
Security

Best free Linux firewalls of 2019: go beyond Iptables for desktops and servers

Filed under
GNU
Linux
Security

Linux distros will often come with at least a basic firewall bundled with them. Often this won't be active by default, so it will need to be activated.

Additionally, this will likely be the standard Iptables supplied, even though less experienced users may struggle with it. UFW (Uncomplicated Firewall) is also bundled with some distros, and aims to make the process simpler.

However, there are distros and applications out there that can cater for the more advanced user and the less experienced one, making it easier to set up and configure a firewall that works for your needs.

Some, like ClearOS, build it directly into the operating system as part of its security focus, but most other options would be applications that aim to block rogue IPs, monitor ports, and otherwise prevent bad packets from interfering with your machine.

For most home users there are few actual settings that need to be customized, so simple apps can be popular, but for those looking to manage their machine as a server, additional controls and advanced command options will tend to be more welcome.
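As an added illustration of the desktop-versus-server distinction drawn above (this is example code written for this page, not part of the TechRadar article or of any firewall tool it reviews), the POSIX shell function below emits a minimal default-deny Iptables ruleset in iptables-restore format for either role. It only prints the ruleset so it can be reviewed before loading; the service list for the server role (SSH on port 22 with per-source rate limiting, HTTPS on 443) is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example, not from the article: emit a minimal default-deny
# iptables ruleset (iptables-restore format) for a "desktop" or "server" role.
# Nothing is applied; review the output, then load it with:
#   sudo iptables-restore < rules.v4
# Assumption: the server role exposes only SSH (22) and HTTPS (443).

build_ruleset() {
    role="$1"
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, plus replies to connections this host initiated.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Rate-limited ping keeps the host diagnosable without being floodable.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    case "$role" in
        desktop)
            # A workstation offers no services, so nothing further is opened.
            ;;
        server)
            # New SSH connections above 6/min from one source are dropped;
            # otherwise SSH and HTTPS accept new connections.
            printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 6/min -j DROP'
            printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
            printf '%s\n' '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
            ;;
        *)
            echo "usage: build_ruleset desktop|server" >&2
            return 1
            ;;
    esac
    # Log (rate-limited) what the default policy is about to drop, so the
    # kernel log can feed detection tooling.
    printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Sanity check: how many ports a ruleset accepts new inbound connections on.
open_ports() {
    build_ruleset "$1" | grep -c -- '--dport.*-j ACCEPT' || true
}

# Usage: build_ruleset server > rules.v4
```

Run `build_ruleset desktop` or `build_ruleset server` and inspect the output; the desktop variant opens no ports at all, which is exactly the "few settings to customize" case the excerpt describes, while the server variant adds the rate-limited service rules that a server administrator would want to tune.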


Security Leftovers

Filed under
Security
  • Falco founder: Kubernetes security has to do better than “don’t worry – OH MY GOD”

    It’s almost a year since Sysdig’s behavioral activity monitoring tool Falco entered the sandbox of the Cloud Native Computing Foundation (CNCF). We talked to the company’s new chief open source advocate Kris Nova and co-founder Loris Degioanni to check in about the project’s progress and talk about the state of Kubernetes security and open source licensing in general.

    Falco was first introduced to the public back in May 2016. It’s no secret that security wasn’t exactly a top priority when Kubernetes was developed, so Falco was set up to tackle some of the challenges the orchestrator introduced to the modern infrastructure stack.

    [...]

    Moving the project into the CNCF in October 2018 was the logical next step for Degioanni. “In order to be cloud-native and to actually be placed as a part of the stack of the next generation of infrastructures, you want to be part of the CNCF nowadays.”

    But the foundation has strict rules on what projects must do to make it to the next stage, so the first months in the sandbox were mostly spent setting up processes and work on Falco’s own infrastructure. With Nova, who spent quite some time on the Kubernetes project, now on board, this trajectory is likely to continue.

  • Australian not-for-profit's encryption solution to privacy breaches

    One of the main aspects of addressing or curing the privacy breach epidemic is to gain back control and management over personal data. Where we see the aspect of giving back consumers some control, all of the control, and the accountability for their personal data that's stored in digital space, what we developed is a set of tools that allows an entire economy of consumers, businesses and marketers to interact in harmony and in a way move the world to a more privacy-aware interaction.

  • Open source breach and attack simulation tool Infection Monkey gets new features

    Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool.

  • Patch now: 1,300 Harbor cloud registries open to attack [Ed: What they mean by “open to attack” is “needs patching”. Typical ZDNet.]

Security Leftovers

Filed under
Security
  • New Linux Cryptojacker Can Mask CPU Usage and Fake Network Activity [Ed: It's not "Linux" but something that can be installed and run on it]

    Cryptojacking is a lucrative venture for malware developers, but it comes with a problem. Cryptojackers take up a lot of the processor’s resources, which makes the attack very noticeable for the victim. One strain of cryptojacker has developed a way to avoid detection by masking the tell-tale signs from the user.

    The Arrival of Skidmap

    Skidmap is a Linux-based malware which mines cryptocurrency on computers and servers without the owner’s permission. What makes Skidmap so dangerous is its wide range of advanced features that make it a pain to locate and stop.

  • [Slackware] Chromium critical security update

    Earlier this week I already provided a Chromium update in my Slackware repository. That update addressed a critical security issue in the media playback plugin whereby an attacker was able to take over your computer remotely, simply by letting you load an infected page.

    But then another critical vulnerability was discovered and two days ago a new Chromium source was released to take care of this security hole in the User Interface code. The new version of Chromium is 77.0.3865.90 and of the four mentioned vulnerabilities on the website, one is a remote-takeover issue.

Parrot 4.7 release notes

Filed under
GNU
Linux
Security

We are proud to announce the release of Parrot 4.7, which represents an important step forward for our project.


Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug).

  • Skidmap malware drops LKMs on Linux machines to enable cryptojacking, backdoor access [Ed: This is not a "Linux" issue any more than Adobe Photoshop malicious files are a "Windows" issue]

    Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.

    Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post.

  • Linux for ethical hackers 101

    In order to familiarize yourself with the full range of ethical hacking tools, it is important to be conversant with the Linux OS. As the systems engineer Yasser Ibrahim said in a post on Quora: “In Linux you need to understand from the basics to the advanced, learn the console commands and how to navigate and do everything from your console, also shell programming (not a must, but always preferable), know what a kernel is and how it works, understand the Linux file systems, how to network on Linux.”

Security: Criminal Charges, Updates, 'IoT', Cybersecurity Practices and Intel Management Engine (Back Door)

Filed under
Security
  • Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges

    Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about "hacking."

  • Security updates for Thursday

    Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, wpasupplicant).

  • Irdeto Warns Healthcare IoT Is Under Heavy Attack

    The world of IoT is no stranger to attacks, with security being a number one priority for keeping the world of interconnected devices safe. One area where security is most crucial is healthcare, where successful attacks can result in loss of life. It wasn’t too long ago that ransomware was making the rounds, shutting down entire hospital networks and putting patients at risk. Irdeto made a press release that put forward the case for better security for healthcare IoT. They quoted some statistics that put some insight into how healthcare comes under attack from malicious agents.

  • Why it's time to embrace top-down cybersecurity practices

    Cybersecurity is no longer just the domain of the IT staff putting in firewalls and backing up servers. It takes a commitment from the top and a budget to match. The stakes are high when it comes to keeping your customers' information safe.

    The average cost of a data breach in 2018 was $148 for each compromised record. That equals an average cost of $3.86 million per breach. Because it takes organizations more than six months—196 days on average—to detect breaches, a lot of remediation must happen after discovery.

    With compliance regulations in most industries tightening and stricter security rules, such as the General Data Protection Regulation (GDPR) becoming law, breaches can lead to large fines as well as loss of reputation.

  • SIM Application Toolkit: Avoid Being Exploited

    Technologies are often created with good intent, to make our life easier, to solve problems in a convenient way. The Management Engine in Intel’s CPUs, for instance, was intended to make the life of admins easier. It allowed for remote access on a very low level, so they could even do complete remote reinstalls of a machine. And if you have to manage a large fleet of machines, distributed within a larger enterprise, this can save huge amounts of effort, time–and thus money.

    [...]

    Its name already points to the origin: the SIM card. It is the tiny chip card you insert into your phone, to get access to the cellular network of an operator. The SIM card used to be a fairly simple device, which you can imagine as the key to unlock the access to the network: i.e., it stores a secret (a cryptographic key) along with an ID (the IMSI) and some details about the issuing operator, etc. This data set grants you access to the operator’s network.

    But phones [also called handset, or ‘terminal equipment’ (TE), in mobile terms] have become more and more powerful. And setting up these cards has become more and more complicated; you need an SMS center number, details for the MMS server, mailbox dial-in number… and a lot more. All this needs to be properly set up in the mobile, to make full use of both the mobile and the network. To make this even more complicated, these details (and the way to set them up) are different from operator to operator. The process for this initial setup is (also) called provisioning. It was to make this (and other things) as convenient and least painful as possible for users that SAT was invented.

    The name SAT tells us not only that it is SIM-related, but also that it contains the term application: SIM cards can, and today they usually do, indeed contain small applications or applets. They are small computers on their own, they run code, and they can indeed be programmed. Most are based on the JavaCard standard and can be programmed with small Java applets. The SAT defines a standard way to interface the SAT applets with the modem and the phone.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa).

  • SGX and security modules

    Software Guard Extensions (SGX) is a set of security-related instructions for Intel processors; it allows the creation of private regions of memory, called "enclaves". The aim of this feature is to work like an inverted sandbox: instead of protecting the system from malicious code, it protects an application from a compromised kernel, hypervisor, or other application. Linux support for SGX has existed out-of-tree for years, and the effort of upstreaming it has reached an impressive version 22 of the patch set. During the upstreaming discussion, the kernel developers discovered that the proposed SGX API did not play nicely with existing security mechanisms, including Linux security modules (LSMs).

  • GitHub acquires Semmle to help developers spot security vulnerabilities [Ed: Company in NSA PRISM pretends to care about security (and also, Microsoft now uses GitHub to change people's code without asking the developers)]

    Software hosting service GitHub has acquired Semmle, a code analysis platform that helps developers discover security vulnerabilities in large codebases.

How to break out of a hypervisor: Abuse Qemu-KVM on Linux pre-5.3 – or VMware with an AMD driver

Filed under
Linux
Security

A pair of newly disclosed security flaws could allow malicious virtual machine guests to break out of their hypervisor's walled gardens and execute malicious code on the host box.

Both CVE-2019-14835 and CVE-2019-5049 are not particularly easy to exploit as they require specific types of hardware or events to occur. However, if successful, either could allow a miscreant to run malware on the host from a VM instance.

CVE-2019-14835 was discovered and reported by Peter Pi, a member of the Tencent Blade Team. It is found in the Linux kernel versions 2.6.34 up to version 5.3, where it is patched.


Canonical Outs New Linux Kernel Security Update for All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical released today a new Linux kernel security update for all supported Ubuntu releases to address three vulnerabilities across all supported architectures.

The new Linux kernel security update addresses three vulnerabilities affecting the Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 ESM (Trusty Tahr), and Ubuntu 12.04 ESM (Precise Pangolin) operating systems.

The first security issue addressed in this update is a buffer overflow (CVE-2019-14835) discovered by Peter Pi in the Linux kernel's virtio network backend (vhost_net) implementation, which could allow an attacker in the guest system to either execute arbitrary code in the host OS or crash the host operating system by causing a denial of service.


Did Lilu Ransomware Really Infect Linux Servers

Filed under
Linux
Server
Security

Note that the domain name of this folder has been hidden from view making it impossible for us to verify if these files were actually on a Linux server. The article goes on to note that “Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally.”

This limitation raises the obvious question of whether the core of the Linux server itself has been compromised or whether merely applications connected to the core have been hacked. There are many very insecure website building applications such as WordPress and many insecure web mail applications such as Exim that have been repeatedly hacked over the years. Both WordPress and Exim have suffered from dozens of major security problems that have nothing to do with the security of the Linux operating system which is at the core of all Linux servers. All of the file formats mentioned in the article are files used on WordPress websites and files that can be transmitted via Exim email programs.

[...]

So instead of 6000 websites on 6000 servers being infected, it looks more like 6000 files on fewer than 1000 websites were infected. And many of these websites could have been on the same server – meaning that perhaps only a couple dozen out of the world's 10 million Linux servers had infected files – and none of the files were actually in the core of any Linux servers.

[...]

Many of these articles were exact copies of the ZDNet article. Thus far, not a single so-called “security expert” has bothered either to look into the evidence provided, much less challenge or disagree with this silly claim.

Instead, they make even more extreme claims, noting that there are millions of Linux servers running outdated, un-patched and insecure versions of Exim software. This is a fact. But given how many holes have been found in the Exim software, the problem is not with the Linux servers, it is with the Exim software. In my humble opinion, the design of Exim is not secure and the design of Postfix is more secure.

The solution to this Exim problem is to demand that cPanel support Postfix and to ask Debian to also switch from Exim to Postfix (something Ubuntu has already done for very obvious reasons). This is the benefit of the diversity of free open source software. If one program has problems, there is quite often a more secure alternative that can be installed with just the click of a button. This is a problem that has been going on for years. But it can be fixed in a matter of minutes.

More in Tux Machines

Python Programming Leftovers

  • Cogito, Ergo Sumana: Futureproofing Your Python Tools

    The people who maintain Python and key Python platforms want to help you protect the code you write and depend on. [...] Publishing that package is a great way of making it so other people can run and deploy it, even within other parts of your organization. But -- who actually has the keys to the castle? Who can upload a new version, or delete a version that has a problem? You should probably make sure multiple people have either "owner" or "maintainer" privileges on the project on PyPI. And you should review your project security history display, which lists sensitive events (such as "file removed from release version 1.0.1") in your PyPI user account and your PyPI project. We just added this display, so you can look at things that have happened in your user account or project, and check for signs someone's stolen your credentials.

  • py3status v3.20 – EuroPython 2019 edition

    Shame on me to post this so long after it happened… Still, that’s a funny story to tell and a lot of thank you to give so let’s go!

  • Finding Python Developers for Your Startup

    Recently I stumbled across a situation while I was helping out at one of the events for JuniorDev SG. There were not a lot of Python developers, and some of my other developer friends said that they hardly encounter any developer friends who are using Python for their work. It began during a conversation, where one of the attendees at a JuniorDev SG event approached me to search for Python developers to work for their startup based in Singapore.

Geary 3.34 Debuts with Deeper GNOME Contacts Integration, Other Changes

The Geary email client has issued a brand new release, and in this post I tell you a bit about it. Geary 3.34.0 — you may recall that Geary switched to following GNOME numbering last year — is the latest update to this web-mail friendly mail tool, and there’s a healthy dose of improvement on offer, as noted in the release notes. Among them is deeper integration with GNOME Contacts. Geary’s in-app contacts pop-over now supports adding and editing contacts stored in the GNOME Contacts app, and is able to auto-complete email addresses based on data from contacts too. Serial typo-makers like me will appreciate the spell checker now covering the mail composer’s subject line, while the addition of support for Outlook-specific email attachments (TNEF) will please those who regularly run into issues on that front. Other changes in Geary 3.34.0 include “a substantial number” of server compatibility improvements, background syncing tweaks, and other bug fixes.
