Security

Security Leftovers

Filed under
Security

Security: Updates, DDoS, US and Election

  • Security updates for Thursday
  • It just got much easier to wage record-breaking DDoSes

    Now, two separate exploits are available that greatly lower the bar for waging these new types of attacks. The first one, called Memcrashed, prompts a user to enter the IP address to be targeted. It then automatically uses the Shodan search engine to locate unsecured memcached servers and abuses them to flood the target. Here's a screenshot showing the interface: [...]

  • Push to bolster election security stalls in Senate

    But Lankford on Wednesday was forced to table an amendment to a bill moving through the Senate that was aimed at improving information-sharing between federal and state election officials on election cyber threats. State officials objected to the amendment.

  • Senate committee approves bill reorganizing Homeland Security’s cyber office

    A key Senate panel on Wednesday advanced legislation to reauthorize the Department of Homeland Security (DHS) that includes a measure reorganizing the department’s cybersecurity wing.

    The bill includes language that would reorganize and rename the office within the department that protects federal networks and critical infrastructure from physical and cyber threats, currently known as the National Protection and Programs Directorate (NPPD). Under the legislation, the entity would be transformed into an operational agency called the Cybersecurity and Infrastructure Security Agency.

Security: Calling Cisco "Linux", DDoS Due to Bug, and Already Fixed Exim Bug

Security: Updates, Windows, Apple, and FUD

Security Leftovers

  • A few things I've learned about computer networking

    But I thought it could maybe be useful to list a bunch of concrete skills and concepts I’ve learned along the way. Like anything else, “computer networking” involves a large number of different concepts and skills and tools and I’ve learned them all one at a time. I picked most of these things up over the last 4 years.

  • Making security sustainable

    Perhaps the biggest challenge will be durability. At present we have a hard time patching a phone that’s three years old. Yet the average age of a UK car at scrappage is about 14 years, and rising all the time; cars used to last 100,000 miles in the 1980s but now keep going for nearer 200,000. As the embedded carbon cost of a car is about equal to that of the fuel it will burn over its lifetime, we just can’t afford to scrap cars after five years, as we do laptops.

  • US senator grills CEO over the myth of the hacker-proof voting machine

    Zetter unearthed a 2006 contract with the state of Michigan and a report from Pennsylvania's Allegheny County that same year that both showed ES&S employees using a remote-access application called pcAnywhere to remotely administer equipment it sold.

Plasma 5.12.3 bugfix updates available for 17.10 backports PPA

Filed under
KDE
Security

Users of Kubuntu 17.10 Artful Aardvark can now upgrade via our backports PPA to the 3rd bugfix release (5.12.3) of the Plasma 5.12 LTS release series from KDE.

(Testers of 18.04 Bionic Beaver will need to be patient as the Ubuntu archive is currently in Beta 1 candidate freeze for our packages, but we hope to update the packages there once the Beta 1 is released)

The full changelog of fixes for 5.12.3 can be found here.

Security: DDoS, Reproducible Builds, and Microsoft Word

  • Hackers Set New DDoS World Record: 1.7 Tbps

    Not even a week has passed since the code sharing platform GitHub suffered the world’s biggest DDoS attack recorded at 1.35Tbps. Just four days later, the world record of the biggest DDoS has been broken in an attempt to take down the systems of an unknown entity identified as a “US-based service provider”.

  • DDoS Record Broken Again as Memcached Attack Hits 1.7 Tbps

    The size of massive distributed denial-of-service attacks continues to grow, hitting yet another new high on March 5, with a report of a 1.7-Tbps attack.

    The attack was reported by Netscout Arbor and came just four short days after the March 1 report of the then largest DDoS attack at 1.35 Tbps against GitHub. Both of the record breaking DDoS attacks were enabled via improperly configured memcached servers that reflected attack traffic, amplifying the total volume.

  • Reproducible Builds: Weekly report #149
  • Hacking operation uses malicious Word documents to target aid organisations

    A newly uncovered 'nation-state level' cyber espionage operation has targeted humanitarian aid organisations around the globe via the use of backdoors hidden within malicious Word documents.

    Dubbed Operation Honeybee based on the name of lure documents used during the attacks, the campaign has been discovered by security researchers at security company McAfee Labs after a new variant of the Syscon backdoor malware was spotted being distributed via phishing emails.

Security: Updates, 4G LTE, and Chip Bugs Handling by Oracle and OpenIndiana

  • Security updates for Tuesday
  • Researchers detail new 4G LTE vulnerabilities allowing spoofing, tracking, and spamming

    4G LTE isn’t nearly as secure or private as you think it is. Mobile privacy and security are both at risk. Researchers from Purdue University and the University of Iowa have released a new research paper detailing ten attacks on 4G LTE networks. Some attacks allow fake emergency alerts to be sent to a phone, others allow for the spoofing or tracking of the target’s location. The attacks could be carried out with less than $4,000 of equipment and open source 4G LTE software.

  • Oracle Brings KPTI Meltdown Mitigation To Linux 4.1

    If for some reason you are still riding the Linux 4.1 kernel series, you really should think about upgrading to at least a newer LTS series in the near future. But if you still plan on riding it for a while longer, at least it's getting page table isolation support for Meltdown mitigation.

    An Oracle kernel developer has posted patches bringing kernel page table isolation (KPTI, formerly known as KAISER) to the Linux 4.1 stable kernel series.

  • OpenIndiana Now Has KPTI Support Up For Testing To Mitigate Meltdown

    The Solaris-derived OpenIndiana operating system now has KPTI (Kernel Page Table Isolation) support for testing to mitigate the Intel Meltdown CPU vulnerability.

    Thanks in large part to the work done by Joyent on KPTI support for SmartOS/OmniOSce, the Illumos kernel used by OpenIndiana now has a KPTI implementation for testing. They have spun up some live install images for testing as well as an IPS repository containing a KPTI-enabled kernel build. With this KPTI work is also PCID (Process Context Identifier) support too.

  • A long two months

    I had a quiet New Year's Eve and Day for the beginning of 2018. We had originally planned a trip away with my parents and some friends from southern California, but they all fell through -- my father was diagnosed with cancer late in 2017 and their trip to visit us in the U.S. was cancelled, and our friends work in medicine and wound up being on call. One of Lou's other friends came to visit us, instead: she was on a mission to experience midnight twice on January 1st by flying from Hong Kong to San Francisco. That might sound like an excuse to party hard, but instead we sat around an Ikea table playing board games, drinking wine and eating gingerbread. It was very pleasant.

    [...]

    To mitigate Meltdown (and partially one of the Spectre variants), you have to make sure that speculative execution cannot reach any sensitive data from a user context.

Security: Memcached, Intel MKTME, and Open Source Security Podcast

Security: Updates, Ethereum, 4G LTE, and Compromised Guest Account

  • Security updates for Monday
  • Ethereum responds to eclipse attacks described by research trio

    What is an "eclipse" attack? Amy Castor, who follows Bitcoin and Ethereum, walked readers in Bitcoin Magazine through this type of attack.

    "An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node's view of the blockchain."

    Catalin Cimpanu, security news editor for Bleeping Computer: "Eclipse attacks are network-level attacks carried out by other nodes by hoarding and monopolizing the victim's peer-to-peer connection slots, keeping the node in an isolated network."

    Meanwhile, here are some definitions of Ethereum. It is an open software platform based on blockchain technology.

  • 4G LTE Loopholes Invite Unwanted Phone And Location Tracking, Fake Emergency Alerts

    In a new paper, the researchers at Purdue University and the University of Iowa have discovered vulnerabilities in three procedures of the LTE protocol.

    The loopholes could be exploited to launch 10 new attacks, such as location tracking, intercepting calls and texts, making devices offline, etc. With the help of authentication relay attacks, an evil mind can connect to a network without credentials and impersonate a user. A situation of an artificial emergency can be created by issuing fake threat alerts, similar to the recent missile launch alerts in Hawaii.

  • Compromised Guest Account

    Some of the workstations I run are sometimes used by multiple people. Having multiple people share an account is bad for security so having a guest account for guest access is convenient.

    If a system doesn’t allow logins over the Internet then a strong password is not needed for the guest account.

    If such a system later allows logins over the Internet then hostile parties can try to guess the password. This happens even if you don’t use the default port for ssh.

More in Tux Machines

today's leftovers

  • CRI: The Second Boom of Container Runtimes
    Harry (Lei) Zhang, together with the CTO of HyperHQ, Xu Wang, will present “CRI: The Second Boom of Container Runtimes” at KubeCon + CloudNativeCon EU 2018, May 2-4 in Copenhagen, Denmark. The presentation will clarify more about CRI, container runtimes, KataContainers and where they are going. Please join them if you are interested in learning more.
  • Meet Gloo, the ‘Function Gateway’ That Unifies Legacy APIs, Microservices, and Serverless
    Gloo, a single binary file written in Go, can be deployed as a Kubernetes pod, in a Docker container, and now also on Cloud Foundry. The setup also requires a copy of Envoy, though the installation process can be greatly simplified through additional software developed by the company, TheTool. The user then writes configuration objects to capture the workflow logic.
  • Why is the kernel community replacing iptables with BPF?

    The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.

  • The developer of Helium Rain gave an update on their sales, low overall sales but a high Linux percentage
    Helium Rain [Steam, Official Site], the gorgeous space sim from Deimos Games is really quite good so it's a shame they've seen such low overall sales. In total, they've had around 14,000€ (~$17,000) in sales which is not a lot for a game at all. The good news is that out of the two thousand copies they say they've sold, a huge 14% of them have come from Linux. It's worth noting that number has actually gone up since we last spoke to them, where they gave us a figure of 11% sales on Linux.
  • Want to try Wild Terra Online? We have another load of keys to give away (update: all gone)
    Wild Terra Online [Steam], the MMO from Juvty Worlds has a small but dedicated following; now is your chance to see if it's for you.
  • Arch Linux Finally Rolling Out Glibc 2.27
    Arch Linux is finally transitioning to glibc 2.27, which may make for a faster system. Glibc 2.27 was released at the start of February. This updated GNU C Library shipped with many performance optimizations particularly for Intel/x86_64 but also some ARM tuning and more. Glibc 2.27 also has memory protection keys support and other feature additions, but the performance potential has been most interesting to us.
  • Installed nvidia driver
  • Stephen Smoogen: Fedora Infrastructure Hackathon (day 1-5)
  • Design and Web team summary – 20 April 2018
    The team manages all web projects across Canonical. From www.ubuntu.com to the Juju GUI we help to bring beauty and consistency to all the web projects.
  • Costales: UbuCon Europe 2018 | 1 Week to go!!
    We'll have an awesome weekend of conferences (with 4 parallel talks), podcasts, stands, social events... Most of them are in English, but there will be some in Spanish & Asturian too.
  • Tough, modular embedded PCs start at $875
    Advantech has launched two rugged, Linux-ready embedded DIN-rail computers with Intel Bay Trail SoCs and iDoor expansion: an “UNO-1372G-E” with 3x GbE ports and a smaller UNO-1372G-J with only 2x GbE, but with more serial and USB ports.

OSS Leftovers

  • IRS Website Crash Reminder of HealthCare.gov Debacle as OMB Pushes Open Source
    OMB is increasingly pushing agencies to adopt open source solutions, and in 2016 launched a pilot project requiring at least 20 percent of custom developed code to be released as open source – partly to strengthen and help maintain it by tapping a community of developers. OMB memo M-16-21 further asks agencies to make any code they develop available throughout the federal government in order to encourage its reuse. “Open source solutions give agencies access to a broad community of developers and the latest advancements in technology, which can help alleviate the issues of stagnated or out-dated systems while increasing flexibility as agency missions evolve over time,” says Henry Sowell, chief information security officer at Hortonworks Federal. “Enterprise open source also allows government agencies to reduce the risk of vendor lock-in and the vulnerabilities of un-supported software,” he adds.
  • Migrations: the sole scalable fix to tech debt.

    Migrations are both essential and frustratingly frequent as your codebase ages and your business grows: most tools and processes only support about one order of magnitude of growth before becoming ineffective, so rapid growth makes them a way of life. This isn't because they're bad processes or poor tools, quite the opposite: the fact that something stops working at significantly increased scale is a sign that it was designed appropriately to the previous constraints rather than being over designed.

  • Gui development is broken

    Why is this so hard? I just want low-level access to write a simple graphical interface in a somewhat obscure language.

OpenBSD and NetBSD

Security: Twitter and Facebook

  • Twitter banned Kaspersky Lab from advertising in Jan

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.

  • When you go to a security conference, and its mobile app leaks your data

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

    If you log in to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.