Security

Canonical Now Offering Live Kernel Patching Services, Free for Up to Three PCs

Filed under
Security
Ubuntu

Today, October 18, 2016, Canonical informs us, through Dustin Kirkland, about an interesting new feature for Ubuntu Linux, which users can enable on their current installations.


Also: Canonical Rolls Out Its Own Kernel Livepatching Service For Ubuntu

Security News

Filed under
Security
  • Security advisories for Monday
  • NyaDrop exploiting Internet of Things insecurity to infect Linux devices with malware

    A Linux threat known as NyaDrop is exploiting a lack of security in Internet of Things (IoT) devices to infect them with malware.

    A NyaDrop attack begins with the threat attempting to brute force the default login credentials of internet-exposed IoT devices running Linux. It does so by running through its list of stored usernames and passwords, a collection which is no doubt similar to that of the Mirai botnet.

  • Smart cities: 5 security areas CIO should watch

    New worms designed to attach to IoT devices will emerge, and they could wreak more havoc given the extended reach of the new converged networks.

    Conficker is an example of a worm that spread on PCs in 2008 and is still persistent and prevalent in 2016.

    Likewise, worms and viruses that can propagate from device to device can be expected to emerge – particularly with mobile and the Android operating system.

    Embedded worms will spread by leveraging and exploiting vulnerabilities in the growing IoT and mobile attack surface. The largest botnet FortiGuard labs has witnessed is in the range of 15 million PCs.

Happy 15th Birthday Red Hat Product Security

Filed under
Red Hat
Security

This summer marked 15 years since we founded a dedicated Product Security team for Red Hat. While we often publish information in this blog about security technologies and vulnerabilities, we rarely give an introspection into the team itself. So I’d like, if I may, to take you on a little journey through those 15 years and call out some events that mean the most to me; particularly what’s changed and what’s stayed the same. In the coming weeks some other past and present members of the team will be giving their anecdotes and opinions too. If you have a memory of working with our team we’d love to hear about it, you can add a comment here or tweet me.


Security Leftovers

Filed under
Security
  • Alpine edge has switched to libressl

    We decided to replace openssl with libressl because we believe it is a better library. While OpenSSL is trying to fix the broken code, libressl has simply removed it.

  • German nuclear plant infected with computer viruses, operator says

    A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility’s operations because it is isolated from the internet, the station’s operator said on Monday.

    The Gundremmingen plant, located about 120 km northwest of Munich, is run by the German utility RWE.

    The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods, RWE said.

  • The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception'

    Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.

  • SourceClear Brings Secure Continuous Delivery to the Developer Workflow [Ed: I don't trust them; they're Microsoft-connected with a negative track record]
  • Serious security: Three changes that could turn the tide on hackers

    The state of tech security is currently so dire that it feels like anything you have ever stored on a computer, or a company or government has ever stored about you, has already been hacked into by somebody.

  • Crypto needs more transparency, researchers warn

    Researchers at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely.

    The boffins also demonstrated again that 1,024-bit primes can no longer be considered secure, by publishing an attack using “special number field sieve” (SNFS) mathematics to show that an attacker could create a prime that looks secure, but isn't.

    Since the research is bound to get conspiracists over-excited, it's worth noting: their paper doesn't claim that any of the cryptographic primes it mentions have been back-doored, only that they can no longer be considered secure.

    “There are opaque, standardised 1024-bit and 2048-bit primes in wide use today that cannot be properly verified”, the paper states.

    Joshua Fried and Nadia Heninger (University of Pennsylvania) worked with Pierrick Gaudry and Emmanuel Thomé (INRIA at the University of Lorraine) on the paper, here.

    They call for 2,048-bit keys to be based on “standardised primes” using published seeds, because too many crypto schemes don't provide any way to verify that the seeds aren't somehow back-doored.

  • Is Let’s Encrypt the Largest Certificate Authority on the Web?

    By the time you read this, Let’s Encrypt will have issued its 12 millionth certificate, of which 6 million are active and unexpired. With these milestones, Let’s Encrypt now appears to us to be the Internet’s largest certificate authority—but a recent analysis by W3Techs said we were only the third largest. So in this post we investigate: how big is Let’s Encrypt, really?

Security News

Filed under
Security
  • Friday's security advisories
  • Metasploit eyeing Linux and usability improvements; iOS support uncertain

    Engineers at Rapid7, which owns the popular Metasploit penetration testing tool, are preparing a variety of enhancements for the ramp-up to version 5.0 in 2017.

    Metasploit evolved in 2003, Rapid7 acquired it from the original developers in 2009, and fourth-generation software debuted in 2011. Metasploit Pro is currently in version 4.2 and costs several thousand dollars for a license; Metasploit Framework, currently in version 4.12.33, is open source, officials explained.

  • Self-Checkout Skimmers Go Bluetooth

    This blog has featured several stories about payment card skimming devices designed to be placed over top of credit card terminals in self-checkout lanes at grocery stores and other retailers. Many readers have asked for more details about the electronics that power these so-called “overlay” skimmers. Here’s a look at one overlay skimmer equipped with Bluetooth technology that allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone.

    The rather crude video below shows a Bluetooth-enabled overlay skimmer crafted to be slipped directly over top of Ingenico iSC250 credit card terminals. These Ingenico terminals are widely used at countless U.S.-based merchants; earlier this year I wrote about Ingenico overlay skimmers being found in self-checkout lanes at some WalMart locations.

  • 10-year-old OpenSSH vulnerability caught up in IoT DDoS attacks [iophk: "not an actual ssh problem despite the parrots"]

    The threat wranglers at Akamai have come up with something new for us to worry about, except that it isn't so much new as a decade old.

    An OpenSSH vulnerability is being used to fuel distributed denial-of-service (DDoS) attacks on the bloody Internet of Things (IoT).

    DDoS attacks are a constant pain, but attacks on the IoT are relatively new. A combination of the two would be a problem, unless you are the kind of company that makes its business discovering this kind of thing.

    "Researchers at Akamai have been monitoring the growth of attacks leveraging IoT devices," said Eric Kobrin, director of adversarial resilience at Akamai, in a blog post about the SSHowDowN Proxy.

  • a single byte write opened a root execution exploit

    As one of the maintainers of the c-ares project I’m receiving mails for suspected security problems in c-ares and this was such a one. In this case, the email with said subject came from an individual who had reported a ChromeOS exploit to Google.

    It turned out that this particular c-ares flaw was one important step in a sequence of necessary procedures that when followed could let the user execute code on ChromeOS from JavaScript – as the root user. I suspect that is pretty much the worst possible exploit of ChromeOS that can be done. I presume the reporter will get a fair amount of bug bounty reward for this.

Parrot Security 3.2 "CyberSloop" Ethical Hacking OS Is Out with Linux Kernel 4.7

Filed under
Security

Today, October 15, 2016, the ParrotSec team unleashed the second point release to the Debian-based Parrot Security 3.x GNU/Linux distribution designed for ethical hackers and security researchers.


Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Thursday's security updates
  • Guile security vulnerability w/ listening on localhost + port
  • Akamai Finds Longtime Security Flaw in 2 Million Devices

    It’s well known that the Internet of Things is woefully insecure, but the most shameful and frustrating part is that some of the vulnerabilities that are currently being exploited could have been eradicated years ago. Now evidence of how these bugs are being used in attacks is calling attention to security holes that are long overdue to be plugged.

    New research released this week from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices—routers, cable modems, satellite TV equipment, and DVRs—and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers—in industries like financial services, retail, hospitality, and gaming—have been targets of this attack.

    The exploited protocol, called Secure Shell (SSH), is commonly used to facilitate remote system access and can be implemented robustly. But many IoT manufacturers either don’t incorporate it or are oblivious to the best practices for SSH when setting up default configurations on their devices. As makers scramble to bring their products to market, these oversights sow widespread insecurity in the foundation of the Internet of Things.

  • IoT Devices as Proxies for Cybercrime

    However, WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as vulnerable, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet.

    Finally, the hardware inside consumer routers is controlled by software known as “firmware,” and occasionally the companies that make these products ship updates for their firmware to correct security and stability issues. When you’re logged in to the administrative panel, if your router prompts you to update the firmware, it’s a good idea to take care of that at some point. If and when you decide to take this step, please be sure to follow the manufacturer’s instructions to the letter: Failing to do so could leave you with an oversized and expensive paperweight.

    Personally, I never run the stock firmware that ships with these devices. Over the years, I’ve replaced the firmware in various routers I purchased with an open source alternative, such as DD-WRT (my favorite) or Tomato. These flavors generally are more secure and offer a much broader array of options and configurations. Again, though, before you embark on swapping out your router’s stock firmware with an open source alternative, take the time to research whether your router model is compatible, and that you understand and carefully observe all of the instructions involved in updating the firmware.

    Since October is officially National Cybersecurity Awareness Month, it probably makes sense to note that the above tips on router security come directly from a piece I wrote a while back called Tools for a Safer PC, which includes a number of other suggestions to help beef up your personal and network security.

  • Microsoft says hackers have exploited zero-days in Windows 10's Edge, Office, IE; issues fix

    Microsoft's October Patch Tuesday fixes dozens of critical flaws, among them five affecting Internet Explorer, Edge, and Office that have already been under attack.

    Tuesday's update addresses 49 vulnerabilities within 10 security bulletins. Five bulletins are rated as critical and concern remote code execution vulnerabilities affecting Edge, Internet Explorer, Adobe Flash Player, Office, Windows, and Skype for Business.

    According to Microsoft, there were four so-called zero-day flaws, or previously unknown bugs that were being exploited in the wild. However, none has been publicly disclosed before now.

    All these bugs serve as a reminder for users to be cautious when clicking on links or opening attachments from unknown sources.

  • Like it or not, here are ALL your October Microsoft patches

    Redmond kicks off the era of the force-fed security update

    [...]

    Microsoft is kicking off a controversial new security program this month by packaging all of its security updates into a single payload.

    The October security release introduces Redmond's new policy of bundling all security bulletins as one download. While more convenient for end users, who now get just one bundle, the move will irk many administrators, who had preferred to individually test and apply each patch to avoid compatibility problems.

Security News

Filed under
Security
  • Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier

    Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by built-in and script-defined PowerShell cmdlets. Microsoft's documentation claimed JEA was a security boundary so effective you did not need to worry about an attacker stealing and misusing the credentials of a JEA user.

    But every JEA role capability example I found Microsoft had published had vulnerabilities that could be exploited to obtain complete system administrative rights, most of them immediately, reliably, and without requiring any special configuration. I find it hard to believe most custom role capabilities created by system administrators in the wild are going to be more secure than these, given the track record of the functionally similar features in Linux, the non-obvious nature of vulnerabilities, and the importance of dangerous cmdlets to routine system troubleshooting and maintenance.

    I recommended Microsoft invert what their JEA articles and documentation said about security. Instead of leading with statements that JEA was a security barrier, users with JEA rights should not be considered administrators, and their credentials do not need to be protected like real administrators with a note that this may not be the case if you are not careful; Microsoft's JEA documentation should lead with statements that JEA should not be treated like a security barrier and users with JEA rights and their credentials should be tightly controlled exactly like normal administrators unless the role capabilities have been strictly audited by security professionals. Additionally, the README files and comments of their example role capabilities should start with stern reminders of this.

  • Thousands of internet-connected devices are a security disaster in the making

    The first problem: many IoT devices, like those cameras, are consumer-oriented, which means their owners don't have a security-conscious IT department. "Individuals do not have the purchasing power of a large corporation," says John Dickson, principal of Denim Group, "so they cannot demand security features or privacy protections that a large corporation can of a product or software vendor."

    PC Pitstop Vice President of Cyber Security Dodi Glenn points out that many IoT purchasers neglect basic security measures, failing to change passwords from obvious defaults. And even if they did want to secure their devices, there are limits to what they can do: "You can't secure these devices with antivirus applications."

  • A SSHowDowN in security: IoT devices enslaved through 12 year old flaw

    In what researchers call the "Internet of Unpatchable Things," a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.

    The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.

  • Microsoft was unable to meaningfully improve the software

    Documents in a class-action lawsuit against Ford and its original MyFord Touch in-vehicle infotainment (IVI) system reveal that the company's engineers and even its top executive were frustrated with the problematic technology.

    The documents from the 2013 lawsuit show Ford engineers believed the IVI, which was powered by the SYNC operating system launched in 2010, might be "unsaleable" and even described a later upgrade as a "polished turd," according to a report in the Detroit News, which was confirmed by Computerworld.

    The SYNC OS was originally powered by Microsoft software. Microsoft continued releasing software revisions it knew were defective, according to the lawsuit.

    "In the spring of 2011, Ford hired Microsoft to oversee revisions, and hopefully the improvement, of the [software]. But ... Microsoft was unable to meaningfully improve the software, and Ford continued releasing revised software that it knew was still defective," the lawsuit states.

    Last week, a U.S. District Court judge certified the case as a class action.

  • Senator wants nationwide, all-mail voting to counter election hacks

    "It's not a question of if you're going to get hacked—it's when you're going to get hacked."

    Those were the words of Verizon CEO Lowell McAdam as he sought to assure investors last week that the company is still interested in purchasing Yahoo despite the massive data breach of Yahoo consumer accounts.

    Whether McAdam's words ring true for the hodgepodge of election systems across the US is anybody's guess. But in the wake of the Obama administration's announcement that the Russian government directed hacks on the Democratic National Committee and other institutions to influence US elections, a senator from Oregon says the nation should conduct its elections like his home state does: all-mail voting.

  • SourceClear Adds Atlassian Stack to Its Open Source Security Platform

    Open source security company SourceClear said it is integrating Atlassian’s suite of developer tools including Bitbucket Pipelines, JIRA Server, JIRA Cloud, and Bamboo into the company’s open source platform. The integration will result in automated security checks being a part of the developer workflow before they ship code.
