Security and FUD: SpaceX, NMap, Polyverse, MongoDB, NGINX and Kubernetes

Filed under
Security
  • All Those Low-Cost Satellites in Orbit Could Be Weaponized by Hackers, Warns Expert

    Last month, SpaceX became the operator of the world's largest active satellite constellation. As of the end of January, the company had 242 satellites orbiting the planet with plans to launch 42,000 over the next decade.

    This is part of its ambitious project to provide internet access across the globe. The race to put satellites in space is on, with Amazon, UK-based OneWeb and other companies chomping at the bit to place thousands of satellites in orbit in the coming months.

  • NMap - A Basic Security Audit of Exposed Ports and Services

    For a plethora of reasons, auditing the security of our servers and networks is of paramount importance. Whether we are talking about a development server, a workstation, or a major enterprise application, security should be baked into every step of the deployment. While we can easily check our firewall settings from “the inside” of our systems, it is also a good idea to run a security audit from “the outside”, using a network enumeration tool such as the famous and highly vetted Network Mapper (NMap).

  • Cybersecurity startup Polyverse raises $8M to protect Linux open-source code from hackers [Ed: Right around the corner from Bill Gates, another company like Black Duck and it'll "protect" Linux... just buy its proprietary software]

    Polyverse has been validated by the U.S. Department of Defense for mitigating zero-day attacks, intrusions that occur just as a vulnerability becomes public, such as the infamous WannaCry ransomware and hacks of companies like Equifax. The company says its technology is “running on millions of servers.”

  • MongoDB: developer distraction dents DevSecOps dreams

    MongoDB’s director of developer relations has just opened a piece of internal research that suggests as few as 29% of Europe’s developers take full responsibility for security.

    Now, 29% is a somewhat arbitrary figure, clearly, i.e. it could be 22.45% or it could be 39.93%… the fact that the firm has pointed to an exact sum in this way is merely intended to show that it has undertaken a degree of calculation and statistical analysis.

  • NGINX Unit Adds Support for Reverse Proxying and Address-Based Routing

    NGINX announced the release of versions 1.13 and 1.14 of NGINX Unit, its open-source web and application server. These releases include support for reverse proxying and address-based routing based on the connected client's IP address and the target address of the request.

    NGINX Unit is able to run web applications in multiple language versions simultaneously. Languages supported include Go, Perl, PHP, Python, Node.JS, Java, and Ruby. The server does not rely on a static configuration file, instead allowing for configuration via a REST API using JSON. Configuration is stored in memory allowing for changes to happen without a restart.

  • Kubernetes Security Plagued by Human Error, Misconfigs

    Following a year of numerous security bugs within the Kubernetes ecosystem and the first security audit of Kubernetes conducted by the Cloud Native Computing Foundation (CNCF), which hosts the open source platform, continued wide-spread adoption has seen security become somewhat of an afterthought.

    However, if security concerns continue inhibiting business innovation, does that fall on businesses for neglecting security practices or the market for not providing them with the tools to confidently secure their deployments?

    “People just get security wrong sometimes,” McLean said. “Companies need a combination of increased learning, cross-pollination, new tooling, and updated processes to identify and remediate these security ‘mistakes’ during build and deploy vs. waiting for exposure during runtime.”

Security and Scare for Sale

Filed under
Security
  • Malware Attack Takes ISS World's Systems Offline

    Founded in 1901, the Copenhagen, Denmark-based company provides cleaning, support, property, catering, security, and facility management services for offices, factories, airports, hospitals, and other locations all around the world.

    At the moment, the company’s employees don’t have access to corporate systems, as they were taken offline following a malware attack earlier this week.

  • The rise and rise of ransomware [iophk: Windows TCO]
  • Security flaws belatedly fixed in open source SuiteCRM software

    According to Romano, a second-order PHP object injection vulnerability (CVE-2020-8800) in SuiteCRM could be “exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks, such as executing arbitrary PHP code”.

    SuiteCRM versions 7.11.11 and below are said to be vulnerable.

    [...]

    “We have put a notice on our open source community channels and advice via social media. We have a dedicated community that works around the clock to spot vulnerabilities and produce suitable fixes, which is one of the key benefits for a business when choosing to use open source software.”

  • With the rise of third-party code, zero-trust is key

    The surface area of website and web application attacks keeps growing. One reason for this is the prevalence of third-party code. When businesses build web apps, they use code from many sources, including both commercial and open-source projects, often created and maintained by both professional and amateur developers.

    Web application creators take advantage of third-party code because it allows them to build their websites and apps quickly. For example, companies are likely to add a third-party chat widget to their site, instead of building one from scratch.

    But third-party code can leave websites vulnerable. Consider the July 2018 Magecart attack on Ticketmaster. In this data breach, hackers were able to gain access to sensitive customer information on Ticketmaster's website by compromising a third-party script used to provide chatbot functionality.

    The challenge is that this third-party functionality runs directly on the customer's browser, and the browser is built to simply render the code sent down from a web server. It assumes that all code, whether first-party or third-party, is good.

  • New company BluBracket takes on software supply chain code security
  • BluBracket scores $6.5M seed to help secure code in distributed environments

    BluBracket, a new security startup from the folks who brought you Vera, came out of stealth today and announced a $6.5 million seed investment. Unusual Ventures led the round with participation by Point72 Ventures, SignalFire and Firebolt Ventures.

Security: Debian LTS Work, Various Patches, Honeypots/Honeynets and FUD (Marketing)

Filed under
Security
  • Freexian’s report about Debian Long Term Support, January 2020

    January started calm until, at the end of the month, some LTS contributors met, some for the first time ever, at the Mini-DebCamp preceding FOSDEM in Brussels. While there were no formal events about LTS at either event, such face-to-face meetings have proven to be very useful for future collaborations!

    We currently have 59 LTS sponsors sponsoring 219h each month. Still, as always, we are welcoming new LTS sponsors!

  • Security updates for Friday

    Security updates have been issued by CentOS (openjpeg2), Debian (cloud-init, jackson-databind, and python-reportlab), Red Hat (ksh, python-pillow, systemd, and thunderbird), Slackware (proftpd), SUSE (java-1_7_0-ibm, nodejs10, and nodejs12), and Ubuntu (ppp and squid, squid3). 

  • Honeypots and Honeynets
  • Up close and personal with Linux malware [Ed: ESET trying to sell its useless proprietary software for a platform that does not need it]

    Chances are that the very word ‘Linux’ conjures up images of near-impenetrable security. However, Linux-based computer systems and applications running on them increasingly end up in the crosshairs of bad actors, and recent years have seen discoveries of a number of malicious campaigns that hit Linux systems, including botnets that were made up of thousands of Linux servers. These mounting threats have challenged the conventional thinking that Linux is more or less spared the problems that affect other operating systems, particularly Windows.

Security, Fear, Uncertainty, and Doubt

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by Debian (netty and netty-3.9), Fedora (ceph, dovecot, poppler, and webkit2gtk3), openSUSE (inn and rmt-server), Oracle (openjpeg2), Red Hat (rabbitmq-server), Scientific Linux (openjpeg2), SUSE (dnsmasq, rsyslog, and slurm), and Ubuntu (php7.0).

  • 30 The Most Common Hacking Techniques and How to Deal with Them [Ed: Cracking, not hacking. Not the same thing.]
  • A guide to developing a holistic IT security strategy

    In assessing how prevalent cyberattacks are for companies, 18 percent of respondents rated the security risk as very high. Half (50 percent) even stated that their company had suffered financial losses due to security incidents. Opinions differed as to whether the incidents were handled optimally: Almost half (49 percent) say that everything worked well, while the other half (49 percent) believe there is a lot of potential for improvement.

  • Linux and malware: Should you worry? [Ed: All those headlines with question marks mean that the answer is "No."]

    Gone are the days when the idea of viruses or other malware hitting Linux was almost universally greeted with quizzical glances, if not outright rejection. Long thought of as the perfect marriage of open-source goodness and strong, Unix-like security, Linux-based operating systems are now increasingly seen as another valuable – and viable – target.

    This shift in thinking is partly the result of a growing realization among both Linux hobbyists and system administrators that a compromised Linux system such as a web server provides attackers an excellent ‘return on investment’. Just as importantly, malware research in recent years has brought better visibility into threats facing Linux systems.

Why You Still Don’t Need Antivirus Software on Linux in 2020

Filed under
GNU
Linux
Security

There’s a division of opinion when it comes to the question: does Linux need antivirus? Well, the short answer is no. Some say viruses for Linux are rare; others say Linux’s security system is secure and much safer than other operating systems such as Windows.

So, is Linux really secure?

While no single operating system is entirely secure, Linux is known to be much more reliable than Windows or any other operating system. The reason behind this is not the security of Linux itself but the minority of viruses and malware that exist for the operating system.

Viruses and malware are incredibly rare on Linux. They do exist, though the likelihood of getting a virus on your Linux OS is very low. Linux-based operating systems also have additional security patches that are updated regularly to keep them safer.

The userbase of Linux is tiny when compared to Windows. While operating systems like Windows and Mac house all kinds of users, Linux is inclined more towards advanced users. In the end, it all comes down to the caution taken by the user.

Can you get viruses on Linux?

Yes, before you assume anything, viruses and malware can affect any operating system.

No operating system is 100% safe, and it’s a fool’s errand to look for one. Like Windows and Mac OS, you can get viruses on Linux. However rare they are, they still exist.

On the official page of Ubuntu, a Linux based OS, it is said that Ubuntu is highly secure. A lot of people installed Ubuntu for the sole purpose of having a dependable OS when it comes to the security of their data and sensitive details.


Security: Patches, Bugs, RMS Talk and NG Firewall 15.0

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, ksh, and sudo), Debian (php7.0 and python-django), Fedora (cacti, cacti-spine, mbedtls, and thunderbird), openSUSE (chromium, re2), Oracle (firefox, java-1.7.0-openjdk, and sudo), Red Hat (openjpeg2 and sudo), Scientific Linux (java-1.7.0-openjdk and sudo), SUSE (dbus-1, dpdk, enigmail, fontforge, gcc9, ImageMagick, ipmitool, php72, sudo, and wicked), and Ubuntu (clamav, linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-azure, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-lts-xenial, linux-aws, and qemu).

  • Certificate validity and a y2k20 bug

    One of the standard fields of an SSL certificate is the validity period. This field includes notBefore and notAfter dates which, according to RFC5280 section 4.1.2.5, indicate the interval "during which the CA warrants that it will maintain information about the status of the certificate".

    This is one of the fields that should be inspected when accepting new or unknown certificates.

    When creating certificates, there are a number of theories on how long to set that period of validity. A short period reduces risk if a private key is compromised. The certificate expires soon after and can no longer be used. On the other hand, if the keys are well protected, then there is a need to regularly renew those short-lived certificates.

  • Free Software is protecting your data – 2014 TEDx Richard Stallman Free Software Windows and the NSA

    Libre booted (BIOS with Linux overwritten) Thinkpad T400s running Trisquel GNU/Linux OS. (src: https://stallman.org/stallman-computing.html)

    LibreBooting the BIOS?

    Yes!

    It is possible to overwrite the BIOS of some Lenovo laptops (why only some?) with a minimal version of Linux.

  • NG Firewall 15.0 is here with better protection for SMB assets

    Here comes the release of NG Firewall 15.0 by Untangle with the creators claiming top-notch security for SMB assets. Let’s thoroughly discuss the latest NG Firewall update.

    With that being said, it only makes sense to first introduce this software to the readers who aren’t familiar with it. As the name ‘NG Firewall’ suggests, it is indeed a firewall, but a very powerful one. It is a Debian-based network gateway designed for small to medium-sized enterprises.

    If you want to be up-to-date with the latest firewall technology, your best bet would be to opt for this third-generation firewall. Another factor that distinguishes the NG Firewall from other such products in the market is that it combines network device filtering functions and traditional firewall technology.

Unsigned Firmware Puts Windows, Linux Peripherals at Risk

Filed under
Security

Researchers at firmware security company Eclypsium on Tuesday released new research that identifies and confirms unsigned firmware in WiFi adapters, USB hubs, trackpads and cameras used in Windows and Linux computer and server products from Lenovo, Dell, HP and other major manufacturers.

Eclypsium also demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers.

The demonstration shows the exposed attack vector once firmware on any of these components is infected using the issues the report describes. The malware stays undetected by any software security controls.

Unsigned firmware provides multiple pathways for malicious actors to compromise laptops and servers. That leaves millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware, warned Eclypsium.


Proprietary Software and Security

Filed under
Software
Security
  • TurboTax Is Still Tricking Customers With Tax Prep Ads That Misuse the Word “Free”

    On Dec. 30, the IRS announced it was revamping a long-standing agreement with the online tax preparation industry in which companies offer free filing to people with incomes below certain levels, a category that includes 70% of filers. The change in what’s known as the Free File program came in the wake of multiple ProPublica articles that revealed how the companies in the program steered customers eligible for free filing to their paid offerings. Under the updated agreement, the companies are now prohibited from hiding their Free File webpages from Google searches, and the IRS was allowed to create its own online tax-filing system.

    So far, it seems, the companies are abiding by their promise to make their Free File webpages visible in online searches. But the updated agreement appears to have a loophole: It doesn’t apply to advertising. Nothing in it, the agreement states, “limits or changes the rights” of participating companies to advertise “as if they were not participating in the Free File program.”

  • Ransomware Shuts Gas Compressor for 2 Days in Latest Attack [iophk: Windows TCO]

    It appears likely that the attacker explored the facility’s network to “identify critical assets” before executing the ransomware attack, according to Nathan Brubaker, a senior manager at the cybersecurity firm FireEye Inc. This tactic -- which has become increasingly popular among hackers -- makes it “possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators,” he said.

  • Twitter says Olympics, IOC accounts [cracked]

    Twitter (TWTR.N) said on Saturday that an official Twitter account of the Olympics and the International Olympic Committee’s (IOC) media Twitter account had been [cracked] and temporarily locked.

    The accounts were [cracked] through a third-party platform, a spokesperson for the social media platform said in an emailed statement, without giving further details.

  • Olympics, IOC accounts were [cracked], Twitter says

    The social media company Twitter on Saturday said that the official Twitter accounts for the Olympics as well as the International Olympic Committee (IOC) have both been [cracked] and temporarily locked.

  • Apple warns revenue will be lower than expected because of coronavirus impact

    In a rare investor update on Monday, Apple said the global effects of the coronavirus outbreak are having a material impact on the company’s bottom line. The company does not expect to meet its own revenue guidance for the second quarter due to the impact of the virus, and warns that “worldwide iPhone supply will be temporarily constrained.” Store closures and reduced retail traffic in China are also expected to have a significant impact.

    All of Apple’s iPhone manufacturing partner sites have been reopened but are “ramping up more slowly than we had anticipated,” which means that fewer iPhones than expected will be manufactured. As a result, “[t]hese iPhone supply shortages will temporarily affect revenues worldwide,” says Apple.

  • We decided to leave AWS

    For past adventures, I mostly used third-party email delivery services like Postmark, SendGrid, SES, etc. Unfortunately their pricing models are based on the number of emails, which is not compatible with the unlimited forwards/sends that SimpleLogin offers. In addition, we want SimpleLogin to be easily self-hosted, with its components fitting on a single server. For these reasons, we decided to run our MTA (Mail Transfer Agent) on EC2 directly.

  • [Old] Kerberos (I): How does Kerberos work? – Theory

    The objective of this series of posts is to clarify how Kerberos works, rather than just introduce the attacks. This is due to the fact that on many occasions it is not clear why some techniques work or not. Having this knowledge allows you to know when to use any of those attacks in a pentest.

    Therefore, after a long journey of diving into the documentation and several posts about the topic, we’ve tried to write in this post all the important details which an auditor should know in order to understand how to take advantage of the Kerberos protocol.

    In this first post only basic functionality will be discussed. In later posts we will see how to perform the attacks and how the more complex aspects, such as delegation, work.

  • [Old] Kerberos (II): How to attack Kerberos?

    These attacks are sorted by the privileges needed to perform them, in ascending order. Thus, to perform the first attacks only connectivity with the DC (Domain Controller) is required, which is the KDC (Key Distribution Center) for the AD (Active Directory) network, whereas the last attack requires a user who is a Domain Administrator or has similar privileges.

  • Kerberos (III): How does delegation work?

    In this article, we will focus on understanding how the different kinds of delegation work, including some special cases. Additionally, some scenarios where it could be possible to take advantage of these mechanisms in order to leverage privilege escalation or set persistence in the domain will be introduced.

    Before starting with the explanations, I will assume that you already understand Kerberos’ basic concepts. However, if expressions like TGT, TGS, KDC or Golden ticket sound strange to you, you should definitely check the article “How does Kerberos work?” or any related Kerberos introduction.

GNOME 3.34.4 Released with Various Improvements and Bug Fixes

Filed under
GNOME
Security

Released in September 2019, the GNOME 3.34 “Thessaloniki” desktop environment is the first to adopt a new release cycle with extended maintenance updates. Previous GNOME releases only received two maintenance updates during their support cycle.

Therefore, GNOME 3.34.4 is here as a minor bugfix release to GNOME 3.34, addressing various issues, as well as updating translations across several components and applications. Among the changes, there’s a big GTK update with better Wayland support, VP8 encoding for the built-in screen-recorder, and another major Vala update.


Critical Sudo Vulnerability Now Patched in CentOS 7 and RHEL 7

Filed under
Red Hat
Security

A critical vulnerability (CVE-2019-18634) was discovered earlier this month by Joe Vennix in the Sudo package, a program that lets users run programs in a UNIX system with the security privileges of another user. The flaw could allow an unprivileged user to obtain full root privileges.

Affected Sudo versions included all releases from v1.7.1 to v1.8.25p1. However, it was discovered that it doesn’t affect systems that did not have the pwfeedback option enabled in the /etc/sudoers file. For more details you can check out our previous report.

Games: Humble Store, Bully: Scholarship and DOSBox

  • Humble Store has a 'Tabletop Sale' going, some good Linux games on offer

    It's the start of another glorious week for Linux gaming and another big sale is going on again. Over on the Humble Store, they have a Tabletop Sale now live.

  • How to play Bully: Scholarship Edition on Linux

    Bully: Scholarship Edition is a remaster of Rockstar Game’s “Bully,” a game about a young kid working his way through the social hierarchy of high school, meeting girls, making friends, and causing mischief. The game is an open world, which is typical of Rockstar. Here’s how to get it working on your Linux PC.

  • DOSBox – Run classic DOS games on your Linux PC

    DOSBox is an open-source software that creates a virtual MS-DOS compatible environment, including sound, graphics, and basic networking. It enables you to run DOS applications without any modifications. Using this wonderful app, you can run your classic DOS games and compilers like Wolfenstein 3D, Prince of Persia, Turbo C++, and MASM on your Linux PC. DOSBox makes use of Simple DirectMedia Layer (SDL), a library designed to allow low-level access to hardware components like a mouse, keyboards, sound system, and graphics. It has made the whole process of porting easier to various platforms. Currently, DOSBox runs on several platforms like different Linux, Windows, and macOS.

The CLA Denial-Of-Service attack

Obviously, there's a flaw in that logic. A CLA is an agreement between a project and a (new) contributor. A project does not absolutely require the contributor to sign the agreement to accept its contributions, in theory. It's the reverse: for the contributor to have their patch accepted, they need to accept the CLA. But the project could accept contributions without a CLA without violating the law. But it seems that projects sometimes end up doing a DOS on themselves by refusing perfectly fine contributions from drive-by contributors who don't have time to waste filling in forms on all the projects they stumble upon. In the case of this typo, I could have submitted a patch, but because I didn't sign a CLA, again, the project couldn't have merged it without breaking their own rules, even if someone else submits the same patch after agreeing to the CLA. So, in effect, I would have DOS'd the project by providing the patch, so I just opened an issue which strangely — and hopefully — isn't covered by the CLA.