically guarantee the signing of the lowest level of firmware and protect the user's privacy.


Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (apache2 and unbound), Fedora (opendmarc, runc, and sudo), openSUSE (epiphany, GraphicsMagick, and libopenmpt), Oracle (kernel and sudo), Red Hat (java-1.8.0-openjdk, jss, kernel, kernel-rt, and kpatch-patch), SUSE (crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer, libpcap, sudo, and tcpdump), and Ubuntu (aspell and libsdl1.2).

  • Cybersecurity Awareness Month: Increasing our self-awareness so we can improve security

    October has been National Cybersecurity Awareness Month since 2004. According to staysafeonline.org, this initiative was started by the National Cybersecurity Alliance and the US Department of Homeland Security to help all Americans stay safe and secure when online. This month is usually marked with a significant uptick in cybersecurity outreach and training. It’s also the one month of the year when you can get a significant amount of cybersecurity swag such as webcam covers, mugs, and pens. This event has an outward focus to raise awareness of security globally,

    Many other events have come into existence along with this. For example, there are numerous electronics recycling events that now occur in October where people can securely dispose of their old computers. Some municipalities have extended this to include safe disposal of old prescription medications, paints, and other hazardous materials.

    Recent events in the greater technology community, specifically the resignation of Richard Stallman from both MIT and the Free Software Foundation, have become character foils that show us that while we have come a long way, we still have a long way ahead of us to improve.

  • Michael Tremer/IPFire: On quadrupling throughput of our Quality of Service

    There have been improvements to our Quality of Service (or QoS) which have made me very excited.

    Our QoS sometimes was a bottleneck. Enabling it could cut your bandwidth in half if you were unlucky. That normally was not a problem for larger users of IPFire, because if you are running a 1 Gigabit/s connection, you would not need any QoS in the first place, or your hardware was fast enough to handle the extra load.

    For the smaller users this was, however, becoming more and more of a problem. Smaller systems like the IPFire Mini Appliance are designed to be small (the clue is in the name) and to be very energy-efficient. And they are. They are popular with users with a standard DSL connection of up to 100 Megabit/s which is very common in Germany. You have nothing to worry about here. But if you are lucky to have a faster Internet connection, then this hardware and others that we have sold before might be running out of steam. There is only so much you can get out of them.

  • The City Of Baltimore Blew Off A $76,000 Ransomware Demand Only To Find Out A Bunch Of Its Data Had Never Been Backed Up [Ed: Windows]

    The City of Baltimore was hit with a ransomware attack in May of this year. Criminals using remodeled and rebranded NSA exploits (EternalBlue) knocked out a "majority" of the city's servers and crippled many of its applications. More details didn't surface until September when the city's government began reshuffling the budget to cover the expenses of recovering from the attack.

Google: Replacing Google Chrome, AMP and Titan Security Keys

Filed under
Google
Security
Web
  • The top 5 alternatives to Google Chrome

    Google Chrome is the most popular web browser on the market. It provides a user-friendly, easy-to-use interface, with a simple appearance featuring a combined address and search bar with a small space for extensions.

    Chrome also offers excellent interconnectivity on different devices and easy syncing that means that once a user installs the browser on different devices, all their settings, bookmarks and search history come along with it. Virtually all a user does on Google chrome is backed up to Google Cloud.

    Chrome also offers easy connectivity to other Google products, such as Docs, Drive, and YouTube via an “Apps” menu on the bookmarks bar, located just below the address/search bar. Google Translate, one of the best translation applications currently available on the internet, is also included.

  • Google unplugs AMP, hooks it into OpenJS Foundation after critics turn up the volume [Ed: Microsoft Tim on Google passing a bunch of EEE to a foundation headed by a Microsoft ‘mole’, 'open'JS ]

    AMP – which originally stood for Accelerated Mobile Pages though not any more – was launched in 2015, ostensibly to speed up page loading on smartphones. The technology includes AMP HTML, which is a set of performance-optimized web components, and the AMP Cache, which serves validated AMP pages. Most AMP pages are served by Google’s AMP Cache.

  • Google USB-C Titan Security Keys Begin Shipping Tomorrow

    Google announced their new USB-C Titan Security Key will begin shipping tomorrow for offering two-factor authentication support with not only Android devices but all the major operating systems as well.

    The USB-C Titan Security Key is being manufactured by well known 2FA key provider Yubico. This new security key is using the same chip and firmware currently used by Google's existing USB-A/NFC and Bluetooth/NFC/USB Titan Security Key models.

Improved Security and Privacy Indicators in Firefox 70

Filed under
Moz/FF
Security
Web

The upcoming Firefox 70 release will update the security and privacy indicators in the URL bar.

In recent years we have seen a great increase in the number of websites that are delivered securely via HTTPS. At the same time, privacy threats have become more prevalent on the web and Firefox has shipped new technologies to protect our users against tracking.

To better reflect this new environment, the updated UI takes a step towards treating secure HTTPS as the default method of transport for websites, instead of a way to identify website security. It also puts greater emphasis on user privacy.


Proprietary Software Security and FOSS Patches

Filed under
Security
  • Compromised AWS API Key Allowed Access to Imperva Customer Data

    Imperva has shared more information on how [attackers] managed to obtain information on Cloud Web Application Firewall (WAF) customers, and revealed that the incident involved a compromised administrative API key.

  • Oil Refiner Reports Major IT Incident in Finland

    It’s not yet clear whether the cause is a malfunction or a cyber attack, according to spokeswoman Susanna Sieppi. The issue is under investigation, and it’s too early to estimate when the systems will be fixed, she said by phone.

  • WordPress 5.2.4 Security Release

    WordPress 5.2.4 is now available! This security release fixes 6 security issues.

    WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

  • Ubuntu Releases Patch for Major ‘sudo’ Security Exploit

    Canonical has issued an urgent security fix to the ‘sudo’ package in the Ubuntu archives following the discovery of a major security flaw.

    A critical fix has rolled out to all users of Ubuntu 16.04 LTS, 18.04 LTS, 19.04 and 19.10 (and one assumes Ubuntu 14.04 ESR too) — just run a sudo apt upgrade to install it.

    But what about the flaw inquisition? Well, if you’re yet to hear about it I appreciate meditative disconnect from social media. The oft toxic waste pools of chatter were wet with alarm — some manufactured, the rest well weighted — over CVE-2019-14287 when it was announced yesterday, October 14.

  • Security updates for Tuesday

    Security updates have been issued by Debian (sudo and xtrlock), openSUSE (sudo), Red Hat (Single Sign-On), Slackware (sudo), SUSE (binutils, dhcp, ffmpeg, kernel, kubernetes-salt, sudo, and tcpdump), and Ubuntu (sudo).
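    CVE-2019-14287, the sudo flaw in the Ubuntu item above, only bites configurations that grant a user every runas target except root, typically `(ALL, !root)`: a requested uid of -1 (or its 32-bit wrap-around, 4294967295) passes the "not root" policy check, but setresuid(2) treats -1 as "leave unchanged", so the command keeps the uid 0 that the setuid sudo binary already holds. The following is an added Python model of that logic, not sudo's C source: the uid_t width, the policy shape and the hardened variant's rejection of any value outside 0..4294967294 are this example's own assumptions.

```python
from typing import Optional, Set

ROOT_UID = 0
UID_T_MAX = 0xFFFFFFFF  # model assumption: uid_t is a 32-bit unsigned integer


def parse_uid_spec(spec: str) -> int:
    """Parse the '#<number>' form accepted by -u; strtol-style, so '#-1' -> -1."""
    if not spec.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    return int(spec[1:], 10)


def to_uid_t(value: int) -> int:
    """Truncate a signed value to an unsigned 32-bit uid_t, as a C cast would."""
    return value & UID_T_MAX


def policy_allows(target_uid: int, runas_all: bool, denied_uids: Set[int]) -> bool:
    """Runas check for a rule shaped like (ALL, !root): anything except the denied uids."""
    return runas_all and target_uid not in denied_uids


def setresuid_effect(current_uid: int, requested: int) -> int:
    """setresuid(2) semantics: a (uid_t)-1 argument means 'do not change this id'."""
    if to_uid_t(requested) == UID_T_MAX:
        return current_uid
    return to_uid_t(requested)


def run_as(spec: str, harden: bool) -> Optional[int]:
    """Return the uid a command would actually run with, or None if sudo refuses."""
    target = parse_uid_spec(spec)
    if harden and not (0 <= target < UID_T_MAX):
        return None  # reject ids that do not round-trip through uid_t before any policy check
    if not policy_allows(target, runas_all=True, denied_uids={ROOT_UID}):
        return None
    # sudo is setuid root, so the process is uid 0 at the moment it switches identity.
    return setresuid_effect(ROOT_UID, target)


if __name__ == "__main__":
    for spec in ("#1000", "#0", "#-1", "#4294967295"):
        print(f"{spec:>12}: unhardened -> {run_as(spec, False)}, hardened -> {run_as(spec, True)}")
```

    The unhardened path shows why `sudo -u#-1` was enough: the policy saw "not 0" while the kernel saw "no change". Configurations whose Runas spec is plain `ALL` were never at risk, since they allow root anyway, which is why the fix matters most to sites that relied on the `!root` exclusion as a boundary.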


More in Tux Machines

CentOS 8.0-1905

CentOS is a community-run project which builds its distribution from the source code of Red Hat Enterprise Linux. The project's goal is to provide a binary compatible, nearly identical experience to Enterprise Linux, but without the commercial support provided by Red Hat. This makes CentOS an attractive option for people who want to have a distribution with long-term support and the same technology Red Hat provides, but feel they do not need vendor support. I reviewed Red Hat Enterprise Linux 8 (RHEL 8), briefly covering the distribution's installer, software and settings management, several of its Workstation features, and a few of its server technologies, such as Cockpit. I ran into several issues during that experience - some of them relating to documentation, some dealing with permission problems, some due to missing applications in the official repositories - and I was curious to see if CentOS would provide the same experience, problems and all. One could assume so given CentOS uses the same source code, but CentOS has its own website and repositories so I thought it would be worth giving it a test run and seeing what differences, if any, I could spot. In particular, I planned to focus on the strengths and weaknesses I observed in the conclusion of my RHEL 8 review.

Before I get to my experiences with CentOS 8.0.1905, I feel it is worth mentioning that CentOS is now available in two branches: CentOS Linux, the traditional, fixed release operating system based on RHEL; and CentOS Stream. The new Stream branch is described as a rolling release platform which will fit in somewhere between Fedora and RHEL. The idea appears to be that software and concepts will get their initial testing in Fedora. Then Red Hat will fork a version of Fedora to be the basis of a future RHEL release. Changes and improvements that would normally be made internally within Red Hat prior to the next RHEL will become available for the public to try and comment on in CentOS Stream. Ideally, the plan here seems to be that this will give a larger portion of the community a chance to try new ideas and report issues, giving Red Hat more feedback and a chance to polish their commercial offering.

Docker, Podman and Kubernetes

Graphics: Radeon, Mesa and More

  • Open-Source C.A.S. Vulkan Layer - Similar to Radeon Image Sharpening But For Any GPU

    AMD's Radeon Image Sharpening feature is designed to improve image quality with minimal performance costs. However, it is only supported by Radeon Polaris / Vega / Navi graphics cards and only under Microsoft Windows 10. An independent open-source project has implemented contrast adaptive sharpening support for Vulkan that is similar to Radeon Image Sharpening but will work for any Vulkan-enabled GPU -- including NVIDIA GPUs.

  • MSM+Freedreno Driver Stack Adding Support For The Adreno 510 GPU

    While the MSM+Freedreno open-source graphics driver stack already supports the Adreno 500 and 600 series, one of the GPUs not seeing support until now was the basic Adreno 510. Kernel patches are pending for A510 enablement while the Mesa support was already merged. The Adreno 510 is the graphics processor within the Snapdragon 650, 652, and 653 models and used in lower-end devices. With the kernel and Mesa patches, the Adreno 510 is now working on the likes of the Sony Xperia X and X Compact smartphones.

  • AMD Lands Greater Direct State Access Support Within Mesa

    Landing this week in Mesa 19.3-devel were more functions being implemented around the big OpenGL EXT_direct_state_access extension. OpenGL's direct state access functions are intended to allow more OpenGL state to be accessed/updated directly, aside from the selector commands. Using EXT_direct_state_access allows for various efficiency improvements.

Programming Leftovers

  • Codeplay Launches Open-Source 'SYCL Academy' To Learn This Increasingly Popular Standard

    While SYCL has been around for five years as a Khronos standard providing a single-source C++ programming model for exploiting OpenCL, it has yet to reach its prime but demand for it is picking up with Intel working to upstream their SYCL back-end in LLVM, SYCL becoming part of their programming model with oneAPI and Xe Graphics, and other vendors also jumping on the SYCL bandwagon. Codeplay has now provided an open-source SYCL learning code for those interested in this higher-level alternative to straight OpenCL programming.

  • Open-Source Build and Test Tool Bazel Reaches 1.0

    Derived from Google's internal build tool Blaze, Bazel is a build and test tool that offers a human-readable definition language and is particularly aimed at large, multi-language, multi-repositories projects. Originally open-sourced in 2015, Bazel has now reached 1.0. One of the major implications of reaching version 1.0 for Bazel is the promise of greater stability and backward-compatibility guarantees. This has been a historical pain point for Bazel users, who often found themselves in the situation of having to rewrite part of their build rules due to frequent breaking changes in Bazel or its ecosystem. Accordingly, the Bazel team has committed to following semantic versioning for future Bazel releases, meaning only major versions will be allowed to include breaking changes. Furthermore, the team committed to maintaining a minimum stability window of three months between major versions.

  • DevOps Deeper Dive: DevOps Accelerates Open Source Innovation Pace

    That rate of innovation has increased dramatically in the last few years. However, much of that innovation would not have been possible if large swaths of the open source community hadn’t been able to employ best DevOps practices to collaborate, said CloudBees CEO Sacha Labourey. [...] None of this shift has been lost on IT vendors. As the demand for proprietary code slackened, many found it profitable to offer support services for open source software. The more there is to consume, the more the support services contracts grew. Now every vendor from IBM to small IT services providers such as Fairwinds has launched open source projects that help drive demand for IT services expertise. “There’s pain around integrating a lot of disparate open source projects,” said Robert Brennan, director of open source software for Fairwinds. “Organizations may be getting software for free, but there’s usually not a lot of help around.” Now almost every IT vendor in the world is making software engineers available to work on open source projects. All that talent focused on open source projects has led to the development of new platforms such as Jenkins, GitHub, Kubernetes and, more recently, a raft of smaller projects. With the rise of containers and cloud-native applications, open source software projects are entering another era that will see many of those same software engineers leveraging DevOps practices more broadly to drive even more innovative projects at increasingly faster rates.

  • Find your next developer from open source communities

    Meanwhile, demand for data scientists is rising as companies seek AI-based solutions to stay competitive. Demand is reflected in salary offers. Companies competing to hire and retain data experts are offering on average more than US$100,000, making it one of the most highly paid professions in the States. For companies lacking the budget to hire or train in-house staff to fill the role, they may find themselves struggling with maintaining technological infrastructure or moving forward with plans for digitization. Therefore, open source learning and further development of communities could be the solution to this gap. An IBM grant to support open source communities such as Girls Who Code, a non-profit organization offering coding lessons for women in the US, is a step forward to filling in a shortage of software developers.