Security

Security: AWS, Disqus, Drone Program

Filed under
Security
  • Forget stealing data — these hackers broke into Amazon's cloud to mine bitcoin

    A report from the security intelligence group RedLock found at least two companies which had their AWS cloud services compromised by hackers [sic] who wanted nothing more than to use the computer power to mine the cryptocurrency bitcoin. The hackers [sic] ultimately got access to Amazon's cloud servers after discovering that their administration consoles weren't password protected.

  • Disqus discovers hack [sic] of 17.5m user details after five years

    The biggest Web comment hosting service Disqus was breached in 2012 but the company only knew of it last week, according to an announcement made on Friday.

  • A Mysterious Virus Has Infiltrated America's Drone Program

    There’s something deeply wrong at Creech Air Force Base, the notorious home of America’s drone program, where pilots remotely order US Reaper and Predator drones to unleash destructive missile strikes on unsuspecting villagers in Yemen, Libya, Iraq, Syria, Afghanistan and other war zones.

    Less than a week after the Department of Homeland Security advised all federal agencies using anti-virus software created by Kaspersky Labs to remove the programs from their systems immediately, Ars Technica reports that two weeks ago the Defense Information Systems Agency detected mysterious spyware embedded in the drone “cockpits” – the control stations that pilots use to control the deadly machines.

Security: FireEye, Disqus, EFF on Apple

Filed under
Security
  • FireEye Warns of Expanding FormBook Malware Attacks

    "Because of the affiliate model (or Malware-as-a-Service) set up and its open availability on the web, it is difficult to determine the attack origins, and could be attributed to anyone who has subscribed to the service," Randi Eitzman, FireEye Analyst, told eSecurityPlanet.

    FormBook is being distributed via different document formats, including PDF, DOC and archive files that have some form of download link, macro or executable payload.

  • Disqus hacked [sic]: More than 17.5 million users' details stolen by hackers in 2012 data breach

    About a third of the compromised accounts contained passwords that were salted and hashed using the weak SHA-1 algorithm. Disqus said the exposed user data dates back to 2007 with the most recent data exposed from July 2012.

  • iOS 11’s Misleading “Off-ish” Setting for Bluetooth and Wi-Fi is Bad for User Security

    Turning off your Bluetooth and Wi-Fi radios when you’re not using them is good security practice (not to mention good for your battery usage). When you consider Bluetooth’s known vulnerabilities, it’s especially important to make sure your Bluetooth and Wi-Fi settings are doing what you want them to. The iPhone’s newest operating system, however, makes it harder for users to control these settings.

    On an iPhone, users might instinctively swipe up to open Control Center and toggle Wi-Fi and Bluetooth off from the quick settings. Each icon switches from blue to gray, leading a user to reasonably believe they have been turned off—in other words, fully disabled. In iOS 10, that was true. However, in iOS 11, the same setting change no longer actually turns Wi-Fi or Bluetooth “off.”

    Instead, what actually happens in iOS 11 when you toggle your quick settings to “off” is that the phone will disconnect from Wi-Fi networks and some devices, but remain on for Apple services. Location Services is still enabled, Apple devices (like Apple Watch and Pencil) stay connected, and services such as Handoff and Instant Hotspot stay on. Apple’s UI fails to even attempt to communicate these exceptions to its users.

IPFire 2.19 - Core Update 114 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 114. It brings some changes under the hood and modernises the base system. On top of that, minor issues are being fixed and some packages have been updated.


Security: Updates, Apple APFS Passwords, WordPress, Microsoft FUD, and Internet of Broken Things

Filed under
Security
  • Security updates for Friday
  • Apple fixes Keychain vulnerability, but only in macOS High Sierra

    The zero-day vulnerability in macOS's Keychain has been addressed by Apple, along with some other issues in High Sierra. But other recent versions of the operating system are still vulnerable.

  • macOS High Sierra bug exposes APFS passwords in plain text

    A Brazilian software developer has uncovered a bug in Apple's macOS High Sierra software that exposes the passwords of encrypted Apple File System (APFS) volumes in plain text.

  • The September 2017 WordPress Attack Report

    This edition of the WordPress Attack Report is a continuation of the monthly series we’ve been publishing since December 2016. Reports from the previous months can be found here.

    This report contains the top 25 attacking IPs for September 2017 and their details. It also includes charts of brute force and complex attack activity for the same period, along with a new section revealing changes to the Wordfence real-time IP blacklist throughout the month. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

  • Step aside, Windows! Open source and Linux are IT’s new security headache [Ed: Microsoft propagandist Preston Gralla is back from the woods. The typical spin, lies. Deflection. Windows has back doors.]
  • Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things

    At this point we've pretty well documented how the "internet of things" is a privacy and security dumpster fire. Whether it's tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn't be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard to user privacy -- posing a potentially fatal threat to us all.

Security: Forseti, Updates, FormBook, Kaspersky, and APFS

Filed under
Security

Security: India's Internet, Equifax, and Yahoo!

Filed under
Security

Security: RoboCyberWall, Updates, Dnsmasq, SEC, and Yahoo!

Filed under
Security
  • RoboCyberWall Aims to Block Linux Server Hacks [Ed: ad disguised as an article]
  • Security updates for Wednesday
  • Google Patches Open-Source Flaw, Requires TLD Encryption

    Google has made a couple of notable moves on the security front this week: One, it has patched flaws in a DNS software package known as Dnsmasq; and two, it said it would start requiring encryption for 45 top-level domains (TLDs) that it controls as a registrar.

    Dnsmasq, an open-source package, is widely installed in desktop Linux distributions (like Ubuntu), home routers and IoT devices, and provides functionality for serving DNS, DHCP, router advertisements and network boot. Google discovered seven distinct issues within the kit: three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5.

  • SEC hack came as internal security team begged for funding

    Last month, the Securities and Exchange Commission revealed a 2016 breach of a test system that allowed an unknown party to get access to unpublished corporate information in the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The breach potentially allowed the bad actors to profit from trades based on the information. SEC Chairman Jay Clayton revealed the extent of that breach in a policy statement on the importance of the commission's cyber-security mission. But just a few months before the SEC discovered the initial breach last year, as Reuters reports, members of the SEC's own internal digital forensics and security team wrote a letter bemoaning the lack of support they received from the agency's Office of Information Technology and SEC leadership.

  • Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.

    Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it's always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo's email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.

Security: Yahoo 'Search Secrets', Breach Secrets, Bluetooth Woes, and Phishing

Filed under
Security
  • Yahoo Reveals Its Search Secrets, Vespa Tool is Now Available as Open Source

    Oath Inc., the Verizon company that has owned Yahoo since June, announced that Vespa is now available as open source on GitHub. According to a company blog post, making the big data processing and serving engine open source is a step further in Oath’s commitment to opening up its big data infrastructure to developers.

  • If you have a Yahoo account, do this now

    The company, which along with AOL is now part of a Verizon subsidiary called Oath, disclosed Tuesday that a 2013 hack had potentially stolen the information of all of its 3 billion users at the time — or triple the number of vulnerable users it had earlier reported.

  • Yahoo revises number of hacked accounts from 500,000,000 to 3,000,000,000

    Just over a year ago, Yahoo admitted that it had been hacked in 2013, and estimated that 500 million accounts had been compromised (the company blamed state-sponsored actors, and federal prosecutors have indicted two Russian spies for ordering the operation). Now the company has admitted that all three billion of its accounts were affected.

  • Yahoo Says All 3 Billion Accounts Hacked in 2013 Data Theft

    Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications.

  • Bluetooth sex toys are trivial to compromise just by walking around neighborhoods

    Lomas demonstrated the attack by wandering the streets of Berlin, compromising Lovesense Hush buttplugs. He also demonstrated that he could attack and compromise his father's BLE-enabled hearing aid, controlling what sound was played, allowing him to put voices in his father's head, or selectively alter his hearing.

  • Screwdriving. Locating and exploiting smart adult toys

    It’s hopefully well known by now that Bluetooth’s baby brother, BLE, isn’t exactly stellar when it comes to security. What you save in battery life and complexity comes at the price of easy discoverability and exploitability. Whilst BLE does have support for security, it is rarely implemented. When it is implemented it’s often done poorly.

  • Councils attacked over email ‘phishing’

    Banks and other financial institutions, including PayPal and Ebay, have been targeted frequently by crooks, as has the government’s tax collection agency HMRC - which often appears to be the source of emails promising lucrative tax rebates.

    But the government’s National Cyber Security Centre, which is part of GCHQ, has said that fewer than five per cent of other public sector organisations have taken sufficient steps to prevent similar attacks, by using the validation protocol known as DMARC.

OpenSSH 7.6 and FreeBSD 10.4

Filed under
Software
Security
BSD

Security: Updates, Reproducible Builds, Dnsmasq, Leaks, Kaspersky, and Linux LTS

Filed under
Security