Mozilla defaults Tracking Protection for Firefox developer builds, but only for private browsing

Pre-beta versions of Firefox will block domains known to track users by default when a private browser window is opened.

Security Leftovers

  • Friday's security advisories
  • Research Paper: Securing Linux Containers
  • Kaspersky Antivirus accused of creating fake malware for over 10 years

    It basically worked like this: Kaspersky would inject dangerous-looking code into common pieces of software. It would then anonymously submit the files to malware aggregators such as Google-owned VirusTotal. When competitors added the malware to their detection engines, they’d mistakenly flag the original files because of the similar code.

  • Investigating the Computer Security Practices and Needs of Journalists

    Though journalists are often cited as potential users of computer security technologies, their practices and mental models have not been deeply studied by the academic computer security community. Such an understanding, however, is critical to developing technical solutions that can address the real needs of journalists and integrate into their existing practices. We seek to provide that insight in this paper, by investigating the general and computer security practices of 15 journalists in the U.S. and France via in-depth, semi-structured interviews. Among our findings is evidence that existing security tools fail not only due to usability issues but when they actively interfere with other aspects of the journalistic process; that communication methods are typically driven by sources rather than journalists; and that journalists’ organizations play an important role in influencing journalists’ behaviors. Based on these and other findings, we make recommendations to the computer security community for improvements to existing tools and future lines of research.

  • Ten scary hacks I saw at Black Hat and DEF CON

    The highlight of this year’s Black Hat conference was a remote hack of the Jeep Cherokee and other Fiat Chrysler vehicles, demonstrated by security researchers Charlie Miller and Chris Valasek.

    The attack was the culmination of a year of painstaking work that involved reverse-engineering car firmware and communications protocols. It eventually allowed the two researchers to hack into the car infotainment systems over mobile data connections and take over brake, steering and other critical systems. The research forced Chrysler to recall 1.4 million automobiles so they could be patched and prompted a car cybersafety legislative proposal from the U.S. Congress.

  • How to hack a Corvette with a text message

    Researchers have demonstrated how a simple text message can be used to control a vehicle.

  • Facebook issues Internet Defense Prize for vulnerability discovery tool

    Facebook has awarded $100,000 to a pair of Ph.D students for their work in the security of C++ programs which resulted in the detection and patching of zero-day vulnerabilities.

Security Leftovers

  • Linux Concerns: Convenience vs. Security

    Once upon a recent time, Linux was more secure than it is today. Only the root user could mount external devices, and in many distributions new users were automatically assigned a few groups that limited the hardware they could access. Distributions followed the principle of least privilege (aka least access), under which users, applications, and devices receive only the access to the system that they absolutely require.

  • Security updates for Thursday
  • One Definition Of Lock-in: Running “2003” So Many Years Later

    Why do they do it? Run “2003” in 2015! It’s not cost, because Debian GNU/Linux would cost $0. It’s lock-in whether by habit or by application. Lots of folks have invested heavily in applications that still work so they are willing to risk everything, perhaps by adding other layers of security. Why?

  • Imploding Barrels and Other Highlights From Hackfest DefCon

    Visiting Las Vegas can feel a bit like being a metal sphere in a pinball machine—you’re tossed from bright lights to blaring shows and back again until you eventually (hopefully) emerge out a hole at your home airport. When you visit Vegas with a swarm of hackers and security researchers, the dizziness gets amped up tenfold and can be laced with a dose of dark mischief.

  • Cisco networking gear can be hijacked, warns company

    An attacker can swap out the device's firmware with altered, malicious software.

  • Video Shows a Terrifying Drug Infusion Pump Hack in Action

    It’s one thing to talk about security vulnerabilities in a product, but another to provide a proof-of-concept demonstration showing the device being hacked.

    That’s what occurred last month when BlackBerry Chief Security Officer David Kleidermacher and security professional Graham Murphy showed how easy it is for hackers to take control of a hospital drug infusion pump by overwriting the device’s firmware with malicious software.

  • August ’15 security fixes for Adobe Flash

    ...Adobe released updated Flash player plugins which address many new vulnerabilities (as usual).

Security Leftovers

  • Researchers reveal electronic car lock hack after 2-year injunction by Volkswagen

    In 2012, researchers at Radboud University in the Netherlands discovered a security flaw in a common automotive security chip used in theft prevention by Volkswagen, Audi, Fiat, Honda, and Volvo vehicles. But after they disclosed their results to the auto manufacturers—a full nine months before they planned to publish them—the automakers sued to keep them quiet.

  • How texting a Corvette could stop it in its tracks

    As if recent research on car hacking wasn’t frightening enough, a new study shows yet another danger to increasingly networked vehicles.

    This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car’s dashboard, known as telematic control units (TCUs).

    Insurance companies issue the devices to monitor driving metrics in order to meter policies. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.

  • BlackBerry can't catch a break: Now it's fending off Jeep hacking claims

    BlackBerry has denied rumors that its software might have played a role in the infamous "Jeep hack," saying it's "unequivocally" not true.

    In July, security researchers revealed that certain cars built by Fiat Chrysler were vulnerable to potentially life-threatening remote attacks, thanks to a flaw in the automaker's uConnect in-vehicle infotainment system.

    The underlying operating system that powers uConnect is QNX Neutrino, a real-time OS that's made by a BlackBerry subsidiary. On Friday, investment website Seeking Alpha published an editorial questioning whether some kind of flaw in QNX might be implicated in the Jeep hack.

  • Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

    A design flaw in Intel's processors can be exploited to install malware beneath operating systems and antivirus – making it tough to detect and remove.

    "It's a forgotten patch to a forgotten problem, but opens up an incredible vulnerability," said Christopher Domas, a security researcher with the Battelle Memorial Institute, who revealed the hardware bug at the Black Hat conference in Vegas last week.

  • Security updates for Tuesday
  • Security advisories for Wednesday
  • Tokenless Keystone

    One-time passwords (OTPs) in conjunction with Basic Auth or some other way to curry the data to the server provides an interesting alternative. In theory, the user could pass the OTP along at the start of the request, the Horizon server would be responsible for timestamping it, and the password could then be used for the duration. This seems impractical, as we are essentially generating a new bearer token. For all-in-one deployments they would work as well as Basic-Auth.

Oracle's Lunacy

  • No, You Really Can’t

    Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”


    But you know, if Oracle's strongly-worded letters are written in Davidson's style, I think I'd quite enjoy the entertainment value.

  • No, You Really Can’t (Mary Ann Davidson Blog)
  • Oracle security chief to customers: Stop checking our code for vulnerabilities [Updated]

    Perhaps thinking that all the security researchers in the world were busy recovering from Black Hat and DEF CON and would be somehow more pliant to her earnest message, Mary Ann Davidson wrote a stern message to customers entitled "No, You Really Can't" (here in Google's Web cache; it's also been reproduced on in the event that Oracle gets Google to remove the cached copy). Her message: stop scanning Oracle's code for vulnerabilities or we will come after you. "I’ve been writing a lot of letters to customers that start with 'hi, howzit, aloha'," Davidson wrote, "but end with 'please comply with your license agreement and stop reverse engineering our code, already.'"

  • Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant

    While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.

    Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike from the software giant for both reverse engineers and bug bounties in a long blog post on Monday. The post was pulled on Tuesday lunchtime, but its contents remain available via the Internet Archive here.

  • Oracle to 'sinner' customers: Reverse engineering is a sin and we know best

    Opinion: Stop sending vulnerability reports already. Oracle's chief security officer wants to go back to writing murder mysteries.

Tails 1.5 is out

There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

'CVE-2015-4495 and SELinux', Or why doesn't SELinux confine Firefox?

Why don't we confine Firefox with SELinux?

That is one of the most often asked questions, especially after a new CVE like CVE-2015-4495 shows up. This vulnerability in Firefox allows a remote session to grab any files in your home directory. If you can read the file then Firefox can read it and send it back to the website that infected your browser.

The big problem with confining desktop applications is the way the desktop has been designed.

OpenSSH 7.0

OpenSSH 7.0 has just been released. It will be available from the
mirrors listed at shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.

Security Leftovers

  • Researchers Hack into a Linux-Powered Self-Aiming Sniper Rifle

    Two researchers, Michael Auger and Runa Sandvik, will present today, at the Black Hat conference in Las Vegas, their recent findings into the world of computerized weapons security.

  • OPM Wins Pwnie for Most Epic Fail at Black Hat Awards Show
  • DefCon ProxyHam Talk Disappears but Technology is No Secret

    Part of the drama at any Black Hat or DefCon security conference in any given year usually revolves around a talk that is cancelled for some mysterious reason, typically over fears that it could reveal something truly disruptive. Such is the case in 2015 at DefCon with a talk called ProxyHam, which was supposed to reveal technology that could enable an attacker to wirelessly proxy traffic over long distances, hiding their true location.

  • A chat with Black Hat's unconventional keynote speaker

    In 2010, Black Hat had its first female keynote, Jane Holl Lute, who served at the time as the deputy secretary of the Department of Homeland Security. Lute's first comment about the nature of cyberspace set the tone for her keynote, which was, in characteristic DHS cybersecurity style, tone-deaf to attendee levels of expertise.

  • Uneasy detente between Def Con hackers and 'feds'

    That led founder Jeff Moss to call for a "cooling off period" during which "feds" avoided coming near the annual conference in Las Vegas.

  • Design flaw in Intel processors opens door to rootkits, researcher says

    A design flaw in the x86 processor architecture dating back almost two decades could allow attackers to install a rootkit in the low-level firmware of computers, a security researcher said Thursday. Such malware could be undetectable by security products.

  • Why Your Mac Is More Vulnerable to Malware Than You Think

    The attack would enable a hacker to remotely target computers with malware that would both go undetected by security scanners and would afford the attacker a persistent hold on a system, even when it undergoes firmware and operating system updates. Because firmware updates require the assistance of the existing firmware to install, any malware in the firmware could block updates from being installed or write itself to a new update. Zetter reports that the only way to eliminate malware that’s embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware.

  • ‘Zero-day’ stockpiling puts us all at risk

    The recent dump of emails from Hacking Team sheds new light on the extent of government involvement in the international market for zero-days. Rather than disclosing these vulnerabilities to software makers, so that they can be fixed, government agencies buy and then stockpile zero-days.

  • What's wrong with the web? -- authentication

Security Leftovers

  • Security updates for Friday
  • Security updates for Thursday
  • Black Hat Researchers Hack Rifle for Fun

    "The reason we started doing this in the first place is Runa [Sandvik] is from Norway and has a very romanticized vision of the U.S., so loving all things America, we needed to go to a gun show," Augur said.

    At the gun show, Sandvik became interested in the TrackingPoint weapon after learning that it is a Linux-powered device that could be connected to a phone via a mobile app.

  • And even Wintel is not safe

    At the annual Black Hat conference delegates have been shown a new exploit for Intel and AMD x86 central processor units that has hitherto existed since 1977!


    Christopher Domas, a security researcher with the Battelle Memorial Institute, discovered the flaw. “By leveraging the flaw, attackers could install a rootkit in the processor's System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers. Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface) the modern BIOS or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn’t help, because they too rely on the SMM to be secure. The attack essentially breaks the hardware roots of trust,” Domas said.

  • HTML5 privacy hole left users open to tracking for three years

    A feature of HTML5 that allows sites to detect battery life on a visitor's device can also be used to track behaviour, a piece of research has revealed.

  • Sick of Flash security holes? HTML5 has its own

    HTML5 has been billed as the natural, standards-based successor to proprietary plug-ins such as Adobe's Flash Player for providing rich multimedia services on the Web. But when it comes to security, one of Flash's major weaknesses, HTML5 is no panacea.

    In fact, HTML5 has security issues of its own. Julien Bellanger, CEO of application security monitoring firm Prevoty, says HTML5 makes security more complex, not simpler. HTML5 security has been a question mark for years, and it has not improved over the stretch, he says.

  • Attackers can access Dropbox, Google Drive, OneDrive files without a user's password

    The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.

  • SDN switches aren't hard to compromise, researcher says

    Onie is a small, Linux based operating system that runs on a bare-metal switch. A network operating system is installed on top of Onie, which is designed to make it easy and fast for the OS to be swapped with a different one.

  • Open Network Switches Pose Security Risk, Researcher Says

    At the Black Hat show, a security expert demonstrates how vulnerable SDN switches that use the ONIE software are open to attacks by hackers.

  • OPM wins Pwnie, Google on Android security, DoJ on CFAA: Black Hat 2015 roundup

    Black Hat USA is finishing up in Las Vegas. News from its 18th year includes nuclear nightmares, Department of Justice on computer crime and research, Google on the state of Android security and much more.

  • on the detection of quantum insert

    The NSA has a secret project that can redirect web browsers to sites containing more sophisticated exploits called QUANTUM INSERT. (Do I still need to say allegedly?) It works by injecting packets into the TCP stream, though overwriting the stream may be a more accurate description. Refer to Deep dive into QUANTUM INSERT for more details. At the end of that post, there’s links to some code that can help one detect QI attacks in the wild. As noted by Wired and Bruce Schneier, among dozens of others, now we can defend ourselves against this attack (well, at least detect it).

More in Tux Machines

Phoronix on Graphics

Leftovers: Ubuntu

  • Ubuntu Touch OTA-7 Update Is Being Tested, on Track for October Launch
    The Ubuntu Touch OS is getting a new OTA very soon and the developers are putting the final touches on it. The update is still on track for an October 19 launch and it will remain that way if nothing goes wrong.
  • False Rumors About Microsoft Buying Canonical Are Ridiculous
    The rumor that Microsoft is interested in buying Canonical doesn't seem to go away, despite the fact that there is no real basis to it. We’ve already explained why that is unlikely to happen, but people still don't listen, so here are some more reasons why the rumor is perfect for April 1.
  • Is Microsoft Wooing Canonical & Important Departures…
    A while back I was fitted for a tinfoil hat by some because I had the audacity — the audacity! — to suggest that it would be a shrewd business move by the now-Linux-loving Microsoft to buy Canonical because a.) Canonical had technology that Microsoft would want and need to advance in mobile (like the Ubuntu Phone technology, which blows Microsoft’s out of the water currently), and b.) by this time, Mark Shuttleworth is beyond tired of flushing millions after millions down the toilet (though, as a half-billionaire, he still has several decades of current spending before his bank account resembles, well, mine), and who can blame him? You laughed. Well, sports fans, allow me to hand back your tinfoil hat and ask, who’s laughing now? Linux Journal’s James Darvell outlines this scenario in great detail, quoting a blog item reporting the business deal, and makes an observation worth keeping an eye on: “Microsoft could convert Canonical into a very profitable acquisition by eliminating the unprofitable parts of the company,” he writes. “In fact, it could become the dominant player in the cloud space, and secure the company’s future.”
  • Spice Vulnerabilities Closed in Ubuntu 14.04 LTS and Ubuntu 15.04
    A Spice vulnerability has been found and repaired in the Ubuntu 15.04 and Ubuntu 14.04 LTS operating systems. The SPICE protocol client and server library has been patched in the past few months a couple of times, and this is just the latest fix. It's not a major component, but users should really close any kind of exploit and vulnerability and upgrade their systems frequently.
