Language Selection

English French German Italian Portuguese Spanish

Security

Security: SSL, Microsoft Windows TCO, Security Breach Detection and SIM Hijackers

Filed under
Security
  • Why Does Google Chrome Say Websites Are “Not Secure”?

    Starting with Chrome 68, Google Chrome labels all non-HTTPS websites as “Not Secure.” Nothing else has changed—HTTP websites are just as secure as they’ve always been—but Google is giving the entire web a shove towards secure, encrypted connections.

  • Biggest Voting Machine Maker Admits -- Ooops -- That It Installed Remote Access Software After First Denying It [Ed: Microsoft Windows TCO]

    We've been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don't mean "bad at security" -- though, that's part of it -- but I really mean "bad at understanding how insecure their machines really are." For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold's flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ.

    What's incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system -- and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S -- under questioning from Senator Ron Wyden -- has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago.

  • Bringing cybersecurity to the DNC [Ed: Microsoft Windows TCO. Microsoft Exchange was used.]

    When Raffi Krikorian joined the Democratic National Committee (DNC) as chief technology officer, the party was still reeling from its devastating loss in 2016 — and the stunning cyberattacks that resulted in high-level officials’ emails being embarrassingly leaked online.

  • Getting Started with Successful Security Breach Detection

    Organizations historically believed that security software and tools were effective at protecting them from hackers. Today, this is no longer the case, as modern businesses are now connected in a digital global supply ecosystem with a web of connections to customers and suppliers. Often, organizations are attacked as part of a larger attack on one of their customers or suppliers. They represent low hanging fruit for hackers, as many organizations have not invested in operationalizing security breach detection.

    As this new reality takes hold in the marketplace, many will be tempted to invest in new technology tools to plug the perceived security hole and move on with their current activities. However, this approach is doomed to fail. Security is not a "set it and forget it" type of thing. Defending an organization from a breach requires a careful balance of tools and operational practices -- operational practices being the more important element.

  • The SIM Hijackers

    By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.

At Rest Encryption

Filed under
Security

There are many steps you can take to harden a computer, and a common recommendation you'll see in hardening guides is to enable disk encryption. Disk encryption also often is referred to as "at rest encryption", especially in security compliance guides, and many compliance regimes, such as PCI, mandate the use of at rest encryption. This term refers to the fact that data is encrypted "at rest" or when the disk is unmounted and not in use. At rest encryption can be an important part of system-hardening, yet many administrators who enable it, whether on workstations or servers, may end up with a false sense of security if they don't understand not only what disk encryption protects you from, but also, and more important, what it doesn't.

Read more

Linux Security

Filed under
Linux
Security
  • Security updates for Wednesday
  • PTI Support To Address Meltdown Nearing The Finish Line For x86 32-bit Linux

    While Page Table Isolation (PTI/KPTI) has been available since the Meltdown CPU vulnerability was disclosed at the start of the year, that's been for x86_64 Linux while the x86 32-bit support has remained a work-in-progress and only relatively recently has come together.

    Joerg Roedel sent out the eighth version of the x86-32 PTI patches today, which address feedback following a good round of review. This latest page table isolation work for x86 32-bit address more developer feedback and tidies up some of the code.

  • Linux To Better Protect Entropy Sent In From User-Space

    Fedora has begun utilizing a user-space jitter entropy daemon for feeding entropy to the kernel at boot time in case not enough is available for the kernel's random needs. But with that approach not being from a true hardware random number generator, a patch worked out by veteran Linux kernel developer Ted Ts'o will mix in RdRand entropy.

    Fedora has resorted to a user-space jitter entropy daemon to workaround slow boot times on a sub-set of systems/VMs when using recent kernels. A change was made to the kernel earlier this year for addressing CVE-2018-1108, which is about a weakness in the kernel's random seed data whereby early processes in the boot sequence could not have random enough data. But the fix dramatically slows down systems booting by waiting until sufficient entropy is available. This is problematic particularly for VMs where virtio-rng is not present. For some users, they can't get the system(s) booted on affected kernels unless tapping on keyboard keys enough times for generating sufficient entropy.

  • Linux 4.17.8

    I'm announcing the release of the 4.17.8 kernel.

    This is to fix the i386 issue that was in the 4.17.7 release.  All should be fine now.

  • SPECTRE Variant 1 scanning tool
  • When your software is used way after you EOL it.

    One of my first jobs was working on a satellite project called ALEXIS at Los Alamos National Laboratory and had been part of a Congressional plan to explore making space missions faster and cheaper. This meant the project was a mix-mash of whatever computer systems were available at the time. Satellite tracking was planned on I think a Macintosh SE, the main uploads and capture were a combination of off the shelf hardware and a Sparc 10. Other analysis was done on spare Digital and SGI Irix systems. It was here I really learned a lot about system administration as each of those systems had their own 'quirks' and ways of doing things.

    I worked on this for about a year as a Graduate Research Assistant, and learned a lot about how many projects in science and industrial controls get 'frozen' in place way longer than anyone writing the software expects. This is because at a certain point the device becomes cheaper to keep running than replace or even updating. So when I was watching this USGS video this morning,

Red Hat and CentOS Fix Kernel Bug in Latest OS Versions, Urge Users to Update

Filed under
OS
Red Hat
Security

It would appear the there was a bug in the previous Linux kernel update for the Red Hat Enterprise Linux 7.5 and CentOS Linux 7.5 releases, which was released to address the Spectre V4 security vulnerability, making connection tracking information to not function correctly, which could lead to connectivity loss and leaking of configuration properties related to the respective connection tracking into other namespaces.

"Previously, the connection tracking information was not cleared properly for packets forwarded to another network namespace," said Red Hat in an advisory. "Packets that were marked with the "NOTRACK" target in one namespace were excluded from connection tracking even in the new namespace. Consequently, a loss of connectivity occasionally occurred, depending on the packet filtering ruleset of the other network namespaces."

Read more

Also: Red Hat Open-Sources Scanner That Checks Linux Binaries For Spectre V1 Potential

Red Hat Continues Driving Wonderful Innovations In Fedora Workstation

Security: Back Doors in Voting Machines, Two-Factor Authentication, Introduction to Cybersecurity, and Reproducible Builds

Filed under
Security
  • Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

    The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

    In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them.

    The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.

  • PSA: Make Sure You Have a Backup for Two-Factor Authentication
  • An Introduction to Cybersecurity: The First Five Steps

    You read all these headlines about the latest data breaches, and you worry your organization could be next.

    After all, if TalkTalk, Target, and Equifax can’t keep their data safe, what chance do you have?

    Well, thankfully, most organizations aren’t quite as high profile as those household names, and probably don’t receive quite so much attention from cybercriminals. At the same time, though, no organization is so small or insignificant that it can afford to neglect to take sensible security measures.

    If you’re just starting to take cybersecurity seriously, here are five steps you can take to secure your organization more effectively than 99 percent of your competitors.

  • Reproducible Builds: Weekly report #168

Security Leftovers

Filed under
Security

Red Hat Looks Beyond Docker for Container Technology

Filed under
Server
Security

While Docker Inc and its eponymous container engine helped to create the modern container approach, Red Hat has multiple efforts of its own that it is now actively developing.

The core component for containers is the runtime engine, which for Docker is the Docker Engine which is now based on the Docker-led containerd project that is hosted at the Cloud Native Computing Foundation (CNCF). Red Hat has built its own container engine called CRI-O, which hit its 1.0 release back in October 2017.

For building images, Red Hat has a project called Buildah, which reached its 1.0 milestone on June 6.

Read more

Containers: The Update Framework (TUF), Nabla, and Kubernetes 1.11 Release

Filed under
Server
Security
  • How The Update Framework Improves Software Distribution Security

    In recent years that there been multiple cyber-attacks that compromised a software developer's network to enable the delivery of malware inside of software updates. That's a situation that Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve.

    Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates and has implementations that are being purpose-built to help secure automotive software as well.

  • IBM's new Nabla containers are designed for security first

    Companies love containers because they enable them to run more jobs on servers. But businesses also hate containers, because they fear they're less secure than virtual machines (VM)s. IBM thinks it has an answer to that: Nabla containers, which are more secure by design than rival container concepts.

    James Bottomley, an IBM Research distinguished engineer and top Linux kernel developer, first outlines that there are two kind of fundamental kinds of container and virtual machine (VM) security problems. These are described as Vertical Attack Profile (VAP) and Horizontal Attack Profile (HAP).

  • [Podcast] PodCTL #42 – Kubernetes 1.11 Released

    Like clockwork, the Kubernetes community continues to release quarterly updates to the rapidly expanding project. With the 1.11 release, we see a number of new capabilities being added across a number of different domains – infrastructure services, scheduling services, routing services, storage services, and broader CRD versioning capabilities that will improve the ability to not only deploy Operators for the platform and applications. Links for all these new features, as well as in-depth blog posts from Red Hat and the Kubernetes community are included in the show notes.

    As always, it’s important to remember that not every new feature being released is considered “General Availability”, so be sure to check the detailed release notes before considering the use of any feature in a production or high-availability environment.

Security: Containers, Tron, Back Doors, GandCrab, Bastille Day

Filed under
Security
  • A New Method of Containment: IBM Nabla Containers

    In the previous post about Containers and Cloud Security, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk.  However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies.  For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors.  For the impatient, the full open source release of the Nabla Containers technology is here and here, but for the more patient, let me explain what we did and why.  We’ll have a follow on post about the measurement methodology for the HAP and how we proved better containment than even hypervisor solutions.

    [...]

    Like most sandbox models, the Nabla containers approach is an alternative to namespacing for containment, but it still requires cgroups for resource management.  The figures show that the containment HAP is actually better than that achieved with a hypervisor and the performance, while being marginally less than a namespaced container, is greater than that obtained by running a container inside a hypervisor.  Thus we conclude that for tenants who have a real need for HAP reduction, this is a viable technology.

  • Measuring the Horizontal Attack Profile of Nabla Containers
  • Tron (TRX) Gives $25,000 to 5 Developers Who Spotted Bugs in Open-Source Code

    Just a couple of days ago, Binance – a very popular digital currency trading platform – credited the Binance account of thirty-one selected Tron (TRX) traders with five million TRX tokens. Recently, the Tron Foundation has also announced it gave away $25k to five developers that are actively working to redefine the community of Tron.

  • Open Source Security Podcast: Episode 105 - More backdoors in open source
  • GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader [Ed: Microsoft's collaboration with the NSA on back doors is a gift to keeps giving.... to crackers.]
  • Rewritten GandCrab Ransomware Targets SMB Vulnerabilities To Attack Faster

    GandCrab ransomware, which has created a hullabaloo in the cybersecurity industry by constantly evolving, has yet again caused a commotion. The latest version of the ransomware attacks system using SMB exploit spreader via compromised websites. The ransomware is adding new features every day to target different countries.

    The attackers behind the ransomware are scanning the whole internet to find the vulnerable websites to unleash the attack. The latest version features a long hard-coded list of websites that were compromised and were used to connect with it.

  • France’s cyber command marched in Paris’s Bastille Day Parade for the first time

     

    For the first time, France’s military cyber command marched in this year’s Bastille Day parade on the Champs Elysees in Paris, alongside other units in the nation’s armed forces. The military noted that it’s a recognition of the advances that the unit has made since its formation last year, and reinforces that “cyber defense remains a national priority.”
     

    French defense minister Jean-Yves Le Drian announced the formation of COMCYBER in December 2016, noting that the emergence of state actors operating in cyberspace was a new way to approach warfare. The command brought all of the nation’s soldiers focused on cyber defense under one command, with three main tasks: cyber intelligence, protection, and offense.  

  • Should I let my staff choose their own kit and, if so, how?

Security Leftovers

Filed under
Security
  • Data breaches show we’re only three clicks away from anarchy

    An IT glitch afflicting BP petrol stations for three hours last Sunday evening might not sound like headline news. A ten-hour meltdown of Visa card payment systems in June was a bigger story — as was the notorious TSB computer upgrade cock-up that started on 20 April, which was still afflicting customers a month later and was reported this week to be causing ruptures between TSB and its Spanish parent Sabadell.

    Meanwhile, what do Fortnum & Mason, Dixons Carphone, Costa Coffee and its sister company Premier Inn have in common with various parts of the NHS? The answer is that they have all suffered recent large-scale ‘data breaches’ that may have put private individuals’ information at risk. IT Governance, a blog that monitors international news stories in this sphere, came up with a global figure of 145 million ‘records leaked’ last month alone. Such leaks are daily events everywhere — and a lesson of the TSB story was that cyber fraudsters are waiting to attack wherever private data becomes accessible, whether because of computer breakdown or lax data protection.

  • UK security researcher Hutchins makes renewed bid for freedom

    British security researcher Marcus Hutchins, who was arrested by the FBI last August over alleged charges of creating and distributing a banking trojan, has made a fresh bid to go free, claiming that the US has no territorial jurisdiction to file charges against him for alleged crimes committed elsewhere.

  • Common Ground: For Secure Elections and True National Security

    An open letter by Gloria Steinem, Noam Chomsky, John Dean, Governor Bill Richardson, Walter Mosley, Michael Moore, Valerie Plame, and others.

Syndicate content

More in Tux Machines

Today in Techrights

Security: SSL, Microsoft Windows TCO, Security Breach Detection and SIM Hijackers

  • Why Does Google Chrome Say Websites Are “Not Secure”?
    Starting with Chrome 68, Google Chrome labels all non-HTTPS websites as “Not Secure.” Nothing else has changed—HTTP websites are just as secure as they’ve always been—but Google is giving the entire web a shove towards secure, encrypted connections.
  • Biggest Voting Machine Maker Admits -- Ooops -- That It Installed Remote Access Software After First Denying It [Ed: Microsoft Windows TCO]
    We've been covering the mess that is electronic voting machines for nearly two decades on Techdirt, and the one thing that still flummoxes me is how are they so bad at this after all these years? And I don't mean "bad at security" -- though, that's part of it -- but I really mean "bad at understanding how insecure their machines really are." For a while everyone focused on Diebold, but Election Systems and Software (ES&S) has long been a bigger player in the space, and had just as many issues. It just got less attention. There was even a brief period of time where ES&S bought what remained of Diebold's flailing e-voting business before having to sell off the assets to deal with an antitrust lawsuit by the DOJ. What's incredible, though, is that every credible computer security person has said that it is literally impossible to build a secure fully electronic voting system -- and if you must have one at all, it must have a printed paper audit trail and not be accessible from the internet. Now, as Kim Zetter at Motherboard has reported, ES&S -- under questioning from Senator Ron Wyden -- has now admitted that it installed remote access software on its voting machines, something the company had vehemently denied to the same reporter just a few months ago.
  • Bringing cybersecurity to the DNC [Ed: Microsoft Windows TCO. Microsoft Exchange was used.]
    When Raffi Krikorian joined the Democratic National Committee (DNC) as chief technology officer, the party was still reeling from its devastating loss in 2016 — and the stunning cyberattacks that resulted in high-level officials’ emails being embarrassingly leaked online.
  • Getting Started with Successful Security Breach Detection
    Organizations historically believed that security software and tools were effective at protecting them from hackers. Today, this is no longer the case, as modern businesses are now connected in a digital global supply ecosystem with a web of connections to customers and suppliers. Often, organizations are attacked as part of a larger attack on one of their customers or suppliers. They represent low hanging fruit for hackers, as many organizations have not invested in operationalizing security breach detection. As this new reality takes hold in the marketplace, many will be tempted to invest in new technology tools to plug the perceived security hole and move on with their current activities. However, this approach is doomed to fail. Security is not a "set it and forget it" type of thing. Defending an organization from a breach requires a careful balance of tools and operational practices -- operational practices being the more important element.
  • The SIM Hijackers

    By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.

GNU/Linux Desktops/Laptops and Windows Spying

  • Changes [Pop!_OS]

    For the last 12 years, my main development machine has been a Mac. As of last week, it’s a Dell XPS 13 running Pop!_OS 18.04.

    [...]

    Take note: this is the first operating system I’ve used that is simpler, more elegant, and does certain things better than macOS.

  • System76 Opens Manufacturing Facility to Build Linux Laptops
    As it turns out, System76 is making the transition from a Linux-based computer seller, into a complete Linux-based computer manufacturer. The Twitter photos are from their new manufacturing facility. This means that System76 will no longer be slapping their logo on other company’s laptops and shipping them out, but making their own in-house laptops for consumers.
  • Extension adding Windows Timeline support to third-party browsers should have raised more privacy questions
    Windows Timeline is a unified activity history explorer that received a prominent placement next to the Start menu button in Windows 10 earlier this year. You can see all your activities including your web browser history and app activity across all your Windows devices in one place; and pickup and resume activities you were doing on other devices. This is a useful and cool feature, but it’s also a privacy nightmare. You may have read about a cool new browser extension that adds your web browsing history from third-party web browsers — including Firefox, Google Chrome, Vivaldi, and others — to Windows Timeline. The extension attracted some media attention from outlets like MSPoweruser, Neowin, The Verge, and Windows Central.

Public money, public code? FSFE spearheads open-source initiative

Last September, the non-profit Free Software Foundation Europe (FSFE) launched a new campaign that calls for EU-wide legislation that requires publicly financed software developed for the public sector to be made publicly available under a free and open-source software license. According to the ‘Public Money, Public Code’ open letter, free and open-source software in the public sector would enable anyone to “use, study, share, and improve applications used on a daily basis”. The initiative, says the non-profit, would provide safeguards against public sector organizations being locked into services from specific companies that use “restrictive licenses” to hinder competition. The FSFE also says the open-source model would help improve security in the public sector, as it would allow backdoors and other vulnerabilities to fixed quickly, without depending on one single service provider. Since its launch, the Public Money, Public Code initiative has gained the support of 150 organizations, including WordPress Foundation, Wikimedia Foundation, and Tor, along with nearly 18,000 individuals. With the initiative now approaching its first anniversary, The Daily Swig caught up with FSFE spokesperson Paul Brown, who discussed the campaign’s progress. Read more