Language Selection

English French German Italian Portuguese Spanish

Security

GitLab Features Expansion

Filed under
Development
Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security and reproducible-build progress in Guix 0.11

    The GNU Guix package-manager project recently released version 0.11, bringing with it support for several hundred new packages, a range of new tools, and some significant progress toward making an entire operating system (OS) installable using reproducible builds.

    Guix is a "functional" package manager, built on many of the same ideas found in the Nix package manager. As the Nix site explains it, the functional paradigm means that packages are treated like values in a functional programming language—Haskell in Nix's case, Scheme in Guix's. The functions that build and install packages do so without side effects, so the system can easily offer nice features like atomic transactions, rollbacks, and the ability for individual users to build and install separate copies of a package without fear that they will interfere. Part of making such a system reliable is to ensure that builds are "reproducible"—meaning that two corresponding copies of a binary built on different systems at different times will be bit-for-bit identical.

  • VeraCrypt Audit Under Way; Email Mystery Cleared Up

    To say the VeraCrypt audit, which begins today, got off to an inauspicious start would be an understatement.

    On Sunday, two weeks after the announcement that the open source file and disk encryption software would be formally scrutinized for security vulnerabilities, executives at one of the firms funding the audit posted a notice that four emails between the parties involved had been intercepted.

  • Cryptocurrency Mining Virus Targets Linux Machines
  • Why The Windows Secure Boot Hack Is a Good Thing

    Most coverage of the subject has been written in that panicky, alarmist prose that makes for exciting news, but the problem is that the invalidation of Secure Boot is a very positive development for everyone concerned, except for Microsoft. Yes, it shows why backdoors for “the good guys” are a terrible idea — yes, it even has far-reaching implications for every piece of computing technology using the UEFI standard. However, I maintain that it will have a positive influence on the direction of security and tech standards moving forward.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Friday's security updates
  • Thursday's security advisories
  • Microsoft Windows UAC can be bypassed for untraceable hacks

    USER ACCOUNT Control (UAC), the thing in Microsoft Windows that creates extra menus you wish would just sod off, can be bypassed, allowing hackers to gain registry access.

    Security researcher Matt Nelson has discovered that the flaw allows someone to start PowerShell, access the registry and then leave no trace.

    The workaround/feature/bug/massive security hole works on any version of Windows with UAC, which was introduced in Windows Vista and later softened in Windows 7 as it proved such a spectacular pain in the Vista.

    The technique uses no files, no injections and leaves no trace. It's just pure direct access via a vulnerability. You could go off and do it to someone now.

    Don't do that, though.

  • all that’s not golden

    Several stories and events recently that in some way relate to backdoors and golden keys and security. Or do they? In a couple cases, I think some of the facts were slightly colored to make for a more exciting narrative. Having decided that golden keys are shitty, that doesn’t imply that all that’s shit is golden. A few different perspectives here, because I think some of the initial hoopla obscured some lessons that even people who don’t like backdoors can learn from.

    Secure Boot

    Microsoft added a feature to Secure Boot, accidentally creating a bypass for older versions. A sweet demo scene release (plain text) compares this incident to the FBI’s requested golden keys. Fortunately, our good friends over at the Register dug into this claim and explained some of the nuance in their article, Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea. Ha, ha, I kid.

    Matthew Garrett also has some notes on Microsoft’s compromised Secure Boot implementation. He’s purportedly a Linux developer, but he doesn’t once in this post call Windows a steaming pile, so he’s probably a Microsoft shill in disguise.

    Returning to the big question, What does the MS Secure Boot Issue teach us about key escrow? Maybe not a whole lot. Some questions to consider are how thoroughly MS tried to guard the key and whether they actually lost the key or just signed the wrong thing.

    Relevant to the crypto backdoor discussion, are the actions taken here the same? In a key escrow scheme, are iPhones sending encrypted data to the FBI or is the FBI sending encrypted messages to iPhones? The direction of information flow probably has a profound effect on the chances of the wrong thing leaking out. Not to say I want anything flowing in either direction, but it does affect how analogous the situations are.

    A perhaps more important lesson, for all security or crypto practitioners, is just barely hinted at in mjg59’s post. Microsoft created a new message format, but signed it with a key trusted by systems that did not understand this format. Misinterpretation of data formats results in many vulnerabilities. Whenever it’s possible that a message may be incorrectly handled by existing systems, it’s vital to roll keys to prevent misinterpretation.

  • Security against Election Hacking – Part 1: Software Independence

    So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won. The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

    In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts. Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example. And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes). Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

  • Security against Election Hacking (Freedom to Tinker)

    Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.

Security Leftovers

Filed under
Security
  • CVE-2016-5696 and its effects on Tor

    This vulnerability is quite serious, but it doesn’t affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.

  • Secure Boot Failure, Response, and Mitigation

    Last week, it became public that there is an attack against Secure Boot, utilizing one of Microsoft’s utilities to install a set of security policies which effectively disables bootloader verification.

  • Static Code Analyzer Reportedly Finds 10,000 Open Source Bugs

    A Russian company behind the PVS-Studio static code analyzer claims to have used the tool to discover more than 10,000 bugs in various open source projects, including well-known offerings such as the Firefox Web browser and the Linux kernel.

  • Linux.Lady the Crypto-Currency Mining Trojan Discovered

    Organizations reliant on Redis NoSQL a most sought after database require re-checking their configurations, security researchers advise. That's because the Linux.Lady crypto-currency Trojan, which mines digital money, has been discovered as it piggybacks on insufficient out-of-the-box security.

    It is possible that a maximum of 30K Redis servers are susceptible to attack mainly since inadvertent system admins gave them an Internet connection devoid of constructing a password for them in addition to not having Redis secured by default.

  • DDoS protection in the cloud

    OpenFlow and other software-defined networking controllers can discover and combat DDoS attacks, even from within your own network.

    Attacks based on the distributed denial of service (DDoS) model are, unfortunately, common practice, often used to extort protection money or sweep unwanted services off the web. Currently, such attacks can reach bandwidths of 300GBps or more. Admins usually defend themselves by securing the external borders of their own networks and listening for unusual traffic signatures on the gateways, but sometimes they fight attacks even farther outside the network – on the Internet provider's site – by diverting or blocking the attack before it overloads the line and paralyzes the victim's services.

    In the case of cloud solutions and traditional hosting providers, the attackers and their victims often reside on the same network. Thanks to virtualization, they could even share the same computer core. In this article, I show you how to identify such scenarios and fight them off with software-defined networking (SDN) technologies.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
  • NIST Denounces SMS 2FA - What are the Alternatives?

    Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline.

  • It's pretty easy to hack traffic lights

    Researchers from the University of Michigan EE/Computer Science Department (previously) presented their work on hacking traffic signals at this year's Usenix Security Symposium (previously), and guess what? It's shockingly easy to pwn the traffic control system.

    The researchers targeted the wireless control systems at each intersection, avoiding any tampering with the actual junction boxes, which might be detected by passers-by (though seriously, some high-viz vests and a couple of traffic cones would likely serve as perfect camouflage), and worked with the permission of a local Michigan traffic authority.

Linux kernel 4.6 reaches end of life

Filed under
Linux
Security

Those using a GNU/Linux operating system powered by a kernel from the Linux 4.6 branch have been urged to move to Linux kernel 4.7.

According to a report by Softpedia, users have been advised to install the new Linux kernel 4.7.1 build.

Read more

Also: The Linux Foundation Announces 2016 LiFT Scholarship Recipients

Security News

Filed under
Security
Syndicate content

More in Tux Machines

Leftovers: Software

  • Linux Command Line Browser To Surf Internet
    Links is an open source text and graphical web browser with a pull-down menu system. It renders complex pages, has partial HTML 4.0 support (including tables and frames and support for multiple characters sets such as UTF-8), supports color and monochrome terminals and allows horizontal scrolling. It’s very useful for low resources computers because day by day the web pages are bigger and heavier. If your computer doesn’t have a suitable performance you’ll have some mistakes while you’re surfing. So, Links is much faster than any common web browser (with GUI) because it doesn’t load all the content of a website, for example, videos, flash, etc.
  • Stacer – The Linux System Optimizer You’ve Been Waiting For
    System optimizer apps are quite the thing on platforms such as Windows and Android. Their usefulness, however, is debatable considering how notorious they are when it comes to using system resources. On the Linux platform, however, we can almost always find the applications, a developer puts their time in developing to be mostly useful. Stacer is one such app created to better optimized your Linux PC in the sense that it packs quite the list of features you’d normally expect from an optimizer and more to give your system a refresh whenever you feel the need.
  • Ulauncher – A Lightweight Application Launcher for Linux
    Each Desktop environment has the own launcher and doing their job nicely but it take a while to launch the application whenever we are searching. Ulauncher is a lightweight application launcher that loads instant search results, usese low resources, and remembers your previous choices and automatically selects the best option for you. It’s written in Python and uses GTK as a GUI toolkit. When you are typing wrong application name, after few words or spelling, it will figure out what you meant. Use Ulauncher to open your files and directories faster with fuzzy search. Type ~ or / to start browsing. Press Alt+Enter to access the alt menu.

Linux Kernel and Graphics

Security News

  • Windows 10 least secure of Windows versions: study
    Windows 10 was the least secure of of current Windows versions in 2016, with 46% more vulnerabilities than either Windows 8 or 8.1, according to an analysis of Microsoft's own security bulletins in 2016. Security firm Avecto said its research, titled "2016 Microsoft Vulnerabilities Study: Mitigating risk by removing user privileges", had also found that a vast majority of vulnerabilities found in Microsoft products could be mitigated by removing admin rights. The research found that, despite its claims to being the "most secure" of Microsoft's operating systems, Windows 10 had 395 vulnerabilities in 2016, while Windows 8 and 8.1 each had 265. The research also found that while 530 Microsoft vulnerabilities were reported — marginally up from the 524 reported in 2015 — and 189 given a critical rating, 94% could be mitigated by removing admin rights. This was up from 85% in 2015.
  • Windows 10 Creators Update can block Win32 apps if they’re not from the Store [Ed: By Microsoft Peter. People who put Vista 10 on a PC totally lose control of that PC; remember, the OS itself is malware, as per textbook definitions. With DRM and other antifeatures expect copyright enforcement on the desktop soon.]
    The latest Windows 10 Insider Preview build doesn't add much in the way of features—it's mostly just bug fixes—but one small new feature has been spotted, and it could be contentious. Vitor Mikaelson noticed that the latest build lets you restrict the installation of applications built using the Win32 API.
  • Router assimilated into the Borg, sends 3TB in 24 hours
    "Well, f**k." Harsh language was appropriate under the circumstances. My router had just been hacked. Setting up a reliable home network has always been a challenge for me. I live in a cramped three-story house, and I don't like running cables. So my router's position is determined by the fiber modem in a corner on the bottom floor. Not long after we moved in, I realized that our old Airport Extreme was not delivering much signal to the attic, where two game-obsessed occupants fought for bandwidth. I tried all sorts of things. I extended the network. I used Ethernet-over-powerline connectors to deliver network access. I made a mystic circle and danced naked under the full moon. We lost neighbors, but we didn't gain a signal.
  • Purism's Librem 13 Coreboot Port Now "100%" Complete
    According to Purism's Youness Alaoui, their Coreboot port to the Librem 13 v1 laptop is now considered complete. The Librem 13 was long talked about having Coreboot over a proprietary BIOS while the initial models still had shipped with the conventional BIOS. Finally in 2017, they have now Coreboot at what they consider to be 100% complete for this Linux-friendly laptop.
  • The Librem 13 v1 coreboot port is now complete
    Here are the news you’ve been waiting for: the coreboot port for the Librem 13 v1 is 100% done! I fixed all of the remaining issues, it is now fully working and is stable, ready for others to enjoy. I fixed the instability problem with the M.2 SATA port, finished running all the tests to ensure coreboot is working correctly, fixed the headphone jack that was not working, made the boot prettier, and started investigating the Intel Management Engine issue.
  • Linux Update Fixes 11-Year-Old Flaw
    Andrey Konovalov, a security researcher at Google, found a use-after-free hole within Linux, CSO Online reported. This particular flaw is of interest because it appears to be situational. It only showed up in kernels built with a certain configuration option — CONFIG_IP_DCCP — enabled.

Kerala saves Rs 300 cr as schools switch to open software

The Kerala government has made a saving of Rs 300 crore through introduction and adoption of Free & Open Source Software (FOSS) in the school education sector, said a state government official on Sunday. IT became a compulsory subject in Kerala schools from 2003, but it was in 2005 only that FOSS was introduced in a phased manner and started to replace proprietary software. The decision made by the curriculum committee to implement it in the higher secondary sector has also been completed now. Read more