Language Selection

English French German Italian Portuguese Spanish

Security

MongoDB Misconfiguration and Ransom, NSA Windows Cracking

Filed under
Security

Security News

Filed under
Security
  • 6 ways to secure air-gapped computers from data breaches

    How do you avoid this? Depending upon the nature of the data contained within the air-gapped system, you should only allow certain staff members access to the machine. This might require the machine to be locked away in your data center or in a secured room on the premises. If you don't have a data center or a dedicated room that can be locked, house the computer in the office of a high-ranking employee.

  • Possibly Smart, Possibly Stupid, Idea Regarding Tor & Linux Distributions

    I will admit that I have not fully thought this through yet, so I am
    writing this in the hope that other folk will follow up, share their
    experiences and thoughts.

    So: I have installed a bunch of Tor systems in the past few months -
    CentOS, Ubuntu, Raspbian, Debian, OSX-via-Homebrew - and my abiding
    impression of the process is one of "friction".

    Before getting down to details, I hate to have to cite this but I have been
    a coder and paid Unix sysadmin on/off since 1988, and I have worked on
    machines with "five nines" SLAs, and occasionally on boxes with uptimes of
    more than three years; have also built datacentres for Telcos, ISPs and
    built/setup dynamic provisioning solutions for huge cluster computing. The
    reason I mention this is not to brag, but to forestall

  • [Older] Introducing rkt’s ability to automatically detect privilege escalation attacks on containers

    Intel's Clear Containers technology allows admins to benefit from the ease of container-based deployment without giving up the security of virtualization. For more than a year, rkt's KVM stage1 has supported VM-based container isolation, but we can build more advanced security features atop it. Using introspection technology, we can automatically detect a wide range of privilege escalation attacks on containers and provide appropriate remediation, making it significantly more difficult for attackers to make a single compromised container the beachhead for an infrastructure-wide assault.

  • Diving back into coreboot development

    Let me first introduce myself: I’m Youness Alaoui, mostly known as KaKaRoTo, and I’m a Free/Libre Software enthusiast and developer. I’ve been hired by Purism to work on porting coreboot to the Librem laptops, as well as to try and tackle the Intel ME issue afterwards.

    I know many of you are very excited about the prospect of having coreboot running on your Librem and finally dropping the proprietary AMI BIOS that came with it. That’s why I’ll be posting reports here about progress I’m making—what I’ve done so far, and what is left to be done.

  • Web databases hit in ransom attacks

    Gigabytes of medical, payroll and other data held in MongoDB databases have been taken by attackers, say security researchers.

  • Why HTTPS for Everything?

    HTTPS enables privacy and integrity by default. It is going to be next big thing. The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic. Ultimately, the goal of the internet community is to establish encryption as the norm, and to phase out unencrypted connections. Investing in HTTPS makes it faster, cheaper, and easier for everyone.

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Linux KillDisk Ransomware Can't Decrypt

    Disk-wiping malware known as KillDisk, which has previously been used in hack attacks tied to espionage operations, has been given an update. Now, the malware works on Linux as well as Windows systems and also includes the ability to encrypt files, demand a bitcoin ransom and leave Linux systems unbootable.

  • GNU Officially Boots Libreboot

    FSF and GNU decide to grant Libreboot lead developer Leah Rowe’s wishes. The project is no longer a part of GNU says RMS.

Security News

Filed under
Security

Security News

Filed under
Security
  • 8 Docker security rules to live by

    Odds are, software (or virtual) containers are in use right now somewhere within your organization, probably by isolated developers or development teams to rapidly create new applications. They might even be running in production. Unfortunately, many security teams don’t yet understand the security implications of containers or know if they are running in their companies.

    In a nutshell, Linux container technologies such as Docker and CoreOS Rkt virtualize applications instead of entire servers. Containers are superlightweight compared with virtual machines, with no need for replicating the guest operating system. They are flexible, scalable, and easy to use, and they can pack a lot more applications into a given physical infrastructure than is possible with VMs. And because they share the host operating system, rather than relying on a guest OS, containers can be spun up instantly (in seconds versus the minutes VMs require).

  • Zigbee Writes a Universal Language for IoT

    The nonprofit Zigbee Alliance today unveiled dotdot, a universal language for the Internet of Things (IoT).

    The group says dotdot takes the IoT language at Zigbee’s application layer and enables it to work across different networking technologies.

  • $25,000 Prize Offered in FTC IoT Security Challenge

    It appears as if the Federal Trade Commission is getting serious about Internet of Things security issues -- and it wants the public to help find a solution. The FTC has announced a contest it's calling the "IoT Home Inspector Challenge." What's more, there's a big payoff for the winners, with the Top Prize Winner receiving up to $25,000 and each of a possible three "honorable Mentions" getting $3,000. Better yet, winners don't have to fork over their intellectual property rights, and will retain right to their submissions.

    Of course, the FTC is a federal agency, and with a change of administrations coming up in a couple of weeks, it hedges its bet a bit with a caveat: "The Sponsor retains the right to make a Prize substitution (including a non-monetary award) in the event that funding for the Prize or any portion thereof becomes unavailable." In other words, Obama has evidently given the go-ahead, but they're not sure how Trump will follow through.

  • LG threatens to put Wi-Fi in every appliance it releases in 2017

    In the past few years, products at CES have increasingly focused on putting the Internet in everything, no matter how "dumb" the device in question is by nature. It's how we've ended up with stuff like this smart hairbrush, this smart air freshener, these smart ceiling fans, or this $100 pet food bowl that can order things from Amazon.

  • Ex-MI6 Boss: When It Comes To Voting, Pencil And Paper Are 'Much More Secure' Than Electronic Systems

    Techdirt has been worried by problems of e-voting systems for a long time now. Before, that was just one of our quaint interests, but over the last few months, the issue of e-voting, and how secure it is from hacking, specifically hacking by foreign powers, has become a rather hot topic. It's great that the world has finally caught up with Techdirt, and realized that e-voting is not just some neat technology, and now sees that democracy itself is at play. The downside is that because the stakes are so high, the level of noise is too, and it's really hard to work out how worried we should be about recent allegations, and what's the best thing to do on the e-voting front.

  • Five things that got broken at the oldest hacking event in the world

    Chaos Communications Congress is the world’s oldest hacker conference, and Europe’s largest. Every year, thousands of hackers gather in Hamburg to share stories, trade tips and discuss the political, social and cultural ramifications of technology.

    As computer security is a big part of the hacker world, they also like to break things. Here are five of the most important, interesting, and impressive things broken this time.

Security News

Filed under
Security
  • KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
  • KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
  • lecture: What could possibly go wrong with (insert x86 instruction here)? [Ed: video]

    Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.

    When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • MongoDB Data Being Held For Ransom

    If you're using MongoDB, you might want to check to make sure you have it configured properly -- or better yet, that you're running the latest and greatest -- to avoid finding it wiped and your data being held for ransom.

    A hacker who goes by the name Harak1r1 is attacking unprotected MongoDB installations, wiping their content and installing a ransom note in place of the the stolen data. The cost to get the data returned is 0.2 bitcoin, which comes to about $203. If that sounds cheap, it isn't. Not if you're deploying multiple Mongo databases and they all get hit -- which has been happening.

Security News

Filed under
Security

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Musl 1.1.16 Released, Fixes CVE Integer Overflow, s390x Support

    A new version of the musl libc standard library is available for those interested in this lightweight alternative to glibc and others.

    Musl 1.1.16 was released to fix CVE-2016-8859, an under-allocation bug in regexec with an integer overflow. Besides this CVE, Musl 1.1.16 improves overflow handling as part of it and has also made other noteworthy bug fixes.

  • musl 1.1.16 release
  • Looks like you have a bad case of embedded libraries

    A long time ago pretty much every application and library carried around its own copy of zlib. zlib is a library that does really fast and really good compression and decompression. If you’re storing data or transmitting data, it’s very likely this library is in use. It’s easy to use and is public domain. It’s no surprise it became the industry standard.

  • Deprecation of Insecure Algorithms and Protocols in RHEL 6.9

    Cryptographic protocols and algorithms have a limited lifetime—much like everything else in technology. Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. In this post, we will describe the changes planned for the 6.9 release of Red Hat Enterprise Linux 6, which is already on Production Phase 2.

  • lecture: Million Dollar Dissidents and the Rest of Us [Ed: video]

    In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.

    Apple’s updates were the latest chapter in a yearlong investigation by Citizen Lab into a UAE-based threat actor targeting critics of the UAE at home and around the world. In this talk, we will explain how Citizen Lab discovered and tracked this threat actor, and uncovered the first publicly-reported iOS remote jailbreak used in the wild for mobile espionage. Using the NSO case, we will detail some of the tools and techniques we use to track these groups, and how they try to avoid detection and scrutiny. This investigation is Citizen Lab’s latest expose into the abuse of commercial “lawful intercept” malcode.

  • Class Breaks

    There's a concept from computer security known as a class break. It's a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system's software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet.

    It's a particular way computer systems can fail, exacerbated by the characteristics of computers and software. It only takes one smart person to figure out how to attack the system. Once he does that, he can write software that automates his attack. He can do it over the Internet, so he doesn't have to be near his victim. He can automate his attack so it works while he sleeps. And then he can pass the ability to someone­ -- or to lots of people -- ­without the skill. This changes the nature of security failures, and completely upends how we need to defend against them.

GNU/Linux CVEs

Filed under
GNU
Linux
Security
  • Android, Debian & Ubuntu Top List Of CVE Vulnerabilities In 2016[Ed: while Microsoft lies]

    On a CVE basis for the number of distinct vulnerabilities, Android is ranked as having the most vulnerability of any piece of software for 2016 followed by Debian and Ubuntu Linux while coming in behind them is the Adobe Flash Player.

    The CVEDetails.com tracking service has compiled a list of software with the most active CVEs. The list isn't limited to just operating systems but all software with Common Vulnerabilities and Exposures.

  • Using systemd for more secure services in Fedora

    The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability.

    Fedora project leader Matthew Miller noted the blog post and wondered if the RestrictAddressFamilies directive could be more widely applied in Fedora. That directive allows administrators to restrict access to the network address families a service can use. For example, most services do not require the raw packet access that AF_PACKET provides, so turning off access to that will harden those services to some extent. But Miller was also curious if there were other systemd security features that the distribution should be taking advantage of.

Syndicate content

More in Tux Machines

Games for GNU/Linux

Today in Techrights

Why OpenStack is the wrong cloud for Red Hat to be building its future on

Just because one can make money from OpenStack doesn't mean one should. Red Hat, on its recent earnings call, gladly assumed the title of "Red Hat of OpenStack," meaning the "vendor that does certification and confidently allow[s] both hardware and software vendors to participate in the ecosystem." In a similar vein, I've called OpenStack Red Hat's "Linux moment," a chance to productize the growing cloud movement. Read more

Linux 4.10.7

I'm announcing the release of the 4.10.7 kernel. All users of the 4.10 kernel series must upgrade. The updated 4.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.10.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st... Read more Also: Linux 4.9.19 Linux 4.4.58