
Security

7 Essential Tips for Linux Sysadmin Workstation Security

Filed under
Linux
Security

If you’re a sysadmin who works from home, logs in for after-hours emergency support or simply prefers to work from a laptop in your office, you need to do it securely. Preparation and vigilance are essential in keeping your workstation and network safe from hackers.

Anyone who uses a Linux workstation to access and manage their company’s or project's IT infrastructure runs the risk that his or her computer will become an incursion vector against the rest of that infrastructure.


Security Leftovers

Filed under
Security
  • Security-Oriented Alpine Linux 3.5.2 Distro Released with Kernel 4.4.52 LTS

    Alpine Linux, the open-source security-oriented GNU/Linux distribution based on BusyBox and musl libc, has been updated to version 3.5.2, the second point release to the stable 3.5 series.

    Alpine Linux 3.5.2 comes one month after the release of Alpine Linux 3.5.1 and brings with it the recently released long-term supported Linux 4.4.52 kernel, as well as numerous up-to-date components, including PHP 7.0.16, lighttpd 1.4.45, Chromium 56.0.2924.76, PostgreSQL 9.6.2, nginx 1.10.3, ZoneMinder 1.30.2, and RackTables 0.20.12.

  • SSH Communications Security's Universal SSH Key Manager

    Today's IAM solutions, warns enterprise cybersecurity expert SSH Communications Security, fail to address fully the requirements of trusted access. Organizations lack an efficient way to manage and govern trusted access credentials and have no visibility into the activities that occur within the secure channels that are created for trusted access operations.

  • Three Years after Heartbleed, How Vulnerable Are You? [Ed: Fools who cling on to hype, marketing and FUD from a Microsoft-connected firm even 3 years later]

    Three years ago, the Heartbleed vulnerability in the OpenSSL cryptographic library sent the software industry and companies around the world into a panic. Software developers didn't know enough about the open source components used in their own products to understand whether their software was vulnerable — and customers using that software didn't know either.

Security Leftovers

Filed under
Security
  • Human error caused Amazon Web Services outage

    A wrong command entered by a member of its technical staff was responsible for the outage experienced by Amazon Web Services simple storage service this week.

    In a detailed explanation, the company said the S3 team was attempting to debug an issue that caused a slowdown in its billing system when, at 9.37am PST on Tuesday (4.30am Wednesday AEST), one of its technical staff ran a command that was intended to remove a few servers from one of the subsystems used by the S3 billing process.

    The worker entered one wrong input for the command and ended up removing a much larger number of servers than intended, some of which supported two other S3 subsystems.

  • Apple's macOS bitten by a brace of backdoors

    OH JEEZ, THE SANCTITY OF THE Apple operating system continues to be whittled away at, and now two reasonably fresh backdoors have been revealed by a concerned security company.

    Apple backdoors are much prized, just ask the FBI, so to have two in a day should be a thing to celebrate. But only if you like that kind of stuff.

    The Malwarebytes blog dishes the dirt on the pair and the threat that they pose to people who use Macs.

    One of them is XAgent, which Palo Alto Networks clocked onto in February. It is a nasty business indeed.

  • SHA-1 crack just got real: System Center uses it to talk to Linux

    When Google revealed last week that it had destroyed the SHA-1 algorithm, it hammered another nail into the venerable algo's coffin.

    But as we noted in our report on the feat, many applications still use SHA-1. And if you're one of the many Windows shops running Microsoft's System Center Operations Manager Management Server, you've got an exposure.

Security News

Filed under
Security
  • Amazon S3-izure cause: Half the web vanished because an AWS bod fat-fingered a command

    Amazon has provided the postmortem for Tuesday's AWS S3 meltdown, shedding light on what caused one of its largest cloud facilities to bring a chunk of the web down.

    In a note today to customers, the tech giant said the storage system was knocked offline by a staffer trying to address a problem with its billing system. Essentially, someone mistyped a command within a production environment while debugging a performance gremlin.

    "The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process," the team wrote in its message.

  • HackerOne Offers Free Bug Bounty Programs for Open Source Projects

    HackerOne, a platform that is offering hosting for bug bounty programs, announced today that open-source projects can now sign up for a free bug bounty program if they meet a few simple conditions.

    The new offering, named HackerOne Community Edition, is identical with HackerOne Professional Edition, the commercial service the company is offering to some of the world's largest organizations, such as Twitter, Dropbox, Adobe, Yahoo, Uber, GitHub, Snapchat, and many others.

  • Once overlooked, uninitialized-use 'bugs' may provide portal for hacker attacks on linux

    Popular with programmers the world over for its stability, flexibility and security, Linux now appears to be vulnerable to hackers.
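The two S3 items above describe the same failure mode: a removal command that accepted one wrong input and took out far more capacity than intended, including hosts that other subsystems depended on. The guard below is an added illustration of the kind of safeguard a capacity-removal tool should enforce before it acts; it is not AWS's tooling, and the fleet, subsystem names, minimum-capacity figures and the `plan_removal` / `RemovalRefused` names are all constructed for the example.

```python
"""Blast-radius guard for a fleet capacity-removal command.

Constructed illustration: the inventory, thresholds and function names are
made up for this example and are not AWS's internal tooling.
"""
from fnmatch import fnmatchcase


class RemovalRefused(ValueError):
    """Raised when a request would remove too much capacity."""


# Constructed inventory. Hosts may serve more than one subsystem, which is
# how removing "billing" hosts can also take down unrelated subsystems.
FLEET = {
    "billing": {f"bill{n:02d}" for n in range(1, 21)} | {"shared01", "shared02"},
    "index": {"idx01", "idx02", "idx03", "shared01", "shared02"},
    "placement": {"plc01", "plc02", "shared02"},
}
# Hosts each subsystem must keep to stay in service (constructed values).
MIN_CAPACITY = {"billing": 10, "index": 4, "placement": 2}


def plan_removal(pattern, fleet=FLEET, min_capacity=MIN_CAPACITY, max_fraction=0.2):
    """Resolve a hostname glob to the hosts it would remove, or refuse.

    Refuses when the pattern matches nothing (a typo), when it would take
    more than max_fraction of any subsystem in one request, or when any
    subsystem that uses a matched host would drop below its minimum
    capacity. Returns the sorted host list so the operator can confirm the
    plan before anything is actually removed.
    """
    every_host = set().union(*fleet.values())
    matched = sorted(h for h in every_host if fnmatchcase(h, pattern))
    if not matched:
        raise RemovalRefused(f"{pattern!r} matches no host; check the input")
    for name, hosts in fleet.items():
        affected = hosts.intersection(matched)
        if not affected:
            continue
        if len(affected) / len(hosts) > max_fraction:
            raise RemovalRefused(
                f"{pattern!r} removes {len(affected)}/{len(hosts)} of {name}, "
                f"above the {max_fraction:.0%} per-request limit"
            )
        remaining = len(hosts) - len(affected)
        if remaining < min_capacity[name]:
            raise RemovalRefused(
                f"{name} would keep {remaining} hosts, "
                f"below its minimum of {min_capacity[name]}"
            )
    return matched


if __name__ == "__main__":
    # "bill0[1-3]" is the intended request; "bill*" is the fat-fingered one.
    for pattern in ("bill0[1-3]", "bill*", "shared0*", "shared01", "nosuch-*"):
        try:
            print(pattern, "->", plan_removal(pattern))
        except RemovalRefused as err:
            print(pattern, "-> REFUSED:", err)
```

The per-request fraction limits how much one typo can do, and the minimum-capacity check is evaluated for every subsystem that shares a matched host, not just the one the operator thinks they are touching. Keep the planning step separate from execution so the resolved host list can be reviewed (or require a second approval) before the destructive call runs.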

Security News

Filed under
Security
  • Security updates for Thursday
  • Security updates for Wednesday
  • Researchers find “severe” flaw in WordPress plugin with 1 million installs

    More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases, at least under certain conditions.

    The vulnerability stems from a "severe" SQL injection bug in NextGEN Gallery, a WordPress plugin with more than 1 million installations. Until the flaw was recently fixed, NextGEN Gallery allowed input from untrusted visitors to be included in WordPress-prepared SQL queries. Under certain conditions, attackers can exploit the weakness to pipe powerful commands to a Web server's backend database.

  • Botnets

    Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.

    But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of things." Because these devices typically have little or no security, hackers can take them over with little effort. And that makes it easier than ever to build huge botnets that take down much more than one site at a time.

  • Yahoo boss Marissa Mayer loses millions in bonuses over security lapses

    Yahoo chief executive Marissa Mayer will lose her annual bonus and the company’s top lawyer has been removed over their mishandling of security breaches that exposed the personal information of more than 1 billion users.

    Mayer’s cash bonus is worth about $2m a year and her personal cost from the security flaws increased when the board also accepted her offer to relinquish an annual stock award worth millions of dollars.

    Mayer, whose management team was found by an internal review to have reacted too slowly to one breach in 2014, said on Wednesday she wanted the board to distribute her bonus to Yahoo’s entire workforce of 8,500 employees. The board did not say if it would do so.

  • Unlimited randomness with the ChaosKey?

    A few days ago I ordered a small batch of the ChaosKey, a small USB dongle for generating entropy created by Bdale Garbee and Keith Packard. Yesterday it arrived, and I am very happy to report that it works great! According to its designers, to get it to work out of the box, you need Linux kernel version 4.1 or later. I tested on a Debian Stretch machine (kernel version 4.9), and there it worked just fine, increasing the available entropy very quickly. I wrote a small test one-liner. It first prints the current entropy level, drains /dev/random, and then prints the entropy level for five seconds.

  • Startup Offers Free ‘Bug Bounty’ Help to Open Source Projects

    Many people don't realize much of the Internet is built on free software. Even giant companies like Facebook, Google, and Amazon rely extensively on big libraries of code—known as "open source" software—written by thousands of programmers, who share their work with everyone.

    But no software is perfect. Like the proprietary code developed by many companies, open source software contains flaws that hackers can exploit to steal information or spread viruses. That's why a new initiative to patch those holes is important.

  • 50 Google Engineers Volunteered to Patch Thousands of Java Open Source Projects

    A year ago, several Google engineers got together and laid the foundation of Operation Rosehub, a project during which Google employees used some of their official work time to patch thousands of open source projects against a severe and widespread Java vulnerability.

    Known internally at Google as the Mad Gadget vulnerability, the issue was discovered at the start of 2015 but came to everyone's attention in November 2015 after security researchers from Foxglove Security showcased how it could be used to steal data from WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS Java applications.
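The NextGEN Gallery item above says untrusted visitor input ended up inside queries that the code believed were "prepared". The snippet below is an added illustration of that bug class, not the plugin's actual code: the schema, the `gallery` query, the `public_galleries_*` function names and the payload are constructed, and `sqlite3` stands in for MySQL and `$wpdb`. The vulnerable version does call the parameterised API, which is exactly why it looks safe at a glance.

```python
"""Untrusted input spliced into a query before it reaches the parameter API.

Constructed illustration of the bug class, not NextGEN Gallery's code.
"""
import sqlite3


def make_db():
    """Constructed stand-in for a WordPress database with one secret table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("CREATE TABLE gallery (name TEXT, is_public INTEGER)")
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?)",
        [("admin", "$P$Bconstructedhash1"), ("editor", "$P$Bconstructedhash2")],
    )
    conn.executemany(
        "INSERT INTO gallery VALUES (?, ?)", [("holiday", 1), ("private", 0)]
    )
    return conn


def public_galleries_vulnerable(conn, name):
    """Looks parameterised, is not: the visitor's string is formatted into
    the SQL text first, so by the time execute() binds parameters there is
    nothing left to bind and the input has already become query syntax."""
    sql = "SELECT name FROM gallery WHERE is_public = 1 AND name = '%s'" % name
    return [row[0] for row in conn.execute(sql, ())]


def public_galleries_safe(conn, name):
    """Same query; the value travels as a bound parameter, never as SQL."""
    sql = "SELECT name FROM gallery WHERE is_public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed payload: closes the string literal, UNIONs in the user table
# (login and password hash concatenated into the single result column) and
# comments out the rest of the original query.
PAYLOAD = "x' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", public_galleries_vulnerable(db, PAYLOAD))
    print("safe:      ", public_galleries_safe(db, PAYLOAD))
```

With the payload, the vulnerable function returns every login and password hash from `wp_users`; the safe one returns nothing, because the whole payload is compared as a gallery name. The test for any "prepared" query is whether user data can reach the SQL string before the placeholder step, not whether a prepare call appears somewhere on the path.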

KDE Plasma 5.9.3 Linux Desktop Environment Released, over 40 Recorded Bugs Fixed

Filed under
KDE
Security

The KDE project had the great pleasure of announcing the release of the third maintenance update to the recently released KDE Plasma 5.9 desktop environment stable series.


Security News

Filed under
Security
  • Reproducible Builds: week 96 in Stretch cycle

    Christos also reported that NetBSD's base system is now 100.0% reproducible in our current test framework.

  • Game theory says publicly shaming cyberattackers could backfire

    Know your enemy, the saying goes. But when it comes to cyberattacks, a game theory model suggests that just knowing the perpetrator and pointing the finger at them might not be the best tactic, and could even play into the hands of the attacker.

    [...]

    But naming who’s behind an attack may not be helpful if you’re not in a position to retaliate, says Benjamin Edwards at IBM Research, who led the modelling work.

  • X.Org Struck Again By Multiple Security Issues

    By now you probably know that X.Org's security is in bad shape and routinely new security issues are uncovered and that's the case today.

  • Bad bug found in Microsoft browsing code [Ed: And many bugs intentionally not patched]

    Google has released details of a bug in Microsoft's browsing programs that would allow attackers to build websites that make the software crash.

    Google researcher Ivan Fratric said the bug could, in some cases, allow attackers to hijack a victim's browser.

    The bug was found in November, but details are only now being released after the expiry of the 90-day deadline Google gave Microsoft to find a fix.

    Microsoft has yet to say when it will produce a patch that removes the bug.

Security News

Filed under
Security
  • Security updates for Tuesday
  • EU updates smartphone secure development guideline

    The European Union Agency for Network and Information Security (ENISA) has published an updated version of its Smartphone Secure Development Guidelines. This document details the risks faced by developers of smartphone applications, and provides ways to mitigate these.

  • CloudLinux 7 Users Get New Beta Linux Kernel Update That Addresses CVE-2017-6074

    CloudLinux's Mykola Naugolnyi announced today the availability of a new Beta kernel for the CloudLinux 7 operating system series, which patches a recently discovered and critical security flaw.

  • Linus Torvalds shrugged off warnings about 'insecure' SHA-1 in 2005

    LINUX FOUNDER Linus Torvalds was warned in 2005 that the use of the SHA-1 hash to sign code in Linux and Git was insecure and urged to shift to something better protected, but rejected the advice outright.

    Free software evangelist John Gilmore warned Torvalds ten years ago that "SHA1 has been broken; it's possible to generate two different blobs that hash to the same SHA1 hash".

    Gilmore penned his warning to Torvalds in April 2005, when MD5 had already been cracked and SHA1 remained "hard to crack" - but still crackable.

  • Subversion SHA1 Collision Problem Statement — Prevention and Remediation Options

    You probably saw the news last week that researchers at Google had found a scenario where they were able to break the SHA1 algorithm by creating two PDF files with differing content that produced the same hash. If you are following this story then you may have also seen that the Webkit Subversion repository had problems after a user committed these example files to their repository so that they could be used in test cases for SHA1 collisions.

  • making git-annex secure in the face of SHA1 collisions

    git-annex has never used SHA1 by default. But, there are concerns about SHA1 collisions being used to exploit git repositories in various ways. Since git-annex builds on top of git, it inherits its foundational SHA1 weaknesses. Or does it?

  • SSH Fingerprint Verification via Tor

    OpenSSH (really, are there any other implementations?) requires Trust on First Use for fingerprint verification.

    Verification can be especially problematic when using remote services like VPS or colocation.

    How can you trust that the initial connection isn’t being Man In The Middle’d?

  • Almost all Windows vulnerabilities are enabled by liberal 'admin rights'

    NEARLY ALL OF THE VULNERABILITIES THAT AFFECT Microsoft's Windows operating system could be mitigated through a little careful control.

    Avecto, a security company, is the source of the latest revelation in this direction, and it says that 94 per cent of security problems could have been killed off if admin rights had been removed from the affected computer.

    This makes a lot of sense, since a computer that cannot be molested by a user cannot be molested by a third party. 94 per cent is just one example of the differences that can be made and Avecto says that in the case of Internet Explorer 100 per cent of risks are mitigated when rights are removed.

  • More on Bluetooth Ingenico Overlay Skimmers

    This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.
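The SHA-1 items above (the System Center exposure, the Torvalds warning, the Subversion repository breakage and the git-annex question) turn on one detail: what exactly each system hashes. Subversion's content identity is the plain SHA-1 of the file bytes, so two files that collide as files collide in its repository. Git hashes a type-and-size header followed by the content, so a collision pair crafted for the raw hash does not automatically give the same blob ID, and git-annex keys content by SHA-256 plus size rather than by SHA-1. The block below is an added illustration of these three identity schemes, not code from git, Subversion or git-annex; the `"<type> <size>\0"` header is git's documented object format and the `SHA256-s<size>--<hex>` layout is git-annex's documented key form, while the function names are this example's own.

```python
"""Three ways of naming the same bytes: raw SHA-1 (Subversion), git's
header-prefixed object hash, and a git-annex style SHA-256 key.

Added illustration; not code from git, Subversion or git-annex.
"""
import hashlib


def raw_digest(data: bytes, algo: str = "sha1") -> str:
    """Plain hash of the file bytes: what Subversion keyed its content on."""
    return hashlib.new(algo, data).hexdigest()


def git_object_id(kind: str, data: bytes, algo: str = "sha1") -> str:
    """Git object ID: hash over "<type> <size>\\0" followed by the content.

    Because the header (including the length) is hashed first, the SHA-1
    internal state when the content starts differs from the raw-hash case,
    so a pair of files built to collide as raw SHA-1 does not thereby
    collide as git blobs.
    """
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.new(algo, header + data).hexdigest()


def git_blob_id(data: bytes, algo: str = "sha1") -> str:
    return git_object_id("blob", data, algo)


def annex_key(data: bytes) -> str:
    """git-annex style content key: algorithm, size and SHA-256 of the bytes.

    Same-size is required by construction and SHA-256 has no known collision
    attack, so this identity does not inherit git's SHA-1 weakness.
    """
    return f"SHA256-s{len(data)}--{raw_digest(data, 'sha256')}"


def identity_report(a: bytes, b: bytes) -> dict:
    """Which of the three identities would treat a and b as the same object."""
    return {
        "raw_sha1_equal": raw_digest(a) == raw_digest(b),
        "git_blob_equal": git_blob_id(a) == git_blob_id(b),
        "annex_key_equal": annex_key(a) == annex_key(b),
    }


if __name__ == "__main__":
    sample = b"hello\n"  # constructed input
    print("raw sha1 :", raw_digest(sample))          # sha1sum of the file
    print("git blob :", git_blob_id(sample))         # git hash-object output
    print("annex key:", annex_key(sample))
    print(identity_report(sample, b"hello\r\n"))
```

Passing `algo="sha256"` to `git_blob_id` shows the shape of git's hash transition: the header format is unchanged and only the digest function moves. For an existing SHA-1 repository the practical mitigation is collision detection on the objects you accept (rejecting inputs that carry the tell-tale near-collision block structure), which is what the Subversion remediation discussion is about.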
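The "SSH Fingerprint Verification via Tor" item asks how to trust the first connection to a VPS when Trust on First Use is all OpenSSH gives you. The practical answer is to obtain the host key's fingerprint through a channel the network path cannot influence (the provider's console, or the same host scanned over independent routes such as a Tor circuit and a direct connection) and compare before accepting. The code below is an added illustration of that comparison, not OpenSSH code: the length-prefixed wire format and the `SHA256:<unpadded base64>` and `MD5:xx:xx:...` notations are OpenSSH's documented forms, the function names are this example's own, and the key bytes are constructed for the demo and are not a real key.

```python
"""Check a scanned SSH host key against a fingerprint obtained out of band,
and check that several network paths saw the same key.

Added illustration; not OpenSSH code. Sample key bytes are constructed.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def wire_key_type(blob: bytes) -> str:
    """Algorithm name stored as the first string of a public-key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated form some provider consoles still display."""
    return "MD5:" + ":".join(f"{x:02x}" for x in hashlib.md5(blob).digest())


def keyscan_line(host: str, blob: bytes) -> str:
    """Build a line in the format `ssh-keyscan` prints."""
    return f"{host} {wire_key_type(blob)} {base64.b64encode(blob).decode()}"


def parse_keyscan_line(line: str):
    """Split an `ssh-keyscan` line into (host, type, blob).

    Rejects a line whose declared type disagrees with what the blob itself
    says, so a tampered or mis-pasted record fails closed.
    """
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    embedded = wire_key_type(blob)
    if embedded != keytype:
        raise ValueError(f"declared {keytype} but blob says {embedded}")
    return host, keytype, blob


def matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the scanned key has the fingerprint the console showed."""
    _, _, blob = parse_keyscan_line(line)
    if expected_fingerprint.startswith("MD5:"):
        got = fingerprint_md5(blob)
    else:
        got = fingerprint_sha256(blob)
    return hmac.compare_digest(got, expected_fingerprint)


def paths_agree(lines) -> bool:
    """Same host scanned over independent routes (direct, via Tor, from
    another network): an interposed key on one path shows up as a second
    distinct blob."""
    return len({parse_keyscan_line(line)[2] for line in lines}) == 1


# Constructed sample: a well-formed ssh-ed25519 blob around made-up key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
OTHER_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_LINE = keyscan_line("vps.example.invalid", SAMPLE_BLOB)

if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_BLOB))
    print(fingerprint_md5(SAMPLE_BLOB))
    print(matches(SAMPLE_LINE, fingerprint_sha256(SAMPLE_BLOB)))
```

Feed `matches` the fingerprint copied from the provider console and the line from `ssh-keyscan -t ed25519 host`; feed `paths_agree` the keyscan lines collected over the different routes. Only when both hold should the key be added to `known_hosts`. Scanning over Tor alone does not prove anything; it is the disagreement between routes that reveals an interposed key, and the out-of-band fingerprint that settles which one is genuine.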

Syndicate content

More in Tux Machines

Embedded NUC SBC expands upon quad-core -A53 Snapdragon

Seco announced a wireless-ready “SBC-B47-eNUC” SBC that complies with the 4×4-inch eNUC form factor, and runs Linux or Android on a Snapdragon 410E. Seco is prepping its first SBC based on the 101.6 x 101.6mm (4.0 x 4.0-inch) Embedded NUC (eNUC) SBC standard from the Standardization Group for Embedded Technologies (SGET). The eNUC form factor offers superior industrial grade characteristics, long term support, and efficient heat dissipation, claims Seco. The Linux- and Android-supported board supports applications including IoT gateways, home automation, robotics, digital signage, and HMI. Read more

netOS Server 10.65.1 Released, Based on Ubuntu 16.04 LTS and Xfce 4.12 Desktop

Black Lab Software CEO Roberto J. Dohnert is informing Softpedia today about the release and general availability of the netOS Server 10.65.1 server-oriented and open-source operating system. Read more

Ubuntu GNOME 17.04 Final Beta Features GNOME 3.24 with Night Light, Flatpak 0.8

As part of yesterday's Ubuntu 17.04 Final Beta release, the Ubuntu GNOME 17.04 operating system got its second Beta milestone bringing with it the latest development version of the recently released GNOME 3.24 desktop environment. Read more Also: Kubuntu 17.04 Beta 2 Includes KDE Plasma 5.9 Desktop, KDE Applications 16.12.3 Ubuntu Budgie 17.04 Beta 2 Brings Latest GNOME 3.24 Apps, Budgie 10.2.9 Desktop

SAS, Canonical turn silly over open source

Zemlin's job, in other words, isn't to convince companies to adopt open source, but rather to provide a home for the nurturing of open source projects, so they're worthy of adoption. Similarly, Canonical can focus on contributing code rather than spooking enterprises into adopting more. And SAS? Well, it should probably start with 40 percent open source adoption and grow from there. Read more