Security

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Latvia's e-health system hit by cyberattack from abroad

    Latvia said its new e-health system was on Tuesday hit by a large-scale cyberattack that saw thousands of requests for medical prescriptions pour in per second from more than 20 countries in Africa, the Caribbean and the European Union.

    No data was compromised, according to health officials, who immediately took down the site, which was launched earlier this month to streamline the writing of prescriptions in the Baltic state.

    "It is clear that it was a planned attack, a widespread attack—we might say a specialised one—as it emanated from computers located in various different countries, both inside the European Union and outside Europe," state secretary Aivars Lapins told reporters.

    "We received thousands of requests in a very short space of time. That's not the normal way the system works," he said, adding that an investigation is under way.

  • Linux Lite Developer Creates Automated Spectre/Meltdown Checker for Linux OSes

    The developer of the Ubuntu-based Linux Lite distribution has created a script that makes it easier for Linux users to check if their systems are vulnerable to the Meltdown and Spectre security flaws.

    As we reported last week, developer Stéphane Lesimple created an excellent script that would check if your Linux distribution's kernel is patched against the Meltdown and Spectre security vulnerabilities that were publicly disclosed earlier this month and put billions of devices at risk of attacks.

  • Purism Releases Meltdown and Spectre Patches for Its Librem Linux Laptops

    Purism, the computer technology company behind the privacy-focused, Linux-based Librem laptops and the upcoming smartphone, released patches for the Meltdown and Spectre security vulnerabilities.

    The company was one of the first Linux OEMs and OS vendors to announce that it's working on addressing both the Meltdown and Spectre security exploits on its Linux laptops. Meltdown and Spectre were unearthed in early January and they are two severe hardware bugs that put billions of devices at risk of attacks.

  • Facebook Awards Security Researchers $880,000 in 2017 Bug Bounties

    Facebook is hardly a small organization, with large teams of engineers and security professionals on staff. Yet even Facebook has found that it can profit from expertise outside of the company, which is why the social networking giant has continued to benefit from its bug bounty program.

    In 2017, Facebook paid out $880,000 to security researchers as part of its bug bounty program. The average reward payout in 2017 was $1,900, up from $1,675 in 2016.

  • Multicloud Deployments Create Security Challenges, F5 Report Finds

OSS Leftovers and Security

Filed under
OSS
Security
  • How to get all the benefits of open source software

    Open source software continues its meteoric rise, as more and more large enterprises weave open source code into various areas of their operations, increasingly shunning the big-name, proprietary software vendors.

    In fact, according to open source software development company Sonatype, represented locally by 9TH BIT Consulting, 7,000 new open source software projects kick off around the world every week, while 70,000 new open source components are released. Accessing this massive ‘hivemind’ of software development expertise is a highly attractive prospect for CIOs and business managers in all industries.

  • What is open source?

    What is open source software and how do vendors make their money? We answer your questions

    Open source is the foundation of modern technology. Even if you don't know what it is, chances are you've already used it at least once today. Open source technology helped build Android, Firefox, and even the Apache HTTP server, and without it, the internet as we know it would simply not exist.

    The central idea behind open source is a simple one: many hands make light work. In short, the more people you have working on something, the quicker and easier it is to do. As it applies to software development, this means opening projects up to the public to let people freely access, read and modify the source code.

  • Open Source Initiative Announces New Partnership With Adblock Plus

    Adblock Plus, the most popular Internet ad blocker today, joins The Open Source Initiative® (OSI) as a corporate sponsor. Since its very first version, Adblock Plus has been an open source project that has developed into a successful business with over 100 million users worldwide. As such, the German company behind it, eyeo GmbH, has decided it is time to give back to the open source community.

    Founded in 1998, the OSI protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure. Adblock Plus is an open source project that aims to rid the Internet of annoying and intrusive online advertising. Its free web browser extensions (add-ons) put users in control by letting them block or filter which ads they want to see.

  • What if Open-Source Software Can Replace Dozens of Multi-Billion Dollar Companies? That is Exactly What Origin Protocol Wants to do Using Blockchain
  • Bonitasoft gets cute on AWS for low-code BPM

    There has been an undeniable popularisation of so-called ‘low-code’ programming platforms.

    This is a strain of technology designed to provide automated blocks of functionality that can be brought together by non-technical staff to perform specific compute and analysis tasks to serve their own business objectives.

  • Red Hat Certification: for developers too!

    Red Hat’s certification program provides validation of IT professionals’ skills and knowledge using our subscription products. Red Hat’s certifications carry credibility in the market because they are all earned by taking one or more hands-on, practical exams that last multiple hours. Like most programs offered by technology vendors, our most familiar certifications are those for system administrators.

  • LXD Weekly Status #30

    The main highlight for this week was the inclusion of the new proxy device in LXD, thanks to the hard work of some University of Texas students!

    The rest of the time was spent fixing a number of bugs, working on various bits of kernel work, getting the upcoming clustering work to go through our CI process and preparing for a number of planning meetings that are going on this week.

  • GitHub Alternative SourceForge Vies for Comeback with Redesigned Site

    SourceForge wants to be more than just another GitHub alternative, but an additional repository for developers to utilize to help gain users.

  • The Clock Is Ticking for Chip Flaw Fixes to Start Working

    Cures for the pervasive Meltdown and Spectre chip flaws aren’t working, and hacks may soon be incoming.

  • Intel: No Financial Meltdown

    Yves here. It is telling that the very measured Bruegel website is pretty bothered that Intel looks likely to get away with relatively little in the way of financial consequences as a result of its Spectre and Meltdown security disasters. This is a marked contrast with Volkswagen, where the company paid huge fines and executives went to jail.

    However, it was the US that went after a foreign national champion. The US-dominated tech press is still frustratingly giving the Intel train wrecks paltry coverage relative to their importance.

  • CIP related work during the second half of 2017

    As you probably know by now, I have been involved in the Civil Infrastructure Project (CIP), a Linux Foundation Initiative formed in 2016, representing Codethink, a founder Member and coordinating the engineering work in two areas within the project:

Security Leftovers

Security: Updates, WordPress, Hardware Patches, and Open Source Security Podcast

  • Security updates for Tuesday
  • WordPress 4.9.2 Security and Maintenance Release

    WordPress 4.9.2 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

    An XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.

  • Debian-Based SolydXK Linux OS Receives Patch for Meltdown Security Vulnerability

    The Debian-based SolydXK Linux operating system has been updated today with patches for the Meltdown security vulnerability, as well as various other new features and improvements.

    To mitigate the Meltdown security exploit that allows a locally installed program to access the memory, including the kernel memory, and steal sensitive information like passwords and encryption keys, the SolydXK 201801 ISO images are now powered by the latest kernel release with patches against this vulnerability.

  • Chakra GNU/Linux Now Patched Against Meltdown & Spectre Security Vulnerabilities

    It's time for users of the Chakra GNU/Linux operating system to patch their systems against the Meltdown and Spectre security vulnerabilities as new kernel updates landed today in the repos.

    Publicly disclosed earlier this month, the Meltdown and Spectre security vulnerabilities are affecting us all, but OS vendors and OEMs are trying their best to mitigate them so that no user can be the victim of attacks where their sensitive data is at risk of getting in the hands of the wrong person.

  • Open Source Security Podcast: Episode 78 - Risk lessons from Hawaii

Security: Hospital With Windows, Reproducible Builds, Intel, Transmission and More

  • Hospital [sic] sent offline as hackers infect systems with ransomware, demand payment [iophk: "Windows"]
  • Reproducible Builds: Weekly report #142
  • Spectre and Meltdown patches causing trouble as realistic attacks get closer

    Applications, operating systems, and firmware all need to be updated to defeat Meltdown and protect against Spectre, two attacks that exploit features of high-performance processors to leak information and undermine system security. The computing industry has been scrambling to respond after news of the problem broke early a few days into the new year.

    But that patching is proving problematic. The Meltdown protection is revealing bugs or otherwise undesirable behavior in various drivers, and Intel is currently recommending that people cease installing a microcode update it issued to help tackle the Spectre problem. This comes as researchers are digging into the papers describing the issues and getting closer to weaponizing the research to turn it into a practical attack. With the bad guys sure to be doing the same, real-world attacks using this research are sure to follow soon.

  • Finnish firm detects new Intel security flaw

    A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

    F-Secure said in a statement that the flaw had nothing to do with the "Spectre" and "Meltdown" vulnerabilities recently found in the micro-chips that are used in almost all computers, tablets and smartphones today.

    Rather, it was an issue within Intel Active Management Technology (AMT), "which is commonly found in most corporate laptops, (and) allows an attacker to take complete control over a user's device in a matter of seconds," the cybersecurity firm said.

  • What is RubyMiner? New malware found targeting Windows and Linux servers to mine cryptocurrency
  • BitTorrent flaw could let hackers take control of Windows, Linux PCs

    According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarily ignore.

  • BitTorrent critical flaw allows hackers to remotely control users' computers

    A critical flaw in the popular Transmission BitTorrent app could allow hackers to remotely control users' computers. The flaw, uncovered by Google Project Zero security researchers, allows websites to execute malicious code on users' devices. Researchers also warned that BitTorrent clients could be susceptible to attacks as well if the flaw is leveraged.

Security: Purism, Intel, Wi-Fi, iOS

  • Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops

    Purism has released a patch for Meltdown (CVE-2017-5754, aka variant 3) as part of PureOS, and includes this latest PureOS image as part of all new Librem laptop shipments. Purism is also providing a microcode update for Intel processors to address Spectre variant 2 (CVE-2017-5715).

  • Intel Fumbles Its Patch for Chip Flaw

    Intel is quietly advising some customers to hold off installing patches that address new security flaws affecting virtually all of its processors. It turns out the patches had bugs of their own.

  • Wi-Fi Alliance announces WPA3 to secure modern networks

    The Consumer Electronics Show (CES) is an odd place to announce an enterprise product, but the Wi-Fi Alliance used the massive trade show — which has more or less taken over where Comdex left off — to announce a major upgrade to Wi-Fi security.

    The alliance announced the Wi-Fi Protected Access 3 (WPA3), a new standard of Wi-Fi security that greatly increases the security capabilities of the wireless standard. WPA2, which is the current standard in wireless security, has been around for 14 years, so this is way overdue.

  • More iOS 11 Jailbreak Tweaks Could Be Released by the Weekend

    The Electra jailbreak tool is better than LiberiOS because it comes with Substitute. This is the alternative to Cydia substrate that was first developed by Comex. This would allow users to install and use jailbreak tweaks compatible with iOS 11.

Security: Updates, Secure Contexts, RubyMiner, ZAP, Transmission, AMD

  • Security updates for Monday
  • Secure Contexts Everywhere

    Since Let’s Encrypt launched, the Secure Contexts specification has become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features on insecure contexts. All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP.

  • Linux and Windows Servers Targeted with RubyMiner Malware

    Security researchers have spotted a new strain of malware being deployed online. Named RubyMiner, this malware is a cryptocurrency miner spotted going after outdated web servers.

    According to research published by Check Point and Certego, and information received by Bleeping Computer from Ixia, attacks started on January 9-10, last week.

  • Virtual currency miners target web servers with malware
  • ZAP provides automated security tests in continuous integration pipelines

    Commonly, a mixture of open source and expensive proprietary tools are shoehorned into a pipeline to perform tests on nightly as well as ad hoc builds. However, anyone who has used such tests soon realizes that the maturity of a smaller number of time-honored tests is sometimes much more valuable than the extra detail you get by shoehorning too many tests into the pipe then waiting three hours for a nightly build to complete. The maturity of your battle-hardened tests is key.

  • BitTorrent users beware: Flaw lets hackers control your computer

    There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

    [...]

    Among the things an attacker can do is change the Torrent download directory to the user's home directory. The attacker could then command Transmission to download a Torrent called ".bashrc" which would automatically be executed the next time the user opened a bash shell. Attackers could also remotely reconfigure Transmission to run any command of their choosing after a download has completed. Ormandy said the exploit is of "relatively low complexity, which is why I'm eager to make sure everyone is patched."

  • AMD Releases Linux and Windows Patches for Two Variants of Spectre Vulnerability

    AMD has published a press announcement on Thursday to inform its customers that it released patches for two variants of the Spectre security vulnerability disclosed to the public earlier this month.

  • 'Shift Left': Codifying Intuition into Secure DevOps

    Continuous delivery (CD) is becoming the cornerstone of modern software development, enabling organizations to ship — in small increments — new features and functionality to customers faster to meet market demands. CD is achieved by applying DevOps practices and principles (continuous integration and continuous deployment) from development to operations. There is no continuous delivery without implementing DevOps practices and principles. By that, I mean strong communication and collaboration across teams, and automation across testing, build, and deployment pipelines. But often achieving continuous delivery to meet market demands presents numerous challenges for security.

Security: Patching of GNU/Linux Distros

Filed under
GNU
Linux
Security

Security: Meltdown and Spectre, GPG and SSH, Mageia Updates

  • Beware! Fake Spectre & Meltdown Patches Are Infecting PCs With “Smoke Loader” Malware [Ed: Welcome to Microsoft Windows]

    One of the most common tactics employed by notorious cybercriminals involves taking advantage of the popular trends and creating fraudulent websites/apps to trick users. It looks like some of the players have tried to exploit the confusion surrounding Meltdown and Spectre CPU bugs.

    Forget buggy updates which are causing numerous problems to the users, Malwarebytes has spotted a fake update package that installs malware on your computer. The firm has identified a new domain that’s full of material on how Meltdown and Spectre affect CPUs.

    [...]

    The fake file in the archive is Intel-AMD-SecurityPatch-10-1-v1.exe.

  • An update on ongoing Meltdown and Spectre work

    Last week, a series of critical vulnerabilities called Spectre and Meltdown were announced. Because of the nature of these issues, the solutions are complex and require fixing delicate code. The fixes for Meltdown are mostly underway. The Meltdown fix for x86 is KPTI. KPTI has been merged into the mainline Linux tree and many stable trees, including the ones Fedora uses. Fixes for other arches are close to being done and should be available soon. Fixing Spectre is more difficult and requires fixes across multiple areas.

    Similarly to Meltdown, Spectre takes advantage of speculation done by CPUs. Part of the fix for Spectre is disallowing the CPU to speculate in particular vulnerable sequences. One solution developed by Google and others is to introduce “retpolines” which do not allow speculation. A sequence of code that might allow dangerous speculation is replaced with a “retpoline” which will not speculate. The difficult part of this solution is that the compiler needs to be aware of where to place a retpoline. This means a complete solution involves the compiler as well.

  • CPU microcode update code for amd64
  • Using a Yubikey for GPG and SSH
  • Inspect curl’s TLS traffic

    Since a long time back, the venerable network analyzer tool Wireshark (screenshot above) has provided a way to decrypt and inspect TLS traffic when sent and received by Firefox and Chrome.

  • Mageia Weekly Roundup 2018 – Week 2

    The year is definitely under way, with an astonishing 412 packages coming through commits – mostly for cauldron, but a few are the last remaining updates for Mageia 5, as well as important security updates for Mageia 6.

    Among those updates are all the kernel and microcode updates – our thanks to tmb and our untiring devs for these – to begin hitting Meltdown and Spectre on the head.

    A big hand for the upstream kernel team, as well as our own packagers, QA testers and everyone else that was involved in getting this tested and released.

Linspire, Freespire and Black Lab Enterprise Linux Patched

Filed under
GNU
Linux
Security
  • Linspire 7.0.1 and Freespire 3.0.1 Released - Meltdown and Spectre fix

    This morning we have released Linspire 7.0.1 and Freespire 3.0.1. With this release we have addressed the Meltdown and Spectre vulnerabilities in Intel Processors. We have included no new features.

  • Black Lab Enterprise Linux 11.51 Released - Meltdown and Spectre Fix

    Today we have released Black Lab Enterprise Linux 11.51. This release addresses the Meltdown and Spectre vulnerabilities in Intel Processors. We have included no new features. To apply the fix simply run your system updater and the fix will be applied.

    This update has been thoroughly tested and does not cause any issues or malfunctions.

  • At CES, Spectre haunted tech executives in public and private meetings

    Despite being drenched and briefly thrust into darkness, the largest annoyance for many top tech executives at CES was the shadow of Spectre.

    The world’s largest electronics show immediately careened toward the twin maladies dubbed Spectre and Meltdown, potentially exploitable weaknesses in the brains of PCs and servers world-wide.

More in Tux Machines

Arch Linux vs. Antergos vs. Clear Linux vs. Ubuntu Benchmarks

Last week when sharing the results of tweaking Ubuntu 17.10 to try to make it run as fast as Clear Linux, it didn't take long for Phoronix readers to share their opinions on Arch Linux and the request for some optimized Arch Linux benchmarks against Clear Linux. Here are some results of that testing so far in carrying out a clean Arch Linux build with some basic optimizations compared to using Antergos Minimal out-of-the-box, Ubuntu Server, and Clear Linux. Tests this time around were done on the Intel Core i9 7980XE system with ASUS PRIME X299-A motherboard, 4 x 4GB DDR4-3200 Corsair memory, GeForce GTX 750, and Corsair Force MP500 120GB NVMe solid-state drive. The system with 18 cores / 36 threads does make for quick and easy compiling of many Linux packages.

Mozilla Leftovers

  • Making WebAssembly even faster: Firefox’s new streaming and tiering compiler
    People call WebAssembly a game changer because it makes it possible to run code on the web faster. Some of these speedups are already present, and some are yet to come. One of these speedups is streaming compilation, where the browser compiles the code while the code is still being downloaded. Up until now, this was just a potential future speedup. But with the release of Firefox 58 next week, it becomes a reality. Firefox 58 also includes a new 2-tiered compiler. The new baseline compiler compiles code 10–15 times faster than the optimizing compiler.
  • Firefox Telemetry Use Counters: Over-estimating usage, now fixed
    Firefox Telemetry records the usage of certain web features via a mechanism called Use Counters. Essentially, for every document that Firefox loads, we record a “false” if the document didn’t use a counted feature, and a “true” if the document did use that counted feature.
  • Firefox 58 new contributors
  • Giving and receiving help at Mozilla
    This is going to sound corny, but helping people really is one of my favorite things at Mozilla, even with projects I have mostly moved on from. As someone who primarily works on internal tools, I love hearing about bugs in the software I maintain or questions on how to use it best. Given this, you might think that getting in touch with me via irc or slack is the fastest and best way to get your issue addressed. We certainly have a culture of using these instant-messaging applications at Mozilla for everything and anything. Unfortunately, I have found that being “always on” to respond to everything hasn’t been positive for either my productivity or mental health. My personal situation aside, getting pinged on irc while I’m out of the office often results in stuff getting lost — the person who asked me the question is often gone by the time I return and am able to answer.
  • Friend of Add-ons: Trishul Goel
    Our newest Friend of Add-ons is Trishul Goel! Trishul first became involved with Mozilla five years ago when he was introduced to the Firefox OS smartphone. As a JavaScript developer with an interest in Mozilla’s mission, he looked for opportunities to get involved and began contributing to SUMO, L10n, and the Firefox OS Marketplace, where he contributed code and developed and reviewed apps. After Firefox OS was discontinued as a commercial product, Trishul became interested in contributing to Mozilla’s add-ons projects. After landing his first code contributions to addons.mozilla.org (AMO), he set about learning how to develop extensions for Firefox using WebExtensions APIs. Soon, he began sharing his knowledge by leading and mentoring workshops for extension developers as part of Mozilla’s “Build Your Own Extension” Activate campaign.

24-Way NVIDIA/AMD GPU Benchmarks With X-Plane 11

With the next update to X-Plane 11 introducing VR support, I have renewed interest in this realistic, cross-platform flight simulator. It's been a few years since we last delivered any benchmarks with X-Plane, but for your viewing pleasure today is an assortment of 24 graphics cards both old and new, low-end to high-end from NVIDIA and AMD in looking at how this flight simulator is running on Ubuntu Linux.

Librem 5 Privacy-Focused Linux Phone Crowdfunding Campaign Ends with $2 Million

Librem 5 was successfully crowdfunded about two weeks ago when it surpassed its goal of $1.5 million, but the campaign continued to run, and now it appears to have gathered half a million dollars more, ending with $2 million, which we believe is more than enough to build the world's first truly free mobile device. Powered by PureOS, Purism's own GNU/Linux distribution based on the popular Debian GNU/Linux operating system, but focused on offering users a privacy-focused and more secure desktop solution, Librem 5 will be using KDE's Plasma Mobile and GNOME's GNOME Shell user interfaces, along with powerful open source software.