Security

Security: Memcached, Intel MKTME, and Open Source Security Podcast

Filed under
Security

Security: Updates, Ethereum, 4G LTE, and Compromised Guest Account

Filed under
Security
  • Security updates for Monday
  • Ethereum responds to eclipse attacks described by research trio

    What is an "eclipse" attack? Amy Castor, who follows Bitcoin and Ethereum, walked readers in Bitcoin Magazine through this type of attack.

    "An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node's view of the blockchain."

    Catalin Cimpanu, security news editor for Bleeping Computer: "Eclipse attacks are network-level attacks carried out by other nodes by hoarding and monopolizing the victim's peer-to-peer connection slots, keeping the node in an isolated network."

    Meanwhile, here are some definitions of Ethereum. It is an open software platform based on blockchain technology.

  • 4G LTE Loopholes Invite Unwanted Phone And Location Tracking, Fake Emergency Alerts

    In a new paper, researchers at Purdue University and the University of Iowa have discovered vulnerabilities in three procedures of the LTE protocol.

    The loopholes could be exploited to launch 10 new attacks, such as location tracking, intercepting calls and texts, making devices offline, etc. With the help of authentication relay attacks, an evil mind can connect to a network without credentials and impersonate a user. A situation of an artificial emergency can be created by issuing fake threat alerts, similar to the recent missile launch alerts in Hawaii.

  • Compromised Guest Account

    Some of the workstations I run are sometimes used by multiple people. Having multiple people share an account is bad for security so having a guest account for guest access is convenient.

    If a system doesn’t allow logins over the Internet then a strong password is not needed for the guest account.

    If such a system later allows logins over the Internet then hostile parties can try to guess the password. This happens even if you don’t use the default port for ssh.
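
The guest-account item above ends on the point that a weak password on a shared account becomes a problem the moment ssh is reachable from the Internet, and that a non-default port does not change that. What rules password guessing out is the sshd configuration, not the port. The following Python is an added example, not code from the post or from OpenSSH: it reads an sshd_config body the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, everything from the first Match line onward is conditional) and reports whether a given account can still be hit with password guessing. The two config bodies and the guest user name are constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# sshd's own defaults for the directives this audit looks at (sshd_config(5)).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "denyusers": "",
    "allowusers": "",
}


def parse_sshd_config(text: str) -> dict:
    """Effective global directives of an sshd_config body.

    sshd uses the FIRST value it sees for a keyword and ignores later repeats,
    keywords are case-insensitive, and everything from the first 'Match' line
    onward is conditional, so it is excluded from this global view."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def _listed(user: str, patterns: str) -> bool:
    """True if user matches an AllowUsers/DenyUsers entry ('user' or 'user@host',
    with shell-style wildcards as sshd allows)."""
    return any(fnmatchcase(user, p.split("@", 1)[0]) for p in patterns.split())


def guest_ssh_findings(config_text: str, user: str = "guest") -> list:
    """Reasons the account's password can be guessed over ssh under this config.

    An empty list means the config itself rules guessing out: the user is denied,
    an allow list omits the user, or password authentication is off."""
    cfg = {**DEFAULTS, **parse_sshd_config(config_text)}
    if _listed(user, cfg["denyusers"]):
        return []
    if cfg["allowusers"] and not _listed(user, cfg["allowusers"]):
        return []
    if cfg["passwordauthentication"].lower() != "yes":
        return []
    findings = [f"{user}: password authentication is enabled, so its password can be guessed"]
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append(f"{user}: empty passwords are accepted, no guessing needed")
    if cfg["port"] != "22":
        findings.append(f"port {cfg['port']} is not a control; scanners find it anyway")
    return findings


# Constructed configs for the example; not taken from any real host.
WEAK = """\
Port 2222
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no   # no effect: sshd already took the first value above
"""

HARDENED = """\
Port 2222
PasswordAuthentication no
DenyUsers guest
Match User deploy
    PasswordAuthentication yes   # conditional, not part of the global view
"""

if __name__ == "__main__":
    for name, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, guest_ssh_findings(body) or ["no password-guessing exposure for guest"])
```

The weak config looks fixed to a casual reader because a `PasswordAuthentication no` line is present, but sshd keeps the first value, so guessing stays possible; the hardened one blocks the account outright with `DenyUsers guest` and turns password authentication off globally, which is the right answer for an account whose password was never meant to be strong. Run `sshd -T` on the host to print the effective values if you want to confirm what the daemon actually loaded.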

Security: Shadow Brokers, GitHub, SgxSpectre, DDoS Method Adds Extortion

Filed under
Security
  • Shadow Brokers the reason why Kaspersky Lab is in the US doghouse

    At times, it does not pay to be the brightest kid on the block. But Kaspersky Lab, which has been at the forefront of A-V research for some time, would have got away even with this, had it not been for a catastrophic leak of Windows vulnerabilities crafted by the NSA via a group that has called itself the Shadow Brokers.

  • 1.35Tbps: GitHub Faced World’s Biggest Ever DDoS Attack

    Just recently, GitHub, the most famous code sharing and hosting platform, faced the world’s most powerful DDoS attack. As per GitHub, the website was unavailable for about 5 minutes (17:21 to 17:26 UTC) on February 28th as a result of this massive torrent of 1.2 Tbps traffic targeting the site all at once.

  • SgxSpectre Exploits Recent Intel CPU Flaw And Leaks “Enclave” Secrets
  • Powerful New DDoS Method Adds Extortion

    Memcached communicates using the User Datagram Protocol or UDP, which allows communications without any authentication — pretty much anyone or anything can talk to it and request data from it.

    Because memcached doesn’t support authentication, an attacker can “spoof” or fake the Internet address of the machine making that request so that the memcached servers responding to the request all respond to the spoofed address — the intended target of the DDoS attack.

    Worse yet, memcached has a unique ability to take a small amount of attack traffic and amplify it into a much bigger threat. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic 10 or 20 times — allowing, for example a 1 mb file request to generate a response that includes between 10mb and 20mb of traffic.

Security: IOTA, Ethereum, GitHub, IPv6

Filed under
Security
  • Cryptographers Urge People to Abandon IOTA After Leaked Emails

    This past weekend, multiple prominent security researchers and academic cryptographers took to Twitter to paint a big black mark on the cryptocurrency project, IOTA. The posts implore investors not to hold the currency and researchers not to collaborate on enhancing the security of the system.

    An outcry was triggered shortly after a chain of private emails sent among the IOTA team and a group of external security researchers was made public, exposing the developers’ response to the disclosure of a critical flaw in one of their cryptographic building blocks. The correspondence, which ended with vague threats of legal action by IOTA founder, Sergey Ivancheglo, against a member of the Boston University security group, has prompted many academic researchers to denounce the entire project.

  • Ethereum’s smart contracts are full of holes

    Computer programs that run on blockchains are shaking up the financial system. But much of the hype around what are called smart contracts is just that. It’s a brand-new field. Technologists are just beginning to figure out how to design them so they can be relied on not to lose people’s money, and—as a new survey of Ethereum smart contracts illustrates—security researchers are only now coming to terms with what a smart-contract vulnerability even looks like.

  • GitHub Survived the Biggest DDoS Attack Ever Recorded

    On Wednesday, at about 12:15 pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.

    GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.

  • It's begun: 'First' IPv6 denial-of-service attack puts IT bods on notice

    What's claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.

    Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar's SiteProtect DDoS protection service when he realized there were "packets coming from IPv6 addresses to an IPv6 host."

    The attack wasn't huge – unlike this week's record-breaking 1.35Tbps attack on GitHub – and it wasn't using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.

Security: Updates, UEFI 'Secure' Boot, ​Memcached DDoS, Security in the Modern Data Center and the Latest FOSS From Sonatype

Filed under
Security
  • Security updates for Friday
  • [Slackware] Security updates for OpenJDK 7 and 8
  • The Linux Kernel Prepares To Be Further Locked Down When Under UEFI Secure Boot

    For more than the past year we have reported on kernel work to further lock down the Linux kernel with UEFI Secure Boot and it's looking now like that work may finally be close to being mainlined.

    Among the further restrictions that would be placed on the Linux kernel when running with UEFI Secure Boot enabled is blocking access to kernel module parameters that end up dealing with hardware settings, blocking access to some areas of /dev that could manipulate the kernel or hardware state, etc.

  • ​Memcached DDoS: The biggest, baddest denial of service attacker yet

    We've been seeing a rise of ever bigger Distributed Denial of Service (DDoS) attacks for years now. But, now a new attack method, Memcrashed, can blast your site with over a terabyte of traffic. Good luck standing up to that volume of abuse!

    Memcrashed works by exploiting the memcached program. Memcached is an open-source, high-performance, distributed, object-caching system. It's commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data. It's the program that enables them to handle their massive data I/O. It's also used by many to cache their web-server-session data to speed up their sites -- and that's where the trouble starts.

  • Security in the Modern Data Center
  • One in Eight Open Source Components Contain Flaws [Ed: What about proprietary software? Not worth ever debating in the media? Phil Muncaster uses dramatic headline as a form of marketing for Sonatype.]

    For example, 145,000 downloads of vulnerable versions of Apache Commons Collections were recorded in the UK in 2017 – vulnerabilities connected to ransomware attacks in the wild.
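
Two excerpts on this page describe the same mechanism: the Krebs passage under "Powerful New DDoS Method Adds Extortion" (UDP, no authentication, spoofed source, amplification) and the ZDNet "Memcrashed" item. The following Python is an added example, not code from either article or from the memcached project. It builds and parses memcached's 8-byte UDP frame header (request id, sequence number, total datagrams, reserved; all 16-bit big-endian, as memcached's protocol.txt specifies), fragments a large reply the way the server does, and computes bytes emitted per byte received. The `get` request, the 100 KiB cached value and the 1400-byte per-datagram payload limit are constructed for the example, not captured traffic.

```python
import struct

# memcached UDP frame header (protocol.txt): request id, sequence number,
# total datagrams in this message, reserved. Four 16-bit big-endian fields.
FRAME = struct.Struct(">HHHH")
MAX_PAYLOAD = 1400  # assumed payload bytes per datagram, keeps frames under a 1500-byte MTU


def build_request(command: bytes, request_id: int = 0) -> bytes:
    """A single-datagram request such as b'stats' or b'get k'.

    There is no authentication field anywhere in this frame; the source IP
    is the only 'identity' the server sees, and that is what gets spoofed."""
    return FRAME.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_frame(datagram: bytes) -> dict:
    """Split one datagram into header fields and payload, rejecting junk."""
    if len(datagram) < FRAME.size:
        raise ValueError("datagram shorter than the 8-byte frame header")
    request_id, seq, total, reserved = FRAME.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("malformed frame header")
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[FRAME.size:]}


def split_response(payload: bytes, request_id: int) -> list:
    """Server side: a reply larger than one datagram goes out as `total` frames
    sharing one request id. This fan-out is the amplification."""
    chunks = [payload[i:i + MAX_PAYLOAD]
              for i in range(0, len(payload), MAX_PAYLOAD)] or [b""]
    return [FRAME.pack(request_id, i, len(chunks), 0) + c
            for i, c in enumerate(chunks)]


def reassemble(datagrams: list) -> bytes:
    """Client side: order the frames of one reply and check none are missing
    (UDP reorders and drops; memcached itself never retransmits)."""
    frames = [parse_frame(d) for d in datagrams]
    rid, total = frames[0]["request_id"], frames[0]["total"]
    by_seq = {}
    for f in frames:
        if f["request_id"] != rid or f["total"] != total:
            raise ValueError("frames belong to different replies")
        by_seq[f["seq"]] = f["payload"]
    if set(by_seq) != set(range(total)):
        raise ValueError("missing datagrams")
    return b"".join(by_seq[i] for i in range(total))


def amplification_factor(request: bytes, response_datagrams: list) -> float:
    """Bytes the reflector emits per byte the attacker sends (UDP payloads only)."""
    return sum(len(d) for d in response_datagrams) / len(request)


# Constructed sample: one 'get' for a key whose cached value is 100 KiB, the
# kind of value an attacker plants first when unauthenticated 'set' is open too.
if __name__ == "__main__":
    req = build_request(b"get k", request_id=7)
    value = b"A" * (100 * 1024)
    reply = b"VALUE k 0 %d\r\n" % len(value) + value + b"\r\nEND\r\n"
    frames = split_response(reply, request_id=7)
    assert reassemble(frames) == reply
    print(f"request {len(req)} bytes -> {len(frames)} datagrams, "
          f"{sum(map(len, frames))} bytes, x{amplification_factor(req, frames):.0f}")
```

With the constructed value the 15-byte request comes back as 74 datagrams, roughly 6,900 bytes emitted per byte sent; the spoofed source address in the Krebs excerpt is what points that fan-out at the victim. The fix on the server is to stop answering UDP at all: start memcached with `-U 0` (UDP off, which has been the default since 1.5.6) and bind it with `-l 127.0.0.1` or a private address, then confirm from outside the network that 11211/udp no longer answers a `stats` request.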

What's New in Qubes 4

Filed under
OS
Security

I've been using Qubes as my primary desktop for more than two years, and I've written about it previously in my Linux Journal column, so I was pretty excited to hear that Qubes was doing a refactor of its own in the new 4.0 release. As with most refactors, this one caused some past features to disappear throughout the release candidates, but starting with 4.0-rc4, the release started to stabilize with a return of most of the features Qubes 3.2 users were used to. That's not to say everything is the same. In fact, a lot has changed both on the surface and under the hood.

Although Qubes goes over all of the significant changes in its Qubes 4 changelog, instead of rehashing every low-level change, I want to highlight just some of the surface changes in Qubes 4 and how they might impact you whether you've used Qubes in the past or are just now trying it out.


Security: FOSS Updates, PS4 and Media Trying to Associate FOSS With Crime

Filed under
Security

Security: ARPAnet, Android, Intel, Cryptojacking and More

Filed under
Security
  • "Nobody cared about security"

    In the long run, however, the more significant reason why the ARPAnet and early Internet lacked security was not that it wasn't needed, nor that it would have made development of the network harder, it was that implementing security either at the network or the application level would have required implementing cryptography. At the time, cryptography was classified as a munition. Software containing cryptography, or even just the hooks allowing cryptography to be added, could only be exported from the US with a specific license. Obtaining a license involved case-by-case negotiation with the State Department. In effect, had security been a feature of the ARPAnet or the early Internet, the network would have to have been US-only. Note that the first international ARPAnet nodes came up in 1973, in Norway and the UK.

  • ​The 10 best ways to secure your Android phone

    The most secure smartphones are Android smartphones. Don't buy that? Apple's latest version of iOS 11 was cracked a day -- a day! -- after it was released.

    So Android is perfect? Heck no!

    Android is under constant attack and older versions are far more vulnerable than new ones. Way too many smartphone vendors still don't issue Google's monthly Android security patches in a timely fashion, or at all. And, zero-day attacks still pop up.

  • Not Getting Android OS Updates? Here’s How Google Is Updating Your Device Anyway

    Android updates are still a point of contention among die-hard fans, because most manufacturers don’t keep updated with the latest offerings from Google. But just because your phone isn’t getting full OS updates doesn’t mean it’s totally out of date.

    While some major features still require full version updates, Google has a system in place that keeps many handsets at least somewhat relevant with Google Play Services. The company can squash certain bugs and even introduce new features just by updating Play Services.

  • Intel Finally Releases Spectre Patches for Broadwell and Haswell Processors
  • How to Defend Servers Against Cryptojacking

    Cryptojacking has become one of the most active and pervasive threats in recent years. In a cryptojacking attack, a cryptocurrency mining script is injected into a server or a webpage to take advantage of the victim system's CPU power.

  • 8 Startups Raise Money to Secure Everything From ICS to Home Networks
  • Sonatype Makes Nexus Firewall Available to 10 Million Developers

Security: Updates, Open Source Security Podcast, PGP, and 'DevSecOps'

Filed under
Security

Security: “Medjacking”, Exploding e-Cigarettes, and Linux FUD

Filed under
Security
  • “Medjacked”: Could Hackers Take Control of Pacemakers and Defibrillators—or Their Data?

    Are high-tech medical devices vulnerable to hacks? Hackers have targeted them for years, according to a new article in the Journal of the American College of Cardiology. But Dr. Dhanunjaya Lakkireddy, senior author of the paper, says hackers have harmed no one so far.

  • Exploding e-Cigarettes Are a Growing Danger to Public Health

    Whatever their physiological effects, the most immediate threat of these nicotine-delivery devices comes from a battery problem called thermal runaway

    [...]

    Exploding cigarettes sound like a party joke, but today’s version isn’t funny at all. In fact, they are a growing danger to public health. Aside from mobile phones, no other electrical device is so commonly carried close to the body. And, like cellphones, e-cigarettes pack substantial battery power. So far, most of the safety concerns regarding this device have centered on the physiological effects of nicotine and of the other heated, aerosolized constituents of the vapor that carries nicotine into the lungs. That focus now needs to be widened to include the threat of thermal runaway in the batteries, especially the lithium-ion variety.

  • Uh, oh! Linux confuses Bleeping Computer again

    The tech website Bleeping Computer, which carries news about security and malware, has once again demonstrated that when it comes to Linux, its understanding of security is somewhat lacking.

    What makes the current case surprising is the fact that the so-called security issue which the website chose to write about had already been ripped to pieces by senior tech writer Stephen Vaughan-Nicholls four days earlier.

    Called Chaos, the vulnerability was touted by a firm known as GoSecure as one that would allow a backdoor into Linux servers through SSH.

  • Are Mac and Linux users safe from ransomware?

    Ransomware is currently not much of a problem for Linux systems. A pest discovered by security researchers is a Linux variant of the Windows malware ‘KillDisk’. However, this malware has been noted as being very specific; attacking high profile financial institutions and also critical infrastructure in Ukraine. Another problem here is that the decryption key that is generated by the program to unlock the data is not stored anywhere, which means that any encrypted data cannot be unlocked, whether the ransom is paid or not. Data can still sometimes be recovered by experts like Ontrack, however timescales, difficulty and success rates depend on the exact situation and strain of ransomware.


More in Tux Machines

Events: Video Conferences, Code.gov, and LibreOffice

  • How to video conference without people hating you
    What about an integrated headset and microphone? This totally depends on the type. I tend to prefer the full sound of a real microphone but the boom mics on some of these headsets are quite good. If you have awesome headphones already you can add a modmic to turn them into headsets. I find that even the most budget dedicated headsets sound better than earbud microphones.
  • Learn about the open source efforts of Code.gov at this event
    The U.S. government has a department looking to spread open source projects, and members will be in Baltimore this week. Code.gov is looking to promote reuse of open source code within the government to cut down on duplicating development work, and spread use of the code throughout the country. At an April 26 event at Spark Baltimore, team members from Code.gov, the U.S. Department of Transportation and the Presidential Innovation Fellowship are among those invited to be at a meetup to share more. Held from 12-3 p.m., the event will feature talks from the invited guests about what they’re working on and Federal Source Code Policy, as well as how it can apply locally, said organizing team member Melanie Shimano.
  • LibreOffice Conference 2018 Takes Place in Tirana, Albania, for LibreOffice 6.1
    While working on the next major LibreOffice release, The Document Foundation is also prepping for this year's LibreOffice Conference, which will take place this fall in Albania. The LibreOffice Conference is the perfect opportunity for new and existing LibreOffice developers, users, supporters, and translators, as well as members of the Open Source community to meet up, share their knowledge, and plan the new features of the next major LibreOffice release, in this case LibreOffice 6.1, due in mid August 2018. A call for papers was announced over the weekend as The Document Foundation wants you to submit proposals for topics and tracks, along with a short description of yourself for the upcoming LibreOffice Conference 2018 event, which should be filed no later than June 30, 2018. More details can be found here.
  • LibreOffice Conference Call for Paper
    The Document Foundation invites all members and contributors to submit talks, lectures and workshops for this year’s conference in Tirana (Albania). The event is scheduled for late September, from Wednesday 26 to Friday 28. Whether you are a seasoned presenter or have never spoken in public before, if you have something interesting to share about LibreOffice or the Document Liberation Project, we want to hear from you!

GitLab Web IDE

  • GitLab Web IDE Goes GA and Open-Source in GitLab 10.7
    GitLab Web IDE, aimed at simplifying the workflow of accepting merge requests, is generally available in GitLab 10.7, along with other features aimed at improving C++ and Go code security and improving Kubernetes integration. The GitLab Web IDE was initially released as a beta in GitLab 10.4 Ultimate with the goal of streamlining the workflow to contribute small fixes and to resolve merge requests without requiring the developer to stash their changes and switch to a new branch locally, then back. This could be of particular interest to developers who have a significant number of PRs to review, as well as to developers starting their journey with Git.
  • GitLab open sources its Web IDE
    GitLab has announced its Web IDE is now generally available and open sourced as part of the GitLab 10.7 release. The Web IDE was first introduced in GitLab Ultimate 10.4. It is designed to enable developers to change multiple files, preview Markdown, review changes and commit directly within a browser. “At GitLab, we want everyone to be able to contribute, whether you are working on your first commit and getting familiar with git, or an experienced developer reviewing a stack of changes. Setting up a local development environment, or needing to stash changes and switch branches locally, can add friction to the development process,” Joshua Lambert, senior product manager of monitoring and distribution at GitLab, wrote in a post.

Record Terminal Activity For Ubuntu 16.04 LTS Server

At times system administrators and developers need to use many complex and lengthy commands in order to perform a critical task. Most users copy those commands and the output they generate into a text file for review or future reference. Of course, the shell's "history" feature will give you the list of commands used in the past, but it won't give you the output those commands produced.

Linux Kernel Maintainer Statistics

As part of preparing my last two talks at LCA on the kernel community, “Burning Down the Castle” and “Maintainers Don’t Scale”, I have looked into how the Kernel’s maintainer structure can be measured. One very interesting approach is looking at the pull request flows, for example done in the LWN article “How 4.4’s patches got to the mainline”. Note that in the linux kernel process, pull requests are only used to submit development from entire subsystems, not individual contributions. What I’m trying to work out here isn’t so much the overall patch flow, but focusing on how maintainers work, and how that’s different in different subsystems. Read more