
Security

Security: Criminal Charges, Updates, 'IoT', Cybersecurity Practices and Intel Management Engine (Back Door)

Filed under
Security
  • Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges

    Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about "hacking."

  • Security updates for Thursday

    Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, wpasupplicant).

  • Irdeto Warns Healthcare IoT Is Under Heavy Attack

    The world of IoT is no stranger to attacks, with security being a top priority for keeping interconnected devices safe. One area where security is most crucial is healthcare, where successful attacks can result in loss of life. It wasn’t too long ago that ransomware was making the rounds, shutting down entire hospital networks and putting patients at risk. Irdeto has issued a press release that puts forward the case for better security for healthcare IoT, citing statistics that give some insight into how healthcare comes under attack from malicious actors.

  • Why it's time to embrace top-down cybersecurity practices

    Cybersecurity is no longer just the domain of the IT staff putting in firewalls and backing up servers. It takes a commitment from the top and a budget to match. The stakes are high when it comes to keeping your customers' information safe.

    The average cost of a data breach in 2018 was $148 for each compromised record. That equals an average cost of $3.86 million per breach. Because it takes organizations more than six months—196 days on average—to detect breaches, a lot of remediation must happen after discovery.

    With compliance regulations in most industries tightening and stricter security rules, such as the General Data Protection Regulation (GDPR) becoming law, breaches can lead to large fines as well as loss of reputation.

  • SIM Application Toolkit: Avoid Being Exploited

    Technologies are often created with good intent, to make our life easier, to solve problems in a convenient way. The Management Engine in Intel’s CPUs, for instance, was intended to make the life of admins easier. It allowed for remote access on a very low level, so they could even do complete remote reinstalls of a machine. And if you have to manage a large fleet of machines, distributed within a larger enterprise, this can save huge amounts of effort, time–and thus money.

    [...]

    Its name already points to the origin: the SIM card. It is the tiny chip card you insert into your phone, to get access to the cellular network of an operator. The SIM card used to be a fairly simple device, which you can imagine as the key to unlock the access to the network: i.e., it stores a secret (a cryptographic key) along with an ID (the IMSI) and some details about the issuing operator, etc. This data set grants you access to the operator’s network.

    But phones [also called handset, or ‘terminal equipment’ (TE), in mobile terms] have become more and more powerful. And setting up these cards has become more and more complicated; you need an SMS center number, details for the MMS server, mailbox dial-in number… and a lot more. All this needs to be properly set up in the mobile, to make full use of both the mobile and the network. To make this even more complicated, these details (and the way to set them up) are different from operator to operator. The process for this initial setup is (also) called provisioning. It was to make this (and other things) as convenient and least painful as possible for users that SAT was invented.

    The name SAT tells us not only that it is SIM-related, but also that it contains the term application: SIM cards can, and today they usually do, indeed contain small applications or applets. They are small computers on their own, they run code, and they can indeed be programmed. Most are based on the JavaCard standard and can be programmed with small Java applets. The SAT defines a standard way to interface the SAT applets with the modem and the phone.
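    The part of the toolkit that matters for "avoid being exploited" is the set of proactive commands an applet can hand to the handset. The following Python is an added example, not code from the article or from any SIM or handset vendor: it decodes the BER-TLV/COMPREHENSION-TLV proactive command layout of ETSI TS 102 223 (the tag and command-type values are a small subset taken from that specification) and flags commands that reach the network or disclose device data while carrying no alpha identifier, i.e. nothing for the handset to display. Every byte string is constructed for the example, and the SMS TPDU bytes are a dummy payload, not a valid message.

```python
"""Decode SIM Toolkit proactive commands and flag the ones a handset may carry
out with nothing shown to the user. Layout per ETSI TS 102 223 (BER-TLV wrapper,
COMPREHENSION-TLV elements); all sample bytes below are constructed."""

PROACTIVE_TAG = 0xD0

# Subset of the "type of command" values (ETSI TS 102 223, clause 9.4).
COMMAND_TYPES = {
    0x10: "SET UP CALL",
    0x13: "SEND SHORT MESSAGE",
    0x15: "LAUNCH BROWSER",
    0x21: "DISPLAY TEXT",
    0x26: "PROVIDE LOCAL INFORMATION",
    0x40: "OPEN CHANNEL",
}
# Commands that reach the network or disclose device data; a terminal may run
# them without user interaction, so they are the interesting ones in a SIM audit.
SILENT_RISK = {0x10, 0x13, 0x15, 0x26, 0x40}

# COMPREHENSION-TLV tags with bit 8 (the "comprehension required" flag) masked off.
TAG_COMMAND_DETAILS = 0x01
TAG_DEVICE_IDENTITIES = 0x02
TAG_ALPHA_IDENTIFIER = 0x05
DEVICES = {0x81: "UICC", 0x82: "terminal", 0x83: "network"}


def _read_length(buf, pos):
    """BER length: one byte below 0x80, otherwise 0x81 followed by one byte."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81:
        return buf[pos + 1], pos + 2
    raise ValueError("unsupported length encoding 0x%02x" % first)


def parse_tlvs(buf):
    """Yield (tag, value) for each COMPREHENSION-TLV in buf, checking bounds."""
    pos = 0
    while pos < len(buf):
        raw_tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV with tag 0x%02x" % raw_tag)
        yield raw_tag & 0x7F, value
        pos += length


def parse_proactive_command(data):
    """Decode one proactive command into the fields needed for a policy decision."""
    if not data or data[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive command")
    length, start = _read_length(data, 1)
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated proactive command")
    cmd = {"type": None, "type_name": None, "qualifier": None,
           "source": None, "destination": None, "alpha": None}
    for tag, value in parse_tlvs(body):
        if tag == TAG_COMMAND_DETAILS and len(value) == 3:
            # command number, type of command, command qualifier
            cmd["type"], cmd["qualifier"] = value[1], value[2]
            cmd["type_name"] = COMMAND_TYPES.get(value[1], "UNKNOWN(0x%02x)" % value[1])
        elif tag == TAG_DEVICE_IDENTITIES and len(value) == 2:
            cmd["source"] = DEVICES.get(value[0], "0x%02x" % value[0])
            cmd["destination"] = DEVICES.get(value[1], "0x%02x" % value[1])
        elif tag == TAG_ALPHA_IDENTIFIER:
            # Text the handset would show; absent or empty means nothing on screen.
            cmd["alpha"] = value.decode("latin-1")
    if cmd["type"] is None:
        raise ValueError("command details missing")
    return cmd


def is_silent_risk(cmd):
    """True when the command reaches the network/discloses data and shows no text."""
    return cmd["type"] in SILENT_RISK and not cmd["alpha"]


def audit(commands):
    """Names of the commands in the list an audit should look at first."""
    return [c["type_name"] for c in map(parse_proactive_command, commands) if is_silent_risk(c)]


# Constructed samples (bytes.fromhex ignores the whitespace used for readability).
SILENT_SEND_SMS = bytes.fromhex(
    "D0 0F"              # proactive command, 15 bytes of body
    "81 03 01 13 00"     # command details: number 1, SEND SHORT MESSAGE, qualifier 0
    "82 02 81 83"        # device identities: UICC -> network
    "8B 04 01 00 0C 91"  # SMS TPDU: dummy payload for the example
)
LOCATION_QUERY = bytes.fromhex(
    "D0 09" "81 03 01 26 00" "82 02 81 82"  # PROVIDE LOCAL INFORMATION (qualifier 0 = location)
)
DISPLAY_TEXT = bytes.fromhex(
    "D0 10" "81 03 01 21 80" "82 02 81 82"  # DISPLAY TEXT, qualifier 0x80 = wait for user
    "8D 05 04 48 65 6C 6C"                  # text string: coding scheme 0x04 (8-bit), "Hell"
)
SEND_SMS_WITH_ALPHA = bytes.fromhex(
    "D0 15" "81 03 01 13 00" "82 02 81 83"
    "85 04 42 61 6E 6B"                     # alpha identifier "Bank": the user sees something
    "8B 04 01 00 0C 91"
)
```

Running `audit([SILENT_SEND_SMS, LOCATION_QUERY, DISPLAY_TEXT, SEND_SMS_WITH_ALPHA])` returns the two commands that would act on the network or leak location without anything on screen. In a real audit the input would be proactive commands captured from the UICC-to-terminal interface; the policy in `is_silent_risk` is deliberately simple, and a handset's actual behaviour for a missing alpha identifier is implementation-dependent.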

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa).

  • SGX and security modules

    Software Guard Extensions (SGX) is a set of security-related instructions for Intel processors; it allows the creation of private regions of memory, called "enclaves". The aim of this feature is to work like an inverted sandbox: instead of protecting the system from malicious code, it protects an application from a compromised kernel, hypervisor, or other application. Linux support for SGX has existed out-of-tree for years, and the effort of upstreaming it has reached an impressive version 22 of the patch set. During the upstreaming discussion, the kernel developers discovered that the proposed SGX API did not play nicely with existing security mechanisms, including Linux security modules (LSMs).

  • GitHub acquires Semmle to help developers spot security vulnerabilities [Ed: Company in NSA PRISM pretends to care about security (and also, Microsoft now uses GitHub to change people's code without asking the developers)]

    Software hosting service GitHub has acquired Semmle, a code analysis platform that helps developers discover security vulnerabilities in large codebases.

How to break out of a hypervisor: Abuse Qemu-KVM on-Linux pre-5.3 – or VMware with an AMD driver

Filed under
Linux
Security

A pair of newly disclosed security flaws could allow malicious virtual machine guests to break out of their hypervisor's walled gardens and execute malicious code on the host box.

Neither CVE-2019-14835 nor CVE-2019-5049 is particularly easy to exploit, as each requires specific hardware or events to occur. However, if successful, either could allow a miscreant to run malware on the host from a VM instance.

CVE-2019-14835 was discovered and reported by Peter Pi, a member of the Tencent Blade Team. It is found in the Linux kernel versions 2.6.34 up to version 5.3, where it is patched.

Read more

Canonical Outs New Linux Kernel Security Update for All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical released today a new Linux kernel security update for all supported Ubuntu releases to address three vulnerabilities across all supported architectures.

The new Linux kernel security update addresses three vulnerabilities affecting the Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 ESM (Trusty Tahr), and Ubuntu 12.04 ESM (Precise Pangolin) operating systems.

The first security issue addressed in this update is a buffer overflow (CVE-2019-14835) discovered by Peter Pi in the Linux kernel's virtio network backend (vhost_net) implementation, which could allow an attacker in the guest system to either execute arbitrary code on the host or crash the host operating system (denial of service).

Read more

Did Lilu Ransomware Really Infect Linux Servers

Filed under
Linux
Server
Security

Note that the domain name of this folder has been hidden from view making it impossible for us to verify if these files were actually on a Linux server. The article goes on to note that “Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally.”

This limitation raises the obvious question of whether the core of the Linux server itself has been compromised or whether merely applications running on top of it have been hacked. There are many very insecure website-building applications such as WordPress, and mail transfer agents such as Exim, that have been repeatedly hacked over the years. Both WordPress and Exim have suffered from dozens of major security problems that have nothing to do with the security of the Linux operating system at the core of every Linux server. All of the file formats mentioned in the article are files used on WordPress websites and files that can be transmitted as email attachments through an MTA such as Exim.

[...]

So instead of 6000 websites on 6000 servers being infected, it looks more like 6000 files on fewer than 1000 websites were infected. And many of these websites could have been on the same server – meaning that perhaps only a couple dozen out of the world's 10 million Linux servers had infected files – and none of the files were actually in the core of any Linux servers.
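The distinction the author is drawing, web content on a few virtual hosts versus the operating system underneath, can be checked from file evidence rather than from headlines. The Python below is an added example, not the author's script: it walks a tree, collects files carrying the ransomware's marker extension, recovers each file's original extension, groups hits per web root and reports anything touched outside the web roots. The marker extension `.lilocked` and the note name `#README.lilocked` are assumptions based on public reporting of this campaign, and the directory tree is constructed inside a temporary directory so the code runs offline.

```python
"""Triage a suspected Lilocked/Lilu infection from file evidence.
Assumed markers: encrypted files get a '.lilocked' suffix and a '#README.lilocked'
note sits beside them. The sample tree built in build_sample_tree() is constructed."""
import os
import tempfile
from collections import Counter, defaultdict

MARKER_EXT = ".lilocked"          # assumed suffix appended to encrypted files
NOTE_NAME = "#README.lilocked"    # assumed ransom-note filename
# Extensions the article says the ransomware limits itself to (web content only).
WEB_EXTS = {".html", ".js", ".css", ".php", ".ini", ".png", ".jpg", ".gif"}


def find_marked_files(root):
    """Paths of files whose name ends with the marker (ransom notes excluded)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(MARKER_EXT) and name != NOTE_NAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_extension(path):
    """'index.php.lilocked' -> '.php'; '' when no original extension survives."""
    stem = os.path.basename(path)[:-len(MARKER_EXT)]
    return os.path.splitext(stem)[1].lower()


def triage_tree(root, webroots):
    """Group hits by web root; hits under none of the web roots are reported separately."""
    per_site = defaultdict(int)
    ext_counts = Counter()
    outside = []
    for path in find_marked_files(root):
        ext_counts[original_extension(path)] += 1
        site = next((w for w in webroots if path.startswith(w + os.sep)), None)
        if site is None:
            outside.append(path)
        else:
            per_site[site] += 1
    return {
        "files": sum(per_site.values()) + len(outside),
        "sites_hit": len(per_site),
        "per_site": dict(per_site),
        "extensions": dict(ext_counts),
        "outside_webroots": outside,
        # Anything here means the malware touched more than web content.
        "non_web_extensions": sorted(e for e in ext_counts if e not in WEB_EXTS),
    }


def build_sample_tree(base):
    """Constructed evidence: three vhosts on one host, two of them hit, OS files untouched."""
    layout = {
        "var/www/alpha/index.php.lilocked": b"",
        "var/www/alpha/style.css.lilocked": b"",
        "var/www/alpha/#README.lilocked": b"pay me",
        "var/www/beta/app.js.lilocked": b"",
        "var/www/beta/logo.png.lilocked": b"",
        "var/www/beta/#README.lilocked": b"pay me",
        "var/www/gamma/index.html": b"<html></html>",          # untouched site
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",    # system file untouched
        "usr/lib/libc.so.6": b"",
    }
    for rel, content in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return [os.path.join(base, "var", "www", s) for s in ("alpha", "beta", "gamma")]


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as base:
        return triage_tree(base, build_sample_tree(base))


if __name__ == "__main__":
    print(run_demo())
```

On a real host, call `triage_tree("/", [list of document roots])` as root; a non-empty `outside_webroots` or `non_web_extensions` is the signal that the compromise went beyond the web application, which is exactly the question the article is asking.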

[...]

Many of these articles were exact copies of the Zdnet article. Thus far, not a single so-called “security expert” has bothered either to look into the evidence provided much less challenge or disagree with this silly claim.

Instead, some make even more extreme claims, noting that there are millions of Linux servers running outdated, unpatched and insecure versions of Exim software. This is a fact. But given how many holes have been found in Exim, the problem is not with the Linux servers; it is with the Exim software. In my humble opinion, the design of Exim is not secure and the design of Postfix is more secure.

The solution to this Exim problem is to demand that cPanel support Postfix and to ask Debian to also switch from Exim to Postfix (something Ubuntu has already done, for very obvious reasons). This is the benefit of the diversity of free open source software. If one program has problems, there is quite often a more secure alternative that can be installed with just the click of a button. This is a problem that has been going on for years. But it can be fixed in a matter of minutes.

Read more

Security: TrendMicro, Mozilla's Firefox Monitor and Capsule8

Filed under
Security
  • New Linux malware mines crypto after installing backdoor with secret master password [Ed: Skips the part about it having to be installed in the first place (not the fault of Linux)]

    Cybersecurity researchers have identified a new strain of Linux malware that not only mines cryptocurrency illicitly, but provides the attackers with universal access to an infected system via a “secret master password.”

    TrendMicro’s latest blog also reveals that Skidmap attempts to mask its cryptocurrency mining by faking network traffic and CPU-related statistics.

  • Linux malware masks illicit crypto mining with fake network traffic

    A new cryptocurrency mining malware targeting Linux systems has demonstrated how complex this type of malware has become. Known as Skidmap, the malware is not only harder to detect, it also gives the attackers unfiltered access to the affected system.

  • What to do after a data breach

    You saw the news alert. You got an email, either from Firefox Monitor or a company where you have an account. There’s been a security incident — a data breach. And your account has been compromised.

    Getting notified that you’ve been a victim of a data breach can be alarming. You have valid cause for concern, but there are a few steps you can take immediately to protect your account and limit the damage.

  • Capsule8 Protect Earns HIPAA Compliance Certification

Security: Updates, Drama and FUD

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).

  • This New Linux Malware Mines Crypto By Creating Malign Linux Modules

    As per the research, the new Linux malware mines crypto while using malicious loadable kernel modules (LKMs) to stay under wraps. Because the malware uses LKM rootkits, which can overwrite or modify parts of the kernel, it is difficult to detect and to clean up.

  • A Critical Exim Vulnerability, Lilocked Ransomware on the Rise, but Linux Not to Blame

    In the context of these recent vulnerabilities and exploits, it is easy to label Linux and Open Source as “vulnerable” or “insecure”. However, doing so is unfair as well as incorrect. Linux, like other Unix-derived systems, is a multi-user environment where users are granted specific privileges. This design limits the damage a compromised user account can do to the rest of the system. In order to gain control over a Linux system, malware would have to gain root access to the system.

    Vulnerabilities exist in every system, and in terms of security vulnerabilities, Linux has a relatively clean record when compared to other popular operating systems. As Eric S. Raymond's “Linus's Law” puts it, “Given enough eyeballs, all bugs are shallow”. Because of the intense review that Linux is continuously undergoing from security experts in the Open Source community, vulnerabilities are quickly identified and fixed. Because of this, as well as the way in which Linux manages privileges, relatively few viruses and worms are written to attack Linux systems. In comparison, proprietary operating systems like Microsoft Windows are easy targets for malicious coders, making them frequent victims of malware and viruses. This year, a total of 700 vulnerabilities in Microsoft Windows were disclosed, 189 of which were classified as critical.

    Exim, however, is a notoriously insecure mail server. In spite of this, it has a market share of over 57 percent, due to the fact that the MTA has been bundled with many Linux distros, including Debian and Red Hat. Thus, the frequent security bugs and exploits involving Exim affect a large number of Linux users, but are not a reflection of the inherent security of the Linux OS.

Security Leftovers

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark).

  • Open Source Security Podcast: Episode 161 - Human nature and ad powered open source

    Josh and Kurt start out discussing human nature and how it affects how we view security. A lot of things that look easy are actually really hard. We also talk about the npm library Standard showing command line ads. Are ads part of the future of open source?

  • Skidmap malware drops LKMs on Linux machines to enable cryptojacking, backdoor access

    Researchers have discovered a sophisticated cryptomining program that uses loadable kernel modules (LKMs) to help infiltrate Linux machines, and hides its malicious activity by displaying fake network traffic stats.

    Dubbed Skidmap, the malware can also grant attackers backdoor access to affected systems by setting up a secret master password that offers access to any user account in the system, according to Trend Micro threat analysts Augusto Remillano II and Jakub Urbanec in a company blog post today.

    “Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits – given their capability to overwrite or modify parts of the kernel – makes it harder to clean compared to other malware,” the blog post states. “In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up.”

  • Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload

    Cryptocurrency-mining malware is still a prevalent threat, as illustrated by our detections of this threat in the first half of 2019. Cybercriminals, too, increasingly explored new platforms and ways to further cash in on their malware — from mobile devices and Unix and Unix-like systems to servers and cloud environments.

    They also constantly hone their malware’s resilience against detection. Some, for instance, bundle their malware with a watchdog component that ensures that the illicit cryptocurrency mining activities persist in the infected machine, while others, affecting Linux-based systems, utilize an LD_PRELOAD-based userland rootkit to make their components undetectable by system monitoring tools.
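    The two hiding techniques named across the Skidmap items above (an LKM rootkit that modifies the kernel and unlinks itself from the module list, and the LD_PRELOAD userland rootkit used by related Linux miners) each leave a seam that can be checked from user space. The Python below is an added example, not Trend Micro's tooling or anything from the malware itself: it compares the module names visible under /sys/module with /proc/modules and the kernel's modules.builtin list, and inspects /etc/ld.so.preload. The inputs are passed in as text so the logic runs offline on the constructed samples at the bottom; `collect_live()` shows how to feed it a real host. The module name `netfilter_hlp`, the preload path and the starter allowlist of non-modular /sys/module entries are assumptions for the example.

```python
"""User-space checks for two Linux rootkit seams: a kernel module hidden from
/proc/modules but still present under /sys/module, and libraries injected via
/etc/ld.so.preload. The sample inputs at the bottom are constructed."""
import os

TRUSTED_PRELOAD_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Non-modular kernel code also gets a /sys/module entry when it exposes parameters
# (e.g. /sys/module/kernel, /sys/module/printk). Starter allowlist; tune per kernel.
CORE_SYS_MODULE_ENTRIES = {"kernel", "module", "printk", "workqueue", "random"}


def parse_proc_modules(text):
    """/proc/modules lines are 'name size refcount deps state address' -> set of names."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_builtin(text):
    """modules.builtin lists 'kernel/.../name.ko' per line -> set of module names."""
    names = set()
    for line in text.splitlines():
        base = os.path.basename(line.strip())
        if base.endswith(".ko"):
            names.add(base[:-3].replace("-", "_"))
    return names


def hidden_modules(proc_modules_text, sys_module_names, builtin_text,
                   allowlist=CORE_SYS_MODULE_ENTRIES):
    """Names with a /sys/module directory that are neither in /proc/modules, nor built
    in, nor on the allowlist. A module that unlinks itself from the kernel's module
    list still leaves its kobject directory under /sys/module."""
    listed = parse_proc_modules(proc_modules_text)
    builtin = parse_builtin(builtin_text)
    candidates = {n.replace("-", "_") for n in sys_module_names}
    return sorted(candidates - listed - builtin - set(allowlist))


def suspicious_preloads(ld_so_preload_text):
    """Every entry in /etc/ld.so.preload is mapped into all dynamically linked
    processes. An empty file is the normal state, so any entry is at least 'review';
    a path outside the system library directories is 'high'."""
    findings = []
    for raw in ld_so_preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        severity = "review" if entry.startswith(TRUSTED_PRELOAD_DIRS) else "high"
        findings.append((entry, severity))
    return findings


def report(proc_modules_text, sys_module_names, builtin_text, ld_so_preload_text):
    """Combine both checks into one dict for logging or alerting."""
    return {
        "hidden_modules": hidden_modules(proc_modules_text, sys_module_names, builtin_text),
        "preloads": suspicious_preloads(ld_so_preload_text),
    }


def collect_live():
    """Read the real inputs from a Linux host (needs /proc and /sys; root not required)."""
    release = os.uname().release
    with open("/proc/modules") as fh:
        proc_text = fh.read()
    with open("/lib/modules/%s/modules.builtin" % release) as fh:
        builtin_text = fh.read()
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    return report(proc_text, os.listdir("/sys/module"), builtin_text, preload_text)


# Constructed samples: one name ('netfilter_hlp', made up for the example) exists under
# /sys/module only, and ld.so.preload injects a library from /usr/local/lib.
SAMPLE_PROC_MODULES = """\
vhost_net 24576 0 - Live 0x0000000000000000
vhost 53248 1 vhost_net, Live 0x0000000000000000
ext4 737280 2 - Live 0x0000000000000000
"""
SAMPLE_SYS_MODULE = ["vhost_net", "vhost", "ext4", "netfilter_hlp", "tcp_cubic", "printk", "kernel"]
SAMPLE_BUILTIN = "kernel/net/ipv4/tcp_cubic.ko\n"
SAMPLE_PRELOAD = "/usr/local/lib/libsystemd-helper.so\n"

if __name__ == "__main__":
    print(report(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, SAMPLE_BUILTIN, SAMPLE_PRELOAD))
```

A rootkit that also removes its /sys/module entry defeats the first check, and a replaced `pam_unix.so` (the "master password" technique) is not covered here at all; for that, compare the installed file against the package manager's recorded hash (`rpm -V pam` or `debsums pam`, run from trusted media), since the article notes the malware can reinfect a machine that was only partially cleaned.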

New WireGuard Snapshot Offers Better Compatibility With Distributions/Kernels

Filed under
GNU
Linux
Software
Security

WireGuard sadly isn't slated for the now-open Linux 5.4 merge window, but lead developer Jason Donenfeld has put out a new development snapshot of this open-source secure VPN tunnel.

Coming barely two weeks since the previous WireGuard snapshot, this newest development release isn't too heavy on the changes but the focus is on better portability/compatibility.

Read more

New Distro Releases: EasyOS Buster 2.1.3, EasyOS Pyro 1.2.3 and IPFire 2.23 - Core Update 136

Filed under
GNU
Linux
Security
Debian
  • EasyOS Buster version 2.1.3 released

    EasyOS version 2.1.3, latest in the "Buster" series, has been released. This is another incremental upgrade, however, as the last release announced on Distrowatch is version 2.1, the bug fixes, improvements and upgrades have been considerable since then. So much, that I might request the guys at Distrowatch to announce version 2.1.3.

  • EasyOS Pyro version 1.2.3 released

    Another incremental release of the Pyro series. Although this series is considered to be in maintenance mode, it does have all of the improvements as in the latest Buster release.

  • IPFire 2.23 - Core Update 136 is available for testing

    The summer has been a quiet time for us with a little relaxation, but also some shifted focus on our infrastructure and other things. But now we are back with a large update which is packed with important new features and fixes.
