Category Archives: Linux

Serious Linux kernel vulnerability patched

As amusing as it may sound, the recently-patched ‘Dirty Cow’ Linux kernel vulnerability (CVE-2016-5195) highlights a couple of important points:

  • vulnerabilities – even known ones – can remain unpatched in critical software for years; and
  • a misconfigured server that allows uploaded files to be executed is easily hacked.

At first glance, the Dirty Cow vulnerability may not seem particularly noteworthy. It doesn’t directly allow for arbitrary code execution. But it does allow an attacker who already has the ability to run arbitrary code on a target system to gain full access to that system via privilege escalation.

A Linux server that allows user uploads of any kind is normally configured so that uploaded files cannot be executed. However, it’s very easy to get this wrong, especially for web servers. Still, in most cases, being able to run an uploaded file remotely isn’t enough to provide the kind of access attackers want. Dirty Cow provides that access.

Anyone running a Linux server is strongly advised to install the available kernel updates for Dirty Cow immediately.

Confirmed: record-breaking DDoS attacks using IoT devices

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.

Microsoft: “Upgrade to Windows 10 or we’ll make Windows 7 and 8.1 just as bad.”

Microsoft just announced the next move in their fight to push their advertising platform into our faces, and it’s very bad.

Let’s review, shall we? Microsoft really wants you to use Windows 10. Their official explanation for this includes vague language about reliability, security, productivity, and a consistent interface across platforms. Their claims may be true, but they hide the real reason, which is that Microsoft saw how much money Google makes from advertising, realized that they had a captive audience in Windows users, and added advertising infrastructure to Windows 10 to capitalize on that. The privacy-annihiliating features are easily explained: the more Microsoft knows about its users, the higher the value of the advertising platform, since ads can be better targeted.

A short history of Microsoft’s sneakiest Windows 10 moves

Move #1: Offer free Windows 10 upgrades for Windows 7 and 8.1 users. Who doesn’t like free stuff? Many people jumped at this opportunity, assuming that newer is better.

Move #2: Dismayed by the poor reception of Windows 10, and upset by all the recommendations to avoid it, Microsoft creates updates for Windows 7 and 8.1 that continually pester users into upgrading, in some cases actually upgrading against their wishes or by tricking them. Angry users fight back by identifying and avoiding the problematic updates.

Move #3: Still not happy with people hanging on to Windows 7 and 8.1, Microsoft creates updates that add Windows 10 features to Windows 7 and 8.1, including instrumentation related to advertising. Again, users fight back by identifying and avoiding these updates.

Move #4: Microsoft announces that business and education customers can avoid all of the privacy-compromising and advertising-related features of Windows 10 through the use of Group Policy. This is good news for bus/edu customers, but then again, those customers pay a high premium for Enterprise versions of Windows already. At least now Windows 10 is a viable option for those customers.

Move #5: Microsoft realizes that the Group Policy tweaks provided for bus/edu customers can also be applied to Pro versions of Windows, Microsoft disables those settings in the Pro version. Windows 10 Home users never had access to those settings. Angry users are running out of options.

Move #6: Which brings us to today. Since the only way to avoid privacy and advertising issues (borrowed from Windows 10) in Windows 7/8.1 will be to stop using Windows Update entirely, angry users are now looking at alternative operating systems.

We know business and education customers won’t be affected by this latest change. The rest of us will have to suffer – or switch.

Assuming Microsoft doesn’t back way from this decision, I imagine my future computing setup to consist primarily of my existing Linux server, and one or two Linux machines for everyday use, development, blogging, media, etc. I’ll keep a single Windows XP machine for running older games and nothing else. In this scenario, I won’t run newer games if they don’t have a console version. Aside: if I’m not the only person doing this, we might see a distinct decline in PC gaming.

Dear Microsoft: I only kind of disliked you before. Now…

Computerworld has more. Thanks for the tip, Pat.

Joomla 3.6.1 update problems

The latest version of Joomla is causing problems for web servers running older versions of PHP. Affected Joomla sites are still accessible, but users and administrators are unable to log in.

An announcement on the Joomla web site, and another in the Joomla documentation, provide details and workarounds for problems caused by the update, but web servers running PHP 5.3 won’t find them particularly helpful. If you administer a web server running PHP 5.3, the solution is to either wait for Joomla 3.6.2, or make some changes to a single Joomla file, as outlined in this fix on Github.

In case you’re wondering why any diligent web server administrator would still be running a version of PHP that is known to be insecure, what’s actually going on in most cases is that the admin is running a custom build of PHP that has had all relevant security fixes applied. For example, these custom builds of PHP are provided for Ubuntu LTS (Long Term Support) releases to allow for maximum security and stability.

Update 2016Aug05: That was fast. Joomla 3.6.2 is now available, and it fixes the PHP 5.3 compatibility issue.

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.

Security and privacy roundup for January 2016

Your devices are talking about you

You already know that your web browser is tracking your activity. You are probably also aware of ‘The Internet of Things‘ – the increasing prevalence of devices that are connected to the Internet – and you recognize that any such device can also track your activities. Bruce Schneier reveals the next step in this evolution: enabling devices to share information about you. Of course, since the goal of all this surveillance is merely better-targeted advertising, most people are unlikely to care. Still, if privacy and control are important to you, this will not be welcome news.

Brian Krebs reminded us that ransomware can affect files in your cloud storage space as well as on your physical computer and network-connected devices.

A summary of software vulnerabilities over at VentureBeat shows Mac OS X topping the list for 2015. Microsoft’s security efforts seem to be paying off, as the highest-ranked version of Windows on the 2015 list is Windows 8.1 at number 10, and fewer than half the vulnerabilities as OS X.

Serious vulnerabilities were discovered in OpenSSH (a very commonly-used secure terminal client), OpenSSL (the ubiquitous security library), and Trend Micro antivirus software.

Vulnerabilities in the Linux kernel (affecting Android phones and Linux PCs) remain unpatched on many affected devices.

Google produced more patches for vulnerabilities affecting Android devices, but as always, the patches are finding their way to devices very slowly.

The very weak hashing functions MD5 and SHA1 are still being used in HTTPS encryption in some contexts.

It’s official: your smart TV can become infected with malware.

Network devices made by Juniper and Fortinet were found to contain serious vulnerabilities, including an NSA-developed back-door function and a hard-coded back-door password (more).

The free-to-use deep search tool Shodan made the news when researchers showed that it can be used to find household cameras, including baby-cams. Note that the problem here is not Shodan, which is just a useful search tool. The problem is the failure to properly secure Internet-connected devices.

There were more serious corporate security breaches in January, at Time Warner and Linode. As usual in these cases, the login credentials of subscribers were obtained by the attackers.

Amazon’s security practices were (unwillingly) tested by a customer, and found seriously deficient.

More malicious apps were found in the Google Play store. Google removed those apps, but not until they were downloaded millions of times by unsuspecting Android device users.

LG fixed a critical security hole affecting as many as ten million of its mobile devices.

December security and privacy roundup

Security and privacy stories making the rounds in December…

Aethra modem botnet

In February I wrote about hack attempts on several of my WordPress sites. Most of those attacks originated in Italy, from Aethra modems provided by Italian service provider Albacom. At the time, I tried to contact Albacom and its new owner, BT Italy, with no success. Apparently I wasn’t the only person who noticed. The people who make Wordfence, an extremely useful security plugin for WordPress, recently reported on the efforts of a Voidsec security researcher to track down and report the problem.

Nemesis malware worse than ever

A particularly nasty piece of malware called Nemesis now has the ability to insert part of itself in the boot process of a PC, making it even more difficult to detect and remove. Luckily for regular folks, Nemesis mostly seems to be targeting financial institutions. On second thought, there’s nothing lucky about that.

Linux computers increasingly targeted – and vulnerable

It’s becoming clear that Linux computers can be just as vulnerable as computers running Windows: a single, unpatched application vulnerability can be all that’s required for attackers to gain complete control. Hacking groups are acting quickly when new vulnerabilities are revealed, and have been adding exposed Linux servers to their botnets at an alarming rate.

Mysterious attack on root DNS servers

In early December, most of the Internet’s core name servers were briefly flooded with requests from all over the net; the requests were all related to two specific (and undisclosed) domain names. It’s still not clear who perpetrated the attack, and no real damage was done, since the servers involved absorbed the traffic relatively easily.

Help for securing routers

The US-CERT security organization posted a useful guide for securing home routers. The guide necessarily gets into technical details, but anyone who is interested in keeping their home network secure – and has access to their router’s configuration – should give it a look.

Oracle spanked by the US FTC for its deceptive practices

Oracle has done a terrible job of informing Java users of the dangers of leaving old versions of Java installed. Worse, Java installation software is traditionally not very good at detecting and removing older Java installs. The FTC finally noticed, calling Oracle’s practices a “deceptive act or process” in violation of the Federal Trade Commission Act. In response, Oracle has posted a Java uninstall tool on its web site. To be fair, the newer Java runtime installers now also look for older versions and offer to uninstall them, so they are making progress.

A rational response to claims that encryption is somehow bad

You’ve no doubt noticed elected officials in various countries claiming that smartphone encryption is making police work more difficult. They often use the catchphrase ‘going dark’ and invoke ‘terrorism’ to scare people into believing their BS. There’s a post over on Techdirt that exposes the lunacy of these ‘going dark’ claims.

Panopticlick – is your browser keeping your activity private?

The Electronic Freedom Foundation (EFF) created a web-based tool that analyzes your web browser and lets you know how well it protects you against online tracking technologies. It’s a handy way to make sure that the browser you’re using is keeping your activity as private as you think it is. Keep in mind that a lot of web sites (including this one) use tracking technologies for legitimate reasons, such as counting the number of visits.

Security practices of some service providers still terrible

Brian Krebs recently reported that his PayPal account was hacked. During his subsequent investigation, he discovered that PayPal handed his credentials to someone impersonating him on the phone. PayPal’s responses to Krebs’ criticisms don’t exactly inspire confidence. Krebs says “the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”

Security & privacy roundup for September 2015

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to decrypt, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.

Security roundup – May 2015

Recent security breaches at mSpy and AdultFriendFinder are a gift for Internet extortionists. mSpy hasn’t helped matters by first denying the problem, and then trying to downplay its impact.

A serious vulnerability called Logjam has been discovered in the Diffie-Hellman Key Exchange software, which is used to secure communications on many web and email servers. Meanwhile, despite its many flaws, it’s still a good thing that the web is moving towards HTTPS encryption everywhere.

In the world of network-attached hardware, malware called Linux/Moose is exploiting vulnerabilities in routers and spreading across the Internet. A security flaw in NetUSB is making many consumer routers vulnerable.

A serious vulnerability in many virtual hardware platforms, including Oracle’s popular VirtualBox, is making life difficult for many service providers.

Those of you who monitor traffic arriving at your home or work network are no doubt aware that your network is being constantly scanned for vulnerabilities. Brian Krebs rightly points out that much of this scanning activity is not malicious.

And finally, before you exchange that Android device, you should know that even if you’ve performed a full reset, your personal data is not being completely erased.

Shellshock: a very bad vulnerability in a very common *nix tool

Linux and other flavours of the Unix operating system (aka *nix) run about half of the world’s web servers. Increasingly, *nix also runs on Internet-enabled hardware, including routers and modems. A huge proportion of these systems also have BASH configured as the default command interpreter (aka shell).

A serious vulnerability in BASH was recently discovered. The full extent of the danger related to this vulnerability has yet to be determined, because the bug opens up a world of possible exploits. As an example, the bug can be demonstrated by issuing a specially-crafted request to a vulnerable web server that results in that server pinging another computer.

Patches that address the vulnerability (at least partially) became available almost immediately for most Linux flavours. Apple’s OS X has yet to see a patch, but presumably that will change soon, although Apple has been oddly slow to respond to issues like this in the past.

Most average users don’t need to worry about this bug, but if you run a web server, or any server that’s accessible from the Internet, you should make sure your version of BASH is updated.

As new information emerges, I’ll post updates here.

References:

Update 2014Sep27: The first patch for BASH didn’t fix the problem completely, but another patch that does is now available for *nix systems. Still nothing from Apple for OS X. Scans show that there are thousands of vulnerable web servers on the Internet. Existing malware is being modified to take advantage of this new vulnerability. Attacks using the BASH vulnerability are already being observed. Posts from Ars Technica, Krebs on Security and SANS have additional details.

Update #2: It looks like there are more holes to be patched in BASH.

Update 2014Oct01: Apple releases a bash fix for OS X, more vulnerabilities are discovered, and either attacks based on bash vulnerabilities are increasing or attacks are subsiding, depending on who you ask.

Update 2014Oct08: Windows isn’t affected, unless you’re using Cygwin with bash. Oddly, Apple’s OS X bash patch is not available via the App Store; you have to obtain it from the main Apple downloads site. A security researcher claims to have found evidence of a new botnet that uses the Shellshock exploit.

Update 2014Oct23: Ars Technica: Fallout of Shellshock far from over