Language Selection

English French German Italian Portuguese Spanish


Security News

Filed under
  • Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier

    Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by built-in and script-defined PowerShell cmdlets. Microsoft's documentation claimed JEA was a security boundary so effective you did not need to worry about an attacker stealing and misusing the credentials of a JEA user.

    But every JEA role capability example I found Microsoft had published had vulnerabilities that could be exploited to obtain complete system administrative rights, most of them immediately, reliably, and without requiring any special configuration. I find it hard to believe most custom role capabilities created by system administrators in the wild are going to be more secure than these, given the track record of the functionally similar features in Linux, the non-obvious nature of vulnerabilities, and the importance of dangerous cmdlets to routine system troubleshooting and maintenance.

    I recommended Microsoft invert what their JEA articles and documentation said about security. Instead of leading with statements that JEA was a security barrier, users with JEA rights should not be considered administrators, and their credentials do not need to be protected like real administrators with a note that this may not be the case if you are not careful; Microsoft's JEA documentation should lead with statements that JEA should not be treated like a security barrier and users with JEA rights and their credentials should be tightly controlled exactly like normal administrators unless the role capabilities have been strictly audited by security professionals. Additionally, the README files and comments of their example role capabilities should start with stern reminders of this.

  • Thousands of internet-connected devices are a security disaster in the making

    The first problem: many IoT devices, like those cameras, are consumer-oriented, which means their owners don't have a security-conscious IT department. "Individuals do not have the purchasing power of a large corporation," says John Dickson, principal of Denim Group, "so they cannot demand security features or privacy protections that a large corporation can of an a product or software vendor."

    PC Pitstop Vice President of Cyber Security Dodi Glenn points out that many IoT purchasers neglect basic security measures, failing to change passwords from obvious defaults. And even if they did want to secure their devices, there are limits to what they can do: "You can't secure these devices with antivirus applications."

  • A SSHowDowN in security: IoT devices enslaved through 12 year old flaw

    In what researchers call the "Internet of Unpatchable Things," a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.

    The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.

  • Microsoft was unable to meaningfully improve the software

    Documents in a class-action lawsuit against Ford and its original MyFord Touch in-vehicle infotainment (IVI) system reveal that the company's engineers and even its top executive were frustrated with the problematic technology.

    The documents from the 2013 lawsuit show Ford engineers believed the IVI, which was powered by the SYNC operating system launched in 2010, might be "unsaleable" and even described a later upgrade as a "polished turd," according to a report in the Detroit News, which was confirmed by Computerworld.

    The SYNC OS was originally powered by Microsoft software. Microsoft continued releasing software revisions it knew were defective, according to the lawsuit.

    "In the spring of 2011, Ford hired Microsoft to oversee revisions, and hopefully the improvement, of the [software]. But ... Microsoft was unable to meaningfully improve the software, and Ford continued releasing revised software that it knew was still defective," the lawsuit states.

    Last week, a U.S. District Court judge certified the case as a class action.

  • Senator wants nationwide, all-mail voting to counter election hacks

    "It's not a question of if you're going to get hacked—it's when you're going to get hacked."

    Those were the words of Verizon CEO Lowell McAdam as he sought to assure investors last week that the company is still interested in purchasing Yahoo despite the massive data breach of Yahoo consumer accounts.

    Whether McAdam's words ring true for the hodgepodge of election systems across the US is anybody's guess. But in the wake of the Obama administration's announcement that the Russian government directed hacks on the Democratic National Committee and other institutions to influence US elections, a senator from Oregon says the nation should conduct its elections like his home state does: all-mail voting.

  • SourceClear Adds Atlassian Stack to Its Open Source Security Platform

    Open source security company SourceClear said it is integrating Atlassian’s suite of developer tools including Bitbucket Pipelines, JIRA Server, JIRA Cloud, and Bamboo into the company’s open source platform. The integration will result in automated security checks being a part of the developer workflow before they ship code.

Security News

Filed under
  • Security updates for Tuesday
  • Systemd and Ubuntu users urged to update to patch Linux flaws

    Linux users should beware of a recently discovered systemd vulnerability that could shut down a system using a command short enough to send in a tweet and Ubuntu users should update to new Linux kernel patches affecting supported operating systems.

    SSLMate founder and Linux administrator Andrew Ayer spotted the bug which has the potential to kill a number of critical commands while making others unstable, according to Betanews.

  • Microsoft: No More Pick-and-Choose Patching

    Adobe and Microsoft today each issued updates to fix critical security flaws in their products. Adobe’s got fixes for Acrobat and Flash Player ready. Microsoft’s patch bundle for October includes fixes for at least five separate “zero-day” vulnerabilities — dangerous flaws that attackers were already exploiting prior to today’s patch release. Also notable this month is that Microsoft is changing how it deploys security updates, removing the ability for Windows users to pick and choose which individual patches to install.

  • Ministry of Defence CIO – defending the data assets of the nation

    An interesting example of knowing what is actually important, such as being ‘secure’ does not mean pulling up drawbridges and never talking. It does seem possible that the MoD has lesson it can teach industry in building security defences in depth, using a wide range of tools, that then map onto the future world of mobile and cloud infrastructures.

Security News

Filed under
  • Security advisories for Monday
  • Crash: how computers are setting us up for disaster

    When a sleepy Marc Dubois walked into the cockpit of his own aeroplane, he was confronted with a scene of confusion. The plane was shaking so violently that it was hard to read the instruments. An alarm was alternating between a chirruping trill and an automated voice: “STALL STALL STALL.” His junior co-pilots were at the controls. In a calm tone, Captain Dubois asked: “What’s happening?”

    Co-pilot David Robert’s answer was less calm. “We completely lost control of the aeroplane, and we don’t understand anything! We tried everything!”

    The crew were, in fact, in control of the aeroplane. One simple course of action could have ended the crisis they were facing, and they had not tried it. But David Robert was right on one count: he didn’t understand what was happening.

    As William Langewiesche, a writer and professional pilot, described in an article for Vanity Fair in October 2014, Air France Flight 447 had begun straightforwardly enough – an on-time take-off from Rio de Janeiro at 7.29pm on 31 May 2009, bound for Paris. With hindsight, the three pilots had their vulnerabilities. Pierre-Cédric Bonin, 32, was young and inexperienced. David Robert, 37, had more experience but he had recently become an Air France manager and no longer flew full-time. Captain Marc Dubois, 58, had experience aplenty but he had been touring Rio with an off-duty flight attendant. It was later reported that he had only had an hour’s sleep.

    Fortunately, given these potential fragilities, the crew were in charge of one of the most advanced planes in the world, an Airbus 330, legendarily smooth and easy to fly. Like any other modern aircraft, the A330 has an autopilot to keep the plane flying on a programmed route, but it also has a much more sophisticated automation system called fly-by-wire. A traditional aeroplane gives the pilot direct control of the flaps on the plane – its rudder, elevators and ailerons. This means the pilot has plenty of latitude to make mistakes. Fly-by-wire is smoother and safer. It inserts itself between the pilot, with all his or her faults, and the plane’s mechanics. A tactful translator between human and machine, it observes the pilot tugging on the controls, figures out how the pilot wanted the plane to move and executes that manoeuvre perfectly. It will turn a clumsy movement into a graceful one.

  • Canonical Patches New Linux Kernel Vulnerabilities in All Supported Ubuntu OSes

    Today, October 11, 2016, Canonical published several security advisories to inform Ubuntu users about new Linux kernel updates for their supported operating systems.

    Four new kernel vulnerabilities are affecting Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 14.04 LTS (Trusty Tahr) or later versions, and three the Ubuntu 12.04 LTS (Precise Pangolin) series of operating systems. They are also affecting the Ubuntu 16.04 LTS for Raspberry Pi 2 kernel.

    The first security flaw is an unbounded recursion in Linux kernel's VLAN and TEB Generic Receive Offload (GRO) processing implementations, which could have allowed a remote attacker to crash the system through a denial of service or cause a stack corruption. It was discovered by Vladimír Beneš and affects Ubuntu 16.04 and 14.04.

Security Leftovers

Filed under
  • How 'Security Fatigue' Affects Our Choices Online

    A new study claims many users suffer from 'security fatigue,' which affects the choices we make online. What's the real answer and where does the root cause sit?
    An overabundance of security news and alerts has led to "security fatigue," which is causing users to make bad choices when it comes to online security, suggests a report from the National Institute of Standards and Technology (NIST).

  • Apache Milagro: A New Security System for the Future of the Web
  • Ransomware hackers are hitting the NHS in the knackers [ophk: "politicians’ heads should roll for running MS anywhere near the NHS”]

    Rashmi Knowles, chief EMEA security architect at RSA, said: "Ransomware is an extremely lucrative business for cyber criminals as once they are in they just need to encrypt the data. Whereas actually stealing data and then trying to resell makes it a much longer process.

    "Current data shows that ransomware cases are expected to double from 2015 to 2016, and it should come as no surprise that breaches continue to happen as frequently as they do.

    "The results show organisations relying on a fragmented foundation of data and technologies. Because it remains siloed, visibility is incomplete, making attacker activity difficult to scope.

    "As a result the speed with which they can detect and investigate threats becomes a real challenge."

The top three Wi-Fi pen testing tools in Kali Linux

Filed under

Every hacker and security researcher loves Kali Linux. The developers of Kali Linux ethical hacking distro have released the second Kali Rolling ISO release i.e. Kali 2016.2. Just like the previous one, Kali promises to deliver lots of new updates and changes in this release. Over the course of past few months, Kali developers have been busy adding new tools to Kali and fixing multiple bugs. For example, they have added HTTPS support in busybox that allows secure installation over SSL.

Kali Linux provides you the flexibility to install your favorite desktop environment and personalizing your experience. However, Kali developers note that users often talk about how they would love to see another desktop environments instead of GNOME.

Read more

Security News

Filed under
  • One election-system vendor uses developers in Serbia

    The use of proprietary systems in elections has its critics. One Silicon Valley group, the Open Source Election Technology Foundation, is pushing for an election system that shifts from proprietary, vendor-owned systems to one that that is owned "by the people of the United States."

  • Europe to Push New Security Rules Amid IoT Mess

    The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

  • Internet of Things botnets: You ain’t seen nothing yet

    Internet of Things (IoT) botnet "Mirai" is the shape of things to come and future assaults could be even more severe, a leading security research firm warns.

    Mirai powered the largest ever DDoS attack ever, spawning a 620Gbps DDoS against KrebsOnSecurity. Source code for the malware was released on hacker forums last week.

    The malware relied on factory default or hard-coded usernames and passwords to compromise vulnerable IoT devices such as insecure routers, IP cameras, digital video recorders and the like.

    PenTestPartners, the UK security consultancy behind numerous hack on Iot devices ranging from Wi-Fi enabled kettles to cars, said that the botnet finally illustrates the consequences of IoT vendors cutting the corners on security.

Security News

Filed under
  • Security advisories for Friday
  • surveillance, whistleblowing, and security engineering

    Imagine for a moment that you are a security engineer who discovers a backdoor that your company execs have been trying to hide from your team. Would you quit on ethical grounds or stay so that you can prevent this from happening again? I don’t think there is one right answer. Personally I am grateful both for those who left and blew the whistle, and for those who stayed to protect Yahoo’s 800 million users.

    Part of the job function of security engineers and pen testers is being ready for the moment you encounter something that you think should be disclosed but your company wants to keep secret. Think about what you would be willing to lose. Be prepared to escalate internally. Know the terms of your NDA and your exit agreement; try your best to honor them. Most of all, keep pushing for end-to-end encryption.

  • Digital Vigilantes Want to Shame DDoS Attackers And Their Corporate Enablers

    Hacker attacks that try to take down websites with a flood of bogus traffic, technically known as Distributed Denial of Service (DDoS) attacks, have become a daily occurrence on the internet. The rise of DDoS has created a cottage industry of companies dedicated to mitigating the attacks, and, on the flip side, professional DDoS-for-hire services and gangs.

    Now, a group of security researchers wants to name and shame not only the hackers responsible for such crippling attacks, but also the internet providers and traffic carriers that enable them by turning a blind eye to their actions, with a project called SpoofIT.

  • Russia Drafting Law to Favor Open Source

    I wrote the original cyber-vulnerability letter to the White House in 1994, and instead of acting responsibly, the US Government allowed NSA -- with the active complicty of US communicaitons and computing provider CEOs -- to compromise all US offerings. Not only are the communications and computing devices and related consulting compromised, but so are larger offerings (e.g. Boeing aircraft, which come with a computer system pre-configured for US Government remote control take-over -- Lufthansa is reported to have discovered this and at great expense removed all US computers from every aircraft). NOTE: I am quite certain about both of the above indictments, but only a proper European Commission investigation can satisfy the public interest; I believe that the same problems infect C4I systems from China, France, Israel, and Russia, and I do not believe most people are aware that the electrical system is now easily used to enter computers that are nominally disconnected from the Internet.

  • Systemd vulnerability crashes Linux systems

    A new vulnerability has been discovered that could shut down most Linux systems using a command short enough to fit in a tweet.

Security Leftovers

Filed under
  • Promoting Cybersecurity Awareness

    We are happy to support National Cyber Security Awareness Month (NCSAM), a global effort between government and industry to ensure everyone has the resources they need to be safer, more secure and better able to protect their personal information online.

    We’ve talked about how cybersecurity is a shared responsibility, and that is the theme for National Cybersecurity Awareness Month – the Internet is a shared resource and securing it is our shared responsibility. This means technology companies, governments, and even users have to work together to protect and improve the security of the Internet. We all have to do our part to make the Internet safer and more secure for everyone. This is a time for all Internet users to Stop. Think. Connect. This month, and all year long, we want to help you be more “CyberAware.”

  • 'Security fatigue' is the worst thing to happen to people since insecurity

    CHANGING PASSWORDS is just too much for some people, according to research, and causes them to do stupid things.

    This is called 'security fatigue', apparently, and comes straight from the National Institute of Standards and Technology (NIST) and a collection of clipboards and pens.

    "After updating your password for the umpteenth time, have you resorted to using one you know you'll remember because you've used it before? Have you ever given up on an online purchase because you just didn't feel like creating a new account?" asked NIST.

    "If you have done any of those things, it might be the result of ‘security fatigue'. It exposes online users to risk and costs businesses money in lost customers."

  • The new BYOD backlash hides an ulterior motive

    Recent research from IDC shows a clear picture: IT organizations are increasingly unhappy about BYOD and now want to curtail or end the practice.

    Their stated concern: The costs are too high and the savings too low. But those concerns are misguided and likely masking a secret agenda to regain control over mobile devices, not to save money. Face it: BYOD was never popular with IT.

Security News

Filed under

First pfSense 2.3.2 Update Adds OpenSSL Security Fixes to the BSD-Based Firewall

Filed under

Today, October 6, 2016, Jim Thompson from the pfSense project has had the great pleasure of announcing the release and immediate availability of the pfSense 2.3.2-p1 maintenance update to the open source BSD-based firewall distro.

Read more

Syndicate content

More in Tux Machines

Linux 4.8.4

I'm announcing the release of the 4.8.4 kernel. And yeah, sorry about the quicker releases, I'll be away tomorrow and as they seem to have passed all of the normal testing, I figured it would be better to get them out earlier instead of later. And I like releasing stuff on this date every year... All users of the 4.8 kernel series must upgrade. The updated 4.8.y git tree can be found at: git:// linux-4.8.y and can be browsed at the normal git web browser: Read more Also: Linux 4.7.10 Linux 4.4.27

New Releases: Budgie, Solus, SalentOS, and Slackel

  • Open-Source Budgie Desktop Sees New Release
    The pet parakeet of the Linux world, Budgie has a new release available for download. in this post we lookout what's new and tell you how you can get it.
  • Solus Linux Making Performance Gains With Its BLAS Configuration
    - Those making use of the promising Solus Linux distribution will soon find their BLAS-based workloads are faster. Solus developer Peter O'Connor tweeted this week that he's found some issues with the BLAS linking on the distribution and he's made fixes for Solus. He also mentioned that he uncovered these BLAS issues by using our Phoronix Test Suite benchmarking software.
  • SalentOS “Luppìu” 1.0 released!
    With great pleasure the team announces the release of SalentOS “Luppìu” 1.0.
  • Slackel "Live kde" 4.14.21
    This release is available in both 32-bit and 64-bit architectures, while the 64-bit iso supports booting on UEFI systems. The 64-bit iso images support booting on UEFI systems. The 32-bit iso images support both i686 PAE SMP and i486, non-PAE capable systems. Iso images are isohybrid.

Security News

  • Free tool protects PCs from master boot record attacks [Ed: UEFI has repeatedly been found to be both a detriment to security and enabler of Microsoft lock-in]
    Cisco's Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks. The tool, called MBRFilter, functions as a signed system driver and puts the disk's sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub. The master boot record (MBR) consists of executable code that's stored in the first sector (sector 0) of a hard disk drive and launches the operating system's boot loader. The MBR also contains information about the disk's partitions and their file systems. Since the MBR code is executed before the OS itself, it can be abused by malware programs to increase their persistence and gain a head start before antivirus programs. Malware programs that infect the MBR to hide from antivirus programs have historically been known as bootkits -- boot-level rootkits. Microsoft attempted to solve the bootkit problem by implementing cryptographic verification of the bootloader in Windows 8 and later. This feature is known as Secure Boot and is based on the Unified Extensible Firmware Interface (UEFI) -- the modern BIOS.
  • DDOS Attack On Internet Infrastructure
    I hope somebody's paying attention. There's been another big DDOS attack, this time against the infrastructure of the Internet. It began at 7:10 a.m. EDT today against Dyn, a major DNS host, and was brought under control at 9:36 a.m. According to Gizmodo, which was the first to report the story, at least 40 sites were made unreachable to users on the US East Coast. Many of the sites affected are among the most trafficed on the web, and included CNN, Twitter, PayPal, Pinterest and Reddit to name a few. The developer community was also touched, as GitHub was also made unreachable. This event comes on the heels of a record breaking 620 Gbps DDOS attack about a month ago that brought down security expert Brian Krebs' website, KrebsonSecurity. In that attack, Krebs determined the attack had been launched by botnets that primarily utilized compromised IoT devices, and was seen by some as ushering in a new era of Internet security woes.
  • This Is Why Half the Internet Shut Down Today [Update: It’s Getting Worse]
    Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.
  • Major DNS provider Dyn hit with DDoS attack
    Attacks against DNS provider Dyn continued into Friday afternoon. Shortly before noon, the company said it began "monitoring and mitigating a DDoS attack" against its Dyn Managed DNS infrastructure. The attack may also have impacted Managed DNS advanced service "with possible delays in monitoring."
  • What We Know About Friday’s Massive East Coast Internet Outage
    Friday morning is prime time for some casual news reading, tweeting, and general Internet browsing, but you may have had some trouble accessing your usual sites and services this morning and throughout the day, from Spotify and Reddit to the New York Times and even good ol’ For that, you can thank a distributed denial of service attack (DDoS) that took down a big chunk of the Internet for most of the Eastern seaboard. This morning’s attack started around 7 am ET and was aimed at Dyn, an Internet infrastructure company headquartered in New Hampshire. That first bout was resolved after about two hours; a second attack began just before noon. Dyn reported a third wave of attacks a little after 4 pm ET. In all cases, traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system. Late in the day, Dyn described the events as a “very sophisticated and complex attack.” Still ongoing, the situation is a definite reminder of the fragility of the web, and the power of the forces that aim to disrupt it.
  • Either IoT will be secure or the internet will be crippled forever
    First things first a disclaimer. I neither like nor trust the National Security Agency (NSA). I believe them to be mainly engaged in economic spying for the corporate American empire. Glenn Greenwald has clearly proven that in his book No Place to Hide. At the NSA, profit and power come first and I have no fucking clue as to how high they prioritize national security. Having said that, the NSA should hack the Internet of (insecure) Things (IoT) to death. I know Homeland Security and the FBI are investigating where the DDoS of doomsday proportions is coming from and the commentariat is already screaming RUSSIA! But it is really no secret what is enabling this clusterfuck. It’s the Mirai botnet. If you buy a “smart camera” from the Chinese company Hangzhou XiongMai Technologies and do not change the default password, it will be part of a botnet five minutes after you connect it to the internet. We were promised a future where we would have flying cars but we’re living in a future where camera’s, light-bulbs, doorbells and fridges can get you in serious trouble because your home appliances are breaking the law.
  • IoT at the Network Edge
    Fog computing, also known as fog networking, is a decentralized computing infrastructure. Computing resources and application services are distributed in logical, efficient places at any points along the connection from the data source (endpoint) to the cloud. The concept is to process data locally and then use the network for communicating with other resources for further processing and analysis. Data could be sent to a data center or a cloud service. A worthwhile reference published by Cisco is the white paper, "Fog Computing and the Internet of Things: Extend the Cloud to Where the Things Are."
  • Canonical now offers live kernel patching for Ubuntu 16.04 LTS users
    Canonical has announced its ‘Livepatch Service’ which any user can enable on their current installations to eliminate the need for rebooting their machine after installing an update for the Linux kernel. With the release of Linux 4.0, users have been able to update their kernel packages without rebooting, however, Ubuntu will be the first distribution to offer this feature for free.
  • ​The Dirty Cow Linux bug: A silly name for a serious problem
    Dirty Cow is a silly name, but it's a serious Linux kernel problem. According to the Red Hat bug report, "a race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
  • Ancient Privilege Escalation Bug Haunts Linux
  • October 21, 2016 Is Dirty COW a serious concern for Linux?
  • There is a Dirty Cow in Linux
  • Red Hat Discovers Dirty COW Archaic Linux Kernel Flaw Exploited In The Wild
  • Linux kernel bug being exploited in the wild
  • Update Linux now: Critical privilege escalation security flaw gives hackers full root access
  • Linux kernel bug: DirtyCOW “easyroot” hole and what you need to know
  • 'Most serious' Linux privilege-escalation bug ever discovered
  • New 'Dirty Cow' vulnerability threatens Linux systems
  • Serious Dirty Cow Linux Vulnerability Under Attack
  • Easy-to-exploit rooting flaw puts Linux PCs at risk
  • Linux just patched a vulnerability it's had for 9 years
  • Dirty COW Linux vulnerability has existed for nine years
  • 'Dirty Cow' Linux Vulnerability Found
  • 'Dirty Cow' Linux Vulnerability Found After Nine Years
  • FakeFile Trojan Opens Backdoors on Linux Computers, Except openSUSE
    Malware authors are taking aim at Linux computers, more precisely desktops and not servers, with a new trojan named FakeFile, currently distributed in live attacks. Russian antivirus vendor Dr.Web discovered this new trojan in October. The company's malware analysts say the trojan is spread in the form of an archived PDF, Microsoft Office, or OpenOffice file.

today's howtos