
Security

Security Leftovers

Filed under
Security

Red Hat Looks Beyond Docker for Container Technology

Filed under
Server
Security

While Docker Inc and its eponymous container engine helped to create the modern container approach, Red Hat has multiple efforts of its own that it is now actively developing.

The core component for containers is the runtime engine, which for Docker is the Docker Engine which is now based on the Docker-led containerd project that is hosted at the Cloud Native Computing Foundation (CNCF). Red Hat has built its own container engine called CRI-O, which hit its 1.0 release back in October 2017.

For building images, Red Hat has a project called Buildah, which reached its 1.0 milestone on June 6.


Containers: The Update Framework (TUF), Nabla, and Kubernetes 1.11 Release

Filed under
Server
Security
  • How The Update Framework Improves Software Distribution Security

    In recent years there have been multiple cyber-attacks that compromised a software developer's network to enable the delivery of malware inside of software updates. That's a situation that Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve.

    Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates and has implementations that are being purpose-built to help secure automotive software as well.

  • IBM's new Nabla containers are designed for security first

    Companies love containers because they enable them to run more jobs on servers. But businesses also hate containers, because they fear they're less secure than virtual machines (VMs). IBM thinks it has an answer to that: Nabla containers, which are more secure by design than rival container concepts.

    James Bottomley, an IBM Research distinguished engineer and top Linux kernel developer, first outlines that there are two fundamental kinds of container and virtual machine (VM) security problems. These are described as Vertical Attack Profile (VAP) and Horizontal Attack Profile (HAP).

  • [Podcast] PodCTL #42 – Kubernetes 1.11 Released

    Like clockwork, the Kubernetes community continues to release quarterly updates to the rapidly expanding project. With the 1.11 release, we see a number of new capabilities being added across a number of different domains – infrastructure services, scheduling services, routing services, storage services, and broader CRD versioning capabilities that will improve the ability to deploy Operators for the platform and applications. Links for all these new features, as well as in-depth blog posts from Red Hat and the Kubernetes community, are included in the show notes.

    As always, it’s important to remember that not every new feature being released is considered “General Availability”, so be sure to check the detailed release notes before considering the use of any feature in a production or high-availability environment.

Security: Containers, Tron, Back Doors, GandCrab, Bastille Day

Filed under
Security
  • A New Method of Containment: IBM Nabla Containers

    In the previous post about Containers and Cloud Security, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk. However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies. For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors. For the impatient, the full open source release of the Nabla Containers technology is here and here, but for the more patient, let me explain what we did and why. We'll have a follow-on post about the measurement methodology for the HAP and how we proved better containment than even hypervisor solutions.

    [...]

    Like most sandbox models, the Nabla containers approach is an alternative to namespacing for containment, but it still requires cgroups for resource management. The figures show that the containment HAP is actually better than that achieved with a hypervisor and the performance, while being marginally less than a namespaced container, is greater than that obtained by running a container inside a hypervisor. Thus we conclude that for tenants who have a real need for HAP reduction, this is a viable technology.

  • Measuring the Horizontal Attack Profile of Nabla Containers
  • Tron (TRX) Gives $25,000 to 5 Developers Who Spotted Bugs in Open-Source Code

    Just a couple of days ago, Binance – a very popular digital currency trading platform – credited the Binance account of thirty-one selected Tron (TRX) traders with five million TRX tokens. Recently, the Tron Foundation has also announced it gave away $25k to five developers that are actively working to redefine the community of Tron.

  • Open Source Security Podcast: Episode 105 - More backdoors in open source
  • GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader [Ed: Microsoft's collaboration with the NSA on back doors is a gift that keeps giving.... to crackers.]
  • Rewritten GandCrab Ransomware Targets SMB Vulnerabilities To Attack Faster

    GandCrab ransomware, which has created a hullabaloo in the cybersecurity industry by constantly evolving, has yet again caused a commotion. The latest version of the ransomware attacks systems using an SMB exploit spreader delivered via compromised websites. The ransomware is adding new features every day to target different countries.

    The attackers behind the ransomware are scanning the whole internet to find vulnerable websites from which to unleash the attack. The latest version features a long hard-coded list of websites that were compromised and used to connect with it.

  • France’s cyber command marched in Paris’s Bastille Day Parade for the first time

    For the first time, France's military cyber command marched in this year's Bastille Day parade on the Champs Elysees in Paris, alongside other units in the nation's armed forces. The military noted that it's a recognition of the advances that the unit has made since its formation last year, and reinforces that "cyber defense remains a national priority."

    French defense minister Jean-Yves Le Drian announced the formation of COMCYBER in December 2016, noting that the emergence of state actors operating in cyberspace was a new way to approach warfare. The command brought all of the nation's soldiers focused on cyber defense under one command, with three main tasks: cyber intelligence, protection, and offense.

  • Should I let my staff choose their own kit and, if so, how?

Security Leftovers

Filed under
Security
  • Data breaches show we’re only three clicks away from anarchy

    An IT glitch afflicting BP petrol stations for three hours last Sunday evening might not sound like headline news. A ten-hour meltdown of Visa card payment systems in June was a bigger story — as was the notorious TSB computer upgrade cock-up that started on 20 April, which was still afflicting customers a month later and was reported this week to be causing ruptures between TSB and its Spanish parent Sabadell.

    Meanwhile, what do Fortnum & Mason, Dixons Carphone, Costa Coffee and its sister company Premier Inn have in common with various parts of the NHS? The answer is that they have all suffered recent large-scale ‘data breaches’ that may have put private individuals’ information at risk. IT Governance, a blog that monitors international news stories in this sphere, came up with a global figure of 145 million ‘records leaked’ last month alone. Such leaks are daily events everywhere — and a lesson of the TSB story was that cyber fraudsters are waiting to attack wherever private data becomes accessible, whether because of computer breakdown or lax data protection.

  • UK security researcher Hutchins makes renewed bid for freedom

    British security researcher Marcus Hutchins, who was arrested by the FBI last August over alleged charges of creating and distributing a banking trojan, has made a fresh bid to go free, claiming that the US has no territorial jurisdiction to file charges against him for alleged crimes committed elsewhere.

  • Common Ground: For Secure Elections and True National Security

    An open letter by Gloria Steinem, Noam Chomsky, John Dean, Governor Bill Richardson, Walter Mosley, Michael Moore, Valerie Plame, and others.

Containers or virtual machines: Which is more secure? The answer will surprise you

Filed under
Server
Security

Are virtual machines (VM) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs.

James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created Horizontal Attack Profile (HAP), designed to describe system security in a way that it can be objectively measured. Bottomley has discovered that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."
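The excerpt above rests on one concrete control: a seccomp profile that denies every system call the workload does not need. As an added illustration that is not part of the original article or of Docker's own default profile, the following is an allowlist-style Docker seccomp profile in the format Docker reads with `--security-opt seccomp=<file>`. The syscall names listed are an assumed, constructed set for a minimal static binary; a real profile must be derived from observing the actual workload (for example by tracing it under `strace`), because a call that is missing from the list fails with `EPERM` rather than being silently allowed.

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": [
        "read", "write", "close", "fstat",
        "brk", "mmap", "munmap", "mprotect",
        "arch_prctl", "futex", "rt_sigaction", "rt_sigreturn",
        "exit", "exit_group"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
```

The security-relevant choice is `defaultAction`: `SCMP_ACT_ERRNO` makes the allowlist the only path into the kernel, which is what reduces the Horizontal Attack Profile, whereas a profile whose default is `SCMP_ACT_ALLOW` with a short denylist only removes the calls someone thought of. When testing a new profile, run the workload with `docker run --security-opt seccomp=profile.json <image>` and watch for `EPERM` failures; each one is either a call to add to the list or a behaviour the container should not have.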


Red Hat Enterprise Linux 6 & CentOS 6 Patched Against Spectre V4, Lazy FPU Flaws

Filed under
Red Hat
Security

Users of the Red Hat Enterprise Linux 6 and CentOS Linux 6 operating system series received important kernel security updates that patch some recently discovered vulnerabilities.

Now that the Red Hat Enterprise Linux 7 and CentOS Linux 7 operating system series have been patched against the Spectre Variant 4 (CVE-2018-3639) security vulnerability, as well as the Lazy FPU State Save/Restore CPU flaw, it's time for Red Hat Enterprise Linux 6 and CentOS Linux 6 to receive these important security updates, which users can now install on their computers.


Nintendo Found a Way to Patch an Unpatchable Coldboot Exploit in Nintendo Switch

Filed under
Security
Gadgets

If you plan on buying a Nintendo Switch gaming console to run Linux on it using the "unpatchable" exploit publicly disclosed a few months ago, think again because Nintendo reportedly fixed the security hole.

Not long ago, a team of hackers calling themselves ReSwitched publicly disclosed a security vulnerability in the Nvidia Tegra X1 chip, which they called Fusée Gelée and which could allow anyone to hack a Nintendo Switch gaming console to install a Linux-based operating system and run homebrew code and apps using a simple trick.


Security Leftovers

Filed under
Security

Debian GNU/Linux 9.5 "Stretch" Is Now Available with 100 Security Updates

Filed under
Security
Debian

Coming four months after the previous point release, Debian GNU/Linux 9.5 "Stretch" includes a total of 100 security updates and 91 miscellaneous bugfixes for various core components and applications. However, this remains a point release and doesn't represent a new version of the Debian GNU/Linux 9 "Stretch" operating system series, which continues to be updated every day.

"This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included," reads today's announcement.


Also: Debian 9.5 Released With Security Fixes, Updated Intel Microcode For Spectre V2

Updated Debian 9: 9.5 released


More in Tux Machines

You Can Now Install Android 8.1 Oreo on Your Raspberry Pi 3 Model B+ Computer

Just two weeks after releasing the first build of his RaspAnd operating system based on Google's Android 8.1 Oreo mobile OS, Arne Exton today announced a new version with support for the Raspberry Pi 3 Model B+ computer. RaspAnd Oreo 8.1 Build 180717 is basically identical to RaspAnd Oreo 8.1 Build 180707 except for the fact that it now also supports the latest Raspberry Pi 3 single-board computer, the Raspberry Pi 3 Model B+, which features a more powerful 1.4GHz 64-bit quad-core processor, dual-band Wi-Fi, Bluetooth LE 4.2, faster Ethernet, and Power-over-Ethernet support.

Linux Foundation and Linux Development

  • Linux Foundation launches LF Energy open source platform
    Launched with support from Europe's biggest transmission power systems provider and other organizations, LF Energy aims to streamline everything from system operator smart assistants to smart grid control software. It will serve as an umbrella organization that supports collaboration among vendors in the energy sector to advance information and communication technologies (ICT) that impact the energy balance and bring about economic value.
  • FPGA Device Feature List Framework Coming For Linux 4.19
    There's already a new framework coming to Linux 4.19 in the form of Google's Gasket while queued this week is now another new framework: the FPGA Device Feature List.
  • AMDGPU Firmware Updated From 18.20, Vega M Blobs Added
    The latest AMDGPU firmware/microcode binary images for Radeon GPUs have landed in the Linux-Firmware Git tree. Hitting linux-firmware.git minutes ago was the latest batch of AMDGPU firmware files from Bonaire and Hawaii up through Vega 10, Polaris, and Raven hardware. The updated firmware images are the same as what AMD recently shipped with the Radeon Software 18.20 hybrid driver package. No change-logs of what is different about these updated firmware images are currently available, but most of the time it's mostly routine and mundane fixes/updates.
  • Nvidia 390.77 Linux Graphics Driver Improves Compatibility with Latest Kernels
    Nvidia released a new version of its long-lived proprietary display driver for GNU/Linux, FreeBSD, and Solaris systems to add compatibility with recent Linux kernels and fix various bugs. While not a major release, the Nvidia 390.77 proprietary graphics driver brings better compatibility with the latest Linux kernels. However, Nvidia didn't mention if it's now possible to compile its proprietary display drivers with the upcoming Linux 4.18 kernel series or just with the recent Linux 4.17 point releases. In addition to improving compatibility with recent Linux kernels, the Nvidia 390.77 proprietary display driver for Linux-based operating systems addresses a random hang issue that could occur for some users when running Vulkan apps in full-screen mode and flipping was allowed.

today's howtos

Ballerina reinvents cloud-native programming

Ballerina has been inspired by Java, Go, C, C++, Rust, Haskell, Kotlin, Dart, TypeScript, JavaScript, Swift, and other languages. It is an open source project, distributed under the Apache 2.0 license, and you can find its source code in the project's GitHub repository.