Language Selection

English French German Italian Portuguese Spanish

Security

Red Hat Patch Warning

Filed under
Red Hat
Security
  • We Didn't Pull CPU Microcode Update to Pass the Buck
  • Red Hat Will Revert Spectre Patches After Receiving Reports of Boot Issues

    Red Hat is releasing updates that are reverting previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715) after customers complained that some systems were failing to boot.

    "Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot," the company said yesterday.

    "The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd," Red Had added.

Security: Updates, SOS Fund, IR, ME, and WPA

Filed under
Security
  • Security updates for Friday
  • Seeking SOS Fund Projects

    I’m spending some time over the next few days looking for the next round of projects which might benefit from an SOS Fund security audit.

  • Strong Incident Response Starts with Careful Preparation

    Through working every day with organizations’ incident response (IR) teams, I am confronted with the entire spectrum of operational maturity. However, even in the companies with robust IR functions, the rapidly evolving threat landscape, constantly changing best practices, and surplus of available tools make it easy to overlook important steps during planning. As a result, by the time an incident occurs, it’s too late to improve their foundational procedures.

  • The Intel Management Engine: an attack on computer users' freedom

    Over time, Intel imposed the Management Engine on all Intel computers, removed the ability for computer users and manufacturers to disable it, and extended its control over the computer to nearly 100%. It even has access to the main computer's memory.

  • What Is WPA3, and When Will I Get It On My Wi-Fi?

    WPA2 is a security standard that governs what happens when you connect to a closed Wi-Fi network using a password. WPA2 defines the protocol a router and Wi-Fi client devices use to perform the “handshake” that allows them to securely connect and how they communicate. Unlike the original WPA standard, WPA2 requires implementation of strong AES encryption that is much more difficult to crack. This encryption ensures that a Wi-Fi access point (like a router) and a Wi-Fi client (like a laptop or phone) can communicate wirelessly without their traffic being snooped on.

Meltdown and Spectre Linux Kernel Status - Update

Filed under
Linux
Security

I keep getting a lot of private emails about my previous post previous post about the latest status of the Linux kernel patches to resolve both the Meltdown and Spectre issues.

These questions all seem to break down into two different categories, “What is the state of the Spectre kernel patches?”, and “Is my machine vunlerable?”

Read more

Security: Spectre and Meltdown, Industrial System Sabotage, VDP, Windows in Healthcare

Filed under
Security
  • Some thoughts on Spectre and Meltdown

     

    Contrast that with what happened this time around. Google discovered a problem and reported it to Intel, AMD, and ARM on June 1st. Did they then go around contacting all of the operating systems which would need to work on fixes for this? Not even close. FreeBSD was notified the week before Christmas, over six months after the vulnerabilities were discovered. Now, FreeBSD can occasionally respond very quickly to security vulnerabilities, even when they arise at inconvenient times — on November 30th 2009 a vulnerability was reported at 22:12 UTC, and on December 1st I provided a patch at 01:20 UTC, barely over 3 hours later — but that was an extremely simple bug which needed only a few lines of code to fix; the Spectre and Meltdown issues are orders of magnitude more complex.  

  • Menacing Malware Shows the Dangers of Industrial System Sabotage

     

    At the S4 security conference on Thursday, researchers from the industrial control company Schneider Electric, whose equipment Triton targeted, presented deep analysis of the malware—only the third recorded cyberattack against industrial equipment. Hackers [sic] were initially able to introduce malware into the plant because of flaws in its security procedures that allowed access to some of its stations, as well as its safety control network.

  • 25 per cent of hackers don't report bugs due to lack of disclosure policies

     

    One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).

  • 'Professional' hack [sic] on Norwegian health authority compromises data of three million patients [iophk: "Windows TCO"]

Security: Updates, Secure Contexts, EFF, Google, Fedora

Filed under
Security

Security: Back Doors, Bugs in Chips, Botnets, and Windows in Hospitals

Filed under
Security

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Latvia's e-health system hit by cyberattack from abroad

    Latvia said its new e-health system was on Tuesday hit by a large-scale cyberattack that saw thousands of requests for medical prescriptions pour in per second from more than 20 countries in Africa, the Caribbean and the European Union.

    No data was compromised, according to health officials, who immediately took down the site, which was launched earlier this month to streamline the writing of prescriptions in the Baltic state.

    "It is clear that it was a planned attack, a widespread attack—we might say a specialised one—as it emanated from computers located in various different countries, both inside the European Union and outside Europe," state secretary Aivars Lapins told reporters.

    "We received thousands of requests in a very short space of time. That's not the normal way the system works," he said, adding that an investigation is under way.

  • Linux Lite Developer Creates Automated Spectre/Meltdown Checker for Linux OSes

    The developer of the Ubuntu-based Linux Lite distribution has created a script that makes it easier for Linux users to check if their systems are vulnerable to the Meltdown and Spectre security flaws.

    As we reported last week, developer Stéphane Lesimple created an excellent script that would check if your Linux distribution's kernel is patched against the Meltdown and Spectre security vulnerabilities that have been publicly disclosed earlier this month and put billions of devices at risk of attacks.

  • Purism Releases Meltdown and Spectre Patches for Its Librem Linux Laptops

    Purism, the computer technology company behind the privacy-focused, Linux-based Librem laptops and the upcoming smartphone, released patches for the Meltdown and Spectre security vulnerabilities.

    The company was one of the first Linux OEMs and OS vendor to announce that it's working on addressing both the Meltdown and Spectre security exploits on his Linux laptops. Meltdown and Spectre have been unearthed in early January and they are two severe hardware bugs that put billions of devices at risk of attacks.

  • Facebook Awards Security Researchers $880,000 in 2017 Bug Bounties

    Facebook is hardly a small organization, with large teams of engineers and security professionals on staff. Yet even Facebook has found that it can profit from expertise outside of the company, which is why the social networking giant has continued to benefit from its bug bounty program.

    In 2017, Facebook paid out $880,000 to security researchers as part of its bug bounty program. The average reward payout in 2017 was $1,900, up from $1,675 in 2016.

  • Multicloud Deployments Create Security Challenges, F5 Report Finds

OSS Leftovers and Security

Filed under
OSS
Security
  • How to get all the benefits of open source software

    Open source software continues its meteoric rise, as more and more large enterprises weave open source code into various areas of their operations, increasingly shunning the big-name, proprietary software vendors.

    In fact, according to open source software development company, Sonatype, represented locally by 9TH BIT Consulting, 7,000 new open source software projects kick-off around the world every week, while 70,000 new open source components are released. Accessing this massive ‘hivemind’ of software development expertise is a highly attractive prospect for CIOs and business managers in all industries.

  • What is open source?

    What is open source software and how do vendors make their money? We answer your questions

    Open source is the foundation of modern technology. Even if you don't know what it is, chances are you've already used it at least once today. Open source technology helped build Android, Firefox, and even the Apache HTTP server, and without it, the internet as we know it would simply not exist.

    The central idea behind open source is a simple one: many hands make light work. In short, the more people you have working on something, the quicker and easier it is to do. As it applies to software development, this means opening projects up to the public to let people freely access, read and modify the source code.

  • Open Source Initiative Announces New Partnership With Adblock Plus

    Adblock Plus, the most popular Internet ad blocker today, joins The Open Source Initiative® (OSI) as corporate sponsors. Since its very first version, Adblock Plus has been an open source project that has developed into a successful business with over 100 million users worldwide. As such, the German company behind it, eyeo GmbH, has decided it is time to give back to the open source community.

    Founded in 1998, the OSI protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure. Adblock Plus is an open source project that aims to rid the Internet of annoying and intrusive online advertising. Its free web browser extensions (add-ons) put users in control by letting them block or filter which ads they want to see.

  • What if Open-Source Software Can Replace Dozens of Multi-Billion Dollar Companies? That is Exactly What Origin Protocol Wants to do Using Blockchain
  • Bonitasoft gets cute on AWS for low-code BPM

    There has been an undeniable popularisation of so-called ‘low-code’ programming platforms.

    This is a strain of technology designed to provide automated blocks of functionality that can be brought together by non-technical staff to perform specific compute and analysis tasks to serve their own business objectives.

  • Red Hat Certification: for developers too!

    Red Hat’s certification program provides validation of IT professionals’ skills and knowledge using our subscription products. Red Hat’s certifications carry credibility in the market because they are all earned by taking one or more hands-on, practical exams that last multiple hours. Like most programs offered by technology vendors, our most familiar certifications are those for system administrators.

  • LXD Weekly Status #30

    The main highlight for this week was the inclusion of the new proxy device in LXD, thanks to the hard work of some University of Texas students!

    The rest of the time was spent fixing a number of bugs, working on various bits of kernel work, getting the upcoming clustering work to go through our CI process and preparing for a number of planning meetings that are going on this week.

  • GitHub Alternative SourceForge Vies for Comeback with Redesigned Site

    SourceForge wants to be more than just another GitHub alternative, but an additional repository for developers to utilize to help gain users.

  • The Clock Is Ticking for Chip Flaw Fixes to Start Working

    Cures for the pervasive Meltdown and Spectre chip flaws aren’t working, and hacks may soon be incoming.

  • Intel: No Financial Meltdown

    Yves here. It is telling that the very measured Bruegel website is pretty bothered that Intel looks likely to get away with relatively little in the way of financial consequences as a result of its Spectre and Meltdown security disasters. This is a marked contrast with Volkswagen, where the company paid huge fines and executives went to jail.

    However, it was the US that went after a foreign national champion. The US-dominated tech press is still frustratingly given the Intel train wrecks paltry coverage relative to their importance.

  • CIP related work during the second half of 2017

    As you probably know by now, I have been involved in the Civil Infrastructure Project (CIP), a Linux Foundation Initiative formed in 2016, representing Codethink, a founder Member and coordinating the engineering work in two areas within the project:

Security Leftovers

Filed under
Security

Security: Updates, WordPress, Hardware Patches, and Open Source Security Podcast

Filed under
Security
  • Security updates for Tuesday
  • WordPress 4.9.2 Security and Maintenance Release

    WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

    An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

  • Debian-Based SolydXK Linux OS Receives Patch for Meltdown Security Vulnerability

    The Debian-based SolydXK Linux operating system has been updated today with patches for the Meltdown security vulnerability, as well as various other new features and improvements.

    To mitigate the Meltdown security exploit that allows a locally installed program to access the memory, including the kernel memory, and steal sensitive information like passwords and encryption keys, the SolydXK 201801 ISO images are now powered by the latest kernel release with patches against this vulnerability.

  • Chakra GNU/Linux Now Patched Against Meltdown & Spectre Security Vulnerabilities

    It's time for users of the Chakra GNU/Linux operating system to patch their systems against the Meltdown and Spectre security vulnerabilities as new kernel updates landed today in the repos.

    Publicly disclosed earlier this month, the Meltdown and Spectre security vulnerabilities are affecting us all, but OS vendors and OEMs are trying their best to mitigate them so that no user can be the victim of attacks where their sensitive data is at risk of getting in the hands of the wrong person.

  • Open Source Security Podcast: Episode 78 - Risk lessons from Hawaii
Syndicate content

More in Tux Machines

Red Hat changes its open-source licensing rules

From outside programming circles, software licensing may not seem important. In open-source, though, licensing is all important. So, when leading Linux company Red Hat announces that -- from here on out -- all new Red Hat-initiated open-source projects that use the GNU General Public License(GPLv2) or GNU Lesser General Public License (LGPL)v2.1 licenses will be expected to supplement the license with GPL version 3 (GPLv3)'s cure commitment language, it's a big deal. Read more

Android Leftovers

Gentoo-Based Porteus Kiosk 4.7 Brings More Mitigations Against Spectre Flaws

Powered by the long-term supported Linux 4.14.50 kernel, Porteus Kiosk 4.7.0 is the second release of the operating system in 2018 and comes five months after version 4.6 to introduce more mitigations against the Spectre security vulnerabilities, though the next-gen Spectre flaws require microcode firmware updates for Intel CPUs. "Newly discovered "Spectre Next Generation" vulnerabilities require updated microcode from Intel which is not available yet. Please consider enabling automatic updates service for your kiosks to receive latest fixes and patches as soon as they become available," reads today's announcement. Read more

Linspire 8 Enters Development Based on Ubuntu 18.04 LTS, Freespire 3.0.9 Is Out

Freespire 3.0.9 is a small incremental update of the free and open-source GNU/Linux distribution that includes all the latest security and software updates released upstream until June 11, 2018. It also introduces new light and dark modes, a full instance of the Calligra office suite, and replaces Mozilla Thunderbird with Kontact. The developers recommend all users running the Freespire 3.0 operating system series on their personal computers to run a system-wide update if they want to upgrade to Freespire 3.0.9 and receive all the latest changes. On the other hand, new users are encouraged to download the Freespire 3.0.9 ISO image. Read more Also: Linspire 8.0 Alpha 1 Released