Language Selection

English French German Italian Portuguese Spanish

Security

Why health implants should have open source code

Filed under
OSS
Security

As medical implants become more common, sophisticated and versatile, understanding the code that runs them is vital. A pacemaker or insulin-releasing implant can be lifesaving, but they are also vulnerable not just to malicious attacks, but also to faulty code.

For commercial reasons, companies have been reluctant to open up their code to researchers. But with lives at stake, we need to be allowed to take a peek under the hood.

Over the past few years several researchers have revealed lethal vulnerabilities in the code that runs some medical implants. The late Barnaby Jack, for example, showed that pacemakers could be “hacked” to deliver lethal electric shocks. Jay Radcliffe demonstrated a way of wirelessly making an implanted insulin pump deliver a lethal dose of insulin.

But “bugs” in the code are also an issue. Researcher Marie Moe recently discovered this first-hand, when her Implantable Cardioverter Defibrillator (ICD) unexpectedly went into “safe mode”. This caused her heart rate to drop by half, with drastic consequences.

Read more

Also: Hack Crashes Linux Distros with 48 Characters of Code

Hardware Firewall: Choosing the Right Firewall Distribution

Filed under
GNU
Linux
Security

Over the years I've bought some less than impressive consumer routers, so these days I run my own self-built hardware firewall appliance. Surprisingly, deciding on which option was best for my needs was not as easy as I had hoped.

Building a hardware firewall requires you to decide on the hardware your firewall/router computer operating system will be installed on. Like myself, some people might use an old PC. Others might decide to install their selected firewall operating system onto a rack mount server. However one decides to do this, the completed act of installing this OS onto the dedicated hardware creates a dedicated hardware firewall.

And unlike a software firewall, hardware firewalls serve a single dedicated purpose – to act as a gateway appliance for your network. Having had experience with three popular firewall operating systems in the past, I found that choosing the "right one" is a matter of perspective.

In this article, I'm going to share my experience and overall impressions about those three different firewall solutions. Some of these are highly advanced while others are incredibly easy to use. Each of these solutions share something that I feel good about sharing with my readers. All of the firewalls are easily downloadable without any annoying sign-up pages (I'm looking at you, Sophos).

Read more

Security News

Filed under
Security
  • Security updates for Monday
  • Impossible is impossible!

    Sometimes when you plan for a security event, it would be expected that the thing you're doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I'm here to tell you it's impossible to make something impossible.

    As you think about that statement for a bit, let me explain what's happening here, and how we're going to tie this back to security, business needs, and some common sense. We've all heard of the 80/20 rule, one of the forms is that the last 20% of the features are 80% of the cost. It's a bit more nuanced than that if you really think about it. If your goal is impossible it would be more accurate to say 1% of the features are 2000% of the cost. What's really being described here is a curve that looks like this

  • What is the spc_t container type, and why didn't we just run as unconfined_t?

    If you are on an SELinux system, and run docker with SELinux separation turned off, the containers will run with the spc_t type.

  • The importance of paying attention in building community trust

    Trust is important in any kind of interpersonal relationship. It's inevitable that there will be cases where something you do will irritate or upset others, even if only to a small degree. Handling small cases well helps build trust that you will do the right thing in more significant cases, whereas ignoring things that seem fairly insignificant (or saying that you'll do something about them and then failing to do so) suggests that you'll also fail when there's a major problem. Getting the small details right is a major part of creating the impression that you'll deal with significant challenges in a responsible and considerate way.

    This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?

Systemd bug in the News

Filed under
Linux
Security
  • Systemd bug allows ordinary user to crash Linux systems

    The systemd project is yet to release a fix for a bug that was disclosed on 28 September but at least one GNU/Linux distribution has patched the same.

    The bug, allowing a user to crash a system by using a short command as an ordinary user, was disclosed by a developer named Andrew Ayer.

    After running this command, according to Ayer, "You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system)."

  • Major Linux distributions suffer from the latest system crippling bug

    A system administrator, Andrew Ayer discovered a crippling bug while working with his Linux System. He reported the issue at length in a blogpost pointing out how anyone could crash Systemd by one single tweet. The system will not collapse as soon as the tweet is rendered on screen by the system. Instead, what it meant was that any Linux distribution could be crippled by a command that can fit into one tweet. He even posted a tweet with the command to prove his point.

Down the rabbit hole, part 3: Linux and Tor are key to ensuring privacy, security

Filed under
Linux
Security

So, I’ve decided I need to improve the privacy and security of my life (especially as it relates to computing). And I’ve come to the conclusion that in order to effectively do this, I need to focus on utilizing open source software as much as possible.

What next?

Let’s start at a very simple, basic level: the operating system of my laptop computers (I don’t actually have a desktop currently, but the same ideas will apply) and how they connect to the internet.

Read more

Security News

Filed under
Security
  • security things in Linux v4.7
  • Microsoft warns Windows security fix may break network shares

    The latest of these, Preview Build 14936 – for testers on what Microsoft refers to as the Fast Ring – comes with the usual set of updates, new features, and fixes for things that the previous release managed to break.

    However, what caught our eye was a warning that after updating, users may find that shared devices such as NAS boxes have mysteriously disappeared from the home network folder, and that any previously mapped network drives are unavailable.

    Microsoft offers a fix for this; if you change your network to “private” or “enterprise”, it should start working again.

    It seems that the cause of this hiccup is a fix that Microsoft made earlier in September to address a security hole severe enough that it might allow remote code execution with elevated permissions on an affected system, although this would require an attacker to create a specially crafted request.

    The fix addresses this by, among other things, “correcting how Windows enforces permissions”.

    Windows Insiders are typically no newbies and used to preview builds breaking stuff, but it is likely that this change will find its way into the Windows 10 code everybody else is running sooner or later.

  • Android Devices Are Targeted By New Lockscreen Ransomware

Security Leftovers

Filed under
Security
  • Bug Bounty Hunters Can Earn $1.5 Million For A Successful Jailbreak Of iOS 10
  • How To Ensure Trustworthy, Open Source Elections [Ed: This reminds us Microsoft must be kicked out of election process [1, 2]

    A strong democracy hinges not only on the right to vote but also on trustworthy elections and voting systems. Reports that Russia or others may seek to impact the upcoming U.S. presidential election—most recently, FBI evidence that foreign hackers targeted voter databases in Arizona and Illinois—has brought simmering concerns over the legitimacy of election results to a boil.

  • Source Code for IoT Botnet ‘Mirai’ Released

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

Security News

Filed under
Security
  • Your next DDoS attack, brought to you courtesy of the IoT

    The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.

    Symantec reports on the rising trend in IoT malware, which attack systems that "may not include any advanced security features" and are "designed to be plugged in and forgotten" without "any firmware updates" so that "infection of such devices may go unnoticed by the owner."

    The USA and China are the two countries where people own most of these things, so they're also where most of the malicious traffic originates. Symantec ran a honeypot that recorded attempts to login and compromise a system that presented as a vulnerable IoT device, and found that the most common login attempts used the default passwords of "root" and "admin," suggesting that malware authors have discovered that IoT owners rarely change these defaults. Other common logins include "123456," "test" and "oracle."

  • Meet Linux.Mirai Trojan, a DDoS nightmare
  • Linux.Mirai Trojan Carries Out DDoS Attacks
  • Fears of a hacked election may keep 1 out of every 5 voters home, says report

    Recent hacks of the Democratic National Committee, the Democratic Congressional Campaign Committee and election databases have increased fears that cybercriminals will try to interfere with the upcoming U.S. presidential election.

    Concerns leading up to election day on November 8 could have a real impact on voter turnout, according to a study from cybersecurity firm Carbon Black. More than one in five registered U.S. voters may stay home on election day because of fears about cybersecurity and vote tampering, the study — an online survey of 700 registered voters aged 18-54 — found.

  • Hostile Web Sites

    I was asked whether it would be safe to open a link in a spam message with wget. So here are some thoughts about wget security and web browser security in general.

  • You can crash Linux Systemd with a single Tweet

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with a single command line.”After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons.

  • How to reignite a flamewar in one tweet (and I still don’t get it)
  • Multiple Linux Distributions Affected By Crippling Bug In Systemd

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.

Security Leftovers

Filed under
Security
  • Let's Encrypt Wants to Help Improve the CA Model

    Let's Encrypt, a non-profit effort that brings free SSL/TLS certificates to the web, was first announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. To date, it has provided more than 5 million free certificates.

    While having an SSL/TLS certificate to encrypt traffic is an important element of web security, it's not the only one, said Josh Aas, executive director of the Internet Security Research Group and leader of Let's Encrypt.

    "There is a lot in the total picture of what makes a website secure, and we can do a lot to help a certain part of it," he said in a video interview.

  • How to Throw a Tantrum in One Blog Post

    The systemd team has recently patched a local denial of service vulnerability affecting the notification socket, which is designed to be used for daemons to report their lifecycle and health information. Some people have used this as an opportunity to throw a fresh tantrum about systemd.

Security News

Filed under
Security
  • Report: Linux security must be upgraded to protect future tech

    The summit was used to expose a number of flaws in Linux's design that make it increasingly unsuitable to power modern devices. Linux is the operating system that runs most of the modern world. It is behind everything from web servers and supercomputers to mobile phones. Increasingly, it's also being used to run connected Internet of Things (IoT) devices, including products like cars and intelligent robots.

  • security things in Linux v4.6

    Hector Marco-Gisbert removed a long-standing limitation to mmap ASLR on 32-bit x86, where setting an unlimited stack (e.g. “ulimit -s unlimited“) would turn off mmap ASLR (which provided a way to bypass ASLR when executing setuid processes). Given that ASLR entropy can now be controlled directly (see the v4.5 post), and that the cases where this created an actual problem are very rare, means that if a system sees collisions between unlimited stack and mmap ASLR, they can just adjust the 32-bit ASLR entropy instead.

Syndicate content

More in Tux Machines

FFmpeg 3.2.2 "Hypatia" Open-Source Multimedia Framework Released with 30 Fixes

Today, December 6, 2016, the development team behind the powerful, open-source, free, and cross-platform FFmpeg multimedia framework released a new maintenance update in the FFmpeg 3.2 "Hypatia" series. Read more

Ubuntu-Based BackBox Linux 4.7 Is Out with Kernel 4.4 LTS, Updated Hacking Tools

On December 6, 2016, the developers behind the Ubuntu-based, hacking-oriented BlackBox Linux operating system proudly announced the release of BackBox Linux 4.7. Read more

Doyodo RetroEngine Sigma is a Linux-powered classic video game emulation console

The Nintendo NES Classic is quite an amazing console. True, it is not as powerful as modern game systems like Xbox One and PlayStation 4, but it comes pre-loaded with many classic NES titles. Unfortunately, its strength is also its weakness -- those pre-loaded titles are the only games you can play. You cannot load other games, so you are stuck with what you got. Read more

LibreOffice 5.3 Beta 2 to Land Soon as Third Bug Hunting Event Is Held This Week

Today, December 6, 2016, The Document Foundation, through Italo Vignoli, was proud to announce the upcoming third bug hunting session for the LibreOffice 5.3 open-source office suite. Read more