Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • DNS server attacks begin using BIND software flaw

    Attackers have started exploiting a flaw in the most widely used software for the DNS (Domain Name System), which translates domain names into IP addresses.

    Last week, a patch was issued for the denial-of-service flaw, which affects all versions of BIND 9, open-source software originally developed by the University of California at Berkeley in the 1980s.

  • Researchers Create First Firmware Worm That Attacks Macs

    The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t.

    It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.

Open Source Players Show Dedication To Heightening Security Measures

Filed under
OSS
Security

The Wall Street Journal recently reported that the Core Infrastructure Initiative, a group formed last year after the Heartbleed bug targeted vulnerabilities in OpenSSL encryption software, has invested $500,000 in three new projects aimed at improving the security of open source code. Participants in the Core Infrastructure Initiative include large corporations such as Microsoft, Facebook, and Cisco Systems; it is managed by the nonprofit Linux Foundation. This collaboration demonstrates a desire from both the open source community and technology leaders to preserve free and open standards while continuing to make security a top priority.

Read more

Antivirus Live CD 13.1-0.98.7 Uses ClamAV 0.98.7 to Protect Your PC Against Viruses

Filed under
Linux
Security

Zbigniew Konojacki, the creator of the independent 4MLinux GNU/Linux distribution, announced recently that version 13.1-0.98.7 of his Antivirus Live CD project is now available for download, based on the 4MLinux 13.1 series.

Read more

Canonical Closes SQLite Vulnerabilities in All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical has published details in a security notice about a number of SQLite vulnerabilities that have been found and fixed in Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS OSes.

Read more

Security Leftovers

Filed under
Security
  • Friday's security updates
  • These Researchers Just Hacked an Air-Gapped Computer Using a Simple Cellphone

    The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.

  • Fake Address Round Trip Time: 13 days

    Regular readers will have noticed that I've been running a small scale experiment over the last few months, feeding one spammer byproduct back to them via a reasonably accessible web page. The hope was that I would learn a few things about spammer behavior in the process.

Security Leftovers

Filed under
Security
  • The cyber-mechanics who protect your car from hackers

    “Most manufacturers know there is a problem and they’re working on solutions, but no-one will go public with it,” explains Martin Hunt, who works in automotive penetration testing for UK telecommunications firm BT.

  • US to rethink hacker tool export rules after mass freakout in security land

    Proposed changes to the US government's export controls on hacking tools will likely be scaled back following widespread criticism from the infosec community, a government spokesman has said.

    "A second iteration of this regulation will be promulgated," a spokesman for the US Department of Commerce told Reuters, "and you can infer from that that the first one will be withdrawn."

    The proposed restrictions are required by the Wassenaar Arrangement, a 41-nation pact that first came into effect in 1996 and which calls for limits on trade of "dual-use goods," meaning items that have both civilian and military applications.

    In 2013, the list of goods governed under the Arrangement was amended to include technologies used for testing, penetrating, and exploiting vulnerabilities in computer systems and networks.

  • Remote denial of service vulnerability exposes BIND servers

    BIND operators released new versions of the DNS protocol software overnight to patch a critical vulnerability which can be exploited for use in denial-of-service cyberattacks.

    Lead investigator Michael McNally from the Internet Systems Consortium (ISC) said in a security advisory the bug, CVE-2015-5477, is a critical issue which can allow hijackers to send malicious packets to knock out email systems, websites and other online services.

  • Botnet takedowns: are they worth it?

    The number of botnets has grown rapidly over the last decade. From Gameover Zeus leveraging encrypted peer-to-peer command and control servers, to Conflicker, infecting millions of computers across the world – botnets are continuing to infiltrate many internet-based services and causing mass disruption, and it's getting worse.

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Security updates for Wednesday
  • Security updates for Thursday
  • Small number of computer-aided rifles could be hacked in contrived scenario

    The internet is reeling today at the "news" that a rare make of computer-aided gunsight can under certain circumstances be hacked into, permitting a hacker to interfere with a suitably-equipped rifle's aim.

    The gunsight in question is the much-hyped but seldom purchased TrackingPoint kit, a system with a Linux machine at its heart which can be fitted to a range of different rifles.

    The TrackingPoint (details on its capabilities are at the end of this article) is mainly a curiosity. People who would be interested in it - experienced long-range marksmen - basically don't need it, and people who need it - those who have seldom or never fired a rifle - typically don't want it. And very few in either group can afford it.

  • Researchers Hack Linux-Powered, Self-Aiming Smart Rifle, Causing It To Change Targets
  • Remote code execution via serialized data

    Serialization and, more importantly, deserialization of data is unsafe due to the simple fact that the data being processed is trusted implicitly as being “correct.” So if you’re taking data such as program variables from a non trusted source you’re making it possible for an attacker to control program flow. Additionally many programming languages now support serialization of not just data (e.g. strings, arrays, etc.) but also of code objects. For example with Python pickle() you can actually serialize user defined classes, you can take a section of code, ship it to a remote system, and it is executed there.

  • To exec or transition that is the question...
  • CIL – Part1: Faster SELinux policy (re)build
  • FCC Rules Block use of Open Source

    The United States Federal Communications Commission (FCC) has introduced ‘software security requirements’ obliging WiFi device manufacturers to “ensure that only properly authenticated software is loaded and operating the device”. The document specifically calls out the DD-WRT open source router project, but clearly also applies to other popular distributions such as OpenWRT. This could become an early battle in ‘The war on general purpose computing’ as many smartphones and Internet of Things devices contain WiFi router capabilities that would be covered by the same rules.

  • Hacked Jeep Cherokee Exposes Weak Underbelly of High-Tech Cars

    The Jeep Cherokee brought to a halt by hackers last week exposed wireless networks as the weakest link in high-tech vehicles, underscoring the need to find fast over-the-air fixes to block malicious intrusions.

    Features that buyers now expect in most modern automobiles, such as driving directions and restaurant guides, count on a constant connection to a telecommunications network. But that link also makes cars vulnerable to security invasions like those that threaten computers in homes and businesses.

Linux-powered smart sniper rifle can be hacked

Filed under
Linux
Security

Two years ago, TrackingPoint burst on to the scene with a Linux-powered smart sniper rifle that took the guesswork out of killshots. Now, however, a pair of hackers have figured out how to make it miss every single time.

Read more

Security Leftovers

Filed under
Security
  • Secure Server Deployments in Hostile Territory, Part II

    There are a few other general security practices I put in place. First, as I mentioned before, because each host has a certificate signed by an internal trusted CA for Puppet, we take advantage of those certs to require TLS for all network communications between hosts. Given that you are sharing a network with other EC2 hosts, you want to make sure nobody can read your traffic as it goes over this network. In addition, the use of TLS helps us avoid man-in-the-middle attacks.

  • Hackers Can Disable a Sniper Rifle—Or Change Its Target

    At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

  • Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

    Yosemite, aka version 10.10, is the latest stable release of the Mac operating system, so a lot of people are affected by this vulnerability. The security bug can be exploited by a logged-in attacker or malware on the computer to gain total unauthorized control of the Mac. It is documented here by iOS and OS X guru Stefan Esser.

    It's all possible thanks to an environment variable called DYLD_PRINT_TO_FILE that was added in Yosemite. It specifies where in the file system a component of the operating system called the dynamic linker can log error messages.

    If the environment variable is abused with a privileged program, an attacker can modify arbitrary files owned by the powerful user account root – files like the one that lists user accounts that are allowed administrator privileges.

Samsung docs detail Linux TRIM bug and fix

Filed under
Linux
Security

We've been covering a report from search provider Algolia pointing out a potential issue in Samsung SSDs' TRIM implementation. More recently, Samsung itself reported that the bug actually resides in the Linux kernel, and that the company had submitted a patch for the problem.

Now, we have more details of the bug. Samsung has provided us with internal documents detailing the exact cause of the issue, and the subsequent solution. We're geting a bit technical here, so we'll take some liberty to simplify. When Linux's RAID implementation receives a sequence of read or write operations, it creates separate buffers in memory for each of them.

Read more

Syndicate content

More in Tux Machines

Kernel Space: Linux, Graphics

  • Linux kernel bug delivers corrupt TCP/IP data to Mesos, Kubernetes, Docker containers
    The Linux Kernel has a bug that causes containers that use veth devices for network routing (such as Docker on IPv6, Kubernetes, Google Container Engine, and Mesos) to not check TCP checksums. This results in applications incorrectly receiving corrupt data in a number of situations, such as with bad networking hardware. The bug dates back at least three years and is present in kernels as far back as we’ve tested. Our patch has been reviewed and accepted into the kernel, and is currently being backported to -stable releases back to 3.14 in different distributions (such as Suse, and Canonical). If you use containers in your setup, I recommend you apply this patch or deploy a kernel with this patch when it becomes available. Note: Docker’s default NAT networking is not affected and, in practice, Google Container Engine is likely protected from hardware errors by its virtualized network.
  • Performance problems
    Just over a year ago I implemented an optimization to the SPI core code in Linux that avoids some needless context switches to a worker thread in the main data path that most clients use. This was really nice, it was simple to do but saved a bunch of work for most drivers using SPI and made things noticeably faster. The code got merged in v4.0 and that was that, I kept on kicking a few more ideas for optimizations in this area around but that was that until the past month.
  • Compute Shader Code Begins Landing For Gallium3D
    Samuel Pitoiset began pushing his Gallium3D Mesa state tracker changes this morning for supporting compute shaders via the GL_ARB_compute_shader extension. Before getting too excited, the hardware drivers haven't yet implemented the support. It was back in December that core Mesa received its treatment for compute shader support and came with Intel's i965 driver implementing CS.
  • Libav Finally Lands VDPAU Support For Accelerated HEVC Decoding
    While FFmpeg has offered hardware-accelerated HEVC decoding using NVIDIA's VDPAU API since last summer, this support for the FFmpeg-forked libav landed just today. In June was when FFmpeg added support to its libavcodec for handling HEVC/H.265 video decoding via NVIDIA's Video Decode and Presentation API for Unix interface. Around that same time, developer Philip Langdale who had done the FFmpeg patch, also submitted the patch for Libav for decoding HEVC content through VDPAU where supported.

Unixstickers, Linux goes to Washington, Why Linux?

  • Unixstickers sent me a package!
    There's an old, popular saying, beware geeks bearing gifts. But in this case, I was pleased to see an email in my inbox, from unixstickers.com, asking me if I was interested in reviewing their products. I said ye, and a quick few days later, there was a surprise courier-delivered envelope waiting for me in the post. Coincidentally - or not - the whole thing happened close enough to the 2015 end-of-the-year holidays to classify as poetic justice. On a slightly more serious note, Unixstickers is a company shipping T-shirts, hoodies, mugs, posters, pins, and stickers to UNIX and Linux aficionados worldwide. Having been identified one and acquired on the company's PR radar, I am now doing a first-of-a-kind Dedoimedo non-technical technical review of merchandise related to our favorite software. So not sure how it's gonna work out, but let's see.
  • Linux goes to Washington: How the White House/Linux Foundation collaboration will work
    No doubt by now you've heard about the Obama Administration's newly announced Cybersecurity National Action Plan (CNAP). You can read more about it on CIO.com here and here. But what you may not know is that the White House is actively working with the Linux and open source community for CNAP. In a blog post Jim Zemlin, the executive director of the Linux Foundation said, “In the proposal, the White House announced collaboration with The Linux Foundation’s Core Infrastructure Initiative (CII) to better secure Internet 'utilities' such as open-source software, protocols and standards.”
  • Why Linux?
    Linux may inspire you to think of coders hunched over their desks (that are littered with Mountain Dew cans) while looking at lines of codes, faintly lit by the yellow glow of old CRT monitors. Maybe Linux sounds like some kind of a wild cat and you have never heard the term before. Maybe you have use it every day. It is an operating system loved by a few and misrepresented to many.

RebeccaBlackOS 2016-02-08 Review. Why? Because it’s Friday.

These are the types of problems found in an independent distro build from scratch. I cannot understand how a system built on Debian could be this buggy and apparently have zero VM support which Debian comes with by default. I can take some solace in the fact that it was built by one person and that one person is a Rebecca Black fan but as far as a Linux Distribution is concerned there is not much here. Some could say “Well its not supposed to be taken as a serious Distribution.” True except it is listed and kept up with on DistroWatch therefor it should be held as a system ready distribution especially when it was not released as a beta or an RC. If this distribution is ever going to be considered a real platform it has a long way to go. I give it about as many thumbs down as the Rebecca Black Friday video. Read more

Android More Leftovers