Security

Security News

Filed under
Security
  • 6 ways to secure air-gapped computers from data breaches

    How do you avoid this? Depending upon the nature of the data contained within the air-gapped system, you should only allow certain staff members access to the machine. This might require the machine to be locked away in your data center or in a secured room on the premises. If you don't have a data center or a dedicated room that can be locked, house the computer in the office of a high-ranking employee.

  • Possibly Smart, Possibly Stupid, Idea Regarding Tor & Linux Distributions

    I will admit that I have not fully thought this through yet, so I am writing this in the hope that other folk will follow up, share their experiences and thoughts.

    So: I have installed a bunch of Tor systems in the past few months - CentOS, Ubuntu, Raspbian, Debian, OSX-via-Homebrew - and my abiding impression of the process is one of "friction".

    Before getting down to details, I hate to have to cite this but I have been a coder and paid Unix sysadmin on/off since 1988, and I have worked on machines with "five nines" SLAs, and occasionally on boxes with uptimes of more than three years; have also built datacentres for Telcos, ISPs and built/setup dynamic provisioning solutions for huge cluster computing. The reason I mention this is not to brag, but to forestall

  • [Older] Introducing rkt’s ability to automatically detect privilege escalation attacks on containers

    Intel's Clear Containers technology allows admins to benefit from the ease of container-based deployment without giving up the security of virtualization. For more than a year, rkt's KVM stage1 has supported VM-based container isolation, but we can build more advanced security features atop it. Using introspection technology, we can automatically detect a wide range of privilege escalation attacks on containers and provide appropriate remediation, making it significantly more difficult for attackers to make a single compromised container the beachhead for an infrastructure-wide assault.

  • Diving back into coreboot development

    Let me first introduce myself: I’m Youness Alaoui, mostly known as KaKaRoTo, and I’m a Free/Libre Software enthusiast and developer. I’ve been hired by Purism to work on porting coreboot to the Librem laptops, as well as to try and tackle the Intel ME issue afterwards.

    I know many of you are very excited about the prospect of having coreboot running on your Librem and finally dropping the proprietary AMI BIOS that came with it. That’s why I’ll be posting reports here about progress I’m making—what I’ve done so far, and what is left to be done.

  • Web databases hit in ransom attacks

    Gigabytes of medical, payroll and other data held in MongoDB databases have been taken by attackers, say security researchers.

  • Why HTTPS for Everything?

    HTTPS enables privacy and integrity by default. It is going to be the next big thing. The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic. Ultimately, the goal of the internet community is to establish encryption as the norm, and to phase out unencrypted connections. Investing in HTTPS makes it faster, cheaper, and easier for everyone.

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Linux KillDisk Ransomware Can't Decrypt

    Disk-wiping malware known as KillDisk, which has previously been used in hack attacks tied to espionage operations, has been given an update. Now, the malware works on Linux as well as Windows systems and also includes the ability to encrypt files, demand a bitcoin ransom and leave Linux systems unbootable.

  • GNU Officially Boots Libreboot

    FSF and GNU decide to grant Libreboot lead developer Leah Rowe’s wishes. The project is no longer a part of GNU, says RMS.

Security News

Filed under
Security
  • 8 Docker security rules to live by

    Odds are, software (or virtual) containers are in use right now somewhere within your organization, probably by isolated developers or development teams to rapidly create new applications. They might even be running in production. Unfortunately, many security teams don’t yet understand the security implications of containers or know if they are running in their companies.

    In a nutshell, Linux container technologies such as Docker and CoreOS Rkt virtualize applications instead of entire servers. Containers are superlightweight compared with virtual machines, with no need for replicating the guest operating system. They are flexible, scalable, and easy to use, and they can pack a lot more applications into a given physical infrastructure than is possible with VMs. And because they share the host operating system, rather than relying on a guest OS, containers can be spun up instantly (in seconds versus the minutes VMs require).

  • Zigbee Writes a Universal Language for IoT

    The nonprofit Zigbee Alliance today unveiled dotdot, a universal language for the Internet of Things (IoT).

    The group says dotdot takes the IoT language at Zigbee’s application layer and enables it to work across different networking technologies.

  • $25,000 Prize Offered in FTC IoT Security Challenge

    It appears as if the Federal Trade Commission is getting serious about Internet of Things security issues -- and it wants the public to help find a solution. The FTC has announced a contest it's calling the "IoT Home Inspector Challenge." What's more, there's a big payoff for the winners, with the Top Prize Winner receiving up to $25,000 and each of up to three "Honorable Mentions" getting $3,000. Better yet, winners don't have to fork over their intellectual property rights, and will retain rights to their submissions.

    Of course, the FTC is a federal agency, and with a change of administrations coming up in a couple of weeks, it hedges its bet a bit with a caveat: "The Sponsor retains the right to make a Prize substitution (including a non-monetary award) in the event that funding for the Prize or any portion thereof becomes unavailable." In other words, Obama has evidently given the go-ahead, but they're not sure how Trump will follow through.

  • LG threatens to put Wi-Fi in every appliance it releases in 2017

    In the past few years, products at CES have increasingly focused on putting the Internet in everything, no matter how "dumb" the device in question is by nature. It's how we've ended up with stuff like this smart hairbrush, this smart air freshener, these smart ceiling fans, or this $100 pet food bowl that can order things from Amazon.

  • Ex-MI6 Boss: When It Comes To Voting, Pencil And Paper Are 'Much More Secure' Than Electronic Systems

    Techdirt has been worried by problems of e-voting systems for a long time now. Before, that was just one of our quaint interests, but over the last few months, the issue of e-voting, and how secure it is from hacking, specifically hacking by foreign powers, has become a rather hot topic. It's great that the world has finally caught up with Techdirt, and realized that e-voting is not just some neat technology, and now sees that democracy itself is at play. The downside is that because the stakes are so high, the level of noise is too, and it's really hard to work out how worried we should be about recent allegations, and what's the best thing to do on the e-voting front.

  • Five things that got broken at the oldest hacking event in the world

    Chaos Communication Congress is the world’s oldest hacker conference, and Europe’s largest. Every year, thousands of hackers gather in Hamburg to share stories, trade tips and discuss the political, social and cultural ramifications of technology.

    As computer security is a big part of the hacker world, they also like to break things. Here are five of the most important, interesting, and impressive things broken this time.

Security News

Filed under
Security
  • KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
  • KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
  • lecture: What could possibly go wrong with (insert x86 instruction here)? [Ed: video]

    Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.

    When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • MongoDB Data Being Held For Ransom

    If you're using MongoDB, you might want to check to make sure you have it configured properly -- or better yet, that you're running the latest and greatest -- to avoid finding it wiped and your data being held for ransom.

    A hacker who goes by the name Harak1r1 is attacking unprotected MongoDB installations, wiping their content and installing a ransom note in place of the stolen data. The cost to get the data returned is 0.2 bitcoin, which comes to about $203. If that sounds cheap, it isn't. Not if you're deploying multiple Mongo databases and they all get hit -- which has been happening.
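
    The "check to make sure you have it configured properly" step above, as an added example that is not from the article or from MongoDB's own tooling: a POSIX shell script that reads a mongod.conf in the YAML layout (net.bindIp, net.bindIpAll, security.authorization) and reports the two settings that left the ransomed instances open, a listener on every interface and access control switched off. The sample config it runs on is constructed, and the rule that a missing bindIp means "all interfaces" reflects the pre-3.6 default (an assumption about the version in use).

```shell
#!/bin/sh
# Added example (not from the article): audit a mongod.conf (YAML format) for the
# two settings that left the ransomed deployments open: a listener on every
# interface and access control left disabled. The layout assumed is the
# net.bindIp / net.bindIpAll / security.authorization structure of mongod.conf 3.x.

# conf_value FILE KEY -> prints the scalar after "KEY:" (first match), quotes stripped.
# Good enough for mongod.conf's flat "key: value" lines; it is not a YAML parser.
conf_value() {
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key ":") {
            sub("^[ \t]*" key ":[ \t]*", "")
            gsub(/"/, "")
            print
            exit
        }' "$1"
}

# audit_mongod_conf FILE -> prints one line per finding; returns 1 if anything
# was found, 0 if the instance is bound to specific addresses with auth enabled.
audit_mongod_conf() {
    file=$1
    findings=0
    bind=$(conf_value "$file" bindIp)
    bindall=$(conf_value "$file" bindIpAll)
    auth=$(conf_value "$file" authorization)

    if [ -z "$bind" ]; then
        # Assumption: pre-3.6 mongod, where an unset bindIp means all interfaces.
        echo "net.bindIp unset: mongod before 3.6 listens on all interfaces by default"
        findings=1
    else
        for addr in $(printf '%s' "$bind" | tr ',' ' '); do
            case "$addr" in
                0.0.0.0|::) echo "net.bindIp includes $addr: reachable on every interface"; findings=1 ;;
            esac
        done
    fi
    if [ "$bindall" = "true" ]; then
        echo "net.bindIpAll is true: reachable on every interface"
        findings=1
    fi
    if [ "$auth" != "enabled" ]; then
        echo "security.authorization not enabled: any client that connects can read, drop and ransom every database"
        findings=1
    fi
    return $findings
}

# Demonstration on a constructed config resembling the victims' deployments.
demo=$(mktemp)
cat > "$demo" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongo
EOF
audit_mongod_conf "$demo" || echo "=> this instance would have been wiped and ransomed"
rm -f "$demo"
```

    Run it against /etc/mongod.conf on each host, then confirm what the daemon actually bound with `ss -ltn` (a 0.0.0.0:27017 or [::]:27017 listener is the exposed case regardless of what the file says, since command-line flags override it). A clean result here is necessary but not sufficient: authorization only helps once an administrative user exists, and a host firewall or security group should still block 27017 from anything but the application servers.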

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Musl 1.1.16 Released, Fixes CVE Integer Overflow, s390x Support

    A new version of the musl libc standard library is available for those interested in this lightweight alternative to glibc and others.

    Musl 1.1.16 was released to fix CVE-2016-8859, an under-allocation bug in regexec caused by an integer overflow. Besides that CVE fix, musl 1.1.16 improves overflow handling more generally and includes other noteworthy bug fixes.

  • musl 1.1.16 release
  • Looks like you have a bad case of embedded libraries

    A long time ago pretty much every application and library carried around its own copy of zlib. zlib is a library that does really fast and really good compression and decompression. If you’re storing data or transmitting data, it’s very likely this library is in use. It’s easy to use and is public domain. It’s no surprise it became the industry standard.

  • Deprecation of Insecure Algorithms and Protocols in RHEL 6.9

    Cryptographic protocols and algorithms have a limited lifetime—much like everything else in technology. Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. In this post, we will describe the changes planned for the 6.9 release of Red Hat Enterprise Linux 6, which is already in Production Phase 2.

  • lecture: Million Dollar Dissidents and the Rest of Us [Ed: video]

    In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target’s device if they tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as “a complete ghost”.

    Apple’s updates were the latest chapter in a yearlong investigation by Citizen Lab into a UAE-based threat actor targeting critics of the UAE at home and around the world. In this talk, we will explain how Citizen Lab discovered and tracked this threat actor, and uncovered the first publicly reported iOS remote jailbreak used in the wild for mobile espionage. Using the NSO case, we will detail some of the tools and techniques we use to track these groups, and how they try to avoid detection and scrutiny. This investigation is Citizen Lab’s latest exposé into the abuse of commercial “lawful intercept” malcode.

  • Class Breaks

    There's a concept from computer security known as a class break. It's a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system's software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allows an attacker to recruit those devices into a massive botnet.

    It's a particular way computer systems can fail, exacerbated by the characteristics of computers and software. It only takes one smart person to figure out how to attack the system. Once he does that, he can write software that automates his attack. He can do it over the Internet, so he doesn't have to be near his victim. He can automate his attack so it works while he sleeps. And then he can pass the ability to someone -- or to lots of people -- without the skill. This changes the nature of security failures, and completely upends how we need to defend against them.

GNU/Linux CVEs

Filed under
GNU
Linux
Security
  • Android, Debian & Ubuntu Top List Of CVE Vulnerabilities In 2016 [Ed: while Microsoft lies]

    On a CVE basis for the number of distinct vulnerabilities, Android is ranked as having the most vulnerabilities of any piece of software for 2016, followed by Debian and Ubuntu Linux, with Adobe Flash Player coming in behind them.

    The CVEDetails.com tracking service has compiled a list of software with the most active CVEs. The list isn't limited to just operating systems but all software with Common Vulnerabilities and Exposures.

  • Using systemd for more secure services in Fedora

    The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability.

    Fedora project leader Matthew Miller noted the blog post and wondered if the RestrictAddressFamilies directive could be more widely applied in Fedora. That directive allows administrators to restrict access to the network address families a service can use. For example, most services do not require the raw packet access that AF_PACKET provides, so turning off access to that will harden those services to some extent. But Miller was also curious if there were other systemd security features that the distribution should be taking advantage of.
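
    The RestrictAddressFamilies hardening discussed above, as an added example that is not from the article, from Fedora's unit files or from systemd itself: a POSIX shell script that writes a sandboxing drop-in for a service and audits a unit file plus its drop-ins for the directives a hardened network daemon should carry. The directive set, the `hardening.conf` file name and the minimum systemd version (232, for the ProtectKernel* directives) are my assumptions, and the example unit is constructed.

```shell
#!/bin/sh
# Added example (not from the article, Fedora or systemd): write a sandboxing
# drop-in for a service and audit a unit file plus its drop-ins for the
# directives it should carry. The directive list is an assumed baseline for a
# daemon that only needs ordinary sockets (systemd 232 or later is assumed).

# Directives a hardened network service is expected to set (assumed baseline).
HARDENING_KEYS="RestrictAddressFamilies SystemCallArchitectures NoNewPrivileges \
ProtectSystem ProtectHome PrivateTmp PrivateDevices \
ProtectKernelTunables ProtectKernelModules ProtectControlGroups"

# unit_missing UNITFILE [DROPIN...] -> prints the directives set in none of the
# files; returns 1 if any are missing, 0 if the unit already carries all of them.
unit_missing() {
    missing=""
    for key in $HARDENING_KEYS; do
        grep -qs "^[[:space:]]*$key=" "$@" || missing="$missing $key"
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# af_packet_allowed UNITFILE [DROPIN...] -> 0 if the service could still open an
# AF_PACKET socket (the CVE-2016-8655 surface), 1 if RestrictAddressFamilies denies it.
# Simplification: only the last RestrictAddressFamilies= line is considered;
# systemd merges multiple lines, so confirm the effective value with systemctl show.
af_packet_allowed() {
    line=$(grep -hs "^[[:space:]]*RestrictAddressFamilies=" "$@" | tail -n 1)
    if [ -z "$line" ]; then
        return 0                               # no restriction configured at all
    fi
    value=${line#*=}
    case "$value" in
        "")          return 0 ;;               # empty assignment resets to unrestricted
        "~"*)        case "$value" in *AF_PACKET*) return 1 ;; *) return 0 ;; esac ;;
        *AF_PACKET*) return 0 ;;               # explicitly allow-listed
        *)           return 1 ;;               # allow-list that leaves AF_PACKET out
    esac
}

# write_hardening_dropin DIR -> creates DIR/hardening.conf (DIR is normally
# /etc/systemd/system/<unit>.d). Values are an assumed baseline; adjust per service.
write_hardening_dropin() {
    mkdir -p "$1"
    cat > "$1/hardening.conf" <<'EOF'
[Service]
# Allow UNIX, IPv4 and IPv6 sockets only; AF_PACKET and AF_NETLINK are denied
# simply by not being listed. Needs a kernel with seccomp support.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Refuse the non-native syscall ABIs so the filter cannot be sidestepped via them.
SystemCallArchitectures=native
NoNewPrivileges=yes
# strict = whole filesystem read-only except /dev, /proc, /sys; a daemon that
# writes state needs ReadWritePaths= for those directories.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
EOF
}

# Demonstration on a constructed unit (not a real Fedora service).
work=$(mktemp -d)
cat > "$work/example.service" <<'EOF'
[Unit]
Description=constructed example daemon
[Service]
ExecStart=/usr/bin/example-daemon
EOF
unit_missing "$work/example.service" || true
write_hardening_dropin "$work/example.service.d"
unit_missing "$work/example.service" "$work/example.service.d/hardening.conf" \
    && echo "hardened: all baseline directives present"
af_packet_allowed "$work/example.service" "$work/example.service.d/hardening.conf" \
    || echo "AF_PACKET denied"
rm -rf "$work"
```

    After installing the drop-in, run `systemctl daemon-reload` and check the merged result with `systemctl show NAME.service -p RestrictAddressFamilies`, then watch the journal on the first restart: a service that legitimately needs netlink (most things that configure interfaces) or raw sockets will fail at the denied socket() call, which is exactly the point but must be caught before it reaches production.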

Security News

Filed under
Security
  • Lockpicking in the IoT

    "Smart" devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and App decompilation to show why those devices and their manufacturers aren't always that smart after all. And that even AES128 on top of the BTLE layer doesn't have to mean "unbreakable". Our main target will be electronic locks, but the methods shown apply to many other smart devices as well...

  • Photocopier Security

    A modern photocopier is basically a computer with a scanner and printer attached. This computer has a hard drive, and scans of images are regularly stored on that drive. This means that when a photocopier is thrown away, that hard drive is filled with pages that the machine copied over its lifetime. As you might expect, some of those pages will contain sensitive information.

  • OpenPGP really works

    After a day of analysis, PGP is used, and significantly so, at various layers of my day-to-day activities. I can clearly say “PGP works”. Indeed, it’s not perfect (that’s the reality of a lot of cryptosystems) but PGP needs some love at the IETF, for the implementations or even some financial support.

More in Tux Machines

Fedora: Fedora + Plasma + Unity, Design Interns, and New ISO Build

  • Fedora + Plasma + Unity = Nice looks?
    Hybrid things aren't usually the best option around. Like hybrid cars, for example. Technically, when you marry concepts, you change the energy state, and while this could make sense in that you blend the best of several worlds, when this is done in a forced manner over a short period of time rather than eons of evolution, you end with the worst bits as the product of your mutation. I read about the United theme for Plasma a few months ago, and given that I've spent a fair deal of time fiddling with themes and icons and fonts and making different desktop environments look prettier than their defaults, I was intrigued. So I decided to see whether the notion of having Plasma look like Unity is a sane option. Let us.

    [...] What is thy point, Vanessa, the astute among you may ask? Well, I have nothing against United or its creators, but I did come to the conclusion that too much tweaking is worse than no tweaking, if this statement makes sense. I like the notion of trying to overcome the inherent problems in each desktop through the use of themes and extensions. After all, I've been doing that profusely for the past few months. But it gets undone when you cross the desktop environment space. Making Gnome better yes. Making Plasma better, absolutely. Unity as an overlay for Plasma, well tricky. There's too much disparity for you to be able to hide the underlying workflow mechanisms and UI philosophies. Then, every little inconsistency glares. You notice things you do not expect, and you get angry because there are certain things you do expect. Some transformations work quite well because they build on the foundations, e.g. various Gnome panels or Macbuntu. But Plasma has its own special charm and flow and making it into a weird version of Unity, which itself is a weird version of Gnome misses the bigger picture. And so, if you're asking me, Plasma and Unity are two separate worlds, best enjoyed in isolation.

    United is an interesting notion, but it also signifies the upper limit for my own wild ideas and tweaking. Yes, you can make it work, then again, it means taking away from the beauty and style of what these two desktops do, and that's not the purpose of my pimping guides. So we shall stop here, and explore other colors and shapes. Have fun, little penguins.
  • Fedora Design Interns 2017
    Here’s an update on internships. Older post linked to here. Quick recap: there’s been 2 long-term interns for Fedora design team since February, and one short-term guy, who came for 2 weeks at the beginning of June. Guys have been doing an amazing job, I can’t stress enough how happy I am to have them around.
  • F26-20170815 Updated ISOs released

today's howtos

Security: Hardware Back Doors, Microsoft Windows, Kronos

  • Hiding malware in boobytrapped replacement screens would undetectably compromise your mobile device

    On the one hand, if you let an untrusted stranger install hardware in your electronic device, you're opening yourself up to all kinds of potential mischief; on the other hand, an estimated one in five smartphones has a cracked screen and the easiest, most efficient and cheapest way to get that fixed is to go to your corner repair-shop.

  • How hackers {sic} are targeting the shipping industry [iophk: "Microsoft TCO"]

    Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number.

  • Locky ransomware is back from the dead with two new strains [iophk: "Windows TCO"]

    What hasn't changed, though, is the method of distribution. Rather than rifling through the trove of spilt US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.

  • Connected cars could have an airbag problem

    "It's not the car manufacturers' fault, and it's not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works," added Trend.

    [...] To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles."

  • Code chunk in Kronos malware used long before MalwareTech published it
    A chunk of code found in the Kronos bank-fraud malware originated more than six years before security researcher Marcus Hutchins is accused of developing the underlying code, a fellow security researcher said Friday. The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors' allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.
  • Secret chips in replacement parts can completely hijack your phone’s security
    People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

Ubuntu: Themes and Icons, MAAS, Podcast and More

  • Some interesting Ubuntu themes and icons
    Well, I guess there isn't much to say. If you like the stock looks, ignore this article. If you find the defaults not colorful or fun enough, or you just plain like tweaking, then you might want to consider some of the stuff I've outlined here. My taste is subjective, of course, but then, I aim for simple, clean designs and pleasing art work. Overall, you have plenty of good options here. More icons than themes. Vimix or Arc seem like neat choices for the latter, and among the sea of icons, Moka, Numix and Uniform seem to do a great job. And of course, Macbuntu. I wish there were more monochrome or accented icons, but that's something I still haven't found. Anyhow, I hope you like this silly little piece. If you have suggestions, please send them, just remember my aesthetics criteria - simplicity of installation, clean lines, no gradients, no bugs. That would be all for today, fellas.
  • 7 of the Best Icon Themes for Ubuntu
    On a hunt to find the best icon themes for Ubuntu? Well, you’ve come to the right place! In this post we will show you some of the best icon themes for Ubuntu, ranging from modern, flat icon sets, to a circular icon pack carrying a colourful twist. Oh, and as this article is constantly updated you don’t need to fret about any of the links or information being out of date. Feel free to bookmark this list for future reference, or share it on social media.
  • MAAS Development Summary – August 18th, 2017
  • S10E24 – Fierce Hurried Start
  • conjure-up dev summary: aws native integration, vsphere <3, and ADDONS