
Security Leftovers

Filed under
Security
  • Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos

    US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS's airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.

    The breach involved photos of travelers and their vehicles, which shows the CBP is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant's ALPR database.

    The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government's servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.

  • PHP version 7.2.20RC1 and 7.3.7RC1
  • The GoldBrute botnet is trying to crack open 1.5 million RDP servers

    The latest round of bad news emerged last week when Morphus Labs’ researcher Renato Marinho announced the discovery of an aggressive brute force campaign against 1.5 million RDP servers by a botnet called ‘GoldBrute’.

  • New Brute-Force Botnet Targeting Over 1.5 Million RDP Servers Worldwide

    The campaign, discovered by Renato Marinho at Morphus Labs, works as shown in the illustrated image, and its modus operandi has been explained in the following steps: [...]

  • 32 bit is dead - Long live 32 bit

    This is another follow-up post on the Intel processor vulnerabilities. Yay. With more bad news. Yay!

    Instead of a long build-up, I will just give you the point: 32 bit is broken

    Well, is that really news? Not really. The real news is that Intel processors are broken - but you already know that. You also know that there are fixes around. Patches for the kernel. Disabling Intel(R) Hyper-Threading.

Security FUD Leftovers

Filed under
Security

Security: Updates, "Smart" Cards and More

Filed under
Security
  • Security updates for Wednesday
  • Why Smart Cards Are Smart

    I hope you've found this discussion of the benefits of OpenPGP smart cards useful. With the large market of USB security tokens out there (which has grown even larger with the interest in secure cryptocurrency storage), you have a lot of options to choose from in a number of price ranges. Be sure to check which GPG key sizes and algorithms a smart card supports before you buy it, especially if you use newer elliptic curve algorithms or larger (3072- or 4096-bit) RSA keys.

  • Are Your Linux Servers Really Protected?
  • ProdataKey, DW Partner to Integrate Access Control and VMS

    DW customers can add a pdk io system to their site via a Cloud platform that reduces upfront investment in on premise hardware and management. DW Spectrum IPVMS is accessed with freely distributed client software for Windows/Linux/Mac, the DW Cloud web client for all leading web browsers and via the free DW Spectrum mobile app for iOS and Android.

    The server software is included with pre-configured DW Blackjack NVR servers or it can be installed on third-party Windows or Ubuntu Linux-based systems.

Security Leftovers

Filed under
Security
  • A [Windows] virus has thrown Philadelphia’s court system into chaos

    Since May 21st, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. The problems started unexpectedly: suddenly, no one could seem to access the system to file documents. “It wasn’t working,” says Rachel Gallegos, a senior staff attorney with the civil legal aid organization Community Legal Services. “I thought it was my computer.”

  • Linux Command-Line Editors Vulnerable to High-Severity Bug

    Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, “allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline.”

    “Beyond patching, it’s recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines,” the researcher said.

  • Beware Linux users! Vulnerability in Vim or Neovim Editor could compromise your Linux
  • The bits and bytes of PKI

    In two previous articles—An introduction to cryptography and public key infrastructure and How do private keys work in PKI and cryptography?—I discussed cryptography and public key infrastructure (PKI) in a general way. I talked about how digital bundles called certificates store public keys and identifying information. These bundles contain a lot of complexity, and it's useful to have a basic understanding of the format for when you need to look under the hood.

  • Update Uncertainty | TechSNAP 405

    We explore the risky world of exposed RDP, from the brute force GoldBrute botnet to the dangerously worm-able BlueKeep vulnerability.

    Plus the importance of automatic updates, and Jim’s new backup box.

  • Microsoft's June 2019 Patch Tuesday fixes many of SandboxEscaper's zero-days

    Microsoft has published today its monthly roll-up of security updates, known as Patch Tuesday. This month, the OS maker has patched 88 vulnerabilities, among which 21 received a rating of "Critical," the company's highest severity ranking.

    Furthermore, the May 2019 Patch Tuesday also included fixes for four of the five zero-days that a security researcher and exploit seller by the name of SandboxEscaper published online over the course of the last month.

  • Researchers use Rowhammer bit flips to steal 2048-bit crypto key [Ed: Mass slanderer and FUDmeister from Ars Technica (he got sued for his style) recalls Rowhammer (which is more a theoretical risk than a real one)]
  • RAMBleed Attack Can Steal Sensitive Data From Computer Memory [Ed: Rowhammer was mentioned by another site of FUDmeisters (one of whom CBS hired for clickbait)]
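The "bits and bytes of PKI" item above promises a look under the hood of the certificate format. Every X.509 certificate is a nest of DER tag-length-value (TLV) elements, so the following added example (not code from the Opensource.com article or any library) walks that encoding: it decodes short- and long-form lengths, recurses into constructed elements such as SEQUENCE, converts OBJECT IDENTIFIER bytes to dotted form, and rejects the truncated and non-minimal encodings that DER forbids. The sample blob is constructed by hand; the OID it contains, 1.2.840.113549.1.1.11, is the standard sha256WithRSAEncryption identifier.

```python
"""Walk the DER tag-length-value encoding that X.509 certificates are built from.

Added example, not code from the Opensource.com article.  SAMPLE is a hand-built
SEQUENCE holding an INTEGER, the sha256WithRSAEncryption OID, a UTF8String
and a NULL; a real certificate is the same structure, just much deeper.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

# Universal tag numbers that cover most of a real certificate.
TAG_NAMES = {
    0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x05: "NULL",
    0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String", 0x13: "PrintableString",
    0x17: "UTCTime", 0x18: "GeneralizedTime", 0x30: "SEQUENCE", 0x31: "SET",
}


@dataclass
class Node:
    tag: int
    value: bytes
    children: List["Node"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return TAG_NAMES.get(self.tag, f"tag 0x{self.tag:02x}")


def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it).

    Short form is one byte below 0x80; long form is 0x80|n followed by n
    big-endian bytes.  DER forbids the indefinite form and non-minimal lengths.
    """
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if pos + nbytes > len(buf):
        raise ValueError("length bytes run past the end of the input")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    minimal = length >= 0x80 if nbytes == 1 else length >> (8 * (nbytes - 1)) != 0
    if not minimal:
        raise ValueError("non-minimal length encoding is not valid DER")
    return length, pos + nbytes


def parse_der(buf: bytes) -> List[Node]:
    """Parse a run of TLV elements; constructed elements are parsed recursively."""
    nodes: List[Node] = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag numbers are not handled in this example")
        length, start = read_length(buf, pos + 1)
        end = start + length
        if end > len(buf):
            raise ValueError(f"element at offset {pos} claims {length} bytes, "
                             f"only {len(buf) - start} remain")
        node = Node(tag, buf[start:end])
        if tag & 0x20:  # constructed: the value is itself a run of TLVs
            node.children = parse_der(node.value)
        nodes.append(node)
        pos = end
    return nodes


def decode_oid(value: bytes) -> str:
    """Turn OID content bytes into dotted form (base-128 sub-identifiers)."""
    arcs: List[int] = []
    acc, pending = 0, False
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        pending = True
        if not b & 0x80:
            if not arcs:  # first byte packs the first two arcs as 40*x + y
                arcs.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
            else:
                arcs.append(acc)
            acc, pending = 0, False
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def dump(nodes: List[Node], indent: int = 0) -> List[str]:
    """Render the tree as indented lines, decoding the common primitive types."""
    lines: List[str] = []
    for n in nodes:
        if n.tag == 0x06:
            shown = decode_oid(n.value)
        elif n.tag == 0x02:
            shown = str(int.from_bytes(n.value, "big", signed=True))
        elif n.tag in (0x0C, 0x13):
            shown = n.value.decode("utf-8")
        elif n.children:
            shown = f"{len(n.children)} elements"
        else:
            shown = n.value.hex() or "(empty)"
        lines.append(f"{'  ' * indent}{n.name}: {shown}")
        lines.extend(dump(n.children, indent + 1))
    return lines


# Constructed sample: SEQUENCE { INTEGER 2, OID 1.2.840.113549.1.1.11, UTF8String "example", NULL }
SAMPLE = bytes.fromhex("3019" "020102" "06092a864886f70d01010b" "0c076578616d706c65" "0500")

if __name__ == "__main__":
    print("\n".join(dump(parse_der(SAMPLE))))
```

To inspect a real certificate, feed `parse_der` the DER bytes of a `.cer` file (or the base64-decoded body of a PEM file); the outer SEQUENCE will contain the tbsCertificate, the signature algorithm OID and the signature BIT STRING in that order. The bounds checks matter: a certificate parser that trusts a length field without checking it against the remaining input is the classic way ASN.1 decoders fail.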

Security: Updates, Microsoft TCO and Red Hat Enterprise Linux 8

Filed under
Security
  • Security updates for Tuesday
  • Hack Brief: [Attackers] [Copied] a Border Agency Database of Traveler Photos [iophk: "Microsoft TCO"]

    In its rush to gather biometric data from travelers in the US, Customs and Border Protection has apparently neglected basic safeguards to protect it. One of its subcontractors was recently breached, leaving photos of travelers and license plates in the hands of [attackers].

    The Washington Post first reported the incident, whose full scope remains unclear. But the [attack] has raised sharp questions about the agency’s already controversial push for biometrics. Facial recognition scans have become more routine at airports; CBP wants it in the top 20 US airports by 2021.

  • Consistent PKCS #11 support in Red Hat Enterprise Linux 8

    In recent years, there have been a number of security issues taking advantage of flaws in applications and even computer processors. These opened new attack vectors or made some others more viable and exploitable than before. We can talk about timing differences, cache access patterns and other side-channel attacks that can be exploited either locally, from the same machine or even over the network to read or reconstruct our secrets.

    Keeping secret information storage isolated from other unrelated applications on a single system is a long-standing data protection technique. Storage isolation is usually implemented in software by isolating processes, applications, containers or virtual machines running on the same physical machine. Hardware tokens are taking this principle to another level, providing the physical isolation of the secret information, which has the potential to improve security significantly. Working with external hardware for storing secrets in an operating system historically has been difficult for system administrators and end users, and this is what we are improving in Red Hat Enterprise Linux 8.

Security Leftovers

Filed under
Security
  • Report: Response to the Consultation on the Government's regulatory proposals regarding consumer Internet of Things (IoT) security

    Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK.

    We are a project partner to Values and Ethics in Responsible Technology in Europe (VIRT-EU) – a European project funded by the Horizon 2020 program. VIRT-EU’s mission is to foster ethical thinking in IoT development. The following comments stem predominantly from our experience accumulated in the course of that project.

    We address the consultation questions in order below, omitting questions 7, 8 and 9 as these lie outside our remit.

    1. Do you agree that the Government should take powers to regulate on the security of consumer IoT products? If yes, do you agree with the proposed legislative approach?

    We welcome the proposal to create primary legislation to introduce enhanced security for consumers using IoT devices. We also support the approach of making some requirements mandatory in the first instance with a longer strategy.

  • 'This Is a Bombshell': Facial Recognition Data Collected by US Customs Agency Hacked

    "This is a bombshell," said Evan Greer, deputy director of the advocacy group Fight for the Future, in response to the reporting. "Even if you 100% trust the US government with your biometric information (which you shouldn't) this is a reminder that once your face is scanned and stored in a database, it's easily shared across government agencies, stolen by hackers, other governments, etc."

    Buzzfeed, also among the first to report on the breach on Monday, noted that the "cyberattack comes amid the ongoing rollout of CBP's 'biometric entry-exit system,' the government initiative to biometrically verify the identities of all travelers crossing US borders." Citing earlier reporting, Buzzfeed pointed out that "CBP is scrambling to implement the initiative with the goal of using facial recognition technology on '100 percent of all international passengers,' including American citizens, in the top 20 US airports by 2021."

  • What you need to know about the MDS vulnerability and Red Hat Virtualization

    A new series of vulnerabilities in Intel processors, known as Microarchitectural Data Sampling, or more simply MDS, was recently made public and Red Hat released information about how the vulnerabilities affect our software and how to protect your organization.

    In the simplest terms, MDS is a vulnerability in Intel processors similar to Spectre and Meltdown; it allows a guest to read protected memory from anywhere on the host or guest. To mitigate the risks exposed by MDS, a combination of updated microcode, updated kernel(s), patches, and administrator action will need to be taken for both the hypervisors and virtual machines in your Red Hat Virtualization deployment. Unlike some similar vulnerabilities, simply disabling SMT and/or hyper-threading is not enough to protect your applications.

  • 5 reasons chaos engineering is indispensable to the CISO

    Security leaders, including the chief information security officer (CISO), are challenged to continuously demonstrate their role within the company's value stream as part of improving security. In doing so, a growing number of security organizations are shifting toward a more "applied security mode," leading many to rethink our traditional practices and question their effectiveness in today's high-velocity, software-driven world.

  • Wireless Security | Roadmap to Securing Your Infrastructure
  • IPFire on AWS: Update to IPFire 2.23 - Core Update 132

    Today, we have updated IPFire on AWS to IPFire 2.23 - Core Update 132 - the latest official release of IPFire.

    This update brings you the new Intrusion Prevention System out-of-the-box as well as updates to the whole system.

  • Amitabh Bachchan’s Twitter Account “Hacked” And DP Got Changed

Securing the Kernel Stack

Filed under
Linux
Security

The Linux kernel stack is a tempting target for attack. This is because the kernel needs to keep track of where it is. If a function gets called, which then calls another, which then calls another, the kernel needs to remember the order they were all called, so that each function can return to the function that called it. To do that, the kernel keeps a "stack" of values representing the history of its current context.

If an attacker manages to trick the kernel into thinking it should transfer execution to the wrong location, it's possible the attacker could run arbitrary code with root-level privileges. Once that happens, the attacker has won, and the computer is fully compromised. And, one way to trick the kernel this way is to modify the stack somehow, or make predictions about the stack, or take over programs that are located where the stack is pointing.

Protecting the kernel stack is crucial, and it's the subject of a lot of ongoing work. There are many approaches to making it difficult for attackers to do this or that little thing that would expose the kernel to being compromised.

Read more

Also: AMD Zen 2 + Radeon RX 5700 Series For Linux Expectations

EFF and Open Rights Group Defend the Right to Publish Open Source Software to the UK Government

Filed under
OSS
Security
Legal

EFF and Open Rights Group today submitted formal comments to the British Treasury, urging restraint in applying anti-money-laundering regulations to the publication of open-source software.

The UK government sought public feedback on proposals to update its financial regulations pertaining to money laundering and terrorism in alignment with a larger European directive. The consultation asked for feedback on applying onerous customer due diligence regulations to the cryptocurrency space as well as what approach the government should take in addressing “privacy coins” like Zcash and Monero. Most worrisome, the government also asked “whether the publication of open-source software should be subject to [customer due diligence] requirements.”

We’ve seen these kinds of attacks on the publication of open source software before, in fights dating back to the 90s, when the Clinton administration attempted to require that anyone merely publishing cryptography source code obtain a government-issued license as an arms dealer. Attempting to force today’s open-source software publishers to follow financial regulations designed to go after those engaged in money laundering is equally obtuse.

Read more

Security: Updates, Flaws and Chromium Update on Slackware

Filed under
Security
  • Security updates for Monday
  • Lessons From Global Cybersecurity Breaches For Your Next M&A
  • Cryptocurrency attack thwarted by npm team

    Cryptocurrency users narrowly escaped losing all their funds last week after an attacker poisoned a digital wallet with malicious code that stole their blockchain access details.

    The attacker injected malicious code into Agama, a cryptocurrency wallet created by Komodo. If successful, they could have stolen around $13m of Komodo’s KMD cryptocurrency, which is a privacy-centric coin. Luckily, they were thwarted by quick action from both Komodo and software repository npm.

  • Firefox fires blocks at trackers, Exim tackles 7-day remote flaw, and RDP pops up yet again

    Are you running the latest version (4.9.2) of Exim on your Linux box? If so, you can go ahead and skip down to the next item, because you're already clear of danger.

    Everyone else may want to consider updating, because older versions of the Linux mail server have been found to contain a command execution vulnerability that has now been confirmed to be remotely exploitable.

    The bug, initially thought only to be locally exploitable, was first addressed in February of this year when the latest Exim build was released. At the time, it was not considered to be a major security issue, but rather a minor bug that wouldn't need to be addressed in older versions.

  • Chromium 75 available as Slackware packages (32bit and 64bit)

    The Chromium 75 sources were released last week by Google, and this new major release contains 42 fixes for security issues. A couple of them are serious enough that you are encouraged to update to the new 75 release ASAP.

    In terms of functionality, not much changed in Chromium 75, but there is one interesting addition that you may want to try if you read a lot of content online. It’s called “Reader Mode” and is still disabled by default. You can enable it through the Chrome flag “chrome://flags/#enable-reader-mode”. The reader mode strips away page clutter like buttons and background images and changes the page layout for better readability.

IPFire Open-Source Linux Firewall Now Patched Against Intel MDS Vulnerabilities

Filed under
OSS
Security

IPFire 2.23 Core Update 132 is more like an emergency release that ships with an updated Linux kernel, version 4.14.120, which is patched against the recently disclosed Intel MDS (Microarchitectural Data Sampling) security vulnerabilities known as RIDL, Fallout, and ZombieLoad, as well as an updated intel-microcode firmware, version 20190514.

"Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors which has significant performance impacts," said Michael Tremer in the release announcement. "Please note, that Intel unfortunately is not releasing microcode for all processors any more and so you might still be vulnerable. To apply the fixes, please reboot your system."
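Both the Red Hat Virtualization item above and this IPFire release make the same point: MDS is only closed by the combination of microcode, a patched kernel and a decision about SMT, and any one of those alone leaves a gap. The Linux kernel reports exactly that combination through a sysfs file, so the following added example (not code from Red Hat or the IPFire project) reads `/sys/devices/system/cpu/vulnerabilities/mds`, classifies the status line according to the format documented in the kernel's `Documentation/admin-guide/hw-vuln/mds.rst`, and lists what is still missing. The status strings in the test are constructed from that documentation; the `fully_mitigated` rule (mitigation present and SMT disabled or mitigated) is this example's own reading of the page's advice.

```python
"""Read the MDS mitigation state the Linux kernel exposes through sysfs.

Added example, not code from Red Hat or the IPFire project.  The status line
format comes from Documentation/admin-guide/hw-vuln/mds.rst; the verdict and
recommendations are this example's own.
"""
from __future__ import annotations

from pathlib import Path
from typing import Dict, List, Optional

VULN_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")  # on / off / forceoff / notsupported


def classify_mds(status: str) -> Dict[str, object]:
    """Parse one status line of the form "<state>[; SMT <smt state>]".

    state is "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>";
    the optional SMT part is "vulnerable", "disabled", "mitigated" or
    "Host state unknown" (the last one appears inside a guest).
    """
    status = status.strip()
    head, _, tail = status.partition(";")
    head, tail = head.strip(), tail.strip()
    verdict: Dict[str, object] = {
        "raw": status, "state": "unknown", "needs_microcode": False,
        "smt": None, "fully_mitigated": False,
    }
    if head == "Not affected":
        verdict["state"] = "not_affected"
    elif head.startswith("Mitigation:"):
        verdict["state"] = "mitigated"
    elif head.startswith("Vulnerable"):
        verdict["state"] = "vulnerable"
        # Kernel carries the buffer-clearing code but the CPU lacks the microcode to honour it.
        verdict["needs_microcode"] = "no microcode" in head
    if tail.startswith("SMT "):
        verdict["smt"] = tail[4:].lower()
    # Buffer clearing alone leaves sibling hyper-threads exposed, so the state
    # only counts as closed when SMT is off or reported mitigated as well.
    verdict["fully_mitigated"] = (
        verdict["state"] == "not_affected"
        or (verdict["state"] == "mitigated"
            and verdict["smt"] in (None, "disabled", "mitigated"))
    )
    return verdict


def recommend(verdict: Dict[str, object]) -> List[str]:
    """Follow-up actions implied by a verdict; empty when nothing is needed."""
    actions: List[str] = []
    if verdict["needs_microcode"]:
        actions.append("install the vendor microcode update (intel-microcode) and reboot")
    elif verdict["state"] == "vulnerable":
        actions.append("update to a kernel that carries the MDS buffer-clearing mitigation")
    elif verdict["state"] == "unknown":
        actions.append("unrecognised status line; inspect it manually")
    if verdict["smt"] == "vulnerable":
        actions.append("disable SMT (nosmt on the kernel command line, or write 'off' to "
                       f"{SMT_CONTROL}) after weighing the performance cost")
    if verdict["smt"] == "host state unknown":
        actions.append("this is a guest: confirm the hypervisor's own MDS and SMT state")
    return actions


def read_live_status() -> Optional[Dict[str, object]]:
    """Classify this machine, or return None when the kernel exposes no MDS file."""
    if not VULN_FILE.is_file():
        return None
    verdict = classify_mds(VULN_FILE.read_text())
    if SMT_CONTROL.is_file():
        verdict["smt_control"] = SMT_CONTROL.read_text().strip()
    return verdict


if __name__ == "__main__":
    live = read_live_status()
    if live is None:
        print(f"{VULN_FILE} not present: kernel too old, or not Linux")
    else:
        print(live["raw"])
        for action in recommend(live) or ["no action needed"]:
            print(" -", action)
```

Run it on each hypervisor and inside each guest; the guest line will often end in "SMT Host state unknown", which is the kernel saying it cannot see the host's SMT setting, and that is exactly the case where the IPFire-style default of disabling SMT on the host has to be confirmed out of band.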

Read more


More in Tux Machines

Programming/Development: C++, Go, Mozilla/Firefox and Python

  • Deliverable 1 : [✓]
    Seems okay, far better than the initial results. Although I should say, I deviated from what I thought I would need to write. First I assumed that I don’t have to write another boost::graph wrapper for KisPaintDevice, but I had to. That was one heck of an experience. In one of the last few posts, I ranted on Dmitry’s interpretation of the Graph, turns out we were on the same page but I understood his explanation the wrong way. I should pay more attention to details from now on I guess. All the pixels are connected to each other, but they only have an edge between them if they are adjacent. If in center, the out degree would be 8, if in corners, 3 and if in edges, 5. There are some other cases too, but I will leave them for the moment. While writing the wrapper, I also got to know some of the cool features and techniques of C++, which I will be writing posts on as soon as I get some time, concepts, traits, avoiding virtual functions and what not. It is commendable how boost approaches boost::astar_search, there is not a single virtual function, you don’t have to inherit anything (you can though for safety), just templates and traits, you are done.
  • Go Creeping In
    I’ve seen the inside of the Google and Amazon tech stacks. There are common threads that run through them and also, I bet, through most BigTechCos. Here and there down the stack is a lot of C++ and vestigial remnants from earlier days, Perl or PHP or whatever. Out in front of humans, of course, JS. But in between, there are oceans and oceans of Java; to a remarkable degree, it runs the Internet. Except for, here and there, you find a small but steadily increasing proportion of Go.
  • Stand by for FPR14 SPR1 chemspill
    Mozilla has shipped a fix for MFSA2019-18 in Firefox 67.0.3 and 60.7.1. This exploit has been detected in the wild, and while my analysis indicates it would require a PowerPC-specific attack to be exploitable in official TenFourFox builds (the Intel versions may be directly exploited, however), it could probably cause drive-by crashes and we should therefore ship an urgent fix as well. The chemspill is currently undergoing confidence tests and I'm shooting to release builds before the weekend. For builders, the only change in FPR14 SPR1 is the patch for bug 1544386, which I will be pushing to the repo just as soon as I have confirmed the fix causes no regressions.
  • PyPI Now Supports Two-Factor Login via WebAuthn
  • Understanding Python assignment
  • How to Publish Your Own Python Package to PyPI
  • PyCoder’s Weekly: Issue #373 (June 18, 2019)
  • EuroPython 2019: Community Discounts
  • EuroPython 2019: Inviting European Python Conference Organizers

today's howtos

All Linux, all the time: Supercomputers Top 500

Starting at the top, two IBM-built supercomputers, Summit and Sierra, at the Department of Energy's Oak Ridge National Laboratory (ORNL) in Tennessee and Lawrence Livermore National Laboratory in California, respectively, to the bottom -- a Lenovo Xeon-powered box in China -- all of them run Linux.

Linux supports more hardware architectures than any other operating system. In supercomputers, it supports both clusters, such as Summit and Sierra, the most common architecture, and Massively Parallel Processing (MPP), which is used by the number three computer Sunway TaihuLight.

When it comes to high-performance computing (HPC), Intel dominates the TOP500 by providing processing power to 95.6% of all systems included on the list. That said, IBM's POWER powers the fastest supercomputers. One supercomputer works its high-speed magic with Arm processors: Sandia Labs' Astra, an HPE design, which uses over 130-thousand Cavium ThunderX2 cores. And, what do all these processors run? Linux, of course.

133 systems of the Top 500 supercomputers are using either accelerator or co-processor setups. Of these most are using Nvidia GPUs. And, once more, it's Linux conducting the hardware in a symphony of speed.

Read more

Red Hat and SUSE Leftovers

  • Are DevOps certifications valuable? 10 pros and cons
  • Kubernetes 1.15: Enabling the Workloads
    The last mile for any enterprise IT system is the application. In order to enable those applications to function properly, an entire ecosystem of services, APIs, databases and edge servers must exist. As Carl Sagan once said, “If you wish to make an apple pie from scratch, you must first invent the universe.” To create that IT universe, however, we must have control over its elements. In the Kubernetes universe, the individual solar systems and planets are now Operators, and the fundamental laws of that universe have solidified to the point where civilizations can grow and take root. Discarding the metaphor, we can see this in the introduction of Object Count Quota Support For Custom Resources. In English, this enables administrators to count and limit the number of Kubernetes resources across the broader ecosystem in a given cluster. This means services like Knative, Istio, and even Operators like the CrunchyData PostgreSQL Operator, the MongoDB Operator or the Redis Operator can be controlled via quota using the same mechanisms that standard Kubernetes resources have enjoyed for many releases. That’s great for developers, who can now be limited by certain expectations. It would not benefit the cluster for a bad bit of code to create 30 new PostgreSQL clusters because someone forgot to add a “;” at the end of a line. Call them “guardrails” that protect against unbounded object growth in your etcd database.
  • Red Hat named HPE’s Partner of the Year at HPE Discover 2019
    For more than 19 years, Red Hat has collaborated with HPE to develop, deliver and support trusted solutions that can create value and fuel transformation for customers. Our work together has grown over these nearly two decades and our solutions now include Linux, containers and telecommunications technologies, to name just a few. As a testament to our collaboration, HPE has named Red Hat the Technology Partner of the Year 2019 for Hybrid Cloud Solutions.
  • Demystifying Containers – Part II: Container Runtimes
    This series of blog posts and corresponding talks aims to provide you with a pragmatic view on containers from a historic perspective. Together we will discover modern cloud architectures layer by layer, which means we will start at the Linux Kernel level and end up at writing our own secure cloud native applications. Simple examples paired with the historic background will guide you from the beginning with a minimal Linux environment up to crafting secure containers, which fit perfectly into today's and the future's orchestration world. In the end it should be much easier to understand how features within the Linux kernel, container tools, runtimes, software defined networks and orchestration software like Kubernetes are designed and how they work under the hood.
  • Edge > Core > Cloud: Transform the Way You Want
    For more than 25 years, SUSE has been very successful in delivering enterprise-grade Linux to our customers. And as IT infrastructure has shifted and evolved, so have we. For instance, we enabled and supported the move to software-defined data centers as virtualization and containerization technologies became more prevalent and data growth demanded a new approach.
  • SUSE OpenStack Cloud Technology Preview Takes Flight
    We are pleased to announce that as of today we are making a technology preview of a containerized version of SUSE OpenStack Cloud available that will demonstrate a future direction for our product. The lifecycle management for this technology preview is based on an upstream OpenStack project called Airship, which SUSE has been using and contributing to for some time. This follows our open / open policy of upstream first and community involvement.