Security

Security Leftovers

Filed under
Security

Why it's time to stop blaming open source for ransomware attacks

Filed under
OSS
Security

Developers may be the new kingmakers, to quote Redmonk, but they're not very careful about locking the gates. That's the primary take-away from a slew of ransomware attacks against MongoDB, CouchDB, Elasticsearch, and Hadoop, as I've argued.

Some people, however, have learned the exact wrong lesson from this debacle. Exhibit A is David Ramel's article wherein he suggests that open source is ultimately to blame for the attacks. This is wrong on so many levels, but let's address just a few.

Read more

Security Leftovers

Filed under
Security
  • The long road to getrandom() in glibc

    The GNU C library (glibc) 2.25 release is expected to be available at the beginning of February; among the new features in this release will be a wrapper for the Linux getrandom() system call. One might well wonder why getrandom() is only appearing in this release, given that kernel support arrived with the 3.17 release in 2014 and that the glibc project is supposed to be more receptive to new features these days. A look at the history of this particular change highlights some of the reasons why getting new features into glibc is still hard.

  • Maintainers for desktop "critical infrastructure"

    That work is great, but it is limited by a number of factors: funding and the interests of its members, primarily. Few of the companies involved have much, if any, interest in the Linux desktop. Some might argue that there aren't any companies with that particular interest, though that would be disingenuous. In any case, though, desktop Linux is a community-supported endeavor, at least more so than server or cloud Linux, which likely means some things are slipping through the cracks.

    Kaskinen left his job in 2015 to be able to spend more time on PulseAudio (and some audio packages that he maintains for OpenEmbedded). For the last four months or so, he has been soliciting funds on Patreon. Unlike Kickstarter and other similar systems, Patreon is set up to provide ongoing funding, rather than just a chunk of money for a particular feature or project. Donors pledge a monthly amount to try to support someone's work going forward.

  • Important CentOS 7 Linux Kernel Security Patch Released, 3 Vulnerabilities Fixed

    CentOS developer and maintainer Johnny Hughes is announcing the availability of a new, important Linux kernel security update for the CentOS 7 series of operating systems.

    CentOS 7 is derived from the freely distributed source code of the commercial Red Hat Enterprise Linux 7 operating system series, which means that it also benefits from its security patches. According to the recently published RHSA-2017:0086-1 security advisory, which was marked as important, three security vulnerabilities are patched.

  • Trump's New Cyber-Security Advisor Runs a Very, Very Insecure Website

    According to Phobos Group founder Dan Tentler, Giuliani's security company website runs a very, very old Joomla distribution, an open-source, free-to-use CMS.

    That's Joomla 3.1.1, released in April 2013. Since then, two major zero-days have plagued Joomla, so grave that they could allow attackers to take full control over a Joomla installation. Those are CVE-2016-9838 and CVE-2015-8562.

    But that's not the worst of it. The Joomla admin panel login page is also freely available, meaning anyone could access it and attempt to brute-force the admin password.

  • Reminder: Microsoft to no longer update original Windows 10 release after March 26 [Ed: Microsoft will leave even more Vista 10 back doors open, unless you install the latest doors]

    As Microsoft noted last year, the company plans to update only two Current Branch for Business versions of Windows 10 at any given time.

  • St. Louis' public library computers hacked for ransom [iophk: “Those who installed Windows on them have not been brought to justice”]

    Hackers have infected every public computer in the St. Louis Public Library system, stopping all book borrowing and cutting off internet access to those who rely on it for computers.

    The computer system was hit by ransomware, a particularly nasty type of computer virus that encrypts computer files.

    This form of attack renders computers unusable -- unless victims are willing to pay an extortion fee and obtain a key to unlock the machines.

  • Microsoft Targets Chrome Users With Windows 10 Pop-up Ad

    Microsoft really wants you to use its software products as well as running Windows 10, and that includes the Edge browser. But it can't stop you choosing to use an alternative web browser. However, if you opt to use Chrome, then expect to start seeing adverts right on your Windows desktop.

  • United Airlines Domestic Flights Grounded for 2 Hours by Computer Outage

    All of United Airlines' domestic flights were grounded for more than two hours Sunday night because of a computer outage, the Federal Aviation Administration said as scores of angry travelers sounded off on social media.

  • There’s no glory in patching

    Regular patching is essential but not without risks. Missing a critical patch is an easy way of getting your service compromised but insufficient testing is an even easier way of getting it to fall over. Here at drie we talk a lot about why trying to build your own infrastructure around AWS can be, to put it mildly, a bit of a pain. Today I’d like to go a little deeper on one issue most people encounter when going it alone in AWS and why you’re better off making it someone else’s problem. While it may seem like a mundane concern, keeping up to date with the latest patches and security fixes for your dependencies is a significant undertaking and neglecting server patches is a swift route to getting your infrastructure hacked.

Your Computer's Clipboard is a Security Problem - Fix it in Linux With xsel and cron

Filed under
Security
HowTos

Any program you run can read your clipboard, and its contents linger until another copy event or a reboot. Modern browsers enable multiple ways for malicious websites to read the clipboard contents (or add items in), so eliminate the worry by using a script with cron that auto-clears your clipboard regularly.

Read more

via DMT/Linux Blog

Security Leftovers

Filed under
Security
  • After MongoDB Debacle, Expect More Ransomware, Open Source Attacks in 2017 [Ed: Black Duck is at it again]

    "Black Duck's Open Source Security Audit Report found that, on average, vulnerabilities in open source components used in commercial applications were over 5 years old," Pittenger said. "The Linux kernel vulnerability discovered 8/16 (CVE-2016-5195) had been in the Linux code base since 2012. Most organizations don't know about the open source vulnerabilities in their code because they don't track the open source components they use, and don't actively monitor open source vulnerability information."

  • Mirai: Student behind IoT malware used it in Minecraft server protection racket, claims Krebs

    SECURITY BLOGGER BRIAN KREBS has suggested that "Anna Senpai", the reprobate behind the Mirai Internet-of-shonky-Things (IoT) botnet, is a student studying at Rutgers University in the US.

    Krebs made his disclosure after conducting an in-depth investigation and finding out that Mirai had been developed and deployed over the past three years or so - it didn't suddenly emerge last year.

    Krebs believes that Mirai has been used a number of times in connection with what looks suspiciously like an online protection racket: companies running, for example, Minecraft servers being offered distributed denial of service (DDoS) protection, on the one hand, just before being taken offline in massive DDoS attacks on the other.

  • Gmail phishing scam has everyone reaching for 2FA

    STOP WHAT YOU ARE DOING, unless you don't have a Gmail account. Carry on if that is the case.

    If you do use Gmail you apparently really, really, need to be aware of a crafty phishing scam that will have you hooked, lined, sinkered, gutted, covered in batter and served with curry sauce before you have a chance to realise that anything is happening.

    The scam that has everyone in a lather uses a deceptive URL, and quite a sneaky one. People probably won't even notice it because, for the most part, it looks fine. It is only once it is clicked and the bastard gateway is broken through that the phishing and the stealing begins.

Canonical Patches Nvidia Graphics Drivers Vulnerability in All Ubuntu Releases

Filed under
Security

It's time to update your Ubuntu Linux operating system if you have a Nvidia graphics card running the Nvidia Legacy 340 or 304 binary X.Org drivers provided on the official software repositories.

Read more

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Reproducible Builds: week 90 in Stretch cycle

    The F-Droid Verification Server has been launched. It rebuilds apps from source that were built by f-droid.org and checks that the results match.

  • 6 Week Progress Update for PGP Clean Room

    One of the PGP Clean Room’s aims is to provide users with the option to easily initialize one or more smartcards with personal info and pins, and subsequently transfer keys to the smartcard(s). The advantage of using smartcards is that users don’t have to expose their keys to their laptop for daily certification, signing, encryption or authentication purposes.

  • New Kali Linux Professional Information Security Certification to debut at Black Hat USA, 2017

    First Official Kali Linux book release will coincide with launch of the new information security training program as the Penetration Testing platform celebrates its 10th anniversary.

  • The flatpak security model – part 1: The basics

    This is the first part of a series talking about the approach flatpak takes to security and sandboxing.

    First of all, a lot of people think of container technology like docker, rkt or systemd-nspawn when they think of linux sandboxing. However, flatpak is fundamentally different to these in that it is unprivileged.

  • Newly discovered Mac malware found in the wild also works well on Linux [Ed: Only if fools are stupid enough to actually INSTALL malware.]

    The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

    [...]

    Another intriguing finding: with the exception of the Mac-formatted Mach object file binary, the entire Fruitfly malware library runs just fine on Linux computers.

Why Linux Installers Need to Add Security Features

Filed under
Linux
Security

Twelve years ago, Linux distributions were struggling to make installation simple. Led by Ubuntu and Fedora, they long ago achieved that goal. Now, with the growing concerns over security, they need to reverse directions slightly, and make basic security options prominently available in their installers rather than options that users can add manually later.

At the best of times, of course, convincing users to come anywhere near security features is difficult. Too many users are reluctant even to add features as simple as unprivileged user accounts or passwords, apparently preferring the convenience of the moment to reducing the risk of an intrusion that will require reinstallation, or a consultation with a computer expert at eighty dollars an hour.

Read more
