Security

Security News

Filed under
Linux
Security
  • Security advisories for Wednesday
  • 10 basic linux security measures everyone should be doing

    Akin to locking your doors and closing your windows there’s some really basic things everyone should be doing with their Linux installs (This is of course written from a Fedora viewpoint, but I think this pretty much applies to all computer OSes).

  • Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers

    Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that at scale -- we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.

    Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.

  • EFF Asks Court to Block U.S. From Prosecuting Security Researcher For Detecting and Publishing Computer Vulnerabilities

    The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.

    Green is writing a book about methods of security research to recognize vulnerabilities in computer systems. This important work helps keep everyone safer by finding weaknesses in computer code running devices critical to our lives—electronic devices, cars, medical record systems, credit card processing, and ATM transactions. Green’s aim is to publish research that can be used to build more secure software.

  • Malta unveils Cyber Security Strategy

    The government of Malta has unveiled a National Cyber Security Strategy. The strategy provides the legal context to defend the country’s computer networks infrastructure and its users from threats.

  • Mirai “internet of things” malware from Krebs DDoS attack goes open source

    Last week, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.

    To explain.

    A DDoS attack is an aggressive sort of DoS attack, where DoS is short for denial of service.

    A DoS is a bit like getting into the queue at the station to buy a ticket for the next train, only to have a time-waster squeeze in front of you and slow you down.

    By the time the miscreant has asked, innocently enough, about the different sorts of ticket available, and whether it costs extra to take a bicycle, and how much longer it would take if he were to change trains in Manchester, only to walk off without buying a ticket at all…

    …you’ve watched your train arrive, load up with passengers, and depart without you.

    A DDoS attack is worse: it’s short for distributed denial of service attack, and it’s much the same thing as a DoS, except that the trouble-stirrer doesn’t show up on his own.

  • Linux systems susceptible to crashes from tweet sized command
  • Linux 4.8 Debuts - But Maybe It Shouldn't Have

    The Linux 4.8.0 kernel was officially released on October 2, becoming the fifth kernel release so far in 2016. The Linux 4.7 kernel was released on July 24.

    As opposed to all the other kernel releases this year (and in fact in contrast to all kernel releases since 2.6) Torvalds really wasn't happy about this one, though the source of his displeasure didn't become apparent until after the release.

    "So the last week was really quiet, which maybe means that I could probably just have skipped rc8 after all," Torvalds wrote in his Linux 4.8 release announcement. "Oh well, no real harm done."

    A day later on October 3, Torvalds admits that he shouldn't have merged a late set of updates from kernel developer Andrew Morton.

Security News

Filed under
Linux
OSS
Security

Study: open source groups take security serious

Filed under
OSS
Security

The IT security practices of some open source communities are exemplary, shows a study for the European Commission and European Parliament. Many communities use experts to ensure software security and to help their developers avoid security flaws. “These communities take security serious”, says Alberto Dominguez Serra, one of the authors working for Everis, an IT consultancy.

Nextcloud 10.0.1 Maintenance Release Improves the Updater, Patches Over 40 Bugs

Filed under
OSS
Security

The Nextcloud developers have recently released the first maintenance update to the Nextcloud 10 series of the open-source and cross-platform self-hosting cloud server forked from ownCloud.

Microsoft Malware and Spyware, GNU/Linux Routers

Filed under
GNU
Linux
Microsoft
Security
  • ‘We’re From Microsoft and We’ve Been Remotely Watching Your Computer’

    We are going into our third year of living in the Gardens of Taylor. When you come off of the city street and onto this property, you can sometimes get a creepy feeling, like this is familiar in an unpleasant sort of way. It can feel like you’ve just stepped into Stepford Village. Every yard has been manicured to match the ones on either side of it. The edging along all driveways and sidewalks is a perfect two inches across and if a weed or mushroom happens to grow within that etched space, it is gone the next time you look for it.

    Stuff like that just vanishes. Spooky like.

    Fact is, the property manager pays the lawn service to make a drive through every other day in order to take care of any anomalies. Once I got used to it, I became comfortable with living here, being that it’s for people with physical disabilities and age 55 or over.

    On moving-in day, we hadn’t been there an hour before people began to take notice of us from across the street. They would stop just long enough to pretend they weren’t checking us out, then they would be on their way. Some even stopped to help.

    [...]

    Now Claude and Jane both run Linux. Their money is safe, and if anyone calls giving them instructions how to get a virus off of their Windows’ computer, they just laugh and hang up, but not before telling them they run Linux.

    There will come a day, maybe sooner than any of us think, when a scam like this might actually work on a Linux machine. In the past two years we’ve seen stories of Linux servers being compromised, and there is constant news that this or that piece of malicious code might be making its way to Linux computers soon.

    Being prudent, I run both Avast for day-to-day stuff and various Clam iterations for biweekly sweeps for rootkits. I exchange a lot of Windows stuff with my Reglue kids, so that’s only smart. Not that I expect anything to go south in the near future. Everything I’ve seen coming down the Linux pike demands hands-on the target computer to inject the badware.

    Here’s a Helios Helpful Hint: Don’t let someone you don’t know have access to your computer, sans the repair guy.

    However I do believe in preparedness. Jane’s Linux Mint install runs the same security as mine and I administrate it remotely (from home). I’ll get Claude up to speed on Wednesday.

    How long ago was it that many of us gave up on the “disconnected generation?” For a while I didn’t work with people who were so set in their ways that they bucked any suggestion of having to learn something new. And honest-to-goodness, a lady in the neighborhood asked me to make her computer the same way it was when she bought it. That would be the Windows Vista release. Sigh.

    “No ma’am. Not for any amount of money. Sorry.”

    I’m not into any more stress than necessary these days.

    Vista? Really?

  • Security Design: Stop Trying to Fix the User

    Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

    Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

  • Security Design: Stop Trying to Fix the User [It says (scroll down) "Getting a virus simply by opening an email was an urban legend, a technically impossible but scary sounding thing to frighten normies with, as late as the 90s. ...Microsoft made that myth real with the first release of Outlook"]
  • A tiny PC as a router

    We needed a router and wifi access point in the office, and simultaneously both I and my co-worker Ivan needed such a thing at our respective homes. After some discussion, and after reading articles in Ars Technica about building PCs to act as routers, we decided to do just that.

    The PC solution seems to offer better performance, but this is actually not a major reason for us.

    We want to have systems we understand and can hack. A standard x86 PC running Debian sounds ideal to use.

    Why not a cheap commercial router? They tend to be opaque and mysterious, and can't be managed with standard tooling such as Ansible. They may or may not have good security support. Also, they may or may not have sufficient functionality to be nice things, such as DNS for local machines, or the full power of iptables for firewalling.

    Why not OpenWRT? Some models of commercial routers are supported by OpenWRT. Finding good hardware that is also supported by OpenWRT is a task in itself, and not the kind of task I especially like to do. Even if one goes this route, the environment isn't quite a standard Linux system, because of various hardware limitations. (OpenWRT is a worthy project, just not our preference.)

Systemd is not Magic Security Dust

Filed under
Linux
Security

Systemd maintainer David Strauss has published a response to my blog post about systemd. The first part of his post is replete with ad hominem fallacies, strawmen, and factual errors. Ironically, in the same breath that he attacks me for not understanding the issues around threads and umasks, he betrays an ignorance of how the very project which he works on uses threads and umasks. This doesn't deserve a response beyond what I've called out on Twitter.

In the second part of his blog post, Strauss argues that systemd improves security by making it easy to apply hardening techniques to the network services which he calls the "keepers of data attackers want." According to Strauss, I'm "fighting one of the most powerful tools we have to harden the front lines against the real attacks we see every day." Although systemd does make it easy to restrict the privileges of services, Strauss vastly overstates the value of these features.

Why health implants should have open source code

Filed under
OSS
Security

As medical implants become more common, sophisticated and versatile, understanding the code that runs them is vital. A pacemaker or insulin-releasing implant can be lifesaving, but they are also vulnerable not just to malicious attacks, but also to faulty code.

For commercial reasons, companies have been reluctant to open up their code to researchers. But with lives at stake, we need to be allowed to take a peek under the hood.

Over the past few years several researchers have revealed lethal vulnerabilities in the code that runs some medical implants. The late Barnaby Jack, for example, showed that pacemakers could be “hacked” to deliver lethal electric shocks. Jay Radcliffe demonstrated a way of wirelessly making an implanted insulin pump deliver a lethal dose of insulin.

But “bugs” in the code are also an issue. Researcher Marie Moe recently discovered this first-hand, when her Implantable Cardioverter Defibrillator (ICD) unexpectedly went into “safe mode”. This caused her heart rate to drop by half, with drastic consequences.

Also: Hack Crashes Linux Distros with 48 Characters of Code

Hardware Firewall: Choosing the Right Firewall Distribution

Filed under
GNU
Linux
Security

Over the years I've bought some less than impressive consumer routers, so these days I run my own self-built hardware firewall appliance. Surprisingly, deciding on which option was best for my needs was not as easy as I had hoped.

Building a hardware firewall requires you to decide on the hardware your firewall/router computer operating system will be installed on. Like myself, some people might use an old PC. Others might decide to install their selected firewall operating system onto a rack mount server. However one decides to do this, the completed act of installing this OS onto the dedicated hardware creates a dedicated hardware firewall.

And unlike a software firewall, hardware firewalls serve a single dedicated purpose – to act as a gateway appliance for your network. Having had experience with three popular firewall operating systems in the past, I found that choosing the "right one" is a matter of perspective.

In this article, I'm going to share my experience and overall impressions about those three different firewall solutions. Some of these are highly advanced while others are incredibly easy to use. Each of these solutions share something that I feel good about sharing with my readers. All of the firewalls are easily downloadable without any annoying sign-up pages (I'm looking at you, Sophos).

Security News

Filed under
Security
  • Security updates for Monday
  • Impossible is impossible!

    Sometimes when you plan for a security event, it would be expected that the thing you're doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I'm here to tell you it's impossible to make something impossible.

    As you think about that statement for a bit, let me explain what's happening here, and how we're going to tie this back to security, business needs, and some common sense. We've all heard of the 80/20 rule, one of the forms is that the last 20% of the features are 80% of the cost. It's a bit more nuanced than that if you really think about it. If your goal is impossible it would be more accurate to say 1% of the features are 2000% of the cost. What's really being described here is a curve that looks like this

  • What is the spc_t container type, and why didn't we just run as unconfined_t?

    If you are on an SELinux system, and run docker with SELinux separation turned off, the containers will run with the spc_t type.

  • The importance of paying attention in building community trust

    Trust is important in any kind of interpersonal relationship. It's inevitable that there will be cases where something you do will irritate or upset others, even if only to a small degree. Handling small cases well helps build trust that you will do the right thing in more significant cases, whereas ignoring things that seem fairly insignificant (or saying that you'll do something about them and then failing to do so) suggests that you'll also fail when there's a major problem. Getting the small details right is a major part of creating the impression that you'll deal with significant challenges in a responsible and considerate way.

    This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?

More in Tux Machines

SUSE Leftovers

  • OBS got the power!
    One year after introducing a new kind of Open Build Service worker machines, the “lambkins”, the openSUSE Build Service got a big hardware refresh. The new machines, sponsored by SUSE, are equipped with 2,8GHz AMD Opteron Processors (6348), 256 GB RAM, and one 120 GB SSD. Four of them are located in a chassis with a height of 2 units and run 12-16 workers on them (virtual machines, that are building packages). That new build power allowed us to remove some of old machines from the pool. The unified hardware makes the management of the machines a lot easier now, even if there are still the most powerful old machines left.
  • openSUSE Heroes December meeting – final results
    While we had some fun and good food and drinks, we also managed to discuss a lot during the three days in the Nuremberg headquarter. This was needed because this was the first time that the Heroes came together in their current form. In the end, we managed to do no coding and even (nearly) no administration – but instead we started to discuss our (internal and external) policies and work flows – and did some decisions regarding the next steps and the future of the openSUSE infrastructure.
  • New and improved Inqlude web site
    During last year's Summer of Code I had the honor of mentoring Nanduni Indeewaree Nimalsiri. She worked on Inqlude, the comprehensive archive of third party Qt libraries, improving the tooling to create a better structured web site with additional features such as categorization by topic. She did an excellent job with it and all of her code ended up on the master branch. But we hadn't yet made the switch to change the default layout of the web site to fully take advantage of all her work. As part of SUSE's 15th Hack Week, which is taking place this week, I took some time to change that, put up some finishing touches, and switch the Inqlude web site to the new layout. So here we are. I proudly present the new improved home page of Inqlude.

Benchmarks Of Ubuntu 17.04 Beta vs. Antergos, Clear Linux, openSUSE Tumbleweed

For those curious how Ubuntu 17.04 is shaping up, considering this week was the "beta" release for participating flavors, I decided to take a fresh Ubuntu 17.04 x86_64 daily ISO and see how its performance compares to Ubuntu 17.10, Clear Linux 13600, Antergos 17.2, and openSUSE Tumbleweed. Read more

DebianDog Is a Useful Pocket Pup

The earlier versions of DebianDog work flawlessly, but the latest release seems to suffer from some work-in-progress flaws. I had very little trouble running the default software as-is. When I changed system settings or configured applications a certain way, those changes either did not work or were accompanied by a variety of glitches. I also had some trouble getting the persistent memory options to work. A related problem was setting up the personal save storage file. These issues cropped up or did not appear at all, depending on the hardware I was using. I used the same boot CD and bootable DVD drive on all of my test computers. DebianDog Linux is a good alternative for Linux users looking for something different. It is a very good OS choice if you work on multiple computers or travel around to various work locations and want all your work files on the same OS configuration that you carry in your pocket. DebianDog can be a very workable alternative to lugging a laptop around. Read more
