Security: No system is 100% hacker-proof
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 30 days after creation.
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 30 days after creation.
Security: No system is 100% hacker-proof
Hello, folks.
Some of you will have read the linked article already. It is the result of this year's Pwn2Own competition:
Pwn2Own 2021 - Schedule and Live Results
As this is the Linux Mint forum and as the main Linux Mint edition is based on Ubuntu, you might like to watch out specifically for the successful privilege escalation attacks executed against Ubuntu, when reading the article.
Best regards,
Karl
Some of you will have read the linked article already. It is the result of this year's Pwn2Own competition:
Pwn2Own 2021 - Schedule and Live Results
As this is the Linux Mint forum and as the main Linux Mint edition is based on Ubuntu, you might like to watch out specifically for the successful privilege escalation attacks executed against Ubuntu, when reading the article.
Best regards,
Karl
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
- Pjotr
- Level 24
- Posts: 20136
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: Security: No system is 100% hacker-proof
You mean to say that those attacks will be carried out when reading that article?
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: Security: No system is 100% hacker-proof
Pjotr, you know pretty well that reading the article will not trigger any attacks on our machines. Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
Re: Security: No system is 100% hacker-proof
But the attacks will still happen simultaneously with us reading the article?! Waaah! Don't read it!
Re: Security: No system is 100% hacker-proof
At my age now, i realise i could have missed something in the reading of this article, but in order to do these "privilege escalation attacks" as described, don't the "perpertrators" need to have "physical access" to the machines in question to accomplish this feat ???...Just asking...DAMIENAs this is the Linux Mint forum and as the main Linux Mint edition is based on Ubuntu, you might like to watch out specifically for the successful privilege escalation attacks executed against Ubuntu, when reading the article.
Re: Security: No system is 100% hacker-proof
Not necessarily physical but "local escalation of privilege" does mean having access as a regular user already.
Re: Security: No system is 100% hacker-proof
It is quite insulting:
SUCCESS - Ryota used an OOB access bug to go from a standard user to root on Ubuntu Desktop. He earns $30,000
SUCCESS - The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000
-=t42=-
Re: Security: No system is 100% hacker-proof
I'd say. As if latter would not have much bigger impact than twenty-thirds former...
Re: Security: No system is 100% hacker-proof
Mentioned in the article Ubuntu OOB (out-of-bounds) access bugs are the kernel vulnerabilities, which allows local attacker to escalate privileges on affected kernels. in case of Ryota Shiga it affects any distribution with non-patched kernels from 4.9 to 4.13. ZDI-20-1440
-=t42=-
Re: Security: No system is 100% hacker-proof
Hi, t42.
As I understand, the pre-requisite within the pwn2own competition is that the teams have found and use vulnerabilities, so far unknown.
Provided my understanding is correct, it is unlikely that the way how they escalated their privileges and gained root access on Ubuntu during the competition has already been disclosed before the competition in the linked article.
Or did I just misunderstand and the article was only meant to give an example that such vulnerabilities exist and have already been exploited successfully in the recent past?
Karl
As I understand, the pre-requisite within the pwn2own competition is that the teams have found and use vulnerabilities, so far unknown.
Provided my understanding is correct, it is unlikely that the way how they escalated their privileges and gained root access on Ubuntu during the competition has already been disclosed before the competition in the linked article.
Or did I just misunderstand and the article was only meant to give an example that such vulnerabilities exist and have already been exploited successfully in the recent past?
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
Re: Security: No system is 100% hacker-proof
It's all zero-day by definition and not publicly disclosed. So unlucky guy Billy doesn't received any money as the bug was known to the vendor (but not to public) already.
-=t42=-
- Portreve
- Level 13
- Posts: 4870
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: Security: No system is 100% hacker-proof
I have a solution:
Karlchen can type up a post here which recounts in detail every salient point made in the Pwn2Own article. That way, there's no chance that a news-bearing attack vector web site can affect us.
Well, that's so long as he doesn't also decide to unleash the Irish Virus on us and someone here is susceptible to it.
Karlchen can type up a post here which recounts in detail every salient point made in the Pwn2Own article. That way, there's no chance that a news-bearing attack vector web site can affect us.
Well, that's so long as he doesn't also decide to unleash the Irish Virus on us and someone here is susceptible to it.
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Re: Security: No system is 100% hacker-proof
Dang! I'm sitting in a cafe right now and forgot my tinfoil hat!
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
Re: Security: No system is 100% hacker-proof
Here's the answer, the only foolproof way to avoid being hacked. Buy a computer. Take it home. Never ever take it out of the box. Anything else, on any OS, entails some risk.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
- RollyShed
- Level 8
- Posts: 2441
- Joined: Sat Jan 12, 2019 8:58 pm
- Location: South Island, New Zealand
- Contact:
Re: Security: No system is 100% hacker-proof
It sounds a bit like the phone call a day ago from India, though they said they were "just up the road". My computer was upsetting the nation wide local phone company, 7000 instances they said. We don't use that provider. Please press the Win key an "r".
This of course does nothing on Linux. They are too stupid to ask what system you are using.
As this didn't do anything I was passed to a supervisor and asked to search for a website providing software for remote computer control. The third Google option down was an article about how someone had got hacked. I should have told him I'd installed it and carried on having my cup of coffee and reading my book.
As it was I only managed to waste 25 minutes of their time.
Somewhere it was reported that the record is an hour and a half keeping them on a call. I've not managed that.... yet.
This of course does nothing on Linux. They are too stupid to ask what system you are using.
As this didn't do anything I was passed to a supervisor and asked to search for a website providing software for remote computer control. The third Google option down was an article about how someone had got hacked. I should have told him I'd installed it and carried on having my cup of coffee and reading my book.
As it was I only managed to waste 25 minutes of their time.
Somewhere it was reported that the record is an hour and a half keeping them on a call. I've not managed that.... yet.
-
- Level 12
- Posts: 4286
- Joined: Tue May 28, 2019 4:27 pm
Re: Security: No system is 100% hacker-proof
I had a long conversation with a pleasant gentleman who rang me (I suspect from far away).RollyShed wrote: ⤴Wed Aug 17, 2022 6:23 pm It sounds a bit like the phone call a day ago from India, though they said they were "just up the road". My computer was upsetting the nation wide local phone company, 7000 instances they said. We don't use that provider. Please press the Win key an "r".
This of course does nothing on Linux. They are too stupid to ask what system you are using.
As this didn't do anything I was passed to a supervisor and asked to search for a website providing software for remote computer control. The third Google option down was an article about how someone had got hacked. I should have told him I'd installed it and carried on having my cup of coffee and reading my book.
As it was I only managed to waste 25 minutes of their time.
Somewhere it was reported that the record is an hour and a half keeping them on a call. I've not managed that.... yet.
We chatted about a virus on my window.
A good 20 minutes we spent trying to find it. Then for some reason he just put the phone down.
I hope he finds a virus on someone else's window one day. What a nice chat.
Re: Security: No system is 100% hacker-proof
What an odd reason to dig up an old topic.
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
- RollyShed
- Level 8
- Posts: 2441
- Joined: Sat Jan 12, 2019 8:58 pm
- Location: South Island, New Zealand
- Contact:
Re: Security: No system is 100% hacker-proof
I had one recently on my cell phone while riding home on my bicycle. He wanted the email address. I told him to get it off the website (not naming the site). Where was he? Darwin he said. I presume tunnelled through Darwin from India so anyone who blocks calls from outside Australia and New Zealand will still get his calls.gittiest personITW wrote: ⤴Thu Aug 18, 2022 12:27 pmI had a long conversation with a pleasant gentleman who rang me (I suspect from far away).
After telling him to look on the website, I next told him the batteries were going flat on the cell phone and hung up.
A while ago, having trouble making out what was being said, I asked for someone who spoke English. They hung up after that request.
NOTE - this is all 100% hacker-proofing a system.
- antikythera
- Level 15
- Posts: 5721
- Joined: Thu Jul 02, 2020 12:52 pm
- Location: Cymru
Re: Security: No system is 100% hacker-proof
Embedded Realtek chips in routers and IoT devices are vulnerable to remote attack, they can be patched via firmware updates but you are reliant on the manufacturers getting their backsides in gear to release such updates.
https://www.realtek.com/images/safe-rep ... -27255.pdf
https://www.realtek.com/images/safe-rep ... -27255.pdf
I’ll tell you a DNS joke but be advised, it could take up to 24 hours for everyone to get it.