
Security

Security: Security Updates, Memcached Bug, and Bug Bounty Program

Filed under
Security
  • Security updates for Monday
  • 70,000 Memcached Servers Can Be Hacked Using Eight-Month-Old Flaws

    Eight months after three critical vulnerabilities were fixed in the memcached open source caching software, there are over 70,000 caching servers directly exposed on the internet that have yet to be patched. Hackers could execute malicious code on them or steal potentially sensitive data from their caches, security researchers warn.

    Memcached is a software package that implements a high performance caching server for storing chunks of data obtained from database and API calls in RAM. This helps speed up dynamic web applications, making it well suited for large websites and big-data projects.

  • Facebook, Ford Foundation & GitHub Donate £229,990 To Open Source Bug Bounty Program

    Facebook, the Ford Foundation and GitHub have donated $100,000 (£76,663) each to the Internet Bug Bounty (IBB), a not-for-profit bug bounty program for core Internet infrastructure and open source software.

    The money will be used to reward hackers who are deemed to have made the Internet more secure, allowing the IBB to expand the scope and impact of its bug bounty program.

Security: Debian Reproducible Builds, DNS Bug

More Security Leftovers

  • Fingerprint-based detection of DNS hijacks using RIPE Atlas [Warning for PDF]

    DNS hijacking is a real thing happening on the Internet
    ○ We found several RIPE Atlas probes with hijacked DNS resolvers
    ○ Some countries have a >25% chance of DNS being hijacked

  • How the Swedish administration leaked EU’s secure STESTA intranet to Russia, then tried glossing over it

    The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM's subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union's secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.

  • Outsourcing Nightmare

    We had two reports of an ongoing situation in Sweden where confidential information held by the government has been compromised.

  • Status update from the Reproducible Builds project

    Since then, we have made considerable progress which has been reported during DebConf 15 and 16 talks as well as other conferences around the world. However, for the sake of information preservation and clear communication we felt the need to write a newer report here.

Security Leftovers

  • Putin’s Hackers {sic} Now Under Attack—From Microsoft


    Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company’s approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like “livemicrosoft[.]net” or “rsshotmail[.]com” that Fancy Bear registers under aliases for about $10 each. Once under Microsoft’s control, the domains get redirected from Russia’s servers to the company’s, cutting off the hackers {sic} from their victims, and giving Microsoft an omniscient view of that server’s network of automated spies.

  • NHS Trusts are spending £158,000 a day on new PCs


    NHS TRUSTS are splashing £158,000 per day on new PCs and laptops at an average cost of £678 per device, a Freedom of Information (FoI) request has revealed.

  • Twistlock 2.1 Container Security Suite Released

    Twistlock announced the general availability of version 2.1 of their container security product. Highlights of the release include an integrated firewall that understands application traffic, vulnerability detection, secrets management via integration with third party tools, and compliance alerting and enforcement.

  • Security and privacy are the same thing

    It got me thinking about security and privacy. There's not really a difference between the two. They are two faces of the same coin, but why that is isn't always obvious in today's information universe. If a site like Facebook or Google knows everything about you it doesn't mean you don't care about privacy, it means you're putting your trust in those sites. The same sort of trust that makes passwords private.

    The first thing we need to grasp is what I'm going to call a trust boundary. I trust you understand trust already (har har har). But a trust boundary is less obvious sometimes. A security (or privacy) incident happens when there is a breach of the trust boundary. Let's just dive into some examples to better understand this.

Security: Windows 10 Bypass, Slackware OpenJDK Update and More

  • [Older] GHOSTHOOK ATTACK BYPASSES WINDOWS 10 PATCHGUARD

    A bypass of PatchGuard kernel protection in Windows 10 has been developed that brings rootkits for the latest version of the OS within reach of attackers.

    Since the introduction of PatchGuard and DeviceGuard, very few 64-bit Windows rootkits have been observed; Windows 10’s security, in particular its mitigations against memory-based attacks, is well regarded. Researchers at CyberArk, however, found a way around PatchGuard through a relatively new feature in Intel processors called Processor Trace (Intel PT).

  • [Slackware] OpenJDK 8 security round-up for July ’17

    Sooner than I anticipated, there is an update for OpenJDK 8. Andrew Hughes (aka GNU/Andrew) announced the release of IcedTea 3.5.0. The new icedtea framework compiles OpenJDK 8 Update 141 Build 15 (8u141_b15). This release includes the official July 2017 security fixes.

  • ROI (Not Security) the Most Immediate IoT Challenge

    According to Defining IoT Business Models, a new report from Canonical, the software company behind the Ubuntu Linux distribution, device security and privacy (45 percent) falls behind quantifying the return on investment (ROI) of their IoT projects (53 percent) as an immediate challenge. Canonical drew its conclusions from a survey of 361 IoT professionals conducted by IoTNow on behalf of the company.

  • Apply the STIG to even more operating systems with ansible-hardening

    Tons of improvements made their way into the ansible-hardening role in preparation for the OpenStack Pike release next month. The role has a new name, new documentation and extra tests.

    The role uses the Security Technical Implementation Guide (STIG) produced by the Defense Information Systems Agency (DISA) and applies the guidelines to Linux hosts using Ansible. Every control is configurable via simple Ansible variables and each control is thoroughly documented.

  • Open Source Flaw 'Devil's Ivy' Puts Millions of IoT Devices at Risk

    Millions of IoT devices are vulnerable to cybersecurity attacks due to a vulnerability initially discovered in remote security cameras, Senrio reported this week.

  • Microsoft’s secret weapon in ongoing struggle against Fancy Bear? Trademark law [Ed: Microsoft should make a start by stopping the addition of back doors to all its software]
  • SECURITY FOR THE SECURITY GODS! SANDBOXING FOR THE SANDBOXING THRONE

    Last year, probably as a distraction from doing anything else, or maybe because I was asked, I started reviewing bugs filed as a result of automated flaw discovery tools (from Coverity to UBSan via fuzzers) being run on gdk-pixbuf.

    Apart from the security implications of a good number of those problems, there was also the annoyance of having a busted image file bring down your file manager, your desktop, or even an app that opened a file chooser either because it was broken, or because the image loader for that format didn't check for the sanity of memory allocations.

Internet Bug Bounty Gets a Boost

Security: HTTPBrowser, NfLog, Regin, HammerLoss, Gamker, Grsecurity, and systemd

  • 5 New CIA Malware Unveiled By WikiLeaks — HTTPBrowser, NfLog, Regin, HammerLoss, Gamker
  • Security updates for Friday

    Security updates have been issued by Debian (php5 and ruby-mixlib-archive), Fedora (knot, knot-resolver, and spice), Oracle (graphite2 and java-1.8.0-openjdk), Red Hat (graphite2, java-1.6.0-sun, java-1.7.0-oracle, java-1.8.0-openjdk, and java-1.8.0-oracle), Scientific Linux (java-1.8.0-openjdk), and Ubuntu (kernel, linux, linux-raspi2, linux-hwe, and mysql-5.5, mysql-5.7).

  • Hardened usercopy whitelisting

    There are many ways to attempt to subvert an operating-system kernel. One particularly effective way, if it can be arranged, is to attack the operations that copy data between user-space and kernel-space memory. If the kernel can be fooled into copying too much data back to user space, the result can be an information-disclosure vulnerability. Errors in the other direction can be even worse, overwriting kernel memory with attacker-controlled data. The kernel has gained some defenses against this sort of attack in recent development cycles, but there is more work yet to be merged.

    Much of the heap memory used within the kernel is obtained from the slab allocator. The hardened usercopy patch set, merged for the 4.8 kernel, attempts to limit the impact of erroneous copy operations by ensuring that no single operation can cross the boundary between one slab-allocated object and the next. But the kernel gets a lot of large memory objects from the slab allocator, and it is often not necessary to copy the entire object between the kernel and user space. In cases where only part of an object needs to be copied, it would be useful to prevent a rogue copy operation from copying to or from parts of the structure that do not need to be exposed in this way.

  • User=0day considered harmful in systemd

    Validating user input is a long-established security best practice, but there can be differences of opinion about what should be done when that validation fails. A recently reported bug in systemd has fostered a discussion on that topic; along the way there has also been discussion about how much validation systemd should actually be doing and how much should be left up to the underlying distribution. The controversy all revolves around usernames that systemd does not accept, but that some distributions (and POSIX) find to be perfectly acceptable.

    The bug was opened in late June by GitHub user "mapleray". It describes setting up a systemd service file with a "User=0day" entry, which means that the service should run as the 0day user. However, mapleray found that it ran as root instead, which is, at the least, rather surprising. It turns out that usernames starting with a digit are disallowed by systemd, so it ignores the line and puts a warning in the log. Since there is no user specified, systemd falls back to running it as the default user: root.

Security: WoSign and StartCom Blacklisted, Symantec Tricked, Windows Back Doors Cause Further Issues, and More

  • Google drops the boom on WoSign, StartCom certs for good

    Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

  • How I tricked Symantec with a Fake Private Key


    I registered two test domains at a provider that would allow me to hide my identity and not show up in the whois information. I then ordered test certificates from Symantec (via their brand RapidSSL) and Comodo. These are the biggest certificate authorities and they both offer short term test certificates for free. I then tried to trick them into revoking those certificates with a fake private key.

  • TV station struggling a month after Windows ransomware attack


    More than a month after a ransomware attack on their Windows computers, journalists at San Francisco's public TV and radio station KQED are still reduced to doing most of their work manually.

  • New version of SambaCry spotted in the wild: Linux users urged to update OS
  • Goldilocks Security: Bad, Won’t Work, and Plausible

    Previous posts discussed the security challenge presented by IoT devices, using IP Video Cameras as an example. Now let’s consider some security alternatives...

  • Summer is coming

    Rather than trying to fix the big problems, our time is better spent ignoring the thought leaders and just doing something small. Conferences are important, but not to listen to the leaders. Go find the vendors and attendees who are doing new and interesting things. They are the ones that will make a difference, they are literally the future. Even the smallest bug bounty, feature, or pull request can make a difference. The end goal isn't to be a noisy gasbag, instead it should be all about being useful.

Security: FOSS Advantage, Updates, “Bad Taste” and More

Security and DRM: Digital Ballots, Windows Disasters, gSOAP, and DRM on the Web
