Security: FUD, Patches, and Misconfigured Servers

  • Hackers exploit old flaw to turn Linux servers into cryptocurrency miners [Ed: Neglect it relies on means GNU/Linux is not at all the issue here]
  • Security updates for Thursday
  • Security updates for Friday
  • Dealing with network hackers in 1995

    Going back to early 1995, I was working for Los Alamos National Labs as a contractor systems administrator. I didn't have a security clearance, so I could not work 'behind the fence', as they said. Instead, I worked with a large number of similarly uncleared post-docs, graduate students, and college interns in a strip mall converted into offices. The offices ran from nearly one end of the strip mall to the other, with a large selection of Unix, PC, and Mac systems spread through the building, connected together with 10BASE2 (or thin-wire). To make things even more fun, most of the systems were disk-less SunOS Sparc ELC/SLC and IPC systems booting off a Sparc 10 which had 64 MB of RAM and, I think, two 2 GB disk drives.

    The first problem I had to deal with was that most of the systems would crash at different times during the day. I got a Digital network book my Dad had given me, and learned about common problems with networking, as this was not something I had dealt with before. I found that the local network was connected to a T1 which ran back to the main campus about 2 miles away. The T1 went to a hub which had 7 thin-wire lines running out of it. That seemed fine until I traced the thin-wire out. I was worried there were bad connectors (there were) or kinks in the line (there were), but the real problem was that out of the 7 thin-wire lines, 3 were used. Most of the systems were on one line. Two (my desktop and the Sparc 10) were on another one, and the NeXT and SGIs were on the third. The other lines were just lying under the carpets, not used. I met with my new boss Dale, and showed him what I had found. I learned a lot from Dale. He got me a copy of the Unix System Administrators Handbook and told me to start reading it on networks.

  • How “Hacker Search Engine” Shodan Caught Leakage of 750MB Worth Of Server Passwords

    Remember Memcached servers? Now, we have another case of servers exposed online and fulfilling evil intentions of the hackers. This time, thousands of etcd servers maintained by corporates and organizations are spitting sensitive passwords and encrypted keys, allowing anyone to get access to important data.

    Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys.

  • The security footgun in etcd

    From an application security perspective, databases are the most valuable parts of our systems. They store the data that gives value to our apps and companies. This data, which has been entrusted to us by our users, should be kept safe and away from the hands of criminals.

  • Thousands of servers found leaking 750MB worth of passwords and keys

    Thousands of servers operated by businesses and other organizations are openly sharing credentials that may allow anyone on the Internet to log in and read or modify potentially sensitive data stored online.

    In a blog post published late last week, researcher Giovanni Collazo said a quick query on the Shodan search engine returned almost 2,300 Internet-exposed servers running etcd, a type of database that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. etcd comes with a programming interface that responds to simple queries that by default return administrative login credentials without first requiring authentication. The passwords, encryption keys, and other forms of credentials are used to access MySQL and PostgreSQL databases, content management systems, and other types of production servers.

The Kernel Self-Protection project aims to make Linux more secure


Security vulnerabilities in the kernel often remain undetected. The kernel hacker initiative, Kernel Self-Protection, promotes safe programming techniques to keep attackers off the network, and, if they do slip through the net, mitigate the consequences.

Any Black Hat who finds a previously unknown vulnerability in the Linux kernel has hit the jackpot. Potentially millions of servers and embedded devices are suddenly open to attack, and the attacker can usually gain root privileges. Users clearly don't want this to happen, and kernel makers try to prevent such events.


Security: AMD, Slingshot, Voting and Cryptocurrencies


Security: Syzbot, FOSS Updates, and AMD


Security Leftovers


  • 7 Questions to Ask About Your DevSecOps Program
  • Developers Are Ethical But Not Responsible?

    Ask a person if he or she is a racist and the answer is almost always no. Ask a developer if they consider ethical considerations when writing code and only six percent say no. If everyone acted the way they self-report, then there would be peace and love throughout the world.

    Based on over a hundred thousand respondents, StackOverflow’s Developer Survey 2018 presents a more complicated reality. If they were asked to write code for an unethical purpose, 59 percent would say no, but another 37 percent of developers were non-committal about whether they would comply. In another question, only about 5 percent said they would definitely not report unethical problems with code. But sounding the alarm is about as far as most people will go.

  • Cloud Security: 10 Top Tips
  • Group Policy Objects (GPOs) for Linux®

Security: Updates, Synopsys/Black Duck FUD, and Software Security Over Convenience

  • Security updates for Tuesday
  • With Much of the Data Center Stack Open Source, Security is a Special Challenge [Ed: Black Duck attacking FOSS again in order to sell its proprietary products; does proprietary software have no security issues? Which cannot be fixed, either?]
  • Synopsys reveals its open-source rookies of the year [Ed: Anti-FOSS company Black Duck, which markets its proprietary software by attacking FOSS (it admitted being anti-GPL since inception, created by Microsoft employee), wants the public to think of it as a FOSS authority]
  • Software security over convenience

    Recently I got inspired (paranoid?) by my boss, who cares a lot about software security. Previously, I had almost the same password on all the websites I used, and I had them synced to Google servers (I was a Chrome user), but once I started taking software security seriously, I knew the biggest mistake I was making was to have a single password everywhere, so I went one step forward and set randomly generated passwords on all online accounts and stored them in a keystore.

Security: Intel, Editors and Windows in Critical Systems

  • diff -u: Intel Design Flaw Fallout

    Linux patches for these issues are in a state of ongoing development. Security is always the first priority, at the expense of any other feature. Next would probably be the general speed of a running system for the average user. After that, the developers might begin piecing together any features that had been pulled as part of the initial security fix.

    But while this effort goes on, the kernel developers seem fairly angry at Intel, especially when they feel that Intel is not doing enough to fix the problems in future processors.

    In response to one set of patches, for example, Linus Torvalds burst out with, "All of this is pure garbage. Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking insane?" He went on, "the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation. Honestly, that's completely unacceptable."

  • Hackers Can Abuse Plugins for Popular Unix Text Editors to Escalate Privileges

    Advanced Unix text editors offer extensibility by allowing users to install third-party plugins for ease of use and to enhance the editors' functionality.

    Server administrators often run text editors with elevated privileges (“sudo gedit”) to edit root-owned configuration files. If the text editor contains a vulnerable third-party plugin, it enlarges the attack surface.

  • House approves legislation to authorize Homeland Security cyber teams

    House lawmakers on Monday passed legislation that would codify into law the Department of Homeland Security’s cyber incident response teams that help protect federal networks and critical infrastructure from cyberattacks.

Security: Endgame, Updates, antiX, Fedora and SELinux

  • Endgame Launches Open-Source Initiative to Drive Adoption of MITRE ATT&CK™, the Best Model of Attacker Behavior

    Endgame, the leader in unified endpoint protection against targeted attacks, today announced it released a set of open-source tools that allow enterprises to test defenses against modern attacker behaviors. These tools, called red team automation (RTA), directly map to MITRE's ATT&CK™ matrix, the most comprehensive framework for attacker techniques and tactics. Security teams that lack sufficient time and resources will now have the ability to measure protection capabilities beyond malware-based attacks.

  • Security updates for Monday
  • Security updates for Friday
  • Debian-Based antiX Linux OS Receives New Kernel Patches for Meltdown and Spectre

    The first point release of the Debian-based antiX 17 "Heather Heyer" operating system series arrived this past weekend with a new kernel patched against the Meltdown and Spectre security flaws, as well as the latest software versions.

    antiX 17.1 (Heather Heyer) is now available, powered by the Linux 4.9.87 LTS kernel patched against the Meltdown and Spectre security vulnerabilities unearthed in January 2018 and discovered to put billions of devices at risk of attacks. This protects new antiX installations against this type of attack.

    Based on the latest Debian GNU/Linux 9.4 "Stretch" operating system, antiX 17.1 comes with up-to-date packages from its software repositories, including the LibreOffice 5.2.7 office suite and Mozilla Firefox 52.7.1 ESR web browser. Additionally, this release comes with eudev 3.5 and latest xf86-video-sisimedia-antix release.

  • Update on the Meltdown & Spectre vulnerabilities

    January saw the announcement of a series of critical vulnerabilities called Spectre and Meltdown. The nature of these issues meant the solutions were complex and required fixing delicate code. The initial fix for Meltdown on x86 was KPTI, which was available almost immediately. Developing mitigations for Spectre was more complex. Other architectures had to look at their vulnerability status as well, and get mitigation in where it was needed. As a bit of time has passed, what is the exposure on Fedora now?

  • SELinux should and does BLOCK access to Docker socket

AMD And CTS Labs: A Story Of Failed Stock Manipulation


We have attempted to contact Jessica Schaefer from Bevel PR, the listed PR firm on the vulnerability disclosure website, only to be greeted by a full voicemail inbox. We attempted to contact both Bevel PR and CTS Labs by email and inquire about the relationship between CTS and Viceroy, and provided them with ample time to respond. They did not respond to our inquiry.

So, let's look at Viceroy Research. According to MoneyWeb, Viceroy Research is headed by a 44-year-old British citizen and ex-social worker, John Fraser Perring, in conjunction with two 23-year-old Australian citizens, Gabriel Bernarde and Aidan Lau. I wonder which of these guys is so fast at typing. Viceroy Research was the group responsible for the uncovering of the Steinhoff accounting scandal, about which you can read more here.

After successfully taking down Steinhoff, it tried to manufacture controversy around Capitec Bank, a fast-growing South African bank. This time it didn't work out so well. The Capitec stock price dropped shortly and quickly recovered when the South African reserve bank made a statement that Capitec's business is sound. Just a week ago Viceroy attempted to do the same thing with a German company called ProSieben, also with mixed success, and in alleged breach of German securities laws, according to BaFin (similar to the SEC).

Now, it appears it is going after AMD, though it looks to be another unsuccessful attack.

Investor Takeaway

After the announcement of this news, AMD stock generally traded sideways with slight downward movement, not uncommon for AMD in general. Hopefully this article showed you that CTS's report is largely nonsense and a fabrication with perhaps a small kernel of truth hidden somewhere in the middle. If the vulnerabilities are confirmed by AMD, they are likely to be easily fixed by software patches. If you are long AMD, stay long. If you are looking for an entry point, this might be a good opportunity to use this fake news to your advantage. AMD is a company with a bright future if it continues to execute well, and we see it hitting $20 per share by the end of 2018.


Security: Bitwarden, Container Security, Windows at U.S. Power Plants, Firefox’s Weak Master Password Encryption

  • Behind the scenes with the Bitwarden password manager

    Having to remember passwords for web applications, email, banking, and more begat the password manager. And that begat popular proprietary services such as LastPass and 1Password.

    A little over two years ago, software developer Kyle Spearrin decided the open source world needed its own web-based password manager. His company, 8Bit Solutions, develops and markets an open source alternative to services like LastPass and 1Password called Bitwarden.

    Recently I had the opportunity to ask Spearrin some questions about Bitwarden's origins, how it secures user information, where he sees Bitwarden going, and more.

  • Episode 88 - Chat with Chris Rosen from IBM about Container Security
  • Feds: Russian [Crackers] Are Attacking U.S. Power Plants
    The targets of these attacks include the country’s electric grid, including its nuclear power system, as well as “commercial facilities, water, aviation, and critical manufacturing sectors,” the statement said.

    The report is damning confirmation of what has for months been suspected: that [crackers] in Russia are capable of infiltrating and compromising vital systems relied on by millions of Americans. According to the new report, the attacks began at least as early as March 2016, thriving on vulnerabilities in these systems’ online operations.

  • Firefox’s Weak Master Password Encryption Can Be Cracked In Just 1 Minute [Ed: If you have physical/remote access to a machine and an account, then you have a lot more power over it than just a list of passwords]

    You might rest assured after setting a Master Password in the Firefox web browser, but it’s not as secure as you think. Last year, Mozilla did a major overhaul of their browser in the form of Firefox Quantum. But the non-profit forgot to fix the security holes that have existed in their ‘very fast’ web browser for nine years.
