Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Recent WordPress vulnerability used to deface 1.5 million pages

    Up to 20 attackers or groups of attackers are defacing WordPress websites that haven't yet applied a recent patch for a critical vulnerability.

    The vulnerability, located in the platform's REST API, allows unauthenticated attackers to modify the content of any post or page within a WordPress site. The flaw was fixed in WordPress 4.7.2, released on Jan. 26, but the WordPress team did not publicly disclose the vulnerability's existence until a week later, to allow enough time for a large number of users to deploy the update.

  • Simple Server Hardening

    These days, it's more important than ever to tighten up the security on your servers, yet if you were to look at several official hardening guides, they read as though they were written for Red Hat from 2005. That's because they were written for Red Hat in 2005 and updated here and there through the years. I came across one of these guides when I was referring to some official hardening benchmarks for a PCI audit and realized if others new to Linux server administration were to run across the same guide, they likely would be overwhelmed with all of the obscure steps. Worse though, they likely would spend hours performing obscure sysctl tweaks and end up with a computer that was no more protected against a modern attack. Instead, they could have spent a few minutes performing a few simple hardening steps and ended up with a more secure computer at the end. So in this article, I describe a few hardening steps that provide the most bang for the buck. These tips should take only a few minutes, yet for that effort, you should get a much more secure system at the end.

  • Sophos: IoT Malware Growing More Sophisticated
  • Linux IoT, Android and MacOS expected in 2017, SophosLabs
  • Hackers using Linux flaws to attack IoT devices
  • Linux Security Fundamentals: Estimating the Cost of a Cyber Attack

Security News

Filed under
Security

Security News

Filed under
Security
  • Opening Cyber Salvo in the French Elections

    On Feb 1st, 2017, Wikileaks began tweeting about the candidates in the French election coming up in a few months. This election (along with Germany’s later this year) is a very highly anticipated overt cyber conflict, one that many people in the intelligence, infosec and natsec communities are all paying attention to. We all saw what happened in the US and expect the Russians to meddle in both of these elections too. The outcomes are particularly important because France and Germany (“Old Europe”) are the strong core of the EU, and Putin’s strategic goal is a weak EU. He’s been dealt a weak hand and his geopolitical strategy is to weaken his opponents, pretty straight forward.

  • Kaspersky says businesses hit by fileless Windows malware

    Fileless Windows malware is infecting enterprise systems in 40 or more countries, with more than 140 institutions having been hit, according to the anti-virus company Kaspersky.

    The malware has not been given a name yet, but Kaspersky says it is similar to Duqu 2.0 that attacked its own network and stayed undetected for more than six months.

    It said an unnamed bank found the malware in late 2016 after it detected Meterpreter code in the physical memory of one of its Windows domain controllers. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

  • Hack my car? Most believe it can happen

    Most Americans have some concerns that self-driving cars can be hacked to cause crashes, disable the vehicle in some way or even be used as weapons by terrorists, according to researchers at the University of Michigan.

    And large percentages of people are at least slightly concerned that these kinds of vehicles can be hacked to gain access to personal data.

    However, more than half have these same cybersecurity concerns about conventional vehicles, say Michael Sivak and Brandon Schoettle of the U-M Transportation Research Institute.

    Using an online survey of more than 500 Americans, the researchers asked respondents how concerned they are about hackers gaining access to personally owned self-driving (both with control over the gas pedal, brake and steering, and without) and conventional vehicles.

  • ‘Top 10 Spammer’ Indicted for Wire Fraud

    Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation.

  • Chap scripts remote Linux takeover for sysadmins

    Linux sysadmins with a sense of adventure: Tokyo-based developer Hector Martin has put together a set of scripts to replace an in-use Linux system over SSH.

    Over at GitHub, Martin's Takeover.sh is the kind of no-safety-net we imagine El Reg's readers will love.

Programming and Security News

Filed under
Development
Security
  • RSPIRV: Google's Rust Implementation Of SPIR-V

    Google developers have been working on a number of open-source projects in the Vulkan space and one of their latest is SPIR-V processing with Rust.

    RSPIRV is another project under the Google umbrella on GitHub. RSPIRV is a Rust implementation of SPIR-V module processing functionalities. SPIR-V, of course, being the intermediate representation/language used by Vulkan as well as OpenCL 2.1+ and can also be used in OpenGL.

  • Optimize PHP with finely tuned IT resources and settings

    More than 90% of PHP-based websites still use PHP version 5. Of those websites, less than one quarter run the latest supported version, PHP 5.6. Despite the release of PHP 7 in December 2015, which has been documented and benchmarked as up to two times faster than PHP 5.6, the adoption rate is only around 3% among websites that use the language. The first step -- before optimizing PHP using the following tips -- is to upgrade to version 7.

  • Node for Java Developers

    The biggest audience for my Node.js workshops, courses and books (especially when I’m teaching live) is Java developers. You see, it used to be that Java was the only language professional software developers/engineers had to know. Not anymore. Node.js as well as other languages like Go, Elixir, Python, Clojure, dictate a polyglot environment in which the best tool for the job is picked.

  • Morocco's First Open Source ERP Uses Java EE 7!
  • Hazelcast's Parallel Streaming Engine Targets Java/Big Data Programmers

    In-memory data grid (IMDG) specialist Hazelcast Inc. yesterday launched a new distributed processing engine for Big Data streams. The open-source, Apache 2-licenced Hazelcast Jet is designed to process data in parallel across nodes, enabling data-intensive applications to operate in near real-time.

  • On new zlib breaking perl
  • anytime 0.2.1
  • Security updates for Friday
  • Capsule8 Launches Linux-Based Container Security Platform

    Cybersecurity startup Capsule8 this week announced that it has raised US$2.5 million to launch the industry's first container-aware, real-time threat protection platform designed to protect legacy and next-generation Linux infrastructures from existing and potential attacks.

    CEO John Viega, CTO Dino Dai Zovi and Chief Scientist Brandon Edwards, all veteran hackers, cofounded the firm. They raised seed funding from Bessemer Venture Partners, as well as individual investors Shandul Shah of Index Ventures and ClearSky's Jay Leek.

Security Leftovers

Filed under
Security
  • Mirai Botnet Spreads With Help From Infected Windows Computers
  • Lovely. Now someone's ported IoT-menacing Mirai to Windows boxes

    The Mirai malware that hijacked hundreds of thousands of IoT gadgets, routers and other devices is now capable of infecting Windows systems.

  • Finding Ticketbleed

    Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.

  • Cybersecurity firms pilloried by GCHQ technical director over “witchcraft”

    “we are allowing massively incentivised companies to define the public perception of the problem”.

  • Wire’s independent security review

    Ever since Wire launched end-to-end encryption and open sourced its apps one question has consistently popped up: “Is there an independent security review available?” Well, there is now!

    Kudelski Security and X41 D-Sec published a joint review of Wire’s encrypted messaging protocol implementation. They found it to have “high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs.”

  • Practical Steps for Protecting IoT Devices

    The security of IoT devices is a high priority these days, as attackers can use Distributed Denial of Service (DDoS) attacks to target them and wreak havoc on a system.

    “Due to the sheer volume of unconnected devices, it can take hours and often days to mitigate such an attack,” says Adam Englander, who is a Senior Engineer of the LaunchKey product at iovation.

  • IoT Cybersecurity Alliance Will Collaborate on Standards, Education

    A new IoT Cybersecurity Alliance formed by AT&T, IBM, Palo Alto Networks, Symantec, and Trustonic promises to help solve one of the most critical elements of the Internet of Things (IoT) — security. The group says its goal is to work on IoT security standards as well as raise awareness about the topic.

    There are numerous IoT-related associations working to promote different segments of IoT and streamline the fragmentation that exists in the industry. However, this is the first group to focus solely on security. AT&T, which was an early advocate for IoT, said it has seen a 3,198 percent increase in attackers scanning for vulnerabilities in IoT devices.

Linux Kernel 3.10.105 LTS Is Out with Almost 300 Improvements, Security Fixes

Filed under
Linux
Security

Linux kernel maintainer Willy Tarreau was proud to announce today the availability of a new maintenance update for the long-term supported Linux 3.10 kernel series, version 3.10.105.

Read more

Five New Linux Kernel Vulnerabilities Patched in Ubuntu 16.10 for Raspberry Pi 2

Filed under
Linux
Security
Ubuntu

Canonical announced a few hours ago the availability of a new security update for the Raspberry Pi 2 kernel packages of the Ubuntu 16.10 (Yakkety Yak) operating system, which patches a total of five newly discovered vulnerabilities.

Read more

Security Leftovers

Filed under
Security

KDE Applications 16.12.2 Rolls Out for Plasma Users to Fix over 20 Recorded Bugs

Filed under
KDE
Security

Today, February 9, 2017, KDE has had the great pleasure of announcing the general availability of the second point release of its KDE Applications 16.12 software suite for KDE Plasma desktops.

Read more

Security Leftovers

Filed under
Security
  • Thousands of WordPress websites defaced through patch failures

    Thousands of WordPress domains have been subject to attack through a severe content injection security flaw that many website operators have failed to protect themselves against.

    The security flaw, a zero-day vulnerability that affects the WordPress REST API, allows attackers to modify the content of posts or pages within a website backed by the WordPress content management system (CMS).

    As noted by cybersecurity firm Sucuri, one of the REST endpoints allows access via the API to view, edit, delete, and create posts.

  • Introducing Capsule8: Industry's First Container-Aware, Real-time Threat Protection for Linux

    "The cloud has catapulted Linux to the most popular platform on the planet, and now the use of container technology is exploding. Yet there has been no world-class commercial security offering focused on securing the Linux infrastructure until now," said Bob Goodman, partner at Bessemer. "Capsule8 is solving the difficult problem of providing zero-day threat protection for Linux, whether legacy, container or something in-between. Simply put, John, Dino and Brandon are pioneering the most comprehensive and effective security protection ever offered for Linux."

  • Container-Aware Security Startup Capsule8 Emerges from Stealth

    Capsule8, a Brooklyn, NY-based security startup, emerged from stealth today to debut its container-aware threat protection platform for Linux.

Syndicate content

More in Tux Machines

Linux Devices, Tizen, and Android

Leftovers: OSS

  • SAP buys into blockchain, joins Hyperledger Project
  • foss-north speaker line-up
    I am extremely pleased to have confirmed the entire speaker line-up for foss north 2017. This will be a really good year!
  • Chromium/Chrome Browser Adds A glTF Parser
    Google's Chrome / Chromium web-browser has added a native glTF 1.0 parser. The GL Transmission Format, of course, being Khronos' "3D asset delivery format" for dealing with compressed scenes and assets by WebGL, OpenGL ES, and other APIs. There are glTF utility libraries in JavaScript and other web-focused languages, but Google adding a native glTF 1.0 parser appears to be related to their VR push with supporting VR content on the web. Their glTF parser was added to Chromium Git on Friday.
  • Sex and Gor and open source
    A few weeks ago, Dries Buytaert, founder of the popular open-source CMS Drupal, asked Larry Garfield, a prominent Drupal contributor and long-time member of the Drupal community, “to leave the Drupal project.” Why did he do this? He refuses to say. A huge furor has erupted in response — not least because the reason clearly has much to do with Garfield’s unconventional sex life. [...] I’ll unpack the first: open-source communities/projects are crucially important to many people’s careers and professional lives — cf “the cornerstone of my career” — so who they allow and deny membership to, and how their codes of conduct are constructed and followed, is highly consequential.
  • Hazelcast Releases 3.8 – The Fastest Open Source In-Memory Data Grid
  • SecureDrop and Alexandre Oliva are 2016 Free Software Awards winners
  • MRRF 17: Lulzbot and IC3D Release Line Of Open Source Filament
    Today at the Midwest RepRap Festival, Lulzbot and IC3D announced the creation of an Open Source filament. While the RepRap project is the best example we have for what can be done with Open Source hardware, the stuff that makes 3D printers work – filament, motors, and to some extent the electronics – are tied up in trade secrets and proprietary processes. As you would expect from most industrial processes, there is an art and a science to making filament and now these secrets will be revealed.
  • RApiDatetime 0.0.2

Security Leftovers

  • NSA: We Disclose 90% of the Flaws We Find
    In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.
  • EFF Launches Community Security Training Series
    EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL. [...] With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.
  • NextCloud, a security analysis
    First, I would like to scare everyone a little bit in order to have people appreciate the extent of this statement. As the figure that opens the post indicates, there are thousands of vulnerable Owncloud/NextCloud instances out there. It will surprise many just how easy is to detect those by trying out common URL paths during an IP sweep.
  • FedEx will deliver you $5.00 just to install Flash
    Bribes on offer as courier's custom printing service needs Adobe's security sinkhole

GNOME Extensions Website Has A New Look

Every GNOME Shell user will visit the official GNOME Shell Extensions website at least once. And if those users do so this weekend they’ll notice a small difference as the GNOME Shell Extensions website is sporting a minor redesign. This online repo plays host to a stack of terrific add-ons that add additional features and tweak existing ones. Read more