
Security

Parrot 4.7 release notes

Filed under
GNU
Linux
Security

We are proud to announce the release of Parrot 4.7, which represents an important step forward for our project.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug).

  • Skidmap malware drops LKMs on Linux machines to enable cryptojacking, backdoor access [Ed: This is not a "Linux" issue any more than Adobe Photoshop malicious files are a "Windows" issue ]

    Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.

    Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post.

  • Linux for ethical hackers 101

    In order to familiarize yourself with the full range of ethical hacking tools, it is important to be conversant with the Linux OS. As the systems engineer Yasser Ibrahim said in a post on Quora: “In Linux you need to understand from the basics to the advanced, learn the console commands and how to navigate and do everything from your console, also shell programming (not a must, but always preferable), know what a kernel is and how it works, understand the Linux file systems, how to network on Linux.”

Security: Criminal Charges, Updates, 'IoT', Cybersecurity Practices and Intel Management Engine (Back Door)

Filed under
Security
  • Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges

    Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about "hacking."

  • Security updates for Thursday

    Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, wpasupplicant).

  • Irdeto Warns Healthcare IoT Is Under Heavy Attack

    The world of IoT is no stranger to attacks, with security being a number one priority for keeping the world of interconnected devices safe. One area where security is most crucial is healthcare, where successful attacks can result in loss of life. It wasn’t too long ago that ransomware was making the rounds, shutting down entire hospital networks and putting patients at risk. Irdeto made a press release that put forward the case for better security for healthcare IoT. They quoted some statistics that put some insight into how healthcare comes under attack from malicious agents.

  • Why it's time to embrace top-down cybersecurity practices

    Cybersecurity is no longer just the domain of the IT staff putting in firewalls and backing up servers. It takes a commitment from the top and a budget to match. The stakes are high when it comes to keeping your customers' information safe.

    The average cost of a data breach in 2018 was $148 for each compromised record. That equals an average cost of $3.86 million per breach. Because it takes organizations more than six months—196 days on average—to detect breaches, a lot of remediation must happen after discovery.

    With compliance regulations in most industries tightening and stricter security rules, such as the General Data Protection Regulation (GDPR) becoming law, breaches can lead to large fines as well as loss of reputation.

  • SIM Application Toolkit: Avoid Being Exploited

    Technologies are often created with good intent, to make our life easier, to solve problems in a convenient way. The Management Engine in Intel’s CPUs, for instance, was intended to make the life of admins easier. It allowed for remote access on a very low level, so they could even do complete remote reinstalls of a machine. And if you have to manage a large fleet of machines, distributed within a larger enterprise, this can save huge amounts of effort, time–and thus money.

    [...]

    Its name already points to the origin: the SIM card. It is the tiny chip card you insert into your phone, to get access to the cellular network of an operator. The SIM card used to be a fairly simple device, which you can imagine as the key to unlock the access to the network: i.e., it stores a secret (a cryptographic key) along with an ID (the IMSI) and some details about the issuing operator, etc. This data set grants you access to the operator’s network.

    But phones [also called handset, or ‘terminal equipment’ (TE), in mobile terms] have become more and more powerful. And setting up these cards has become more and more complicated; you need an SMS center number, details for the MMS server, mailbox dial-in number… and a lot more. All this needs to be properly set up in the mobile, to make full use of both the mobile and the network. To make this even more complicated, these details (and the way to set them up) are different from operator to operator. The process for this initial setup is (also) called provisioning. It was to make this (and other things) as convenient and least painful as possible for users that SAT was invented.

    The name SAT tells us not only that it is SIM-related, but also that it contains the term application: SIM cards can, and today they usually do, indeed contain small applications or applets. They are small computers on their own, they run code, and they can indeed be programmed. Most are based on the JavaCard standard and can be programmed with small Java applets. The SAT defines a standard way to interface the SAT applets with the modem and the phone.
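To make concrete what a SAT applet can ask the handset to do, the following is an added example (not code from the article above or from any SIM vendor) that decodes SAT "proactive commands", the BER-TLV messages an applet sends to the phone, and flags the command types a hostile applet would rely on (send an SMS, set up a call, report location, launch a browser). The tag and command-type values follow ETSI TS 102 223; the three sample commands are constructed by hand, and the SMS TPDU bytes in the second one are placeholders rather than a real message.

```python
"""Decode SIM Application Toolkit proactive commands (ETSI TS 102 223 BER-TLV).
Added example, not code from the original article or from any SIM vendor. Tag
and command-type values follow ETSI TS 102 223; all sample commands are constructed.
"""

# Type-of-command values (TS 102 223, section 9.4; subset).
COMMAND_TYPES = {
    0x10: "SET UP CALL", 0x12: "SEND USSD", 0x13: "SEND SHORT MESSAGE",
    0x15: "LAUNCH BROWSER", 0x21: "DISPLAY TEXT", 0x23: "GET INPUT",
    0x25: "SET UP MENU", 0x26: "PROVIDE LOCAL INFORMATION",
}
# Commands that send data off the device or act on the user's behalf; a handset
# that runs these with no visible prompt is what a hostile applet relies on.
HIGH_RISK = {0x10, 0x12, 0x13, 0x15, 0x26}

TAG_PROACTIVE_COMMAND = 0xD0
# Simple TLV tags; bit 8 ("comprehension required") is masked off when parsing.
TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES, TAG_ADDRESS, TAG_TEXT_STRING = 0x01, 0x02, 0x06, 0x0D


def _read_length(data, pos):
    """BER length: one byte below 0x80, otherwise 0x81 followed by one length byte."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81:
        return data[pos + 1], pos + 2
    raise ValueError("unsupported length encoding 0x%02x" % first)


def _bcd_digits(packed):
    """Unpack swapped-nibble BCD digits; a 0xF high nibble pads an odd digit count."""
    digits = []
    for b in packed:
        digits.append(str(b & 0x0F))
        if (b >> 4) != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits)


def parse_simple_tlvs(data):
    """Return [(tag, value), ...] for the simple TLVs packed in data."""
    tlvs, pos = [], 0
    while pos < len(data):
        tag = data[pos] & 0x7F
        length, pos = _read_length(data, pos + 1)
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV for tag 0x%02x" % tag)
        tlvs.append((tag, value))
        pos += length
    return tlvs


def decode_proactive_command(raw):
    """Decode one proactive command into a dict; raise ValueError if malformed."""
    if not raw or raw[0] != TAG_PROACTIVE_COMMAND:
        raise ValueError("not a proactive command")
    length, pos = _read_length(raw, 1)
    body = raw[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated proactive command")
    tlvs = dict(parse_simple_tlvs(body))
    number, ctype, qualifier = tlvs[TAG_COMMAND_DETAILS][:3]
    source, destination = tlvs[TAG_DEVICE_IDENTITIES][:2]  # 0x81 UICC, 0x82 terminal, 0x83 network
    result = {
        "number": number, "type": ctype, "qualifier": qualifier,
        "name": COMMAND_TYPES.get(ctype, "UNKNOWN 0x%02x" % ctype),
        "source": source, "destination": destination,
        "high_risk": ctype in HIGH_RISK, "text": None, "address": None,
    }
    text = tlvs.get(TAG_TEXT_STRING)
    if text and text[0] == 0x04:  # DCS 0x04 = 8-bit data, readable as-is
        result["text"] = text[1:].decode("latin-1")
    address = tlvs.get(TAG_ADDRESS)
    if address:
        result["address"] = _bcd_digits(address[1:])  # first byte is TON/NPI
    return result


def flag_high_risk(raw_commands):
    """Names of the commands a handset should not execute without user confirmation."""
    return [c["name"] for c in map(decode_proactive_command, raw_commands) if c["high_risk"]]


# Constructed samples, not captured from a real SIM.
DISPLAY_TEXT_CMD = bytes.fromhex(
    "D0 11"                # proactive command, 17 bytes follow
    "81 03 01 21 80"       # command details: number 1, DISPLAY TEXT, qualifier 0x80
    "82 02 81 02"          # device identities: UICC -> display
    "8D 06 04 48656C6C6F"  # text string: DCS 8-bit, "Hello"
)
SEND_SMS_CMD = bytes.fromhex(
    "D0 12"
    "81 03 01 13 00"       # command details: SEND SHORT MESSAGE
    "82 02 81 83"          # device identities: UICC -> network
    "86 03 91 21 43"       # address: international, digits "1234" in swapped-nibble BCD
    "8B 02 01 00"          # SMS TPDU: placeholder bytes
)
LOCAL_INFO_CMD = bytes.fromhex(
    "D0 09"
    "81 03 01 26 00"       # PROVIDE LOCAL INFORMATION, qualifier 0 = location
    "82 02 81 82"          # device identities: UICC -> terminal
)

if __name__ == "__main__":
    for raw in (DISPLAY_TEXT_CMD, SEND_SMS_CMD, LOCAL_INFO_CMD):
        cmd = decode_proactive_command(raw)
        print("%-26s high_risk=%s text=%r address=%r" % (cmd["name"], cmd["high_risk"], cmd["text"], cmd["address"]))
```

The decoder deliberately rejects truncated or non-proactive input instead of guessing, since a parser on the handset side that tolerates malformed TLVs is itself an attack surface. On a real phone the interesting question is not whether the SIM can issue SEND SHORT MESSAGE or PROVIDE LOCAL INFORMATION (the standard allows it) but whether the baseband executes them silently; that is the setting a user or operator would want to audit.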

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa).

  • SGX and security modules

    Software Guard Extensions (SGX) is a set of security-related instructions for Intel processors; it allows the creation of private regions of memory, called "enclaves". The aim of this feature is to work like an inverted sandbox: instead of protecting the system from malicious code, it protects an application from a compromised kernel, hypervisor, or other application. Linux support for SGX has existed out-of-tree for years, and the effort of upstreaming it has reached an impressive version 22 of the patch set. During the upstreaming discussion, the kernel developers discovered that the proposed SGX API did not play nicely with existing security mechanisms, including Linux security modules (LSMs).

  • GitHub acquires Semmle to help developers spot security vulnerabilities [Ed: Company in NSA PRISM pretends to care about security (and also, Microsoft now uses GitHub to change people's code without asking the developers)]

    Software hosting service GitHub has acquired Semmle, a code analysis platform that helps developers discover security vulnerabilities in large codebases.

How to break out of a hypervisor: Abuse Qemu-KVM on-Linux pre-5.3 – or VMware with an AMD driver

Filed under
Linux
Security

A pair of newly disclosed security flaws could allow malicious virtual machine guests to break out of their hypervisor's walled gardens and execute malicious code on the host box.

Both CVE-2019-14835 and CVE-2019-5049 are not particularly easy to exploit as they require specific types of hardware or events to occur. However, if successful, either could allow a miscreant to run malware on the host from a VM instance.

CVE-2019-14835 was discovered and reported by Peter Pi, a member of the Tencent Blade Team. It is found in the Linux kernel versions 2.6.34 up to version 5.3, where it is patched.

Read more

Canonical Outs New Linux Kernel Security Update for All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical released today a new Linux kernel security update for all supported Ubuntu releases to address three vulnerabilities across all supported architectures.

The new Linux kernel security update addresses three vulnerabilities affecting the Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 ESM (Trusty Tahr), and Ubuntu 12.04 ESM (Precise Pangolin) operating systems.

The first security issue addressed in this update is a buffer overflow (CVE-2019-14835) discovered by Peter Pi in the Linux kernel's virtio network backend (vhost_net) implementation, which could allow an attacker in the guest system to either execute arbitrary code in the host OS or crash the host operating system by causing a denial of service.

Read more

Did Lilu Ransomware Really Infect Linux Servers

Filed under
Linux
Server
Security

Note that the domain name of this folder has been hidden from view making it impossible for us to verify if these files were actually on a Linux server. The article goes on to note that “Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally.”

This limitation raises the obvious question of whether the core of the Linux server itself has been compromised or whether merely applications connected to the core have been hacked. There are many very insecure website building applications such as Wordpress and many insecure web mail applications such as Exim that have been repeatedly hacked over the years. Both Wordpress and Exim have suffered from dozens of major security problems that have nothing to do with the security of the Linux operating system which is at the core of all Linux servers. All of the file formats mentioned in the article are files used on Wordpress websites and files that can be transmitted via Exim email programs.

[...]

So instead of 6000 websites on 6000 servers being infected, it looks more like 6000 files on less than 1000 websites were infected. And many of these websites could have been on the same server – meaning that perhaps only a couple dozen out of the world's 10 million Linux servers had infected files – and none of the files were actually in the core of any Linux servers.

[...]

Many of these articles were exact copies of the Zdnet article. Thus far, not a single so-called “security expert” has bothered to look into the evidence provided, much less to challenge or disagree with this silly claim.

Instead, they make even more extreme claims, noting that there are millions of Linux servers running outdated, unpatched and insecure versions of Exim software. This is a fact. But given how many holes have been found in the Exim software, the problem is not with the Linux servers, it is with the Exim software. In my humble opinion, the design of Exim is not secure and the design of Postfix is more secure.

The solution to this Exim problem is to demand that Cpanel support Postfix and to ask Debian to also switch from Exim to Postfix (something Ubuntu has already done for very obvious reasons). This is the benefit of the diversity of free open source software. If one program has problems, there is quite often a more secure alternative that can be installed with just the click of a button. This is a problem that has been going on for years. But it can be fixed in a matter of minutes.

Read more

Security: TrendMicro, Mozilla's Firefox Monitor and Capsule8

Filed under
Security
  • New Linux malware mines crypto after installing backdoor with secret master password [Ed: Skips the part about it having to be installed in the first place (not the fault of Linux)]

    Cybersecurity researchers have identified a new strain of Linux malware that not only mines cryptocurrency illicitly, but provides the attackers with universal access to an infected system via a “secret master password.”

    TrendMicro’s latest blog also reveals that Skidmap attempts to mask its cryptocurrency mining by faking network traffic and CPU-related statistics.

  • Linux malware masks illicit crypto mining with fake network traffic

    A new cryptocurrency mining malware targeting Linux systems has demonstrated how complex this type of malware has become. Known as Skidmap, the malware is not only harder to detect, it also gives the attackers unfiltered access to the affected system.

  • What to do after a data breach

    You saw the news alert. You got an email, either from Firefox Monitor or a company where you have an account. There’s been a security incident — a data breach. And your account has been compromised.

    Getting notified that you’ve been a victim of a data breach can be alarming. You have valid cause for concern, but there are a few steps you can take immediately to protect your account and limit the damage.

  • Capsule8 Protect Earns HIPAA Compliance Certification

Security: Updates, Drama and FUD

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).

  • This New Linux Malware Mines Crypto By Creating Malign Linux Modules

    As per the research, the new Linux malware mines crypto by creating malicious loadable kernel modules (LKMs) to stay under wraps. As the malware utilizes Linux kernel module rootkits, it becomes difficult to detect and patch it. This is because of its capability to overwrite and modify parts of the kernel.

  • A Critical Exim Vulnerability, Lilocked Ransomware on the Rise, but Linux Not to Blame

    In the context of these recent vulnerabilities and exploits, it is easy to label Linux and Open Source as “vulnerable” or “insecure”. However, doing so is unfair as well as incorrect. Unlike Windows and MacOS, Linux is a multi-user environment (a characteristic that the OS inherited from Unix) where users are granted specific privileges. This design prevents the compromise of one user account from impacting an entire system. In order to gain control over a Linux system, malware would have to gain root access to the system.

    Vulnerabilities exist in every system, and in terms of security vulnerabilities, Linux has a relatively clean record when compared to other popular operating systems. In the words of Linux creator Linus Torvalds, “Given enough eyeballs, all bugs are shallow”. Because of the intense review that Linux is continuously undergoing from security experts in the Open Source community, vulnerabilities are quickly identified and fixed. Because of this, as well as the way in which Linux manages privileges, relatively few viruses and worms are written to attack Linux systems. In comparison, proprietary operating systems like Microsoft Windows are easy targets for malicious coders, making them frequent victims of malware and viruses. This year, a total of 700 vulnerabilities in Microsoft Windows were disclosed, 189 of which were classified as critical.

    Exim, however, is a notoriously insecure mail server. In spite of this, it has a market share of over 57 percent, due to the fact that the MTA has been bundled with many Linux distros, including Debian and Red Hat. Thus, the frequent security bugs and exploits involving Exim affect a large number of Linux users, but are not a reflection of the inherent security of the Linux OS.

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark).

  • Open Source Security Podcast: Episode 161 - Human nature and ad powered open source

    Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source?

  • Skidmap malware drops LKMs on Linux machines to enable cryptojacking, backdoor access

    Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.

    Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post today.

    “Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits – given their capability to overwrite or modify parts of the kernel – makes it harder to clean compared to other malware,” the blog post states. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”

  • Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload

    Cryptocurrency-mining malware is still a prevalent threat, as illustrated by our detections of this threat in the first half of 2019. Cybercriminals, too, increasingly explored new platforms and ways to further cash in on their malware — from mobile devices and Unix and Unix-like systems to servers and cloud environments.

    They also constantly hone their malware’s resilience against detection. Some, for instance, bundle their malware with a watchdog component that ensures that the illicit cryptocurrency mining activities persist in the infected machine, while others, affecting Linux-based systems, utilize an LD_PRELOAD-based userland rootkit to make their components undetectable by system monitoring tools.
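The tradecraft in these Skidmap reports (an out-of-tree LKM, an LD_PRELOAD-based userland rootkit, a "master password" that opens every account, and persistence that survives clean-up) suggests three cheap host checks, shown here as an added example that is not Trend Micro's code and not a Skidmap sample. The first check compares the modules listed in /proc/modules with those the running kernel shipped in modules.dep and also looks at the O (out-of-tree) and E (unsigned) taint flags; the second lists anything in /etc/ld.so.preload; the third compares pam_unix.so with a trusted hash, on the assumption (mine, not stated in the articles) that a patched PAM module is how such a master password is usually implemented. The module name "fakestats", the library path, the byte strings and the hash baseline are constructed placeholders, and the live-host paths for modules.dep and pam_unix.so assume a Debian/Ubuntu x86_64 layout.

```python
"""Host checks for the Skidmap-style rootkit tradecraft described above.

Added example: not Trend Micro's code and not a Skidmap sample. Checks three
indicators: a loaded kernel module the running kernel did not ship or that is
tainted out-of-tree/unsigned, a library forced into every process via
/etc/ld.so.preload, and a pam_unix.so that no longer matches a trusted hash.
Sample inputs are constructed; the live-host paths are assumptions.
"""
import hashlib
import os

_KO_SUFFIXES = (".ko.zst", ".ko.xz", ".ko.gz", ".ko")


def parse_proc_modules(text):
    """Return {name: taint_flags} from /proc/modules text; taint is '' when absent."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            taint = fields[-1].strip("()") if fields[-1].startswith("(") else ""
            modules[fields[0]] = taint
    return modules


def parse_modules_dep(text):
    """Return the module names shipped with the kernel, from modules.dep."""
    names = set()
    for line in text.splitlines():
        base = os.path.basename(line.split(":", 1)[0].strip())
        for suffix in _KO_SUFFIXES:
            if base.endswith(suffix):
                names.add(base[:-len(suffix)].replace("-", "_"))  # /proc uses underscores
                break
    return names


def suspicious_modules(proc_modules_text, modules_dep_text):
    """[(name, reason)] for loaded modules missing from modules.dep or tainted O/E."""
    shipped = parse_modules_dep(modules_dep_text)
    hits = []
    for name, taint in parse_proc_modules(proc_modules_text).items():
        reasons = []
        if name.replace("-", "_") not in shipped:
            reasons.append("not shipped with running kernel")
        if "O" in taint or "E" in taint:  # O = out-of-tree, E = unsigned
            reasons.append("taint " + taint)
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


def preload_entries(ld_so_preload_text):
    """Libraries the loader injects into every process; the file is normally empty or absent."""
    return [line.strip() for line in ld_so_preload_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def pam_unix_tampered(pam_unix_bytes, baseline_sha256):
    """True when the installed pam_unix.so differs from the recorded baseline hash."""
    return hashlib.sha256(pam_unix_bytes).hexdigest() != baseline_sha256


def assess(proc_modules_text, modules_dep_text, ld_so_preload_text, pam_unix_bytes, baseline_sha256):
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = ["kernel module %s: %s" % hit
                for hit in suspicious_modules(proc_modules_text, modules_dep_text)]
    findings += ["/etc/ld.so.preload injects %s into every process" % lib
                 for lib in preload_entries(ld_so_preload_text)]
    if pam_unix_tampered(pam_unix_bytes, baseline_sha256):
        findings.append("pam_unix.so differs from baseline (possible master-password backdoor)")
    return findings


def check_live_host(baseline_sha256=None, pam_path="/lib/x86_64-linux-gnu/security/pam_unix.so"):
    """Run the checks on this machine (Linux; pam_path is a Debian/Ubuntu assumption).
    Without a baseline hash the PAM check cannot fire, so record one at install time."""
    def read(path, mode="r", default=""):
        try:
            with open(path, mode) as f:
                return f.read()
        except OSError:
            return default
    pam = read(pam_path, "rb", b"")
    return assess(read("/proc/modules"),
                  read("/lib/modules/%s/modules.dep" % os.uname().release),
                  read("/etc/ld.so.preload"), pam,
                  baseline_sha256 or hashlib.sha256(pam).hexdigest())


# Constructed samples; "fakestats" and libhook.so are placeholder names, not Skidmap artefacts.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a1d000
ext4 778240 1 - Live 0xffffffffc0900000
fakestats 20480 0 - Live 0xffffffffc0b10000 (OE)
"""
SAMPLE_MODULES_DEP = """\
kernel/net/netfilter/xt_conntrack.ko:
kernel/fs/ext4/ext4.ko: kernel/lib/crc16.ko kernel/fs/jbd2/jbd2.ko
"""
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/libhook.so\n"
CLEAN_PAM_UNIX = b"stand-in bytes for the packaged pam_unix.so"
BASELINE_SHA256 = hashlib.sha256(CLEAN_PAM_UNIX).hexdigest()
TROJANED_PAM_UNIX = CLEAN_PAM_UNIX + b" plus a master-password check"

if __name__ == "__main__":
    for finding in assess(SAMPLE_PROC_MODULES, SAMPLE_MODULES_DEP,
                          SAMPLE_LD_SO_PRELOAD, TROJANED_PAM_UNIX, BASELINE_SHA256):
        print("FINDING:", finding)
```

One caveat that follows directly from the articles: a kernel-mode rootkit can hide its own entry in /proc/modules and an LD_PRELOAD hook can lie to any tool that reads /etc/ld.so.preload through libc, so a clean result from the live host is only as trustworthy as the kernel and loader it ran under. Treat these checks as a cheap first pass, and confirm a suspicious host from a trusted boot medium or by hashing its disk offline against the package manager's manifests; Trend Micro's note that Skidmap keeps several ways back in is the reason a clean-up without that step tends not to stick.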
