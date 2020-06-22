

Security: Compliance, CISO, Patches, Principles for Making Your Linux System More Secure and TPM

Submitted by Roy Schestowitz on Wednesday 24th of June 2020 01:08:30 AM Filed under
Security
  • What enterprise developers need to know about security and compliance

    One of the luxuries of my job is that I get to speak to and work with a range of IT people employed by U.S. federal and state government agencies. That range includes DevOps engineers, developers, sysadmins, database administrators, and security professionals. Everyone I talk to, even security professionals, says that IT security and compliance can be imprecise, subjective, overwhelming, and variable—especially in the federal government.

  • Josh Bressers: The ineffective CISO

    I’ve been thinking about this one for a while. I’ve seen some CISOs who are amazing at what they do, and I’ve seen plenty that can’t get anything done. After working with one that I think is particularly good lately, I’ve made some observations that have changed my mind about the modern-day CISO reporting structure.

    The TL;DR of this post is if you have a CISO that claims they can only get their job done if they report to the board or CEO, you have an ineffective CISO.

    All change, even change in our organizations, tends to obey Newton’s Third Law of motion. For every action there must be an equal and opposite action. Change happens because there is something driving that change. Change doesn’t happen because someone is complaining about it. A CEO demanding action could be your incentive. Maybe you need better security posture to help sales. Maybe you had an incident and making sure it never happens again is a driver.

    What’s the inception for security change in your organization? If bad security is holding back sales, that’s easy to understand. But what happens when there isn’t an obvious need for security? All change in an organization, especially security change, will be the result of some other action. In our case we are going to call that action our incentive.

  • Security updates for Tuesday

    Security updates have been issued by CentOS (thunderbird), Debian (wordpress), Fedora (ca-certificates, kernel, libexif, and tomcat), openSUSE (chromium, containerd, docker, docker-runc, golang-github-docker-libnetwork, fwupd, osc, perl, php7, and xmlgraphics-batik), Oracle (unbound), Red Hat (containernetworking-plugins, dpdk, grafana, kernel, kernel-rt, kpatch-patch, libexif, microcode_ctl, ntp, pcs, and skopeo), Scientific Linux (unbound), SUSE (kernel, mariadb, mercurial, and xawtv), and Ubuntu (mutt and nfs-utils).

  • Principles for Making Your Linux System More Secure

    Security by design not only makes for a more secure system, it also provides a better understanding of how your Linux system is constructed. Here are 10 of the most common security by design principles.

    To many users, security is a matter of using the right tools – a matter, for instance, of setting up a firewall or perhaps an antivirus application. Such tools should be part of any security policy, but they are lacking in two important ways. First, they do not add up to any coherent understanding of security. Users install these tools, but without much understanding of the security principles that lie behind them. Second, many are reactive tools, designed to respond to an intrusion rather than prevent it in the first place. A more fruitful approach is security by design, which offers basic approaches to writing software or configuring a system.

    [...]

    Open Design

    One major advantage of free software is that development is public. Anyone can access the code, and the engineering standards are freely available, which means that with open design there is a greater chance of improvements or of bugs being detected. This principle was expressed in Eric S. Raymond’s The Cathedral and the Bazaar as “given enough eyeballs, all bugs are shallow.” It is named Linus’s Law in honor of Linus Torvalds.

    The opposite of open design is security by obscurity, which is frequently considered a practice of proprietary software development. Instead of reporting a bug as soon as it is discovered – the common practice in free software – security by obscurity delays reporting the bug until a patch is released. The problem with this practice is that no one knows if the bug is exploited during the wait for the patch, which can take months. By contrast, open design provides an incentive to write a speedy patch and allows more than one person or team to write a patch. Open design is not foolproof, and it is not always followed, but at the very least, it minimizes security risks.

  • TCG Pushes for Security in Embedded, Automotive, and IoT Systems with Complete TPM 2.0 Software Stack

    The completed TCG TSS Stack standard now supports a wide range of devices making it possible to integrate the TPM 2.0 as a turnkey solution and to achieve interoperability for platform security, network communication, and data exchange.


More in Tux Machines

Mozilla: Tor Browser, Apple Stuff and Firefox 78 Credits

  • Promote your Onion site with the Onion-Location HTTP header

    The Tor Browser anonymizes web browsing using multi-hop network routing featuring layered encryption (the “Onion network”). You can picture it like that trope in action movies where they’re tracing a network intrusion back through multiple server locations scattered all over a world map. (Except that the reverse tracing isn’t a thing and the Onion network’s encryption prevents any meaningful interception.)
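The item above is about the Onion-Location HTTP header, which lets a clearnet site tell Tor Browser that an equivalent .onion site exists. The check below is an added example, not code from the Tor Project or from the quoted post: it emulates the client-side decision of whether to honour such a hint. The rules it encodes (the hint only counts on a page loaded over HTTPS, the value must be an absolute http:// or https:// URL, and the host must be a base32 .onion name of 16 characters for v2 or 56 for v3; a `<meta http-equiv="onion-location">` tag is the fallback for operators who cannot set headers) reflect my reading of the Tor documentation and should be treated as assumptions. The sample onion address and headers are constructed; the v3 checksum is not verified.

```python
import re
from urllib.parse import urlsplit

# Added example (not Tor Project code). Rules below are my reading of the
# Onion-Location documentation and are assumptions, not a normative spec.
# Only the syntactic shape of the .onion name is checked; the v3 checksum
# embedded in the address is not validated here.
_ONION_HOST = re.compile(r"^(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion$")

# Fallback form for operators who cannot add response headers.
_META_TAG = re.compile(
    r'<meta\s+http-equiv=["\']onion-location["\']\s+content=["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def validate_onion_url(value):
    """Return the Onion-Location value if it is a usable onion URL, else None."""
    value = value.strip()
    parts = urlsplit(value)
    # Absolute http/https only: this also rejects javascript:, data:,
    # scheme-relative (//host/) and plain relative values.
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    # Reject anything that is not a base32 .onion name, so a header cannot
    # be abused to steer Tor users to an arbitrary clearnet host.
    if not _ONION_HOST.match(host):
        return None
    # Credentials in the hint are suspicious; drop the hint rather than carry them.
    if parts.username or parts.password:
        return None
    return parts.geturl()


def onion_alternative(page_url, headers, body=""):
    """Emulate the browser: which onion URL, if any, may be offered for page_url.

    headers: dict of response headers (names matched case-insensitively).
    body:    response body, consulted for the <meta> form only when no
             Onion-Location header is present at all.
    """
    # A hint delivered over plain HTTP could have been injected in transit.
    if urlsplit(page_url).scheme != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "onion-location":
            # Header present: its validity is final, the meta tag is ignored.
            return validate_onion_url(value)
    m = _META_TAG.search(body)
    return validate_onion_url(m.group(1)) if m else None


# Constructed sample data (not a real service address).
SAMPLE_ONION_URL = "https://" + "v" * 56 + ".onion/news"

if __name__ == "__main__":
    good = {"Content-Type": "text/html", "Onion-Location": SAMPLE_ONION_URL}
    bad = {"Onion-Location": "https://attacker.example/phish"}
    print(onion_alternative("https://example.org/news", good))  # onion URL offered
    print(onion_alternative("https://example.org/news", bad))   # None
    print(onion_alternative("http://example.org/news", good))   # None (not HTTPS)
```

The interesting decisions are the negative ones: a non-onion host, a non-HTTP scheme, or a hint served over plain HTTP all yield `None`, so a compromised or spoofed response cannot redirect a Tor user somewhere other than an onion service. Operators testing their own deployment can feed a captured response into `onion_alternative` to confirm the hint would actually be honoured.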

  • Update on Firefox Support for macOS 10.9, 10.10 and 10.11

    On June 30th, macOS 10.9, 10.10 and 10.11 users will automatically be moved to the Firefox Extended Support Release (ESR). While Apple doesn’t have an official policy governing security updates for older macOS releases, their ongoing practice has been to support the most recent three releases (i.e. version N, N-1, and N-2). The last security update applicable to macOS 10.11 was made available nearly 2 years ago in July 2018 (https://support.apple.com/en-us/HT201222). Unsupported operating systems receive no security updates, have known exploits, and can be dangerous to use, which makes it difficult and less than optimal to maintain Firefox for those versions.

  • Welcoming Safari to the WebExtensions Community

    Browser extensions provide a convenient and powerful way for people to take control of how they experience the web. From blocking ads to organizing tabs, extensions let people solve everyday problems and add whimsy to their online lives. At yesterday’s WWDC event, Apple announced that Safari is adopting a web-based API for browser extensions similar to Firefox’s WebExtensions API. Built using familiar web technologies such as JavaScript, HTML, and CSS, the API makes it easy for developers to write one code base that will work in Firefox, Chrome, Opera, and Edge with minimal browser-specific changes. We’re excited to see expanded support for this common set of browser extension APIs. [...] Interested in porting your browser extension to Safari? Visit MDN to see which APIs are currently supported. Developers can start testing the new API in Safari 14 using the seed build for macOS Big Sur. The API will be available in Safari 14 on macOS Mojave and macOS Catalina in the future.

  • Firefox 78 new contributors

    With the release of Firefox 78, we are pleased to welcome the 34 developers who contributed their first code change to Firefox in this release, 28 of whom were brand new volunteers!

Devices/Embedded: Vecow, Arm/Linux, TASMOTA and Pandauino

  • Up to 21.5-inch touch panels power up with Whiskey Lake

    Vecow’s rugged, 10.1- to 21.5-inch “MTC-7000 Series” touch-panel systems run Linux or Win 10 on an 8th Gen Whiskey Lake CPU and offer 16:9 ratios, up to 32GB RAM, SATA, 2x GbE, 4x USB 3.1 Gen2, DVI-D and DP, and 2x mini-PCIe. Vecow has announced a line of rugged, all-in-one touch-panel computers with 10.1-, 15-, 15.6-, and 21.5-inch 10-point capacitive multi-touch screens. The MTC-7000 Series runs Linux or Windows 10 on quad-core Core processors from Intel’s 8th Gen, 15W TDP Whiskey Lake-U family. Vecow has previously used Whiskey Lake on its 3.5-inch EMBC-3000, which appears to be used as the mainboard for the systems.

  • Linux-based wireless gateway links up to Azure-ready IoT stack

    Cloud of Things’ compact, Arm/Linux based “DeviceTone IoT Gateway” is equipped with MikroBus, LAN, GPIO, WiFi, LTE, NB-IoT, BLE Long Range, and DECT ULE. Both the gateway and an MCU-based “Genie” edge node work with an Azure-certified DeviceTone IoT Suite. We found out about Cloud of Things’ DeviceTone IoT Gateway, DeviceTone Genie edge node, and DeviceTone IoT Suite in an IoT Evolution story headlined “Do we really need another IoT gateway?” One’s initial response might be “hell no,” followed by a swipe left into oblivion. Yet, the story attempts to persuade us we do need a new gateway, and its name is DeviceTone.

  • TASMOTA Now Supports ESP32 Targets including some Ethernet and Camera Boards

    TASMOTA open-source firmware was initially designed for ESP8266- or ESP8285-based Sonoff home automation devices, providing an alternative to eWelink firmware with support for the MQTT protocol...

  • Pandauino 644/1284 Narrow are Compact ATmega644/1284 Arduino Boards (Crowdfunding)

    Pandauino 644 Narrow and 1284 Narrow boards are powered by Microchip ATmega644 and ATmega1284 8-bit AVR MCUs in a compact form factor slightly larger than the official Arduino Nano.

Kernel: Linux Plumbers Conference, kcbench, and FGKASLR

  • Linux Plumbers Conference: Registration for Linux Plumbers Conference 2020 is now open

    Registration is now open for the 2020 edition of the Linux Plumbers Conference (LPC). It will be held August 24 – 28, virtually. Go to the attend page for more information.

  • kcbench, the Linux kernel compile benchmark, version 0.9.0 is out

    Hello, is this thing still on? Looks like I have not blogged here in nearly 10 years. Uhhps. But today there is a reason to write something again: I released kcbench 0.9.0. Kcbench is a simple Linux kernel compile benchmark that downloads the Linux sources and measures the time it takes to build the kernel.

  • FGKASLR Revised For Better Linux Security Via Enhanced Address Space Randomization

    One of many high profile features that didn't make it in time for Linux 5.8 is FGKASLR, Function Granular Kernel Address Space Layout Randomization. Intel's Kristen Carlson Accardi sent out the original FGKASLR patches back in February for enhancing kernel security by providing address space layout randomization on a function level rather than just changing out the base address of the kernel. Function reordering is used on top of KASLR to make relative addresses within the kernel far less predictable. This reordering is done at boot time.

