
Security News

Filed under
Security
  • Security advisories for Thursday
  • More information about Dirty COW (aka CVE-2016-5195)

    The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.

  • CVE-2016-5195

    My prior post showed my research from earlier in the year at the 2016 Linux Security Summit on kernel security flaw lifetimes. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Due to their rarity, the Critical bug average has now jumped from 3.3 years to 5.2 years. There aren’t many, but, as I mentioned, they still exist, whether you know about them or not. CVE-2016-5195 was sitting on everyone’s machine when I gave my LSS talk, and there are still other flaws on all our Linux machines right now. (And, I should note, this problem is not unique to Linux.) Dealing with knowing that there are always going to be bugs present requires proactive kernel self-protection (to minimize the effects of possible flaws) and vendors dedicated to updating their devices regularly and quickly (to keep the exposure window minimized once a flaw is widely known).

  • “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

    While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

  • Linux users urged to protect against 'Dirty COW' security flaw

    Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed 'Dirty COW'.

    This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild.

    Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used.

    "The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.

  • Hackers Hit U.S. Senate GOP Committee

    The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC).

    [...]

    Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software.

    De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data.

    According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published.

    But De Groot said the hackers behind this scheme are continuing to find new sites to compromise.

    “Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”

  • Thoughts on the BTB Paper

    The Branch Target Buffer (BTB) whitepaper presents some interesting information. It details potential side-channel attacks by utilizing timing attacks against the branch prediction hardware present in Intel Haswell processors. The article does not mention Intel processors later than Haswell, such as Broadwell or Skylake.

    Side-channel attacks are always interesting and fun. Indeed, the authors have stumbled into areas that need more research. Their research can be applicable in certain circumstances.

    As a side-note, KASLR in general is rather weak and can be considered a waste of time[1]. The discussion why is outside the scope of this article.

Linux users urged to protect against 'Dirty COW' security flaw

Filed under
Linux
Red Hat
Security

Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed 'Dirty COW'.

This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild.

Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used.

"The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.

Also: New Debian Linux Kernel Update Addresses "Dirty COW" Bug, Three Security Issues

Why Security Distributions Use Debian

Filed under
Security
Debian

What do distributions like Qubes OS, Subgraph, Tails, and Whonix have in common? Besides an emphasis on security and privacy, all of them are Debian derivatives -- and, probably, this common origin is not accidental.

At first, this trend seems curious. After all, other distributions ranging from Slackware and Gentoo to Arch Linux all emphasize security and privacy in their selection of tools. In particular, Fedora's SELinux can be so restrictive that some users would rather disable it than learn how to configure it. By contrast, while Debian carries many standard security and privacy tools, it has seldom emphasized them.

Similarly, Debian's main branch consists of only free and open source software, its contrib and non-free branches not being official parts of the distribution. With many security experts favoring the announcement of vulnerabilities and exploit code rather than relying on security through obscurity, the way that many pieces of proprietary software do, this transparency has obvious appeal.

Yet although the advantage of free software to security and privacy is that the code can be examined for backdoors and malware, this advantage is hardly unique to Debian. To one degree or another, it is shared by all Linux distributions.

More from Susan: Why Use Linux, Systemd Complications, Debian's Security

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Security bug lifetime

    In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.

  • Reproducible Builds: week 77 in Stretch cycle

    After discussions with HW42, Steven Chamberlain, Vagrant Cascadian, Daniel Shahaf, Christopher Berg, Daniel Kahn Gillmor and others, Ximin Luo has started writing up more concrete and detailed design plans for setting SOURCE_ROOT_DIR for reproducible debugging symbols, buildinfo security semantics and buildinfo security infrastructure.

  • Veracode security report finds open source components behind many security vulnerabilities [Ed: not a nice firm]

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Tuesday's security updates
  • Critical flaws found in open-source encryption software VeraCrypt [Ed: TrueCrypt was never really FOSS]

    A new security audit has found critical vulnerabilities in VeraCrypt, an open-source, full-disk encryption program that's the direct successor of the widely popular, but now defunct, TrueCrypt.

    Users are encouraged to upgrade to VeraCrypt 1.19, which was released Monday and includes patches for most of the flaws. Some issues remain unpatched because fixing them requires complex changes to the code and in some cases would break backward compatibility with TrueCrypt.

    However, the impact of most of those issues can be avoided by following the safe practices mentioned in the VeraCrypt user documentation when setting up encrypted containers and using the software.

  • Veracode: open source is creating 'systematic risks' across companies and industries [Ed: this company routinely smears FOSS]

    SECURITY FIRM VERACODE has released a damning report into open source and third-party software components and warned that, for example, almost all Java applications are blighted with at least one problem.

  • Why is Java so insecure? Buggy open source components take the blame

    Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

    Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

  • Parrot Security 3.2 “CyberSloop” Ethical Hacking Linux Distro Available For Download

    Earlier this year, I prepared a list of the top operating systems used for ethical hacking purposes. In that list, Parrot Security OS ranked at #2. It’s developed by Frozenbox Network and released under the GNU/GPL v3 license. A couple of days ago, Parrot Security 3.2 ethical hacking Linux distro arrived. The new version of this popular operating system is codenamed CyberSloop and it’s based on the Debian GNU/Linux 9 Stretch.

    Parrot Security 3.1 version arrived long back in July. Compared to that, the new version has taken a while due to some buggy packages in the Debian Testing repository that Parrot Security team had to fix themselves. In particular, the bug being discussed here is the latest GTK updates that broke the MATE interface.

  • Linux-run IoT devices under attack by NyaDrop [Ed: Devices with open ports and identical passwords across the board are not secure; not “Linux” issue]

    Internet of Things (IoT) devices running on the open-source Linux OS are under attack from NyaDrop.

    The attack loads malware on IoT devices lacking appropriate security after brute forcing default login credentials, according to a report by David Bisson for Graham Cluley Security News. The code achieves this by parsing its list of archived usernames and passwords. Once authenticated, NyaDrop is installed. The lightweight binary then loads other malware onto the infected device.

Canonical Now Offering Live Kernel Patching Services, Free for Up to Three PCs

Filed under
Security
Ubuntu

Today, October 18, 2016, Canonical informs us, through Dustin Kirkland, about a new interesting feature for Ubuntu Linux, which users can enable on their current installations.

Also: Canonical Rolls Out Its Own Kernel Livepatching Service For Ubuntu

Security News

Filed under
Security
  • Security advisories for Monday
  • NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware

    A Linux threat known as NyaDrop is exploiting a lack of security in Internet of Things (IoT) devices to infect them with malware.

    A NyaDrop attack begins with the threat attempting to brute force the default login credentials of internet-exposed IoT devices running Linux. It does so by running through its list of stored usernames and passwords, a collection which is no doubt similar to that of the Mirai botnet.

  • Smart cities: 5 security areas CIO should watch

    New worms designed to attach to IoT devices will emerge, and they could wreak more havoc given the extended reach of the new converged networks.

    Conficker is an example of a worm that spread on PCs in 2008 and is still persistent and prevalent in 2016.

    Likewise, worms and viruses that can propagate from device to device can be expected to emerge – particularly with mobile and the Android operating system.

    Embedded worms will spread by leveraging and exploiting vulnerabilities in the growing IoT and mobile attack surface. The largest botnet FortiGuard labs has witnessed is in the range of 15 million PCs.

Happy 15th Birthday Red Hat Product Security

Filed under
Red Hat
Security

This summer marked 15 years since we founded a dedicated Product Security team for Red Hat. While we often publish information in this blog about security technologies and vulnerabilities, we rarely give an introspection into the team itself. So I’d like, if I may, to take you on a little journey through those 15 years and call out some events that mean the most to me, particularly what’s changed and what’s stayed the same. In the coming weeks some other past and present members of the team will be giving their anecdotes and opinions too. If you have a memory of working with our team, we’d love to hear about it; you can add a comment here or tweet me.
