
Security: new updates, new flaws, and SELinux

Filed under
Security
  • Security updates for Tuesday
  • Never Trust Yellow Fruit

    You've probably heard about the WiFi Pineapple from Hak5. It's a fascinating device that allows you to do some creepy pen testing. It's the sort of tool that could be used for evil, but it's also incredibly useful for securing networks.

    The hardware is fairly basic and resembles an off-the-shelf router. The multiple network interfaces really shine, however, when paired with the operating system. The WiFi Pineapple software creates a rogue, hidden access point that purposefully tricks clients into connecting to it instead of the AP they're usually connected to.

  • Time to Patch: 'Stack Clash' Vulnerability Affects Wide Range of Unix-like OSes
  • Stack Clash Vulnerability Exploits Linux Stack Guard
  • What capabilities do I really need in my container?

    A few years ago the SELinux team realized that more and more applications were getting EPERM returns when a syscall requested some access. Most operators understood EPERM (Permission Denied) inside of a log file to mean something was wrong with the ownership of a process or the contents it was trying to access, or that the permission flags on the object were wrong. This type of access control is called DAC (Discretionary Access Control), and under certain conditions SELinux also caused the kernel to return EPERM. This caused operators to get confused and is one of the reasons that operators did not like SELinux. They would ask, why didn’t httpd report that Permission denied was because of SELinux? We realized that there was a growing list of other tools besides regular DAC and SELinux which could cause EPERM. Things like SECCOMP, dropped capabilities, other LSMs … The problem was that the processes getting the EPERM had no way to know why they got EPERM. The only one that knew was the kernel, and in a lot of cases the kernel was not even logging the fact that it denied access. At least SELinux denials usually show up in the audit log (AVCs). The goal of Friendly EPERM was to allow the processes to figure out why they got EPERM and make it easier for admins to diagnose.

  • Erebus Resurfaces as Linux Ransomware

Canonical Outs Major Security Updates for All Supported Ubuntu Linux Releases

Filed under
Security
Ubuntu

Canonical released major kernel security updates for all supported Ubuntu Linux operating systems patching up to eleven vulnerabilities across all of the supported architectures.

Read more

Security Leftovers: Privilege Escalation, Nayana Caught by Malware in Ads

Filed under
Security

That's random: OpenBSD adds more kernel security

Filed under
Security
BSD

OpenBSD has a new security feature designed to harden it against kernel-level buffer overruns, the "KARL" (kernel address randomised link).

The changes are described in this note to an OpenBSD developer list penned by founder and lead developer Theo de Raadt.

Read more

Security Leftovers: Security in Medicine, WannaCry, Let’s Encrypt, Rooting a Printer

Filed under
Security

Security Leftovers: Updates, 'Clouds', Cars, Erebus

Filed under
Security
  • Security updates for Friday
  • The 2 cloud security myths that must die
  • Open source security challenges in cars

    A revolution is underway in the automotive industry. The car is no longer simply a means of getting from here to there. Today’s car reaches out for music streamed from the cloud, allows hands-free phone calls, and provides real-time traffic information and personalised roadside assistance.

    Almost every modern automobile feature — speed monitoring, fuel efficiency tracking, anti-lock braking, traction and skid-control — is now digitised to provide drivers with easier, safer operation and better information.

  • Erebus Ransomware Targets Linux Servers

    The IT security researchers at Trend Micro recently discovered malware that has the potential to infect Linux-based servers. The malware, called Erebus, has been responsible for hijacking 153 Linux-based networks of a South Korean web-hosting company called NAYANA.

    [...]

    Once the user clicked on those ads, the ransomware would activate in the usual way.

Enhancing the security of the OS with cryptography changes in Red Hat Enterprise Linux 7.4

Filed under
Linux
Red Hat
Security

Today we see more and more attacks on operating systems taking advantage of various technologies, including obsolete cryptographic algorithms and protocols. As such, it is important for an operating system not only to carefully evaluate the new technologies that get introduced, but to also provide a process for phasing out technologies that are no longer relevant. Technologies with no practical use today increase the attack surface of the operating system and more specifically, in the cryptography field, introduce risks such as untrustworthy communication channels, when algorithms and protocols are being used after their useful lifetime.

Read more

Security Leftovers: CherryBlossom, Security Tips, Travel With Keys, Windows Malware in Electricity Systems, PGP Lapse

Filed under
Security
  • The CIA has lots of ways to hack your router

    According to new documents published by WikiLeaks, the CIA has been building and maintaining a host of tools to do just that. This morning, the group published new documents describing a program called Cherry Blossom, which uses a modified version of a given router’s firmware to turn it into a surveillance tool. Once in place, Cherry Blossom lets a remote agent monitor the target’s internet traffic, scan for useful information like passwords, and even redirect the target to a desired website.

  • Advanced CIA firmware has been infecting Wi-Fi routers for years

    Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

    CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

  • 3 security tips for software developers

    Every developer knows the importance of following best security practices. But too often we cut corners, maybe because we have to work hard until those security practices sink in. Unfortunately, that usually takes something like seeing a security malpractice that's so bad it gets marked in indelible ink in our brains.

    I've seen a lot of instances of poor security practices during my career as a sysadmin, but the three I'm going to describe here are basic things that every software developer should avoid. It's important to note that I've seen every single one of these errors committed by large companies and experienced developers, so you can't chalk these mistakes up to novice junior engineers.

  • Travel (Linux) laptop setup

    I understand that this is way too paranoid for most people (and not nearly paranoid enough for some others -- as I like to say, IT security is just like driving on the highway in the sense that anyone going slower than you is an idiot, and anyone going faster is clearly a maniac). Whether this guide is of any use to you is entirely your call, but I hope I gave you some good ideas to help secure your digital life next time you are away from the comfort of your home or office.

  • Potent malware targets electricity systems

    "In that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia."

    In addition, it said, the malware could be adapted "with a small amount of tailoring" to render it potent against the North American power grid.

    It said that the malware can be applied to work at several electricity substations at the same time, giving it the power to create a widespread power shutdown that could last for hours and potentially days.

  • KMail’s ‘Send Later’ caused PGP encrypted private emails to be sent in plain-text

    I recently discovered the security vulnerability CVE-2017-9604 in the KDE Project’s KMail email client. This vulnerability led KMail to not encrypt email messages scheduled to be sent with a delay, even when KMail gave every indication that the email contents would be encrypted using OpenPGP.

IPFire 2.19 Linux Firewall Gets WPA Enterprise Authentication in Client Mode

Filed under
GNU
Linux
Security

Michael Tremer from the IPFire Project announced the availability of a new stable update for the IPFire 2.19 series of the open-source Linux-based firewall distribution.

IPFire 2.19 Core Update 111 is now live and it appears to be a major update adding quite a large number of new features to the firewall, along with dozens of up-to-date components. The biggest change, however, seems to be the ability for IPFire to authenticate itself with an EAP (Extensible Authentication Protocol)-enabled wireless network, supporting both TTLS and PEAP methods.

Read more


More in Tux Machines

PC-MOS/386 is the latest obsolete operating system to open source on Github

PC-MOS/386 was first announced by The Software Link in 1986 and was released in early 1987. It was capable of working on any x86 computer (though the Intel 80386 was its target market). However, some later chips became incompatible because they didn't have the necessary memory management unit. It had a dedicated following but also contained a couple of design flaws that made it slow and/or expensive to run. Add to that the fact it had a Y2K bug that manifested on 31 July 2012, after which any files created wouldn't work, and it's not surprising that it didn't become the gold standard. The last copyright date listed is 1992, although some users have claimed to be using it far longer.

Read more

GIMP, More Awesome Than I Remember

For what seems like decades, GIMP (Graphic Image Manipulation Program) has been the de facto standard image editor for Linux. It works well, has many features, and it even supports scripting. I always have found it a bit clumsy, however, and I preferred using something else for day-to-day work. I recently had the pleasure of sitting at a computer without an image editor though, so I figured I'd give GIMP another try on a non-Linux operating system. See, the last time I tried to use GIMP on OS X, it required non-standard libraries and home-brew adding. Now, if you head over to the GIMP site, you can download a fully native version of GIMP for Windows, OS X and Linux.

Read more

Linux 4.13.9

I'm announcing the release of the 4.13.9 kernel. All users of the 4.13 kernel series must upgrade. The updated 4.13.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.13.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st...

Read more

Also:
  • Linux 4.9.58
  • Linux 4.4.94
  • Linux 3.18.77

Linux 4.14-rc6

So rc6 is delayed, not because of any development problems, but simply because the internet was horribly bad my usual Sunday afternoon time, and I decided not to even try to fight it. And by delaying things, I got a couple more pull requests in from Greg. Yay, I guess? rc6 is a bit larger than I was hoping for, and I'm not sure whether that is a sign that we _will_ need an rc8 after all this release (which wouldn't be horribly surprising), or whether it's simply due to timing. I'm going to leave that open for now, so just know that rc8 _may_ happen.

Read more

Also: Linux 4.14-rc6 Released: Linux 4.14 Kernel Final In 2~3 Weeks