Security Leftovers

Filed under
Security
  • Best VPN for Ubuntu in 2019 (Full Review)

    Linux is a highly customizable and completely open-source operating system that gives you full control over your computer. The Ubuntu distribution takes that customizability and adds a layer of user-friendliness on top. You get all the security benefits of Linux, only you don’t have to be a command line expert to get things done.

    Even though Ubuntu is more secure than other operating systems, out of the box it doesn’t do much to protect data leaving your device. VPNs bridge that crucial gap by providing encryption for every packet that exits your home network. You’ll get non-local privacy along with a high level of anonymity, all from the comfort of your own Ubuntu system.

  • Cisco's failure to heed whistleblower's warning about security defects in video surveillance software costs the company $8.6m in fines


    There's a lesson here about the people who advocate for allowing companies to decide when defects in their products can be revealed: companies are not trustworthy custodians of bad news about their products, even (especially) when the stakes are high and they face titanic liability for failing to mitigate reported defects.  

  • GitLab Is A Very Powerful Tool For Security: Liz Rice Of Aqua Security

    The ‘Takeaway’ from this interview is that GitLab is a very powerful tool for security. Guest Liz Rice, VP of Open Source Engineering at Aqua Security.

  • Liz Rice On Technology & Culture Of The Cloud Native World

    Liz Rice, VP of Open Source Engineering at Aqua Security sat down with Swapnil Bhartiya at KubeCon and CloudNativeCon, Barcelona, to talk about a wide range of topics.

  • bzip2 and the CVE that wasn’t

    Compiling with the GCC sanitizers and then fuzzing the resulting binaries might find real bugs. But not all such bugs are security issues. When a CVE is filed there is some pressure to treat such an issue with urgency and push out a fix as soon as possible. But taking your time and making sure an issue can be replicated/exploited without the binary being instrumented by the sanitizer is often better.

    This was the case for CVE-2019-12900, “BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors”.

    The bzip2 project had lost the domain which it had used for the last 15 years. And it hadn’t seen an official release since 2010. The bzip2 project homepage, documentation and downloads had already been moved back to sourceware.org. And a new bug tracker, development mailinglist and git repository had been setup. But we were still in the middle of a code cleanup (removing references to the old homepage, updating the manual and adding various cleanups that distros had made to the code) when the CVE was filed.

Security Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (firefox-esr and thunderbird), openSUSE (openexr and rmt-server), Oracle (bind, container-tools:rhel8, cyrus-imapd, dotnet, edk2, firefox, flatpak, freeradius:3.0, ghostscript, gvfs, httpd:2.4, java-1.8.0-openjdk, java-11-openjdk, kernel, mod_auth_mellon, pacemaker, pki-deps:10.6, python-jinja2, python27:2.7, python3, python36:3.6, systemd, thunderbird, vim, virt:rhel, WALinuxAgent, and wget), Slackware (mariadb), SUSE (java-1_8_0-openjdk, polkit, and python-Django1), and Ubuntu (Sigil and sox).

  • Securing BGP on the host with the RPKI

    An increasingly popular design for a data-center network is BGP on the host: each host ships with a BGP daemon to advertise the IPs it handles and receives the routes to its fellow servers. Compared to an L2-based design, it is very scalable, resilient, cross-vendor and safe to operate. Take a look at “L3 routing to the hypervisor with BGP” for a usage example.

    [...]

    On the Internet, BGP is mostly relying on trust. This contributes to various incidents due to operator errors, like the one that affected Cloudflare a few months ago, or to malicious attackers, like the hijack of Amazon DNS to steal cryptocurrency wallets. RFC 7454 explains the best practices to avoid such issues.

    People often use AS sets, like AS-APPLE in this example, as they are convenient if you have multiple AS numbers or customers. However, there is currently nothing preventing a rogue actor from adding arbitrary AS numbers to their AS set.

    IP addresses are allocated by five Regional Internet Registries (RIRs). Each of them maintains a database of the assigned Internet resources, notably the IP addresses and the associated AS numbers. These databases may not be totally reliable but are widely used to build ACLs to ensure peers only announce the prefixes they are expected to. Here is an example of ACLs generated by bgpq3 when peering directly with Apple:

  • Fernando ‘Corby’ Corbató

    Fernando “Corby” Corbató lived long enough to curse his most famous invention: the computer password. In 1961 he adapted the ancient system of secret codes almost as an afterthought for his truly groundbreaking invention: the ability for several people to simultaneously use the same computer — in those days room-sized elephants — remotely. But five years ago he admitted that passwords had become “a nightmare”. For a while he carried round three sheets of closely typed paper with his own collection of 150 codes. He eventually entrusted them to an electronic file.

Canonical Releases Linux 5.0 Kernel (HWE) Security Update for Ubuntu 18.04.2 LTS

Filed under
Security
Ubuntu

Canonical released today a new Linux kernel security update, this time for users of the Ubuntu 18.04.2 LTS operating system using the Linux 5.0 HWE (Hardware Enablement) kernel from Ubuntu 19.04.

This Linux Hardware Enablement (HWE) kernel from Ubuntu 19.04 for Ubuntu 18.04.2 LTS includes the same fixes for four security flaws that Canonical added in the latest kernel for Ubuntu 19.04 last week, including an integer overflow (CVE-2019-11487) discovered in the Linux kernel, which could lead to use-after-free issues that local attackers were able to exploit to execute arbitrary code or cause a denial of service (system crash).

Security Leftovers

Filed under
Security
  • Security updates for Thursday

    Security updates have been issued by CentOS (httpd, libssh2, and qemu-kvm), Debian (glib2.0, squirrelmail, subversion, and wpa), Fedora (proftpd), Oracle (icedtea-web), Red Hat (icedtea-web), Scientific Linux (icedtea-web), SUSE (icedtea-web, java-1_7_0-openjdk, subversion, and zypper, libzypp and libsolv), and Ubuntu (linux-hwe, openjdk-lts, pango1.0, python-django, and subversion).

  • Canonical Announces the Availability of Xibo as a Snap, Chrome 76 Released, Viruses Discovered in LibreOffice, Pop!_OS 18.10 Reaches End of Life, and Dutch Ministry of Justice and Security Warns of Microsoft Office Online Privacy Risks

    System76 announces that Pop!_OS 18.10 has reached end of life and will no longer receive security updates. To keep your system secure and up to date, upgrade your OS to version 19.04.

  • The FTC's Settlement With Equifax Is Such A Joke, The FTC Is Now Begging You Not To Ask For A Cash Settlement

    Last week there was a bit of news as the FTC released a proposed settlement between the FTC and Equifax over the data brokers' massive security breach that came to light nearly two years ago. We had already noted that the FTC's way of dealing with Equifax seemed particularly tone deaf, but it's getting worse. Much worse. As you may have heard, part of the "settlement" with Equifax is that you could sign up to get $125 from the company (or possibly more). It was either that or free credit monitoring. But, come on: everyone already has so many "free credit monitoring" services from previous breaches that this is a totally meaningless offer. It also costs nothing for Equifax.

    So, over the past week or so a ton of (helpful) news sites have been posting explainers on how to get your $125. Except... apparently too many people signed up and now the FTC is helping Equifax by telling people not to ask for money from the company any more.

  • Log management: Helping IT admins to achieve infrastructure-wide visibility

    When properly configured and deployed, log management tools can unearth a veritable treasure trove of data that IT administrators can use to triage and diagnose problems in enterprise IT infrastructures

  • New Home Secretary calls for an end to end-to-end encryption

    UK Home Secretary Priti Patel has taken to the pages of The Telegraph to call for Facebook to insert back door access to the end-to-end encryption system of its messaging platform and other , as members of the Five Eyes nations meet to call for the same.

    When protecting digital traffic, there are effectively two methods: client-server cryptography and end-to-end cryptography. In client-server cryptography, your traffic is encrypted between your client device and the remote server and vice-versa; anyone on the server, however, can access the traffic in its unencrypted form. In end-to-end cryptography, popularly and controversially used in Facebook's WhatsApp instant messaging platform, the encryption remains intact from client device to client device regardless of how many servers it passes through on the way - meaning there's no easy way for ne'er-do-wells or security services to capture the traffic in its unencrypted form.

    Back in 2017 then-Home Secretary Amber Rudd called for back door access to be provided to governments, security services, and law enforcement while claiming that 'real people' don't care about encryption. A year later the governments of the 'Five Eyes' countries - the UK and Australia, Canada, New Zealand, and the United States of America - hinted at the need for mandatory back-door access, and were supported by the UK's Government Communications Headquarters (GCHQ) and National Cyber Security Centre (NCSC). Most recently US Attorney General William Barr has joined the ranks of the non-technical claiming that it's entirely possible to add a back door into an end-to-end cryptosystem without threatening the security or privacy of its legitimate users.

Security Leftovers

Filed under
Security
  • Visa vulnerability lets cybercrims bypass contactless card limit

    When testing the attack with five major UK banks, Leigh-Anne Galloway and Tim Yunusov were not only able to bypass the verification limit "irrespective of the card terminal," but also found that the attack is possible with foreign cards and terminals.

  • Google’s Plans for Chrome Extensions Won’t Really Help Security

    Note: Sam Jadali, the author of the DataSpii report referenced in this blog post, is an EFF Coders’ Rights client. However, the information about DataSpii in this post is based entirely on public reports.

    Last week we learned about DataSpii, a report by independent researcher Sam Jadali about the “catastrophic data leak” wrought by a collection of browser extensions that surreptitiously extracted their users’ browsing history (and in some cases portions of visited web pages). Over four million users may have had sensitive information leaked to data brokers, including tax returns, travel itineraries, medical records, and corporate secrets.

    While DataSpii included extensions in both the Chrome and Firefox extension marketplaces, the majority of those affected used Chrome. Naturally, this led reporters to ask Google for comment. In response to questions about DataSpii from Ars Technica, Google officials pointed out that they have “announced technical changes to how extensions work that will mitigate or prevent this behavior.” Here, Google is referring to its controversial set of proposed changes to curtail extension capabilities, known as Manifest V3.

    As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we’re here to tell you: Google’s statement just isn’t true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation.

  • EFF at Vegas Security Week

    EFF is back this year at Vegas Security Week, sometimes affectionately known as Hacker Summer Camp. Stop by our booths at BSides, Black Hat, and DEF CON to find out about the latest developments in protecting digital freedom, sign up for our action alerts and mailing list, and donate to become an EFF member. We'll also have our limited-edition DEF CON 27 shirts available. These shirts have a puzzle incorporated into the design—try your hand at cracking it!

  • Protecting update systems from nation-state attackers

    Frequent updates are a key part of keeping systems secure, but that goal will not be met if the update mechanism itself is compromised by an attacker. At a talk during the 2019 Open Source Summit Japan, Justin Cappos described Uptane, an update delivery mechanism for automotive applications that, he said, can prevent such problems, even when the attacker has the resources of a nation state. It would seem that some automobile manufacturers agree.
    The list of companies that have suffered successful attacks on their update systems is long, Cappos began; it is something that happens all too frequently. Often these attacks are carried out by governments; he listed compromises that have been attributed to North Korea and Russia. The Stuxnet attack exploited the Windows update service as well, he said. Nation-state attackers can launch complex attacks; if you are defending against them, you have to worry about holding off a dedicated team of professionals — the best attackers in the world — who command massive resources and who are focused on your company in particular. It is a scary scenario, he said.

    It is even scarier when one is dealing with the software that makes a modern automobile run. An attacker who gains the ability to install new software on cars could create no end of mayhem, up to and including large-scale loss of life. Clearly, we all want our cars to be well defended against even the most sophisticated intrusion attempts.

    [...]

    There are multiple open-source implementations of Uptane available. It has now been mandated by several manufacturers, but he was not allowed to name them. It meets or surpasses all of the existing proposals for update security, including upcoming regulations that require compromise resistance. There is a standardization effort around Uptane that is funded by the US Department of Homeland Security, rather than by the vendors. The system has been through a number of security audits as well. Uptane has been integrated with in-toto, a mechanism for supply-chain security that has been adopted widely, including by Debian, Arch Linux, and the reproducible builds project.

    This code, he said, can be expected to ship in about one-third of all new cars on US roads in the near future.

    Cappos closed by saying that, regardless of the work he and others have done, some groups will use insecure designs and car companies will put lives at risk. Attacks will happen, and appeals to weak regulations for cover will not suffice; people will die and (seemingly worse for manufacturers) big lawsuits will result. Systems like Uptane are meant to prevent that from happening.

On self-hosting the project

Filed under
Development
OSS
Security

Something that I cannot highlight often enough, but never did in writing, is that the IPFire Project is entirely self-hosted. We host all services for our developers and users ourselves. We do not use any big services from any third parties and never share any user data.

This is quite important to myself and others in the team, because it has many implications that are not very easy to see: IPFire is being used by many individuals and organisations with a higher need for security. They are regularly targeted. Although this is not a problem for the average user of IPFire, it still helps to keep a low profile wherever possible.

Also: Github Has Restricted Accounts of Users from US Sanctioned Countries

Security: Small Airplanes, Hutchins, Updates, Windows XP and WireGuard

Filed under
Security
  • US issues hacking security alert for small planes [iophk: as planes become networked, attacks will no longer require physical access, such a thing has happened in cars.]

    The cybersecurity firm, Rapid7, found that an attacker could potentially disrupt electronic messages transmitted across a small plane’s network, for example by attaching a small device to its wiring, that would affect aircraft systems.

    Engine readings, compass data, altitude and other readings “could all be manipulated to provide false measurements to the pilot,” according to the DHS alert.

  • Small Airplanes Can Be Hacked to Display False Data in Flight

    However, the [attack] requires physical access.

    [...]

    Rapid7 verified the findings by investigating two commercially available avionics systems. It determined that only "some level of physical access" to the aircraft's wiring was needed to pull off the hack, which could be delivered by attaching a small device to the plane's Controller Area Network (CAN) bus to send the false commands.

    The key problem is that the CAN bus is integrated into the plane's other components without any firewalls or authentication systems in place. This means untrusted connections over a USB adapter hooked up to the plane can send commands to its electronic systems.

  • No Jail Time for “WannaCry Hero” [iophk: the plea "bargain" still means he has become a convicted felon]

    Hutchins’ conviction means he will no longer be allowed to stay in or visit the United States, although Judge Stadtmeuller reportedly suggested Hutchins should seek a presidential pardon, which would enable him to return and work here.

  • Security updates for Wednesday

    Security updates have been issued by CentOS (389-ds-base, curl, and kernel), Debian (libssh2), Fedora (kernel, kernel-headers, and oniguruma), openSUSE (chromium, openexr, thunderbird, and virtualbox), Oracle (389-ds-base, curl, httpd, kernel, and libssh2), Red Hat (nss and nspr and ruby:2.5), Scientific Linux (httpd and kernel), SUSE (java-1_8_0-openjdk, mariadb, mariadb-connector-c, polkit, and python-requests), and Ubuntu (openjdk-8, openldap, and sox).

  • It's 2019, and one third of businesses still have active Windows XP deployments [Ed: The problem is that they use Windows (back doors in all versions), not that they use "XP". They should move corporate data to something secure like BSD and GNU/Linux.]

    Zero-day attacks were the second-most cited concern among IT decision makers, according to SpiceWorks, with 18% of respondents citing that as their primary concern. Insider data leaks were the most cited, at 27%, while attacks on IoT devices was third (17%), followed by supply-chain attacks (15%), DDoS attacks (15%), and cryptojacking (15%). Fewer than 20% of respondents indicated their business was "completely prepared" for common security threats.

    Considering the risks that accompany unsupported software generally, and the larger attack surface that results from an unsupported (or otherwise unpatched) operating system, there is a relative lack of urgency to migrate from Windows 7. Certainly, while paid support for volume licenses is a possibility for some, smaller organizations ineligible for volume licensing will be left out in the cold. To date, Microsoft has shown no signs of wavering in their intent to grant a reprieve to the remaining users of Windows 7. Without a major shift, or a reprieve from Redmond, the prospect of unpatched, internet-connected systems is fertile ground for botnet creation.

  • NordLynx: NordVPN Builds New Tech Around WireGuard

    Well known Panama-based VPN provider NordVPN has announced their NordLynx technology today that is based on the WireGuard protocol.

    NordLynx is the company's new "fast and secure" VPN solution built atop WireGuard. The company describes WireGuard as a "radical change" and "a breath of fresh air in the industry."

Security Leftovers

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Fedora (cutter-re and radare2), Oracle (389-ds-base, httpd, kernel, libssh2, and qemu-kvm), Red Hat (389-ds-base, chromium-browser, curl, docker, httpd, keepalived, kernel, kernel-alt, kernel-rt, libssh2, perl, podman, procps-ng, qemu-kvm, qemu-kvm-ma, ruby, samba, and vim), Scientific Linux (389-ds-base, curl, libssh2, and qemu-kvm), SUSE (bzip2 and openexr), and Ubuntu (python-urllib3 and tmpreaper).

  • Equifax Settlement Won’t be Enough to Deter Future Breaches: The Law Must Catch Up

    Last week, news broke of a large financial settlement for the massive 2017 Equifax data breach affecting 147 million Americans. While the direct compensation to those harmed and the fines paid are important, it’s equally important to evaluate how much this result is likely to create strong incentives to increase data security for both Equifax and the other companies that are closely watching.

    We doubt it will do enough. Without stronger privacy legislation, the lawyers and regulators trying to respond to these data leaks are operating with one hand tied behind their back.

    In the meantime, EFF strongly urges everyone impacted by the calamitous Equifax breach to participate in the settlement claims process. Equifax must pay for the harm they have caused to everyone. And all too often, the fact that too few people make claims in these consumer privacy cases is used in the next case to argue that consumers just don’t care about privacy, making it even harder to force real security upgrades. If you do care about your privacy and want to make companies more responsible with your data, make your position known.

  • Capital One Breach Sets Record

    Capital One bank announced that a criminal hacker stole the personal information of 106 million people who had applied for credit, including credit scores, social security numbers, and bank account numbers. By some measures, it is the largest data breach of a US bank in history. The FBI arrested the alleged hacker and filed a complaint in federal court. Capital One joins a long list of companies that have had data breaches in recent years. In testimony before the Senate and the House several years ago, EPIC warned Congress that US financial institutions were not doing enough to safeguard consumer data. EPIC has recently renewed calls for the creation of a US Data Protection Agency.

  • Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker

    That's a big "if" -- one that's certainly called into question by the swift apprehension of a suspect. Maybe this is all on the level. Even if it is, does it matter? Companies collecting massive amounts of data are still, on the whole, pretty cavalier about data security, even as breach after horrifying breach is announced.

    Given the data obtained, it almost seems like it would have been far less labor-intensive to just scour the web for a copy of the Equifax breach and download that instead. The Venn diagram of the sensitive data likely has a significant overlap.

    Then there's the press release by Capital One, which inadvertently shows how little it really cares what happens to customers' sensitive information.

Canonical Releases New Linux Kernel Live Patch for Ubuntu 18.04 and 16.04 LTS

Filed under
Linux
Security
Ubuntu

Coming hot on the heels of the last Linux kernel security updates released by Canonical last week for all supported Ubuntu Linux releases, this new kernel live patch is now available for users of the Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) operating systems who use the Canonical Livepatch Service to apply rebootless kernel updates.

It fixes five security issues, including a race condition (CVE-2019-11815) in the Linux kernel's RDS (Reliable Datagram Sockets) protocol implementation, which could lead to a use-after-free and may allow a local attacker to crash the system or execute arbitrary code, as well as a flaw (CVE-2019-2054) affecting ARM CPUs, which lets local attackers bypass seccomp restrictions.
