Security

That's random: OpenBSD adds more kernel security


OpenBSD has a new security feature designed to harden it against kernel-level buffer overruns, the "KARL" (kernel address randomised link).

The changes are described in this note to an OpenBSD developer list penned by founder and lead developer Theo de Raadt.


Security Leftovers: Security in Medicine, WannaCry, Let’s Encrypt, Rooting a Printer


Security Leftovers: Updates, 'Clouds', Cars, Erebus

  • Security updates for Friday
  • The 2 cloud security myths that must die
  • Open source security challenges in cars

    A revolution is underway in the automotive industry. The car is no longer simply a means of getting from here to there. Today’s car reaches out for music streamed from the cloud, allows hands-free phone calls, and provides real-time traffic information and personalised roadside assistance.

    Almost every modern automobile feature — speed monitoring, fuel efficiency tracking, anti-lock braking, traction and skid-control — is now digitised to provide drivers with easier, safer operation and better information.

  • Erebus Ransomware Targets Linux Servers

    The IT security researchers at Trend Micro recently discovered malware that has the potential to infect Linux-based servers. The malware, called Erebus, has been responsible for hijacking 153 Linux-based networks of a South Korean web-hosting company called NAYANA.

    [...]

    Once the user clicked on those ads, the ransomware would activate in the usual way.

Enhancing the security of the OS with cryptography changes in Red Hat Enterprise Linux 7.4


Today we see more and more attacks on operating systems taking advantage of various technologies, including obsolete cryptographic algorithms and protocols. As such, it is important for an operating system not only to carefully evaluate the new technologies that get introduced, but to also provide a process for phasing out technologies that are no longer relevant. Technologies with no practical use today increase the attack surface of the operating system and more specifically, in the cryptography field, introduce risks such as untrustworthy communication channels, when algorithms and protocols are being used after their useful lifetime.


Security Leftovers: CherryBlossom, Security Tips, Travel With Keys, Windows Malware in Electricity Systems, PGP Lapse

  • The CIA has lots of ways to hack your router

    According to new documents published by WikiLeaks, the CIA has been building and maintaining a host of tools to do just that. This morning, the group published new documents describing a program called Cherry Blossom, which uses a modified version of a given router’s firmware to turn it into a surveillance tool. Once in place, Cherry Blossom lets a remote agent monitor the target’s internet traffic, scan for useful information like passwords, and even redirect the target to a desired website.

  • Advanced CIA firmware has been infecting Wi-Fi routers for years

    Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

    CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

  • 3 security tips for software developers

    Every developer knows the importance of following best security practices. But too often we cut corners, maybe because we have to work hard until those security practices sink in. Unfortunately, that usually takes something like seeing a security malpractice that's so bad it gets marked in indelible ink in our brains.

    I've seen a lot of instances of poor security practices during my career as a sysadmin, but the three I'm going to describe here are basic things that every software developer should avoid. It's important to note that I've seen every single one of these errors committed by large companies and experienced developers, so you can't chalk these mistakes up to novice junior engineers.

  • Travel (Linux) laptop setup

    I understand that this is way too paranoid for most people (and not nearly paranoid enough for some others -- as I like to say, IT security is just like driving on the highway in the sense that anyone going slower than you is an idiot, and anyone going faster is clearly a maniac). Whether this guide is of any use to you is entirely your call, but I hope I gave you some good ideas to help secure your digital life next time you are away from the comfort of your home or office.

  • Potent malware targets electricity systems

    "In that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia."

    In addition, it said, the malware could be adapted "with a small amount of tailoring" to render it potent against the North American power grid.

    It said that the malware can be applied to work at several electricity substations at the same time, giving it the power to create a widespread power shutdown that could last for hours and potentially days.

  • KMail’s ‘Send Later’ caused PGP encrypted private emails to be sent in plain-text

    I recently discovered the security vulnerability CVE-2017-9604 in the KDE Project’s KMail email client. This vulnerability led KMail to not encrypt email messages scheduled to be sent with a delay, even when KMail gave every indication that the email contents would be encrypted using OpenPGP.

IPFire 2.19 Linux Firewall Gets WPA Enterprise Authentication in Client Mode


Michael Tremer from the IPFire Project announced the availability of a new stable update for the IPFire 2.19 series of the open-source Linux-based firewall distribution.

IPFire 2.19 Core Update 111 is now live and it appears to be a major update adding quite a large number of new features to the firewall, along with dozens of up-to-date components. The biggest change, however, seems to be the ability for IPFire to authenticate itself with an EAP (Extensible Authentication Protocol)-enabled wireless network, supporting both TTLS and PEAP methods.


Security Leftovers: CyberSecurity, Cryptocoin, and SMB


Security Leftovers: Microsoft PowerShell Threat, DevSecOps, Botnets, USB, and Death of Microsoft's Docs.com

  • Fileless malware attack against US restaurants went undetected by most AV [Ed: Microsoft PowerShell leaves restaurants open to attacks]
  • DevSecOps is Not a Security Panacea

    Many development teams view security as an impediment to agility and innovation, but efforts over the past few years have tried to integrate security controls and testing directly into DevOps workflows without sacrificing development speed and deployment flexibility.

    Known as DevSecOps, this marriage between security and agile development aims to implement core security tasks like event monitoring, patch management, privilege control and vulnerability assessment directly into DevOps processes. This includes dynamic and static vulnerability testing at all levels of the development cycle, so that major flaws can be discovered early on, before the code makes it into production.

  • Commerce Seeks Input on Fighting Botnets

    The Commerce Department is asking for public input on what the government should do to combat cyberattacks launched by armies of infected computers.

  • How to use Linux's built-in USB attack protection

    There are USB sticks that will destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks infected with malware. Last, but never least, when it comes to stealing data from a computer, you can't beat a USB stick. There are devices like the USG USB stick firewall, which can protect you, or if you're a Linux user, you can always stop attackers armed with USB sticks with USBGuard.

  • [Older] Patches Available for Linux Sudo Vulnerability
  • Lack of Experience May Plague IoT Security Startups [Ed: An even worse culprit is intelligence agencies intentionally weakening software/libraries for back door access (remote domination)]
  • Microsoft kills off Docs.com in favour of LinkedIn SlideShare

    Docs.com, which originally began as a collaboration between Microsoft and Facebook to provide a service similar to Google Docs, is being closed in favour of SlideShare, a service that Microsoft acquired along with its purchase of LinkedIn.

GNU/Linux Prevents Back Doors, Microsoft Patches Some


More in Tux Machines

Red Hat: OpenStack and Financial News

Security: Google and Morgan Marquis-Boire

  • Google: 25 per cent of black market passwords can access accounts

    The researchers used Google's proprietary data to see whether or not stolen passwords could be used to gain access to user accounts, and found that an estimated 25 per cent of the stolen credentials can successfully be used by cyber crooks to gain access to functioning Google accounts.

  • Data breaches, phishing, or malware? Understanding the risks of stolen credentials

    Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim's Google account.

  • Infosec star accused of sexual assault booted from professional affiliations

    A well-known computer security researcher, Morgan Marquis-Boire, has been publicly accused of sexual assault. On Sunday, The Verge published a report saying that it had spoken with 10 women across North America and Marquis-Boire's home country of New Zealand who say that they were assaulted by him in episodes going back years. A woman that The Verge gave the pseudonym "Lila," provided The Verge with "both a chat log and a PGP signed and encrypted e-mail from Morgan Marquis-Boire. In the e-mail, he apologizes at great length for a terrible but unspecified wrong. And in the chat log, he explicitly confesses to raping and beating her in the hotel room in Toronto, and also confesses to raping multiple women in New Zealand and Australia."

Review: Fedora 27 Workstation

On the whole there are several things to like about Fedora 27. The operating system was stable during my trial and I like that there are several session options, depending on whether we want to use Wayland or the X display server or even a more traditional-looking version of GNOME. I am happy to see Wayland is coming along to the point where it is close to on par with the X session. There are some corner cases to address, but GNOME on Wayland has improved a lot in the past year. I like the new LibreOffice feature which lets us sign and verify documents and I like GNOME's new settings panel. These are all small, but notable steps forward for GNOME, LibreOffice and Fedora.

Most of the complaints I had this week had more to do with GNOME specifically than Fedora as an operating system. GNOME on Fedora is sluggish on my systems, both on the desktop computer and in VirtualBox, especially the Wayland session. This surprised me as when I ran GNOME's Wayland session on Ubuntu last month, the desktop performed quite a bit better. Ubuntu's GNOME on Wayland session was smooth and responsive, but Fedora's was too slow for me to use comfortably and I switched over to using the X session for most of my trial.

Two other big differences I felt keenly between Ubuntu and Fedora were with regards to how these two leading projects set up GNOME. On Ubuntu we have a dock that acts as a task switcher, making it a suitable environment for multitasking. Fedora's GNOME has no equivalent. This means Fedora's GNOME is okay for running one or two programs at a time, but I tend to run eight or nine applications at any given moment. This becomes very awkward when using Fedora's default GNOME configuration as it is hard to switch between open windows quickly, at least without installing an extension. In a similar vein, Ubuntu's GNOME has window control buttons and Fedora's version does not, which again adds a few steps to what are usually very simple, quick actions.

What it comes down to is I feel like Ubuntu takes GNOME and turns it into a full featured desktop environment, while Fedora provides us with just plain GNOME which feels more like a framework for a desktop we can then shape with extensions rather than a complete desktop environment. In fact, I think that describes Fedora's approach in general - the distribution feels more like a collection of open source utilities rather than an integrated whole. Earlier I mentioned LibreOffice can work with signed documents, but Fedora has no key manager, meaning we need to find and download one. Fedora ships with Totem, which is a fine video player, but it doesn't work with Wayland, making it an odd default choice. These little gaps or missed connections show up occasionally and it sets the distribution apart from other projects like openSUSE or Linux Mint where there is a stronger sense the pieces of the operating system working together with a unified vision.

The big puzzle for me this week was with software updates. Linux effectively solved updating software and being able to keep running without a pause, reboot or lock-up decades ago. Other mainstream distributions have fast updates - some even have atomic, on-line updates. openSUSE has software snapshots through the file system, Ubuntu has live kernel updates that do away with rebooting entirely and NixOS has atomic, versioned updates via the package manager, to name just three examples. But Fedora has taken a big step backward in making updates require an immediate reboot, and taking an unusually long time to complete the update process, neither of which benefits the user.

Fedora has some interesting features and I like that it showcases new technologies. It's a good place to see what new items are going to be landing in other projects next year. However, Fedora feels more and more like a testing ground for developers and less like a polished experience for people to use as their day-to-day operating system.

6 Reasons Why Linux is Better than Windows For Servers

A server is computer software or a machine that offers services to other programs or devices, referred to as “clients”. There are different types of servers: web servers, database servers, application servers, cloud computing servers, file servers, mail servers, DNS servers and much more. The usage share for Unix-like operating systems has over the years greatly improved, predominantly on servers, with Linux distributions at the forefront. Today a bigger percentage of servers on the Internet and data centers around the world are running a Linux-based operating system.

Also: All the supercomputers in the world moved to Linux operating systems