Security

Political Security Inquiry Regarding GNU/Linux and Free Software

Filed under
Linux
Security
  • Republicans seek information on open source security, stability

    Republican members of the US Government's Committee on Energy and Commerce have sought information from the Linux Foundation on the open source software that is most critical to global information infrastructure and the sustainability and stability of the open source software ecosystem.

    Greg Walden, the chairman, and Gregg Harper, chairman of the sub-committee on oversight and investigations, wrote to Linux Foundation chief executive Jim Zemlin on Monday, saying they were seeking the information to gain a deeper understanding of the open source software ecosystem.

  • Lawmakers press Linux on security of open-source software

    The Republicans asked Linux executive director Jim Zemlin whether the foundation has studied which pieces of open-source software are “most critical” to global computer networks and whether it compiled statistics on the usage of open-source software.

  • Lawmakers Seek Input On Addressing Open-Source Software Vulnerabilities

Security: Updates and Drupal's Patch

Filed under
Security
  • Security updates for Monday
  • ‘Highly critical’ CMS bug has left over 1 million sites open to attack [Ed: Scary headline. But having spent hours dealing with this (two of my sites, also some stuff at work), I have heard of nobody that actually got cracked (so far). Nobody.]

    Drupal has marked the security risk as “highly critical” and warns that any visitor to the site could theoretically hack it through remote code execution due to missing input validation.

  • SD Times news digest: Cloudflare 1.1.1.1, Drupal security vulnerability, and Linux 4.16

    Drupal reveals a security vulnerability within Drupal 7 and 8

    Drupal has announced a vulnerability in Drupal 7.x and 8.x that could allow attackers to exploit multiple attack vectors on Drupal sites, leaving those sites vulnerable. Drupal is an open source solution for building websites.

    The company has issued a fix, which can be obtained by installing the most recent version of Drupal 7 or 8 core.

    In addition, the company is releasing updates for Drupal 8.3.x and 8.4.x, even though those releases are no longer supported. The company has also stated that the vulnerability affects Drupal 6, which is at end of life anyway.

    Linux 4.16 is released

    Linus Torvalds has announced the release of Linux 4.16. He claims that this release looks very similar to rc7 due to the fact that half of it is networking. Other new additions in this release are arch fixlets, driver fixes, and updates to documentation. A complete list of new features can be found here.

Security: CopperheadOS, remctl, and Open Source Security Podcast

Filed under
Security
  • Further securing devices running CopperheadOS by using separate Encryption/Lockscreen passphrases

    If you value “vendor-based” security more than freedom, you may consider CopperheadOS a viable alternative to the free but rather insecure Replicant (it requires an unlocked bootloader and is way behind in terms of security patches atm). Personally, I find neither Replicant nor CopperheadOS a perfectly satisfying option, but they are the very best you can have at the moment. In the future, I hope that (1) more devices will be supported by non-Android-based alternatives like postmarketOS and (2) devices which require fewer blobs such as the Librem 5 (I highly doubt that it will run completely without blobs) will become available.

  • remctl 3.14

    remctl is a client/server protocol supporting remote execution of specific configured commands using GSS-API or ssh for authentication and encryption.

    This is a minimal release that fixes a security bug introduced in 3.12, discovered by Santosh Ananthakrishnan. A remctl client with the ability to run a server command with the sudo configuration option may be able to corrupt the configuration of remctld to run arbitrary commands, although I believe this would be moderately difficult to do. Only remctld (not remctl-shell) is vulnerable, and only if there are commands using the sudo configuration option.

  • Open Source Security Podcast: Episode 90 - Humans and misinformation

Intel's Microcode Update for Spectre Makes a Comeback in Ubuntu's Repositories

Filed under
Security
Ubuntu

After being pulled from Ubuntu's repositories in late January at Intel's request, due to serious hardware issues reported by numerous users, Intel's microcode update to mitigate the Spectre security vulnerability has made a comeback.

On January 22, 2018, Canonical replaced the Intel microcode firmware versioned 20180108 with the older 20170707 release at Intel's request, thus no longer protecting users' computers against the Spectre security vulnerability that could allow a local attacker to expose sensitive information from kernel memory.

"Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory (CVE-2017-5715)," reads the security advisory.

Also: Finally extradited from Europe, suspected LinkedIn [cracker] faces US charges

Security: NoScript, Georgia and CFAA, FUD, and MyFitnessPal 'Cloud' Breach

Filed under
Security
  • Firefox 57-59 & Noscript 10 usage guide - 2nd edition

    Noscript is maturing nicely. It is not the all-can-do tool that we had in Firefox before the 57th release, but it is adequate and suitable for most people, and it provides the necessary protection, and more importantly, the necessary quiet you want when browsing the net. Silent, static pages so you can focus on reading and not having your senses assailed any which Web 2.0 or Web 3.0 way. But I guess most people will focus on the security side of things.

    I am using the addon across multiple profiles and systems, and I have not observed any big breakages or bugs. Occasional tiny issues crop up here and there, and then vanish a day later. The one that I do remember was a temporary issue with XSS for a brief while, but other than that, it seems to work in a very similar fashion to the old Noscript. Performance is also comparable. And then, there's still more room for improvements and new stuff, which I'm sure will be coming. Hopefully, this was a pleasant read. Take care.

  • Georgia Passes Anti-Infosec Legislation

    Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail.

    EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon as it lands on his desk.

    For months, advocates such as Electronic Frontiers Georgia have descended on the state Capitol to oppose S.B. 315, which would create a new crime of “unauthorized access” to computer systems. While lawmakers did make a major concession by exempting terms of service violations under the measure—an exception we’ve been asking Congress for years to carve out of the federal Computer Fraud & Abuse Act (CFAA)—the bill still falls short of ensuring that researchers aren’t targeted by overzealous prosecutors. This has too often been the case under CFAA.

  • Newly Found Malware Deliberately Avoids Government Networks [Ed: So-called 'Malware'. Basically just someone running a script to scan for machines with an open SSH port and truly shitty (if not still-default) password. It is not hard to understand why crackers typically try not to touch government IPs. Governments don't care about cracking (they do it themselves) unless the cracks affect government and immunity/impunity is available only for other "state actors" (crackers taxpayers pay for). Systemic hypocrisy.]
  • Your MyFitnessPal Account Was Almost Certainly Hacked, Change Your Password Now

    If you’re one of the 150 million MyFitnessPal users, bad news: hackers have your email address, your user name, and your hashed password.

  • MyFitnessPal data breach affects 150 million users, Including fitness wearables

    Digital data thefts are on the rise, and sports apparel merchant Under Armour has become the latest victim of the crime. The Baltimore (USA) based company has disclosed that there was a massive data breach earlier this year into the systems of its food and nutrition app and website, MyFitnessPal. An unauthorized party gained access to the system and was able to acquire data on about 150 million users.

Security: Updates and Kaspersky

Filed under
Security

pfSense 2.4.3-RELEASE now available

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4.3, now available for new installations and upgrades!

pfSense software version 2.4.3 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

Kaspersky Lab researchers put KLara into the open source domain

Filed under
OSS
Security

Further technical and API details can be found on Securelist. The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.

Kaspersky Lab's GitHub account also includes another tool, created and shared by Kaspersky Lab researchers in 2017. Named BitScout, it was created by principal security researcher, Vitaly Kamluk, and can remotely collect vital forensic data such as malware samples without risk of contamination or loss. Further information on BitScout can be found here.

Security: Meltdown and Spectre, GoScanSSH FUD

Filed under
Security
  • After Meltdown and Spectre, Intel CPUs Are Now Vulnerable to BranchScope Attacks

    According to their paper, even if they are a bit more sophisticated, the BranchScope attacks can do the same damage as the Spectre and Meltdown flaws, in the way that an attacker can exploit the security vulnerability to retrieve sensitive data from the unpatched system, including passwords and encryption keys, by manipulating the shared directional branch predictor.

  • Cleaning up after Spectre and Meltdown: figuring out how badly they slowed down your servers

    That’s the easy part. The real problem is that the patch might slow your system down — particularly if you’re running applications that interact often with the kernel. So you’ll want to know just how much of a hit you’ve taken, and what upgrades you’ll need to get you back to where you should be.

  • GoScanSSH Malware Targets Linux Servers [Ed: No, it does not target Linux. It targets system administrators who use default or very weak passwords.]

    A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.

    Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware’s command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns.

    The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server.

Security: Open Source Alternative to Okta, Severe Apple Flaw, and LWN Articles (Now Outside Paywall)

Filed under
Security
  • Open Source Alternative to Okta®

    Okta® is one of the top providers in the web application SSO (single sign-on) space. It’s a space that has been incredibly important over the last decade, and perhaps, one of the hottest categories in the IT management world. With this much activity, admins often want to know what all of their options with SSO providers are. The challenge for some organizations, though, is finding an open source alternative to Okta.

    Why would an IT organization be interested in an open source web-app SSO solution? Well, to answer that question, we need to take a step back and look at the identity and access management (IAM) space as a whole.

  • Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext

    A severe programming bug has been found in the APFS file system for the macOS High Sierra operating system that exposes the passwords of encrypted external drives in plain text.

    Introduced two years ago, APFS (Apple File System) is an optimized file system for flash and SSD-based storage solutions running macOS, iOS, tvOS or watchOS, and promises strong encryption and better performance.

  • A "runtime guard" for the kernel

    While updating kernels frequently is generally considered a security best practice, there are many installations that are unable to do so for a variety of reasons. That means running with some number of known vulnerabilities (along with an unknown number of unknown vulnerabilities, of course), so some way to detect and stop exploits for those flaws may be desired. That is exactly what the Linux Kernel Runtime Guard (LKRG) is meant to do.

    LKRG comes out of the Openwall project that is perhaps best known for its security-enhanced Linux distribution. Alexander Peslyak, or "Solar Designer", who is Openwall's founder and leader is prominent in security circles as well. He announced LKRG at the end of January as "our most controversial project ever". The 0.0 release that was announced was "quite sloppy", Peslyak said in a LKRG 0.1 release announcement on February 9; principal developer Adam "pi3" Zabrocki cleaned things up and added some new features based on ten days of feedback.

  • The strange story of the ARM Meltdown-fix backport

    Alex Shi's posting of a patch series backporting a set of Meltdown fixes for the arm64 architecture to the 4.9 kernel might seem like a normal exercise in making important security fixes available on older kernels. But this case raised a couple of interesting questions about why this backport should be accepted into the long-term-support kernels — and a couple of equally interesting answers, one of which was rather better received than the other.

    The Meltdown vulnerability is most prominent in the x86 world, but it is not an Intel-only problem; some (but not all) 64-bit ARM processors suffer from it as well. The answer to Meltdown is the same in the ARM world as it is for x86 processors: kernel page-table isolation (KPTI), though the details of its implementation necessarily differ. The arm64 KPTI patches entered the mainline during the 4.16 merge window. ARM-based systems notoriously run older kernels, though, so it is natural to want to protect those kernels from these vulnerabilities as well.

    When Shi posted the 4.9 backport, stable-kernel maintainer Greg Kroah-Hartman responded with a pair of questions: why has a separate backport been done when the Android Common kernel tree already contains the Meltdown work, and what sort of testing has been done on this backport? In both cases, the answer illustrated some interesting aspects of how the ARM vendor ecosystem works.

More in Tux Machines

Linux 4.18 RC2 Released From China

  • Linux 4.18-rc2
    Another week, another -rc. I'm still traveling - now in China - but at least I'm doing this rc Sunday _evening_ local time rather than _morning_. And next rc I'll be back home and over my jetlag (knock wood) so everything should be back to the traditional schedule.

    Anyway, it's early in the rc series yet, but things look fairly normal. About a third of the patch is drivers (drm and s390 stand out, but there's networking and block updates too, and misc noise all over). We also had some of the core dma files move from drivers/base/dma-* (and lib/dma-*) to kernel/dma/*. We sometimes do code movement (and other "renaming" things) after the merge window simply because it tends to be less disruptive that way.

    Another 20% is under "tools" - mainly due to some selftest updates for rseq, but there's some turbostat and perf tooling work too.

    We also had some noticeable filesystem updates, particularly to cifs. I'm going to point those out, because some of them probably shouldn't have been in rc2. They were "fixes" not in the "regressions" sense, but in the "missing features" sense. So please, people, the "fixes" during the rc series really should be things that are _regressions_. If it used to work, and it no longer does, then fixing that is a good and proper fix. Or if something oopses or has a security implication, then the fix for that is a real fix. But if it's something that has never worked, even if it "fixes" some behavior, then it's new development, and that should come in during the merge window. Just because you think it's a "fix" doesn't mean that it really is one, at least in the "during the rc series" sense.

    Anyway, with that small rant out of the way, the rest is mostly arch updates (x86, powerpc, arm64, mips), and core networking. Go forth and test. Things look fairly sane, it's not really all that scary. Shortlog appended for people who want to scan through what changed.

    Linus

  • Linux 4.18-rc2 Released With A Normal Week's Worth Of Changes
    Due to traveling in China, Linus Torvalds has released the Linux 4.18-rc2 kernel a half-day ahead of schedule, but overall things are looking good for Linux 4.18.

A GTK+ 3 update

  • A GTK+ 3 update
    When we started development towards GTK+ 4, we laid out a plan that said GTK+ 3.22 would be the final, stable branch of GTK+ 3. And we’ve stuck to this for a while. It has served us reasonably well — GTK+ 3 stopped changing in drastic ways, which was well-received, and we are finally seeing applications moving from GTK+ 2.
  • GTK+ 3.24 To Deliver Some New Features While Waiting For GTK4
    While the GNOME tool-kit developers have been hard at work on GTK4 roughly the past two years and have kept GTK3 frozen at GTK+ 3.22, a GTK+ 3.24 release is now being worked on to deliver some new features until GTK+ 4.0 is ready to be released. While GTK+ 4.0 is shaping up well and GTK+ 3.22 was planned to be the last GTK3 stable release, the developers have had second thoughts due to GTK+ 4 taking time to mature. Some limited new features are being offered up in the GTK+ 3.24 release to debut this September.

Finally: First stable release of KBibTeX for KDE Frameworks 5

After almost exactly two years of being work-in-progress, the first stable release of KBibTeX for KDE Frameworks 5 has been published! You can grab the sources at your local KDE mirror. Some distributions like ArchLinux already ship binary packages. After one beta and one release candidate, now comes the final release. You may wonder why this release gets version number 0.8.1 but not 0.8 as expected. This is simply due to the fact that I noticed a bug in CMakeLists.txt when computing version numbers which did not work if the version number just had two fields, i.e. no ‘patch’ version. As the code and the tag of 0.8 was already pushed, I had no alternative than to fix the problem and increase the version number. Otherwise, the ChangeLog (alternative view) is virtually unchanged compared to the last pre-release.