Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • Security updates for Monday
  • Impossible is impossible!

    Sometimes when you plan for a security event, it would be expected that the thing you're doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I'm here to tell you it's impossible to make something impossible.

    As you think about that statement for a bit, let me explain what's happening here, and how we're going to tie this back to security, business needs, and some common sense. We've all heard of the 80/20 rule, one of the forms is that the last 20% of the features are 80% of the cost. It's a bit more nuanced than that if you really think about it. If your goal is impossible it would be more accurate to say 1% of the features are 2000% of the cost. What's really being described here is a curve that looks like this

  • What is the spc_t container type, and why didn't we just run as unconfined_t?

    If you are on an SELinux system, and run docker with SELinux separation turned off, the containers will run with the spc_t type.

  • The importance of paying attention in building community trust

    Trust is important in any kind of interpersonal relationship. It's inevitable that there will be cases where something you do will irritate or upset others, even if only to a small degree. Handling small cases well helps build trust that you will do the right thing in more significant cases, whereas ignoring things that seem fairly insignificant (or saying that you'll do something about them and then failing to do so) suggests that you'll also fail when there's a major problem. Getting the small details right is a major part of creating the impression that you'll deal with significant challenges in a responsible and considerate way.

    This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?

Systemd bug in the News

Filed under
Linux
Security
  • Systemd bug allows ordinary user to crash Linux systems

    The systemd project is yet to release a fix for a bug that was disclosed on 28 September but at least one GNU/Linux distribution has patched the same.

    The bug, allowing a user to crash a system by using a short command as an ordinary user, was disclosed by a developer named Andrew Ayer.

    After running this command, according to Ayer, "You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system)."

  • Major Linux distributions suffer from the latest system crippling bug

    A system administrator, Andrew Ayer discovered a crippling bug while working with his Linux System. He reported the issue at length in a blogpost pointing out how anyone could crash Systemd by one single tweet. The system will not collapse as soon as the tweet is rendered on screen by the system. Instead, what it meant was that any Linux distribution could be crippled by a command that can fit into one tweet. He even posted a tweet with the command to prove his point.

Down the rabbit hole, part 3: Linux and Tor are key to ensuring privacy, security

Filed under
Linux
Security

So, I’ve decided I need to improve the privacy and security of my life (especially as it relates to computing). And I’ve come to the conclusion that in order to effectively do this, I need to focus on utilizing open source software as much as possible.

What next?

Let’s start at a very simple, basic level: the operating system of my laptop computers (I don’t actually have a desktop currently, but the same ideas will apply) and how they connect to the internet.

Read more

Security News

Filed under
Security
  • security things in Linux v4.7
  • Microsoft warns Windows security fix may break network shares

    The latest of these, Preview Build 14936 – for testers on what Microsoft refers to as the Fast Ring – comes with the usual set of updates, new features, and fixes for things that the previous release managed to break.

    However, what caught our eye was a warning that after updating, users may find that shared devices such as NAS boxes have mysteriously disappeared from the home network folder, and that any previously mapped network drives are unavailable.

    Microsoft offers a fix for this; if you change your network to “private” or “enterprise”, it should start working again.

    It seems that the cause of this hiccup is a fix that Microsoft made earlier in September to address a security hole severe enough that it might allow remote code execution with elevated permissions on an affected system, although this would require an attacker to create a specially crafted request.

    The fix addresses this by, among other things, “correcting how Windows enforces permissions”.

    Windows Insiders are typically no newbies and used to preview builds breaking stuff, but it is likely that this change will find its way into the Windows 10 code everybody else is running sooner or later.

  • Android Devices Are Targeted By New Lockscreen Ransomware

Security Leftovers

Filed under
Security
  • Bug Bounty Hunters Can Earn $1.5 Million For A Successful Jailbreak Of iOS 10
  • How To Ensure Trustworthy, Open Source Elections [Ed: This reminds us Microsoft must be kicked out of election process [1, 2]

    A strong democracy hinges not only on the right to vote but also on trustworthy elections and voting systems. Reports that Russia or others may seek to impact the upcoming U.S. presidential election—most recently, FBI evidence that foreign hackers targeted voter databases in Arizona and Illinois—has brought simmering concerns over the legitimacy of election results to a boil.

  • Source Code for IoT Botnet ‘Mirai’ Released

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

Security News

Filed under
Security
  • Your next DDoS attack, brought to you courtesy of the IoT

    The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.

    Symantec reports on the rising trend in IoT malware, which attack systems that "may not include any advanced security features" and are "designed to be plugged in and forgotten" without "any firmware updates" so that "infection of such devices may go unnoticed by the owner."

    The USA and China are the two countries where people own most of these things, so they're also where most of the malicious traffic originates. Symantec ran a honeypot that recorded attempts to login and compromise a system that presented as a vulnerable IoT device, and found that the most common login attempts used the default passwords of "root" and "admin," suggesting that malware authors have discovered that IoT owners rarely change these defaults. Other common logins include "123456," "test" and "oracle."

  • Meet Linux.Mirai Trojan, a DDoS nightmare
  • Linux.Mirai Trojan Carries Out DDoS Attacks
  • Fears of a hacked election may keep 1 out of every 5 voters home, says report

    Recent hacks of the Democratic National Committee, the Democratic Congressional Campaign Committee and election databases have increased fears that cybercriminals will try to interfere with the upcoming U.S. presidential election.

    Concerns leading up to election day on November 8 could have a real impact on voter turnout, according to a study from cybersecurity firm Carbon Black. More than one in five registered U.S. voters may stay home on election day because of fears about cybersecurity and vote tampering, the study — an online survey of 700 registered voters aged 18-54 — found.

  • Hostile Web Sites

    I was asked whether it would be safe to open a link in a spam message with wget. So here are some thoughts about wget security and web browser security in general.

  • You can crash Linux Systemd with a single Tweet

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with a single command line.”After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons.

  • How to reignite a flamewar in one tweet (and I still don’t get it)
  • Multiple Linux Distributions Affected By Crippling Bug In Systemd

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.

Security Leftovers

Filed under
Security
  • Let's Encrypt Wants to Help Improve the CA Model

    Let's Encrypt, a non-profit effort that brings free SSL/TLS certificates to the web, was first announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. To date, it has provided more than 5 million free certificates.

    While having an SSL/TLS certificate to encrypt traffic is an important element of web security, it's not the only one, said Josh Aas, executive director of the Internet Security Research Group and leader of Let's Encrypt.

    "There is a lot in the total picture of what makes a website secure, and we can do a lot to help a certain part of it," he said in a video interview.

  • How to Throw a Tantrum in One Blog Post

    The systemd team has recently patched a local denial of service vulnerability affecting the notification socket, which is designed to be used for daemons to report their lifecycle and health information. Some people have used this as an opportunity to throw a fresh tantrum about systemd.

Security News

Filed under
Security
  • Report: Linux security must be upgraded to protect future tech

    The summit was used to expose a number of flaws in Linux's design that make it increasingly unsuitable to power modern devices. Linux is the operating system that runs most of the modern world. It is behind everything from web servers and supercomputers to mobile phones. Increasingly, it's also being used to run connected Internet of Things (IoT) devices, including products like cars and intelligent robots.

  • security things in Linux v4.6

    Hector Marco-Gisbert removed a long-standing limitation to mmap ASLR on 32-bit x86, where setting an unlimited stack (e.g. “ulimit -s unlimited“) would turn off mmap ASLR (which provided a way to bypass ASLR when executing setuid processes). Given that ASLR entropy can now be controlled directly (see the v4.5 post), and that the cases where this created an actual problem are very rare, means that if a system sees collisions between unlimited stack and mmap ASLR, they can just adjust the 32-bit ASLR entropy instead.

Security Leftovers

Filed under
Security
  • Friday's security advisories
  • ICANN grinds forward on crucial DNS root zone signing key update

    The Internet Corporation for Assigned Names and Numbers is moving -- carefully -- to upgrade the DNS root zone key by which all domains can be authenticated under the DNS Security Extensions protocol.

    ICANN is the organization responsible for managing the Domain Name System, and DNS Security Extensions (DNSSEC) authenticates DNS responses, preventing man-in-the-middle attacks in which the attacker hijacks legitimate domain resolution requests and replaces them with fraudulent domain addresses.

    DNSSEC still relies on the original DNS root zone key generated in 2010. That 1024-bit RSA key is scheduled to be replaced with a 2048-bit RSA key next October. Although experts are split over the effectiveness of DNSSEC, the update of the current root zone key signing key (KSK) is long overdue.

  • Cybersecurity isn't an IT problem, it's a business problem

    The emergence of the CISO is a relatively recent phenomenon at many companies. Their success often relies upon educating the business from the ground up. In the process, companies become a lot better about how to handle security and certainly learn how not to handle it.

    As a CIO, knowing the pulse of security is critical. I oversee a monthly technology steering committee that all the executives attend. The CISO reports during this meeting on the state of the security program. He also does an excellent job of putting risk metrics out there, color coded by red, yellow, and green. This kind of color grading allows us to focus attention on where we are and what we’re doing about it.

Security News

Filed under
Security
  • Don't Trust Consumer Routers

    Another example of why you shouldn’t trust consumer routers. d-link

    It isn’t just this specific d-link router. We’ve seen the same issues over and over and over with pretty much every non-enterprise vendor.

    Plus we don’t want our devices used by crackers to DDoS Brian Krebs anymore, right?

    We are Linux people. We CAN do this ourselves.

  • D-Link DWR-932 router is chock-full of security holes

    Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

  • The Cost of Cyberattacks Is Less than You Might Think

    What's being left out of these costs are the externalities. Yes, the costs to a company of a cyberattack are low to them, but there are often substantial additional costs borne by other people. The way to look at this is not to conclude that cybersecurity isn't really a problem, but instead that there is a significant market failure that governments need to address.

  • NHS trusts are still using unsupported Windows XP PCs

    AT LEAST 42 National Health Service (NHS) trusts in the UK still run Microsoft's now-defunct Windows XP operating system.

    Motherboard filed Freedom of Information requests with more than 70 NHS hospital trusts asking how many Windows XP machines they use. 48 replied within the allotted time, and a whopping 42 of them admitted that they still use the operating system that reached end-of-life status in April 2014.

    Some of the culprits include East Sussex Healthcare, which has 413 Windows XP machines, Sheffield's Children's hospital with 1,290, and Guy's and St Thomas' NHS Trust in London with an insane 10,800 Windows XP-powered PCs.

    23 replied to Motherboard's quizzing about whether they have an extended support agreement in place and, unsurprisingly, the majority said that they do not.

Syndicate content

More in Tux Machines

Microsoft vs GNU/Linux

Netflix and GNU/Linux

today's howtos

KDE/Qt

  • Device Tailored Compositors with Qt Wayland at CLAAS E-Systems
    Have you heard about software in cars that run on embedded devices? Do you think that creating such software might be challenging? Well, welcome to a complete new world of complexity, welcome to the world of agriculture machines! For many years, automatic steering (on fields), terminals to control the complex mechanical operations of a self-driving 16 ton combine harvester on a soft ground, and self-optimization systems to optimize any tiny bit of your harvester, are key demands from customers. I, myself, am working at CLAAS E-Systems, the electronics and software department within the CLAAS group. Our group is well known for being among the leading manufacturers for combine harvesters, tractors and forage harvesters.
  • Qt Wayland Is Next Appearing On Tractors & Farm Equipment
    With Qt 5.8's Qt Wayland Compositor Framework taking shape, more developers are beginning to tailor a Qt Wayland compositor to their use-cases. One of those is a company specializing in farm equipment like combine harvesters, tractors, and harvesters. As a guest post on the official Qt blog, developer Andreas Cord-Landwehr of CLAAS E-Systems talked up Qt Wayland for their purposes in the highly-regulated agriculture industry.
  • KDevelop 5.1 Open-Source IDE Launches with LLDB and OpenCL Support, Many Changes
    The development team behind the popular, open-source, cross-platform, free and powerful KDevelop IDE (Integrated Development Environment) were proud to announce the official release and general availability of KDevelop 5.1. KDevelop 5.1 is now the most advanced stable version of the application, which is written entirely in Qt and designed to be used on various GNU/Linux distributions that usually ship with the KDE Plasma desktop environment, but also on the latest releases of the Microsoft Windows operating system.