
Security: 17 Things

A list for protecting yourself and others from the most common and easiest-to-pull-off security crimes.

I spend a lot of time giving information security advice, such as why RMF (Risk Management Framework) is too top-heavy for implementing risk management practices in small or R&D-focused organizations, what the right Apache SSL settings really are or how static analysis can help improve C code. What I'm asked for the most though isn't any of those things; it's the everyday stuff that even non-technical people can do to protect themselves from the looming but nebulous threat of an information security accident.

Security: CPU Patches, PostgreSQL, Apple 'Back Door'

  • Canonical Releases Spectre/Meltdown Patches for Ubuntu 17.10 for Raspberry Pi 2

    Canonical published two security advisories on Thursday to announce the availability of Spectre mitigations for the ARM64 (AArch64) hardware architecture on its Ubuntu 17.10 and Ubuntu 16.04.4 LTS systems.

    In January, Canonical released several kernel updates for Ubuntu 17.10 (Artful Aardvark) and other supported Ubuntu releases with software mitigations against the Spectre and Meltdown security vulnerabilities. These patches were first released for 64-bit (amd64) architectures, and then for 32-bit (i386), PPC64el, and s390x systems.

    Today, the company announced the availability of new kernel updates that address both the Meltdown and Spectre security vulnerabilities for the ARM64 (AArch64) hardware architecture, patching the Raspberry Pi 2 kernel for Ubuntu 17.10, as well as its derivatives.

  • Oracle Patches Spectre for Red Hat

    The Red Hat community has patiently awaited a retpoline kernel implementation that remediates CVE-2017-5715 (Spectre v2) and closes all Meltdown and Spectre vulnerabilities that have captured headlines this year.

    Red Hat's initial fixes rely upon microcode updates for v2 remediation, a decision that leaves the vast majority of AMD64-capable processors in an exploitable state. Intel's new microcode has proven especially problematic; it performs badly and the January 2018 versions were plagued with stability issues that crashed many systems. It is a poor solution to a pressing problem.

  • Meet the Scarlett Johansson PostgreSQL malware attack

    It's not the first time an image has been used to give a victim malware, but it may be the first time it's been used so narrowly. According to the security firm Imperva, their StickyDB database management system (DBMS) honeypot has uncovered an attack that places malware, which cryptomines Monero, on PostgreSQL DBMS servers. Its attack vector? An image of Hollywood star Scarlett Johansson.

    Now, you might ask, "How many PostgreSQL DBMS servers are out there on the internet to be attacked?" The answer: "More than you'd expect." A Shodan search revealed almost 710,000 PostgreSQL servers ready to be hacked. It appears there are so many of them because it's way too easy, especially on Amazon Web Services (AWS), to set up PostgreSQL servers without security.

  • This Black Box Can ‘Unlock Your iPhone’ For Cops; Images Leaked

    The debate whether law enforcement agencies should be given exclusive access to iOS-powered Apple devices started when the FBI was unable to unlock San Bernardino shooter’s iPhone. Eventually, FBI found other ways to get inside Apple’s secured digital fortress, through an Israel-based company called Cellebrite.

    In the latest news, we have come across a new iPhone unlocking device called GrayKey that can be used by law enforcement guys to harvest the passcode of an iPhone and other iOS-powered devices such as iPads and iPods.

Security: HIPAA, Updates, Let’s Encrypt

Security: Torvalds Rant Over AMD Flaws/Report, Intel Microcode Updates, Yahoo and Kubernetes

  • Linus Torvalds Roasts CTS Labs After They Exposed AMD Chip Vulnerabilities

    Just a couple of days back, CTS researchers exposed more than a dozen ‘critical’ vulnerabilities in AMD chips marketed under the brand names Ryzen and Epyc. The company also claimed that a backdoor exists in AMD processors. Their revelation came with a well-decorated website, a whitepaper, and a video.

  • Torvalds wades into CTS Labs' AMD chip security report
  • Linus Torvalds casts shade on CTS Labs' AMD CPU flaw security report
  • Intel Rolls Out Updated, Post-Spectre CPU Microcode (20180312)

    Intel has published the Intel Processor Microcode Package for Linux 20180312 release with the latest improvements around the microcode-based approach for Spectre CPU vulnerability mitigation, succeeding their microcode updates from earlier in the year.

  • Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts

    A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in "unending" efforts to thwart attacks, but apparently it just wasn't good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

  • 3 best practices for securing Kubernetes environments

    The Kubernetes orchestration platform is such a gigantic open source project that its evolution is inherently rapid. The pace of change significantly increases the importance of adhering to security best practices when using the ever-changing Kubernetes platform to automate deployment, scaling, and management of containerized cloud-native applications.

    Ultimately, effective security also supports the entire Kubernetes project, since the technology's overall adoption depends on the confidence and trust that Kubernetes earns and establishes. That said, standard security procedures and practices that work well in traditional environments are often inadequate for securing Kubernetes environments, where traffic is vastly more dynamic, and where there must be security in place around the pods, containers, nodes, and images.

Linus Torvalds slams CTS Labs over AMD vulnerability report

CTS Labs, a heretofore unknown Tel Aviv-based cybersecurity startup, has claimed it's found over a dozen security problems with AMD Ryzen and EPYC processors. Linus Torvalds, Linux's creator, doesn't buy it.

Security: AMD, Updates, Reproducible Builds and More

  • Israeli firm dumps AMD flaws with 24 hours notice

    Security researchers from a previously unknown Israeli company, CTS Labs, have disclosed 13 flaws in AMD processors. All can be taken advantage of only by an attacker who has already gained admin privileges within the system in question.

  • “Backdoor” Found In AMD CPUs, Researchers Discover 13 Critical Vulnerabilities In RYZEN And EPYC
  • Security updates for Wednesday
  • Reproducible Builds: Weekly report #150
  • ACME v2 and Wildcard Certificate Support is Live

    We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.

    ACMEv2 is an updated version of our ACME protocol which has gone through the IETF standards process, taking into account feedback from industry experts and other organizations that might want to use the ACME protocol for certificate issuance and management some day.

    Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS. We still recommend non-wildcard certificates for most use cases.

  • Samba critical flaws: Patch now but older open instances have 'far worse issues'
  • An overview of online ad fraud

    I have researched various aspects of the online advertisement industry for a while, and one of the fascinating topics that I have come across which I didn’t know too much about before is ad fraud. You may have heard that this is a huge problem as this topic hits the news often, and after learning more about it, I think of it as one of the major threats to the health of the Web, so it’s important for us to be more familiar with the problem.

    People have done a lot of research on the topic but most of the material uses the jargon of the ad industry so they may be inaccessible to those who aren’t familiar with it (I’m learning my way through it myself!) and also you’d need to study a lot to put a broad picture of what’s wrong together, so I decided to summarize what I have learned so far, expressed in simple terms avoiding jargon, in the hopes that it’s helpful. Needless to say, none of this should be taken as official Mozilla policy, but rather this is a hopefully objective summary plus some of my opinions after doing this research at the end.

Security: AMD and Samba Flaws

IPFire 2.19 - Core Update 119 released

This is the release announcement for IPFire 2.19 – Core Update 119. It updates the toolchain of the distribution and fixes a number of smaller bug and security issues. Therefore this update is another one of a series of general housekeeping updates to make IPFire better, faster and of course more secure!

Also: NuTyX 10.1 available with cards 2.4.0

Security Leftovers

  • Hidden For 6 Years, ‘Slingshot’ Malware Hacks Your PC Through Your Router
  • Security updates for Tuesday
  • Microsoft Admits It Incorrectly Upgraded Some Windows 10 Users to v1709 [Ed: Windows Update is technically (not a joke) a botnet. It takes over people's PCs and hands them over for Microsoft to use up their CPU and bandwidth. Microsoft has ignored users' "update" settings since at least Windows XP days.]

    Microsoft admitted last week that it incorrectly updated some Windows 10 users to the latest version of the Windows 10 operating system —version 1709— despite users having specifically paused update operations in their OS settings.

    The admission came in a knowledge base article updated last week. Not all users of older Windows versions were forcibly updated, but only those of Windows 10 v1703 (Creators Update).

    This is the version where Microsoft added special controls to the Windows Update setting section that allow users to pause OS updates in case they have driver or other hardware issues with the latest OS version.

  • We Still Need More HTTPS: Government Middleboxes Caught Injecting Spyware, Ads, and Cryptocurrency Miners

    Last week, researchers at Citizen Lab discovered that Sandvine's PacketLogic devices were being used to hijack users' unencrypted internet connections, making yet another case for encrypting the web with HTTPS. In Turkey and Syria, users who were trying to download legitimate applications were instead served malicious software intending to spy on them. In Egypt, these devices injected money-making content into users' web traffic, including advertisements and cryptocurrency mining scripts.

    These are all standard machine-in-the-middle attacks, where a computer on the path between your browser and a legitimate web server is able to intercept and modify your traffic data. This can happen if your web connections use HTTP, since data sent over HTTP is unencrypted and can be modified or read by anyone on the network.

    The Sandvine middleboxes were doing exactly this. On Türk Telekom’s network, it was reported that when a user attempted to download legitimate applications over HTTP, these devices injected fake "redirect" messages which caused the user’s browser to fetch the file from a different, malicious, site. Users downloading common applications like Avast Antivirus, 7-Zip, Opera, CCleaner, and programs from had their downloads silently redirected. Telecom Egypt’s Sandvine devices, Citizen Lab noted, were using similar methods to inject money-making content into HTTP connections, by redirecting existing ad links to affiliate advertisements and legitimate javascript files to cryptocurrency mining scripts.

  • Let’s Encrypt takes free “wildcard” certificates live
  • GuardiCore Upgrades Infection Monkey Open Source Cyber Security Testing Tool
  • A Guide To Securing Docker and Kubernetes Containers With a Firewall
  • How IBM Helps Organizations to Improve Security with Incident Response

    Protecting organizations against cyber-security threats isn't just about prevention, it's also about incident response. There are many different organizations that provide these security capabilities, including IBM X-Force Incident Response and Intelligence Services (IRIS), which is led by Wendi Whitmore.

    In the attached video interview Whitmore explains how incident response works and how she helps organizations to define a winning strategy. Succeeding at incident response, in Whitmore's view, shouldn't be focused just on prevention but on building a resilient environment.

Security: Slingshot, Symantec Certification Authorities, and DDoS Defense

  • Potent malware that hid for six years spread through routers

    Slingshot—which gets its name from text found inside some of the recovered malware samples—is among the most advanced attack platforms ever discovered, which means it was likely developed on behalf of a well-resourced country, researchers with Moscow-based Kaspersky Lab reported Friday. The sophistication of the malware rivals that of Regin—the advanced backdoor that infected Belgian telecom Belgacom and other high-profile targets for years—and Project Sauron, a separate piece of malware suspected of being developed by a nation-state that also remained hidden for years.

  • Distrust of Symantec TLS Certificates

    A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The discussion resulted in the adoption of a consensus proposal to gradually remove trust in all Symantec TLS/SSL certificates from Firefox. The proposal includes a number of phases designed to minimize the impact of the change to Firefox users:

  • How Creative DDOS Attacks Still Slip Past Defenses

    Distributed denial of service attacks, in which hackers use a targeted hose of junk traffic to overwhelm a service or take a server offline, have been a digital menace for decades. But in just the last 18 months, the public picture of DDoS defense has evolved rapidly. In fall 2016, a rash of then-unprecedented attacks caused internet outages and other service disruptions at a series of internet infrastructure and telecom companies around the world. Those attacks walloped their victims with floods of malicious data measured up to 1.2 Tbps. And they gave the impression that massive, "volumetric" DDOS attacks can be nearly impossible to defend against.

More in Tux Machines

OSS Leftovers

  • What Is Fuchsia, Google’s New Operating System?
    Fuchsia first popped up on the tech world’s radar in mid-2016, when an unannounced open source project from Google appeared on the GitHub repository. According to initial inspection by the technology press, it was designed to be a “universal” operating system, capable of running on everything from low-power smartwatches to powerful desktops. That potentially includes phones, tablets, laptops, car electronics, connected appliances, smarthome hardware, and more.
  • Google created an AI-based, open source music synthesizer
    Move over musicians, AI is here. Google's 'NSynth' neural network is designed to take existing sounds and combine them using a complex, machine learning algorithm. The result? Thousands of new musical sounds, and an instrument you can play them on.
  • March Add(on)ness: uBlock (1) vs Kimetrack (4)
  • TenFourFox FPR6 SPR1 coming
    Stand by for FPR6 Security Parity Release 1 due to the usual turmoil following Pwn2Own, in which the mighty typically fall and this year Firefox did. We track these advisories and always plan to have a patched build of TenFourFox ready and parallel with Mozilla's official chemspill release; I have already backported the patch and tested it internally.
  • GCC 8 Compiler Offering More Helpful Debug Messages, Usability Improvements
    Red Hat's David Malcom has outlined some of the usability improvements coming with the imminent release of GCC 8.
  • Friday Free Software Directory IRC meetup time changed: March 16th starting at 12:00 p.m. EDT/16:00 UTC
  • Your guide to LibrePlanet 2018, wherever you are, March 24-25
    The free software community encompasses the globe, and we strive to make the LibrePlanet conference reflect that. That's why we livestream the proceedings of the conference, and encourage you to participate remotely by both watching and participating in the discussion via IRC.
  • Open Source Advocate Dr. Joshua Pearce Publishes Paper on Inexpensive GMAW Metal 3D Printing
    One of the most outspoken advocates of open source philosophy in the 3D printing industry is Dr. Joshua M. Pearce, Associate Professor, Materials Science & Engineering and Electrical & Computer Engineering for Michigan Technological University (Michigan Tech).
  • ONF Launches Stratum Open-Source SDN Project
    The growing adoption of software-defined networking over the past several years has given a boost to makers of networking white boxes. The separation of the network operating system, control plane and network tasks from the underlying proprietary hardware meant that organizations could run that software on white-box switches and servers that are less expensive than those systems from the likes of Cisco Systems, Juniper Networks, Dell EMC and Hewlett Packard Enterprise. Network virtualization technologies such as software-defined networking (SDN) and network-functions virtualization (NFV) have proven to be a particular boon for hyperscale cloud providers like Google and Facebook and telecommunications companies like AT&T and Verizon, which are pushing increasingly massive amounts of traffic through their growing infrastructures. Being able to use less expensive and easily manageable white boxes from original design manufacturers (ODMs) has helped these organizations keep costs down even as demand rises.

KDE: Discover, Qt Creator, LibAlkimia

  • This week in Discover, part 10
    This week saw many positive changes for Discover, and I feel that it’s really coming into its own. Discover rumbles inexorably along toward the finish line of becoming the most-loved Linux app store!
  • Qt Creator 4.6 RC & Qt 5.11 Beta 2 Released
    The Qt Company has some new software development releases available in time for weekend testing. First up is the Qt Creator 4.6 Release Candidate. Qt Creator 4.6 has been working on better C++17 feature support, Clang-Tidy and Clazy warnings are now integrated into the diagnostic messages for the C++ editor, new filters, and improvements to the model editor.
  • LibAlkimia 7.0.1 with support for MPIR released
    LibAlkimia is a base library that contains support for financial applications based on the Qt C++ framework. One of its main features is the encapsulation of The GNU Multiple Precision Arithmetic Library (GMP) and so providing a simple object to be used representing monetary values in the form of rational numbers. All the mathematical details are hidden inside the AlkValue object.
  • Last Week's Activity in Elisa and Release Schedule
    Elisa is a music player developed by the KDE community that strives to be simple and nice to use. We also recognize that we need a flexible product to account for the different workflows and use-cases of our users. We focus on a very good integration with the Plasma desktop of the KDE community without compromising the support for other platforms (other Linux desktop environments, Windows and Android). We are creating a reliable product that is a joy to use and respects our users privacy. As such, we will prefer to support online services where users are in control of their data.

SwagArch 18.02 - U Got Swag?

SwagArch sounds like an interesting concept. The aesthetic side of things is reasonable, although brown as a color and a dark theme make for a tricky choice. The fonts are pretty good overall. But the visual element is the least of the distro's problems. SwagArch 18.02 didn't deliver the basics, and that's what made Dedoimedo sad. Network support plus the clock issue, horrible package management and broken programs, those are things that must work perfectly. Without them, the system has no value. So you do get multimedia support and a few unique apps, however that cannot balance out all the woes and problems that I encountered. All in all, Swag needs a lot more work. Also, it will have a tough time competing with Manjaro and Antergos, which are already established and fairly robust Arch spins. Lastly, it needs to narrow down its focus. The overall integration of elements is pretty weak. Eclectic, jumbled, not really tested. 2/10 for now. Let's see how it evolves.

How Open Source Approach is Impacting Science

Dive into the exciting world of Innovative Science to explore and find out about how the Linux-based Operating System and Open Source are playing a significant role in the major scientific breakthroughs that are taking place in our daily lives.