Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • How worried should your organisation be about cyber espionage - and what can you do about it?

    Computerworld UK speaks with Jarno Niemela, senior security researcher at F-Secure.

  • Inverse Law of CVEs

    I've started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn't anything overly clever, it's fun to do. And I get to make pretty graphs, which everyone likes to look at.

  • eBay Asks Users to Downgrade Security

    The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

  • Practical basics of reproducible builds
  • License Agreements and Changes Are Coming

    The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want get into any specific details, and I certainly don’t know them all.

Security and Bugs

Filed under
Security
  • Security updates for Thursday
  • Devops embraces security measures to build safer software

    Devops isn’t simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that devops teams are increasingly adopting security automation to create better and safer software.

  • This Xfce Bug Is Wrecking Users’ Monitors

    The Xfce desktop environment for Linux may be fast and flexible — but it’s currently affected by a very serious flaw.

    Users of this lightweight alternative to GNOME and KDE have reported that the choice of default wallpaper in Xfce is causing damaging to laptop displays and LCD monitors.

    And there’s damning photographic evidence to back the claims up.

Security Leftovers

Filed under
Security
  • Windows flaw lets attackers take over A-V software

    A 15-year-old flaw in every version of Windows right from XP to Windows 10 allows a malicious attacker to take control of a system through the anti-virus software running on the system.

  • Google Continues to Make Strides in Improving Android Security
  • Google cites progress in Android security, but patching issues linger
  • Dark Matter

    Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

    Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Customer security awareness: alerting you to vulnerabilities that are of real risk
  • Cisco's WikiLeaks Security Vulnerability Exposure: 10 Things Partners Need To Know

    Cisco's security team has discovered that hundreds of its networking devices contain a vulnerability that could allow attackers to remotely executive malicious code and take control of the affected device.

    "We are committed to responsible disclosure, protecting our customers, and building the strongest security architecture and products that are designed through our Trustworthy Systems initiatives," said a Cisco spokesperson in an email to CRN regarding the vulnerability.

    Some channel partners of the San Jose, Calif.-based networking giant are already advising customers on how to bypass the critical security flaw. Here are 10 important items that Cisco channel partners should know about the security vulnerability.

  • Linux had a killer flaw for 11 years and no one noticed

    One of the key advantages of Open sauce software is that it is supposed to be easier to spot and fix software flaws, however Linux has had a local privilege escalation flaw for 11 years and no-one has noticed.

    The vulnerability, tracked as CVE-2017-6074, is over 11 years old and was likely introduced in 2005 when the Linux kernel gained support for the Datagram Congestion Control Protocol (DCCP). It was discovered last week and was patched by the kernel developers on Friday.

  • 6 Hot Internet of Things (IoT) Security Technologies
  • Microsoft Losing Its Edge

    However, despite these improvements in code cleanness and security technologies, it hasn’t quite proven itself when faced with experienced hackers at contests such as Pwn2Own. At last year’s edition of Pwn2Own, Edge proved to be a little better than Internet Explorer and Safari, but it still ended up getting hacked twice, while Chrome was only partially hacked once.

    Things seem to have gotten worse, rather than better, for Edge. At this year’s Pwn2Own, Microsoft’s browser was hacked no less than five times.

  • Microsoft loses the Edge at hacking contest

    And for every hack perpetrated against Edge, there was a corresponding attack against the Windows 10 kernel, indicating that it has a way to go in terms of security, according to Tom's Hardware.

  • Wikileaks: Apple, Microsoft and Google must fix CIA exploits within 90 days

    The 90-day deadline is the same that Google's own Project Zero security group provides to companies when it uncovers flaws in their software. If a company has failed to patch its software accordingly, Project Zero publishes details of the flaw whether the vendor likes it or not.

  • NTPsec Project announces 0.9.7

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: week 99 in Stretch cycle
  • Government Agencies to be Rated on Cybersecurity Using NIST Framework

    The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity. Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.

    Homeland security advisor Thomas Bossert stated that the President’s budget will include an increase in federal funding to combat cyber threats, and that the administration’s priorities vis-à-vis cybersecurity are to modernize and centralize the existing system. To this end, the Administration intends to partner with business, including Silicon Valley, and state and local governments, on cybersecurity.

  • Firefox gets complaint for labeling unencrypted login page insecure

    The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

    "Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • Old Linux kernel security bug bites

    OK, hands up, who knows what High-Level Data Link Control (HDLC) is? It's an archaic networking data framing protocol that's used in modems, X.25, frame-relay, ISDN, and other now uncommon networking technologies. I know it because I used to work with them back in the day. You'll get to know it now because a researcher discovered a security hole hidden within the Linux kernel driver that implements it.

  • Seven year-old Linux vulnerability now patched

    An old vulnerability was just discovered in the Linux kernel, potentially allowing hackers to gain privilege escalation, or cause a denial of service. The vulnerability was quickly fixed and there have been no signs of it in the wild, although that does not necessarily mean it went unnoticed.

  • OpenSSH 7.5 released

    OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

  • OpenSSH 7.5 Has Security Fixes, Removes OpenSSL 1.0 Support for Portable OpenSSH

    OpenSSH, the cross-platform and open-source 100% complete SSH 2.0 protocol implementation offering both SFTP server and client support was updated today to version 7.5.

    OpenSSH 7.5 comes three months after the release of OpenSSH 7.4 in late December 2016, and promises to be a maintenance update that addresses two important security issues, implements support for the "=-" syntax to make removing of methods from algorithm lists a lot easier, and fix numerous reported bugs.

  • Is Linux Mint a secure distribution?

    Linux Mint has been lambasted by some in the media for security problems over the last few years. But how accurate are such perceptions? Does Linux Mint really suffer from security problems or is it all much ado about nothing?

    A writer at DistroWatch wades into the controversy and examines some of the myths and misunderstandings about Linux Mint and security.

  • Linux Mint's security record

    Some of the more common misunderstandings I have encountered recently have involved the Linux Mint distribution. Mint has been a popular project in recent years and, with many people using the distribution and talking about the project, there is bound to be some mis-communication. In particular, most of the rumours and misunderstandings I have encountered have revolved around Mint's security practises and history. I would like to clear up a few of the more common rumours.

  • Mozilla Firefox is the First Pwn2own 2017 Victim to be Patched

    Some vendors respond to security issues faster than others. Last week, the 10th annual Pwn2own hacking challenge was hosted by Trend Micro's Zero Day Initiative (ZDI), with multiple groups of researchers taking aim at web browsers, operating systems and virtualization technology.

    Mozilla's Firefox web browser was successfully exploited on March 16, the second day of the Pwn2own event. Researchers from Chaitin Security Research Lab were the only group to attack Mozilla Firefox, and earned $30,000 for demonstrating a new zero-day exploit. The day the exploit was demonstrated, the only thing publicly revealed about the exploit is that it made use of an integer overflow flaw in combination with an uninitialized memory buffer in the Windows kernel.

Tails 3.0 Anonymous LiveCD Gets Third Beta Release with Important Security Fixes

Filed under
Security
Debian

The developers of the Tails amnesic incognito live system announced the availability of the third Beta release of the upcoming major Tails 3.0 operating system, which will be based on the soon-to-be-released Debian GNU/Linux 9 "Stretch" OS.

Read more

Security Leftovers

Filed under
Security
  • More than 300 Cisco switch models vulnerable to CIA hack

    A cache of CIA documents was dropped on the internet two weeks ago via WikiLeaks. It was a huge volume of data, some of which detailed CIA tools for breaking into smartphones and even smart TVs. Now, Cisco has said its examination of the documents points to a gaping security hole in more than 300 models of its switches. There’s no patch for this critical vulnerability, but it’s possible to mitigate the risk with some settings changes.

    Cisco’s security arm sent out an advisory on Friday alerting customers that the IOS and IOS XE Software Cluster were vulnerable to hacks based on the leaked documents. The 318 affected switch models are mostly in the Catalyst series, but there are also some embedded systems and IE-series switches on the list. These are enterprise devices that cost a few thousand dollars at least. So, nothing in your house is affected by this particular attack.

  • Assange chastises companies who haven't responded to CIA vulnerability offers

    Wikileaks head Julian Assange slammed companies not taking the site up on the sites offer to share security flaws the CIA had exploited in their products.

    In a screen-shot statement tweeted on Saturday, Wikileaks noted that "Organizations such as Mozilla" had responded to the site's emails offering unreleased security vulnerabilities from leaked CIA files. "Google and other companies" had not.

    "Most of these lagging companies have conflicts of interest due to their classified work with US government agencies. In practice such associations limit industry staff with US security clearances from fixing holes based on leaked information from the CIA. Should such companies choose to not secure their users against CIA or NSA attacks users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts," the statement read.

    Wikileaks recently published a trove of files leaked from the CIA, including descriptions of hacking techniques. The site made an effort to redact source code showing how to actually accomplish the techniques, although enough code slipped through the cracks for researchers to reverse engineer at least one of the security flaws.

  • Gentoo: 201703-02 Adobe Flash Player: Multiple vulnerabilities

OpenSSH 7.5 released

Filed under
OSS
Security

OpenSSH 7.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.

Read more

Also: OpenSSH 7.5 Released, Legacy Crypto Functions Still Heading For Retirement

Syndicate content

More in Tux Machines

Today in Techrights

Leftovers: OSS

  • Communities of Communities: The Next Era of Open Source Software
    We are now about 20 years into the open source software era. You might think that open source simply means publishing the source code for something useful. While this is correct by definition, the most important component of any open source project is its community and how it works together. Open source projects are not isolated islands. In fact, it’s common for them to depend on each other. As new projects are created, it is also common that members come from related projects to work on something new. Apache Arrow is an example of a new project that worked across many related projects, creating a new community that from the beginning knew it needed to build a community of communities.
  • 9 Open Source Storage Solutions: A Perfect Solution To Store Your Precious Data
    Whatever business nature you have, there must be some precious data which you want to store in a secured place. Finding a right storage solution is always critical for business, especially for small and medium, but what if you get a perfect solution at no cost. There is no doubt that business cant runs without data, but while looking for a solution, you might need to spend a fortune to cover all your storage requirements. Open source tools come as the viable solution where you won’t spend money yet get a suitable solution to store your precious data. And don’t worry we will help you to find one of the best.
  • 15 Open Source Solutions To Setup Your Ecommerce Business
    In the past few years, there is a rapid growth in the online sales. According to a survey, more than 40% people are now shifted to online stores and majorly buying products from their smartphones and tablets. With the expeditious rise in the online marketplace, more business introducing online stores. For the big fishes in the industry, the expenses of setting up an online store is like spending peanuts, but for the small or startups, it appears to be a fortune. The smart move could be open source platforms, to begin with as they are not only free also reliable and scalable. One can set up the online store not only quickly as well as, in future if you want to add some of the functionalities, which are available with only premium, can be done by paying quite a small amount.
  • An Industry First: Teradata Debuts Open Source Kylo to Quickly Build, Manage Data Pipelines
  • MUA++ (or on to thunderbird)
  • OpenSSL Re-Licensing to Apache License v. 2.0

    The OpenSSL project, home of the world’s most popular SSL/TLS and cryptographic toolkit, is changing its license to the Apache License v2.0 (ASL v2). As part of this effort, the OpenSSL team launched a new website and has been working with various corporate collaborators to facilitate the re-licensing process.

Linux Graphics

  • Ubuntu 17.04 Still Hasn't Landed X.Org Server 1.19
    While the Ubuntu 17.04 final release is expected to happen in just over two weeks and the final freeze is quickly approaching, X.Org Server 1.19 has yet to land as anticipated into the Zesty Zapus.
  • NV_fill_rectangle Coming To Gallium3D/Nouveau
    Red Hat developer Lyude Paul is working on OpenGL NV_fill_rectangle support for Gallium3D and the Nouveau driver. Lyude has published a set of six patches for adding GL_NV_fill_rectangle support to Gallium3D and wires it up in the Nouveau NVC0 driver for GM200+ hardware.
  • New Engine Reset Capability Being Worked On For Intel DRM Linux Driver
    Intel's Michael Thierry published the fifth version of these patches on Friday. While there has been GPU reset support within the Intel DRM driver in case of hangs, this new engine-reset support is superior as it can reset a particular engine rather than performing a full GPU reset.
  • Vulkan 1.0.45 Released
    Version 1.0.45 is now the latest version of the Vulkan 1.0 specification.

Development News