Security

Security: Apple, OpenVPN, Old Drupal Bugs and More

Filed under
Security

Most secure Linux distros in 2018

Filed under
GNU
Linux
Security

Think of a Linux distribution as a bundle of software delivered together, based on the Linux kernel – a kernel being the core of a system that connects software to hardware and vice versa – with a GNU operating system and a desktop environment, giving the user a visual way to operate the system via a graphical user interface.

Linux has a reputation as being more secure than Windows and Mac OS due to a combination of factors – not all of them about the software.

Firstly, although desktop Linux users are on the up, Linux environments are far less common in the grand scheme of things than Windows devices on personal computers. The Linux community also tends to be more technical. There are technical reasons too, including fundamental differences in the way the distribution architecture tends to be structured.

Nevertheless, over the last decade security-focused distributions started to appear, which will appeal to the privacy-conscious user who wants to avoid the worldwide state-sanctioned internet spying that the west has pioneered and where it continues to innovate. Of course, none of these will guarantee your privacy, but they're a good start. Here we list some of them.

It is worth noting that security best practices are often about process rather than the technology, avoiding careless mistakes like missing patches and updates, and using your common sense about which websites you visit, what you download, and what you plug into your computer.

Canonical Releases AMD Microcode Updates for All Ubuntu Users to Fix Spectre V2

Filed under
Security
Ubuntu

The Spectre microprocessor side-channel vulnerabilities were publicly disclosed earlier this year and discovered to affect billions of devices made in the past two decades. Unearthed by Jann Horn of Google Project Zero, the second variant (CVE-2017-5715) of the Spectre vulnerability is described as a branch target injection attack.

The security vulnerability affects all microprocessors that use branch prediction and speculative execution function, and it can allow unauthorized memory reads via side-channel attacks if the system isn't patched. For example, a local attacker could use it to expose sensitive information, including kernel memory.

Linux Kernel and Security: LVM2, Containers, AMD

Filed under
Linux
Security
  • LVM2 Begins Work On Major Changes To Logical Volume Management

    LVM2 as the user-space tools for Logical Volume Management (LVM) on Linux is in the process of going through a big re-work.

  • Containers and Cloud Security

    The idea behind this blog post is to take a new look at how cloud security is measured and what its impact is on the various actors in the cloud ecosystem. From the measurement point of view, we look at the vertical stack: all code that is traversed to provide a service all the way from input web request to database update to output response potentially contains bugs; the bug density is variable for the different components but the more code you traverse the higher your chance of exposure to exploitable vulnerabilities. We’ll call this the Vertical Attack Profile (VAP) of the stack. However, even this axis is too narrow because the primary actors are the cloud tenant and the cloud service provider (CSP). In an IaaS cloud, part of the vertical profile belongs to the tenant (The guest kernel, guest OS and application) and part (the hypervisor and host OS) belongs to the CSP. However, the CSP vertical has the additional problem that any exploit in this piece of the stack can be used to jump into either the host itself or any of the other tenant virtual machines running on the host. We’ll call this exploit causing a failure of containment the Horizontal Attack Profile (HAP). We should also note that any Horizontal Security failure is a potentially business destroying event for the CSP, so they care deeply about preventing them. Conversely any exploit occurring in the VAP owned by the Tenant can be seen by the CSP as a tenant only problem and one which the Tenant is responsible for locating and fixing. We correlate size of profile with attack risk, so the larger the profile the greater the probability of being exploited.

  • Canonical Releases AMD Microcode Updates for All Ubuntu Users to Fix Spectre V2

    Canonical released a microcode update for all Ubuntu users with AMD processors to address the well-known Spectre security vulnerability.


Unbreakable Enterprise Kernel Release

Filed under
Red Hat
Security
  • Announcing the general availability of the Unbreakable Enterprise Kernel Release 5

    The Unbreakable Enterprise Kernel Release 5 (UEK R5) is a heavily tested and optimized operating system kernel for Oracle Linux 7 Update 5 and later on 64-bit Intel (x86_64) and ARM (aarch64) architectures. It is based on the mainline Linux kernel version 4.14 LTS. This release also updates drivers and includes bug and security fixes.

  • Oracle's Unbreakable Enterprise Kernel R5 Now Officially Ready For x86_64 & AArch64

    Oracle has promoted its Unbreakable Enterprise Kernel Release 5 to general availability for x86_64 and ARM64 (AArch64) architectures.

    Unbreakable Enterprise Kernel Release is their downstream of the Linux kernel that they sprinkle with extra features for security, performance, and extra features. The Unbreakable Enterprise Kernel is paired with Oracle Linux, the company's downstream of Red Hat Enterprise Linux.

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Hortonworks’ Shaun Bierweiler on Enterprise Open Source’s Security Edge Over Proprietary Software

    Shaun Bierweiler, vice president of U.S. public sector at Hortonworks, told Datanami in an interview published Tuesday about the advantage of adopting an open approach to technology development in the big data space.

    “When you think about integration points, and the various technologies and players coming to market, if you don’t have an open approach and open model and open interfaces, it’s really difficult, costly and time-consuming to bring those pieces together,” he said.

  • Best free Linux firewalls of 2018

    A firewall is an important aspect of computer security these days, and most modern routers have one built in, which while helpful, can be difficult to configure. Fortunately there are also distributions (distros) of the free operating system Linux which have been specifically designed to function as firewalls.

    These will generally have much more advanced features than those found on a router, and allow you to have far greater control over keeping your personal or business network safe.

  • The LJ Password Generator Tool
  • Open Source Hardware Cryptocurrency Wallet Unveiled By McAfee And Bitfi

    Global payments tech firm Bitfi has launched the Bitfi Wallet. According to the payments company the hardware wallet is unhackable. Some of the digital currencies that the wallet supports include privacy-oriented virtual currency Monero (XMR) which has not previously had a hardware wallet. The wallet comes with a dashboard consisting of a wireless setup as well as support.

Hyperthreading From Intel Seen as Dodgy, Buggy

Filed under
Graphics/Benchmarks
Hardware
Security
  • Intel Hyper Threading Performance With A Core i7 On Ubuntu 18.04 LTS

    Following the news yesterday of OpenBSD disabling Intel Hyper Threading by default within its OS over security concerns and plans to disable Simultaneous Multi Threading for other processors/architectures too, here are some fresh Intel HT benchmarks albeit on Ubuntu Linux. The OpenBSD developer involved characterized HT/SMT as "doesn't necessarily have a positive effect on performance; it highly depends on the workload. In all likelihood it will actually slow down most workloads if you have a CPU with more than two cores." So here are some benchmarks using a current-generation Intel Core i7 8700K six-core processor with Hyper Threading.

  • SMT Disabled by Default in -current
  • OpenBSD Will Disable Intel Hyper-Threading To Avoid Spectre-Like Exploits

    OpenBSD, an open source operating system that focuses on security, announced that it will disable Intel’s Hyper-Threading (HT) feature so that attackers can no longer employ Spectre-like cache timing attacks.

  • Intel’s hyperthreading blocked on OpenBSD amid hints of new Spectre-like bugs

    The maintainer of open source Unix-like operating system, OpenBSD, has announced that it will disable hyperthreading on Intel CPUs because of security concerns. It claims that simultaneous multithreading creates a potential new attack vector for Spectre-like exploits, and plans to expand its disabling of multithreading technologies to other chip manufacturers in the near future.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Millions of Streaming Devices Are Vulnerable to a Retro Web Attack

    Sitting in his Chicago apartment, two blocks from Lake Michigan, Dorsey did what anyone with a newfound hacking skill would: He tried to attack devices he owned. Instead of being blocked at every turn, though, Dorsey quickly discovered that the media streaming and smart home gadgets he used every day were vulnerable to varying degrees to DNS rebinding attacks. He could gather all sorts of data from them that he never would have expected.

  • Pros vs Joes CTF: The Evolution of Blue Teams

    Pros v Joes CTF is a CTF that holds a special place in my heart. Over the years, I’ve moved from playing in the 1st CTF as a day-of pickup player (signing up at the conference) to a Blue Team Pro, to core CTF staff. It’s been an exciting journey, and Red Teaming there is about the only role I haven’t held. (Which is somewhat ironic given that my day job is a red team lead.) As Blue teams have just formed, and I’m not currently attached to any single team, I wanted to share my thoughts on the evolution of Blue teaming in this unique CTF. In many ways, this will resemble the Blue Team player’s guide I wrote about 3 years ago, but will be based on the evolution of the game and of the industry itself. That post remains relevant, and I encourage you to read it as well.

    [...]

    It turns out that a lot of the fundamental knowledge necessary in securing a network is just basically system administration fundamentals. Understanding how the system works and how systems interact with each other provides much of the basics of information security.

    On both Windows and Linux, it is useful to understand:

    How to install & update software and operating system updates
    How to change permissions of files
    How to start and stop services
    How to set up a host-based firewall
    Basic Shell Commands
    User administration

OpenBSD disables hyperthreading support for Intel CPUs due to likely data leaks

Filed under
Security
BSD

Security: OpenBSD, FUD and More

Filed under
Security
  • OpenBSD Disabling SMT / Hyper Threading Due To Security Concerns

    Security oriented BSD operating system OpenBSD is making the move to disable Hyper Threading (HT) on Intel CPUs and more broadly moving to disable SMT (Simultaneous Multi Threading) on other CPUs too.

    Disabling of Intel HT and to follow with disabling SMT for other architectures is being done in the name of security. "SMT (Simultaneous Multi Threading) implementations typically share TLBs and L1 caches between threads. This can make cache timing attacks a lot easier and we strongly suspect that this will make several spectre-class bugs exploitable. Especially on Intel's SMT implementation which is better known as Hyper-threading. We really should not run different security domains on different processor threads of the same core."

    OpenBSD could improve their kernel's scheduler to work around this, but given that is a large feat, at least for now they have decided to disable Hyper Threading by default.

    Those wishing to toggle the OpenBSD SMT support can use the new hw.smt sysctl setting on OpenBSD/AMD64; it is being extended to cover CPUs from other vendors and architectures.

  • Linux malware threats - bots, backdoors, trojans and malicious apps [Ed: Ignoring back doors in Windows and other proprietary platforms to instead focus on malicious software one actually needs to install on one's machine or choose a trivial-to-guess password (when there are open ports)]
  • Does Open Source Boost Security? Hortonworks Says Yes

    Organizations are best served security-wise if they favor and adopt open source technology — especially enterprise open source — over proprietary alternatives, according to Hortonworks. However, not everybody agrees that open source software intrinsically is more secure.

    It’s tough to argue that open source hasn’t brought significant benefits to the IT industry and the tens of thousands of organizations that rely on IT products to automate their operations. Starting with the introduction of Linux in the late 1990s, major swaths of the tech industry have shifted to open source development methodologies. That includes the vast majority of the big data ecosystem, which has been largely bootstrapped by various Apache Software Foundation projects.

  • Don't Neglect Open Source Security [Ed: Well, if you have chosen proprietary software, then you have already given up on security altogether. With FOSS there's at least control and hope.]
  • How to build a strong DevSecOps culture: 5 tips [Ed: Red Hat is still promoting dumb buzzwords that help employers overwork their staff]
  • A Framework to Strengthen Open Source Security and Compliance [Ed: Firms that profit from perceived insecurity of FOSS push so-called 'white papers' into IDG]