Security Leftovers

Filed under
Security
  • Security updates for Monday
  • NetBSD 8.1 RC1 Released With MDS Mitigations, Option To Turn Off SMT/HT, Driver Updates

    The first and only anticipated release candidate for NetBSD 8.1 is now available for testing.

    The NetBSD 8.1 release candidate adds the necessary mitigations for the Microarchitectural Data Sampling / Zombieload vulnerabilities. With Hyper Threading looking increasingly insecure with these new CPU vulnerabilities, NetBSD has joined other operating systems in offering a new setting to disable HT/SMT support: the smtoff rc.conf option.

  • Outbound Traffic Filtering | Roadmap to Securing Your Infrastructure

    This week, we’re discussing outbound traffic filtering. This is filtering provided at the network edge by a firewall with rules (ACLs) restricting what internal users are allowed to access. Some firewalls have the ability to filter by an application (layer 7 firewalls), but we’re going to concentrate on standard packet-filtering firewalls and their capabilities. There are several reasons for wanting to restrict outbound communications, such as defeating malware, making data exfiltration harder, and the detection of infected hosts.
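As an added illustration of the three reasons the excerpt gives (defeating malware, making exfiltration harder, and detecting infected hosts), here is a small default-deny egress ACL replayed over constructed flow records. This is example code written for this page, not the article's; the internal network, resolver and mail-relay addresses and the log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for this example (not from the page), one per
# line: "<src_ip> <dst_ip> <proto> <dst_port>", as an edge device might export.
FLOW_LOG = """\
10.1.1.20 10.1.1.2 udp 53
10.1.1.20 93.184.216.34 tcp 443
10.1.1.21 8.8.8.8 udp 53
10.1.1.21 198.51.100.7 tcp 4444
10.1.1.21 198.51.100.7 tcp 4444
10.1.1.22 203.0.113.9 tcp 25
10.1.1.22 93.184.216.34 tcp 80
"""

# Assumed network layout for the policy below.
INTERNAL = ipaddress.ip_network("10.1.1.0/24")
RESOLVERS = {ipaddress.ip_address("10.1.1.2")}      # only the DNS servers may query out
MAIL_RELAYS = {ipaddress.ip_address("10.1.1.25")}   # only the relay may speak SMTP out


def egress_allowed(src, dst, proto, port):
    """Default-deny outbound ACL: which internal hosts may reach what.

    Returns True for traffic the edge firewall should pass. Anything not
    listed is denied, which is what makes C2 beacons on odd ports, DNS to
    outside resolvers and ad-hoc SMTP exfiltration fail at the edge.
    """
    if dst in INTERNAL:
        return True                      # east-west traffic, not an egress decision
    if proto == "udp" and port == 53:
        return src in RESOLVERS          # workstations must use the internal resolvers
    if proto == "tcp" and port in (80, 443):
        return True                      # web browsing is allowed for everyone
    if proto == "tcp" and port == 25:
        return src in MAIL_RELAYS        # outbound mail only from the relay
    return False


def audit_flows(log_text):
    """Replay flow records through the ACL and group denied attempts by source.

    The denied list per host is the "detection of infected hosts" benefit:
    a workstation repeatedly trying port 4444 outbound stands out immediately.
    """
    denied = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_s, dst_s, proto, port_s = line.split()
        src = ipaddress.ip_address(src_s)
        dst = ipaddress.ip_address(dst_s)
        if not egress_allowed(src, dst, proto, int(port_s)):
            denied[src_s].append((dst_s, proto, int(port_s)))
    return dict(denied)


def suspicious_hosts(log_text, threshold=2):
    """Sources with at least `threshold` denied egress attempts, worst first."""
    denied = audit_flows(log_text)
    ranked = sorted(denied.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [src for src, hits in ranked if len(hits) >= threshold]


if __name__ == "__main__":
    for src, hits in audit_flows(FLOW_LOG).items():
        print(src, "denied:", hits)
    print("investigate:", suspicious_hosts(FLOW_LOG))
```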

  • Bluetooth's Complexity Has Become a Security Risk

    Fundamentally, both Bluetooth and BLE open up a channel for two devices to communicate—an extremely useful arrangement, but one that also opens the door for dangerous interactions. Without strong cryptographic authentication checks, malicious third parties can use Bluetooth and BLE to connect to a device they shouldn't have access to, or trick targets into thinking their rogue device is a trusted one.

  • Huawei promises continued security updates and service to existing users post Google ban

    Google has shocked the world by banning Huawei from future OS versions and security updates, but existing Huawei handsets will continue getting Google Play app updates, while Huawei promises it will issue security updates instead.

  • Security Advisory: Kernel and Firmware Updates for Intel MDS Vulnerability
  • ICE Tops Its Old Record, Spends Another $820,000 On Cellphone-Cracking Tools

    As consecutive heads of the FBI have whined about the general public's increasing ability to keep their devices and personal data secure with encryption, a number of companies have offered tools that make this a moot point. Grayshift -- the manufacturer of phone-cracking tool GrayKey -- has been selling hundreds of thousands of dollars-worth of devices to other federal agencies not so insistent the only solution is backdoored encryption.

    ICE is one of these agencies. It led all federal agencies in phone-cracking expenditures in 2018. It spent $384,000 on these tools last year. It wasn't just ICE. Other agencies like the DEA and [checks notes] the Food and Drug Administration have also purchased these devices. But ICE led the pack, most likely because ICE -- along with DHS counterpart CBP -- are engaging in more suspicionless, warrantless device searches than ever.

Security Leftovers

Filed under
Security
  • Why Are Cryptographers Being Denied Entry into the US?

    Is there some cryptographer blacklist? Is something else going on? A lot of us would like to know.

  • Security Engineering: Third Edition

    Today I put online a chapter on Who is the Opponent, which draws together what we learned from Snowden and others about the capabilities of state actors, together with what we’ve learned about cybercrime actors as a result of running the Cambridge Cybercrime Centre. Isn’t it odd that almost six years after Snowden, nobody’s tried to pull together what we learned into a coherent summary?

    There’s also a chapter on Surveillance or Privacy which looks at policy. What’s the privacy landscape now, and what might we expect from the tussles over data retention, government backdoors and censorship more generally?

  • Google halts some business with China's Huawei: report

    Huawei will reportedly no longer be able to access Android updates, the Gmail app, the Google Play store and new versions of Google phones outside of China.

  • Google restricts Huawei's use of Android

    Existing Huawei smartphone users will be able to update apps and push through security fixes, as well as update Google Play services.

    But when Google launches the next version of Android later this year, it may not be available on Huawei devices.

    Future Huawei devices may no longer have apps such as YouTube and Maps.

  • Forget Huawei, The Internet Of Things Is The Real Security Threat

    We've noted for a while how a lot of the US protectionist security hysteria surrounding Huawei isn't supported by much in the way of hard data. And while it's certainly possible that Huawei helps the Chinese government spy, the reality is that Chinese (or any other) intelligence services don't really need to rely on Huawei to spy on the American public. Why? Because people around the world keep connecting millions of internet of broken things devices to their home and business networks that lack even the most rudimentary of security and privacy protections.

    Week after week we've documented how these devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors.

Security: CBS FUD, .NET Push and Intel Disaster Due to Defects

Filed under
Security
  • Security researchers discover Linux version of Winnti malware [Ed: This targets already-vulnerable servers and GNU/Linux has little to do with that. It can be proprietary software on top of it.]

    Chronicle says it discovered this Linux variant after news broke last month that Bayer, one of the world's largest pharmaceutical companies, had been hit by Chinese hackers, and the Winnti malware was discovered on its systems.

  • Microsoft's Attack Surface Analyzer now works on Macs and Linux, too [Ed: Microsoft is now pushing .NET in the name of "security"]
  • Intel Loses 5X More Average Performance Than AMD From Mitigations: Report

    Intel has published its own set of benchmark results for the mitigations to the latest round of vulnerabilities, but Phoronix, a publication that focuses on Linux-related news and reviews, has conducted its own testing and found a significant impact. Phoronix's recent testing of all mitigations in Linux found the fixes reduce Intel's performance by 16% (on average) with Hyper-Threading enabled, while AMD only suffers a 3% average loss. Phoronix derived these percentages from the geometric mean of test results from its entire test suite.

    From a performance perspective, the overhead of the mitigations narrows the gap between Intel and AMD's processors. Intel's chips can suffer even more with Hyper-Threading (HT) disabled, a measure that some companies (such as Apple and Google) say is the only way to make Intel processors completely safe from the latest vulnerabilities. In some of Phoronix's testing, disabling HT reduced performance almost 50%. The difference was not that great in many cases, but the gap did widen in almost every test by at least a few points.

Security Leftovers

Filed under
Security
  • [Florida] Panhandle county that backed Trump among Russian hacking victims [iophk: "Windows TCO"]


    Washington County was one of two counties successfully hacked by Russians seeking voter information files. The FBI and the Department of Homeland Security in the past week have briefed Gov. Ron DeSantis and Florida’s congressional delegation about the attack, but federal authorities have asked that the names of the two counties be kept confidential.

  • Hacking democracies: Cataloguing cyber-enabled attacks on elections


    Of the 97 national elections in free or partly free countries reviewed for this report during the period from 8 November 2016 to 30 April 2019, a fifth (20 countries) showed clear examples of foreign interference, and several countries had multiple examples (see the appendix to this report).[17] It’s worth noting that confidence in attributions to foreign actors varied widely. In ideal circumstances, a government source made the attribution, but often the attribution was more informal. Our intention was not to provide an exhaustive list of every alleged case of foreign interference but instead to capture the spread of states experiencing the phenomenon and illustrative examples of different methods. Details on all examples identified through this research are set out in the appendix.

  • Slack patches vulnerability in Windows client that could be used to hijack files


    The potential attack used a weakness in the way the "slack://" protocol handler was implemented in the Windows application. By creating a crafted link posted in a Slack channel, the attacker could alter the default settings of the client—changing the download directory, for example, to a new location with a URL such as "slack://settings/?update={'PrefSSBFileDownloadPath':''}". That path could be directed to a Server Message Block (SMB) file-sharing location controlled by the attacker. Once clicked, all future downloads would be dropped onto the attacker's SMB server. This link could be disguised as a Web link—in a proof-of-concept, the malicious Slack attack posed as a link to Google.

  • Protecting your computer against Intel’s latest security flaw is easy, unless it isn’t


    The new vulnerabilities are built into Intel hardware and go by various names. ZombieLoad, Fallout, or RIDL are the catchy ones; the more technical name is Microarchitectural Data Sampling (MDS). Before we get into it more, you probably want to know what to do about it.

  • Sites infected as open source Alpaca Forms & analytics service Picreel compromised [Ed: JavaScript is a security threat and this isn't the fault of FOSS but of poor stewardship]

    Hackers have breached two services and modified the JavaScript code to infect more than 4,600 websites with malware, according to security researchers.

  • The 10 Best Free and Open Source Identity Management Tools

    Identity and access management must form the core of your cybersecurity policies and platforms. Securing credentials and verifying users can help deflect and prevent an overwhelming majority of data breaches. Indeed, IAM forms the modern enterprise’s digital perimeter; strong authentication protocols alone can help keep digital assets secure and keep external and internal threat actors out.

  • Top 3 Open Source Tools for SAST

    Static Application Security Testing, or SAST, is a type of security testing which analyzes the source code of an application to determine security flaws. It can also be termed Source Code Analysis. SAST examines the source code before it’s compiled, without executing anything. Due to this feature, it can be employed early in the development cycle to reap maximum benefits. This ensures that secure source code is written. Also, early detection of security vulnerabilities lowers the cost of fixing bugs after development.

  • Open Source Innovation in Cybersecurity

    There is a convergence of growth in the number of protection vulnerabilities. The rise in hacker capabilities and tools are being enacted in the European Union, and businesses are expanding their investments in cybersecurity significantly. According to Global Market Insights, between 2019 and 2024, the demand for cybersecurity goods and assistance is assumed to grow from $120 billion to more than $300 billion annually. Estimation of Gartner affirms that by 2020 more than 60 percent of companies will have invested in multiple data security tools.

    [...]

    In smart cars, IoT platforms and cybersecurity software projects like Kali Linux, open source is a leading technology. While it has undergone exponential growth, the thriving proliferation of convenient source by banking networks, was not invariably a foregone conclusion.

  • Open Source Versioning: The Race to Stay Up-to-Date [Ed: The same is true for proprietary software, but companies like Microsoft bankrolled an industry of FUD that never speaks of back doors in blobs, only high-profile FOSS bugs]

    Open source libraries, once shunned as risky and not ready for prime time, are now used extensively across major corporations, including insurers. The reason is simple: In time- and resource-constrained companies trying to stay technologically competitive, it doesn’t make sense anymore to try to reinvent a wheel that’s already been battle-tested. However, having made the commitment to open source code and solution sets, it’s imperative to keep up-to-date with open source library maintenance and updates.

  • Don't let security fall apart at the SIEMs. How open source search can upgrade SIEM to fight modern threats
  • WhatsApp hack: Is any app or computer truly secure?

Security: BSDcan, Ransom and Exploits

Filed under
Security
  • ssh in https

    The wifi network at BSDcan, really the UOttawa network, blocks a bunch of ports. This makes it difficult to connect to outside machines using “exotic” protocols, basically anything except http or https. There are many ways to resolve this, here’s what I did.

  • These firms promise high-tech ransomware solutions—but typically just pay hackers [iophk: “Windows continues to enable entire cottage industries around grifting”]

    Proven Data promised to help ransomware victims by unlocking their data with the “latest technology,” according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica.

    Another US company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

  • Google Starts Tracking Zero-Days Exploited in the Wild

    The new project, named 0Day ‘In the Wild’, is basically a spreadsheet that Project Zero uses to track vulnerabilities exploited before they became known to the public or the vendor.

    The spreadsheet currently lists over 100 vulnerabilities exploited in the wild since 2014. The table includes the flaw’s CVE identifier, impacted vendor, impacted product, the type of vulnerability, a brief description, the date of its discovery, the date when a patch was released, a link to the official advisory, a link to a resource analyzing the flaw, and information on attribution.

Developers Start Debating Whether To Block Password-Based Root SSH Logins For Fedora 31

Filed under
Red Hat
Security

While upstream OpenSSH has disabled password logins for the root user in its default configuration for a number of years now, and that has carried over into the out-of-the-box behavior of many operating systems, Fedora continues allowing password-based SSH root log-ins by default. But with the next Fedora release they are thinking about changing that default behavior.

This would allow Fedora to have better security out-of-the-box particularly on servers where OpenSSH tends to be running. The configuration can still be toggled with the "PermitRootLogin" directive of the SSHD configuration.
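To show what that toggle actually decides, here is an added example (not Fedora's or OpenSSH's code) that reads sshd_config text the way sshd does and reports whether root can still log in with a password. The two config fragments are constructed for the example; the defaults table reflects OpenSSH 7.0 and later, where an absent PermitRootLogin means prohibit-password.

```python
import re

# Constructed sshd_config fragments for this example (not Fedora's files).
# sshd keeps the FIRST value it sees for a keyword, so the later
# prohibit-password line in the weak config changes nothing.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password   # ignored: first value wins
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PermitRootLogin no
"""

# Defaults sshd applies when a directive is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def effective_value(config_text, keyword):
    """Global value sshd would use for `keyword` (case-insensitive).

    Two sshd_config rules are mirrored: the first value obtained wins, and
    lines inside a Match block (which runs to the next Match or end of file)
    apply only to matching connections, so they are skipped here.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == keyword.lower():
            return value
    return DEFAULTS[keyword.lower()]


def root_password_login_allowed(config_text):
    """True if root can authenticate over SSH with only a password.

    That needs PermitRootLogin yes plus a password-style method still on;
    prohibit-password, forced-commands-only and no all block it.
    """
    if effective_value(config_text, "permitrootlogin") != "yes":
        return False
    return (effective_value(config_text, "passwordauthentication") == "yes"
            or effective_value(config_text, "challengeresponseauthentication") == "yes")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "root password login:", root_password_login_allowed(cfg))
```

On a live host the same answer comes from `sshd -T | grep -i permitrootlogin`, which prints the effective value after all includes and Match logic.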

Also: FPgM [Fedora Program Management ] report: 2019-20

Security: Latest on MDS Vulnerability and WhatsApp Vulnerability

Filed under
Security

Security: Updates, RDS, FBI, Microsoft, Google and Ransom

Filed under
Security
  • Security updates for Thursday
  • Severe Linux kernel flaw found in RDS
  • FBI Tells The Governor Of Florida About Election Hacking, But Says He Can't Tell Anyone Else

    I thought this was America, but whatever. Secrecy in all things government, despite the (often misheld) presumption that our public servants will be open and honest about issues that affect us.

    It's no secret voting systems and databases are not secure. These are problems that date back 15 years, but have shown little improvement since. Election interference is just another tool in the nation-state hacking kit, and the US is far from immune from these attacks.

    Federal agencies investigating election interference are at least speaking to officials in states affected by these efforts. But those officials are apparently not allowed to pass on this information to those affected the most: voters.

  • Microsoft’s First Windows XP Patch in Years Is a Very Bad Sign

    THIS WEEK, MICROSOFT issued patches for 79 flaws across its platforms and products. One of them merits particular attention: a bug so bad that Microsoft released a fix for it on Windows XP, an operating system it officially abandoned five years ago.

  • Google Says Titan Security Keys Could Be Hacked; Offers Free Replacement

    Today Google has announced a security flaw in its Bluetooth Titan Security Key that is used for 2-factor authentication. The security flaw could allow hackers in close proximity to bypass the security mechanism and connect their own devices.

  • Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers

    FROM 2015 TO 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the U.K. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.

    “You just have 7 days to send us the BitCoin,” read the ransom demand to Newark. “After 7 days we will remove your private keys and it’s impossible to recover your files.”
    At a press conference last November, then-Deputy Attorney General Rod Rosenstein announced that the U.S. Department of Justice had indicted two Iranian men on fraud charges for allegedly developing the strain and orchestrating the extortion. Many SamSam targets were “public agencies with missions that involve saving lives,” and the attackers impaired their ability to “provide health care to sick and injured people,” Rosenstein said. The hackers “knew that shutting down those computer systems could cause significant harm to innocent victims.”

More in Tux Machines

My personal journey from MIT to GPL

As I got started writing open source software, I generally preferred the MIT license. I actually made fun of the “copyleft” GPL licenses, on the grounds that they are less free. I still hold this opinion today: the GPL license is less free than the MIT license - but today, I believe this in a good way.

[...]

I don’t plan on relicensing my historical projects, but my new projects have used the GPL family of licenses for a while now. I think you should seriously consider it as well.

Security Leftovers

  • Yubico recalls government-grade security keys due to security bug

    If you buy a government-grade security key, the one thing you really want from it is government-grade security. It's the very dictionary definition of "you had one job." That's why it's somewhat embarrassing that Yubico has put out a recall notice on its FIPS series of authentication keys which, it turns out, aren't completely secure.

  • [Microsoft's] EternalBlue exploit surfaces in bog standard mining attack

    A bog standard attack aimed at planting a cryptocurrency miner has been found to be using advanced targeted attack tools as well, the security firm Trend Micro says, pointing out that this behaviour marks a departure from the norm.

Kernel: Systemd, DXVK, Intel and AMD

  • Systemd Is Now Seeing Continuous Fuzzing By Fuzzit
    In hoping to catch more bugs quickly, systemd now has continuous fuzzing integration via the new "Fuzzit" platform that provides continuous fuzzing as a service. New this week to systemd is the continuous fuzzing integration, where every pull request / push will see some quick checks carried out, while on a daily basis the code will be fuzzed in full for all targets.
  • DXVK 1.2.2 Brings Minor CPU Overhead Optimizations, Game Fixes
    In time for those planning to spend some time this weekend gaming, DXVK lead developer Philip Rebohle announced the release of DXVK 1.2.2 that will hopefully soon be integrated as part of a Proton update for Steam Play but right now can be built from source. While certain upstream Wine developers express DXVK being a "dead end" and are optimistic in favor of piping their WineD3D implementation over Vulkan, for Linux gamers today wanting to enjoy D3D11 Windows games on Linux the DXVK library continues working out splendid with great performance and running many Direct3D games with much better performance over the current WineD3D OpenGL code.
  • Intel 19.23.13131 OpenCL NEO Stack Adds Comet Lake Support
    We've seen the Intel Comet Lake support get pieced together in recent months in the different components making up the Intel Linux graphics stack while the compute-runtime is the latest addition. Comet Lake as a refresher is a planned successor to Coffeelake/Whiskeylake and expected to come out this year as yet more 9th Gen hardware. But Comet Lake should be interesting with rumored 10-core designs. Though with being more processors with Gen9 graphics, the Comet Lake Linux support basically boils down to adding in the new PCI IDs.
  • AMD Wires Its New Runtime Linker Into RadeonSI Gallium3D
    RadeonSI Gallium3D has already shifted over to using this new linker. Making use of the .rodata should help with efficiencies throughout the driver (more details in this forum thread) but at this point is mostly laying the groundwork for more improvements to be made moving forward.

Red Hat and Fedora Leftovers

  • Building IT Transformation Architecture with Red Hat OpenShift
    In the era of mobile applications, business challenges to the enterprise IT organizations are more dynamic than ever. Many enterprises have difficulties responding in time because of the inherent complexity and risk of integrating emerging technologies into existing IT architectures. In this article, I will share my experience on how to utilize Red Hat OpenShift as a “Middle Platform” (中台) for enterprises to construct its bimodal IT architecture with agile, scalable and open strategy. In the past year, I have discussed with many corporate customers–especially in the financial services industry–the challenges of digital transformation, and the solutions. Most of their difficulties are coming from “core systems” which have been working for more than 10 years.
  • Fedora Community Blog: FPgM report: 2019-24
    Here’s your report of what has happened in Fedora Program Management this week. Elections voting is open through 23:59 UTC on Thursday 20 June. I have weekly office hours in #fedora-meeting-1. Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else.
  • Copr's Dist-Git
    In Copr, we use dist-git to store sources as well. However, our use case is different. In the past, Copr only allowed building from a URL. You provided a URL to your SRC.RPM and Copr downloaded it and built it. This was a problem when the user wanted to resubmit the build: the original URL very often did not exist anymore. Therefore we came up with the idea of storing the SRC.RPM somewhere, and obviously dist-git was the first idea.