Language Selection

English French German Italian Portuguese Spanish

Security

OpenBSD 6.0 tightens security by losing Linux compatibility

Filed under
Security
BSD

OpenBSD, one of the more prominent variants of the BSD family of Unix-like operating systems, will be released at the beginning of September, according to a note on the official OpenBSD website.

Often touted as an alternative to Linux. OpenBSD is known for the lack of proprietary influence on its software and has garnered a reputation for shipping with better default security than other OSes and for being highly vigilant (some might say strident) about the safety of its users. Many software router/firewall projects are based on OpenBSD because of its security-conscious development process.

Read more

Security News

Filed under
Security

Security News

Filed under
Security
  • As a blockchain-based project teeters, questions about the technology’s security

    There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles and books touting blockchain-based ledgers as the next technology that will run the world.

  • Fix Bugs, Go Fast, and Update: 3 Approaches to Container Security

    Containers are becoming the central piece of the future of IT. Linux has had containers for ages, but they are still maturing as a technology to be used in production or mission-critical enterprise scenarios. With that, security is becoming a central theme around containers. There are many proposed solutions to the problem, including identifying exactly what technology is in place, fixing known bugs, restricting change, and generally implementing sound security policies. This article looks at these issues and how organizations can adapt their approach to security to keep pace with the rapid evolution of containers.

  • Preventing the next Heartbleed and making FOSS more secure [Ed: Preventing the next Microsoft-connected trademarked bug for FOSS and making FOSS more secure from Microsoft FUD]

    David Wheeler is a long-time leader in advising and working with the U.S. government on issues related to open source software. His personal webpage is a frequently cited source on open standards, open source software, and computer security. David is leading a new project, the CII Best Practices Badging project, which is part of the Linux Foundation's Core Infrastructure Initiative (CII) for strengthening the security of open source software. In this interview he talks about what it means for both government and other users.

Keeweb A Linux Password Manager

Filed under
Linux
Reviews
Security

Today we are depending on more and more online services. Each online service we sign up for, let us set a password and this way we have to remember hundreds of passwords. In this case, it is easy for anyone to forget passwords. In this article I am going to talk about Keeweb, a Linux password manager that can store all your passwords securely either online or offline.

Read<br />
more

Security News

Filed under
Security
  • Security updates for Thursday
  • Open Source Information Security Tool Aimed at MSSPs

    A Virginia software developer announced today the release of what’s billed as the first open source information security analytics tool for managed security services providers (MSSP) and enterprise.

    IKANOW says its new platform features multi-tenancy, enterprise scalability and is fully customizable.

  • Most companies still can't spot incoming cyberattacks

    Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

    According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

  • HTTpoxy Flaw Re-emerges After 15 Years and Gets Fixed

    After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed.
    Some flaws take longer—a lot longer—than others to get fixed. The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18.

    The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts. The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic. The flaw at its core is a name space conflict between two different uses for a server variable known as HTTP Proxy.

  • Hack The World

    Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer Internet.

  • EU aims to increase the security of password manager and web server software: KeePass and Apache chosen for open source audits [“pyrrhic because of Keepass : flushing the audit money down the toilet on MS based cruft” -iophk]

    For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

    The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

  • KeeThief – A Case Study in Attacking KeePass Part 2

    The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares“. Our counterpoint to this is that protecting your computer from malicious compromise is a very different problem when it’s joined to a domain versus isolated for home use. As professional pentesters/red teamers we’re highly interested in post-exploitation techniques applicable to enterprise environments, which is why we started looking into ways to “attack” KeePass installations in the first place. Our targets are not isolated home users.

  • Giuliani calls for cybersecurity push

    Former New York mayor Rudy Giuliani made a surprise appearance at the BlackBerry Security Summit, warning of the rapid growth of cybercrime and cyberterrorism.

    Cybercrime and cyberterrorism are both growing at rates between 20% and 40%, said Giuliani, who made a brief return from the Republican National Convention in Cleveland to speak at BlackBerry's New York event.

    "Think of it like cancer. We can't cure it... but if we catch it early we can put it into remission," he said. The quicker you can spot an attack, the less chance there is of loss.

  • Notorious Hacker ‘Phineas Fisher’ Says He Hacked The Turkish Government

    A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

    The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

    “I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.

Security News

Filed under
Security

EC to audit Apache HTTP Server and Keepass

Filed under
Security

The European Commission is preparing a software source code security audit on two software solutions, Apache HTTP server and Keepass, a password manager. The source code will be analysed and tested for potential security problems, and the results will be shared with the software developers. The audits will start in the coming weeks.

Read more

Security News

Filed under
Security
  • Security advisories for Tuesday
  • BlackBerry Inks Software Deal With U.S. Senate
  • BlackBerry inks security software deals, shares slip
  • BlackBerry Announces String of Small Security Software Deals
  • BlackBerry inks U.S. government software deals; shares slip
  • Carbanak Gang Tied to Russian Security Firm?

    Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity.

    The Carbanak gang derives its name from the banking malware used in countless high-dollar cyberheists. The gang is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has likely stolen upwards of USD $1 billion — but mostly from Russian banks.

  • Now you can ask Twitter directly to verify your account

    Do you have an army of imposters online pretending to be you? Probably not, but now you can still request for a verified Twitter account.

    On Tuesday, Twitter launched an official application process so that any account can be verified and receive a blue checkmark badge next to its username. Twitter users interested in applying should have a verified phone number and email address, as well as a profile photo that reflects the person or company branding.

    Verified accounts get to filter their mentions to only see those from other verified accounts. But that seems to be the only real feature or perk that comes from having a blue badge–aside from bragging rights, of course. Additionally, verified accounts can’t be private, and the username must remain the same or you will have to seek verification all over again. If you are rejected, you can reapply after 30 days. Previously, the verification process was never clear-cut, and it seemed to require a direct connection to a Twitter rep.

  • Software flaw puts mobile phones and networks at risk of complete takeover [Ed: proprietary software]

    A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

    The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.

Security News

Filed under
Security
  • Ubuntu forum breach traced to neglected plugin
  • Canonical warns users after Ubuntu forum data breach
  • Flaw in vBulletin add-on leads to Ubuntu Forums database breach
  • CrypTech — Internet Engineers’ New Open Source Weapon Against ‘Creepy’ Governments

    The CrypTech project is an independent security hardware development effort that consists of an international team. CrypTech Alpha is an open source crypto-vault that stores the private/public keys and separates the digital certificates from the software using them. It has been developed as a hardware secure module (HSM) to make the implementation of strong cryptography easier.

  • Entrepreneur in £10m swoop for hacking team

    One of the northwest’s best-known entrepreneurs has splashed out about £10m on a cyber-security venture that helps businesses repel hackers.

    Lawrence Jones, who runs the Manchester-based internet hosting and cloud computing specialist UKFast, has bought Pentest, an “ethical hacking” firm whose staff help detect flaws in clients’ cyber-defences.

    Jones, 47, will merge Pentest’s 45 staff into his own cyber-security outfit, Secarma. “It’s become obvious that there is a massive need to put emphasis on cyber-security,” said the internet tycoon, whose wealth is calculated by The Sunday Times Rich List as £275m.

  • Guilt by ASN: Compiler's bad memory bug could sting mobes, cell towers

    A vulnerability in a widely used ASN.1 compiler isn't a good thing: it means a bunch of downstream systems – including mobile phones and cell towers – will inherit the bug.

    And an ASN.1 bug is what the Sadosky Foundation in Argentina has turned up, in Objective Systems' software.

    The research group's Lucas Molas says Objective's ASN1C compiler for C/C++ version 7.0.0 (other builds are probably affected) generates code that suffers from heap memory corruption. This could be potentially exploited to run malware on machines and devices that run the vulnerable compiler output or interfere with their operation.

Security Leftovers

Filed under
Security
Syndicate content

More in Tux Machines

Linux From Scratch 8.0 Released, Adding Major Changes

Linux From Scratch is a book which can be used to build an independent Linux distribution which doesn’t use any other Linux distribution as a base. It teaches you how things work under the hood and how to compile software and build your own Linux system. The guide is also free for all. BLFS (Beyond Linux from Scratch) is an additional guide which will take you through graphical user interfaces setup, printing support, networking and more. It also contains a lot of great information. Read more

Today in Techrights

Software Freedom Conservancy Funding

  • Software Freedom Conservancy matching
    Non-profits that provide project support have proven themselves to be necessary for the success and advancement of individual projects and Free Software as a whole. The Free Software Foundation (founded in 1985) serves as a home to GNU projects and a canonical list of Free Software licenses. The Open Source Initiative came about in 1998, maintaining the Open Source Definition, based on the Debian Free Software Guidelines, with affiliate members including Debian, Mozilla, and the Wikimedia Foundation. Software in the Public Interest (SPI) was created in the late 90s largely to act as a fiscal sponsor for projects like Debian, enabling it to do things like accept donations and handle other financial transactions.
  • Clojars is Conservancy’s Newest Member Project
    Software Freedom Conservancy is pleased to announce the addition of Clojars as its newest member project. Clojars is a community-maintained repository for free and open source libraries written in the Clojure programming language. Clojars emphasizes ease of use, publishing library packages that are simple to use with build automation tools.

Leftovers: Software

  • systemd 233 about to be released, please help testing
    systemd 233 is scheduled to be released next week, and there is only a handful of small issues left. As usual there are tons of improvements and fixes, but the most intrusive one probably is another attempt to move from legacy cgroup v1 to a “hybrid” setup where the new unified (cgroup v2) hierarchy is mounted at /sys/fs/cgroup/unified/ and the legacy one stays at /sys/fs/cgroup/ as usual. This should provide an easier path for software like Docker or LXC to migrate to the unified hiearchy, but even that hybrid mode broke some bits.
  • Keep : A personal shell command keeper
    Introducing a new command line tool which solves the issue of memorizing commands or storing them somewhere which is difficult to find. With the grep and run commands, one can easily find their long forgotten commands and use them them right away.
  • qutebrowser v0.10.0 released
    I'm happy to annouce the release of qutebrowser v0.10.0! qutebrowser is a keyboard driven browser with a vim-like, minimalistic interface. It's written using PyQt and cross-platform. I haven't announced the v0.9.0 release in this blog (or any patch releases), but for v0.10.0 it definitely makes sense to do so, as it's mostly centered on QtWebEngine!
  • GNOME Pomodoro: A Pomodoro Timer With AppIndicator And GNOME Shell Support
    GNOME Pomodoro is, like the name suggests, a Pomodoro timer for GNOME. The application website mentions that it's currently only for GNOME Shell, however, an AppIndicator is also available.
  • 7 Awesome Open Source Build Automation Tools For Sysadmin/DevOps/Developers
    Build automation is a vital tool for devops, sysadmins, and developers. It is nothing but scripting or automating the process of compiling source code into binary. Sysadmins can use build tools to manage and update config files. Following is a list of awesome open source and popular tools associated with automating build processes on Linux or Unix-like system.