Security Leftovers

Filed under
  • Tuesday's security advisories
  • Secure Hardware vs. Open Source

    Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

  • The Alarming Truth

    Car alarms don't deter criminals, and they're a public nuisance. Why are they still so common?

  • Security hole in Symantec antivirus exposes Windows, Linux and Macs

    A major security vulnerability has been uncovered by UK white hat hacker and Google Project Zero developer, Tavis Ormandy. The vulnerability applies to the Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products and could see Linux, Mac and Windows PCs compromised.

  • Patch now: Google and JetBrains warn developers of buggy IDE

    Google has emailed Android developers advising them to update Android Studio, the official Android IDE, to fix security bugs. Other versions of the JetBrains IntelliJ IDE, on which Android Studio is based, are also affected.

    The bugs are related to the built-in web server in the IDE. A cross-site request forgery (CSRF) flaw means that if the IDE is running and the developer visits a malicious web page in any browser, scripts on the malicious web page could access the local file system.

  • Researchers crack new version of CryptXXX ransomware
  • How to empty your bank's vault with a few clicks and lines of code

    A security researcher has demonstrated how he could have theoretically emptied an Indian bank's coffers with no more than a few clicks and lines of code.

    Earlier this week, researcher Sathya Prakash revealed the discovery of multiple, critical vulnerabilities and poor coding in an unnamed government-run Indian bank.
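The Android Studio item above describes a CSRF flaw in an IDE's built-in web server: any page the developer visits can fire requests at the local port. The check that stops that pattern is the same for any local developer tool, so here is an added example, not code from the page or from JetBrains or Google, of a minimal loopback-bound HTTP server that refuses requests whose Host, Origin or Referer is not the local machine. The port, handler names and the loopback-only policy are assumptions for illustration.

```python
"""Added example (not from the page or any project it links): a local tool's
HTTP server that rejects cross-site requests. A page on evil.example can make
the browser send requests to 127.0.0.1, but it cannot forge the Origin or
Host headers, so checking them blocks the CSRF pattern described above.
Port and policy are assumptions for illustration."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hostnames a request may legitimately claim to come from or be addressed to.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _hostname(value):
    """Extract the lowercase hostname from 'host[:port]' or a full URL.
    Bracketed IPv6 authorities such as '[::1]:8080' are handled by urlsplit."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    return urlsplit("//" + value).hostname or ""


def request_is_same_site(headers):
    """Return (allowed, reason) for a mapping of request headers.

    Policy (assumed): Host must be loopback (defeats DNS rebinding, where
    attacker.example resolves to 127.0.0.1); if the browser sent Origin it
    must be loopback; otherwise, if it sent Referer, that must be loopback.
    A request with neither header (e.g. a top-level GET) is allowed.
    """
    if _hostname(headers.get("Host", "")) not in LOOPBACK:
        return False, "Host header is not loopback"
    origin = headers.get("Origin")
    if origin is not None:
        # 'null' (sandboxed or opaque origins) also fails this check.
        if _hostname(origin) not in LOOPBACK:
            return False, "cross-site Origin"
        return True, "same-site Origin"
    referer = headers.get("Referer")
    if referer is not None and _hostname(referer) not in LOOPBACK:
        return False, "cross-site Referer"
    return True, "no cross-site evidence"


class GuardedHandler(BaseHTTPRequestHandler):
    """Hypothetical tool endpoint that applies the check to every request."""

    def _guard(self):
        ok, reason = request_is_same_site(self.headers)
        if not ok:
            self.send_error(403, reason)
        return ok

    def do_GET(self):
        if not self._guard():
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"local tool endpoint\n")

    # File-system actions behind POST get the same guard.
    do_POST = do_GET


if __name__ == "__main__":
    # Bind to the loopback interface only; the port is an assumed value.
    HTTPServer(("127.0.0.1", 8080), GuardedHandler).serve_forever()
```

Binding to 127.0.0.1 alone is not enough, because the attack comes through the user's own browser, which is already on the loopback side; the header checks are what distinguish a request the developer initiated from one a foreign page triggered.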

Security Leftovers

Filed under
  • SourceForge Tightens Security With Malware Scans

    After taking down the controversial DevShare program in early February, the new owners of popular software repository, SourceForge, have begun scanning all projects it hosts for malware in an attempt to regain trust that was lost by Dice Holdings, the site’s previous owners.

  • Mozilla Issues Legal Challenge to FBI to Disclose Firefox Flaw
  • Judge In Child Porn Case Reverses Course, Says FBI Will Not Have To Turn Over Details On Its Hacking Tool

    Back in February, the judge presiding over the FBI's case against Jay Michaud ordered the agency to turn over information on the hacking tool it used to unmask Tor users who visited a seized child porn site. The FBI further solidified its status as a law unto itself by responding that it would not comply with the court's order, no matter what.

    Unfortunately, we won't be seeing any FBI officials tossed into jail cells indefinitely for contempt of court charges. The judge in that case has reversed course, as Motherboard reports.

  • Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack

    In February, a judge ordered the FBI to reveal the full malware code it used to identify visitors of a dark web child pornography site, including the exploit that circumvented the protections of the Tor Browser. The government fought back, largely in sealed motions, and tried to convince the judge to reconsider.

  • Symantec antivirus security flaw exposes Linux, Mac and Windows

    Security holes in antivirus software are nothing new, but holes that exist across multiple platforms? That's rare... but it just happened. Google's Tavis Ormandy has discovered a vulnerability in Symantec's antivirus engine (used in both Symantec- and Norton-branded suites) that compromises Linux, Mac and Windows computers. If you use an early version of a compression tool to squeeze executables, you can trigger a memory buffer overflow that gives you root-level control over a system.

  • Apache incubating project promises new Internet security framework

    The newly announced Apache Milagro (incubating) project seeks to put an end to centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications.

More Security Leftovers

Filed under
  • Security updates for Monday
  • The Truth about Linux 4.6

    As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at:, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.

  • Major Remote SSH Security Issue in CoreOS Linux Alpha, Subset of Users Affected

    A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected. The Alpha was subsequently reverted back to the unaffected previous version (1032.1.0) and hosts configured to receive updates have been patched. The issue was reported on May 15 at 20:21 PDT and a fix was available 6 hours later at 02:29 PDT.

  • Let's Encrypt: The Good and the Bad

    By now, most of you have heard about the "Let's Encrypt" initiative. The idea being that it's high time more websites had a simple, easy to manage method to offer https encryption. As luck would have it, the initiative is just out of its beta phase and has been adding sponsors like Facebook, Cisco, and Mozilla to their list of organizations that view this initiative as important.

    In this article, I want to examine this initiative carefully, taking a look at the good and the bad of Let's Encrypt.

Security Leftovers

Filed under
  • Security will fix itself, eventually

    Here's my prediction though. In the future, good security will be cheaper to build, deploy, and run than bad security. This sounds completely insane with today's technology. A statement like this is like some kook ten years ago telling everyone solar power is our future. Ten years ago solar wasn't a serious thing, today it is. Our challenge is figuring out what the new security future will look like. We don't really know yet. We know we can't train our way out of this, most existing technology is a band-aid at best. If I had to guess I'll use the worn out "Artificial Intelligence will save us all", but who knows what the future will bring. Thanks to Al Gore, I'm now more optimistic things will get better. I'm impatient though, I don't want to wait for the future, I want it now! So all you smart folks do me a favor and start inventing the future.

  • Does Microsoft care about security? [Ed: no, because leaks show it gives back doors to governments]

    On Wednesday, I also booted my laptop to Windows. I had not used the laptop for several days, so the AV definitions were three days old. It updated after around 3 hours. But the Vista system still has not updated.

    This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday. The previous two months, I attempted to manually update. On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading. It did eventually update, after repeating this for two days. This month, I decided to allow it to update without manual intervention, with the results described above.

    It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista. The priority worsening is greater for Vista than for Windows 7. It affects monthly patches as well as MSE virus table updates.

    The message to malware producers is loud and clear. Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.

How Fuzzing Can Make A Large Open Source Project More Secure

Filed under

Emily Ratliff of the Linux Foundation explains the considerations to take when planning to fuzz your open source project

One of the best practices for secure development is dynamic analysis. Among such techniques, fuzzing has been highly popular since its invention and a multitude of fuzzing tools of varying sophistication have been developed.


Also: Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

Ubuntu 16.04 LTS Receives Minor Kernel Update That Patches Two Vulnerabilities

Filed under

Today, May 16, 2016, Canonical published multiple security notices to inform the Ubuntu community about the availability of a new kernel update for their operating systems.


Security Leftovers

Filed under
  • Replacing /dev/urandom

    The kernel's random-number generator (RNG) has seen a great deal of attention over the years; that is appropriate, given that its proper functioning is vital to the security of the system as a whole. During that time, it has acquitted itself well. That said, there are some concerns about the RNG going forward that have led to various patches aimed at improving both randomness and performance. Now there are two patch sets that significantly change the RNG's operation to consider.

  • Mozilla asks the FBI for details of Tor vulnerability that could also affect Firefox

    Mozilla is fighting to force the FBI to disclose details of a vulnerability in the Tor web browser. The company fears that the same vulnerability could affect Firefox, and wants to have a chance to patch it before details are made public.

    The vulnerability was exploited by FBI agents to home in on a teacher who was accessing child pornography. Using a "network investigative technique", the FBI was able to identify the man from Vancouver, but Mozilla is concerned that it could also be used by bad actors.

    Perhaps unsurprisingly, the government says that it should be under no obligation to disclose details of the vulnerability to Mozilla ahead of anyone else. But the company has filed a brief with a view to forcing the FBI's hand. The argument is that users should be kept protected from known flaws by allowing software companies to patch them.

Security Leftovers

Filed under
  • Thursday's security advisories
  • Friday's security updates
  • I never imagined a nuclear plant’s control system being online

    Many people think that the web is the internet. They see the Googles, the Facebooks, the Reddits… but the web is something built on top of the internet and so only the tip of the iceberg. The iceberg is composed of webcams, power plants, printers… billions of devices.

  • Heart Surgery Stalled For Five Minutes Thanks To Errant Anti-Virus Scan [Ed: Microsoft Windows]

    If you've ever had the pleasure of simply asking one medical outfit to transfer your records to another company or organization, you've probably become aware of the sorry state of medical IT. Billions are spent on medical hardware and software, yet this is a sector for which the fax machine remains the pinnacle of innovation and a cornerstone of daily business life. Meanwhile, getting systems to actually communicate with each other appears to be a bridge too far. And this hodgepodge of discordant and often incompatible systems can very often have very real and troubling implications for patients.

  • How to make containers more secure

    CoreOS's Matthew Garrett talks about the security risks in containers and how he and others are working to mitigate such risks.

  • Docker Ramps Up Container Security

    Docker this week announced the rollout of security scanning technology to safeguard container content across the entire software supply chain.

  • Jenkins security patches could break plug-ins

    Popular open source automation server Jenkins has fixed multiple security vulnerabilities. The latest version changes how plug-ins use build parameters, though, so developers will need to adapt to the new process.

  • Security From Whom?

    To take advantage of the X11 protocol issues, you need to be able to speak X11 to the server. Assuming you haven’t misconfigured something (ssh or your file permissions) so other users’ software can talk to your server, that means causing you to run evil X11 protocol code like XEvilTeddy.

  • Convenience, security and freedom - can we pick all three?

    Moxie, the lead developer of the Signal secure communication application, recently blogged on the tradeoffs between providing a supportable federated service and providing a compelling application that gains significant adoption. There's a set of perfectly reasonable arguments around that that I don't want to rehash - regardless of feelings on the benefits of federation in general, there's certainly an increase in engineering cost in providing a stable intra-server protocol that still allows for addition of new features, and the person leading a project gets to make the decision about whether that's a valid tradeoff.

  • Announcing Certbot: EFF's Client for Let's Encrypt
  • Signal Return Orientated Programming attacks

    When a process is interrupted, the kernel suspends it and stores its state in a sigframe which is placed on the stack. The kernel then calls the appropriate signal handler code and after a sigreturn system call, reads the sigframe off the stack, restores state and resumes the process. However, by crafting a fake sigframe, we can trick the kernel into executing something else.

Linux can't keep you safe if you don't update it

Filed under

At CoreOS Fest in Berlin, Greg Kroah-Hartman, Linux kernel developer and maintainer of the stable branch, talked about an inconvenient truth about Linux and security: vendors are notoriously bad about implementing patches.

For the last 15 years the kernel community has been following a rule to fix things as soon as possible. The Linux community fixes the bugs and pushes them out so that vendors can push them to their users.
