Security

Meltdown and Spectre Linux Kernel Status - Update

Filed under
Linux
Security

I keep getting a lot of private emails about my previous post about the latest status of the Linux kernel patches to resolve both the Meltdown and Spectre issues.

These questions all seem to break down into two different categories, “What is the state of the Spectre kernel patches?”, and “Is my machine vulnerable?”

Security: Spectre and Meltdown, Industrial System Sabotage, VDP, Windows in Healthcare

Filed under
Security
  • Some thoughts on Spectre and Meltdown

    Contrast that with what happened this time around. Google discovered a problem and reported it to Intel, AMD, and ARM on June 1st. Did they then go around contacting all of the operating systems which would need to work on fixes for this? Not even close. FreeBSD was notified the week before Christmas, over six months after the vulnerabilities were discovered. Now, FreeBSD can occasionally respond very quickly to security vulnerabilities, even when they arise at inconvenient times — on November 30th 2009 a vulnerability was reported at 22:12 UTC, and on December 1st I provided a patch at 01:20 UTC, barely over 3 hours later — but that was an extremely simple bug which needed only a few lines of code to fix; the Spectre and Meltdown issues are orders of magnitude more complex.  

  • Menacing Malware Shows the Dangers of Industrial System Sabotage

    At the S4 security conference on Thursday, researchers from the industrial control company Schneider Electric, whose equipment Triton targeted, presented deep analysis of the malware—only the third recorded cyberattack against industrial equipment. Hackers [sic] were initially able to introduce malware into the plant because of flaws in its security procedures that allowed access to some of its stations, as well as its safety control network.

  • 25 per cent of hackers don't report bugs due to lack of disclosure policies

    One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).

  • 'Professional' hack [sic] on Norwegian health authority compromises data of three million patients [iophk: "Windows TCO"]

Security: Updates, Secure Contexts, EFF, Google, Fedora

Filed under
Security

Security: Back Doors, Bugs in Chips, Botnets, and Windows in Hospitals

Filed under
Security

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Latvia's e-health system hit by cyberattack from abroad

    Latvia said its new e-health system was on Tuesday hit by a large-scale cyberattack that saw thousands of requests for medical prescriptions pour in per second from more than 20 countries in Africa, the Caribbean and the European Union.

    No data was compromised, according to health officials, who immediately took down the site, which was launched earlier this month to streamline the writing of prescriptions in the Baltic state.

    "It is clear that it was a planned attack, a widespread attack—we might say a specialised one—as it emanated from computers located in various different countries, both inside the European Union and outside Europe," state secretary Aivars Lapins told reporters.

    "We received thousands of requests in a very short space of time. That's not the normal way the system works," he said, adding that an investigation is under way.

  • Linux Lite Developer Creates Automated Spectre/Meltdown Checker for Linux OSes

    The developer of the Ubuntu-based Linux Lite distribution has created a script that makes it easier for Linux users to check if their systems are vulnerable to the Meltdown and Spectre security flaws.

    As we reported last week, developer Stéphane Lesimple created an excellent script that would check if your Linux distribution's kernel is patched against the Meltdown and Spectre security vulnerabilities that were publicly disclosed earlier this month and put billions of devices at risk of attacks.

  • Purism Releases Meltdown and Spectre Patches for Its Librem Linux Laptops

    Purism, the computer technology company behind the privacy-focused, Linux-based Librem laptops and the upcoming smartphone, released patches for the Meltdown and Spectre security vulnerabilities.

    The company was one of the first Linux OEMs and OS vendors to announce that it's working on addressing both the Meltdown and Spectre security exploits on its Linux laptops. Meltdown and Spectre were unearthed in early January and they are two severe hardware bugs that put billions of devices at risk of attacks.

  • Facebook Awards Security Researchers $880,000 in 2017 Bug Bounties

    Facebook is hardly a small organization, with large teams of engineers and security professionals on staff. Yet even Facebook has found that it can profit from expertise outside of the company, which is why the social networking giant has continued to benefit from its bug bounty program.

    In 2017, Facebook paid out $880,000 to security researchers as part of its bug bounty program. The average reward payout in 2017 was $1,900, up from $1,675 in 2016.

  • Multicloud Deployments Create Security Challenges, F5 Report Finds

OSS Leftovers and Security

Filed under
OSS
Security
  • How to get all the benefits of open source software

    Open source software continues its meteoric rise, as more and more large enterprises weave open source code into various areas of their operations, increasingly shunning the big-name, proprietary software vendors.

    In fact, according to open source software development company, Sonatype, represented locally by 9TH BIT Consulting, 7,000 new open source software projects kick-off around the world every week, while 70,000 new open source components are released. Accessing this massive ‘hivemind’ of software development expertise is a highly attractive prospect for CIOs and business managers in all industries.

  • What is open source?

    What is open source software and how do vendors make their money? We answer your questions

    Open source is the foundation of modern technology. Even if you don't know what it is, chances are you've already used it at least once today. Open source technology helped build Android, Firefox, and even the Apache HTTP server, and without it, the internet as we know it would simply not exist.

    The central idea behind open source is a simple one: many hands make light work. In short, the more people you have working on something, the quicker and easier it is to do. As it applies to software development, this means opening projects up to the public to let people freely access, read and modify the source code.

  • Open Source Initiative Announces New Partnership With Adblock Plus

    Adblock Plus, the most popular Internet ad blocker today, joins The Open Source Initiative® (OSI) as corporate sponsors. Since its very first version, Adblock Plus has been an open source project that has developed into a successful business with over 100 million users worldwide. As such, the German company behind it, eyeo GmbH, has decided it is time to give back to the open source community.

    Founded in 1998, the OSI protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure. Adblock Plus is an open source project that aims to rid the Internet of annoying and intrusive online advertising. Its free web browser extensions (add-ons) put users in control by letting them block or filter which ads they want to see.

  • What if Open-Source Software Can Replace Dozens of Multi-Billion Dollar Companies? That is Exactly What Origin Protocol Wants to do Using Blockchain
  • Bonitasoft gets cute on AWS for low-code BPM

    There has been an undeniable popularisation of so-called ‘low-code’ programming platforms.

    This is a strain of technology designed to provide automated blocks of functionality that can be brought together by non-technical staff to perform specific compute and analysis tasks to serve their own business objectives.

  • Red Hat Certification: for developers too!

    Red Hat’s certification program provides validation of IT professionals’ skills and knowledge using our subscription products. Red Hat’s certifications carry credibility in the market because they are all earned by taking one or more hands-on, practical exams that last multiple hours. Like most programs offered by technology vendors, our most familiar certifications are those for system administrators.

  • LXD Weekly Status #30

    The main highlight for this week was the inclusion of the new proxy device in LXD, thanks to the hard work of some University of Texas students!

    The rest of the time was spent fixing a number of bugs, working on various bits of kernel work, getting the upcoming clustering work to go through our CI process and preparing for a number of planning meetings that are going on this week.

  • GitHub Alternative SourceForge Vies for Comeback with Redesigned Site

    SourceForge wants to be more than just another GitHub alternative, but an additional repository for developers to utilize to help gain users.

  • The Clock Is Ticking for Chip Flaw Fixes to Start Working

    Cures for the pervasive Meltdown and Spectre chip flaws aren’t working, and hacks may soon be incoming.

  • Intel: No Financial Meltdown

    Yves here. It is telling that the very measured Bruegel website is pretty bothered that Intel looks likely to get away with relatively little in the way of financial consequences as a result of its Spectre and Meltdown security disasters. This is a marked contrast with Volkswagen, where the company paid huge fines and executives went to jail.

    However, it was the US that went after a foreign national champion. The US-dominated tech press is still frustratingly giving the Intel train wrecks paltry coverage relative to their importance.

  • CIP related work during the second half of 2017

    As you probably know by now, I have been involved in the Civil Infrastructure Project (CIP), a Linux Foundation Initiative formed in 2016, representing Codethink, a founder Member and coordinating the engineering work in two areas within the project:

Security Leftovers

Filed under
Security

Security: Updates, WordPress, Hardware Patches, and Open Source Security Podcast

Filed under
Security
  • Security updates for Tuesday
  • WordPress 4.9.2 Security and Maintenance Release

    WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

    An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

  • Debian-Based SolydXK Linux OS Receives Patch for Meltdown Security Vulnerability

    The Debian-based SolydXK Linux operating system has been updated today with patches for the Meltdown security vulnerability, as well as various other new features and improvements.

    To mitigate the Meltdown security exploit that allows a locally installed program to access the memory, including the kernel memory, and steal sensitive information like passwords and encryption keys, the SolydXK 201801 ISO images are now powered by the latest kernel release with patches against this vulnerability.

  • Chakra GNU/Linux Now Patched Against Meltdown & Spectre Security Vulnerabilities

    It's time for users of the Chakra GNU/Linux operating system to patch their systems against the Meltdown and Spectre security vulnerabilities as new kernel updates landed today in the repos.

    Publicly disclosed earlier this month, the Meltdown and Spectre security vulnerabilities are affecting us all, but OS vendors and OEMs are trying their best to mitigate them so that no user can be the victim of attacks where their sensitive data is at risk of getting in the hands of the wrong person.

  • Open Source Security Podcast: Episode 78 - Risk lessons from Hawaii

Security: Hospital With Windows, Reproducible Builds, Intel, Transmission and More

Filed under
Security
  • Hospital [sic] sent offline as hackers infect systems with ransomware, demand payment [iophk: "Windows"]
  • Reproducible Builds: Weekly report #142
  • Spectre and Meltdown patches causing trouble as realistic attacks get closer

    Applications, operating systems, and firmware all need to be updated to defeat Meltdown and protect against Spectre, two attacks that exploit features of high-performance processors to leak information and undermine system security. The computing industry has been scrambling to respond after news of the problem broke early a few days into the new year.

    But that patching is proving problematic. The Meltdown protection is revealing bugs or otherwise undesirable behavior in various drivers, and Intel is currently recommending that people cease installing a microcode update it issued to help tackle the Spectre problem. This comes as researchers are digging into the papers describing the issues and getting closer to weaponizing the research to turn it into a practical attack. With the bad guys sure to be doing the same, real-world attacks using this research are sure to follow soon.

  • Finnish firm detects new Intel security flaw

    A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

    F-Secure said in a statement that the flaw had nothing to do with the "Spectre" and "Meltdown" vulnerabilities recently found in the micro-chips that are used in almost all computers, tablets and smartphones today.

    Rather, it was an issue within Intel Active Management Technology (AMT), "which is commonly found in most corporate laptops, (and) allows an attacker to take complete control over a user's device in a matter of seconds," the cybersecurity firm said.

  • What is RubyMiner? New malware found targeting Windows and Linux servers to mine cryptocurrency
  • BitTorrent flaw could let hackers take control of Windows, Linux PCs

    According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarily ignore.

  • BitTorrent critical flaw allows hackers to remotely control users' computers

    A critical flaw in the popular Transmission BitTorrent app could allow hackers to remotely control users' computers. The flaw, uncovered by Google Project Zero security researchers, allows websites to execute malicious code on users' devices. Researchers also warned that BitTorrent clients could be susceptible to attacks as well if the flaw is leveraged.

Security: Purism, Intel, Wi-Fi, iOS

Filed under
Security
  • Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops

    Purism has released a patch for Meltdown (CVE-2017-5754, aka variant 3) as part of PureOS, and includes this latest PureOS image as part of all new Librem laptop shipments. Purism is also providing a microcode update for Intel processors to address Spectre variant 2 (CVE-2017-5715).

  • Intel Fumbles Its Patch for Chip Flaw

    Intel is quietly advising some customers to hold off installing patches that address new security flaws affecting virtually all of its processors. It turns out the patches had bugs of their own.

  • Wi-Fi Alliance announces WPA3 to secure modern networks

    The Consumer Electronics Show (CES) is an odd place to announce an enterprise product, but the Wi-Fi Alliance used the massive trade show — which has more or less taken over where Comdex left off — to announce a major upgrade to Wi-Fi security.

    The alliance announced the Wi-Fi Protected Access 3 (WPA3), a new standard of Wi-Fi security that greatly increases the security capabilities of the wireless standard. WPA2, which is the current standard in wireless security, has been around for 14 years, so this is way overdue.

  • More iOS 11 Jailbreak Tweaks Could Be Released by the Weekend

    The Electra jailbreak tool is better than LiberiOS because it comes with Substitute. This is the alternative to Cydia substrate that was first developed by Comex. This would allow users to install and use jailbreak tweaks compatible with iOS 11.

More in Tux Machines

Games: DRAG, Geneshift, Balloonatics and More

Tumbleweed Update

  • Tumbleweed Rolls Forward with New versions of Mesa, Squid, Xen
    This week provided a pretty healthy amount of package updates for openSUSE’s rolling distribution Tumbleweed. There were three snapshots released since the last blog and some of the top packages highlighted this week are from Mesa, Squid, Xen and OpenSSH. The Mesa update from version 17.2.6 to 17.3.2 in snapshot 20180116 provided multiple fixes in the RADV Vulkan driver and improvements of the GLSL shader cache. The Linux Kernel provides some fixes for the security vulnerabilities of Meltdown in version 4.14.13 and added a prevent buffer overrun on memory hotplug during migration for KVM with s390. The snapshot had many more package updates like openssh 7.6p1, which tightened configuration access rights. A critical fix when updating Flatpak packages live was made with the gnome-software version 3.26.4 update. File systems package btrfsprogs 4.14.1 provided cleanups and some refactoring while wireshark 2.4.4 made some fixes for dissector crashes. Xen 4.10.0_10 added a few patches. Rounding out the snapshot, ModemManager 1.6.12 fixed connection state machine when built against libqmi and blacklisted a few devices to include some Pycom devices.
  • openSUSE Tumbleweed Rolls To Mesa 17.3, Linux 4.14.13
    OpenSUSE has continued rolling in the new year with several key package updates in January. Exciting us a lot is that openSUSE Tumbleweed has migrated from Mesa 17.2 to now Mesa 17.3. Mesa 17.3.2 is the version currently in openSUSE's rolling-release.

India Digital Open Summit 2018

Compact Quark-based embedded computer sells for $120

Advantech’s “UBC-222” is an embedded computer that runs Yocto Linux on an Intel Quark X1000 with up to 1GB DDR3, dual 10/100 LAN ports, and a mini-PCIe socket with LTE-ready SIM slot.