Security: NPM, IT Security Lessons from the Marriott Data Breach, and Secure SHell

  • event-stream, npm, and trust

    Malware inserted into a popular npm package has put some users at risk of losing Bitcoin, which is certainly worrisome. More concerning, though, are the implications of how the malware got into the package—and how the package got distributed. This is not the first time we have seen package-distribution channels exploited, nor will it be the last, but the underlying problem requires more than a technical solution. It is, fundamentally, a social problem: trust.

    Npm is a registry of JavaScript packages, most of which target the Node.js event-driven JavaScript framework. As with many package repositories, npm helps manage dependencies so that picking up a new version of a package will also pick up new versions of its dependencies. Unlike, say, distribution package repositories, however, npm is not curated—anyone can put a module into npm. Normally, a module that wasn't useful would not become popular and would not get included as a dependency of other npm modules. But once a module is popular, it provides a ready path to deliver malware if the maintainer, or someone they delegate to, wants to go that route.

  • IT Security Lessons from the Marriott Data Breach

    A number of data breaches have been disclosed over the course of 2018, but none have been as big or had as much impact as the one disclosed on Nov. 30 by hotel chain Marriott International.

    A staggering 500 million people are at risk as a result of the breach, placing it among the largest breaches of all time, behind Yahoo at 1 billion. While the investigation and full public disclosure into how the breach occurred are still ongoing, there are lots of facts already available, and some lessons for other organizations hoping to avoid the same outcome.

  • The Dark Side of the ForSSHe: Shedding light on OpenSSH backdoors

    SSH, short for Secure SHell, is a network protocol to connect computers and devices remotely over an encrypted network link. It is generally used to manage Linux servers using a text-mode console. SSH is the most common way for system administrators to manage virtual, cloud, or dedicated rented Linux servers.

    The de facto implementation, bundled in almost all Linux distributions, is the portable version of OpenSSH. A popular method used by attackers to maintain persistence on compromised Linux servers is to backdoor the OpenSSH server and client already installed.
