Security

Security: Updates, UEFI 'Secure' Boot, Memcached DDoS, Security in the Modern Data Center and the Latest FOSS From Sonatype

Filed under
Security
  • Security updates for Friday
  • [Slackware] Security updates for OpenJDK 7 and 8
  • The Linux Kernel Prepares To Be Further Locked Down When Under UEFI Secure Boot

    For more than the past year we have reported on kernel work to further lock down the Linux kernel with UEFI Secure Boot and it's looking now like that work may finally be close to being mainlined.

    Among the further restrictions that would be placed on the Linux kernel when running with UEFI Secure Boot enabled is blocking access to kernel module parameters that end up dealing with hardware settings, blocking access to some areas of /dev that could manipulate the kernel or hardware state, etc.

  • Memcached DDoS: The biggest, baddest denial of service attacker yet

    We've been seeing a rise of ever bigger Distributed Denial of Service (DDoS) attacks for years now. But, now a new attack method, Memcrashed, can blast your site with over a terabyte of traffic. Good luck standing up to that volume of abuse!

    Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It's commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It's the program that enables them to handle their massive data I/O. It's also used by many to cache their web-server-session data to speed up their sites -- and that's where the trouble starts.

  • Security in the Modern Data Center
  • One in Eight Open Source Components Contain Flaws [Ed: What about proprietary software? Not worth ever debating in the media? Phil Muncaster uses dramatic headline as a form of marketing for Sonatype.]

    For example, 145,000 downloads of vulnerable versions of Apache Commons Collections were recorded in the UK in 2017 – vulnerabilities connected to ransomware attacks in the wild.

What's New in Qubes 4

Filed under
OS
Security

I've been using Qubes as my primary desktop for more than two years, and I've written about it previously in my Linux Journal column, so I was pretty excited to hear that Qubes was doing a refactor of its own in the new 4.0 release. As with most refactors, this one caused some past features to disappear throughout the release candidates, but starting with 4.0-rc4, the release started to stabilize with a return of most of the features Qubes 3.2 users were used to. That's not to say everything is the same. In fact, a lot has changed both on the surface and under the hood.

Although Qubes goes over all of the significant changes in its Qubes 4 changelog, instead of rehashing every low-level change, I want to highlight just some of the surface changes in Qubes 4 and how they might impact you whether you've used Qubes in the past or are just now trying it out.

Security: FOSS Updates, PS4 and Media Trying to Associate FOSS With Crime

Filed under
Security

Security: ARPAnet, Android, Intel, Cryptojacking and More

Filed under
Security
  • "Nobody cared about security"

    In the long run, however, the more significant reason why the ARPAnet and early Internet lacked security was not that it wasn't needed, nor that it would have made development of the network harder, it was that implementing security either at the network or the application level would have required implementing cryptography. At the time, cryptography was classified as a munition. Software containing cryptography, or even just the hooks allowing cryptography to be added, could only be exported from the US with a specific license. Obtaining a license involved case-by-case negotiation with the State Department. In effect, had security been a feature of the ARPAnet or the early Internet, the network would have to have been US-only. Note that the first international ARPAnet nodes came up in 1973, in Norway and the UK.

  • The 10 best ways to secure your Android phone

    The most secure smartphones are Android smartphones. Don't buy that? Apple's latest version of iOS 11 was cracked a day -- a day! -- after it was released.

    So Android is perfect? Heck no!

    Android is under constant attack and older versions are far more vulnerable than new ones. Way too many smartphone vendors still don't issue Google's monthly Android security patches in a timely fashion, or at all. And, zero-day attacks still pop up.

  • Not Getting Android OS Updates? Here’s How Google Is Updating Your Device Anyway

    Android updates are still a point of contention among die-hard fans, because most manufacturers don’t keep updated with the latest offerings from Google. But just because your phone isn’t getting full OS updates doesn’t mean it’s totally out of date.

    While some major features still require full version updates, Google has a system in place that keeps many handsets at least somewhat relevant with Google Play Services. The company can squash certain bugs and even introduce new features just by updating Play Services.

  • Intel Finally Releases Spectre Patches for Broadwell and Haswell Processors
  • How to Defend Servers Against Cryptojacking

    Cryptojacking has become one of the most active and pervasive threats in recent years. In a cryptojacking attack, a cryptocurrency mining script is injected into a server or a webpage to take advantage of the victim system's CPU power.

  • 8 Startups Raise Money to Secure Everything From ICS to Home Networks
  • Sonatype Makes Nexus Firewall Available to 10 Million Developers

Security: Updates, Open Source Security Podcast, PGP, and 'DevSecOps'

Filed under
Security

Security: “Medjacking”, Exploding e-Cigarettes, and Linux FUD

Filed under
Security
  • “Medjacked”: Could Hackers Take Control of Pacemakers and Defibrillators—or Their Data?

    Are high-tech medical devices vulnerable to hacks? Hackers have targeted them for years, according to a new article in the Journal of the American College of Cardiology. But Dr. Dhanunjaya Lakkireddy, senior author of the paper, says hackers have harmed no one so far.

  • Exploding e-Cigarettes Are a Growing Danger to Public Health

    Whatever their physiological effects, the most immediate threat of these nicotine-delivery devices comes from a battery problem called thermal runaway

    [...]

    Exploding cigarettes sound like a party joke, but today’s version isn’t funny at all. In fact, they are a growing danger to public health. Aside from mobile phones, no other electrical device is so commonly carried close to the body. And, like cellphones, e-cigarettes pack substantial battery power. So far, most of the safety concerns regarding this device have centered on the physiological effects of nicotine and of the other heated, aerosolized constituents of the vapor that carries nicotine into the lungs. That focus now needs to be widened to include the threat of thermal runaway in the batteries, especially the lithium-ion variety.

  • Uh, oh! Linux confuses Bleeping Computer again

    The tech website Bleeping Computer, which carries news about security and malware, has once again demonstrated that when it comes to Linux, its understanding of security is somewhat lacking.

    What makes the current case surprising is the fact that the so-called security issue which the website chose to write about had already been ripped to pieces by senior tech writer Steven J. Vaughan-Nichols four days earlier.

    Called Chaos, the vulnerability was touted by a firm known as GoSecure as one that would allow a backdoor into Linux servers through SSH.

  • Are Mac and Linux users safe from ransomware?

    Ransomware is currently not much of a problem for Linux systems. A pest discovered by security researchers is a Linux variant of the Windows malware ‘KillDisk’. However, this malware has been noted as being very specific, attacking high-profile financial institutions and also critical infrastructure in Ukraine. Another problem here is that the decryption key that is generated by the program to unlock the data is not stored anywhere, which means that any encrypted data cannot be unlocked, whether the ransom is paid or not. Data can still sometimes be recovered by experts like Ontrack; however, timescales, difficulty and success rates depend on the exact situation and strain of ransomware.

Security: Updates, Reproducible Builds, Spectre/Meltdown, 'Serverless' Security

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: Weekly report #148
  • Fixing Spectre/Meltdown in [Slackware] 14.2
  • Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

    Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws.

    Republican members of the House Energy and Commerce Committee sent letters to the seven in January, to seek answers about the reasons they chose not to disclose the flaws and whether they felt their actions were responsible and safe.

    All the letters go over old ground: Google Project Zero spotted the design errors, told Intel, which formed a cabal comprising itself, Google, AMD, Arm, Apple, Amazon and Microsoft. The gang of seven decided that Project Zero's 90-day disclosure deadline had to be extended to January, then spoke to others to help them prepare fixes. But stray posts and sharp-eyed Reg hacks foiled that plan as we broke the news on January 3rd.

  • Serverless Security: What's Left to Protect? [Ed: "Serverless" is a junk buzzword; it's server-'full' and it just means passing one's server or control/access to that server to some other company, which occasionally gets cracked too.]

    Serverless is an exciting development in the modern infrastructure world. It brings with it the promise of dramatically reduced system costs, simpler and cheaper total cost of ownership, and highly elastic systems that can seamlessly scale to what old-timers (like me) call a “Slashdot moment” – a large and immediate spike in traffic.

    The cost savings Serverless offers greatly accelerated its rate of adoption, and many companies are starting to use it in production, coping with less mature dev and monitoring practices to get the monthly bill down. Such a trade off makes sense when you balance effort vs reward, but one aspect of it is especially scary – security.

    This article aims to provide a broad understanding of security in the Serverless world. We’ll consider the ways in which Serverless improves security, the areas where it changes security, and the security concerns it hurts.

Security: Spectre & Meltdown Fixes/Optimizations, 'SecOps', Harvesting Passwords by Mistake and More

Filed under
Security
  • Linux 4.16 Receives More Spectre & Meltdown Fixes/Optimizations

    The in-development Linux 4.16 kernel has already received a few rounds of updates for the mitigation work on the Spectre and Meltdown CPU vulnerabilities while more is on the way.

    Thomas Gleixner today sent in another batch of "x86/pti" updates for Linux 4.16 in further addressing these CPU security vulnerabilities that were made public in early January.

  • SecOps Spends Its Days Monitoring

    Developers, Security and Operations: DevSecOps. The operations part of the term usually refers to IT operations. However, today narrows in on SecOps, those who work in security operations centers (SOCs) and cyber incident response teams (CIRTs). The Cyentia Institute’s survey of 160 of these security analysts shows they face some of the same challenges developers and IT operations teams do. They spend more time on monitoring than any other activity, but they would much rather solve problems and “hunt” new threats. SecOps does not like reporting or something called Shift Ops — the actual details of change control and making sure the team doesn’t burn out. Given the shortage of information security professionals, it is concerning that only 45 percent of respondents said their job experience was meeting their expectations.

  • Covert 'Replay Sessions' Have Been Harvesting Passwords by Mistake

    Bulk data collection is always a privacy red flag. But the Princeton research group that first published findings about session replay scripts has uncovered a troubling series of situations where seemingly well-intentioned safeguards fail, leading to an unacceptable level of exposure.

  • How to Check if Your Password Has Been Stolen
  • More than half of IT pros believe their organization was breached at least once in 2017

Security: Updates, Back Doors, ASLR on Linux, Olympic Destroyer, Let's Encrypt

Filed under
Security
  • Security updates for Monday
  • Developer gets prison after admitting backdoor was made for malice

    An Arkansas man has been sentenced to serve almost three years in federal prison for developing advanced malware that he knew would be used to steal passwords, surreptitiously turn on webcams, and conduct other unlawful actions on infected computers.

  • New bypass and protection techniques for ASLR on Linux

    Many important application functions are implemented in user space. Therefore, when analyzing the ASLR implementation mechanism, we also analyzed part of the GNU Libc (glibc) library, during which we found serious problems with stack canary implementation. We were able to bypass stack canary protection and execute arbitrary code by using ldd.

    This whitepaper describes several methods for bypassing ASLR in the context of application exploitation.

  • Who Wasn’t Responsible for Olympic Destroyer?

    Evidence linking the Olympic Destroyer malware to a specific threat actor group is contradictory, and does not allow for unambiguous attribution. The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers to false attribution flags. This false attribution could embolden an adversary to deny an accusation, publicly citing evidence based upon false claims by unwitting third parties. Attribution, while headline grabbing, is difficult and not an exact science. This must force one to question purely software-based attribution going forward.

  • A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation

    Earlier this month, Let's Encrypt (the free, automated, open Certificate Authority EFF helped launch two years ago) passed a huge milestone: issuing over 50 million active certificates. And that number is just going to keep growing, because in a few weeks Let's Encrypt will also start issuing “wildcard” certificates—a feature many system administrators have been asking for.

Spectre and Meltdown Mitigations Now Available for FreeBSD and OpenBSD Systems

Filed under
Security
BSD

More than a month since their public disclosure, the nasty Meltdown and Spectre security vulnerabilities have now been fixed for various BSD operating systems including FreeBSD and OpenBSD.

FreeBSD announced last month that it was made aware of the Spectre and Meltdown security vulnerabilities discovered by various researchers from Google's Project Zero, Graz University of Technology, Cyberus Technology, and others in late December 2017 to have time to fix them for their BSD-powered operating system.

Also: Pledge: OpenBSD’s defensive approach to OS Security

More in Tux Machines

Linux 4.17-rc7

So this week wasn't as calm as the previous weeks have been, but despite that I suspect this is the last rc. This week we had the whole "spectre v4" thing, and yes, the fallout from that shows up as part of the patch and commit log. But it's not actually dominant: the patch is pretty evenly one third arch updates, one third networking updates, and one third "rest". The arch updates are largely - although not exclusively - spectre v4. The networking stuff is mostly network drivers, but there's some core networking too. And "the rest" is just that - misc drivers (rdma, gpu, other), documentation, some vfs, vm, bpf, tooling.. The bulk of it is really pretty trivial one-liners, and nothing looks particularly scary. Let's see how next week looks, but if nothing really happens I suspect we can make do without an rc8. Shortlog appended as usual. Go out and test.

Libre Hardware

  • Flash your Libre Firmware with a Libre Programmer
    Whether or not you personally agree with all the ideals of the Free Software Foundation (FSF), you’ve got to give them credit: they don’t mess around. They started by laying the groundwork for a free and open source operating system, then once that dream was realized, started pushing the idea of replacing proprietary BIOS firmware with an open alternative such as Libreboot. But apparently, even that’s not enough, as there’s still more freedom to be had. We’re playing 4D Libre Chess now, folks. [...] Luckily, the FSF has just awarded the Zerocat Chipflasher their “Respects Your Freedom” certification, meaning every element of the product is released under a free license for your hacking enjoyment.
  • Coreboot Picks Up Support For Another Eight Year Old Intel Motherboard
    If by chance you happen to have an Intel DG41WV motherboard, it's now supported by mainline Coreboot so you can free the system down to the BIOS. The DG41WV motherboard comes from the LGA-775 days with an Intel G41 Eaglelake chipset back when DDR3-1066 was great, motherboards topped out with 4GB of RAM, four USB 2.0 ports were suitable, and motherboard PCBs were much less fashionable. The DG41WV was a micro-ATX board and a decent choice for the times to pair with a CPU like the Core 2 Duo or Core 2 Quad.

Events: KubeCon, openSUSE Conference 2018 and Hacker Summer Camp 2018

  • Diversity, education, privilege and ethics in technology
    And that is the ultimate fraud: to make the world believe we are harmless little boys, so repressed that we can't communicate properly. We're so sorry we're awkward, it's because we're all somewhat on the autism spectrum. Isn't that, after all, a convenient affliction for people that would not dare to confront the oppression they are creating? It's too easy to hide behind such a real and serious condition that does affect people in our community, but also truly autistic people that simply cannot make it in the fast-moving world the magical rain man is creating. But the real con is hacking power and political control away from traditional institutions, seen as too slow-moving to really accomplish the "change" that is "needed". We are creating an inextricable technocracy that no one will understand, not even us "experts". Instead of serving the people, the machine is at the mercy of markets and powerful oligarchs. A recurring pattern at Kubernetes conferences is the KubeCon chant where Kelsey Hightower reluctantly engages the crowd in a pep chant: When I say 'Kube!', you say 'Con!' 'Kube!' 'Con!' 'Kube!' 'Con!' 'Kube!' 'Con!' Cube Con indeed... I wish I had some wise parting thoughts of where to go from here or how to change this. The tide seems so strong that all I can do is observe and tell stories. My hope is that the people that need to hear this will take it the right way, but I somehow doubt it. With chance, it might just become irrelevant and everything will fix itself, but somehow I fear things will get worse before they get better.
  • openSUSE Conference 2018
    This year's openSUSE conference was held in Prague and, thanks to both my employer and the openSUSE conference organizers, I've been able to spend almost a full day there. I headed to Prague with a Fleet Commander talk accepted and, as openSUSE Leap 15.0 was released yesterday, also with the idea to show an unattended ("express") installation of the "as fresh as possible" Leap 15.0 happening on GNOME Boxes. The conference was not so big, which helped to easily spot some old friends (Fridrich Strba, seriously? Meeting you after almost 7 years ... I have no words to describe my happiness on seeing you there!), some known faces (as Scott, with whom I just meet at conferences :-)) and also meet some people who either helped me a lot in the past (here I can mention the whole autoyast team who gave me some big support when I was writing down the autoinst.xml for libosinfo, which provides the support to do openSUSE's express installations via GNOME Boxes) or who have some interest in some of the work I've been doing (as Richard Brown, who's a well-known figure around the SUSE/openSUSE community, a GNOME Boxes user and also an enthusiastic supporter of our work done in libosinfo/osinfo-db).
  • Hacker Summer Camp 2018: Prep Guide
    For those unfamiliar with the term, Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It’s the largest gathering of hackers, information security professionals and enthusiasts, and has been growing for 25 years. In this post, I’ll present my views on how to get the most out of your 2018 trip to the desert, along with tips & points from some of my friends.