Language Selection

English French German Italian Portuguese Spanish

Security

Did Lilu Ransomware Really Infect Linux Servers

Filed under
Linux
Server
Security

Note that the domain name of this folder has been hidden from view making it impossible for us to verify if these files were actually on a Linux server. The article goes on to note that “Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally.”

This limitation raises the obvious question of whether the core of the Linux server itself has been compromised or whether merely applications connected to the core have been hacked. There are many very insecure website building applications such as Wordpress and many insecure web mail applications such as Exim that have been repeatedly hacked over the years. Both Wordpress and Exim have suffered from dozens of major security problems that have nothing to do with the security of the Linux operating system which is at the core of all Linux servers. All of the file formats mentioned in the article are files used on Wordpress websites and files that can be transmitted via Exim email programs.

[...]

So instead of 6000 websites on 6000 servers being infected, it looks more like 6000 files on less than 1000 websites were infected. And many of these websites could have been on the same server – meaning that perhaps only a couple dozen out of the worlds 10 million Linux servers had infected files – and none of the files were actually in the core of any Linux servers.

[...]

Many of these articles were exact copies of the Zdnet article. Thus far, not a single so-called “security expert” has bothered either to look into the evidence provided much less challenge or disagree with this silly claim.

Instead, make even more extreme claims, noting that there are millions of Linux servers running outdated, un-patched and insecure versions of Exim software. This is a fact. But given how many holes have been found in the Exim software, the problem is not with the Linux servers, it is with the Exim software. In my humble opinion, the design of Exim is not secure and the design of Postfix is more secure.

The solution to this Exim problem is to demand that Cpanel support support Postfix and to ask Debian to also switch from Exim to Postfix (something Ubuntu has already done for very obvious reasons). This is the benefit of the diversity of free open source software. If one program has problems, there is quite often a more secure alternative that can be installed with just the click of a button. This is a problem that has been going on for years. But it can be fixed in a matter of minutes.

Read more

Security: TrendMicro, Mozilla's Firefox Monitor and Capsule8

Filed under
Security
  • New Linux malware mines crypto after installing backdoor with secret master password [Ed: Skips the part about it having to be installed in the first place (not the fault of Linux)]

    Cybersecurity researchers have identified a new strain of Linux malware that not only mines cryptocurrency illicitly, but provides the attackers with universal access to an infected system via a “secret master password.”

    TrendMicro’s latest blog also reveals that Skidmap attempts to mask its cryptocurrency mining by faking network traffic and CPU-related statistics.

  • Linux malware masks illicit crypto mining with fake network traffic

    A new cryptocurrency mining malware targeting Linux systems has demonstrated how complex this type of malware has become. Known as Skidmap, the malware is not only harder to detect, it also gives the attackers unfiltered access to the affected system.

  • What to do after a data breach

    You saw the news alert. You got an email, either from Firefox Monitor or a company where you have an account. There’s been a security incident — a data breach. And your account has been compromised.

    Getting notified that you’ve been a victim of a data breach can be alarming. You have valid cause for concern, but there are a few steps you can take immediately to protect your account and limit the damage.

  • Capsule8 Protect Earns HIPAA Compliance Certification

Security: Updates, Drama and FUD

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).

  • This New Linux Malware Mines Crypto By Creating Malign Linux Modules

    As per the research, the new Linux malware mines crypto by creating malicious loadable kernel modules (LKM) to stay under the wraps. As the malware utilizes Linux kernel module rootkits, it becomes difficult to detect and patch it. This is because of its overwriting and modification of kernel parts capabilities.

  • A Critical Exim Vulnerability, Lilocked Ransomware on the Rise, but Linux Not to Blame

    In the context of these recent vulnerabilities and exploits, it is easy to label Linux and Open Source as “vulnerable” or “insecure”. However, doing so is unfair as well as incorrect. Unlike Windows and MacOS, Linux is a multi-user environment (a characteristic that the OS inherited from Unix) where users are granted specific privileges. This design prevents the compromise of one user account from impacting an entire system. In order to gain control over a Linux system, malware would have to gain root access to the system.

    Vulnerabilities exist in every system, and in terms of security vulnerabilities, Linux has a relatively clean record when compared to other popular operating systems. In the words of Linux creator Linus Torvalds, “Given enough eyeballs, all bugs are shallow”. Because of the intense review that Linux is continuously undergoing from security experts in the Open Source community, vulnerabilities are quickly identified and fixed. Because of this, as well as the way in which Linux manages privileges, relatively few viruses and worms are written to attack Linux systems. In comparison, proprietary operating systems like Microsoft Windows are easy targets for malicious coders, making them frequent victims of malware and viruses. This year, a total of 700 vulnerabilities in Microsoft Windows were disclosed, 189 of which were classified as critical.

    Exim, however, is a notoriously insecure mail server. In spite of this, it has a market share of over 57 percent, due to the fact that the MTA has been bundled with many Linux distros, including Debian and Red Hat. Thus, the frequent security bugs and exploits involving Exim affect a large number of Linux users, but are not a reflection of the inherent security of the Linux OS.

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark).

  • Open Source Security Podcast: Episode 161 - Human nature and ad powered open source

    Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source?

  • Skidmap malware drops LKMs on Linux machines to enable cryptojacking, backdoor access

    Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.

    Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post today.

    “Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits – given their capability to overwrite or modify parts of the kernel – makes it harder to clean compared to other malware,” the blog post states. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”

  • Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload

    Cryptocurrency-mining malware is still a prevalent threat, as illustrated by our detections of this threat in the first half of 2019. Cybercriminals, too, increasingly explored new platforms and ways to further cash in on their malware — from mobile devices and Unix and Unix-like systems to servers and cloud environments.

    They also constantly hone their malware’s resilience against detection. Some, for instance, bundle their malware with a watchdog component that ensures that the illicit cryptocurrency mining activities persist in the infected machine, while others, affecting Linux-based systems, utilize an LD_PRELOAD-based userland rootkit to make their components undetectable by system monitoring tools.

New WireGuard Snapshot Offers Better Compatibility With Distributions/Kernels

Filed under
GNU
Linux
Software
Security

WireGuard sadly isn't slated for the now-open Linux 5.4 merge window, but lead developer Jason Donenfeld has put out a new development snapshot of this open-source secure VPN tunnel.

Coming barely two weeks since the previous WireGuard snapshot, this newest development release isn't too heavy on the changes but the focus is on better portability/compatibility.

Read more

New Distro Releases: EasyOS Buster 2.1.3, EasyOS Pyro 1.2.3 and IPFire 2.23 - Core Update 136

Filed under
GNU
Linux
Security
Debian
  • EasyOS Buster version 2.1.3 released

    EasyOS version 2.1.3, latest in the "Buster" series, has been released. This is another incremental upgrade, however, as the last release announced on Distrowatch is version 2.1, the bug fixes, improvements and upgrades have been considerable since then. So much, that I might request the guys at Distrowatch to announce version 2.1.3.

  • EasyOS Pyro version 1.2.3 released

    Another incremental release of the Pyro series. Although this series is considered to be in maintenance mode, it does have all of the improvements as in the latest Buster release.

  • IPFire 2.23 - Core Update 136 is available for testing

    the summer has been a quiet time for us with a little relaxation, but also some shifted focus on our infrastructure and other things. But now we are back with a large update which is packed with important new features and fixes.

European Commission improving the security of widely used open source software

Filed under
OSS
Security

Amongst the many benefits of free and open source software, include the economic advantages of code reuse and the sharing of programming costs. For public institutions however, there are more fundamental reasons for embracing the open source model: [...]

Read more

Security: Vista 10 Woes, Linux FUD and More

Filed under
Security
  • Caution: KB4515384 is breaking audio on Windows 10

    If you’ve already installed KB4515384, and you want to try and fix the audio problem before you attempt the uninstall it, there is really only solution that you can try. Open the Control Panel sound settings.

    On the Playback tab, double-click your speakers to open their Properties. The properties window should have an ‘Enhancements’ tab though, it may be missing as in the case of the screenshot below. If the tab is there, go to it and enable all enhancements, and click Apply. Next, disable them all, and click Apply again.

  • Lilocked ransomware (Lilu) affects thousands of Linux-based servers [Ed: This is not about "Linux"; they're repeating ZDNet (tabloid) talking points from their anti-Linux trolls, whom CBS hired to attack Linux (the real issue here is malware being installed)]

    A ransomware strain named Lilocked or Lilu has been affecting thousands of Linux-based servers all over the world since mid-July and the attacks got intensified by the end of August, ZDNet reports.

  • From PowerShell to auditing: Expand your cybersecurity know-how at SANS London 2019 [Ed: PowerShell is used a lot by CRACKERS. Why does The Register associate NSA back-doored stuff with security? (clue/hint: money)]
  • DigitalOcean Continues Working On Linux Core Scheduling To Make HT/SMT Safer

    With Hyper Threading continuing to look increasingly unsafe in data centers / shared computing environments in light of all the speculative execution vulnerabilities exposed thus far particularly with L1TF and MDS having no SMT-secure mitigation, DigitalOcean continues working on their Linux kernel "core scheduling" patches so they can still make use of HT/SMT in a sane and safe manner.

    DigitalOcean's core scheduling work is their way to make Hyper Threading safe by ensuring that only trusted applications run concurrently on siblings of a core. Their scheduler also tries to be smart about not using SMT/HT in areas where it could degrade performance.

Security: FOSS Updates, Windows Spying as 'Security', Linux Package Management

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat).

  • Microsoft Issues New Windows 10 Update Warning

    Meanwhile, the Windows Latest reports the Start menu stops working for some users who have upgraded to KB4515384 with Windows 10 delivering the following errors: “We’ll try to fix it the next time you sign in” and “Critical Error - Your Start menu isn’t working”

  • Heads up: Microsoft is back to snooping with this month’s Win7 and 8.1 'security-only' patches

    Two months ago, the July Win7 security-only patch was found to install telemetry software, triggered by newly installed scheduled tasks called ProgramDataUpdater, Microsoft Compatibility Appraiser, and AitAgent. As best I can tell, Microsoft never admitted that its security-only patch dropped a telemetry component.

    The August security-only update didn’t include that bit of snooping, so it looked like the July snooping was a one-off aberration.

    Now we’re learning that the September security-only patches for both Win 7 and Win 8.1 have this, shall we say, feature.

    [...]

    What information is Microsoft collecting? I don’t know. Telemetry is frequently downplayed as being largely uninteresting blobs of unattributed data. If that’s the case, why is Microsoft collecting it now, after all these years? It hasn’t even acknowledged (as best I can tell) that it's collecting it via security-only patches.

  • Security Issues with PGP Signatures and Linux Package Management

    In discussions around the PGP ecosystem one thing I often hear is that while PGP has its problems, it's an important tool for package signatures in Linux distributions. I therefore want to highlight a few issues I came across in this context that are rooted in problems in the larger PGP ecosystem.

    Let's look at an example of the use of PGP signatures for deb packages, the Ubuntu Linux installation instructions for HHVM. HHVM is an implementation of the HACK programming language and developed by Facebook. I'm just using HHVM as an example here, as it nicely illustrates two attacks I want to talk about, but you'll find plenty of similar installation instructions for other software packages. I have reported these issues to Facebook, but they decided not to change anything.

Security Leftovers

Filed under
Security
  • The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once

    On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records.

    But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator.

  • If you're not using SSH certificates you're doing SSH wrong

    None of these issues are actually inherent to SSH. They're actually problems with SSH public key authentication. The solution is to switch to certificate authentication.

    SSH certificate authentication makes SSH easier to use, easier to operate, and more secure.

  • Your phone can be [cracked] - and there's nothing you can do about it

    Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seems to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards. One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT device) may not even ask for this.

Syndicate content

More in Tux Machines

OSS: Events, WordPress and Licensing

  • Director Digital Business Solutions to kick off ApacheCon Europe in Berlin

    The European Commission, a long-time user of open source software, is strengthening its relationship with the Apache Foundation. At the Hackathon in May, the Commission brought together more than 30 developers involved in six different Apache projects. Attendees came from Croatia, Ireland, Poland and Romania, and even from Russia and the United States. At the meeting, many developers met in person for the first time. The hackathon helped the project members build connections and strengthen bonds.

  • FOSSCOMM 2019 aftermath

    FOSSCOMM (Free and Open Source Software Communities Meeting) is a Greek conference aiming at free-software and open-source enthusiasts, developers, and communities. This year was held at Lamia from October 11 to October 13. It is a tradition for me to attend to this conference. Usually I have presentations and of course booths to inform the attendees about the projects I represent. This year the structure of the conference was kind of different. Usually the conference starts on Friday with "beer event". Now it started with registration and a presentation. Personally I made my plan to leave from Thessaloniki by bus. It took me about 4 hours on the road. So when I arrived, I went to my hotel and then waited for Pantelis to go to the University and setup our booths.

  • Automattic Announces Mark Davies as Chief Financial Officer

    Automattic Inc., the parent company of WordPress.com, WooCommerce, and Tumblr, among other products, has announced that Mark Davies has joined the company as Chief Financial Officer. Davies comes to Automattic from Vivint, a $1B+ annual revenue smart home technology company, where he served as chief financial officer since 2013. The news follows Automattic's recent $300 million Series D investment round from Salesforce Ventures, and its acquisition in September of the social blogging platform Tumblr.

  • Empowering Generations of Digital Natives

    Technology is changing faster each year. Digital literacy can vary between ages but there are lots of ways different generations can work together and empower each as digital citizens. No matter whether you’re a parent or caregiver, teacher or mentor, it’s hard to know the best way to teach younger generations the skills needed to be an excellent digital citizen. If you’re not confident about your own tech skills, you may wonder how you can help younger generations become savvy digital citizens. But using technology responsibly is about more than just technical skills. By collaborating across generations, you can also strengthen all your family members’ skills, and offer a shared understanding of what the internet can provide and how to use it to help your neighborhoods and wider society.

  • How to Verify Smart Contracts on Etherscan

    You have your smart contract written, tested, and deployed. However, customers aren’t willing to do business with you unless they know the contract’s source code. After all, it could be set up in a way that’s not in their interest. Thankfully, Etherscan offers a neat tool that allows you to verify smart contracts so interested parties can see the source code and verify for themselves that everything is as it should be. While the process is simple, there are intricacies that might cause problems, especially to people not very familiar with Ethereum and the Solidity programming language.

  • Ethical Open Source: Is the world ready?

    Given its incredible popularity in the marketplace, there is no question that many software developers (and their respective companies) today see great value in using software that is subject to open source licenses. Users focus on the advantages to be had by gaining access, usually at no or minimal charge, to the software’s source code and to the thriving open source community supporting such projects. Powered by a worldwide community supporting the code base, open source code is generally perceived to be more reliable, robust and flexible than so-called proprietary software, with increased transparency leading to better code stability, faster bug fixes, and more frequent updates and enhancements. Historically the question of ethics and open source software (OSS) has mainly focussed on the goal of obtaining and guaranteeing certain “software freedoms,” namely the freedom to use, study, share and modify the software (as exemplified by the Free Software Definition and copyleft licenses such as the GPL family), and to ensure that derivative works were distributed under the same license terms to end “predatory vendor lock-in.”

Programming: SystemView, JDK, VimL and Bazel

  • New SystemView Verification Tool from SEGGER is Compatible with Windows, Linux, and macOS
  • 5 steps for an easy JDK 13 install on Ubuntu
  • Basic Data Types in Python 3: Strings
  • Excellent Free Books to Learn VimL

    VimL is a powerful scripting language of the Vim editor. You can use this dynamic, imperative language to design new tools, automate tasks, and redefine existing features of Vim. At an entry level, writing VimL consists of editing the vimrc file. Users can mould Vim to their personal preferences. But the language offers so much more; writing complete plugins that transform the editor. Learning VimL also helps improve your efficiency in every day editing. VimL supports many common language features: variables, control structures, built-in functions, user-defined functions, expressions first-class strings, high-level data structures (lists and dictionaries), terminal and file I/O, regex pattern matching, exceptions, as well as an integrated debugger. Vim’s runtime features are written in VimL.

  • Google Releases Bazel 1.0 Build System With Faster Build Performance

    Bazel is Google's preferred build system used by many of their own software projects. Bazel is focused on providing automated testing and release processes while supporting "language and platform diversity" and other features catered towards their workflow. Bazel 1.0 comes at a time when many open-source projects have recently been switching to Meson+Ninja as the popular build system these days for its fast build times and great multi-platform build support. Bazel also still has to compete with the likes of CMake and many others.

  • Bazel Reaches 1.0 Milestone!

    Bazel was born of Google's own needs for highly scalable builds. When we open sourced Bazel back in 2015, we hoped that Bazel could fulfill similar needs in the software development industry. A growing list of Bazel users attests to the widespread demand for scalable, reproducible, and multi-lingual builds. Bazel helps Google be more open too: several large Google open source projects, such as Angular and TensorFlow, use Bazel. Users have reported 3x test time reductions and 10x faster build speeds after switching to Bazel.

Kubuntu 19.10 Arrives with KDE Plasma 5.16, Embedded Nvidia Drivers, and More

Featuring the KDE Plasma 5.16.5 desktop environment and KDE Applications 19.04.3 software suite, the Kubuntu 19.10 release is here with up-to-date core components and applications, including Qt 5.12.4 LTS, Latte Dock 0.9.3, Elisa 0.4.2, Krita 4.2.7, Kdevelop 5.4.2, Ktorrent 5.1.2, as well as Kdenlive and Yakuake 19.08.1. "Plasma 5, the new generation of KDE's desktop has been developed to make it smoother to use while retaining the familiar setup," reads the release notes. "Plasma 5.16 has been developed to make it smoother to use while retaining the familiar setup. Kubuntu ships the 4th scheduled bugfix release of 5.16 (5.16.5)." Read more Also: Ubuntu MATE 19.10 Released with Latest MATE Desktop, New Apps, Many Improvements

Android Leftovers