Security Leftovers

Filed under
Security

UK's National Cyber Security Centre Gives Advice on Securing Ubuntu 18.04 LTS

Filed under
Security
Ubuntu

Dubbed Bionic Beaver, the Ubuntu 18.04 LTS operating system was launched in April 2018 as the latest release of Canonical's popular Ubuntu Linux OS, and it's a long-term support release that will receive security and software updates for the next five years, until April 2023. The Ubuntu 18.04.1 LTS point release is also available for download and includes all the latest security updates.

Being based on the Linux kernel, Ubuntu is already a secure computer operating system compared to Windows or macOS, but if you're living in the UK (United Kingdom) and you need to configure your Ubuntu 18.04 LTS installations for maximum security, the National Cyber Security Centre tells you how.

Read more

Security: Symantec TLS Certificates, Automating Kernel Exploitation, Initial SpectreRSB Support

Filed under
Security
  • Update on the Distrust of Symantec TLS Certificates

    Firefox 60 (the current release) displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate. This is part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017. This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates. As previously stated, DigiCert’s acquisition of Symantec’s Certification Authority has not changed these plans.

    In early March when we last blogged on this topic, roughly 1% of websites were broken in Firefox 60 due to the change described above. Just before the release of Firefox 60 on May 9, 2018, less than 0.15% of websites were impacted – a major improvement in just a few months’ time.

  • Automating Kernel Exploitation for Better Flaw Remediation

    Black Hat researchers plan on open sourcing a new framework they say can help organizations get a better rein on vulnerability fixes for kernel bugs.

    The explosive disclosure of the Spectre and Meltdown vulnerabilities were like a detonator on the already incendiary field of kernel vulnerabilities this year. Security researchers had previously been ramping up their exploration of kernel bugs, but this year the discoveries have mushroomed considerably.

  • Initial SpectreRSB Support Queued For Merging Into The Mainline Linux Kernel

    Last week "SpectreRSB" was detailed as a new Spectre Variant Two-like attack affecting modern processors. A Linux kernel patch was quick to materialize and now it's been staged for merging soon into the mainline Linux kernel.

    Spectre Return Stack Buffer is just one of the newest speculative execution vulnerabilities affecting at least Intel CPUs. Researchers at the University of California were able to exploit SpectreRSB into leaking private data protected by Intel SGX (Software Guard Extensions), and found that these return stack buffer attacks could be process-to-process or even inter-VM.

The Dark Side of Containers: Protecting Container Data from Itself

Filed under
GNU
Linux
Server
Security

Containers are virtualized but not by hypervisors. They can be deployed to a VM but are not VMs.

Both containers and VMs use server/host OS as the bottom two layers of the stack. In VM environments, the next level is the hypervisor followed by VMs containing guest OS, libraries (div/lib in Linux), and applications. A single VM runs two full operating systems: the host and guest OS.

In contrast, containers do not have a hypervisor layer. A container shares the host OS, housing only the libraries and application code and data. Container benefits include greater portability, less operational overhead, lower OS licensing and maintenance/support costs, and less expensive application development.

Read more

Security: Updates, Marcus Hutchins (MalwareTech) and FUD

Filed under
Security

EasySSH is your next favorite GUI SSH client

Filed under
Software
Security

For some tasks, I'm a Linux purist and refuse to budge from the command line. But other tasks could be made a bit more efficient with a GUI tool. One such task is having to log into a data center full of Linux servers. Instead of issuing the command USER@IP (where USER is a user name and IP is the server IP) over and over, wouldn't it be nice to have a simple, one-trick-pony GUI tool that would allow you to store those logins? Fortunately, there are a few such tools available. The one I use the most is EasySSH. This particular take on the SSH GUI tool doesn't offer much in the way of bells and whistles, but it does a great job of keeping all my SSH logins saved, so a login is but a click away.

I know what you're thinking.

Security!

Yes. There is one major caveat to this tool. Anyone who has access to the tool can gain access to your servers. Why? Because usernames/passwords are required to be saved. So if you want to use this tool (which I do), do so only on a machine you trust and that can't (in any way) fall into the wrong hands. Even with that glaring security issue, EasySSH is an application you should consider for your busy Linux remote admin work. Let me show you how to install and use it. I'll be demonstrating on Elementary OS (as EasySSH was developed specifically for Elementary OS), but you can install the tool on any platform that supports Flatpak.

Read more

Also: SPAKE2 In Golang: Elliptic Curves Primer

Security: Machine Learning, Signal and NetSpectre

Filed under
Security
  • What Are Machine Learning Models Hiding?

    Federated learning, where models are crowd-sourced from hundreds or even millions of users, is an even juicier target. In a recent paper, we show that a single malicious participant in federated learning can completely replace the joint model with another one that has the same accuracy but also incorporates backdoor functionality. For example, it can intentionally misclassify images with certain features or suggest adversary-chosen words to complete certain sentences.

  • Concerns with Signal receipt notifications

    I'm paraphrasing as I lost my copy of the original chat, but it was striking how he had absolutely no clue how I figured out he had just come home in front of his laptop. He was quite worried I hacked into his system to spy on his webcam or some other "hack". As it turns out, I just made simple assertions based on data Signal provides to other peers when you send messages. Using those messages, I could establish when my friend opened his laptop and the Signal Desktop app got back online.

  • Thoughts on NetSpectre

    In this blog post, I’m going to walk through the NetSpectre vulnerability, what this means to our customers, and what Red Hat and other industry partners are doing to address it.

    Please note that based on Red Hat’s understanding, the observed measured maximum leakage rate from successfully exploiting this vulnerability is on the order of 15-60 bits (2-8 bytes) per hour on a local network, much lower over the internet and we do not yet have real-world examples of vulnerable code. Nonetheless, the risk posed by sophisticated attackers capable of deploying Advanced Persistent Threats (APTs) like NetSpectre against sensitive installations is real. But it is important to remember that an attacker will require a very significant amount of time to actually pull off a real-world attack.

  • NetSpectre Attack Could Enable Remote CPU Exploitation

    Researchers from Graz University in Austria released new research on July 26 detailing how the Spectre CPU speculative execution vulnerability could be used over a remote network.

    In a 14-page report, the researchers dubbed their attack method NetSpectre, which can enable an attacker to read arbitrary memory over a network. Spectre is the name that researchers have given to a class of vulnerabilities that enable attackers to exploit the speculative execution feature in modern CPUs. Spectre and the related Meltdown CPU vulnerabilities were first publicly disclosed on Jan. 3.

  • NetSpectre: not much of a PowerPC threat either

    In the continuing death march of Spectre side-channel variants for stealing data, all of the known attacks thus far have relied upon code running locally on the computer (so don't run sketchy programs, which have much better ways of pwning your Power Mac than slow and only occasionally successful data leaks). As you'll recall, it is possible for Spectre to succeed on the G5 and 7450 G4e, but not on the G3 and 7400.

    The next generation is making Spectre go remote, and while long hypothesized it was never demonstrated until the newest, uh, "advance" called NetSpectre (PDF). The current iteration comes in two forms.

Security: Updates, Bitwarden, Remote Spectre Exploits, Ascendance of nftables

Filed under
Security
  • Security updates for Friday
  • Update: 3 months with Bitwarden

    Three months ago, I wanted to move away from LastPass — who’ve lately been reducing support for Firefox and other platforms — to an open source password manager instead. I chose to migrate to Bitwarden and I’ve been overall happy with the decision ever since. Here are my thoughts and impressions three months on with Bitwarden.

  • Remote Spectre exploits demonstrated

    This paper from four Graz University of Technology researchers [PDF] describes a mechanism they have developed to exploit the Spectre V1 vulnerability over the net, with no local code execution required. "We show that memory access latency, in general, can be reflected in the latency of network requests. Hence, we demonstrate that it is possible for an attacker to distinguish cache hits and misses on specific cache lines remotely, by measuring and averaging over a larger number of measurements. Based on this, we implemented the first access-driven remote cache attack, a remote variant of Evict+Reload called Thrash+Reload. Our remote Thrash+Reload attack is a significant leap forward from previous remote cache timing attacks on cryptographic algorithms. We facilitate this technique to retrofit existing Spectre attacks to our network-based scenario. This NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system." Other attacks described in the paper are able to achieve higher rates.

  • The Ascendance of nftables

    iptables is the default Linux firewall and packet manipulation tool. If you’ve ever been responsible for a Linux machine (aside from an Android phone perhaps) then you’ve had to touch iptables. It works, but that’s about the best thing anyone can say about it.

    At Red Hat we’ve been working hard to replace iptables with its successor, nftables, which has actually been around for years but for various reasons was unable to completely replace iptables. Until now.

Security: Vista 10, Intel, Internet Cannot be Trusted and Google Promotes Keys

Filed under
Security
  • Enterprise Windows 10 users, Microsoft has some 'quality' patches coming your way

    Running Windows 10 in the enterprise? Took the advice of Microsoft when it said the April 2018 Update was ready for the big leagues? You probably want to install last night's "quality improvements".

    In what is starting to feel a little more frequent than it should, Microsoft pushed out a raft of fixes for the 1803 incarnation of Windows 10 (aka the April 2018 Update), marking the third such update in July and taking the build number to 17134.191.

  • Some of Intel's Effort to Repair Spectre in Future CPUs

    Arjan van de Ven agreed it was extremely unlikely that anyone would claim to be Skylake unless it was to take advantage of the RSB issue.

    That was it for the discussion, but it's very cool that Intel is consulting with the kernel people about these sorts of hardware decisions. It's an indication of good transparency and an attempt to avoid the fallout of making a bad technical decision that would incur further ire from the kernel developers.

  • More mitigations against speculative execution vulnerabilities

    Philip Guenther (guenther@) and Bryan Steele (brynet@) have added more mitigations against speculative execution CPU vulnerabilities on the amd64 platform.

  • The Internet Cannot be Trusted – Beamsplitters, Backdoors, and Broken Promises

    We all know that the Internet is not a fundamentally safe place. With the tremendous gains in information sharing and the conveniences that the Internet brings, come opportunities for exploitation. Fraud, harassment, surveillance, censorship, social and political manipulation, industrial and political espionage, data theft and discrimination have all taken hold in one of the greatest tools ever created by mankind.

    This article is intended to show you those failings in design, and the challenges ahead that engineers around the world have to imagine their way out of. I will focus heavily on network equipment, but this problem extends far beyond that horizon. PCs, mobile devices, industrial systems, the cloud, and databases around the world all face serious issues that are beyond the scope of this writing.

  • Google takes on Yubico with its self-made Titan Security Key

    Google's key, similar to Yubico's YubiKey, will now be made available to the general unwashed, with Google announcing that it'll first be made available for Cloud customers before going on sale in the coming months.

    The Titan uses multifactor authentication to protect people against phishing attacks and will be made available in multiple forms, such as a Bluetooth fob or USB stick, acting as an extra layer of security when logging into Google accounts.

Linux Kernel Gets Patch For New SpectreRSB Vulnerability

Filed under
Linux
Security

Earlier this week SpectreRSB was revealed by University of California researchers as a new Spectre V2-like attack affecting modern processors. A Linux kernel patch is in the works to start mitigating SpectreRSB.

The RSB in this context refers to the Return Stack Buffer that is targeted in this latest speculative execution issue. The researchers found that with this vulnerability they could leak private data supposed to be protected by Intel's Software Guard Extensions (SGX), and that the return stack buffer attacks could be cross-process or inter-VM.

Read more

Also: Security updates for Wednesday

More in Tux Machines

Keeping patient data safe with open source tools

Healthcare is experiencing a revolution. In a tightly regulated and ancient industry, the use of free and open source software makes it uniquely positioned to see a great deal of progress. I work at a scrappy healthcare startup where cost savings are a top priority. Our primary challenge is how to safely and efficiently manage personally identifying information (PII), like names, addresses, insurance information, etc., and personal health information (PHI), like the reason for a recent clinical visit, under the regulations of the Health Insurance Portability and Accountability Act of 1996, HIPAA, which became mandatory in the United States in 2003.

Read more

Security Leftovers

  • Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

    But according to Indian news outlet Dailypionneer.com, there was a second attack carried out on August 13, when the Cosmos Bank hackers transferred nearly $2 million to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong.

  • How to Protect Yourself Against a SIM Swap Attack

    A sobering caveat: If a skilled SIM hijacker targets you, there’s realistically not much you can do to stop them, says Allison Nixon, threat research at security firm Flashpoint. “In most of the cases that we’ve seen, a sufficiently determined attacker can take over someone’s online footprint,” she says.

    That’s because ultimately, the machinations behind SIM swaps are largely out of your control. [...]

  • Open Source Security Podcast: Episode 110 - Review of Black Hat, Defcon, and the effect of security policies

    Josh and Kurt talk about Black Hat and Defcon and how unexciting they have become. What happened with hotels at Defcon, and more importantly how many security policies have 2nd and 3rd level effects we often can't foresee. We end with important information about pizza, bananas, and can openers.

YunoHost 3.0.0.1

At this point I have only set up YunoHost, created a few user accounts and installed a handful of applications. While I may play with it further, my main focus going into this trial was how well the framework of the distribution functions. That is: is it easy to install, how hard is it for new users to add services and accounts, and is it straightforward to keep the system up to date? Basically, I wanted to know whether I could give this distribution to someone who wanted to set up home-based network services for the first time and expect them to be able to use it.

Based on my experiences so far with YunoHost, my answer is: probably. The distribution does make it pretty easy to create user accounts and install web-based services. In fact, YunoHost does this quite well. The admin panel is very streamlined, uncluttered and easy to navigate and getting something like a game of Hextris or a media streaming service installed is about as easy as a few mouse clicks. Managing the firewall, monitoring the system and creating backups are nearly as easy. The administrator still needs to figure out how to get backup archives off the disk to another location for safe keeping, but the bulk of the work in backing up and restoring the operating system is done for us.

Where I feel the distribution runs into trouble is mostly little details, and a few general concepts. For example, asking the user to create an "admin" password but leaving the root password as the default is both likely to confuse people and leave a permanent security hole on the servers of most inexperienced hobbyist administrators. On the topic of accounts, it makes sense, from a security standpoint, to separate web accounts from system accounts. But, this means there may be some confusion as to why, once an account has been created, it cannot log into the system. Little concepts like this may throw new users and I don't feel these issues are well addressed by the documentation.

The first time through, the system installer failed during the partitioning section. It worked the second time though with the same settings, so I'm not sure if this is a semi-persistent bug or a one-time error with my system.

On the whole, YunoHost performs well. It's light on resources, it offers a lot of common network services home administrators will probably want and it is pretty easy to run and maintain. There are a few little wrinkles in the experience, but in general I found the distribution to be straightforward to use. For people looking to set up a home server, this is probably a good platform on which to build.

Read more

Software: GIMP, Password Safe, and Podcasts

  • GIMP 2.10.6 Introduces Vertical Text, New Filters, and GIMP Extension Public Repo

    A brand-new point release for popular photo editing software GIMP has been released today, bringing GIMP to version 2.10.6 – this update doesn’t bring a whole load of significant features, but there are some great improvements and new functionalities. For starters, GIMP 2.10.6 finally introduces support for vertical text (top to bottom), which has been a highly requested feature particularly for East-Asian writing systems. Thus, users can now set text in mixed orientation (as is typical in East-Asian vertical writing) or upright orientation (more common for Western vertical writing), with right-to-left, as well as left-to-right columns.

  • Password Safe is a KeePass-Compatible Password Manager for Linux

    Password Safe is an open-source KeePass-compatible password manager for Linux, designed specifically for use on the GNOME desktop.

  • Linux users finally get a decent podcasts app called, well, ‘Podcasts’

    Podcasts are a hugely popular form of “infotainment” these days, with almost any and every niche you can think of catered for with a show or a segment. If you’re not enjoying the wealth of podcasts out there, you’re really missing out. Podcasts provide you with the experience of a radio show, covering a wide range of topics ranging from gospel to science fiction to music and everything in between. There are so many ways to enjoy your podcast. On mobile, popular apps such as PocketCast offer users a one-stop-shop for all the podcasts you can listen to. Many music streaming services like Apple Music and Spotify offer dedicated sections on Podcasts.