Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Bug Bounty Hunter Launches Accidental DDoS Attack on 911 Systems via iOS Bug

    The Maricopa County Sheriff's Office Cyber Crimes Unit arrested Meetkumar Hiteshbhai Desai, an 18-year-old teenager from the Phoenix area, for flooding the 911 emergency system with hang-up calls.

    According to a press release from the Maricopa County Sheriff's Office, Desai created a JavaScript exploit, which he shared on Twitter and other websites with his friends.

    People accessing Desai's link from their iPhones saw their phone automatically dial and redial 911.

  • Dyn DDoS attack exposes soft underbelly of the cloud

    It's apparently possible that a DDoS attack can be big enough to break the internet -- or, as shown in the attack against ISP Dyn, at least break large parts of it.

    The DDoS attack against Dyn that began Friday went far past taking down Dyn's servers. Beyond the big-name outages, organizations could not access important corporate applications or perform critical business operations.

  • [Older] The Dyn report: What we know so far about the world's biggest DDoS attack

    First, there was nothing -- nothing -- surprising about this attack. As Paul Mockapetris, creator of the Domain Name System (DNS), said, "The successful DDoS attack on DYN is merely a new twist on age-old warfare. ... Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let's take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and realize and plan for more of these sorts of attacks."

  • Incident Report: Inadvertent Private Repository Disclosure

    On Thursday, October 20th, a bug in GitHub’s system exposed a small amount of user data via Git pulls and clones. In total, 156 private repositories of GitHub.com users were affected (including one of GitHub's). We have notified everyone affected by this private repository disclosure, so if you have not heard from us, your repositories were not impacted and there is no ongoing risk to your information.

    This was not an attack, and no one was able to retrieve vulnerable data intentionally. There was no outsider involved in exposing this data; this was a programming error that resulted in a small number of Git requests retrieving data from the wrong repositories.

    Regardless of whether or not this incident impacted you specifically, we want to sincerely apologize. It’s our responsibility not only to keep your information safe but also to protect the trust you have placed in us. GitHub would not exist without your trust, and we are deeply sorry that this incident occurred.

Security News

Filed under
Security
  • Friday's security advisories
  • Here's How to Protect Linux Servers & Android Phones from Dirty COW Vulnerability
  • The Inevitability of Being Hacked

    The last attempted hack came 5 minutes ago, using the username root and the password root.

  • New Windows code injection method could let malware bypass detection

    Security researchers have discovered a new way that allows malware to inject malicious code into other processes without being detected by antivirus programs and other endpoint security systems.

    The new method was devised by researchers from security firm Ensilo who dubbed it AtomBombing because it relies on the Windows atom tables mechanism. These special tables are provided by the operating system and can be used to share data between applications.

    "What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table," Ensilo researcher Tal Liberman said in a blog post. "We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code."

    This new code-injection technique is not currently detected by antivirus and endpoint security programs because it is based on legitimate functionality, according to Liberman. Also, the atom tables mechanism is present in all Windows versions and it's not something that can be patched because it's not a vulnerability.

  • Of course smart homes are targets for hackers

    The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that don't require passwords (or don't force you to change a default) and devices that want you to disable security; follow general network security best practices but otherwise don't worry - criminals aren't likely to target you.

  • OpenStack Security Project Aims to Protect the Open-Source Cloud

    The OpenStack Security project adds new tools and processes to help secure OpenStack technologies. The project technical leader offers insight on the program.
    Security is such a critical element of the open-source OpenStack cloud platform that there is an entire project—the OpenStack Security project—dedicated to the task of helping protect OpenStack technologies.

    In a well-attended session at the OpenStack Summit in Barcelona, Spain, on Oct. 27, Rob Clark, the project technical leader of the OpenStack Security project, detailed the group's most recent efforts.

Security News

Filed under
Security
  • GNU Tar "Pointy Feather" Vulnerability Disclosed (CVE-2016-6321)

    Last week was the disclosure of the Linux kernel's Dirty COW vulnerability while the latest high-profile open-source project going public with a new security CVE is GNU's Tar. Tar CVE-2016-6321 is also called POINTYFEATHER according to the security researchers.

    The GNU Pointy Feather vulnerability comes down to a pathname bypass on the Tar extraction process. Regardless of the path-name(s) specified on the command-line, the attack allows for file and directory overwrite attacks using specially crafted tar archives.

  • Let’s Encrypt and The Ford Foundation Aim To Create a More Inclusive Web

    Let’s Encrypt was awarded a grant from The Ford Foundation as part of its efforts to financially support its growing operations. This is the first grant that has been awarded to the young nonprofit, a Linux Foundation project which provides free, automated and open SSL certificates to more than 13 million fully-qualified domain names (FQDNs).

    The grant will help Let’s Encrypt make several improvements, including increased capacity to issue and manage certificates. It also covers costs of work recently done to add support for Internationalized Domain Name certificates.

    “The people and organizations that Ford Foundation serves often find themselves on the short end of the stick when fighting for change using systems we take for granted, like the Internet,” Michael Brennan, Internet Freedom Program Officer at Ford Foundation, said. “Initiatives like Let’s Encrypt help ensure that all people have the opportunity to leverage the Internet as a force for change.”

  • How security flaws work: SQL injection

    Thirty-one-year-old Laurie Love is currently staring down the possibility of 99 years in prison. After being extradited to the US recently, he stands accused of attacking systems belonging to the US government. The attack was allegedly part of the #OpLastResort hack in 2013, which targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the tragic suicide of Aaron Swartz as the hacktivist infamously awaited trial.

  • How To Build A Strong Security Awareness Program

    At the Security Awareness Summit this August in San Francisco, a video clip was shown that highlights the need to develop holistic security awareness. The segment showed an employee being interviewed as a subject matter expert in his office cubicle. Unfortunately, all his usernames and passwords were on sticky notes behind him, facing the camera and audience for all to see.

    I bring this story up not to pick on this poor chap but to highlight the fact that security awareness is about human behavior, first and foremost. Understand that point and you are well on your way to building a more secure culture and organization.

    My work as director of the Security Awareness Training program at the SANS Institute affords me a view across hundreds of organizations and hundreds of thousands of employees trying to build a more secure workforce and society. As we near the end of this year's National Cyber Security Awareness Month, here are two tips to incorporate robust security awareness training into your organization and daily work.

FOSS Security

Filed under
OSS
Security
  • European Parliament votes to extend Free Software security audits

    Remember how I raised €1 million to demonstrate security and freedom aren’t opposites? Well here’s what happened next and how we are going to move forward with this.

    In 2014, two major security vulnerabilities, Heartbleed and Shellshock, were discovered. Both concerned Free Software projects that are widely used throughout the Internet, on computers, tablets, and smartphones alike. My colleague Max Andersson from the Swedish Greens and I proposed a so-called “pilot project”, the Free and Open Source Software Audit (FOSSA).

  • Princeton Upskills U on Open Source Security

    During Wednesday's Upskill U course, lecturer Gary Sockrider, principal security technologist for Arbor Networks, explained the history of DDoS attacks, case studies of recent attacks, and the business impact of these security threats. DDoS attacks not only raise operational expenses, but can also negatively affect an organization's brand, and result in loss of revenue and customers. (Listen to Security: Tackling DDoS.)

    "Having visibility is key, you can't stop something you can't see. Having good visibility across your own network is vital in finding and stopping these attacks," said Sockrider. "You can leverage common tools and technology that are already available on the network equipment you own today such as flow technologies, looking at SIP logs … Obviously you'll want to get to some specific intelligent DDoS mitigation in the end."

CentOS 6 Linux Servers Receive Important Kernel Security Patch, Update Now

Filed under
Linux
Red Hat
Security

We reported a couple of days ago that Johnny Hughes from the CentOS Linux team published an important kernel security advisory for users of the CentOS 7 operating system.


Security News

Filed under
Security
  • Thursday's security updates
  • Mirai will be dwarfed by future Android botnet DDoS attacks, Lookout warns

    THE MIRAI BOTNET will seem like nothing compared to the havoc that is caused when hackers turn their attention to hijacking Android smartphones, Lookout’s security research chief has warned.

    Speaking to the INQUIRER, Mike Murray said it would be easy for cyber crooks to take over millions of smartphones, noting how often the Android requires patching.

  • Deal Seeks to Limit Open-Source Bugs

    Seeking to spot potential security vulnerabilities in systems that increasingly rely on open source software, software license optimization vendor Flexera Software has acquired a specialist in identifying potentially vulnerable software components.

    Flexera, Itasca, Ill., said Thursday (Oct. 27) it is acquiring San Francisco-based Palamida Inc. Terms of the transaction were not disclosed.

  • Senator Wants to Classify Insecure Internet of Things Devices As 'Harmful'

    A massive attack carried out with a zombie army of hacked internet-connected devices caused intermittent outages on Friday, preventing tens of thousands of people from accessing popular sites such as Twitter, Reddit, and Netflix.

    For many security experts, an attack like that one, which leveraged thousands of easy-to-hack Internet of Things such as DVRs and surveillance cameras—weaponized thanks to a mediocre but effective malware known as Mirai—is just a sign of things to come.

    That’s why Sen. Mark Warner (D-Va.) wants the US government to do something about it.

  • Senator Prods Federal Agencies on IoT Mess

    The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.

    In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.

Security Leftovers

Filed under
Security

Alpine Linux 3.4.5 Released with Linux Kernel 4.4.27 LTS, Latest Security Fixes

Filed under
Linux
Security

A new maintenance update of the server-oriented Alpine Linux 3.4 operating system has been released, bringing a new Linux kernel version from the long-term supported 4.4 series and the latest security patches.


More of That Cow...

Filed under
Security

More in Tux Machines

Leftovers: Gaming

Leftovers: Software

  • Hyper Is a Terminal Emulator Built Using Web Technologies
    A lot of us use the terminal on Ubuntu, typically from an app like GNOME Terminal, Xterm or an app like Guake. But did you know that there’s a JS/HTML/CSS Terminal? It’s called Hyper (formerly/also known as HyperTerm, though it has no relation to the Windows terminal of the same/similar name) and, usefulness aside, it’s certainly a novel proof-of-concept. “The goal of the project,” according to the official website, “is to create a beautiful and extensible experience for command-line interface users, built on open web standards.”
  • Little Kids Having Fun With “Terminal Train” In Ubuntu Linux
    Linux is often stereotyped as the operating system for tech savvy users and developers. However, there are some fun Linux commands that one can use in spare time. A small utility named sl can be installed in Linux to play with the Terminal Train.
  • This Cool 8-Bit Desktop Wallpaper Changes Throughout The Day
    Do you want a dynamic desktop wallpaper that changes throughout the day and looks like the sort of environment you’d be able to catch Pokemon in? If so, check out Bit Day wallpapers. Created by Redditor user ~BloodyMarvelous, Bit Day is a collection of 12 high-resolution pixel art wallpapers.
  • This Script Sets Wallpapers from Imgur As Your Desktop Background
    Pyckground is a simple Python script that can fetch a new desktop background on the Cinnamon desktop from any Imgur gallery you want. I came across it while doing a bit of background on the Bit Day wallpaper pack, and thought it was nifty enough to be of use to some of you. So how does it work?
  • Productivity++
    In keeping with tradition of LTS aftermaths, the upcoming Plasma 5.9 release – the next feature release after our first Long Term Support Edition – will be packed with lots of goodies to help you get even more productive with Plasma!
  • Core Apps Hackfest 2016: report
    I spent last weekend at the Core Apps Hackfest in Berlin. The agenda was to work on GNOME’s core applications: Documents, Files, Music, Photos, Videos, Usage, etc.; to raise their overall standard and to make them push beyond the limits of the framework. There were 19 of us and among us we covered a wide range of modules and areas of expertise. I spent most of my time on the plumbing necessary for Documents and Photos to use GtkFlowBox and GtkListBox. The innards of Photos had already been overhauled to reduce its dependency on GtkTreeModel. Going into the hackfest we were sorely lacking a widget that had all the bells and whistles we need — the idiomatic GNOME 3 selection mode, and seamlessly switching between a list and grid view. So, this is where I decided to focus my energy. As a result, we now have a work-in-progress GdMainBox widget in libgd to replace the old GtkIconView/GtkTreeView-based GdMainView.

Leftovers: OSS and Sharing

  • Did Amazon Just Kill Open Source?
    Back in the days, we used to focus on creating modular architectures. We had standard wire protocols like NFS, RPC, etc. and standard API layers like BSD, POSIX, etc. Those were fun days. You could buy products from different vendors, they actually worked well together and were interchangeable. There were always open source implementations of the standard, but people could also build commercial variations to extend functionality or durability. The most successful open source project is Linux. We tend to forget it has very strict APIs and layers. New kernel implementations must often be backed by official standards (USB, SCSI…). Open source and commercial implementations live happily side by side in Linux. If we contrast Linux with the state of open source today, we see so many implementations which overlap. Take the big data eco-systems as an example: in most cases there are no standard APIs, or layers, not to mention standard wire protocols. Projects are not interchangeable, causing a much worse lock-in than when using commercial products which conform to a common standard.
  • Firebird 3 by default in LibreOffice 5.4 (Base)
    Lots of missing features & big bugs were fixed recently. All of the blockers that were initially mentioned on the tracking bug are now fixed.
  • Linux & Open Source News Of The Week — Comma.ai, Patches For Firefox and Tor, And OSS-Fuzz
  • Open Source Malaria helps students with proof of concept toxoplasmosis pill
    A team of Australian student researchers at Sydney Grammar School has managed to recreate the formula for Daraprim, the drug made (in)famous by the actions of Turing Pharmaceuticals last year when it increased the price substantially per pill. According to Futurism, the undertaking was helped along by an, “online research-sharing platform called Open Source Malaria [OSM], which aims to use publicly available drugs and medical techniques to treat malaria.” The students’ pill passed a battery of tests for purity, and ultimately cost $2 using different, more readily available components. It shows the potential of the platform, which has said elsewhere there is, “enormous potential to crowdsource new potential medicines efficiently.” Although Daraprim is already around, that it could be synthesized relatively easily without the same materials as usual is a good sign for OSM.
  • Growing the Duke University eNable chapter
    We started the Duke University eNable chapter with the simple mission of providing amputees in the Durham area of North Carolina with alternative prostheses, free of cost. Our chapter is a completely student-run organization that aims to connect amputees with 3D printed prosthetic devices. We are partnered with the Enable Community Foundation (ECF), a non-profit prosthetics organization that works with prosthetists to design and fit 3D printed prosthetic devices on amputees who are in underserved communities. As an official ECF University Chapter, we represent the organization in recipient outreach, and utilize their open sourced designs for prosthetic devices.

today's howtos