Security Leftovers

Filed under
Security
  • Let's Encrypt Reaches 2,000,000 Certificates

    Earlier today, the Let's Encrypt certificate authority issued its two millionth certificate, less than two months after the millionth certificate. As we noted when the millionth certificate was issued, each certificate can cover several web sites, so the certificates Let's Encrypt has issued are already protecting millions and millions of sites.

  • Hackers Make This Search Engine Out Of 70 Million Voters’ Data

    Did you ever imagine easily browsable hacked data being available to the public, and that too in the form of a search engine? Well, here is one of those interesting hacking cases where hackers made a search engine out of the hacked data of 70 million citizens of the Philippines, and anyone can easily search for everybody else.

  • How Big Is Your Target?

    In his 2014 TED presentation Cory Doctorow compares an open system of development to the scientific method and credits the methods for bringing mankind out of the dark ages. Tim Berners-Lee has a very credible claim to patent the technology that runs the internet, but instead has championed its open development. This open development has launched us forward into a brave new world. Nearly one third of all internet traffic rides on just one openly developed project. Its place of dominance may be unsure as we approach a world with cybersecurity headlines. Those headlines do much to feed the industry of fear resulting in government efforts to close doors on open source efforts.

    This paper is a qualitative theoretical discussion regarding cyber security and open source solutions written in three parts. Its goal is to demonstrate that the use of open source technologies reduces vulnerability to cyber attacks. The first part of this paper identifies the difficulties in presenting a software consideration model capable of illustrating the full spectrum of expectations for the performance of today’s code. Previous models merely address basic requirements for execution namely security, functionality & usability. While these aspects are important they fail to take into account modern requirements for maintenance, scalability, price, reliability and accessibility of software. This part of the paper modernizes the model developed by Andrew Waite and presents a clear model for software discussion.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • libressl - more vague promises

    There hasn’t been a lot of noise coming out of the LibreSSL camp recently. Mostly there’s not much to report, so any talks or presentations will recover a lot of the same material. But it’s an election year, and in that spirit, we can look back at some promises previously made and hopefully make a few new ones.

  • My OpenWrt Tor configuration

    In my previous article I shared my thoughts on running Tor on the router. I described an ideal Tor router configuration and argued that having Tor on the router benefits both security and usability.

    This article is about that ideal Tor router configuration. How did I configure my router, and why did I choose the configuration? The interesting part is that it really is “just configuration”. No programming involved. Even more interesting, it's easy too!

Security Leftovers

Filed under
Security
  • April security sensationalism and FUD

    If you happen to follow the security scene, you must have noticed a lot of buzz around various security issues discovered this month. Namely, a critical vulnerability in the Microsoft Graphics Component, as outlined in the MS16-039 bulletin, stories and rumors around something called the Badlock bug, and risks associated with using Firefox add-ons. All well and good, except it's nothing more than clickbait hype nonsense.

    Reading the articles fueled my anger to such heights that I had to wait a day or two before writing this piece. Otherwise, it would have just been venom and expletives. But it is important to express myself and protect the Internet users from the torrent of pointless, amateurish, sensationalist wanna-be hackerish security diarrhea that has been produced this month. Follow me.

  • DRAM bitflipping exploits that hijack computers just got easier
  • PacketFence v6.0 released

    The Inverse team is pleased to announce the immediate availability of PacketFence 6.0. This is a major release with new features, enhancements and important bug fixes. This release is considered ready for production use and upgrading from previous versions is strongly advised.

  • [Old] The Athens Affair

    How some extremely smart hackers pulled off the most audacious cell-network break-in ever

  • Write opinionated workarounds

    A few years ago, I decided that I should aim for my code to be as portable as possible. This generally meant targeting POSIX; in some cases I required slightly more, e.g., "POSIX with OpenSSL installed and cryptographic entropy available from /dev/urandom". This dedication made me rather unusual among software developers; grepping the source code for the software I have installed on my laptop, I cannot find any other examples of code with strictly POSIX compliant Makefiles, for example. (I did find one other Makefile which claimed to be POSIX-compatible; but in actual fact it used a GNU extension.) As far as I was concerned, strict POSIX compliance meant never having to say you're sorry for portability problems; if someone ran into problems with my standard-compliant code, well, they could fix their broken operating system.

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Security advisories for Wednesday
  • Red Hat Product Security Risk Report: 2015

    This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues.

    Our methodology is to look at how many vulnerabilities we addressed and their severity, then look at which issues were of meaningful risk, and which were exploited. All of the data used to create this report is available from public data maintained by Red Hat Product Security.

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • DHS CIO walks back staff comments on open source

    Some IT professionals at the Department of Homeland Security raised eyebrows over recent comments on GitHub that suggested a proposed federal open-source policy could result in the "mafia having a copy of all FBI system code" or could give terrorists "access to air traffic control software." The comments were attributed to the CIO's office.

    However, DHS CIO Luke McCormack has since filed his own official comments, noting that "prior comments do not represent DHS policy or views."

  • Microsoft PowerShell — Hackers’ New Favorite Tool For Coding Malware

    You might not know it, but PowerShell, the ubiquitous force running behind the Windows environment, is slowly becoming a secure way for attackers to hide their malicious activities. Unfortunately, at the moment, there’s no technical method of distinguishing between malicious and good PowerShell source code.

  • MIT reveals AI platform which detects 85 percent of cyberattacks

    Today's cybersecurity professionals face daunting tasks: protecting enterprise networks from threats as best they can, damage limitation when data breaches occur, cyberforensics and documenting the evolution and spread of digital attacks and malware across the world.

Kali Linux Rolling Release — Best Features That Make It The Best OS For Ethical Hackers

Filed under
GNU
Linux
Security

Kali Linux, a hacker’s favorite operating system, is now available in its first Rolling release. This release ensures that you are always using the latest and best tools for pen-testing purposes. The first Kali Linux Rolling release also brings a Kali Linux Package Tracker tool and changes the way VMware guest tools are installed. You can read more about the features below and use the links for downloading Kali Linux Rolling 2016.1 ISO files and torrents.

Security Leftovers

Filed under
Security
  • Flaw-finding Ruby on Rails bot steams past humans
  • Future of secure systems in the US

    Security and privacy are important to many people. Given the personal and financial importance of data stored in computers (traditional or mobile), users don’t want criminals to get a hold of it. Companies know this, which is why both Apple iOS and Google Android encrypt their local file systems by default now. If a bill anything like what’s been proposed becomes law, users that care about security are going to go elsewhere. That may end up being non-US companies’ products, or US companies may shift operations to localities more friendly to secure design. Either way, the US tech sector loses. A more accurate title would have been the Technology Jobs Off-Shoring Act of 2016.

  • Software end of life matters!

    Anytime you work on a software project, the big events are always new releases. We love to get our update and see what sort of new and exciting things have been added. New versions are exciting, they're the result of months or years of hard work. Who doesn't love to talk about the new cool things going on?

  • JBOSS Backdoor opens 3 million servers at risk of attacks

Security Leftovers

Filed under
Security
  • Backdoor in JBoss Java Platform Puts 3.2 Million Servers at Risk
  • Let's Encrypt: threat or opportunity to other certificate authorities?

    Let's Encrypt is a certificate authority (CA) that just left beta stage and that provides domain name-validated (DV) X.509 certificates for free and in an automated way: users just have to run a piece of software on their server to get and install a certificate, resulting in a valid TLS setup.

  • Making it easier to deploy TPMTOTP on non-EFI systems

    On EFI systems you can handle this by sticking the secret in an EFI variable (there's some special-casing in the code to deal with the additional metadata on the front of things you read out of efivarfs). But that's not terribly useful if you're not on an EFI system. Thankfully, there's a way around this. TPMs have a small quantity of nvram built into them, so we can stick the secret there. If you pass the -n argument to sealdata, that'll happen. The unseal apps will attempt to pull the secret out of nvram before falling back to looking for a file, so things should just magically work.

  • Badlock Vulnerability Falls Flat Against Its Hype

    Weeks of anxiety and concern over the Badlock vulnerability ended today with an anticlimactic thud.

  • Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases Available for Download
  • The Internet of bricks

    One of the promises of the "Internet of things" is that it gives us greater control over our homes, gadgets, and more. Free software also offers that sort of promise, along with the idea that, if necessary, we can support our own gadgetry when the manufacturer moves on to some new shiny object. The currently unfolding story of the Revolv hub shows that, in many cases, these promises are empty. The devices we depend on and think we own can, in fact, be turned into useless bricks at the manufacturer's whim.

    The Revolv "M1" home-automation hub was one of many products designed to bring home control to the Internet. It is able to control lights, heating, and more, all driven by smartphone-based applications. The product was sufficiently successful to catch the eye of the business-development folks at Nest, who acquired the company; Nest was acquired in turn by Google, and is now a separate company under the "Alphabet" umbrella.

  • Underwriters Labs refuses to share new IoT cybersecurity standard

    UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification. But there's a problem: UL's refusal to freely share the text of the new standard with security researchers leaves some experts wondering if UL knows what they're doing.

    When Ars requested a copy of the UL 2900 docs to take a closer look at the standard, UL (formerly known as Underwriters Laboratories) declined, indicating that if we wished to purchase a copy—retail price, around £600/$800 for the full set—we were welcome to do so. Independent security researchers are also, we must assume, welcome to become UL retail customers.

  • Combined malware threat is robbing banks of millions every day

    THE SECURITY attack dogs at IBM have uncovered two normally solo malware threats working together to rob banks in the US and Canada.

    IBM's X-Force division has dubbed the combined malware Stealma and Louise GozNym by merging the names of the individual, but now friendly, Gozi ISFB and Nymaim.

    "It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 US and Canadian banks, stealing millions of dollars so far," said IBM in a blog post.
