Security

Security Leftovers

If you hitch a ride with a scorpion… (Coverity)

I haven’t seen a blog post or notice about this, but according to the Twitters, Coverity has stopped supporting online scanning for open source projects. Is anybody shocked by this? Anybody?

[...]

Not sure what the story is with Coverity, but it probably has something to do with 1) they haven’t been able to monetize the service the way they hoped, or 2) they’ve been able to monetize the service and don’t fancy spending the money anymore or 3) they’ve pivoted entirely and just aren’t doing the scanning thing. Not sure which, don’t really care — the end result is the same. Open source projects that have come to depend on this now have to scramble to replace the service.

[...]

I’m not going to go all RMS, but the only way to prevent this is to have open tools and services. And pay for them.

Security: 17 Things

A list for protecting yourself and others from the most common and easiest-to-pull-off security crimes.

I spend a lot of time giving information security advice, such as why RMF (Risk Management Framework) is too top-heavy for implementing risk management practices in small or R&D-focused organizations, what the right Apache SSL settings really are or how static analysis can help improve C code. What I'm asked for the most though isn't any of those things; it's the everyday stuff that even non-technical people can do to protect themselves from the looming but nebulous threat of an information security accident.

Security: CPU Patches, PostgreSQL, Apple 'Back Door'

  • Canonical Releases Spectre/Meltdown Patches for Ubuntu 17.10 for Raspberry Pi 2

    Canonical published two security advisories on Thursday to announce the availability of Spectre mitigations for the ARM64 (AArch64) hardware architecture on its Ubuntu 17.10 and Ubuntu 16.04.4 LTS systems.

    In January, Canonical released several kernel updates for Ubuntu 17.10 (Artful Aardvark) and other supported Ubuntu releases with software mitigations against the Spectre and Meltdown security vulnerabilities. These patches were first released for 64-bit (amd64) architectures, and then for 32-bit (i386), PPC64el, and s390x systems.

    Today, the company announced the availability of new kernel updates that address both the Meltdown and Spectre security vulnerabilities for the ARM64 (AArch64) hardware architecture, patching the Raspberry Pi 2 kernel for Ubuntu 17.10, as well as its derivatives.

  • Oracle Patches Spectre for Red Hat

    The Red Hat community has patiently awaited a retpoline kernel implementation that remediates CVE-2017-5715 (Spectre v2) and closes all Meltdown and Spectre vulnerabilities that have captured headlines this year.

    Red Hat's initial fixes rely upon microcode updates for v2 remediation, a decision that leaves the vast majority of AMD64-capable processors in an exploitable state. Intel's new microcode has proven especially problematic; it performs badly and the January 2018 versions were plagued with stability issues that crashed many systems. It is a poor solution to a pressing problem.

  • Meet the Scarlett Johansson PostgreSQL malware attack

    It's not the first time an image has been used to give a victim malware, but it may be the first time it's been used so narrowly. According to the security firm Imperva, their StickyDB database management system (DBMS) honeypot has uncovered an attack that places malware, which cryptomines Monero, on PostgreSQL DBMS servers. Its attack vector? An image of Hollywood star Scarlett Johansson.

    Now, you might ask, "How many PostgreSQL DBMS servers are out there on the internet to be attacked?" The answer: "More than you'd expect." A Shodan search revealed almost 710,000 PostgreSQL servers ready to be hacked. It appears there are so many of them because it's way too easy, especially on Amazon Web Services (AWS), to set up PostgreSQL servers without security.

  • This Black Box Can ‘Unlock Your iPhone’ For Cops; Images Leaked

    The debate over whether law enforcement agencies should be given exclusive access to iOS-powered Apple devices started when the FBI was unable to unlock the San Bernardino shooter’s iPhone. Eventually, the FBI found other ways to get inside Apple’s secured digital fortress, through an Israel-based company called Cellebrite.

    In the latest news, we have come across a new iPhone unlocking device called GrayKey that can be used by law enforcement guys to harvest the passcode of an iPhone and other iOS-powered devices such as iPads and iPods.

Security: HIPAA, Updates, Let’s Encrypt

Security: Torvalds Rant Over AMD Flaws/Report, Intel Microcode Updates, Yahoo and Kubernetes

  • Linus Torvalds Roasts CTS Labs After They Exposed AMD Chip Vulnerabilities

    Just a couple of days back, CTS researchers exposed more than a dozen ‘critical’ vulnerabilities in AMD chips marketed under the brand names Ryzen and Epyc. The company also claimed that a backdoor exists in AMD processors. Their revelation came with a well-decorated website, a whitepaper, and a video.

  • Torvalds wades into CTS Labs' AMD chip security report
  • Linus Torvalds casts shade on CTS Labs' AMD CPU flaw security report
  • Intel Rolls Out Updated, Post-Spectre CPU Microcode (20180312)

    Intel has published the Intel Processor Microcode Package for Linux 20180312 release with the latest improvements around the microcode-based approach for Spectre CPU vulnerability mitigation, succeeding their microcode updates from earlier in the year.

  • Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts

    A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in "unending" efforts to thwart attacks, but apparently it just wasn't good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

  • 3 best practices for securing Kubernetes environments

    The Kubernetes orchestration platform is such a gigantic open source project that its evolution is inherently rapid. The pace of change significantly increases the importance of adhering to security best practices when using the ever-changing Kubernetes platform to automate deployment, scaling, and management of containerized cloud-native applications.

    Ultimately, effective security also supports the entire Kubernetes project, since the technology's overall adoption depends on the confidence and trust that Kubernetes earns and establishes. That said, standard security procedures and practices that work well in traditional environments are often inadequate for securing Kubernetes environments, where traffic is vastly more dynamic, and where there must be security in place around the pods, containers, nodes, and images.

Linus Torvalds slams CTS Labs over AMD vulnerability report

CTS Labs, a heretofore unknown Tel Aviv-based cybersecurity startup, has claimed it's found over a dozen security problems with AMD Ryzen and EPYC processors. Linus Torvalds, Linux's creator, doesn't buy it.

Security: AMD, Updates, Reproducible Builds and More

  • Israeli firm dumps AMD flaws with 24 hours notice

    Security researchers from a previously unknown Israeli company, CTS Labs, have disclosed 13 flaws in AMD processors. All can be taken advantage of only by an attacker who has already gained admin privileges within the system in question.

  • “Backdoor” Found In AMD CPUs, Researchers Discover 13 Critical Vulnerabilities In RYZEN And EPYC
  • Security updates for Wednesday
  • Reproducible Builds: Weekly report #150
  • ACME v2 and Wildcard Certificate Support is Live

    We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.

    ACMEv2 is an updated version of our ACME protocol which has gone through the IETF standards process, taking into account feedback from industry experts and other organizations that might want to use the ACME protocol for certificate issuance and management some day.

    Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS. We still recommend non-wildcard certificates for most use cases.

  • Samba critical flaws: Patch now but older open instances have 'far worse issues'
  • An overview of online ad fraud

    I have researched various aspects of the online advertisement industry for a while, and one of the fascinating topics that I have come across which I didn’t know too much about before is ad fraud. You may have heard that this is a huge problem as this topic hits the news often, and after learning more about it, I think of it as one of the major threats to the health of the Web, so it’s important for us to be more familiar with the problem.

    People have done a lot of research on the topic but most of the material uses the jargon of the ad industry so they may be inaccessible to those who aren’t familiar with it (I’m learning my way through it myself!) and also you’d need to study a lot to put a broad picture of what’s wrong together, so I decided to summarize what I have learned so far, expressed in simple terms avoiding jargon, in the hopes that it’s helpful. Needless to say, none of this should be taken as official Mozilla policy, but rather this is a hopefully objective summary plus some of my opinions after doing this research at the end.

Security: AMD and Samba Flaws

IPFire 2.19 - Core Update 119 released

This is the release announcement for IPFire 2.19 – Core Update 119. It updates the toolchain of the distribution and fixes a number of smaller bug and security issues. Therefore this update is another one of a series of general housekeeping updates to make IPFire better, faster and of course more secure!

Also: NuTyX 10.1 available with cards 2.4.0
