
Security

Microsoft Flaws and Windows Back Doors (Coordinated with NSA) Show Their Cost/Toll

Filed under
Microsoft
Security

Security: 0-Days and Back Doors

Filed under
Security

Security: Windows/NSA Back Doors and Exploits (EternalBlue), Rust Flaw, Roughtime, DDOS Hype and "The Lucy Gang"

Filed under
Security
  • Leaked NSA Exploits Shifting From Ransomware To Cryptocurrency Mining

    This report, from Zack Whittaker at TechCrunch, says there's really no endpoint in sight for the unintended consequences of exploit hoarding. But at this point, it's really no longer the NSA or Microsoft to blame for the continued rampage. Stats from Shodan show more than 300,000 unpatched machines in the United States alone.

    EternalBlue-based malware still runs rampant, but the focus has shifted from ransom to cryptocurrency. An unnamed company recently watched the NSA's exploit turn its computers into CPU ATMs.

    [...]

    There will never be a full accounting of the damage done. Yes, the NSA never thought its secret stash would go public, but that doesn't excuse its informal policy of never disclosing massive vulnerabilities until it's able to wring every last piece of intel from their deployment. And there's a chance this will happen again in the future if the agency isn't more proactive on the disclosure front. It was foolhardy to believe its tools would remain secret indefinitely. It's especially insane to believe this now.

  • The Rust Programming Language Blog: Security advisory for the standard library

    The Rust team was recently notified of a security vulnerability affecting the standard library’s str::repeat function. When passed a large number this function has an integer overflow which can lead to an out of bounds write. If you are not using str::repeat, you are not affected.

    We’re in the process of applying for a CVE number for this vulnerability. Fixes for this issue have landed in the Rust repository for the stable/beta/master branches. Nightlies and betas with the fix will be produced tonight, and 1.29.1 will be released on 2018-09-25 with the fix for stable Rust.

  • Cloudflare Secures Time With Roughtime Protocol Service

    If time is money, then how important is it to secure the integrity of time itself? Time across many computing devices is often synchronized via the Network Time Protocol (NTP), which isn't a secure approach, but there is another option.

    On Sept. 21, Cloudflare announced that it is deploying a publicly available authenticated time service called Roughtime, based on an open-source project of the same name that was started by Google. Unlike a plain NTP reply, a Roughtime response is signed by the server and covers a nonce chosen by the client, so the client can check that the answer is fresh and was not forged or altered in transit.

    "NTP is the dominant protocol used for time synchronisation and, although recent versions provide for the possibility of authentication, in practice that's not used," Google's project page for Roughtime states. "Most computers will trust an unauthenticated NTP reply to set the system clock meaning that a MITM [man-in-the-middle] attacker can control a victim's clock and, probably, violate the security properties of some of the protocols listed above."

  • DDoS Vulnerability Can Disrupt The Whole Bitcoin Infrastructure [Ed: Latest FUD about Bitcoin. A DDOS attack can disrupt anything at sufficient capacity levels, including Wall Street and ANY financial market.]
  • Crippling DDoS vulnerability put the entire Bitcoin market at risk
  • This Russian botnet mimics your click to prevent Android device factory resets

    According to researchers from Check Point, the botnet has been developed by a group of Russian-speaking hackers known as "The Lucy Gang," and demos have already been provided to potential subscribers to the system looking for Malware-as-a-Service (MaaS) solutions.

    Botnets are a thorn in the side for cybersecurity firms, hosting providers, and everyday businesses alike. The systems are made up of enslaved devices including mobile devices, Internet of Things (IoT) gadgets, and PCs.
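Returning to the Rust str::repeat advisory above: the following is an added example, not the standard library's code or its actual fix, showing the arithmetic at the root of the bug and the checked form that avoids it. It assumes the shape of the unchecked computation (output length = input length times count, multiplied in a release build, where integer overflow wraps instead of panicking); the function names `checked_repeat` and `wrapped_len` are mine, and the real fix in the standard library may differ in detail.

```rust
// Added example, not the Rust standard library's own code or its actual fix.
// In a release build `s.len() * n` wraps silently on overflow, so an
// implementation that sizes its buffer from that product and then copies
// n * len bytes into it without re-checking writes past the buffer's end.
// `checked_mul` turns the overflow into a recoverable error before any
// allocation happens.

/// Repeat `s` `n` times, refusing the request if the output length cannot be
/// represented as a `usize`.
pub fn checked_repeat(s: &str, n: usize) -> Option<String> {
    // `checked_mul` returns None on overflow instead of wrapping.
    let total = s.len().checked_mul(n)?;
    let mut out = String::with_capacity(total);
    for _ in 0..n {
        out.push_str(s);
    }
    Some(out)
}

/// The unchecked length computation, for contrast. Release builds compile a
/// plain `*` on integers to wrapping multiplication, which is what an
/// unchecked implementation would be using to size its buffer.
pub fn wrapped_len(s: &str, n: usize) -> usize {
    s.len().wrapping_mul(n)
}

fn main() {
    println!("{:?}", checked_repeat("ab", 3));
    // Four bytes repeated usize::MAX / 4 + 1 times is exactly 2^(bit width)
    // bytes, which wraps to a computed capacity of zero.
    let n = usize::MAX / 4 + 1;
    println!("wrapped capacity for 4 * {} = {}", n, wrapped_len("abcd", n));
    println!("checked_repeat refuses it: {}", checked_repeat("abcd", n).is_none());
}
```

The checked version fails closed: a caller that asks for an output larger than the address space gets `None` (the standard library's fix panics with a capacity-overflow message instead, which is the same decision expressed differently), and no buffer is ever sized from a wrapped value.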

Security: Updates, Mirai and Singapore's Massive Breach

Filed under
Security
  • Security updates for Friday
  • Mirai botnet hackers [sic] avoid jail time by helping FBI

    The three men, Josiah White, 21, Dalton Norman, 22, and Paras Jha, 22, all from the US, managed to avoid the clink by providing "substantial assistance in other complex cybercrime investigations", according to the US Department of Justice. Who'd have thought young hacker [sic] types would roll over and show their bellies when faced with prison time....

  • A healthcare IT foundation built on gooey clay

    Today, there was a report from the Solicitor General of Singapore about the data breach of the SingHealth systems that happened in July.

    These systems have been in place for many years. They are almost exclusively running Microsoft Windows along with a mix of other proprietary software including Citrix and Allscript. The article referred to above failed to highlight that the compromised “end-user workstation” was a Windows machine. That is the very crucial information that always gets left out in all of these reports of breaches.

    I have had the privilege of being part of an IT advisory committee for a local hospital since about 2004 (that committee disbanded a couple of years ago, btw).

    [...]

    Part of the reason is because decision makers (then and now) only have experience in dealing with proprietary vendor solutions. Some of it might be the only ones available and the open source world has not created equivalent or better offerings. But where there are possibly good enough or even superior open source offerings, they would never be considered – “Rather go with the devil I know, than the devil I don’t know. After all, this is only a job. When I leave, it is someone else’s problem.” (Yeah, I am paraphrasing many conversations and not only from the healthcare sector).

    I recall a project that I was involved with – before being a Red Hatter – to create a “computer on wheels” solution to help with blood collection. As part of that solution, there was a need to check the particulars of the patient who the nurse was taking samples from. That patient info was stored on some admission system that did not provide a means for remote, API-based query. The vendor of that system wanted tens of thousands of dollars to just allow the query to happen. Daylight robbery. I worked around it – did screen scraping to extract the relevant information.

    Healthcare IT providers look at healthcare systems as a cashcow and want to milk it to the fullest extent possible (the end consumer bears the cost in the end).

    Add that to the dearth of technical IT skills supporting the healthcare providers, you quickly fall into that vendor lock-in scenario where the healthcare systems are at the total mercy of the proprietary vendors.

Security: Updates, NewEgg Breach, "Master Password" and CLIP OS

Filed under
Security
  • Security updates for Thursday
  • NewEgg cracked in breach, hosted card-stealing code within its own checkout

    The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

  • "Master Password" Is A Password Manager Alternative That Doesn't Store Passwords

    Master Password is a different way of using passwords. Instead of the "know one password, save all others somewhere" way of managing passwords used by regular password managers, Master Password's approach is "know one password, generate all the others".

  • French cyber-security agency open-sources CLIP OS, a security hardened OS

    The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration.

    In a press release, ANSSI described CLIP OS as a "Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information."

Purism Launches First Security Key with Tamper Evident Protection for Laptops

Filed under
OSS
Security

Developed in partnership with Nitrokey, a company known for manufacturing open-source USB keys that enable secure encryption and signing of data for laptops, Purism's Librem Key is dedicated to Librem laptop users, allowing them to store up to 4096-bit RSA keys and up to 512-bit ECC keys on the security key, as well as to securely generate new keys directly on the device. Librem Key integrates with the secure boot process of the latest Librem 13 and 15 laptops.

"It’s not feasible or healthy to monitor your computing devices every second - and that's especially the case when you travel," says Kyle Rankin, Chief Security Officer at Purism. "With the Librem Key, we are giving Librem users the keys to completely lock their computer if they're in an unfamiliar network environment in the same way one would want to have the keys to their car if they needed to drive to an unfamiliar neighborhood."


Q&A—Red Hat's Brian Gracely on open source and doubling down on Kubernetes

Filed under
Red Hat
OSS
Security

I think a couple of things. I think in general, in terms of filling technology holes and driving new innovation, open source has no problems and no lack of projects right now. In fact, probably the biggest thing we hear from a lot of companies is it's great that there's so much out there, how do we keep up with all of them?

Right now, I think there's a general sentiment from a lot of enterprise companies, telco companies and so forth that most of the innovation that's happening these days is in open source, more so than it is coming from many vendors. So on one hand, that's a really good thing, a really positive thing.

The flip side of that is, because there's so much going on and so many things happening so fast, open source has never been known for being the people that sit and finish up projects. They've always sort of gotten it to a good solid point that does 80% of what you want it to do, or it works well enough but there's not great interfaces and things on it.


WireGuard Picks Up A Simpler Kconfig, Zinc Crypto Performance Fix

Filed under
Linux
Security

WireGuard lead developer Jason Donenfeld sent out the fifth revision of the WireGuard and Zinc crypto library patches this week. Revisions have been arriving frequently, each with a lot of changes, and it is looking like this "secure VPN tunnel" could land in the Linux 4.20~5.0 kernel.

The WireGuard v5 patches bring various low-level code improvements, saner and simpler Kconfig build-time configuration options, and a fix for a performance regression in tcrypt within the Zinc crypto code (it is now even faster than before). There is also a new nosimd module parameter to disable the use of SIMD instructions.


BlackArch Linux Ethical Hacking OS Now Has More Than 2000 Hacking Tools

Filed under
GNU
Linux
Security

The BlackArch Linux penetration testing and ethical hacking computer operating system now has more than 2000 tools in its repositories, announced the project's developers recently.

Used by thousands of hackers and security researchers all over the world, BlackArch Linux is one of the most acclaimed Linux-based operating systems for penetration testing and other security-related tasks. It has its own software repositories that contain thousands of tools.

The OS is based on the famous Arch Linux operating system and follows a rolling release model: users install once and receive updates continuously, with no reinstall needed for a new version (unless they break something that can't be repaired).


Debian Patches for Intel's Defects, Canonical to Fix Ubuntu Security Flaws for a Fee

Filed under
Security
Debian
Ubuntu
  • Debian Outs Updated Intel Microcode to Mitigate Spectre V4 and V3a on More CPUs

    The Debian Project released an updated Intel microcode firmware for users of the Debian GNU/Linux 9 "Stretch" operating system series to mitigate two of the latest Spectre vulnerabilities on more Intel CPUs.

    Last month, on August 16, Debian's Moritz Muehlenhoff announced the availability of an Intel microcode update that provided Speculative Store Bypass Disable (SSBD) support needed to address both the Spectre Variant 4 and Spectre Variant 3a security vulnerabilities.

    However, the Intel microcode update released last month was available only for some types of Intel CPUs, so now the Debian Project released an updated version that implements SSBD support for additional Intel CPU models to mitigate both Spectre V4 and V3a on Debian GNU/Linux 9 "Stretch" systems.

  • Announcing Extended Security Maintenance for Ubuntu 14.04 LTS – “Trusty Tahr” [Ed: Canonical looking to profit from security flaws in Ubuntu like Microsoft does in Windows.]

    Ubuntu is the basis for the majority of cloud-based workloads today. With over 450 million public cloud instances launched since the release of Ubuntu 16.04 LTS, a number that keeps growing every day, many of the largest web-scale deployments are using Ubuntu. This includes financial, big data, media, and many other workloads and use cases, which rely on the stability and continuity of the underlying operating system to provide the mission-critical service their customers rely on.

    Extended Security Maintenance (ESM) was introduced for Ubuntu 12.04 LTS as a way to extend the availability of critical and important security patches beyond the nominal End of Life date of Ubuntu 12.04. Organisations use ESM to address security compliance concerns while they manage the upgrade process to newer versions of Ubuntu under full support. The ability to plan application upgrades in a failsafe environment continues to be cited as the main value for adoption of ESM. With the End of Life of Ubuntu 14.04 LTS in April 2019, and to support the planning efforts of developers worldwide, Canonical is announcing the availability of ESM for Ubuntu 14.04.

  • Canonical Announces Ubuntu 14.04 LTS (Trusty Tahr) Extended Security Maintenance

    Canonical announced today that it would extend its commercial Extended Security Maintenance (ESM) offering to the Ubuntu 14.04 LTS (Trusty Tahr) operating system series starting May 2019.

    Last year on April 28, 2017, when the Ubuntu 12.04 LTS (Precise Pangolin) operating system series reached end of life, Canonical announced a new way for corporate users and enterprises to receive security updates if they wanted to keep their current Ubuntu 12.04 LTS installations and had no plans to upgrade to a newer LTS (Long Term Support) release. The offering was called Extended Security Maintenance (ESM) and had a great success among businesses.
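For the Debian microcode item above, here is an added check (not Debian's or the kernel's code) that tells you whether SSBD-capable microcode is actually in effect on a running Linux system. It assumes two kernel interfaces: the `ssbd` entry in the `flags` line of /proc/cpuinfo, which Linux shows once the CPU (via microcode) advertises Speculative Store Bypass Disable, and the status file /sys/devices/system/cpu/vulnerabilities/spec_store_bypass, whose text begins with "Not affected", "Vulnerable" or "Mitigation:". The function names and the sample inputs are mine. Variant 3a (rogue system register read) has no sysfs entry; for it, the `microcode` revision line in /proc/cpuinfo is the only evidence that the update was applied.

```rust
// Added example, not Debian's or the kernel's code. Installing a microcode
// package is not the same as being mitigated: the CPU has to advertise SSBD
// (the `ssbd` flag) and the kernel has to report that it uses it (sysfs
// status). Both signals are checked here; parsers take text so they can be
// run over constructed samples as well as the live files.
use std::fs;

#[derive(Debug, PartialEq)]
pub enum SsbStatus {
    NotAffected,
    Vulnerable,
    Mitigated(String),
    Unknown(String),
}

/// Classify the contents of the spec_store_bypass sysfs file.
pub fn parse_ssb_status(text: &str) -> SsbStatus {
    let line = text.trim();
    if line == "Not affected" {
        SsbStatus::NotAffected
    } else if line.starts_with("Vulnerable") {
        SsbStatus::Vulnerable
    } else if let Some(detail) = line.strip_prefix("Mitigation:") {
        SsbStatus::Mitigated(detail.trim().to_string())
    } else {
        SsbStatus::Unknown(line.to_string())
    }
}

/// True if any `flags` line in /proc/cpuinfo-style text lists `ssbd`.
/// Exact-token comparison, so e.g. a hypothetical `ssbdx` does not match.
pub fn has_ssbd_flag(cpuinfo: &str) -> bool {
    cpuinfo
        .lines()
        .filter(|l| l.starts_with("flags"))
        .filter_map(|l| l.split_once(':'))
        .any(|(_, flags)| flags.split_whitespace().any(|f| f == "ssbd"))
}

/// The combined verdict: not affected, or mitigated by a kernel that can
/// actually see the SSBD control the new microcode provides.
pub fn ssb_safe(cpuinfo: &str, sysfs_status: &str) -> bool {
    match parse_ssb_status(sysfs_status) {
        SsbStatus::NotAffected => true,
        SsbStatus::Mitigated(_) => has_ssbd_flag(cpuinfo),
        SsbStatus::Vulnerable | SsbStatus::Unknown(_) => false,
    }
}

/// Read the live files; None if either is missing (non-x86, older kernel, or no sysfs).
pub fn check_live() -> Option<bool> {
    let cpuinfo = fs::read_to_string("/proc/cpuinfo").ok()?;
    let status =
        fs::read_to_string("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass").ok()?;
    Some(ssb_safe(&cpuinfo, &status))
}

fn main() {
    // Constructed sample input, not captured from a real machine.
    let cpuinfo_old = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr sse sse2\n";
    let cpuinfo_new = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr sse sse2 ssbd\n";
    let status_new = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n";
    println!("old microcode: {}", ssb_safe(cpuinfo_old, "Vulnerable\n"));
    println!("new microcode: {}", ssb_safe(cpuinfo_new, status_new));
    match check_live() {
        Some(ok) => println!("this machine: {}", ok),
        None => println!("this machine: status files not available"),
    }
}
```

Until the next boot (when the initramfs loads the new microcode), both signals still show the old state, so run the check after rebooting rather than right after `apt upgrade`.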


More in Tux Machines

LAS 2018

  • LAS 2018
    This month I was at my second Libre Application Summit in Denver. A smaller event than GUADEC but personally was my favorite conference so far. One of the main goals of LAS has been to be a place for multiple platforms to discuss the desktop space and not just be a GNOME event. This year two KDE members, @aleixpol and Albert Astals Cid, attended and spoke about the release cycle of KDE Applications, Plasma, and the history of Qt. It is always interesting to see how another project solves the same problems and where there is overlap. The elementary folks were there since this is @cassidyjames home turf who had a great “It’s Not Always Technical” talk as well as a talk with @danrabbit about AppCenter which are both very important areas the GNOME Project needs to improve in. I also enjoyed meeting a few other community members such as @Philip-Scott and talk about their use of elementary’s platform.
  • Developer Center Initiative – Meeting Summary 21st September
    Since last blog post there’s been two Developer Center meetings held in coordination with LAS GNOME Sunday the 9th September and again Friday the 21st September. Unfortunately I couldn’t attend the LAS GNOME meeting, but I’ll cover the general progress made here.

The "Chinese EPYC" Hygon Dhyana CPU Support Still Getting Squared Away For Linux

The Linux kernel patches for the Hygon Dhyana first appeared back in June. The Dhyana is a new x86 processor based on AMD Zen/EPYC technology, licensed by Chengdu Haiguang IC Design Co for use in Chinese data centers. While the patches have been out for months, they haven't reached the mainline kernel quite yet, but that might change next cycle. The Hygon Dhyana Linux kernel patches have gone through several revisions, and the code is mostly adapting existing AMD Linux kernel code paths for Zen/EPYC to do the same on these new processors. While these initial Hygon CPUs appear to basically be re-branded EPYC CPUs, the identifiers are different: rather than AMD Family 17h it is now Family 18h, the CPU vendor ID is "HygonGenuine", and it carries a new PCI Express device vendor ID, etc. So the different areas of the kernel, from CPUFreq to KVM/Xen virtualization to Spectre V2 mitigations, had to be updated for the correct behavior.

Good Support For Wayland Remote Desktop Handling On Track For KDE Plasma 5.15

The KDE Plasma 5.15 release due out next year will likely be in good shape for Wayland remote desktop handling. The KDE Plasma/KWin developers have been pursuing Wayland remote desktop support along a similar route to the GNOME Shell camp, making use of PipeWire and the XDG-Desktop-Portal. Bits are already in place in KDE Plasma 5.13 and the upcoming 5.14 release, but 5.15 is where it sounds like the support may be in good shape for end users.

Linux developers threaten to pull “kill switch”

Linux powers the internet, the Android in your pocket, and perhaps even some of your household appliances. A controversy over politics is now seeing some of its developers threaten to withdraw the license to all of their code, potentially making the whole Linux kernel unusable for a very long time.