Security

FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux's SegmentSmack

Filed under
Security
BSD

Hard on the heels of the Linux kernel's packets-of-death attack dubbed SegmentSmack, a similar vulnerability has been disclosed and fixed in FreeBSD.

Attributed to SegmentSmack discoverer Juha-Matti Tilli of Aalto University in Finland, the FreeBSD TCP issue is related to how the operating system's networking stack reassembles segmented packets. Much in the same way Linux kernel versions 4.9 and higher can be brought down by bad network traffic, a sequence of maliciously crafted packets can also crash FreeBSD machines.

FreeBSD 10, 10.4, 11, 11.1, and 11.2 are affected, and the maintainers have released patches to mitigate the programming cockup. In the open-source operating system project's advisory for CVE-2018-6922 (Linux's SegmentSmack was assigned CVE-2018-5390), the problem was this week described as an “inefficient algorithm” involving a segment reassembly data structure.

Read more

Security: Windows Problems, FOSS Updates, UEFI Lockdown, Snapchat Source Code Leak

Filed under
Security
  • Ring 0 Army Knife (r0ak) Read, Write, and Debugging Execution Tool Released ahead of Black Hat USA 2018
  • iPhone Chip Manufacturing Halts as TSMC’s Network is Hit by WannaCry Variant Virus

    TSMC was forced to shut down its operations as many of its computer systems and manufacturing machines were caught in the grasp of a WannaCry variant ransomware, according to a statement it released. The company claims that its systems were not attacked remotely or locally, but the virus took its origin from when a supplier installed faulty software onto the company’s network without running a virus scan. The virus spread rapidly to over 10,000 of the company’s machines across its factories, heavily impacting the plants that cater to Apple’s chip production.

  • Security updates for Wednesday
  • US-CERT Warns of New Linux Kernel Vulnerability

    Denial-of-service attacks aren't just about external floods: A new US-CERT vulnerability note is a reminder that operating system kernel services can be used to effectively launch a DoS campaign against a system.

  • Good Lockdown vs. Bad

    The patch gave birth to an odd debate, but a familiar one by now. Matthew Garrett, ultimately the main proponent of the patch, kept defending it on technical grounds that Linus Torvalds felt were meaningless and dishonest, hiding a secret agenda that included helping companies like Microsoft lock users out of making changes to their own systems.

    Andy Lutomirski was another critic of Matthew's defense of the patch. The debate circled around and around, with Linus and Andy trying to get Matthew to admit the true motivation they believed he had and Matthew attempting to give solid reasons why the patch should go into the kernel. Things got ugly.

    James Morris initially accepted the patch, planning to send it up to Linus for inclusion, and Andy reviewed the code. Among his comments, Andy said the goal of the patch was not clearly stated. He said for the purpose of his code review he would assume the goal was to prevent the root user from either reading kernel memory or intentionally corrupting the kernel.

    But, he didn't think those were proper goals for a kernel, even a UEFI Secure Boot kernel. He said, "the kernel should try to get away from the idea that UEFI Secure Boot should imply annoying restrictions. It's really annoying and it's never been clear to me that it has a benefit." He singled out the idea of preventing the root user from accessing kernel memory as one of these annoying restrictions.

  • Snapchat Source Code Leaked and Posted to GitHub

    GitHub is often the go-to place for hackers or researchers to archive interesting code or data dumps. But sometimes affected companies do their best to remove exposed data from the code repository site.

    Earlier this year, Snap—the company behind social media network Snapchat—exposed some of the source code of the network’s iOS app, Snap confirmed to Motherboard on Tuesday. After someone archived that exposed code on GitHub, Snap told GitHub to remove the data with a copyright act request, Snap told Motherboard.

  • Snapchat’s Source Code Leaked Online, Archived on Github

    Hackers leave no chance of obtaining the source codes of popular apps as they aren’t public. However, in a recent incident, someone has archived Snapchat’s source code and posted it on Github.

    The incident was confirmed by the social networking app to Motherboard on Tuesday. The hackers got hold of the code after the app and exposed a portion of the source code of the network’s iOS app.

Security: Updates, Black Hat USA 2018, SegmentSmack

Filed under
Security
  • Security updates for Tuesday
  • Top 10 Talks to See at Black Hat USA 2018
  • Batten down the ports: Linux networking bug SegmentSmack could remotely crash systems

    A networking flaw has been discovered in the Linux kernel that could trigger a remote denial-of-service attack.

    Versions 4.9 and up are "vulnerable to denial-of-service conditions with low rates of specially crafted packets", according to a US CERT ADVISORY. The bug is being tracked as SegmentSmack (CVE-2018-5390).

    SegmentSmack – which sounds a bit like an American wrestler whose speciality is to close bouts just before an ad break – has prompted fixes for a wide variety of networking kit.

  • Ubuntu and Debian Stretch Receive Linux Kernel Security Update to Fix TCP Flaw

    Canonical and Debian Project released new Linux kernel security updates for their supported operating systems to address a critical vulnerability affecting the TCP implementation.

    Discovered and reported by security researcher Juha-Matti Tilli, the security flaw (CVE-2018-5390) could allow a remote attacker to cause a denial of service on affected machines by triggering worst-case code paths in Transmission Control Protocol (TCP) stream reassembly with low rates of malicious packets.

Kernel: Linux 4.18, New Flaw and Potential Back Door (Google/NSA)

Filed under
Linux
Google
Security
  • The Best Features Of The Linux 4.18 Kernel

    Following a one week delay, the Linux 4.18 kernel is set to be released this coming weekend. In case you forgot about the new features and improvements since the Linux 4.18 cycle kicked off back in June, here's a look back at some of the most prominent additions for this latest kernel version.

  • Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack

    Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit.

    The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

  • Speck Crypto Code Called For Removal From The Linux Kernel

    Now that Google will not be using the Speck crypto code for disk encryption on low-end Android devices but instead developing "HPolyC" as outlined in the aforelinked article, a plea has already been submitted to remove the current Speck code from the mainline Linux kernel.

    Following yesterday's mailing list announcement that Google has changed its mind on using Speck and instead investing in a new option, Linux developer Jason Donenfeld took the liberty of issuing a "request for comments" on removing the Speck crypto code. Donenfeld is the developer that's been working on WireGuard and the new Zinc crypto library.

Security Leftovers

Filed under
Security

How do I protect my OS with Linux security features?

Filed under
Linux
Security

The kernel space is the environment in which full and unlimited access to all the hardware and devices exists; other security systems don't apply in kernel space. Kernel layer access is limited to the root user, but the Linux root user is not an admin with a lot of permissions. The root user account has unlimited access to the kernel space and is secured with a very complex password.

Permissions determine how admins can access files, but they don't decide how admins can access the system. The Linux permission system only applies to IT administrators who are not the root user or end users.

Originally, there were just three permissions: read, write and execute. Administrators can apply these permissions to admin accounts, group owners and other users. However, computing needs have changed and rendered these permissions too limited, so Linux OS developers added a second set of permissions to address specific use cases. This set includes various combinations of the original read, write and execute permissions.
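The excerpt above mentions the original read/write/execute bits and the later "second set" of special bits. The following script is an added example, not code from the article: it builds a constructed scratch tree carrying setuid, setgid and sticky bits, and then runs the `find -perm` audits an administrator would use on a real system (in practice against `/`, compared with a known-good baseline).

```shell
#!/bin/sh
# Added example, not from the article: shows the original rwx bits next to the
# "second set" (setuid, setgid, sticky) on a constructed scratch directory, then
# runs the checks an administrator would use to audit them on a real system.

# Build a scratch tree with one entry per permission case (constructed input).
make_scratch() {
    dir=$(mktemp -d)
    printf 'x\n' > "$dir/plain";      chmod 0644 "$dir/plain"       # rw-r--r--
    printf 'x\n' > "$dir/setuid_bin"; chmod 4755 "$dir/setuid_bin"  # rwsr-xr-x
    printf 'x\n' > "$dir/setgid_bin"; chmod 2755 "$dir/setgid_bin"  # rwxr-sr-x
    mkdir "$dir/shared";              chmod 1777 "$dir/shared"      # rwxrwxrwt
    mkdir "$dir/open";                chmod 0777 "$dir/open"        # rwxrwxrwx
    printf '%s\n' "$dir"
}

# Regular files that run with the owner's (4000) or group's (2000) identity.
# On a real system, run this against / and compare with a known-good baseline.
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}
count_setuid_setgid() { find_setuid_setgid "$1" | wc -l | tr -d ' '; }

# World-writable directories without the sticky bit (1000): any user can
# delete or rename other users' files placed there.
find_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000
}
count_open_dirs() { find_open_dirs "$1" | wc -l | tr -d ' '; }

# World-writable directories that are protected by the sticky bit.
count_sticky_dirs() { find "$1" -type d -perm -1000 | wc -l | tr -d ' '; }

# Walk the scratch tree and show what each audit reports.
demo() {
    d=$(make_scratch)
    echo "setuid/setgid files:"
    find_setuid_setgid "$d" | while read -r f; do ls -ld "$f"; done
    echo "world-writable dirs without sticky bit:"
    find_open_dirs "$d"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh audit_perms.sh demo` to see the listing; the same `find` expressions work on GNU and BSD `find`.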

Read more

Security: Updates, Windows, Reproducible Builds and More

Filed under
Security
  • Security updates for Monday
  • Windows apps made on Linux hit by security fail

    Troublingly, CERT/CC doesn't know of a practical way to fix the missing relocations table bug, tagged as CVE-2018-5392.

    However, it has suggested a workaround whereby mingw-w64 can be "coerced" into outputting executables with the relocations table intact. The advisory explains how to implement the workaround.

    According to CERT/CC, the bug affects Ubuntu, Debian, Red Hat, SUSE Linux, Arch Linux, CentOS, and more. However, none of the vendors has released a statement about the bug or its fix. The vendors were notified in late July.

  • An 18-Year-Old Information Security Consultant Donates Earnings To Charity

    Mahatma Gandhi once said that “be the change you want to see in the world.” Giving back to the society is a good way of changing the world and making it a better place to live in.

    And, Sagar Bansal, who is an eighteen-year-old information security consultant from India, is trying to be the change he wants to see in the world: by giving back his earnings to support needy students in advancing their education.

  • Reproducible Builds: Weekly report #171
  • Open Source Collaborative Hopes to Make Reporting Security Bugs Safer for All

    Despite the overall increase in companies offering bug bounty rewards to those who find and report vulnerabilities, ethical security research can still be a bit of a legal minefield. For example, back in May 2018 it fell to Governor Nathan Deal of Georgia to veto a bill that would have made it difficult to do even basic, ethical cybersecurity research. In addition, there is little in the way of a coherent framework for reporting bugs, creating a wide disparity between companies on what constitutes legal disclosure. In some instances, this has led to a reluctance among some white hat hackers to disclose vulnerabilities they’ve discovered.

Researchers open source tools to identify Twitter bots at scale

Filed under
OSS
Security

Duo Security published technical research and methodology detailing how to identify automated Twitter accounts, known as bots, at a mass scale. Using machine learning algorithms to identify bot accounts across their dataset, Duo Labs researchers also unraveled a sophisticated cryptocurrency scam botnet consisting of at least 15,000 bots, and identified tactics used by malicious bots to appear legitimate and avoid detection, among other findings.

Read more

Also: Duo Security researchers’ Twitter ‘bot or not’ study unearths crypto botnet

Security: HP, Windows Malware, Ubuntu and Wi-Fi (WPA)

Filed under
Security
  • HP printer? Over 100 inkjet models have two critical bugs so patch now, warns HP

    Days after launching its printer bug bounty offering up to $10,000 for researchers to find "obscure defects" in its printers, HP has released two firmware fixes for two severe ink printer bugs.

    Hundreds of HP Inkjet printers are vulnerable to two critical remote code execution (RCE) vulnerabilities and need to be patched immediately, according to HP's Product Security Response Team (PSRT).

  • Staff dust off their typewriters after malware attack

    Sophisticated malware has taken down systems in at least two Alaskan municipalities in an attack that officials say is the worst they have ever seen. The Alaskan Borough of Matanuska-Susitna (Mat Su) and the City of Valdez have both been hit.

    At Mat Su, everything from email to the electronic door key swiping system was affected. The Borough first noticed infections in its endpoints on 17 July when an update to its antivirus software spotted a common Trojan banking program on Windows 7 machines (but not its Windows 10 computers).

    The software didn’t notice a range of other malware that the Trojan was infecting endpoints with. It was only a few days later that the Borough noticed issues with 60 of its 500 computers, information technology director Eric Wyatt told local radio reporters.

  • Ubuntu 16.04.5 LTS adds support for Spectre Variant 2 Mitigation for Pentium Silver N/J5xxx, Celeron N/J4xxx, Xeon E5/E7 v4 and Core i7-69xx/68xx
  • New wi-fi crack attack allows outsiders to snag user creds

    Researchers have accidentally discovered a new attack on the wi-fi protected access protocols used in wireless access points that makes it easier for outsiders to capture access credentials.

    The new attack captures the Pairwise Master Key Identifier (PMKID) and - according to the Hashcat password recovery utility developers that devised it - works against 802.11i/p/q/r networks with roaming functions enabled, which covers most modern routers.

    Hashcat developer Jens "Atom" Steube explained to iTnews that the biggest difference between the new method and prior WPA/WPA2 cracks is that an attacker no longer needs another user to be on the target network to capture credentials - "simply starting the authentication process will do".

Security: Killing Flash, Voting and Cisco

Filed under
Security
  • [Older] Senator calls on US Government to start killing Flash now

    Oregon senator Ron Wyden highlighted the issue this week with a letter he wrote to government agencies responsible for federal cybersecurity. In it, he called on the Department of Homeland Security (DHS), NSA, and NIST to work together to end the U.S. government’s use of Adobe Flash before it’s too late:

    [...]

    Wyden, backed by respected privacy researcher and activist Chris Soghoian who works as the senator’s senior advisor for privacy & cybersecurity, finished the letter by calling for the following three actions to be taken

  • The 8-year-olds hacking [sic] our voting machines

    The contest will include children, ages 8 to 16, who will be tasked with penetrating replicas of the websites that secretaries of state across the country use to publish election results. They’ll vie for $2,500 in prize money, $500 of which will come from the DNC and be awarded to the child who comes up with the best defensive strategy for states around the country.

    The eye-popping reason that the Democrats have turned to children to hack them? “State election sites are so deeply flawed, Braun says, no adult hackers would be interested in cracking them. ‘The hackers would laugh us off the stage if we asked them to do this.’”

  • Kids to try hacking [sic] US election systems in new DNC contest
  • Trump officials look to neutralize cyber threats in supply chain

    Supply chain security is an issue that has also been on the FCC's radar. In April, Republican FCC Commissioner Michael O’Rielly issued a notice of proposed rulemaking to crack down on security risks.

    His proposal would prohibit the use of Universal Service Fund money to purchase telecom equipment or services "identified as posing a national security risk to communications networks or the communications supply chain.”

  • The Evolution of Networking and Security: Cisco Announces Intent to Acquire Duo

More in Tux Machines

Keeping patient data safe with open source tools

Healthcare is experiencing a revolution. In a tightly regulated and ancient industry, the use of free and open source software makes it uniquely positioned to see a great deal of progress. I work at a scrappy healthcare startup where cost savings are a top priority. Our primary challenge is how to safely and efficiently manage personally identifying information (PII), like names, addresses, insurance information, etc., and personal health information (PHI), like the reason for a recent clinical visit, under the regulations of the Health Insurance Portability and Accountability Act of 1996, HIPAA, which became mandatory in the United States in 2003.

Read more

Security Leftovers

  • Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

    But according to Indian news outlet Dailypionneer.com, there was a second attack carried out on August 13, when the Cosmos Bank hackers transferred nearly $2 million to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong.

  • How to Protect Yourself Against a SIM Swap Attack

    A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon, threat research at security firm Flashpoint. “In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” she says.

    That’s because ultimately, the machinations behind SIM swaps are largely out of your control. [...]

  • Open Source Security Podcast: Episode 110 - Review of Black Hat, Defcon, and the effect of security policies
    Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can't foresee. We end with important information about pizza, bananas, and can openers.

YunoHost 3.0.0.1

At this point I have only set up YunoHost, created a few user accounts and installed a handful of applications. While I may play with it further, my main focus going into this trial was how well the framework of the distribution functions. That is: is it easy to install, how hard is it for new users to add services and accounts, and is it straightforward to keep the system up to date? Basically, I wanted to know whether I could give this distribution to someone who wanted to set up home-based network services for the first time and expect them to be able to use it. Based on my experiences so far with YunoHost, my answer is: probably.

The distribution does make it pretty easy to create user accounts and install web-based services. In fact, YunoHost does this quite well. The admin panel is very streamlined, uncluttered and easy to navigate and getting something like a game of Hextris or a media streaming service installed is about as easy as a few mouse clicks. Managing the firewall, monitoring the system and creating backups are nearly as easy. The administrator still needs to figure out how to get backup archives off the disk to another location for safekeeping, but the bulk of the work in backing up and restoring the operating system is done for us.

Where I feel the distribution runs into trouble is mostly little details, and a few general concepts. For example, asking the user to create an "admin" password but leaving the root password as the default is both likely to confuse people and leave a permanent security hole on the servers of most inexperienced hobbyist administrators. On the topic of accounts, it makes sense, from a security standpoint, to separate web accounts from system accounts. But, this means there may be some confusion as to why, once an account has been created, it cannot log into the system. Little concepts like this may throw new users and I don't feel these issues are well addressed by the documentation.

The first time through, the system installer failed during the partitioning section. It worked the second time though with the same settings, so I'm not sure if this is a semi-persistent bug or a one-time error with my system. On the whole, YunoHost performs well. It's light on resources, it offers a lot of common network services home administrators will probably want and it is pretty easy to run and maintain. There are a few little wrinkles in the experience, but in general I found the distribution to be straightforward to use. For people looking to set up a home server, this is probably a good platform on which to build.

Read more

Software: GIMP, Password Safe, and Podcasts

  • GIMP 2.10.6 Introduces Vertical Text, New Filters, and GIMP Extension Public Repo
    A brand-new point release for popular photo editing software GIMP has been released today, bringing GIMP to version 2.10.6 – this update doesn’t bring a whole load of significant features, but there are some great improvements and new functionalities. For starters, GIMP 2.10.6 finally introduces support for vertical text (top to bottom), which has been a highly requested feature particularly for East-Asian writing systems. Thus, users can now set text in mixed orientation (as is typical in East-Asian vertical writing) or upright orientation (more common for Western vertical writing), with right-to-left, as well as left-to-right columns.
  • Password Safe is a KeePass-Compatible Password Manager for Linux
    Password Safe is an open-source KeePass-compatible password manager for Linux, designed specifically for use on the GNOME desktop.
  • Linux users finally get a decent podcasts app called, well, ‘Podcasts’
    Podcasts are a hugely popular form of “infotainment” these days, with almost any and every niche you can think of catered for with a show or a segment. If you’re not enjoying the wealth of podcasts out there, you’re really missing out. Podcasts provide you with the experience of a radio show, covering a wide range of topics ranging from gospel to science fiction to music and everything in between. There are so many ways to enjoy your podcast. On mobile, popular apps such as PocketCast offer users a one-stop-shop for all the podcasts you can listen to. Many music streaming services like Apple Music and Spotify offer dedicated sections on Podcasts.