Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Mobile apps and stealing a connected car

    The concept of a connected car, or a car equipped with Internet access, has been gaining popularity for the last several years. The case in point is not only multimedia systems (music, maps, and films are available on-board in modern luxury cars) but also car key systems in both literal and figurative senses. By using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices. On the one hand, these are absolutely useful features used by millions of people, but on the other hand, if a car thief were to gain access to the mobile device that belongs to a victim that has the app installed, then would car theft not become a mere trifle?

  • [Video] Keynote: Security and Privacy in a Hyper-connected World - Bruce Schneier, Security Expert
  • RSA Conference: Lessons from a Billion Breached Data Records

    Troy Hunt sees more breached records than most of us, running the popular ethical data breach search service "Have I been pwned." In a session at the RSA Conference this week, Hunt entertained the capacity crowd with tales both humorous and frightening about breaches that he has been involved with.

    One of things that Hunt said he is often asked is exactly how he learns about so many breaches. His answer was simple.

    "Normally stuff just gets sent to me," Hunt said.

    He emphasized that he doesn't want to be a disclosure channel for breaches, as that's not a role he wants to play. Rather his goal is more about helping people to be informed and protect themselves.

  • How Google Secures Gmail Against Spam and Ransomware

    Google's Gmail web email service is used by millions of companies and consumers around the world, making it an attractive target for attackers. In a session at the RSA Conference here, Elie Bursztein, anti-fraud and abuse research team lead at Google, detailed the many technologies and processes that Google uses to protect users and the Gmail service itself from exploitation.

  • IBM Reveals Security Risks to Owners of Previously Owned IoT Devices

    hen you sell a car, typically the new owner gets the keys to the car and the original owner walks away. With a connected car, Charles Henderson, global head of X-Force Red at IBM Security, found that the original owner still has remote access capabilities, even years after the car has been sold.

    Henderson revealed his disturbing new research into a previously unexplored area of internet of things (IoT) security at the RSA Conference here on Feb. 17. In a video interview with eWEEK, Henderson detailed the management issue he found with IoT devices and why it's a real risk.

    "As smart as a connected car is, it's not smart enough to know that it has been sold, and that poses a real problem," Henderson said.

Security News

Filed under
Security

Security News

Filed under
Security
  • OpenSSL project releases patch to fix critical bug
  • Microsoft's monthlong patch delay could pose risks [Ed: Microsoft is in no hurry because there are back doors it knows about but keeps secret anyway]

    Microsoft has decided to bundle its February patches together with those scheduled for March, a move that at least some security experts disagree with.

    "I was surprised to learn that Microsoft wants to postpone by a full month," said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email. "Even without knowing all the details, I find such a decision very hard to justify. They are aware of vulnerabilities in their products and have developed fixes; those should always be made available to customers in a timely fashion."

    Microsoft took everyone by surprise on Tuesday when it announced that this month's patches had to be delayed because of a "last minute issue" that could have had an impact on customers. The company did not initially specify for how long the patches will be postponed, which likely threw a wre

  • Zero-day flaw around, but Microsoft updates delayed by a month
  • Microsoft misses regular security fix date

    Microsoft has delayed the release of a security update that would have fixed a vulnerability cyber thieves are known to be exploiting.

    The fix was to be released as part of Microsoft's regular monthly security update for its Windows software.

  • How Google reinvented security and eliminated the need for firewalls

    In some ways, Google is like every other large enterprise. It had the typical defensive security posture based on the concept that the enterprise is your castle and security involves building moats and walls to protect the perimeter.

    Over time, however, that perimeter developed holes as Google’s increasingly mobile workforce, scattered around the world, demanded access to the network. And employees complained about having to go through a sometimes slow, unreliable VPN. On top of that, Google, like everyone else, was moving to the cloud, which was also outside of the castle.

  • No Firewalls, No Problem for Google

    On Tuesday at RSA Conference, Google shared the seven-year journey of its internal BeyondCorp rollout where it affirms trust based on what it knows about its users and devices connecting to its networks. And all of this is done at the expense—or lack thereof—of firewalls and traditional network security gear.

  • Android Phone Hacks Could Unlock Millions of Cars

Security News

Filed under
Security
  • Thursday's security updates
  • Capsule8 comes out of stealth to help protect Linux from attacks

    Capsule8 has emerged from stealth mode to unveil its plans for the industry’s first container-aware, real-time threat protection platform designed to protect legacy and next-generation Linux infrastructures from both known and unknown attacks. Founded by experienced hackers John Viega, Dino Dai Zovi and Brandon Edwards, Capsule8 is being built on the real-world experience of its founders in building and bringing to market defensive systems to protect against exploitation of previously unknown vulnerabilities. The company raised seed funding of $2.5 million from Bessemer Venture Partners, as well as individual investors Shardul Shah of Index Ventures and Jay Leek of ClearSky. The funding will help fuel the launch of the Capsule8 platform spring 2017.

  • Bruce Schneier Says Government Involvement in Coding Is Coming

    Security expert Bruce Schneier is painting a grim future for the tech community as the government will start to stick its nose into people’s codes.

    Schneier, present at the RSA Conference, said that until now everyone had this “special right” to code the world as they saw fit. “My guess is we’re going to lose that right because it’s too dangerous to give it to a bunch of techies,” he added, according to The Register.

  • How To Shrink Attack Surfaces with a Hypervisor

    A software environment’s attack surface is defined as the sum of points in which an unauthorized user or malicious adversary can enter or extract data. The smaller the attack surface, the better. We recently sat down with Doug Goldstein (https://github.com/cardoe or @doug_goldstein) to discuss how companies can use hypervisors to reduce attack surfaces and why the Xen Project hypervisor is a perfect choice for security-first environments. Doug is a principal software engineer at Star Lab, a company focused on providing software protection and integrity solutions for embedded systems.

  • Xen Project asks to limit security vulnerability advisories
  • Xen Project wants permission to reveal fewer vulnerabilities
  • Xen Project proposes issuing fewer advisories
  • Verified Boot: From ROM to Userspace

    Amid growing attacks on Linux devices, the 2016 Embedded Linux Conference demonstrated a renewed focus on security. One well-attended presentation at ELC Europe covered the topic of verified boot schemes. In this talk, Marc Kleine-Budde of Pengutronix revealed the architecture and strategies of a recently developed verified boot scheme for a single-core, Cortex-A9 NXP i.MX6 running on the RIoTboard SBC.

  • Yahoo's Security Incompetence Just Took $250 Million Off Verizon's Asking Price

    So last year we noted how Verizon proposed paying $4.8 billion to acquire Yahoo as part of its plan to magically transform from stodgy old telco to sexy new Millennial advertising juggernaut, which, for a variety of reasons, isn't going so well. One of those reasons is the fact that Yahoo failed to disclose the two, massive hacks (both by the same party) that exposed the credentials of millions of Yahoo customers during deal negotiations. The exposure included millions of names, email addresses, phone numbers, birthdates, hashed passwords (using MD5) and "encrypted or unencrypted" security questions and answers.

    As noted previously, Verizon had been using the scandal to drive down the $4.8 billion asking price, reports stating that Verizon was demanding not only a $1 billion reduction in the price, but another $1 billion to cover the inevitable lawsuits by Yahoo customers.

  • Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

    One of the most effective ways the Wordfence team keeps the WordPress community and customers secure is through something we call the ‘Threat Defense Feed’. This is a combination of people, software, business processes and data. It’s an incredibly effective way to keep hackers out and provide our customers with early detection.

  • The 7 security threats to technology that scare experts the most

    What happens if a bad actor turns off your heat in the middle of winter, then demands $1,000 to turn it back on? Or even holds a small city’s power for ransom? Those kinds of attacks to personal, corporate, and infrastructure technology were among the top concerns for security experts from the SANS Institute, who spoke Wednesday during the RSA conference in San Francisco.

    Some of these threats target consumers directly, but even the ones that target corporations could eventually “filter down” to consumers, though the effects might not be felt for some time.

Security News

Filed under
Security
  • Wednesday's security updates
  • 10 Week Progress Update for PGP Clean Room

    This Valentine’s Day I’m giving everyone the gift of GIFs! Because who wants to stare at a bunch of code? Or read words?! I’ll make this short and snappy since I’m sure you’re looking forward to a romantic night with your terminal.

  • And hackers didn't have much luck either with other flaws in the mobe OS

    Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few of people have ever suffered at the hands of its bugs.

    Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95 per cent of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.

  • This Android Trojan pretends to be Flash security update but downloads additional malware
  • Pwnd Android conference phone exposes risk of spies in the boardroom

    Security researchers have uncovered a flaw in conference phone systems from Mitel that create a means for hackers to listen in on board meetings.

    Boffins at Context Information Security managed to gain root access and take full control of a Mitel MiVoice Conference and Video Phone, potentially enabling them to listen to meetings without alerting the room's occupants. The flaws also created a way to plant a remote backdoor on to an enterprise network.

  • Why do hackers focus so much on Android? It’s simple, really

    It seems that, despite what many thought was a supply and demand issue, Android is by far the most appealing, accessible and, essentially, antiquated arena for cyber-criminals to flourish in.

  • Google Touts Progress in Android Security in 2016

    Google has a daunting task of scanning 750 million Android devices daily for threats and checking 6 billion apps for malware each day as part of its management of 1.6 billion active Android devices. The numbers are staggering for Adrian Ludwig, director of Android Security; six years ago, when he joined Google, he said being responsible for the security of what would eventually be billions of Android devices seemed overwhelming.

Security Leftovers

Filed under
Security
  • Re-thinking Web App Security

    The implications of storing your data locally are quite profound.

  • ASLR^CACHE Attack Defeats Address Space Layout Randomization

    Researchers from VUSec found a way to break ASLR via an MMU sidechannel attack that even works in JavaScript. Does this matter? Yes, it matters. A lot. The discovery of this security flaw along with the practical implementation is really important mainly because of two factors: what it means for ASLR to be broken and how the MMU sidechannel attack works inside the processor.

  • The Biggest Risk with Container Security is Not Containers

    Container security may be a hot topic today, but we’re failing to recognize lessons from the past. As an industry our focus is on the containerization technology itself and how best to secure it, with the underlying logic that if the technology is itself secure, then so too will be the applications hosted.

    Unfortunately, the reality is that few datacenter attacks are focused on compromising the container framework. Yes, such attacks do exist, but the priority for malicious actors is mounting an attack on applications and data; increasingly for monetary reasons. According to SAP, more than 80 percent of all cyberattacks are specifically targeting software applications rather than the network.

Security Leftovers

Filed under
Security

CloudLinux 7 Gets New Linux Kernel Update to Fix Memory Leak, XFS Issue, More

Filed under
Linux
Security

CloudLinux's Mykola Naugolnyi announced today the availability of a new kernel update for CloudLinux 7 operating system series, urging users to update their machines immediately.

CloudLinux 7's kernel packages have been updated to version 3.10.0-427.36.1.lve1.4.37, which has been marked as ready for production and is available from the stable repositories of the operating system.

Today's kernel replaces version 3.10.0-427.18.2.lve1.4.27 that most CloudLinux 7 users might have installed on their machines, and it fixes a memory leak related to LVE Lightweight Virtual Environment) deletion.

Read more

Also (direct): CloudLinux 7 kernel updated

Security Leftovers

Filed under
Security
  • Recent WordPress vulnerability used to deface 1.5 million pages

    Up to 20 attackers or groups of attackers are defacing WordPress websites that haven't yet applied a recent patch for a critical vulnerability.

    The vulnerability, located in the platform's REST API, allows unauthenticated attackers to modify the content of any post or page within a WordPress site. The flaw was fixed in WordPress 4.7.2, released on Jan. 26, but the WordPress team did not publicly disclose the vulnerability's existence until a week later, to allow enough time for a large number of users to deploy the update.

  • Simple Server Hardening

    These days, it's more important than ever to tighten up the security on your servers, yet if you were to look at several official hardening guides, they read as though they were written for Red Hat from 2005. That's because they were written for Red Hat in 2005 and updated here and there through the years. I came across one of these guides when I was referring to some official hardening benchmarks for a PCI audit and realized if others new to Linux server administration were to run across the same guide, they likely would be overwhelmed with all of the obscure steps. Worse though, they likely would spend hours performing obscure sysctl tweaks and end up with a computer that was no more protected against a modern attack. Instead, they could have spent a few minutes performing a few simple hardening steps and ended up with a more secure computer at the end. So in this article, I describe a few hardening steps that provide the most bang for the buck. These tips should take only a few minutes, yet for that effort, you should get a much more secure system at the end.

  • Sophos: IoT Malware Growing More Sophisticated
  • Linux IoT, Android and MacOS expected in 2017, SophosLabs
  • Hackers using Linux flaws to attack IoT devices
  • Linux Security Fundamentals: Estimating the Cost of a Cyber Attack

Security News

Filed under
Security
Syndicate content

More in Tux Machines

New GNU/Linux Releases: TheSSS, Arkas OS, Black Lab, and Parrot

  • The Smallest Server Suite Gets Special Edition with PHP 7.0.15, Apache 2.4.25
    4MLinux developer Zbigniew Konojacki informs Softpedia about the availability of a special edition of the TheSSS (The Smallest Server Suite) Live Linux operating system. Carrying the same version number as the original TheSSS release, namely 21.0, and dubbed TheSSS7, the new flavor ships with more recent PHP packages from the 7.0.x series. Specifically, TheSSS7 includes PHP 7.0.15, while TheSSS comes with PHP 5.6.30.
  • Descent OS Is Dead, Arkas OS Takes Its Place and It's Based on Ubuntu 16.04 LTS
    Some of you out there might remember the Descent OS distro created by Brian Manderville and based on the popular Ubuntu Linux operating system, and today we have some bad news for them as the development is now officially closed. Descent OS first appeared in February 2012 as a lightweight Ubuntu derivative built around the GNOME 2 desktop environment. Back then, it was known as Descent|OS, and was quite actively developed with new features and components borrowed from the latest Ubuntu releases.
  • Black Lab Linux 8.1 Out Now with LibreOffice 5.3, It's Based on Ubuntu 16.04 LTS
    Softpedia was informed today by the Black Lab Software project about the general availability of the first point release to the Black Lab Linux 8.0 operating system series. Serving as a base release to the company's enterprise offerings and equipped with all the long-term supported Linux 4.4 kernel from the Ubuntu 16.04 LTS (Xenial Xerus) operating system, Black Lab Linux 8.1 comes with up-to-date components and the latest security patches ported from Ubuntu's repositories as of February 15, 2017. "Today we are pleased to announce the release of Black Lab Linux 8.1. Our first incremental release to the 8.0 series. In this release we have brought all security updates up to Feb 15, 2017, as well as application updates," said Roberto J. Dohnert, CEO of Black Lab Software.
  • Parrot 3.5 – Call For Betatesters
    We did our best to prepare these preview images including all the updates and the new features introduced since the last release, but now we need your help to understand how to make it even better, and of course we need your help to understand if there is something that doesn’t work as expected or something that absolutely needs to be included in the final release.

Linux and Graphics

  • Linux Kernel 4.10 Now Available for Linux Lite Users, Here's How to Install It
    Minutes after the release of Linux kernel 4.10 last evening, Jerry Bezencon from the Linux Lite project announced that users of the Ubuntu-based distribution can now install it on their machines. Linux 4.10 is now the most advanced kernel branch for all Linux-based operating systems, and brings many exciting new features like virtual GPU support, better writeback management, eBPF hooks for cgroups, as well as Intel Cache Allocation Technology support for the L2/L3 caches of Intel processors.
  • Wacom's Intuos Pro To Be Supported By The Linux 4.11 Kernel
    Jiri Kosina submitted the HID updates today for the Linux 4.11 kernel cycle.
  • Mesa 13.0.5 Released for Linux Gamers with over 70 Improvements, Bug Fixes
    We reported the other day that Mesa 13.0.5 3D Graphics Library will be released this week, and it looks like Collabora's Emil Velikov announced it earlier this morning for all Linux gamers. Mesa 13.0.5 is a maintenance update to the Mesa 13.0 stable series of the open source graphics stack used by default in numerous, if not all GNU/Linux distributions, providing gamers with powerful drivers for their AMD Radeon, Nvidia, and Intel GPUs. It comes approximately three weeks after the Mesa 13.0.4 update.
  • mesa 13.0.5

Interview: Thomas Weissel Installing Plasma in Austrian Schools

With Plasma 5 having reached maturity for widespread use we are starting to see rollouts of it in large environments. Dot News interviewed the admin behind one such rollout in Austrian schools. Read more

today's leftovers

  • Top Lightweight Linux Distributions To Try In 2017
    Today I am going to discuss the top lightweight Linux distros you can try this year on your computer. Although you got yourself a prettyLinuxle linux already but there is always something new to try in Linux. Remember I recommend to try this distros in virtualbox firstly or with the live boot before messing with your system. All distro that I will mention here will be new and somewhat differ from regular distros.
  • [ANNOUNCE] linux-4.10-ck1 / MuQSS CPU scheduler 0.152
  • MSAA Compression Support For Intel's ANV Vulkan Driver
    Intel developer Jason Ekstrand posted a patch over the weekend for enabling MSAA compression support within the ANV Vulkan driver.
  • Highlights of YaST development sprint 31
    As we announced in the previous report, our 31th Scrum sprint was slightly shorter than the usual ones. But you would never say so looking to this blog post. We have a lot of things to talk you about!
  • Comparing Mobile Subscriber Data Across Different Sources - How accurate is the TomiAhonen Almanac every year?
    You’ll see that last spring I felt the world had 7.6 Billion total mobile subscriptions when machine-to-machine (M2M) connections are included. I felt the world had 7.2 Billion total subscriptions when excluding M2M and just counting those in use by humans. And the most relevant number (bottom line) is the ‘unique’ mobile users, which I felt was an even 5.0 Billion humans in 2015. The chart also has the total handsets-in-use statistic which I felt was 5.6 Billion at the end of 2015. Note that I was literally the first person to report on the distinction of the unique user count vs total subscriptions and I have been urging, nearly begging for the big industry giants to also measure that number. They are slowly joining in that count. Similarly to M2M, we also are now starting to see others report M2M counts. I have yet to see a major mobile statistical provider give a global count of devices in use. That will hopefully come also, soon. But lets examine these three numbers that we now do have other sources, a year later, to see did I know what I was doing.