
Security

Apache HTTP Server Vulnerabilities Fixes in Ubuntu OSes

Filed under
Server
Security
Ubuntu

Details about a couple of Apache HTTP Server vulnerabilities that have been found and fixed in Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS have now been published by Canonical in a security notification.

pfSense 2.2.4 BSD Firewall Fixes Multiple Stored XSS Vulnerabilities in the WebGUI

Filed under
Security
BSD

Electric Sheep Fencing LLC., through Chris Buechler, has announced the immediate availability for download of the fourth maintenance release of the pfSense 2.2 FreeBSD-based firewall software.

Security Leftovers

Filed under
Security
  • Unhinged Linux backdoor still poses a nuisance, if not a threat

    If successfully planted, the malware tries to register itself in the system as a daemon (system service). Thereafter it uses LZO compression and the Blowfish encryption algorithm to chat to command and control servers. Every packet contains a checksum, so that the recipient could verify data integrity.

  • Researchers analyze faulty new Linux backdoor
  • Seven things security experts do to keep safe online

    Cybersecurity experts aren’t like you or me, and now we have the evidence to prove it. Researchers at Google interviewed more than 200 experts to find out what security practices they actually carry out online, and then spoke to almost 300 non-experts to find out how they differ.

  • Why Chrysler's car hack 'fix' is staggeringly stupid

    More than a million Chrysler vehicles, including Jeeps, Ram pickups, and Dodge vehicles, are vulnerable to a major vulnerability that could drive them -- literally -- off the road.

    Last week, the company recalled 1.4 million vehicles at risk of a remote hijack vulnerability, which, as detailed by Wired, can result in a hacker remotely operating the brakes, interfering with the driver's visibility by switching on the windshield wipers, and even shutting off the engine.

  • The Elderly & the Scam Masters

    Jane answered the phone and a pleasant young man identified himself as an internet technician with Microsoft. He told her they’d received a report that something was extremely wrong with their computers and he was calling to help.

    [...]

    From here it gets crazy. There was a $200 payment made to this “tech expert” and then he calls back and says that payment wasn’t necessary. In fact, an error was made and a draft of $2,000 had been made and not $200. He needed to take his $1,800 back. Of course, the “bank statement” Jane looked at did indeed show $2,000 instead of $200, so Jane was being asked to refund the $1,800.

  • We Can Put An End To Identity Theft
  • Darkode Hacking Forum Taken Down by FBI and Europol

    In a joint operation that included law enforcement agencies from 20 countries, the infamous Darkode hacking forum has been taken down.

  • Stagefright: Just how scary is it for Android users?

    To do this with Android Kitkat, the most popular Android version, you open the Messenger app and tap on the menu at the top right corner of the screen (the three vertical dots) and then tap on Settings. Once there, select Block Unknown Senders, and you're done.

  • Bin your Android phone: 1 BILLION mobes can be infected by text message

    (There are a couple of workarounds: one is to root your Android mobile and disable Stagefright. Another is to remove or disable Google Hangouts, the default messaging app on Android, which processes video messages automatically. Even without Hangouts, if you receive a booby-trapped MMS and accidentally view it, you'll still be infected. Finally, you could tweak your carrier settings to not receive MMS texts.)

  • 950 million Android phones can be hijacked by malicious text messages

    Interestingly, the Stagefright vulnerability also affects Firefox on all platforms except Linux, and that includes the Firefox OS. Firefox developers have patched the vulnerability in versions 38 and up.

  • Researchers have found a new texting vulnerability in Android

Following Debian's GNU/Hurd in 2015

Filed under
Security
Debian

The Debian project is best known for its stable GNU/Linux operating system, a platform which is used as a base by over one hundred distributions. However, the Debian project is home to other operating systems, including a port of GNU's Hurd. The GNU/Hurd port combines Debian packages and package management with GNU userland software running on GNU's microkernel. The project offers this description: "The Hurd is a set of servers running on top of the GNU Mach microkernel. Together they build the base for the GNU operating system. Currently, Debian is only available for Linux and kFreeBSD, but with Debian GNU/Hurd we have started to offer GNU/Hurd as a development, server and desktop platform, too. We hope to be able to release Debian GNU/Hurd for Wheezy."

Security Leftovers

Filed under
Security
  • The scariest thing about the Chrysler hack is how hard it was to patch

    Chrysler is having a bad week. On Tuesday, Wired published a fantastic and gripping report detailing an open vulnerability in Chrysler's UConnect system, allowing attackers to take control of transmission, brakes, or even steering. There was already a patch available when the article was published, but because cars required physical updates, most cars hadn't received it. Today, Chrysler upped the ante, asking 1.4 million cars to report to dealerships or install a patch mailed out over USB. It's the biggest vulnerability we've ever seen from a car company, and a firsthand demonstration of how hard it is to patch a problem once it pops up.

  • 1/2 TRILLION spent on IT upgrades, but IRS, Feds still use DOS, old Windows

    President Obama's team has spent more than a half trillion dollars on information technology, but some departments, notably the IRS, still run on DOS and old Windows, which isn't serviced anymore, according to a House chairman.

  • US won’t publicly blame China for massive government hacks – reports

    Despite the fact that numerous American officials have blamed China for the massive hack that involved the personal data theft of millions of government employees, the United States has reportedly chosen not to publicly point the finger at Beijing.

    Two breaches at the Office of Personnel Management this year put the data of more than 22 million Americans at risk, raising concern about foreign cyberattacks and lax government security measures.

  • Car hack uses digital-radio broadcasts to seize control

    Several car infotainment systems are vulnerable to a hack attack that could potentially put lives at risk, a leading security company has said.

    NCC Group said the exploit could be used to seize control of a vehicle's brakes and other critical systems.

    The Manchester-based company told the BBC it had found a way to carry out the attacks by sending data via digital audio broadcasting (DAB) radio signals.

  • After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix

    Welcome to the age of hackable automobiles, when two security researchers can cause a 1.4 million product recall.

    On Friday, Chrysler announced that it’s issuing a formal recall for 1.4 million vehicles that may be affected by a hackable software vulnerability in Chrysler’s Uconnect dashboard computers. The vulnerability was first demonstrated to WIRED by security researchers Charlie Miller and Chris Valasek earlier this month when they wirelessly hacked a Jeep I was driving, taking over dashboard functions, steering, transmission and brakes. The recall doesn’t actually require Chrysler owners to bring their cars, trucks and SUVs to a dealer. Instead, they’ll be sent a USB drive with a software update they can install through the port on their vehicle’s dashboard.

  • Fiat Chrysler recalls 1.4 million cars over remote hack vulnerability
  • Valerie Plame: OPM breach is 'absolutely catastrophic' to security

    "When you have access to information about the friends, family members and health issues of someone who works for the U.S. government, you can use that to try to get close to that person and gather intelligence," she said. "To my mind, the OPM breach is absolutely catastrophic for our national security."

  • Newest Remote Car Hacking Raises More Questions About Reporter’s Death

    As readers of WhoWhatWhy know, our site has been one of the very few continuing to explore the fiery death two years ago of investigative journalist Michael Hastings, whose car left a straight segment of a Los Angeles street at a high speed, jumped the median, hit a tree, and blew up.

    Our original report described anomalies of the crash and surrounding events that suggest cutting-edge foul play—that an external hacker could have taken control of Hastings’s car in order to kill him. If this sounds too futuristic, a series of recent technical revelations has proven that “car hacking” is entirely possible. The latest just appeared this week.

  • This Jordanian Left Her Life as a Beauty Queen to Be an Islamic State-Fighting Hacktivist

    Lara Abdallat is not your average beauty queen. She was Miss Jordan 2010 and first runner-up to Miss Arab 2011, but she abandoned her career in pageantry to do something slightly more controversial and dangerous.

    Abdallat is currently fighting the Islamic State group and Islamic extremists as a hacktivist with Ghost Security, an international counterterrorism organization tenuously affiliated with Anonymous, perusing the Deep Web and the Darknet for suspicious activity.

Advanced spyware for Android now available to script kiddies everywhere

Filed under
Android
Security
Legal
  • Advanced spyware for Android now available to script kiddies everywhere

    One of the more recent discoveries resulting from the breach two weeks ago of malware-as-a-service provider Hacking Team is sure to interest Android enthusiasts. To wit, it's the source code to a fully featured malware suite that had the ability to infect devices even when they were running newer versions of the Google-developed mobile operating system.

    The leak of the code base for RCSAndroid—short for Remote Control System Android—is a mixed blessing. On the one hand, it provides the blueprints to a sophisticated, real-world surveillance program that can help Google and others better defend the Android platform against malware attacks. On the other, it provides even unskilled hackers with all the raw materials they need to deploy what's arguably one of the world's more advanced Android surveillance suites.

  • Security tool bod's hell: People think I wrote code for Hacking Team!

    A respected security researcher has denied any involvement with Hacking Team after open-source code he wrote was found in smartphone spyware sold by the surveillance-ware maker.

The French want to BAN .doc and .xls files from Le Gouvernement

Filed under
Microsoft
OSS
Security

Microsoft could get the boot from the French government if a new recommendation from an official advisor is adopted.

DISIC (Direction interministérielle des systèmes d'information et de communication de l'État) has recommended that French authorities ditch Microsoft Office tools in favour of the Open Document Format (ODF).

DISIC is responsible for harmonising and reducing the costs of all state computers, including government ministries, state and regional departments and local authorities, and sees ODF as the best way to make them all interoperable.

According to sources, an initial draft of the report envisaged outlawing Microsoft’s Open XML altogether, although with some agencies using tools specifically developed for use with Open XML, DISIC relented.

Security and Linux/FOSS/Proprietary

Filed under
Security
  • Security updates for Monday
  • Why DANE isn't going to win

    1024-bit RSA keys are quite common throughout the DNSSEC system. Getting rid of 1024-bit keys in the PKI has been a long-running effort; doing the same for DNSSEC is likely to take quite a while. Yes, rapid rotation is possible, by splitting key-signing and zone-signing (a good design choice), but since it can’t be enforced, it’s entirely likely that long-lived 1024-bit keys for signing DNSSEC zones are the rule, rather than the exception.

  • RealVNC: more open remote access protocols will increase security

    Yes but RFB 5 is new... and it's a closed, secret, previously unpublished protocol (unlike earlier RFB 3.x versions).

    Hmm, still doesn't sound very secure.

    Security in remote access solutions will always be a concern for some it's true.

  • I worked at #HackingTeam, my emails were leaked to WikiLeaks and I’m ok with that

    Is radical transparency the best solution to expose injustice in this technocratic world, a world that is changing faster than law can keep up with?

    That question became even more relevant to me, a privacy activist, when I found myself in the Wikileaks archive, because I worked at Hacking Team 9 years ago.

    [...]

    This is a leak in the public interest, and I really feel that the personal and corporate damage is smaller than the improvement our society can gain from it. But to reach such an improvement, we have to focus on the bigger picture rather than getting distracted by the juicy details.

  • Hackers Remotely Kill a Jeep on the Highway—With Me in It

    Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

    At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

  • 470,000 Vehicles At Risk After Hackers "Take Control & Crash" Jeep Cherokee From A Sofa 10 Miles Away

Researcher lashes out at Hacking Team over open-source code discovery

Filed under
OSS
Security

System security researcher Colin Mulliner said in a blog post on Tuesday that he discovered his open-source creations were being used -- without notice or permission by Hacking Team -- after individuals on Twitter pointed it out and he received a flood of emails and personal notifications.

OPSWAT adds support for Linux to their Multi Anti-Malware Scanner Metascan

Filed under
Linux
Security

OPSWAT, a provider of solutions to secure and manage IT infrastructure, today announced the next generation of Metascan, which can be deployed on Linux. Metascan is a multi-scanning solution for ISVs, IT admins and malware researchers that detects and prevents known and unknown threats. Metascan for Linux offers improved security and scalability, as well as enhanced usability and a new user interface.
