Security Leftovers

  • Security updates for Thursday

    Security updates have been issued by Arch Linux (firefox, openjpeg2, openssl, qemu, tensorflow, and thunderbird) and Debian (highlight.js).

  • This Week In Security: Deeper Dive Into SolarWinds, Bouncy Castle, And Docker Images [Ed: Microsoft is, as usual, using spin and distortion to blame others for its own incompetence]

    Microsoft has published their analysis of Solorigate, and the details are interesting. The added code was carefully written to blend in with the rest of the code, using the name OrionImprovementBusinessLayer.Initialize, which sounds like a perfectly boring-yet-legitimate function. The actual backdoor is obfuscated using zip compression and base64 encoding.

    Once this bootstrap code begins, it runs a series of checks before actually doing anything malicious. It waits 2 weeks after installation to do anything, and then checks the system domain name for any indication it’s running in a test environment. It then checks for certain security applications, like Wireshark, and refuses to run if they are detected. This series of checks all seem to be an effort to avoid detection, and to only run in a deployed environment. Even the Command and Control URL that the backdoor uses is constructed to appear benign. Beyond this, it seems that the malware simply waited for instructions, and didn’t take any automated actions. All the attacks were performed manually.

    One of the side-effects of the sudden attention given to SolarWinds devices is that a whole slew of other problems will be found and fixed, like CVE-2020-10148, an authentication bypass. The most surprising finding, however, is a *second* backdoor in the SolarWinds code, nicknamed Supernova. It’s possible that this was an earlier backdoor from the same actors as Solorigate, but the current theory is that it’s a backdoor installed by yet another, unrelated attacker.

  • Significant vulnerabilities that crippled IT world this decade (2010-2020)

    The last ten years in the computer and IT security world are crippled with so many vulnerabilities. We saw massive cloud computing adoption and end-users using mobile devices with high speed 4G LTE networks. A threat actor may have exploited such weakness in modern computers and networks. Let us look into top vulnerabilities and the attack surface in this decade (2010-2020) that affected Linux/Unix, macOS, IT, cloud-computing, and computers in general.

  • James Bottomley: Deploying Encrypted Images for Confidential Computing

    At its base, current confidential computing environments are about using encrypted memory to run the virtual machine and guarding the encryption key so that the owner of the host system (the cloud service provider) can’t get access to it. Both SEV and TDX have the encryption technology inside the main memory controller, meaning the L1 cache isn’t encrypted (still vulnerable to cache side channels) and DMA to devices must also be done via unencrypted memory. This latter also means that both the BIOS and the Operating System of the guest VM must be enlightened to understand which pages to encrypt and which must not be. For this reason, all confidential VM systems use OVMF to boot because this contains the necessary enlightening. To a guest, the VM encryption looks identical to full memory encryption on a physical system, so as long as you have a kernel which supports Intel or AMD full memory encryption, it should boot.

    Each confidential computing system has a security element which sits between the encrypted VM and the host. In SEV this is an aarch64 processor called the Platform Security Processor (PSP) and in TDX it is an SGX enclave running Intel proprietary code. The job of the PSP is to bootstrap the VM, including encrypting the initial OVMF and inserting the encrypted pages. The security element also includes a validation certificate, which incorporates a Diffie-Hellman (DH) key. Once the guest owner obtains and validates the DH key it can use it to construct a one time ECDH encrypted bundle that can be passed to the security element on bring up. This bundle includes an encryption key which can be used to encrypt secrets for the security element and a validation key which can be used to verify measurements from the security element.

    The way QEMU boots a Q35 machine is to set up all the configuration (including a disk device attached to the VM Image), load up the OVMF into ROM memory and start the system running. OVMF pulls in the QEMU configuration and constructs the necessary ACPI configuration tables before executing grub and the kernel from the attached storage device. In a confidential VM, the first task is to establish a Guest Owner (the person whose encrypted VM it is) which is usually different from the Host Owner (the person running or controlling the Physical System). Ownership is established by transferring an encrypted bundle to the Secure Element before the VM is constructed.

  • Chris Lamb: Free software activities in December 2020

    One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.

    The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

  • The Future of Software Supply Chain Security – Purism

    All indications are that software supply chain security will be the biggest issue for the security industry in 2021. The largest security story of 2020 was the supply chain compromise of SolarWinds Orion which allowed attackers to ship malicious updates with backdoors to Orion customers with perfectly valid signatures. Once these updates were applied and attackers were in these networks, this access allowed a large-scale attack of government agencies and tech and security companies, perhaps one of the single largest attacks of US networks in history. In some cases the level of compromise was so deep, including compromised administrator credentials, that the general guidance has been for victims to rebuild infrastructure from the ground up.

    Supply chain security is not a new concept (I wrote about how Purism protects the digital supply chain over two years ago) and many researchers have recognized it as a legitimate threat for a long time. Yet the industry overall has been slow to recognize the risk and in fact perverse incentives have led to many in the industry doubling-down on security solutions that rely heavily (in many cases rely entirely) on the exact kind of security measures supply chain hacks defeat.

    The proprietary software industry can’t fix the software supply chain problem because they largely created it and depend on it to maintain control over customers. In this article I’m going to explain how this happened, and what the future of supply chain security looks like.

    [...]

    To improve software supply chain security we need the ability to audit software like we audit food and this requires much more transparency–transparency beyond what proprietary software vendors allow. Tamper seals (code signing) are important, but not close to being sufficient to catch tainted software. As the SolarWinds Orion hack shows, food can be tainted at the factory before it gets into those tamper-sealed jars.

    The software supply chain will get attacked, and third parties and motivated customers must have the ability to detect tainted code quickly, beyond simply relying on their vendor to notice, looking at a tamper seal, or waiting to see if their network gets sick. The best hope we have to improve supply chain security is in the combination of free software and Reproducible Builds.

    [...]

    This is one reason why Purism offers a 100% free software operating system, PureOS, on our computers. By only installing free software, all of the source code in the operating system can be audited by anyone for backdoors or other malicious code. For processed food to be labeled as organic, it must be made only from organic sources, and having our operating system certified as 100% free software means you can trust the software supply chain all the way to the source.

    Reproducible Builds

    Unlike proprietary software, free software can also address the risk from an attacker who can inject malicious code somewhere in the build process before it’s signed. With Reproducible Builds you can download the source code used to build your software, build it yourself, and compare your output with the output you get from a vendor. If the output matches, you can be assured that no malicious code was injected somewhere in the software supply chain and it 100% matches the public code that can be audited for backdoors. Think of it like the combination of a food safety inspector and an independent lab that verifies the nutrition claims on a box of cereal all rolled into one.

    Much of PureOS is already reproducibly built, and we are working so that ultimately all software within PureOS can be reproducibly built starting with the base install and expanding from there. We not only intend on publishing our own reproducible build results, but also tools and guidance so third parties and customers can perform their own audits. That way, customers aren’t limited to learning about supply chain attacks from us, they can audit and detect attacks themselves.

  • Linux To Report MIPS Vulnerabilities But They Often Go Unreported Or Dead Vendors - Phoronix

    The Linux kernel with the likes of ARM and x86 hardware leverage kernel infrastructure for reporting their relevant CPU security mitigations while only now the MIPS kernel code is seeing work to report such vulnerabilities. However, on the MIPS front it's more difficult with some vendors not publicly acknowledging vulnerabilities and other cases of MIPS hardware vendors no longer producing the hardware in question or even in business.

    Sent out yesterday were patches providing MIPS vulnerabilities infrastructure for the Linux kernel, similar to that for other architectures.

  • New Golang worm turns Windows and Linux servers into monero miners [Ed: Typical FUD from clueless and/or dishonest media looking to blame "Linux" (or make it look as awful as back-doored Windows) because some admins misconfigure stuff or choose terrible passwords]

    A new worm written in Golang turns Windows and Linux servers into miners of the cryptocurrency monero.

  • Windows and Linux servers turned into crypto miners [Ed: Same as above]
