
Security

Canonical Apologizes for Ubuntu 14.04 LTS Linux Kernel Regression, Releases Fix

Filed under
Security
Ubuntu

The kernel security update addressed both the L1 Terminal Fault vulnerabilities and two other security flaws (CVE-2018-5390 and CVE-2018-5391) discovered by Juha-Matti Tilli in the Linux kernel's TCP and IP implementations, which could allow remote attackers to cause a denial of service.

Unfortunately, on Ubuntu 14.04 LTS (Trusty Tahr) systems, users reported that the mitigations also introduced a regression in the Linux kernel packages, which could cause kernel panics for some users that booted the OS in certain desktop environments.


Security Leftovers

Filed under
Security
  • Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

    But according to Indian news outlet Dailypionneer.com, there was a second attack carried out on August 13, when the Cosmos Bank hackers transferred nearly $2 million to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong.

  • How to Protect Yourself Against a SIM Swap Attack

    A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon, threat research at security firm Flashpoint. “In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” she says.

    That’s because ultimately, the machinations behind SIM swaps are largely out of your control. [...]

  • Open Source Security Podcast: Episode 110 - Review of Black Hat, Defcon, and the effect of security policies

    Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can't foresee. We end with important information about pizza, bananas, and can openers.

Security: Apple, Microsoft, Linux and New FUD

Filed under
Security
  • The Internet of 200 Kilogram Things: Challenges of Managing a Fleet of Slot Machines

    In a previous post we talked about Finland's Linux powered slot machines. It was mentioned that there are about 20 000 of these machines in total. It turns out that managing and maintaining all those machines is not as easy as it may first appear.

    In the modern time of The Cloud, 20 thousand machines might not seem like much. Basic cloud management software such as Kubernetes scales to hundreds of thousands, even millions of machines without even breaking a sweat. Having "only" 20 thousand machines may seem like a small and simple thing that can be managed by one intern in their spare time. In reality things get difficult as there are many unique challenges to managing slot machines as opposed to regular servers.

    [...]

    There are roughly two different ways of updating an operating system install: image based updates and package based updates. Neither of these works particularly well in slot machine usage. Games are big, so downloading full images is not feasible, especially for machines that have poor network connections. Package based updates have the major downside that they are not atomic. In desktop and server usage this is not really an issue because you can apply updates at a known good time. For remote devices this does not work because they can be powered off at any time without any warning. If this happens during an upgrade you have a broken machine requiring a physical visit from a maintenance person. As mentioned above this is slow and expensive.

  • Security updates for Friday
  • How to Crack WinRAR Password Protected Files In Simple Steps?
  • A 16-Year-Old Hacked Apple Servers And Stored Data In Folder Named ‘hacky hack hack’

    Apple’s tall claims of keeping your data secured were shown up by an Australian teenager when he repeatedly hacked Apple servers and downloaded 90 GB of ‘secure files.’

    As reported by The Age, the teenager hacked Apple’s mainframe multiple times from his home because he was a fan of the iPhone maker and dreamed of working for Apple.

  • Melbourne teen hacked into Apple's secure computer network, court told
  • SEI CERT releases open-source Source Code Analysis Laboratory for pinpointing vulnerabilities

    The Software Engineering Institute’s (SEI) CERT Division at Carnegie Mellon University released an open-source static analysis aggregator/correlator this week. Source Code Analysis application (SCALe) is designed to find vulnerabilities in application source code via multiple, independent static analysis tools.

  • Two DDoS Friendly Bugs Fixed in Linux Kernel [Ed: It wasn’t even anything critical]

    Maintainers behind the Linux kernel have rolled out patches in the past weeks for two bugs that are just ideal for causing havoc via DDoS attacks.

    Both bugs affect the Linux kernel's TCP stack and are known to trigger excessive resource usage in Linux-based systems.

  • Open-source vulnerabilities which will not die: Who is to blame? [Ed: Charlie Osborne is amplifying several Microsoft proxies whose sole purpose is to attack and badmouth FOSS to help sell proprietary software]
  • Open Source security comes to GitHub [Ed: Sonatype is helping Microsoft entrap FOSS developers with their proprietary software]

Security: WebAssembly, HTTP Tokens and More

Filed under
Security
  • The Problems and Promise of WebAssembly

    WebAssembly is a format that allows code written in assembly-like instructions to be run from JavaScript. It has recently been implemented in all four major browsers. We reviewed each browser’s WebAssembly implementation and found three vulnerabilities. This blog post gives an overview of the features and attack surface of WebAssembly, as well as the vulnerabilities we found.

    [...]

    Overall, the majority of the bugs we found in WebAssembly were related to the parsing of WebAssembly binaries, and this has been mirrored in vulnerabilities reported by other parties. Also, compared to other recent browser features, surprisingly few vulnerabilities have been reported in it. This is likely due to the simplicity of the current design, especially with regards to memory management.

    There are two emerging features of WebAssembly that are likely to have a security impact. One is threading. Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems.

    WebAssembly GC is another potential feature of WebAssembly that could lead to security problems. Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly.

  • Detecting Bomb And Guns Using Normal WiFi: Researchers Find A New Way

    The test was able to give out accurate results on 15 different objects ranging across three different categories — metal, liquid, and non-dangerous items.

    While it’s not clear whether the government will adopt and use the newly developed tracking method in public places, this certainly looks like the best way to stop guns and bombs getting into school premises.

  • What OpenShift Online customers should know about L1TF OpenShift SRE Security

    On Aug. 14, 2018, information was released about another set of “speculative execution” issues with Intel microprocessor hardware known as “L1 Terminal Fault”. As with earlier issues like Spectre and Meltdown, this information was coordinated with the release of updated software solutions to help mitigate the issue.

    At the time the embargo was lifted, the OpenShift SRE team worked to begin remediation (detailed below) on all OpenShift Online clusters. All Pro clusters finished remediation shortly before 18h00 EDT August 14, 2018. All Starter clusters were patched as of 23h30 EDT August 14, 2018.

  • L1TF (AKA Foreshadow) Explained in 3 Minutes from Red Hat
  • Google bod wants cookies to crumble and be remade into something more secure

    A key member of the Google Chrome security team has proposed the death of cookies to be replaced with secure HTTP tokens.

    This week Mike West posted his "not-fully-baked" idea on GitHub and asked for comments. "This isn't a proposal that's well thought out, and stamped solidly with the Google Seal of Approval," he warns. "It's a collection of interesting ideas for discussion, nothing more, nothing less."

    So far, people are largely receptive to the idea while pointing to the complexities that exist in trying to replace something that has become an everyday part of online interaction.

  • Mozilla Recommend a Privacy Extension That Is Tracking Your Web History

    Web Security, a Firefox extension with over 200,000 current users, tracks every website users visit and stores that information on a German web server.

    The extension was recommended by Mozilla in a blog post last week about add-ons that improve users’ privacy. Mozilla has since edited the post, removing Web Security.

Security Leftovers

Filed under
Security
  • How to Protect Your PC From the Intel Foreshadow Flaws
  • AT&T Sued After SIM Hijacker Steals $24 Million in Customer's Cryptocurrency

    It has only taken a few years, but the press, public and law enforcement appear to finally be waking up to the problem of SIM hijacking. SIM hijacking (aka SIM swapping or a "port out scam") involves a hacker hijacking your phone number, porting it over to their own device (often with a wireless carrier employee's help), then taking control of your personal accounts. As we've been noting, the practice has heated up over the last few years, with countless wireless customers saying their entire identities were stolen after thieves ported their phone number to another carrier, then took over their private data.

    Sometimes this involves selling valuable Instagram account names for bitcoin; other times it involves clearing out the target's banking or cryptocurrency accounts. Case in point: California authorities recently brought the hammer down on one 20-year-old hacker, who had covertly ported more than 40 wireless user accounts, in the process stealing nearly $5 million in bitcoin.

    One of the problems at the core of this phenomenon is that hackers have either tricked or paid wireless carrier employees to aid in the hijacking, or in some instances appear to have direct access to (apparently) poorly-secured internal carrier systems. That has resulted in lawsuits against carriers like T-Mobile for not doing enough to police their own employees, the unauthorized access of their systems, or the protocols utilized to protect consumer accounts from this happening in the first place.

  • Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes
  • Security updates for Thursday

Ubuntu, Debian, RHEL, and CentOS Linux Now Patched Against "Foreshadow" Attacks

Filed under
Red Hat
Security
Debian
Ubuntu

Both Canonical and Red Hat emailed us with regards to the L1 Terminal Fault security vulnerability, which is documented as CVE-2018-3620 for operating systems and System Management Mode (SMM), CVE-2018-3646 for impacts to virtualization, as well as CVE-2018-3615 for Intel Software Guard Extensions (Intel SGX). They affect all Linux-based operating systems and machines with Intel CPUs.

"It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS)," reads the Ubuntu security advisory.


Security Leftovers

Filed under
Security
  • Theo on the latest Intel issues

    Theo de Raadt (deraadt@) posted to the tech@ mailing list with some background on how the latest discovered Intel CPU issues relate to OpenBSD.

    [...]

    These 3 issues (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) together are the currently public artifacts of this one bug.

  • Putting Stickers On Your Laptop Is Probably a Bad Security Idea

    Mitchell said political stickers, for instance, can land you in secondary search or result in being detained while crossing a border. In one case, Mitchell said a hacker friend ended up missing a flight over stickers.

  • Video Shows Hotel Security at DEF CON Joking About Posting Photos of Guests' Belongings to Snapchat

    But the room check captured on video suggests the walkthroughs are subject to abuse by hotel personnel who may use them as an opportunity to snoop on guests or take and post images for amusement. And accounts of other searches that involved hotel security staff refusing to show ID or showing insufficient ID, and displaying bullying and threatening behavior to guests in occupied rooms, raise questions about the legality of the searches and the tactics and training of security personnel.

  • Researchers in Finland detect vulnerability in password management software

    Researchers identified a security gap in more than 10 applications used by millions around the world, including an app used by Finland's population registry.

  • Trump ends Obama-era rules on US-led cyberattacks: report

    The memorandum required that an extensive interagency process take place before the U.S. government embarks on any cyberattacks. Trump reversed the rules to try and ease some of those restrictions, which critics argued were detrimental to launching the attacks quickly, according to the Journal.

Security: Updates, IPSec, Elections, AWS and Surveillance

Filed under
Security
  • Security updates for Wednesday
  • Cisco, Huawei, ZyXel, and Huawei patch Cryptographic IPSEC IKE Vulnerability
  • 11-year-old shows it’s child’s play to mess with elections

    At the DefCon Voting Village in Las Vegas last year, participants proved it was child’s play to hack voting machines: As Wired reported, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine.

    This year, it was literally child’s play: the DefCon village this past weekend invited 50 kids between the ages of 8 and 16 to compromise replicas of states’ websites in the so-called “DEFCON Voting Machine Hacking Village.”

  • Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms

    Both adult and kid hackers demonstrated at DEF CON how the hackable voting machine may be the least of our worries in the 2018 elections.

    Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State's website within 15 minutes, altering vote count reports on the site.

    Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Kali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters.

  • How Netflix Secures AWS Cloud Credentials

    Netflix has long been the poster child for being an "all-in-the-cloud" organization. The streaming media service relies on Amazon Web Services (AWS) for infrastructure and computing resources that it uses to operate.

  • Researchers Reveal Security Vulnerabilities in Tracking Apps

    Millions of users around the world regularly install tracker apps on their Android devices to help them keep track of friends and loved ones. Some of those tracker apps, however, contain vulnerabilities that could potentially enable an attacker to track the users of the apps.

    Researchers from the Fraunhofer Institute for Secure Information Technology detailed 37 vulnerabilities found in 19 mobile tracking apps in a session at Defcon in Las Vegas on Aug. 11. The researchers responsibly disclosed the flaws to Google and noted that, as of the time of their presentation, 12 of the apps had been removed from the Google Play store, leaving seven still publicly available and vulnerable.

    "In this project it was very easy to find vulnerabilities," security researcher Siegfried Rasthofer said. "There were no sophisticated exploits."

L1TF/Foreshadow News and Benchmarks

Filed under
Graphics/Benchmarks
Security
  • Three More Intel Chip Exploits Surface
  • Spectre-like “Foreshadow” Flaw In Intel CPUs Can Leak Your Secrets
  • QEMU 3.0 Brings Spectre V4 Mitigation, OpenGL ES Support In SDL Front-End

    QEMU 3.0 is now officially available. This big version bump isn't due to some compatibility-breaking changes, but rather to simplify their versioning and begin doing major version bumps on an annual basis. As an added bonus, QEMU 3.0 comes at a time of the project marking its 15th year in existence.

    QEMU 3.0 does amount to being a big feature release with a lot of new functionality as well as many improvements. Changes in QEMU 3.0 include Spectre V4 mitigation for x86 Intel/AMD, improved support for nested KVM guests on Microsoft Hyper-V, block device support for active mirroring, improved support for AHCI and SCSI emulation, OpenGL ES support within the SDL front-end, improved latency for user-mode networking, various ARM improvements, some POWER9 / RISC-V / s390 improvements too, and various other new bits.

  • How the L1 Terminal Fault vulnerability affects Linux systems

    Announced just yesterday in security advisories from Intel, Microsoft and Red Hat, a newly discovered vulnerability affecting Intel processors (and, thus, Linux) called L1TF or “L1 Terminal Fault” is grabbing the attention of Linux users and admins. Exactly what is this vulnerability and who should be worrying about it?

  • An Early Look At The L1 Terminal Fault "L1TF" Performance Impact On Virtual Machines

    Yesterday the latest speculative execution vulnerability was disclosed that was akin to Meltdown and is dubbed the L1 Terminal Fault, or "L1TF" for short. Here are some very early benchmarks of the performance impact of the L1TF mitigation on the Linux virtual machine performance when testing the various levels of mitigation as well as the unpatched system performance prior to this vulnerability coming to light.

  • Phoronix Test Suite 8.2 M2 Released With Offline Improvements, L1TF/Foreshadow Reporting

    The second development snapshot of the upcoming Phoronix Test Suite 8.2-Rakkestad is now available to benchmark to your heart's delight on Linux, macOS, Windows, Solaris, and BSD platforms from embedded/SBC systems to cloud and servers.

  • The Linux Benchmarking Continues On The Threadripper 2950X & 2990WX

    While I haven't posted any new Threadripper 2950X/2990WX benchmarks since the embargo expired on Monday with the Threadripper 2 Linux review and some Windows 10 vs. Linux benchmarks, tests have continued under Linux -- as well as FreeBSD.

    I should have my initial BSD vs. Linux findings on Threadripper 2 out later today. There were about 24 hours worth of FreeBSD-based 2990WX tests going well albeit DragonFlyBSD currently bites the gun with my Threadripper 2 test platforms. More on that in the upcoming article as the rest of those tests finish. It's also been a madhouse with simultaneously benchmarking the new Level 1 Terminal Fault (L1TF) vulnerability and the performance impact of those Linux mitigations on Intel hardware will start to be published in the next few hours.

Security: Sonatype, Microsoft, Oracle and Linux

Filed under
Security

More in Tux Machines

RISC-V and NVIDIA

  • Open-Source RISC-V-Based SoC Platform Enlists Deep Learning Accelerator
    SiFive introduces what it’s calling the first open-source RISC-V-based SoC platform for edge inference applications based on NVIDIA's Deep Learning Accelerator (NVDLA) technology. A demo shown at the Hot Chips conference consists of NVDLA running on an FPGA connected via ChipLink to SiFive's HiFive Unleashed board powered by the Freedom U540, the first Linux-capable RISC-V processor. The complete SiFive implementation is suited for intelligence at the edge, where high-performance with improved power and area profiles are crucial. SiFive's silicon design capabilities and innovative business model enables a simplified path to building custom silicon on the RISC-V architecture with NVDLA.
  • SiFive Announces First Open-Source RISC-V-Based SoC Platform With NVIDIA Deep Learning Accelerator Technology
    SiFive, the leading provider of commercial RISC-V processor IP, today announced the first open-source RISC-V-based SoC platform for edge inference applications based on NVIDIA's Deep Learning Accelerator (NVDLA) technology. The demo will be shown this week at the Hot Chips conference and consists of NVDLA running on an FPGA connected via ChipLink to SiFive's HiFive Unleashed board powered by the Freedom U540, the world's first Linux-capable RISC-V processor. The complete SiFive implementation is well suited for intelligence at the edge, where high-performance with improved power and area profiles are crucial. SiFive's silicon design capabilities and innovative business model enables a simplified path to building custom silicon on the RISC-V architecture with NVDLA.
  • SiFive Announces Open-Source RISC-V-Based SoC Platform with Nvidia Deep Learning Accelerator Technology
    SiFive, a leading provider of commercial RISC-V processor IP, today announced the first open-source RISC-V-based SoC platform for edge inference applications based on NVIDIA’s Deep Learning Accelerator (NVDLA) technology. The demo will be shown this week at the Hot Chips conference and consists of NVDLA running on an FPGA connected via ChipLink to SiFive’s HiFive Unleashed board powered by the Freedom U540, the world’s first Linux-capable RISC-V processor. The complete SiFive implementation is well suited for intelligence at the edge, where high-performance with improved power and area profiles are crucial. SiFive’s silicon design capabilities and innovative business model enables a simplified path to building custom silicon on the RISC-V architecture with NVDLA.
  • NVIDIA Unveils The GeForce RTX 20 Series, Linux Benchmarks Should Be Coming
    NVIDIA CEO Jensen Huang has just announced the GeForce RTX 2080 series from his keynote ahead of Gamescom 2018 this week in Cologne, Germany.
  • NVIDIA have officially announced the GeForce RTX 2000 series of GPUs, launching September
    The GPU race continues on once again, as NVIDIA have now officially announced the GeForce RTX 2000 series of GPUs and they're launching in September. This new series will be based on their Turing architecture and their RTX platform. These new RT Cores will "enable real-time ray tracing of objects and environments with physically accurate shadows, reflections, refractions and global illumination." which sounds rather fun.

Benchmarks on GNU/Linux

  • Linux vs. Windows Benchmark: Threadripper 2990WX vs. Core i9-7980XE Tested
    The last chess benchmark we’re going to look at is Crafty and again we’re measuring performance in nodes per second. Interestingly, the Core i9-7980XE wins out here and saw the biggest performance uplift when moving to Linux: a 5% performance increase was seen as opposed to just 3% for the 2990WX, and this made the Intel CPU 12% faster overall.
  • Which is faster, rsync or rdiff-backup?
    As our data grows (and some filesystems balloon to over 800GBs, with many small files) we have started seeing our night time backups continue through the morning, causing serious disk i/o problems as our users wake up and regular usage rises. For years we have implemented a conservative backup policy - each server runs the backup twice: once via rdiff-backup to the onsite server with 10 days of increments kept. A second is an rsync to our offsite backup servers for disaster recovery. Simple, I thought. I will change the rdiff-backup to the onsite server to use the ultra fast and simple rsync. Then, I'll use borgbackup to create an incremental backup from the onsite backup server to our off site backup servers. Piece of cake. And with each server only running one backup instead of two, they should complete in record time. Except, some how the rsync backup to the onsite backup server was taking almost as long as the original rdiff-backup to the onsite server and rsync backup to the offsite server combined. What? I thought nothing was faster than the awesome simplicity of rsync, especially compared to the ancient python-based rdiff-backup, which hasn't had an upstream release since 2009.