Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Linux Foundation launches badge program to boost open source security

    The Linux Foundation has released the first round of CII Best Practices badges as part of a program designed to improve the quality and security of open-source software.

    Announced on Tuesday, the non-profit said the Core Infrastructure Initiative (CII), a project which brings tech firms, developers and stakeholders together to create best practice specifications and improve the security of critical open-source projects, has now entered a new stage with the issue of CII badges to a select number of open-source software.

  • Free Badge Program Signals What Open Source Projects Meet Criteria for Security, Quality and Stability
  • How to Conduct Internal Penetration Testing

    The best way to establish how vulnerable your network is to a hacker attack is to subject it to a penetration test carried out by outside experts. (You must get a qualified third party to help with penetration testing, of course, and eSecurity Planet recently published an article on finding the right penetration testing company.)

  • SSH for Fun and Profit

    In May last year, a new attack on the Diffie Hellman algorithm was released, called Logjam. At the time, I was working on a security team, so it was our responsiblity to check that none of our servers would be affected. We ran through our TLS config and decided it was safe, but also needed to check that our SSH config was too. That confused me – where in SSH is Diffie Hellman? In fact, come to think of it, how does SSH work at all? As a fun side project, I decided to answer that question by writing a very basic SSH client of my own.

IPFire 2.19 Core Update 101 Patches Cross-Site-Scripting Vulnerability in Web UI

Filed under
Security

The development team behind the IPFire software have announced the general availability of the Core Update 101 of the IPFire 2.19 Linux kernel-based firewall distribution.

Read more

Security Leftovers

Filed under
Security

IPFire 2.19 - Core Update 101 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 101. This update contains various security fixes and bug fixes.

Read more

Git 2.8.2 Popular Source Code Management System Released with Over 18 Bug Fixes

Filed under
Security

The stable 2.8 series of the popular Git source code management system just received its second point release, version 2.8.2, bringing over 18 improvements and bug fixes.

Read more

Security Leftovers

Filed under
Security
  • 66% of USB Flash Drives infected – don’t trust a stray [Ed: Windows]

    The problem is that the OS will automatically run a program that can install malware from a USB stick.

  • Dental Assn Mails Malware to Members

    The domain is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer.

  • Slack bot token leakage exposing business critical information

    Developers are leaking access tokens for Slack widely on GitHub, in public repositories, support tickets and public gists. They are extremely easy to find due to their structure. It is clear that the knowledge about what these tokens can be used for with malicious intent is not on top of people’s minds…yet. The Detectify team shows the impact, with examples, and explains how this could be prevented.

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Hacking Slack accounts: As easy as searching GitHub

    A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

    According to a blog post published Thursday, company researchers recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.

  • Time for a patch: six vulns fixed in NTP daemon
  • NTP Daemon Gets Fixes for Vulnerabilities Causing DoS and Authentication Bypass
  • Cisco Spots New NTP Bugs
  • Network Time Keeps on Ticking with Long-Running NTP Project [Ed: corrected URL]
  • Open Source Milagro Project Aims to Fix Web Security for Cloud, Mobile, IoT

    As the Internet continues to both grow in size and widen in scope, so do demands on the supporting infrastructure. The number of users and devices, amount of activity, internationalization of the web, and new devices that range from mobile apps and cloud instances to "Internet of Things," put strain on the system. Not just for bandwidth or service availability, but also on the assurance of trust -- trust that the entities at each end are who (or what) they say they are, and that their communications are private and secure.

  • M2Mi Obtains DHS Open-Source Cryptographic Tool Development Funds

    Machine-to-Machine Intelligence Corp. has been awarded $75,000 in funds by the Department of Homeland Security‘s science and technology directorate to create a deployable cryptographic protocol for an Internet of Things security initiative.

  • Encrypted Network Traffic Comes at a Cost

    The use of encryption over the Internet is growing. Fueled by Edward Snowden's revelations on the extent of NSA and GCHQ content monitoring, encryption is now increasingly provided by the big tech companies as part of their standard product offerings. It's effectiveness can be seen in the continuing demands by different governments for these same tech companies to provide government backdoors for that encryption. Encryption works: it safeguards privacy.

    Against this background, the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt network traffic is likely to grow dramatically. Google is encouraging this. It already uses HTTPS as a positive weight for web sites in its search algorithm, while current rumors suggest it will soon start to place a warning red X in the URL bar of sites that do not use it. Taken together, these are strong incentives for businesses that don't currently use SSL/TLS to start doing so. Some predictions believe that almost 70% of network traffic will be encrypted by the end of this year.

  • Raptor Engineering Updates Details On Their POWER8-Based Talos Secure Workstation

    Raptor Engineering has published new information around their proposed high-performance Talos Secure Workstation that for around $3k is a high-end POWER8 motherboard.

Security Leftovers

Filed under
Security
  • The road to hell is paved with SAML Assertions

    A vulnerability in Microsoft Office 365 SAML Service Provider implementation allowed for cross domain authentication bypass affecting all federated domains. An attacker exploiting this vulnerability could gain unrestricted access to a victim's Office 365 account, including access to their email, files stored in OneDrive etc.

  • Cisco Finds Backdoor Installed on 12 Million PCs

    Cisco started analyzing Tuto4PC’s OneSoftPerDay application after its systems detected an increase in “Generic Trojans” (i.e. threats not associate with any known family). An investigation uncovered roughly 7,000 unique samples with names containing the string “Wizz,” including “Wizzupdater.exe,” “Wizzremote.exe” and “WizzInstaller.exe.” The string also showed up in some of the domains the samples had been communicating with.

  • The "Wizzards" of Adware [Ed: unsurprisingly Windows]
  • All About Fraud: How Crooks Get the CVV

    A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.

  • Why We Should Be Worried About Ancient Viruses Infecting Power Plants [Ed: unsurprisingly Windows again]

    The reasons these patients are vulnerable to viruses like W32.Ramnit and Conficker is because they run legacy systems that haven’t been patched or updated for a decade. And that’s fine as long as the operators of the plant keep them isolated and assume they are insecure, hopefully keeping the more critical parts of the network away safer.

  • Magical Thinking in Internet Security

    Increased complexity without corresponding increases in understanding would be a net loss to a buyer. At scale, it's been a net loss to the world economy.

  • Edward Snowden: The Internet Is Broken

    In 2013, a now-infamous government contractor named Edward Snowden shined a stark light on our vulnerable communications infrastructure by leaking 10,000 classified U.S. documents to the world.

    One by one, they detailed a mass surveillance program in which the National Security Administration and others gathered information on citizens — via phone tracking and tapping undersea Internet cables.

    Three years after igniting a controversy over personal privacy, public security, and online rights that he is still very much a part of, Snowden spoke with Popular Science in December 2015 and shared his thoughts on what's still wrong and how to fix it.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • German nuclear plant infected with computer viruses, operator says

    A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday.

    The Gundremmingen plant, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE (RWEG.DE).

    The viruses, which include "W32.Ramnit" and "Conficker", were discovered at Gundremmingen's B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.

    Malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant's operating systems. RWE said it had increased cyber-security measures as a result.

  • Death of the enterprise VPN - if remote access is not secure what comes next? [iophk: "Spam. Besides, if an app cannot be put on the net without a VPN then it does not belong on the net in the first place."]

    VPNs are the backbone of enterprise remote access and yet their security limitations are starting to pile up. The problem is that the very thing that once made them so useful, network access, is now their biggest weakness. As the 2014 attacks on retailers Target and Home Depot painfully illustrate, this architecture can easily be exploited by attackers armed with stolen credentials to move around networks from within in ways that are difficult to spot until it’s too late.

Syndicate content

More in Tux Machines

today's leftovers

  • FLOSS Weekly 389: Best Practices Badge
  • OpenGL 4.5 For The Intel Mesa Driver May Be Imminent
    Intel has been rapidly advancing their OpenGL 4.x support and OpenGL 4.5 is even in sight now. Kristian Høgsberg today landed GL_KHR_robustness support in the i965 DRI driver, a requirement for OpenGL 4.5.
  • Shotwell vs. digiKam
    How to manage your photos? – That is probably the biggest question for anyone doing anything with a photo camera. As resolutions of cameras grow, the data we have to manage is growing ever. In my case I am talking about more than 50000 photos and videos measuring up to about 200Gb of disk space, constantly growing. There are several photo management softwares out there, I guess the most commonly used ones are Shotwell for the Gnome desktop, digiKam for the KDE world, and FotoXX. I have not used Shotwell and digiKam for quite some time, and collect here my experiences of strength and weaknesses of the two programs. FotoXX seems to be very powerful, too, but I haven’t tested it till now.
  • Tweet your database with db2twitter
    db2twitter is developed by and run for LinuxJobs.fr, the job board of th french-speaking Free Software and Opensource community.
  • Tiny Core Linux 7.1 Screenshot Tour
  • Annoying myths about Linux that won't go away
    Linux has been around for many years, and has gotten better and better as time has gone by. Yet there are some enduring, inaccurate, and annoying myths about Linux that persist to this day. A Linux redditor started a thread about Linux myths and got some interesting responses from his fellow Linux users:
  • GStreamer Spring Hackfest 2016
    After missing the last few GStreamer hackfests I finally managed to attend this time. It was held in Thessaloniki, Greece’s second largest city. The city is located by the sea side and the entire hackfest and related activities were either directly by the sea or just a couple blocks away.
  • My talk at OSDC 2016: Continuous Integration in Data Centers – Further 3 Years Later
  • Isenkram with PackageKit support - new version 0.23 available in Debian unstable
    The isenkram system is a user-focused solution in Debian for handling hardware related packages. The idea is to have a database of mappings between hardware and packages, and pop up a dialog suggesting for the user to install the packages to use a given hardware dongle. Some use cases are when you insert a Yubikey, it proposes to install the software needed to control it; when you insert a braille reader list it proposes to install the packages needed to send text to the reader; and when you insert a ColorHug screen calibrator it suggests to install the driver for it. The system work well, and even have a few command line tools to install firmware packages and packages for the hardware already in the machine (as opposed to hotpluggable hardware).

today's howtos

Leftovers: Gaming

Leftovers: KDE (Akonadi, KWin)

  • Akonadi for e-mail needs to die
    So, I'm officially giving up on kmail2 (i.e., the Akonadi-based version of kmail) on the last one of my PCs now. I have tried hard and put in a lot of effort to get it working, but it costs me a significant amount of time and effort just to be able to receive and read e-mail - meaning hanging IMAP resources every few minutes, the feared "Multiple merge candidates" bug popping up again and again, and other surprise events. That is plainly not acceptable in the workplace, where I need to rely on e-mail as means of communication. By leaving kmail2 I seem to be following many many other people... Even dedicated KDE enthusiasts that I know have by now migrated to Trojita or Thunderbird.
  • Virtual keyboard support in KWin/Wayland 5.7
    Over the last weeks I worked on improved input device support in KWin/Wayland and support for virtual keyboard. KWin 5.7 will integrate the new QtVirtualKeyboard module which is now available under GPLv3. For us this means that we have access to a high quality QML based keyboard. For Qt it means that the virtual keyboard is exposed to more users and thanks to the open source nature it means that we can upstream fixes.
  • Virtual Keyboard Support For KWin / KDE Wayland 5.7
    The latest KWin/Wayland hacking project by Martin Gräßlin is adding virtual keyboard support to KWin for the upcoming KDE Plasma 5.7 release. This virtual keyboard support is powered by the QtVirtualKeyboard module and provides a high-quality, QML-based keyboard that will work on KWin/Wayland when no hardware keyboard is available. Implementing this virtual keyboard support with Wayland compatibility was actually quite a feat, but has now become a reality thanks to the work by Martin.