Final Thoughts on Ubiquiti

Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing – which includes providing false information to the press.

As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me. I always endeavor to ensure that my articles are properly sourced and factual.

This time, I missed the mark and, as a result, I would like to extend my sincerest apologies to Ubiquiti, and I have decided to remove those articles from my website.

How to Fix Unable To Locate a Package In Ubuntu 22.04 LTS

If you are seeing the “Unable to locate package” error while using Ubuntu, this blog post is for you. It explains the reason for the error along with the solution.

What is the reason for the “Unable to Locate a Package” Error?

Most of the time, you will see this error while trying to install a package in Ubuntu. It appears when apt cannot find the package you asked for in any of the repositories your system is configured to use.

First, refresh the package index so apt knows what the configured repositories currently offer:

sudo apt update

Note: Either the package you are trying to install is unavailable for your Ubuntu version, or it is available in the Universe repository but your system is not configured to use that repository.

Sometimes the package is available in the universe repository. If you want your Ubuntu system to use it, enable the universe and multiverse repositories with the following command:

sudo add-apt-repository universe multiverse
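
As an added example (not part of the original post), here is a Python check that parses the one-line sources.list format Ubuntu 22.04 uses and reports whether the universe and multiverse components are enabled for a given suite; the sample sources.list below is constructed.

```python
"""Check whether the 'universe' and 'multiverse' components are enabled in
APT's one-line sources.list format (the format Ubuntu 22.04 uses).
Added example for this post, not from the original article."""
import re
from typing import Dict, List, Set

# Constructed sample: universe is commented out, multiverse is absent.
SAMPLE_SOURCES_LIST = """\
deb http://archive.ubuntu.com/ubuntu jammy main restricted
# deb http://archive.ubuntu.com/ubuntu jammy universe
deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
"""

# deb [options] URI suite component1 component2 ...
DEB_LINE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.+)$")


def enabled_components(sources_list: str) -> Dict[str, Set[str]]:
    """Map each suite (jammy, jammy-updates, ...) to the set of components
    enabled for it by uncommented 'deb' lines."""
    result: Dict[str, Set[str]] = {}
    for raw in sources_list.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line: contributes nothing
        match = DEB_LINE.match(line)
        if not match or match.group(1) != "deb":
            continue  # ignore deb-src entries and lines apt would not parse
        suite, components = match.group(3), match.group(4).split()
        result.setdefault(suite, set()).update(components)
    return result


def missing_components(sources_list: str, suite: str,
                       wanted=("universe", "multiverse")) -> List[str]:
    """Return which of the wanted components are not enabled for `suite`,
    i.e. the ones 'add-apt-repository' would still need to add."""
    enabled = enabled_components(sources_list).get(suite, set())
    return [c for c in wanted if c not in enabled]


if __name__ == "__main__":
    print("enabled:", enabled_components(SAMPLE_SOURCES_LIST))
    print("missing for jammy:", missing_components(SAMPLE_SOURCES_LIST, "jammy"))
```

On a real system, feed the function the contents of /etc/apt/sources.list and any files under /etc/apt/sources.list.d/ in place of the constructed sample.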

The 4 Most Common OWASP API Security Threats

The Open Web Application Security Project (OWASP) works to improve the security of software worldwide. OWASP’s well-known Top 10 lists increase awareness about the most critical security risks to web applications.

As the foundation for today’s app-driven economy, APIs have risen to the very top of those risks. API usage has exploded and has become ubiquitous across both external-facing and internal applications. To understand and mitigate unique API vulnerabilities and the growing threats against them, OWASP published its inaugural OWASP API Security Top 10.

The list provides companies with a good starting point for learning about the common weaknesses and security flaws that can exist within APIs. Of these, the most common are:

  1. BOLA (Broken Object Level Authorisation)
  2. Broken User Authentication
  3. Excessive Data Exposure
  4. Security Misconfiguration

BOLA

Accounting for about 40% of all API attacks, broken object level authorisation – or BOLA – represents the most prevalent API threat. Attackers can easily exploit API endpoints that are vulnerable to BOLA by manipulating the ID of an object sent within an API request. Because the server component typically does not fully track the client’s state, these vulnerabilities are extremely common in API-based applications.

BOLA authorization flaws can lead to data exfiltration as well as unauthorised viewing, modification, or destruction of data. BOLA can also lead to full account takeover (ATO).

Automated static or dynamic testing cannot easily detect BOLA authorisation flaws. Traditional security controls, such as WAFs and API gateways, also miss these types of attacks because they cannot understand API context and so cannot baseline normal API behaviour.

Broken User Authentication

Broken user authentication allows attackers to use stolen authentication tokens, credential stuffing, and brute-force attacks to gain unauthorised access to applications. Attackers can take over user accounts, gain unauthorised access to another user’s data, and make unauthorised transactions. Authentication mechanisms present an easy target for attackers, particularly if they are fully exposed or public.

Technical factors that can lead to broken authentication in APIs include, among others, weak password complexity, missing account lockout thresholds, excessively long durations for password/certificate rotations, or use of API keys as the only authentication material.

Because traditional security controls lack the ability to track attack traffic over time, they cannot decipher the different forms of advanced attacks that target authentication.

Excessive Data Exposure

APIs often send more information than is needed in an API response and leave it up to the client application to filter the data. However, relying on client-side code to filter sensitive data causes problems, as attackers regularly bypass client-side web and mobile application code and call APIs directly.

In the case of excessive data exposure, attackers hope that the API will provide more information than needed – ideally, information that they can use in more complex attacks. For example, an API request for user information might also produce the admin’s user name, multifactor authentication status, and other data that is completely unnecessary to the original request.

Traditional security scanning and runtime detection tools will sometimes alert on this type of vulnerability, but they are unable to differentiate between legitimate data returned from the API and sensitive data that should not be returned.
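
As an added illustration of the BOLA and excessive data exposure items above (example code, not from OWASP or the original article), here is a minimal “get user” handler in its vulnerable form beside a hardened one that checks object ownership before the lookup and allow-lists the fields it returns; the user store and request shape are constructed.

```python
"""Object-level authorisation and response filtering for a 'get user'
endpoint: the BOLA-vulnerable handler beside a hardened one.
Added example, not code from OWASP or IT Security Guru."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory store. Records hold far more than a client needs.
USERS: Dict[int, Dict] = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com",
        "role": "admin", "mfa_enabled": True, "password_hash": "$2b$12$...x"},
    2: {"id": 2, "name": "bob", "email": "bob@example.com",
        "role": "user", "mfa_enabled": False, "password_hash": "$2b$12$...y"},
}


@dataclass
class Request:
    caller_id: int   # identity taken from a validated session or token
    target_id: int   # object id the client put in the URL or body


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the target object."""


# Allow-list of fields that may ever appear in a response.
RESPONSE_FIELDS = ("id", "name", "email")


def get_user_vulnerable(req: Request) -> Optional[Dict]:
    """BOLA plus excessive data exposure: looks up whatever id the client
    supplied and returns the whole record, leaving filtering to the client.
    Changing target_id is all it takes to read another user's secrets."""
    return USERS.get(req.target_id)


def get_user_hardened(req: Request) -> Optional[Dict]:
    """Decides per object whether this caller may see it, then serialises
    only allow-listed fields so hashes, roles and MFA state never leave."""
    caller = USERS.get(req.caller_id)
    if caller is None:
        raise Forbidden("unknown caller")
    # Object-level check: owner or admin only. Done before the lookup so a
    # denied caller cannot probe which ids exist.
    if req.caller_id != req.target_id and caller["role"] != "admin":
        raise Forbidden("caller is not the owner of this object")
    record = USERS.get(req.target_id)
    if record is None:
        return None
    return {field: record[field] for field in RESPONSE_FIELDS}


def denied(req: Request) -> bool:
    """True when the hardened handler refuses the request (HTTP 403 case)."""
    try:
        get_user_hardened(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob_reads_alice = Request(caller_id=2, target_id=1)
    print("vulnerable:", get_user_vulnerable(bob_reads_alice))
    print("hardened denies:", denied(bob_reads_alice))
    print("hardened self:", get_user_hardened(Request(caller_id=2, target_id=2)))
```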

Security Misconfiguration

Many security misconfigurations exist that often negatively impact API security as a whole and can inadvertently introduce vulnerabilities. Security misconfigurations can include insecure default configurations, incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more.

Misconfigurations enable attackers to gain knowledge of the application and API components during their reconnaissance phase. Attackers can also exploit misconfigurations to pivot their attacks against APIs.

Defending Against API Attacks Requires Context

By their nature, APIs expose application logic. Attackers experiment extensively to identify gaps in that business logic that they can exploit. The reconnaissance needed to mount attacks like these takes a lot of time: a single API attack can take hours, days, or even weeks to unfold.

To defend against them, organizations must analyse large amounts of API traffic and API activity over time. Spotting abuses, such as BOLA, requires continuous monitoring of millions of API calls and users. Large-scale data analysis, in near real time, is essential to establish a baseline of typical API activity and the anomalies that don’t align – this is the kind of context teams need to spot API abuses.

Differentiating between legitimate requests and requests that lack proper authentication or authorization also requires rich context. Organizations need to analyse all API activity to identify attempts to exfiltrate too much data or gain access to unauthorised private data.

Server- or VM-based API security approaches simply don’t have a broad enough data set over time to identify today’s sophisticated API attacks. Only cloud-scale big data combined with AI and ML can collect, store, and quickly analyse hundreds of attributes across millions of users and API calls and correlate them. Cloud-scale big data provides the breadth and depth of context that organisations need to protect their APIs.

The post The 4 Most Common OWASP API Security Threats appeared first on IT Security Guru.

How 1-Time Passcodes Became a Corporate Liability

Phishers are enjoying remarkable success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest technology companies and customer support firms. A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices.

In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.

The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server.

This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign “0ktapus” for the attackers targeting organizations using identity management tools from Okta.com.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB wrote. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

It’s not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.

A great many responses came from those who were apparently wise to the scheme, as evidenced by the hundreds of hostile replies that included profanity or insults aimed at the phishers: The very first reply recorded in the Telegram bot data came from one such employee, who responded with the username “havefuninjail.”

Still, thousands replied with what appear to be legitimate credentials — many of them including one-time codes needed for multi-factor authentication. On July 20, the attackers turned their sights on internet infrastructure giant Cloudflare.com, and the intercepted credentials show at least five employees fell for the scam (although only two employees also provided the crucial one-time MFA code).

Image: Cloudflare.com

In a blog post earlier this month, Cloudflare said it detected the account takeovers and that no Cloudflare systems were compromised. But Cloudflare said it wanted to call attention to the phishing attacks because they would probably work against most other companies.

“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” Cloudflare CEO Matthew Prince wrote. “On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employees’ family members.”

On three separate occasions, the phishers targeted employees at Twilio.com, a San Francisco-based company that provides services for making and receiving text messages and phone calls. It’s unclear how many Twilio employees received the SMS phishes, but the data suggest at least four Twilio employees responded to a spate of SMS phishing attempts on July 27, Aug. 2, and Aug. 7.

On that last date, Twilio disclosed that on Aug. 4 it became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.

“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”

That “certain customer data” included information on roughly 1,900 users of the secure messaging app Signal, which relied on Twilio to provide phone number verification services. In its disclosure on the incident, Signal said that with their access to Twilio’s internal tools the attackers were able to re-register those users’ phone numbers to another device.

On Aug. 25, food delivery service DoorDash disclosed that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. DoorDash said intruders stole information on a “small percentage” of users that have since been notified. TechCrunch reported last week that the incident was linked to the same phishing campaign that targeted Twilio.

This phishing gang apparently had great success targeting employees of all the major mobile wireless providers, but most especially T-Mobile. Between July 10 and July 16, dozens of T-Mobile employees fell for the phishing messages and provided their remote access credentials.

“Credential theft continues to be an ongoing issue in our industry as wireless providers are constantly battling bad actors that are focused on finding new ways to pursue illegal activities like this,” T-Mobile said in a statement. “Our tools and teams worked as designed to quickly identify and respond to this large-scale smishing attack earlier this year that targeted many companies. We continue to work to prevent these types of attacks and will continue to evolve and improve our approach.”

This same group saw hundreds of responses from employees at some of the largest customer support and staffing firms, including Teleperformanceusa.com, Sitel.com and Sykes.com. Teleperformance did not respond to requests for comment. KrebsOnSecurity did hear from Christopher Knauer, global chief security officer at Sitel Group, the customer support giant that recently acquired Sykes. Knauer said the attacks leveraged newly-registered domains and asked employees to approve upcoming changes to their work schedules.

Image: Group-IB.

Knauer said the attackers set up the phishing domains just minutes in advance of spamming links to those domains in phony SMS alerts to targeted employees. He said such tactics largely sidestep automated alerts generated by companies that monitor brand names for signs of new phishing domains being registered.

“They were using the domains as soon as they became available,” Knauer said. “The alerting services don’t often let you know until 24 hours after a domain has been registered.”

On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On Aug. 15, the hosting company DigitalOcean published a blog post saying it had severed ties with MailChimp after its Mailchimp account was compromised. DigitalOcean said the MailChimp incident resulted in a “very small number” of DigitalOcean customers experiencing attempted compromises of their accounts through password resets.

According to interviews with multiple companies hit by the group, the attackers are mostly interested in stealing access to cryptocurrency, and to companies that manage communications with people interested in cryptocurrency investing. In an Aug. 3 blog post from email and SMS marketing firm Klaviyo.com, the company’s CEO recounted how the phishers gained access to the company’s internal tools, and used that to download information on 38 crypto-related accounts.

The ubiquity of mobile phones became a lifeline for many companies trying to manage their remote employees throughout the Coronavirus pandemic. But these same mobile devices are fast becoming a liability for organizations that use them for phishable forms of multi-factor authentication, such as one-time codes generated by a mobile app or delivered via SMS.

As the success of this phishing group shows, this type of data extraction is now being massively automated, and employee authentication compromises can quickly lead to security and privacy risks for the employer’s partners or for anyone in their supply chain.

Unfortunately, a great many companies still rely on SMS for employee multi-factor authentication. According to a report this year from Okta, 47 percent of workforce customers deploy SMS and voice factors for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.

Some companies (like Knauer’s Sitel) have taken to requiring that all remote access to internal networks be managed through work-issued laptops and/or mobile devices, which are loaded with custom profiles that can’t be accessed through other devices.

Others are moving away from SMS and one-time code apps and toward requiring employees to use physical FIDO multi-factor authentication devices such as security keys, which can neutralize phishing attacks because any stolen credentials can’t be used unless the phishers also have physical access to the user’s security key or mobile device.

This came in handy for Twitter, which announced last year that it was moving all of its employees to using security keys, and/or biometric authentication via their mobile device. The phishers’ Telegram bot reported that on June 16, 2022, five employees at Twitter gave away their work credentials. In response to questions from KrebsOnSecurity, Twitter confirmed several employees were relieved of their employee usernames and passwords, but that its security key requirement prevented the phishers from abusing that information.

Twitter accelerated its plans to improve employee authentication following the July 2020 security incident, wherein several employees were phished and relieved of credentials for Twitter’s internal tools. In that intrusion, the attackers used Twitter’s tools to hijack accounts for some of the world’s most recognizable public figures, executives and celebrities — forcing those accounts to tweet out links to bitcoin scams.

“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” Twitter said in an Oct. 2021 post about the change. “To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.”

3 Cybersecurity Trends for 2022

As cyber criminals continue to employ increasingly sophisticated methods to breach security protocols within organizations, cybersecurity will remain a major concern for businesses of all sizes. The cost of cybercrime is set to increase, with the global cybersecurity market estimated to reach $403.01 billion by 2027 at a compound annual growth rate (CAGR) of 12.5%. This article looks at some of the biggest trends affecting cybersecurity in 2022.

Increasing Ransomware Attacks

Ransomware continues to be one of the biggest and most pressing threats to cybersecurity at the moment. Figures from the EU Agency for Cybersecurity reveal that the largest ransomware demand increased from €13 million in 2019 to €62 million in 2021, and it is estimated that last year global ransomware resulted in €18 billion worth of damages. This amounts to 57 times more than in 2015.

Ransomware is malicious software designed to publish or deny a user access to data or a computer system unless they pay a ransom to unlock or decrypt files. Developments in ransomware have also seen the emergence of ransomware as a service (RaaS) allowing cyber criminals to monetize their ransomware on the dark web.

RaaS is a business model in which operators offer affiliates paid subscriptions to their ransomware in order to execute ransomware attacks. Affiliates then make money by earning a percentage from each successful ransom demand. The difficulty of tracking down those involved, coupled with the lucrative nature of this model, means RaaS will continue to grow.

Increased Supply Chain Threats

Attacks on an organization’s supply chain can create massive disruption to its business and are one of the largest trends affecting cybersecurity in 2022. A supply chain attack, also known as a third-party or value-chain attack, targets an organization through a trusted third party with access to its systems and data.

The 2020 SolarWinds attack is an example of a supply chain attack that made the headlines. This case involved hackers compromising the company’s software infrastructure and adding malicious code into it. This resulted in over 18,000 SolarWinds customers installing the malicious updates, thereby spreading the malware without detection. Thousands of organizations were affected, including the U.S. government.

Supply chain attacks are popular with cybercriminals as compromised software potentially gives them access to every organization which uses that software.

Global Phishing Attacks

Phishing scams continue to be one of the biggest security threats to the IT sector, with millions of people falling prey to phishing emails containing malicious URLs. Such emails contain links to pages designed to look like an official website but which are in fact fraudulent. The COVID-19 pandemic saw cybercriminals take advantage of people’s fears to con them into revealing sensitive information via phishing methods. This was particularly prevalent amongst the elderly.

Phishing attacks are now becoming geo-targeted and more personalised, requiring stronger and more comprehensive cybersecurity awareness programs. In geo-based phishing, cybercriminals use the location of potential targets to create profiles in much the same way as marketers do when targeting customers. Phishing emails are written in local languages and content is delivered based on the victim’s geolocation to fool them into handing over personal information.

As cybersecurity trends continue to evolve, continual awareness and training about these threats remains essential for businesses everywhere.

The post 3 Cybersecurity Trends for 2022 appeared first on IT Security Guru.

Akasa Air Suffers Data Leak on First Day of Operation

India’s newest commercial airline, Akasa Air, exposed personal data belonging to its customers. The company blamed these data leaks on technical configuration errors.

Ashutosh Barot, a security researcher, reported that the issue originated in the account registration process, leading to the exposure of personal information such as gender, email addresses, names, and phone numbers.

The bug was identified on 7th August 2022, the same day that the airline commenced its operations in the country.

Barot wrote in a report that: “[he] found an HTTP request which gave [his] name, email, phone number, gender, etc. in JSON format. [He] immediately changed some parameters in [the] request and was able to see other user’s PII. It took around ~30 minutes to find this issue.”

Once the company had received the report, it temporarily shut down parts of its system to add further security guardrails. The low-budget airline also reported the incident to the Indian Computer Emergency Response Team (CERT-In).

Akasa Air emphasised that no payment or travel-related details were left accessible. There is also no evidence that the glitch was exploited in the wild whilst exposed.

The airline said that it has directly notified affected users about the incident, although the scale of the leak remains unclear. Akasa Air added that it “advised users to be conscious of possible phishing attempts.”

The post Akasa Air Suffers Data Leak on First Day of Operation appeared first on IT Security Guru.

Pano – Manage Clipboard History in Ubuntu 22.04 / Fedora 36 in New Style

Need to access your copy & paste history quickly? Forget about GPaste or CopyQ, try Pano!

It’s a cool new clipboard manager for Ubuntu, Fedora, and other Linux distributions with the GNOME desktop, such as Arch and Manjaro.

There’s no system tray indicator or app window; just press your custom keyboard shortcut and a bottom bar appears with all recent clipboard entries.

The histories are displayed in blocks with different colors. It supports:

  • Code blocks with syntax highlighting.
  • Color codes (hex/rgb)
  • Images with size and resolution information.
  • Links with previews.
  • Texts
  • File Operations (Cut/Copy)

Each block has a title indicating when it was created, as well as a little close button to delete it from the history.

As the screenshot shows, there’s an input box to search through the history. Or, you may use either the left/right arrow keys or two-finger swipe left/right gestures to browse through the items.

Once you click an item in the list, it copies the content to the clipboard and closes the bottom bar automatically. You may then paste it anywhere you like.

Install Pano:

Pano is available as an extension which so far supports only GNOME 42. This means you need either Ubuntu 22.04, Fedora 36, or Arch/Manjaro with the GNOME desktop.

1. Firstly, search for and install “Extension Manager” from Ubuntu Software or Pamac package manager.

2. Then, launch the tool by searching from ‘Activities’ overview screen.

3. Finally, search for and install the extension from the ‘Browse’ tab.

After installation, go back to “Installed” tab. Then click on the gear button to open the configuration dialog. Finally, set the global shortcut, how many history items to remember and where to store them.

NOTE: if you get a loading error, log out and back in to restart GNOME Shell.

For Fedora users, go to the extension web page via the link below and use the ON/OFF switch to install it:

Also install the ‘Gnome Extensions’ app from Gnome Software to access the preferences dialog.

How to Ping IPv6 Addresses

Using the ping command is perhaps the most common way to check if a remote server is reachable or not.

By default, the ping command works on the IPv4 address. But what if you need to ping an IPv6 address?

The answer is that you still use the ping command. Yes, the newer versions of the ping command support IPv6 addresses.

ping IPv6_address

If you have a domain name and you want to get the replies from the IPv6, use the ping command like this:

ping -6 domain_name

Alternatively, you can always rely on the ping6 command:

ping6 ipv6_address_or_domain_name

To successfully ping IPv6 addresses, you need a complete IPv6 path between the target and your local system:

  • The target should have IPv6 enabled
  • The source and its router should also have IPv6 enabled

Check if you have IPv6 support enabled on your system

To successfully ping an IPv6 address, you also need IPv6 enabled on your local system. Otherwise, if you try to ping for an IPv6 reply, you’ll get a ‘ping: connect: Network is unreachable’ error:

sagar@LHB:~$ ping -6 google.com
ping: connect: Network is unreachable

How do you know if you have IPv6 support on your system? Use this command and observe its output:

ip -6 route

This prints the routing table for IPv6 traffic. If you see “default via” in the output, you have a gateway set for IPv6:

root@test-server:~# ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1774sec mtu 1500 pref medium

If you see output like the following, with no default route listed, you don’t have IPv6 support enabled. You should enable it first.

sagar@LHB:~$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp0s20f3 proto kernel metric 1024 pref medium
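
The check above can be scripted. As an added example (not from the original post), this Python snippet parses ip -6 route output and reports whether a default IPv6 route exists, using the two outputs shown above as embedded input.

```python
"""Parse `ip -6 route` output and report whether a default IPv6 route
(gateway) is present. Added example, not from the original article; the
two sample outputs are the ones shown in the post."""
from typing import Dict, Optional

# Output with a gateway (from the post): "default via ..." is present.
WITH_GATEWAY = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1774sec mtu 1500 pref medium
"""

# Output without a gateway (from the post): only loopback and link-local.
WITHOUT_GATEWAY = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp0s20f3 proto kernel metric 1024 pref medium
"""

# Attributes that `ip route` prints as "key value" pairs.
KEYED_ATTRS = ("via", "dev", "proto", "metric", "expires", "mtu", "pref", "src")


def parse_route_line(line: str) -> Dict[str, str]:
    """Turn one route line into a dict: the destination under 'dst' plus
    every key/value attribute; bare flags (e.g. 'linkdown') map to ''."""
    tokens = line.split()
    route = {"dst": tokens[0]}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key in KEYED_ATTRS and i + 1 < len(tokens):
            route[key] = tokens[i + 1]
            i += 2
        else:
            route[key] = ""
            i += 1
    return route


def default_gateway(output: str) -> Optional[Dict[str, str]]:
    """Return gateway, interface and expiry of the first default route,
    or None when the table has no default route at all."""
    for raw in output.splitlines():
        if not raw.strip():
            continue
        route = parse_route_line(raw)
        if route["dst"] == "default":
            return {"via": route.get("via", ""),   # '' for an on-link default
                    "dev": route.get("dev", ""),
                    "expires": route.get("expires", "")}
    return None


def ipv6_ping_ready(output: str) -> bool:
    """True when a default IPv6 route exists, i.e. `ping -6` to a remote
    host can leave the machine instead of failing with 'Network is
    unreachable'."""
    return default_gateway(output) is not None


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["ip", "-6", "route"], capture_output=True, text=True)
    print("default route:", default_gateway(live.stdout))
    print("IPv6 ping ready:", ipv6_ping_ready(live.stdout))
```

The `__main__` block runs the real command on a Linux host; the functions themselves only need the captured text, so they work on output pasted from another machine too.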

Once you have ensured that your local system has IPv6 support, let’s look at pinging IPv6 addresses.

Pinging an IPv6 Address using ping command

If you ping a domain, by default, it pings the IPv4 address. Something like this:

Image: The default way of pinging network addresses

As per the man page of the ping command, you can use the -6 option to force ping to use IPv6 addresses.

ping -6 domain_name

In the example below I use the same address, so that you can notice the change in the address that sends the replies.

Image: Using the -6 option to ping an IPv6 network address

See the difference in the address? You are getting replies from the IPv6 address this time.

That’s good with domain names. What if you only have the IPv6 address?

Using Full IPv6 Address

The method is quite easy: pass the IPv6 address to the ping command. Yep, that’s it!

ping IPv6_address

The IPv6 address of Linux Handbook is 2606:4700:20::681a:c82, so I’ll use it as an example:

Image: Using the ping command with an IPv6 address

Using ping6 command to ping IPv6

Earlier, the ping command could only handle IPv4 addresses, so a separate utility called ping6 was created.

On some older Linux versions, ping may not work for IPv6. If that’s the case, use ping6 instead.

ping6 domain_or_IPv6_address

Image: Using the ping6 command to ping an IPv6 address

Final Words

I don’t see the need for using ping6. The ping command has always been my go-to choice while troubleshooting networking issues. I prefer using it for IPv6 as well. One less command to remember.

Feel free to share your ideas and doubts.

How to Set Different Wallpaper for Each Workspace in Ubuntu 22.04

Want to set different wallpaper for each desktop workspace? You can now do this in Ubuntu and Fedora via a GNOME extension.

This was one of my favorite features when Ubuntu used Unity as its default desktop. After switching back to GNOME, I didn’t find an alternative way to get this feature until I came across this extension.

However, this method does not display different wallpapers in the overview. The wallpaper applies only once you switch to that desktop (workspace), so it may be better described as changing the wallpaper automatically when switching desktops.

Install the Extension & Set wallpapers in Ubuntu 22.04:

For Ubuntu 22.04, first search for and install “Extension Manager” from Ubuntu Software.

Next, press Super (Windows logo) key to open overview, search for and open the tool you just installed.

When it opens, navigate to “Browse” tab, search for and install “Walkpaper2” extension.

Finally, switch back to the “Installed” tab and click the gear icon for the extension. In the pop-up window, click on the existing image to open a dialog and set a new wallpaper.

NOTE: GNOME has 2 workspaces by default and adds more dynamically. To set a fixed number of desktop workspaces, go to “Settings -> Multitasking -> Workspaces”.

Set different wallpaper in other GNOME based Linux

For Fedora Workstation 36, Arch and Manjaro with GNOME, simply go to the link below and turn on the ON/OFF switch to install the extension:

If you don’t see the ON/OFF switch, follow the link on that page to install the browser extension, then refresh the page.

To get the settings dialog, install and use the “Gnome Extensions” app, either from Gnome Software or via the pamac package manager.

There’s another extension that supports older GNOME versions; however, it lacks support for the GNOME versions shipped in Ubuntu 18.04 and Ubuntu 20.04.