You are here

Agreguesi i feed

Get serious about consumer data protection - Mar, 21/08/2018 - 11:28pd The idea that organizations should be doing more to protect the personal data they hold about individuals has been gaining ground in recent years. The European Union's General Data Protection Regulation (GDPR) sparked a scramble to operationalize data management and security.

Ohio Man Sentenced to 15 Years for BEC Scam - Mar, 21/08/2018 - 11:24pd Chief US District Judge Janet Hall last week sentenced Olumuyiwa Adejumo to 15 years in federal prison for his role in a business email compromise scheme targeting organizations in the United States. His sentence will be followed by 3 years of supervised release.

Augusta Health Center Reveals Historic Breach - Mar, 21/08/2018 - 11:20pd A leading US healthcare organization (HCO) has admitted that a phishing attack last September may have led to the compromise of highly sensitive data on nearly half a million patients.

next-20180821: linux-next

Kernel Linux - Mar, 21/08/2018 - 5:50pd
Version:next-20180821 (linux-next) Released:2018-08-21

The Fridge: Ubuntu Weekly Newsletter Issue 541

Planet Ubuntu - Mar, 21/08/2018 - 1:52pd

Welcome to the Ubuntu Weekly Newsletter, Issue 541 for the week of August 12 – 18, 2018. The full version of this issue is available here.

In this issue we cover:

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • Wild Man
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

Jono Bacon: Video: How to Manage and Work With Difficult Personalities

Planet Ubuntu - Hën, 20/08/2018 - 9:36md

Every organization, community, and family has difficult people in them. Some get overly agitated, some are not constructive in their criticism, some rub other people up the wrong way, some always commit but never deliver, and other traits.

In my new video I share some details for how to manage these types of personalities. I share some golden rules for handling them, how to analyze the situation well, and a method for building a resolution and solving problems.

Here it is:

Can’t see it? Watch it here.

The post Video: How to Manage and Work With Difficult Personalities appeared first on Jono Bacon.

Kees Cook: security things in Linux v4.18

Planet Ubuntu - Hën, 20/08/2018 - 8:29md

Previously: v4.17.

Linux kernel v4.18 was released last week. Here are details on some of the security things I found interesting:

allocation overflow detection helpers
One of the many ways C can be dangerous to use is that it lacks strong primitives to deal with arithmetic overflow. A developer can’t just wrap a series of calculations in a try/catch block to trap any calculations that might overflow (or underflow). Instead, C will happily wrap values back around, causing all kinds of flaws. Some time ago GCC added a set of single-operation helpers that will efficiently detect overflow, so Rasmus Villemoes suggested implementing these (with fallbacks) in the kernel. While it still requires explicit use by developers, it’s much more fool-proof than doing open-coded type-sensitive bounds checking before every calculation. As a first-use of these routines, Matthew Wilcox created wrappers for common size calculations, mainly for use during memory allocations.

removing open-coded multiplication from memory allocation arguments
A common flaw in the kernel is integer overflow during memory allocation size calculations. As mentioned above, C doesn’t provide much in the way of protection, so it’s on the developer to get it right. In an effort to reduce the frequency of these bugs, and inspired by a couple flaws found by Silvio Cesare, I did a first-pass sweep of the kernel to move from open-coded multiplications during memory allocations into either their 2-factor API counterparts (e.g. kmalloc(a * b, GFP...) -> kmalloc_array(a, b, GFP...)), or to use the new overflow-checking helpers (e.g. vmalloc(a * b) -> vmalloc(array_size(a, b))). There’s still lots more work to be done here, since frequently an allocation size will be calculated earlier in a variable rather than in the allocation arguments, and overflows happen in way more places than just memory allocation. Better yet would be to have exceptions raised on overflows where no wrap-around was expected (e.g. Emese Revfy’s size_overflow GCC plugin).

Variable Length Array removals, part 2
As discussed previously, VLAs continue to get removed from the kernel. For v4.18, we continued to get help from a bunch of lovely folks: Andreas Christoforou, Antoine Tenart, Chris Wilson, Gustavo A. R. Silva, Kyle Spiers, Laura Abbott, Salvatore Mesoraca, Stephan Wahren, Thomas Gleixner, Tobin C. Harding, and Tycho Andersen. Almost all the rest of the VLA removals have been queued for v4.19, but it looks like the very last of them (deep in the crypto subsystem) won’t land until v4.20. I’m so looking forward to being able to add -Wvla globally to the kernel build so we can be free from the classes of flaws that VLAs enable, like stack exhaustion and stack guard page jumping. Eliminating VLAs also simplifies the porting work of the stackleak GCC plugin from grsecurity, since it no longer has to hook and check VLA creation.

Kconfig compiler detection
While not strictly a security thing, Masahiro Yamada made giant improvements to the kernel’s Kconfig subsystem so that kernel build configuration now knows what compiler you’re using (among other things) so that configuration is no longer separate from the compiler features. For example, in the past, one could select CONFIG_CC_STACKPROTECTOR_STRONG even if the compiler didn’t support it, and later the build would fail. Or in other cases, configurations would silently down-grade to what was available, potentially leading to confusing kernel images where the compiler would change the meaning of a configuration. Going forward now, configurations that aren’t available to the compiler will simply be unselectable in Kconfig. This makes configuration much more consistent, though in some cases, it makes it harder to discover why some configuration is missing (e.g. CONFIG_GCC_PLUGINS no longer gives you a hint about needing to install the plugin development packages).

That’s it for now! Please let me know if you think I missed anything. Stay tuned for v4.19; the merge window is open. :)

© 2018, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Corporate pre-crime: The ethics of using AI to identify future insider threats - Hën, 20/08/2018 - 12:07md To protect corporate networks against malware, data exfiltration and other threats, security departments have systems in place to monitor email traffic, URLs and employee behaviors. With artificial intelligence (AI) and machine learning, this data can also be used to make predictions.

UK hacking prosecutions plummet with only 47 charges recorded last year - Hën, 20/08/2018 - 12:01md Cyberattacks are now a daily occurrence and hardly a week goes by when we don't hear of a major data breach -- but despite rising numbers of hacking events, prosecutions rates are falling in the United Kingdom.

The Rise of Bespoke Ransomware - Dje, 19/08/2018 - 11:53pd Drawing from a recent study by SophosLabs, Principal Research Scientist Chester Wisniewski highlights a shift to the rise of more targeted and sophisticated ransomware threats, such as SamSam.

Australian Teen Hacked Apple Network - Dje, 19/08/2018 - 11:48pd An Australian teenager hacked into Apple's enterprise computer network, making off with 90 gigabytes of data before being discovered. He also accessed an undisclosed number of customer accounts during his year-long intrusion.

The state of cybersecurity at small organizations - Sht, 18/08/2018 - 3:39md ESG recently completed a research survey of 400 cybersecurity and IT professionals working at small organizations (i.e. 50 to 499 employees) in North America. As you can imagine, these firms tend to have a small staff responsible for cybersecurity and IT, reporting to business management rather than CIOs or CISOs. (Note: I am an employee of ESG.)

The 5 Challenges of Detecting Fileless Malware Attacks - Sht, 18/08/2018 - 3:34md Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update.

4.18.3: stable

Kernel Linux - Sht, 18/08/2018 - 10:49pd
Version:4.18.3 (stable) Released:2018-08-18 Source:linux-4.18.3.tar.xz PGP Signature:linux-4.18.3.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.18.3

4.17.17: stable

Kernel Linux - Sht, 18/08/2018 - 10:48pd
Version:4.17.17 (stable) Released:2018-08-18 Source:linux-4.17.17.tar.xz PGP Signature:linux-4.17.17.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.17.17

4.14.65: longterm

Kernel Linux - Sht, 18/08/2018 - 10:48pd
Version:4.14.65 (longterm) Released:2018-08-18 Source:linux-4.14.65.tar.xz PGP Signature:linux-4.14.65.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.14.65

4.9.122: longterm

Kernel Linux - Sht, 18/08/2018 - 10:47pd
Version:4.9.122 (longterm) Released:2018-08-18 Source:linux-4.9.122.tar.xz PGP Signature:linux-4.9.122.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.9.122

4.4.150: longterm

Kernel Linux - Sht, 18/08/2018 - 10:45pd
Version:4.4.150 (longterm) Released:2018-08-18 Source:linux-4.4.150.tar.xz PGP Signature:linux-4.4.150.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.4.150

3.18.119: longterm

Kernel Linux - Pre, 17/08/2018 - 8:54md
Version:3.18.119 (EOL) (longterm) Released:2018-08-17 Source:linux-3.18.119.tar.xz PGP Signature:linux-3.18.119.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-3.18.119

Ubuntu Podcast from the UK LoCo: S11E23 – Twenty-Three Tales - Ubuntu Podcast

Planet Ubuntu - Pre, 17/08/2018 - 4:00md

We’ve been upgrading RAM and tooting in the fediverse. We discuss Hollywood embracing open source, a new release of LibreOffice, pacemakers getting hacked and fax machines becoming selfaware and taking over the planet. We also round up the community news and events.

It’s Season 11 Episode 23 of the Ubuntu Podcast! Alan Pope, Mark Johnson and Martin Wimpress are connected and speaking to your brain.

In this week’s show:

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.


Subscribe to AlbLinux agreguesi