
Security

Security: The Microsoft Cyber Attack, VPNFilter, Compliance, Docker

Filed under
Security
  • « The Microsoft Cyber Attack » : a German Documentary from the ARD on Relations Between Microsoft and Public Administration Now Available in English

    On February 19th, 2018, the German public broadcaster (ARD) aired a documentary on Microsoft relations with public administrations. Part of the inquiry is about the Open Bar agreement between Microsoft and the French ministry of Defense, including interviews of French Senator Joëlle Garriaud-Maylam, Leïla Miñano, a journalist, and Étienne Gonnu of April.

    The documentary is now available in English thanks to Deutsche Welle (DW), the German public international broadcaster, on its YouTube channel dedicated to documentaries: The Microsoft Cyber Attack. It should be noted that April considers itself a Free software advocate, rather than an open source one, as the voice-over suggests.

  • VPNFilter UNIX Trojan – How to Remove It and Protect Your Network

    This article has been created to explain exactly what the VPNFilter malware is and how to secure your network against this massive infection by protecting your router as well as your computers.

    A new malware, going by the name of VPNFilter, has reportedly infected over 500 thousand router devices across the most widely used brands such as Linksys, MikroTik, NETGEAR as well as TP-Link, mostly used in homes and offices. The cyber-sec researchers at Cisco Talos have reported that the threat is real and it is live, even though the infected devices are under investigation at the moment. The malware reportedly has something to do with the BlackEnergy malware, which targeted multiple devices in Ukraine and Industrial Control Systems in the U.S. If you want to learn more about the VPNFilter malware and learn how you can remove it from your network plus protect your network, we advise that you read this article.

  • FBI: Reboot Your Router Now To Fight Malware That Affected 500,000 Routers
  • Compliance is Not Synonymous With Security

    While the upcoming GDPR compliance deadline will mark an unprecedented milestone in security, it should also serve as a crucial reminder that compliance does not equal security. Along with the clear benefits to be gained from upholding the standards enforced by GDPR, PCI DSS, HIPAA, and other regulatory bodies often comes a shift toward a more compliance-centric security approach. But regardless of industry or regulatory body, achieving and maintaining compliance should never be the end goal of any security program. Here’s why:

  • Dialing up security for Docker containers

    Docker containers are a convenient way to run almost any service, but admins need to be aware of the need to address some important security issues.

    Container systems like Docker are a powerful tool for system administrators, but Docker poses some security issues you won't face with a conventional virtual machine (VM) environment. For example, containers have direct access to directories such as /proc, /dev, or /sys, which increases the risk of intrusion. This article offers some tips on how you can enhance the security of your Docker environment.

OpenStack News/Leftovers

Filed under
OSS
Security
  • Canonical founder calls out OpenStack suppliers for ‘lack of focus’ on datacentre cost savings

    The OpenStack supplier community’s reluctance to prioritise the delivery of datacentre cost savings to their users could prove “fatal”, says Canonical co-founder Mark Shuttleworth.

  • OpenStack in transition

    OpenStack is one of the most important and complex open-source projects you’ve never heard of. It’s a set of tools that allows large enterprises ranging from Comcast and PayPal to stock exchanges and telecom providers to run their own AWS-like cloud services inside their data centers. Only a few years ago, there was a lot of hype around OpenStack as the project went through the usual hype cycle. Now, we’re talking about a stable project that many of the most valuable companies on earth rely on. But this also means the ecosystem around it — and the foundation that shepherds it — is now trying to transition to this next phase.

  • Free OpenStack Training Resources
  • How the OpenStack Foundation Is Evolving Beyond Its Roots

    The OpenStack Foundation is in a period of transition as it seeks to enable a broader set of open infrastructure efforts than just the OpenStack cloud project itself.

    In a video interview at the OpenStack Summit here, OpenStack Foundation Executive Director Jonathan Bryce and Chief Operating Officer Mark Collier discussed how the open-source organization is still thriving, even as corporate sponsorship changes and attendance at events declines.

    At the event, Collier said there were approximately 2,600 registered attendees, which is nearly half the number that came to the OpenStack Boston 2017 event. OpenStack's corporate sponsorship has also changed, with both IBM and Canonical dropping from the Platinum tier of membership.

Security: Updates, Browsers, Red Hat and Routers

Filed under
Security
  • Security updates for Friday
  • Ryzom falling: Remote code execution via the in-game browser

    Ryzom’s in-game browser is there so that you can open links sent to you without leaving the game. It is also used to display the game’s forum as well as various other web apps. The game even allows installing web apps that are created by third parties. This web browser is very rudimentary; it supports only a bunch of HTML tags and nothing fancy like JavaScript. But it compensates for that lack of functionality by running Lua code.

    You have to consider that the Lua programming language is what powers the game’s user interface. So letting the browser download and run Lua code allows for perfect integration between websites and the user interface; in many cases users won’t even be able to tell the difference. The game even uses this functionality to hot-patch the user interface and add missing features to older clients.

  • For Red Hat, security is a lifestyle, not a product

    Red Hat has a sterling reputation in Linux security circles. That means the company has a workable process for preventing problems and responding to them. Even if you don't use Linux, the Red Hat security approach has a lot going for it, and some of its practices might be worth adopting in your own shop.

  • How insecure is your router?

    Your router is your first point of contact with the internet. How much is it increasing your risk?

    [...]

    I'd love to pretend that once you've improved the security of your router, all's well and good on your home network, but it's not. What about IoT devices in your home (Alexa, Nest, Ring doorbells, smart lightbulbs, etc.?) What about VPNs to other networks? Malicious hosts via WiFi, malicious apps on your children's phones…?

    No, you won't be safe. But, as we've discussed before, although there is no such thing as "secure," it doesn't mean we shouldn't raise the bar and make it harder for the Bad Folks.™

Security: VPNFilter, Encryption in GNU/Linux, Intel CPU Bug Affecting rr Watchpoints

Filed under
Security
  • [Crackers] infect 500,000 consumer routers all over the world with malware

    VPNFilter—as the modular, multi-stage malware has been dubbed—works on consumer-grade routers made by Linksys, MikroTik, Netgear, TP-Link, and on network-attached storage devices from QNAP, Cisco researchers said in an advisory. It’s one of the few pieces of Internet-of-things malware that can survive a reboot. Infections in at least 54 countries have been slowly building since at least 2016, and Cisco researchers have been monitoring them for several months. The attacks drastically ramped up during the past three weeks, including two major assaults on devices located in Ukraine. The spike, combined with the advanced capabilities of the malware, prompted Cisco to release Wednesday’s report before the research is completed.

  • Do Not Use sha256crypt / sha512crypt - They're Dangerous

    I'd like to demonstrate why I think using sha256crypt or sha512crypt on current GNU/Linux operating systems is dangerous, and why I think the developers of GLIBC should move to scrypt or Argon2, or at least bcrypt or PBKDF2.

  • Intel CPU Bug Affecting rr Watchpoints

    I investigated an rr bug report and discovered an annoying Intel CPU bug that affects rr replay using data watchpoints. It doesn't seem to be hit very often in practice, which is good because I don't know any way to work around it. It turns out that the bug is probably covered by an existing Intel erratum for Skylake and Kaby Lake (and probably later generations, but I'm not sure), which I even blogged about previously! However, the erratum does not mention watchpoints and the bug I've found definitely depends on data watchpoints being set.

    I was able to write a stand-alone testcase to characterize the bug. The issue seems to be that if a rep stos (and probably rep movs) instruction writes between 1 and 64 bytes (inclusive), and you have a read or write watchpoint in the range [64, 128) bytes from the start of the writes (i.e., not triggered by the instruction), then one spurious retired conditional branch is (usually) counted. The alignment of the writes does not matter, and it's not related to speculative execution.

Security: Firefox Accounts, 'DevSecOps', VPNFilter, PassProtect, Reproducible Builds

Filed under
Security
  • Two-step authentication in Firefox Accounts
  • Firefox Finally Offers Two Factor Auth to Protect Your Passwords

    Mozilla is rolling out two factor authentication for Firefox accounts and if you sync passwords using Firefox Sync you should enable it immediately.

    The option for two factor authentication should show up in your Firefox account settings in a few weeks, but you can skip the wait by clicking this link. Do that and you should see the option for two-factor authentication, as shown above.

  • Now Make Your Firefox Account Safer With New Two Factor Authentication

    It seems that tech giants, finally, are gearing up to make portals more secure. In an announcement made yesterday, Mozilla has announced two-factor authentication for Firefox accounts. It is an optional security feature that will require entering an authentication code after signing in to your Firefox account with your credentials.

    The newly introduced two-step verification feature is based on the commonly used Time-based One-Time Password (TOTP) standard. Currently, the feature is available with Duo, Google Authenticator, and Authy. Users will need to install these apps to receive the authentication code.

  • Navigating the container security ecosystem

    SJ Technologies partnered with Sonatype for the DevSecOps Community 2018 Survey. The survey was wildly popular, receiving answers from more than 2,000 respondents representing a wide range of industries, development practices, and responsibilities. One-third of respondents (33%) came from the technology industry, and banking and financial services was the second most represented group (15%). 70% of all respondents were using a container registry. With so many respondents utilizing containers, a deeper dive into container security is in order.

  • New VPNFilter malware targets at least 500K networking devices worldwide
  • 500,000 Routers Are Infected With Malware and Potentially Spying On Users
  • 500,000 Routers In 54 Countries Hacked To Create Massive Botnet Army
  • PassProtect Tells You If Your Password Is Compromised

    A compromised password can’t protect you. PassProtect is a Chrome extension that notifies you whenever a password you enter is exposed, giving you the chance to change it.

    Data breaches happen all the time, and the result is usually a bunch of usernames and passwords floating around the web. Attackers use these lists to access accounts, so it’s important to change your passwords after a breach. Most users can’t keep track of it all, however.

    Which is where PassProtect comes in. Using data from Have I Been Pwned, Troy Hunt’s database of compromised passwords, PassProtect lets you know when a password you use was part of a recent breach.

  • PassProtect warns Chrome users when their username or passwords get pwned

    Data breaches happen all the time. When they do, it’s invariably bad, with countless people ensnared. The MySpace breach, for example, impacted nearly 360 million. LinkedIn impacted 165 million more. One tool helping to mitigate the aftermath is Okta’s new Chrome plugin, PassProtect.

  • Reproducible Builds: Weekly report #160

    This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Levente Polyak and Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Security: Updates, Kernel Mitigation (CPU Flaws) and FBI

Filed under
Security
  • Security updates for Wednesday
  • ARM64 Mitigation Posted For Spectre 4 / SSBD

    Following the Intel/AMD Spectre Variant 4 mitigation landing yesterday with "Speculative Store Bypass Disable" (SSBD) and then the POWER CPU mitigation landing today, ARM developers have posted their set of patches for 64-bit ARM CPUs to mitigate against this latest Spectre vulnerability around speculative execution.

  • Linux 4.9, 4.14, 4.16 Point Releases Bring SSBD For Spectre V4

    Greg Kroah-Hartman has today released the Linux 4.9.102, 4.14.43, and 4.16.11 kernels. Most notable about these stable release updates is Spectre Variant Four mitigation.

    Today's 4.9/4.14/4.16 point releases carry the Intel/AMD mitigation for Spectre V4, albeit the Intel support depends upon to-be-released microcode updates and is vulnerable by default, while for AMD processors SSB can be disabled via prctl and seccomp.

  • An Initial Look At Spectre V4 "Speculative Store Bypass" With AMD On Linux

    Yesterday the latest Spectre vulnerability was disclosed as Spectre Variant 4 also known as "Speculative Store Bypass" as well as the less talked about Spectre Variant 3A "Rogue System Register Read". Here are my initial tests of a patched Linux kernel on AMD hardware for Spectre V4.

    Landing yesterday into Linux 4.17 Git was Speculative Store Bypass Disable (SSBD) as the Linux-based mitigation on Intel/AMD x86 CPUs. Since then there has also been the POWER CPU SSBD implementation and pending patches for ARM64 CPUs.

  • Exclusive: FBI Seizes Control of Russian Botnet

    FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.

    The FBI counter-operation goes after “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election. On Wednesday security researchers at Cisco and Symantec separately provided new details on the malware, which has turned up in 54 countries including the United States.

Security Leftovers, Mostly 'Spectre' and 'Meltdown' Related

Filed under
Security
  • More Meltdown/Spectre Variants
  • Spectre V2 & Meltdown Linux Fixes Might Get Disabled For Atom N270 & Other In-Order CPUs

    There's a suggestion/proposal to disable the Spectre Variant Two and Meltdown mitigation by default with the Linux kernel for in-order CPUs.

    If you have an old netbook still in use, or one of the other once-popular devices powered by the Intel Atom N270 or other in-order processors, there may be some reprieve when upgrading kernels in the future: the Spectre/Meltdown mitigation would be disabled by default, since these CPUs aren't vulnerable to attack but having the mitigation in place can be costly performance-wise.

  • Linux 4.17 Lands Initial Spectre V4 "Speculative Store Bypass" For POWER CPUs

    Following yesterday's public disclosure of Spectre Variant Four, a.k.a. Speculative Store Bypass, the Intel/AMD mitigation work immediately landed while overnight the POWER CPU patch landed.

  • New Variant Of Spectre And Meltdown CPU Flaw Found; Fix Affects Performance
  • Ubuntu 18.04 LTS Gets First Kernel Update with Patch for Spectre Variant 4 Flaw

    Canonical released the first kernel security update for its Ubuntu 18.04 LTS (Bionic Beaver) operating system to fix a security issue that affects this release of Ubuntu and its derivatives.

    As you can imagine, the kernel security update patches the Ubuntu 18.04 LTS (Bionic Beaver) operating system against the recently disclosed Speculative Store Buffer Bypass (SSBB) side-channel vulnerability, also known as Spectre Variant 4 or CVE-2018-3639, which could let a local attacker expose sensitive information in vulnerable systems.

  • RHEL and CentOS Linux 7 Receive Mitigations for Spectre Variant 4 Vulnerability

    As promised earlier this week, Red Hat released software mitigations for all of its affected products against the recently disclosed Spectre Variant 4 security vulnerability that also affects its derivatives, including CentOS Linux.

    On May 21, 2018, security researchers from Google Project Zero and Microsoft Security Response Center publicly disclosed two new variants of the industry-wide issue known as Spectre, variants 3a and 4. The latter, Spectre Variant 4, is identified as CVE-2018-3639 and appears to have an important security impact on any Linux-based operating system, including all of Red Hat's products and their derivatives, such as CentOS Linux.

Openwashing and FOSS FUD

Filed under
OSS
Security
  • Release: The Winemakers Co-Op to Debut Collaborative Wine: Open-Source Chardonnay June 3
  • Facebook open sources Katran networking tool, outlines automation system called Vending Machine [Ed: When surveillance giants are engaging in openwashing campaigns (all the core code is secret and abuses people)...]
  • Facebook Open Sources Katran Load Balancer; Details Network Provisioning Tool
  • Security and Open Source: Open Source Components Save Time but Need to be Closely Monitored [Ed: After Black Duck, Snyk and White Source another anti-FOSS firm spreads its FUD to sell services; ads disguised as 'articles'. Many of them this month, flooding FOSS news.]

    Chris Wysopal, CTO of Veracode, said that “the universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit.”

  • Linux Redis Automated Mining For Worm Analysis and Safety Advice [Ed: Rather old an issue]

    Since the disclosure of the Redis unauthorized-access attack method for obtaining root authority on Linux systems, and because of its ease of use, the hacking behaviors of mining and scanning Linux services using this issue have been endless. Among the many cases of this problem being used to invade servers for black production, there is a class of mining that uses this problem and can automatically scan from the infected machine with pnscan. The attack has always been there, but it has recently shown a trend of increasing numbers; it has been captured many times, and we've been able to do a specific analysis of it.

  • Turla cyberespionage group switched to open-source malware [Ed: Crackers share code, so let's badmouth FOSS?]

    The Turla cyberespionage group has implemented some new tactics over the last few months incorporating some open-source exploitation tools instead of relying solely on their own creations to run campaigns.

    ESET researchers found that starting in March the Turla has been leveraging the open-source framework Metasploit to drop the group's proprietary Mosquito backdoor. The group has periodically used open-source hacking tools for other tasks, but ESET believes the group has never before used Metasploit as a first stage backdoor.

  • A Complete Beginner’s Guide to Not Getting Hacked

    Crackers are, so to speak, the evil hackers, although these very often also do not have the capabilities to live up to the descriptions in the media. Then there are the would-be hackers, also called ScriptKiddies, who use Trojans and pre-programmed programs to get into computers and do damage.

    “Kiddie” is derived from the English “kid” (child), since young people are often behind such attacks. Due to their young age and lack of experience, ScriptKiddies often do not even know what they are doing. Let me give you an example. I have seen ScriptKiddies that used methods for intruding into Windows NT machines try to break into a Linux machine. ScriptKiddies are often bored teenagers who try to have fun with the first tool they find. These tools are usually so simply built that practically any normal, somewhat educated user can operate them.

    [...]

    According to Blendrit, co-founder at Tactica “One thing is clear: this language culture is constantly evolving, and many words find their way into the media, where they have a completely different meaning. Just as our most famous word, “hacker”, has fared.”

Security Leftovers

Filed under
Security
  • efail: Outdated Crypto Standards are to blame

    I have a lot of thoughts about the recently published efail vulnerability, so I thought I'd start to writeup some of them. I'd like to skip all the public outrage about the disclosure process for now, as I mainly wanted to get into the technical issues, explain what I think went wrong and how things can become more secure in the future. I read lots of wrong statements that "it's only the mail clients" and the underlying crypto standards are fine, so I'll start by explaining why I believe the OpenPGP and S/MIME standards are broken and why we still see these kinds of bugs in 2018. I plan to do a second writeup that will be titled "efail: HTML mails are to blame".

    I assume most will have heard of efail by now, but the quick version is this: By combining a weakness in cryptographic modes along with HTML emails a team of researchers was able to figure out a variety of ways in which mail clients can be tricked into exfiltrating the content of encrypted e-mails. Not all of the attack scenarios involve crypto, but those that do exploit a property of encryption modes that is called malleability. It means that under certain circumstances you can do controlled changes of the content of an encrypted message.

    [...]

    Properly using authenticated encryption modes can prevent a lot of problems. It's been a known issue in OpenPGP, but until now it wasn't pressing enough to fix it. The good news is that with minor modifications OpenPGP can still be used safely. And having a future OpenPGP standard with proper authenticated encryption is definitely possible. For S/MIME the situation is much more dire and it's probably best to just give up on it. It was never a good idea in the first place to have competing standards for e-mail encryption.

    For other crypto protocols there's a lesson to be learned as well: Stop using unauthenticated encryption modes. If anything efail should make that abundantly clear.
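    The malleability the efail write-up refers to, shown as an added example that is not part of the quoted article: a CFB-mode ciphertext (the mode OpenPGP uses) is edited without the key so that the decrypted amount changes while the mode itself raises no alarm, and the same edit is rejected once an encrypt-then-MAC tag covers IV and ciphertext. The block cipher is a stand-in PRF built from HMAC-SHA256 so the code runs on the standard library alone; since CFB only ever calls the cipher in the forward direction, the observed behaviour (the edited block changes as intended, the following block is scrambled) is the same as with real AES-CFB. All keys, the IV and the message are constructed for the demo.

```python
# Added example: CFB malleability versus an authenticated wrapper.
# The block "cipher" is an HMAC-SHA256 PRF stand-in; keys/IV/message are constructed.
import hashlib
import hmac

BLOCK = 16

def _prf(key: bytes, block: bytes) -> bytes:
    # Stand-in for one block-cipher call E_k(block), truncated to the block size.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_i = P_i XOR E_k(C_{i-1}), with C_0 = IV.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = _xor(plaintext[i:i + BLOCK], _prf(key, prev))
        out.append(c)
        prev = c
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_i = C_i XOR E_k(C_{i-1}): a flipped bit in C_i flips the same bit in P_i
    # and scrambles all of P_{i+1}, but nothing in the mode notices the change.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(c, _prf(key, prev)))
        prev = c
    return b"".join(out)

def rewrite_without_key(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Whoever knows (or guesses) the plaintext bytes `old` at `offset` can turn
    # them into `new` by XORing old^new into the ciphertext. No key is needed.
    patch = _xor(old, new)
    end = offset + len(patch)
    return ciphertext[:offset] + _xor(ciphertext[offset:end], patch) + ciphertext[end:]

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so any edit is caught.
    ct = cfb_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return None  # reject outright; never hand tampered plaintext to a mail client
    return cfb_decrypt(enc_key, iv, ct)

def demo() -> dict:
    # Constructed keys, IV and message, fixed so the outcome is reproducible.
    enc_key = hashlib.sha256(b"constructed demo enc key").digest()
    mac_key = hashlib.sha256(b"constructed demo mac key").digest()
    iv = bytes(range(BLOCK))
    msg = b"Amount: 00100EUR" + b"Recipient: Alice"  # two full 16-byte blocks

    ct = cfb_encrypt(enc_key, iv, msg)
    forged = rewrite_without_key(ct, 8, b"00100", b"99999")
    blob = seal(enc_key, mac_key, iv, msg)
    forged_blob = blob[:BLOCK] + rewrite_without_key(blob[BLOCK:-32], 8, b"00100", b"99999") + blob[-32:]
    return {
        "roundtrip": cfb_decrypt(enc_key, iv, ct),
        "unauthenticated": cfb_decrypt(enc_key, iv, forged),          # accepted, amount edited
        "authenticated": open_sealed(enc_key, mac_key, forged_blob),  # None: tag mismatch
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16}: {value!r}")
```

The second block of the unauthenticated result comes out as garbage, which is why a client that renders partial plaintext (as the efail attacks relied on) is exactly the wrong consumer for an unauthenticated mode.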

  • Comcast Leaked Customer Wi-Fi Logins in Plaintext, Change Your Passcode Now

    A Comcast Xfinity website was leaking Wi-Fi names and passwords, meaning now is a good time to change your Wi-Fi passcode.

    The site, intended to help new customers set up new routers, could easily be fooled into revealing the location of and password for any customer’s Wi-Fi network. A customer ID and a house or apartment number was all would-be attackers needed to get full access to your network, along with your full address.

  • Update Fedora Linux using terminal for latest software patches
  • Patch for New Spectre-Like CPU Bug Could Affect Your Performance
  • container_t versus svirt_lxc_net_t