Security and Fear, Uncertainty, Doubt (FUD) About Linux
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted).
-
Reproducible Builds: Reproducible Builds in August 2024
Welcome to the August 2024 report from the Reproducible Builds project!
Our reports attempt to outline what we’ve been up to over the past month, highlighting news items from elsewhere in tech where they are related. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.
-
OpenSSF (Linux Foundation) ☛ Prioritizing Security: Key Findings From The OpenSSF Survey For Financial Institutions [Ed: Front group for companies like Microsoft]
The 'Linux' Foundation's Open Source Security Foundation (OpenSSF) Secure Software Development Education 2024 Survey offers crucial insights that are particularly relevant to the financial services industry, including FINOS members such as sell-side banks, buy-side firms, and wealth managers. As these organizations increasingly rely on software to drive operations, the emphasis on secure software development becomes critical.
-
Security Week ☛ Android’s September 2024 Update Patches Exploited Vulnerability
Google has released Android security updates to patch an exploited local privilege escalation vulnerability.
-
Tom's Hardware ☛ Older YubiKeys compromised by unpatchable 2FA bug — side-channel attack is critical, but expensive and difficult to execute
Many two-factor authentication keys from Yubico have become vulnerable to a side-channel attack resulting in cloning 2FA keys, due to a weakness with integrated Infineon security chips.
-
Rust Blog ☛ The Rust Programming Language Blog: Security advisory for the standard library (CVE-2024-43402) [Ed: Rust says choosing Rust is all about security, but every few weeks or months this keeps happening]
On April 9th, 2024, the Rust Security Response WG disclosed CVE-2024-24576, where std::process::Command incorrectly escaped arguments when invoking batch files on Windows. We were notified that our fix for the vulnerability was incomplete, and it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows).
-
NVISO Labs ☛ MEGAsync Forensics and Intrusion Attribution
MEGAsync forensics can be leveraged to identify exfiltrated files, additional victims and, subsequently, perform attribution.
-
Security Week ☛ Zyxel Patches Critical Vulnerabilities in Networking Devices
Zyxel has released patches for multiple vulnerabilities in its networking devices, including a critical flaw impacting access points and security routers.
-
Security Week ☛ D-Link Warns of Code Execution Flaws in Discontinued Router Model
D-Link warns of multiple remote code execution vulnerabilities impacting its discontinued DIR-846 router model.
-
Federal News Network ☛ WH launches cyber hiring sprint to fill open tech roles
The cyber hiring push led by the Office of the National Cyber Director comes as the government grapples with an estimated 3,000 open cybersecurity jobs.
-
Bruce Schneier ☛ Security Researcher Sued for Disproving Government Statements
This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher.
Let’s hope the judge throws the case out, but—still—it will serve as a warning to others.
-
Bad Reasons to Update Your Linux Kernel
Freshen up with something new and improved – if it’s as simple as applying a software update…. well, why not? That’s a tempting argument to make for things like updating your Linux kernels and it’s no surprise that junior sysadmins are sometimes tempted to quickly apply a kernel update.
But a Linux kernel update is not to be taken lightly. In the world of enterprise Linux, change means risk. Whatever reasons you think you might have to update your kernel, there is only one that really matters.
-
Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation
-
IT Pro Today ☛ Linux Ransomware Threats: How Attackers Target Linux Systems [Ed: Ransomware is predominantly a Windows problem, so this is an effort to distort reality and invent narratives]
Ransomware is one of the most prolific and dangerous cybersecurity threats facing computer users worldwide. Modern ransomware operators target a variety of platforms, including Linux. Organizations rely heavily on Linux for critical infrastructure, such as cloud environments and servers, making them attractive targets for ransomware operators and other Advanced Persistent Threat (APT) groups.
-
New Cicada3301 virus attacks Windows and Linux [Ed: No, it attacks something else]
-
Notebook Check ☛ Windows and Linux vulnerable to oddly familiar Cicada3301 ransomware [Ed: Trying to twist high profile Windows incidents as something "Linux"]
-