Security

Security: Back Doors in Voting Machines, Two-Factor Authentication, Introduction to Cybersecurity, and Reproducible Builds

Filed under
Security
  • Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

    The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

    In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

    The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.

  • PSA: Make Sure You Have a Backup for Two-Factor Authentication
  • An Introduction to Cybersecurity: The First Five Steps

    You read all these headlines about the latest data breaches, and you worry your organization could be next.

    After all, if TalkTalk, Target, and Equifax can’t keep their data safe, what chance do you have?

    Well, thankfully, most organizations aren’t quite as high profile as those household names, and probably don’t receive quite so much attention from cybercriminals. At the same time, though, no organization is so small or insignificant that it can afford to neglect to take sensible security measures.

    If you’re just starting to take cybersecurity seriously, here are five steps you can take to secure your organization more effectively than 99 percent of your competitors.

  • Reproducible Builds: Weekly report #168

Security Leftovers

Filed under
Security

Red Hat Looks Beyond Docker for Container Technology

Filed under
Server
Security

While Docker Inc and its eponymous container engine helped to create the modern container approach, Red Hat has multiple efforts of its own that it is now actively developing.

The core component for containers is the runtime engine, which for Docker is the Docker Engine which is now based on the Docker-led containerd project that is hosted at the Cloud Native Computing Foundation (CNCF). Red Hat has built its own container engine called CRI-O, which hit its 1.0 release back in October 2017.

For building images, Red Hat has a project called Buildah, which reached its 1.0 milestone on June 6.

Read more

Containers: The Update Framework (TUF), Nabla, and Kubernetes 1.11 Release

Filed under
Server
Security
  • How The Update Framework Improves Software Distribution Security

    In recent years there have been multiple cyber-attacks that compromised a software developer's network to enable the delivery of malware inside of software updates. That's a situation that Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve.

    Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates and has implementations that are being purpose-built to help secure automotive software as well.

  • IBM's new Nabla containers are designed for security first

    Companies love containers because they enable them to run more jobs on servers. But businesses also hate containers, because they fear they're less secure than virtual machines (VMs). IBM thinks it has an answer to that: Nabla containers, which are more secure by design than rival container concepts.

    James Bottomley, an IBM Research distinguished engineer and top Linux kernel developer, first outlines that there are two fundamental kinds of container and virtual machine (VM) security problems. These are described as Vertical Attack Profile (VAP) and Horizontal Attack Profile (HAP).

  • [Podcast] PodCTL #42 – Kubernetes 1.11 Released

    Like clockwork, the Kubernetes community continues to release quarterly updates to the rapidly expanding project. With the 1.11 release, we see a number of new capabilities being added across a number of different domains – infrastructure services, scheduling services, routing services, storage services, and broader CRD versioning capabilities that will improve the ability to not only deploy Operators for the platform and applications. Links for all these new features, as well as in-depth blog posts from Red Hat and the Kubernetes community are included in the show notes.

    As always, it’s important to remember that not every new feature being released is considered “General Availability”, so be sure to check the detailed release notes before considering the use of any feature in a production or high-availability environment.

Security: Containers, Tron, Back Doors, GandCrab, Bastille Day

Filed under
Security
  • A New Method of Containment: IBM Nabla Containers

    In the previous post about Containers and Cloud Security, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk.  However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies.  For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors.  For the impatient, the full open source release of the Nabla Containers technology is here and here, but for the more patient, let me explain what we did and why.  We’ll have a follow on post about the measurement methodology for the HAP and how we proved better containment than even hypervisor solutions.

    [...]

    Like most sandbox models, the Nabla containers approach is an alternative to namespacing for containment, but it still requires cgroups for resource management.  The figures show that the containment HAP is actually better than that achieved with a hypervisor and the performance, while being marginally less than a namespaced container, is greater than that obtained by running a container inside a hypervisor.  Thus we conclude that for tenants who have a real need for HAP reduction, this is a viable technology.

  • Measuring the Horizontal Attack Profile of Nabla Containers
  • Tron (TRX) Gives $25,000 to 5 Developers Who Spotted Bugs in Open-Source Code

    Just a couple of days ago, Binance – a very popular digital currency trading platform – credited the Binance account of thirty-one selected Tron (TRX) traders with five million TRX tokens. Recently, the Tron Foundation has also announced it gave away $25k to five developers that are actively working to redefine the community of Tron.

  • Open Source Security Podcast: Episode 105 - More backdoors in open source
  • GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader [Ed: Microsoft's collaboration with the NSA on back doors is a gift that keeps on giving... to crackers.]
  • Rewritten GandCrab Ransomware Targets SMB Vulnerabilities To Attack Faster

    GandCrab ransomware, which has created a hullabaloo in the cybersecurity industry by constantly evolving, has yet again caused a commotion. The latest version of the ransomware attacks systems using an SMB exploit spreader via compromised websites. The ransomware is adding new features every day to target different countries.

    The attackers behind the ransomware are scanning the whole internet to find the vulnerable websites to unleash the attack. The latest version features a long hard-coded list of websites that were compromised and were used to connect with it.

  • France’s cyber command marched in Paris’s Bastille Day Parade for the first time

    For the first time, France’s military cyber command marched in this year’s Bastille Day parade on the Champs Elysees in Paris, alongside other units in the nation’s armed forces. The military noted that it’s a recognition of the advances that the unit has made since its formation last year, and reinforces that “cyber defense remains a national priority.”

    French defense minister Jean-Yves Le Drian announced the formation of COMCYBER in December 2016, noting that the emergence of state actors operating in cyberspace was a new way to approach warfare. The command brought all of the nation’s soldiers focused on cyber defense under one command, with three main tasks: cyber intelligence, protection, and offense.

  • Should I let my staff choose their own kit and, if so, how?

Security Leftovers

Filed under
Security
  • Data breaches show we’re only three clicks away from anarchy

    An IT glitch afflicting BP petrol stations for three hours last Sunday evening might not sound like headline news. A ten-hour meltdown of Visa card payment systems in June was a bigger story — as was the notorious TSB computer upgrade cock-up that started on 20 April, which was still afflicting customers a month later and was reported this week to be causing ruptures between TSB and its Spanish parent Sabadell.

    Meanwhile, what do Fortnum & Mason, Dixons Carphone, Costa Coffee and its sister company Premier Inn have in common with various parts of the NHS? The answer is that they have all suffered recent large-scale ‘data breaches’ that may have put private individuals’ information at risk. IT Governance, a blog that monitors international news stories in this sphere, came up with a global figure of 145 million ‘records leaked’ last month alone. Such leaks are daily events everywhere — and a lesson of the TSB story was that cyber fraudsters are waiting to attack wherever private data becomes accessible, whether because of computer breakdown or lax data protection.

  • UK security researcher Hutchins makes renewed bid for freedom

    British security researcher Marcus Hutchins, who was arrested by the FBI last August over alleged charges of creating and distributing a banking trojan, has made a fresh bid to go free, claiming that the US has no territorial jurisdiction to file charges against him for alleged crimes committed elsewhere.

  • Common Ground: For Secure Elections and True National Security

    An open letter by Gloria Steinem, Noam Chomsky, John Dean, Governor Bill Richardson, Walter Mosley, Michael Moore, Valerie Plame, and others.

Containers or virtual machines: Which is more secure? The answer will surprise you

Filed under
Server
Security

Are virtual machines (VM) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs.

James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created the Horizontal Attack Profile (HAP), designed to describe system security in a way that can be objectively measured. Bottomley has discovered that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."
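As an added illustration of what "a well crafted seccomp profile" means in practice (this is example code, not code from the article, from IBM Research or from Docker): a small Python script that builds a Docker-format allowlist profile and evaluates syscall names against it the way the kernel filter would, so a profile can be checked against an observed trace before it is deployed. The syscall list is a constructed guess for a trivial static file server, and `build_profile`, `syscall_action` and `unexpected_syscalls` are names chosen here.

```python
"""Build a minimal Docker seccomp allowlist profile and evaluate syscalls against it.

Added example; not code from the original article or from IBM/Docker. The syscall
list below is a constructed illustration for a small static file server, not a
profile taken from any project; real workloads need a list derived from tracing.
"""
import json

# Constructed allowlist: the syscalls a trivial static file server is assumed to need.
# An allowlist shrinks the kernel interface a compromised process can reach, which is
# the surface the Horizontal Attack Profile in the article is measuring.
ALLOWED_SYSCALLS = [
    "read", "write", "openat", "close", "fstat", "lseek", "mmap", "munmap",
    "brk", "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "ioctl",
    "socket", "bind", "listen", "accept4", "setsockopt", "getsockname",
    "sendfile", "epoll_create1", "epoll_ctl", "epoll_wait", "clock_gettime",
    "exit", "exit_group", "futex", "getpid", "nanosleep", "clone", "execve",
    "set_tid_address", "set_robust_list", "prlimit64", "arch_prctl",
    "getrandom", "fcntl", "dup2", "uname", "access", "readlink", "getcwd",
]


def build_profile(allowed):
    """Return a Docker-format seccomp profile: deny everything, allow only `allowed`.

    SCMP_ACT_ERRNO makes a blocked call fail with an errno instead of killing the
    process, which is easier to debug than SCMP_ACT_KILL while tightening a profile.
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def syscall_action(profile, name):
    """Mirror how the filter decides: the first matching rule wins, else the default."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def unexpected_syscalls(profile, observed):
    """Given syscall names observed at runtime (e.g. from strace), return the ones
    this profile would block. Run this over a trace of the real workload before
    deploying the profile, and over any later trace to spot behaviour that changed."""
    return sorted(n for n in set(observed)
                  if syscall_action(profile, n) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    profile = build_profile(ALLOWED_SYSCALLS)
    with open("webserver-seccomp.json", "w") as fh:
        json.dump(profile, fh, indent=2)
    # Constructed trace: two calls a static file server never makes (mount, ptrace)
    # appear alongside normal activity and are reported as blocked.
    trace = ["read", "write", "sendfile", "ptrace", "mount"]
    print("blocked:", unexpected_syscalls(profile, trace))
```

The written file is applied with `docker run --security-opt seccomp=webserver-seccomp.json ...`. Starting from a deny-by-default profile and allowing only what a trace of the workload shows is the opposite of Docker's permissive default, which is why the interface breadth Bottomley mentions ends up comparable to a hypervisor's.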

Read more

Red Hat Enterprise Linux 6 & CentOS 6 Patched Against Spectre V4, Lazy FPU Flaws

Filed under
Red Hat
Security

Users of the Red Hat Enterprise Linux 6 and CentOS Linux 6 operating system series received important kernel security updates that patch some recently discovered vulnerabilities.

Now that the Red Hat Enterprise Linux 7 and CentOS Linux 7 operating system series have been patched against the Spectre Variant 4 (CVE-2018-3639) security vulnerability, as well as the Lazy FPU State Save/Restore CPU flaw, it's time for Red Hat Enterprise Linux 6 and CentOS Linux 6 to receive these important security updates, which users can now install on their computers.

Read more

Nintendo Found a Way to Patch an Unpatchable Coldboot Exploit in Nintendo Switch

Filed under
Security
Gadgets

If you plan on buying a Nintendo Switch gaming console to run Linux on it using the "unpatchable" exploit publicly disclosed a few months ago, think again because Nintendo reportedly fixed the security hole.

Not long ago, a team of hackers calling themselves ReSwitched publicly disclosed a security vulnerability in the Nvidia Tegra X1 chip, which they called Fusée Gelée and which could allow anyone to hack a Nintendo Switch gaming console to install a Linux-based operating system and run homebrew code and apps using a simple trick.

Read more

Security Leftovers

Filed under
Security

More in Tux Machines

Games: HITMAN and Atari VCS

More Android Leftovers

  • A Look at Google's Project Fi
    Project Fi is a play on the term "WiFi" and is pronounced "Project Fye", as opposed to "Project Fee", which is what I called it at first. Several features set Project Fi apart from other cell-phone plans. First, Project Fi uses towers from three carriers: T-Mobile, US Cellular and Sprint. When using supported hardware, Project Fi constantly monitors signal strength and seamlessly transitions between the various towers. Depending on where you live, this can mean constant access to the fastest network or a better chance of having any coverage at all. (I'm in the latter group, as I live in a rural area.)
  • OnePlus 5 and 5T's latest OxygenOS Open Beta bring Google Lens support
    While the last OxygenOS Open Beta update for the OnePlus 5 and OnePlus 5T was a significant upgrade bringing support for Project Treble, the latest versions for both devices offer smaller changes.
  • Google EU fine over Android likely this week
    The European Commission, the executive arm of the EU, normally makes such announcements on a Wednesday.

  • Moment of truth for Google as record EU antitrust fine looms
    It comes just over a year after the Commission slapped a landmark 2.4-billion-euro ($2.8 billion) penalty on Google, a unit of Alphabet Inc, for favoring its shopping service over those of competitors.

    The EU penalty is likely to exceed the 2017 fine because of the broader scope of the Android case, sources familiar with the matter have told Reuters.

OSS Leftovers

  • Medellín WordPress User Group Celebrates Open Source CMS Platform’s 15th Anniversary
    Medellín is well known for its innovative technology scene, with many active software and information technology user groups. One of those is the user group centered around open source content management software WordPress. A year ago the user group hosted Colombia’s first Wordcamp function, supported by the global WordPress community, and the user group recently gathered to celebrate the 15th anniversary of the first WordPress open source software release that took place May 27, 2003. WordPress is a free, open source software platform that allows amateur and professional users to create websites without writing programming code. Over the years it has grown into a powerful platform robust enough to run enterprise websites in many cases. For example, Finance Colombia runs on WordPress software.
  • Training: Embedded Linux and Security training day – Reading
    Providing detailed hands-on training, it is targeted at embedded engineers looking for an introduction to key embedded Linux and Security topics.
  • Amazing solar panel device that could change the world goes open source
    An innovative and simple solar panel efficiency device has just gone open source in order to get renewable energy to those who need it most. When you picture solar power, you might think of the enormous Ivanpah solar power plant in California (the largest in the world) or huge tracts of land in other sun-drenched parts of the globe. But not everyone has access to such enormous grids and particularly in remote villages in developing nations, there is only a need for a single or small group of solar panels that could maintain maximum efficiency to sustain a family or the village itself.
  • Meet the man in charge of Arduino

    I went to visit the Interaction Design Institute of Ivrea – a school that was started just six months before I went to visit them – and they asked me if I knew someone who could teach electronics to designers and to ask this question to my colleagues at the Politecnico.

    I went back and they said “No! Teaching electronics to designers? For us?” Those were guys working on highly sophisticated FPGAs, so they didn’t care about designers. I thought about Massimo – he had a real passion for electronics and he worked as a CTO for an internet provider at that point in time. I said, “Massimo, you could be the right person for this type of engagement – they’re designers, you love design, and you know electronics.” I introduced Massimo to the school and they hired him. That’s how the story started. When he was teaching at the Design Institute of Ivrea, they started the Arduino project as a way to standardise the electronics projects the students were doing. I introduced Massimo to the school and they invented Arduino, so I’m sort of the great-grandfather to some extent.

  • pinp 0.0.6: Two new options
    A small feature release of our pinp package for snazzier one or two column vignettes got onto CRAN a little earlier. It offers two new options. Saghir Bashir addressed a longer-standing help needed! issue and contributed code to select papersize options via the YAML header. And I added support for the collapse option of knitr, also via YAML header selection. A screenshot of the package vignette can be seen below. Additional screenshots are at the pinp page.
  • OpenMP 5.0 Public Draft Released
    The public draft of the OpenMP 5.0 SMP programming standard is now available for review ahead of the specification's expected stable release before the end of 2018. OpenMP 5.0 is expected to succeed the OpenMP 4.5 parallel programming standard in Q4'2018, but for ironing out any last minute issues and allowing more compiler developers to begin implementing the standard, the public draft is now available.

FUD, EEE, and Openwashing