Language Selection

English French German Italian Portuguese Spanish

Security

Security: Shadow Brokers, GitHub, SgxSpectre, DDoS Method Adds Extortion

Filed under
Security
  • Shadow Brokers the reason why Kaspersky Lab is in the US doghouse

    At times, it does not pay to be the brightest kid on the block. But Kaspersky Lab, which has been in forefront of A-V research for some time, would have got away even with this, had it not been for a catastrophic leak of Windows vulnerabilities crafted by the NSA via a group that has called itself the Shadow Brokers.

  • 1.35Tbps: GitHub Faced World’s Biggest Ever DDoS Attack

    Just recently, GitHub, the most famous code sharing and hosting platform, faced the world’s most powerful DDoS attack. As per GitHub, the website was unavailable for about 5 minutes (17:21 to 17:26 UTC) on February 28th as a result of this massive torrent of 1.2 Tbps traffic targetting the site all at once.

  • SgxSpectre Exploits Recent Intel CPU Flaw And Leaks “Enclave” Secrets
  • Powerful New DDoS Method Adds Extortion

    Memcached communicates using the User Datagram Protocol or UDP, which allows communications without any authentication — pretty much anyone or anything can talk to it and request data from it.

    Because memcached doesn’t support authentication, an attacker can “spoof” or fake the Internet address of the machine making that request so that the memcached servers responding to the request all respond to the spoofed address — the intended target of the DDoS attack.

    Worse yet, memcached has a unique ability to take a small amount of attack traffic and amplify it into a much bigger threat. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic 10 or 20 times — allowing, for example a 1 mb file request to generate a response that includes between 10mb and 20mb of traffic.

Security: IOTA, Ethereum, GitHub, IPv6

Filed under
Security
  • Cryptographers Urge People to Abandon IOTA After Leaked Emails

    This past weekend, multiple prominent security researchers and academic cryptographers took to Twitter to paint a big black mark on the cryptocurrency project, IOTA. The posts implore investors not to hold the currency and researchers not to collaborate on enhancing the security of the system.

    An outcry was triggered shortly after a chain of private emails sent among the IOTA team and a group of external security researchers was made public, exposing the developers’ response to the disclosure of a critical flaw in one of their cryptographic building blocks. The correspondence, which ended with vague threats of legal action by IOTA founder, Sergey Ivancheglo, against a member of the Boston University security group, has prompted many academic researchers to denounce the entire project.

  • Ethereum’s smart contracts are full of holes

    Computer programs that run on blockchains are shaking up the financial system. But much of the hype around what are called smart contracts is just that. It’s a brand-new field. Technologists are just beginning to figure out how to design them so they can be relied on not to lose people’s money, and—as a new survey of Ethereum smart contracts illustrates—security researchers are only now coming to terms with what a smart-contract vulnerability even looks like.

  • GitHub Survived the Biggest DDoS Attack Ever Recorded

    On Wednesday, at about 12:15 pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.

    GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.

  • It's begun: 'First' IPv6 denial-of-service attack puts IT bods on notice

    What's claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.

    Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar's SiteProtect DDoS protection service when he realized there were "packets coming from IPv6 addresses to an IPv6 host."

    The attack wasn't huge – unlike this week's record-breaking 1.35Tbps attack on GitHub – and it wasn't using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.

Security: Updates, UEFI 'Secure' Boot, ​Memcached DDoS, Security in the Modern Data Center and the Latest FOSS From Sonatype

Filed under
Security
  • Security updates for Friday
  • [Slackware] Security updates for OpenJDK 7 and 8
  • The Linux Kernel Prepares To Be Further Locked Down When Under UEFI Secure Boot

    For more than the past year we have reported on kernel work to further lock down the Linux kernel with UEFI Secure Boot and it's looking now like that work may finally be close to being mainlined.

    Among the further restrictions that would be placed on the Linux kernel when running with UEFI Secure Boot enabled is blocking access to kernel module parameters that end up dealing with hardware settings, blocking access to some areas of /dev that could manipulate the kernel or hardware state, etc.

  • ​Memcached DDoS: The biggest, baddest denial of service attacker yet

    We've been seeing a rise of ever bigger Distributed Denial of Service (DDoS) attacks for years now. But, now a new attack method, Memcrashed, can blast your site with over a terabyte of traffic. Good luck standing up to that volume of abuse!

    Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It's commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It's the program that enables them to handle their massive data I/O. It's also used by many to cache their web-server-session data to speed up their sites -- and that's where the trouble starts.

  • Security in the Modern Data Center
  • One in Eight Open Source Components Contain Flaws [Ed: What about proprietary software? Not worth ever debating in the media? Phil Muncaster uses dramatic headline as a form of marketing for Sonatype.]

    For example, 145,000 downloads of vulnerable versions of Apache Commons Collections were recorded in the UK in 2017 – vulnerabilities connected to ransomware attacks in the wild.

What's New in Qubes 4

Filed under
OS
Security

I've been using Qubes as my primary desktop for more than two years, and I've written about it previously in my Linux Journal column, so I was pretty excited to hear that Qubes was doing a refactor of its own in the new 4.0 release. As with most refactors, this one caused some past features to disappear throughout the release candidates, but starting with 4.0-rc4, the release started to stabilize with a return of most of the features Qubes 3.2 users were used to. That's not to say everything is the same. In fact, a lot has changed both on the surface and under the hood.

Although Qubes goes over all of the significant changes in its Qubes 4 changelog, instead of rehashing every low-level change, I want to highlight just some of the surface changes in Qubes 4 and how they might impact you whether you've used Qubes in the past or are just now trying it out.

Read more

Security: FOSS Updates, PS4 and Media Trying to Associate FOSS With Crime

Filed under
Security

Security: ARPAnet, Android, Intel, Cryptojacking and More

Filed under
Security
  • "Nobody cared about security"

     

    In the long run, however, the more significant reason why the ARPAnet and early Internet lacked security was not that it wasn't needed, nor that it would have made development of the network harder, it was that implementing security either at the network or the application level would have required implementing cryptography. At the time, cryptography was classified as a munition. Software containing cryptography, or even just the hooks allowing cryptography to be added, could only be exported from the US with a specific license. Obtaining a license involved case-by-case negotiation with the State Department. In effect, had security been a feature of the ARPAnet or the early Internet, the network would have to have been US-only. Note that the first international ARPAnet nodes came up in 1973, in Norway and the UK.

  • ​The 10 best ways to secure your Android phone

    The most secure smartphones are Android smartphones. Don't buy that? Apple's latest version of iOS 11 was cracked a day -- a day! -- after it was released.

    So Android is perfect? Heck no!

    Android is under constant attack and older versions are far more vulnerable than new ones. Way too many smartphone vendors still don't issue Google's monthly Android security patches in a timely fashion, or at all. And, zero-day attacks still pop up.

  • Not Getting Android OS Updates? Here’s How Google Is Updating Your Device Anyway

    Android updates are a still a point of contention among die-hard fans, because most manufacturers don’t keep updated with the latest offerings from Google. But just because your phone isn’t getting full OS updates doesn’t mean it’s totally out of date.

    While some major features still require full version updates, Google has a system in place that keeps many handsets at least somewhat relevant with Google Play Services. The company can squash certain bugs and even introduce new features just by updating Play Services.

  • Intel Finally Releases Spectre Patches for Broadwell and Haswell Processors
  • How to Defend Servers Against Cryptojacking

    Cryptojacking has become one of the most active and pervasive threats in recent years. In a cryptojacking attack, a cryptocurrency mining script is injected into a server or a webpage to take advantage of the victim system's CPU power.

  • 8 Startups Raise Money to Secure Everything From ICS to Home Networks
  • Sonatype Makes Nexus Firewall Available to 10 Million Developers

Security: Updates, Open Source Security Podcast, PGP, and 'DevSecOps'

Filed under
Security

Security: “Medjacking”, Exploding e-Cigarettes, and Linux FUD

Filed under
Security
  • “Medjacked”: Could Hackers Take Control of Pacemakers and Defibrillators—or Their Data?

    Are high-tech medical devices vulnerable to hacks? Hackers have targeted them for years, according to a new article in the Journal of the American College of Cardiology. But Dr. Dhanunjaya Lakkireddy, senior author of the paper, says hackers have harmed no one so far.

  • Exploding e-Cigarettes Are a Growing Danger to Public Health

    Whatever their physiological effects, the most immediate threat of these nicotine-delivery devices comes from a battery problem called thermal runaway

    [...]

    Exploding cigarettes sound like a party joke, but today’s version isn’t funny at all. In fact, they are a growing danger to public health. Aside from mobile phones, no other electrical device is so commonly carried close to the body. And, like cellphones, e-cigarettes pack substantial battery power. So far, most of the safety concerns regarding this device have centered on the physiological effects of nicotine and of the other heated, aerosolized constituents of the vapor that carries nicotine into the lungs. That focus now needs to be widened to include the threat of thermal runaway in the batteries, especially the lithium-ion variety.

  • Uh, oh! Linux confuses Bleeping Computer again

    The tech website Bleeping Computer, which carries news about security and malware, has once again demonstrated that when it comes to Linux, its understanding of security is somewhat lacking.

    What makes the current case surprising is the fact that the so-called security issue which the website chose to write about had already been ripped to pieces by senior tech writer Stephen Vaughan-Nicholls four days earlier.

    Called Chaos, the vulnerability was touted by a firm known as GoSecure as one that would allow a backdoor into Linux servers through SSH.

  • Are Mac and Linux users safe from ransomware?

    Ransomware is currently not much of a problem for Linux systems. A pest discovered by security researchers is a Linux variant of the Windows malware ‘KillDisk’. However, this malware has been noted as being very specific; attacking high profile financial institutions and also critical infrastructure in Ukraine. Another problem here is that the decryption key that is generated by the program to unlock the data is not stored anywhere, which means that any encrypted data cannot be unlocked, whether the ransom is paid or not. Data can still sometimes be recovered by experts like Ontrack, however timescales, difficulty and success rates depend on the exact situation and strain of ransomware.

Security: Updates, Reproducible Builds, Spectre/Meltdown, 'Serverless' Security

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #148
  • Fixing Spectre/Meltdown in [Slackware] 14.2
  • Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

    Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws.

    Republican members of the House Energy and Commerce Committee sent letters to the seven in January, to seek answers about the reasons they chose not to disclose the flaws and whether they felt their actions were responsible and safe.

    All the letters go over old ground: Google Project Zero spotted the design errors, told Intel, which formed a cabal comprising itself, Google, AMD, Arm, Apple, Amazon and Microsoft. The gang of seven decided that Project Zero's 90-day disclosure deadline had to be extended to January, then spoke to others to help them prepare fixes. But stray posts and sharp-eyed Reg hacks foiled that plan as we broke the news on January 3rd.

  • Serverless Security: What's Left to Protect? [Ed: "Serverless" is a junk buzzword; it's server-'full' and it just means passing one's server or control/access to that server to some other company, which occasionally gets cracked too.]

    Serverless is an exciting development in the modern infrastructure world. It brings with it the promise of dramatically reduced system costs, simpler and cheaper total cost of ownership, and highly elastic systems that can seamlessly scale to what old-timers (like me) call a “Slashdot moment” – a large and immediate spike in traffic.

    The cost savings Serverless offers greatly accelerated its rate of adoption, and many companies are starting to use it in production, coping with less mature dev and monitoring practices to get the monthly bill down. Such a trade off makes sense when you balance effort vs reward, but one aspect of it is especially scary – security.

    This article aims to provide a broad understanding of security in the Serverless world. We’ll consider the ways in which Serverless improves security, the areas where it changes security, and the security concerns it hurts.

Security: Spectre & Meltdown Fixes/Optimizations, 'SecOps', Harvesting Passwords by Mistake and More

Filed under
Security
  • Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

    The in-development Linux 4.16 kernel has already received a few rounds of updates for the mitigation work on the Spectre and Meltdown CPU vulnerabilities while more is on the way.

    Thomas Gleixner today sent in another batch of "x86/pti" updates for Linux 4.16 in further addressing these CPU security vulnerabilities that were made public in early January.

  • SecOps Spends Its Days Monitoring

    Developers, Security and Operations: DevSecOps. The operations part of the term usually refers to IT operations. However, today narrows in on SecOps, that work in security operations centers (SOCs) and cyber incident response teams (CIRTs). The Cyentia Institute’s survey of 160 of these security analysts shows they face some of the same challenges developers and IT operations teams do. They spend more time on monitoring than any other activity, but they much rather solve problems and “hunt” new threats. SecOps does not like reporting or something called Shift Ops — the actual details of change control and making sure the team doesn’t burn out. Given the shortage of information security professionals, it is concerning that only 45 percent of respondents said their job experience was meeting their expectations.

  • Covert 'Replay Sessions' Have Been Harvesting Passwords by Mistake

     

    Bulk data collection is always a privacy red flag. But the Princeton research group that first published findings about session replay scripts has uncovered a troubling series of situations where seemingly well-intentioned safeguards fail, leading to an unacceptable level of exposure.

  • How to Check if Your Password Has Been Stolen
  • More than half of IT pros believe their organization was breached at least once in 2017
Syndicate content

More in Tux Machines

Critical Live Boot Bug Fixed and Ubuntu 18.04 is Finally Released

A critical bug in live boot session delayed Ubuntu 18.04 LTS release for several hours. The bug has been fixed and the ISO are available to download. Read more

Nintendo Switch hack + Dolphin Emulator could bring GameCube and Wii game support

This week security researchers released details about a vulnerability affecting NVIDIA Tegra X1 processors that makes it possible to bypass secure boot and run unverified code on some devices… including every Nintendo Switch game console that’s shipped to date. Among other things, this opens the door for running modified versions of Nintendo’s firmware, or alternate operating systems such as a GNU/Linux distribution. And if you can run Linux… you can also run Linux applications. Now it looks like one of those applications could be the Dolphin emulator, which lets you play Nintendo GameCube and Wii games on a computer or other supported devices. Read more

Openwashing Leftovers

Linux Foundation: New Members, Cloud Foundry, and Embedded Linux Conference + OpenIoT Summit

  • 41 Organizations Join The Linux Foundation to Support Open Source Communities With Infrastructure and Resources
    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the addition of 28 Silver members and 13 Associate members. Linux Foundation members help support development of the shared technology resources, while accelerating their own innovation through open source leadership and participation. Linux Foundation member contributions help provide the infrastructure and resources that enable the world's largest open collaboration communities.
  • Cloud Foundry for Developers: Architecture
    Back in the olden days, provisioning and managing IT stacks was complex, time-consuming, and error-prone. Getting the resources to do your job could take weeks or months. Infrastructure-as-a-Service (IaaS) was the first major step in automating IT stacks, and introduced the self-service provisioning and configuration model. VMware and Amazon were among the largest early developers and service providers. Platform-as-a-Service (PaaS) adds the layer to IaaS that provides application development and management. Cloud Foundry is for building Platform as a Service (PaaS) projects, which bundle servers, networks, storage, operating systems, middleware, databases, and development tools into scalable, centrally-managed hardware and software stacks. That is a lot of work to do manually, so it takes a lot of software to automate it.
  • Jonathan Corbet on Linux Kernel Contributions, Community, and Core Needs
    At the recent Embedded Linux Conference + OpenIoT Summit, I sat down with Jonathan Corbet, the founder and editor-in-chief of LWN to discuss a wide range of topics, including the annual Linux kernel report. The annual Linux Kernel Development Report, released by The Linux Foundation is the evolution of work Corbet and Greg Kroah-Hartman had been doing independently for years. The goal of the report is to document various facets of kernel development, such as who is doing the work, what is the pace of the work, and which companies are supporting the work.