Security

Security: Updates, Ubuntu EoL, Passwords and More

Filed under
Security
  • Security updates for Friday
  • Ubuntu 17.10 (Artful Aardvark) End of Life reached on July 19 2018
  • Hacked Passwords Being Used In Blackmail Attempt -- Expect More Of This

    This was immediately obvious as a scam from a hacked database of passwords. Besides the fact that I haven't used that particular password in ages (and even when I did, it was the password I used for "unimportant" sites), there are a whole bunch of other reasons why it was obvious that the email was fake and it would be literally impossible for the person to have whatever it was they claimed to have on me. I found it funny enough that I reached out to some other folks to see if this was getting around, and a few people told me they'd seen similar ones, noting that the final note about sending it to "9 friends" appeared to be an increase from the usual of "5" that they had seen before.

    Indeed, Brian Krebs, who is always on top of these things, wrote a story about how a bunch of people got these emails last week. That one only asked for $1400, and also promised to send it to 5 friends. It has a few other slight differences to the one I received, but is pretty clearly sent by the same person/team of people with just a few modifications. Like the ones that Krebs reported on, mine appeared to come from an outlook.com email address. As Krebs notes, he expects that this particular scam is about to get a lot more popular, and will probably use a lot more recent set of passwords:

  • Hacker Summer Camp 2018: Cyberwar?

    I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.

    [...]

    There’s never a guarantee of security, but with updated devices & good security hygiene, you can survive the DEF CON networks.

  • Amazon, Reddit And Others Fail To Warn Us About Dumb Passwords

    Believe it or not, there is still a large number of people who use passwords such as “password,” “password123”, “[dog’s name]1” and others along the same lines. And in the era of sophisticated hacking, these passwords are not exactly “safe.”

  • Decade of research shows little improvement in password guidance
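The two password items above (a blackmail scam fed by an old breach dump, and sites that still accept "password123") share one practical countermeasure: check a candidate password against known-breached hashes before accepting it, without ever sending the password itself anywhere. The Python below is an added example, not code from any of the linked articles. It implements the k-anonymity lookup used by the Pwned Passwords range API: only the first five hex characters of the SHA-1 leave the machine, and the remaining 35 are matched locally. The breach corpus and its counts are constructed for the example, and `fake_range_endpoint` stands in for the real HTTP request.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus standing in for the Pwned Passwords data set.
# Passwords and counts are made up for this example.
_CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3730471,
    "password123": 126927,
    "fluffy1": 412,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix that leaves the machine, 35-char suffix that never does."""
    return digest[:5], digest[5:]


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real service answers with 'SUFFIX:COUNT' lines for every hash in its
    data set that shares the prefix; this builds the same shape from the
    constructed corpus instead of fetching it."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_CORPUS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Map of suffix -> count from a range response body."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str,
                 fetch: Callable[[str], str] = fake_range_endpoint) -> int:
    """Number of breach records containing this password, 0 if none.
    Only the hash prefix is passed to `fetch`; the suffix match stays local."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def password_problems(password: str, min_len: int = 12) -> List[str]:
    """Policy a signup form could enforce instead of accepting 'password123'."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    n = breach_count(password)
    if n:
        problems.append(f"seen {n} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "password123", "a long passphrase nobody has leaked yet"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

To use the real service, replace `fake_range_endpoint` with a function that requests `https://api.pwnedpasswords.com/range/<prefix>` (for example with `urllib.request.urlopen`) and returns the response body as text; nothing else changes, and the full hash still never leaves the host.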

Security: Updates, First PGPainless Release, and 'The Cloud'

Filed under
Security
  • Security updates for Thursday
  • First PGPainless Release!

    PGPainless 0.0.1-alpha1 is the first non-snapshot release and is available from Maven Central. It was an interesting experience to go through the process of creating a release and I’m looking forward to having many more releases in the future.

    The current release contains a workaround for the bug I described in an earlier blog post. The issue was that Bouncy Castle wouldn’t mark the public sub keys of a secret key ring as sub keys, which results in loss of keys if the user tries to create a public key ring from the exported public keys. My workaround fixes the issue by iterating through all sub keys of an existing key ring and converting the key packages of subkeys to subkey packages. The code is also available as a gist.

  • Thousands of US voters' data exposed by robocall firm

    A Virginia-based political campaign and robocalling company, which claims it can "reach thousands of voters instantly," left a huge batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password. 

    The bucket contained close to 2,600 files, including spreadsheets and audio recordings, for several US political campaigns.

    Kromtech Security's Bob Diachenko, who discovered the exposed data and blogged his findings, shared prior to publication several screenshots of data, packed with voters' full names, home addresses, and political affiliations.

  • Another Day, Another Pile Of Voter Data Left Laying Around On A Public Server

    Leaving private voter or customer data easily accessible on a public-facing server is the hot new fashion trend. You'll recall that it's a problem that has plagued the Defense Department, GOP data firm Deep Root Analytics (198 million voter records exposed), Verizon's marketing partners (6 million users impacted), Time Warner Cable (4 million users impacted), and countless other companies or partners that failed to implement even basic security practices. And it's a trend that shows no sign of slowing down despite repeated, similar stories (much of it thanks to analysis by security researcher Chris Vickery).

    This week yet another pile of private voter data was left publicly accessible for anybody to peruse. According to analysis by Kromtech Security’s Bob Diachenko, a Virginia-based political consulting and robocalling company by the name of Robocent publicly exposed 2,600 files, including voter file spreadsheets (including voter phone numbers, names, addresses, political affiliations, gender, voting districts and more) and audio recordings for a number of political campaigns.
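Both voter-data stories above come down to the same misconfiguration: an S3 bucket that anyone can read. The Python below is an added example, not code from Kromtech's or Techdirt's reporting. It is a static triage check over a bucket policy document and an ACL grant list of the shape that boto3's `get_bucket_policy` and `get_bucket_acl` return, flagging Allow statements that grant `s3:GetObject` to the anonymous principal and ACL grants to the AllUsers or AuthenticatedUsers groups. The sample policy and ACL are constructed. It is not a full IAM evaluator: an explicit Deny elsewhere, or S3 Block Public Access at the account or bucket level, can override what it flags, so treat a hit as something to confirm rather than proof of exposure.

```python
import json
from typing import Any, Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means everyone, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(actions: Any, wanted: str) -> bool:
    """Case-insensitive match honouring '*', 's3:*' and trailing wildcards."""
    wanted = wanted.lower()
    for action in _as_list(actions):
        action = action.lower()
        if action in ("*", "s3:*", wanted):
            return True
        if action.endswith("*") and wanted.startswith(action[:-1]):
            return True
    return False


def public_read_statements(policy: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(Sid, verdict) for each Allow statement granting s3:GetObject to the
    anonymous principal: 'public' when unconditional, 'conditional' when a
    Condition block is present (it may narrow access, e.g. to a VPC endpoint,
    so it needs a human look rather than an automatic verdict)."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if not _action_matches(st.get("Action"), "s3:GetObject"):
            continue
        verdict = "conditional" if st.get("Condition") else "public"
        findings.append((st.get("Sid", "<no Sid>"), verdict))
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(group, permission) for ACL grants to the AllUsers / AuthenticatedUsers
    groups, in the shape of boto3 get_bucket_acl()['Grants']."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission", "")))
    return hits


def triage(policy: Dict[str, Any], acl: Dict[str, Any]) -> List[str]:
    """One-line findings ready for a ticket."""
    out = []
    for sid, verdict in public_read_statements(policy):
        out.append(f"policy statement {sid}: anonymous s3:GetObject ({verdict})")
    for group, perm in public_acl_grants(acl):
        out.append(f"ACL grant: {group} has {perm}")
    return out


# Constructed samples. EXPOSED_POLICY is the kind of policy behind the stories above.
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-files/*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-voter-files", "arn:aws:s3:::example-voter-files/*"]}
  ]
}""")

EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    print("\n".join(triage(EXPOSED_POLICY, EXPOSED_ACL)) or "no public grants found")
```

Run this against every bucket in an account by feeding it the output of `get_bucket_policy` (parse the `Policy` string with `json.loads`) and `get_bucket_acl`; a bucket whose policy call raises `NoSuchBucketPolicy` simply has no policy to check, but its ACL still can.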

Security: Spectre V1, Gentoo, Google’s Servers and Denuvo DRM

Filed under
Security
  • Spectre V1 defense in GCC
  • Signing and distributing Gentoo

    The compromise of the Gentoo's GitHub mirror was certainly embarrassing, but its overall impact on Gentoo users was likely fairly limited. Gentoo and GitHub responded quickly and forcefully to the breach, which greatly limited the damage that could be done; the fact that it was a mirror and not the master copy of Gentoo's repositories made it relatively straightforward to recover from. But the black eye that it gave the project has led some to consider ways to make it even harder for an attacker to add malicious content to Gentoo—even if the distribution's own infrastructure were to be compromised.

    Unlike other distributions, Gentoo is focused on each user building the software packages they want using the Portage software-management tool. This is done by using the emerge tool, which is the usual interface to Portage. Software "packages" are stored as ebuilds, which are sets of files that contain the information and code needed by Portage to build the software. The GitHub compromise altered the ebuilds for three packages to add malicious content so that users who pulled from those repositories would get it.

    Ebuilds are stored in the /usr/portage directory on each system. That local repository is updated using emerge --sync (which uses rsync under the hood), either from Gentoo's infrastructure or one of its mirrors. Alternatively, users can use emerge-webrsync to get snapshots of the Gentoo repository, which are updated daily. Snapshots are individually signed by the Gentoo infrastructure OpenPGP keys, while the /usr/portage tree is signed by way of Manifest files that list the hash of each file in a directory. The top-level Manifest is signed by the infrastructure team, so following and verifying the chain of hashes down to a particular file (while also making sure there are no unlisted files) ensures that the right files are present in the tree.

  • Here’s How Hackers Are Using Google’s Servers To Host Malware For Free
  • Pirates Punish Denuvo-Protected Games With Poor Ratings

    Denuvo's anti-piracy technology is a thorn in the side of game pirates. While it has been defeated on several occasions recently, the strict anti-piracy measures have not been without consequence. According to new research, Denuvo has frustrated pirates to a point where they sabotage reviews on Metacritic, leading to significantly lower ratings for protected games.
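To make the Manifest chain described in the Gentoo item above concrete, here is an added Python example (not Gentoo's Portage code) that builds a small constructed tree, verifies it from the top-level Manifest downwards, and reports both altered files and files present on disk that no Manifest lists. The Manifest format used here is a simplified stand-in (`DATA` and `MANIFEST` entries with a size and a single SHA-512) rather than Gentoo's real Manifest2 layout, and the OpenPGP signature on the top-level Manifest is assumed to have been checked already, since that signature is what anchors the trust in every hash below it.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List, Tuple


def sha512_file(path: Path) -> str:
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> List[Tuple[str, str, int, str]]:
    """Simplified line format: '<TAG> <path> <size> SHA512 <hex>'. DATA covers a
    file in this subtree; MANIFEST hands a directory over to its own Manifest."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, name, size, algo, digest = line.split()
        if algo != "SHA512" or tag not in ("DATA", "MANIFEST") or (tag == "MANIFEST" and "/" not in name):
            raise ValueError(f"unsupported Manifest line: {line!r}")
        entries.append((tag, name, int(size), digest))
    return entries


def verify_tree(root: Path) -> List[str]:
    """Walk from root/Manifest down (its signature is assumed verified already).
    Empty result: every listed file matches, and nothing unlisted is present."""
    problems: List[str] = []

    def verify_dir(d: Path) -> None:
        mpath = d / "Manifest"
        if not mpath.is_file():
            problems.append(f"{d.relative_to(root).as_posix()}: Manifest missing")
            return
        data_files, delegated = set(), []  # delegated: prefixes owned by nested Manifests
        for tag, name, size, digest in parse_manifest(mpath.read_text()):
            target = d / name
            rel = target.relative_to(root).as_posix()
            if not target.is_file():
                problems.append(f"{rel}: listed but missing")
                continue
            ok = True
            if target.stat().st_size != size:
                problems.append(f"{rel}: size mismatch"); ok = False
            if sha512_file(target) != digest:
                problems.append(f"{rel}: hash mismatch"); ok = False
            if tag == "DATA":
                data_files.add(name)
            else:
                delegated.append(name.rsplit("/", 1)[0] + "/")
                if ok:
                    verify_dir(target.parent)  # descend only through a verified Manifest
        # Files no Manifest vouches for are findings too: a dropped-in file is an attack.
        for f in sorted(d.rglob("*")):
            if not f.is_file():
                continue
            rel_d = f.relative_to(d).as_posix()
            if rel_d == "Manifest" or rel_d in data_files or any(rel_d.startswith(p) for p in delegated):
                continue
            problems.append(f"{f.relative_to(root).as_posix()}: not listed in any Manifest")

    verify_dir(root)
    return problems


def _write(path: Path, content: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def _line(tag: str, base: Path, name: str) -> str:
    p = base / name
    return f"{tag} {name} {p.stat().st_size} SHA512 {sha512_file(p)}"


def build_sample_tree(base: Path) -> Path:
    """Constructed two-level tree: the root Manifest covers header.txt and
    delegates app-misc/hello/ to that package directory's own Manifest."""
    root, pkg = base / "repo", base / "repo" / "app-misc" / "hello"
    _write(root / "header.txt", "constructed sample repository\n")
    _write(pkg / "hello-1.0.ebuild", 'DESCRIPTION="constructed sample ebuild"\nSLOT="0"\n')
    _write(pkg / "files" / "hello.patch", "--- a/hello.c\n+++ b/hello.c\n")
    _write(pkg / "Manifest", _line("DATA", pkg, "hello-1.0.ebuild") + "\n"
           + _line("DATA", pkg, "files/hello.patch") + "\n")
    _write(root / "Manifest", _line("DATA", root, "header.txt") + "\n"
           + _line("MANIFEST", root, "app-misc/hello/Manifest") + "\n")
    return root


def tamper(root: Path) -> Path:
    """What a mirror compromise looks like on disk: an ebuild with added code,
    and a new package directory nothing lists."""
    _write(root / "app-misc" / "hello" / "hello-1.0.ebuild",
           'DESCRIPTION="constructed sample ebuild"\nSLOT="0"\npkg_postinst() { :; }\n')
    _write(root / "app-misc" / "evil" / "evil-1.0.ebuild", "")
    return root


def fresh_workdir() -> Path:
    return Path(tempfile.mkdtemp(prefix="manifest-demo-"))


if __name__ == "__main__":
    root = build_sample_tree(fresh_workdir())
    print("clean tree:", verify_tree(root) or "ok")
    for problem in verify_tree(tamper(root)):
        print("tampered tree:", problem)
```

The check descends into a subdirectory only through a nested Manifest whose own hash matched the parent's entry, so a replaced sub-Manifest is caught at the parent rather than trusted; the unlisted-file pass is what turns "every listed file is intact" into "the tree contains only what was signed for".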

Security: SSL, Microsoft Windows TCO, Security Breach Detection and SIM Hijackers

Filed under
Security
  • Why Does Google Chrome Say Websites Are “Not Secure”?

    Starting with Chrome 68, Google Chrome labels all non-HTTPS websites as “Not Secure.” Nothing else has changed—HTTP websites are just as secure as they’ve always been—but Google is giving the entire web a shove towards secure, encrypted connections.

  • Biggest Voting Machine Maker Admits -- Ooops -- That It Installed Remote Access Software After First Denying It [Ed: Microsoft Windows TCO]

    We've been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don't mean "bad at security" -- though, that's part of it -- but I really mean "bad at understanding how insecure their machines really are." For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold's flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ.

    What's incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system -- and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S -- under questioning from Senator Ron Wyden -- has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago.

  • Bringing cybersecurity to the DNC [Ed: Microsoft Windows TCO. Microsoft Exchange was used.]

    When Raffi Krikorian joined the Democratic National Committee (DNC) as chief technology officer, the party was still reeling from its devastating loss in 2016 — and the stunning cyberattacks that resulted in high-level officials’ emails being embarrassingly leaked online.

  • Getting Started with Successful Security Breach Detection

    Organizations historically believed that security software and tools were effective at protecting them from hackers. Today, this is no longer the case, as modern businesses are now connected in a digital global supply ecosystem with a web of connections to customers and suppliers. Often, organizations are attacked as part of a larger attack on one of their customers or suppliers. They represent low hanging fruit for hackers, as many organizations have not invested in operationalizing security breach detection.

    As this new reality takes hold in the marketplace, many will be tempted to invest in new technology tools to plug the perceived security hole and move on with their current activities. However, this approach is doomed to fail. Security is not a "set it and forget it" type of thing. Defending an organization from a breach requires a careful balance of tools and operational practices -- operational practices being the more important element.

  • The SIM Hijackers

    By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.

At Rest Encryption

Filed under
Security

There are many steps you can take to harden a computer, and a common recommendation you'll see in hardening guides is to enable disk encryption. Disk encryption also often is referred to as "at rest encryption", especially in security compliance guides, and many compliance regimes, such as PCI, mandate the use of at rest encryption. This term refers to the fact that data is encrypted "at rest" or when the disk is unmounted and not in use. At rest encryption can be an important part of system hardening, yet many administrators who enable it, whether on workstations or servers, may end up with a false sense of security if they don't understand not only what disk encryption protects you from, but also, and more importantly, what it doesn't.

Read more

Linux Security

Filed under
Linux
Security
  • Security updates for Wednesday
  • PTI Support To Address Meltdown Nearing The Finish Line For x86 32-bit Linux

    While Page Table Isolation (PTI/KPTI) has been available since the Meltdown CPU vulnerability was disclosed at the start of the year, that's been for x86_64 Linux while the x86 32-bit support has remained a work-in-progress and only relatively recently has come together.

    Joerg Roedel sent out the eighth version of the x86-32 PTI patches today, which address feedback following a good round of review. This latest page table isolation work for x86 32-bit addresses more developer feedback and tidies up some of the code.

  • Linux To Better Protect Entropy Sent In From User-Space

    Fedora has begun utilizing a user-space jitter entropy daemon for feeding entropy to the kernel at boot time in case not enough is available for the kernel's random needs. But with that approach not being from a true hardware random number generator, a patch worked out by veteran Linux kernel developer Ted Ts'o will mix in RdRand entropy.

    Fedora has resorted to a user-space jitter entropy daemon to work around slow boot times on a subset of systems/VMs when using recent kernels. A change was made to the kernel earlier this year to address CVE-2018-1108, a weakness in the kernel's random seed data whereby early processes in the boot sequence could be handed data that was not random enough. But the fix dramatically slows down booting by waiting until sufficient entropy is available. This is problematic particularly for VMs where virtio-rng is not present. Some users cannot get affected kernels to boot at all unless they tap keyboard keys enough times to generate sufficient entropy.

  • Linux 4.17.8

    I'm announcing the release of the 4.17.8 kernel.

    This is to fix the i386 issue that was in the 4.17.7 release.  All should be fine now.

  • SPECTRE Variant 1 scanning tool
  • When your software is used way after you EOL it.

    One of my first jobs was working on a satellite project called ALEXIS at Los Alamos National Laboratory and had been part of a Congressional plan to explore making space missions faster and cheaper. This meant the project was a mishmash of whatever computer systems were available at the time. Satellite tracking was planned on I think a Macintosh SE, the main uploads and capture were a combination of off the shelf hardware and a Sparc 10. Other analysis was done on spare Digital and SGI Irix systems. It was here I really learned a lot about system administration as each of those systems had their own 'quirks' and ways of doing things.

    I worked on this for about a year as a Graduate Research Assistant, and learned a lot about how many projects in science and industrial controls get 'frozen' in place way longer than anyone writing the software expects. This is because at a certain point the device becomes cheaper to keep running than replace or even updating. So when I was watching this USGS video this morning,
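The entropy item above describes two things: a user-space jitter daemon feeding the kernel at boot, and the kernel no longer trusting that feed on its own. The Python below is an added example (not jitterentropy-rngd's code, nor Ted Ts'o's kernel patch) of both ideas in miniature: a timing-noise source with a conservative min-entropy estimate and SHA-256 conditioning, and a pool update that always folds a hardware-RNG sample in alongside the user-space contribution so that a weak or attacker-chosen feed cannot drag the pool down. `os.urandom` stands in for RDRAND, the derating factor in `entropy_credit` is an illustrative policy rather than the kernel's, and the deltas the tests use are constructed.

```python
import hashlib
import math
import os
import time
from collections import Counter
from typing import List


def collect_deltas(n: int = 4096) -> List[int]:
    """Timing noise source: time a small memory-touching loop with the
    high-resolution clock. Cache state, interrupts and scheduling make the
    per-iteration cost vary; the low bits of each delta are the raw noise."""
    buf = bytearray(4096)
    deltas = []
    last = time.perf_counter_ns()
    for i in range(n):
        buf[(i * 97) & 4095] ^= 1          # perturb cache and memory state
        now = time.perf_counter_ns()
        deltas.append(now - last)
        last = now
    return deltas


def min_entropy_per_sample(deltas: List[int], mask: int = 0x7) -> float:
    """Conservative estimate: -log2 of the most frequent value of the masked
    low bits. Min-entropy, not Shannon entropy, is what you may credit."""
    counts = Counter(d & mask for d in deltas)
    p_max = max(counts.values()) / len(deltas)
    return -math.log2(p_max)


def entropy_credit(deltas: List[int], mask: int = 0x7) -> int:
    """Bits to credit for a batch. Illustrative policy (an assumption of this
    example): min-entropy times samples, derated by half for estimator error."""
    return int(min_entropy_per_sample(deltas, mask) * len(deltas) / 2)


def von_neumann_debias(bits: List[int]) -> List[int]:
    """Remove bias from a bit stream: (0,1) -> 0, (1,0) -> 1, equal pairs dropped."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def condition(deltas: List[int]) -> bytes:
    """Raw deltas -> 32 bytes: take LSBs, debias, pack into bytes, hash."""
    bits = von_neumann_debias([d & 1 for d in deltas])
    packed = bytes(
        int("".join(str(b) for b in bits[i:i + 8]), 2)
        for i in range(0, len(bits) - 7, 8)
    )
    return hashlib.sha256(packed).digest()


def mix_into_pool(pool: bytes, userspace: bytes, hw: bytes) -> bytes:
    """Pool update that never trusts the user-space feed alone: hash the old
    pool, the user-space bytes and a hardware-RNG sample together. The output
    is unpredictable if ANY input is, so an attacker-chosen user-space feed
    cannot reduce it. Length-prefixed tags keep the inputs from being confused."""
    h = hashlib.sha256()
    for tag, part in ((b"pool", pool), (b"user", userspace), (b"hw", hw)):
        h.update(tag + len(part).to_bytes(4, "big") + part)
    return h.digest()


if __name__ == "__main__":
    deltas = collect_deltas()
    print(f"min-entropy per sample (low 3 bits): {min_entropy_per_sample(deltas):.2f}")
    print(f"credit for this batch: {entropy_credit(deltas)} bits")
    pool = b"\x00" * 32
    pool = mix_into_pool(pool, condition(deltas), os.urandom(32))  # os.urandom stands in for RDRAND
    print("pool:", pool.hex())
```

On a virtual machine with no virtio-rng, `min_entropy_per_sample` on real deltas is the number to watch: a coarse clock or a quiet guest can push it toward zero, which is exactly the case where crediting the feed on its own would be a mistake and the hardware contribution in `mix_into_pool` earns its keep.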

Red Hat and CentOS Fix Kernel Bug in Latest OS Versions, Urge Users to Update

Filed under
OS
Red Hat
Security

It would appear that there was a bug in the previous Linux kernel update for the Red Hat Enterprise Linux 7.5 and CentOS Linux 7.5 releases, which was released to address the Spectre V4 security vulnerability. The bug caused connection tracking information not to function correctly, which could lead to connectivity loss and to configuration properties related to the respective connection tracking leaking into other namespaces.

"Previously, the connection tracking information was not cleared properly for packets forwarded to another network namespace," said Red Hat in an advisory. "Packets that were marked with the "NOTRACK" target in one namespace were excluded from connection tracking even in the new namespace. Consequently, a loss of connectivity occasionally occurred, depending on the packet filtering ruleset of the other network namespaces."

Read more

Also: Red Hat Open-Sources Scanner That Checks Linux Binaries For Spectre V1 Potential

Red Hat Continues Driving Wonderful Innovations In Fedora Workstation

Security: Back Doors in Voting Machines, Two-Factor Authentication, Introduction to Cybersecurity, and Reproducible Builds

Filed under
Security
  • Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

    The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

    In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

    The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.

  • PSA: Make Sure You Have a Backup for Two-Factor Authentication
  • An Introduction to Cybersecurity: The First Five Steps

    You read all these headlines about the latest data breaches, and you worry your organization could be next.

    After all, if TalkTalk, Target, and Equifax can’t keep their data safe, what chance do you have?

    Well, thankfully, most organizations aren’t quite as high profile as those household names, and probably don’t receive quite so much attention from cybercriminals. At the same time, though, no organization is so small or insignificant that it can afford to neglect to take sensible security measures.

    If you’re just starting to take cybersecurity seriously, here are five steps you can take to secure your organization more effectively than 99 percent of your competitors.

  • Reproducible Builds: Weekly report #168

Security Leftovers

Filed under
Security

Red Hat Looks Beyond Docker for Container Technology

Filed under
Server
Security

While Docker Inc and its eponymous container engine helped to create the modern container approach, Red Hat has multiple efforts of its own that it is now actively developing.

The core component for containers is the runtime engine, which for Docker is the Docker Engine which is now based on the Docker-led containerd project that is hosted at the Cloud Native Computing Foundation (CNCF). Red Hat has built its own container engine called CRI-O, which hit its 1.0 release back in October 2017.

For building images, Red Hat has a project called Buildah, which reached its 1.0 milestone on June 6.

Read more

More in Tux Machines

A Fresh Look At The PGO Performance With GCC 8

It's been a while since we last ran some GCC PGO benchmarks, the Profile Guided Optimizations or feedback-directed optimization technique that makes use of profiling data at run-time to improve performance of re-compiled binaries. Here are some fresh benchmarks of GCC PGO impact on a Xeon Scalable server while using the newly-released GCC 8.2 release candidate. With it being a while since our last roundabout with GCC PGO benchmarking and also a reader recently inquiring about PTS PGO testing, I ran some new tests. For those not familiar with PGO, it basically involves first compiling the code with the relevant PGO/profiling flags, running the workload under test to generate the profiling data, and then re-compiling the software while feeding that profiling data into the compiler so it can make better optimization choices. This profile-guided feedback can be quite beneficial to the compiler for making wiser code generation choices based upon that run-time data. Firefox, Chrome, and other popular software packages have been relying upon PGO-optimized release binaries for a while to offer greater performance.

Read more

Also: A 3.3x Performance Improvement For FLAC Audio Encoding On POWER 64-bit

Graphics: Intel/DRM-Next, ATI/AMD, and NVIDIA

  • Intel Squeezes Final Batch Of Linux 4.19 DRM Changes, Lands Icelake Display Compression
    Last week Intel sent in a "final" batch of i915 DRM driver feature updates to DRM-Next for the upcoming Linux 4.19 kernel cycle but it turns out there is one more batch of changes now focused on landing. Intel open-source graphics driver developer Rodrigo Vivi submitted their final pull request of new material for Linux 4.19.
  • 2018 Brings A New Linux X.Org Display Driver Update For The ATI RAGE 128
    Last month I wrote about a new attempt at improving the ATI RAGE 128 X.Org driver... Yes, for the Rage graphics cards from the late 90's in the days of AGP and PCI where core/memory clock speeds were commonly in the double digits... If you are a hobbyist fond of these vintage graphics cards and are still running with these OpenGL 1.1~1.2 capable GPUs, there is a new X.Org driver update.
  • AMDGPU Gets More Features For Linux 4.19 Kernel
    On top of AMDGPU improvements/features already staged for Linux 4.19, the AMD folks on Thursday sent in their seemingly last set of feature updates to DRM-Next ahead of the Linux 4.19 kernel merge window. There is certainly a lot of new DRM material queuing for Linux 4.19: if you are behind on your Phoronix reading, there will be a DRM recap next week or so on Phoronix with the cutoff for new DRM-Next material hitting its end for the upcoming 4.19 window. Thursday's Radeon/AMDGPU update just adds to this big list of changes.
  • AMDVLK Vulkan Driver Plumbs New Extensions, Lands A Number Of Fixes
    The AMD folks maintaining their official Vulkan driver code have done their common end-of-week code dump into the open-source AMDVLK Linux Vulkan driver repository across the PAL, XGL, LLVM, and SPVGEN code-bases.
  • NVIDIA 396.45 Linux Driver Fixes Vulkan Direct-To-Display & Multi-Threaded EGL Apps
    The NVIDIA Unix developers have released the 396.45 binary display driver today with just two listed bug-fixes. The NVIDIA 396.45 Linux driver has improved recovery for Vulkan direct-to-display applications (such as VR compositors or other use-cases where the Vulkan application takes direct control of the display output) when the application hangs or crashes. This is good news for problematic Linux VR sessions, since the display should now be restored more gracefully.
  • NVIDIA pushed out two new Linux drivers recently with 396.45 and 390.77
    NVIDIA are pushing forward with improving their Linux driver in many areas, with two driver series seeing updates in the past week. The first is the 390.77 driver, part of their "long-lived branch release".

How Linux Makes Your Life Easier

There is a popular myth that Linux is complicated and hard to use by a non-techie. While there are distros and advanced Linux functionality that do require tech skills, this doesn’t mean Linux is hard to use. On the contrary, there are lots of things in the philosophy and functionality of Linux that make a user’s life easier.

Read more

Containers: IBM, Yan Vugenfirer and HPC

  • IBM attempts to graft virtual machine security onto container flexibility
    IBM researchers have developed a new flavor of software container in an effort to create code that's more secure than Docker and similar shared kernel container systems. Docker and its ilk are considered less secure than VMs because the compromise of a shared kernel puts all associated containers at risk. With VMs, the kernel is separate from the host kernel, which reduces the risk of collateral damage.
  • Using Linux Containers to Manage Embedded Build Environments
    Linux container technology has been proposed by companies like Resin.io as a simpler and more secure way to deploy embedded devices. And, Daynix Computing has developed an open source framework called Rebuild that uses Linux containers in the build management process of embedded IoT development. At the 2017 Open Source Summit, Daynix “virtualization expert” Yan Vugenfirer gave a presentation on Rebuild called “How Linux Containers can Help to Manage Development Environments for IoT and Embedded Systems.” Vugenfirer started by reminding the audience of the frustrations of embedded development, especially when working with large, complex projects. “You’re dealing with different toolchains, SDKs, and compilers all with different dependencies,” he said. “It gets more complicated if you need to update packages, or change SDKs, or run a codebase over several devices. The code may compile on your machine, but there may be problems in the build server or in the CI (continuous integration) server.”
  • Building Containers with HPC Container Maker
    Containers package entire workflows, including software, libraries, and even data, into a single file. The container can then be run on any compatible hardware that can run the container type, regardless of the underlying operating system. Containers are finding increased utility in the worlds of scientific computing, deep learning, HPC, machine learning, and artificial intelligence, because they are reproducible, portable (mobility of compute), user friendly (admins don’t have to install everything), and simple, and they isolate resources, reduce complexity (reduction in dependencies), and make it easy to distribute the application and dependencies. Using containers, you have virtually everything you need in a single file, including a base operating system (OS), the application or workflow (multiple applications), and all of the dependencies. Sometimes the data is also included in the container, although it is not strictly necessary because you can mount filesystems with the data from the container.