
Tag: Unix

HPE offers an escape from the aging HP-UX OS via containers

Hewlett Packard Enterprise's HP-UX OS has been around for more than 30 years, and users may be looking to move on from the Unix-based OS. Now HPE is offering a way out of the ancient OS using containers, which are small buckets running instances of a...

18 things you should know about using Linux tools in Windows...

Last year Microsoft added an unusual new feature to Windows 10: Linux support.

The Windows Subsystem for Linux (WSL) — sometimes called Bash on Windows — is “Microsoft’s implementation of a Linux-compatible infrastructure that runs atop and within the Windows kernel,” senior program manager Rich Turner tells CIO.com.

That means running Linux binaries without leaving Windows. “Bash on Windows offers a toolset for developers, IT administrators and other tech professionals that want or need to run Linux command-line tools alongside their Windows tools and applications,” Turner explains.

Developed with the help of Canonical (and a large community of Linux users), it’s not there to turn Linux into Windows, or Windows into Linux.
It’s just that some Linux tools are so ubiquitous for development and deployment that it’s useful to be able to use them without spinning up a virtual machine (VM).

That’s one of the reasons Macs are so popular with developers: MacOS is based on BSD, which is Unix, so it can run Linux tools like Bash.

And now, so can Windows 10.

10 Unix commands every Mac and Linux user should know

GUIs are great—we wouldn’t want to live without them.

But if you’re a Mac or Linux user and you want to get the most out of your operating system (and your keystrokes), you owe it to yourself to get acquainted with the Unix command line. Point-and-click is wonderful whenever you need to do something once or twice.

But if you need to repeat that task many times, the command line is your savior. The command line is a window into the full, awesome power of your computer.
If you long to break free of the constraints of the GUI or think that programming or administering remote machines is in your future, then learning the Unix command line is definitely for you.

ShadowBrokers Dump More Equation Group Hacks, Auction File Password

The ShadowBrokers' latest dump of Equation Group hacks focuses on UNIX systems and GSM networks, and was accompanied by an open letter to President Trump.

Angry Shadow Brokers release password for suspected NSA hacking tools

Annoyed with the U.S. missile strike last week on an airfield in Syria, among other things, hacker group Shadow Brokers resurfaced on Saturday and released what they said was the password to files containing suspected National Security Agency tools they had earlier tried to sell.

“Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected,” the group wrote in broken English in a letter to U.S. President Donald Trump posted online on Saturday.

The hacker group, believed by some security experts to have Russian links, released in January an arsenal of tools that appeared designed to spy on Windows systems, after trying to sell these and other supposedly Windows and Unix hacking tools for bitcoin.

Penquin’s Moonlit Maze

Moonlight Maze is the stuff of cyberespionage legend.
In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale.

To say that this historic threat actor is directly related to the modern-day Turla would elevate an already formidable modern-day attacker to another league altogether.

AWS follows Google with Reserved Instance flexibility changes

Customers who have Reserved Instance contracts with Amazon Web Services will be able to subdivide some of their Linux and Unix virtual machine instances while maintaining their capacity discounts, thanks to pricing changes announced Monday. Reserved Instances allow customers to lock themselves into paying AWS for a certain amount of compute capacity with the company's EC2 (Elastic Compute Cloud) in exchange for a discount off its list price.

Heartbleed Persists on 200,000 Servers, Devices

Almost 200,000 servers and devices are still vulnerable to Heartbleed, the OpenSSL flaw patched nearly three years ago. The numbers come from search engine Shodan, which released data showing that U.S. servers hosted on Amazon AWS are disproportionately vulnerable to the flaw. “There’s a lot to be worried about with this data, but also a lot that’s unsurprising,” said Tim Jarrett, senior director of security at Veracode.

The Shodan analysis released over the weekend is part of the search engine’s Heartbleed Report (2017-01). It paints a gloomy picture when it comes to Heartbleed mitigation. The report indicates that almost 52,000 Apache HTTPD servers remain vulnerable and exposed to the internet, in particular versions 2.2.22 and 2.2.15. Amazon Web Services hosts the highest number of vulnerable devices (6,380), followed by Verizon Wireless (4,330) and German ISP Cronon AG (2,290).

“The initial media blizzard for Heartbleed helped secure hundreds of thousands of devices (from 600,000 down to 200,000) but the subsequent follow-up has been lackluster as the problem keeps lingering,” said John Matherly, Shodan founder. He points out that the vast majority of affected services actually support TLSv1.2. “This means they support good encryption, unfortunately their dependencies are old,” he said.

Heartbleed was an internet-wide bug that in 2014 affected millions of Linux, UNIX and Apple machines running vulnerable versions of the OpenSSL library. The Heartbleed vulnerability can result in the revelation of 64 KB of memory to any client or server that is connected. In April of 2014, fixes for versions of OpenSSL were quickly pushed out.

“Most Heartbleed vulnerabilities are reported in the U.S. This makes sense given the prevalence of web applications hosted in Amazon AWS and Verizon as well as other US-based ISPs,” Jarrett said. He said part of the issue is that it’s easy to create new servers in AWS that don’t enforce the same type of safety provisions as were once required. “What used to require a sysadmin and a capital expenditure can now be done with a few lines of code. And we know that both real and virtual servers are easy to forget about, particularly when created outside of normal IT processes. So it’s unsurprising that some of these ‘forgotten servers’ are unpatched and dangerous,” Jarrett said.

The Shodan data shows that the most affected service by far is HTTPS, with 148,420 vulnerable servers, followed by HTTPS on port 8443 (23,600 servers) and then Webmin, the sysadmin interface for Unix (5,970).

Docker Patches Container Escape Vulnerability

Docker has patched a privilege escalation vulnerability (CVE-2016-9962) that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container. The vulnerability is rated high severity by some Linux distributions such as Arch Linux, which traces the problem to a bug found in the “opencontainers’ runc” code, used by several container engines. According to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container.

Exec is a Unix command that replaces the current shell process with a new program without creating a new process. “When that happens, a malicious process inside the container can access a ‘forgotten’ file descriptor of a directory that resides on the host. This in turn can be used to perform directory traversal to the host’s file system, thus facilitating a nasty and easy escape,” wrote Sagie Dulce, senior researcher at Aqua Security.

Docker released an update, Docker Engine 1.12.6, last week that patches the flaw. It rates the vulnerability as minor and describes it as an “insecure opening of file-descriptor” which allows for privilege escalation.

Red Hat rated the vulnerability as medium after first describing the problem in a blog post titled “Docker 0-Day Stopped Cold by SELinux,” which was later changed to “SELinux Mitigates container Vulnerability.” Red Hat had argued that SELinux would have better protected against CVE-2016-9962. Red Hat also alerted its users to patch the vulnerability and said running SELinux would not fully protect against it. “SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content, SELinux will check the access,” wrote Dan Walsh, consulting engineer at Red Hat.

Aqua Security’s Dulce believes the open file descriptor issue is part of a larger problem tied to exec commands inside a running container. In the case of CVE-2016-9962, there is a small window of opportunity “before the runc init process execs the command inside the container, where the container has access to the runc init process on the host.” The timing of the process allows the runc init process to enter the namespace of the container before it execs the final command, Dulce said. “This window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host’s file system.” Aleksa Sarai with SUSE and Tõnis Tiigi with Docker are credited for disclosing the vulnerability on Jan. 2.

Suspected NSA tool hackers dump more cyberweapons

The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off—but not before releasing another arsenal of tools that appear designed to spy on Windows systems. On Thursday, the Shadow Brokers dumped them online after an attempt to sell these and other supposedly Windows and Unix hacking tools for bitcoin.

The Shadow Brokers made news back in August when they dumped hacking tools for routers and firewall products that they claimed came from the Equation Group, a top cyberespionage team that some suspect works for the NSA. Those tools contained several previously unknown and valuable exploits, lending credibility to the hacking group’s claims, according to security researchers.

The Shadow Brokers’ latest dump includes 61 files, many of which have never been seen by security firms before, said Jake Williams, founder of Rendition InfoSec, a security provider. He’s been examining the tools, and said it’ll take time to verify their capabilities. His initial view is that they’re designed for detection evasion.

For instance, one of the tools is built to edit Windows event logs. Potentially, a hacker could use the tool to selectively delete notifications and alerts in the event logs, preventing the victim from realizing they’ve been breached, he said. “If you simply remove a record or two, then even an organization that is following the best security practices, presumably, wouldn’t notice the change,” he said.

On Thursday, the Shadow Brokers said they released the Windows hacking tools for free because a Kaspersky Lab antivirus product could already flag them as harmful. The clandestine group previously tried to auction off a whole set of hacking tools for 1 million bitcoins, or what was at the time $584 million. But after several months, that auction only managed to generate 10 bitcoins. “Despite theories, it always being about bitcoins for TheShadowBrokers,” the group said in broken English in their supposed final message.

However, Williams believes the Shadow Brokers are likely spies working for the Russian government. This latest dump was a message to the U.S., he said. Williams points to the timing. In recent weeks, U.S. intelligence agencies have been claiming the Kremlin tried to influence the U.S. election. Based on those findings, President Barack Obama has already ordered sanctions against Russia and vowed covert action. “If they are Russian, this is a shot across the bow,” Williams said.

It’s unclear how the Shadow Brokers managed to steal the hacking tools. But they claim to have many more in reserve. The group has said their arsenal of supposed Linux and Windows-based hacking tools is still up for sale at 10,000 bitcoins. On Thursday, Microsoft said it’s investigating this latest batch of hacking tools that have been released.

How to hunt for rare malware

At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers who need an effective arsenal for finding malware.

During the training, the experts will give participants access to some of Kaspersky Lab's internal systems, which are otherwise closed to the public, to demonstrate how the company’s malware analysts catch rare samples.

After two days, even as a newcomer, you’ll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now — the class will be limited to a maximum of 15 participants. Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.

Why YARA training?

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow. Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective. Good YARA detection rules, however, still allow analysts to find malware, exploits and 0-days which couldn’t be found in any other way. The rules can be deployed in networks and on various multi-scanner systems.

Giveaways

People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can’t be detected easily with strings. The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false positives. They also will share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.

What are the requirements for participation?

You don’t have to be an expert in order to go through this training. It’s enough to have basic knowledge of how to use a text editor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You’ll also need your laptop, with YARA software v3.4.0 installed on the machine. Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn’t mean that you can’t learn without it.

Catching a 0-day with YARA

One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers. GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits — he used very specific comments, shell code and function names.

All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”. Eventually it caught a new sample, it was a 0-day, and the team reported it to Microsoft immediately.

If you’re a scholar…

Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly. You are welcome to listen to the podcast to learn about how YARA can be used in malware hunting, data analysis and incident response activities. Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!

Exim gives Linux admins a security fix for Christmas

Linux administrators will have to change their holiday plans, because Exim is still releasing a security update on Christmas Day, and not earlier as had been hoped. An information leakage vulnerability was fixed last week in Exim, a widely used email agent for Unix and Linux systems, and major distributions are currently updating their packages to incorporate the fix.

Exim maintainer Heiko Schlittermann originally announced on Dec. 18 that details of the vulnerability and the updated software will be available Dec. 25.

There was a possibility the release date could be moved to Dec. 23 if the partner distributions could complete their preparations in a shorter timeframe, but that's no longer the case. "As at least one major distro isn't ready yet, we'll keep our initial schedule and release the fixed versions on Dec, 25th, 10:00 UTC," Schlittermann wrote early Dec. 23. "We're sorry for the release date."

The timing was unfortunate, but Schlittermann suggested delaying the patch would be worse. "And yes, we know, it is holiday in many countries, maybe in all countries of some of all that many worlds. The decision wasn't an easy one. Delaying some days more would probably hit New Year celebration or Дед Мороз. Delaying it even more?" Schlittermann asked.

Nothing much about the information leakage vulnerability, designated CVE-2016-9963, is known at the moment, not even its severity. "If several conditions are met, Exim leaks private information to a remote attacker," Schlittermann said in a different message.

That can mean exposing hostnames or IP addresses stored in memory, which isn't ideal but is not as critical as leaking private cryptographic keys. Exim is going from 4.87 to 4.87.1, which makes the update a fairly minor one. However, Schlittermann originally wrote, "We can't celebrate any holiday while knowing that there are systems outside, that may leak private information," suggesting the vulnerability may not be so benign. The uncertainty puts IT administrators in a quandary over how to handle the update, especially if they weren't planning on providing on-call coverage on Dec. 25 and 26. The Exim team appears to have done the best it could to avoid the Christmas Day update.

The team received the vulnerability report on Dec. 15, requested a CVE on Dec. 16, and had a fix ready and tested by Dec. 18. Major distributions and other partners are given seven days to prepare their packages before the public release, which brings the date to Dec. 25. While maintainers from Red Hat and SUSE said they would be ready by Dec. 23 to accommodate an earlier release date, that wasn't the case for other distributors. The impact of the update should be "very minimal" since most administrators will be receiving the patch from their respective distributions.

For example, Exim is part of the default Debian installation, so administrators will receive the updated software directly from Debian's repositories. "And if you build your own Exim packages, the effort to rebuild it (4.87.1 is almost the same as 4.87, which you should have running already) is minimal," Schlittermann said.

Exim 4.88 and Exim 4.87.1 will be available in the official Exim repository. Even so, administrators still have to analyze and test the updates to make sure the new version doesn't cause any problems within their environments.
So IT teams have to decide: handle the update in a timely manner, or take a chance and wait a few more days?