Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • Moving towards a more secure web

    To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

  • UK Politician's Campaign Staff Tweets Out Picture Of Login And Password To Phones During Campaign Phone Jam

    When we talk password security here at Techdirt, those conversations tend to revolve around stories a bit above and beyond the old "people don't use strong enough passwords" trope. While that certainly is the case, we tend to talk more about how major corporations aren't able to learn their lessons about storing customer passwords in plain text, or about how major media outlets are occasionally dumb enough to ask readers to submit their own passwords in an unsecure fashion.

    But for the truly silly, we obviously need to travel away from the world of private corporations and directly into the world of politicians, who often times are tasked with legislating on matters of data security and privacy, but who cannot help but show their own ineptness on the matter themselves. Take Owen Smith, for example. Smith is currently attempting to become the head of the UK's Labour Party, with his campaign working the phones as one would expect. And, because this is the age of social media engagement, one of his campaign staffers tweeted out the following photo of the crew hard at work.

  • WiredTree Warns Linux Server Administrators To Update In Wake Of Critical Off-Path Kernel Vulnerability

    WiredTree, a leading provider of managed server hosting, has warned Linux server administrators to update their servers in response to the discovery of a serious off-path vulnerability in the Linux kernel’s handling of TCP connections.

  • Reproducible Builds: week 72 in Stretch cycle

Security News

Filed under
Security
  • The H Factor – Why you should be building “human firewalls”

    It is often the illusive “H Factor” – the human element – that ends up being the weakest link that makes cyber-attacks and data breaches possible.

  • White House appoints first Federal Chief Information Security Officer

    The White House announced Thursday that retired Brigadier General Gregory J. Touhill will serve as the first federal Chief Information Security Officer (CISO).

    "The CISO will play a central role in helping to ensure the right set of policies, strategies, and practices are adopted across agencies and keeping the Federal Government at the leading edge of 21st century cybersecurity," read a blog post penned by Tony Scott, US Chief Information Officer, and J. Michael Daniel, special assistant to the president and cybersecurity coordinator.

  • Xen Project patches serious virtual machine escape flaws

    The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

    Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

  • This USB stick will fry your unsecured computer

    A Hong Kong-based technology manufacturer, USBKill.com, has taken data security to the "Mission Impossible" extreme by creating a USB stick that uses an electrical discharge to fry an unauthorized computer into which it's plugged.

    "When the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds," the company said in a news release.

Security News

Filed under
Security
  • Home-router IoT Devices Compromised for Building DDoS Botnet

    IoT (Internet-of-Thing) devices have been used to make a botnet earlier also just like attackers recently compromised 8 different popular home-routers that are IoT brands to make a botnet out of them which executed a DDoS attack at the application-level against several servers of certain website. Discoverer of this application-level DDoS alternatively HTTPS flood assault of Layer 7 is Sucuri the security company.

  • New Linux Trojan Discovered Coded in Mozilla's Rust Language [Ed: don’t install it. Easy.]

    A new trojan coded in Rust is targeting Linux-based platforms and adding them to a botnet controlled through an IRC channel, according to a recent discovery by Dr.Web, a Russian antivirus maker.

    Initial analysis of this trojan, detected as Linux.BackDoor.Irc.16, reveals this may be only a proof-of-concept or a testing version in advance to a fully weaponized version.

    Currently, the trojan only infects victims, gathers information about the local system and sends it to its C&C server.

  • The Limits of SMS for 2-Factor Authentication

    A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

  • Telnet is not dead – at least not on ‘smart’ devices

    Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But regardless of your age, you would probably not consider Telnet for anything you currently use. SSH has become the de facto standard when it comes to remote shell connection as it offers higher security, data encryption and much more besides.

    When we created our first honeypots for the Turris project (see our older blog articles – 1, 2, 3), we started with SSH and Telnet, because both offer interactive console access and thus are very interesting for potential attackers. But SSH was our main goal, while Telnet was more of a complimentary feature. It came as a great surprise to discover that the traffic we drew to the Telnet honeypots is three orders of magnitude higher than in the case of SSH (note the logarithmic scale of the plot below). Though there is a small apples-to-oranges issue, as we compare the number of login attempts for Telnet with the number of issued commands for SSH, the huge difference is obvious and is also visible in other aspects, such as in the number of unique attacker IP addresses.

  • Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

    vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

    The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.

  • Cisco’s Network Bugs Are Front and Center in Bankruptcy Fight

    Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.

    Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.

    “Machine Zone wasn’t acting in good faith,” says Steve Morrissey, a partner at law firm Susman Godfrey, which is representing Peak Web. “They were trying to get out of the contract.” Machine Zone has disputed that assertion in court documents, but it declined to comment for this story. Cisco also declined to comment on the case, saying only that it tries to publish confirmed problems quickly.

    There’s buggy code in virtually every electronic system. But few companies ever talk about the cost of dealing with bugs, for fear of being associated with error-prone products. The trial, along with Peak Web’s bankruptcy filings, promises a rare look at just how much or how little control a company may have over its own operations, depending on the software that undergirds it. Think of the corporate computers around the world rendered useless by a faulty update from McAfee in 2010, or of investment company Knight Capital, which lost $458 million in 30 minutes in 2012—and had to be sold months later—after new software made erratic, automated stock market trades.

Free Software Foundation stresses necessity of full user control over Internet-connected devices

Filed under
GNU
Security

The Internet of Things (IoT) refers to the integration of Internet technology into a wider range of home devices than previously envisaged by most users. Early adopters of IoT may now have homes with Internet-connected lightbulbs, alarm systems, baby monitors and even coffee machines. Internet integration allows owners to have greater flexibility over their devices, making it possible to turn on their air conditioning as they leave work to cool the house before they return, to have curtains that automatically close based on sunset time, or lights that automatically turn off after the owner has left the house. Each individual benefit may seem marginal, but overall they add significant benefit to the owners.

Read more

Security News

Filed under
Security
  • Friday's security updates
  • Ten-year-old Windows Media Player hack is the new black, again

    Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.

    The vector is a reborn social engineering hatchet job not seen in years in which attackers convince users to run executable content through Windows Media Player's Digital Rights Management (DRM) functionality.

    Windows Media Player will throw a DRM warning whenever users do not have the rights to play content, opening a URL through which a licence can be acquired.

    Now malware villains are packing popular movies with malicious links so that the DRM warning leads to sites where they're fooled into downloading trojans masquerading as necessary video codecs.

  • Luabot Malware Turning Linux Based IoT Devices into DDoS Botnet

    The IT security researchers at MalwareMustDie have discovered a malware that is capable of infecting Linux-based Internet of Things (IoT) devices and web servers to launch DDoS (Distributed Denial of Service) attacks.

Security News

Filed under
Security

Security News

Filed under
Security

Wireshark 2.2

Filed under
Software
Security
  • Wireshark 2.2 Released

    Wireshark 2.2 features "Decode As" improvements, the various UIs now support exporting packets as JSON, there is new file format decoding support, and a wide range of new protocol support. New protocol coverage includes Apache Cassandra, USB3 Vision Protocol, USIP protocol, UserLog protocol, Zigbee Protocol Clusters, Cisco ttag, and much more.

  • Wireshark 2.2.0 Is Out as the World's Most Popular Network Vulnerability Scanner

    Today, September 7, 2016, the development team behind the world's most popular network protocol analyzer, Wireshark, proudly announced the release of a new major stable version, namely Wireshark 2.2.

    After being in development for the past couple of months, Wireshark 2.2.0 has finally hit the stable channel, bringing with it a huge number of improvements and updated protocols. For those of you who never heard of Wireshark, we want to remind them that it's an open-source network vulnerability scanner used by security researchers and network administrators for development, analysis, troubleshooting, as well as education purposes.

Syndicate content

More in Tux Machines

Android Leftovers

Licensing resource series: Free GNU/Linux distributions & GNU Bucks

When Richard Stallman set out to create the GNU Project, the goal was to create a fully free operating system. Over 33 years later, it is now possible for users to have a computer that runs only free software. But even if all the software is available, putting it all together yourself, or finding a distribution that comes with only free software, would be quite the task. That is why we provide a list of Free GNU/Linux distributions. Each distro on the list is commited to only distributing free software. With many to choose from, you can find a distro that meets your needs while respecting your freedom. But with so much software making up an entire operating system, how is it possible to make sure that nothing nasty sneaks into the distro? That's where you, and GNU Bucks come in. Read more

Linux 4.7.6

I'm announcing the release of the 4.7.6 kernel. All users of the 4.7 kernel series must upgrade. The updated 4.7.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.7.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st... Read more Also: Linux 4.4.23

Linaro beams LITE at Internet of Things devices

Linaro launched a “Linaro IoT and Embedded” (LITE) group, to develop end-to-end open source reference software for IoT devices and applications. Linaro, which is owned by ARM and major ARM licensees, and which develops open source software for ARM devices, launched a Linaro IoT and Embedded (LITE) Segment Group at this week’s Linaro Connect event in Las Vegas. The objective of the LITE initiative is to produce “end to end open source reference software for more secure connected products, ranging from sensors and connected controllers to smart devices and gateways, for the industrial and consumer markets,” says Linaro. Read more Also:

  • Linaro organisation, with ARM, aims for end-end open source IoT code
    With the objective of producing reference software for more secure connected products, ranging from sensors and connected controllers to smart devices and gateways, for the industrial and consumer markets, Linaro has announced LITE: Collaborative Software Engineering for the Internet of Things (IoT). Linaro and the LITE members will work to reduce fragmentation in operating systems, middleware and cloud connectivity solutions, and will deliver open source device reference platforms to enable faster time to market, improved security and lower maintenance costs for connected products. Industry interoperability of diverse, connected and secure IoT devices is a critical need to deliver on the promise of the IoT market, the organisation says. “Today, product vendors are faced with a proliferation of choices for IoT device operating systems, security infrastructure, identification, communication, device management and cloud interfaces.”
  • An open source approach to securing The Internet of Things
  • Addressing the IoT Security Problem
    Last week's DDOS takedown of security guru Brian Krebs' website made history on several levels. For one, it was the largest such reported attack ever, with unwanted traffic to the site hitting levels of 620 Gbps, more than double the previous record set back in 2013, and signalling that the terabyte threshold will certainly be crossed soon. It also relied primarily on compromised Internet of Things devices.