
Security

OpenBSD chief de Raadt says no easy fix for new Intel CPU bug

Filed under
Security
BSD

Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says.

The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs.


Security: Apple Lockdown, More Logo/Brands for Bugs, Other News

Filed under
Security

Security: Apple, OpenVPN, Old Drupal Bugs and More

Filed under
Security

Most secure Linux distros in 2018

Filed under
GNU
Linux
Security

Think of a Linux distribution as a bundle of software delivered together, based on the Linux kernel - a kernel being the core of a system that connects software to hardware and vice versa – with a GNU operating system and a desktop environment, giving the user a visual way to operate the system via a graphical user interface.

Linux has a reputation as being more secure than Windows and Mac OS due to a combination of factors – not all of them about the software.

Firstly, although desktop Linux users are on the up, Linux environments are far less common in the grand scheme of things than Windows devices on personal computers. The Linux community also tends to be more technical. There are technical reasons too, including fundamental differences in the way the distribution architecture tends to be structured.

Nevertheless over the last decade security-focused distributions started to appear, which will appeal to the privacy-conscious user who wants to avoid the worldwide state-sanctioned internet spying that the west has pioneered and where it continues to innovate. Of course, none of these will guarantee your privacy, but they're a good start. Here we list some of them.

It is worth noting that security best practices are often about process rather than the technology, avoiding careless mistakes like missing patches and updates, and using your common sense about which websites you visit, what you download, and what you plug into your computer.


Canonical Releases AMD Microcode Updates for All Ubuntu Users to Fix Spectre V2

Filed under
Security
Ubuntu

The Spectre microprocessor side-channel vulnerabilities were publicly disclosed earlier this year and discovered to affect billions of devices made in the past two decades. Unearthed by Jann Horn of Google Project Zero, the second variant (CVE-2017-5715) of the Spectre vulnerability is described as a branch target injection attack.

The security vulnerability affects all microprocessors that use branch prediction and speculative execution function, and it can allow unauthorized memory reads via side-channel attacks if the system isn't patched. For example, a local attacker could use it to expose sensitive information, including kernel memory.


Linux Kernel and Security: LVM2, Containers, AMD

Filed under
Linux
Security
  • LVM2 Begins Work On Major Changes To Logical Volume Management

    LVM2 as the user-space tools for Logical Volume Management (LVM) on Linux is in the process of going through a big re-work.

  • Containers and Cloud Security

    The idea behind this blog post is to take a new look at how cloud security is measured and what its impact is on the various actors in the cloud ecosystem. From the measurement point of view, we look at the vertical stack: all code that is traversed to provide a service all the way from input web request to database update to output response potentially contains bugs; the bug density is variable for the different components but the more code you traverse the higher your chance of exposure to exploitable vulnerabilities. We’ll call this the Vertical Attack Profile (VAP) of the stack. However, even this axis is too narrow because the primary actors are the cloud tenant and the cloud service provider (CSP). In an IaaS cloud, part of the vertical profile belongs to the tenant (the guest kernel, guest OS and application) and part (the hypervisor and host OS) belongs to the CSP. However, the CSP vertical has the additional problem that any exploit in this piece of the stack can be used to jump into either the host itself or any of the other tenant virtual machines running on the host. We’ll call this exploit causing a failure of containment the Horizontal Attack Profile (HAP). We should also note that any Horizontal Security failure is a potentially business destroying event for the CSP, so they care deeply about preventing them. Conversely any exploit occurring in the VAP owned by the Tenant can be seen by the CSP as a tenant only problem and one which the Tenant is responsible for locating and fixing. We correlate size of profile with attack risk, so the larger the profile the greater the probability of being exploited.

  • Canonical Releases AMD Microcode Updates for All Ubuntu Users to Fix Spectre V2

    Canonical released a microcode update for all Ubuntu users with AMD processors to address the well-known Spectre security vulnerability.


Unbreakable Enterprise Kernel Release

Filed under
Red Hat
Security
  • Announcing the general availability of the Unbreakable Enterprise Kernel Release 5

    The Unbreakable Enterprise Kernel Release 5 (UEK R5) is a heavily tested and optimized operating system kernel for Oracle Linux 7 Update 5 and later on 64-bit Intel (x86_64) and ARM (aarch64) architectures. It is based on the mainline Linux kernel version 4.14 LTS. This release also updates drivers and includes bug and security fixes.

  • Oracle's Unbreakable Enterprise Kernel R5 Now Officially Ready For x86_64 & AArch64

    Oracle has promoted its Unbreakable Enterprise Kernel Release 5 to general availability for x86_64 and ARM64 (AArch64) architectures.

    Unbreakable Enterprise Kernel Release is their downstream of the Linux kernel that they sprinkle with extra features for security, performance, and extra features. The Unbreakable Enterprise Kernel is paired with Oracle Linux, the company's downstream of Red Hat Enterprise Linux.

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Hortonworks’ Shaun Bierweiler on Enterprise Open Source’s Security Edge Over Proprietary Software

    Shaun Bierweiler, vice president of U.S. public sector at Hortonworks, told Datanami in an interview published Tuesday about the advantage of adopting an open approach to technology development in the big data space.

    “When you think about integration points, and the various technologies and players coming to market, if you don’t have an open approach and open model and open interfaces, it’s really difficult, costly and time-consuming to bring those pieces together,” he said.

  • Best free Linux firewalls of 2018

    A firewall is an important aspect of computer security these days, and most modern routers have one built in, which while helpful, can be difficult to configure. Fortunately there are also distributions (distros) of the free operating system Linux which have been specifically designed to function as firewalls.

    These will generally have much more advanced features than those found on a router, and allow you to have far greater control over keeping your personal or business network safe.

  • The LJ Password Generator Tool
  • Open Source Hardware Cryptocurrency Wallet Unveiled By McAfee And Bitfi

    Global payments tech firm Bitfi has launched the Bitfi Wallet. According to the payments company the hardware wallet is unhackable. Some of the digital currencies that the wallet supports include privacy-oriented virtual currency Monero (XMR) which has not previously had a hardware wallet. The wallet comes with a dashboard consisting of a wireless setup as well as support.

Hyperthreading From Intel Seen as Dodgy, Buggy

Filed under
Graphics/Benchmarks
Hardware
Security
  • Intel Hyper Threading Performance With A Core i7 On Ubuntu 18.04 LTS

    Following the news yesterday of OpenBSD disabling Intel Hyper Threading by default within its OS over security concerns and plans to disable Simultaneous Multi Threading for other processors/architectures too, here are some fresh Intel HT benchmarks albeit on Ubuntu Linux. The OpenBSD developer involved characterized HT/SMT as "doesn't necessarily have a positive effect on performance; it highly depends on the workload. In all likelihood it will actually slow down most workloads if you have a CPU with more than two cores." So here are some benchmarks using a current-generation Intel Core i7 8700K six-core processor with Hyper Threading.

  • SMT Disabled by Default in -current
  • OpenBSD Will Disable Intel Hyper-Threading To Avoid Spectre-Like Exploits

    OpenBSD, an open source operating system that focuses on security, announced that it will disable Intel’s Hyper-Threading (HT) feature so that attackers can no longer employ Spectre-like cache timing attacks.

  • Intel’s hyperthreading blocked on OpenBSD amid hints of new Spectre-like bugs

    The maintainer of open source Unix-like operating system, OpenBSD, has announced that it will disable hyperthreading on Intel CPUs because of security concerns. It claims that simultaneous multithreading creates a potential new attack vector for Spectre-like exploits, and plans to expand its disabling of multithreading technologies to other chip manufacturers in the near future.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Millions of Streaming Devices Are Vulnerable to a Retro Web Attack

    Sitting in his Chicago apartment, two blocks from Lake Michigan, Dorsey did what anyone with a newfound hacking skill would: He tried to attack devices he owned. Instead of being blocked at every turn, though, Dorsey quickly discovered that the media streaming and smart home gadgets he used every day were vulnerable to varying degrees to DNS rebinding attacks. He could gather all sorts of data from them that he never would have expected.

  • Pros vs Joes CTF: The Evolution of Blue Teams

    Pros v Joes CTF is a CTF that holds a special place in my heart. Over the years, I’ve moved from playing in the 1st CTF as a day-of pickup player (signing up at the conference) to a Blue Team Pro, to core CTF staff. It’s been an exciting journey, and Red Teaming there is about the only role I haven’t held. (Which is somewhat ironic given that my day job is a red team lead.) As Blue teams have just formed, and I’m not currently attached to any single team, I wanted to share my thoughts on the evolution of Blue teaming in this unique CTF. In many ways, this will resemble the Blue Team player’s guide I wrote about 3 years ago, but will be based on the evolution of the game and of the industry itself. That post remains relevant, and I encourage you to read it as well.

    [...]

    It turns out that a lot of the fundamental knowledge necessary in securing a network is just basically system administration fundamentals. Understanding how the system works and how systems interact with each other provides much of the basics of information security.

    On both Windows and Linux, it is useful to understand:

    How to install & update software and operating system updates
    How to change permissions of files
    How to start and stop services
    How to set up a host-based firewall
    Basic Shell Commands
    User administration


More in Tux Machines

Canonical/Ubuntu Watching You

  • Two-thirds of Ubuntu users are happy to give up data on their PC
    As announced back at the start of the year, Canonical made the decision that Ubuntu would collect data on its user base – and now the initial results of those statistics have been published by the firm, including the headline fact that 67% of users were happy to provide details of their PC (and other bits and pieces). So, this is a scheme that has been unfavorably compared to Microsoft’s collection of telemetry data in Windows 10, which has long been a point of controversy. However, it appears that the majority of folks are happy to give up their data to the company providing their Linux distribution, and don’t seem perturbed by this prospect.
  • Ubuntu reports 67% of users opt in to on-by-default PC specs slurp [Ed: 33% of Ubuntu users say to Canonical "don't spy on me" and Canonical then counts them, which means that Canonical collects data on them, too]
    However just 33 per cent of the undisclosed number of users Canonical’s analysed didn’t opt in to the slurpage. Which is where things get a little bit weird, because Canonical’s post reports an “Opt In rate”. Yet the data slurpage is selected by default: there’s an active opt out but a passive opt in.
  • The Average Ubuntu Install Takes 18 Minutes (And Other Stats)
    Did you know that the average Ubuntu install takes just 18 minutes? That’s one of several nuggets of information Canonical has collected (and now revealed) thanks to the new “Ubuntu Report” tool included in Ubuntu 18.04 LTS. This tool, when given permission to, collects non-identifiable system data about new Ubuntu installs and upgrades and ferries it back to Canonical for analysis.

Linux Foundation's TODO and New Chinese Ties

  • The Linux Foundation and TODO Group Release Chinese Versions of Open Source Guides for the Enterprise
    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, has released Chinese translations of 10 Open Source Guides for the Enterprise, created to help executives, open source program managers, developers, attorneys and decision makers learn how to best leverage open source.
  • Tencent joins the Linux Foundation as a platinum member
    Chinese tech giant Tencent has announced it’s joined the Linux Foundation as a platinum member. Tencent is one of a few companies to offer the highest level of support to the Linux Foundation. Other tech companies in this stable include IBM, Microsoft, and Intel, as well as fellow Chinese titan Huawei. As part of the deal, Tencent will take a chair on the Foundation’s board of directors. It has also promised to offer “further support and resources” to the Foundation’s efforts. So far, this has taken the form of Tencent donating several pieces of its software.
  • Tencent becomes a Linux Foundation platinum member to increase its focus on open source
    Tencent, the $500-billion Chinese internet giant, is increasing its focus on open source after it became a platinum member of the Linux Foundation. The company has long been associated with the foundation and Linux generally, it is a founding member of the Linux Foundation’s deep learning program that launched earlier this year, and now as a platinum member (the highest tier) it will take a board of directors seat and work more closely with the organization. That works two ways, with Tencent pledging to offer “further support and resources” to foundation projects and communities, while the Chinese firm itself will also tap into the foundation’s expertise and experience.
  • Tencent Supports Open Source Community With Linux Foundation Platinum Membership
    LinuxCon China -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announces Tencent has become the latest Platinum member of the foundation. Tencent is a leading provider of Internet value added services in China, offering some of China's most popular websites, apps and services including QQ, Qzone, Tencent Cloud and Weixin/WeChat.
  • TARS and TSeer Form Open Source Project Communities Under The Linux Foundation to Expand Adoption and Pace of Development
    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced at LinuxCon + ContainerCon + CloudOpen China in Beijing that TARS, a remote procedure call (RPC) framework, and TSeer, a high availability service discovery, registration and fault tolerance framework, have become Linux Foundation projects. Both projects were initially developed by leading Chinese technology company, Tencent, which open sourced the projects last year. This follows the announcement of Tencent becoming a Platinum member of The Linux Foundation, and reflects the foundation’s growing collaboration with the Chinese open source community.
  • Tencent Becomes Latest Platinum Member of Linux Foundation
    Chinese behemoth looking to cultivate open source ties. The Linux Foundation has announced that Tencent has become the latest member to obtain platinum membership. The non-profit American tech company, which is funded by membership payments, uses the funding for sustainable open source projects. Within the foundation, there are three membership tiers, starting from silver to gold, all the way up to platinum where members have to pay $500,000 a year (approx. £377,643) for that category.
  • Tencent Joins The Linux Foundation, Open-Sources Projects
    China's Tencent holding conglomerate that backs a variety of Internet services/products is the latest platinum member of the Linux Foundation.

Events: DebCamp, openSUSE Conference, OSSummit Japan 2018

  • Yes! I am going to...
    Of course, DebCamp is not a vacation, so we expect people that take part in DebCamp to have at least a rough sketch of activities. There are many, many things I want to tackle, and experience shows there's only time for a fraction of what's planned.
  • Dates, Location set for openSUSE Conference 2019
    The openSUSE Project is pleased to announce the location and dates for the 2019 openSUSE Conference. The openSUSE Conference 2019 will return to the Z-Bau in Nuremberg, Germany, and be Friday, May 24, through Sunday, May 26. Planning for the 2019 conference will begin this summer and community members are encouraged to take part in the planning of the conference through the organizing team. The openSUSE Board proposed the idea of having an organizing team for openSUSE Conferences last month at oSC18. An email about the organizing team was sent out to the openSUSE-Project mailing list.
  • OSSummit Japan 2018
    Some Debian developers (Jose from Microsoft and Michael from credativ) gave a talk during this event.

Games: Warhammer, Steam, OpenSAGE and Wine