Security

OpenSSH 7.6 and FreeBSD 10.4

Filed under
Software
Security
BSD

Security: Updates, Reproducible Builds, Dnsmasq, Leaks, Kaspersky, and Linux LTS

Filed under
Security

Security: Dnsmasq, Other Updates, Equifax Breach, and US DDoS

Filed under
Security

Security: Behind the Masq, CVE-2017-1000253

Filed under
Security
  • Behind the Masq: Yet more DNS, and DHCP, vulnerabilities

    Our team has previously posted about DNS vulnerabilities and exploits. Lately, we’ve been busy reviewing the security of another DNS software package: Dnsmasq. We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake.

    Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks.

  • Serious Linux kernel security bug fixed

    Sometimes old fixed bugs come back to bite us. That's the case with CVE-2017-1000253, a Local Privilege Escalation Linux kernel bug.

Debian and Tails: Development Reports and Tails 3.2

Filed under
Security
Debian
  • Monthly FLOSS activity - 2017/09 edition
  • Free Software Efforts (2017W39)

    Here’s my weekly report for week 39 of 2017. In this week I have travelled to Berlin and caught up on some podcasts in doing so. I’ve also had some trouble with the RSS feeds on my blog but hopefully this is all fixed now.

    Thanks to Martin Milbret I now have a replacement for my dead workstation, an HP Z600, and there will be a blog post about this new set up to come next week. Thanks also to Sýlvan and a number of others that made donations towards getting me up and running again. A breakdown of the donations and expenses can be found at the end of this post.

  • My Debian Activities in September 2017

    This month almost the same numbers as last month appeared in the statistics. I accepted 213 packages and rejected 15 uploads. The overall number of packages that got accepted this month was 425.

  • Tails 3.2: Privacy, Security, and Anonymity on the Internet Just Got Easier

    The operating system Ed Snowden used to communicate with journalists when he revealed the size and scope of NSA surveillance in 2013 received a major update Thursday. Tails (which stands for The Amnesic Incognito Live System) is a Linux distribution created and distributed by the Tails Project. Tails is built from the ground up to offer security, privacy, and anonymity to computer users everywhere.

    Tails — which is described by its developers as “privacy for anyone anywhere” — has been around since 2009 and has received the Mozilla Open Source Support Award (2016), the Access Innovation Prize (2014), and the OpenITP award (2013). More importantly, it has been used by dissidents in oppressive nations, activists who feel the need to remain anonymous, whistleblowers, and investigative journalists. In fact, the three journalists most involved in the Snowden revelations all used Tails when communicating with him about NSA surveillance. Snowden insisted on it. In April 2014, Freedom of the Press Foundation reported that Laura Poitras, Glenn Greenwald, and Barton Gellman all told the foundation that Tails was instrumental in allowing them to communicate with Snowden about NSA surveillance while avoiding the very surveillance they were preparing to report on.

Security: IoT Cybersecurity Improvement Act, Linux Security Summit 2017, CII on NTP

Filed under
Security
  • IoT Cybersecurity Improvement Act of 2017: The pros and cons from a hacker

    We have early on recognized the state of such security. Our IoT Village has highlighted the problem at many conferences, such as DEFCON and RSA, for the past three years.

  • Linux Security Summit 2017 Roundup

    The 2017 Linux Security Summit (LSS) was held last month in Los Angeles over the 14th and 15th of September. It was co-located with Open Source Summit North America (OSSNA) and the Linux Plumbers Conference (LPC).

  • Securing Network Time

    Since its inception the CII has considered network time, and implementations of the Network Time Protocol, to be “core infrastructure.” Correctly synchronising clocks is critical both to the smooth functioning of many services and to the effectiveness of numerous security protocols; as a result most computers run some sort of clock synchronization software and most of those computers implement either the Network Time Protocol (NTP, RFC 5905) or the closely related but slimmed down Simple Network Time Protocol (SNTP, RFC 4330).
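    The CII paragraph above says clock synchronisation underpins "numerous security protocols" without showing how. The following added example (not CII or NTP project code; the certificate dates, the five-minute skew tolerance and the 1000-second step limit are assumptions chosen for illustration, the last one mirroring ntpd's documented default panic threshold) shows the validity-window check that certificate, Kerberos and signed-token verifiers all perform, and how a clock left behind by a broken or spoofed time source makes that check accept an expired credential. It also shows the kind of sanity gate a time client applies so that one bogus reply cannot step the clock by years.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed validity window for a hypothetical one-year certificate
# (assumed dates, not taken from any real certificate).
NOT_BEFORE = datetime(2017, 1, 1, tzinfo=UTC)
NOT_AFTER = datetime(2018, 1, 1, tzinfo=UTC)

# Tolerance a verifier grants for small clock differences between peers.
# Five minutes is an assumed value; NTP itself prescribes nothing here.
DEFAULT_SKEW = timedelta(minutes=5)

# ntpd refuses to step the clock by more than its "panic threshold"
# (1000 s by default) unless started with -g; the figure is reused here.
PANIC_THRESHOLD = timedelta(seconds=1000)


def within_validity(now, not_before=NOT_BEFORE, not_after=NOT_AFTER, skew=DEFAULT_SKEW):
    """True if `now` lies in [not_before - skew, not_after + skew].

    This is the shape of the check every certificate, Kerberos ticket and
    signed-token verifier performs; it is only as trustworthy as `now`.
    """
    return (not_before - skew) <= now <= (not_after + skew)


def verify_with_clock(local_clock, true_time):
    """Run the validity check with what the local clock says and compare it
    with the verdict a correctly synchronised clock would have produced.

    Returns (accepted_by_local_clock, correct_verdict, verdicts_differ).
    """
    accepted = within_validity(local_clock)
    correct = within_validity(true_time)
    return accepted, correct, accepted != correct


def accept_time_step(current, proposed, panic=PANIC_THRESHOLD):
    """Sanity gate on a time source: refuse any single adjustment larger
    than `panic`, so one bogus or spoofed reply cannot drag the clock
    years into the past and resurrect expired credentials.
    """
    return abs(proposed - current) <= panic


if __name__ == "__main__":
    true_now = datetime(2019, 3, 1, tzinfo=UTC)   # the certificate has expired
    stale = datetime(2017, 6, 1, tzinfo=UTC)      # clock stuck about 21 months behind
    # Expired certificate accepted because the verifier trusts the stale clock.
    print(verify_with_clock(stale, true_now))
    # A time reply that would move the clock by ~21 months is refused ...
    print(accept_time_step(true_now, stale))
    # ... while a ten-minute correction is applied.
    print(accept_time_step(true_now, true_now + timedelta(minutes=10)))
```

    The second half of the story is the mirror image: a clock that runs ahead of true time makes a verifier reject credentials that are still valid, which is the outage failure mode. Both are arguments for treating the time source as part of the trust chain rather than as background plumbing.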

Security: Cyber Operators, EFI, Equifax, Tor

Filed under
Security
  • Cyber Operators — Differences Matter
  • Equitablefax

    I’m calling this mostly a problem with Equihax architecture. This isn’t about a struts bug, this is about a terrible network design that allows random kiddies to scrape the data store clean via a single shell (well, 30, but still). That Equihax was focussing on buying boxes to protect against 0day, and (from stories I’ve read circa 2015) working on ensuring employee phones are compartmented for BYOD. Well, they were clearly spending money out of the security budget. And they weren’t trivial sums either, FireEye boxes aren’t exactly free. But from the looks of it, the problem wasn’t that they got compromised, the problem was that they couldn’t detect a compromise and prevent it from becoming a breach (seriously: 30 webshells exfiltrating data on 143 million people would have left some pretty hefty “access.log” files).

  • Critical Code in Millions of Macs Isn't Getting Apple's Updates

    For certain models of Apple laptops and desktop computers, close to a third or half of machines have EFI versions that haven't kept pace with their operating system updates. And for many models, Apple hasn't released new firmware updates at all, leaving a subset of Apple machines vulnerable to known years-old EFI attacks that could gain deep and persistent control of a victim's machine.

  • Report Bugs, Get $$ Like @atechdad

    The day after Julian Jackson (@atechdad) reported the bug through HackerOne, we released Tor Browser 7.0.3. We saw no indication that it was used in the wild, and the bug didn't affect users of Tails, Whonix, or our sandboxed Tor Browser.

  • Here's What to Ask the Former Equifax CEO

    Richard Smith -- who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers -- is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I'd ask when Mr. Smith goes to Washington.

  • Without Fanfare, Equifax Makes Bankruptcy Change That Affects Hundreds of Thousands

    For what appears to be decades, the credit rating agency Equifax has quietly layered three more years of tarnish on the credit histories of hundreds of thousands of people who had filed for bankruptcy under Chapter 13.

    While its competitors, TransUnion and Experian, placed a flag on such histories for seven years, Equifax left it on the reports of Chapter 13 filers who failed to complete their bankruptcy plans for 10.

    After ProPublica asked about the difference in its policy, the company said it now leaves the flag on for seven years, but refused to say when and why the change was made.
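    The Equitablefax post above makes the point that 30 webshells moving data on 143 million people would have been visible in the web server's access logs. As an added example, not from that post, from Equifax, or from any real incident, here is a small sweep over access-log lines in the common "combined" format that surfaces the pattern a command-taking shell leaves behind: a server-side script file receiving repeated POSTs that return unusually large bodies. The log lines are constructed, and the thresholds, file extensions and the field layout of the regular expression are assumptions a practitioner would tune to their own application.

```python
import re
from collections import defaultdict

# Constructed sample log, Apache/nginx "combined" format. Made up for this
# example: a normal login flow, a static image, and a .jsp dropped under a
# static-content directory that answers POSTs with multi-megabyte bodies.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2017:03:12:01 +0000] "GET /app/login.action HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2017:03:12:04 +0000] "POST /app/login.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2017:03:12:09 +0000] "GET /app/accounts/view.action?id=123 HTTP/1.1" 200 9110 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2017:03:14:00 +0000] "POST /app/static/img/cache.jsp HTTP/1.1" 200 7340032 "-" "python-requests/2.13.0"
198.51.100.23 - - [10/May/2017:03:15:11 +0000] "POST /app/static/img/cache.jsp HTTP/1.1" 200 8912896 "-" "python-requests/2.13.0"
203.0.113.9 - - [10/May/2017:03:15:40 +0000] "POST /app/static/img/cache.jsp HTTP/1.1" 200 6291456 "-" "curl/7.52.1"
10.0.0.9 - - [10/May/2017:03:16:02 +0000] "GET /app/static/img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2017:03:17:30 +0000] "POST /app/static/img/cache.jsp HTTP/1.1" 200 9437184 "-" "python-requests/2.13.0"
"""

# One combined-format line: client, identd, user, [timestamp], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(lines):
    """Yield one dict per parseable line; query strings are stripped from the path
    so the same script is counted once regardless of its parameters."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as evidence
        rec = m.groupdict()
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        rec["path"] = rec["path"].split("?", 1)[0]
        yield rec


def find_webshell_candidates(lines, min_bytes=1_000_000, min_posts=2,
                             script_exts=(".jsp", ".jspx", ".php", ".aspx")):
    """Aggregate per path and flag server-side scripts that take repeated POSTs
    and hand back large response bodies in aggregate. Thresholds are assumed
    starting points; on a real application route them through an allowlist of
    known endpoints first."""
    stats = defaultdict(lambda: {"posts": 0, "bytes": 0, "clients": set(), "agents": set()})
    for rec in parse(lines):
        s = stats[rec["path"]]
        if rec["method"] == "POST":
            s["posts"] += 1
        s["bytes"] += rec["bytes"]
        s["clients"].add(rec["ip"])
        s["agents"].add(rec["agent"])

    hits = []
    for path, s in stats.items():
        if not path.lower().endswith(script_exts):
            continue
        if s["posts"] >= min_posts and s["bytes"] >= min_bytes:
            hits.append({
                "path": path,
                "posts": s["posts"],
                "bytes": s["bytes"],
                "clients": sorted(s["clients"]),
                "agents": sorted(s["agents"]),
            })
    # Largest aggregate transfer first: that is the one to pull the file for.
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_LOG.splitlines()):
        print(hit)
```

    The login endpoint also receives POSTs but is neither a script file by extension nor a heavy responder, so it stays below the bar; the image under the same static directory is a GET with a tiny body. Byte counts are the signal that scales with exfiltration volume, which is why the sweep keys on them rather than on request count alone.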

Security: Updates, EFI Mess, Clarence Birdseye

Filed under
Security
  • Security updates for Friday
  • An alarming number of patched Macs remain vulnerable to stealthy firmware hacks

    An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study released Friday has concluded.

  • What Clarence Birdseye can teach us about container security

    Clarence Birdseye is generally considered to be the founder of the modern frozen food industry. In 1925, after a couple of false starts, he moved his General Seafood Corporation to Gloucester, Massachusetts. There, he used his newest invention, the double belt freezer, to freeze fish quickly using a pair of brine-cooled stainless steel belts. This and other Birdseye innovations centered on the idea that flash-freezing meant that only small ice crystals could form, and therefore cell membranes were not damaged. Over time, these techniques were applied to a wide range of food — including the ubiquitous frozen peas.

Security: CII, Policy, Investment, and More

Filed under
Security

Security: Updates or Patches

Filed under
Security