Security

Keeweb A Linux Password Manager

Filed under
Linux
Reviews
Security

Today we are depending on more and more online services. Each online service we sign up for lets us set a password, and this way we have to remember hundreds of passwords. In this case, it is easy for anyone to forget passwords. In this article I am going to talk about Keeweb, a Linux password manager that can store all your passwords securely either online or offline.

Read more

Security News

Filed under
Security
  • Security updates for Thursday
  • Open Source Information Security Tool Aimed at MSSPs

    A Virginia software developer announced today the release of what’s billed as the first open source information security analytics tool for managed security services providers (MSSP) and enterprise.

    IKANOW says its new platform features multi-tenancy, enterprise scalability and is fully customizable.

  • Most companies still can't spot incoming cyberattacks

    Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

    According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

  • HTTpoxy Flaw Re-emerges After 15 Years and Gets Fixed

    After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed.
    Some flaws take longer—a lot longer—than others to get fixed. The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18.

    The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts. The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic. The flaw at its core is a namespace conflict between two different uses for a server variable known as HTTP Proxy.

  • Hack The World

    Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer Internet.

  • EU aims to increase the security of password manager and web server software: KeePass and Apache chosen for open source audits [“pyrrhic because of Keepass : flushing the audit money down the toilet on MS based cruft” -iophk]

    For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

    The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

  • KeeThief – A Case Study in Attacking KeePass Part 2

    The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares“. Our counterpoint to this is that protecting your computer from malicious compromise is a very different problem when it’s joined to a domain versus isolated for home use. As professional pentesters/red teamers we’re highly interested in post-exploitation techniques applicable to enterprise environments, which is why we started looking into ways to “attack” KeePass installations in the first place. Our targets are not isolated home users.

  • Giuliani calls for cybersecurity push

    Former New York mayor Rudy Giuliani made a surprise appearance at the BlackBerry Security Summit, warning of the rapid growth of cybercrime and cyberterrorism.

    Cybercrime and cyberterrorism are both growing at rates between 20% and 40%, said Giuliani, who made a brief return from the Republican National Convention in Cleveland to speak at BlackBerry's New York event.

    "Think of it like cancer. We can't cure it... but if we catch it early we can put it into remission," he said. The quicker you can spot an attack, the less chance there is of loss.

  • Notorious Hacker ‘Phineas Fisher’ Says He Hacked The Turkish Government

    A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

    The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

    “I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.
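The namespace collision described in the HTTpoxy item above, as an added example that is not part of any of the articles excerpted here: a minimal model of the CGI rule that turns every request header into an `HTTP_*` environment variable (so a client-supplied `Proxy:` header becomes `HTTP_PROXY`), the hardened mapping that drops that one header at the boundary, and the client-library check adopted by several of the fixes (ignore `HTTP_PROXY` whenever `REQUEST_METHOD` is set, i.e. when running under CGI). Header names, proxy URLs and the function names are constructed for the illustration.

```python
"""Model of the HTTPoxy header/environment collision and two mitigations."""
from typing import Dict, Optional

# CGI (RFC 3875) prefixes request headers with HTTP_ when exporting them to the
# script's environment; the same name is what HTTP client libraries read for
# their outbound proxy setting. That shared name is the whole bug.
COLLIDING_ENV_VARS = {"HTTP_PROXY"}


def header_to_env_name(header: str) -> str:
    """CGI meta-variable name for a request header ('Proxy' -> 'HTTP_PROXY')."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def cgi_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """Plain CGI export (the vulnerable behaviour): every header is exported."""
    return {header_to_env_name(name): value for name, value in headers.items()}


def cgi_environ_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """Same export, but refuse to let a client populate HTTP_PROXY.

    This is the gateway-side fix (equivalent to stripping the Proxy header in
    the web server before it reaches CGI/FastCGI).
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        key = header_to_env_name(name)
        if key in COLLIDING_ENV_VARS:
            continue  # attacker-controlled; never exported
        env[key] = value
    return env


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """Client-library-side fix: honour HTTP_PROXY only outside a CGI context.

    REQUEST_METHOD is always present in a CGI environment and never in a normal
    shell, so its presence means HTTP_PROXY may have come from the request.
    """
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    # Constructed request carrying a client-chosen Proxy header.
    request_headers = {"Host": "app.example", "Proxy": "http://attacker.example:8080"}
    print("vulnerable export :", cgi_environ(request_headers).get("HTTP_PROXY"))
    print("hardened export   :", cgi_environ_hardened(request_headers).get("HTTP_PROXY"))
    cgi_env = dict(cgi_environ(request_headers), REQUEST_METHOD="GET")
    print("proxy used in CGI :", effective_proxy(cgi_env))
```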

Security News

Filed under
Security

EC to audit Apache HTTP Server and Keepass

Filed under
Security

The European Commission is preparing a software source code security audit on two software solutions, Apache HTTP server and Keepass, a password manager. The source code will be analysed and tested for potential security problems, and the results will be shared with the software developers. The audits will start in the coming weeks.

Read more

Security News

Filed under
Security
  • Security advisories for Tuesday
  • BlackBerry Inks Software Deal With U.S. Senate
  • BlackBerry inks security software deals, shares slip
  • BlackBerry Announces String of Small Security Software Deals
  • BlackBerry inks U.S. government software deals; shares slip
  • Carbanak Gang Tied to Russian Security Firm?

    Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity.

    The Carbanak gang derives its name from the banking malware used in countless high-dollar cyberheists. The gang is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has likely stolen upwards of USD $1 billion — but mostly from Russian banks.

  • Now you can ask Twitter directly to verify your account

    Do you have an army of imposters online pretending to be you? Probably not, but now you can still request for a verified Twitter account.

    On Tuesday, Twitter launched an official application process so that any account can be verified and receive a blue checkmark badge next to its username. Twitter users interested in applying should have a verified phone number and email address, as well as a profile photo that reflects the person or company branding.

    Verified accounts get to filter their mentions to only see those from other verified accounts. But that seems to be the only real feature or perk that comes from having a blue badge–aside from bragging rights, of course. Additionally, verified accounts can’t be private, and the username must remain the same or you will have to seek verification all over again. If you are rejected, you can reapply after 30 days. Previously, the verification process was never clear-cut, and it seemed to require a direct connection to a Twitter rep.

  • Software flaw puts mobile phones and networks at risk of complete takeover [Ed: proprietary software]

    A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

    The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.

Security News

Filed under
Security
  • Ubuntu forum breach traced to neglected plugin
  • Canonical warns users after Ubuntu forum data breach
  • Flaw in vBulletin add-on leads to Ubuntu Forums database breach
  • CrypTech — Internet Engineers’ New Open Source Weapon Against ‘Creepy’ Governments

    The CrypTech project is an independent security hardware development effort that consists of an international team. CrypTech Alpha is an open source crypto-vault that stores the private/public keys and separates the digital certificates from the software using them. It has been developed as a hardware secure module (HSM) to make the implementation of strong cryptography easier.

  • Entrepreneur in £10m swoop for hacking team

    One of the northwest’s best-known entrepreneurs has splashed out about £10m on a cyber-security venture that helps businesses repel hackers.

    Lawrence Jones, who runs the Manchester-based internet hosting and cloud computing specialist UKFast, has bought Pentest, an “ethical hacking” firm whose staff help detect flaws in clients’ cyber-defences.

    Jones, 47, will merge Pentest’s 45 staff into his own cyber-security outfit, Secarma. “It’s become obvious that there is a massive need to put emphasis on cyber-security,” said the internet tycoon, whose wealth is calculated by The Sunday Times Rich List as £275m.

  • Guilt by ASN: Compiler's bad memory bug could sting mobes, cell towers

    A vulnerability in a widely used ASN.1 compiler isn't a good thing: it means a bunch of downstream systems – including mobile phones and cell towers – will inherit the bug.

    And an ASN.1 bug is what the Sadosky Foundation in Argentina has turned up, in Objective Systems' software.

    The research group's Lucas Molas says Objective's ASN1C compiler for C/C++ version 7.0.0 (other builds are probably affected) generates code that suffers from heap memory corruption. This could be potentially exploited to run malware on machines and devices that run the vulnerable compiler output or interfere with their operation.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Two Million Passwords Breached in Ubuntu Hack
  • VBulletin flaw exploited in breach of Ubuntu Forums

    A known SQL injection vulnerability affecting vBulletin software was exploited by an attacker to breach the Ubuntu Forums database.

  • Ubuntu Forums data breach exposes 2 million users

    Ubuntu aficionados beware, as a data breach of the Ubuntu Forum has resulted in the leak of information for two million users. It should be noted that the breach has not hit Canonical Ltd., which runs the Ubuntu operating system, but rather the forum, so other services are still safe.

    The notice from Canonical explains that the breach was made possible through an SQL injection vulnerability in the forum’s Forumrunner add-on, which had not been patched. By injecting certain formatted SQL into the forum database, the hacker could then reach any table, particularly the “user” table.

  • Ubuntu Forum Hack Exposes 2 Million Users

    Ubuntu Linux developer Canonical has confirmed that a data breach exposed personal information of two million users of its forum.

  • How to scam $750,000 out of Microsoft Office: Two-factor auth calls to premium-rate numbers

    Gaming two-factor authentication systems with premium rate phone numbers can be very profitable – or it was until the flaws got reported.

    Belgian security researcher Arne Swinnen noticed that the authentication systems used by Facebook-owned Instagram, Google and Microsoft allow access tokens to be received by a voice call as well as a text message. By linking accounts to a premium-rate phone number he controlled and could pocket money from, he was able to scam the three companies out of cash – in some cases potentially thousands of dollars a day.

  • How Do Hackers Easily Crack Your Strongest Passwords — Explained
  • Security Skills Give Open Source Professionals a Career Advantage

    In today’s market, open source professionals with security expertise are crucial players on an employer roster. The growing use of cloud and big data, as well as the overhaul and expansion of many companies’ tech infrastructures, are driving the demand and need for professionals with this skillset.

    According to the 2016 Open Source Jobs Report, 14 percent of hiring managers and recruiters surveyed believe security to be the most important open source skill to date, ranking third just behind cloud technologies (51 percent) and networking (21 percent). Employers aren’t the only ones that see the value in security; 16 percent of open source professionals surveyed cited security as the most important open source skill and the biggest driver for open source growth in 2016.

  • AT&T Unveils Powerful New Security Platform

    AT&T this week unveiled a new powerful security platform, using big data analysis based on a Hadoop architecture which allows the company to ingest and analyze 5 billion security events in less than ten minutes.

  • Software security: Does quality provide a blueprint for change?

    Software security has been in the news a lot lately, between various high profile social media hacks to massive data breaches it feels like people in the industry are always talking about security, or more appropriately, the lack thereof. While having a conversation with somebody from my company’s internal security team a few weeks ago I had a bit of an epiphany: security in 2016 is much like quality was in 1999.

    Let’s think back 17 years and remember what the quality process was like in 1999. Code was written in rather monolithic chunks with very little thought (if any) given to how that code was to be tested. Testers were on completely separate teams, often times denied access to early versions of the software and code. Testers would write massive sets of test cases from technical specifications and would accept large drops of code from developers only after a feature was considered completed. Automation was either a pipe dream or only existed for very stable features that had been around for a while. A manual testing blitz would then kick off, bugs would be filed, work thrown back over the wall, rinse and repeat. After several of these cycles it was the testers job to give a go/no-go on whether the product was good enough to ship, essentially acting as gatekeepers.

  • As a blockchain-based project teeters, questions about the technology’s security

    There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles and books touting blockchain-based ledgers as the next technology that will run the world.

    In the middle of all this hype is a small fire that threatens to put some of those words to ash: The hijacking last month of around US$40 million worth of a cryptocurrency called ether – named after its blockchain platform, Ethereum — from The DAO, a crowd-sourced investment vehicle that has so far raised over US$100 million in the digital currency. Instead, the DAO has become paralyzed and on the verge of collapse.

  • Sandia Labs Researchers Build DNA-Based Encrypted Storage

    Researchers at Sandia National Laboratories in New Mexico are experimenting with encrypted DNA storage for archival applications.

    Husband and wife team George and Marlene Bachand are biological engineers with a remarkable vision of the future.

    The researchers at the Sandia National Laboratories Center for Integrated Nanotechnologies foresee a time when a speck of DNA on a piece of paper the size of a millimeter could securely store the entire anthology of Shakespeare’s works.

Canonical and Proprietary Forums Software (Again Cracked)

Filed under
Security
Ubuntu

Security News

Filed under
Security
  • Ubuntu user forums hack leaks millions of user details [Ed: Canonical continued using proprietary software that had already been breached, now gives GNU/Linux a bad name again. Many journalists out there cannot tell the difference between operating system and forums software, never mind proprietary and Free software. How many so-called "technology" journalists still say "commercial" software instead of proprietary software, as if FOSS is non-commercial?]

    Attacker took advantage of unpatched software.

    Canonical, the parent company of popular Linux distribution Ubuntu, has disclosed that its user web forums have suffered a major data breach.

    Over the weekend, Canonical said that it had come across claims that a third party had a copy of the Ubuntu Forums database.

    The company was able to verify that a breach had taken place, with a database containing details of two million Ubuntu Forums users being leaked.

  • As Open Source Code Spreads, So Do Components with Security Flaws [Ed: Catalin Cimpanu's headline would have us believe that proprietary software has no "Security Flaws", only FOSS]

    The company that provides hosting services for the Maven Central Repository says that one in sixteen downloads is for a Java component that contains a known security flaw.

  • OpenSSH has user enumeration bug

    A bug in OpenSSH allows an attacker to check whether user names are valid on a 'net-facing server - because the Blowfish algorithm runs faster than SHA256/SHA512.

    The bug hasn't been fixed yet, but in his post to Full Disclosure, Verint developer Eddie Harari says OpenSSH developer Darren Tucker knows about the issue and is working to address it.

    If you send a user ID to an OpenSSH server with a long (but wrong) password – 10 kilobytes is what Harari mentions in his post – then the server will respond quickly for fake users, but slower for real users.

More in Tux Machines

How To Build A Raspberry Pi Smartwatch — The Geekiest Watch Ever Made

In our Getting Started With Raspberry Pi series, we’ve introduced you to the basics of Pi, told you how to get everything you need, and helped you boot a basic operating system. But, Raspberry Pi is much more than that. You can use it as a TOR proxy router, build your own PiPhone, and even install Windows 10 IoT. This little device comes with lots of flexibility that allows it to be used in multiple applications. Well, did you ever think about wearing your Raspberry Pi? If your answer is NO, I won’t be surprised. If you imagine a scenario where Raspberry Pi is used to build a smartwatch, it would look too bulky. Well, that’s the thing about making geeky things that set you apart from the regular crowd, right?

Read more

Ubuntu Leftovers

  • Yakkety Yak Alpha 2 Released
  • Ubuntu 16.10 "Yakkety Yak" Alpha 2 Released
    Today marks the second alpha release for Ubuntu 16.10 "Yakkety Yak" flavors participating in these early development releases. Participating in today's Yakkety Yak Alpha 2 development milestone are Lubuntu, Ubuntu MATE, and Ubuntu Kylin. No Xubuntu or Kubuntu releases to report on this morning.
  • PSA: Ubuntu 15.10 Hits End of Life Today
    It's time to wave a weary goodbye to the Wily Werewolf, as Ubuntu 15.10 support ends today.
  • Jono Bacon on Life After (and Before) GitHub
    Do you want to know what it takes to be a professional community manager? This interview will show you the kind of personality that does well at it, and how Jono Bacon, one of the world’s finest community managers, discovered Linux and later found his way into community management. Bacon is world-famous as the long-time community manager for Ubuntu. He was so good, I sometimes think his mother sang “you’ll be a community manager by and by” to him when he was a baby. In 2014 he went to XPRIZE, not a FOSS company, but important nevertheless. From there he dove back into FOSS as community manager for GitHub. Now Bacon is a freelance, self-employed community manager. One of his major clients is HackerOne, whose CEO is Bacon’s and my mutual friend Mårten Mickos. But HackerOne is far from his only client. In the interview he says he recently got back from visiting a client in China, and that he has more work than he can handle.

I've been Linuxing since before you were born

Once upon a time, there was no Linux. No, really! It did not exist. It was not like today, with Linux everywhere. There were multiple flavors of Unix, there was Apple, and there was Microsoft Windows. When it comes to Windows, the more things change, the more they stay the same. Despite adding 20+ gigabytes of gosh-knows-what, Windows is mostly the same. (Except you can't drop to a DOS prompt to get actual work done.) Hey, who remembers Gorilla.bas, the exploding banana game that came in DOS? Fun times! The Internet never forgets, and you can play a Flash version on Kongregate.com. Apple changed, evolving from a friendly system that encouraged hacking to a sleek, sealed box that you are not supposed to open, and that dictates what hardware interfaces you are allowed to use. 1998: no more floppy disk. 2012: no more optical drive. The 12-inch MacBook has only a single USB Type-C port that supplies power, Bluetooth, Wi-Fi, external storage, video output, and accessories. If you want to plug in more than one thing at a time and don't want to tote a herd of dongles and adapters around with you, too bad. Next up: The headphone jack. Yes, the one remaining non-proprietary standard hardware port in Apple-land is doomed.

Read more