Security News

  • Security advisories for Wednesday
  • Security bug lifetime

    In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.

  • Reproducible Builds: week 77 in Stretch cycle

    After discussions with HW42, Steven Chamberlain, Vagrant Cascadian, Daniel Shahaf, Christopher Berg, Daniel Kahn Gillmor and others, Ximin Luo has started writing up more concrete and detailed design plans for setting SOURCE_ROOT_DIR for reproducible debugging symbols, buildinfo security semantics and buildinfo security infrastructure.

  • Veracode security report finds open source components behind many security vulnerabilities [Ed: not a nice firm]

Security News

  • Tuesday's security updates
  • Critical flaws found in open-source encryption software VeraCrypt [Ed: TrueCrypt was never really FOSS]

    A new security audit has found critical vulnerabilities in VeraCrypt, an open-source, full-disk encryption program that's the direct successor of the widely popular, but now defunct, TrueCrypt.

    Users are encouraged to upgrade to VeraCrypt 1.19, which was released Monday and includes patches for most of the flaws. Some issues remain unpatched because fixing them requires complex changes to the code and in some cases would break backward compatibility with TrueCrypt.

    However, the impact of most of those issues can be avoided by following the safe practices mentioned in the VeraCrypt user documentation when setting up encrypted containers and using the software.

  • Veracode: open source is creating 'systematic risks' across companies and industries [Ed: this company routinely smears FOSS]

    SECURITY FIRM VERACODE has released a damning report into open source and third-party software components and warned that, for example, almost all Java applications are blighted with at least one problem.

  • Why is Java so insecure? Buggy open source components take the blame

    Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

    Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

  • Parrot Security 3.2 “CyberSloop” Ethical Hacking Linux Distro Available For Download

    Earlier this year, I prepared a list of the top operating systems used for ethical hacking purposes. In that list, Parrot Security OS ranked at #2. It’s developed by Frozenbox Network and released under the GNU GPL v3 license. A couple of days ago, Parrot Security 3.2 ethical hacking Linux distro arrived. The new version of this popular operating system is codenamed CyberSloop and it’s based on Debian GNU/Linux 9 “Stretch”.

    Parrot Security 3.1 arrived back in July. Compared to that, the new version has taken a while due to some buggy packages in the Debian Testing repository that the Parrot Security team had to fix themselves. In particular, the bug being discussed here is the latest GTK update that broke the MATE interface.

  • Linux-run IoT devices under attack by NyaDrop [Ed: Devices with open ports and identical passwords across the board are not secure; not “Linux” issue]

    Internet of Things (IoT) devices running on the open-source Linux OS are under attack from NyaDrop.

    The attack loads malware on IoT devices lacking appropriate security after brute forcing default login credentials, according to a report by David Bisson for Graham Cluley Security News. The code achieves this by parsing its list of archived usernames and passwords. Once authenticated, NyaDrop is installed. The lightweight binary then loads other malware onto the infected device.

Canonical Now Offering Live Kernel Patching Services, Free for Up to Three PCs


Today, October 18, 2016, Canonical informs us, through Dustin Kirkland, about an interesting new feature for Ubuntu Linux, which users can enable on their current installations.

Also: Canonical Rolls Out Its Own Kernel Livepatching Service For Ubuntu

Security News

  • Security advisories for Monday
  • NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware

    A Linux threat known as NyaDrop is exploiting a lack of security in Internet of Things (IoT) devices to infect them with malware.

    A NyaDrop attack begins with the threat attempting to brute force the default login credentials of internet-exposed IoT devices running Linux. It does so by running through its list of stored usernames and passwords, a collection which is no doubt similar to that of the Mirai botnet.

  • Smart cities: 5 security areas CIO should watch

    New worms designed to attach to IoT devices will emerge, and they could wreak more havoc given the extended reach of the new converged networks.

    Conficker is an example of a worm that spread on PCs in 2008 and is still persistent and prevalent in 2016.

    Likewise, worms and viruses that can propagate from device to device can be expected to emerge, particularly with mobile and the Android operating system.

    Embedded worms will spread by leveraging and exploiting vulnerabilities in the growing IoT and mobile attack surface. The largest botnet FortiGuard labs has witnessed is in the range of 15 million PCs.

Happy 15th Birthday Red Hat Product Security


This summer marked 15 years since we founded a dedicated Product Security team for Red Hat. While we often publish information in this blog about security technologies and vulnerabilities, we rarely give an introspection into the team itself. So I’d like, if I may, to take you on a little journey through those 15 years and call out some events that mean the most to me; particularly what’s changed and what’s stayed the same. In the coming weeks some other past and present members of the team will be giving their anecdotes and opinions too. If you have a memory of working with our team we’d love to hear about it, you can add a comment here or tweet me.


Security Leftovers

  • Alpine edge has switched to libressl

    We decided to replace openssl with libressl because we believe it is a better library. While OpenSSL is trying to fix the broken code, libressl has simply removed it.

  • German nuclear plant infected with computer viruses, operator says

    A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility’s operations because it is isolated from the internet, the station’s operator said on Monday.

    The Gundremmingen plant, located about 120 km northwest of Munich, is run by the German utility RWE.

    The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods, RWE said.

  • The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception'

    Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.

  • SourceClear Brings Secure Continuous Delivery to the Developer Workflow [Ed: I don't trust them; they're Microsoft connected with a negative track record]
  • Serious security: Three changes that could turn the tide on hackers

    The state of tech security is currently so dire that it feels like anything you have ever stored on a computer, or a company or government has ever stored about you, has already been hacked into by somebody.

  • Crypto needs more transparency, researchers warn

    Researchers at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely.

    The boffins also demonstrated again that 1,024-bit primes can no longer be considered secure, by publishing an attack using “special number field sieve” (SNFS) mathematics to show that an attacker could create a prime that looks secure, but isn't.

    Since the research is bound to get conspiracists over-excited, it's worth noting: their paper doesn't claim that any of the cryptographic primes it mentions have been back-doored, only that they can no longer be considered secure.

    “There are opaque, standardised 1024-bit and 2048-bit primes in wide use today that cannot be properly verified”, the paper states.

    Joshua Fried and Nadia Heninger (University of Pennsylvania) worked with Pierrick Gaudry and Emmanuel Thomé (INRIA at the University of Lorraine) on the paper.

    They call for 2,048-bit keys to be based on “standardised primes” using published seeds, because too many crypto schemes don't provide any way to verify that the seeds aren't somehow back-doored.
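The idea behind “standardised primes with published seeds” is that anyone can recompute the prime from the seed and confirm that no hidden choice was made. The block below is an added illustration of that verification step, written for this page; it is not code from the paper or from any standard. It uses a simplified, constructed scheme (expand a public seed with SHA-256, take the first candidate that passes Miller-Rabin) rather than the FIPS 186 or paper's exact procedure, and the seed value `b"example-seed-constructed"` is made up for the demonstration.

```python
import hashlib

# Fixed Miller-Rabin bases: deterministic, so a verifier reproduces the exact
# same accept/reject decisions as the party who published the prime.
_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (probabilistic for very large n)."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate_from_seed(seed: bytes, bits: int, counter: int) -> int:
    """Expand seed || counter with SHA-256 into an odd `bits`-bit candidate.

    Constructed scheme for illustration: the output is fully determined by
    (seed, bits, counter), which is what makes it publicly verifiable.
    """
    out = b""
    block = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(
            seed + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    # Force the top bit (so the candidate really is `bits` long) and oddness.
    return x | (1 << (bits - 1)) | 1


def prime_from_seed(seed: bytes, bits: int, max_tries: int = 100_000):
    """Return (prime, counter): the first counter whose candidate is prime."""
    for counter in range(max_tries):
        c = candidate_from_seed(seed, bits, counter)
        if is_probable_prime(c):
            return c, counter
    raise ValueError("no prime found within max_tries")


def verify_published_prime(seed: bytes, bits: int, counter: int, prime: int) -> bool:
    """What a third party does with a published (seed, counter, prime).

    Rejects if the prime does not match the seed expansion, is not prime, or
    if an earlier counter would already have produced a prime (which would
    mean the publisher skipped candidates, i.e. exercised hidden choice).
    """
    if candidate_from_seed(seed, bits, counter) != prime:
        return False
    if not is_probable_prime(prime):
        return False
    for earlier in range(counter):
        if is_probable_prime(candidate_from_seed(seed, bits, earlier)):
            return False
    return True


if __name__ == "__main__":
    seed = b"example-seed-constructed"  # constructed sample seed
    p, ctr = prime_from_seed(seed, 256)
    print(f"counter={ctr} prime={p:#x}")
    print("verifies:", verify_published_prime(seed, 256, ctr, p))
```

The point of the `earlier` loop in `verify_published_prime` is the part that a bare “here is a prime” publication cannot give you: it checks not only that the number is prime, but that it is the prime the seed forces, leaving the publisher no room to quietly pick a different one.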

  • Is Let’s Encrypt the Largest Certificate Authority on the Web?

    By the time you read this, Let’s Encrypt will have issued its 12 millionth certificate, of which 6 million are active and unexpired. With these milestones, Let’s Encrypt now appears to us to be the Internet’s largest certificate authority, but a recent analysis by W3Techs said we were only the third largest. So in this post we investigate: how big is Let’s Encrypt, really?

Security News

  • Friday's security advisories
  • Metasploit eyeing Linux and usability improvements; iOS support uncertain

    Engineers at Rapid7, which owns the popular Metasploit penetration testing tool, are preparing a variety of enhancements for the ramp-up to version 5.0 in 2017.

    Metasploit evolved in 2003, Rapid7 acquired it from the original developers in 2009, and fourth-generation software debuted in 2011. Metasploit Pro is currently in version 4.2 and costs several thousand dollars for a license; Metasploit Framework, currently in version 4.12.33, is open source, officials explained.

  • Self-Checkout Skimmers Go Bluetooth

    This blog has featured several stories about payment card skimming devices designed to be placed over top of credit card terminals in self-checkout lanes at grocery stores and other retailers. Many readers have asked for more details about the electronics that power these so-called “overlay” skimmers. Here’s a look at one overlay skimmer equipped with Bluetooth technology that allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone.

    The rather crude video below shows a Bluetooth enabled overlay skimmer crafted to be slipped directly over top of Ingenico iSC250 credit card terminals. These Ingenico terminals are widely used at countless U.S. based merchants; earlier this year I wrote about Ingenico overlay skimmers being found in self-checkout lanes at some WalMart locations.

  • 10-year-old OpenSSH vulnerability caught up in IoT DDoS attacks [iophk: "not an actual ssh problem despite the parrots"]

    THE THREAT WRANGLERS AT Akamai have come up with something new for us to worry about, except that it isn't so much new as a decade old.

    An OpenSSH vulnerability is being used to fuel distributed denial-of-service (DDoS) attacks on the bloody Internet of Things (IoT).

    DDoS attacks are a constant pain, but attacks on the IoT are relatively new. A combination of the two would be a problem, unless you are the kind of company that makes its business discovering this kind of thing.

    "Researchers at Akamai have been monitoring the growth of attacks leveraging IoT devices," said Eric Kobrin, director of adversarial resilience at Akamai, in a blog post about the SSHowDowN Proxy.

  • a single byte write opened a root execution exploit

    As one of the maintainers of the c-ares project I’m receiving mails for suspected security problems in c-ares and this was such a one. In this case, the email with said subject came from an individual who had reported a ChromeOS exploit to Google.

    It turned out that this particular c-ares flaw was one important step in a sequence of necessary procedures that when followed could let the user execute code on ChromeOS from JavaScript – as the root user. I suspect that is pretty much the worst possible exploit of ChromeOS that can be done. I presume the reporter will get a fair amount of bug bounty reward for this.
