Security News

  • A pile of security updates for Thursday
  • What this Yahoo data breach means for you

    On Thursday afternoon Yahoo confirmed a massive data leak of at least 500 million user accounts, which is a very big deal.

    Though the data breach obviously spells trouble for those with YahooMail accounts, users with hacked accounts need to keep in mind that the breach goes so much further.

    Yahoo owns a bunch of other major sites like Flickr, Tumblr and fantasy football site, which means the 500 million users affected by the data breach also have to worry about their personal information associated with all additional Yahoo services.

  • Hackers now have a treasure trove of user data with the Yahoo breach
  • Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

    Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users. And who knew there were that many people using its email?

    The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.

    This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.

  • Brian Krebs' blog banged in bloody massive DDoS

    YOU KNOW that Brian Krebs guy? Well, his website has been hit with a huge denial-of-service (DDoS) attack that he couldn't handle on his own.

    Krebs is that security guy. He is bound to have some enemies out there, so we expect that sooner or later someone will take the credit for ruining the pathway to his pages.

    For now we have Krebs to explain what happened and who helped him deal with it. The short version is that there was great big whack of an attack on him, and that he needed assistance from security firm Akamai.

Security Fallacies

  • Matthew Garrett Explains How to Increase Security at Boot Time [Ed: Microsoft apologist Matthew Garrett is promoting UEFI again, even after the Lenovo debacle]

    Security of the boot chain is a vital component of any other security solution, said Matthew Garrett of CoreOS in his presentation at Linux Security Summit. If someone is able to tamper with your boot chain then any other security functionality can be subverted. And, if someone can interfere with your kernel, any amount of self-protection the kernel might have doesn’t really matter.

    “The boot loader is in a kind of intermediate position,” Garrett said. It can modify the kernel before it passes control to it, and then there’s no way the kernel can verify itself once it’s running. In the Linux ecosystem, he continued, the primary protection in the desktop and server space is UEFI secure boot, which is a firmware feature whereby the firmware verifies a signature on the bootloader before it executes it. The bootloader in turn verifies a signature on the next step of the boot process, and so on.

  • Is open source security software too much of a risk for enterprises? [Ed: inverses the truth; proprietary software has secret back doors that cannot be found and patched]

    Although free, there are many institutions that are reluctant to use open source software, for obvious reasons. Using open source software that is not controlled by the enterprise -- in production environments and in mission-critical applications -- introduces risks that could be detrimental to the basic tenets of cybersecurity, such as confidentiality, integrity and availability. This includes open source security software like the tools Netflix uses.

Security News

  • Security advisories for Wednesday
  • Why we should just simply call ourselves Hackers

    Developers, Programmers, Engineers, Code Artists, Coders, Codesmiths, Code Warriors, Craftsmen … these are currently the labels we use to explain our profession. One can get an idea of how this can appear confusing to the outsider.

    Computers can enrich our lives, give focus, amplify our adventures, gauge our science and grow our business. Right now computing is being embedded into everything and it is now more than ever that we need to redefine our role and show. some. fucking. solidarity.

    Rather than confusing pre-existing labels and shoe-horning them to our profession, which makes use of synthetic intelligence more than any, I propose that we call ourselves Hackers instead of the myriad other ways.

  • Germany surveys cyber-attacks

    Germany’s Federal Office for Information Security (BSI) has launched a survey to obtain information about actual cyber-attacks on business and government, to assess potential risks, and to determine protective measures. The study should result in new ICT security recommendations.

FOSS in Government (US and UK)

  • Dear The Sun: we need to talk about your understanding of open source

    I want to talk to you about this article, and the claims it makes about open source software. I would have liked to chat to your cited expert, whom you’ve listed only as Neil Doyle. Sadly, the article fails to specify his area of expertise and both messages and emails to author Ryan Sabey asking for further information have gone unanswered. So I’m responding to it here, supported by some brilliant, contactable experts in security and open source.

    After sitting open-mouthed at the misinformation in this article for some time, I began to reach out to fellow tech experts to see if they felt the same. I first contacted Dr. Jessica Barker, the independent cybersecurity authority behind I asked if she could address the concerns you raised that use of open source software in the public sector would pose security risks.


    “The Sun seems to be implying that open source software is more vulnerable to attack than closed source, which is a sweeping misunderstanding that fails to take the complex nature of cybersecurity into account.

    Both open source and closed source software can be vulnerable to exploit, however these vulnerabilities are arguably more likely to be discovered in open source rather than closed source software as more people (including security researchers) are able to look at it. By its nature, it is publicly available and so it’s harder to hide malicious vulnerabilities”.

  • DOD Aims to Make Cybersecurity a Fundamental Part of Its Tech Mission
  • The Department of Software?

    Well-developed software can make or break modern weapons systems. Software problems initially hindered F-35 production, for example. The Department of Defense (DOD) set up a Digital Service team last year to help the military solve its information technology problems. Future work on autonomous systems will heavily rely on software development. Most importantly, the DOD will have to protect its own data. To improve the DOD’s use of software, the Center for a New American Security (CNAS) looked at how the Pentagon could better use “open source software.” While the DOD uses some open source software, its full utilization for military software development will require deeper changes to how the DOD approaches code.

  • John Weathersby: Selling Open Source to the Federal Government

    John Weathersby founded and ran the Open Source Software Institute to “promote the development and implementation of open source software solutions within U.S. federal, state, and local government agencies.” A worthy goal!

    But why stick to nothing but software? In 2014, Weathersby founded The Open Technology Center at Camp Shelby Joint Forces Training Center (in Mississippi), which is a “non-profit research and development entity sponsored by the Mississippi National Guard and U.S. Department of Homeland Security whose mission is to innovate and integrate open source software technologies for use within national defense and security organizations.”

    The OTC is doing some neat stuff, ranging from autonomous vehicles to making it easier for local governments to request, receive, and account for disaster recovery funds in the wake of an emergency. It’s all good! And it’s all about open source, which is why it’s worth listening to what Weathersby has to say.

Security Leftovers

  • DDoS attacks: For the hell of it or targeted – how do you see them off?

    Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative.

    DDoS attacks can be massive, in some cases reaching hundreds of Gbits/sec, but those mammoths are relatively rare. For the most part, attackers will flood companies with around 1 Gbit/sec of traffic or less. They’re also relatively short affairs, with most attacks lasting 30 minutes or less. This enables attackers to slow down computing resources or take them offline altogether while flying under the radar, making it especially difficult for companies to detect and stop them.

  • IoT and a new type of threat for Linux

    Linux has played a significant role in establishing IoT devices as increasingly important parts of our everyday lives, both at home and in the enterprise. Linux based OSes make it easy for developers to create applications that can run on anything, from a fridge to a car, and as a result 73 percent of IoT developers use Linux to run applications on.

    Now, however, questions of security are arising. With IoT gesturing in a brave new world of connected devices, businesses must cope with a greater number of entry points and vulnerabilities, with security the top concern in the industry.

    By placing such a burden on Linux’s security capabilities, there are now real fears that IoT devices will be left exposed and businesses will pay the price.

  • NIST Seeks Comments on Cybersecurity Reports

    The US National Institute of Standards and Technology (NIST) has recently issued two draft reports on cybersecurity issues of interest to industrial IoT users, and is seeking industry comment before making their final revisions. One report describes the proposed manufacturing profile for NIST's Cybersecurity Framework. The other addresses cryptography standards and practices for resource-constrained processors.

    Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, NIST created in 2014 a voluntary Cybersecurity Framework, which is a compendium of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector, the Framework helps guide cybersecurity activities and encourages organizations to consider cybersecurity risks as part of their risk management processes. Profiles, a key element of the Framework, help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. A profile is intended both to help identify opportunities for improving cybersecurity as well as providing a touchstone to compare against in order to prioritize process improvement activities.

  • Hackers Able To Control Tesla S Systems From Twelve Miles Away

    Over the last few years, we've well documented the abysmal security in the internet of things space. And while refrigerators that leak your Gmail credentials are certainly problematic, the rise in exploitable vehicle network security is exponentially more worrying. Reports emerge almost monthly detailing how easy it is for hackers to bypass vehicle security, allowing them to at best fiddle with in-car systems like air conditioning, and at worst take total control of a compromised vehicle. It's particularly problematic given these exploits may take years to identify and patch.

Security News

  • Bug that hit Firefox and Tor browsers was hard to spot—now we know why

    As a result, the cross-platform, malicious code-execution risk most recently visited users of browsers based on the Firefox Extended Release on September 3 and lasted until Tuesday, or a total of 17 days. The same Firefox version was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.

  • Florida Man Charged With Hacking Linux Servers

    Donald Ryan Austin of South Florida has been arrested on charges of hacking into the networks of Linux Kernel Organization and Linux Foundation and installing malicious software. A US Department of Justice (DoJ) release said Austin, who is a computer programmer, is now out on bail and could face a maximum sentence of 10 years if convicted.

    According to the indictment, Austin stole the credentials of an employee to break into the Linux networks and installed rootkit and Trojan software apart from altering the servers. He has been charged with four counts of deliberate damage to a protected computer.

  • Why do hackers prefer Linux?

    Linux has much to offer any computer user, but it has proven to be particularly popular with hackers. A writer at The Merkle recently considered the reasons why hackers have so much love for Linux.

  • How To Get “Hollywood Hacker Feel” In Your Linux Command Line?

    A developer has created a command line utility which can give you the feel of Hollywood movie hacker. His tool replicates the decrypting text seen from the 1992 hacker movie Sneakers. The code is freely available on his GitHub page.

Security News

  • Security updates for Tuesday
  • Aid Security Incident Statistics: 18-month trends based on open source reported events affecting aid infrastructure (December 2014 to May 2016)
  • Easy Secure Web Serving with OpenBSD’s acme-client and Let’s Encrypt

    As recently as just a few years ago, I hosted my personal website, VPN, and personal email on a computer running OpenBSD in my basement. I respected OpenBSD for providing a well-engineered, no-nonsense, and secure operating system. But when I finally packed up that basement computer, I moved my website to an inexpensive cloud server running Linux instead.

    Linux was serviceable, but I really missed having an OpenBSD server. Then I received an email last week announcing that the StartSSL certificate I had been using was about to expire and realized I was facing a tedious manual certificate replacement process. I decided that I would finally move back to OpenBSD, running in the cloud on Vultr, and try the recently-imported acme-client (formerly “letskencrypt”) to get my HTTPS certificate from the free, automated certificate authority Let’s Encrypt.

  • iPhone passcode bypassed with NAND mirroring attack

    Passcodes on iPhones can be hacked using store-bought electronic components worth less than $100 (£77), according to one Cambridge computer scientist.

    Sergei Skorobogatov has demonstrated that NAND mirroring—the technique dismissed by James Comey, the director of the FBI, as unworkable—is actually a viable means of bypassing passcode entry limits on an Apple iPhone 5C. What's more, the technique, which involves soldering off the phone's flash memory chip, can be used on any model of iPhone up to the iPhone 6 Plus, which use the same type of LGA60 NAND chip. Later models, however, will require "more sophisticated equipment and FPGA test boards."

    In a paper he wrote on the subject, Skorobogatov, a Russian senior research associate at the Cambridge Computer Laboratory's security group, confirmed that "any attacker with sufficient technical skills could repeat the experiment," and while the technique he used is quite fiddly, it should not present too much of an obstacle for a well-resourced branch of law enforcement.

    The attack works by cloning the iPhone's flash memory chip. iPhones generally allow users six attempts to guess a passcode before locking them out for incrementally longer periods of time; by the complex process of taking the phone apart, removing its memory chip, and then cloning it, an attacker is able to have as many clusters of six tries as they have the patience to make fresh clones. Skorobogatov estimates that each run of six attempts would take about 45 seconds, meaning that it would take around 20 hours to do a full cycle of all 10,000 passcode permutations. For a six-digit passcode, this would grow to about three months—which he says might still be acceptable for national security.

  • Seagate NAS hack should scare us all

    No fewer than 70 percent of internet-connected Seagate NAS hard drives have been compromised by a single malware program. That’s a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.

Tails 2.6 Anonymous Linux Live CD Is Out, Brings Tor & Tor Browser 6.0.5

Just a few moments ago, the Tails development team proudly announced the official and general availability of the Tails 2.6 anonymous Live CD Linux operating system based on the latest Debian technologies.

Earlier this month, we reported on the availability of the first development version of Tails 2.6, the RC1 build, which also appeared to be the only one, and now, nearly three weeks later, we can get our hands on the final release, which brings many updated components and several new features.

According to the release notes, the biggest new features in Tails 2.6 are the enablement of the kASLR (kernel address space layout randomization) in the Linux kernel packages that ship with the popular amnesic incognito live system, protecting users from buffer overflow attacks.

IPFire 2.19 - Core Update 104 released

This is the official release announcement for IPFire 2.19 – Core Update 104.
This update brings you a new kernel under the hood and a from scratch rewritten Guardian.

More in Tux Machines

GParted Live 0.27.0-1 Disk Partitioning Live CD Out Now, Based on GParted 0.27.0

Just one day after announcing the release of the GParted 0.27.0 open-source partition editor software, Curtis Gedak is informing us about the availability of the GParted Live 0.27.0-1 stable release.

Netrunner Core 16.09 "Avalon" Is Based on Debian GNU/Linux 8, KDE Plasma 5.7.5

Today, October 23, 2016, the development team behind the Debian-based Netrunner GNU/Linux distribution proudly announced the release of Netrunner Core 16.09 "Avalon."