And More Security Leftovers

  • The NyaDrop Trojan for Linux-running IoT Devices
  • Flaw resides in BTB helps bypass ASLR
  • Thoughts on the BTB Paper

    Though the attack might have some merits with regards to KASLR, the attack on ASLR is completely debunked. The authors of the paper didn't release any supporting code or steps for independent analysis and verification. The results, therefore, cannot be trusted until the authors fully open source their work and the work is validated by trusted and independent third parties.

  • Spreading the DDoS Disease and Selling the Cure

    Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.

More Security News (and FUD)

CVE-2016-5195 Patched

  • Linux Kernels 4.8.3, 4.7.9 & 4.4.26 LTS Out to Patch "Dirty COW" Security Flaw

    Today, October 20, 2016, Linux kernel maintainer Greg Kroah-Hartman announced three new maintenance updates for the Linux 4.8, 4.7, and 4.4 LTS kernel series, patching a major security vulnerability.

    Known as "Dirty COW," the Linux kernel vulnerability documented at CVE-2016-5195 is, in fact, a nasty bug that could have allowed local users to write to any file they can read. The worst part is that the security flaw was present in various Linux kernel builds since at least the Linux 2.6.x series, which reached end of life in February this year.

  • Canonical Patches Ancient "Dirty COW" Kernel Bug in All Supported Ubuntu OSes

    As reported earlier, three new Linux kernel maintenance releases arrived for various Linux-based operating systems, patching a critical and ancient bug popularly known as "Dirty COW."

    We already told you that the kernel vulnerability could be used by a local attacker to run programs as an administrator, and it looks like it also affects all supported Ubuntu releases, including Ubuntu 16.10 (Yakkety Yak), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 LTS (Precise Pangolin), as well as all of their official or unofficial derivatives running the same kernel builds.

Security News

  • Security advisories for Thursday
  • More information about Dirty COW (aka CVE-2016-5195)

    The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.

  • CVE-2016-5195

    My prior post showed my research from earlier in the year at the 2016 Linux Security Summit on kernel security flaw lifetimes. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Due to their rarity, the Critical bug average has now jumped from 3.3 years to 5.2 years. There aren’t many, but, as I mentioned, they still exist, whether you know about them or not. CVE-2016-5195 was sitting on everyone’s machine when I gave my LSS talk, and there are still other flaws on all our Linux machines right now. (And, I should note, this problem is not unique to Linux.) Dealing with knowing that there are always going to be bugs present requires proactive kernel self-protection (to minimize the effects of possible flaws) and vendors dedicated to updating their devices regularly and quickly (to keep the exposure window minimized once a flaw is widely known).

  • “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

    While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

  • Linux users urged to protect against 'Dirty COW' security flaw

    Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed ‘Dirty COW’.

    This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild.

    Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used.

    "The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.

  • Hackers Hit U.S. Senate GOP Committee

    The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC).


    Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software.

    De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data.

    According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published.

    But De Groot said the hackers behind this scheme are continuing to find new sites to compromise.

    “Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”

  • Thoughts on the BTB Paper

    The Branch Target Buffer (BTB) whitepaper presents some interesting information. It details potential side-channel attacks by utilizing timing attacks against the branch prediction hardware present in Intel Haswell processors. The article does not mention Intel processors later than Haswell, such as Broadwell or Skylake.

    Side-channel attacks are always interesting and fun. Indeed, the authors have stumbled into areas that need more research. Their research can be applicable in certain circumstances.

    As a side-note, KASLR in general is rather weak and can be considered a waste of time[1]. The discussion why is outside the scope of this article.

Linux users urged to protect against 'Dirty COW' security flaw


Also: New Debian Linux Kernel Update Addresses "Dirty COW" Bug, Three Security Issues

Why Security Distributions Use Debian

What do distributions like Qubes OS, Subgraph, Tails, and Whonix have in common? Besides an emphasis on security and privacy, all of them are Debian derivatives -- and, probably, this common origin is not accidental.

At first, this trend seems curious. After all, other distributions ranging from Slackware and Gentoo to Arch Linux all emphasize security and privacy in their selection of tools. In particular, Fedora's SELinux can be so restrictive that some users would rather disable it than learn how to configure it. By contrast, while Debian carries many standard security and privacy tools, it has seldom emphasized them.

Similarly, Debian's main branch consists of only free and open source software, its contrib and non-free branches not being official parts of the distribution. With many security experts favoring the announcement of vulnerabilities and exploit code rather than relying on security through obscurity, the way that many pieces of proprietary software do, this transparency has obvious appeal.

Yet although the advantage of free software to security and privacy is that the code can be examined for backdoors and malware, this advantage is hardly unique to Debian. To one degree or another, it is shared by all Linux distributions.

More from Susan: Why Use Linux, Systemd Complications, Debian's Security

Security News

  • Security advisories for Wednesday
  • Security bug lifetime

    In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.

  • Reproducible Builds: week 77 in Stretch cycle

    After discussions with HW42, Steven Chamberlain, Vagrant Cascadian, Daniel Shahaf, Christopher Berg, Daniel Kahn Gillmor and others, Ximin Luo has started writing up more concrete and detailed design plans for setting SOURCE_ROOT_DIR for reproducible debugging symbols, buildinfo security semantics and buildinfo security infrastructure.

  • Veracode security report finds open source components behind many security vulnerabilities [Ed: not a nice firm]

Security Leftovers

Security News

  • Tuesday's security updates
  • Critical flaws found in open-source encryption software VeraCrypt [Ed: TrueCrypt was never really FOSS]

    A new security audit has found critical vulnerabilities in VeraCrypt, an open-source, full-disk encryption program that's the direct successor of the widely popular, but now defunct, TrueCrypt.

    Users are encouraged to upgrade to VeraCrypt 1.19, which was released Monday and includes patches for most of the flaws. Some issues remain unpatched because fixing them requires complex changes to the code and in some cases would break backward compatibility with TrueCrypt.

    However, the impact of most of those issues can be avoided by following the safe practices mentioned in the VeraCrypt user documentation when setting up encrypted containers and using the software.

  • Veracode: open source is creating 'systematic risks' across companies and industries [Ed: this company routinely smears FOSS]

    SECURITY FIRM VERACODE has released a damning report into open source and third-party software components and warned that, for example, almost all Java applications are blighted with at least one problem.

  • Why is Java so insecure? Buggy open source components take the blame

    Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

    Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

  • Parrot Security 3.2 “CyberSloop” Ethical Hacking Linux Distro Available For Download

    Earlier this year, I prepared a list of the top operating systems used for ethical hacking purposes. In that list, Parrot Security OS ranked at #2. It’s developed by Frozenbox Network and released under the GNU/GPL v3 license. A couple of days ago, Parrot Security 3.2 ethical hacking Linux distro arrived. The new version of this popular operating system is codenamed CyberSloop and it’s based on the Debian GNU/Linux 9 Stretch.

    Parrot Security 3.1 version arrived long back in July. Compared to that, the new version has taken a while due to some buggy packages in the Debian Testing repository that Parrot Security team had to fix themselves. In particular, the bug being discussed here is the latest GTK updates that broke the MATE interface.

  • Linux-run IoT devices under attack by NyaDrop [Ed: Devices with open ports and identical passwords across the board are not secure; not “Linux” issue]

    Internet of Things (IoT) devices running on the open-source Linux OS are under attack from NyaDrop.

    The attack loads malware on IoT devices lacking appropriate security after brute forcing default login credentials, according to a report by David Bisson for Graham Cluley Security News. The code achieves this by parsing its list of archived usernames and passwords. Once authenticated, NyaDrop is installed. The lightweight binary then loads other malware onto the infected device.

More in Tux Machines

More Games for GNU/Linux

  • Humble Gems Bundle Goes Live, Offers Chroma Squad For Peanuts
    Wallets at the ready as Humble Gems Bundle is now live, a pay-what-you-can-be-bothered-to-palooza offering a selection of hitherto undiscovered indie gaming marvels. Alright, they’re all games that you’ve probably heard of before, certainly if you’re an active fan of the indie gaming scene.
  • Civilization 6 Linux Release Teased By Aspyr?
    Recently, Aspyr Media confirmed that they’ll be doing a Civilization 6 Linux release soon. Currently, Civilization 6 is live on both PC and Mac. Will Aspyr Media release concrete details about the Civilization 6 Linux release in the next few days?
  • Playstation 4 Linux Hack May Show 4.01 Vulnerability
    A new video about a Playstation 4 Linux hack may have shown a vulnerability in the 4.01 firmware update that came out for the Playstation 4 a few weeks ago. The hacking news came from a video at the GeekPwn 2016 convention in Shanghai, China, where the hacking was shown via a live demo. In this demo, a pair of Chinese computer users use a Linux computer and the Webkit browser, which is used to inject a certain exploit into the Playstation 4. One cut later, and a command line prompt appears that is then used to play Super Mario Bros. While the first use for it in the live demo is innocuous, the fact that this is even possible points once again to possible holes in the Playstation’s security.
  • PlayStation 4 hack enables Linux on recent Sony firmware
    A showcase event at this week’s GeekPwn conference in Shanghai suggests that Sony’s PlayStation 4 has been hacked, as a recently released video shows the console running an unsanctioned Linux build courtesy of a web browser exploit. While details regarding the hack are not yet known, a browser-based security issue in PS4 firmware version 4.01 could potentially allow users to root the upcoming PlayStation 4 Pro console in order to run unlicensed applications and games.

Red Hat News

Fedora News

  • F24 Updated ISOs available. (Kernel with Dirty Cow Patched)
    It is with great pleasure to announce that the Community run respin team has yet another Updated ISO round. This round carries the 4.7.9-200 kernel along with over 800 MB of updates (avg, some Desktop Environments more, some less) since the Gold release back in June.
  • Fedora-powered computer lab at our university
  • LinuxCon EU 2016
    LinuxCon EU 2016 took place from Oct 4-6 in Berlin, Germany. LinuxCon is one of the biggest FOSS conferences where developers, sys admins, architects and all levels of technical talent gather together under one roof for three days. Since I am currently living in Berlin, there was no way I could miss this conference – even though the tickets for attending the full conference were around 1000 euros and way out of my league as a student researcher. Thankfully, I was awarded the Minority scholarship by Linux Foundation to attend the conference (including the talks and workshops) – and also the Women in Open Source Lunch and some other evening events! I was also a part of the Fedora ‘crew’ at LinuxCon and helping out with Fedora Booth!
  • Fedora at LinuxCon Europe 2016
    The Fedora community has been at all European editions since 2011 and this is a report from the last one, which took place on Oct 4-6.
  • Need a New Wallpaper? Fedora 25 Has You Covered
  • Flatpak 0.6.13 Universal Linux Binary Format Is a Major Update with New Features
    Today, October 25, 2016, Alex Larsson had the great pleasure of announcing the release of Flatpak 0.6.13, a new major update for the universal binary package format for GNU/Linux distributions. For those not in the know, Flatpak is an application container that lets you package your open source project as a standalone binary that can be easily distributed across multiple Linux-based operating systems, independent of the package manager of that particular OS. Flatpak 0.6.13 is now the latest version, coming three weeks after Flatpak 0.6.12, and it looks like it's the biggest so far, bringing app layering support to flatpak-builder, as well as support for extension directories.
  • Flatpak 0.6.13 Released With Many Changes
  • Distributing spotify as a flatpak

Tizen News

  • Samsung Z2 is now available on Flipkart and Snapdeal in India
    With the intention to make Samsung’s latest Tizen-based smartphone, the Samsung Z2, reach out to possible customers all across India, the company has now partnered with two more e-commerce giants, Flipkart and Snapdeal. This partnership comes just a month after the company started distributing the Z2 via Amazon India, prior to which Paytm was the only exclusive online store to get hold of the smartphone.
  • Samsung Z1 Firmware / Software update for Bangladesh – CPI1
  • Tech Webinar: Knox Tizen Wearable SDK – October 27, 2016
    Here is something for our developer community out there who are interested in the Knox Tizen Wearable SDK. Tomorrow, there is a special webinar taking place online entitled Build powerful and secure apps on the Samsung Gear S3. Wearables are growing in popularity in the enterprise space and many businesses are seeing the benefit of integrating a wearable device into their business processes. In the consumer market they are doing well, as only yesterday we reported that Samsung had a year-over-year growth of 9% to currently have 15% of the smartwatch market, whilst the majority of other vendors saw their market share decline. Apple has been severely hit with almost a 72% decline.
  • Relax, Samsung Gear S3 Still on Schedule for November Release, Despite Note 7 Crisis
    According to a Korean report, Samsung are said to be slowing down some of their future projects due to the battery issues encountered by the Note 7. This knock-on effect was due to the fact that some of these projects would potentially make use of cloud and iris recognition technologies that the Note 7 was to come integrated with. Also, billions of lost dollars in revenue have made the tech giant rethink its approach to future tech.
  • Game: Cyberline Racing for Samsung Z1, Z2 and Z3
  • ARTIK 0 and ARTIK 7, New additions to SAMSUNG ARTIK Smart IoT platform