Security

Security: Updates, DNS Features in IPFire, Shodan and Canonical's Role in Robot Operating System (ROS 2)

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (python-pysaml2), Mageia (clamav, graphicsmagick, opencontainers-runc, squid, and xmlsec1), Oracle (kernel, ksh, python-pillow, systemd, and thunderbird), Red Hat (rh-nodejs12-nodejs), Scientific Linux (ksh, python-pillow, and thunderbird), and SUSE (nodejs6, openssl, ppp, and squid).

  • What you can do with the new DNS features in IPFire

    Every time you try to access a website - for example ipfire.org - you will ask a DNS server for the IP address to connect to. They won't see anything past "the slash" in the URL, but that is not necessary to know what you probably have in mind to do. That DNS server now knows which bank you are with, where you work, where you do your online shopping, who is hosting your emails and many things more...

    Although this data is not too interesting about one individual, it becomes very relevant when you are looking at many profiles. People who shop at a certain place or are with a certain bank might be high earners. People who shop at another place might have trouble to stay afloat financially. Now I know what advertisements I need to show to which group so that they will become my customers.

    In short, your whole browser history tells a lot about you and you might be giving it away for free to the advertising industry or other parties who will use your data against you.

  • How Shodan Has Been Improved to Help Protect Energy Utilities

    Shodan is a well-known security hacking tool that has even been showcased on the popular Mr. Robot TV show. While Shodan can potentially be used by hackers, it can also be used for good to help protect critical infrastructure, including energy utilities.

    At the RSA Conference in San Francisco, Michael Mylrea, Director of Cybersecurity R&D (ICS, IoT, IIoT) at GE Global Research, led a session titled "Shodan 2.0: The World’s Most Dangerous Search Engine Goes on the Defensive," where he outlined how Shodan has been enabled to help utilities identify risks in critical energy infrastructure. Shodan, to the uninitiated, is a publicly available search engine tool that crawls the internet looking for publicly exposed devices.

    Mylrea explained that utilities are often resource constrained when it comes to cybersecurity and are typically unaware of their risk. In recent years, there have been a number of publicly disclosed incidents involving utilities. To help solve that challenge, Mylrea proposed a project to the US Department of Energy (DoE) to enhance Shodan for utilities so they could use the tool to find risks quickly.

  • Canonical takes leadership role in security for ROS

    Canonical is committed to the future of robotics, as proven a short time ago when we joined the Technical Steering Committee of the second version of the Robot Operating System (ROS 2). We’re also dedicated to building a foundation of enterprise-grade, industry leading security practices within Ubuntu, so we’re excited to join both of these strengths with our own Joe McManus taking the helm of the ROS 2 Security Working Group.

    We believe robots based on Linux are cheaper to develop, more flexible, faster to market, easier to manage, and more secure. While ROS began as an academic project over a decade ago, it has grown to become the most popular middleware for creating Linux-powered robots. It has harnessed the power of open source, allowing for many of the complex problems faced by robotics to be solved through collaboration. The ROS developer community has continued to grow, and ROS now enjoys an increasing amount of commercial use and supported robots. In response, the ROS community has completely overhauled the ROS codebase and started distributing ROS 2.

Red Hat Enterprise Linux 7 and CentOS 7 Receive Important Kernel Security Update

Filed under
Red Hat
Security

The new kernel security update is marked as “Important” by the Red Hat Product Security team and patches two heap overflows (CVE-2019-14816 and CVE-2019-14901) in the Marvell Wi-Fi chip driver.

While CVE-2019-14816 could allow an attacker on the same Wi-Fi physical network segment to cause a denial of service (system crash) or even maybe execute arbitrary code, CVE-2019-14901 is more dangerous as it lets a remote attacker crash the system or execute arbitrary code.

Security, FUD, Openwashing and Threats

Filed under
Server
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (curl and otrs2), Fedora (NetworkManager-ssh and python-psutil), Mageia (ipmitool, libgd, libxml2_2, nextcloud, radare2, and upx), openSUSE (inn and sudo), Oracle (kernel, ksh, python-pillow, and thunderbird), Red Hat (curl, kernel, nodejs:10, nodejs:12, procps-ng, rh-nodejs10-nodejs, ruby, and systemd), SUSE (dpdk, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libexif, libvpx, nodejs10, nodejs8, openssl1, pdsh, slurm_18_08, python-azure-agent, python3, and webkit2gtk3), and Ubuntu (libapache2-mod-auth-mellon, libpam-radius-auth, and rsync).

  • New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros [Ed: Typical FUD associating "Linux" with a package that GNU/Linux distros do not come with]

    Security researchers have discovered a new critical vulnerability in the OpenSMTPD email server. An attacker could exploit it remotely to run shell commands as root on the underlying operating system.

  • New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers [Ed: Again attributing to operating systems bugs in pertinent packages they may not even have]

    OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems.
    OpenSMTPD, also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol (SMTP) to deliver messages on a local machine or to relay them to other SMTP servers.
    It was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems.

  • Y2K bug has a 2020 echo

    The New Scientist reports on problems with software caused by an echo of the Y2K bug that had everyone excited in the late 1990s.

    It turns out one of the fixes then was to kick various software cans down the road to 2020. In theory that gave people 20 years to find long term answers to the problems. In some cases they might have expected software refreshes to have solved the issue.

    [...]

    This happens because Unix time started on January 1 1970. Time since then is stored as a 32-bit integer. On January 19 2038, that integer will overflow.

    Most modern applications and operating systems have been patched to fix this although there are some compatibility problems. The real issue comes with embedded hardware, think of things like medical devices, which will need replacing some time in the next 18 years.

  • The “Cloud Snooper” malware that sneaks into your Linux servers [Ed: They don't want to mention that people actually need to install this malware on GNU/Linux for dangers to become viable. Typical Sophos FUD/sales.]
  • Cybersecurity alliance launches first open source messaging framework for security tools [Ed: Openwash of proprietary software firms]

    Launched by the Open Cybersecurity Alliance (OCA), a consortium of cybersecurity vendors including IBM, Crowdstrike, and McAfee, on Monday, the OCA said that OpenDXL Ontology is the "first open source language for connecting cybersecurity tools through a common messaging framework."

  • Microsoft uses its expertise in malware to help with fileless attack detection on Linux [Ed: Truly laughable stuff as Microsoft specialises in adding back doors, then abusing those who speak about it]
  • Azure Sphere, Microsoft's Linux-Powered IoT Security Service, Launches [Ed: Microsoft is Googlebombing "Linux" again; you search for Linux news, you get Microsoft Azure (surveillance) and proprietary malware, instead.]

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (libpam-radius-auth, pillow, ppp, proftpd-dfsg, and python-pysaml2), Fedora (firefox, glib2, hiredis, http-parser, libuv, mingw-openjpeg2, nghttp2, nodejs, openjpeg2, python-pillow, skopeo, and webkit2gtk3), Mageia (patch, postgresql, and systemd), Red Hat (ksh, nodejs:10, openjpeg2, python-pillow, systemd, and thunderbird), and SUSE (java-1_7_1-ibm, libsolv, libzypp, zypper, pdsh, slurm_18_08, and php53).

  • U.S. Government Says Update Chrome 80 As High-Rated Security Flaws Found

    Are you a Google Chrome user? High-rated security vulnerabilities have already been discovered in version 80 of Google Chrome. The Cybersecurity and Infrastructure Security Agency is encouraging Google users to update again just weeks after the Chrome 80 release. Here’s what you need to know.

  • OpenBSD Pwned, Patched Again: Bug is Remotely Exploitable [Ed: Misleading. This is about OpenSMTPD.]

    There’s a fresh remote code execution (RCE) vulnerability in OpenSMTPD, and by extension in OpenBSD. Yes, it feels like déjà vu all over again.

    The severity of the vulnerability, CVE-2020-8794, means that anyone running a public-facing OpenSMTPD deployment should update as soon as possible.

    OpenBSD’s developers describe the issue as “an out of bounds read in smtpd [that] allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.”

  • Kali Linux explained: A pentester’s toolkit

    Kali Linux is the world's most popular offensive-security-optimized Linux distro. Maintained and managed by the fine folks at Offensive Security, Kali was born in 2006 as BackTrack Linux, but after a major refactoring in 2013 got the name Kali. What does the name mean? Well, we'll get to that.

  • Police to get right to use spyware in serious crime investigations

    The new bill, that will allow the police to use trojans or virus programmes to tap into the chats, is expected to be voted through parliament on Thursday. Home Affairs Minister Mikael Damberg says he is convinced it will lead to more convictions.

  • McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges

    A while back I wrote about a bunch of vulnerabilities in McAfee WebAdvisor, a component of McAfee antivirus products which is also available as a stand-alone application. Part of the fix was adding a bunch of pages to the extension which were previously hosted on siteadvisor.com, generally a good move. However, when I looked closely I noticed a Cross-Site Scripting (XSS) vulnerability in one of these pages (CVE-2019-3670).

    Now an XSS vulnerability in a browser extension is usually very hard to exploit thanks to security mechanisms like Content Security Policy and sandboxing. These mechanisms were intact for McAfee WebAdvisor and I didn’t manage to circumvent them. Yet I still ended up with a proof of concept that demonstrated how attackers could gain local administrator privileges through this vulnerability, something that came as a huge surprise to me as well.

Security and FUD: SpaceX, NMap, Polyverse, MongoDB, NGINX and Kubernetes

Filed under
Security
  • All Those Low-Cost Satellites in Orbit Could Be Weaponized by Hackers, Warns Expert

    Last month, SpaceX became the operator of the world's largest active satellite constellation. As of the end of January, the company had 242 satellites orbiting the planet with plans to launch 42,000 over the next decade.

    This is part of its ambitious project to provide internet access across the globe. The race to put satellites in space is on, with Amazon, UK-based OneWeb and other companies chomping at the bit to place thousands of satellites in orbit in the coming months.

  • NMap - A Basic Security Audit of Exposed Ports and Services

    For a plethora of reasons, auditing the security of our servers and networks is of paramount importance. Whether we are talking about a development server, a workstation, or a major enterprise application, security should be baked into every step of the deployment. While we can easily check our firewall settings from “the inside” of our systems, it is also a good idea to run a security audit from “the outside”, using a network enumeration tool such as the famous and highly vetted Network Mapper (NMap).

  • Cybersecurity startup Polyverse raises $8M to protect Linux open-source code from hackers [Ed: Right around the corner from Bill Gates, another company like Black Duck and it'll "protect" Linux... just buy its proprietary software]

    Polyverse has been validated by the U.S. Department of Defense for mitigating zero-day attacks, intrusions that occur just as a vulnerability becomes public, such as the infamous WannaCry ransomware and hacks of companies like Equifax. The company says its technology is “running on millions of servers.”

  • MongoDB: developer distraction dents DevSecOps dreams

    MongoDB’s director of developer relations has just opened a piece of internal research that suggests as few as 29% of Europe’s developers take full responsibility for security.

    Now, 29% is a somewhat arbitrary figure, clearly, i.e. it could be 22.45% or it could be 39.93%… the fact that the firm has pointed to an exact sum in this way is merely intended to show that it has undertaken a degree of calculation and statistical analysis

  • NGINX Unit Adds Support for Reverse Proxying and Address-Based Routing

    NGINX announced the release of versions 1.13 and 1.14 of NGINX Unit, its open-source web and application server. These releases include support for reverse proxying and address-based routing based on the connected client's IP address and the target address of the request.

    NGINX Unit is able to run web applications in multiple language versions simultaneously. Languages supported include Go, Perl, PHP, Python, Node.JS, Java, and Ruby. The server does not rely on a static configuration file, instead allowing for configuration via a REST API using JSON. Configuration is stored in memory allowing for changes to happen without a restart.

  • Kubernetes Security Plagued by Human Error, Misconfigs

    Following a year of numerous security bugs within the Kubernetes ecosystem and the first security audit of Kubernetes conducted by the Cloud Native Computing Foundation (CNCF), which hosts the open source platform, continued wide-spread adoption has seen security become somewhat of an afterthought.

    However, if security concerns continue inhibiting business innovation, does that fall on businesses for neglecting security practices or the market for not providing them with the tools to confidently secure their deployments?

    “People just get security wrong sometimes,” McLean said. “Companies need a combination of increased learning, cross-pollination, new tooling, and updated processes to identify and remediate these security ‘mistakes’ during build and deploy vs. waiting for exposure during runtime.”

Security and Scare for Sale

Filed under
Security
  • Malware Attack Takes ISS World's Systems Offline

    Founded in 1901, the Copenhagen, Denmark-based company provides cleaning, support, property, catering, security, and facility management services for offices, factories, airports, hospitals, and other locations all around the world.

    At the moment, the company’s employees don’t have access to corporate systems, as they were taken offline following a malware attack earlier this week.

  • The rise and rise of ransomware [iophk: Windows TCO]
  • Security flaws belatedly fixed in open source SuiteCRM software

    According to Romano, a second-order PHP object injection vulnerability (CVE-2020-8800) in SuiteCRM could be “exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks, such as executing arbitrary PHP code”.

    SuiteCRM versions 7.11.11 and below are said to be vulnerable.

    [...]

    “We have put a notice on our open source community channels and advice via social media. We have a dedicated community that works around the clock to spot vulnerabilities and produce suitable fixes, which is one of the key benefits for a business when choosing to use open source software.”

  • With the rise of third-party code, zero-trust is key

    The surface area of website and web application attacks keeps growing. One reason for this is the prevalence of third-party code. When businesses build web apps, they use code from many sources, including both commercial and open-source projects, often created and maintained by both professional and amateur developers.

    Web application creators take advantage of third-party code because it allows them to build their websites and apps quickly. For example, companies are likely to add a third-party chat widget to their site, instead of building one from scratch.

    But third-party code can leave websites vulnerable. Consider the July 2018 Magecart attack on Ticketmaster. In this data breach, hackers were able to gain access to sensitive customer information on Ticketmaster's website by compromising a third-party script used to provide chatbot functionality.

    The challenge is that this third-party functionality runs directly on the customer's browser, and the browser is built to simply render the code sent down from a web server. It assumes that all code, whether first-party or third-party, is good.

  • New company BluBracket takes on software supply chain code security
  • BluBracket scores $6.5M seed to help secure code in distributed environments

    BluBracket, a new security startup from the folks who brought you Vera, came out of stealth today and announced a $6.5 million seed investment. Unusual Ventures led the round with participation by Point72 Ventures, SignalFire and Firebolt Ventures.

Security: Debian LTS Work, Various Patches, Honeypots/Honeynets and FUD (Marketing)

Filed under
Security
  • Freexian’s report about Debian Long Term Support, January 2020

    January started calm until at the end of the month some LTS contributors met, some for the first time ever, at the Mini-DebCamp preceding FOSDEM in Brussels. While there were no formal events about LTS at both events, such face2face meetings have proven to be very useful for future collaborations!
    We currently have 59 LTS sponsors sponsoring 219h each month. Still, as always we are welcoming new LTS sponsors!

  • Security updates for Friday

    Security updates have been issued by CentOS (openjpeg2), Debian (cloud-init, jackson-databind, and python-reportlab), Red Hat (ksh, python-pillow, systemd, and thunderbird), Slackware (proftpd), SUSE (java-1_7_0-ibm, nodejs10, and nodejs12), and Ubuntu (ppp and squid, squid3). 

  • Honeypots and Honeynets
  • Up close and personal with Linux malware [Ed: ESET trying to sell its useless proprietary software for a platform that does not need it]

    Chances are that the very word ‘Linux’ conjures up images of near-impenetrable security. However, Linux-based computer systems and applications running on them increasingly end up in the crosshairs of bad actors, and recent years have seen discoveries of a number of malicious campaigns that hit Linux systems, including botnets that were made up of thousands of Linux servers. These mounting threats have challenged the conventional thinking that Linux is more or less spared the problems that affect other operating systems, particularly Windows.

Security, Fear, Uncertainty, and Doubt

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by Debian (netty and netty-3.9), Fedora (ceph, dovecot, poppler, and webkit2gtk3), openSUSE (inn and rmt-server), Oracle (openjpeg2), Red Hat (rabbitmq-server), Scientific Linux (openjpeg2), SUSE (dnsmasq, rsyslog, and slurm), and Ubuntu (php7.0).

  • 30 The Most Common Hacking Techniques and How to Deal with Them [Ed: Cracking, not hacking. Not the same thing.]
  • A guide to developing a holistic IT security strategy

    In assessing how prevalent cyberattacks are for companies, 18 percent of respondents rated the security risk as very high. Half (50 percent) even stated that their company had suffered financial losses due to security incidents. Opinions differed as to whether the incidents were handled optimally: Almost half (49 percent) say that everything worked well, while the other half (49 percent) believe there is a lot of potential for improvement.

  • Linux and malware: Should you worry? [Ed: All those headlines with question marks mean that the answer is "No."]

    Gone are the days when the idea of viruses or other malware hitting Linux was almost universally greeted with quizzical glances, if not outright rejection. Long thought of as the perfect marriage of open-source goodness and strong, Unix-like security, Linux-based operating systems are now increasingly seen as another valuable – and viable – target.

    This shift in thinking is partly the result of a growing realization among both Linux hobbyists and system administrators that a compromised Linux system such as a web server provides attackers an excellent ‘return on investment’. Just as importantly, malware research in recent years has brought better visibility into threats facing Linux systems.

Why You Still Don’t Need Antivirus Software on Linux in 2020

Filed under
GNU
Linux
Security

There’s a division of opinion when it comes to the question: does Linux need antivirus? Well, the short answer is no. Some say viruses for Linux are rare; others say Linux’s security system is secure and much safer than other operating systems like Windows.

So, is Linux really secure?

While no single operating system is entirely secure, Linux is known to be much more reliable than Windows or any operating system. The reason behind this is not the security of Linux itself but the minority of viruses and malware that exist for the operating system.

Viruses and malware are incredibly rare in Linux. They do exist, though the likelihood of getting a virus on your Linux OS is very low. Linux-based operating systems also have additional security patches that are updated regularly to keep them safer.

The userbase of Linux is tiny when compared to Windows. While operating systems like Windows and Mac house all kinds of users, Linux is inclined more towards advanced users. In the end, it all comes down to the caution taken by the user.

Can you get viruses on Linux?

Yes, before you assume anything, viruses and malware can affect any operating system.

No operating system is 100% safe, and it’s a fool’s errand to look for one. Like Windows and Mac OS, you can get viruses on Linux. However rare they are, they still exist.

On the official page of Ubuntu, a Linux based OS, it is said that Ubuntu is highly secure. A lot of people installed Ubuntu for the sole purpose of having a dependable OS when it comes to the security of their data and sensitive details.

Security: Patches, Bugs, RMS Talk and NG Firewall 15.0

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, ksh, and sudo), Debian (php7.0 and python-django), Fedora (cacti, cacti-spine, mbedtls, and thunderbird), openSUSE (chromium, re2), Oracle (firefox, java-1.7.0-openjdk, and sudo), Red Hat (openjpeg2 and sudo), Scientific Linux (java-1.7.0-openjdk and sudo), SUSE (dbus-1, dpdk, enigmail, fontforge, gcc9, ImageMagick, ipmitool, php72, sudo, and wicked), and Ubuntu (clamav, linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-azure, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-lts-xenial, linux-aws, and qemu).

  • Certificate validity and a y2k20 bug

    One of the standard fields of an SSL certificate is the validity period. This field includes notBefore and notAfter dates which, according to RFC5280 section 4.1.2.5, indicate the interval "during which the CA warrants that it will maintain information about the status of the certificate".

    This is one of the fields that should be inspected when accepting new or unknown certificates.

    When creating certificates, there are a number of theories on how long to set that period of validity. A short period reduces risk if a private key is compromised. The certificate expires soon after and can no longer be used. On the other hand, if the keys are well protected, then there is a need to regularly renew those short-lived certificates.

  • Free Software is protecting your data – 2014 TEDx Richard Stallman Free Software Windows and the NSA

    Libre booted (BIOS with Linux overwritten) Thinkpad T400s running Trisquel GNU/Linux OS. (src: https://stallman.org/stallman-computing.html)

    LibreBooting the BIOS?

    Yes!

    It is possible to overwrite the BIOS of some Lenovo laptops (why only some?) with a minimal version of Linux.

  • NG Firewall 15.0 is here with better protection for SMB assets

    Here comes the release of NG Firewall 15.0 by Untangle with the creators claiming top-notch security for SMB assets. Let’s thoroughly discuss the latest NG Firewall update.

    With that being said, it only makes sense to first introduce this software to the readers who aren’t familiar with it. As the name ‘NG Firewall’ suggests, it is indeed a firewall but a very powerful one. It is a Debian-based network gateway designed for small to medium-sized enterprises.

    If you want to be up-to-date with the latest firewall technology, your best bet would be to opt for this third-generation firewall. Another factor that distinguishes the NG Firewall from other such products in the market is that it combines network device filtering functions and traditional firewall technology.
