
Security

Security News

Filed under
Security
  • Security advisories for Monday
  • Fast security is the best security

    DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus for those of you who have never had the joy of witnessing the heart stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in a net. The really exciting and scary trapeze acts have no net. If these folks fall, that's pretty much it for them. Someone pointed out to me that the current DevOps security is a bit like taking away the net.

  • Detecting fraudulent signups?

    I run a couple of different sites that allow users to sign-up and use various services. In each of these sites I have some minimal rules in place to detect bad signups, but these are a little ad hoc, because the nature of "badness" varies on a per-site basis.

  • Reproducible Builds: week 82 in Stretch cycle

    What happened in the Reproducible Builds effort between Sunday November 13 and Saturday November 19 2016...

Linux Kernel 3.2.84 LTS Released, Adds over 200 Improvements and Bug Fixes

Filed under
Linux
Security

On November 20, 2016, Linux kernel maintainer Ben Hutchings announced the release of the eighty-fourth maintenance update to the long-term supported Linux 3.2 kernel series.


Also: Linux Kernel 3.16.39 LTS Is a Massive Maintenance Update with 420 Improvements

Linux versus Unix hot patching

Filed under
GNU
Linux
Security

There has always been a debate about how close Linux can get to the real operating system (OS), the core proprietary Unix variants that for two decades defined the limits of non-mainframe scalability and reliability.

But times are changing, and the new narrative may be when will Unix catch up to Linux on critical reliability, availability, and serviceability (RAS) features such as hot patching?

Hot patching, the ability to apply updates to the OS kernel while it is running, is a long sought-after but elusive feature of a production OS.

It is sought after because both developers and operations teams recognise that bringing down an OS instance that is doing critical high-volume work is at best disruptive and at worst a logistical nightmare. Its level of difficulty also makes it somewhat elusive.

There have been several failed attempts and implementations that almost worked, but they were so fraught with exceptions that they were not really useful in production.


Also: Can I interest you in talking about Security?

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security updates for Friday
  • Serious Linux Vulnerability Found By Just Holding Down The Enter Key For 70 Seconds

    Security researchers have found a rather frightening vulnerability in Linux that could ultimately allow an attacker to copy, modify, or destroy the contents of a hard drive, along with configuring the network to exfiltrate data. That in and of itself is cause for concern, but the real harrowing part about this is how easy it is to activate—an attacker need only boot up the system and hold down the enter key for 70 seconds.

  • Open Source Software: Secure Except When It Isn't

    There is still a flaw in the open source security model which the Core Infrastructure Initiative only partly addressed. Remember the thousands and thousands of eyes looking for vulnerabilities in the code? While that may be true in a generalized sense, there are some small but important projects that are flying under the radar and don't seem to be getting the necessary attention.

  • Adobe Fined $1M in Multistate Suit Over 2013 Breach; No Jail for Spamhaus Attacker

    Adobe will pay just $1 million to settle a lawsuit filed by 15 state attorneys general over its huge 2013 data breach that exposed payment records on approximately 38 million people. In other news, the 39-year-old Dutchman responsible for coordinating an epic, weeks-long distributed denial-of-service attack against anti-spam provider Spamhaus in 2013 will avoid any jail time for his crimes thanks to a court ruling in Amsterdam this week.

    On Oct. 3, 2013, KrebsOnSecurity broke the story that Adobe had just suffered a breach in which hackers siphoned usernames, passwords and payment card data on 38 million customers. The intruders also made off with digital truckloads of source code for some of Adobe’s most valuable software properties — including Adobe Acrobat and Reader, Photoshop and ColdFusion.

  • Half of companies have been hit with ransomware in the past year

    MORE TERRIFYING SECURITY RESEARCH has discovered that almost half of a collection of firms surveyed admitted that they have been the victim of a ransomware attack.

    Endpoint security outfit SentinelOne said that the ransomware attacks do not just go after monies these days, but have darker aims and can be used to threaten and terrorise people.

    "[Our] results point to a significant shift for ransomware. It's no longer just a tool for cyber crime, but a tool for cyber terrorism and espionage," said Tony Rowan, chief security consultant at SentinelOne, in the firm's Ransomware Research Data Summary (PDF).

  • Security Of FLOSS

    I’ve worked with IT since the 1960s. I’ve seen systems that fell down just idling. I’ve seen systems that were insecure by design. Their creators just didn’t seem to care. I’ve seen systems that were made to get you. Their creators wanted to own your soul. I’ve also used FLOSS.

Tails 3.0 Anonymous Live OS to Be Based on Debian 9 "Stretch", Require 64-bit PC

Filed under
GNU
Linux
Security
Debian

A few days after the announcement of Tails 2.7, the development team behind the popular amnesic incognito live system based on Debian GNU/Linux unveiled a few technical details about the next major release.

Yes, we're talking about Tails 3.0, which is now in development and appears to be the next major update of the anonymous live OS that ex-CIA employee Edward Snowden used to protect his identity online. Tails is a Debian-based GNU/Linux distribution built around the popular Tor anonymity network and Tor Browser anonymous browser.


Security News

Filed under
Security
  • Security updates for Thursday
  • Reproducible Builds: week 81 in Stretch cycle
  • Security-hardened Android, bounties for Tcl coders, and more open source news

    In a blog post yesterday, the Tor project announced a refresh of a prototype of a Tor-enabled Android phone aimed at reducing vulnerability to security and privacy issues. Combining several existing software packages together, the effort has created an installation tool for hardening your phone. While designed for a Nexus 6P reference device, the project hopes to expand to provide greater hardware choice.

  • Linux flaw exposed in a minute by pressing enter key

    Researchers have discovered a major vulnerability in the Cryptsetup utility that can impact many GNU/Linux systems, which is activated by pressing the enter key for about 70 seconds.

  • Chinese IoT Firm Siphoned Text Messages, Call Records

    A Chinese technology firm has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China, researchers revealed this week. The revelations came the same day the White House and the U.S. Department of Homeland Security issued sweeping guidelines aimed at building security into Internet-connected devices, and just hours before a key congressional panel sought recommendations from industry in regulating basic security standards for so-called “Internet of Things” (IoT) devices.

  • Google security engineer slams antivirus software, cites better security methods

    Google senior security engineer Darren Bilby isn’t a fan of antivirus software, telling a conference in New Zealand that more time should be spent on more meaningful defenses such as whitelisting applications.

    Speaking at the Kiwicon hacking conference, Bilby said that antivirus apps are simply ineffective and the security world should concentrate its efforts on things that can make a difference.

    “Please no more magic,” Bilby told the conference, according to The Register. “We need to stop investing in those things we have shown do not work. Sure, you are going to have to spend some time on things like intrusion detection systems because that’s what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help.”

    Antivirus software does some useful things, he said, “but in reality it is more like a canary in the coal mine. It is worse than that. It’s like we are standing around the dead canary saying, ‘Thank god it inhaled all the poisonous gas.’”

  • Dutch government wants to keep “zero days” available for exploitation

    The Dutch government is very clear about at least one thing: unknown software vulnerabilities, also known as “zero days”, may be left open by the government, in order to be exploited by secret services and the police.

    We all benefit from a secure and reliable digital infrastructure. It ensures the protection of sensitive personal data, security, company secrets and the national interest. It is essential for the protection of free communication and privacy. As a consequence, any vulnerability should be patched immediately. This is obviously only possible when unknown vulnerabilities are disclosed responsibly. Keeping a vulnerability under wraps is patently irresponsible: it may be found simultaneously by others who abuse it, for example to steal sensitive information or to attack other devices.

Mission Improbable: Hardening Android for Security And Privacy

Filed under
Security

This prototype is meant to show a possible direction for Tor on mobile. While I use it myself for my personal communications, it has some rough edges, and installation and update will require familiarity with Linux.

The prototype is also meant to show that it is still possible to replace and modify your mobile phone's operating system while retaining verified boot security - though only just barely. The Android ecosystem is moving very fast, and in this rapid development, we are concerned that the freedom of users to use, study, share, and improve the operating system software on their phones is being threatened. If we lose these freedoms on mobile, we may never get them back. This is especially troubling as mobile access to the Internet becomes the primary form of Internet usage worldwide.


Security News

Filed under
Security
  • Wickedly Clever USB Stick Installs a Backdoor on Locked PCs

    You probably know by now that plugging a random USB into your PC is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But serial hacker Samy Kamkar’s latest invention may make you think of your computer’s USB ports themselves as unpatchable vulnerabilities—ones that open your network to any hacker who can get momentary access to them, even when your computer is locked.

  • How does your encrypted Linux system respond to the Cryptsetup bug?

    In all three cases, the encrypted system partition is still encrypted, so your data is still safe. However, as detailed in the bug report, unencrypted partitions, like ones mounted at /boot and /boot/efi (on UEFI systems) might still be open for exploitation. But how far can an attacker go on such a system, when the system partition is still encrypted? Not far, I hope.

    A bug always has a solution, and in this case, the authors provided an easy-to-apply workaround. I’ve expanded on it a bit in the code block below. If after applying the workaround you discover that it does not work, welcome to the club. It didn’t work on all the encrypted systems I applied it on – Ubuntu 16.10, Manjaro 16.10, and Fedora Rawhide. By the way, all three distributions were running either Cryptsetup 1.7.2 or 1.7.3.

  • Holding down the Enter key can smash through Linux's defenses
  • 7 open source security predictions for 2017

    Everyone uses open source. It’s found in around 95 per cent of applications and it’s easy to understand why. Open source’s value in reducing development costs, in freeing internal developers to work on higher-order tasks, and in accelerating time to market is undeniable.

    The rapid adoption of open source has outpaced the implementation of effective open source management and security practices. In the annual ‘Future of Open Source Survey’ conducted earlier this year by Black Duck, nearly half of respondents said they had no formal processes to track their open source, and half reported that no one has responsibility for identifying known vulnerabilities and tracking remediation.

    The flip side of the open source coin is that if you’re using open source, the chances are good that you’re also including vulnerabilities known to the world at large. Since 2014, the National Vulnerability Database (NVD) has reported over 8,000 new vulnerabilities in open source software.

Security News

Filed under
Security
  • How to fix the Cryptsetup vulnerability in Linux

    Linux enjoys a level of security that most platforms cannot touch. That does not, in any way, mean it is perfect. In fact, over the last couple of years a number of really ugly vulnerabilities have been found — and very quickly patched. Enough time has passed since Heartbleed for those that do to find yet another security issue.

  • Get root on Linux: learn the secret password
  • Security advisories for Wednesday
  • The Web-Shaking Mirai Botnet Is Splintering—But Also Evolving

    Over the last few weeks, a series of powerful hacker attacks powered by the malware known as Mirai have used botnets created of internet-connected devices to clobber targets ranging from the internet backbone company Dyn to the French internet service provider OVH. And just when it seemed that Mirai might be losing steam, new evidence shows that it’s still dangerous—and even evolving.

    Researchers following Mirai say that while the number of daily assaults dipped briefly, they’re now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other internet-of-things (IoT) gadgets it’s hijacked to power its streams of malicious traffic. That progression could actually increase the total population available to the botnet, they warn, potentially giving it more total compute power to draw on.

    “There was an idea that maybe the bots would die off or darken over time, but I think what we are seeing is Mirai evolve,” says John Costello, a senior analyst at the security intelligence firm Flashpoint. “People are really being creative and finding new ways to infect devices that weren’t susceptible previously. Mirai is not going away.”

  • This $5 Device Can Hack Your Locked Computer In One Minute

    Next time you go out for lunch and leave your computer unattended at the office, be careful. A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks.

    Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday.
