40 Linux Server Hardening Security Tips [2019 edition]

Why Trust Is Key for Cyber-Security Risk Management

"Trust" is an often-overused term, but according to Rohit Ghai, president of RSA Security, trust is the key to understanding and managing digital risk.

In a video interview with eWEEK, Ghai discusses his views on trust, where the concept of an artificial intelligence "digital twin" fits in and why there could well be a need to redefine industry cyber-security categories to better reflect how risk management technologies should work. He also provides insight into how RSA Security's products, including Archer, Netwitness and SecurID, fit together to help organizations provide trust and manage risk.

"As long as we pay attention to the idea of risk and trust co-existing and taking a risk orientation to security, I think we'll be fine," Ghai said. "Trust is important. We are living in an era where people are losing faith or trust in technology, and we have to act now to restore it."

IPFire 2.21 - Core Update 129 is ready for testing

The next release is available for testing - presumably going to be last release in the 2.21 series before we bring some bigger changes. This update has a huge number and significant changes for IPsec as well as many updates to the core system and various smaller bug fixes.

Superuser accounts: What they are and how to secure them

Most security technologies are helpless in protecting against superusers because they were developed to protect the perimeter – but superusers are already on the inside. Superusers may be able to change firewall configurations, create backdoors and override security settings, all while erasing traces of their activity.

Insufficient policies and controls around superuser provisioning, segregation and monitoring further heighten risks. For instance, database administrators, network engineers and application developers are frequently given full superuser-level access. Sharing of superuser accounts among multiple individuals is also a rampant practice, which muddles the audit trail. And in the case of Windows PCs, users often log in with administrative account privileges –far broader than what is needed.

Security updates for Monday

User Account Review | Roadmap to Securing Your Infrastructure

One of the topics you may not often think of as being all that important to security is user accounts on systems. We spend so much time on other things — like managing firewall rules, system patching, analyzing report data, etc. — that user accounts are often a neglected topic.

At a previous employer, I performed many security-focused audits for organizations needing to meet regulatory compliance. As part of these audits, I would review systems for best practice and general housekeeping. You can tell a lot about an administrator by the state of their environment. Too often I would find accounts that had not logged in for years or may have never logged in. Why do you need those accounts if they’re not being used?

Brace yourselves: New variant of Mirai takes aim at a new crop of IoT devices [Ed: Install FOSS firmware and brace yourselves for the latest scaremongering from Mr. Goodin (sued for his dramatisation, exaggerations, and distortions)]

A newly discovered variant contains a total of 27 exploits, 11 of which are new to Mirai, researchers with security firm Palo Alto Networks reported in a blog post Monday. Besides demonstrating an attempt to reinvigorate Mirai’s place among powerful botnets, the new exploits signal an attempt to penetrate an arena that's largely new to Mirai. One of the 11 new exploits targets the WePresent WiPG-1000 Wireless Presentation systems, and another exploit targets LG Supersign TVs. Both of these devices are intended for use by businesses, which typically have networks that offer larger amounts of bandwidth than Mirai’s more traditional target of home consumers.

Routed IPsec VPNs are landing in IPFire 2.21 - Core Update 129

The forthcoming Core Update will have some brilliant changes to our IPsec stack.

These changes were required for a project that Lightning Wire Labs has been doing and are potentially a little bit niche. We have backported these as well from IPFire 3 where this feature is even more advanced and - to me - a lot more exciting, too.

A new rash of highly covert card-skimming malware infects ecommerce sites

Group-IB has dubbed the JavaScript sniffer GMO after the gmo[.]il domain it uses to send pilfered data from infected sites, all of which run the Magento e-commerce Web platform. The researchers said the domain was registered last May and that the malware has been active since then. To conceal itself, GMO compresses the skimmer into a tiny space that’s highly obfuscated and remains dormant when it detects the Firebug or Google Developer Tools running on a visitor’s computer. GMO was manually injected into all seven sites, an indication that it is still relatively fledgling.

Nasty WinRAR bug is being actively exploited to install hard-to-detect malware

Nasty code-execution bug in WinRAR threatened millions of users for 14 years
The flaw, disclosed last month by Check Point Research, garnered instant mass attention because it made it possible for attackers to surreptitiously install persistent malicious applications when a target opened a compressed ZIP file using any version of WinRAR released over the past 19 years. The absolute path traversal made it possible for archive files to extract to the Windows startup folder (or any other folder of the archive creator’s choosing) without generating a warning. From there, malicious payloads would automatically be run the next time the computer rebooted.

How a wireless keyboard lets [intruders] take full control of connected computers

The attacks can be carried out by anyone who is within range of an affected keyboard set and takes the time to build the hardware that exploits the replay and injection flaws. Normally, that distance is about 30 feet, but the use of special antennas could extend that range. That leaves open the possibility of attacks from hackers in nearby offices or homes.

Friday’s SySS advisory said that there is currently no known fix for the vulnerabilities. It said company researchers privately reported the vulnerability to Fujitsu. The disclosure timeline is: [...]

Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators

Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to "replay attacks" that allowed the researchers to bypass the encryption.

[Older] Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we’ve outlined, we were able to perform the attacks quickly and even switch on the controlled machine despite an operator’s having issued an emergency stop (e-stop).

The core of the problem lies in how, instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn’t until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.

How Ethereum Applications Earn A+ Security Ratings

More than 1.2 million ethereum applications have used a little-known security tool to help them avoid the costly errors arising from self-executing lines of code known as smart contracts.

Launched by ethereum technology startup Amberdata back in October, the free tool is available for anyone in the general public to interpret the security of active applications on the ethereum blockchain. Smart contracts with bugs that have been exploited have led to huge losses, even to the tune of hundreds of millions.

The automated service scans for common vulnerabilities found in smart contract code and generates a letter grade rating (e.g. A, B, or C) for the security of a decentralized application (dapp).

The feature is one of the many tools encouraging best practice and increased transparency between dapp developers and end-users in the ethereum ecosystem.

How to protect your router

Currently, there are a variety of open source and OpenVPN capable routers to choose from, but the most popular models are the Linksys AC3200 and the Netgear Nighthawk AC1900.

Fighting Crypto Hacks: Company Tackles Security Issues in Ethereum Smart Contracts

A decentralized, open-source crypto platform based on the Ethereum protocol named Callisto Network offers users free-of-charge smart contract security audits. The company wants to support them in the battle against cyber criminals and help developers solve security issues in Ethereum codes.

Just Android things: 150m phones, gadgets installed 'adware-ridden' mobe simulator games

Android adware found its way into as many as 150 million devices – after it was stashed inside a large number of those bizarre viral mundane job simulation games, we're told.

The so-called Simbad malware was built into mobile gaming titles such as Real Tractor Farming Simulator, Heavy Mountain Bus Simulator 2018, and Snow Heavy Excavator Simulator, according to infosec research biz Check Point today.

Google sinks more than 200 Android apps infected with SimBad adware

The adware campaign made use of malware dubbed SimBad, which sits within a malicious software development kit called 'RXDrioder' and can perform actions after an infected Android device is booted. SimBad then connects back to a control and command server where it receives instructions from the malicious actors controlling it.

How To Secure Privileged Access In An Organisation

Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaround

25% of software vulnerabilities remain unpatched for more than a year [Ed: How about back doors in proprietary software? These can never be patched, they're there by design and the user cannot change the code ]

Shmoocon 2019, Conor Patrick’s ‘Building And Selling Solo: An Open Source Secure Hardware Token’

Cryptojacking Takes a New Turn in CryptoSink Campaign

Researchers from F5 Labs reported on March 14 that they have discovered a new cryptojacking campaign that is abusing unpatched Elasticsearch servers.

Unauthorized cryptocurrency mining, commonly referred to as "cryptojacking," is an attack trend that started in 2017 and hit a peak in mid-2018. With a cryptojacking attack, a hacker makes use of a system or server resources to help mine cryptocurrency. F5 Labs is dubbing the cryptojacking campaign it discovered "CryptoSink" as the attackers are identifying systems that have already been compromised by cryptojacking and are "sinkholing" or redirecting the competitive mining effort. When the competitive cryptojacking effort is sinkholed, it is effectively shut down in favor of the new CryptoSink effort.

New cryptominer targets Elasticsearch on Windows, Linux

A new cryptomining campaign that targets both Windows and Linux systems running the Elasticsearch search and analytics engine has been detailed by researchers from F5 Networks.
Andrey Shalnev and Maxim Zavodchik said in a blog post that the campaign, which they have named Cryptosink, was using a five-year-old vulnerability in Elasticsearch to gain entry to the servers.

The initial infection vector was a malicious HTTP request that targeted Elasticsearch.

[...]

The malware was also able to backdoor the server by adding the SSH keys of the person who was carrying out the attack.

And it used several command and control servers, with the current live one being in China.

Shalnev and Zavodchik said the rise of cryptomining botnets and the decline in crypto currency value meant there was tough competition among the various currencies.