Category Archives: Linux

Security roundup – May 2015

Recent security breaches at mSpy and AdultFriendFinder are a gift for Internet extortionists. mSpy hasn’t helped matters by first denying the problem, and then trying to downplay its impact.

A serious vulnerability called Logjam has been discovered in the way many web and email servers use the Diffie-Hellman key exchange to secure communications. Meanwhile, despite its many flaws, it’s still a good thing that the web is moving towards HTTPS encryption everywhere.

In the world of network-attached hardware, malware called Linux/Moose is exploiting vulnerabilities in routers and spreading across the Internet. A security flaw in NetUSB is making many consumer routers vulnerable.

A serious vulnerability in many virtual hardware platforms, including Oracle’s popular VirtualBox, is making life difficult for many service providers.

Those of you who monitor traffic arriving at your home or work network are no doubt aware that your network is being constantly scanned for vulnerabilities. Brian Krebs rightly points out that much of this scanning activity is not malicious.

And finally, before you exchange that Android device, you should know that even if you’ve performed a full reset, your personal data is not being completely erased.

Shellshock: a very bad vulnerability in a very common *nix tool

Linux and other flavours of the Unix operating system (aka *nix) run about half of the world’s web servers. Increasingly, *nix also runs on Internet-enabled hardware, including routers and modems. A huge proportion of these systems also have BASH configured as the default command interpreter (aka shell).

A serious vulnerability in BASH was recently discovered. The full extent of the danger related to this vulnerability has yet to be determined, because the bug opens up a world of possible exploits. As an example, the bug can be demonstrated by issuing a specially-crafted request to a vulnerable web server that results in that server pinging another computer.

Patches that address the vulnerability (at least partially) became available almost immediately for most Linux flavours. Apple’s OS X has yet to see a patch, but presumably that will change soon, although Apple has been oddly slow to respond to issues like this in the past.

Most average users don’t need to worry about this bug, but if you run a web server, or any server that’s accessible from the Internet, you should make sure your version of BASH is updated.
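Added example, not code from the original post: a small Python detector that scans web server access logs (Apache/nginx combined format) for the Bash function-definition marker that a Shellshock request has to smuggle into a request line or header. The log lines are constructed for the example, and the addresses come from a documentation range.

```python
import re

# Combined log format: the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Every Shellshock payload starts with a Bash function definition, "() {",
# so that marker in a field the server exports as an environment variable is the signal.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Return (client ip, field name, field value) for every request line, Referer or
    User-Agent that carries the function-definition marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
    return hits

# Constructed sample log lines (not from any real server); 198.51.100.0/24 is reserved for documentation.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:15:32 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [25/Sep/2014:10:15:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; /bin/ping -c 1 198.51.100.200"',
    '198.51.100.9 - - [25/Sep/2014:10:15:41 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { ignored;}; /bin/true" "curl/7.35.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, field, value in find_shellshock(SAMPLE_LOG):
        print(f"{ip} {field}: {value}")
```

A hit only shows that someone tried; whether the attempt succeeded depends on whether the server passed the header to an unpatched bash, so pair this with checking the installed bash version.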

As new information emerges, I’ll post updates here.


Update 2014Sep27: The first patch for BASH didn’t fix the problem completely, but another patch that does is now available for *nix systems. Still nothing from Apple for OS X. Scans show that there are thousands of vulnerable web servers on the Internet. Existing malware is being modified to take advantage of this new vulnerability. Attacks using the BASH vulnerability are already being observed. Posts from Ars Technica, Krebs on Security and SANS have additional details.

Update #2: It looks like there are more holes to be patched in BASH.

Update 2014Oct01: Apple releases a bash fix for OS X, more vulnerabilities are discovered, and either attacks based on bash vulnerabilities are increasing or attacks are subsiding, depending on who you ask.

Update 2014Oct08: Windows isn’t affected, unless you’re using Cygwin with bash. Oddly, Apple’s OS X bash patch is not available via the App Store; you have to obtain it from the main Apple downloads site. A security researcher claims to have found evidence of a new botnet that uses the Shellshock exploit.

Update 2014Oct23: Ars Technica: Fallout of Shellshock far from over

Heartbleed followup

Fallout from the Heartbleed vulnerability continues.

The list of major web sites affected by this issue (and in most cases advising their users to change their passwords) is expanding rapidly. It includes Instagram, Tumblr, DropBox, and many others.

The list of affected software is also growing.

Ars Technica’s ongoing coverage includes the disturbing news that the Heartbleed vulnerability may have been exploited months before patch and Researchers find thousands of potential targets for Heartbleed OpenSSL bug.

Security researchers at the University of Michigan scanned the Internet looking for vulnerable web sites, and found plenty, which they list in their Heartbleed Bug Health Report.

Numerous tools for detecting Heartbleed vulnerability have appeared on the web, including this one at filippo.io. Use these tools with caution, since some will almost certainly turn out to be scams of some kind.

The XKCD web comic has joined in the fun:

XKCD’s take on the Heartbleed problem.

Extremely critical security bug affects most of the Internet

A bug in the OpenSSL cryptography software running on most of the world’s servers has opened a window into random server data that was never meant to be exposed.

This newly-discovered vulnerability – now known as ‘Heartbleed’ – has apparently existed for at least two years. It’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.

Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was discovered by researchers. Anyone running a Linux server is strongly advised to update the OpenSSL library ASAP.

Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.

This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.

Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.
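Added example, not code from the original post or from OpenSSL: a Python model of the bounds check that the Heartbleed fix introduced. A TLS heartbeat message is a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding; the unpatched code trusted the length field and copied that many bytes into the reply, which is the "window into random server data" described above. The records below are constructed, and the 16384-byte claim is an arbitrary sample value.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16   # the heartbeat extension requires at least 16 bytes of padding
HEADER_LEN = 3     # type (1 byte) + payload_length (2 bytes, big-endian)

def encode_heartbeat(msg_type, payload, claimed_len=None):
    """Encode a heartbeat message. claimed_len lets a test build a record whose
    length field does not match the payload actually sent."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", msg_type, length) + payload + b"\x00" * PADDING_LEN

def validate_heartbeat(record):
    """Return (payload, None) for a well-formed request, else (None, reason).
    The decisive check is the last one: header + declared payload + padding must fit
    inside the record that was actually received. Without it, a reply would copy
    bytes that lie beyond the record in the server's memory."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None, "record too short for header and padding"
    msg_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None, "not a heartbeat request"
    if HEADER_LEN + payload_len + PADDING_LEN > len(record):
        return None, f"declared payload {payload_len} exceeds record of {len(record)} bytes"
    return record[HEADER_LEN:HEADER_LEN + payload_len], None

def heartbeat_response(record):
    """Build the response a patched server would send, or None when the request is dropped."""
    payload, _reason = validate_heartbeat(record)
    if payload is None:
        return None
    return encode_heartbeat(HEARTBEAT_RESPONSE, payload)

# Constructed sample records.
GOOD_REQUEST = encode_heartbeat(HEARTBEAT_REQUEST, b"hello")
# Five bytes of payload, but a length field claiming 16384: the shape of a Heartbleed request.
LYING_REQUEST = encode_heartbeat(HEARTBEAT_REQUEST, b"hello", claimed_len=16384)

if __name__ == "__main__":
    print("good request ->", heartbeat_response(GOOD_REQUEST))
    print("lying request ->", validate_heartbeat(LYING_REQUEST)[1])
```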

Roundup of recent Linux exploits

Linux proponents often say that Linux is safer than Windows, and in some respects, it’s true. Linux is inherently more secure than most versions of Windows. Actual Linux viruses are rare, since it’s very difficult for them to propagate. It’s also much more difficult to hide malicious activity on Linux systems than it is on Windows systems.

But don’t be fooled: Linux is not invulnerable. Now that it’s the basis for Mac OS X, and generally growing in popularity, Linux has become much more of a target. The Linux kernel currently sits at the top of the CVEDetails Top 50 products with distinct vulnerabilities list, with Mac OS X at number four and Windows XP at the fifth spot.

Not all vulnerabilities are exploited. Many exploits are never seen outside of research labs. Serious Linux vulnerabilities that are exploited ‘in the wild’ usually see patches within days of discovery.

A large proportion of the world’s web servers run Linux; a single compromised Linux server can affect all of its web visitors, so keeping these servers patched and clean is critical. But there seems to be a certain amount of complacency among some Linux system administrators, and Linux servers often stay unpatched and/or misconfigured for long periods of time, providing windows of opportunity for targeted attacks. Worse still, the reliability of Linux servers is such that Internet-facing servers are sometimes neglected completely.

Several recent stories highlight these issues.

A critical bug in the GnuTLS library, common to most Linux distributions, allows malicious parties to bypass security measures and eavesdrop on encrypted communication. This bug may have existed as far back as 2005. A patch for the GnuTLS vulnerability was made available in early March 2014.

The Windigo malware has been around since about 2011. It lies in wait on Linux web servers, infecting Windows visitors with malware, redirecting visitors to malicious web sites, serving ads for porn sites, and sending out spam. Typically, Windigo is installed on Linux servers by way of stolen credentials, rather than software vulnerabilities and related exploits. As many as 35,000 Linux servers have been affected, including high profile sites like kernel.org. Since the affected Linux systems are typically web servers, Windigo’s reach is potentially huge.

An extremely critical vulnerability in PHP that was discovered two years ago remains unpatched on many Linux servers. Exploits designed to take advantage of this bug can give attackers control of entire web sites. A patch for this vulnerability was made available soon after discovery of the bug.

Sites running out of date versions of Linux are susceptible to a new mass compromise that is taking over web sites and serving up fraudulent web pages and advertisements.

The lesson is that while Linux is a secure operating system, it must be kept patched to be truly secure. In particular, anyone administering a Linux-based web server has a responsibility to the Internet in general to keep their server patched.

Operating System and browser use statistics

Ars Technica recently posted an interesting summary of usage stats for operating systems and web browsers on desktop, laptop, and mobile computing platforms.

Here are a few highlights:

  • Almost half of all computers are running Windows 7, and a third still run Windows XP.
  • Internet Explorer is used on over half of all computers.
  • There is still a sizable population of computers running Internet Explorer 6.

New Linux PC, running 64-bit Ubuntu 12.04

When my main game server died recently – a row of capacitors went bad on the motherboard – I took it as a sign that it’s time to build a powerful new server. But instead of running Windows, I decided it was time to take the next step in switching my systems over to Linux.

I’ve been running an Ubuntu Linux server for a while, mainly to help educate myself in Linux administration. It’s at least partially a production server: it runs the centralized syslog logging service for the local network, and it runs the email services for my self-hosted web sites. But it’s nowhere close to being able to run a Linux client GUI: a 688 MHz Celeron CPU and a paltry 384 MB of RAM.

The new PC is running an Intel Core i7-3770K on an ASUS P8Z77-V (LGA 1155, Intel Z77) motherboard, with 8GB of DDR3 SDRAM. The case is a real beauty, a Corsair Obsidian Series 550D Black Aluminum / Steel ATX Mid Tower: big, quiet fans; detachable vent covers; removable filters on all intakes; no-tool installation of drives; hidden cable routing; foam insulation; silicone fan, power supply and drive mounts; one-touch removal side panels; and removable drive bays. Highly recommended.

I had some trouble installing Ubuntu from my USB thumb drive, so I finally gave up and installed a $5 DVD drive and installed from there without any trouble.

By default, Ubuntu 12.04 runs the Unity desktop GUI. It’s probably a good choice for novice computer users, since it hides a lot of technical details and is fairly simple. It’s too simple for my taste, however. So now I’m installing KDE. I’ll post more as the work continues.