Linux hits the world (cont #2)

Wiggo
Joined: 24 Jan 00
Posts: 34871
Credit: 261,360,520
RAC: 489
Australia
Message 1496296 - Posted: 27 Mar 2014, 21:28:51 UTC

Crypto currencies mining malware hits Android.

http://www.theinquirer.net/inquirer/news/2336674/bitcoin-mining-malware-hits-android

ANDROIDOS_KAGECOIN.HBT is capable of mining Bitcoin, Litecoin and Dogecoin by altering the Google Mobile Ads code in apps to disguise a redirect to a mining pool.

Although using relatively low-powered devices is likely to mine coins at an exponentially slow rate, the combined power of all the zombie machines in the hackers' network has already netted them thousands of Dogecoins, according to Trend Micro, which discovered the exploit.


So much for Linux security, again.

Cheers.
ID: 1496296 · Report as offensive
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1500983 - Posted: 7 Apr 2014, 14:15:51 UTC

Definitely a long way to go...

"HMRC runs 5,000 servers but only 3% run Linux".

Full Report
ID: 1500983 · Report as offensive
ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20334
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1501177 - Posted: 8 Apr 2014, 0:29:48 UTC - in response to Message 1500983.  
Last modified: 8 Apr 2014, 0:31:14 UTC

> Definitely a long way to go...
>
> "HMRC runs 5,000 servers but only 3% run Linux".
>
> Full Report

Thanks for that. All very scary! That is the HMRC you're talking about leaping into new and much more efficient and effective ways of working!!! Very scary...

I like the closing comments that show some of the ecology of why FLOSS works so well:

... Completing the open source circle, Dearnley said HMRC's experience with Hadoop has enabled it to contribute code back to the open source community. "As we develop in Hadoop we can put it back in the code stream. Even CESG encourages me to do that and it is encouraging for the team."

Dearnley said open source software would define the organisation's future. "It is as much about people as it is about technology – and the people have to believe in it."



IT is what we make it...
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 1501177 · Report as offensive
ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20334
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1501347 - Posted: 8 Apr 2014, 12:50:26 UTC
Last modified: 8 Apr 2014, 13:02:09 UTC

All by the power of FLOSS for a high profile security hiccup that has been able to be discovered from the code and quickly cleaned up:


Fears over 'heartbleed' security bug found in software

... 'Serious' vulnerability

A huge swathe of the web could be vulnerable because OpenSSL is used in Apache and Nginx server software. Statistics from net monitoring firm Netcraft suggest that more than 53% of the web's servers that between them host more than 500 million websites run these programs. It is not yet clear how many of those servers use the vulnerable versions.

The bug in OpenSSL was discovered by researchers working for Google and security firm Codenomicon.

In a blog entry about their findings the researchers said the "serious vulnerability" allowed anyone to read the memory of servers supposedly protected with the flawed version of OpenSSL. Via this route, attackers could get at the secret keys used to scramble data as it passes between a server and its users.

"This allows attackers to eavesdrop [on] communications, steal data directly from the services and users and to impersonate services and users," wrote the team that discovered the vulnerability. They called it the "heartbleed" bug because it occurs in the heartbeat extension for OpenSSL. ...



Diagnosis of the OpenSSL Heartbleed Bug

When I wrote about the GnuTLS bug, I said that this isn't the last severe TLS stack bug we'd see. I didn't expect it to be quite this bad, however.

The Heartbleed bug is a particularly nasty bug. It allows an attacker to read up to 64KB of memory...

... Then the read from memcpy is going to read whatever memory was near the SSLv3 record.

And apparently, there's a lot of stuff nearby.

To be honest, I am a little surprised at the claims of the people who found the Heartbleed vulnerability. When I heard about it, I figured that 64KB wasn't enough to look for things like secret keys...

... The researchers claim that they recovered secret keys, and I'd like to see a Proof of Concept for this. Please contact me if you find one...



Phew!

So as can be expected for FLOSS and Linux, that has indeed immediately hit the world headlines including the everyday general press.


So, no known actual exploits yet and any exploits would have to be from software running on the same platform... Still might be possible for 'phishing' trips to be tried for some cases...


The bug seems to have existed for about 2 years and has been patched in around 24 hours once discovered.

Even so, after you've updated, the advice seems to be to renew all x509 certs and change any passwords that might possibly have been exposed. That's going to make for a long day/week for some people...


And all uncovered and quickly fixed by the power of FLOSS...

Meanwhile in the proprietary world, what unknowns secretly lurk in the proprietary code used by everyone else that has likely secretly copied the same code to be left ignored and hidden like mines under the proprietary cloak...?


You can bet there's a lot of FLOSS eyes checking through all the code around this for some rapid clean-ups. Similarly so for proprietary?

IT is what we make it!
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 1501347 · Report as offensive
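
The over-read described in the diagnosis quoted above comes from trusting the payload length written inside the heartbeat message rather than the length of the record that actually arrived. As an added example (not code from this thread, the quoted article or OpenSSL), this simplified C model shows the RFC 6520 bounds check that makes a handler discard such a request; the function names and the constructed sample records are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PAD  16  /* RFC 6520 requires at least 16 padding bytes */

/* Payload length the peer claims, taken from the message itself. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes an unchecked memcpy(out, rec + 3, claimed) would read beyond the
 * received record. Computed only; the over-read is never performed. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t present = rec_len - HB_HDR_LEN;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler: returns the response length, or 0 to silently discard. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    /* Header, claimed payload and padding must fit in the record that arrived. */
    if (resp_len > rec_len || resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed); /* bounded copy */
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD);   /* real stacks use random padding */
    return resp_len;
}

/* Constructed sample: fills buf (>= 24 bytes) with a request whose length
 * field says `claimed` bytes but which carries only the 5 bytes "hello". */
size_t hb_sample_request(uint8_t *buf, uint16_t claimed)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HDR_LEN, "hello", 5);
    memset(buf + HB_HDR_LEN + 5, 0, HB_MIN_PAD);
    return HB_HDR_LEN + 5 + HB_MIN_PAD;   /* 24 bytes on the wire */
}

int main(void)
{
    uint8_t rec[24], out[64];
    uint16_t claims[] = { 5, 0xFFFF };  /* honest, then inflated length field */
    for (int i = 0; i < 2; i++) {
        size_t n = hb_sample_request(rec, claims[i]);
        printf("claimed %5u: over-read %zu, response %zu bytes\n", (unsigned)claims[i],
               hb_overread_bytes(rec, n), hb_build_response(rec, n, out, sizeof out));
    }
    return 0;
}
```

With the inflated length field an unchecked copy would run 65,514 bytes past the 24-byte record, which is the "up to 64KB" the diagnosis mentions; the hardened handler returns 0 and sends nothing.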
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1501653 - Posted: 9 Apr 2014, 11:30:38 UTC - in response to Message 1501347.  

Fixed isn't until someone knows they need a patch.

No auto-patch = serious security flaws.

Welcome to the world of Winlux!
ID: 1501653 · Report as offensive
ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20334
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1501667 - Posted: 9 Apr 2014, 12:33:29 UTC - in response to Message 1501653.  
Last modified: 9 Apr 2014, 12:34:54 UTC

> Fixed isn't until someone knows they need a patch.
>
> No auto-patch = serious security flaws.
>
> Welcome to the world of Winlux!

Well...

For my Linux desktop systems, they prompted that an update was ready that same day. Sure enough, for those interested to look at the updates list, the SSL fixes were in there for everything affected. The update took a mere few seconds. (That's the efficient beauty of modular systems!)


Sorting out the various servers is more of a chore due to needing to update the security certificates. You simply DO NOT want that to be done automatically!


However, from all this, the biggest hit (or possibly benefit) is for the users: You'd best rework all your online passwords to something new and easily non-obvious.


And perhaps this does highlight a danger in the freedom of no-cost availability breeding complacency. Then also, it is the same freedom that found the problem also...

Meanwhile, for the proprietary stuff hidden behind secrecy: Literally, who knows?!

IT is very much what we make it...
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 1501667 · Report as offensive
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1501670 - Posted: 9 Apr 2014, 12:42:55 UTC - in response to Message 1501667.  

What versions of the OpenSSL are affected?

Status of different versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable


Why not?

Is it because they were coded right but in the rush to upgrade to 1.0.1 and higher, the coders had a memory loss?

If so they need to install newer and faster ram :-)
ID: 1501670 · Report as offensive
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1504756 - Posted: 16 Apr 2014, 15:42:32 UTC

With all the hullabaloo regarding Microsoft's Windows Operating System it seems that it will be Linux instead that cripples the Internet...

Oh dear...
ID: 1504756 · Report as offensive
James Sotherden
Joined: 16 May 99
Posts: 10436
Credit: 110,373,059
RAC: 54
United States
Message 1505091 - Posted: 17 Apr 2014, 7:07:56 UTC

It might just be hackers are bored with Microsoft. They may have set their sights on LINUX the open source non hackable wonder code.

I'm betting we get to see a lot more of Linux getting hacked.

Old James
ID: 1505091 · Report as offensive
OzzFan Crowdfunding Project Donor, Special Project $75 donor, Special Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1505248 - Posted: 17 Apr 2014, 17:00:02 UTC

Oh yes, we will see many more Linux hacks. With embedded Linux being so lightweight, portable, and flexible, it is found in many devices from home WiFi routers to business level managed switches, routers, ATMs, etc. The more Linux is so prevalent on these important devices, the more the enterprising hackers will go after them.
ID: 1505248 · Report as offensive
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1506890 - Posted: 21 Apr 2014, 11:32:26 UTC

The fun starts...

Comment excerpt...

"The article is interesting news but CRA is unique - they knew they'd been hacked due to far greater security. Most places wouldn't know."

Article excerpt...

"a sophomore at The University of Western Ontario, a major research institution based in London. He's also an accomplished programmer, having placed first in a programming competition held by the London District Catholic School Board.

Solis-Reyes is also the creator of a BlackBerry phone application designed to solve Sudoku puzzles. Solis-Reyes released the app while he was still in high school."

Comment excerpt...

"As far as the hacker goes, it depends a little on his motivation and what he did with the hacked info. Was he seeking profit or just seeing if he could do it? Stupidity isn't necessarily criminal."

"Isn't ignorance Bliss".

Teenage Heartbleed hacker arrested
ID: 1506890 · Report as offensive
DrFoo
Joined: 17 Jul 99
Posts: 26
Credit: 28,975,189
RAC: 0
United States
Message 1508852 - Posted: 26 Apr 2014, 16:32:33 UTC

Um, OpenSSL is not Linux. It's a library that runs on many platforms, including Windows. And this bit about closing down the Internet doesn't even have anything to do with OpenSSL. It's a flaw in the way SSL is set up and administered. Maybe you should blame Network Solutions/Verisign and ...

Not to mention that it's not gonna happen. Seems to me MS has had the default set to NOT check the revocation lists for quite some time. Hmm...

Really, guys, this is truly reaching. Yes it's a major league PITA for those of us trying to properly admin servers, but it has absolutely NOTHING to do with Linux itself.
ID: 1508852 · Report as offensive
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1508882 - Posted: 26 Apr 2014, 17:55:14 UTC - in response to Message 1508852.  

Maybe not, but the main aim of this thread is to deride all operating systems aside from Open Source of which Linux is the main contender.

Is OpenSSL open source or proprietary software?
ID: 1508882 · Report as offensive
ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20334
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1509232 - Posted: 27 Apr 2014, 16:51:34 UTC - in response to Message 1508882.  
Last modified: 27 Apr 2014, 16:55:46 UTC

> Maybe not, but the main aim of this thread is to deride all operating systems aside from Open Source of which Linux is the main contender...

Please do not confuse "open source" that guarantees your continued freedoms (also known as "FLOSS" or "FOSS", the "L" emphasizes the libre freedom) as opposed to various commercial and proprietary or patents restricted "open source" where the code may be available for scrutiny but you also suffer various restrictions.

See: Wikipedia - Free and open-source software


As for any "derision"... There do seem to be a few Microsoft evangelists on these threads who look to be intent on polluting any comment that might not be promoting Microsoft. For myself, I'm still not sure whether that is due to the power of indoctrination by the Microsoft Marketing, paid shills, or the strong sense of allegiance engendered by having to pay lots of money to Microsoft for use of their software. Or if there is the more simple case of simply not knowing of anything else.


I'm sure others can read through this thread and note the biases and the various angles of approach.


And for a rather interesting perspective:

Microsoft's 'evil open source' man on life as HP's top cloud-wrangler

Sweating the assets and building up OpenStack

He brought Microsoft the open source it had viewed with such dread and now former Redmond man Bill Hilf is challenging the thinking at Hewlett-Packard.

Microsoft plucked Hilf from IBM in 2004 to become its general manager for open source and platform strategy at a time when Microsoft was waging a war on open source, calling it a “cancer”.

IBM, meanwhile, was so enthralled with the stuff it was spray-painting peace signs, hearts and Tuxes on city pavements in San Francisco and Chicago in an “IBM loves Linux" guerrilla ad campaign.

“When I first started at Microsoft, open source was truly considered a societal evil,” Hilf reflected on those early days for The Reg.

Since Hilf's time there, Microsoft now participates in open-source projects, has improved the way open-source code runs on Windows and has even developed software that manages Linux servers...



Following the various approaches seen over the years, my personal view of Microsoft's apparent view towards FLOSS is that all looks to be highly schizophrenic!


IT is what we make it...
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 1509232 · Report as offensive
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 24879
Credit: 3,081,182
RAC: 7
Ireland
Message 1509241 - Posted: 27 Apr 2014, 17:17:29 UTC - in response to Message 1509232.  

> ...There do seem to be a few Microsoft evangelists on these threads who look to be intent on polluting any comment that might not be promoting Microsoft.

Yep, if any reader looks back on both the "Geek" threads they will see most of the "MS Fanboys" using Linux as well.

The only evangelism on this thread is from an evangelist who demeans MS threads with "Geekiness".

Horses for courses!
ID: 1509241 · Report as offensive
OzzFan Crowdfunding Project Donor, Special Project $75 donor, Special Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1509291 - Posted: 27 Apr 2014, 20:07:02 UTC - in response to Message 1509232.  
Last modified: 27 Apr 2014, 20:08:38 UTC

> As for any "derision"... There do seem to be a few Microsoft evangelists on these threads who look to be intent on polluting any comment that might not be promoting Microsoft.


I think we need to revisit the definition of the term 'evangelist' because I do not think it means what you think it means. Apparently defending your FUD against Microsoft gets anyone thrown into such a label. I've not seen a single person in this thread evangelize Microsoft software.

> For myself, I'm still not sure whether that is due to the power of indoctrination by the Microsoft Marketing, paid shills, or the strong sense of allegiance engendered by having to pay lots of money to Microsoft for use of their software. Or if there is the more simple case of simply not knowing of anything else.


Yeah, clearly those are the only reasons to defend Microsoft from some of your wild allegations and strong implications or outright misinformation. Or is this just your way of keeping the flame of dissent alive without actually trying or attempting to understand those that don't agree with you?

> I'm sure others can read through this thread and note the biases and the various angles of approach.


I truly hope they can.
ID: 1509291 · Report as offensive
yo2013
Joined: 9 Mar 14
Posts: 173
Credit: 50,837
RAC: 0
Spain
Message 1509310 - Posted: 27 Apr 2014, 21:19:18 UTC

Hi,

I haven't read all the thread, but nevertheless I will express my thoughts. GNU/Linux is clearly more secure than Windows, mainly because security through obscurity doesn't work, and also thanks to some Unix's design decisions. Is it the more secure OS? No. For example, OpenBSD is more secure. Is it totally secure? No, even OpenBSD isn't. There are some completely secure OSes, in theory, (for example, some military OSes) but they are too simple and too restrictive to be used by the general public.

Anyway, I don't use GNU/Linux because it's more secure, but because it's (more or less) free software.
ID: 1509310 · Report as offensive
OzzFan Crowdfunding Project Donor, Special Project $75 donor, Special Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1509315 - Posted: 27 Apr 2014, 21:49:48 UTC - in response to Message 1509310.  
Last modified: 27 Apr 2014, 22:04:25 UTC

I tend to disagree that Linux is more secure purely because it is open source. Yes, there is a great advantage to being able to see the code with many eyes to make it better; however, marketplace penetration really isn't there for Linux, so I feel it's premature at best to claim this approach is better than "security through obscurity". This is why the Heartbleed topic was brought up! OpenSSL is open source and yet a huge flaw was found.

The real test to how secure an OS is when it is targeted almost exclusively by hackers like Windows currently is today.

Note that I am not claiming Windows is more secure! Far from it. My position is that there is no such thing as a secure OS; any determined hacker will get through given enough time. It doesn't matter if it is open source or closed source. A hacker will find the flaw in the very human programming of the code. The only secure computer is one that is locked in a room and does not have internet or network connectivity.

Personally, I don't use Windows because I feel that paid software is better (which I don't feel that way). I use Windows because I understand the inner working of the OS. I'm very familiar with working in it, and it does everything I need it to do, from games to video editing to browsing the web to using the command line. I truly enjoy working with the OS, which isn't something I can say for my various trips into several Linux distributions. I understand that others have great experiences with Unix/GNU Linux, and I say more power to them! I simply won't stand for someone spreading FUD on a topic I feel I'm qualified to speak up about, nor will I stand for the prevalent attitude that somehow Windows users are "lesser" than all other types of users.
ID: 1509315 · Report as offensive
ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20334
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1509507 - Posted: 28 Apr 2014, 14:05:56 UTC
Last modified: 28 Apr 2014, 14:08:32 UTC

For a light hearted interlude, here's something apt that was randomly coincidentally selected from a long long time ago:


> > Other than the fact Linux has a cool name, could someone explain why I
> > should use Linux over BSD?
>
> No.  That's it.  The cool name, that is.  We worked very hard on
> creating a name that would appeal to the majority of people, and it
> certainly paid off: thousands of people are using linux just to be able
> to say "OS/2? Hah.  I've got Linux.  What a cool name".  386BSD made the
> mistake of putting a lot of numbers and weird abbreviations into the
> name, and is scaring away a lot of people just because it sounds too
> technical.
        -- Linus Torvalds' follow-up to a question about Linux



In the *nix world, there is an old utility called fortune that displays a "fortune cookie". Often that is used as a greeting to start the day upon a login. The Linus quote came up for a small giggle on one of the old trusty Linux systems whilst doing the rounds this afternoon. There are some fun/silly/amazing/whatever quotes randomly hidden in there to be randomly served to lighten any frame of mind...

;-)


Aside: Note that originally Linux was NOT called that name by Linus very deliberately not to have it named after himself. However, as developments developed, the Linus -> Linux association gained de facto adoption by others regardless of whatever Linus might have named what we now call Linux.


IT is what we make it for ourselves...
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 1509507 · Report as offensive
OzzFan Crowdfunding Project Donor, Special Project $75 donor, Special Project $250 donor
Volunteer tester
Joined: 9 Apr 02
Posts: 15691
Credit: 84,761,841
RAC: 28
United States
Message 1509583 - Posted: 28 Apr 2014, 17:07:09 UTC - in response to Message 1509507.  

Oh sure, when Linux does something fun like that, you greet it with the light-hearted nature it is intended in, but when Microsoft puts Easter Eggs into its software, everyone cries about program bloat! ;-)

(Yes, I'm well aware that building in an entire FPS Shooter into Excel is considerably more code than a few lines quoting Linus Torvalds!)
ID: 1509583 · Report as offensive