Security

Security Updates, Freexian's Debian LTS Initiative, and Keeping Kali Linux on Top

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (linux-4.9, proftpd-dfsg, rrdtool, and zsh), Fedora (kernel), openSUSE (cacti, cacti-spine, mariadb, and ppp), Red Hat (kernel, qemu-kvm, qemu-kvm-ma, and ruby), Slackware (seamonkey), SUSE (kernel, libpng16, ovmf, python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, and python36), and Ubuntu (libpam-radius-auth, OpenSMTPD, and ppp).

  • Now the gap in the Critical Ghostcat patch: Apache Tomcat release from 6.0 to
  • Debian LTS work, February 2020

    I was assigned 20 hours of work by Freexian's Debian LTS initiative and worked 19.25 hours this month, so I will carry over 0.75 hours to March.

    I prepared and, after review, released Linux 3.16.82. I then rebased the Debian package onto that, but haven't yet sent a request for testing. I have started preparing and testing the next update to Linux 3.16.

  • ‘We’re our own focus group’ – Ning Wang on security certification, training, and keeping Kali Linux on top

    If offense is the best defense, then penetration tests are the ultimate indicator of an organization’s security posture.

    And as companies around the world look to bolster their cyber resilience by proactively asking security pros to test their systems for vulnerabilities, this has underscored the need for companies like Offensive Security.

    Founded in 2006, Offensive Security offers a range of ethical hacking certification courses, while also funding and maintaining Kali Linux, the popular Debian-based Linux distribution designed for digital forensics and pen testers.

    The Daily Swig caught up with Ning Wang, Offensive Security’s CEO since January 2019, to find out about her eventful first year at the helm.

    Wang, who has a physics PhD and joined the company from bug bounty platform HackerOne, also discusses the recent update to Kali Linux, countering improvements in defensive tools, and dispelling myths around what it means to be a ‘hacker’.

Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades

Filed under
Security

There have been a few moments in the past few years when a conspiracy theory is suddenly demonstrated to be based in fact. Once upon a time, it was an absurd suggestion that the NSA had data taps in AT&T buildings across the country. Just as Snowden's revelations confirmed those conspiracy theories, news in February confirmed some theories about Crypto AG, a Swiss cryptography vendor.

The whole story reads like a cold-war era spy thriller, and like many of those novels, it all starts with World War II. As a result of a family investment, Boris Hagelin found himself at the helm of Aktiebolaget Cryptograph, later renamed to Crypto AG (1952), a Swedish company that built and sold cipher machines that competed with the famous Enigma machine. At the start of the war, Hagelin decided that Sweden was not the place to be, and moved to the United States. This was a fortuitous move, as it allowed Hagelin to market his company’s C-38 cipher machine to the US military. That device was designated the M-209 by the army, and became the standard in-the-field encryption machine.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Arch Linux (chromium and webkit2gtk), Debian (collabtive, dojo, firebird2.5, gst-plugins-base0.10, libapache2-mod-auth-openidc, openjdk-7, php5, python-bleach, and rrdtool), Fedora (kernel, kernel-headers, kernel-tools, mingw-openjpeg2, and openjpeg2), Mageia (hiredis, kernel, rsync, wireshark, and zsh), openSUSE (cacti, cacti-spine, libexif, proftpd, python-azure-agent, python3, and webkit2gtk3), Oracle (ppp), SUSE (permissions), and Ubuntu (libarchive).

  • PSA: jQuery is bad for the security of your project

    For some time I thought that jQuery was a thing of the past, only being used in old projects for legacy reasons. I mean, there are now so much better frameworks, why would anyone stick with jQuery and its numerous shortcomings? Then some colleagues told me that they weren’t aware of jQuery’s security downsides. And I recently discovered two big vulnerabilities in antivirus software 1 2 which existed partly due to excessive use of jQuery. So here is your official public service announcement: jQuery is bad for the security of your project.

    By that I don’t mean that jQuery is inherently insecure. You can build a secure project on top of jQuery, if you are sufficiently aware of the potential issues and take care. However, the framework doesn’t make it easy. It’s not secure by default; it rather invites programming practices which are insecure. You have to constantly keep that in mind and correct for it. And if you don’t pay attention just once, you will end up with a security vulnerability.

    [...]

    You might have noticed a pattern above which affects many jQuery functions: the same function will perform different operations depending on the parameters it receives. You give it something and the function will figure out what you meant it to do. The jQuery() function will accept among other things a selector of the element to be located and HTML code of an element to be created. How does it decide which one of these fundamentally different operations to perform, with the parameter being a string both times? The initial logic was: if there is something looking like an HTML tag in the contents it must be HTML code, otherwise it’s a selector.

    And there you have the issue: often websites want to find an element by selector but use untrusted data for parts of that selector. So attackers can inject HTML code into the selector and trick jQuery into substituting the safe “find element” operation by a dangerous “create a new element.” A side-effect of the latter would be execution of malicious JavaScript code, a typical client-side XSS vulnerability.

    It took until jQuery 1.9 (released in 2013) for this issue to be addressed. In order to be interpreted as HTML code, a string has to start with < now. Given incompatible changes, it took websites years to migrate to safer jQuery versions. In particular, the Addons.Mozilla.Org website still had some vulnerabilities in 2015 going back to this 1 2.

    The root issue that the same function performs both safe and dangerous operations remains part of jQuery however, likely due to backwards compatibility constraints. It can still cause issues even now. Attackers would have to manipulate the start of a selector, which is less likely, but it is still something that application developers have to keep in mind (and they almost never do). This danger prompted me to advise disabling jQuery.parseHTML some years ago.

  • FuzzBench: Google Gets Into Fuzzer Benchmarking

    Google's latest work on the code fuzzing front for improving code security is FuzzBench, a benchmark for fuzzers.

    Google has made many contributions to code fuzzing and improving open-source security from continually fuzzing the Linux kernel to acquiring GraphicsFuzz to developing OSS-Fuzz. By Google's own numbers, they say they have found tens of thousands of bugs thanks to code fuzzers.

  • FuzzBench: Fuzzer Benchmarking as a Service

    Fuzzing is an important bug finding technique. At Google, we’ve found tens of thousands of bugs (1, 2) with fuzzers like libFuzzer and AFL. There are numerous research papers that either improve upon these tools (e.g. MOpt-AFL, AFLFast, etc) or introduce new techniques (e.g. Driller, QSYM, etc) for bug finding. However, it is hard to know how well these new tools and techniques generalize on a large set of real world programs. Though research normally includes evaluations, these often have shortcomings—they don't use a large and diverse set of real world benchmarks, use few trials, use short trials, or lack statistical tests to illustrate if findings are significant. This is understandable since full scale experiments can be prohibitively expensive for researchers. For example, a 24-hour, 10-trial, 10 fuzzer, 20 benchmark experiment would require 2,000 CPUs to complete in a day.

  • Wi-Fi kit spilling data with bad crypto – Huawei, eh? No, it's Cisco. US giant patches Krook spy-hole bug in network gear

    It looks like Switchzilla is moving swiftly to clear up the Krook bug discovered by ESET.

    Just hours after the researchers delivered their findings in a report, Cisco gave its own advisory on the Wi-Fi data snooping flaw.

    "Multiple Cisco wireless products are affected by this vulnerability," the advisory stated.

    "Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability."
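    The jQuery item above describes how jQuery() decides whether a string is a selector or HTML. The following is an added example, not code from the quoted post or from jQuery itself: it models the two generations of that decision (the pre-1.9 "a tag anywhere means HTML" rule and the 1.9+ "must start with <" rule) with regular expressions reconstructed for this example, which approximate the library's behaviour rather than copy it, and shows the pattern that avoids the problem altogether: never let untrusted input reach the overloaded function. The attacker payload is constructed for the demonstration.

```javascript
// Added example: models jQuery's "selector or HTML?" decision, old and new,
// and a safe way to build an id selector from untrusted input.
// The regexes below are approximations written for this example
// (reconstructed from memory of jQuery 1.4-1.6 and 1.9); no jQuery is loaded.

// Pre-1.9 style: an HTML tag anywhere in the string means "create element".
const LEGACY_QUICK_EXPR = /^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/;

// 1.9+ style: HTML only if the string starts with "<" (fast path below)
// or matches this narrowed expression; "#id" is still a fast id lookup.
const MODERN_QUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

function classifyLegacy(str) {
  const m = LEGACY_QUICK_EXPR.exec(str);
  if (m && m[1]) return "html";     // would be parsed, scripts/handlers run
  if (m && m[2]) return "id";       // getElementById fast path
  return "selector";                // handed to the selector engine, harmless
}

function classifyModern(str) {
  let m = null;
  if (str.charAt(0) === "<" && str.charAt(str.length - 1) === ">" && str.length >= 3) {
    m = [null, str, null];          // fast path: leading "<" means HTML
  } else {
    m = MODERN_QUICK_EXPR.exec(str);
  }
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

// Safe pattern: untrusted text never decides which operation runs.
// Validate against a strict allowlist, then build the selector yourself.
const SAFE_ID = /^[A-Za-z][\w-]*$/;
function idSelectorFor(untrustedId) {
  if (!SAFE_ID.test(untrustedId)) {
    throw new RangeError("refusing to build a selector from: " + untrustedId);
  }
  return "#" + untrustedId;
}

// Constructed attacker input, e.g. arriving via location.hash or a query string.
const PAYLOAD = "<img src=x onerror=alert(1)>";

function demo() {
  return {
    hashLegacy:   classifyLegacy("#" + PAYLOAD),         // "html": $(location.hash) XSS
    hashModern:   classifyModern("#" + PAYLOAD),         // "selector": just a failed lookup
    prefixLegacy: classifyLegacy("div.user-" + PAYLOAD), // "html"
    prefixModern: classifyModern("div.user-" + PAYLOAD), // "selector"
    bareModern:   classifyModern(PAYLOAD),               // "html": attacker controls the start
  };
}
```

    The last entry is the residual risk the post warns about: the 1.9 change only helps when the application controls the start of the string. When the whole argument is attacker-influenced, the overloaded call is still a sink, which is why validating the input (or using document.querySelector / getElementById directly) is the fix rather than relying on the version.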

Fear, Uncertainty, and Doubt - the Barriers to Router Freedom in Germany

Filed under
OSS
Security

Consider this hypothetical scenario: you moved house. Apart from all the stress of packing, transporting, and unpacking all your stuff at your new home, you also had to deal with getting utilities connected. The electric company turned out to be difficult to deal with: they said you had to change your TV set, toaster, refrigerator and most of your lamps.

They said that they couldn't guarantee you would have electricity at all unless you bought a whole new set of appliances from them. You don't understand: your stuff worked perfectly fine in your old place.

The water company was not much better. They told you that your old washing machine was "not supported" and that you would even have to change your toothbrush or you risked polluting the water network of the whole city for some unexplained reason. We are guessing you would no doubt find this scenario very hard to believe. We do not blame you: it is silly beyond the believable.

[...]

In December of the same year, I moved to a new city and chose a business cable Internet connection offered by Unitymedia (meanwhile largely incorporated by Vodafone). After several calls, a technician finally visited my new home and successfully installed the ISP's default modem. Of course, I immediately noted that I wanted to use my own router. The technician told me that this was not allowed.

In a call with the service hotline, after defending some of the already mentioned soft barriers, I learnt that one of the features I had ordered, a static IPv4 address, is not available when using one's own router, apparently because the address could only be mapped to their devices – even though my own router was the exact same model.

Although I am now able to use my own router (after a long series of hotline calls and waiting), I still cannot use an essential feature I ordered. This is a "hard barrier" because customers who want to exercise their freedom of choice are treated worse. At least I can enjoy the freedom of using equipment which I own and which I can control, but I will report this misconduct by my ISP to the national Federal Network Agency and a consumer protection organisation (see below).

Read more

Security and FUD: Updates, Keeper, WireGuard and Concerns About 2038

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by CentOS (java-1.7.0-openjdk and ppp), Debian (libimobiledevice, libusbmuxd, and pure-ftpd), Fedora (caddy, firejail, golang-github-gorilla-websocket, golang-vitess, hugo, mingw-libpng, php, and proftpd), openSUSE (chromium, enigmail, ipmitool, libsolv, libzypp, zypper, weechat, and yast2-rmt), Oracle (java-1.7.0-openjdk and ppp), Red Hat (java-1.7.0-openjdk and ppp), Scientific Linux (java-1.7.0-openjdk and ppp), and SUSE (java-1_8_0-ibm, kernel, mariadb, mariadb-100, openssl, php5, python, rsyslog, and texlive-filesystem). 

  • Keeper – A Robust, Security-Centric Password Manager [Ed: This 'article' from FOSSmint (not FOSS) is referral SPAM. Proprietary software promoted for a fee. This -- yes, this -- is what kills journalism.]

    We’ve covered several password managers over the years with popular names like RememBear, Buttercup, Pass, and Enpass, and I am happy about the positive feedback from readers over the years.

    Today, I would like to introduce you to a strong password generator and security-centric manager application and it goes by the convenient name of Keeper.

    Keeper is a top-rated freemium password manager designed to provide personal users, families, students, and businesses with a reliable application for generating strong passwords as well as storing them while ensuring protection from cyberthreats and password-related data breaches.

  • WireGuard – A Fast, Modern and Secure VPN Tunnel for Linux

    WireGuard is a modern, secure, cross-platform and general-purpose VPN implementation that uses state-of-the-art cryptography. It aims to be speedy, simpler, leaner and more functional than IPsec and it intends to be more performant than OpenVPN.

    It is designed for use in various circumstances and can be deployed on embedded interfaces, fully loaded backbone routers, and supercomputers alike; and runs on Linux, Windows, macOS, BSD, iOS, and Android operating systems.

    It presents an extremely basic yet powerful interface that aims to be simple, as easy to configure and deploy as SSH. Its key features include a simple network interface, crypto key routing, built-in roaming and container support.

    Note that at the time of writing, it is under heavy development: some of its parts are working toward a stable 1.0 release, while others are already there (working fine).

  • Modern Computers Might Stop Working on January 19, 2038

    Nearly every computer in the history of computers keeps time using a 32-bit integer, counting forward from 00:00:00 UTC on the 1st of January 1970, referred to as the epoch. This instant of time was set as the standard for modern computing systems, but there's a major problem. Seven seconds after 3:14 am UTC on the 19th of January 2038, the 32-bit integer storing this time data will run out of positions.

    The problem is similar to the Y2K issue where a 2-digit value could no longer be used to encode the years 2000 or later, but different in that this 32-bit bug is related to Unix-like systems and the Unix time format.

    These similarities to the Y2K bug have widely led to the 2038 problem being known as the Unix Millennium Bug.

    [...]

    Embedded systems like those in cars and appliances are designed to last the lifecycle of the device without a software update. Connected electronics can be quickly fixed with a software update when the time comes, but these embedded systems will likely wreak the most havoc in 2038 since most won't be updated.

    One option is to change the data storage system of the 32-bit integer to an unsigned 32-bit integer. This would theoretically allow for date storage all the way to 2106, but any system that used a date prior to 1970 would run into issues accessing this data.

    If we increased the data storage to 64-bit, we would run into compatibility storage issues between older systems that only use 32-bit data storage.

    There's no current universal solution to the problem and even the most widely accepted fixes still have bugs in certain usage areas. There is positive news at the end of this.
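    The 2038 item above describes the rollover and the two candidate fixes (reinterpreting the counter as unsigned, or widening it to 64 bits) in words. The following is an added example, not code from the quoted article: it reproduces the overflow with typed arrays, which wrap exactly like C's int32_t and uint32_t, uses BigInt for the 64-bit case, and converts each result to a calendar date with JavaScript's Date (which counts 64-bit milliseconds and is not itself affected). The pre-1970 probe at the end shows the unsigned option's failure mode the article mentions.

```javascript
// Added example: 32-bit Unix time rollover, modelled with Int32Array /
// Uint32Array (two's-complement wrap, like C) and BigInt (64-bit).

const INT32_MAX = 2147483647;            // 2038-01-19T03:14:07Z
const UINT32_MAX = 4294967295;           // 2106-02-07T06:28:15Z

function epochToIso(seconds) {
  // Date takes milliseconds as a Number; BigInt inputs are narrowed here.
  return new Date(Number(seconds) * 1000).toISOString();
}

// Signed 32-bit time_t: one second past INT32_MAX wraps to INT32_MIN.
function addSecondsInt32(t, delta) {
  const a = new Int32Array(1);
  a[0] = t;
  a[0] += delta;                         // stored value truncated to int32
  return a[0];
}

// Unsigned 32-bit reinterpretation: reaches 2106, but any instant before
// 1970 (a negative count) reappears as a large positive value.
function addSecondsUint32(t, delta) {
  const a = new Uint32Array(1);
  a[0] = t;
  a[0] += delta;                         // stored value truncated to uint32
  return a[0];
}

// 64-bit signed time_t: the value the widened ABI would carry.
function addSecondsInt64(t, delta) {
  return BigInt.asIntN(64, BigInt(t) + BigInt(delta));
}

function rolloverReport() {
  const wrapped32  = addSecondsInt32(INT32_MAX, 1);
  const unsigned32 = addSecondsUint32(INT32_MAX, 1);
  const wide64     = addSecondsInt64(INT32_MAX, 1);
  return {
    lastGood:        epochToIso(INT32_MAX),   // 2038-01-19T03:14:07.000Z
    wrapped32:       epochToIso(wrapped32),   // 1901-12-13T20:45:52.000Z
    unsigned32:      epochToIso(unsigned32),  // 2038-01-19T03:14:08.000Z
    unsigned32Max:   epochToIso(UINT32_MAX),  // 2106-02-07T06:28:15.000Z
    wide64:          epochToIso(wide64),      // 2038-01-19T03:14:08.000Z
    // "yesterday" relative to the epoch, stored unsigned: lands in 2106
    preEpochAsUint32: epochToIso(addSecondsUint32(0, -86400)),
  };
}
```

    When auditing a codebase for this, the things to grep for are the storage width rather than the arithmetic: 32-bit time_t on 32-bit ABIs, `int` fields holding seconds in on-disk formats and wire protocols, and any place a timestamp is packed into a 32-bit database column. The arithmetic is always fine until the store truncates it.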

Security scandal around WhatsApp shows the need for decentralised messengers and digital sovereignty

Filed under
OSS
Security

The recent security scandal around WhatsApp and access to the content of private groups shows that there is an urgent need for action with regard to secure communication.
Links to private chat groups in the proprietary WhatsApp messenger can be used to show the communication and private data of group members, even if you are not a member. The links could be found on various search engines. Even if they are removed from search results, links still work and give access to private group communication. Among these groups are also administrations like civil servants of the Indonesian Ministry of Finance. This case shows again that digital sovereignty is crucial for states and administrations. The security breach was first reported by Deutsche Welle.

In order to establish trustworthy and secure communication, governments need to strengthen interoperable Free Software solutions using Open Standards and enable decentralisation. This helps administrations as well as individuals to protect their privacy and empowers them to have control of the technology they use. The software is already in place and was used by most of the internet users before Google and Facebook joined the market: XMPP! This open protocol, also known as Jabber, has been developed by the Free Software community since 1999. Thanks to Open Standards it is possible to communicate with people who use a completely different client software and XMPP server. You are even able to communicate with other services like ICQ or AIM - some might remember. XMPP has also been used by tech enterprises like Facebook and Google for their chat systems, but both eventually switched to isolated proprietary solutions, so XMPP has been forgotten by many users.

Read more

Security, Proprietary Software and Openwashing

Filed under
Software
Security
  • Linux 4.4.215 / 4.9.215 / 4.14.172 / 5.5.7 Kernels Bringing Intel KVM Security Fix

    A few days back we reported on a security vulnerability within Intel's KVM virtualization code for the Linux kernel. That vulnerability stems from unfinished kernel code and was fixed for Linux 5.6 Git and is now being back-ported to the 4.4 / 4.9 / 4.14 / 5.5 supported kernels.

    Back on Monday when the CVE-2020-2732 patches first came to light, little was publicly known about the issue but that it stemmed from incomplete code in the vmx_check_intercept functionality in not checking all possible intercepts and in turn could end up emulating instructions that should be disabled by the hypervisor.

  • Let's Encrypt Has Issued a Billion Certificates

    We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event. In particular, we want to talk about what has happened since the last time we talked about a big round number of certificates - one hundred million.

    One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.

    Another thing that’s different is that our organization has grown a bit, but not by much! In June of 2017 we were serving approximately 46M websites, and we did so with 11 full time staff and an annual budget of $2.61M. Today we serve nearly 192M websites with 13 full time staff and an annual budget of approximately $3.35M. This means we’re serving more than 4x the websites with only two additional staff and a 28% increase in budget. The additional staff and budget did more than just improve our ability to scale though - we’ve made improvements across the board to provide even more secure and reliable service.

    Nothing drives adoption like ease of use, and the foundation for ease of use in the certificate space is our ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. It was also standardized as RFC 8555 in 2019, which allows the Web community to confidently build an even richer ecosystem of software around it. Today, thanks to our incredible community, there is an ACME client for just about every deployment environment. Certbot is one of our favorites, and they’ve been working hard to make it even easier for people to use.

  • The “Cloud Snooper” malware that sneaks into your Linux servers [Ed: Sophos citing itself, hyping up the threat is installing malicious software on one's own server]

    SophosLabs has just published a detailed report about a malware attack dubbed Cloud Snooper.

    The reason for the name is not so much that the attack is cloud-specific (the technique could be used against pretty much any server, wherever it’s hosted), but that it’s a sneaky way for cybercrooks to open up your server to the cloud, in ways you very definitely don’t want, “from the inside out”.

    The Cloud Snooper report covers a whole raft of related malware samples that our researchers found deployed in combination.

  • OpenSMTPD Email Server Vulnerability Threatens Many Linux and BSD Systems [Ed: It is this package, not the operating systems (GNU/Linux rarely uses this)]

    A critical vulnerability has been discovered in the OpenBSD email server OpenSMTPD. Exploiting the flaw could allow remote code execution attacks. The seriousness of the vulnerability poses a threat to the integrity of OpenBSD and Linux systems.

  • A billion Wi-Fi devices suffer from a newly discovered security flaw

    More than a billion internet-connected devices—including Apple's iPhone and Amazon's Echo—are affected by a security vulnerability that could allow [attackers] to spy on traffic sent over Wi-Fi.

  • New ‘Haken’ Malware Found On Eight Apps In Google Play Store

    Eight apps – mostly camera utilities and children’s games – were discovered spreading a new malware strain that steals data and signs victims up for expensive premium services.

  • What does it take to commit to 100% open source?

    While experts in the database market in particular agree that open source is becoming the norm, the question remains, just how open is this sector’s open-source software? Can software providers realistically succeed with a company that’s 100% open source? Furthermore, would a proprietary infrastructure software provider with a freemium tier be able to achieve the same benefits as those committing to open source?

    The short answer is, yes — a proprietary infrastructure software company with a freemium tier could theoretically achieve the same benefits as companies going fully open source. However, it’s important to recognize that it would take a freemium model company a significantly longer period of time for its software to mature to the same level as that of an open-source company. Also, the loss of collaborative development and slower feedback loops would likely lead to a higher probability of the software never achieving market traction and ultimately fading away into oblivion.

  • Mirantis: Balancing Open Source With Guardrails

    Mirantis, an open infrastructure company that rose to popularity with its OpenStack offering, is now moving into the Kubernetes space very aggressively. Last year, the company acquired the Docker Enterprise business from Docker. This week, it announced that they were hiring the Kubernetes experts from the Finnish company Kontena and established a Mirantis office in Finland, expanding the company’s footprint in Europe. Mirantis already has a significant presence in Europe due to large customers such as Bosch and Volkswagen.

IPFire 2.25 - Core Update 142 is available for testing

Filed under
GNU
Linux
Security

Only days after finally releasing our new DNS stack in IPFire 2.25 - Core Update 141, we are ready to publish the next update for testing: IPFire 2.25 - Core Update 142.

This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the systems that are no longer needed to shrink the size of the operating system on disk.

We have a huge backlog of changes that are ready for testing by a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us test, or if you prefer, send us a donation so that we can keep working on these things.

Read more

Security: Patches, Whonix, IPFire and More

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by CentOS (kernel, ksh, python-pillow, and thunderbird), Debian (opensmtpd, proftpd-dfsg, and rake), Fedora (NetworkManager-ssh), openSUSE (chromium), and SUSE (libexif, mariadb, ovmf, python3, and squid). 

  • Whonix VirtualBox 15.0.0.8.9 - Point Release! - vanguards; TCP ISN Leak Protection; Extensive Hardening!

    This is a point release.

    Download Whonix for VirtualBox:

  • Build your career in Computer Forensics: List of Digital Forensic Tools - Part I

    Digital devices are present everywhere and considered to be the primary source of evidence in the case of cybercrime. Out of all the devices, phones and laptops are the top weapons used in cybercrimes. Regardless of who the device belonged to, either the victim or suspect, it offers an abundance of data to investigate the crime. But retrieving evidence from these devices in a secure environment can be very challenging. To overcome the time constraint and other complications, cyber forensic professionals use digital forensic tools.  

  • What are Open Source Security Approaches? With Examples

    Open source security approaches enable organizations to secure their applications and networks while avoiding expensive proprietary security offerings. 

    An open source approach allows organizations to secure their applications across cloud providers and other platforms using platform-agnostic APIs. These APIs are written by contributors to the open source software code while cloud providers may use open source code that allows the open APIs to connect to the cloud.

    Open source approaches, for security or not, also bring in collaboration across an industry. It isn’t just one organization that benefits from a program or technology, but everyone who contributes to and uses it.

    The open source projects and programs used as examples in this article come from two major open source entities: The Linux Foundation and the Cloud Native Computing Foundation (CNCF). The two also work closely together to further the projects under their purview.

  • Cloud Snooper: Hackers Using Linux Kernel Driver To Attack Cloud Server [Ed: So, if you install malicious software in Linux, due to recklessness or sabotage, it'll do malicious things. How is that a Linux weakness?]

    Whether you’re a Linux user or not, you must have heard the buzzword about Linux — “Best OS for security.” Well, it is true, but being a computer program, Linux also has some downsides that challenge its security.

    Talking about the security risks, recently, SophosLab published a report about a new malware dubbed Cloud Snooper, that can compromise the security of any Linux or other OS based servers by deploying a kernel driver.

  • IPFire on AWS: Update to IPFire 2.25 - Core Update 141

    Today, we have updated IPFire on AWS to IPFire 2.25 - Core Update 141 - the latest official release of IPFire.

    Since IPFire is available on AWS, we are gaining more and more users who are securing their cloud infrastructure behind an easy to configure, yet fast and secure firewall.

    This update adds the rewritten DNS stack and brings many bug fixes to the cloud.
