
Security: NPM, IT Security Lessons from the Marriott Data Breach, and Secure SHell

Filed under
Security
  • event-stream, npm, and trust

    Malware inserted into a popular npm package has put some users at risk of losing Bitcoin, which is certainly worrisome. More concerning, though, are the implications of how the malware got into the package—and how the package got distributed. This is not the first time we have seen package-distribution channels exploited, nor will it be the last, but the underlying problem requires more than a technical solution. It is, fundamentally, a social problem: trust.

    Npm is a registry of JavaScript packages, most of which target the Node.js event-driven JavaScript framework. As with many package repositories, npm helps manage dependencies so that picking up a new version of a package will also pick up new versions of its dependencies. Unlike, say, distribution package repositories, however, npm is not curated—anyone can put a module into npm. Normally, a module that wasn't useful would not become popular and would not get included as a dependency of other npm modules. But once a module is popular, it provides a ready path to deliver malware if the maintainer, or someone they delegate to, wants to go that route.

  • IT Security Lessons from the Marriott Data Breach

    A number of data breaches have been disclosed over the course of 2018, but none have been as big or had as much impact as the one disclosed on Nov. 30 by hotel chain Marriott International.

    A staggering 500 million people are at risk as a result of the breach, placing it among the largest breaches of all time, behind Yahoo at 1 billion. While the investigation and full public disclosure into how the breach occurred is still ongoing, there are lots of facts already available, and some lessons for other organizations hoping to avoid the same outcome.

  • The Dark Side of the ForSSHe: Shedding light on OpenSSH backdoors

    SSH, short for Secure SHell, is a network protocol for connecting to computers and devices remotely over an encrypted network link. It is generally used to manage Linux servers through a text-mode console, and it is the most common way for system administrators to manage virtual, cloud, or dedicated rented Linux servers.

    The de facto implementation, bundled in almost all Linux distributions, is the portable version of OpenSSH. A popular method used by attackers to maintain persistence on compromised Linux servers is to backdoor the OpenSSH server and client already installed.


Security: Polkit, CSP, Ansible and Router Hardening Checklist

  • Polkit CVE-2018-19788 vs. SELinux
  • Why is your site not using Content Security Policy / CSP?
    Yesterday, I had the pleasure of watching on Frikanalen the OWASP talk by Scott Helme titled "What We've Learned From Billions of Security Reports". I had not heard of the Content Security Policy standard nor its ability to "call home" when a browser detects a policy breach (I do not follow web page design development much these days), and found the talk very illuminating. The mechanism allows a web site owner to use HTTP headers to tell visitors' web browsers which sources (internal and external) are allowed to be used on the web site. Thus it becomes possible to enforce an "only local content" policy despite web designers' urge to fetch programs from random sites on the Internet, like the one enabling the attack reported by Scott Helme earlier this year.
  • Red Hat Ansible Playbooks Password Exposure Vulnerability [CVE-2018-16859]
    CVE-2018-16859. A vulnerability in Red Hat Ansible could allow a local attacker to discover plaintext passwords on a targeted system.
  • Router Hardening Checklist