Language Selection

English French German Italian Portuguese Spanish

Security

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box

Filed under
Red Hat
Security
Web

A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.

The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.

The vulnerability – which was made public this week – sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built into various flavors of Linux.

Read more

Security: X.Org, “Citizen Clinic”, British Airways, and Golem

Filed under
Security
  • An X.Org security advisory
  • LTC Launches Cybersecurity “Citizen Clinic”

    The Center for Long-Term Cybersecurity has launched a new public interest cybersecurity clinic dedicated to providing services to politically vulnerable organizations—including media outlets, human rights groups, and non-government organizations—that are at risk of cyberattacks.

  • British Airways admits mega-breach hit additional 185,000 customers

    The firm originally said that the mega-breach, which was first made public at the beginning of September, saw [crackers] compromise the payment cards of at least 380,000 customers in a theft of data from the company's online booking systems.

    In an updated statement released on Thursday, BA admitted that a further 185,000 customers may have been affected by the breach.

  • The Next Chapter: From the Endpoint to the Cloud

    So, this month I’ve joined the Golem Project as a Chief Strategy Officer, also doubling as Chief Security Officer (conveniently, both roles have the same CSO acronym Smile The double nature of my role emphasizes the close relationships among the long-term roadmap, technical architecture, as well as product- and operations-security in Golem.

    Why Golem? Because Golem is a very unique project. Golem has been on a mission to build a “decentralized computer” out of a heterogeneous network of third-party provided computers. Founded two years ago through a very successful crowdfunding campaign, it instantly gained an impressive amount of funding, which allowed it to build a strong development team (incidentally, mostly based in my favorite city – Warsaw).

Security: OPAQUE, X.Org and More Patches

Filed under
Security
  • Should your next web-based login form avoid sending passwords in clear text?

    The answer to the question in the title is most likely “no.” While the OPAQUE protocol is a fascinating approach to authentication, for web applications it doesn’t provide any security advantages.

    I read an interesting post by Matthew Green where he presents ways to authenticate users by password without actually transmitting the password to the server, in particular a protocol called OPAQUE. It works roughly like that:

    The server has the user’s salt and public key, the client knows the password. Through application of some highly advanced magic, a private key materializes in the client, matching the public key known to the server. This only works if the password known to the client is correct, yet the client doesn’t learn the salt and the server doesn’t learn the password in the process. From that point on, the client can sign any requests sent to the server, and the server can verify them as belonging to this user.

    The fact that you can do it like this is amazing. Yet the blog post seems to suggest that websites should adopt this approach. I wrote a comment mentioning this being pointless. The resulting discussion with another commenter made obvious that the fundamental issues of browser-based cryptography that I first saw mentioned in Javascript Cryptography Considered Harmful (2011) still aren’t widely known.

  • X.Org Server 1.20.3 Released To Fix New Security Issue

    We've known that the X.Org Server security has been a "disaster" (according to security researchers) and while many bugs have been fixed in recent years, not all of the security bugs date back so far in the decades old code-base. Out today is X.Org Server 1.20.3 to fix a new CVE issued for X.Org Server 1.19 and newer.

    In X.Org Server 1.19 through X.Org Server 1.20.2 there was incorrect command-line parameter validation that could lead to privilege escalation and files being arbitrarily overwritten.

  • Security updates for Thursday

Cathay Pacific Cracked

Filed under
Security

Linux Security and FUD: TPM, OpenPGP, Spectre and Weak/Identical Passwords

Filed under
Linux
Security
  • Secure key handling using the TPM

    Trusted Computing has not had the best reputation over the years — Richard Stallman dubbing it "Treacherous Computing" probably hasn't helped — though those fears of taking away users' control of their computers have not proven to be founded, at least yet. But the Trusted Platform Module, or TPM, inside your computer can do more than just potentially enable lockdown. In our second report from Kernel Recipes 2018, we look at a talk from James Bottomley about how the TPM works, how to talk to it, and how he's using it to improve his key handling.

    Everyone wants to protect their secrets and, in a modern cryptographic context, this means protecting private keys. In the most common use of asymmetric cryptography, private keys are used to prove identity online, so control of a private key means control of that online identity. How damaging this can be depends on how much trust is placed in a particular key: in some cases those keys are used to sign contracts, in which case someone who absconds with a private key can impersonate someone on legal documents — this is bad.

    The usual solution to this is hardware security modules, nearly all of which are USB dongles or smart cards accessed via USB. Bottomley sees the problem with these as capacity: most USB devices can only cope with one or two key pairs, and smart cards tend to only hold three. His poster child in this regard is Ted Ts'o, whose physical keyring apparently has about eleven YubiKeys on it. Bottomley's laptop has two VPN keys, four SSH keys, three GPG keys (because of the way he uses subkeys) and about three other keys. Twelve keys is beyond the capacity of any USB device that he knows of.

  • OpenPGP signature spoofing using HTML

    Beyond just encrypting messages, and thus providing secrecy, the OpenPGP standard also enables digitally signing messages to authenticate the sender. Email applications and plugins usually verify these signatures automatically and will show whether an email contains a valid signature. However, with a surprisingly simple attack, it's often possible to fool users by faking — or spoofing — the indication of a valid signature using HTML email.

    For example, until version 2.0.7, the Enigmail plugin for Mozilla Thunderbird displayed a correct and fully trusted signature as a green bar above the actual mail content. The problem: when HTML mails are enabled this part of the user interface can be fully controlled by the mail sender.

  • Fighting Spectre with cache flushes

    One of the more difficult aspects of the Spectre hardware vulnerability is finding all of the locations in the code that might be exploitable. There are many locations that look vulnerable that aren't, and others that are exploitable without being obvious. It has long been clear that finding all of the exploitable spots is a long-term task, and keeping new ones from being introduced will not be easy. But there may be a simple technique that can block a large subset of the possible exploits with a minimal cost.

    Speculative-execution vulnerabilities are only exploitable if they leave a sign somewhere else in the system. As a general rule, that "somewhere else" is the CPU's memory cache. Speculative execution can be used to load data into the cache (or not) depending on the value of the data the attacker is trying to exfiltrate; timing attacks can then be employed to query the state of the cache and complete the attack. This side channel is a necessary part of any speculative-execution exploit.

    It has thus been clear from the beginning that one way of blocking these attacks is to flush the memory caches at well-chosen times, clearing out the exfiltrated information before the attacker can get to it. That is, unfortunately, an expensive thing to do. Flushing the cache after every system call would likely block a wide range of speculative attacks, but it would also slow the system to the point that users would be looking for ways to turn the mechanism off. Security is all-important — except when you have to get some work done.

    Kristen Carlson Accardi recently posted a patch that is based on an interesting observation. Attacks using speculative execution involve convincing the processor to speculate down a path that non-speculative execution will not follow. For example, a kernel function may contain a bounds check that will prevent the code from accessing beyond the end of an array, causing an error to be returned instead. An attack using the Spectre vulnerability will bypass that check speculatively, accessing data that the code was specifically (and correctly) written not to access.

  • Chalubo botnet targets Linux systems: Report [Ed: Misleading. Not about Linux but bad passwords. One has to wonder what goes through the minds of corporate news writers who learn about poorly-secured products and then ask, "does it run Linux?" Then they blame Linux. But never the same when something runs Windows (then it's "PC").]
  • Poorly secured SSH servers targeted by Chalubo botnet
  • This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai

Security: Updates, LJ and Embargoes at Red Hat

Filed under
Security
  • Security updates for Wednesday
  • Episode 4: All About Security
  • Security embargoes at Red Hat

    The software security industry uses the term Embargo to describe the period of time that a security flaw is known privately, prior to a deadline, after which time the details become known to the public. There are no concrete rules (other than do not break the embargo, that is) for handling embargoed security flaws, but Red Hat uses some generally used security principles on how we handle them.

    When an issue is under embargo, Red Hat cannot share information about that issue prior to it becoming public after an agreed upon deadline. It is likely that any software project will have to deal with an embargoed security flaw at some point, and this is often the case for Red Hat.

Security: Updates, Windows Malware, and Supply-Chain Attacks

Filed under
Security
  • Security updates for Tuesday
  • Russia Linked to Disruptive Industrial Control Malware

    FireEye specifically traced the Triton intrusion malware to Russia's Central Scientific Research Institute of Chemistry and Mechanics, located in the Nagatino-Sadvoniki district of Moscow.

  • TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

    TEMP.Veles’ lateral movement activities used a publicly-available PowerShell-based tool, WMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection. Soon after, the customized utility was again evaluated in the malware testing environment. The following day, TEMP.Veles again tried the utility on a compromised system.

  • Triton malware shines light on threat facing energy production companies

    Dubbed “Triton”or “Trisis,” the malware disrupts an emergency shutdown capability in Schneider Electric’s Triconex safety instrumented system (SIS). By targeting this system, Triton makes it easier for an industrial control system (ICS) to fail and break down.

  • Triton: [crackers] take out safety systems in 'watershed' attack on energy plant

    Galina Antova, co-founder of cybersecurity firm Claroty, said safety systems “could be fooled to indicate that everything is OK” even as [crackers] damage a plant.

  • New "Triton" ICS Malware Used in Critical Infrastructure Attack

    The [crackers] deployed Triton on a Windows-based engineering workstation. The malware had left legitimate programs running on the controllers in place, but added its own programs to the execution table. The threat attempts to return the controller to a running state in case of a failure, or overwrite the malicious program with junk data if the attempt fails, likely in an effort to cover its tracks.

  • FireEye Finds New Clues in TRITON/TRISIS Attack

    Attackers behind the epic industrial-plant hack reverse-engineered the safety-monitoring system's proprietary protocol, researchers found.

  • Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme

    But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans. (A full list of the apps, the websites, and their associated companies connected to the scheme can be found in this spreadsheet.)

  • Two new supply-chain attacks come to light in less than a week

    The second supply-chain attack to come to light this week involves a malicious package that was slipped into the official repository for the widely used Python programming language. Called “Colourama,” the package looked similar to Colorama, which is one of the top-20 most-downloaded legitimate modules in the Python repository. The doppelgänger Colourama package contained most of the legitimate functions of the legitimate module, with one significant difference: Colourama added code that, when run on Windows servers, installed this Visual Basic script. It constantly monitors the server’s clipboard for signs a user is about to make a cryptocurrency payment. When triggered, the script diverts the payments from the wallet address contained in the clipboard to an attacker-owned wallet.

Security: Cross-Hyperthread Spectre V2 Mitigation Ready For Linux, Targeted vs General-Purpose Security and More

Filed under
Security
  • Cross-Hyperthread Spectre V2 Mitigation Ready For Linux With STIBP

    On the Spectre front for the recently-started Linux 4.20~5.0 kernel is STIBP support for cross-hyperthread Spectre Variant Two mitigation.

    Going back to the end of the summer was the patch work for this cross-hyperthread Spectre V2 mitigation with STIBP while now it's being merged to mainline.

  • Targeted vs General purpose security

    There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’s good advice. They’ll get a few morsels, them someone will point out whatever corner case makes that advice bad and the conversation will spiral into nonsense where we find ourselves trying to defend someone mostly concerned about cat pictures from being kidnapped by a foreign nation. Eventually whoever asked for help quit listening a long time ago and decided to just keep their passwords written on a sticky note under the keyboard.

    I’m pretty sure the fundamental flaw in all this thinking is we never differentiate between a targeted attack and general purpose security. They are not the same thing. They’re incredibly different in fact. General purpose advice can be reasonable, simple, and good. If you are a target you’ve already lost, most advice won’t help you.

    General purpose security is just basic hygiene. These are the really easy concepts. Ideas like using a password manager, multi-factor-auth, install updates on your system. These are the activities anyone and everyone should be doing. One could argue these should be the default settings for any given computer or service (that’s a post for another day though). You don’t need to be a security genius to take these steps. You just have to restrain yourself from acting like a crazy person so whoever asked for help can actually get the advice they need.

  • Oracle Moves to Gen 2 Cloud, Promising More Automation and Security [Ed: Ellison wants people to blindly trust proprietary blobs for security (a bad thing to do, never mind the CIA past of Oracle and severe flaws in its DBs)].

    A primary message from Ellison is that the Gen 2 Oracle cloud is more secure, with autonomous capabilities to help protect against attacks. Ellison also emphasized the segmentation and isolation of workloads on the Gen 2 Oracle cloud, providing improved security.

  • Reproducible Builds: Weekly report #182

    Here’s what happened in the Reproducible Builds effort between Sunday October 14 and Saturday October 20 2018...

Windows Back Doors for NSA, Libssh (Not Related to OpenSSH) Patched

Filed under
Security
  • Windows servers still infected by DarkPulsar NSA exploit

    Researchers from security outfit Kaspersky Lab say they have found about 50 systems infected by the DarkPulsar malware, part of the NSA exploits which were dumped online by a group calling itself the Shadow Brokers in 2017.
    A research brief written by Andrey Dolgushev, Dmitry Tarakanov and Vasily Berdnikov said DarkPulsar was in the implants category of the dump which included two frameworks called DanderSpritz and FuzzBunch. DarkPulsar was not a backdoor in itself, but just the administrative part of a backdoor.

  • Kaspersky says it detected infections with DarkPulsar, alleged NSA malware

    The hacking tools were leaked by a group of hackers known as the Shadow Brokers, who claimed they stole them from the Equation Group, a codename given by the cyber-security industry to a group that's universally believed to be the NSA.

    DarkPulsar went mostly unnoticed for more than 18 months as the 2017 dump also included EternalBlue, the exploit that powered last year's three ransomware outbreaks --WannaCry, NotPetya, and Bad Rabbit.

    Almost all the infosec community's eyes have been focused on EternalBlue for the past year, and for a good reason, as the exploit has now become commodity malware.

    But in recent months, Kaspersky researchers have also started to dig deeper into the other hacking tools leaked by the Shadow Brokers last year.

    They looked at FuzzBunch, which is an exploit framework that the Equation Group has been using to deploy exploits and malware on victims' systems using a CLI interface similar to the Metasploit pen-testing framework.

  • Libssh CVE-2018-10933 Scanners & Exploits Released - Apply Updates Now

Security: Telstra, Google+ and Facebook Incidents, and Latest Updates

Filed under
Security
Syndicate content

More in Tux Machines

Google Shows Off New Android Dev Tools

After years of teasing and speculation, it finally looks as though foldable screen smartphones are headed to market. Google's dev announcement followed closely on the heels of Samsung's announcement at its own developer conference of a folding phone/tablet prototype with Infinity Flex Display. The Android tools will take advantage of the new display technology, which literally bends and folds, noted Stephanie Cuthbertson, director of product management at Google. The technology is based on two variations of screen design: two-screen devices and one-screen devices. Read more

More Empty Promises From Microsoft

today's howtos

Today in Techrights