Security: Patches, Web Security Books, SecWeb – Designing Security for the Web

Filed under
Security

  • Security updates for Friday

    Security updates have been issued by Fedora (curl, LibRaw, python-pillow, and python36), Mageia (coturn, samba, and vino), openSUSE (opera), and Ubuntu (openssl).

  • Comparing 3 Great Web Security Books

    I thought about using a clickbait title like “Is this the best web security book?”, but I just couldn’t do that to you all. Instead, I want to compare and contrast 3 books, all of which I consider great books about web security. I won’t declare any single book “the best” because that’s too subjective. Best depends on where you’re coming from and what you’re trying to achieve.

  • Hardening Firefox against Injection Attacks – The Technical Details

    In a recent academic publication titled Hardening Firefox against Injection Attacks (to appear at SecWeb – Designing Security for the Web) we describe techniques which we have incorporated into Firefox to provide defense in depth against code injection attacks. Within this blogpost we are going to provide insights into the described hardening techniques at a technical level with pointers to the actual code implementing it. Note that links to source code are perma-linked to a recent revision as of this blog post. More recent changes may have changed the location of the code in question.

    [...]

    Firefox ships with a variety of built-in pages, commonly referred to as about: pages. Such about: pages allow the user to view internal browser information or change settings.

    If one were able to inject script into a privileged about: page it would represent a complete browser takeover in many cases. To reduce this injection attack surface, we apply a strong Content Security Policy (CSP) of default-src chrome: to all about: pages. The applied CSP restricts script to only JavaScript files bundled and shipped with the browser and accessible only via the Firefox internal chrome:// protocol. Whenever loading any kind of JavaScript, Firefox internally consults its CSP implementation by calling the function ShouldLoad() for external resources, or GetAllowsInline() for inline scripts. If the script to be executed is not allow-listed by the added CSP then Firefox will block the script execution, rendering the code injection attack obsolete.

    Further, we verify that any newly added about: page within Firefox exposes a strong CSP by consulting the function AssertAboutPageHasCSP(). This function basically acts as a commit guard to our codebase and ensures that no about: page makes it into the Firefox codebase without a strong CSP.

    Before we started to protect about: pages with a CSP we faced a bug where text and markup controlled by a web application was reused in a permission prompt, which led to a Universal Cross-Site Scripting (UXSS) attack in the browser interface (CVE-2018-5124). These scripts run with elevated privileges that get access to internal APIs and can result in a full system compromise. What raises the severity of such bugs is the high-level nature of the vulnerability and the highly deterministic nature of the exploit code which allowed comparably trivial exploitation.
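The excerpt above describes two decision points in Firefox's CSP enforcement: ShouldLoad() for external scripts and GetAllowsInline() for inline ones, applied to about: pages with the policy `default-src chrome:`. The following is an added example, not Firefox code or code from the Mozilla post: a small Python evaluator that implements the same two checks for a deliberately reduced CSP grammar (`'none'`, `'self'`, `'unsafe-inline'`, scheme sources such as `chrome:`, and scheme://host sources, with `script-src` falling back to `default-src`). The function names `should_load` and `get_allows_inline` are chosen to echo the Firefox functions; the page origin, URLs and policies in the comments are constructed for illustration.

```python
"""Added example: a toy Content Security Policy evaluator that mirrors the
two decision points described for Firefox about: pages.  Not Firefox code;
the policy grammar handled here is a small subset of CSP Level 3."""
from urllib.parse import urlsplit

# Directive fallback chain (subset): script-src falls back to default-src.
FALLBACK = {"script-src": "default-src"}


def parse_csp(policy: str) -> dict:
    """Split 'dir1 src src; dir2 src' into {directive: [source, ...]}.
    Per the spec, a repeated directive is ignored; the first one wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict, directive: str):
    """Return the source list governing `directive`, honouring fallback to
    default-src.  None means the policy says nothing about this load type."""
    while directive is not None:
        if directive in directives:
            return directives[directive]
        directive = FALLBACK.get(directive)
    return None


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a resource URL.  Handles 'none',
    'self', scheme-source ("chrome:") and scheme://host sources only."""
    target = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source.endswith(":") and "/" not in source:      # scheme-source
        return target.scheme == source[:-1].lower()
    host = urlsplit(source)                              # scheme://host
    return (target.scheme, target.netloc) == (host.scheme, host.netloc)


def should_load(policy: str, url: str, page_origin: str) -> bool:
    """External script load (cf. Firefox ShouldLoad): allowed only if some
    source in the governing directive matches the URL.  No governing
    directive at all means the policy does not restrict the load."""
    sources = effective_sources(parse_csp(policy), "script-src")
    if sources is None:
        return True
    if not sources:          # an empty source list behaves like 'none'
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


def get_allows_inline(policy: str) -> bool:
    """Inline script (cf. Firefox GetAllowsInline): permitted only when the
    governing directive carries 'unsafe-inline'.  Nonces and hashes, which
    would also allow inline script, are out of scope for this toy."""
    sources = effective_sources(parse_csp(policy), "script-src")
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    # Constructed about: page policy and candidate script loads.
    ABOUT_CSP = "default-src chrome:"
    for url in ("chrome://browser/content/aboutDialog.js",
                "https://attacker.example/payload.js",
                "data:text/javascript,1"):
        print(url, "->", "allow" if should_load(ABOUT_CSP, url, "about:preferences") else "block")
    print("inline ->", "allow" if get_allows_inline(ABOUT_CSP) else "block")
```

With `default-src chrome:` the only scripts that pass are those fetched over the internal chrome: scheme; injected inline script fails `get_allows_inline` because no `'unsafe-inline'` is present, which is the property the about: page hardening relies on.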

Security Leftovers

Filed under
Security
  • FreeBSD Security Advisory FreeBSD-SA-20:19.unbound
  • GCC Compiler Lands Mitigation For Arm's Straight Line Speculation Vulnerability

    It took a month after Arm disclosed the CPU "SLS" vulnerability and when the LLVM compiler landed their initial mitigation, but the GNU Compiler Collection (GCC) now has mitigations as well for this Straight Line Speculation vulnerability.

    The Straight Line Speculation vulnerability could lead to instructions on ARMv8 processors being executed following a change in control flow. Mitigating SLS involves using SB instructions for a speculation barrier following vulnerable instructions.

  • Security updates for Thursday

    Security updates have been issued by CentOS (firefox), Debian (ffmpeg, fwupd, ruby2.5, and shiro), Fedora (freerdp, gssdp, gupnp, mingw-pcre2, remmina, and xrdp), openSUSE (chocolate-doom), Oracle (firefox and kernel), and Ubuntu (linux, linux-lts-xenial, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon and thunderbird).

  • Mozilla Security Blog: Reducing TLS Certificate Lifespans to 398 Days

    We intend to update Mozilla’s Root Store Policy to reduce the maximum lifetime of TLS certificates from 825 days to 398 days, with the aim of protecting our users’ HTTPS connections. Many reasons for reducing the lifetime of certificates have been provided and summarized in the CA/Browser Forum’s Ballot SC22. Here are Mozilla’s top three reasons for supporting this change.

Security: KeePassXC, Flaws and Back Doors in Encryption

Filed under
Security
  • KeePassXC 2.6.0 Free Password Manager Released With New Light And Dark Themes, Password Checks

    KeePassXC 2.6.0 was released recently with improvements like an overhauled user interface with new light and dark themes, new offline password health check, check passwords against the Have I Been Pwned online service, and more.

    KeePassXC is a free and open-source password manager started as a community fork of KeePassX (which itself is a fork of KeePass), which is not actively maintained. The application is built using Qt and runs on Linux, Windows and macOS.

    The application uses the KeePass 2.x (.kdbx) password database format as its native file format in versions 3.1 and 4 using AES encryption with a 256 bit key; version 2 of the database can be opened, but it's upgraded to a newer format when opened, while KeePass 1.x (.kdb) databases can be imported into a .kdbx file as a one-way process.

    For easily entering passwords in a web browser, KeePassXC comes with browser extensions for Mozilla Firefox and Chrome-based web browsers (Google Chrome, Chromium, Vivaldi).

  • F5 BigIP vulnerability exploitation followed by a backdoor implant attempt

    While monitoring SANS Storm Center's honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].

  • Understanding Open Source Technology & US Export Controls
  • Understanding US export controls with open source projects

    One of the greatest strengths of open source development is how it enables collaboration across the entire world. However, because open source development is a global activity, it necessarily involves making available software across national boundaries. Some countries’ export control regulations, such as the United States, may require taking additional steps to ensure that an open source project is satisfying obligations under local regulations.

Security and DRM

Filed under
Security

  • Revealed: How home router manufacturers dropped the ball on security

    The June report by Fraunhofer-Institut für Kommunikation (FKIE) extracted firmware images from routers made by Asus, AVM, D-Link, Linksys, Netgear, TP-Link, and Zyxel—127 in all. The report (as noted by ZDNet) compared the firmware images to known vulnerabilities and exploit mitigation techniques, so that even if a vulnerability was exposed, the design of the router could mitigate it.
    No matter how you slice it, Fraunhofer’s study pointed out basic lapses in security across several aspects. At the most basic level, 46 routers didn’t receive any updates at all in the last year. Many used outdated Linux kernels with their own, known vulnerabilities. Fifty routers used hard-coded credentials, where a known username and password was encoded into the router as a default credential that asked the user to change it—but would still be there, accessible, if they did not.

    FKIE could not find a single router without flaws. Nor could the institute name a single router vendor that avoided the security issues.

  • [Attackers] Start Exploiting Recently Patched BIG-IP Vulnerability

    F5 informed customers last week that a BIG-IP configuration utility named Traffic Management User Interface (TMUI) is impacted by a critical remote code execution vulnerability whose exploitation can result in “complete system compromise.”
    The flaw is tracked as CVE-2020-5902 and it was reported to F5 by cybersecurity firm Positive Technologies. The vendor has released patches for impacted versions.

  • Taiwan’s defense science institute entangled in security breach over Chinese cloud service

    A procurement flaw has been found at Taiwan’s military technology development institute, and critics say it may have jeopardized the country’s national security because it involved a Chinese cloud service.
    For successful bidders for online storage server equipment in 2018, the National Chung-Shan Institute of Science and Technology (NCSIST) required that a Beijing-based cloud service provider, Baidu, be included on a list of cloud service software to be used for backup needs. The incident was first reported by Apple Daily on Monday (July 6).
    The requirement meant NCSIST files would be synchronized automatically on the Baidu program. The revelation has stunned people in many quarters, as the leaking of Taiwanese military technology to China poses a grave national security threat, wrote iThome.

  • Bryan Quigley: Wrong About Signal

    A couple years ago I was a part of a discussion about encrypted messaging.

    - I was in the Signal camp - we needed it to be quick and easy to set up for users to get set up. Using existing phone numbers makes it easy.

    - Others were in the Matrix camp - we need to start from scratch and make it distributed so no one organization is in control. We should definitely not tie it to phone numbers.

    I was wrong.

    Signal has been moving in the direction of adding PINs for some time because they realize the danger of relying on the phone number system. Signal just mandated PINs for everyone as part of that switch. Good for security? I really don't think so. They did it so you could recover some bits of "profile, settings, and who you’ve blocked".

    [...]

    In summary, Signal got people to hastily create or reuse PINs for minimal disclosed security benefits. There is a possibility that the push for mandatory cloud based PINs despite all of the pushback is that Signal knows of active attacks that these PINs would protect against. It likely would be related to using phone numbers.

    I'm trying out the Riot Matrix client. I'm not actively encouraging others to join me, but just exploring the communities that exist there. It's already more featureful and supports more platforms than Signal ever did.

  • Your next BMW might only have heated seats for 3 months

    In a VR presentation streamed from Germany today, BMW ran through a series of digital updates to its cars, including more details on the new BMW digital key service announced with Apple at last week's WWDC and confirming that current model cars will be fully software upgradeable over the air, a la Tesla. The first such update will hit BMW Operating System 7 cars in July. Packages are said to be approximately 1GB in size and will take roughly 20 minutes to install.

    But, the most notable part of the day's presentation was the new plan to turn many options into software services. BMW mentioned everything from advanced safety systems like adaptive cruise and automatic high-beams to other, more discrete options like heated seats.

Security: Free Software Patches, Proprietary Software 'Patches', FUD and Proprietary Software Gone Rogue

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (chromium, php7.0, and thunderbird), Fedora (ceph, gssdp, gupnp, libfilezilla, libldb, mediawiki, python-pillow, python36, samba, and xpdf), Mageia (curl, docker, firefox, libexif, libupnp, libvncserver, libxml2, mailman, ntp, perl-YAML, python-httplib2, tcpreplay, tomcat, and vlc), openSUSE (chocolate-doom, python3, and Virtualbox), Slackware (libvorbis), and SUSE (mozilla-nspr, mozilla-nss, systemd, tomcat, and zstd).

  • macOS Security Failure - Apple's 'fix' doesn't work

    Security vulnerability means standard accounts can read all files on the Mac hard drive - and Apple's 'fix' didn't fix it

  • Home router warning: They're riddled with known flaws and run ancient, unpatched Linux [Ed: Right now ZDNet blames "Linux" for people not keeping routers up to date. This is typical CBS tabloid practice.]
  • Wladimir Palant: Dismantling BullGuard Antivirus' online protection

    Just like so many other antivirus applications, BullGuard antivirus promises to protect you online. This protection consists of the three classic components: protection against malicious websites, marking of malicious search results and BullGuard Secure Browser for your special web surfing needs. As so often, this functionality comes with issues of its own, some being unusually obvious.

Security and DRM: CAs, Open Source Security Podcast, Reproducible Builds and Cars That Refuse to Work

Filed under
Security
  • How you get multiple TLS certificate chains from a server certificate

    However, several certificates can have the same keypair and X.509 Subject Name, provided that other attributes differ. One such attribute is the issuer that signed them (including whether this is a self-signed CA root certificate). So the first thing is that having more than one certificate for an issuer is generally required to get multiple chains. If you only have one certificate for each issuer, you can pretty much only build a single chain.

    There are three places that these additional certificates for an issuer can come from; they can be sent by the server, they can be built into your certificate store in advance, or they can be cached because you saw them in some other context. The last is especially common with browsers, which often cache intermediate certificates that they see and may use them in preference to the intermediate certificate that a TLS server sends. Other software is generally more static about what it will use. My guess is that we're unlikely to have multiple certificates for a single CA root issuer, at least for modern CAs and modern root certificate sets as used by browsers and so on. This implies that the most likely place to get additional issuer certificates is from intermediate certificates sent by a server.
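The excerpt above argues that multiple chains arise when more than one certificate exists for the same issuer (same keypair and Subject Name, different signing issuer), and that such extra issuer certificates can come from the server, the local store, or a cache. The following is an added example, not code from the quoted post: a Python chain builder over a simplified certificate model (subject, issuer, and stand-ins for the Subject/Authority Key Identifier extensions, with no signatures checked) that enumerates every chain from a leaf to a trusted root given a pool of candidate issuer certificates. The certificate names and key identifiers are constructed for illustration; the pool of candidates is where server-sent, preinstalled and cached intermediates would all be merged in a real client.

```python
"""Added example: enumerate all TLS certificate chains from a leaf to a
trust anchor over a simplified certificate model.  No cryptography is
performed; matching is by subject name and key identifier only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str          # display label (constructed)
    subject: str       # X.509 Subject Name
    issuer: str        # X.509 Issuer Name
    key_id: str        # stands in for the Subject Key Identifier
    auth_key_id: str   # stands in for the Authority Key Identifier

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.auth_key_id


def build_chains(leaf: Cert, candidates, trust_anchors, max_depth: int = 6):
    """Return every chain [leaf, intermediate..., anchor].

    `candidates` is the merged pool of issuer certificates available from any
    source (sent by the server, preinstalled, or cached from earlier
    connections); `trust_anchors` are the roots the client trusts.  A
    candidate is used as a link whenever its subject and key identifier
    match the current certificate's issuer and authority key identifier, so
    two candidates for the same issuer (e.g. a cross-signed intermediate)
    produce two distinct chains."""
    anchors = {(c.subject, c.key_id): c for c in trust_anchors}
    chains = []

    def extend(chain):
        current = chain[-1]
        if len(chain) > max_depth:          # guard against pathological pools
            return
        anchor = anchors.get((current.issuer, current.auth_key_id))
        if anchor is not None:              # issuer is a trusted root: done
            chains.append(chain + [anchor])
        for cand in candidates:
            if (cand.subject == current.issuer
                    and cand.key_id == current.auth_key_id
                    and not cand.self_signed      # roots only end chains
                    and cand not in chain):       # no loops
                extend(chain + [cand])

    extend([leaf])
    return chains


def chain_names(chains):
    """Flatten chains to their display labels, for inspection and testing."""
    return [[c.name for c in chain] for chain in chains]


# --- Constructed sample data -------------------------------------------------
ROOT_A = Cert("Root A", "CN=Root A", "CN=Root A", "kid-root-a", "kid-root-a")
ROOT_B = Cert("Root B", "CN=Root B", "CN=Root B", "kid-root-b", "kid-root-b")
# Two certificates for the same intermediate: same subject and keypair,
# one signed by Root A and one cross-signed by Root B.
INT_A = Cert("Intermediate (signed by A)", "CN=Intermediate", "CN=Root A",
             "kid-int", "kid-root-a")
INT_B = Cert("Intermediate (cross-signed by B)", "CN=Intermediate", "CN=Root B",
             "kid-int", "kid-root-b")
LEAF = Cert("server leaf", "CN=www.example.test", "CN=Intermediate",
            "kid-leaf", "kid-int")


def server_sent_only():
    """Chains when only the server-sent intermediate (INT_A) is available."""
    return chain_names(build_chains(LEAF, [INT_A], [ROOT_A, ROOT_B]))


def with_cached_cross_sign():
    """Chains once a cached cross-signed copy (INT_B) joins the pool."""
    return chain_names(build_chains(LEAF, [INT_A, INT_B], [ROOT_A, ROOT_B]))


if __name__ == "__main__":
    print("server-sent only:", server_sent_only())
    print("with cached cross-sign:", with_cached_cross_sign())
```

With one certificate per issuer only a single chain can be built; adding a second certificate for `CN=Intermediate` (the cross-sign) yields a second chain ending at a different root, which is exactly the situation that makes a browser with a cache of intermediates see different chains from a more static client.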

  • Josh Bressers: Episode 204 – What Would Apple Do?

    Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers.

  • Security 101: Encryption, Hashing, and Encoding

    Encoding is a manner of transforming some data from one representation to another in a manner that can be reversed. This encoding can be used to make data pass through interfaces that restrict byte values (e.g., character sets), or allow data to be printed, or other transformations that allow data to be consumed by another system. Some of the most commonly known encodings include hexadecimal, Base 64, and URL Encoding.

    Reversing encoding results in the exact input given (i.e., is lossless), and can be done deterministically and requires no information other than the data itself. Lossless compression can be considered encoding in any format that results in an output that is smaller than the input.

    While encoding may make it so that the data is not trivially recognizable by a human, it offers no security properties whatsoever. It does not protect data against unauthorized access, it does not make it difficult to be modified, and it does not hide its meaning.

    Base 64 encoding is commonly used to make arbitrary binary data pass through systems only intended to accept ASCII characters. Specifically, it uses 64 characters (hence the name Base 64) to represent data, by encoding each 6 bits of raw data as a single output character. Consequently, the output is approximately 133% of the size of the input. The default character set (as defined in RFC 4648) includes the upper and lower case letters of the English alphabet, the digits 0-9, and + and /. The spec also defines a “URL safe” encoding where the extra characters are - and _.
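To make the 6-bit grouping, the padding rule and the roughly 133% expansion concrete, the following is an added example, not code from the quoted article: a from-scratch Base64 encoder and decoder in Python for both the standard and the URL-safe RFC 4648 alphabets, cross-checked against the standard library's `base64` module. The decoder rejects malformed input (bad length, misplaced padding, characters outside the alphabet) rather than silently producing bytes. The sample inputs are constructed; the point that decoding needs nothing but the data itself, and therefore provides no confidentiality, is visible in the decoder having no key or secret parameter at all.

```python
"""Added example: hand-rolled Base64 per RFC 4648, standard and URL-safe
alphabets, with strict decoding.  Cross-checked against the stdlib module."""
import base64   # used only to cross-check the hand-rolled implementation
import os

STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789+/")
URL_ALPHABET = STD_ALPHABET[:-2] + "-_"    # RFC 4648 section 5: '-' and '_'


def b64encode(data: bytes, alphabet: str = STD_ALPHABET) -> str:
    """Encode 3 input bytes (24 bits) as 4 output characters of 6 bits each;
    a short final group is zero-padded and marked with '=' characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")    # 24-bit group
        chars = [alphabet[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1        # 1 byte -> 2 chars, 2 bytes -> 3 chars
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str, alphabet: str = STD_ALPHABET) -> bytes:
    """Strict inverse of b64encode: requires length % 4 == 0, at most two
    '=' characters and only at the very end, and only alphabet characters.
    Note there is no key: anyone holding the text can recover the bytes."""
    if len(text) % 4:
        raise ValueError("Base64 text length must be a multiple of 4")
    index = {c: i for i, c in enumerate(alphabet)}
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad and (pad > 2 or not quad.endswith("=" * pad)
                    or i + 4 != len(text)):
            raise ValueError("malformed padding")
        n = 0
        for c in quad.rstrip("="):
            if c not in index:
                raise ValueError(f"character {c!r} not in alphabet")
            n = (n << 6) | index[c]
        n <<= 6 * pad                       # restore the dropped zero bits
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def expansion_ratio(data: bytes) -> float:
    """Output length over input length: 4/3, i.e. about 133%."""
    return len(b64encode(data)) / len(data)


def matches_stdlib(data: bytes) -> bool:
    """Sanity check both alphabets against the standard library."""
    return (b64encode(data).encode() == base64.b64encode(data)
            and b64encode(data, URL_ALPHABET).encode() == base64.urlsafe_b64encode(data)
            and b64decode(b64encode(data)) == data)


if __name__ == "__main__":
    sample = b"Man"                          # constructed sample input
    print(sample, "->", b64encode(sample), "->", b64decode(b64encode(sample)))
    print("expansion:", expansion_ratio(os.urandom(300)))
```

Reading the encoder makes the 133% figure obvious: every 3 bytes become 4 characters, and the only thing that varies is the tail, where 1 or 2 leftover bytes still occupy a full 4-character group with `=` filling the gap.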

  • Reproducible Builds: Reproducible Builds in June 2020

    One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security.

    But whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes.

  • Software Update Brings Subscription based Functions-on-Demand to BMW Cars

    Consumers used to select options like an air conditioner or a satellite navigation system at the time of purchase, but now BMW will have the option to enable or disable some of the features by software depending on whether you pay for a subscription. This obviously does not include critical or safety functions like brakes or airbags, but currently you have to pay a subscription to use active cruise control and adaptive M suspension among others. Car companies will also have to find a way to handle second-hand cars, as a new owner may not be able to access all advertised functions without paying extra.

    Connected cars will also offer challenges in the future, as potentially your car could refuse to start depending on your social credit score, alcohol/drugs blood level, driving habits, a missed payment on the car loan, etc… Governments may also decide to mandate auto-fining drivers who exceed speed limits, park in the wrong location, and so on.

dns-tor-proxy 0.2.0 aka DoH release

Filed under
Software
Security

I just now released 0.2.0 of the dns-tor-proxy tool. The main feature of this release is DNS over HTTPS support. At first I started writing it from scratch, and then decided to use modified code from the amazing dns-over-https project instead.


Security 101: Beginning with Kali Linux

Filed under
GNU
Linux
Security
Debian

I’ve found a lot of people who are new to security, particularly those with an interest in penetration testing or red teaming, install Kali Linux™1 as one of their first forays into the “hacking” world. In general, there’s absolutely nothing wrong with that. Unfortunately, I also see many who end up stuck on this journey: either stuck in the setup/installation phase, or just not knowing what to do once they get into Kali.

This isn’t going to be a tutorial about how to use the tools within Kali (though I hope to get to some of them eventually), but it will be a tour of the operating system’s basic options and functionality, and hopefully will help those new to the distribution get more oriented.


Security: Patches and diffoscope 150 released

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (docker.io and imagemagick), Fedora (alpine, firefox, hostapd, and mutt), openSUSE (opera), Red Hat (rh-nginx116-nginx), SUSE (ntp, python3, and systemd), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv, linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-gke-5.0, linux-oem-osp1, net-snmp, and samba).

  • What is Software Security?

    Software security is the building of secure software with inherent defense so that it continues to function under malicious attacks, to the satisfaction of the users and owners of the software. This article explains the threats and solutions, from a general point of view. Standard vocabulary in information security is also explained. You should be computer and Internet literate to understand this article; you should also have studied a computer language, e.g., Perl, C, C++, PHP, etc.

    What is secured is information and software packages (applications and documents). Information is any message that is useful to anybody. “Information” is a vague word. The context in which it is used gives its meaning. It can mean news, lecture, tutorial (or lesson), or solution. A software package is usually a solution to some problem or related problems. In the past, all information not spoken was written on paper. Today, the software can be considered as a subset of information.

  • L1TF Cache Flushing Mode Could Soon Be Controlled Via Kconfig Build Option

    Approaching the two year anniversary next month of the L1TF / Foreshadow vulnerability, a Google engineer has proposed allowing the default mitigation state to be controlled via a Kconfig build-time option.

    This speculative execution attack on Intel CPUs has been mitigated since August 2018 and has offered for KVM virtual machine mitigation the kvm-intel.vmentry_l1d_flush module parameter for controlling the L1 data cache flushing behavior. But now a Google engineer has proposed setting the default L1 data flushing mode to be configurable at build-time via a new KVM_VMENTRY_L1D_FLUSH knob. This knob doesn't provide any new L1 Terminal Fault mitigation but rather just allows adjusting the default behavior for the default configuration of that kernel image, whether it be to never flush the cache before a VMENTER, conditionally flush, or the most impactful state of always flushing.

  • diffoscope 150 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 150.

Canonical Outs Important Linux Kernel Security Updates for All Supported Ubuntu Releases

Filed under
Linux
Security
Ubuntu

The most important security issue fixed in this new Linux kernel update was discovered in the SELinux network label handling implementation by Matthew Sheets. This vulnerability (CVE-2020-10711) affects Ubuntu 20.04 LTS, 19.10, 18.04 LTS, and 16.04 LTS, and could allow a remote attacker to cause a denial of service (system crash).

On Ubuntu 19.10 and Ubuntu 18.04 LTS systems using either Linux 5.3 or 5.0 kernels, the new security update addresses another important vulnerability (CVE-2020-10751) discovered by Dmitry Vyukov in the SELinux netlink security hook, which could allow a privileged attacker to bypass SELinux netlink restrictions.

