
GnuTLS and reproducible builds

Filed under
GNU
Security
  • [Older] Improving by simplifying the GnuTLS PRNG

    One of the most unwanted baggages for crypto implementations written prior to this decade is the (pseudo-)random generator, or simply PRNG. Speaking for GnuTLS, the random generator was written at a time when devices like /dev/urandom did not come by default on widely used operating systems, and even if they did, they were not universally available, e.g., devices would not be present, the Entropy Gathering Daemon (EGD) was something that was actually used in practice, and it was common for software libraries like libgcrypt to include code to gather entropy on a system by running arbitrary command line tools.

  • [Older] GNUtls: GnuTLS 3.5.10

    Released GnuTLS 3.5.11 which is a bug fix release in the stable branch.

  • [Older] Practical basics of reproducible builds

    One issue though: people have to trust me -- and my computer's integrity.
    Reproducible builds could address that.

    My release process is tightly controlled, but is my project reproducible? If not, what do I need? Let's check!

  • [Older] Practical basics of reproducible builds 2

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Alleged Spam King Pyotr Levashov Arrested

    Levashov is currently listed as #7 in the world’s Top 10 Worst Spammers list maintained by anti-spam group Spamhaus.

  • Oh my Microsoft Word: Dridex hackers exploit unpatched flaw

    Cybercrooks are actively exploiting an unpatched Microsoft Word vulnerability to distribute the Dridex banking trojan, claim researchers.

    Booby-trapped emails designed to spread the cyber-pathogen have been sent to hundreds of thousands of recipients across numerous organisations, according to email security firm Proofpoint.

    The switch to document exploits by the hackers represents a change of tactics by a group that previously leaned heavily on malicious macros to distribute their wares.

  • Critical Word 0-day is only 1 of 3 Microsoft bugs under attack

    A zero-day code-execution vulnerability in Microsoft Office is one of three critical flaws under active attack in the wild [...]

  • Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes

    Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers.

    In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead scattered details of changes across a new portal: Microsoft's Security Update Guide.

  • Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)

    In this blog post we'll continue our journey into gaining remote kernel code execution, by means of Wi-Fi communication alone. Having previously developed a remote code execution exploit giving us control over Broadcom’s Wi-Fi SoC, we are now left with the task of exploiting this vantage point in order to further elevate our privileges into the kernel.

Security Leftovers

Filed under
Security
  • Unraveling the Lamberts Toolkit

    Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.

    Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high profile organization in Europe.

    Since at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.

  • New malware gives CCTV DVRs amnesia
  • Amnesia malware turns DVRs into botnet slaves

    According to a blog post from IT security company Palo Alto Networks, a new variant of the IoT/Linux botnet Tsunami, which it calls Amnesia, targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in DVR devices manufactured by TVT Digital and branded by over 70 vendors worldwide.

  • Canadian Web Hosting Deploys Imunify360 to Protect and Secure Linux Servers
  • Simple Server Hardening, Part II

    In my last article, I talked about the classic, complicated approach to server hardening you typically will find in many hardening documents and countered it with some specific, simple hardening steps that are much more effective and take only a few minutes. While discussing how best to harden SSH and sudo can be useful, in a real infrastructure, you also have any number of other services you rely on and also want to harden.

    So instead of choosing specific databases, application servers or web servers, in this follow-up article, I'm going to extend the topic of simple hardening past specific services and talk about more general approaches to hardening that you can apply to software you already have running as well as to your infrastructure as a whole. I start with some general security best practices, then talk about some things to avoid and finally finish up with looking at some areas where sysadmin and security best practices combine.

  • Solaris admins! Look out – working remote root exploit leaked in Shadow Brokers dump

    Now that the sulky Shadow Brokers gang has leaked its archive of stolen NSA exploits, security experts are trawling Uncle Sam's classified attack code – and the results aren't good for anyone using Oracle's Solaris.

    Matthew Hickey, cofounder of British security shop Hacker House, has been going through the dumped files, which once belonged to the spy agency's Equation Group and are now handily mirrored on GitHub. Hickey today identified two key programs – EXTREMEPARR and EBBISLAND – that can escalate a logged-in user's privileges to root, and obtain root access remotely over the network, on Solaris boxes running versions 6 to 10 on x86 and Sparc, and possibly also the latest build, version 11.

Security Leftovers

Filed under
Security
  • Hackers Set Off Dallas' 156 Warning Sirens Dozens Of Times

    So we've talked repeatedly how the shoddy security in most "internet of things" devices has resulted in increasingly-vulnerable home networks, as consumers rush to connect not-so-smart fridges, TVs and tea kettles to the home network. But this failure extends well beyond the home, since these devices have also resulted in historically-large DDoS attacks as this hardware is compromised and integrated into existing botnets (often in just a matter of minutes after being connected to the internet).

    Whether it's the ease in which a decidedly-clumsy ransomware attacker was able to shut down San Francisco's mass transit system, or the fact that many city-connected devices like speed cameras often feature paper mache security, you can start to see why some security experts are worried that there's a dumpster fire brewing that will, sooner rather than later, result in core infrastructure being compromised and, potentially, mass fatalities. If you ask security experts like Bruce Schneier, this isn't a matter of if -- it's a matter of when.

  • OLE 0day affects nearly all versions of Microsoft Word

    McAfee revealed some details of the attack just before the weekend

  • NATO warns of IPv6 security concerns that network intrusion detection systems may miss

    Namely, NIDS such as Bro, Moloch, Snort, and Suricata were found to be ineffective against the researchers’ proofs of concept.

  • Banks scramble to fix old systems as IT 'cowboys' ride into sunset

    The stakes are especially high for the financial industry, where an estimated $3 trillion in daily commerce flows through COBOL systems. The language underpins deposit accounts, check-clearing services, card networks, ATMs, mortgage servicing, loan ledgers and other services.

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • The obvious answer is never the secure answer

    One of the few themes that comes up time and time again when we talk about security is how bad people tend to be at understanding what's actually going on. This isn't really anyone's fault, we're expecting people to go against what is essentially millions of years of evolution that created our behaviors. Most security problems revolve around the human being the weak link and doing something that is completely expected and completely wrong.

    This brings us to a news story I ran across that reminded me of how bad humans can be at dealing with actual risk. It seems that peanut free schools don't work. I think most people would expect a school that bans peanuts to have fewer peanut related incidents than a school that doesn't. This seems like a no brainer, but if there's anything I've learned from doing security work for as long as I have, the obvious answer is always wrong.

  • BrickerBot malware zeroes in on Linux-based IoT devices

    In its 2017 malware forecast, SophosLabs warned that attackers would increasingly target devices connected to the Internet of Things (IoT) – everything from webcams to internet-connecting household appliances. Late last week, we saw another example of how the trend is playing out.

  • Brick House? New Malware Destroys Vulnerable IoT Devices
  • The New BrickerBot Internet of Things Malware
  • IoT malware starts showing destructive behavior
  • Georgia Tech finds subtle Linux vulnerability

    Uninitialised variables are a critical attack vector that can be reliably exploited by hackers to launch privilege escalation attacks in the Linux kernel, according to research at the Georgia Institute of Technology.

  • The Root Cause of Input-Based Security Vulnerabilities – Don’t Fear the Grammar

    Input-based attacks like Buffer Overflows, Cross-Site Scripting (XSS), and XXE are common in today’s software. And they do not go away. But why is that? Shouldn’t one assume that existing frameworks handle input correctly, and free developers from struggling with correctly implementing input handling over and over again? Sadly, the answer is no.

Security Leftovers

Filed under
Security

More Security Leftovers

Filed under
Security
  • [Older] Dual-Use Software Criminal Case Not So Novel

    All of this may be moot if the government can’t win its case against Huddleston. The EFF’s Rumold said while prosecutors may have leverage in Shames’s conviction, the government probably doesn’t want to take the case to trial.

  • HOWTO: Fight Cyberwars and Lose

    Russia sought to advance their national interests by engaging in a conflict that was waged purely in the informatics sphere — the theatre of combat operations was entirely cyber. They won. The results of the conflict were a clear and decisive Russian success in multiple ways [...]

  • New IoT/Linux Malware Targets DVRs, Forms Botnet

    The Amnesia botnet targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in March 2016 in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide (a listing of which can be found on the original vulnerability report we’ve linked to).

  • Booby-trapped Word documents in the wild exploit critical Microsoft 0day

    First, it bypasses most exploit mitigations: This capability allows it to work even against Windows 10, which security experts widely agree is Microsoft's most secure operating system to date. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros. Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.

  • Hacking blamed for emergency sirens blaring across Dallas early Saturday

    We need to get to the bottom of it — what kind of vulnerabilities do we have?

  • Samsung's squashing of malicious Tizen smart TV bugs is turning messy

    After 40 critical vulnerabilities on Samsung's Tizen -- used in smart TVs and smartwatches -- were exposed this week by Israeli researcher Amihai Neiderman, the company is scrambling to patch them.

    But Samsung still doesn't know many of the bugs that need to be patched. It's also unclear when Tizen devices will get security patches, or if older Tizen devices will even get OS updates to squash the bugs.

Security Leftovers

Filed under
Security
  • Apache Struts 2 exploit used to install ransomware on servers [Ed: read carefully. It's a Microsoft Windows issue.]

    Attackers are exploiting a vulnerability patched last month in the Apache Struts web development framework to install ransomware on servers.

    The SANS Internet Storm Center issued an alert Thursday, saying an attack campaign is compromising Windows servers through a vulnerability tracked as CVE-2017-5638.

  • A quick look at the Ikea Trådfri lighting platform

    Overall: as far as design goes, this is one of the most secure IoT-style devices I've looked at. I haven't examined the COAP stack in detail to figure out whether it has any exploitable bugs, but the attack surface is pretty much as minimal as it could be while still retaining any functionality at all. I'm impressed.

  • Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)

Security Leftovers

Filed under
Security
  • Be careful, Cisco Mobility Express, shipped with some Cisco Aironet devices, has a hard-coded password. Fix it!

    The Mobility Express Software shipped with Cisco Aironet 1830 Series and 1850 Series access points has a hard-coded admin-level SSH password.

  • Grasshopper

    Today, April 7th 2017, WikiLeaks releases Vault 7 "Grasshopper" -- 27 documents from the CIA's Grasshopper framework, a platform used to build customized malware payloads for Microsoft Windows operating systems.

    Grasshopper is provided with a variety of modules that can be used by a CIA operator as blocks to construct a customized implant that will behave differently, for example maintaining persistence on the computer differently, depending on what particular features or capabilities are selected in the process of building the bundle. Additionally, Grasshopper provides a very flexible language to define rules that are used to "perform a pre-installation survey of the target device, assuring that the payload will only [be] installed if the target has the right configuration". Through this grammar CIA operators are able to build from very simple to very complex logic used to determine, for example, if the target device is running a specific version of Microsoft Windows, or if a particular Antivirus product is running or not.

  • Preparing enterprise systems for the scriptless Linux exploit
  • Kaspersky warns of spike in 'cheap' ransomware targeting large firms

    The method goes as follows: the criminals would search for an organisation that has an unprotected server with Remote Desktop Protocol (RDP) access, they would guess the password or buy access to it on the black market, and then they would encrypt a node or server manually.

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Researcher: 90% Of 'Smart' TVs Can Be Compromised Remotely

    So we've noted for some time how "smart" TVs, like most internet of things devices, have exposed countless users' privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible "advancements" in television technology.

  • Pandavirtualization: Exploiting the Xen hypervisor

    On 2017-03-14, I reported a bug to Xen's security team that permits an attacker with control over the kernel of a paravirtualized x86-64 Xen guest to break out of the hypervisor and gain full control over the machine's physical memory. The Xen Project publicly released an advisory and a patch for this issue 2017-04-04.

    To demonstrate the impact of the issue, I created an exploit that, when executed in one 64-bit PV guest with root privileges, will execute a shell command as root in all other 64-bit PV guests (including dom0) on the same physical machine.


Leftovers: Debian and Ubuntu

  • CD/DVD Image Changes For The Upcoming Debian 9.0 Release
    With Debian 9.0 not being far away from releasing, the Debian CD Images Team has issued an update over their fundamental changes happening for this "Stretch" cycle.
  • The System76 'Galago Pro' laptop looks fantastic, $50 off for a few more days
    The Galago Pro looks like an incredibly stylish device ready for the masses with a slick aluminium casing, instead of the always cheap feeling plastic cases most tend to come with. It's slim, but best of all incredibly light for such a device at 1.3kg (2.87 lbs). It comes with Ubuntu 16.04.2 LTS or Ubuntu 17.04, a speedy 7th Gen Intel in either an i5 7200U or i7 7500U and Intel® HD Graphics 620.
  • Download Ubuntu 17.10 daily builds
    The release schedule for Ubuntu 17.10 has been announced, and you can now download the daily build ISO images as well. Daily builds can be useful to watch the progress of Ubuntu 17.10, but are not recommended for normal usage due to possible bugs and changes.

Leftovers: Software

  • GJS: What’s next?
    In my last post, I went into detail about all the new stuff that GJS brought to GNOME 3.24. Now, it’s time to talk about the near future: what GJS will bring to GNOME 3.26.
  • Sending SMS from Linux Just Got Easier with Latest Indicator KDE Connect Update
    Indicator KDE Connect now has Google Contacts integration, making it even easier to send text messages from the Linux desktop.
  • Cumulus Qt is a Lightweight Weather App for Linux
    Cumulus Qt is a Qt weather app for the Linux desktop. It's lightweight, has a bold, striking design inspired by Stormcloud, and is very customisable.
  • Vivaldi 1.10 Browser Now in Development, Will Introduce Docked Developer Tools
    Vivaldi's Ruarí Ødegaard just informed us a few moments ago that Vivaldi 1.10 will be the next major version of the free and cross-platform web browser based on the latest Chromium technologies, not Vivaldi 2.0 as many of you have hoped. Vivaldi 1.9 just hit the streets the other day as the world's first web browser to ship with the Ecosia search engine enabled by default to help reforest the planet, and it now looks like Vivaldi's devs never sleep, and development of Vivaldi 1.10 starts today with the first snapshot, Vivaldi 1.10.829.3, which introduces a long-anticipated feature: Docked Developer Tools!