Security

Happy 15th Birthday Red Hat Product Security

Filed under
Red Hat
Security

This summer marked 15 years since we founded a dedicated Product Security team for Red Hat. While we often publish information in this blog about security technologies and vulnerabilities, we rarely give an introspection into the team itself. So I’d like, if I may, to take you on a little journey through those 15 years and call out some events that mean the most to me; particularly what’s changed and what’s stayed the same. In the coming weeks some other past and present members of the team will be giving their anecdotes and opinions too. If you have a memory of working with our team, we’d love to hear about it: you can add a comment here or tweet me.

Security Leftovers

Filed under
Security
  • Alpine edge has switched to libressl

    We decided to replace openssl with libressl because we believe it is a better library. While OpenSSL is trying to fix the broken code, libressl has simply removed it.

  • German nuclear plant infected with computer viruses, operator says

    A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility’s operations because it is isolated from the internet, the station’s operator said on Monday.

    The Gundremmingen plant, located about 120 km northwest of Munich, is run by the German utility RWE.

    The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods, RWE said.

  • The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception'

    Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.

  • SourceClear Brings Secure Continuous Delivery to the Developer Workflow [Ed: I don't trust them; they're Microsoft connected with a negative track record]
  • Serious security: Three changes that could turn the tide on hackers

    The state of tech security is currently so dire that it feels like anything you have ever stored on a computer, or a company or government has ever stored about you, has already been hacked into by somebody.

  • Crypto needs more transparency, researchers warn

    Researchers at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely.

    The boffins also demonstrated again that 1,024-bit primes can no longer be considered secure, by publishing an attack using “special number field sieve” (SNFS) mathematics to show that an attacker could create a prime that looks secure, but isn't.

    Since the research is bound to get conspiracists over-excited, it's worth noting: their paper doesn't claim that any of the cryptographic primes it mentions have been back-doored, only that they can no longer be considered secure.

    “There are opaque, standardised 1024-bit and 2048-bit primes in wide use today that cannot be properly verified”, the paper states.

    Joshua Fried and Nadia Heninger (University of Pennsylvania) worked with Pierrick Gaudry and Emmanuel Thomé (INRIA at the University of Lorraine) on the paper, here.

    They call for 2,048-bit keys to be based on “standardised primes” using published seeds, because too many crypto schemes don't provide any way to verify that the seeds aren't somehow back-doored.

  • Is Let’s Encrypt the Largest Certificate Authority on the Web?

    By the time you read this, Let’s Encrypt will have issued its 12 millionth certificate, of which 6 million are active and unexpired. With these milestones, Let’s Encrypt now appears to us to be the Internet’s largest certificate authority—but a recent analysis by W3Techs said we were only the third largest. So in this post we investigate: how big is Let’s Encrypt, really?

Security News

Filed under
Security
  • Friday's security advisories
  • Metasploit eyeing Linux and usability improvements; iOS support uncertain

    Engineers at Rapid7, which owns the popular Metasploit penetration testing tool, are preparing a variety of enhancements for the ramp-up to version 5.0 in 2017.

    Metasploit evolved in 2003, Rapid7 acquired it from the original developers in 2009, and fourth-generation software debuted in 2011. Metasploit Pro is currently in version 4.2 and costs several thousand dollars for a license; Metasploit Framework, currently in version 4.12.33, is open source, officials explained.

  • Self-Checkout Skimmers Go Bluetooth

    This blog has featured several stories about payment card skimming devices designed to be placed over top of credit card terminals in self-checkout lanes at grocery stores and other retailers. Many readers have asked for more details about the electronics that power these so-called “overlay” skimmers. Here’s a look at one overlay skimmer equipped with Bluetooth technology that allows thieves to snarf swiped card data and PINs wirelessly using nothing more than a mobile phone.

    The rather crude video below shows a Bluetooth enabled overlay skimmer crafted to be slipped directly over top of Ingenico iSC250 credit card terminals. These Ingenico terminals are widely used at countless U.S.-based merchants; earlier this year I wrote about Ingenico overlay skimmers being found in self-checkout lanes at some WalMart locations.

  • 10-year-old OpenSSH vulnerability caught up in IoT DDoS attacks [iophk: "not an actual ssh problem despite the parrots"]

    The threat wranglers at Akamai have come up with something new for us to worry about, except that it isn't so much new as a decade old.

    An OpenSSH vulnerability is being used to fuel distributed denial-of-service (DDoS) attacks on the bloody Internet of Things (IoT).

    DDoS attacks are a constant pain, but attacks on the IoT are relatively new. A combination of the two would be a problem, unless you are the kind of company that makes its business discovering this kind of thing.

    "Researchers at Akamai have been monitoring the growth of attacks leveraging IoT devices," said Eric Kobrin, director of adversarial resilience at Akamai, in a blog post about the SSHowDowN Proxy.

  • a single byte write opened a root execution exploit

    As one of the maintainers of the c-ares project I’m receiving mails for suspected security problems in c-ares and this was such a one. In this case, the email with said subject came from an individual who had reported a ChromeOS exploit to Google.

    It turned out that this particular c-ares flaw was one important step in a sequence of necessary procedures that when followed could let the user execute code on ChromeOS from JavaScript – as the root user. I suspect that is pretty much the worst possible exploit of ChromeOS that can be done. I presume the reporter will get a fair amount of bug bounty reward for this.

Parrot Security 3.2 "CyberSloop" Ethical Hacking OS Is Out with Linux Kernel 4.7

Filed under
Security

Today, October 15, 2016, the ParrotSec team unleashed the second point release to the Debian-based Parrot Security 3.x GNU/Linux distribution designed for ethical hackers and security researchers.

Security News

Filed under
Security
  • Thursday's security updates
  • Guile security vulnerability w/ listening on localhost + port
  • Akamai Finds Longtime Security Flaw in 2 Million Devices

    It’s well known that the Internet of Things is woefully insecure, but the most shameful and frustrating part is that some of the vulnerabilities that are currently being exploited could have been eradicated years ago. Now evidence of how these bugs are being used in attacks is calling attention to security holes that are long overdue to be plugged.

    New research released this week from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices—routers, cable modems, satellite TV equipment, and DVRs—and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers—in industries like financial services, retail, hospitality, and gaming—have been targets of this attack.

    The exploited protocol, called Secure Shell (SSH), is commonly used to facilitate remote system access and can be implemented robustly. But many IoT manufacturers either don’t incorporate it or are oblivious to the best practices for SSH when setting up default configurations on their devices. As makers scramble to bring their products to market, these oversights sow widespread insecurity in the foundation of the Internet of Things.

  • IoT Devices as Proxies for Cybercrime

    However, WPS also may expose routers to easy compromise. Read more about this vulnerability here. If your router is among those listed as vulnerable, see if you can disable WPS from the router’s administration page. If you’re not sure whether it can be, or if you’d like to see whether your router maker has shipped an update to fix the WPS problem on their hardware, check this spreadsheet.

    Finally, the hardware inside consumer routers is controlled by software known as “firmware,” and occasionally the companies that make these products ship updates for their firmware to correct security and stability issues. When you’re logged in to the administrative panel, if your router prompts you to update the firmware, it’s a good idea to take care of that at some point. If and when you decide to take this step, please be sure to follow the manufacturer’s instructions to the letter: Failing to do so could leave you with an oversized and expensive paperweight.

    Personally, I never run the stock firmware that ships with these devices. Over the years, I’ve replaced the firmware in various routers I purchased with an open source alternative, such as DD-WRT (my favorite) or Tomato. These flavors generally are more secure and offer a much broader array of options and configurations. Again, though, before you embark on swapping out your router’s stock firmware with an open source alternative, take the time to research whether your router model is compatible, and that you understand and carefully observe all of the instructions involved in updating the firmware.

    Since October is officially National Cybersecurity Awareness Month, it probably makes sense to note that the above tips on router security come directly from a piece I wrote a while back called Tools for a Safer PC, which includes a number of other suggestions to help beef up your personal and network security.

  • Microsoft says hackers have exploited zero-days in Windows 10's Edge, Office, IE; issues fix

    Microsoft's October Patch Tuesday fixes dozens of critical flaws, among them five affecting Internet Explorer, Edge, and Office that have already been under attack.

    Tuesday's update addresses 49 vulnerabilities within 10 security bulletins. Five bulletins are rated as critical and concern remote code execution vulnerabilities affecting Edge, Internet Explorer, Adobe Flash Player, Office, Windows, and Skype for Business.

    According to Microsoft, there were four so-called zero-day flaws, or previously unknown bugs that were being exploited in the wild. However, none has been publicly disclosed before now.

    All these bugs serve as a reminder for users to be cautious when clicking on links or opening attachments from unknown sources.

  • Like it or not, here are ALL your October Microsoft patches

    Redmond kicks off the era of the force-fed security update

    [...]

    Microsoft is kicking off a controversial new security program this month by packaging all of its security updates into a single payload.

    The October security release introduces Redmond's new policy of bundling all security bulletins as one download. While more convenient for end users, who now get just one bundle, the move will irk many administrators, who had preferred to individually test and apply each patch to avoid compatibility problems.

Security News

Filed under
Security
  • Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier

    Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by built-in and script-defined PowerShell cmdlets. Microsoft's documentation claimed JEA was a security boundary so effective you did not need to worry about an attacker stealing and misusing the credentials of a JEA user.

    But every JEA role capability example I found Microsoft had published had vulnerabilities that could be exploited to obtain complete system administrative rights, most of them immediately, reliably, and without requiring any special configuration. I find it hard to believe most custom role capabilities created by system administrators in the wild are going to be more secure than these, given the track record of the functionally similar features in Linux, the non-obvious nature of vulnerabilities, and the importance of dangerous cmdlets to routine system troubleshooting and maintenance.

    I recommended Microsoft invert what their JEA articles and documentation said about security. Instead of leading with statements that JEA was a security barrier, users with JEA rights should not be considered administrators, and their credentials do not need to be protected like real administrators with a note that this may not be the case if you are not careful; Microsoft's JEA documentation should lead with statements that JEA should not be treated like a security barrier and users with JEA rights and their credentials should be tightly controlled exactly like normal administrators unless the role capabilities have been strictly audited by security professionals. Additionally, the README files and comments of their example role capabilities should start with stern reminders of this.

  • Thousands of internet-connected devices are a security disaster in the making

    The first problem: many IoT devices, like those cameras, are consumer-oriented, which means their owners don't have a security-conscious IT department. "Individuals do not have the purchasing power of a large corporation," says John Dickson, principal of Denim Group, "so they cannot demand security features or privacy protections that a large corporation can of a product or software vendor."

    PC Pitstop Vice President of Cyber Security Dodi Glenn points out that many IoT purchasers neglect basic security measures, failing to change passwords from obvious defaults. And even if they did want to secure their devices, there are limits to what they can do: "You can't secure these devices with antivirus applications."

  • A SSHowDowN in security: IoT devices enslaved through 12-year-old flaw

    In what researchers call the "Internet of Unpatchable Things," a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.

    The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.

  • Microsoft was unable to meaningfully improve the software

    Documents in a class-action lawsuit against Ford and its original MyFord Touch in-vehicle infotainment (IVI) system reveal that the company's engineers and even its top executive were frustrated with the problematic technology.

    The documents from the 2013 lawsuit show Ford engineers believed the IVI, which was powered by the SYNC operating system launched in 2010, might be "unsaleable" and even described a later upgrade as a "polished turd," according to a report in the Detroit News, which was confirmed by Computerworld.

    The SYNC OS was originally powered by Microsoft software. Microsoft continued releasing software revisions it knew were defective, according to the lawsuit.

    "In the spring of 2011, Ford hired Microsoft to oversee revisions, and hopefully the improvement, of the [software]. But ... Microsoft was unable to meaningfully improve the software, and Ford continued releasing revised software that it knew was still defective," the lawsuit states.

    Last week, a U.S. District Court judge certified the case as a class action.

  • Senator wants nationwide, all-mail voting to counter election hacks

    "It's not a question of if you're going to get hacked—it's when you're going to get hacked."

    Those were the words of Verizon CEO Lowell McAdam as he sought to assure investors last week that the company is still interested in purchasing Yahoo despite the massive data breach of Yahoo consumer accounts.

    Whether McAdam's words ring true for the hodgepodge of election systems across the US is anybody's guess. But in the wake of the Obama administration's announcement that the Russian government directed hacks on the Democratic National Committee and other institutions to influence US elections, a senator from Oregon says the nation should conduct its elections like his home state does: all-mail voting.

  • SourceClear Adds Atlassian Stack to Its Open Source Security Platform

    Open source security company SourceClear said it is integrating Atlassian’s suite of developer tools including Bitbucket Pipelines, JIRA Server, JIRA Cloud, and Bamboo into the company’s open source platform. The integration will result in automated security checks being a part of the developer workflow before they ship code.

Security News

Filed under
Security
  • Security updates for Tuesday
  • Systemd and Ubuntu users urged to update to patch Linux flaws

    Linux users should beware of a recently discovered systemd vulnerability that could shut down a system using a command short enough to send in a tweet, and Ubuntu users should update to new Linux kernel patches affecting supported operating systems.

    SSLMate founder and Linux administrator Andrew Ayer spotted the bug, which has the potential to kill a number of critical commands while making others unstable, according to Betanews.

  • Microsoft: No More Pick-and-Choose Patching

    Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

  • Ministry of Defence CIO – defending the data assets of the nation

    An interesting example of knowing what is actually important, such as being ‘secure’ does not mean pulling up drawbridges and never talking. It does seem possible that the MoD has lessons it can teach industry in building security defences in depth, using a wide range of tools, that then map onto the future world of mobile and cloud infrastructures.

Security News

Filed under
Security
  • Security advisories for Monday
  • Crash: how computers are setting us up for disaster

    When a sleepy Marc Dubois walked into the cockpit of his own aeroplane, he was confronted with a scene of confusion. The plane was shaking so violently that it was hard to read the instruments. An alarm was alternating between a chirruping trill and an automated voice: “STALL STALL STALL.” His junior co-pilots were at the controls. In a calm tone, Captain Dubois asked: “What’s happening?”

    Co-pilot David Robert’s answer was less calm. “We completely lost control of the aeroplane, and we don’t understand anything! We tried everything!”

    The crew were, in fact, in control of the aeroplane. One simple course of action could have ended the crisis they were facing, and they had not tried it. But David Robert was right on one count: he didn’t understand what was happening.

    As William Langewiesche, a writer and professional pilot, described in an article for Vanity Fair in October 2014, Air France Flight 447 had begun straightforwardly enough – an on-time take-off from Rio de Janeiro at 7.29pm on 31 May 2009, bound for Paris. With hindsight, the three pilots had their vulnerabilities. Pierre-Cédric Bonin, 32, was young and inexperienced. David Robert, 37, had more experience but he had recently become an Air France manager and no longer flew full-time. Captain Marc Dubois, 58, had experience aplenty but he had been touring Rio with an off-duty flight attendant. It was later reported that he had only had an hour’s sleep.

    Fortunately, given these potential fragilities, the crew were in charge of one of the most advanced planes in the world, an Airbus 330, legendarily smooth and easy to fly. Like any other modern aircraft, the A330 has an autopilot to keep the plane flying on a programmed route, but it also has a much more sophisticated automation system called fly-by-wire. A traditional aeroplane gives the pilot direct control of the flaps on the plane – its rudder, elevators and ailerons. This means the pilot has plenty of latitude to make mistakes. Fly-by-wire is smoother and safer. It inserts itself between the pilot, with all his or her faults, and the plane’s mechanics. A tactful translator between human and machine, it observes the pilot tugging on the controls, figures out how the pilot wanted the plane to move and executes that manoeuvre perfectly. It will turn a clumsy movement into a graceful one.

  • Canonical Patches New Linux Kernel Vulnerabilities in All Supported Ubuntu OSes

    Today, October 11, 2016, Canonical published several security advisories to inform Ubuntu users about new Linux kernel updates for their supported operating systems.

    Four new kernel vulnerabilities are affecting Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 14.04 LTS (Trusty Tahr) or later versions, and three affect the Ubuntu 12.04 LTS (Precise Pangolin) series of operating systems. They are also affecting the Ubuntu 16.04 LTS for Raspberry Pi 2 kernel.

    The first security flaw is an unbounded recursion in the Linux kernel's VLAN and TEB Generic Receive Offload (GRO) processing implementations, which could have allowed a remote attacker to crash the system through a denial of service or cause a stack corruption. It was discovered by Vladimír Beneš and affects Ubuntu 16.04 and 14.04.
