Banking Botnets Are Worse Than Ever

Financial institutions continue to face threats from banking botnets built using trojan-style Internet attacks. The new activity occurs in spite of some recent successes with discovering and eliminating criminal botnets. According to a new report from Dell SecureWorks, users should not feel confident that the recent discoveries of the Ramnit, Shylock, and Gameover ZeuS botnets indicate a safer Internet. Several other forms of botnets are still prevalent, led by the Citadel trojan, which reportedly attacked 1,170 unique targets. The report says, "New threats arise with emerging technologies, and attacks on mobile banking platforms and advances in bypassing standard authentication mechanisms evolved in 2014."

More than 90% of the trojans were aimed at US financial institutions, but the 10% aimed at the rest of the world was still enough to cause some significant losses. More that 1,400 institutions around the world reported attacks from banking trojans.

The Register offers a concise summary of the SecureWorks report on banking botnets. You can download the full report from the SecureWorks site. Be ready to provide some demographic information.

Debian Project Releases Debian 8 "Jessie"

The Debian Project has announced the arrival of Debian 8 "Jessie." The latest release of the great free distro was two years in development. The team pledges to maintain this version for five years.

The vast Debian project includes more than 20,000 packages and supports a total of 10 architectures, including the usual Intel equivalents, as well as MIPS, IBM S/390, 32-bit ARM, and even the new ARM64/AArch64 architecture.

The change that has received the most attention is the presence of systemd as the default init system. The Debian project says systemd will provide "many exciting features, such as faster boot times, cgroups for services, and the possibility of isolating part of the services." The move to systemd was controversial, however, with many old guard Unix and Linux veterans preferring the classic SysVinit system and suspecting that commercial vendors like Canonical influenced the switch. (The SysVinit system is still available for Debian 8 – it just isn't the default option.)

The Debian package repositories contain all the popular Linux deskops, as well as user applications, network server applications, and development tools. Installation images are available for CD, DVD, USB stick, Blu-ray, and network installation. Debian also provides a pre-built image designed for the OpenStack cloud. Debian 7 users can upgrade to Debian 8 using the apt-get package management tool.

Debian isn't as much in the public eye as it used to be, but the massive project is still extremely influential as a background distro that forms the basis for several popular Linux alternatives. Ubuntu, Knoppix, Mint, and many other Linux distributions are based on Debian.

Linux Kernel Turns Over

Linux godfather Linus Torvalds has announced the availability of Linux kernel 4.0. Kernel watchers have known this new "major" release has been on the way, so the announcement was no surprise. For many products and projects, a new major version number is timed to mark major feature enhancements, but Linus downplayed the significance of change from the 3.X to 4.X series, stating "… we've had much bigger changes in other versions."

Torvalds has been quoted in the past as saying Linux would need to roll over to a new major version before getting past 3.20 because he wanted to be able to count the minor release numbers on his fingers and toes. Perhaps more to the point, he says he is "… personally so much happier with time-based releases than the bad old days when we had feature-based releases." According to the announcement, 4.0 does not come with a trove of experimental new features but is a very stable release.

One new feature that has drawn some excitement from the Linux community is the new live kernel patching infrastructure.

The Linux Foundation and the Internet Security Research Group (ISRG) have announced a new project aimed at promoting encryption on the Internet. The new service, known as "Let's Encrypt," is described as "… a free, automated and open security certificate authority for the public's benefit. Let's Encrypt allows website owners to obtain security certificates within minutes, enabling a safer web experience for all."

Despite advances in encryption and intrusion prevention, security problems continue to plague the Internet. Experts have long advocated universal encryption as a best-practice technique for minimizing attacks. The Let's Encrypt project is intended to make it easier for webmasters to install and maintain encryption. According to ISRG executive director Josh Aas, "Encryption should be the default for the web. The web is a complicated place these days; it is difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone's private data and information is protected while in transit over the web is to encrypt everything. Let's Encrypt simplifies this."

The founders of the Let's Encrypt project believe one reason website encryption is not universal is that conventional certificate authority services are too complicated, and often too expensive, to be an option for smaller websites. Let's Encrypt will provide certificates for free, and it will simplify the configuration at the web server so that a couple of easy commands are all that is necessary to implement encryption.

According to the project website, Let's Encrypt will be available to the public in mid-2015.