Security Leftovers

Filed under
Security
  • Friday's security updates
  • Room for Application Security Improvement

    Using open source components is a common software development practice; just how common, however, may come as a surprise -- even a shock -- to some. The average organization uses 229,000 open source components a year, according to research by Sonatype, a provider of software development lifecycle solutions that manages a Central Repository of these components for the Java development community.

    There were 31 billion requests for downloads from the repository in 2015, up from 17 billion in 2014, according to Sonatype.

    The number "blows people's minds," said Derek Weeks, a VP and DevOps advocate at Sonatype. "The perspective of the application security professional or DevOps security professional or open source governance professional is, 'This really changes the game. If it were 100, I could control that, but if it is 200,000 the world has changed.'"

  • Ubuntu Forums Suffer Data Breach; Credit Goes to SQL Flaw

Ubuntu Forums Cracked. Again.

Filed under
Security
Ubuntu

Security Leftovers

Filed under
Security

Canonical Patches Linux Kernel Vulnerability in All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Today, July 14, 2016, Canonical published multiple security notices to inform users of the Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 LTS (Trusty Tahr) and Ubuntu 15.10 (Wily Werewolf) operating systems about the availability of a new kernel update.

Changes in Tor

Filed under
OSS
Security

Security News

Filed under
Security
  • David A. Wheeler: Working to Prevent the Next Heartbleed

    The Heartbleed bug revealed that some important open source projects were so understaffed that they were unable to properly implement best security practices. The Linux Foundation’s Core Infrastructure Initiative, formed to help open source projects adopt these practices, uses a lot of carrot and very little stick.

  • The First iPhone Hacker Shows How Easy It Is To Hack A Computer

    Viceland is known for its extensive security-focused coverage and videos. In the latest CYBERWAR series, it’s showing us different kinds of cyber threats present in the world around us. From the same series, recently, we covered the story of an ex-NSA spy that showed us how to hack a car.

    In another spooky addition to the series, we got to see how easily the famous iPhone hacker George Hotz hacked a computer.

    George Hotz, also known as geohot, is the American hacker known for unlocking the iPhone. He developed a bootrom exploit and the limera1n jailbreak tool for Apple’s iOS operating system. Recently, he even built his own self-driving car in his garage.

  • Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices

    Cyber criminals constantly develop malware packed with remarkable features, but you will hardly ever find one that targets several operating systems simultaneously. Now, researchers have discovered a Java-based malware infecting companies in Denmark, and it is probably only a matter of time before it hits other countries.

  • 7 Computers Fighting Against Each Other To Become “The Perfect Hacker”

    Are automated “computer hackers” better than human hackers? DARPA is answering this question in the positive and looking to prove its point with the help of its Cyber Grand Challenge. The contest finale will feature seven powerful computers fighting against each other. The winner of the contest will challenge human hackers at the annual DEF CON hacking conference.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Download This Security Fix Now — All Versions Of Windows Operating System Hackable

    As a part of its monthly update cycle, Microsoft has released security patches for all versions of Windows operating system. This update addresses a critical flaw that lets an attacker launch man-in-the-middle attacks on workstations. This security vulnerability arises as the print spooler service allows a user to install untrusted drivers with elevated privileges.

  • The Truth About Penetration Testing Vs. Vulnerability Assessments

    Vulnerability assessments are often confused with penetration tests. In fact, the two terms are often used interchangeably, but they are worlds apart. To strengthen an organization’s cyber risk posture, it is essential to not only test for vulnerabilities, but also assess whether vulnerabilities are actually exploitable and what risks they represent. To increase an organization’s resilience against cyber-attacks, it is essential to understand the inter-relationships between vulnerability assessment, penetration test, and a cyber risk analysis.

Untangle Announces NG Firewall Version 12.1

Filed under
GNU
Linux
Security

Untangle® Inc., a security software and appliance company, announced the release of version 12.1 of its award-winning NG Firewall software. Untangle NG Firewall version 12.1 brings new features and functionality to the popular and powerful small business firewall platform.

NG Firewall delivers a comprehensive solution for small-to-medium businesses, schools, governmental organizations and nonprofits that require enterprise-grade perimeter security with the flexibility of a convergent Unified Threat Management (UTM) device. Untangle’s industry-leading approach to network traffic visibility and policy management gives its customers deep insight into what’s happening on their network via its database-driven reporting engine and 360° dashboard.

“Version 12.1 is the next step in the evolution of the Untangle NG Firewall user interface,” said Dirk Morris, founder and chief product officer at Untangle. “Building on the base provided by the last two major releases, version 12.1 provides a fully responsive mobile management console as well as faster performing, more flexible reporting and dashboard widget capabilities.”

Security Leftovers

Filed under
Security
  • Posing as ransomware, Windows malware just deletes victim’s files

    There has been a lot of ingenuity poured into creating crypto-ransomware, the money-making malware that has become the scourge of hospitals, businesses, and home users over the past year. But none of that ingenuity applies to Ranscam, a new ransom malware reported by Cisco's Talos Security Intelligence and Research Group.

    Ranscam is a purely amateur attempt to cash in on the crypto-ransomware trend: it demands payment for "encrypted" files that were actually just plain deleted by a batch command. "Once it executes, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."

    Talos discovered the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address. The victim is instructed:

    "You must pay 0.2 Bitcoins to unlock your computer. Your files have been moved to a hidden partition and crypted. Essential programs in your computer have been locked and your computer will not function properly. Once your Bitcoin payment is received your computer and files will be returned to normal instantly."

  • Webpages, Word files, print servers menacing Windows PCs, and disk encryption bypasses – yup, it's Patch Tuesday

    Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player.

    Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.

  • Ad blocking: yes, it's war now

    idnes.cz: they put moving advertisements on their web, making browsers unusable -- they eat 100% CPU and pages lag when scrolling. They put video ads inside text that appear when you scroll. They have video ads including audio... (The advertisement for the Olympic Games is particularly nasty; on a Core Duo it also raises power consumption by like 30W.) Then they are surprised by adblock and complain with a popup when they detect one. I guess I am either looking for a better news source, or for the next step in the adblock war...

IPFire 2.19 Update 103 Adds Web Proxy Improvements, Latest Tor for Anonymity

Filed under
Linux
Security

The IPFire 2.19 Core Update 103 Linux kernel-based firewall distribution has been released today, July 12, bringing web proxy improvements and the latest security patches and bug fixes.

More in Tux Machines

today's leftovers

  • iTWire - Microsoft to reduce global workforce
  • Microsoft Faces Two Lawsuits For Aggressive Windows 10 Upgrade Campaign
    The series of lawsuits against Microsoft shows no sign of ending any time soon.
  • Controlling access to the memory cache
    Access to main memory from the processor is mediated (and accelerated) by the L2 and L3 memory caches; developers working on performance-critical code quickly learn that cache utilization can have a huge effect on how quickly an application (or a kernel) runs. But, as Fenghua Yu noted in his LinuxCon Japan 2016 talk, the caches are a shared resource, so even a cache-optimal application can be slowed by an unrelated task, possibly running on a different CPU. Intel has been working on a mechanism that allows a system administrator to set cache-sharing policies; the talk described the need for this mechanism and how access to it is implemented in the current patch set.
  • Why Blockchain Matters
    If your familiarity with Bitcoin and Blockchain is limited to having heard about the trial of Silk Road’s Ross Ulbricht, you can be forgiven -- but your knowledge is out of date. Today, Bitcoin and especially Blockchain are moving into the mainstream, with governments and financial institutions launching experiments and prototypes to understand how they can take advantage of the unique characteristics of the technology.
  • Our Third Podcast, with Cybik, is Out Now
    Cybik looks back on how he came to know and use Linux in the first place, his gaming habits, how he got involved in the Skullgirls port, and shares with us his outlook on the Linux gaming landscape. The podcast is just an hour long and you can either download it below or use our RSS feed (which has the additional benefit of making it easy for you to get new episodes from now on):
  • GSoC: final race and multi-disc implementation
    It’s been a while since I wrote a post here. A lot has happened since then. Now Gnome-games fully supports PlayStation games, with snapshotting capabilities. The next thing I’m working on is multi-disc support, especially for PlayStation titles. So far, there’s a working prototype although a lot needs to be re-engineered and polished. This last part of the project has involved working in the UI, persistence and logic layers.
  • This Week in GTK+ – 11
    In this last week, the master branch of GTK+ has seen 22 commits, with 6199 lines added and 1763 lines removed.
  • [Solus] Replacement of Release Schedule
    In the not so distant past, Solus followed a static point release model. Our most current release at this time is 1.2, with a 1.2.1 planned to drop in the near future. However, we also recently announced our move to a rolling release model. As such, these two schools of thought are in contradiction of one another.
  • First release of official ArchStrike ISO files! [Ed: last week]
  • July ’16 security fixes for Java 8
    On the heels of Oracle’s July 2016 security updates for Java 8, the icedtea folks have released version 3.1.0 of their build framework so that I could create packages for OpenJDK 8u101_b13 or “Java 8 Update 101 Build 13” (and the JRE too of course).
  • Pipelight update
    I decided to do an update of my “pipelight” package. I had not looked at it for a long time, basically because I do not use it anymore, but after I upgraded my “wine” package someone asked if I could please write up what could be done for wine-pipelight. As you know, pipelight is a Linux plugin wrapper for Mozilla-compatible browsers which lets you install and use Windows plugins on Linux. This configuration enables you to access online services which would otherwise be unavailable to you on a Linux platform. The pipelight plugin wrapper uses wine to load the Windows software.
  • Red Hat, Inc. (NYSE:RHT) Current Analyst Ratings
  • Friday Session Wrap for Red Hat, Inc. (NYSE:RHT)
  • Fedora @ EuroPython 2016 - event report
  • Android 7.0 Nougat could be released as soon as next month
  • Android gains anti-spam caller ID feature
  • Amazon Cloud Revenue Hits $2.9B
  • ServerMania – Discover High Availability Cloud Computing, powered by OpenStack
    Cloud computing is growing fast in the world of computer and Internet technology; many companies, organizations and even individuals are opting for a shared pool of computing resources and services. For starters, cloud computing is a type of Internet-based computing where users consume hosted services on shared server resources. There are fundamentally three types of cloud computing available today: private, public and hybrid.

Leftovers: OSS and Sharing

  • Student survey data shows Open Source training uptake amongst women and young people remains extremely low
    Future Cert, the UK and Ireland representative for the LPI (Linux Professional Institute), is calling for more awareness of Open Source software training amongst the under-21s and especially women, which the industry so desperately needs. New figures from a recent Future Cert student survey reveal that the number of women and young people taking LPI Certification in Open Source computing remains extremely low. Of those questioned who took an LPI exam, 98% were male and just 2% were female. This figure is significantly less than the already low figure of around 15% to 17% of women in IT careers in general. It raises the question: what does the industry need to do to make an Open Source career attractive to women?
  • Quality in open source: testing CRIU
    Checkpoint/Restore In Userspace, or CRIU, is a software tool for Linux that allows freezing a running application (or part of it) and checkpointing it to disk as a collection of files. The files can then be used to restore and run the application from the point where it was frozen. The distinctive feature of the CRIU project is that it is mainly implemented in user space. Back in 2012, when Andrew Morton accepted the first checkpoint/restore (C/R) patches to the Linux kernel, the idea to implement saving and restoring of running processes in user space seemed kind of crazy. Yet, four years later, not only is CRIU working, it has also attracted more and more attention. Before CRIU, there had been other attempts to implement checkpoint/restore in Linux (DMTCP, BLCR, OpenVZ, CKPT, and others), but none were merged into the mainline. Meanwhile CRIU survived, which attests to its viability. Some time ago, I implemented support for the Test Anything Protocol format into the CRIU test runner; creating that patch allowed me to better understand the nature of the CRIU testing process. Now I want to share this knowledge with LWN readers. [...] The CRIU tests are quite easy to use and available for everyone. Moreover, the CRIU team has a continuous-integration system that consists of Patchwork and Jenkins, which run the required test configurations per-patch and per-commit. Patchwork also allows the team to track the status of patch sets to make the maintainer's work easier. The developers from the team always keep an eye on regressions. If a commit breaks a tree, the patches in question will not be accepted.
  • Open-source Wire messenger gets encrypted screen-sharing
    Chat app Wire has been rapidly adding features of late as it looks to gain some traction against the myriad of competitors out there. The latest trick in its arsenal is screen sharing. Now you can click on the new screen-sharing button to, well, share your screen during a call (if you’re on a desktop, that is). It works during group chats too and, as with all Wire communications, is encrypted end-to-end. Wire believes it’s the first messaging app to include end-to-end encrypted screen sharing.
  • SPI board election results are available
    Software in the Public Interest (SPI) has completed its 2016 board elections. There were two open seats on the board in addition to four board members whose terms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell, Valerie Young, and Martin Zobel-Helas. The full results, including voter statistics, are also available.
  • SFK 2016 - Call for Speakers
    Software Freedom Kosova is an annual international conference in Kosovo organized to promote free/libre open source software, free culture and open knowledge, now in its 7th edition. It is organized by FLOSSK, a non-governmental, not-for-profit organization dedicated to promoting software freedom and related philosophies.
  • Microsoft's Next Open Source Target Could Be PowerShell: Report
  • Open-source drug discovery project advances drug development
  • The First-Ever Test of Open-Source Drug-Discovery
  • Open-Source Drug Discovery a Success
  • CNS - Open-Source Project Spurs New Drug Discoveries
    Medicines for Malaria Venture, a nonprofit group based in Geneva, Switzerland, distributed 400 diverse compounds with antimalarial activity — called the Malaria Box — to 200 labs in 30 nations in late 2011. The findings from subsequent studies and analyses were published Thursday in the journal PLOS Pathogens. Distributing the Malaria Box to various labs enabled scientists to analyze the compounds and develop findings that have led to more than 30 new drug-development projects for a variety of diseases. As a stipulation to receiving the samples, the various research groups had to deposit the information from their studies in the public domain.
  • Wire and Launchkit go open source, a water flow monitoring system, and more news
  • Apache, astsu, Biscuit, Python, Puppet 4, systemd & more!
  • The Onion Omega2: The Latest Router Dev Board
  • Build a $700 open source bionic prosthesis with new tutorial by Nicolas Huchet of Bionico
    The 3D printing community has already successfully taken over the market for cosmetic prostheses, as fantastic initiatives like E-NABLE have proven. But the world of bionics is a different place and just a handful of makers have gone there with any form of success, such as the very inspiring Open Bionics. But even 3D printed bionic prostheses are definitely within our reach, as French open source fanatic Nicolas Huchet of Bionico has proven. Though by no means a making expert himself, he 3D printed his own open source bionic hand during a three month residency at FabLab Berlin and has now shared all the files – including an extensive tutorial – online. This means you can now 3D print your very own bionic prosthesis at home for just $700.
  • BCN3D Technologies develops open source 3D printed 'Moveo' robotic arm for schools
    Designed from scratch and developed by BCN3D engineers in collaboration with the Generalitat de Catalunya’s Departament d’Ensenyament (Department of Education), the BCN3D Moveo is an Arduino Mega 2560-powered, 3D printed robotic arm which could enable schools and colleges in Spain and elsewhere to teach students the basics of robotics, mechanical design, and industrial programming. When the Departament d’Ensenyament approached BCN3D one year ago regarding the possibility of an educative robotics project, the tech organization jumped at the chance to get on board.