Security

Security Leftovers

Filed under
Security
  • Tuesday's security advisories
  • Secure Hardware vs. Open Source

    Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

  • The Alarming Truth

    Car alarms don't deter criminals, and they're a public nuisance. Why are they still so common?

  • Security hole in Symantec antivirus exposes Windows, Linux and Macs

    A major security vulnerability has been uncovered by UK white hat hacker and Google Project Zero developer, Tavis Ormandy. The vulnerability applies to the Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products and could see Linux, Mac and Windows PCs compromised.

  • Patch now: Google and JetBrains warn developers of buggy IDE

    Google has emailed Android developers advising them to update Android Studio, the official Android IDE, to fix security bugs. Other versions of the JetBrains IntelliJ IDE, on which Android Studio is based, are also affected.

    The bugs are related to the built-in web server in the IDE. A cross-site request forgery (CSRF) flaw means that if the IDE is running and the developer visits a malicious web page in any browser, scripts on the malicious web page could access the local file system.

  • Researchers crack new version of CryptXXX ransomware
  • How to empty your bank's vault with a few clicks and lines of code

    A security researcher has demonstrated how he could have theoretically emptied an Indian bank's coffers with no more than a few clicks and lines of code.

    Earlier this week, researcher Sathya Prakash revealed the discovery of multiple, critical vulnerabilities and poor coding in an unnamed government-run Indian bank.

Security Leftovers

Filed under
Security
  • SourceForge Tightens Security With Malware Scans

    After taking down the controversial DevShare program in early February, the new owners of popular software repository, SourceForge, have begun scanning all projects it hosts for malware in an attempt to regain trust that was lost by Dice Holdings, the site’s previous owners.

  • Mozilla Issues Legal Challenge to FBI to Disclose Firefox Flaw
  • Judge In Child Porn Case Reverses Course, Says FBI Will Not Have To Turn Over Details On Its Hacking Tool

    Back in February, the judge presiding over the FBI's case against Jay Michaud ordered the agency to turn over information on the hacking tool it used to unmask Tor users who visited a seized child porn site. The FBI further solidified its status as a law unto itself by responding that it would not comply with the court's order, no matter what.

    Unfortunately, we won't be seeing any FBI officials tossed into jail cells indefinitely for contempt of court charges. The judge in that case has reversed course, as Motherboard reports.

  • Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack

    In February, a judge ordered the FBI to reveal the full malware code it used to identify visitors of a dark web child pornography site, including the exploit that circumvented the protections of the Tor Browser. The government fought back, largely in sealed motions, and tried to convince the judge to reconsider.

  • Symantec antivirus security flaw exposes Linux, Mac and Windows

    Security holes in antivirus software are nothing new, but holes that exist across multiple platforms? That's rare... but it just happened. Google's Tavis Ormandy has discovered a vulnerability in Symantec's antivirus engine (used in both Symantec- and Norton-branded suites) that compromises Linux, Mac and Windows computers. If you use an early version of a compression tool to squeeze executables, you can trigger a memory buffer overflow that gives you root-level control over a system.

  • Apache incubating project promises new Internet security framework

    The newly announced Apache Milagro (incubating) project seeks to end centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications.

More Security Leftovers

Filed under
Security
  • Security updates for Monday
  • The Truth about Linux 4.6

    As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at: https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.

  • Major Remote SSH Security Issue in CoreOS Linux Alpha, Subset of Users Affected

    A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected. The Alpha was subsequently reverted back to the unaffected previous version (1032.1.0) and hosts configured to receive updates have been patched. The issue was reported on May 15 at 20:21 PDT and a fix was available 6 hours later at 02:29 PDT.

  • Let's Encrypt: The Good and the Bad

    By now, most of you have heard about the "Let's Encrypt" initiative. The idea being that it's high time more websites had a simple, easy to manage method to offer https encryption. As luck would have it, the initiative is just out of its beta phase and has been adding sponsors like Facebook, Cisco, and Mozilla to their list of organizations that view this initiative as important.

    In this article, I want to examine this initiative carefully, taking a look at the good and the bad of Let's Encrypt.

Security Leftovers

Filed under
Security
  • Security will fix itself, eventually

    Here's my prediction though. In the future, good security will be cheaper to build, deploy, and run than bad security. This sounds completely insane with today's technology. A statement like this is like some kook ten years ago telling everyone solar power is our future. Ten years ago solar wasn't a serious thing, today it is. Our challenge is figuring out what the new security future will look like. We don't really know yet. We know we can't train our way out of this, most existing technology is a band-aid at best. If I had to guess I'll use the worn out "Artificial Intelligence will save us all", but who knows what the future will bring. Thanks to Al Gore, I'm now more optimistic things will get better. I'm impatient though, I don't want to wait for the future, I want it now! So all you smart folks do me a favor and start inventing the future.

  • Does Microsoft care about security? [Ed: no, because leaks show it gives back doors to governments]

    On Wednesday, I also booted my laptop to Windows. I had not used the laptop for several days, so the AV definitions were three days old. It updated after around 3 hours. But the Vista system still has not updated.

    This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday. The previous two months, I attempted to manually update. On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading. It did eventually update, after repeating this for two days. This month, I decided to allow it to update without manual intervention, with the results described above.

    It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista. The priority worsening is greater for Vista than for Windows 7. It affects monthly patches as well as MSE virus table updates.

    The message to malware producers is loud and clear. Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.

How Fuzzing Can Make A Large Open Source Project More Secure

Filed under
OSS
Security

Emily Ratliff of the Linux Foundation explains the considerations to take when planning to fuzz your open source project

One of the best practices for secure development is dynamic analysis. Among such techniques, fuzzing has been highly popular since its invention and a multitude of fuzzing tools of varying sophistication have been developed.

Also: Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

Ubuntu 16.04 LTS Receives Minor Kernel Update That Patches Two Vulnerabilities

Filed under
Security
Ubuntu

Today, May 16, 2016, Canonical published multiple security notices to inform the Ubuntu community about the availability of a new kernel update for their operating systems.

Security Leftovers

Filed under
Security
  • Replacing /dev/urandom

    The kernel's random-number generator (RNG) has seen a great deal of attention over the years; that is appropriate, given that its proper functioning is vital to the security of the system as a whole. During that time, it has acquitted itself well. That said, there are some concerns about the RNG going forward that have led to various patches aimed at improving both randomness and performance. Now there are two patch sets to consider that significantly change the RNG's operation.

  • Mozilla asks the FBI for details of Tor vulnerability that could also affect Firefox

    Mozilla is fighting to force the FBI to disclose details of a vulnerability in the Tor web browser. The company fears that the same vulnerability could affect Firefox, and wants to have a chance to patch it before details are made public.

    The vulnerability was exploited by FBI agents to home in on a teacher who was accessing child pornography. Using a "network investigative technique", the FBI was able to identify the man from Vancouver, but Mozilla is concerned that it could also be used by bad actors.

    Perhaps unsurprisingly, the government says that it should be under no obligation to disclose details of the vulnerability to Mozilla ahead of anyone else. But the company has filed a brief with a view to forcing the FBI's hand. The argument is that users should be kept protected from known flaws by allowing software companies to patch them.

Security Leftovers

Filed under
Security
  • Thursday's security advisories
  • Friday's security updates
  • I never imagined a nuclear plant’s control system being online

    Many people think that the web is the internet. They see the Googles, the Facebooks, the Reddits… but the web is something built on top of the internet and so only the tip of the iceberg. The iceberg is composed of webcams, power plants, printers… billions of devices.

  • Heart Surgery Stalled For Five Minutes Thanks To Errant Anti-Virus Scan [Ed: Microsoft Windows]

    If you've ever had the pleasure of simply asking one medical outfit to transfer your records to another company or organization, you've probably become aware of the sorry state of medical IT. Billions are spent on medical hardware and software, yet this is a sector for which the fax machine remains the pinnacle of innovation and a cornerstone of daily business life. Meanwhile, getting systems to actually communicate with each other appears to be a bridge too far. And this hodge podge of discordant and often incompatible systems can very often have very real and troubling implications for patients.

  • How to make containers more secure

    CoreOS's Matthew Garrett talks about the security risks in containers and how he and others are working to mitigate such risks.

  • Docker Ramps Up Container Security

    Docker this week announced the rollout of security scanning technology to safeguard container content across the entire software supply chain.

  • Jenkins security patches could break plug-ins

    Popular open source automation server Jenkins has fixed multiple security vulnerabilities. The latest version changes how plug-ins use build parameters, though, so developers will need to adapt to the new process.

  • Security From Whom?

    To take advantage of the X11 protocol issues, you need to be able to speak X11 to the server. Assuming you haven’t misconfigured something (ssh or your file permissions) so other users’ software can talk to your server, that means causing you to run evil X11 protocol code like XEvilTeddy.

  • Convenience, security and freedom - can we pick all three?

    Moxie, the lead developer of the Signal secure communication application, recently blogged on the tradeoffs between providing a supportable federated service and providing a compelling application that gains significant adoption. There's a set of perfectly reasonable arguments around that that I don't want to rehash - regardless of feelings on the benefits of federation in general, there's certainly an increase in engineering cost in providing a stable intra-server protocol that still allows for addition of new features, and the person leading a project gets to make the decision about whether that's a valid tradeoff.

  • Announcing Certbot: EFF's Client for Let's Encrypt
  • Signal Return Orientated Programming attacks

    When a process is interrupted, the kernel suspends it and stores its state in a sigframe which is placed on the stack. The kernel then calls the appropriate signal handler code and after a sigreturn system call, reads the sigframe off the stack, restores state and resumes the process. However, by crafting a fake sigframe, we can trick the kernel into executing something else.

Linux can't keep you safe if you don't update it

Filed under
Linux
Security

At CoreOS Fest in Berlin, Greg Kroah-Hartman, Linux kernel developer and maintainer of the stable branch, talked about an inconvenient truth about Linux and security: vendors are notoriously bad about implementing patches.

For the last 15 years the kernel community has been following a rule to fix things as soon as possible. The Linux community fixes the bugs and pushes them out so that vendors can push them to their users.
