Language Selection

English French German Italian Portuguese Spanish

Security

Security and Microsoft Back/Bug Doors

Filed under
Microsoft
Security
  • Security updates for Friday
  • careful with the chrome HSTS

    I mean, yes, I set the HSTS header, but that was with the same cert that chrome is now insisting can’t be trusted. Why in the world would you permanently store “must have trusted cert” on the basis of an untrusted cert?

  • Hacked NSA tools put Windows users at possible risk

    The hacking group known as Shadow Brokers claims to have released National Security Agency malware designed to break into Windows computers. The software could make millions of Microsoft users vulnerable to malicious parties.

    [...]

    The NSA didn't immediately respond to a request for comment. But this isn't the first US intelligence agency whose tools have been leaked to the public. Just last month, WikiLeaks released techniques it claimed the CIA used for breaking into phones, computers, cars and smart TVs.

  • Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

    The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8.

    The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly classified nation-state-level weaponry that can potentially compromise and commandeer systems around the world. This is the same powerful toolkit Uncle Sam used once upon a time to hack into and secretly snoop on foreign governments, telcos, banks, and other organizations.

  • Microsoft blocks Kaby Lake and Ryzen PCs from Windows 7, 8 updates

    That means all updates, including security updates, will be unavailable on PCs with brand new hardware running the two older operating systems.

  • Microsoft says U.S. foreign intelligence surveillance requests more than doubled

    Microsoft said it received between 1,000 and 1,499 FISA orders for user content between January and June of 2016, compared to between 0 and 499 during both January-June 2015 as well as the second half of 2015.> Microsoft Corp (MSFT.O) said on Thursday it had received at least a thousand surveillance requests from the U.S. government that sought user content for foreign intelligence purposes during the first half of 2016.

Capsule8 Building Container-Aware Security Platform for Linux

Filed under
Linux
Security

Security startup Capsule8 emerged from its stealth mode in February with a plan to help provide a new model for application container security. In a video interview with eWEEK, Capsule8 CTO Dino Dai Zovi and CEO John Viega explain what's missing from container security today and what they are building to help fill the gap.

"Capsule8 is container-aware, real-time threat protection for Linux-based production environments," Dai Zovi said.

Dai Zovi explained that the company name Capsule8 is a pun on what it does—which is encapsulates security knowledge in software, providing a secure approach to application delivery and deployment.

Read more

An Important Linux Kernel Security Patch Is Available for CentOS 7, Update Now

Filed under
Linux
Red Hat
Security

CentOS maintainer Johnny Hughes has informed the community about the availability of yet another important kernel security update, this time for users of the CentOS Linux 7 operating system series.

Read more

Big Linux bug, low security concerns

Filed under
Linux
Security

This Linux/Android bug sure sounded bad.

The National Institute of Standards and Technology (NIST) and Symantec announced a LinuxKernel ipv4/udp.c bug that made the LinuxKernel 4.4 and earlier vulnerable to remote code-execution. In turn, an attacker could exploit this issue to execute arbitrary code. Worse still, even failed exploits might cause denial-of-service attacks.

There's only one problem with this analysis and the resulting uproar: It's wrong.

Yes, the bug existed. NIST described it as a "critical" bug, and its description makes it sound like it can open Linux and Android-powered devices to attacks via UDP network traffic. The important phrase is "sound like."

Read more

Long Term Support and Security

Filed under
Security
  • Freexian’s report about Debian Long Term Support, March 2017

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Unpatched vulnerability exposes Magento online shops to hacking

    An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops.

    The flaw was discovered by researchers from security consultancy DefenseCode and is located in a feature that retrieves preview images for videos hosted on Vimeo. Such videos can be added to product listings in Magento.

    The DefenseCode researchers determined that if the image URL points to a different file, for example a PHP script, Magento will download the file in order to validate it. If the file is not an image, the platform will return a "Disallowed file type" error, but won't actually remove it from the server.

  • NSA's arsenal of Windows hacking tools have leaked

    A new trove of alleged surveillance tools and exploits from the National Security Agency's elite hacking team have been released by the Shadow Brokers' hacking group.

    The group Friday appeared to release tools designed to target Windows PCs and servers, along with presentations and files purporting to detail the agency's methods of carrying out clandestine surveillance.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Is this a Ubuntu-based Botnet deploying Tor Relays and Bridges?
  • Microsoft Word 0-day was actively exploited by strange bedfellows

    A critical Microsoft Word zero-day that was actively exploited for months connected two strange bedfellows, including government-sponsored hackers spying on Russian targets and financially motivated crooks pushing crimeware.

  • Microsoft reduces Patch Tuesday to an incomprehensible mess
  • Nation-State Hackers Go Open Source [Ed: How to associate FOSS with crime? Hmmm… let us think. Our writer Kelly Jackson Higgins can take care of that…]

    Researchers who track nation-state groups say open-source hacking tools increasingly are becoming part of the APT attack arsenal.

    Nation-state hacking teams increasingly are employing open-source software tools in their cyber espionage and other attack campaigns.

  • New release: usbguard-0.7.0

    From all the bug fixes in this release, I’d like to point out one which required a backwards incompatible change and requires an update to existing policies. The Linux USB root hub devices use the kernel version as the bcdDevice attribute value. The value is part of the USB descriptor data which USBGuard uses for computing the device hash and therefore causes the device hash to change on every kernel update. This in turn makes USBGuard rules which rely on this hash to not match and block the device. And because it’s a root hub device that gets blocked, all the other devices get blocked too. The bug fix is simple, reset the bcdDevice value to zero before hashing (applied only for the Linux root hub devices).

Security Leftovers

Filed under
Security
  • Why creating an open-source ecosystem doesn’t mean you’re taking on security risks

    Anyone who uses technology benefits from open-source software. Most applications you use have implemented open-source code to varying degrees. This isn’t just small-time developers that use this code, either. Many large enterprises rely on this software to build their own products and solutions.

    Because of this, any CIO would be wise to have their developers follow the same blueprint. However, some developers have concerns about open-source. In an open environment where any contributor can drop potentially harmful code into the global library, is it safe — or wise — to lean heavily on these development resources?

  • Security updates for Wednesday
  • 9 Ways to Harden Your Linux Workstation After Distro Installation

    So far in this series, we’ve walked through security considerations for your SysAdmin workstation from choosing the right hardware and Linux distribution, to setting up a secure pre-boot environment and distro installation. Now it’s time to cover post-installation hardening.

Tor Security for Android and Desktop Linux

Filed under
Android
Linux
Security

Internet service providers in the United States have just been given the green light to sell usage history of their subscribers by S J Res 34, opening the gates for private subscriber data to become public. The law appears to direct ISPs to provide an "opt-out" mechanism for subscribers to retain private control of their usage history, which every subscriber should complete.

Read more

GnuTLS and reproducible builds

Filed under
GNU
Security
  • [Older] Improving by simplifying the GnuTLS PRNG

    One of the most unwanted baggages for crypto implementations written prior to this decade is the (pseudo-)random generator, or simply PRNG. Speaking for GnuTLS, the random generator was written at a time where devices like /dev/urandom did not come by default on widely used operating systems, and even if they did, they were not universally available, e.g., devices would not be present, the Entropy Gathering Daemon (EGD) was something that was actually used in practice, and was common for software libraries like libgcrypt to include code to gather entropy on a system by running arbitrary command line tools.

  • [Older] GNUtls: GnuTLS 3.5.10

    Released GnuTLS 3.5.11 which is a bug fix release in the stable branch.

  • [Older] Practical basics of reproducible builds

    One issue though: people have to trust me -- and my computer's integrity.
    Reproducible builds could address that.

    My release process is tightly controlled, but is my project reproducible? If not, what do I need? Let's check!

  • [Older] Practical basics of reproducible builds 2
Syndicate content

More in Tux Machines

Tizen News

OSS Leftovers

  • How Open Source Tech Helps Feds Solve Workforce Turnover Issues
    Just as a mainframe from decades ago might be ready for retirement, the IT staff who originally procured and installed that system might also be preparing for a new phase in their lives. It’s up to the current and next generation of government IT employees to prepare for that eventuality, but there are indications they may not be ready, despite evidence that older IT professionals are retiring or will soon be leaving their positions. Unfortunately, a skills gap exists even among younger generation IT workers. Agencies are scrambling to find personnel with expertise in cloud service management, cybersecurity, technical architecture and legacy technologies, such as common business-oriented language (COBOL) and mainframes, among other areas. At the same time that many workers are getting ready to retire, leaving behind a wealth of knowledge, many younger IT professionals are struggling to gain the knowledge they will need to take their agencies into the future.
  • Introducing Fn: “Serverless must be open, community-driven, and cloud-neutral”
    Fn, a new serverless open source project was announced at this year’s JavaOne. There’s no risk of cloud lock-in and you can write functions in your favorite programming language. “You can make anything, including existing libraries, into a function by packaging it in a Docker container.” We invited Bob Quillin, VP for the Oracle Container Group to talk about Fn, its best features, next milestones and more.
  • Debian seminar in Yokohama, 2017/11/18
    I had attended to Tokyo area debian seminar #157. The day’s special guest is Chris Lamb, the Debian Project Leader in 2017. He had attended to Open Compliance Summit, so we invited him as our guest.
  • Overclock Labs bets on Kubernetes to help companies automate their cloud infrastructure
    Overclock Labs wants to make it easier for developers to deploy and manage their applications across clouds. To do so, the company is building tools to automate distributed cloud infrastructure and, unsurprisingly, it is betting on containers — and specifically the Kubernetes container orchestration tools — to do this. Today, Overclock Labs, which was founded two years ago, is coming out of stealth and announcing that it raised a $1.3 million seed round from a number of Silicon Valley angel investors and CrunchFund — the fund that shares a bit of its name and history with TechCrunch but is otherwise completely unaffiliated with the blog you are currently reading.
  • MariaDB Energizes the Data Warehouse with Open Source Analytics Solution
    MariaDB® Corporation, the company behind the fastest growing open source database, today announced new product enhancements to MariaDB AX, delivering a modern approach to data warehousing that enables customers to easily perform fast and scalable analytics with better price performance over proprietary solutions. MariaDB AX expands the highly successful MariaDB Server, creating a solution that enables high performance analytics with distributed storage and parallel processing, and that scales with existing commodity hardware on premises or across any cloud platform. With MariaDB AX, data across every facet of the business is transformed into meaningful and actionable results.
  • AT&T Wants White Box Routers with an Open Operating System [Ed: AT&T wants to openwash its surveillance equipment]
    AT&T says it’s not enough to deploy white box hardware and to orchestrate its networks with the Open Network Automation Platform (ONAP) software. “Each individual machine also needs its own operating system,” writes Chris Rice, senior vice president of AT&T Labs, Domain 2.0 Architecture, in a blog post. To that end, AT&T announced its newest effort — the Open Architecture for a Disaggregated Network Operating System (dNOS).
  • Intel Lands Support For Vector Neural Network Instructions In LLVM
  • p2k17 Hackathon report: Antoine Jacoutot on ports+packages progress
  • GCC 8 Feature Development Is Over
    Feature development on the GCC 8 compiler is over with it now entering stage three of its development process. SUSE's Richard Biener announced minutes ago that GCC 8 entered stage three development, meaning only general bug fixing and documentation updates are permitted.
  • 2018 Is The Year For Open Source Software For The Pentagon
  • Open-source defenders turn on each other in 'bizarre' trademark fight sparked by GPL fall out
    Two organizations founded to help and support developers of free and open-source software have locked horns in public, betraying a long-running quarrel rumbling mostly behind the scenes. On one side, the Software Freedom Law Center, which today seeks to resolve licensing disputes amicably. On the other, the Software Freedom Conservancy, which takes a relatively harder line against the noncompliance of licensing terms. The battleground: the, er, US Patent and Trademark Office. The law center has demanded the cancellation of a trademark held by the conservancy.
  • Open Source Underwater Glider: An Interview with Alex Williams, Grand Prize Winner
    Alex Williams pulled off an incredible engineering project. He developed an Autonomous Underwater Vehicle (AUV) which uses a buoyancy engine rather than propellers as its propulsion mechanism and made the entire project Open Source and Open Hardware.

Programming Leftovers

Security: Linux, Free Software Principles, Microsoft and Intel

  • Some 'security people are f*cking morons' says Linus Torvalds
    Linux overlord Linus Torvalds has offered some very choice words about different approaches security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel. Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously accused of idiocy. Cook earned this round of shoutiness after he posted a request to “Please pull these hardened usercopy changes for v4.15-rc1.”
  • Free Software Principles
    Ten thousand dollars is more than $3,000, so the motives don't add up for me. Hutchins may or may not have written some code, and that code may or may not have been used to commit a crime. Tech-literate people, such as the readers of Linux Magazine, understand the difference between creating a work and using it to commit a crime, but most of the media coverage – in the UK, at least – has been desperate to follow the paradigm of building a man up only to gleefully knock him down. Even his achievement of stopping WannaCry is decried as "accidental," a word full of self-deprecating charm when used by Hutchins, but which simply sounds malicious in the hands of the Daily Mail and The Telegraph.
  • New warning over back door in Linux
    Researchers working at Russian cyber security firm Dr Web claim to have found a new vulnerability that enables remote attackers to crack Linux installations virtually unnoticed. According to the anti-malware company, cyber criminals are getting into the popular open-source operating system via a new backdoor. This, they say, is "indirect evidence" that cyber criminals are showing an increasing interest in targeting Linux and the applications it powers. The trojan, which it's calling Linux.BackDoor.Hook.1, targets the library libz primarily. It offers compression and extraction capabilities for a plethora of Linux-based programmes.
  • IN CHATLOGS, CELEBRATED HACKER AND ACTIVIST CONFESSES COUNTLESS SEXUAL ASSAULTS
  • Bipartisan Harvard panel recommends hacking [sic] safeguards for elections
     

    The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.  

  • Intel Chip Flaws Leave Millions of Devices Exposed
     

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.