Language Selection

English French German Italian Portuguese Spanish

Security News

Filed under
Security
  • Security updates for Tuesday
  • EU updates smartphone secure development guideline

    The European Union Agency for Network and Information Security (ENISA) has published an updated version of its Smartphone Secure Development Guidelines. This document details the risks faced by developers of smartphone application, and provides ways to mitigate these.

  • CloudLinux 7 Users Get New Beta Linux Kernel Update That Addresses CVE-2017-6074

    CloudLinux's Mykola Naugolnyi announced today the availability of a new Beta kernel for the CloudLinux 7 operating system series, which patches a recently discovered and critical security flaw.

  • Linus Torvalds shrugged off warnings about 'insecure' SHA-1 in 2005

    LINUX FOUNDER Linus Torvalds was warned in 2005 that the use of the SHA-1 hash to sign code in Linux and Git was insecure and urged to shift to something better protected, but rejected the advice outright.

    Free software evangelist John Gilmore warned Torvalds ten years ago that "SHA1 has been broken; it's possible to generate two different blobs that hash to the same SHA1 hash".

    Gilmore penned his warning to Torvalds in April 2005, when MD5 had already been cracked and SHA1 remained "hard to crack" - but still crackable.

  • Subversion SHA1 Collision Problem Statement — Prevention and Remediation Options

    You probably saw the news last week that researchers at Google had found a scenario where they were able to break the SHA1 algorithm by creating two PDF files with differing content that produced the same hash. If you are following this story then you may have also seen that the Webkit Subversion repository had problems after a user committed these example files to their repository so that they could be used in test cases for SHA1 collisions.

  • making git-annex secure in the face of SHA1 collisions

    git-annex has never used SHA1 by default. But, there are concerns about SHA1 collisions being used to exploit git repositories in various ways. Since git-annex builds on top of git, it inherits its foundational SHA1 weaknesses. Or does it?

  • SSH Fingerprint Verification via Tor

    OpenSSH (really, are there any other implementations?) requires Trust on First Use for fingerprint verification.

    Verification can be especially problematic when using remote services like VPS or colocation.

    How can you trust that the initial connection isn’t being Man In The Middle’d?

  • Almost all Windows vulnerabilities are enabled by liberal 'admin rights'

    NEARLY OF THE VULNERABILITIES THAT AFFECT Microsoft's Windows operating system could be mitigated through a little careful control.

    Avecto, a security company, is the source of the latest revelation in this direction, and it says that 94 per cent of security problems could have been killed off if admin rights had been removed from the affected computer.

    This makes a lot of sense, since a computer that cannot be molested by a user cannot be molested by a third party. 94 per cent is just one example of the differences that can be made and Avecto says that in the case of Internet Explorer 100 per cent of risks are mitigated when rights are removed.

  • More on Bluetooth Ingenico Overlay Skimmers

    This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.

"Almost All Windows vulnerabilities are enabled by liberal admin

MS already has almost total control over the systems of Win10 users, now they just need a little more to make it "safe." I call BS.

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
--Benjamin Franklin, 1759

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Mozilla: Virtual Reality in Mixed Reality, Taskcluster Development

  • Building Bold New Worlds With Virtual Reality
    From rich text to video to podcasts, the Internet era offers an array of new ways for creators to build worlds. Here at Mozilla, we are particularly excited about virtual reality. Imagine moving beyond watching or listening to a story; imagine also feeling that story. Imagine being inside it with your entire mind and body. Now imagine sharing and entering that experience with something as simple as a web URL. That’s the potential before us.
  • This Week in Mixed Reality: Issue 3
    This week we’re heads down focusing on adding features in the three broad areas of Browsers, Social and the Content Ecosystem.
  • New to me: the Taskcluster team
    At this time last year, I had just moved on from Release Engineering to start managing the Sheriffs and the Developer Workflow teams. Shortly after the release of Firefox Quantum, I also inherited the Taskcluster team. The next few months were *ridiculously* busy as I tried to juggle the management responsibilities of three largely disparate groups.
  • Taskcluster migration update: we're finished!
    Over the past few weeks we've hit a few major milestones in our project to migrate all of Firefox's CI and release automation to taskcluster. Firefox 60 and higher are now 100% on taskcluster!

OSS Leftovers

  • After the First US Transaction, Propy Announces an Open Source Developer Program
    California-based blockchain startup Propy, is bringing the commercial use of blockchain technology to the US. After facilitating the first US Blockchain-based real estate deed in Vermont, Propy announced a new open source Developer Program. The idea behind Propy: it allows anyone to buy or sell real estate, anywhere, online. Propy provides an efficient crypto and fiat payment and an immutable record on the blockchain, ensuring that title deeds and property rights will be there forever.
  • Titus, the Netflix container management platform, is now open source
    Titus powers critical aspects of the Netflix business, from video streaming, recommendations and machine learning, big data, content encoding, studio technology, internal engineering tools, and other Netflix workloads. Titus offers a convenient model for managing compute resources, allows developers to maintain just their application artifacts, and provides a consistent developer experience from a developer’s laptop to production by leveraging Netflix container-focused engineering tools.
  • Netflix's Container Management System Is Now Open Source
    On Thursday Netflix announced it's made its home grown container management system, Titus, open source.
  • Lumina Networks on delivering open source SDN
    What kinds of companies should consider open source SDN, and what are the associated challenges in using such open source deployments? Lumina Networks has unrivalled expertise in working with customers and partners to deliver implementations, and explains its processes and outlines the benefits of using open source SDN.
  • Luxoft launches PELUX 1.0 open source platform for automotive
    Luxoft’s automotive division has launched PELUX 1.0, an open source platform available to developers. This has been developed from its PELUX software suite as used by carmakers and tier 1 suppliers to build converged infotainment, autonomous driving, communication, HMI and car body control systems.
  • Dev Preview: MongoDB Enterprise Running on OpenShift
    In order to compete and get products to market rapidly, enterprises today leverage cloud-ready and cloud-enabled technologies. Platforms as a Service (or PaaS) provide out-of-the-box capabilities which enable application developers to focus on their business logic and users instead of infrastructure and interoperability. This key ability separates successful projects from those which drown themselves in tangential work which never stops. In this blog post, we’ll cover MongoDB’s general PaaS and cloud enablement strategy as well as touch upon some new features of Red Hat’s OpenShift which enable you to run production-ready MongoDB clusters. We’re also excited to announce the developer preview of MongoDB Enterprise Server running on OpenShift. This preview allows you to test out how your applications will interact with MongoDB running on OpenShift.
  • Is Open Source The AI Nirvana for Intel? [Ed: openwashing a malicious company using buzzwords and urban myths]
  • Writing Chuck – Joke As A Service
    Recently I really got interested to learn Go, and to be honest I found it to be a beautiful language. I personally feel that it has that performance boost factor from a static language background and easy prototype and get things done philosophy from dynamic language background. The real inspiration to learn Go was these amazing number of tools written and the ease with which these tools perform although they seem to be quite heavy. One of the good examples is Docker. So I thought I would write some utility for fun, I have been using fortune, this is a Linux utility which gives random quotes from a database. I thought let me write something similar but let me do something with jokes, keeping this mind I was actually searching for what can I do and I landed up on jokes about Chuck Norris or as we say it facts about him. I landed up on chucknorris.io they have an API which can return different jokes about Chuck, and there it was my opportunity to put something up and I chose Go for it.

today's howtos

Security: Updates, IBM, Elytron and Container Vulnerability Scanning

  • Security updates for Friday
  • IBM Security launches open-source AI
    IBM Security unveiled an open-source toolkit at RSA 2018 that will allow the cyber community to test their AI-based security defenses against a strong and complex opponent in order to help build resilience and dependability into their systems.
  • Elytron: A New Security Framework in WildFly/JBoss EAP
    Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework that will be usable for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, which is PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in Wildfly.
  • PodCTL #32 – Container Vulnerability Scanning