Explore top 10 tips to secure your open-source projects now. Read More
×An attacker compromises a Linux container, launches a cryptominer, sets up a way to stay in the system through a background task, and disappears before the investigation even begins. By the time analysts start looking at the logs, the workload has shut down, and the container no longer exists. . This is the visibility problem modern Linux security teams are struggling with. Security teams depend on visibility. If they cannot see what is happening on a system, they cannot investigate attacks, understand suspicious behavior, or respond quickly when something goes wrong. That problem gets much harder in modern Linux environments. For years, endpoint detection and response tools — usually shortened to EDR — matured around Windows systems. Analysts grew used to having a clear view into processes, files, network connections, and suspicious activity. Linux never followed the same path. Why Attackers Are Targeting Linux Systems At the same time, Linux became the backbone of modern infrastructure. It now powers: Cloud platforms and production servers Containers and Kubernetes clusters Enterprise applications and databases Critical internet-facing services Attackers noticed that shift too. Linux malware, ransomware, cryptominers, and cloud-focused attacks have all grown steadily more common . The issue is not that Linux lacks security tools, or that it is “less secure.” The bigger problem is that Linux environments changed faster than most monitoring tools did. Infrastructure scales automatically in the background. In some environments, the system an analyst is investigating may no longer exist by the time the investigation even starts. That creates blind spots. Sometimes large ones. What Endpoint Detection Tools Monitor on Linux At a basic level, EDR tools collect activity data from systems so security teams can understand what happened during an attack. That data includes things like: Processes starting or stopping Files being created or modified Scripts running User logins Network connections Services being installed Scheduled tasks being created Why Linux Attacks Are Hard to Detect Most Linux attacks do not look malicious at first. Attackers often use the same tools administrators rely on every day, like Python, Bash, cron jobs, and curl, allowing malicious activity to blend into normal operations. Modern Linux environments also generate massive amounts of system activity. Containers spin up and disappear constantly, processes launch through APIs, and workloads move between hosts. Security tools may see a suspicious process running, but lack the context needed to understand what triggered it or where it started. That is the real challenge with Linux detection. The issue is rarely a lack of data. It is a lack of context. Linux Environments Don’t Behave Like Traditional Systems Traditional security tools were built for systems that stayed relatively stable. A workstation came online, ran the same software every day, and usually stayed in place for months or years. Modern Linux infrastructure rarely works like that anymore. Today, many Linux workloads run inside containers. Applications are broken into small, moving parts. New workloads appear constantly while older ones disappear just as quickly. Why Containers Create Visibility Blind Spots That speed changes everything for security teams: Evidence Disappearance: A container may only exist for a few seconds. If the tool misses activity during that window, the evidence may be gone forever. Vanishing Filesystems: Files can vanish before the tool has a chance to save the details. Complex Connections: It is harder to see which process started another because workloads are launched through automated platforms instead of direct commands. Why Linux Monitoring Is So Inconsistent Unlike Windows, Linux is highly fragmented. Organizations run different versions, different "kernels" (the core of the system), and different setups. Onemonitoring approach may work perfectly in one environment and fail completely somewhere else. That complexity forces vendors into difficult tradeoffs: Collect more data, and you risk slowing down the system or making it unstable. Collect less data, and analysts lose the ability to see important activity. Common Linux EDR Visibility Gaps Many organizations assume they have more visibility than they actually do. A dashboard may appear healthy. The tool is online. Alerts are flowing. Everything looks fine. Then the investigation starts. Suddenly, there’s no record of the background task that launched the malware. No data showing how the attacker kept their access. No record of failed logins. Researchers found major gaps in areas like: Core system (kernel) monitoring Background service tracking Scheduled task (cron) monitoring Failed login visibility Changes to running processes How Container Attacks Can Evade Investigations Consider a real-world scenario involving groups like TeamTNT, who target cloud environments. An attacker breaks into a cloud workload. They launch a cryptominer and set up a background task to keep the attack running. The malicious activity spikes the CPU, and the system automatically kills the "unhealthy" container and replaces it with a clean one. When analysts arrive, the evidence is gone. Without deep data that was captured and saved before the container vanished, analysts lose the full story. Missing data is hard to notice until you actually need it. Is your Linux visibility as strong as you think? The only way to know is to test it. If your team hasn't checked what your tools actually see during a container-based attack, now is the time to start Containers Make Endpoint Visibility Harder Containers made life easier for developers, but made security visibility harder almost immediately. At the core of the Linux system, a container is just a group of isolated processes. For securitytools, this creates challenges: Short Lifespans: A workload can do its damage and disappear before anyone looks at the logs. Isolation: A tool might see a process running, but struggle to see what the rest of the container looks like at that exact moment. Automation Layers: A command might be started by an automated script, making it hard for security teams to see who or what originally triggered it. Because production systems must stay stable, security tools often have to be very "light." Heavy tools aren't allowed on critical servers. So, vendors compromise—sometimes intentionally. Why More Security Data Is Not Always Better The solution seems obvious: just collect more data. In reality, that creates its own problems. The more data you collect, the more memory, storage, and processing power you use. Security teams also struggle with alert fatigue. Flooding analysts with endless data often slows investigations down instead of helping. What they need is useful context. That distinction matters. Process Monitoring Alone Is Not Enough Traditional tools focus on processes: a process starts, a process stops. This is useful, but incomplete. Take a "reverse shell" (a common attack tool) running through Python. On the surface, it looks normal. But the picture changes when analysts can actually see the script itself. Being able to see the details inside a script can expose: Hidden IP addresses Secret network connections Commands that are usually buried behind normal-looking activity This is why Linux detection is moving beyond just watching processes. The process itself rarely tells the whole story anymore. Attackers Already Exploit Linux Visibility Gaps Modern Linux security products use advanced hooks to capture activity. These improve visibility, but they are complex. Researchers have already shown ways to trick or bypass these monitoring methods. Attackers actively study where the "cameras" are turned off. Any blind spot eventuallybecomes useful to someone. Linux detection has to move beyond the basics because modern threats operate across: Containers and automated APIs System memory and hidden scripts Cloud infrastructure and the core kernel How Security Teams Can Improve Linux Visibility To bridge the gap, security teams should focus on these practical steps: Test Your Tools: Don't trust the dashboard. Run a test that mimics an attack and verify that your tool actually records it. Look Inside Scripts: Ensure your tools are capturing the actual commands inside a script, not just the name of the program (like "Python"). Track the Container Lifecycle: Match up cloud logs with your security tools to see what happened inside a container before it was deleted. Watch the Core System: Monitor for changes to the kernel—this is where advanced attackers hide. Check for Persistence: Test if you can see changes to background tasks and scheduled jobs that allow an attacker to stay in the system. Linux Visibility Still Matters Linux systems are no longer just sitting in the background; they run the most important parts of modern business. Attackers know how valuable these systems are. The challenge for defenders is visibility. Many assume Linux security works the same way Windows security does. In reality, it has a completely different set of challenges. The industry is improving, and new tools are closing the gaps. But one reality remains: A security tool can only protect what it can actually see. Stay Ahead of Linux Security & Infrastructure Trends Interested in more in-depth coverage of Linux security, CI/CD security, software supply chain defense, DevSecOps, and enterprise hardening strategies? Subscribe to the LinuxSecurity newsletter for weekly threat analysis, infrastructure security insights, and practical guidance covering the Linux and open-source ecosystem. Related Reading Why Container Security Monitoring Breaks Down in Ephemeral Environments How Linux Malware Evades Traditional Detection Tools Why Cloud-Native Infrastructure Creates Security Visibility Gaps The Challenges of Incident Response in Kubernetes Environments Why Traditional EDR Approaches Struggle in Modern Linux Systems . This is the visibility problem modern Linux security teams are struggling with. Security teams depen. attacker, compromises, linux, container, launches, cryptominer. . MaK Ulac
maddog, as he’s affectionately known throughout the Linux and open source community, has made a career of being in the trenches with the Linux developers, teaching them the way of Open Source and Free Software development after decades of being involved with technology and education. . In an exclusive interview with LinuxSecurity researchers, Jon "maddog" Hall, often referred to as “the Godfather of Linux”, reveals his history with Linux, some of his contributions to the community, a bit about its evolution, and his thoughts on what we might see with Linux in the coming years. LinuxSecurity: When was the first time you realized Linus really had something special with the creation of Linux and it was going to change the world the way it has? It took a while. When I first met Linus at DECUS in May of 1994 I saw an interesting project that could help develop research on 64-bit address spaces on top of the Alpha processor. As I talked with Linus I liked him both for his technical expertise, as well as for his personality. I also tried Linux on an Intel computer and was impressed with the speed and “feel” of the system. Later I began to think about having the same “Unix-like” system, with source code, available across all the different systems. Remember that BSD was still going through the lawsuit and was not available for free distribution. LinuxSecurity: You've talked about "world domination" with free and open-source software in the past - do you believe we've reached that point now? We have reached a lot of that in High-Performance Computing, Embedded Systems, Servers, and Android phones, but we are still not quite there on desktops and laptops (although Android-based Chromebooks are biting into that). LinuxSecurity: What do you think are some of the biggest open source accomplishments? High-Performance Computing (based on the work of the “Beowulf” systems by Donald Becker and Dr. Thomas Sterling), and the work on the Internet, including the World Wide Web. LinuxSecurity: How have the Linux and open source communities changed over the last twenty years? A lot more “Open Source Developers” are employed by companies or have their own companies based on “Open Source” and Free Software. LinuxSecurity: What impact has the pandemic had on Linux development, implementation, and features? Not much, since most FOSS projects were developed over the Internet anyway. I would say there has been a large increase in video conferencing tools, and ones that were marginal have many more features and scalability today. LinuxSecurity: Where do you think Linux has been most successful? Is there a specific industry that has benefited most, like healthcare or finance, or a specific field, like security or web hosting? Definitely web hosting and virtualization, and with that, security, which is very necessary in an Internet-based environment. LinuxSecurity: We've talked a bit about open source versus proprietary software as it relates to security. While the application of open-source may not inherently be more secure, open-source design and the concept of "many eyes" provides the ability for it to be more secure. Do you believe this is one of the successes of Linux and open source? What role does the "many eyes" aspect of open source have to the overall security of Linux? Actually, I do not believe in the “many eyes” aspect. I know of FOSS projects that have only one set of eyes on the code, and while many people *could* look at the sources, only the one person *does* look at it. Of course, the same can be said of much-closed source code too. I also do not believe in the concept that FOSS is more susceptible to security breaches because bad actors can “see where the bugs are”. If obscurity was the basis of security, then Microsoft would be the most secure system in the world…… In my mind the true benefit of Free Software (and I use that term instead of Open Source) is that the end-user has access to the source code so they can fixthe bug when it is found….in professional terms “Mean Time To Fix (MTTF)”. I have worked on (and owned) closed source systems. When the company that developed and shipped that system lost interest in it, you could no longer get security patches for it, even though many people might still be using it. The company might tell you to update to a newer version of their software, but they do not seem to realize (or care) that you can not do that. You do not have the money to buy new hardware to run the new operating system. The device controller that you have does not work with the new operating system or the new motherboard you have. The software that you use has not been ported to the new operating system or hardware. The reasons go on and on. While Windows XP was retired more than a decade ago, it is estimated that .6% of the PC base is still running Windows XP. That does not sound like a lot until you do the math and realize it is over 12 million systems. If Microsoft had released the source code for Windows XP, then owners of the systems could have formed a community to keep the system software securely patched… or at least as secure as it ever is. When Free Software developers detect a bug, they usually supply a source code patch that can be applied across multiple distributions, multiple hardware architectures, and multiple editions of Linux within hours. Some people say “Oh maddog! I do not have the expertise to apply those patches”. That might be true, but you have the ability to hire someone to apply those patches. It is YOUR choice, and YOUR control of YOUR software. With Microsoft you have no control ….it is not YOUR software . Jon Hall auf der CeBIT 2015 in Hannover, Olaf Kosinsky, Wikimedia Open-source security is big business. Many of the world's largest organizations have now contributed to the Open Source Security Foundation (OpenSSF) and others to improve the security of open-source software. Google committed $1 million to a new Linux Foundation opensource security rewards program after the Linux Foundation raised $10M itself to support open source security projects. Google has committed $100 million overall to support third-party foundations that manage open source security priorities and help fix vulnerabilities. LinuxSecurity: This is especially important at a time when we've seen an increase in supply chain attacks and ransomware attacks on the nation's infrastructure. Do you think Linux vendors are doing enough to protect their users? Where do you think the most significant improvements need to take place? As organizations shift more resources to the cloud, do you think this is a priority for organizations today? Do you think open source could be the solution to these national cybersecurity concerns? Security is a big problem and getting bigger and more intense as more and more systems control our daily lives. We can no longer fly planes or use elevators without computers. Autonomous cars are on the horizon. Years ago OpenBSD had a “side project” of developing security-related software and OpenSSH and OpenSSL were created. Much work was done to eliminate buffer overflows, etc. But more work has to be done. On the other hand, many security issues come from “bad user on device” or improper system and network administration techniques, so even the most secure code in the world will not protect your network… this is where security training and certification efforts like LPI’s come in. We need to build security in, not have it as an add-on later. We need to train “Mom&Pop” in basic security techniques and not to paste their passwords as a “sticky” on their screens or under their keyboards. LinuxSecurity: What's next for Linux in the security arena? I do not know what is “next”, but what I would like to see is a trusted system that enables a secure boot and trusted applications, built-in with a Free Software model and with certificates that can be generated by anyone, not just Microsoft. LinuxSecurity: We've talked about how Microsoft has discontinued support for many of their products, leaving tens of millions of users unable to keep their legacy systems secure. Do you think Microsoft should open source their legacy applications they no longer support? Do you think this would help to address the outstanding security concerns? I have discussed some of this above, and I think it would be great if Microsoft was to Open Source all of their products, but I do not believe that will happen, nor may it even be possible. Large corporations like Microsoft often buy technology from other companies or use technologies under license or NDA that may not allow them to share the source code with end-users. Likewise, it is not just the source code that has to be released, but the build environment that has to be duplicated to maintain a whole system. This would cost a lot of money. LinuxSecurity: What do you attribute the increase in malware/ransomware attacks on Linux systems, or even the use of Linux systems to conduct these attacks? The greater number of Linux systems doing ever more valuable things is the reason. Crackers have long used FOSS tools to attack systems to find holes in the target systems due to the flexibility of the systems. Many of these same people typically build better, more secure systems with the information that they find. LinuxSecurity: Microsoft has changed its position on Linux a few times over the years. Not only are they a member of the Linux Foundation, but they are also submitting patches to the Linux kernel "to create a complete virtualization stack with Linux and Microsoft hypervisor." How do you believe this benefits the Linux community to have an inherently private organization with a history of "embrace and extend" now contributing to the development of Linux? Do you believe they are making valuable contributions to open source initiatives, or just making it easier for their own applications to interoperate in an open-source world? Microsoft contributes toprojects that benefit Microsoft . I do not blame them for that, they are a corporation with stockholders and a particular business plan. I will point out that Microsoft (and many other vendors) love “Open Source” (that mostly benefits the developer) rather than “Free Software” which benefits the developer and the end user by making sure the end user has all the software and facilities they need to rebuild their environment. Likewise Microsoft has been coming to FOSS events for years, talking about their products and developments and contributions to FOSS people. Yet NOT ONE TIME has Microsoft allowed Free Software people to come to their USER GROUP meetings to freely talk about the benefits of Free Software to their end-users. Microsoft did, one time, allow Richard Stallman to talk to their research group, but not to their end-users. Imagine if Microsoft end users understood that they, the end-user, could have CONTROL of their own systems?... If Microsoft wanted to embrace Free Software they might start by making Microsoft Office more compatible with Libre Office through the support of Open fonts and Excel macros and ODF, and other methods. But no…. Jon Hall with his gadgets 1, AbhiSuryawanshi, Wikimedia LinuxSecurity: Projects you're working on for 2022? Caninos Loucos, a long-running program to develop completely open single-board computers in Latin America. It is going slower than I hoped, but it is still moving along. Project Caua , a program to help college students with paying for “incidental expenses” (room, board, books, computers, internet, transportation, etc.) in countries that have free Federal and State tuition for qualified students. More than forty percent of the qualified students can not take advantage of the free tuition because they are too poor to afford the “incidentals”. Project Caua could help students start their own business supporting small business owners who can not afford a full-time systems administrator. I am also very interested in theRISC-V architecture and FPGAs. Finally I am cleaning my house, where I have been “collecting” things for fifty years… it may take me another fifty to get rid of it all. Conclusion Jon ‘maddog’ Hall has made a lasting impact on open-source and free software development and continues to be one of the leading voices in Linux. maddog’s expert opinion has given us an idea of what the future might hold for the open source community and where some of the developments have fallen short. Thank you, maddog, for your time and for answering our questions. . In a fascinating discussion, tech visionary Jon 'maddog' Hall reflects on the growth of Linux, its importance in cybersecurity, and the ongoing progress within the open-source community.. Jon Maddog Hall, Linux Evolution, Open Source Contributions, Free Software Insights, Cybersecurity Developments. . Brittany Day
Welcome to LinuxSecurity.com - the community's central source for information on Linux and open source security since 1996. Whether you’re a new visitor or a long-time community member, this article will provide you with insight into the mission behind our site, our history and the content we provide. . Who We Are & What We Provide LinuxSecurity.com has served as the community's go-to resource for information on Linux and open source security for over two-and-a-half decades. We follow the latest open source security news , trends and advisories as they affect the community, and produce content that appeals to administrators, developers, home users, and security professionals. Having created a site that satisfies the needs of both IT professionals and those individuals seeking to learn more about security and Open Source, LinuxSecurity.com has grown to encompass not only this website but also two industry leading email newsletters , Linux Security Week and Linux Advisory Watch, which represent yet another opportunity to help further the advocacy and adoption of Linux by users worldwide. Just recently both the LinuxSecurity site and newsletters underwent a major redesign. We now offer the ability to create a user profile and customize your advisories based on the distro(s) you use. LinuxSecurity.com is owned and maintained by Guardian Digital . As a proud member of and contributor to the Linux community, Guardian Digital devotes the LinuxSecurity.com advertising revenues to covering the costs of maintaining the site to ensure access to LinuxSecurity.com will always be freely available to everyone. Our History LinuxSecurity.com was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues. Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators whodevote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. The LinuxSecurity.com editorial and web development staff also creates feature articles , commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth and adoption of Linux worldwide. As Dave founded LinuxSecurity.com and established the site as the Linux community’s central resource for security news, updates and information, he was simultaneously contributing to the foundation of the Linux community at a time when it was just getting started with his work on the revolutionary Linux Security HOWTO, a comprehensive overview of the security issues that Linux system administrators face, which also covers general security philosophy and a number of specific examples of how to improve the security of a Linux system. Dave reflects on the mission of LinuxSecurity.com, “I founded LinuxSecurity.com to serve as the authoritative voice of Linux and Open Source security news with content driven by the security needs expressed by this vibrant, up-and-coming community. Over two decades later, LinuxSecurity.com still strives to provide objective, helpful information and thought leadership content about security as it relates to the rapidly growing, revolutionary open-source product that Linux is.” Let’s Get In Touch! Community involvement is one of our core values, and we love to hear from LinuxSecurity community members. If you have a question, suggestion, or feedback, send us an email here:
To say that it’s an exciting time in the cybersecurity community is an understatement! Two of the most prestigious cybersecurity conferences - Black Hat USA 2021 and DEF CON - are rapidly approaching, featuring an impressive list of trainings and presentations. . LinuxSecurity will be covering Black Hat USA and DEF CON on social media, as well as interviewing a few renowned speakers and trainers from this year’s lineup, and then wrapping things up by summarizing the key findings and takeaways from this year’s events in a comprehensive feature article. Here’s what you need to know about these events and their coverage on LinuxSecurity, so you can stay up-to-date and informed on the latest cybersecurity trends, findings and insights - even if you won’t be among the lucky Black Hat USA and DEFCON attendees this year. Background Information Celebrating its 24th anniversary this year, Black Hat USA features briefings and trainings taught by experts from around the globe, providing offensive and defensive hackers of all levels with invaluable opportunities for firsthand technical skill-building. This year, Black Hat is excited to present a unique hybrid event experience. The event will begin with four days of real-time online Virtual Trainings (July 31-August 3), followed by the two-day main conference (August 4-5), which will be both a Virtual (online) Event and a Live, In-Person Event at the Mandalay Bay in Las Vegas. A detailed schedule of Trainings and Briefings can be found on the Black Hat website. Black Hat USA 2021 is immediately followed by DEF CON , an infamous hacker conference held in Las Vegas each year. The event consists of several tracks of speakers with expertise in the realm of computer security and hacking, as well as cybersecurity challenges and competitions (known as hacking “wargames”). LinuxSecurity Featured Experts LinuxSecurity will be speaking with multiple cybersecurity experts who are teaching courses at Black Hat USA 2021 including: Ryan MacDougall Chief Operating Officer, Social-Engineer, LLC Ryan MacDougall is a subject matter expert in the areas of network penetration testing, application security, protocol analysis, as well as social engineering. Ryan directed technical operations, as well as built and secured large networks for the financial and telecommunications industries, whose area of focus covers 6 countries, consisting of 3 data centers and 8 regional offices. During his 10 years running operations in a company that grew through M&A activities, acquiring, integrating, as well as standardizing operations, Ryan developed a deep understanding as well as insight into fundamental flaws present in a wide variety of enterprise environments. Ryan MacDougall is presently the Chief Operating Officer and Open Source Intelligence trainer for Social-Engineer, LLC. In addition, he runs operations during penetration tests and exercises with clients, as well as managing client relationships. Additionally, Ryan is also a multiyear Blackhat conference trainer and DEFCON SEVillage speaker, regarding social engineering as well as, open source intelligence gathering. Ryan will be presenting Practical OSINT for Social Engineers at Black Hat 2021. Madhu Akula Cloud Native Security Architect Madhu Akula is the creator of Kubernetes Goat, an intentionally vulnerable-by-design Kubernetes Cluster used to learn and practice Kubernetes Security. He is also a published author and Cloud Native security researcher with extensive experience. Madhu is an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, etc). He holds industry certifications like OSCP (Offensive Security Certified Professional), CKA (Certified Kubernetes Administrator), etc. Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON (24, 26 & 27), BlackHat USA (2018 & 19), USENIX LISA (2018 & 19), O'Reilly Velocity EU 2019, GitHub Satellite2020, Appsec EU (2018 & 19), All Day DevOps (2016, 17, 18, 19 & 20), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18), Nullcon (2018, 19), SACON 2019, Serverless Summit, null and multiple others. His research has identified vulnerabilities in over 200 companies and organizations including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, and he is credited with multiple CVE's, Acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. Also, Madhu is a technical reviewer of the Learn Kubernetes Security book published by Packt. He won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams. Madhu will be presenting A Practical Approach to Breaking & Pwning Kubernetes Clusters at Black Hat USA 2021. Jay Beale CTO, InGuardians Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and in his open source work. He is the architect of the Peirates attack tool for Kubernetes & the @Bustakube CTF cluster. He created Bastille Linux and the widely used CIS Linux scoring tool. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest and IDG confs. An author and speaker, Beale has contributed to nine books, two columns and over 100 public talks. He is a co-founder and CTO of the infosec consulting company InGuardians. Jay will be presenting A Purple Team View: Attacking and Defending Linux, Docker and Kubernetes at Black Hat USA 2021. We Want to Provide You with the Information You Want to Know Have questions about the upcoming Black Hat USA or DEF CON conferences, or an experience, story, or report to share? Is there a topic that will be covered at these events that you are particularly interested in? Is there something you would like to ask one of the presenters we will be interviewing?Let us know on Twitter and we will try our best to provide you with the information you are looking for! . Stay updated on cybersecurity trends with our insights from Black Hat USA and DEF CON featuring expert opinions.. Cybersecurity Events, Black Hat Coverage, DEF CON Insights, Expert Interviews. . Brittany Day
Defcon 26 provided individuals and organizations with valuable tips and insight on security and the latest and most effective defenses. Here are some security-related highlights from the event.. Defcon 26, a high-profile hacking conference that recently took place in Las Vegas, offered a multitude of predictions and implications regarding changes and trends in the field of cyber security. Although Defcon is an event that is mainly attended by ethical hackers who are aiming to learn how to better protect the systems they are responsible for, everyone can gain knowledge from the experts who spoke and the activities and contests that took place at Defcon 26. With cyber threats becoming increasingly prevalent and dangerous, cyber security is an issue that affects all individuals and organizations. According to CSO, cyber crime damage costs are expected to hit $6 trillion annually by 2021 (CSO Online). Email is an extremely popular attack vector used by cyber criminals, so effectively securing email accounts is becoming increasingly important. Here are two highlights from Defcon 26 and a summary of what they suggest in the context of today’s cyber threat landscape: 1. NSA Brings Nation-State Details to Defcon: “Spot the Fed” has been a longstanding tradition at Defcon, but the task was extremely easy this year. Rob Joyce, senior advisor for cybersecurity strategy at the NSA, discussed the latest details on nation-state hacking and defense. He suggested that there are four actors that are most concerning in regard to nation-state hacking: Russia, China, Iran and North Korea. In terms of defense strategies, Joyce emphasized that the transparency provided by public hacking is critical in finding and fixing flaws that nation-state hackers could exploit. He also referred to cybersecurity as a “team sport”, suggesting that the government and private enterprises should share information on vulnerabilities and attacks. Finally, Joyce reminded the audience that basic security measures, such as software patchingand multifactor authentication, should not be overlooked. (DarkReading) 2. Tesla Plans to Open-source Security Software: Following Defcon 26, CEO of Tesla Elon Musk announced that Tesla is planning to open-source its security software to other automakers for free. Musk feels that doing this will decrease the risk of cyber criminals hacking self-driving vehicles. Tesla has a good relationship with security researchers and whitehat hackers, whose work has led to the rapid fixing of various vulnerabilities in the past. Open-sourcing security software will likely encourage more security researchers to search for and identify vulnerabilities, making Tesla cars even more secure. (Electric) These are just two of many security-related highlights of Defcon 26. The schedule was packed with speeches from experts in the field of security, hacking-related activities and contests and Q & A sessions. As expected, Defcon 26 proved to be a hub for innovation in the field cyber security and advancement in the practice of ethical hacking. With the evolution of cyber crime and email-related threats, it is crucial that businesses and individuals stay informed and implement the latest and most advanced defenses and protection strategies. . Defcon 26, a high-profile hacking conference that recently took place in Las Vegas, offered a multit. defcon, provided, individuals, organizations, valuable, insight, security. . Brittany Day
It is customary for communities of every sphere to stand up occasionally, and take a good, long look at what . What would you really want to see on the site? Is it your distribution of choice? Hacking tips? Or new security applications? The newest vulnerability update? More Open Source business news? More RSS feeds? More focus on consistent and prominent Advisories? Whatever it is, you can help us continue to improve what we offer with this quick survey. It should take you a couple of minutes to complete, and in about two weeks, we'll post the results to the site. Survey Link: (As you access the survey, don't fill in the security question - it's not necessary!). Thank you for your input and stay tuned!. What would you really want to see on the site? Is it your distribution of choice? Hacking tips? Or n. customary, communities, every, sphere, stand, occasionally. . Brittany Day
Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux Security. A full immersion in the world of Linux Security from many sides and points of view. . Introduction And another year arrives. What will this 2005 give to us? Only chocolates, cakes, happiness and no other stress from the work or anything else? Ok, I'm just joking. Let's start! The year 2004 has been the year of Linux, according to many "linux critics". In my opinion, it has just been another year for Linux to demonstrate its power, usability, and security in comparison to other operating systems and commercial products. Many successes followed one another without a break. Management's View of Linux Security Today There is still very little consideration for Linux. It's a simple sentence, but a complex situation. Let's take the example of Italy (my home country). Only too few companies understood the real problem of security. Here is a simple example: "Hey manager, you could be a simple target for an attacker if you make this or do this with your LAN", "Hey Linux-Security-addict don't worry, please! We have so many computer experts in our company" Ok, nothing it's strange but the "computer experts" are really so expert? Many times we see how this computer experts are just some Windows beginners who want to conquer the world with a simple "double click". Well, dear managers, the security isn't only this. Security being synonymous with professional is a joke. Moreover I see how many Linux companies all over the world are growing up. This is another very good thing for us. It means that the managers are understanding day by day the problem and want to do everything to solve their big security problems. User's View of Linux Security However, with the passing of the time, there are many home users who love to configure good firewalls for their own computers or use commercial products. This is a very good thing but we're still far away from afull concept of "security". Security isn't just a simple firewall. Security is behavior! If you still take notes of your passwords on some papers and you leave them on your desktop ... well, you can be secure that you're not a security-care user. If you are not a connoisseur of social engineering and its techniques, you can't sleep at night very well, trust me. We can talk about Physical Security, too. If you still leave your computer unguarded at lunch break you can be secure that someone so curious and more clever than you will use your computer to have your sensitive data and use them for some uses (legal or not). So dear user, come on, be careful and don't be sure that you have a big security plan for your LAN. And ... trust no one to avoid social engineering. State of Linux Security On this side we can talk for hours but I have just a little space to spare. There are so many interesting projects that are helping the Linux community to solve the security problems. Linux is the most attaccked system from the attackers but it is even the most secure. Don't worry, isn't a contradiction. I just want to say that thanks to its structure , Linux can be considered as the most secure operating system today but thanks to many sleepy SysAdmin is the most attacked one, too. I appreciate many security projects, for example: Aide, Chkrootkit, Ettercap, Nmap, just to make some names about linux security related packages. I can't forget the SELinux Project, in my opinion the most important and useful kernel security patch never created without forget GrSecurity. What can be done? We must believe in security and in a secure world without attackers. We have to improve our behavior about security and be careful about everything. From the SysAdmin side, the best way to follow is to keep upgraded their systems and don't sleep at work. Finally, we have to burn every Windows copy and switch to Linux ;) Holiday Thanks I can't forget the somany linux security communities on the net and the big helps of the Linux Expert users through mailing lists, forums with the hope of helping the newbie one. It's really a wonderful thing, don't you think? It's just OpenSource and a perfect world is possible with it. Vincenzo Ciaglia is the founder of the Netwosix project and contributing writer for LinuxSecurity.com . The landscape of Linux security is ever-changing, necessitating proactive management and user education to effectively safeguard systems from emerging threats. Linux Security Insights, Proactive Security Management, Open Source Projects, Firewall Strategies. . Brittany Day
Just to give everyone an idea about who writes these articles and feature stories that we spend so much of our time reading each day, I have decided to ask Brian Hatch and Duane Dunston, the newest members of the LinuxSecurity.com team, a few questions. . I'd also like to begin by thanking both Brian Hatch and Duane Dunston for allowing us to conduct this interview. Before we get to that, let me give you a brief introduction as to who these folks are, although I promise you that you will receive plenty of insight the further you read: Brian Hatch is Chief Hacker at Onsight, Inc. [1] where he is a Unix/Linux and network security consultant. His clients have ranged from major banks, pharmaceutical companies and educational institutions to major California web browser developers and dot-coms that haven't failed. He has taught various security, Unix, and programming classes for corporations through Onsight and as an adjunct instructor Northwestern University. He is also co-maintainer of Stunnel [2] , an Open Source secure SSL wrapper used around the world to encrypt clear text protocols. Brian Hatch has been interviewed several times on his stances on security, full disclosure, and Open Source technologies. (See interview 1 and i nterview 2 .) Rather than retrace this ground, we thought we'd ask questions geared toward his personal rather than professional endeavors. Duane Dunston is a Computer Security Analyst at STG Inc. for the National Climatic Data Center [3] in Asheville, NC. He received his B.A. and M.S. de grees from Pfeiffer University and he has his GSEC certification from SANS [14] . Not only does he enjoy his work in computer security, he also likes t o get involved in its ever-growing technologies. LS: How did you attain your security knowledge? Did you get a CS degree, or was it on your own? Brian: I had your formal four year college education, but during that time had only one official computer class -Pascal - because they wouldn't teach C at the time. All my Unix, C, and security knowledge was self taught from the man pages, which is definitely not the way I'd suggest for maintaining sanity. Nowhere is there an 'asterisk means pointer' man page. Suffice it to say, my early C code was ugly as sin. Luckily I've deleted every copy, and burned the tape backups. Frequently I'm brought into security gigs in early stages to make decisions and get infrastructure in place, and then hand off the project to an employee, which means I frequently find myself in a position where I make hiring decisions. Because of my non-formal background, I am able to go in without preconceptions that certifications are the only mark of quality, and am able to get some extremely qualified folks hired even though they are sans certifications. (Pun intended.) Had I been a CS major, there still would have been no chance to take security-related classes at the time anyway - there was no security emphasis at the time. There was a small group of us who would compare notes and tricks, and this was invaluable, more than any formal classes would have been. Hopefully more educational institutions are integrating security concepts into their curriculum, because without it the code being whipped up throughout the world will continue to be largely crap. Programs with buffer overflows are unconscionable, and yet they pop up in every product out there still, despite being a known quantity with well defined solutions. Duane: I graduated from Pfeiffer University in 1997 with a BA in Sociology, the day after I ended up in Thaliand for about 5 months teaching English. When I returned there wasn't much work for a Sociology major straight from Thailand teaching English. I had some computer experience prior to that, though. My first PC was a Gateway 486 which I got back in '94. I started shadowing my best friend and former boss at work and there I was introduced toLinux. I continued to use Linux through Graduate school and learn more and more about security. After realizing I didn't want to be a Manager, which is what I have my graduate degree in, I decided I wanted to stay with computers but with Security. Nearly all of what I have learned has been on my own from websites, books, and having support from my managers to just experiment. LS: What are some of your other hobbies? Brian: Between writing books, writing the Linux Security: Tips, Tricks and Hackery newsletter [4] , preparing for a Linux security class I'll be teaching in January, answering questions about Stunnel and maintaining the Stunnel website , trying to keep up with current security issues on mailing lists like Bugtraq and VulnWatch, web pages like LinuxSecurity.com , something called a "Day Job", and a somewhat foreign concept in the computer geek circle called "wife and kids", I've very little free time. I like to read a lot, though the topic depends on the location. By myself, I usually pick security and geeky titles - I'll re-read W. Richard Stevens' books now and then for fun. But much more of my time is spent reading books such as Dinosaur Roar , Tumble Bumble , or Sheep in a Jeep to my daughter. If she stops paying attention, I start sneaking new characters in, such as Dmitri Dog, who is hounded by the evil Ashcroft Crow. I figure I need to sneak in anti-DMCA [12] sentiments early via allegory. Duane: I don't have many hobbies outside of computers. My interest tend to be around a particular aspect of computers. In particular, parallel computing, cryptography, finding good uses of open source in the business world, and computer forensics. I do have an interest in the arts. In particular, what is going through an artist's mind as he or she is working. Two of my friends are artist and I really enjoy being around them, and other artists, and listening to them brainstorm ideas or talk aboutwhat their work means to them. LS: Supposing you had free time, what would you be doing with it? Brian: I'd devote some time to helping out the Linux Security Module project. I hope to help port systrace to LSM next year. Currently it is a kernel patch, and I think the community would be served better in the long run by having it available as an LSM module, which would make it more accessible to those who fear kernel compilation. And some day I hope to get around to turning some of the megs of perl code I've written over the years into well defined Perl modules for CPAN. Then I won't be the only one supporting this spaghetti code. ;-) If I had infinite time, I'd learn to play the Hammered Dulcimer and French Horn. There's nothing in the world as musical as a well-played French Horn. LS: In your opinion, what is the most interesting thing about Linux and Security? Brian: The first thing is that, with Linux, security is a possibility. It is not an end point - you must constantly keep abreast of new attacks and revisit your security posture - but there is nothing that is unavailable to you if you want to look. Closed source systems can never offer this. By design, be it chosen for monetary reasons or to prevent competition, closed source products always hide details from the users and administrators that could be critical to understanding how thing function, and how they can be broken. One of the beauties of Linux (and other open systems, such as *BSD) is that you can use them to boost the security of those closed source machines. By the liberal application of Linux machines throughout your infrastructure, you can keep those exploits-waiting-to-happen locked down where they can do less harm. For more of my ranting on this topic, see my article Linux is Securable -- I won't waste time rambling here. What is most intriguing right now on the Linux horizon is the evolution of securitycontrols. In the beginning, all you had to work with were file permissions. Root could do absolutely anything unchecked, and root access was required for some things such as binding low network ports or opening raw sockets, which meant use of set userid bits on programs, which frequently were broken to gain root access. Next came capabilities, where each bit of root's power was defined in more specific terms. When determining if a process could bind port 80 originally you'd check to see if uid==0. Now you'd check if the process had the CAP_NET_BIND_SERVICE capability. In theory, you could now remove capabilities from the system -for example removing the ability to load kernel modules ever again, which is good for defending against malicious LKMs. This compartmentalization was a good evolutionary step, but it didn't get used much in the real world. You had only global access to turn off a capability, and you'd never have it available again, except by rebooting. You couldn't assign a capability on a process-by-process level, which made it much less useful. Then came some excellent security kernel patches. LIDS [7] , Grsecurity [8] , SELinux [9] , and others. Finally we had ways to give abilities to only the processes that needed them. We could completely lock down our machine such that any deviation from what we have allowed will fail. Should an unknown buffer overflow occur, the cracker can't bind an inbound rootshell on port XYZ, it won't be able to read files outside those we've allowed, and won't be able to write to the file system anywhere. If they break in as root, they still can't change anything in /etc unless they know yet another password, they won't be able to Trojan files in /bin, or insert a loadable kernel module into the system. Life is good. But, life could be better. These patches are not integrated into the kernel. You won't get them on your Red Hat CD, or your Debian download. (Though some places do shiphardened kernels, such as Owl which contains the OpenWall [10] kernel security patches, or EnGarde [11] , which comes with LIDS.) So normal users need to go out of their way to patch and recompile the kernel - a daunting task. So, the current bright spot on the Linux security horizon in my opinion is the Linux Security Module infrastructure, which promises to make it possible to load these advance Linux security policy behaviors without a kernel recompile, thus removing a significant barrier to the new Linux administrators. If we can get more of the LSM modules to be stackable where appropriate, we'd be able to pick and choose the best of the features of each, something which currently involves manually merging kernel patches - quite a painful endeavor. So, as we enter this new era of Linux security, you bet I'm excited. Just tell your manager that it's a "Paradigm shift" and they'll give you time to play with it too. Duane: Computer forensics reigns supreme in my opinion. These experts provide us the information we need to fine tune the tools we currently use and the tools needed to prevent attacks from occurring in the future. Sifting through megabytes or gigabytes of data to find one clue as to how someone compromised a system has to be tedious but the information they find helps us quickly learn how to patch the vulnerability and create tools to help detect how a system was compromised. I just don't think the security industry can survive without forensic experts. There are many people who aren't forensic "experts" who can and do identify how a system was compromised and they also provide the community with valuable information. However, the forensic experts can dig down and find the root of the problem and the information they provide can then be used to help fine tune currently used tools and methods. LS: What are some of the lessons you you have learned in your years in computer security? Brian: Well, in no particular order, here are a few things that pop to mind. Never bother with a technological hack when a social engineering one takes ten seconds. Posting a piece of paper listing a 'contest for the most creative and verifiable username/password' in a college campus food court will get you several hundred valid entries you can use at will. The easiest way to get access to a friend's account is to get them to 'xhost +' to play network xtank. The next easiest is to untar /etc/shadow from the backup tapes that the administrator leaves next to the tape drive. Sometimes the perfect hack is just one click away. When you have a frustrating week, let the script kiddies amuse you. Set up a honeypot with as much known-buggy software as you can find. Break almost all the tools. Don't include vi or emacs, make them learn ex. Include perl, but no modules. Install the Fortran compiler, but no others. Include netcat, but not telnet. Make the default shell tcsh, and remove all Bourne shell variants. Delete all terminfo/termcap definitions. Don't include more, less, or any other pager. Compile a version of cat that randomly swaps letters every so often. Never put that honeypot anywhere near your actual machines. Use mutt. A good mailer is key to getting work done, and you can't be secure if you're too busy wading through your email. If you can't do it from the command line using Netcat, you don't actually understand how it works. If you can give the root password to your enemy and he can't compromise your system, you've done a good job securing it. Every now and then, lock the root password on your own machine and try to recover it. You'll learn where your own weakness are, and hone your skills. Make sure you have a throttle on any software that can page you. Never rename /usr/lib/libc.a. Always have a statically linked shell, in case another administrator renames libc.a and you need to re-create it using nothing but shell built-ins. And check your logs. Always check your logs. Duane: The most important lesson I have learned is that management support is critical to any security person's job. If you don't have management support to shut down services, put up a firewall, install file-integrity, enforce policies, etc. then there is not much use to be around. All you are going to be doing is fighting fires and that can get old real quick. As security professionals we have to keep managers informed with what is going on in the security world in plain terms. Some managers don't understand the language of security people. A little bit of downtime to enable security is a small trade off compared to the downtime of a compromise or a well=publicized hack. I have been very fortunate to have very supportive supervisors. If you want to get their support then provide them hard facts and not theory. That doesn't mean you have to run an exploit to prove your point but you can show them logs from your Intrusion Detection Sensor's or logs from the firewall or from any other devices you run. LS: What got you interested in the field of computers/Linux/security? Brian: Apparently I was born with an inherent distrust and paranoia. When I got my first computer, an Apple ][, I spent ages developing a completely secure 'hello' program. In order to boot off the disk, you needed several passwords, and could not drop out of it using any of the existing methods such as ctrl-reset, etc. You couldn't boot off a separate disk to access the files because I slightly modified the disk layout to be not compatible. When I try to think back to why I did this, I have no idea. There wasn't a damn thing on those disks that was private or, for that matter, interesting even to me. Just the 'help Brian to learn to spell' programthat my mother and I wrote. My actual interest in computers started from that very machine. I was playing Snake Byte (ahh, I miss that game) and hit ctrl-reset by mistake. I was dropped down to an asterisk prompt, and discovered it could do simple integer math. 2+2==4, 6+3==9. However when I got to higher results, such as 5+7 I was confused by the answer "C". It took me a while to figure out what was going on, and soon I learned to think in hexadecimal, though it was many years before I learned what it was called. Knowing only some apple DOS and BASIC commands, I tried 'list' to see what the program looked like, but at the assembler prompt. "L" meant "List a page of assembly instructions", "I" meant inverse, "S" meant "Step one instruction", and "T" meant "trace execution". So instead of getting a look at a BASIC program, I was accosted by pages of machine code in a manner less friendly that gdb. I think that was my "Eureka!" moment where suddenly I knew there was something completely foreign out there, and I wanted to learn everything about it. Since then, my drive for security has come from both directions. I'd be on a project where we were supposed to RCS everything, but the administrators failed to put us in the proper groups to be able to do our work. Some of their build process used sudo to chown files to the install user before packaging them up. This meant we all had unrestricted chown access, although that fact was buried deep inside the Makefiles. So, a quick 'sudo chown bri /etc/group; vi /etc/group; sudo chown root /etc/group' was all it took for us to get our work done and make our deadline. The same personality traits that make me want to find the weaknesses in systems is the one that makes me want to lock things down as much as possible too, and I think most security freaks are the same way. Duane: I got into security after a security incident occurred at an organization I was affiliated with. Itbecame a sort of obsession trying to understand why someone hacked their server. The server that was attacked had nothing significant on it. However, I soon learned that there has to be nothing of significance on the computer by simply having high-speed access, large storage space, or just having an Internet connection was enough for someone to compromise a server. That year SANS had some of their courses freely available and I went through those documents and audio files with a fine-toothed comb. I remember spending Christmas that year at my alma matr's computer systems learning how to interpret syslog messages, how to enable tcp_wrapper support, using Crack, and how to run nmap. My supervisor, Bob, and my best friend, Bone, both knew security was important and welcomed and supported any advice. LS: Brian, I see that you're donating all online proceeds from sales of Hacking Linux Exposed, Second edition to the Electronic Frontier Foundation. Brian: I'm extremely worried about many recent changes that are affecting the world of technology -- the DMCA and the continued threat of decreased privacy being the most obvious. I'm a member of the EFF [13] , and thought this would be another good way to support them. We've set up 'associates' accounts with Amazon and Barnes and Noble, and all the money we get through those accounts we'll send to the EFF. This actually goes for any purchases that 'originate' at our site too. See our books page for more info. LS: Duane, during the many email conversations we have had, you have expressed some ideas about security related education, would you mind explaining those a little? Duane: I would like to see a more systematic approach to teaching the basics of security and making this information freely-available. If System Administrators took care of the most common vulnerabilities then that would greatly reduce their chances of being compromised and make their job less frustrating. I know thetime investment it takes to administer many servers but there has to be time for security. Onsight Inc. - Perl Training | Python Training | Linux Training | Tcl/Tk Training | Programming Courses - By Onsight Onsight offers security design and implementation consulting, as well as on-site training in Unix and Network security, Basic Perl programming, Advanced Perl programming, CGI programming using Perl, Tcl/Tk, XML and JavaScript. Stunnel - stunnel: Home Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. National Climatic Data Center - NCDC is the world's largest active archive of weather data. Linux Security - Tips, Tricks, and Hackery - This newsletter shows both defensive and offensive security tricks you can apply to your Linux (and other Unix-like) systems. Linux Security Module - The Linux Security Modules (LSM) project provides a lightweight, general purpose framework for access control. Systrace - Systrace - Interactive Policy Generation for System Calls Systrace enforces system call policies for applications by constraining the application's access to the system. LIDS - Linux Intrusion Detection System - LIDS is a kernel patch and admin tool to enhance the linux kernel security. Grsecurity - grsecurity Grsecurity is an extensive set of security patches to the 2.4 tree of Linux kernels. SELinux- SELinux, the Security-Enhanced Linux (previously known as NSA Linux) provides a flexible Mandatory Access Control system. OpenWall - Linux kernel security hardening patch from the Openwall Project The OpenWall patch is a collection of security-related features for the 2.2 Tree of Linux kernel, EnGarde Secure Linux - Guardian Digital Makes Email Safe For Business - Microsoft 365, Goo.... EnGarde Secure Linux is a comprehensive software solution that provides all the toolsnecessary to build a complete online presence, including DNS, W eb, e-mail services, and more. Anti-DMCA - The Anti Digital Millenium Copyright Act Website. Electronic Frontier Foundation - Electronic Frontier Foundation | Defending your rights in the digital world EFF is a donor-supported membership organization working to protect our fundamental rights regardless of technology. SysAdmin, Audit, Network, Security - Cyber Security Training, Degrees & Resources | SANS Institute The SANS Institute is a cooperative research and education organization. . Introducing Sarah Fields and Mark Thompson, the new contributors at CyberDefense.net. Delve into their experiences and perspectives in this article.. Brian Hatch, Duane Dunston, Linux Security, Open Source, Cybersecurity Experts. . Duane Dunston
Get the latest Linux and open source security news straight to your inbox.