Showing posts with label linux. Show all posts

2018-02-19

Intel ME OS is Minix3 -Google wants Linux

17.11.6: news.cyb/sec/Intel Mgt Engine OS is Minix3 while Google wants Linux:
2018: summary:
. below the OS level is hypervisor,
and below hypervisor level is
the ME (mgt engine).
. it allows the maker of the pc
to do updates even when power seems off,
as long as there is internet.
. the ME uses the secure Minix OS kernel,
but also includes a web browser,
and other huge amounts of functionality
that you can't get the bugs out of,
so Google suggests replacing it with
a Linux kernel and less functionality.
. this has the potential to be a back door
with which the national security agencies
can better protect us from terrorists
and others who take advantage of privacy.

2018-01-16

call for increasing offensive cyber capability

1.3: news.cyb/sec/call for increasing offensive cyber capability:
. the military wants to focus on cyber offense;
the thing to keep in mind with offense,
is it involves placing vulnerabilities
in the hardware that is used internationally;
and that will affect the security of everyone
when those vulnerabilities get out
into the hands of cyber criminals.

apps using #Python may be vulnerable

1.2: news.cyb/sec/lang/python/undocumented methods:
Liam Tung 2017:
IOActive researcher Fernando Arnaboldi
revealed Python has "undocumented methods
and local environment variables
that can be used for OS command execution".
ref:
blackhat presentation:
Exposing Hidden Exploitable Behaviors in Programming Languages
Using Differential Fuzzing:
A differential fuzzing framework was created to detect
dangerous and unusual behaviors in
similar software implementations.
1.16: the paper:
. some Python commands are undocumented because
they are for deprecated functions;
meaning don't use the functions in new code,
but for backward compatibility we are
keeping the function in place undocumented.
. documentation can be there to warn you
that a function doesn't check its inputs,
so you shouldn't feed it data from an untrusted source.

2014-11-09

#Secret Manuals Show #Spyware Sold to #police

11.5: news.cyb/sec/Secret Manuals Show Spyware Sold to police:
firstlook.org 2014/10
When Apple and Google unveiled
new encryption schemes last month,
law enforcement officials complained that
they wouldn't be able to unlock evidence
on criminals’ digital devices.
What they didn't say is that there are
already methods to bypass encryption,
thanks to off-the-shelf digital implants
readily available to the smallest national agencies
and the largest city police forces
— easy-to-use software that takes over and monitors
digital devices in real time.
First Look Media are publishing in full, for the first time,
manuals explaining the prominent commercial implant software
“Remote Control System,” manufactured by
the Italian company Hacking Team.
. they mention citizenlab.org's June 24 Police Story:
 Hacking Team’s Government Surveillance Malware

2014-10-11

#BadUSB code made public #badBIOS #android #linux #mac #Windows

news.cyb/sec/#badBIOS/#BadUSB code made public:
10.11: summary:
. in 2013 I wrote about #badBIOS malware
apparently infecting my mac and linux/pc;
 recently a demonstration of badUSB
has proven a key technology needed by badBIOS;
but the code was not revealed; because,
USB is considered to be unpatchable,
unless $billions in hardware were replaced .
. even more recently,
other researchers have released the code .
 

2014-01-30

#mac #osx #rtfm #badBIOS #NSA stuccomontana

9: news.cyb/sec/#mac #osx #rtfm #badBIOS #NSA stuccomontana:
intro:
. when NSA conceals a computer vulnerability
(one that can take possession of your computer
and make it do the bidding of the internet)
there is nothing magical about this situation
that would prevent criminal elements
from also exploiting these backdoors .
. NSA knows the cat is out of the bag;
that's why they set up the Snowden leak:
NSA knows they need to get our permission now
rather than use our computer vulnerabilities
because the criminals now know too much
about the backdoors NSA needs for surveillance .

. the following is someone claiming to show
an NSA leak documenting the #badBIOS malware
that has been plaguing Dragos Ruiu .

2013-12-14

brightness on ubuntu linux fujitsu laptop

10.10: web.cyb/xuw/brightness:
. ubuntu 12.04 LTS screen brightness?
adjust-the-screen-brightness-on-an-acer-aspire-one-d270
cant-adjust-screen-brightness-on-ubuntu-12-04lts
xbacklight
Install it by terminal:
sudo apt-get install xbacklight
Change brightness by xbacklight -set {20..50},
For example, to set medium brightness one would use
xbacklight -set 50

2013-11-30

#badBIOS @dragosr vs Mac, Linux and PC

4: cyb/sec/#badBIOS/ 
30: summary:
. malware that spreads via usb devices
can infect other usb devices,
and the problem is not the os;
it is the hardware and usb standards
which expose the os to malware infection .
. Dragos Ruiu talks about a mac infection
which sounds like the one I got;
it prevented me from reinstalling the os;
and it started infecting my chromebook,
but the chrome os was able to clean it up .
. my 2005 ubuntu laptop was not so lucky .
. a laptop in my future that will likely do well
is one running the xen hypervisor,
hardened with the Qubes OS .
(see #Qubes #Xen vs Dragos Ruiu's #badBIOS).

2012-06-19

beautiful photostitching in Linux

5.5: web.cyb/mac#lion/photo stitch replacement:
. the new Lion system doesn’t include Rosetta,
which means the older PowerPC-only programs
can’t run on it;
so, I'm going to be out Canon's Photo Stitch?
what are some linux replacements?
. another term for Photo Stitching is Panoramas .
[6.11:
... and if linux doesn't work out;
Canon upgraded the PhotoStitch to work with Lion
(freeware -- not just an upgrade).

 6.19: have the cd?:
. there is also a version for Windows,
but it's only an upgrade,
you'll need the cd that came with your Canon .]

[6.19: tried the linux openware:
. after installing Hugin on linux
with Ubuntu's Software Center,
the tips suggested I see the tutorial;
and, trying that out, it was truly amazing .
. someone in 2007 said you had to install Enblend too,
but that seems to be already in place now .]

2011-09-30

Fusion sharing external Linux drive #Mac #Vmware

9.22: cyb/mac/formats sharable with linux
9.30: intro:
. I have 2 machines: mac and linux,
and I want an external drive they can both use:
however last time I checked,
fusion couldn't allow a linux vm to
directly access a mac's external drive .
. if that is true, then I need some
mac drivers that access linux`ext{2,3,4} .
9.22: summary:
. it looks like the openware community
isn't really interested in ntfs support;
fat32 is sufficient if you minimize exposure:
having it mounted only for loading bak's,
and using that card only for a bak .
. I should use version control systems
to notice when corruptions have happened .

2010-11-07

before qubes there was mac vmware virtualizing windows


[at the ubuntu forum]/Setting up virtual machines

. I am so thankful this article was pointed out us;
for 2 years I've been using
mac.vmware`fusion to run ubuntu
-- worried about rootkits --
but since recently hearing about
Joanna Rutkowska's expertise in rootkits
I wondered how her setup differed from mine .

. I was surprised she did her online shopping
on a separate machine from her banking;
but she's right, once at macmall (a secure site)
I got my credit card "validated" by a scam;
who knows what else I got?
(I think macmall uses 3rd-party advertising).

. as for linux having no 3rd-party drivers:
in security terms,
all open source is 3rd-party!
it's a lot of cooks in the kitchen;
complexity increases risk .
. did you know that most of
russia, china, the world,
are using bootleg microsoft?
when the world moves to linux,
the botnets will come for linux next !

. but by the time they do,
we will be saved by ...
# intel's VT-d, TXT, TPM,
# linux (or anything) on the
okL4 verified microvisor
# and using Joanna's system of
5 vm's for each security domain,
-- or Joanna's Qubes

5 vm's for each security level:
# red: browsing random sites, no privacy;
-- expected to get infected;
. I revert it to a known snapshot every week or so.
# yellow: semi-sensitive tasks,
. uses firefox.NoScript to only allow
scripting to a trusted few sites:
online shopping, blogging, etc.
Sure, somebody might do a
man-in-the-middle (MITM) attack against
a plaintext HTTP connection
that is whitelisted by NoScript
and inject some malicious drive-by exploit,
but then again,
Yellow machine is only semi-sensitive
and there would not be a big tragedy
if somebody stole the information from it.
[unless credit cards are used?
maybe that's for green vm?]
# green: https-only, bank's account
. it is quite important to make sure
only HTTPS is used for this machine
to mitigate potential MITM attacks;
for example, on any hotel Wi-Fi.
. don't use the host's browser as a Green machine:
[the host is a huge attack vector;
and, all the attacks are coming from online;
so, take it offline .]
# where to keep one's email client:
[with separate personal and work vm's;
both have mozilla mail;
work needs a noscript browser]
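The colour-coded VM scheme above is a routing policy: a URL goes to the least trusted VM that may handle it, the green VM accepts HTTPS only, and the yellow VM allows scripting only on an allowlist. The following is an added example (not from the post or from Qubes) that encodes that policy in Python; the hostnames are placeholders, the routing rule refuses plain-HTTP requests for green hosts instead of demoting them, and, going one step beyond the post, the scripting check also refuses scripting over plain HTTP for the allowlisted sites, since that is exactly the MITM case the post describes.

```python
from urllib.parse import urlsplit

# Constructed policy for the colour-coded VMs; hostnames are placeholders.
GREEN_HOSTS = {"bank.example"}                          # https-only banking
YELLOW_SCRIPT_HOSTS = {"shop.example", "blog.example"}  # NoScript allowlist


def _host_matches(host, allowed):
    """True if host is an allowed name or a subdomain of one.
    The suffix match is anchored on a dot, so 'bank.example.evil.test'
    does not match 'bank.example'."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def route_url(url):
    """Return the VM a URL belongs in: 'green', 'yellow' or 'red'.
    A green host requested over plain HTTP is 'blocked' rather than
    demoted, so banking credentials never end up in a weaker VM."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # lower-cased; userinfo and port stripped
    scheme = parts.scheme.lower()
    if _host_matches(host, GREEN_HOSTS):
        return "green" if scheme == "https" else "blocked"
    if _host_matches(host, YELLOW_SCRIPT_HOSTS):
        return "yellow"
    return "red"


def scripting_allowed(url):
    """NoScript decision for the yellow VM: scripting only for the
    allow-listed sites, and only over HTTPS (stricter than the post,
    which tolerated plaintext HTTP for allow-listed sites)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme.lower() == "https" and _host_matches(host, YELLOW_SCRIPT_HOSTS)


if __name__ == "__main__":
    for u in ("https://bank.example/login", "http://bank.example/login",
              "https://user@bank.example:443/", "https://bank.example.evil.test/",
              "http://shop.example/cart", "https://news.example/"):
        print(u, "->", route_url(u), "scripting:", scripting_allowed(u))
```

urlsplit does the normalisation that matters here: it lower-cases the scheme and hostname and discards userinfo and port, so `https://user@bank.example:443/` is recognised as the bank and a look-alike such as `bank.example.evil.test` is not.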

other tips:
#handling updates:
[getting prompt updates for each guest vm
dramatically reduces the number of attacks .]
# clipboard:
[every guest can be logging the clipboard .]
transfer of files between vm's and host:
[more networking is more risk .]



2010-06-01

SOA-style security for linux

news.addn/security/soa for linux:

5.6:
OpenVZ is container-based virtualization for Linux
. this is what could make linux
more secure than mac ? 5.13:
another layer of security wouldn't hurt,
but openVZ is just the open engine for
for a closed product from Parallels .
. Qubes has a complete open betaware isolation solution .

5.13: web:
Qubes is an open source operating system
designed to provide strong security for desktop computing.
Qubes is based on Xen, X Window System, and Linux,
and can run most Linux applications
and utilize most of the Linux drivers.
qubes-os.org/trac/wiki/SourceCode
qubes-os.org/gitweb/
qubes-os.org/trac/wiki/InstallationGuide
In the future it might also run Windows apps.
. critique at threatpost.com .

5.13:
Secure Virtualization Using SELinux (sVirt):
"(Crackers have already broken through the xen hypervisor,
as I documented in one of my previous blogs.

Adventures with a certain Xen vulnerability (pdf)
was just published which contains a Xen vulnerability
which allows a process in a virtual machine
to attack the host machine,
and SELinux is pretty much a speed bump in his way.
3.4
What actions are available for a uid 0 process
running in the system_u:system_r:xend_t:s0 context?
It turns out that default SELinux policy allows very few.
For instance, we cannot write to system configuration files,
nor load kernel modules.
However, qemu-dm processes also implement
virtual block devices for HVM guests,
and these devices can be backed by raw disk partitions.
In order to make it possible,
the default SELinux policy grants the xend_t domain
the read-write access to all disk partitions.
The relevant lines in the SELinux reference policy
(from the default selinux-policy-3.0.8-44.fc8.src.rpm)
are:
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
Particularly, qemu-dm (so, the shell executed from it as well)
can write to the blocks on the root filesystem.
Through the use of fixed disk the attacker
is able to trick the host operating system
into loading kernel modules that can take over the machine.
If we had forced the users to label the physical disk partitions,
this vulnerability would not have been exploitable.
Lesson learned.
When it comes to virtualization going forward,
I plan on forcing the user to apply the correct labeling.
KVM/QEMU have nice process separation
and make confinement easier.
virt_manager and libvirt are being built with SELinux
understanding in them.
virt_manager will setup the labeling correctly
when virtual images are installed
and libvirt will make sure they run in the correct domain
when they are launched.
In the future we want to protect not only the host machine
from the virtual machines,
but the virtual machines from each other.
Watch for information on in the future

In conclusion,
as we move towards more widespread use of virtualization,
we should avoid making compromises in security
for the sake of usability,
but work toward making security usable.) .
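The lesson in the quoted post is that a domain holding write access to raw fixed-disk block devices (the storage_raw_write_fixed_disk interface applied to xend_t) can reach the host root filesystem, while a domain confined to labelled image types cannot. The following is an added audit example (not from the quoted blog, the SELinux reference policy, or any real policy dump) that parses allow rules written in the style of `sesearch -A` output and lists which domains hold raw-disk write access versus image-only access; the sample rules and permission sets are constructed for the example.

```python
import re

# Constructed sample in the style of `sesearch -A` output; the rules and
# permission sets are illustrative and not copied from any real policy.
SAMPLE_RULES = """\
allow xend_t fixed_disk_device_t:blk_file { append getattr ioctl lock open read write };
allow fsadm_t fixed_disk_device_t:blk_file { getattr ioctl open read write };
allow hald_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow svirt_t svirt_image_t:blk_file { getattr ioctl open read write };
allow svirt_t svirt_image_t:file { getattr open read write };
allow xend_t xen_image_t:file read;
"""

# allow <source> <target>:<class> { perm perm ... };   or   allow ... perm;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]*)\}|(?P<one>[^\s;]+))\s*;"
)


def parse_allow_rules(text):
    """Parse allow-rule lines into dicts; lines that are not allow rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = (m.group("many") or m.group("one")).split()
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": set(perms)})
    return rules


def raw_disk_writers(rules, target="fixed_disk_device_t"):
    """Domains allowed to write whole-disk block devices. Each of these
    can modify the host root filesystem the way qemu-dm in xend_t could."""
    return sorted({r["src"] for r in rules
                   if r["tgt"] == target and r["cls"] == "blk_file"
                   and "write" in r["perms"]})


def image_only_writers(rules, image_types=("svirt_image_t", "xen_image_t")):
    """Domains whose write access is confined to labelled VM image types
    and that hold no raw-disk write access: the labelling the post calls for."""
    writers = {r["src"] for r in rules
               if "write" in r["perms"] and r["tgt"] in image_types}
    return sorted(writers - set(raw_disk_writers(rules)))


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_RULES)
    print("raw disk writers:", raw_disk_writers(parsed))
    print("image-only writers:", image_only_writers(parsed))
```

On a live system the input would come from `sesearch -A -c blk_file -t fixed_disk_device_t` (setools); the point of the check is that a virtualisation domain should appear in the second list, not the first.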
Want to know how to make Linux really secure?
http://www.linuxsecurity.com/content/blogcategory/171/167/
Security Enhanced Linux (SE Linux),
a system of security policies developed by the NSA,
lets you secure Linux at every level from the kernel up.
Find out how EnGarde Secure Linux and others
build and maintain a truly secure server environment.

secure virtualization with MAC
selinuxproject.org/page/SVirt

2010-05-31

ubuntu lucid saves a fujitsu laptop

rev.addn/xuw/why linux on xpw didn't work:
5.10:
. I had linux on this laptop once before;
so, what were the problems that had me switching back?
. I couldn't get screen brightness down;
then I crippled the wifi trying to network with mac .
5.11:
. there are ubuntu pages for my new wifi card,
but that wasn't a problem if I didn't mess with networking .
http://ubuntuforums.org/showthread.php?t=1387483
http://www.backports.ubuntuforums.org/showthread.php?t=1353044

5.31: summary:

. ubuntu 10.04 (lucid) did find my laptop's wifi
and even the brightness -- a feat mac can't do
even with its own monitors! (imac 24") .

. I first tried the netbook version
and couldn't figure out why the menu's icons were so huge .
huge icons are great on an ipod touch,
but they were making me [/]scroll
through a tiny menu!
. I got obsessive about rearranging the submenus
so that none of them would need scrolling .
. along the way I deleted any icons I didn't need;
duh, it was as if I'd actually deleted apps .
. after that I lost control of the gui
and couldn't even find a way to reach a terminal!

. I finally got back in there
after installing a 2nd ubuntu
(trying the desktop version this time);
when I went back in rescue mode
it would add a lightweight gui
where I could backup my bookmarks etc .

. the desktop edition with gnome windows
is really working well .
. there are several niceties that expect gnome:
mercurial distributed version control,
and a default login that was auto-starting my wifi
-- I lost the auto-start after switching
from gnome to xfce4 .
. the reason I switched is that when you do ctrl-tab
to switch between windows,
gnome does the huge flashy act
that gives me epileptic fits !
. I like the {mac, pc} style of just showing
an array of icons, not flipping through every window .
. but I'm definitely going back
for mercurial integration .

linux vs bsd security

5.20: web.addn/laptop`os selection:

. win'xp is just too bogged down with security issues,
so I'm going for a more secure os,
one that doesn't rely on disruptive anti-malware,
and won't run my laptop's fan so hard .
. as long as I'm making the move for security,
is bsd better than linux ?
review freebsd, vs openbsd, vs TrustedBSD .

. gui for openbsd?
openbsdsupport.org/desktopOBSD.html

. wiki for sec'focused os .
Security-focused_operating_system

. TrustedBSD -- cap'based sec
en.wikipedia.org/wiki/TrustedBSD
TrustedBSD is a sub-project of FreeBSD designed to add
trusted operating system extensions, targeting the
Common Criteria for Information Technology Security Evaluation
(see also Orange Book ).
fine-grained capabilities .
-- access control lists are known to be confronted with
the confused deputy problem,
capabilities are a different way to avoid this issue.
. ported the NSA's FLASK/TE implementation from SELinux
. OpenBSM, an open source implementation of Sun's
Basic Security Module (BSM) API and audit log file format,
supports an extensive security audit system.
While most components of the TrustedBSD project
are eventually folded into the main sources for FreeBSD,
many features, once fully matured,
find their way into other operating systems.
For example, OpenPAM and UFS2
have been adopted by NetBSD .
. the TrustedBSD MAC Framework
has been adopted by Apple for Mac OS X .
Much of this work was sponsored by DARPA .

Ubuntu security
Ubuntu is the most popular Linux distribution,
and is built with security and protection in mind.
While the desktop version of Ubuntu provides a GUI ,
the server version avoids that
added security vulnerability.
[todo: what's the diff?]
Ubuntu developers made a conscientious decision
to disable the administrative root account:
it's been given a password which
matches no possible encrypted value,
therefore may not log in directly by itself.
This makes the system very secure
as the only way to get root privilege
is to use the "sudo" command.
Moreover, AppArmor is installed and loaded by default.
It uses profiles of an application
to determine what files and permissions
the application requires.
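The disabled-root mechanism described above is visible in /etc/shadow: a password field of `*` or one prefixed with `!` matches no possible hash, so the account cannot log in directly, while an empty field means login with no password at all. The following is an added example (not from the quoted article or from Ubuntu) that classifies the password field of each shadow entry and reports the two conditions an admin cares about: root holding a usable password, and any account with an empty field. The shadow excerpt is constructed and the hashes are placeholders.

```python
# Constructed /etc/shadow excerpt; hashes are placeholders, not real values.
SAMPLE_SHADOW = """\
root:*:18000:0:99999:7:::
ubuntu:$6$c0nstructed$placeholderhashvalue:18000:0:99999:7:::
backup:!$6$c0nstructed$anotherplaceholder:18000:0:99999:7:::
daemon:!:18000:0:99999:7:::
kiosk::18000:0:99999:7:::
"""


def classify_password_field(field):
    """Map a shadow password field to a state:
    ''                -> 'empty'  : login without a password (dangerous)
    '*' or '!' prefix -> 'locked' : matches no possible hash; direct login impossible
    anything else     -> 'hashed' : a usable password hash is present
    """
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    return "hashed"


def audit_shadow(text):
    """Return {user: state} for every well-formed shadow line."""
    states = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        states[fields[0]] = classify_password_field(fields[1])
    return states


def findings(states):
    """Findings in the spirit of the Ubuntu default: root stays locked
    (sudo is the only route to root) and no account is password-less."""
    out = []
    if states.get("root") != "locked":
        out.append("root has a usable password: direct root login is possible")
    out.extend(f"{u} has an empty password field"
               for u, s in states.items() if s == "empty")
    return out


if __name__ == "__main__":
    states = audit_shadow(SAMPLE_SHADOW)
    for user, state in states.items():
        print(f"{user:8} {state}")
    for f in findings(states):
        print("FINDING:", f)
```

Reading the real file needs root (`sudo cat /etc/shadow`), which is itself the point: on a default Ubuntu install the root line is locked and sudo is how you got there. Note that a `!` in front of a retained hash (the backup entry) still counts as locked; `passwd -l` produces exactly that form.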

an openbsd server admin goes to Ubuntu's
JeOS
(Just Enough Operating System):
. linux was more of a security threat back then .
"( Ubuntu JeOS is a version of Ubuntu that has
an optimized VMWare kernel. (50MB or so)
. the packaging system didn't require me to install
X11, TCL, Ruby, PHP, or MySQL for my server setup.
I was able to get just the tools I needed.) .