Previous Page
PCLinuxOS Magazine
Article List
Next Page

Short Topix: Use Secure Linux Kernels To Thwart Russian Hackers

by Paul Arnote (parnote)

Think A Smart Lock Should Be In Your Future? Go Fish, Say Majority Of Security Experts

Are you considering using a "smart lock" to secure your house, shed, gate, etc.? You might want to reconsider, according to 73 percent of 549 responding security experts. In an article published by Forbes, their answer was clear: "Get in the sea!"

The PCLinuxOS Magazine reported in the May 2020 Short Topix article about how insecure a "smart lock" was that relied on fingerprints. It has to do, mostly, with only a bare minimum of data points being employed when comparing the "unlocking" fingerprint to the one(s) stored in the device memory. So, when only checking five data points within a complex fingerprint, versus, say, comparing 10 or 20 data points, it becomes a trivial task to fool the fingerprint reader. Of course, when you increase the data points in the pattern, you make the lock more persnickety about granting access.

Locks that use fingerprints aren't the only kind that exhibit vulnerabilities. Other "smart locks" rely on wifi or Bluetooth to lock or unlock. But what happens when your network goes down? What happens in the event of a prolonged power outage? What happens when the network you depend on is a victim of malware or ransomware? What if your "smart lock" depends on a connected smartphone app to work ... and you lose your smartphone? In any/all of these cases, you are effectively locked out of your own house, shed, gate, belongings, etc. In the latter case, your smartphone in the hands of someone who may have taken it, also affords entry to areas you would prefer to keep secure.

Recently, one security expert discovered a vulnerability in a "smart lock" from U-Tec that allowed a hacker to gain access using a smartphone (which many, many people possess) and hacking the MAC address. U-Tec fixed the vulnerability as soon as they were informed, but the incident illustrates just how vulnerable a "smart lock" is.

Of course, there's the other side of the equation, too. Most "dumb locks" (that is, those using a key and tumbler approach) aren't necessarily the most secure things in the world, either. They are vulnerable to "lock bumping," where a special key is used to "bump" the tumblers in a lock into yielding and unlocking. Some locks can easily be bypassed with just an aluminum pop can and a pair of scissors. Don't believe me? Just look on YouTube, where there are TONS of videos showing and explaining the technique. And don't think that lock picks are only available to locksmiths. In less than a minute, I can find over a thousand places on the internet to buy my own set of lock picks, and where they are more than happy and willing to sell me a set.

While "smart locks" represent some interesting and intriguing possibilities, I wouldn't be so quick to jump on the bandwagon just yet. If it were me, I think I'd just let the technology mature a bit/lot more, and let others who adopt the technology in its early stages be the guinea pigs ... and unfortunate victims.

NASA Releases New Batch Of Mars Images For Downloading

Image: NASA

Looking for some new wallpaper that is ... literally ... out of this world?

NASA has released some stunning new images from the 15 year old Mars Reconnaissance Orbiter (MRO), and they certainly don't disappoint. Some of these images represent the most detailed shots we've ever seen of the Red Planet.

The MRO's primary mission is to study the temperatures in Mars' atmosphere, look underground using radar and detect minerals on the planet's surface. And while photography isn't necessarily a part of that primary mission, the spacecraft is probably best known for the awesome images it captures of Mars. Those images captured by the MRO have shaped and transformed our current knowledge of the planet, and what it looks like.

Included in the image collection released for the MRO's 15th anniversary is a closeup image of one of Mars' two moons, Phobos. Another image shows avalanches, while yet another shows the Mars rover, Curiosity, on the Martian surface.

U.S.: FBI, NSA Urge Linux Users To Use Secure Kernel To Thwart Russian Malware

We all know how reliable and secure Linux is, right? Well, before we go any further, let me explain one HUGE detail in this article that might not be quickly apparent: as a PCLinuxOS user, you are secure. The vulnerability detailed in this report exists in Linux kernel 3.6 and lower/older. As a PCLinuxOS user, you are almost certainly using a much, much more recent kernel. The Linux kernel 3.7 was "retired" in March 2013, so we're talking about a quite old Linux kernel here.

The NSA and FBI issued a joint cybersecurity advisory (PDF), news release (HTML), and fact sheet (PDF) detailing the potential malware exploit, named DrovoRub, on August 13, 2020. The malware, from the state-sponsored Russian hacking group known as either Fancy Bear, Strontium, or APT 28 (take your pick ... it's the same group), gets its name from combining Drovo, which means wood or firewood, and Rub, which means to chop or cut.

The NSA and FBI have advised that Linux users should do three things to protect themselves from this malware. First, they should update to Linux Kernel 3.7 or later, "in order to take full advantage of kernel signing enforcement." Second, they should activate UEFI Secure Boot. Third, Linux users should "configure systems to load only modules with a valid digital signature, making it more difficult for an actor to introduce a malicious kernel module into the system."

So, see? As a PCLinuxOS user, you are most assuredly safe and secure. It's EXTREMELY unlikely that you are using a kernel that was retired over seven years ago. However, you know that in some dark, closeted server room somewhere in the world, sits a long forgotten Linux server that just happily keeps chugging along, day after day, year after year, without any updates being performed in years. Many server operators are reluctant to take a server down or offline that is performing its desired/assigned function for a kernel update. It's more of a "if it ain't broke, don't fix it" approach.

So, this "threat" represents the importance of two things for PCLinuxOS users. First, use the most recent kernel that functions with all of your hardware. Newer kernels resolve security vulnerabilities that might have gone unnoticed for quite some time (such as with DrovoRub). Second, keep your system as up-to-date as you possibly can, since many software updates close or resolve security vulnerabilities that are discovered after (sometimes long after) the release of the software. Do you still think it isn't a big deal? See here for all of the vulnerabilities discovered in the Linux Kernel.

The "takeaway" is quite simple. Keep. Your. Computer. Updated. Only by staying one (or a few) steps ahead of the hackers will you guarantee that your data and OS are safe.

Microsoft Tells Users They Can NEVER Uninstall Edge Browser

I remember a post in the PCLinuxOS forum several months back that stated Microsoft wanted to bring their new Chromium-based browser, Edge, to Linux. As you can imagine, the mere suggestion got a decidedly mixed reaction, with most being quite negative reactions. After all, most Linux users are Microsoft refugees, and want as little as possible to do with the Goliath-like (some might argue Medusa-like or Hydra-like) corporation. Trust of Microsoft among Linux users is more shallow than a light coating of rain on pavement. Embrace, extend, and extinguish (EEE) is used by many, many Linux users to describe Microsoft's recent "love" for Linux.

It seems that the negative reaction was probably the right one. Now, Windows 10 users (and even some Windows 7 holdouts) are being told by Microsoft that they will be unable to uninstall the new Edge browser, once installed. Here's the information, directly from Microsoft's support site:

The new version of Microsoft Edge gives users full control over importing personal data from the legacy version of Microsoft Edge. The new version of Microsoft Edge is included in a Windows system update, so the option to uninstall it or use the legacy version of Microsoft Edge will no longer be available.

According to an article from ZDNet, some users are describing the new Edge browser as malware, because of the move. Some users are fearing that the new Edge browser is stealing their Google Chrome browser information.

Does all of this sound familiar? It sure does to me. It harkens back to when Microsoft made Internet Explorer "uninstallable." When was it? Windows 95? Windows 98? Windows XP? It's all such a blur. Microsoft claimed it was an "integral part" of the operating system. There were court cases filed and fought, with Microsoft losing in almost every case. You would have thought that Goliath would have learned its lesson from that fiasco. It has me thinking that it's a whole new group at Microsoft who either don't know, weren't around, weren't born yet, or don't know the history making these boneheaded moves.

Granted, Edge is a fine browser (or so I hear). It should be, based on Chromium, the open source version of Google Chrome. I actually used Chromium for a while when it was available in the PCLinuxOS repository. Without a doubt, it's a far cry better than Internet Explorer ever could be or was. But, to irrevocably impose the browser on unsuspecting users is an overreach of Microsoft's near monopoly of the operating system market.

I don't know about you, but since the announcement earlier in the month of August, my inbox has overflowed with links to articles about how to uninstall/remove the Edge browser from Window 10 systems.

Short Topix Roundup

Do you ever wonder what will happen when there are no more people on the Earth? This article from LiveScience answers that question. It's not a pretty picture, either, given all the trash mankind will leave behind. Just the lack of maintenance of critical infrastructure will bring about swift and sometimes catastrophic changes that will affect whatever comes after humans. We all know what happens, thanks to Chernobyl, when an area is abandoned and left to return to nature. Nature always seems to not only reclaim the area, but it also recharges and repairs the damage, sometimes quickly.

Scientists (think they) know how and when the universe comes to an end. Well, at least one scientist, anyways. No need to worry, however, as this Fox News report informs us that it won't be for another few trillion years. The report is from the Monthly Notices of the Royal Astronomical Society journal. I know I'm just a lay person when it comes to the study of the cosmos, but the report seems, at least to me, to be lacking in what we know happens all of the time. Like, the theory of what happens to matter sucked into a black hole. Or, the fact that stellar nurseries exist all over the universe, continually giving birth to new stars and celestial bodies.

One new upstart company thinks it has come up with the world's most comfortable N95 mask for daily use. The PurMe mask is made of soft silicone, and sports interchangeable filters, ranging from PM2.5 to N95 to P100 filters. It comes in three colors: white, black and clear/transparent. The company claims that the mask allows for use of facial recognition to unlock smartphones, is water resistant, and comfortable to wear. Wearing masks of varying types at my job in the hospital and since the beginning of the current pandemic, I do wonder how comfortable these would be to wear. I've worn N95, KN95, Level 3 surgical masks, Level 1 surgical masks, cloth masks, and neoprene masks. They are all H-O-T to wear, to varying degrees. I can't imagine how hot a silicone mask would be to wear all day.

Previous Page              Top              Next Page