
News for Admins

Tech News

The Python Clock Has Almost Reached Zero

As of January 1, 2020, Python 2 will reach its end of life. Originally an official date wasn't set, but that has changed to a hard and fast deadline. There's even a countdown clock (https://pythonclock.org/) to tick away the days, hours, minutes, and seconds before we say goodbye to Python 2.

What does this mean? It means a number of critical Python projects will stop supporting version 2 and developers must begin the migration to Python 3 as soon as possible. However, there's a catch. If you get Python from the Ubuntu repositories (for either 16.04 or 18.04), Python 2 will continue to be supported for the lifetime of those releases (regardless of the upstream status of the Python packages). This is due to Python being included in the Main repository for all Ubuntu releases (and derivatives using the same repositories), prior to 19.10.

For all developers who depend upon Python, an official porting guide (https://docs.python.org/3/howto/pyporting.html) has been released for the running of Python 2 code in Python 3. This is crucial, because if your project uses Python 2, it may no longer function properly after January 1, 2020. So porting from Python 2 to Python 3 should be considered a must. To find out what projects have pledged to end support for Python 2, visit the official pledge site (https://python3statement.org/).

Docker Hub Now Supports Two Factor Authentication

The container image repository Docker Hub has added Two Factor Authentication (2FA, https://docs.docker.com/docker-hub/2fa/) to its feature list. The feature falls in line with many other services, wherein users authenticate with a third-party application (such as Google Authenticator or Authy) or via SMS text message. Although this will mean users must always have access to their mobile devices when attempting to log into Docker Hub (which adds an extra step to the login process), it also means an added layer of security will be there to protect their accounts.

The feature is still in beta, but any Docker Hub user can enable the feature by logging into their account and going to Account Settings | Security | Two Factor Authentication.

This new security feature comes on the heels of a massive security breach (April, 2019), where up to 190,000 users' data could have been exposed.

According to Shanea Leven, Senior Director of Product Management at Docker, Inc., "we chose to use one of the more secure models for 2FA: software token (TOTP) authentication." Leven continues, "TOTP requires a little more upfront setup, but once enabled, it is just as simple (if not simpler) than text message-based verification."

Users who access their Docker Hub accounts through the command-line interface (CLI) will also have to create a personal access token, in order to log in from the command line. Once 2FA has been enabled, standard username/password authentication will not work.

Hetzner Launches New Ryzen-Based Dedicated Root Servers

Hetzner is an Internet hosting company and data center operator out of Germany that provides dedicated hosting, shared web hosting, virtual private servers, managed servers, domain names, SSL certificates, storage, and cloud solutions. Recently the company announced the launch of a new line of Ryzen-based dedicated root servers that offer a significant boost in performance for customers across all of their services.

According to Tommy Giesler, Product Manager for Dedicated Root Servers at Hetzner Online, "All four servers are built to handle applications that have high multithreading requirements." He continued to say that "they're also great as general entry level servers for people with heavy workloads."

The new lineup consists of the AX41 and AX41-NVMe, which are based on the Ryzen 5 3600 CPU (with 6 cores and 12 threads), and can be combined with either two 2TB HDDs or two 512GB NVMe SSDs. Each of those servers has 64GB of DDR4 RAM. The AX41 and AX41-NVMe start at EUR39.00 a month, with a one-time setup fee of EUR39.00. Customers can opt to upgrade the memory on those servers to ECC RAM for just EUR5.00 a month for increased data integrity.

A step up from the base models are the AX51 and AX51-NVMe. These servers are based on the Ryzen 7 3700X (with 8 cores and 16 threads) and can be combined with either two 8TB HDDs or two 1024GB NVMe SSDs. Both models include 64GB of DDR4 ECC RAM. The AX51 and AX51-NVMe are available starting at EUR59.00 a month plus a one-time setup fee of EUR59.00.

Visit https://www.hetzner.com/dedicated-rootserver/matrix-ax for more information about these new servers.

Microsoft Launches Bug Bounty Program to Protect Electronic Voting Machines

More and more democracies are relying on electronic voting machines over paper ballots, and some of these machines remain unacceptably vulnerable to attack.

In order to protect voting machines, Microsoft recently released an open source software development kit called ElectionGuard.

ElectionGuard SDK uses homomorphic encryption (https://en.wikipedia.org/wiki/Homomorphic_encryption) to ensure that votes recorded by electronic systems of any type remain encrypted, secure, and secret. It also allows verifiable and accurate tallying of ballots by any third-party organization without compromising secrecy or security.
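
To illustrate how a tally can be computed on ballots that stay encrypted, here is an added example that is not taken from the ElectionGuard SDK: a generic additively homomorphic scheme (exponential ElGamal) over a toy group. The parameters and function names are constructed for illustration, the group is far too small for real use, and the proofs that make a real tally verifiable are omitted.

```python
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# P is a safe prime, Q = (P - 1) // 2 is prime, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (private key, public key)."""
    x = secrets.randbelow(Q - 1) + 1          # private key in [1, Q-1]
    return x, pow(G, x, P)

def encrypt(pub, vote):
    """Exponential ElGamal: the vote (0 or 1) is placed in the exponent of G."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1          # fresh randomness per ballot
    return pow(G, r, P), (pow(G, vote, P) * pow(pub, r, P)) % P

def add(c1, c2):
    """Multiplying ciphertexts component-wise adds the hidden plaintexts."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P

def tally(ciphertexts):
    """Combine ballots without decrypting any single one of them."""
    total = (1, 1)                            # trivial encryption of 0
    for c in ciphertexts:
        total = add(total, c)
    return total

def decrypt_sum(priv, ct, max_sum):
    """Recover G^m, then find m by search; feasible since m <= ballot count."""
    a, b = ct
    g_m = (b * pow(a, Q - priv, P)) % P       # a has order Q, so a^(Q-priv) = a^(-priv)
    acc = 1
    for m in range(max_sum + 1):
        if acc == g_m:
            return m
        acc = (acc * G) % P
    raise ValueError("sum outside expected range")

def demo():
    votes = [1, 0, 1, 1, 0, 1]                # constructed sample ballots
    priv, pub = keygen()
    encrypted = [encrypt(pub, v) for v in votes]
    return decrypt_sum(priv, tally(encrypted), len(votes))

if __name__ == "__main__":
    print("yes votes:", demo())
```

Only the combined ciphertext is ever decrypted, so the key holder learns the total but not how any individual ballot was cast.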

The code can run on any voting system hardware and can be integrated into existing (or new) voting system software.

Now Microsoft is taking the security of these machines to the next level by launching a bug bounty program for ElectionGuard.

"Researchers from across the globe, whether full-time cyber security professionals, part-time hobbyists, or students, are invited to discover high-impact vulnerabilities in targeted areas of the ElectionGuard SDK (https://github.com/microsoft/ElectionGuard-SDK) and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD) (https://www.microsoft.com/en-us/msrc/cvd). Eligible submissions with a clear, concise proof of concept (POC) are eligible for awards up to US$15,000," said Jarek Stanley, Senior Program Manager, Microsoft Security Response Center.

Source: https://msrc-blog.microsoft.com/2019/10/18/introducing-the-electionguard-bounty-program/

New Fileless Malware Discovered

Security researchers from Microsoft (https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/) and Cisco Talos have discovered a new malware loader dubbed "Nodersok" and "Divergent," which is being distributed through online advertisements.

According to Microsoft, the Nodersok (and Divergent) campaign has been pestering thousands of machines in the last several weeks, with most targets located in the United States and Europe. "The majority of targets are consumers, but about 3% of encounters are observed in organizations in sectors like education, professional services, healthcare, finance, and retail," said the company in a blog post.

What makes this malware unique, according to the Hacker News (https://thehackernews.com/2019/09/windows-fileless-malware-attack.html), is the fact that "it's an advanced fileless malware, and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code."