Security Leftovers

Filed under
Security
  • Click Here to Kill Everyone

    With the Internet of Things, we’re building a world-size robot. How are we going to control it?

  • New open source project Trireme aims to secure containers

    A team of former Cisco and Nuage Networks veterans has developed an open source project, released this week under the name Trireme, that takes an application-centric approach to securing code running in containers.

  • An Introduction to the Shorewall Firewall Tool

    Linux is well known for being a highly secure platform. One of the reasons for that security is the Netfilter system. For those who don’t know, Netfilter is a framework provided by the Linux kernel that allows for various networking operations, such as packet filtering, network address translation, port translation, and blocking packets from reaching specific destinations. On most distributions, Netfilter is configured through the user-space application iptables. Although many would agree that iptables is the most powerful security tool you can work with, with that power comes a level of complexity that stumps many an IT administrator.

    That’s where the likes of Shorewall come into play. Shorewall is an open source firewalling tool that not only makes the task of network security easier but also allows for much easier handling of zones. Shorewall uses zones to define different portions of a network. Say, for instance, you want a private internal network that can only be accessed by specific machines, a guest network that can be accessed by anyone, a network dedicated to production machines, and a network that can be accessed from machines outside your Local Area Network (LAN). With Shorewall, you can easily do this.

Security News

Filed under
Security
  • Thursday's security advisories
  • The design of Chacha20

    Chacha20 is a secure, fast, and amazingly simple encryption algorithm. Its author, Daniel J. Bernstein, explains it well in his Salsa20 and Chacha20 design papers (which I recommend), but did not dwell on details experts already know. Filling the gap took me a while.

    Quick summary: Chacha20 is an ARX-based hash function, keyed, running in counter mode. It embodies the idea that one can use a hash function to encrypt data.

  • Ransomware completely shuts down Ohio town government [iophk: “Microsoft = lost productivity”]

    These sorts of attacks are becoming more commonplace and, as mentioned before, can be avoided with good backup practices. Sadly, not every computer in every hospital, county office or police department is connected to a nicely journaled and spacious hard drive, so these things will happen more and more. Luckily it improves cryptocurrency popularity as these small offices finally give up and buy bitcoin to pay their ransom.

  • Windows DRM Social Engineering Attacks & TorBrowser

    HackerHouse have been investigating social engineering attacks performed with Digital Rights Management (DRM) protected media content. Attackers have been performing these attacks in the wild to spread fake codec installers since Microsoft introduced DRM to its proprietary media formats. Despite their prevalence we could not find many tools to misuse these formats. We found only a small number of blog posts [2] on identifying the files being used to spread malware. We observed some interesting behaviours during our analysis which we have shared here.

    DRM is a licensing technology that attempts to prevent unauthorised distribution and restrictive use of a media file. It works by encrypting the video and audio streams with an encryption key and requesting a license (decryption key) from a network server when the file is accessed. As it requires network connectivity, it can cause users to make network requests without consent when opening a media file such as a video file or audio file.

    WMV uses Microsoft Advanced Systems Format (ASF) to store audio and video as objects. This file format consists of objects that are labelled by GUID and packed together to make a media package. A number of tools such as ffmpeg & ASFView support opening, viewing and browsing these objects. There are three objects with the following GUIDs which are of interest for these attacks.

Linux Kernel 3.12.70 Is a Big Patch with Over 220 Improvements, Security Fixes

Filed under
Linux
Security

Jiri Slaby is announcing the release of the 70th maintenance update to the long-term supported Linux 3.12 kernel series, which will be supported for a few more months in 2017.

Privacy-Focused Tails 2.10 Linux Includes Security Updates, New Tools

Filed under
Linux
Security

The Amnesic Incognito Live System, also known more simply as Tails, is a privacy-focused Linux distribution loaded with tools and features to help users stay somewhat anonymous on the internet. Tails first rose to prominence in 2013 as the Linux distribution used by U.S. National Security Agency (NSA) whistleblower Edward Snowden, and reached the 1.0 milestone in April 2014. The latest Tails release is version 2.10, which became generally available Jan. 24, providing users with security patches and some incremental feature updates. Among the new features in the Tails 2.10 release is the Onion Share anonymous file-sharing tool. Staying anonymous online is a core element of Tails, thanks to the integration with the Tor (The Onion Router) network technology. Tor also is updated in the Tails 2.10 release, to version 0.2.9.9, and the included Tor Browser, which is based on Mozilla's Firefox, is updated to version 6.5. To help protect users against online tracking in advertisements, Tails 2.10 now includes the uBlock Origin plugin with the Tor Browser, replacing the AdBlock Plus plugin that had been in previous releases. This slide show examines the important features of the Tails 2.10 release.

Security News

Filed under
Security
  • Epic Fail: Linux Encryption App, Cryptkeeper, Has Universal Password "p"

    Cryptkeeper is a popular Linux encryption application that’s used to encrypt your valuable data. But it’s not as safe as you think. A bug was recently discovered that allows universal decryption using the single-letter password “p.” Debian developer Simon McVittie has advised the dev team to take it out of Debian altogether.

  • AppArmor - or: Working for the enemy?

    Some weeks ago, someone asked on the opensuse-wiki mailing list if it's acceptable to move documentation (in this case about Icecream) from the openSUSE wiki to the upstream repo on github.

  • Spotting vulnerabilities in your open source code [Ed: Inadequate title because the same issues occur in proprietary software and usually remain unfixed]

    ESET researchers have offered programmers a few tips for spotting vulnerable code and correcting it before it makes its way into your system.

Security News

Filed under
Security

  • You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

    Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

    The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

  • Reproducible Builds: week 92 in Stretch cycle

    John Gilmore wrote an interesting mail about how Cygnus.com worked on reproducible builds in the early 1990s. (It's eye-opening to see how they dealt with basically the very same problems we're dealing with today, how they solved them, and then to realize that most of this has been forgotten and bit-rotted in the last 20 years. How will we prevent history repeating itself here?)

  • MongoDB ransom attacks continue to plague administrators

    Earlier this month, Salted Hash reported on a surge in attacks against publicly accessible MongoDB installations.

    Since January 3, the day of that first report, the number of victims has climbed from about 200 databases to more than 40,000. In addition to MongoDB, those responsible for the attacks have started targeting Elasticsearch and CouchDB.

    No matter the platform being targeted, the message to the victim is the same: send a small Bitcoin payment to the listed address, or forever lose access to your files.

OPNsense 17.1 “Eclectic Eagle” Released

Filed under
Security
BSD

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well as rewritten Nano-style card images that adapt to media size, to name only a few.

Security Leftovers

Filed under
Security
  • Linux.Proxy.10 infects thousands of devices with standard settings
  • 4 ways to improve your security online right now

    Regardless of how monumental a task digital security can seem, you can lay a strong foundation when you get started. Remember that being secure is an ongoing process, rather than a state of being. Keep the tools you use up to date and periodically check your habits and tools to ensure your security is the best it can be. Security doesn't have to be overly complex if you take it one step at a time.

  • Security advisories for Monday
  • Linux Security Threats: Attack Sources and Types of Attacks

    In part 1 of this series, we discussed the seven different types of hackers who may compromise your Linux system. White hat and black hat hackers, script kiddies, hacktivists, nation states, organized crime, and bots are all angling for a piece of your system for their own nefarious/various reasons.

  • OpenSSL issues new patches as Heartbleed still lurks [Ed: Dramatic sensationalism from IDG again, with FUD logo created by a Microsoft-connected firm]

    The OpenSSL Project has addressed some moderate-severity security flaws, and administrators should be particularly diligent about applying the patches since there are still 200,000 systems vulnerable to the Heartbleed flaw.

  • Linux: The 10 best privacy and security distributions

    Privacy has become an important issue for many users as corporations and governments stop at nothing to gather personal information. But Linux users do have some choices when it comes to distributions that help protect their privacy and security.

  • openssh authorized_keys "restrict" option lessens worries

    Starting with OpenSSH 7.2, a new “restrict” option for authorized_keys lines is available. It enables every restriction the current OpenSSH version supports (no-agent-forwarding, no-x11-forwarding, etc.), so new restrictions added in future versions are covered automatically. Individual features can be turned back on with the corresponding new options.
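An added audit script (not from the linked post) that applies authorized_keys options left to right, the way sshd parses them, and reports what each key can still do after `restrict` and any re-enabling options; the sample file and its placeholder key blobs are constructed, and the helper names are mine:

```python
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Capabilities that "restrict" turns off, named by the sshd(8) options that turn them back on.
FEATURES = ("port-forwarding", "agent-forwarding", "x11-forwarding", "pty", "user-rc")


def split_options(line):
    """Return (options, rest_of_line); quoted option values may contain ',' and ' '."""
    if line.split(None, 1)[0].lower().startswith(KEY_TYPE_PREFIXES):
        return [], line                  # line starts with the key type: no options field
    opts, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(line):   # keep escaped characters verbatim
                cur += line[i:i + 2]; i += 2; continue
            in_quote = ch != '"'
            cur += ch
        elif ch == '"':
            in_quote = True; cur += ch
        elif ch == ",":
            opts.append(cur); cur = ""
        elif ch.isspace():               # unquoted whitespace ends the options field
            opts.append(cur)
            return opts, line[i:].lstrip()
        else:
            cur += ch
        i += 1
    return opts + [cur], ""


def effective_permissions(options):
    """Apply options left to right, as sshd does: 'restrict' clears all, 'no-X' clears X, 'X' re-enables X."""
    perms = {f: True for f in FEATURES}      # a line without options allows everything
    for opt in options:
        name = opt.split("=", 1)[0].lower()  # ignore any =value part (e.g. command="...")
        if name == "restrict":
            perms = {f: False for f in FEATURES}
        elif name.startswith("no-") and name[3:] in perms:
            perms[name[3:]] = False
        elif name in perms:
            perms[name] = True
    return perms


def audit(authorized_keys_text):
    """Map each key's comment to the list of capabilities it still has."""
    report = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else fields[1][:12]
        report[comment] = [f for f in FEATURES if effective_permissions(opts)[f]]
    return report


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 admin@laptop
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 backup@nas
restrict,port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 tunnel@jump
restrict,pty,command="rsync --server, --sender ." ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4 rsync@mirror
no-agent-forwarding,no-x11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER5 dev@old-style
"""
```

Lines like the last one, written before `restrict` existed, still leave PTY allocation, port forwarding and ~/.ssh/rc enabled; the report makes that visible next to the lines that use `restrict`.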

Security News

Filed under
Security
  • ATM ‘Shimmers’ Target Chip-Based Cards

    Several readers have called attention to warnings coming out of Canada about a supposedly new form of card skimming called “shimming” that targets chip-based credit and debit cards. Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here’s a brief primer on shimming attacks, and why they succeed.

  • Senior journo slams 'frustrating' Windows 10 updates

    A senior editor at the American technology news website Cnet has slammed Microsoft over what he calls the most "frustrating" thing about Windows 10: the update process that happens automatically and cannot be stopped by users.

    Sean Hollister wrote about issues that he had faced and also problems encountered by a large number of Windows 10 users, all of whom had lost work or been forced to interrupt their schedules due to a Windows 10 update.

  • Does Trump's Old Android Phone Pose Major Security Threat?

    Donald Trump is a big fan of the phones in the White House. “These are the most beautiful phones I’ve ever used in my life,” he told the New York Times in an interview this week. It’s not their aesthetics he’s drawn to, but the security built into the system that ensures no one is tapping his calls.

  • President Trump's Insecure Android

    Once compromised, the phone becomes a bug—even more catastrophic than the Great Seal—able to record everything around it and transmit the information once it reattaches to the network. And to be clear, even a brand new, fully updated Android or iPhone is insufficient: The President of the United States is worth a great many multiples of expensive zero-day exploits.

  • Everything you know about security is wrong, stop protecting your empire!

    Let’s start with AV. A long time ago everyone installed an antivirus application. It’s just what you did, sort of like taking your vitamins. Most people can’t say why, they just know if they didn't do this everyone would think they're weird. Here’s the question for you to think about though: How many times did your AV actually catch something? I bet the answer is very very low, like number of times you’ve seen bigfoot low. And how many times have you seen AV not stop malware? Probably more times than you’ve seen bigfoot. Today malware is big business, they likely outspend the AV companies on R&D. You probably have some control in that phone book sized policy guide that says you need AV. That control is quite literally wasting your time and money. It would be in your best interest to get it changed.

    Usability vs security is one of my favorite topics these days. Security lost. It’s not that usability won, it’s that there was never really a battle. Many of us security types don’t realize that though. We believe that there is some eternal struggle between security and usability where we will make reasonable and sound tradeoffs between improving the security of a system and adding a text field here and an extra button there. What really happened was the designers asked to use the bathroom and snuck out through the window. We’re waiting for them to come back and discuss where to add in all our great ideas on security.

  • Reproducible Builds: week 91 in Stretch cycle

    Verifying Software Freedom with Reproducible Builds will be presented by Vagrant Cascadian at Libreplanet2017 in Boston, March 25th-26th.

  • Linux devices with standard settings infected by Linux.Proxy.10 malware

    The Linux operating system was once known as the most secure OS in the world, but things have changed since security researchers found malware like Mirai and Bashlite infecting Linux devices and turning them into DDoS botnets. Now another piece of malware has been discovered targeting Linux.

More in Tux Machines

GNOME 3.25.3 Released, GTK Development

  • GNOME 3.25.3 Now Available
    GNOME 3.25.3 is now available as the latest stepping stone towards September's release of GNOME 3.26.
  • GNOME 3.26 Desktop Environment Development Continues, New Milestone Is Out Now
    Matthias Clasen has informed the community via an email announcement that the third milestone of the upcoming GNOME 3.26 desktop environment is now ready for public testing. After a one day delay, GNOME 3.25.3 is now available, and it's the third development release of the upcoming GNOME 3.26 desktop environment that could be used by default in popular GNU/Linux distributions, such as the Ubuntu 17.10 (Artful Aardvark) or Fedora 27, both due for release later this year. It brings a bunch of updates and new features to several of its components and apps.
  • Eight years since first release and still no usable theme?
    Well, let me be frank. Ever since gtk-3.0 I've been skeptical of it, especially of the theming aspect. In gtk-2 we had (and still have) many themes ranging from trash to excellent; almost every kind of taste could have been satisfied. Not so in gtk-3. The first issue is constant changes to the theming API, meaning that despite there being hundreds of themes, only a handful of them actually work right :( And among them, I still have yet to find one that would work on my fairly usual 15.6″ laptop screen with 1366×768 px resolution. Basically I have two issues.

Microsoft Dirty Tricks and Entryism

Security: Windows Causes Chaos, Routers With Back Doors, Patching of UNIX/Linux

  • Traffic lights in Australia hit by WannaCry ransomware [Ed: Well, who uses Microsoft Windows to manage traffic?!?!]

    Radio station 3aw reports that dozens of pole-based traffic calming measures are infected and that this came as a surprise to the local minister and Road Safety Camera Commissioner when radio reporters told him about it.

  • Honda shuts down factory after finding NSA-derived Wcry in its networks
    The WCry ransomware worm has struck again, this time prompting Honda Company to halt production in one of its Japan-based factories after finding infections in a broad swath of its computer networks, according to media reports. The automaker shut down its Sayama plant northwest of Tokyo on Monday after finding that WCry had affected networks across Japan, North America, Europe, China, and other regions, Reuters reported Wednesday. Discovery of the infection came on Sunday, more than five weeks after the onset of the NSA-derived ransomware worm, which struck an estimated 727,000 computers in 90 countries. The mass outbreak was quickly contained through a major stroke of good luck. A security researcher largely acting out of curiosity registered a mysterious domain name contained in the WCry code that acted as a global kill switch that immediately halted the self-replicating attack.
  • GhostHook: CyberArk finds new way to attack Windows 10

    Researchers at CyberArk Labs have discovered a new way of gaining access to the innards of Windows 10 64-bit systems that can bypass existing safeguards, including the kernel patch protection known as PatchGuard that Microsoft developed to improve system security.

  • John McAfee claims 'every router in America has been compromised' by hackers and spies

    Technology pioneer John McAfee believes that every home internet router in America is wide open to cyberattacks by criminal hackers and intelligence agencies. He makes the claim speaking after revelations from WikiLeaks that the Central Intelligence Agency (CIA) targets the devices.

  • 'Stack Clash' Smashed Security Fix in Linux
    What's old is new again: an exploit protection mechanism for a known flaw in the Linux kernel has fallen to a new attack targeting an old problem.
  • Continuous defence against open source exploits
    Register for next month's expo for the public sector DevOps community to hear key speakers from the front line of public sector digital transformation and see the latest technologies at first hand. Andrew Martin, DevOps lead in a major government department, has been added to the line-up of speakers to talk about the importance of getting the approach to security right with open source software.
  • IoT goes nuclear: creating a ZigBee chain reaction [iophk: "use 6lowpan instead"]

    If plugging in an infected bulb is too much hassle, the authors also demonstrate how to take over bulbs by war-driving around in a car, or by war-flying a drone.

  • Passengers given a freight as IT glitch knocks out rail ticket machines

    The network of machines is operated by the individual franchises, but shares a common infrastructure from German software company Scheidt and Bachmann.

OpenBSD Development News

  • OpenBSD now has Trapsleds to make life harder for ROPers
  • Historical: My first OpenBSD Hackathon

    I was a nobody. With some encouragement, enough liquid courage to override my imposter syndrome, and a few hours of mentoring, I'm now doing big projects. The next time you're sitting at a table with someone new to your field, ask yourself: how can you encourage them? You just might make the world better.

    Thank you Dale. And thank you Theo.

  • Finish the link-kit job
    We've had the linkkit components in the tree for a while, but it has taken nearly 20 rounds between rpe/tb/myself to get the last few bits finished. So that the link kit is cleanly used at reboot, but also fits in with the practices kernel developers follow.