Security

Security: Hospital With Windows, Reproducible Builds, Intel, Transmission and More

Filed under
Security
  • Hospital [sic] sent offline as hackers infect systems with ransomware, demand payment [iophk: "Windows"]
  • Reproducible Builds: Weekly report #142
  • Spectre and Meltdown patches causing trouble as realistic attacks get closer

    Applications, operating systems, and firmware all need to be updated to defeat Meltdown and protect against Spectre, two attacks that exploit features of high-performance processors to leak information and undermine system security. The computing industry has been scrambling to respond after news of the problem broke early a few days into the new year.

    But that patching is proving problematic. The Meltdown protection is revealing bugs or otherwise undesirable behavior in various drivers, and Intel is currently recommending that people cease installing a microcode update it issued to help tackle the Spectre problem. This comes as researchers are digging into the papers describing the issues and getting closer to weaponizing the research to turn it into a practical attack. With the bad guys sure to be doing the same, real-world attacks using this research are sure to follow soon.

  • Finnish firm detects new Intel security flaw

    A new security flaw has been found in Intel hardware which could enable hackers to access corporate laptops remotely, Finnish cybersecurity specialist F-Secure said on Friday.

    F-Secure said in a statement that the flaw had nothing to do with the "Spectre" and "Meltdown" vulnerabilities recently found in the micro-chips that are used in almost all computers, tablets and smartphones today.

    Rather, it was an issue within Intel Active Management Technology (AMT), "which is commonly found in most corporate laptops, (and) allows an attacker to take complete control over a user's device in a matter of seconds," the cybersecurity firm said.

  • What is RubyMiner? New malware found targeting Windows and Linux servers to mine cryptocurrency
  • BitTorrent flaw could let hackers take control of Windows, Linux PCs

    According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarily ignore.

  • BitTorrent critical flaw allows hackers to remotely control users' computers

    A critical flaw in the popular Transmission BitTorrent app could allow hackers to remotely control users' computers. The flaw, uncovered by Google Project Zero security researchers, allows websites to execute malicious code on users' devices. Researchers also warned that BitTorrent clients could be susceptible to attacks as well if the flaw is leveraged.

Security: Purism, Intel, Wi-Fi, iOS

Filed under
Security
  • Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops

    Purism has released a patch for Meltdown (CVE-2017-5754, aka variant 3) as part of PureOS, and includes this latest PureOS image as part of all new Librem laptop shipments. Purism is also providing a microcode update for Intel processors to address Spectre variant 2 (CVE-2017-5715).

  • Intel Fumbles Its Patch for Chip Flaw

    Intel is quietly advising some customers to hold off installing patches that address new security flaws affecting virtually all of its processors. It turns out the patches had bugs of their own.

  • Wi-Fi Alliance announces WPA3 to secure modern networks

    The Consumer Electronics Show (CES) is an odd place to announce an enterprise product, but the Wi-Fi Alliance used the massive trade show — which has more or less taken over where Comdex left off — to announce a major upgrade to Wi-Fi security.

    The alliance announced the Wi-Fi Protected Access 3 (WPA3), a new standard of Wi-Fi security that greatly increases the security capabilities of the wireless standard. WPA2, which is the current standard in wireless security, has been around for 14 years, so this is way overdue.

  • More iOS 11 Jailbreak Tweaks Could Be Released by the Weekend

    The Electra jailbreak tool is better than LiberiOS because it comes with Substitute. This is the alternative to Cydia Substrate that was first developed by Comex. This would allow users to install and use jailbreak tweaks compatible with iOS 11.

Security: Updates, Secure Contexts, RubyMiner, ZAP, Transmission, AMD

Filed under
Security
  • Security updates for Monday
  • Secure Contexts Everywhere

    Since Let’s Encrypt launched, the Secure Contexts specification has become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features on insecure contexts. All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP.

  • Linux and Windows Servers Targeted with RubyMiner Malware

    Security researchers have spotted a new strain of malware being deployed online. Named RubyMiner, this malware is a cryptocurrency miner spotted going after outdated web servers.

    According to research published by Check Point and Certego, and information received by Bleeping Computer from Ixia, attacks started on January 9-10, last week.

  • Virtual currency miners target web servers with malware
  • ZAP provides automated security tests in continuous integration pipelines

    Commonly, a mixture of open source and expensive proprietary tools are shoehorned into a pipeline to perform tests on nightly as well as ad hoc builds. However, anyone who has used such tests soon realizes that the maturity of a smaller number of time-honored tests is sometimes much more valuable than the extra detail you get by shoehorning too many tests into the pipe then waiting three hours for a nightly build to complete. The maturity of your battle-hardened tests is key.

  • BitTorrent users beware: Flaw lets hackers control your computer

    There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

    [...]

    Among the things an attacker can do is change the Torrent download directory to the user's home directory. The attacker could then command Transmission to download a Torrent called ".bashrc" which would automatically be executed the next time the user opened a bash shell. Attackers could also remotely reconfigure Transmission to run any command of their choosing after a download has completed. Ormandy said the exploit is of "relatively low complexity, which is why I'm eager to make sure everyone is patched."

  • AMD Releases Linux and Windows Patches for Two Variants of Spectre Vulnerability

    AMD has published a press announcement on Thursday to inform its customers that it released patches for two variants of the Spectre security vulnerability disclosed to the public earlier this month.

  • 'Shift Left': Codifying Intuition into Secure DevOps

    Continuous delivery (CD) is becoming the cornerstone of modern software development, enabling organizations to ship — in small increments — new features and functionality to customers faster to meet market demands. CD is achieved by applying DevOps practices and principles (continuous integration and continuous deployment) from development to operations. There is no continuous delivery without implementing DevOps practices and principles. By that, I mean strong communication and collaboration across teams, and automation across testing, build, and deployment pipelines. But often achieving continuous delivery to meet market demands presents numerous challenges for security.
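The Transmission items in this section and the first one describe a DNS rebinding attack: a web page makes the victim's own browser send requests to the RPC port 9091 on 127.0.0.1, while the browser's Host header still carries the attacker's domain because Host is filled from the URL the page asked for. The check below is an added example of the standard mitigation, written for this page and not taken from Transmission or Project Zero. It assumes a hypothetical localhost-only HTTP RPC service and a trusted-host set of localhost, 127.0.0.1 and ::1; both are assumptions to adjust for a real deployment.

```python
"""Host-header allowlist for a localhost-only HTTP RPC service.

Added example; not code from Transmission or Project Zero. A browser that has
been tricked by DNS rebinding connects to 127.0.0.1:9091, but its Host header
still carries the attacker's hostname, because the browser fills Host from
the URL it was asked to load. Checking Host against the names this service is
legitimately reachable under rejects such requests before any RPC method runs.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

RPC_PORT = 9091  # port named in the article
# Assumption: the service is only ever addressed as itself on loopback.
TRUSTED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def host_is_trusted(host_header, trusted=TRUSTED_HOSTS, port=RPC_PORT):
    """Return True only when Host names this service (optionally with its port).

    Accepts 'localhost', 'localhost:9091', '127.0.0.1:9091' and '[::1]:9091'.
    Rejects a missing header, a different port, a bare unbracketed IPv6
    literal, and any name outside the allowlist, even one that DNS currently
    resolves to 127.0.0.1 (which is exactly what rebinding arranges).
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                     # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            return False
        name, rest = host[1:end], host[end + 1:]
    else:
        name, sep, rest = host.partition(":")
        if ":" in rest:                          # second colon: bare IPv6, invalid here
            return False
        rest = sep + rest
    if rest:                                     # optional ':port' suffix
        if rest[0] != ":" or not rest[1:].isdigit() or int(rest[1:]) != port:
            return False
    return name in trusted


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal RPC front door; every request is gated by the Host check."""

    def do_POST(self):
        if not host_is_trusted(self.headers.get("Host")):
            # 421 Misdirected Request: this request was not meant for us.
            self.send_error(421, "Host header not allowed")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"result":"success"}')

    do_GET = do_POST


if __name__ == "__main__":
    # Listening on loopback alone does not stop rebinding: the victim's own
    # browser is the client. The Host check above is what closes the hole.
    HTTPServer(("127.0.0.1", RPC_PORT), RpcHandler).serve_forever()
```

Binding to 127.0.0.1 is not a defence here, since the connection really does come from the local machine; the Host header is the one thing the rebinding page cannot forge from a browser, which is why checking it works. A per-session token that every RPC call must echo back is the usual complementary control.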

Security: Patching of GNU/Linux Distros

Filed under
GNU
Linux
Security

Security: Meltdown and Spectre, GPG and SSH, Mageia Updates

Filed under
Security
  • Beware! Fake Spectre & Meltdown Patches Are Infecting PCs With “Smoke Loader” Malware [Ed: Welcome to Microsoft Windows]

    One of the most common tactics employed by notorious cybercriminals involves taking advantage of the popular trends and creating fraudulent websites/apps to trick users. It looks like some of the players have tried to exploit the confusion surrounding Meltdown and Spectre CPU bugs.

    Forget buggy updates which are causing numerous problems to the users, Malwarebytes has spotted a fake update package that installs malware on your computer. The firm has identified a new domain that’s full of material on how Meltdown and Spectre affect CPUs.

    [...]

    The fake file in the archive is Intel-AMD-SecurityPatch-10-1-v1.exe.

  • An update on ongoing Meltdown and Spectre work

    Last week, a series of critical vulnerabilities called Spectre and Meltdown were announced. Because of the nature of these issues, the solutions are complex and require fixing delicate code. The fixes for Meltdown are mostly underway. The Meltdown fix for x86 is KPTI. KPTI has been merged into the mainline Linux tree and many stable trees, including the ones Fedora uses. Fixes for other arches are close to being done and should be available soon. Fixing Spectre is more difficult and requires fixes across multiple areas.

    Similarly to Meltdown, Spectre takes advantage of speculation done by CPUs. Part of the fix for Spectre is disallowing the CPU to speculate in particular vulnerable sequences. One solution developed by Google and others is to introduce “retpolines” which do not allow speculation. A sequence of code that might allow dangerous speculation is replaced with a “retpoline” which will not speculate. The difficult part of this solution is that the compiler needs to be aware of where to place a retpoline. This means a complete solution involves the compiler as well.

  • CPU microcode update code for amd64
  • Using a Yubikey for GPG and SSH
  • Inspect curl’s TLS traffic

    Since a long time back, the venerable network analyzer tool Wireshark (screenshot above) has provided a way to decrypt and inspect TLS traffic when sent and received by Firefox and Chrome.

  • Mageia Weekly Roundup 2018 – Week 2

    The year is definitely under way, with an astonishing 412 packages coming through commits – mostly for cauldron, but a few are the last remaining updates for Mageia 5, as well as important security updates for Mageia 6.

    Among those updates are all the kernel and microcode updates – our thanks to tmb and our untiring devs for these – to begin hitting Meltdown and Spectre on the head.

    A big hand for the upstream kernel team, as well as our own packagers, QA testers and everyone else that was involved in getting this tested and released.

Linspire, Freespire and Black Lab Enterprise Linux Patched

Filed under
GNU
Linux
Security
  • Linspire 7.0.1 and Freespire 3.0.1 Released - Meltdown and Spectre fix

    This morning we have released Linspire 7.0.1 and Freespire 3.0.1. With this release we have addressed the Meltdown and Spectre vulnerabilities in Intel Processors. We have included no new features.

  • Black Lab Enterprise Linux 11.51 Released - Meltdown and Spectre Fix

    Today we have released Black Lab Enterprise Linux 11.51. This release addresses the Meltdown and Spectre vulnerabilities in Intel Processors. We have included no new features. To apply the fix simply run your system updater and the fix will be applied.

    This update has been thoroughly tested and does not cause any issues or malfunctions.

  • At CES, Spectre haunted tech executives in public and private meetings

    Despite being drenched and briefly thrust into darkness, the largest annoyance for many top tech executives at CES was the shadow of Spectre.

    The world’s largest electronics show immediately careened toward the twin maladies dubbed Spectre and Meltdown, potentially exploitable weaknesses in the brains of PCs and servers world-wide.

Benchmarking Ubuntu's Low-Latency Kernel & Liquorix Post-Meltdown

Filed under
Graphics/Benchmarks
Security
Ubuntu

The Ubuntu low-latency kernel is designed for, well, low-latency workloads like audio processing/recording. Compared to the generic Linux x86_64 kernel, the lowlatency kernel enables IRQ_FORCED_THREADING_DEFAULT, disables TREE_RCU in favor of PREEMPT_RCU, disables OPTPROBES, enables UNINLINE_SPIN_UNLOCK while disabling the INLINE_*_UNLOCK tunables, enables PREEMPT support, changes to a 1000Hz tick from 250Hz, and enables LATENCYTOP support.

The Liquorix kernel continues to be the more distinctive of the two; among its alterations compared to a generic kernel are Zen interactive tuning, use of the MuQSS process scheduler, hard kernel preemption, the BFQ I/O scheduler by default, network optimizations, and more as outlined at Liquorix.net. Liquorix also defaults to CPUFreq on Intel CPUs and uses the ondemand governor, whereas the other tested kernels default to P_State powersave.

The kernels benchmarked for these tests were 4.13.0-25-generic (the current default Ubuntu 17.10 kernel, patched with KPTI), 4.14.13-041413-generic as the latest upstream stable kernel from the Ubuntu Mainline Kernel PPA, 4.14.13-041413-lowlatency as the equivalent low-latency Ubuntu kernel, and 4.14.0-13.1-liquorix as the latest Liquorix kernel from its Launchpad PPA. All of these kernels had KPTI protection present and enabled; none of them currently has the (still out-of-tree) Retpoline support.
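The benchmark text states that every tested kernel had KPTI present and enabled and that none had Retpoline support. The script below is an added example, not from Phoronix or the kernel tree, showing how to read that status from the kernel itself: Linux 4.15 (and the stable backports that followed) exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/, and KPTI-patched kernels also advertise a pti flag in /proc/cpuinfo, which serves as a fallback on kernels that predate the sysfs interface. The sample file contents embedded in it are constructed to show the three status classes, not captured from any of the kernels in the article.

```python
"""Report the kernel's own view of Meltdown/Spectre mitigation status.

Added example, not from the Phoronix article or the kernel sources. Each file
under /sys/devices/system/cpu/vulnerabilities/ holds one line such as
"Mitigation: PTI", "Vulnerable", "Vulnerable: <partial measure>" or
"Not affected". Kernels carrying KPTI without that interface still show a
"pti" entry in the flags line of /proc/cpuinfo.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(line):
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown.

    A line starting "Vulnerable:" (for example a minimal retpoline installed
    without compiler support) is still vulnerable; only "Mitigation:" counts.
    """
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(files):
    """files maps issue name -> file contents; returns issue -> (status, raw line)."""
    return {issue: (classify(files.get(issue, "")), files.get(issue, "").strip())
            for issue in ISSUES}


def cpuinfo_has_pti(cpuinfo_text):
    """Fallback check: True when the first 'flags' line lists the pti feature."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return "pti" in value.split()
    return False


def read_live():
    """Read the real sysfs files; returns {} when the interface is absent."""
    out = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(VULN_DIR, issue)) as fh:
                out[issue] = fh.read()
        except OSError:
            pass
    return out


# Constructed sample: a kernel with KPTI in place but only a partial
# retpoline, so that all three classes appear.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}
# Constructed /proc/cpuinfo fragment with the pti flag present.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse pti\n"

if __name__ == "__main__":
    live = read_live()
    source = live if live else SAMPLE
    print("source:", "sysfs" if live else "constructed sample")
    for issue, (state, detail) in summarize(source).items():
        print(f"{issue:10s} {state:12s} {detail}")
```

Run on a kernel from this era, "Mitigation: PTI" under meltdown confirms what the article calls KPTI present and enabled, while anything other than a "Mitigation:" line under spectre_v2 is what a kernel without working Retpoline support reports.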

Also: Ubuntu 17.10.1 ISOs available with corrupting BIOS fix

Security: KPTI, Kaspersky, FUD, and Yet More Promises From WPA

Filed under
Security
  • KPTI Support For 64-bit ARM Getting Buttoned Up Ahead Of Linux 4.16

    Kernel Page Table Isolation (KPTI) landed at the start of the year for x86/x86_64 systems for fending off the much talked about CPU attacks while the AMD64 / 64-bit ARM code is still a work-in-progress but looks like it will be squared away for the upcoming Linux 4.16 kernel cycle.

    There is this Git branch and the base work for those wishing to track the last minute alterations. It currently carries the latest KPTI page table isolation patches for ARM64, and they include a return trampoline, a new HARDEN_BRANCH_PREDICTOR Kconfig switch, branch predictor hardening for Falkor and Cortex-A CPUs, and other security hardening improvements.

  • 'Very high level of confidence' Russia used Kaspersky software for devastating NSA leaks

    Three months after U.S. officials asserted that Russian intelligence used popular antivirus company Kaspersky to steal U.S. classified information, there are indications that the alleged espionage is related to a public campaign of highly damaging NSA leaks by a mysterious group called the Shadow Brokers.

    “That’s a Russian intelligence operation,” a former senior intelligence official, who requested anonymity to speak bluntly, told Yahoo Finance. “They’ve gotten a lot noisier than they used to be.”

  • FOSS Community Struggles to Patch Against Spectre, Meltdown Flaws [Ed: Unlike what? The proprietary software 'community'? Microsoft is bricking Windows-running PCs.]

    Many in the open source community worked feverishly this week to respond to heightened fears that software updates to fix the Spectre and Meltdown vulnerabilities would put millions of computers at risk of slowdowns or even total disability.

  • WPA3 – The Promise of Security

More Intel Catastrophes and Bricking of PCs Due to Intel's UEFI

Filed under
Hardware
Security

Intel is Full of Holes

Filed under
Hardware
Security
  • A Security Issue in Intel’s Active Management Technology (AMT)
  • Backdoor In 30 Seconds: New Major AMT Security Flaw Is Here To Haunt Intel Laptops
  • Meltdown and Spectre FAQ: Crapification at Scale

    Yesterday, Yves posted a “primer on Meltdown and Spectre”, which included several explanations of the two bugs from different viewpoints; if you feel you don’t have a handle on them, please review it. Today, I want to give an overview of the two bugs. I will dig into the details of these two bugs in the form of a FAQ, and then I’ll open a discussion of the larger business and political economy issues raised in the form of a MetaFAQ. First, I should make one point: Meltdown is a bug; Spectre is a class of bugs (or, if you prefer, a strategy).

    [...]

    What Are The Costs of the Meltdown and Spectre Bugs?

    A few billions.

  • Fixing Chipmageddon Will Slow Down Older Computers

    Microsoft has come out and said it: cures for the pervasive chip flaws Meltdown and Spectre are likely to dent the performance of your PC if it’s a few years old.

  • Intel needs to come clean about Meltdown and Spectre

    Intel hasn’t had the best of times recently. Meltdown and Spectre security flaws have helped reveal fundamental issues with processor designs over the past 20 years, and the software updates to protect PCs will have performance impacts. Even as I write this, it’s still not clear to anyone exactly how bad these performance impacts will be for older desktop systems, or how significant they’ll be to server-based cloud platforms. It’s all a bit of a mess, and Intel hasn’t helped with its lack of transparency. It’s time for Intel to stop hiding behind cleverly worded statements.

  • Intel details performance hit for Meltdown fix on affected processors
  • Keeping Spectre secret

    When Graz University of Technology researcher Michael Schwarz first reached out to Intel, he thought he was about to ruin the company’s day. He had found a problem with their chips, together with his colleagues Daniel Gruss, Moritz Lipp, and Stefan Mangard. The vulnerability was both profound and immediately exploitable. His team finished the exploit on December 3rd, a Sunday afternoon. Realizing the gravity of what they’d found, they emailed Intel immediately.

  • Intel's telling some customers to avoid its fix for the Spectre and Meltdown attacks — because of a big bug
  • Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...

    The security of mobile apps that tie in with Supervisory Control and Data Acquisition (SCADA) systems has deteriorated over the last two-and-a-half years, according to new research.

    A team of boffins from IOActive and IoT security startup Embedi said they had discovered 147 vulnerabilities in 34 of the most popular Android mobile apps for SCADA systems.

    Mobile applications are increasingly being used in conjunction with SCADA systems. The researchers warned these apps are "riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems".

More in Tux Machines

Command Line Heroes Launched

  • Red Hat launches new podcast series, Command Line Heroes
    Technology has become so integrated into our daily lives that it can be easy to take it for granted. But we’ve only gotten to where we are today because of the command line heroes that shaped the industry - and continue to do so. Command line hero. What does that really mean? To us it’s the developers, programmers, hackers, geeks and open source rebels - the people who are on the front line, transforming technology from the command line up. The biggest technology advancements and innovations didn’t happen by accident. They were made possible through the passion, creativity and persistence of technologists around the world.
  • Command Line Heroes
    I’ve been looking forward to this for quite a while, ever since it was announced: today, the first two episodes of Command Line Heroes were published. Command Line Heroes, or CLH for short, is a series of podcasts that tells the stories of open source. It’s hosted by Saron Yitbarek, of CodeNewbie fame, and sponsored by Red Hat.

NethServer, Red Hat, and Fedora

  • Why building a community is worth the extra effort
    Building the NethServer community was risky. But we've learned so much about the power of working with passionate people.
  • Risk Malaise Alert in Option Market: Red Hat Inc Implied Price Swing Hits A Deteriorated Level
  • Red Hat (NYSE:RHT) Receives “Neutral” Rating from Credit Suisse Group
  • Sit Investment Associates Inc. Takes $1.22 Million Position in Red Hat Inc (RHT)
  • Fixing flatpak startup times
    A lot of people have noticed that flatpak apps sometimes start very slowly. Upon closer inspection you notice this only happens the first time you run the application. Still, it gives a very poor first time impression. So, what is causing this, and can we fix it? The short answer to this is font-cache generation, and yes, I landed a fix today. For the longer version we have to take a detour into how flatpak and fontconfig works.
  • Fedora 28 wallpaper contest now open -- submit your image to the Linux distro!
    One of the first things I do after installing a new Linux distribution is set a different wallpaper. Why? Desktop pictures really inspire me -- my mood can be positively altered by a beautiful image. The default wallpaper is often boring. For the most part, I prefer images of nature with bright colors. After all, if I am stuck indoors working on my computer, a wallpaper of the beach, mountains, or a colorful bird, for instance, can transport me to the outdoors -- in my mind. Sadly, not every distro has beautiful high-quality images. Fedora, however, often does -- thanks to its "supplemental" wallpapers. What is particularly cool about that operating system is that it regularly accepts wallpaper submissions from the community as part of a contest. In other words, anybody can potentially contribute to a new version of the distro by simply uploading a photo, drawing, or other picture. Fedora 28 is the upcoming version of the OS, and the developers are now calling for wallpaper submissions for it. Will you submit an entry to the contest?

OSS Leftovers

  • Google's Kelsey Hightower talks Kubernetes and community
    Google developer advocate Kelsey Hightower says that he always figured that the (now wildly successful) Kubernetes container orchestration platform "would get big on its own at some point." He shared some of the reasons he sees for Kubernetes' success in a podcast recorded in December at CloudNativeCon in Austin. The first is that Kubernetes is an effective platform on which to do other things. It provides "better primitives than I had before" as Hightower puts it. At the same time, he says that this is something people misunderstand about Kubernetes. "It's not the end game," he says. Rather, at some point, it increasingly becomes "the new platform for building other platforms."
  • A FOSS Year Resolution
    It’s that time of year again. The time when some people are taking a long hard look at their lives and trying to decide what they want to change about themselves over the course of the next year. Some of us want to lose weight, or exercise more, or spend more time with our kids. The trouble is only about 9% of these resolutions actually happen.
  • Do not limit yourself
    The motto of Learn yourself, teach others is still very strong among us. We try to break any such stupid limits others try to force on our lives. We dream, we try to enjoy talking about that book someone just finished. We discuss our favorite food. I will end this post saying one thing again. Do not bind yourself in some non-existing limits. Always remember, What a great teacher, failure is (I hope I quoted Master Yoda properly). Not everything we will try in life will be a super successful thing, but we can always try to learn from those incidents. You don’t have to bow down in front of anyone, you can do things you love in your life without asking for others’ permissions.
  • Benjamin Mako Hill: OpenSym 2017 Program Postmortem
    The International Symposium on Open Collaboration (OpenSym, formerly WikiSym) is the premier academic venue exclusively focused on scholarly research into open collaboration. OpenSym is an ACM conference which means that, like conferences in computer science, it’s really more like a journal that gets published once a year than it is like most social science conferences. The “journal”, in this case, is called the Proceedings of the International Symposium on Open Collaboration and it consists of final copies of papers which are typically also presented at the conference. Like journal articles, papers that are published in the proceedings are not typically published elsewhere.
  • NVDA and Firefox 58 – The team is regaining strength
    A week before the Firefox 57 “Quantum” release in November, I published an article detailing some bits to be aware of when using Firefox and the NVDA screen reader together. In Firefox 58, due on January 23, 2018, the reliable team is regaining strength in playing well together and offering you good and fast web accessibility. After the Firefox 57 release, due to many changes under the hood, NVDA and Firefox temporarily lapsed in performance. Statistics quickly showed that about two thirds of the NVDA user base stayed with us despite this. So to all of you who stuck with us on this difficult release: Thank you! Many of the others moved to the extended support release of Firefox 52. Thank you to those of you as well, you decided to stick with Firefox! Also, statistics show that barely any of those of you who stuck with 57 decided to turn off multi-process Firefox, but instead used the new technology, and some of you even reported problems to us.
  • Retpoline-enabled GCC
    There will be upstream backports at least to GCC 7, but probably pretty far back (I've seen people talk about all the way to 4.3). So you won't have to run my crappy home-grown build for very long—it's a temporary measure. :-) Oh, and it made Stockfish 3% faster than with GCC 6.3! Hooray.
  • Payara Services to Embed Secure, Stable Open Source Java Runtime from Azul Systems: Payara Server 2018 Update Includes Azul Zulu Enterprise Builds of OpenJDK
  • Eclipse Che – A Next-Generation Cloud IDE and Workspace Server
    We have a couple of posts on developer workspaces and cloud IDEs but in my opinion, none of them has the combined features of beauty, flexibility, and efficiency while being free. That is why it is with great pleasure that I introduce to you the (arguably) best cloud-based IDE you will ever need, Eclipse Che. Eclipse Che is a beautiful and customizable open-source developer workspace and cloud Integrated Development Environment.
