Security

Security News

Security Leftovers

Parrot Security OS 3.5 Improves Linux Security Tools Distribution

There seems to be no shortage of Linux distributions specifically designed and built for security researchers. That list includes the Parrot Security OS Linux distribution, which was updated to version 3.5 on March 8. The Parrot Security OS platform is based on the Debian Linux distribution, with the open-source MATE desktop the default choice for new users. As a platform for security researchers, Parrot Security OS provides a wide array of tools that fit into different categories, including information gathering, vulnerability analysis, database assessment, exploitation tools, password attacks, wireless testing, digital forensics, reverse engineering and reporting tools. One of its more interesting tools is the open-source Kayak car hacking tool that can be used to diagnose a car's CAN (Controller Area Network) bus. In addition, version 3.5 includes the CryptKeeper encrypted folder manager tool, as well as the Metasploit penetration testing framework, which is packed full with 1,627 exploits. For users who want to stay somewhat anonymous while using the system, anonymous web surfing tools are also included in the Linux distribution. In this slide show, eWEEK takes a look at some of the highlights of the Parrot Security OS 3.5 release.

Security Leftovers

  • Security updates for Monday
  • How Android and iOS devices really get hacked
  • Security Expert Bruce Schneier on Regulating IoT

    With the Internet of Things already flexing its muscle and showing its potential to be a security nightmare, has the time come for governments to step into the fray and begin regulating the Internet? Security guru Bruce Schneier thinks that may be an inevitability, and says the development community might want to go ahead and start leading the way to assure that regulations aren't put in place by people who don't understand tech.

    "As everything turns into a computer, computer security becomes 'everything security,'" he explained, "and there are two very important ramifications of that. The first is that everything we know about computer security becomes applicable to everything. The second is the restrictions and regulations that the real world puts on itself are going to come into our world, and I think that has profound implications for us in software and especially in open source."

  • Ioquake3 Pushes Out Important Security Update

    All of those running ioquake3-powered games are encouraged to update their engine installation as soon as possible.

    The developers behind this popular fork of the open-source id Tech 3 engine code have pushed a "large security fix" and all users are encouraged to upgrade prior to connecting to any online servers. Unfortunately, ioquake3 currently doesn't have any auto-update system to make it easy to roll out game engine updates.

Security News

  • The Nintendo Switch already hacked through a known vulnerability?

    It appears that the not-so-well hidden Nintendo Switch browser shipped with a bunch of old vulnerabilities that hackers were able to leverage. Yesterday, hacker qwertyoruiop (known for Jailbreaks of multiple iOS versions, and who also contributed to the PS4 1.76 Jailbreak) posted a screenshot of what seems to be a Webkit exploit running on the Nintendo Switch.

  • Linux: fix an existing bug for 11 years in the Kernel
  • Security, Consumer Reports, and Failure

    As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reason to pick on these guys. They’re quite brave to take this task on, it’s nearly impossible if you think about the state of security (especially consumer security). But this is how things start. There is no industry that has gone from broken to perfect in one step. It’s a long hard road when you have to deal with systemic problems in an industry. Consumer product security problems may be larger and more complex than any other industry has ever had to solve thanks to things such as globalization and how inexpensive tiny computers have become.

Security News

  • Apache Struts Vulnerability Under Attack

    An easy to exploit remote code execution flaw discovered in the widely used open-source Apache Struts 2 framework has been patched, but that's not stopping attackers from attempting to exploit vulnerable systems.

    The open-source Apache Struts 2 technology is a widely used framework component in Java applications and it's currently under attack. The attacks follow the March 6 disclosure by the Struts project for a Remote Code Execution (RCE) vulnerability identified as CVE-2017-5638.

  • An insecure mess: How flawed JavaScript is turning web into a hacker's playground

    An analysis of over 133,000 websites has found that 37 percent of them have at least one JavaScript library with a known vulnerability.

    Researchers from Northeastern University have followed up on research in 2014 that drew attention to potential security risks caused by loading outdated versions of JavaScript libraries, such as jQuery, and the AngularJS framework in the browser.

  • The Big Hack - the Day Cars Drove Themselves Into Walls and the Hospitals Froze

    I have decided to submit a story from the hypothetical future, published by New York Magazine 9 months ago, one that I picked while browsing whatever I missed since my last visit on Schneier on security.

  • Pennsylvania Senate Democrats resist ransom in cyberattack [iophk: "Microsoft on site to prevent defection"]

    Microsoft was doing a forensic audit to try to figure out who penetrated the network and how...

  • Security firm issues patch for another Windows 0-day

    A security firm that issued a patch for a Windows zero-day vulnerability last week has done a repeat, this time for a vulnerability that potentially allows arbitrary remote code execution in Internet Explorer 11.

  • Students to go head to head in cyber games competition [iophk: "cyber, cyber, cyber, cyber, ..."]
  • SCALE 15x Keynote: Karen Sandler - In the Scheme of Things, How Important is Software Freedom?
  • Church of England puts a stop to ransomware with Darktrace

    Attackers certainly were getting in: up until Jennings bumped into Darktrace at a trade show, the Church was being hit with ransomware attacks, as many as three or four in the space of six to eight weeks. In all instances the problem was internal – Jennings admits that IT literacy is not particularly high in the organisation – usually through a malicious email.

  • Australian start-up testing new online voting system [Ed: Another terrible idea; see Vault 7; everything has back doors. Use paper.]

    An Australian start-up that is currently testing what it says is the biggest dry run of an electronic voting system is confident that it can gradually make headway into getting its system taken up in the country.

    XO.1 is in the process of running a 24-hour stress test of its SecureVote system using the bitcoin blockchain network. The test began at 2am AEST this morning.

Security Leftovers

  • Payments Giant Verifone Investigating Breach

    Verifone circled back post-publication with the following update to their statement: “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

  • Terabytes of Government Data Copied [iophk: "they need to publish via bittorrent more often to take out the single point of failure; they need to learn to use torrents from day one of their research"]
  • Millions of websites still using vulnerable SHA-1 certificate

    At least 21 percent of all public websites are using insecure SHA-1 certificates – past the migration deadline and after Google researchers demonstrated a real-world collision attack. And this is without taking into account private or closed networks that also might be using the hash.

  • Widespread Bug Bounty Program Could Help Harden Open Source Security

    One company is adding to its bug bounty program efforts by offering its professional services to the open source community for free. HackerOne’s platform, known as HackerOne Community Edition, will help open source software teams create a comprehensive approach to vulnerability management, including a bug bounty program.

  • Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking

    Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.

    Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers’ security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.

  • Researchers warn augmented mobile and open source = malware opportunity [Ed: Well, and proprietary is never a malware ramp (sarcasm)]

    ESET researchers warn that augmented mobile applications plus open source platforms like Google's open could be a recipe for clever malware to come, in a recent security post.

    Currently, Google only requires developers to make a onetime payment of $25 and within 24 hours they can have an application in the Google Play Store compared to Apple which requires a yearly license which costs more than $100 and a vetting period of up to two weeks.

  • Operation Rosehub patches Java vulnerabilities in open source projects

    Google employees recently completed Operation Rosehub, a grass roots effort that patches a set of serious Java vulnerabilities in thousands of open source projects.

  • [Video] CPU Backdoors Could Allow Government Spying
  • Moving Git past SHA-1 [Ed: no longer behind LWN paywall]

    The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.

  • Linux kernel: CVE-2017-2636: local privilege escalation flaw in n_hdlc
  • Spammergate: The Fall of an Empire

Security News

  • Security updates for Friday
  • Reproducible Builds: week 97 in Stretch cycle
  • Linux says open source more secure than closed, responds to Wikileaks’ claims

    Apple has already released a statement that said the vulnerabilities have already been fixed. Google too has responded to the issue. Linux just released a statement assuring the users that its being open source is safer for most people. The idea is that open source software communities continue to work on securing systems.

  • MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

    To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values.

    In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers.

  • Open source security and ‘hacking robots before skynet’ [Ed: Let's pretend proprietary software is secure and robust, and has zero back doors (we cannot see)]

    In this case, the devices were used to form a botnet and attack other systems, conducting a denial of service attack that made Twitter, Etsy, and other popular sites unavailable to users. This was inconvenient to users, and likely cost revenue for Dyn customers. It was almost certainly costly for Dyn.

Security Leftovers

  • Security updates for Thursday
  • Hardening the LSM API

    The Linux Security Modules (LSM) API provides security hooks for all security-relevant access control operations within the kernel. It’s a pluggable API, allowing different security models to be configured during compilation, and selected at boot time. LSM has provided enough flexibility to implement several major access control schemes, including SELinux, AppArmor, and Smack.

  • Hackers exploit Apache Struts vulnerability to compromise corporate web servers
  • Critical vulnerability under “massive” attack imperils high-impact sites

    The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

  • How Safe Are Blockchains? It Depends.

    Blockchain, the distributed ledger technology underlying bitcoin, may prove to be far more valuable than the currency it supports. But it’s only as valuable as it is secure. As we begin to put distributed ledger technology into practice, it’s important to make sure that the initial conditions we’re setting up aren’t setting us up for security issues later on.

  • Three Overlooked Lessons about Container Security

    Last week was an exciting week for me — I’ve just joined container security specialists Aqua Security and spent a couple of days in Tel Aviv getting to know the team and the product. I’m sure I’m learning things that might be obvious to the seasoned security veteran, but perhaps aren’t so obvious to the rest of us! Here are three aspects I found interesting and hope you will too, even if you’ve never really thought about the security of your containerized deployment before:

Security Leftovers

  • Security updates for Tuesday
  • Security updates for Wednesday
  • Google leads ‘guerilla patching’ of big vulnerability in open source projects

    Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.

    Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability” CVE 2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.

  • Microsoft and Samsung react to Vault 7 CIA leaks -- Google, Linux Foundation and others remain silent

    The Vault 7 document and code cache released yesterday by WikiLeaks revealed that many big software companies were being actively exploited by the CIA. Apple, Microsoft, Google, Samsung, and even Linux were all named as having vulnerabilities that could be used for surveillance.

  • Vault 7 fallout: Linux Foundation says it's "not surprising" Linux is targeted [Ed: "NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux"]

    In the wake of WikiLeaks' Vault 7 CIA leaks, Apple has been quick to point out that vulnerabilities mentioned in the documents have already been addressed. Microsoft and Samsung have said they are "looking into" things, and now the Linux Foundation has spoken out.

    Nicko van Someren, Chief Technology Officer at The Linux Foundation says that while it is "not surprising" that Linux would find itself a target, the open source project has a very fast release cycle, meaning that kernel updates are released every few days to address issues that are found.

  • The Linux Foundation responds to Wikileaks' CIA hacking revelations

    THE LINUX FOUNDATION has become the latest firm to respond to the revelations that its products have been compromised by the CIA.

    Wikileaks on Tuesday published 8,761 documents dubbed 'Year Zero', the first part in a series of leaks on the agency that Wikileaks has dubbed 'Vault 7'.

    The whistleblowing foundation claims the document dump reveals full details of the CIA's 'global covert hacking program', including 'weaponised exploits' used against operating systems including Android, iOS, Linux, macOS, Windows and "even Samsung TVs, which are turned into covert microphones".
