Language Selection

English French German Italian Portuguese Spanish

Security

Isolating processes with Qubes OS 3.1

Filed under
GNU
Linux
Security

There are several approaches to computer security. One method is to try to make every component work as correctly and error-free as possible. This is called security through correctness. Another approach is called security by obscurity and it involves hiding secrets or flaws. A third approach to security is isolation, which is sometimes called security by compartmentalization. This third method keeps important pieces separate so if one component is compromised, the other components can continue to work, unaffected.

These different styles of security might make more sense if we look at an example from the non-digital world. Imagine we have some valuables we want to keep locked away and we decide to buy a safe to store our precious documents, jewels and money. If we buy a high quality safe that is hard to force open, that is security through correctness. If we hide our safe behind a picture or in a secret room, that is security through obscurity. Buying two safes and placing half of our valuables in each so if one is robbed then we still have half of our items is an example of security by compartmentalization.

Read more

The linux-stable security tree project

Filed under
Linux
Security

Hi all,

I'd like to announce the linux-stable security tree project. The purpose
is to create a derivative tree from the regular stable tree that would
contain only commits that fix security vulnerabilities.

Read more

Hardware Modding/Hacking/Security

Filed under
Hardware
Security
  • Libreboot on my X60s
  • Nexenta to Showcase Market Leading Open Source-Driven Software-Defined Storage Solutions at Cloud Expo Europe, London
  • Cybersecurity education isn't good, nobody is shocked

    There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won't be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security.

  • Making it easier to deploy TPMTOTP on non-EFI systems

    On EFI systems you can handle this by sticking the secret in an EFI variable (there's some special-casing in the code to deal with the additional metadata on the front of things you read out of efivarfs). But that's not terribly useful if you're not on an EFI system. Thankfully, there's a way around this. TPMs have a small quantity of nvram built into them, so we can stick the secret there. If you pass the -n argument to sealdata, that'll happen. The unseal apps will attempt to pull the secret out of nvram before falling back to looking for a file, so things should just magically work.

  • 6 steps to calculate ROI for an open hardware project

    Free and open source software advocates have courageously blazed a trail that is now being followed by those interested in open source for physical objects. It's called free and open source hardware (FOSH), and we're seeing an exponential rise in the number of free designs for hardware released under opensource licenses, Creative Commons licenses,or placed in the public domain.

Security Leftovers

Filed under
Security

Linux Mint security – 28 days later

Filed under
GNU
Linux
Security

Linux Mint has suffered a reputation damage, which has led to doubts and questions being raised in the community. Valid questions, because you don’t want any private, confidential data to be transmitted to a third party without your knowledge and consent. So you may want to check if Mint is clean, and whether it can be used safely. This article outlines the technical methods.

However, you should also not forget that this is not the first, nor the last hack of a website related to a distro project. All the big names have had similar issues in the past. Moreover, obscurity does not guarantee security. If you’ve never thought about this topic before Feb 20, then you really should not be focusing too much energy on it now. Because all the other times you downloaded packages and updates your system, there could have been a breach somewhere, but since you were not aware of it, you did not do anything about it. Now you are aware, but it does not change the reality, only your perception. You may want to double-check everything now, it’s a natural reaction, but it’s not really grounded in any hard, solid facts. If anything, the hack only helps put more security highlight on the distros and their management, so they should now be more secure than ever before.

There.

Read more

Security Leftovers

Filed under
Security
  • A perfect storm of broken business and busted FLOSS backdoors everything, so who needs the NSA?

    In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.

  • Researchers help shut down spam botnet that enslaved 4,000 Linux machines
  • Mumblehard Linux botnet eliminated as a threat: ESET

    Security researchers at ESET reported that the spam-dispensing Mumblehard Linux botnet is no longer active due to the combined efforts of ESET, the Cyber Police of Ukraine and CyS Centrum.

  • OSVDB Shuts Down, Firefox Add-ons Unsafe & More…

    Speaking of vulnerabilities: We lost an open source security asset this week. On Tuesday we received word that OSVDB, or the Open Sourced Vulnerability Database project, an organization that’s cataloged computer security flaws since 2002, is closing up shop. The news came by way of an OSVDB blog that said, “We are not looking for anyone to offer assistance at this point, and it [the database] will not be resurrected in its previous form.” As for why the database is being shut down, the post went on to somewhat cryptically explain, “The industry simply did not want to contribute and support such an effort.” A good analysis of the details by Jon Gold was published Thursday on Network World.

  • Do You Think Linux Is More Secure Than Other OS?

    There’s an old school of thought that says that Linux is more secure than other operating systems. This topic has been hotly debated over the years. What’s your opinion? Do you think Linux is more secure than other OS?

  • Adobe Issues Emergency Update to Flash After Ransomware Attacks
  • FBI: $2.3 Billion Lost to CEO Email Scams

    The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

Security Leftovers

Filed under
Security
  • Friday's security advisories
  • Thursday's security updates
  • Nation-wide radio station hack airs hours of vulgar “furry sex” ramblings

    Some Tuesday morning listeners of KIFT, a Top 40 radio station located in Breckenridge, Colorado, were treated to a radically different programming menu than they were used to. Instead of the normal fare from Taylor Swift, The Chainsmokers, or other pop stars, a hack by an unknown party caused one of the station's signals to broadcast a sexually explicit podcast related to the erotic attraction to furry characters. The unauthorized broadcast lasted for about 90 minutes.

    KIFT wasn't the only station to be hit by the hack. On the same day, Livingston, Texas-based country music station KXAX also broadcast raunchy furry-themed audio. And according to an article posted Wednesday by radio industry news site RadioInsight.com, the unauthorized broadcasts from a hobbyist group called FurCast were also forced on an unnamed station in Denver and an unidentified national syndicator.

  • Maryland hospital: Ransomware success wasn’t IT department’s fault

    MedStar refused to respond to Ars Technica's inquiries about the attack. In the statement released to media, MedStar's spokesperson said, "As we have said before, based on the advice of IT, cybersecurity and law enforcement experts, MedStar will not be elaborating further on additional aspects of this malware event. This is not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other healthcare organizations and companies." The spokesperson claimed the hospital had "no evidence of any compromise of patient or associate data… furthermore, we are pleased that we brought our systems back up in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners."

  • Its a good thing SELinux blocks access to the docker socket.

    I have seen lots of SELinux bugs being reported where users are running a container that volume mounts the docker.sock into a container. The container then uses a docker client to do something with docker. While I appreciate that a lot of these containers probbaly need this access, I am not sure people realize that this is equivalent to giving the container full root outside of the contaienr on the host system. I just execute the following command and I have full root access on the host.

Security Leftovers

Filed under
Security
  • 'BillGates': Linux botnet is launching DDoS attacks on online gaming services

    IRONY ALERT: Bill Gates-themed software wants to get on as many computers as possible and not budge.

    Not Windows, of course, but a botnet called BillGates. The malware has been around since 2014 but now seems to be leaping forwards (not over a chair) and making a nuisance of itself, according to Akamai.

  • Mumblehard spam-spewing botnet floored

    Security researchers have teamed up with authorities in Ukraine to take down a spam-spewing Linux-infesting botnet.

    Security firm ESET teamed up with CyS-CERT and the Cyber Police of Ukraine to take down the Mumblehard botnet.

  • Authorities Shut Down Botnet of 4,000 Linux Servers Used to Send Spam

    The six-year-old Mumblehard botnet is no more, ESET reports, explaining that a joint effort with CyS Centrum LLC and the Cyber Police of Ukraine has finally allowed them to sinkhole the botnet's main C&C (command and control server).

  • Mumblehard Linux Spamming Botnet Finally Taken Offline

    Thousands of servers running Linux and BSD had been affected by one of world’s most damaging botnets

  • Academics claim Google Android two-factor authentication is breakable

    Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA).

  • Google adds Cloud Test Lab integration to new Android Studio 2.0

    Google has updated its key Android development tool, Android Studio, to version 2.0 and added cloud test integration, a GPU debugger, and faster emulation and resource allocation.

    Mountain view touts the instant run feature as just about the most important new feature in the upgrade, as it analyses Android app code as it runs and determines ways it can be deployed faster, without requiring app re-installation.

  • Heartbleed Remains a Risk 2 Years After It Was Reported

    A vulnerability publicly disclosed in the open-source OpenSSL project two years ago continues to have an impact today.
    On April 7, 2014, CVE-2014-0160, better known as Heartbleed, was publicly disclosed by the OpenSSL project, affecting millions of users and devices around the world. Today, two years to the day it was first reported, the vulnerability remains a risk, and the trend of branded vulnerabilities it created continues to have an impact.

Security Leftovers

Filed under
Security
Syndicate content

More in Tux Machines

Proxmox VE 4.3 released

Proxmox Server Solutions GmbH today announced the general availability of Proxmox Virtual Environment 4.3. The hyper-converged open source server virtualization solution enables users to create and manage LXC containers and KVM virtual machines on the same host, and makes it easy to set up highly available clusters as well as to manage network and storage via an integrated web-based management interface. The new version of Proxmox VE 4.3 comes with a completely new comprehensive reference documentation. The new docu framework allows a global as well as contextual help function. Proxmox users can access and download the technical documentation via the central help-button (available in various formats like html, pdf and epub). A main asset of the new documentation is that it is always version specific to the current user’s software version. Opposed to the global help, the contextual help-button shows the user the documentation part he currently needs. Read more

Games for GNU/Linux

Security News

  • Tuesday's security updates
  • New Open Source Linux Ransomware Divides Infosec Community
    Following our investigation into this matter, and seeing the vitriol-filled reaction from some people in the infosec community, Zaitsev has told Softpedia that he decided to remove the project from GitHub, shortly after this article's publication. The original, unedited article is below.
  • Fax machines' custom Linux allows dial-up hack
    Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection. The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line. The firmware is custom Linux, giving the printers a familiar networking environment for bad actors looking to exploit the fax line as an attack vector. Once they're in that ancient environment, it's possible to then move onto the network to which the the printer's connected. Yves-Noel Weweler, Ralf Spenneberg and Hendrik Schwartke of Open Source Training in Germany discovered the bug, which occurs because Epson WorkForce multifunction printers don't demand signed firmware images.
  • Google just saved the journalist who was hit by a 'record' cyberattack
    Google just stepped in with its massive server infrastructure to run interference for journalist Brian Krebs. Last week, Krebs' site, Krebs On Security, was hit by a massive distributed denial-of-service (DDoS) attack that took it offline, the likes of which was a "record" that was nearly double the traffic his host Akamai had previously seen in cyberattacks. Now just days later, Krebs is back online behind the protection of Google, which offers a little-known program called Project Shield to help protect independent journalists and activists' websites from censorship. And in the case of Krebs, the DDoS attack was certainly that: The attempt to take his site down was in response to his recent reporting on a website called vDOS, a service allegedly created by two Israeli men that would carry out cyberattacks on behalf of paying customers.
  • Krebs DDoS aftermath: industry in shock at size, depth and complexity of attack
    “This attack didn’t stop, it came in wave after wave, hundreds of millions of packets per second,” says Josh Shaul, Akamai’s vice president of product management, when Techworld spoke to him. “This was different from anything we’ve ever seen before in our history of DDoS attacks. They hit our systems pretty hard.” Clearly still a bit stunned, Shaul describes the Krebs DDoS as unprecedented. Unlike previous large DDoS attacks such as the infamous one carried out on cyber-campaign group Spamhaus in 2013, this one did not use fancy amplification or reflection to muster its traffic. It was straight packet assault from the old school.
  • iOS 10 makes it easier to crack iPhone back-ups, says security firm
    INSECURITY FIRM Elcomsoft has measured the security of iOS 10 and found that the software is easier to hack than ever before. Elcomsoft is not doing Apple any favours here. The fruity firm has just launched the iPhone 7, which has as many problems as it has good things. Of course, there are no circumstances when vulnerable software is a good thing, but when you have just launched that version of the software, it is really bad timing. Don't hate the player, though, as this is what Elcomsoft, and what Apple, are supposed to be doing right. "We discovered a major security flaw in the iOS 10 back-up protection mechanism. This security flaw allowed us to develop a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) back-ups made by iOS 10 devices," said Elcomsoft's Oleg Afonin in a blog post.
  • After Tesla: why cybersecurity is central to the car industry's future
    The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security. This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production. This leads to a ‘fire brigade approach’ to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market.

Ofcom blesses Linux-powered, open source DIY radio ‘revolution’

Small scale DAB radio was (quite literally) conceived in an Ofcom engineer’s garden shed in Brighton, on a Raspberry Pi, running a full open source stack, in his spare time. Four years later, Ofcom has given the thumbs up to small scale DAB after concluding that trials in 10 UK cities were judged to be a hit. We gave you an exclusive glimpse into the trials last year, where you could compare the specialised proprietary encoders with the Raspberry Pi-powered encoders. “We believe that there is a significant level of demand from smaller radio stations for small scale DAB, and that a wider roll-out of additional small scale services into more geographic areas would be both technically possible and commercially sustainable,” notes Ofcom. Read more