Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Red Hat Looks Beyond Docker for Container Technology

Filed under
Server
Security

While Docker Inc and its eponymous container engine helped to create the modern container approach, Red Hat has multiple efforts of its own that it is now actively developing.

The core component for containers is the runtime engine, which for Docker is the Docker Engine which is now based on the Docker-led containerd project that is hosted at the Cloud Native Computing Foundation (CNCF). Red Hat has built its own container engine called CRI-O, which hit its 1.0 release back in October 2017.

For building images, Red Hat has a project called Buildah, which reached its 1.0 milestone on June 6.

Read more

Containers: The Update Framework (TUF), Nabla, and Kubernetes 1.11 Release

Filed under
Server
Security
  • How The Update Framework Improves Software Distribution Security

    In recent years that there been multiple cyber-attacks that compromised a software developer's network to enable the delivery of malware inside of software updates. That's a situation that Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve.

    Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates and has implementations that are being purpose-built to help secure automotive software as well.

  • IBM's new Nabla containers are designed for security first

    Companies love containers because they enable them to run more jobs on servers. But businesses also hate containers, because they fear they're less secure than virtual machines (VM)s. IBM thinks it has an answer to that: Nabla containers, which are more secure by design than rival container concepts.

    James Bottomley, an IBM Research distinguished engineer and top Linux kernel developer, first outlines that there are two kind of fundamental kinds of container and virtual machine (VM) security problems. These are described as Vertical Attack Profile (VAP) and Horizontal Attack Profile (HAP).

  • [Podcast] PodCTL #42 – Kubernetes 1.11 Released

    Like clockwork, the Kubernetes community continues to release quarterly updates to the rapidly expanding project. With the 1.11 release, we see a number of new capabilities being added across a number of different domains – infrastructure services, scheduling services, routing services, storage services, and broader CRD versioning capabilities that will improve the ability to not only deploy Operators for the platform and applications. Links for all these new features, as well as in-depth blog posts from Red Hat and the Kubernetes community are included in the show notes.

    As always, it’s important to remember that not every new feature being released is considered “General Availability”, so be sure to check the detailed release notes before considering the use of any feature in a production or high-availability environment.

Security: Containers, Tron, Back Doors, GandCrab, Bastille Day

Filed under
Security
  • A New Method of Containment: IBM Nabla Containers

    In the previous post about Containers and Cloud Security, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk.  However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies.  For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors.  For the impatient, the full open source release of the Nabla Containers technology is here and here, but for the more patient, let me explain what we did and why.  We’ll have a follow on post about the measurement methodology for the HAP and how we proved better containment than even hypervisor solutions.

    [...]

    Like most sandbox models, the Nabla containers approach is an alternative to namespacing for containment, but it still requires cgroups for resource management.  The figures show that the containment HAP is actually better than that achieved with a hypervisor and the performance, while being marginally less than a namespaced container, is greater than that obtained by running a container inside a hypervisor.  Thus we conclude that for tenants who have a real need for HAP reduction, this is a viable technology.

  • Measuring the Horizontal Attack Profile of Nabla Containers
  • Tron (TRX) Gives $25,000 to 5 Developers Who Spotted Bugs in Open-Source Code

    Just a couple of days ago, Binance – a very popular digital currency trading platform – credited the Binance account of thirty-one selected Tron (TRX) traders with five million TRX tokens. Recently, the Tron Foundation has also announced it gave away $25k to five developers that are actively working to redefine the community of Tron.

  • Open Source Security Podcast: Episode 105 - More backdoors in open source
  • GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader [Ed: Microsoft's collaboration with the NSA on back doors is a gift to keeps giving.... to crackers.]
  • Rewritten GandCrab Ransomware Targets SMB Vulnerabilities To Attack Faster

    GandCrab ransomware, which has created a hullabaloo in the cybersecurity industry by constantly evolving, has yet again caused a commotion. The latest version of the ransomware attacks system using SMB exploit spreader via compromised websites. The ransomware is adding new features every day to target different countries.

    The attackers behind the ransomware are scanning the whole internet to find the vulnerable websites to unleash the attack. The latest version features a long hard-coded list of websites that were compromised and were used to connect with it.

  • France’s cyber command marched in Paris’s Bastille Day Parade for the first time

     

    For the first time, France’s military cyber command marched in this year’s Bastille Day parade on the Champs Elysees in Paris, alongside other units in the nation’s armed forces. The military noted that it’s a recognition of the advances that the unit has made since its formation last year, and reinforces that “cyber defense remains a national priority.”
     

    French defense minister Jean-Yves Le Drian announced the formation of COMCYBER in December 2016, noting that the emergence of state actors operating in cyberspace was a new way to approach warfare. The command brought all of the nation’s soldiers focused on cyber defense under one command, with three main tasks: cyber intelligence, protection, and offense.  

  • Should I let my staff choose their own kit and, if so, how?

Security Leftovers

Filed under
Security
  • Data breaches show we’re only three clicks away from anarchy

    An IT glitch afflicting BP petrol stations for three hours last Sunday evening might not sound like headline news. A ten-hour meltdown of Visa card payment systems in June was a bigger story — as was the notorious TSB computer upgrade cock-up that started on 20 April, which was still afflicting customers a month later and was reported this week to be causing ruptures between TSB and its Spanish parent Sabadell.

    Meanwhile, what do Fortnum & Mason, Dixons Carphone, Costa Coffee and its sister company Premier Inn have in common with various parts of the NHS? The answer is that they have all suffered recent large-scale ‘data breaches’ that may have put private individuals’ information at risk. IT Governance, a blog that monitors international news stories in this sphere, came up with a global figure of 145 million ‘records leaked’ last month alone. Such leaks are daily events everywhere — and a lesson of the TSB story was that cyber fraudsters are waiting to attack wherever private data becomes accessible, whether because of computer breakdown or lax data protection.

  • UK security researcher Hutchins makes renewed bid for freedom

    British security researcher Marcus Hutchins, who was arrested by the FBI last August over alleged charges of creating and distributing a banking trojan, has made a fresh bid to go free, claiming that the US has no territorial jurisdiction to file charges against him for alleged crimes committed elsewhere.

  • Common Ground: For Secure Elections and True National Security

    An open letter by Gloria Steinem, Noam Chomsky, John Dean, Governor Bill Richardson, Walter Mosley, Michael Moore, Valerie Plame, and others.

Containers or virtual machines: ​Which is more secure? The answer will surprise you

Filed under
Server
Security

Are virtual machines (VM) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs.

James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created Horizontal Attack Profile (HAP), designed to describe system security in a way that it can be objectively measured. Bottomley has discovered that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."

Read more

Red Hat Enterprise Linux 6 & CentOS 6 Patched Against Spectre V4, Lazy FPU Flaws

Filed under
Red Hat
Security

Users of the Red Hat Enterprise Linux 6 and CentOS Linux 6 operating system series received important kernel security updates that patch some recently discovered vulnerabilities.

Now that Red Hat Enterprise Linux 7 and CentOS Linux 7 operating system series were patched against the Spectre Variant 4 (CVE-2018-3639) security vulnerability, as well as the Lazy FPU State Save/Restore CPU flaw, it's time for Red Hat Enterprise Linux 6 and CentOS Linux 6 to receive these important security updates, which users can now install them on their computers.

Read more

Nintendo Found a Way to Patch an Unpatchable Coldboot Exploit in Nintendo Switch

Filed under
Security
Gadgets

If you plan on buying a Nintendo Switch gaming console to run Linux on it using the "unpatchable" exploit publicly disclosed a few months ago, think again because Nintendo reportedly fixed the security hole.

Not long ago, a team of hackers calling themselves ReSwitched publicly disclosed a security vulnerability in the Nvidia Tegra X1 chip, which they called Fusée Gelée and could allow anyone to hack a Nintendo Switch gaming console to install a Linux-based operating system and run homebrew code and apps using a simple trick.

Read more

Security Leftovers

Filed under
Security

Debian GNU/Linux 9.5 "Stretch" Is Now Available with 100 Security Updates

Filed under
Security
Debian

Coming four months after the previous point release, Debian GNU/Linux 9.5 "Stretch" includes a total of 100 security update and 91 miscellaneous bugfixes for various core components and applications. However, this remains a point release and doesn't represent a new version of the Debian GNU/Linux 9 "Stretch" operating system series, which continues to be updated every day.

"This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included," reads today's announcement.

Read more

Also: Debian 9.5 Released With Security Fixes, Updated Intel Microcode For Spectre V2

Updated Debian 9: 9.5 released

Syndicate content