
Security

Linux users urged to protect against 'Dirty COW' security flaw

Filed under
Linux
Red Hat
Security

Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed 'Dirty COW'.

This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild.

Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used.

"The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.

Read more

Also: New Debian Linux Kernel Update Addresses "Dirty COW" Bug, Three Security Issues

Why Security Distributions Use Debian

Filed under
Security
Debian

What do distributions like Qubes OS, Subgraph, Tails, and Whonix have in common? Besides an emphasis on security and privacy, all of them are Debian derivatives -- and, probably, this common origin is not accidental.

At first, this trend seems curious. After all, other distributions ranging from Slackware and Gentoo to Arch Linux all emphasize security and privacy in their selection of tools. In particular, Fedora's SELinux can be so restrictive that some users would rather disable it than learn how to configure it. By contrast, while Debian carries many standard security and privacy tools, it has seldom emphasized them.

Similarly, Debian's main branch consists of only free and open source software, its contrib and non-free branches not being official parts of the distribution. With many security experts favoring the announcement of vulnerabilities and exploit code rather than relying on security through obscurity, the way that many pieces of proprietary software do, this transparency has obvious appeal.

Yet although the advantage of free software to security and privacy is that the code can be examined for backdoors and malware, this advantage is hardly unique to Debian. To one degree or another, it is shared by all Linux distributions.

Read more

More from Susan: Why Use Linux, Systemd Complications, Debian's Security

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Security bug lifetime

    In several of my recent presentations, I’ve discussed the lifetime of security flaws in the Linux kernel. Jon Corbet did an analysis in 2010, and found that security bugs appeared to have roughly a 5 year lifetime. As in, the flaw gets introduced in a Linux release, and then goes unnoticed by upstream developers until another release 5 years later, on average. I updated this research for 2011 through 2016, and used the Ubuntu Security Team’s CVE Tracker to assist in the process. The Ubuntu kernel team already does the hard work of trying to identify when flaws were introduced in the kernel, so I didn’t have to re-do this for the 557 kernel CVEs since 2011.

  • Reproducible Builds: week 77 in Stretch cycle

    After discussions with HW42, Steven Chamberlain, Vagrant Cascadian, Daniel Shahaf, Christopher Berg, Daniel Kahn Gillmor and others, Ximin Luo has started writing up more concrete and detailed design plans for setting SOURCE_ROOT_DIR for reproducible debugging symbols, buildinfo security semantics and buildinfo security infrastructure.

  • Veracode security report finds open source components behind many security vulnerabilities [Ed: not a nice firm]

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Tuesday's security updates
  • Critical flaws found in open-source encryption software VeraCrypt [Ed: TrueCrypt was never really FOSS]

    A new security audit has found critical vulnerabilities in VeraCrypt, an open-source, full-disk encryption program that's the direct successor of the widely popular, but now defunct, TrueCrypt.

    Users are encouraged to upgrade to VeraCrypt 1.19, which was released Monday and includes patches for most of the flaws. Some issues remain unpatched because fixing them requires complex changes to the code and in some cases would break backward compatibility with TrueCrypt.

    However, the impact of most of those issues can be avoided by following the safe practices mentioned in the VeraCrypt user documentation when setting up encrypted containers and using the software.

  • Veracode: open source is creating 'systematic risks' across companies and industries [Ed: this company routinely smears FOSS]

    SECURITY FIRM VERACODE has released a damning report into open source and third-party software components and warned that, for example, almost all Java applications are blighted with at least one problem.

  • Why is Java so insecure? Buggy open source components take the blame

    Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

    Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

  • Parrot Security 3.2 “CyberSloop” Ethical Hacking Linux Distro Available For Download

    Earlier this year, I prepared a list of the top operating systems used for ethical hacking purposes. In that list, Parrot Security OS ranked at #2. It’s developed by Frozenbox Network and released under the GNU/GPL v3 license. A couple of days ago, Parrot Security 3.2 ethical hacking Linux distro arrived. The new version of this popular operating system is codenamed CyberSloop and it’s based on the Debian GNU/Linux 9 Stretch.

    Parrot Security 3.1 arrived back in July. Compared to that, the new version has taken a while due to some buggy packages in the Debian Testing repository that the Parrot Security team had to fix themselves. In particular, the bug being discussed here is the latest GTK updates that broke the MATE interface.

  • Linux-run IoT devices under attack by NyaDrop [Ed: Devices with open ports and identical passwords across the board are not secure; not “Linux” issue]

    Internet of Things (IoT) devices running on the open-source Linux OS are under attack from NyaDrop.

    The attack loads malware on IoT devices lacking appropriate security after brute forcing default login credentials, according to a report by David Bisson for Graham Cluley Security News. The code achieves this by parsing its list of archived usernames and passwords. Once authenticated, NyaDrop is installed. The lightweight binary then loads other malware onto the infected device.

Canonical Now Offering Live Kernel Patching Services, Free for Up to Three PCs

Filed under
Security
Ubuntu

Today, October 18, 2016, Canonical informs us, through Dustin Kirkland, about an interesting new feature for Ubuntu Linux, which users can enable on their current installations.

Read more

Also: Canonical Rolls Out Its Own Kernel Livepatching Service For Ubuntu

Security News

Filed under
Security
  • Security advisories for Monday
  • NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware

    A Linux threat known as NyaDrop is exploiting a lack of security in Internet of Things (IoT) devices to infect them with malware.

    A NyaDrop attack begins with the threat attempting to brute force the default login credentials of internet-exposed IoT devices running Linux. It does so by running through its list of stored usernames and passwords, a collection which is no doubt similar to that of the Mirai botnet.

  • Smart cities: 5 security areas CIO should watch

    New worms designed to attach to IoT devices will emerge − and they could wreak more havoc given the extended reach of the new converged networks.

    Conficker is an example of a worm that spread on PCs in 2008 and is still persistent and prevalent in 2016.

    Likewise, worms and viruses that can propagate from device to device can be expected to emerge – particularly with mobile and the Android operating system.

    Embedded worms will spread by leveraging and exploiting vulnerabilities in the growing IoT and mobile attack surface. The largest botnet FortiGuard labs has witnessed is in the range of 15 million PCs.
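Both NyaDrop items above describe the same first step: a run of default-credential guesses against an internet-exposed Linux device, followed by a login that succeeds. The detection logic below is an added example written for this page, not code from either article or from any vendor. It runs over a constructed syslog-style sample (the dropbear and sshd message wording is real; the host, addresses, timestamps and account names are made up) and flags both the guessing burst and the success that follows it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not a real capture. 203.0.113.7 plays the NyaDrop-style
# attacker: a burst of default-credential guesses against several account names,
# then a successful login. 198.51.100.9 guesses twice, half an hour apart.
# 10.0.0.5 is an operator who mistypes once.
SAMPLE_LOG = """\
Oct 18 02:00:00 cam01 sshd[801]: Failed password for invalid user pi from 198.51.100.9 port 60001 ssh2
Oct 18 02:30:00 cam01 sshd[801]: Failed password for invalid user pi from 198.51.100.9 port 60002 ssh2
Oct 18 03:14:01 cam01 dropbear[412]: Bad password attempt for 'root' from 203.0.113.7:51022
Oct 18 03:14:02 cam01 dropbear[412]: Bad password attempt for 'root' from 203.0.113.7:51023
Oct 18 03:14:02 cam01 dropbear[412]: Bad password attempt for 'admin' from 203.0.113.7:51024
Oct 18 03:14:03 cam01 dropbear[412]: Bad password attempt for 'support' from 203.0.113.7:51025
Oct 18 03:14:03 cam01 dropbear[412]: Bad password attempt for 'user' from 203.0.113.7:51026
Oct 18 03:14:04 cam01 dropbear[412]: Bad password attempt for 'guest' from 203.0.113.7:51027
Oct 18 03:14:05 cam01 dropbear[412]: Password auth succeeded for 'root' from 203.0.113.7:51028
Oct 18 03:20:11 cam01 dropbear[412]: Bad password attempt for 'root' from 10.0.0.5:40010
Oct 18 03:20:15 cam01 dropbear[412]: Password auth succeeded for 'root' from 10.0.0.5:40010
"""

# Message wording as logged by OpenSSH sshd and by dropbear (common on IoT).
FAIL_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"dropbear\[\d+\]: Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+)"),
]
SUCCESS_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"dropbear\[\d+\]: Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+)"),
]


def parse_event(line):
    """Return (timestamp, ip, user, success) for an auth line, or None."""
    if len(line) < 16:
        return None
    try:
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog carries no year
    except ValueError:
        return None
    for patterns, success in ((FAIL_PATTERNS, False), (SUCCESS_PATTERNS, True)):
        for pat in patterns:
            m = pat.search(line)
            if m:
                return ts, m["ip"], m["user"], success
    return None


def detect(lines, window_s=300, fail_threshold=5, success_min_fails=3):
    """Flag per-source password guessing and the login that follows it.

    Alerts are tuples:
      ("bruteforce", ip, failures_in_window, sorted_usernames_tried)
      ("success_after_failures", ip, user, failures_in_window)
    Failures older than window_s seconds are forgotten, so two guesses half an
    hour apart do not trip the threshold.
    """
    recent_fails = defaultdict(list)  # ip -> [(ts, user), ...] inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, ip, user, success = ev
        fails = [(t, u) for t, u in recent_fails[ip]
                 if (ts - t).total_seconds() <= window_s]
        if success:
            # A correct password right after a burst of wrong ones is the
            # signature of a guessed default credential, not of a typo.
            if len(fails) >= success_min_fails:
                alerts.append(("success_after_failures", ip, user, len(fails)))
        else:
            fails.append((ts, user))
            if len(fails) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(fails),
                               sorted({u for _, u in fails})))
        recent_fails[ip] = fails
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one to act on for a device class whose password is shared across the fleet: a success preceded by a burst of failures from the same address is the moment just before the dropper is installed, and is the event to page on or feed into a block rule. The thresholds are parameters because telnet-based IoT scanners often try only a handful of pairs per host before moving on.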

Happy 15th Birthday Red Hat Product Security

Filed under
Red Hat
Security

This summer marked 15 years since we founded a dedicated Product Security team for Red Hat. While we often publish information in this blog about security technologies and vulnerabilities, we rarely give an introspection into the team itself. So I’d like, if I may, to take you on a little journey through those 15 years and call out some events that mean the most to me; particularly what’s changed and what’s stayed the same. In the coming weeks some other past and present members of the team will be giving their anecdotes and opinions too. If you have a memory of working with our team we’d love to hear about it, you can add a comment here or tweet me.

Read more

Security Leftovers

Filed under
Security
  • Alpine edge has switched to libressl

    We decided to replace openssl with libressl because we believe it is a better library. While OpenSSL is trying to fix the broken code, libressl has simply removed it.

  • German nuclear plant infected with computer viruses, operator says

    A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility’s operations because it is isolated from the internet, the station’s operator said on Monday.

    The Gundremmingen plant, located about 120 km northwest of Munich, is run by the German utility RWE.

    The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods, RWE said.

  • The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception'

    Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.

  • SourceClear Brings Secure Continuous Delivery to the Developer Workflow [Ed: I don't trust them; they're Microsoft connected with a negative track record]
  • Serious security: Three changes that could turn the tide on hackers

    The state of tech security is currently so dire that it feels like anything you have ever stored on a computer, or a company or government has ever stored about you, has already been hacked into by somebody.

  • Crypto needs more transparency, researchers warn

    Researchers at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely.

    The boffins also demonstrated again that 1,024-bit primes can no longer be considered secure, by publishing an attack using “special number field sieve” (SNFS) mathematics to show that an attacker could create a prime that looks secure, but isn't.

    Since the research is bound to get conspiracists over-excited, it's worth noting: their paper doesn't claim that any of the cryptographic primes it mentions have been back-doored, only that they can no longer be considered secure.

    “There are opaque, standardised 1024-bit and 2048-bit primes in wide use today that cannot be properly verified”, the paper states.

    Joshua Fried and Nadia Heninger (University of Pennsylvania) worked with Pierrick Gaudry and Emmanuel Thomé (INRIA at the University of Lorraine) on the paper, here.

    They call for 2,048-bit keys to be based on “standardised primes” using published seeds, because too many crypto schemes don't provide any way to verify that the seeds aren't somehow back-doored.

  • Is Let’s Encrypt the Largest Certificate Authority on the Web?

    By the time you read this, Let's Encrypt will have issued its 12 millionth certificate, of which 6 million are active and unexpired. With these milestones, Let's Encrypt now appears to us to be the Internet's largest certificate authority—but a recent analysis by W3Techs said we were only the third largest. So in this post we investigate: how big is Let's Encrypt, really?
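The Fried, Gaudry, Heninger and Thomé paper summarised above asks for something concrete: a standardised prime should be published together with the seed and counter that produced it, so that anyone can recompute the prime and confirm it was not chosen for a special (SNFS-friendly) form. The code below is an added example, not from the paper or from any standard. It derives a prime from a seed by hash expansion and lets a verifier recompute it. The label string, the SHA-256 expansion layout and the 64-bit size used in the demo are this example's own choices; real parameters would be 2048 bits and follow a published procedure.

```python
import hashlib

# With these 13 prime bases Miller-Rabin is deterministic for every n below
# about 3.3e24 (Sorenson and Webster, 2015); for larger n it is a strong
# probabilistic test, which is all the verifier needs here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; exact for n < 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def candidate(seed, counter, bits, label=b"example-prime-v1"):
    """Expand SHA-256(seed || label || counter || block) into a `bits`-bit odd
    integer with its top bit set. The label and byte layout are this example's
    own convention (assumed), not taken from any standard."""
    nbytes = (bits + 7) // 8
    out = b""
    block = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + label + counter.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    x = int.from_bytes(out[:nbytes], "big") & ((1 << bits) - 1)
    return x | (1 << (bits - 1)) | 1


def derive_prime(seed, bits, max_counter=100000):
    """Return (p, counter) for the smallest counter whose candidate is prime."""
    for counter in range(max_counter):
        p = candidate(seed, counter, bits)
        if is_probable_prime(p):
            return p, counter
    raise ValueError("no prime found for this seed within max_counter")


def verify_prime(p, seed, bits, counter):
    """Check a published (p, seed, counter) triple without trusting its author:
    p must be prime, of the claimed size, equal to the candidate for `counter`,
    and every smaller counter must have yielded a composite, so the generator
    had no freedom to select among several primes."""
    if p.bit_length() != bits or not is_probable_prime(p):
        return False
    if candidate(seed, counter, bits) != p:
        return False
    return all(not is_probable_prime(candidate(seed, c, bits)) for c in range(counter))


if __name__ == "__main__":
    seed = b"constructed example seed, 2016-10"
    p, c = derive_prime(seed, 64)
    print(f"p = {p:#x} counter = {c} verifies: {verify_prime(p, seed, 64, c)}")
```

The last check in verify_prime is the one that matters: a generator allowed to pick any counter could still search for a prime of a trapdoor form, so the verifier insists that every earlier counter yielded a composite. Without the seed none of this is possible, which is the paper's complaint about the opaque 1024- and 2048-bit primes in wide use.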
