Security

CyberArk open-sources Conjur

Filed under
OSS
Security
  • CyberArk open-sources Conjur

    Security vendor CyberArk has released an open-source version of its Conjur secrets management software.

    CyberArk Conjur enables DevOps teams to automatically secure and manage secrets used by machines and users to protect containerised and cloud-native applications across the DevOps pipeline, company officials said.

  • Open-source stewardship key as CyberArk moves to help devs avoid another Heartbleed

    Conjur’s credential-management technology includes specific functionality for securely managing ‘secrets’ – access keys, privileged account credentials, API keys, and other sensitive information – and Lawler expects that the release of CyberArk Conjur Community Edition to the open-source community will drive a flurry of innovation that will further raise the level of open-source security overall.

Security: NSA Data Dumps Again

Filed under
Security

Security: Dragonfly, Zhejiang University, ‘Internet of Things’, ShadowBrokers and Protego

Filed under
Security
  • Hackers {sic} attacking US and European energy firms could sabotage power grids [iophk: "symantec == windoze; windoze == fraud"]

    Cybersecurity firm Symantec says ‘Dragonfly’ group has been investigating and penetrating energy facilities in US, Turkey and Switzerland

  • A Simple Design Flaw Makes It Astoundingly Easy To Hack {sic} Siri And Alexa

    [...] a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

  • The ‘internet of things’ is sending us back to the Middle Ages

    By gazing into this fish tank, we can see the problem with “internet of things” devices: We don’t really control them. And it’s not always clear who does – though often software designers and advertisers are involved.

  • ShadowBrokers release UNITEDRAKE NSA malware

    The ShadowBrokers group of hackers has released a remote access and control tool used by the US NSA to capture information from Windows-based machines.

    The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.

  • Shadow Brokers appear again with new exploit

    And a second, known as ETERNALROMANCE, was used to craft ransomware that was given various names — Petya (nomenclature given to ransomware that already existed), NotPetya, ExPetr, Nyetya and GoldenEye — which attacked Windows machines in Europe in June and spread to other countries.

  • Protego

    Today, September 7th 2017, WikiLeaks publishes four secret documents from the Protego project of the CIA, along with 37 related documents (proprietary hardware/software manuals from Microchip Technology Inc.). The project was maintained between 2014 and 2015.

Security: Patches, Apache Struts, FBI Cracking

Filed under
Security
  • Security updates for Wednesday

  • Apache Struts Update Patches Critical Vulnerabilities

    Apache Struts is a widely used Java framework that is embedded into many enterprise applications, which means that any vulnerabilities provide a potentially very large attack surface. Today the open-source Struts project announced its 2.5.13 update fixing three vulnerabilities.

  • Hackers lie in wait after penetrating US and Europe power grid networks

    Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.

    The incursions detected by security firm Symantec represent a dramatic escalation by a hacking group dubbed Dragonfly, which has been waging attacks against US and European energy companies since at least 2011. In 2014, Symantec reported that Dragonfly was aggressively establishing beachheads in a limited number of target networks, mainly by stealing the user names and passwords used to restrict access to legitimate personnel. Over the past year, the hacking group has managed to compromise dozens of energy firms and, in a handful of cases, install backdoors in the highly sensitive networks the firms use to supply power to the grid.

  • Court Finds FBI's 'Malware' Deployment To Be Perfectly Constitutional

    The US court system has hosted a large number of lively discussions about the tactics used by the FBI in its Playpen child porn investigation. A lot of new ground was broken by the FBI, not all of it good. First, the agency kept a darkweb child porn site running for two weeks after it seized it. It did this to facilitate the distribution of malware designed to uncover information about the computers (and users) accessing the site.

    Adding to the mess was the malware itself. The FBI's Network Investigative Technique (NIT) was deployed across the US (and across the globe) via a single warrant signed by a magistrate judge in Virginia. Plenty of courts have declared the FBI's warrant invalid, as the search performed violated Rule 41's jurisdictional limitations. (Those limitations no longer exist, so chalk up a win for the DOJ.) Many have also called the NIT's extraction of IP addresses and device-identifying info a search. But very few judges have seen fit to suppress the evidence obtained, either finding no privacy expectations in IP addresses or granting the FBI "good faith."

Security: Linux 4.13, Superfish (Windows), VPN in China, Marcus Hutchins and Estonia

Filed under
Security

Security: Updates, Podcast, and PDFs

Filed under
Security

Security: Updates, B. F. Skinner, and Yahoo

Filed under
Security
  • Security updates for Monday
  • The father of modern security: B. F. Skinner

    What I mean with that statement is our security process is often based on ideas that don't really work. As an industry we have built up a lot of ideas and processes that aren't actually grounded in facts and science. We don't understand why we do certain things, but we know that if we don't do those things something bad will happen! Will it really happen? I heard something will happen. I suspect the answer is no, but it's very difficult to explain this concept sometimes.

    [...]

    Here's where it gets real. It's easy to pick on the password example because it's in the past. We need to focus on the present and the future. You have an organization that's full of policy, ideas, and stuff. How can we try to make a dent in what we have today? What matters? What doesn't work, and what's actually harmful?

  • US judge says that Yahoo must face lawsuits over data breaches

    The lawsuit concerns two major breaches: one that occurred in 2013 that impacted more than a billion users, and another in late 2014 that affected at least 500 million accounts. In December, a judicial panel consolidated five putative class action suits that sought to represent account holders who had e-mails, passwords, and other sensitive information compromised.

  • Yahoo must face litigation by data breach victims: U.S. judge

    A U.S. judge said Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.

Spyware Dolls and Intel's vPro

Filed under
Security

For a number of years now there has been growing concern that the management technologies in recent Intel CPUs (ME, AMT and vPro) also conceal capabilities for spying, either due to design flaws (no software is perfect) or backdoors deliberately installed for US spy agencies, as revealed by Edward Snowden. In a 2014 interview, Intel's CEO offered to answer any question, except this one.

The LibreBoot project provides a more comprehensive and technical analysis of the issue, summarized in the statement "the libreboot project recommends avoiding all modern Intel hardware. If you have an Intel based system affected by the problems described below, then you should get rid of it as soon as possible" - eerily similar to the official advice German authorities are giving to victims of Cayla the doll.

All those amateur psychiatrists suggesting LibreBoot developers suffer from symptoms of schizophrenia have had to shut their mouths since May when Intel confirmed a design flaw (or NSA backdoor) in every modern CPU had become known to hackers.

Bill Gates famously started out with the mission to put a computer on every desk and in every home. With more than 80% of new laptops based on an Intel CPU with these hidden capabilities, can you imagine the NSA would not have wanted to come along for the ride?

IPFire 2.19 - Core Update 113 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 113. The change log is rather short, but comes with a big new feature...


More in Tux Machines

OpenSUSE fonts – The sleeping beauty guide

Pandora’s box of fonts is one of the many ailments of the distro world. As long as we do not have standards, and some rather strict ones at that, we will continue to suffer from bad fonts, bad contrast, bad ergonomics, and in general, settings that are not designed for sustained, prolonged use. It’s a shame, because humans actually use computers to interface with information, to READ text and interpret knowledge using the power of language. It’s the most critical element of the whole thing. OpenSUSE under-delivers on two fonts – anti-aliasing and hinting options that are less than ideal, and then it lacks the necessary font libraries to make a relevant, modern and pleasing desktop for general use. All of this can be easily solved if there’s more attention, love and passion for the end product. After all, don’t you want people to be spending a lot of time interacting, using and enjoying the distro? Hopefully, one day, all this will be ancient history. We will be able to choose any which system and never worry or wonder how our experience is going to be impacted by the choice of drivers, monitors, software frameworks, or even where we live. For the time being, if you intend on using openSUSE, this little guide should help you achieve a better, smoother, higher-quality rendering of fonts on the screen, allowing you to enjoy the truly neat Plasma desktop to the fullest. Oh, in the openSUSE review, I promised we would handle this, and handle it we did! Take care.

Today in Techrights

Direct Rendering Manager and VR HMDs Under Linux

  • Intel Prepping Support For Huge GTT Pages
    Intel OTC developers are working on support for huge GTT pages for their Direct Rendering Manager driver.
  • Keith Packard's Work On Better Supporting VR HMDs Under Linux With X.Org/DRM
    Earlier this year Keith Packard started a contract gig for Valve working to improve Linux's support for virtual reality head-mounted displays (VR HMDs). In particular, working on Direct Rendering Manager (DRM) and X.Org changes needed so VR HMDs will work well under Linux with the non-NVIDIA drivers. A big part of this work is the concept of DRM leases, a new Vulkan extension, and other changes to the stack.

Software: Security Tools, cmus, Atom-IDE, Skimmer Scanner

  • Security Tools to Check for Viruses and Malware on Linux
    First and foremost, no operating system is 100 percent immune to attack. Whether a machine is online or offline, it can fall victim to malicious code. Although Linux is less prone to such attacks than, say, Windows, there is no absolute when it comes to security. I have witnessed, first hand, Linux servers hit by rootkits that were so nasty, the only solution was to reinstall and hope the data backup was current. I’ve been a victim of a (very brief) hacker getting onto my desktop, because I accidentally left desktop sharing running (that was certainly an eye opener). The lesson? Even Linux can be vulnerable. So why does Linux need tools to prevent viruses, malware, and rootkits? It should be obvious why every server needs protection from rootkits — because once you are hit with a rootkit, all bets are off as to whether you can recover without reinstalling the platform. It’s antivirus and anti-malware where admins start getting a bit confused. Let me put it simply — if your server (or desktop for that matter) makes use of Samba or sshfs (or any other sharing means), those files will be opened by users running operating systems that are vulnerable. Do you really want to take the chance that your Samba share directory could be dishing out files that contain malicious code? If that should happen, your job becomes exponentially more difficult. Similarly, if that Linux machine performs as a mail server, you would be remiss to not include AV scanning (lest your users be forwarding malicious mail).
  • cmus – A Small, Fast And Powerful Console Music Player For Linux
    You may ask yourself a question when you see this article: is it possible to listen to music in a Linux terminal? Yes, because nothing is impossible in Linux. We have covered many popular GUI-based media players in our previous articles but we haven’t covered any CLI-based media players as of now, so today we are going to cover cmus, which is one of the famous console-based media players among others (for CLI, very few applications are available in Linux).
  • You Can Now Transform the Atom Hackable Text Editor into an IDE with Atom-IDE
    GitHub and Facebook recently launched a set of tools that promise to allow you to transform your Atom hackable text editor into a veritable IDE (Integrated Development Environment). They call the project Atom-IDE. With the release of Atom 1.21 Beta last week, GitHub introduced Language Server Protocol support to integrate its brand-new Atom-IDE project, which comes with built-in support for five popular language servers, including JavaScript, TypeScript, PHP, Java, C#, and Flow. But many others will come with future Atom updates.
  • This open-source Android app is designed to detect nearby credit card skimmers
    Protecting our data is a constant battle, especially as technology continues to advance. A recent trend that has popped up is the installation of credit card skimmers, especially at locations such as gas pumps. With a simple piece of hardware and 30 seconds to install it, a hacker can easily steal credit card numbers from a gas pump without anyone knowing. Now, an open-source app for Android is attempting to help users avoid these skimmers.