Security

LWN on Security: Updates, fs-verity, Spectre, Qubes OS/CopperheadOS

Filed under
Linux
Security
  • Security updates for Wednesday
  • Protecting files with fs-verity

    The developers of the Android system have, among their many goals, the wish to better protect Android devices against persistent compromise. It is bad if a device is taken over by an attacker; it's worse if it remains compromised even after a reboot. Numerous mechanisms for ensuring the integrity of installed system files have been proposed and implemented over the years. But it seems there is always room for one more; to fill that space, the fs-verity mechanism is being proposed as a way to protect individual files from malicious modification.

    The core idea behind fs-verity is the generation of a Merkle tree containing hashes of the blocks of a file to be protected. Whenever a page of that file is read from storage, the kernel ensures that the hash of the page in question matches the hash in the tree. Checking hashes this way has a number of advantages. Opening a file is fast, since the entire contents of the file need not be hashed at open time. If only a small portion of the file is read, the kernel never has to bother reading and checking the rest. It is also possible to catch modifications made to the file after it has been opened, which will not be caught if the hash is checked at open time.

  • Strengthening user-space Spectre v2 protection

    The Spectre variant 2 vulnerability allows the speculative execution of incorrect (in an attacker-controllable way) indirect branch predictions, resulting in the ability to exfiltrate information via side channels. The kernel has been reasonably well protected against this variant since shortly after its disclosure in January. It is, however, possible for user-space processes to use Spectre v2 to attack each other; thus far, the mainline kernel has offered relatively little protection against such attacks. A recent proposal from Jiri Kosina may change that situation, but there are still some disagreements around the details.

    On relatively recent processors (or those with suitably patched microcode), the "indirect branch prediction barrier" (IBPB) operation can be used to flush the branch-prediction buffer, removing any poisoning that an attacker might have put there. Doing an IBPB whenever the kernel switches execution from one process to another would defeat most Spectre v2 attacks, but IBPB is seen as being expensive, so this does not happen. Instead, the kernel looks to see whether the incoming process has marked itself as being non-dumpable, which is typically only done by specialized processes that want to prevent secrets from showing up in core dumps. In such cases, the process is deemed to be worth protecting and the IBPB is performed.

    Kosina notes that only a "negligible minority" of the code running on Linux systems marks itself as non-dumpable, so user space on Linux systems is essentially unprotected against Spectre v2. The solution he proposes is to use IBPB more often. In particular, the new code checks whether the outgoing process would be able to call ptrace() on the incoming process. If so, the new process can keep no secrets from the old one in any case, so there is no point in executing an IBPB operation. In cases where ptrace() would not succeed, though, the IBPB will happen.

  • Life behind the tinfoil curtain

    Security and convenience rarely go hand-in-hand, but if your job (or life) requires extraordinary care against potentially targeted attacks, the security side of that tradeoff may win out. If so, running a system like Qubes OS on your desktop or CopperheadOS on your phone might make sense, which is just what Konstantin Ryabitsev, Linux Foundation (LF) director of IT security, has done. He reported on the experience in a talk [YouTube video] entitled "Life Behind the Tinfoil Curtain" at the 2018 Linux Security Summit North America.

    He described himself as a "professional Russian hacker" from before it became popular, he said with a chuckle. He started running Linux on the desktop in 1998 (perhaps on Corel Linux, which he does not think particularly highly of) and has been a member of the LF staff since 2011. He has been running Qubes OS on his main workstation since August 2016 and CopperheadOS since September 2017. He stopped running CopperheadOS in June 2018 due to the upheaval at the company, but he hopes to go back to it at some point—"maybe".

Parrot 4.2.2 release notes

Filed under
GNU
Linux
Security

We are proud to announce the release of Parrot 4.2.

It was a very problematic release for our team because of the many important updates under the hood of a system that looks almost identical to its previous release, except for a new background designed by Federica Marasà and a new graphic theme (ARK-Dark).

Security: Windows, EMC, Apache and Tor

Filed under
Security

Security Leftovers

Filed under
Security
  • Does Publicly Shaming Companies Improve Security?

    You might think security teams inside big companies hate it when researchers and the press point out vulnerabilities, but that’s not always the case.

    Security teams are just one voice among many, and often they have trouble convincing bosses that security and privacy should be a priority. An embarrassing story in the press can change that quickly.

  • Security updates for Tuesday
  • Mozilla Security Blog: Protecting Mozilla’s GitHub Repositories from Malicious Modification

    At Mozilla, we’ve been working to ensure our repositories hosted on GitHub are protected from malicious modification. As the recent Gentoo incident demonstrated, such attacks are possible.

    Mozilla’s original usage of GitHub was an alternative way to provide access to our source code. Similar to Gentoo, the “source of truth” repositories were maintained on our own infrastructure. While we still do utilize our own infrastructure for much of the Firefox browser code, Mozilla has many projects which exist only on GitHub. While some of those projects are just experiments, others are used in production (e.g. Firefox Accounts). We need to protect such “sensitive repositories” against malicious modification, while also keeping the barrier to contribution as low as practical.

    This describes the mitigations we have put in place to prevent shipping (or deploying) from a compromised repository. We are sharing both our findings and some tooling to support auditing. These add the protections with minimal disruption to common GitHub workflows.

    The risk we are addressing here is the compromise of a GitHub user’s account, via mechanisms unique to GitHub. As the Gentoo and other incidents show, when a user account is compromised, any resource the user has permissions to can be affected.

OpenSSL 1.1.1 Is Released

Filed under
OSS
Security

After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.

Also: OpenSSL 1.1.1 Released With TLS 1.3 Support, Better Fends Off Side-Channel Attacks

Security Leftovers

Filed under
Security
  • Greens happy big tech has spoken out against encryption backdoors

    Australian Greens' Digital Rights spokesperson Senator Jordon Steele-John says he is thrilled that some of the world's big technology firms have put the privacy of their users ahead of their own profits by condemning the Federal Government's Assistance and Access Bill.

  • Hackers Can Steal a Tesla Model S in Seconds by Cloning Its Key Fob

    Tesla has taken plenty of innovative steps to protect the driving systems of its kitted-out cars against digital attacks. It's hired top-notch security engineers, pushed over-the-internet software updates, and added code integrity checks. But one team of academic hackers has now found that Tesla left its Model S cars open to a far more straightforward form of hacking: stealthily cloning the car's key fob in seconds, opening the car door, and driving away.

    A team of researchers at the KU Leuven university in Belgium on Monday plan to present a paper at the Cryptographic Hardware and Embedded Systems conference in Amsterdam, revealing a technique for defeating the encryption used in the wireless key fobs of Tesla's Model S luxury sedans. With about $600 in radio and computing equipment, they can wirelessly read signals from a nearby Tesla owner's fob. Less than two seconds of computation yields the fob's cryptographic key, allowing them to steal the associated car without a trace. "Today it’s very easy for us to clone these key fobs in a matter of seconds," says Lennert Wouters, one of the KU Leuven researchers. "We can completely impersonate the key fob and open and drive the vehicle."

  • Tesla Model S Can Be Hacked In Seconds With This Raspberry Pi-powered Equipment

    Tesla is the epitome of innovation combined with unmatched features, including utmost comfort and tight security that provides a completely digitized driving experience. However, it seems that hackers are always a step ahead.

    Researchers from KU Leuven University in Belgium were successful in hacking the key fob of the Tesla Model S with equipment worth $600.

  • Reproducible Builds: Weekly report #176
  • Helping IoT developers to assess ethics, privacy, and social impact

    GDPR (General Data Protection Regulation) introduces a mandatory Data Protection Impact Assessment. This is to help organisations to identify and minimise the data protection risks of a project to individuals. But there are other consequences to collecting and using personal data beyond privacy and data protection considerations. We should also be thinking about the ethical and societal outcomes of what we do with data. Open Rights Group (ORG) is exploring these issues as part of the VIRT-EU consortium alongside the London School of Economics, Uppsala University, Polytechnic University of Turin, and Copenhagen Institute for Interaction Design.

    The project is researching Internet of Things (IoT) development and development culture. It is also creating tools and frameworks to help foster ethical thinking among IoT developers. One of these tools will be the Privacy Ethical and Social Impact Assessment (PESIA), which augments and interacts with the Data Protection Impact Assessment from GDPR. The PESIA is being developed predominantly by Alessandro Mantelero at the Polytechnic University of Turin with the help of ORG. It will be a voluntary, self-assessment tool to help organisations who collect and process personal data to assess the wide variety of risks and repercussions related to how they use data.

Security: Updates, Open Source Security Podcast, U2F and RNG

Filed under
Security
  • Security updates for Monday
  • Open Source Security Podcast: Episode 113 - Actual real security advice

    Josh and Kurt talk about actual real world advice. Based on a story about trying to secure political campaigns, if we had to give some security help what should it look like, who should we give it to?

  • Firefox 60, Yubikey, U2F vs my Google Account

    Yes, you can use Firefox 60 in Debian/stretch with your U2F device to authenticate your Google account, but you've to use Chrome for the registration.

  • You Can Now Tell Linux At Boot-Time If You Don't Trust Your CPU Random Number Generator

    Covered on Phoronix back during the Linux 4.19 kernel merge window was the new option for distribution vendors or those compiling their own Linux kernel to decide whether you trust the CPU's random number generator. That compile-time functionality has now been re-worked to allow for a boot-time option so users can more easily indicate whether they trust their own processor's RNG.

    The Linux 4.19 merge window brought the RANDOM_TRUST_CPU Kconfig option for indicating at the kernel's compilation time if you should trust the CPU's built-in hardware random number generator on the likes of AMD, IBM s390/POWER, Intel, and other CPU RNG implementations. The trustworthiness of modern hardware random number generators is hotly debated whether they may be back-doored for use by spy agencies or other rogue actors given past influence by the NSA and other organizations.

Red Hat dev questions why older Linux kernels are patched quietly

Filed under
Linux
Security

A Linux developer who works for the biggest open source vendor Red Hat has questioned why security holes in older Linux kernels — those that are listed as having long-term support — are being quietly patched by senior kernel maintainer Greg Kroah-Hartman, who is more or less deputy to Linux creator Linus Torvalds, without issuing the standard CVE advisories.

Last week, Wade Mealing raised questions with Kroah-Hartman about a specific patch that fixed a flaw that could lead to a denial of service.

Security: Dell EMC VPlex GeoSynchrony, Fail2ban, Marcus Hutchins, British Airways

Filed under
Security
  • Dell EMC VPlex GeoSynchrony Users Requested to Upgrade to v6.1 to Avoid Insecure File Permissions Vulnerability
  • Fail2ban

    Fail2ban has some good features. I don’t think it will do much good at stopping account compromise as anything that is easily guessed could be guessed using many IP addresses and anything that has a good password can’t be guessed without taking many years of brute-force attacks while also causing enough noise in the logs to be noticed. What it does do is get rid of some of the noise in log files which makes it easier to find and fix problems. To me the main benefit is to improve the signal to noise ratio of my log files.

  • UK security researcher Hutchins claims he once persuaded attacker to stop DDoS

    British security researcher Marcus Hutchins, who is awaiting trial in the US over allegations that he created and helped distribute a banking trojan, has claimed that on one occasion in the past he located and contacted an attacker who had launched a massive DDoS attack in the UK, and asked the individual who was behind it to desist from doing so, a request that was ultimately heeded.

  • BA site breach through XSS flaw, says tech firm chief

    The British Airways website breach appears to have been done through a cross-site scripting flaw, according to the chief executive of a Web automation company in the UK.

  • Researcher says BA changed site JavaScript code a day before hack

    A well-known security researcher claims that, between 20 July and 20 August, British Airways changed the third-party JavaScript code it loads on its website as a result of a privacy complaint he had made.

Security: Google and Tesla

Filed under
Security
  • Google and Certbot (Letsencrypt)

    It turns out that Google Safebrowsing had listed those two sites. Visit https://listen.gw90.de/ or https://mail.gw90.de/ today (and maybe for some weeks or months in the future) using Google Chrome (or any other browser that uses the Google Safebrowsing database) and it will tell you the site is “Dangerous” and probably refuse to let you in.

    One thing to note is that neither of those sites has any real content, I only set them up in Apache to get SSL certificates that are used for other purposes (like mail transfer as the name suggests). If Google had listed my blog as a “Dangerous” site I wouldn’t be so surprised, WordPress has had more than a few security issues in the past and it’s not implausible that someone could have compromised it and made it serve up hostile content without me noticing. But the two sites in question have a DocumentRoot that is owned by root and was (until a few days ago) entirely empty, now they have an index.html that just says “This site is empty”. It’s theoretically possible that someone could have exploited an RCE bug in Apache to make it serve up content that isn’t in the DocumentRoot, but that seems unlikely (why waste an Apache 0day on one of the less important of my personal sites). It is possible that the virtual machine in question was compromised (a VM on that server has been compromised before [1]) but it seems unlikely that they would host bad things on those web sites if they did.

    Now it could be that some other hostname under that domain had something inappropriate (I haven’t yet investigated all possibilities). But if so Google’s algorithm has a couple of significant problems, firstly if they are blacklisting sites related to one that had an issue then it would probably make more sense to blacklist by IP address (which means including some coker.com.au entries on the same IP). In the case of a compromised server it seems more likely to have multiple bad sites on one IP than multiple bad subdomains on different IPs (given that none of the hostnames in question have changed IP address recently and Google of course knows this). The next issue is that extending blacklisting doesn’t make sense unless there is evidence of hostile intent. I’m pretty sure that Google won’t blacklist all of ibm.com when (not if) a server in that domain gets compromised. I guess they have different policies for sites of different scale.

  • Google Chrome’s New Password Manager: All You Need To Know & How To Use It [Ed: Google wants you to give it all of your passwords. Foolishly forgetting that, according to Snowden's leaks, the US government too gets access to those]

    Google Chrome Password suggestion

    Similar to other Password managers out there, Chrome has added native support for password suggestions. In other words, when you will type in a new password, Chrome browser will automatically generate a password suggestion for you.

    This undoubtedly leaves out the question of using those puppy names and including your first name in your passwords. Now, don’t ask me why they are considered weak passwords.

  • Google slammed for Chrome change that strips out 'www' from domains [iophk: "machines have names for a reason, this breaks the web"]

    Google's move to strip out the www in domains typed into the address bar, beginning with version 69 of its Chrome browser, has drawn an enormous amount of criticism from developers who see the move as a bid to cement the company's dominance of the Web.

  • Tesla Launches Bounty Program; Allows Good Faith Hackers To Inspect Firmware
  • Cory Doctorow: Big Tech: We Can Do Better Than Constitutional Monarchies

    Which brings me to the techlash: the post-Brexit, post-Trump, post-Equifax turning point where suddenly a lot of people start to pay attention to the rules we set for technology users, companies, and practitioners.

    I’m genuinely delighted that this moment has arrived. Tech policy is like climate change: every year we fail to fix it is a year that we accumulate more bad tech debt (insecure systems full of sensitive data and attached to machines, sensors and actuators that can harm or kill us). We are in a race between the point of no return, when it’s too late to fix things, and the point of “peak indifference,” when the number of people who care starts to rise of its own accord, thanks to the gaudy disasters detonating all around us.

    But it’s not enough to do something: we have to do something good. And we’re getting it really wrong.
