Language Selection

English French German Italian Portuguese Spanish

Security

Linux and CPU Security

Filed under
Linux
Security
  • 22 essential security commands for Linux

    There are many aspects to security on Linux systems – from setting up accounts to ensuring that legitimate users have no more privilege than they need to do their jobs. This is look at some of the most essential security commands for day-to-day work on Linux systems.

  • CVE-2018-3639: Spectre Variant 4 Vulnerability Affects the Linux Kernel

    A Spectre variant 4 vulnerability has been identified in the Linux kernel and represents a very dangerous threat to all affected machines. All system administrators are urged to apply the latest updates as soon as possible to mitigate any possible impact.

  • Spectre Number 4, STEP RIGHT UP!

    In the continuing saga of Meltdown and Spectre (tl;dr: G4/7400, G3 and likely earlier 60x PowerPCs don't seem vulnerable at all; G4/7450 and G5 are so far affected by Spectre while Meltdown has not been confirmed, but IBM documentation implies "big" POWER4 and up are vulnerable to both) is now Spectre variant 4. In this variant, the fundamental issue of getting the CPU to speculatively execute code it mistakenly predicts will be executed and observing the effects on cache timing is still present, but here the trick has to do with executing a downstream memory load operation speculatively before other store operations that the load does not depend on. If the CPU is convinced to speculatively execute down this victim path incorrectly, it will revert the stores and the register load when the mispredict is discovered, but the loaded address will remain in the L1 cache and be observable through means similar to those in other Spectre-type attacks.

Security and Bugs

Filed under
Security
  • After Meltdown and Spectre, Another Scary Chip Flaw Emerges

    At the same time, though, a larger concern was also looming: Spectre and Meltdown represented a whole new class of attack, and researchers anticipated they would eventually discover other, similar flaws. Now, one has arrived.

  • Email Might Be Impossible To Encrypt
  • Email Is Dangerous

    One week ago, a group of European security researchers warned that two obscure encryption schemes for email were deeply broken. Those schemes, called OpenPGP and S/MIME, are not the kinds of technologies you’re using but don’t know it. They are not part of the invisible and vital internet infrastructure we all rely on.

    This isn’t that kind of story.

    The exploit, called Efail by the researchers who released it, showed that encrypted (and therefore private and secure) email is not only hard to do, but might be impossible in any practical way, because of what email is at its core. But contained in the story of why these standards failed is the story of why email itself is the main way we get hacked, robbed, and violated online. The story of email is also the story of how we lost so much of our privacy, and how we might regain it.

  • Real Security Begins At Home (On Your Smartphone)

    When the FBI sued Apple a couple of years ago to compel Apple's help in cracking an iPhone 5c belonging to alleged terrorist Syed Rizwan Farook, the lines seemed clearly drawn. On the one hand, the U.S. government was asserting its right (under an 18th-century statutory provision called the All Writs Act) to force Apple to develop and implement technologies enabling the Bureau to gather all the evidence that might possibly be relevant in the San Bernardino terrorist-attack case. On the other, a leading tech company challenged the demand that it help crack the digital-security technologies it had painstakingly developed to protect users — a particularly pressing concern given that these days we often have more personal information on our handheld devices than we used to keep in our entire homes.

  • Software fault triggered Telstra mobile network outage

    The blackout was the third in May, with an outage to its triple-zero service occurring on 4 May after a cable between Bowral and Orange in NSW was cut due to lightning. On 1 May, the telco suffered an outage of its NBN services and 4G services.

Security Bugs at CPU Level Again

Filed under
Security
  • Google and Microsoft disclose new CPU flaw, and the fix can slow machines down

    Microsoft and Google are jointly disclosing a new CPU security vulnerability that’s similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says “these mitigations are also applicable to variant 4 and available for consumers to use today.”

    However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts.

  • Spectre variants 3a and 4

    Intel has, finally, disclosed two more Spectre variants, called 3a and 4. The first ("rogue system register read") allows system-configuration registers to be read speculatively, while the second ("speculative store bypass") could enable speculative reads to data after a store operation has been speculatively ignored. Some more information on variant 4 can be found in the Project Zero bug tracker. The fix is to install microcode updates, which are not yet available.

  • Red Hat Says It'll Soon Fix the Speculative Store Bypass Security Vulnerability

    Red Hat informed us today that they are aware of the recently disclosed Speculative Store Bypass (CVE-2018-3639) security vulnerability and will soon release updates to mitigate the issue on all of its affected products.

    Speculative Store Bypass (CVE-2018-3639) is a security vulnerability recently unearthed by various security researchers from Google and Microsoft, and it appears to be a fourth variant of the Spectre hardware bug publicly disclosed earlier this year in modern microprocessor, and later discovered to affect billions of devices. The Speculative Store Bypass vulnerability appearently lets an unprivileged attacker to bypass restrictions and gain read access to privileged memory.

Security and Bugs

Filed under
Security
  • Open Source Security Podcast: Episode 97 - Automation: Humans are slow and dumb

    Josh and Kurt talk about the security of automation as well as automating security. The only way automation will really work long term is full automation. Humans can't be trusted enough to rely on them to do things right.

  • An introduction to cryptography and public key infrastructure

    Secure communication is quickly becoming the norm for today's web. In July 2018, Google Chrome plans to start showing "not secure" notifications for all sites transmitted over HTTP (instead of HTTPS). Mozilla has a similar plan. While cryptography is becoming more commonplace, it has not become easier to understand. Let's Encrypt designed and built a wonderful solution to provide and periodically renew free security certificates, but if you don't understand the underlying concepts and pitfalls, you're just another member of a large group of cargo cult programmers.

  • Teensafe, A Teen Phone Monitoring App, Leaks Thousands Of Apple ID Passwords

    Teensafe is a monitoring app used by parents for keeping a check on the activities of their children. The app allows parents to access their child’s location, call history, messages, browsing history, and apps downloaded by them without their permission.

  • Teen phone monitoring app leaked thousands of user passwords

    The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed.

  • The weirdest bug I’ve found in a compiler: MSVC 2017

    There’s been discussion on cppitertools about the newest MSVC release (15.7) claiming to be fully standards compliant, which led me here.
    The following code fails to compile under MSVC for one reason: the U on lines 4 and 5 is a different name than the T on lines 10 and 11, so the result of the static_assert condition on line 19 is false. (Note that I’m not using std::declval here for simplicity’s sake).

Security/OpenPGP: Purism and Pure FUD From EFF

Filed under
Security
  • Purism's New Purekey OpenPGP Security Token, Windows 10 Now Includes OpenSSH, Vim 8.1 Released and More

    Purism, maker of the security-focused Librem laptops, announced yesterday it has partnered with Nitrokey to create Purekey, "Purism's own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism's mission to make security and cryptography accessible where its customers hold the keys to their own security." You can purchase a Purekey by itself or as an add-on with a laptop order. According to Purism's CSO Kyle Rankin, "By keeping your encryption keys on a Purekey instead of on a hard drive, your keys never leave the tamper-proof hardware. This not only makes your keys more secure from attackers, it makes using your keys on multiple devices more convenient."

  • Encrypted Email and Security Nihilism

    Earlier this week, a group of German researchers published an alarm about newly discovered problems with encrypted email that is creating major controversy in the internet security community. This research — published in a snappy-titled report called EFail — is a valuable and important work highlighting the challenges with email security.

    Unfortunately, many of the responses to this report have been close to the line of "security nihilism:" Throwing your hands in the air and saying that because certain important security measures aren’t perfect, we should abandon them altogether. This is harsh and potentially damaging to the best efforts we currently have to protect email and risks leading people astray when it comes to securing their communications. In fact, there are important things that people can do to protect their email. This post examines the controversy, what people should do to secure their email, and how we might do better in the future.

    Email is a widespread communications tool and people generally expect it to be private. But from a security standpoint, the baseline assumption is that email is "like a postcard:" Anything you write in an email can be read by your email provider (e.g., Google, if you use Gmail) and also by the email provider of the person you send mail to. If those providers (or any of their system administrators or lawyers) want to read your mail, or are hacked, or bribed, or coerced by law enforcement into sharing access, the content of your email is easily accessible to them.

Security and privacy: Do you know what's lurking on your system?

Filed under
Security

The first was the kernel. I ended up hand-crafting a kernel, removing anything I thought was unlikely we'd need, then restarting several times when I discovered that the system wouldn't boot because the things I thought I understood were more … esoteric than I'd realised. I'm not a kernel developer, and this was a salutary lesson in how skilled those folks are. At least, at the time I was doing it, there were less code and fewer options than there are today. On the other hand, I was having to hack back to a required state, and now there are more cut-down kernels and systems to start with than there were back then.

The other piece I left for last was pruning the installed operating system applications and associated utilities. Again, there are cut-down options that are easier to use now than then, but I also had some odd requirements—I believe that we needed Java, for instance, which has, or had …. well let's say a lot of dependencies. Most modern Linux distributions start off by installing lots of pieces so you can get started quickly without having to worry about trying to work out dependencies for every piece of external software you want to run.

Read more

Security: Updates, EFAIL, DHCP, Ubuntu’s Snap Store

Filed under
Security

Security: Updates, Flaws, and Purism

Filed under
Security
  • Security updates for Thursday
  • Critical Linux Flaw Opens the Door to Full Root Access
  • It has been a bad week for encrypted messaging and it’s only Wednesday

    Also on Monday, a different team of researchers disclosed a vulnerability in the desktop version of the Signal messenger. It allowed attackers to send messages containing malicious HTML and JavaScript that would be executed by the app. Signal developers published a security update on Friday, a few hours after the researchers privately notified them of the vulnerability. On Monday, Signal developers issued a new patch after discovering over the weekend that the first one didn’t fully fix the bug. (The incompleteness of the patch was independently and more-or-less simultaneously found by the researchers.)

  • Purism and Nitrokey Partner to Build Purekey for Purism’s Librem Laptops

    Purism, the social purpose corporation which designs and produces security focused hardware and software, has announced today that they are partnering with Nitrokey, maker of Free Software and Open Hardware USB OpenPGP security tokens and Hardware Security Modules (HSMs) to create Purekey, Purism’s own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism’s mission to make security and cryptography accessible where its customers hold the keys to their own security and follows on the heels of their announcement of a partnership with cryptography pioneer and GnuPG maintainer Werner Koch.

  • Purism Expands Its Linux Hardware Portfolio To Include A USB-Based GPG SmartCard

    If Purism didn't have their hands full enough already working to further free Linux laptops and their very ambitious project to get their own Linux smartphone software/hardware shipping next year, they have now expanded their portfolio with the Purekey.

Security: Updates, Russia, RHEL, Thunderbird and More

Filed under
Security

Security: DHCP, System Updates, and Ubuntu Blobs Store

Filed under
Security
  • Protect your Fedora system against this DHCP flaw

    A critical security vulnerability was discovered and disclosed earlier today in dhcp-client. This DHCP flaw carries a high risk to your system and data, especially if you use untrusted networks such as a WiFi access point you don’t own. Read more here for how to protect your Fedora system.

    Dynamic Host Control Protocol (DHCP) allows your system to get configuration from a network it joins. Your system will make a request for DHCP data, and typically a server such as a router answers. The server provides the necessary data for your system to configure itself. This is how, for instance, your system configures itself properly for networking when it joins a wireless network.

    However, an attacker on the local network may be able to exploit this vulnerability. Using a flaw in a dhcp-client script that runs under NetworkManager, the attacker may be able to run arbitrary commands with root privileges on your system. This DHCP flaw puts your system and your data at high risk. The flaw has been assigned CVE-2018-1111 and has a Bugzilla tracking bug.

  • Security updates for Tuesday
  • Potentially Malicious Bytecoin Miner Removed from the Ubuntu Snap Store
  • Canonical on trust and security in the Snap Store

    Here's a posting from Canonical concerning the cryptocurrency-mining app that was discovered in its Snap Store.

  • Canonical finds hidden crypto-miners in the Linux Snap app store

    Last Friday, Canonical, the developer of the popular Ubuntu operating system and owner of the Snapcraft app store, spotted one application surreptitiously mining cryptocurrencies in the background.

Syndicate content

More in Tux Machines

today's howtos

KDE: Qt, Plasma, QML, Usability & Productivity

  • Qt 5.11.1 and Plasma 5.13.1 in ktown ‘testing’ repository
    A couple of days ago I recompiled ‘poppler’ and the packages in ‘ktown’ that depend on it, and uploaded them into the repository as promised in my previous post. I did that because Slackware-current updated its own poppler package and mine needs to be kept in sync to prevent breakage in other parts of your Slackware computer. I hear you wonder, what is the difference between the Slackware poppler package and this ‘ktown’ package? Simple: my ‘poppler’ package contains support for Qt5 (in addition to the QT4 support in the original package) and that is required by other packages in the ‘ktown’ repository.
  • Sixth week of coding phase, GSoC'18
    The Menus API enables the QML Plugin to add an action, separator or menu to the WebView context menu. This API is not similar to the WebExtensions Menus API but is rather Falkonish!
  • This week in Usability & Productivity, part 24
    See all the names of people who worked hard to make the computing world a better place? That could be you next week! Getting involved isn’t all that tough, and there’s lots of support available.

Programming: Python Maths Tools and Java SE

  • Essential Free Python Maths Tools
    Python is a very popular general purpose programming language — with good reason. It’s object oriented, semantically structured, extremely versatile, and well supported. Scientists favour Python because it’s easy to use and learn, offers a good set of built-in features, and is highly extensible. Python’s readability makes it an excellent first programming language. The Python Standard Library (PSL) is the the standard library that’s distributed with Python. The library comes with, among other things, modules that carry out many mathematical operations. The math module is one of the core modules in PSL which performs mathematical operations. The module gives access to the underlying C library functions for floating point math.
  • Oracle's new Java SE subs: Code and support for $25/processor/month
    Oracle’s put a price on Java SE and support: $25 per processor per month, and $2.50 per user per month on the desktop, or less if you buy lots for a long time. Big Red’s called this a Java SE Subscription and pitched it as “a commonly used model, popular with Linux distributions”. The company also reckons the new deal is better than a perpetual licence, because they involve “an up-front cost plus additional annual support and maintenance fees.”

Linux 4.18 RC2 Released From China

  • Linux 4.18-rc2
    Another week, another -rc. I'm still traveling - now in China - but at least I'm doing this rc Sunday _evening_ local time rather than _morning_. And next rc I'll be back home and over rmy jetlag (knock wood) so everything should be back to the traditional schedule. Anyway, it's early in the rc series yet, but things look fairly normal. About a third of the patch is drivers (drm and s390 stand out, but here's networking and block updates too, and misc noise all over). We also had some of the core dma files move from drivers/base/dma-* (and lib/dma-*) to kernel/dma/*. We sometimes do code movement (and other "renaming" things) after the merge window simply because it tends to be less disruptive that way. Another 20% is under "tools" - mainly due to some selftest updates for rseq, but there's some turbostat and perf tooling work too. We also had some noticeable filesystem updates, particularly to cifs. I'm going to point those out, because some of them probably shouldn't have been in rc2. They were "fixes" not in the "regressions" sense, but in the "missing features" sense. So please, people, the "fixes" during the rc series really should be things that are _regressions_. If it used to work, and it no longer does, then fixing that is a good and proper fix. Or if something oopses or has a security implication, then the fix for that is a real fix. But if it's something that has never worked, even if it "fixes" some behavior, then it's new development, and that should come in during the merge window. Just because you think it's a "fix" doesn't mean that it really is one, at least in the "during the rc series" sense. Anyway, with that small rant out of the way, the rest is mostly arch updates (x86, powerpc, arm64, mips), and core networking. Go forth and test. Things look fairly sane, it's not really all that scary. Shortlog appended for people who want to scan through what changed. Linus
  • Linux 4.18-rc2 Released With A Normal Week's Worth Of Changes
    Due to traveling in China, Linus Torvalds has released the Linux 4.18-rc2 kernel a half-day ahead of schedule, but overall things are looking good for Linux 4.18.