
Security

Security News

Filed under
Security

More Security Leftovers

  • Security advisories for Monday
  • security things in Linux v4.9
  • Black Hats Leveraging PowerShell

    Those with long memories might remember that in 1996, Microsoft added support in the Internet Explorer browser for ActiveX controls. While this greatly expanded the functionality of the Internet, it also made the web a much less safe place, especially for the average user. The trouble was, ActiveX made it simple to download and install software with little or no input from users. Even those not old enough to remember have probably already figured out that this didn't work out well.

  • A security lifetime every five years

    A long time ago, it wouldn’t be uncommon to have the same job at the same company for ten or twenty years. People loved their seniority, they loved their company, they loved everything staying the same. Stability was the name of the game. Why learn something new when you can retire in a few years?

    Well, a long time ago, was a long time ago. Things are quite a bit different now. If you’ve been doing the same thing at the same company for more than five years, there’s probably something wrong. Of course there are always exceptions to every rule, but I bet more than 80% of the people in their jobs for more than five years aren’t exceptions. It’s easy to get too comfortable, it’s also dangerous.

  • Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaw

    More than a year after a drowned Syrian toddler washed up on a beach in Turkey, the tiny refugee’s body, captured in a photograph that shocked the world, reappeared on computer screens across Saudi Arabia -- this time as a prelude to a cyberattack.

    The strike last month disabled thousands of computers across multiple government ministries in Saudi Arabia, a rare use of offensive cyberweapons aimed at destroying computers and erasing data. The attackers, who haven’t claimed responsibility, used the same malware that was employed in a 2012 assault against Saudi Arabian Oil Co., known as Saudi Aramco, and which destroyed 35,000 computers within hours.

  • London councils are reliant on unsupported Microsoft server software [Ed: Well, even if supported, still back doors in it. Abandon.]

    ALMOST 70 PER CENT of London councils are running unsupported server software, leaving them vulnerable to exploits for which there are no patches available.

    That's according to backup firm Databarracks, which through a Freedom of Information (FoI) request revealed that 69 per cent of London councils are running out-of-date server software.

    The firm contacted all 32 London boroughs as well as the City of London and received responses from all.

    The data revealed that 63 per cent of London councils are still running Windows Server 2003, 51 per cent run SQL Server 2005 and 10 per cent still use Windows Server 2000 - none of which are still supported by Microsoft.

  • PwC sends 'cease and desist' letters to researchers who found critical flaw

    A security research firm has released details of a "critical" flaw in a security tool, despite legal threats.

    Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorized access to an affected SAP system.

Security News

  • The sad tale of CVE-2015-1336

    Today I released man-db 2.7.6 (announcement, NEWS, git log), and uploaded it to Debian unstable. The major change in this release was a set of fixes for two security vulnerabilities, one of which affected all man-db installations since 2.3.12 (or 2.3.10-66 in Debian), and the other of which was specific to Debian and its derivatives.

    It’s probably obvious from the dates here that this has not been my finest hour in terms of responding to security issues in a timely fashion, and I apologise for that. Some of this is just the usual life reasons, which I shan’t bore you by reciting, but some of it has been that fixing this properly in man-db was genuinely rather complicated and delicate. Since I’ve previously advocated man-db over some of its competitors on the basis of a better security posture, I think it behooves me to write up a longer description.

  • Dear democracy, you need more hackers

    This is my write up from Nesta’s recent digital democracy day — I wasn’t planning to blog but it inspired me, so here you go.

    The day included two sessions; one focussed on local government and one in parliament focussed on, well, parliament. At the heart of each session were four fantastic presentations showcasing digital democracy projects from Iceland (Citizen’s Foundation — Gunnar Grímsson), Taiwan (Digital Minister — Audrey Tang), France (Cap Collectif — Nicolas Patte) and Brazil (Chamber of Deputies Hacker Lab — Cristiano Falia). Big thanks to Theo and the rest of the gang at Nesta for arranging.

    My main thought following the day (there was so much — it’s been hard to boil it down…) is that there needs to be more capacity in our democracy to hack. Government can no longer rely on off the shelf solutions to meet democratic challenges but needs to experiment and adapt - something brilliantly illustrated by each of the four projects.

    [...]

    The tools are not much use if the institutions of democracy are unwilling or unable to respond to them. Nicolas Patte explained how it took a long time to convince the elected representatives in France about their crowd-sourced legislation project but, with perseverance, they got there in the end.

    I loved that Taiwan has a ‘Minister of Hacking’ who can get things done at the highest level of government — her sage advice is that politicians can be asked to accept ‘those things they can live with’; compromise clearly plays a role.

  • Users Told Disconnect Certain Netgear Routers

    About this time I’m wondering if I’d even purchase a Netgear router.

    You’d think that with all of the fuss recently about the insecure Internet of things, especially when it comes to routers, that any router maker would be on top of it and patching vulnerabilities as soon as they’re discovered.

    Evidently not, as far as Netgear is concerned.

  • Busted Windows 8, 10 update blamed for breaking Brits' DHCP

    Folks using Windows 10 and 8 on BT and Plusnet networks in the UK are being kicked offline by a mysterious software bug.

    Computers running the Microsoft operating systems are losing network connectivity due to what appears to be a problem with DHCP. Specifically, it seems some Windows 10 and 8 boxes can no longer reliably obtain LAN-side IP addresses and DNS server settings from their BT and Plusnet broadband routers, preventing them from reaching the internet and other devices on their networks.

    (The link between BT and Plusnet is that, while the latter bills itself as a friendly independent ISP, it's really a subsidiary of the former.)

    BT and Plusnet told The Register Microsoft is investigating the blunder. Redmond also confirmed on Thursday in its support forum that it’s looking into the problem.

  • Containers in Production – Is Security a Barrier? A Dataset from Anchore

    Over the last week we have had the opportunity to work with an interesting set of data collected by Anchore (full disclosure: Anchore is a RedMonk client). Anchore collected this data by means of a user survey run in conjunction with DevOps.com. While the number of respondents is relatively small, at 338, there are some interesting questions asked, and a number of data points which support wider trends we are seeing around container usage. With any data set of this nature, it is important to state that survey results strictly reflect the members of the DevOps.com community.

Security Leftovers

  • The IoT: Gateway for enterprise hackers

    The risk of notoriously insecure Internet of Things devices is not so much that those devices themselves will be compromised, but that they provide dozens – perhaps hundreds – of openings that could allow attackers to get inside an enterprise network.

  • Netgear users advised to stop using affected routers after severe flaw found
  • We must return transparency to voting [Ed: a real problem]

    With the passage of the Help America Vote Act in 2002, electronic voting systems became the law of the land. This law required proprietary electronic voting systems be used in America.

    It must be noted, however, that Americans would not be permitted to use open-source software to protect their right to vote. When proprietary electronic-voting systems are used for elections, Americans literally lose their right to vote.

    In America, our governments, whether local, state or federal, rely on elections that permit anyone to scrutinize the election process, including the vote count. Whether by paper ballot or electronic voting system, it is every American's right to examine the vote count process to satisfy their personal demand that the vote count is accurate and verifiable.

  • CloudLinux 7 Kernel Update Patches 5-Year-Old Privilege-Escalation Vulnerability


Security News

  • A 'mystery device' is letting thieves break into cars and drive off with them, insurance group says

    Insurance crime investigators are raising alarms over a device that not only lets thieves break into cars that use keyless entry systems but also helps start and steal them.

    Investigators from the National Insurance Crime Bureau, a not-for-profit organization, said in an interview they obtained what they called the “mystery device” from a third-party security expert at an overseas company.

    So far, the threat here may be mostly theoretical. The crime bureau said it heard of the device being used in Europe and had reports that it had entered the U.S., but said there are no law enforcement reports of a car being stolen using it in the United States.

  • Turkish hacking group offers tiered points rewards program for DoS attacks

    A TURKISH HACKING GANG is taking an unusual approach to funding denial of service attacks, soliciting for, and offering hackers rewards for, taking down chosen pages.

    This is unusual, as far as we know, and it has led to the creation of comment from the security industry. Often these things do.

  • German judges explain why Adblock Plus is legal

    Last month, Adblock Plus maker Eyeo GmbH won its sixth legal victory in German courts, with a panel of district court judges deciding that ad-blocking software is legal despite German newsmagazine Der Spiegel's arguments to the contrary. Now, the reasoning of the Hamburg-based panel of judges has been made public.

    According to an unofficial English-translated copy (PDF) of the judgment, Spiegel Online argued it was making a "unified offer" to online consumers. Essentially, that offer is: read the news content for free and view some ads. While Internet users have the freedom "not to access this unified offer," neither they nor Adblock Plus have the right to "dismantle" it. Eyeo's behavior thus amounted to unfair competition, and it could even wipe the offer out, Spiegel claimed.

    "The Claimant [Spiegel] argues that the Defendant’s [Eyeo's] business model endangers the Claimant’s existence," reads the judgment, which isn't final because it can be appealed by Spiegel. Because users aren't willing to pay for editorial content on the Web, "it is not economically viable for the Claimant to switch to this business model."

    Spiegel asked for an accounting of all the blocked views on its website and a fine to be paid—or even for managers Wladimir Palant and Till Faida to be placed in "coercive detention" of up to two years.

  • Op-ed: I’m throwing in the towel on PGP, and I work in security [Ed: Only a tool would drop PGP for Facebook-controlled WhatsApp. The company back-doors everything under gag orders.]

    In the coming weeks I'll import all signatures I received, make all the signatures I promised, and then publish revocations to the keyservers. I'll rotate my Keybase key. Eventually, I'll destroy the private keys.

  • 90 per cent of NHS Trusts are still running Windows XP machines

    90 PER CENT of the NHS continues to run Windows XP machines, two and a half years after Microsoft ditched support for the ageing OS.

    It's Citrix who is ringing the alarm bells, having learnt that 90 per cent of NHS Trusts are still running Windows XP PCs. The firm sent Freedom of Information (FoI) requests to 63 NHS Trusts, 42 of which responded.

    The data also revealed that 24 Trusts are still not sure when they'll migrate from Windows XP to a newer version of Microsoft's OS. 14 per cent said they would be transitioning to a new operating system by the end of this year, while 29 per cent pledged to make the move sometime next year.

  • Ransomware blamed for attack that caused Lincolnshire NHS Trust shutdown

    RANSOMWARE is to blame for an attack which forced an NHS Trust in Lincolnshire to cancel operations for four days in October.

    In a statement, Northern Lincolnshire and Goole NHS Foundation Trust said that a ransomware variant called Globe2 was to blame for the incident.

  • Researchers Find Fresh Fodder for IoT Attack Cannons

    New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

  • Your data is not safe. Here's how to lock it down

    But some people worry that government surveillance will expand under a Donald Trump presidency, especially because he tapped Mike Pompeo, who supports mass surveillance, for CIA chief.

  • Tor at the Heart: Library Freedom Project

    Library Freedom Project is an initiative that aims to make real the promise of intellectual freedom in libraries by teaching librarians and their local communities about surveillance threats, privacy rights and responsibilities, and privacy-enhancing technologies to help safeguard digital freedoms.

  • PowerShell security threats greater than ever, researchers warn

    Administrators should upgrade to the latest version of Microsoft PowerShell and enable extended logging and monitoring capabilities in the light of a surge in related security threats, warn researchers [...] Now more than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.

  • Five-Year-Old Bait-and-Switch Linux Security Flaw Patched

    Maintainers of the Linux Kernel project have fixed three security flaws this week, among which there was a serious bug that lingered in the kernel for the past five years and allowed attackers to bypass some OS security systems and open a root shell.

  • The Internet of Dangerous Auction Sites

    Ok, I know this is kind of old news now, but Bruce Schneier gave testimony to the House of Representatives’ Energy & Commerce Committee about computer security after the Dyn attack. I’m including this quote because I feel it sets the scene nicely for what follows here.

    Last week, I was browsing the popular online auction site eBay and I noticed that there was no TLS. For a moment, I considered that maybe my traffic was being intercepted deliberately; there’s no way that eBay as a global company would be deliberately risking users in this way. I was wrong. There is not and has never been TLS for large swathes of the eBay site. In fact, the only point at which I’ve found TLS is in their help pages and when it comes to entering card details (although it’ll give you back the last 4 digits of your card over a plaintext channel).


Security News

  • Security advisories for Friday
  • Oh, the security!

    This security concern has only been raised because of the use of third-party parsers (well, in the case of the GStreamer vulnerability in question, decoders; why a parsing facility like GstDiscoverer triggers decoding is another question worth asking), and this parsing of content happens in exactly one place in your common setup: tracker-extract.

  • Patch for CVE-2016-8655 Issue Now Available for CloudLinux OS 7 KernelCare Users

    Just the other day we reported on the general availability of a kernel update for the shared hosting-oriented CloudLinux OS 7 operating system, and today a new patch is available for those running KernelCare.

    If you're not familiar with KernelCare, it's a commercial kernel live patching technology developed and provided by CloudLinux for its CloudLinux OS users. We've discussed CloudLinux's KernelCare in a previous report if you're curious to test drive it.

Three serious Linux kernel security holes patched


The good news is developers are looking very closely at Linux's core code for possible security holes. The bad news is they're finding them.

At least the best news is that they're fixing them as soon as they're uncovered.

The latest three kernel vulnerabilities are designated CVE-2016-8655, CVE-2016-6480, and CVE-2016-6828. Of these, CVE-2016-8655 is the worst of the bunch. It enables local users, which can include remote users with virtual and cloud-based Linux instances, to crash the system or run arbitrary code as root.


Antivirus Live CD 21.0-0.99.2 Helps You Protect Your Computer Against Viruses


4MLinux developer Zbigniew Konojacki proudly informs Softpedia today about the general availability of the Antivirus Live CD 21.0-0.99.2 bootable ISO image for scanning computers for viruses and other malware.


More in Tux Machines

KDE Leftovers

  • Integrate Your Android Device With Ubuntu Using KDE Connect Indicator Fork
    KDE Connect is a tool which allows your Android device to integrate with your Linux desktop. With KDE Connect Indicator, you can use KDE Connect on desktops that support AppIndicators, like Unity, Xfce (Xubuntu), and so on.
  • FirstAid – PDF Help Viewer
    In recent months, I didn’t find much time to spend on Kate/KTextEditor development. But at least I was now able to spend a bit more time on OpenSource & Qt things even during work time in our company. Normally I am stuck there with low level binary or source analysis work. [...] Therefore, as our GUIs are developed with Qt anyways, we did take a look at libpoppler (and its Qt 5 bindings), which is the base of Okular, too.
  • KBibTeX 0.6.1-rc2 released
    After quite some delay, I finally assembled a second release candidate for KBibTeX 0.6.1. Version 0.6.1 will be the last release in the 0.6.x series.
  • Meet KDE at FOSDEM Next Month
    Next month is FOSDEM, the largest gathering of free software developers anywhere in Europe. FOSDEM 2017 is being held at the ULB Campus Solbosch on Saturday 4th and Sunday 5th of February. Thousands of coders, designers, maintainers and managers from projects as popular as Linux and as obscure as Tcl/Tk will descend on the European capital Brussels to talk, present, show off and drink beer.

Leftovers: OSS

  • D-Wave Unveils Open-Source Software for Quantum Computing
    Canada-based D-Wave Systems has released an open-source software tool designed to help developers program quantum computers, Wired reported Wednesday.
  • D-Wave builds open quantum computing software development ecosystem
    D-Wave Systems has released an open source quantum computing chunk of software. Quantum computing, as we know, moves us on from the world of mere 1’s and 0’s in binary to the new level of ‘superposition’ qubits that can represent many more values and therefore more computing power — read this accessible piece for a simple explanation of quantum computing.
  • FOSS Compositing With Natron
    Anyone who likes to work with graphics will at one time or another find compositing software useful. Luckily, FOSS has several of the best in Blender and Natron.
  • Hadoop Creator Doug Cutting: 5 Ways to Be Successful with Open Source in 2017
    Because of my long-standing association with the Apache Software Foundation, I’m often asked the question, “What’s next for open source technology?” My typical response is variations of “I don’t know” to “the possibilities are endless.” Over the past year, we’ve seen open source technology make strong inroads into the mainstream of enterprise technology. Who would have thought that my work on Hadoop ten years ago would impact so many industries – from manufacturing to telecom to finance. They have all taken hold of the powers of the open source ecosystem not only to improve the customer experience, become more innovative and grow the bottom line, but also to support work toward the greater good of society through genomic research, precision medicine and programs to stop human trafficking, as just a few examples. Below I’ve listed five tips for folks who are curious about how to begin working with open source and what to expect from the ever-changing ecosystem.
  • Radio Free HPC Looks at New Open Source Software for Quantum Computing
    In this podcast, the Radio Free HPC team looks at D-Wave’s new open source software for quantum computing. The software is available on github along with a whitepaper written by Cray Research alums Mike Booth and Steve Reinhardt.
  • Why events matter and how to do them right
    Marina Paych was a newcomer to open source software when she left a non-governmental organization for a new start in the IT sector—on her birthday, no less. But the real surprise turned out to be open source. Fast forward two years and this head of organizational development runs an entire department, complete with a promotional staff that strategically markets her employer's open source web development services on a worldwide scale.
  • Exploring OpenStack's Trove DBaaS Cloud Service
    You can install databases such as MySQL, PostgreSQL, or even MongoDB very quickly thanks to package management, but the installation is not even half the battle. A functioning database also needs user accounts and several configuration steps for better performance and security. This need for additional configuration poses challenges in cloud environments. You can always manually install a virtual machine in traditional settings, but cloud users want to generate an entire virtual environment from a template. Manual intervention is difficult or sometimes even impossible.
  • Mobile Edge Computing Creates ‘Tiny Data Centers’ at the Edge
    “Usually access networks include all kinds of encryption and tunneling protocols,” says Fite. “It’s not a standard, native-IP environment.” Saguna’s platform creates a bridge between the access network to a small OpenStack cloud, which works in a standard IP environment. It provides APIs about such things as location, registration for services, traffic direction, radio network services, and available bandwidth.

Leftovers: Ubuntu and Debian

  • Debian Creeps Closer To The Next Release
    I’ve been alarmed by the slow progress of Debian towards the next release. They’ve had several weird gyrations in numbers of “release-critical” bugs and still many packages fail to build from source. Last time this stage, they had only a few hundred bugs to go. Now they are over 600. I guess some of that comes from increasing the number of included packages. There are bound to be more bad interactions, like changing the C compiler. I hate that language which seems to be a moving target… Systemd seems to be smoother but it still gives me problems.
  • Mir: 2016 end of year review
    2016 was a good year for Mir – it is being used in more places, it has more and better upstream support and it is easier to use by downstream projects. 2017 will be even better and will see version 1.0 released.
  • Ubuntu Still Planning For Mir 1.0 In 2017
    Alan Griffiths of Canonical today posted a year-in-review for Mir during 2016 and a look ahead to this year.
  • Linux Mint 18.1 “Serena” KDE – BETA Release

GNU Gimp Development

  • Community-supported development of GEGL now live
    Almost every new major feature people have been asking us for, be it high bit depth support, or full CMYK support, or layer effects, would be impossible without having a robust, capable image processing core. Øyvind Kolås picked up GEGL in mid-2000s and has been working on it in his spare time ever since. He is the author of 42% of commits in GEGL and 50% of commits in babl (pixel data conversion library).
  • 2016 in review
    When we released GIMP 2.9.2 in late 2015 and stepped over into 2016, we already knew that we’d be doing mostly polishing. This turned out to be true to a larger extent, and most of the work we did was under-the-hood changes. But quite a few new features slipped in. So, what are the big user-visible changes for GIMP in 2016?