
Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox).

  • Open Source Security Podcast: Episode 191 - Security scanners are all terrible

    Josh and Kurt talk about security scanners. They're all pretty bad today, but there are some things we can do to make them better. Step one is to understand the problem. Do you know why you're running the scanner and what the reports mean?

  • Misconfigured Docker API Ports Targeted by Kinsing Malware

    Security researchers observed an attack campaign that targeted misconfigured Docker API ports with samples of Kinsing malware.

    According to Aqua Security, the campaign began when it capitalized on an unprotected Docker API port to run an Ubuntu container.

    The command used for creating the Ubuntu container included a shell script, “d.sh.” Over its 600+ lines of code, the shell script began by disabling security measures, clearing logs and disabling other malware and cryptominer samples. It then killed rival malicious Docker containers before loading its Kinsing payload.

  • L1d Cache Flush On Context Switch Moves Forward For Linux In Light Of Vulnerabilities

    A new patch series sent out just under one month ago provided opt-in L1 data cache flushing on context switches. That work has now been revived, and with documentation added it is clear that it is being done in response to a recently published CVE.

    The patches originally sent out by an Amazon engineer characterized the work as for the "paranoid due to the recent snoop assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

More on Docker

  • Docker Users Targeted with Crypto Malware Via Exposed APIs [Ed: People who use things they do not understand can leave holes, but this is not the fault of the software]

    Hackers are attempting to compromise Docker servers en masse via exposed APIs in order to spread cryptocurrency mining malware, according to researchers.

    Aqua Security claimed to have tracked the organized campaign for several months, revealing that thousands of attempts to hijack misconfigured Docker Daemon API ports are taking place almost every single day.

    “In this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts,” it explained.

    The Ubuntu container itself is designed to disable security measures and clear logs, and kills applications on the system including any other malware, as well as downloading the kinsing malware designed to mine for digital currency on the compromised Docker host.

Misconfigured Containers Again Targeted by Cryptominer Malware

  • Misconfigured Containers Again Targeted by Cryptominer Malware

    An attack group is searching for insecure containers exposing the Docker API and then installing a program that attempts to mine cryptocurrency. It's not the first time.

    Attackers are searching for containers that expose a misconfigured port for the Docker API to add another container to do their bidding and run malicious code to mine cryptocurrency, container security firm Aqua Security stated in an April 3 advisory.

    The campaign appears to target containers that allow Docker commands to be executed without authentication, with — in some cases — more than a hundred scans targeting each IP address on the Internet every day. A search using the port-scanning service Shodan revealed that some 6,000 IP addresses may have vulnerable installations of Docker, says Idan Revivo, head of cybersecurity research for Aqua Security.

Kinsing Malware Hits Container API Ports With Thousands...

More on 'Kinsing'

  • If you don't cover your Docker daemon API port you'll have a hell of a time... because cryptocreeps are hunting for it

    Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people's CPU time.

    Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public internet with no protection. It's a fairly common error that hackers have exploited in the past to mine digital coins, although lately we're told there have been thousands of infection attempts daily via this interface, all involving a piece of Linux malware dubbed Kinsing.

    "These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date," noted researcher Gal Singer this week.

    "We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor."
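    The misconfiguration every item above turns on is the same one: a Docker daemon listening on a TCP port with no authentication, so anyone who can reach the port can start containers on the host. The script below is an added example, not code from any of the quoted articles or from Aqua Security's report; it audits the two places the listener is normally configured (the `hosts` key in `/etc/docker/daemon.json` and `-H`/`--host` flags on the `ExecStart=` line of the dockerd systemd unit) and rates each listener from a defender's point of view. The configuration snippets it checks are constructed for the example.

```python
import json
import shlex
from dataclasses import dataclass

# Constructed sample configurations (not taken from the articles above).
DAEMON_JSON_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DAEMON_JSON_TLS = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
                   '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
                   '"tlskey": "/etc/docker/server-key.pem"}')
UNIT_EXPOSED = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                "--containerd=/run/containerd/containerd.sock")
UNIT_LOCAL = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375"

SEVERITY_ORDER = {"ok": 0, "warn": 1, "critical": 2}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}


@dataclass
class Finding:
    listener: str
    severity: str   # "ok", "warn" or "critical"
    reason: str


def parse_daemon_json(text):
    """Return (hosts, tls_verify) from a daemon.json document.
    With no "hosts" key dockerd listens on the unix socket only."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    return hosts, bool(cfg.get("tlsverify", False))


def parse_unit_execstart(line):
    """Return (hosts, tls_verify) from a systemd ExecStart= line for dockerd."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    args = shlex.split(cmd)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):   # "-H value" form
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("-H=") or a.startswith("--host="):  # "--host=value" form
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return (hosts or ["unix:///var/run/docker.sock"]), tls_verify


def classify(hosts, tls_verify):
    """Rate each listener: local sockets are fine, plain TCP on a
    non-loopback address with no tlsverify is the exposure the articles describe."""
    findings = []
    for h in hosts:
        if h.startswith("unix://") or h.startswith("fd://"):
            findings.append(Finding(h, "ok", "local socket, access limited by file permissions"))
            continue
        if not h.startswith("tcp://"):
            findings.append(Finding(h, "warn", "unrecognised listener scheme, review manually"))
            continue
        hostpart = h[len("tcp://"):]
        host, sep, _port = hostpart.rpartition(":")
        if not sep or (hostpart.count(":") > 1 and not hostpart.startswith("[")):
            host = hostpart                      # no port given, or bare IPv6 literal
        if host in LOOPBACK_HOSTS:
            sev, why = (("ok", "TCP on loopback with mutual TLS") if tls_verify else
                        ("warn", "unauthenticated TCP on loopback: any local user can drive dockerd"))
        elif tls_verify:
            sev, why = "warn", "network-reachable, but a client certificate is required (tlsverify)"
        else:
            scope = "all interfaces" if host in WILDCARD_HOSTS else host
            sev, why = "critical", f"unauthenticated Docker API reachable on {scope}: anyone who can connect can run containers on the host"
        findings.append(Finding(h, sev, why))
    return findings


def audit_daemon_json(text):
    return classify(*parse_daemon_json(text))


def audit_unit_execstart(line):
    return classify(*parse_unit_execstart(line))


def worst(findings):
    """Highest severity across a set of findings ("ok" for an empty set)."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.__getitem__, default="ok")


if __name__ == "__main__":
    for label, findings in (("daemon.json (exposed)", audit_daemon_json(DAEMON_JSON_EXPOSED)),
                            ("daemon.json (tls)", audit_daemon_json(DAEMON_JSON_TLS)),
                            ("unit (exposed)", audit_unit_execstart(UNIT_EXPOSED)),
                            ("unit (loopback)", audit_unit_execstart(UNIT_LOCAL))):
        print(f"{label}: {worst(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.listener}: {f.reason}")
```

On a real host, feed `parse_daemon_json` the contents of `/etc/docker/daemon.json` and `parse_unit_execstart` the `ExecStart=` line from `systemctl cat docker`; a `critical` finding is the configuration the Kinsing campaign scans for, and the fix is to drop the TCP listener or to front it with `tlsverify` and a client CA.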


More in Tux Machines

Leaving Mozilla and Recalling One's Job in Mozilla

  • yoric.steps.next()

    The web is getting darker. It is being weaponized by trolls, bullies and bad actors and, as we’ve witnessed, this can have extremely grave consequences for individuals, groups, sometimes entire countries. So far, most of the counter-measures proposed by either governments or private actors are even scarier. The creators of the Matrix protocol have recently published the most promising plan I have seen. One that I believe stands a chance of making real headway in this fight, while respecting openness, decentralization, open-source and privacy. I have been offered the opportunity to work on this plan. For this reason, after 9 years as an employee at Mozilla, I’ll be moving to Element, where I’ll try and contribute to making the web a better place. My last day at Mozilla will be October 30th.

  • Working open source | daniel.haxx.se

    I work full time on open source and this is how. Background I started learning how to program in my teens, well over thirty years ago and I’ve worked as a software engineer and developer since the early 1990s. My first employment as a developer was in 1993. I’ve since worked for and with lots of companies and I’ve worked on a huge amount of (proprietary) software products and devices over many years. Meaning: I certainly didn’t start my life open source. I had to earn it. When I was 20 years old I did my (then mandatory) military service in Sweden. After having endured that, I applied to the university while at the same time I was offered a job at IBM. I hesitated, but took the job. I figured I could always go to university later – but life took other turns and I never did. I didn’t do a single day of university. I haven’t regretted it. [...] I’d like to emphasize that I worked as a contract and consultant developer for many years (over 20!), primarily on proprietary software and custom solutions, before I managed to land myself a position where I could primarily write open source as part of my job. [...] My work setup with Mozilla made it possible for me to spend even more time on curl, apart from the (still going) two daily spare time hours. Nobody at Mozilla cared much about (my work with) curl and no one there even asked me about it. I worked on Firefox for a living. For anyone wanting to do open source as part of their work, getting a job at a company that already does a lot of open source is probably the best path forward. Even if that might not be easy either, and it might also mean that you would have to accept working on some open source projects that you might not yourself be completely sold on. In late 2018 I quit Mozilla, in part because I wanted to try to work with curl “for real” (and part other reasons that I’ll leave out here). curl was then already over twenty years old and was used more than ever before.

Programming: Buzzwords, Meson, Tracealyzer, LLVM, Python and Rust

  • What is DevSecOps? Everything You Need To Know About DevSecOps

    Most people are familiar with the term “DevOps,” but they don’t know how to really utilize it. There’s more to DevOps than just development and operational teams. There’s an essential element of DevOps that is often missing from the equation: IT security. Security should be included in the lifecycle of apps. The reason you need to include security is that security was once assigned to one team that integrated security near the end stages of development. Taking such a lax approach to security wasn’t such a problem when apps were developed in months or years. The average development cycle has changed quite a bit, though, and apps can be developed in a matter of days or weeks. Outdated security practices like leaving security too late can bring DevOps initiatives to their knees.

  • Nibble Stew: The Meson Manual: Good News, Bad News and Good News

    Starting with good news, the Meson Manual has been updated to a third edition. In addition to the usual set of typo fixes, there is an entirely new chapter on converting projects from an existing build system to Meson. Not only are there tips and tricks on each part of the conversion, there is even guidance on how to get it done on projects that are too big to be converted in one go.

  • Percepio Releases Tracealyzer Visual Trace Diagnostics Solution Version 4.4 with Support for Embedded Linux

    Percepio announced the availability of Tracealyzer version 4.4 with support for embedded Linux. Tracealyzer gives developers insight during software debugging and verification at the system level by enabling visual exploratory analysis from the top down. This makes the software suitable for spotting issues during full system testing and drilling down into the details to find the cause. Version 4.4 adds several views optimized for Linux tracing, in addition to the set of visualizations already in Tracealyzer, and leverages the Common Trace Format (CTF) and the widely supported LTTng, an open source tracing framework.

  • LLVM Adds A SPIR-V CPU Runner For Handling GPU Kernels On The CPU - Phoronix

    LLVM has merged an experimental MLIR-based SPIR-V CPU runner that the developers are working towards being able to handle CPU-based execution of GPU kernels. This new SPIR-V runner is built around the MLIR intermediate representation (Multi-Level Intermediate Representation) with a focus on taking GPU-focused code, translating it through SPIR-V to LLVM, and then executing it on the CPU. The runner's focus is similar to that of the MLIR-based runners for NVIDIA CUDA, AMD ROCm, and Vulkan, but executing on the CPU itself. Earlier this year LLVM added the MLIR-Vulkan-Runner for handling MLIR on Vulkan hardware.

  • Python Modulo in Practice: How to Use the % Operator – Real Python

    Python supports a wide range of arithmetic operators that you can use when working with numbers in your code. One of these operators is the modulo operator (%), which returns the remainder of dividing two numbers.

  • Test & Code : Python Testing for Software Engineering 136: Wearable Technology - Sophy Wong

    Wearable technology is not just smart consumer devices like watches and activity trackers. Wearable tech also includes one-off projects by designers, makers, and hackers, and there are more and more people producing tutorials on how to get started. Wearable tech is also a great way to get both kids and adults excited about coding, electronics, and engineering skills in general. Sophy Wong is a designer who makes really cool stuff using code, technology, costuming, soldering, and even jewelry techniques to get tech onto the human body.

  • Librsvg's test suite is now in Rust

    Some days ago, Dunja Lalic rewrote the continuous integration scripts to be much faster. A complete pipeline used to take about 90 minutes to run, now it takes about 15 minutes on average. [...] The most complicated thing to port was the reference tests. These are the most important ones; each test loads an SVG document, renders it, and compares the result to a reference PNG image. There are some complications in the tests; they have to create a special configuration for Fontconfig and Pango, so as to have reproducible font rendering. The pango-rs bindings do not cover this part of Pango, so we had to do some things by hand.

ARM32 in Linux and Open Source Hardware Certification

  • ARM32 Page Tables

    As I continue to describe in different postings how the ARM32 start-up sequence works, it becomes necessary to explain in depth the basic kernel concepts around page tables and how they are implemented on ARM32 platforms. To understand the paging setup, we need to repeat and extend some Linux paging lingo. Some good background is to read Mel Gorman's description of the Linux page tables from his book “Understanding the Linux Virtual Memory Manager”. This book was published in 2007 and is based on Mel’s PhD thesis from 2003. Some stuff has happened in the 13 years since then, but the basics still hold. It is necessary to also understand the new layers in the page tables, such as the five levels of page tables currently used in the Linux kernel. First a primer: the ARM32 architecture with a classic MMU has 2 levels of page tables, and the more recent LPAE (Large Physical Address Extension) MMU has 3 levels of page tables. Only some of the ARMv7 architectures have LPAE, and it is only conditionally enabled, i.e. the machines can also use the classic MMU if they want; they have both. It is not enabled by default on the multi_v7 configuration: your machine has to explicitly turn it on during compilation. The layout is so different that the same binary image can never support both the classic and the LPAE MMU in the same kernel image.

  • Announcing the Open Source Hardware Certification API – Open Source Hardware Association

    Today we are excited to announce the launch of a read/write API for our Open Source Hardware Certification program. This API will make it easier to apply for certification directly from where you already document your hardware, as well as empower research, visualizations, and explorations of currently certified hardware. OSHWA’s Open Source Hardware Certification program has long been an easy way for creators and users alike to identify hardware that complies with the community definition of open source hardware. Since its creation in 2016, this free program has certified hardware from over 45 countries on every continent except Antarctica. Whenever you see the certification logo on hardware:

LibreOffice: Presentation Size Decreasing and New Presentations About LibreOffice