
Security Leftovers

Filed under
Security


  • DNS configuration recommendations for IPFire users

    If you are familiar with IPFire, you might have noticed DNSSEC validation is mandatory, since it defeats entire classes of attacks. We receive questions like "where is the switch to turn off DNSSEC" on a regular basis, and to say it once and for all: There is none, and there will never be one. If you are running IPFire, you will be validating DNSSEC. Period.

    Another question frequently asked is why IPFire does not support filtering DNS replies for certain FQDNs, commonly referred to as a Response Policy Zone (RPZ). This is because an RPZ does what DNSSEC attempts to secure users against: Tamper with DNS responses. From the perspective of a DNSSEC-validating system, an RPZ will just look like an attacker (if the queried FQDN is DNSSEC-signed, which is what we strive for as many of them as possible), thus creating a considerable amount of background noise. Obviously, this makes detecting ongoing attacks very hard, most times even impossible - the haystack to search just becomes too big.

    Further, it does not cover direct connections to hardcoded IP addresses, which is what some devices and attackers usually do, as it does not rely on DNS to be operational and does not leave any traces. Using an RPZ will not make your network more secure, it just attempts to cover up the fact that certain devices within it cannot be trusted.

    Back to DNSSEC: In case the queried FQDNs are signed, forged DNS replies are detected since they do not match the RRSIG records retrieved for that domain. Instead of being transparently redirected to a fraudulent web server, the client will only display an error message to its user, indicating a DNS lookup failure. Large-scale attacks by returning forged DNS replies are frequently observed in the wild (the DNSChanger trojan is a well-known example), which is why you want to benefit from validating DNSSEC and more and more domains being signed with it.
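    What the paragraph above describes is visible from the client side: a validating resolver sets the AD (authenticated data) bit on answers it could verify and returns SERVFAIL instead of data whose RRSIGs do not check out, which is also what an RPZ rewrite of a signed name looks like. The following is an added example (not IPFire code) that classifies dig(1) output into those outcomes; the transcripts in it are constructed, not real captures, while the dig options used (+dnssec, +cd, +time, +tries, @resolver) are real. Note the caveat built into it: a SERVFAIL on its own can also be a resolver outage, so the live probe re-asks with checking disabled (+cd) to tell the two apart. The AD bit is only meaningful if the path between client and resolver is trusted, e.g. a resolver running on the firewall itself.

```python
"""Classify what a DNSSEC-validating resolver handed back.

Added example, not code from IPFire. The dig(1) transcripts below are
constructed, not real captures; the dig flags used (+dnssec, +cd, +time,
+tries, @resolver) are real.
"""
import re
import shutil
import subprocess

# Constructed header lines as dig prints them, one per outcome.
SIGNED_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# A forged or RPZ-rewritten answer for a signed name fails the RRSIG check;
# the validating resolver returns SERVFAIL rather than the bad data.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Unsigned zone (or a resolver that is not validating at all): answer, no 'ad'.
UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

_STATUS = re.compile(r"status:\s*([A-Z]+)")
_FLAGS = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def classify(dig_output):
    """Return 'secure' (AD bit set), 'insecure' (answer but no AD),
    'bogus' (SERVFAIL), another lower-cased rcode, or 'unparsable'."""
    status = _STATUS.search(dig_output)
    flags = _FLAGS.search(dig_output)
    if status is None or flags is None:
        return "unparsable"
    rcode = status.group(1)
    if rcode == "SERVFAIL":
        return "bogus"
    if rcode != "NOERROR":
        return rcode.lower()
    return "secure" if "ad" in flags.group(1).split() else "insecure"


def _dig(name, resolver, *extra):
    cmd = ["dig", "+dnssec", "+time=3", "+tries=1", *extra, name]
    if resolver:
        cmd.append("@" + resolver)
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout


def probe(name, resolver=None):
    """Live check (needs network and dig; returns None without dig).
    SERVFAIL alone could be a resolver outage, so re-ask with +cd (checking
    disabled): if the data then comes back, validation is what rejected it."""
    if shutil.which("dig") is None:
        return None
    verdict = classify(_dig(name, resolver))
    if verdict != "bogus":
        return verdict
    retry = classify(_dig(name, resolver, "+cd"))
    return "bogus" if retry == "insecure" else "servfail"


if __name__ == "__main__":
    for label, sample in (("signed", SIGNED_OK), ("forged", BOGUS), ("unsigned", UNSIGNED)):
        print(f"{label:9s} -> {classify(sample)}")
    # Live use: a signed name should come back 'secure'; dnssec-failed.org is
    # a deliberately mis-signed test zone and should come back 'bogus'.
    # print(probe("dnssec-failed.org"))
```

    Running the live probe against a signed name and against a deliberately broken test zone is a quick way to confirm that the resolver you are actually using validates, rather than merely forwarding to one that does.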

  • Security updates for Tuesday

    Security updates have been issued by Debian (libx11, webkit2gtk, and zabbix), Fedora (webkit2gtk3), openSUSE (claws-mail, ghostscript, and targetcli-fb), Red Hat (dbus, kpatch-patch, postgresql-jdbc, and python-pillow), Scientific Linux (libvncserver and postgresql-jdbc), SUSE (kernel and python-rtslib-fb), and Ubuntu (ghostscript, sqlite3, squid3, and webkit2gtk). 


  • Official 1Password Linux App is Available for Testing

    An official 1Password Linux app is on the way, and brave testers are invited to try an early development preview.

    1Password is a user-friendly (and rather popular) cross-platform password manager. It provides mobile apps and browser extensions for Windows, macOS, Android, iOS, Google Chrome, Edge, Firefox — and now a dedicated desktop app for Linux, too.


  • FBI Warns of Increased DDoS Attacks

    The Federal Bureau of Investigation warned in a “private industry notification” last week that attackers are increasingly using amplification techniques in distributed denial-of-service attacks. There has been an uptick in attack attempts since February, the agency’s Cyber Division said in the alert.
    An amplification attack occurs when attackers send a small number of requests to a server and the server responds with numerous responses. The attackers spoof the IP address to make it look like the requests are coming from a specific victim, and the resulting responses overwhelm the victim's network.

    “Cyber actors have exploited built-in network protocols, designed to reduce computation overhead of day-to-day system and operational functions to conduct larger and more destructive distributed denial-of-service amplification attacks against US networks,” the FBI alert said. Copies of the alert were posted online by several recipients, including threat intelligence company Bad Packets.
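    Seen from the victim's edge, reflected amplification has a simple signature: large UDP flows arriving from the source ports of well-known reflector services, with no matching outbound request from the target host. The block below is an added example (not from the FBI notification or Bad Packets) that runs that check over constructed flow records and also computes the amplification factor (response bytes divided by request bytes) for exchanges the local host did initiate. The reflector port list and the 192.0.2.0/24 "local network" are assumptions for the example.

```python
"""Flag reflected-amplification traffic in UDP flow records.

Added example; the flow records, the local network and the reflector port
list are all constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: source ports of UDP services commonly abused as reflectors.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
                   1900: "SSDP", 11211: "memcached"}
# Assumption: the network whose hosts we are protecting.
LOCAL_NET = ip_network("192.0.2.0/24")

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    # Legitimate: our host asked a resolver and got one matching answer back.
    ("192.0.2.10", 40000, "198.51.100.1", 53, 1, 70),
    ("198.51.100.1", 53, "192.0.2.10", 40000, 1, 300),
    # Reflected: unsolicited "responses" from several reflectors to one victim port.
    ("203.0.113.5", 123, "192.0.2.10", 51111, 200, 96000),
    ("203.0.113.6", 123, "192.0.2.10", 51111, 180, 86400),
    ("203.0.113.7", 11211, "192.0.2.10", 51111, 50, 700000),
    # Ordinary outbound traffic, never flagged.
    ("192.0.2.10", 52000, "93.184.216.34", 443, 30, 4000),
]


def _is_local(ip):
    return ip_address(ip) in LOCAL_NET


def _requests_sent(flows):
    """Map (server_ip, server_port, client_ip, client_port) -> request bytes
    for every flow a local host sent outwards."""
    sent = {}
    for src, sport, dst, dport, _, nbytes in flows:
        if _is_local(src) and not _is_local(dst):
            sent[(dst, dport, src, sport)] = nbytes
    return sent


def unsolicited_reflections(flows, min_bytes=1000):
    """Inbound flows from a reflector port that answer no request we sent."""
    asked = _requests_sent(flows)
    hits = []
    for src, sport, dst, dport, pkts, nbytes in flows:
        if _is_local(src) or not _is_local(dst) or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dst, dport) in asked or nbytes < min_bytes:
            continue
        hits.append({"victim": dst, "reflector": src,
                     "service": REFLECTOR_PORTS[sport],
                     "packets": pkts, "bytes": nbytes})
    return hits


def victims(flows, min_reflectors=2):
    """Per victim host: distinct reflectors and total bytes, keeping only
    hosts hit from at least min_reflectors sources (one stray reply is noise)."""
    agg = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for hit in unsolicited_reflections(flows):
        agg[hit["victim"]]["reflectors"].add(hit["reflector"])
        agg[hit["victim"]]["bytes"] += hit["bytes"]
    return {v: {"reflectors": len(d["reflectors"]), "bytes": d["bytes"]}
            for v, d in agg.items() if len(d["reflectors"]) >= min_reflectors}


def amplification_ratios(flows):
    """Response bytes / request bytes per (server, port) for exchanges a local
    host initiated; this is the factor an attacker gets from spoofing us."""
    asked = _requests_sent(flows)
    ratios = {}
    for src, sport, dst, dport, _, nbytes in flows:
        key = (src, sport, dst, dport)
        if key in asked and asked[key] > 0:
            ratios[(src, sport)] = round(nbytes / asked[key], 2)
    return ratios


if __name__ == "__main__":
    for hit in unsolicited_reflections(SAMPLE_FLOWS):
        print("unsolicited", hit)
    print("victims", victims(SAMPLE_FLOWS))
    print("ratios", amplification_ratios(SAMPLE_FLOWS))
```

    The same matching logic applies on the reflector side with the roles reversed: requests arriving for a service from a source that never completes any other exchange with you, at a rate no real client would send, are the spoofed packets the alert describes.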

  • NSA issues BootHole mitigation guidance

    Following the disclosure of a widespread buffer overflow vulnerability that could affect potentially billions of Linux and Windows-based devices, the National Security Agency issued a follow-up cybersecurity advisory highlighting the bug and offering steps for mitigation.

    The vulnerability -- dubbed BootHole -- impacts devices and operating systems that use signed versions of the open-source GRUB2 bootloader software found in most Linux systems. It also affects any system or device using Secure Boot -- a root firmware interface responsible for validating the booting process -- with Microsoft's standard third party certificate authority. The vulnerability enables attackers to bypass Secure Boot to allow arbitrary code execution and “could be used to install persistent and stealthy bootkits,” NSA said in a press statement.

More in Tux Machines

Proprietary Software: Todoist, FreeOffice, and Even Worse

  • Todoist Takes on Trello with New Kanban Board Feature

    Todoist now has a Kanban board feature similar to that made popular by Trello. Kanban boards are an effective project management tool designed to make it easier to organise tasks within projects and get an overview of overall project status. While Kanban boards aren’t super fancy they are, for some, super useful. “A more visual way to organize your projects. Drag tasks between sections, visualize your progress, and simplify your teamwork,” Todoist say of the feature.

  • SoftMaker FreeOffice: A cross-platform Office suite that's fully compatible with MS Office

    Most Linux users are well-acquainted with LibreOffice – many distributions have it pre-installed. Fewer know its powerful alternative: FreeOffice is a full-fledged office solution with full support for Microsoft Office file formats. It consists of a word processor, a spreadsheet and a presentation program. True to its name, FreeOffice is fully free and available for Linux in 32-bit and 64-bit versions. FreeOffice is far from a LibreOffice clone. The software is being developed by a German software company with a history going all the way back to 1987. Due to its background, FreeOffice has far more in common with Microsoft Office than with LibreOffice.

  • Cutting corners on cybersecurity can leave costly holes [iophk: Windows TCO]

    Such attacks can paralyse an organisation as it weighs up concerns over prolonged business interruption, reputational damage and data protection responsibilities against the financial impact and the ethical implications of capitulating to the demands. The decision to pay or not to pay is very much the question – especially when university budgets are so tight.

    The advice of the NCSC, as well as Jisc, is very clear: do not pay! A range of reasons are cited, but the prime one is the inability of institutions to be sure that the [attacker] will undo the damage and not exploit the data breach at a later date. Those who pay up justify doing so on the grounds of business criticality and expediency. They also rely on the “honour among thieves” paradigm that [attackers] will stick to their word so that victims of future attacks will also feel confident in paying up.

  • As critics call for deplatforming, defunding, and prosecution over Leila Khaled discussion, San Francisco State University president gets it right

    Yesterday, Zoom refused to allow the university to use its service for the discussion — a cancellation praised by FCC Commissioner Brendan Carr, who said there was no “need to hear both sides.” It is not yet clear whether the organizers of the event will switch to another channel of communication.

Android Leftovers

Security: Patches, Ease of Use and Debian Key Signing

  • Security updates for Wednesday

    Security updates have been issued by openSUSE (libetpan, libqt4, lilypond, otrs, and perl-DBI), Red Hat (kernel-rt), Slackware (seamonkey), SUSE (grafana, libmspack, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and samba), and Ubuntu (debian-lan-config, ldm, libdbi-perl, and netty-3.9).

  • Balancing Linux security with usability

    Building an operating system is a difficult balance, and a Linux distribution is no different. You need to consider the out-of-the-box functionality that most people are going to want, and accessibility for a wide swath of administrators' skillsets. If you make your distro very secure, but a newbie sysadmin can't figure out how to work with it…well, they're going to find an easier distribution to go learn on, and now you've lost that admin to another distribution. So it's really no surprise that, right after install time, most Linux distributions need a little bit of tweaking to lock them down. This has gotten better over the years, as the installers themselves have gotten easier to use and more feature-rich. You can craft a pretty custom system right from the GUI installer. A base Red Hat Enterprise Linux (RHEL) system, for example, if you've chosen the base package set, is actually pretty light on unnecessary services and packages. There was a time when that was not true. Can you imagine passwords being hashed, but available in /etc/passwd for any user to read? Or all system management being carried out over Telnet? SSH wasn't even on, by default. Host-based firewall? Completely optional. So, 20 years ago, locking down a newly installed Linux system meant a laundry list of tasks. Luckily, as computing has matured, so has the default install of just about any operating system.

  • Key signing in the pandemic era

    The pandemic has changed many things in our communities, even though distance has always played a big role in free software development. Annual in-person gatherings for conferences and the like are generally paused at the moment, but even after travel and congregating become reasonable again, face-to-face meetings may be less frequent. There are both positives and negatives to that outcome, of course, but some rethinking will be in order if that comes to pass. The process of key signing is something that may need to change as well; the Debian project, which uses signed keys, has been discussing the subject. In early August, Enrico Zini posted a note to the debian-project mailing list about people who are trying to get involved in Debian, but who are lacking the necessary credentials in the form of an OpenPGP key signed by other Debian project members. The requirements for becoming a Debian Maintainer (DM) or Debian Developer (DD) both involve keys with signatures from existing DDs; two signatures for becoming a DD or one for becoming a DM. Those are not the only steps toward becoming formal members of Debian, but they are ones that may be hampering those who are trying to do so right now. DDs and DMs use their keys to sign packages that are being uploaded to the Debian repository, so the project needs to have some assurance that the keys are valid and are controlled by someone that is not trying to undermine the project or its users. In addition, votes in Debian (for project leaders and general resolutions) are made using the keys. They are a fundamental part of the Debian infrastructure.

KDDockWidgets 1.0 has been released

KDDockWidgets is an advanced docking system for Qt, with features that are not available in QDockWidget. See our first blog post, for a quick introduction and the motivation for a new docking framework. We’ve come a long way since the initial announcement of KDDockWidgets. The 1.0 release represents the culmination of one year of using the library in production for five different huge projects — one year of incorporating real feedback in the form of new features, bug fixes, or simply making the framework more customizable.