Security

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Secure code before or after sharing? [Ed: FUD season. US moving to FOSS, so parasites pop up]

    The White House wants federal agencies to share more of their custom code with each other, and also to provide more of it to the open source community. That kind of reuse and open source development of software could certainly cut costs and provide more able software in the future, but is this also an opening for more bugs and insecure code?

  • SMTP Strict Transport Security Standard Drafted for Email Security

    Love it or hate it, email remains a must-have tool in the modern Internet, though email isn't always as secure as it should be. When users connect to email servers, those connections have the potential to be intercepted by attackers, so there is a need for standards, like the new SMTP Strict Transport Security (STS) standard, published March 18 as an Internet Engineering Task Force (IETF) draft.

  • Certified Ethical Hacker website caught spreading crypto ransomware
  • Certificate pinning is a useful thing, says Netcraft. So why do hardly any of you use it?

    Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

    Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority into issuing a fraudulent certificate for a site.

    If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

  • Oracle issues emergency Java patch for bug leading to system hijack

    Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.

  • Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection [iophk: The FBI needs to prosecute those that brought Windows into the hospital.]

    A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

  • Judge Won’t Consider EFF’s Arguments in FBI Mass Hacking Case

    Earlier this month, digital rights group the Electronic Frontier Foundation (EFF) filed a strongly worded amicus brief arguing that the warrant used by the FBI for its use of malware to identify visitors of a dark web child pornography site was “unconstitutional,” and qualified as a broad, “general warrant.”

    But on Tuesday, Robert J. Bryan, the district judge overseeing the case rejected the group’s argument, saying it contained allegations of fact not supported in the record, and that it was simply repeating arguments already made by the defense.

    “According to EFF, a self-proclaimed ‘recognized expert’ on the intersection of civil liberties and technology, the law enforcement techniques employed in this case present novel questions of Fourth Amendment law,” Bryan writes in his order. The brief was signed by Mark Rumold, Nate Cardozo, and Andrew Crocker from the EFF, and Venkat Balasubramani, an attorney who is representing the organization.

  • Security education outfit EC-Council dishes out ransomware online

    Senior threat intelligence man Yonathan Klijnsma says the website of the EC-Council, the organisation responsible for the Ethical Hacker certification, is serving the dangerous Angler exploit kit to infect PCs.

    Klijnsma of Dutch firm Fox-IT says the website was serving the world's most highly-capable and dangerous exploit kit hours ago to users of Internet Explorer.

    Checks by this writer appear to show it is still serving the exploit at the time of publication.

  • Weak links in the blockchain: We're neglecting the foundations

    Premature infatuation with blockchain overlooks security weaknesses in the platform that underlies Bitcoin digital currency.

FreeNAS 9.10 Open-Source Storage Operating System Adds USB 3.0 & Skylake Support

Filed under
Security
BSD

Jordan Hubbard from the FreeNAS project, an open-source initiative to create a powerful, free, secure, and reliable NAS (Network-attached storage) operating system based on BSD technologies, announced the release of FreeNAS 9.10.

FreeNAS 9.10 is the tenth maintenance release in the current stable 9.x series of the project, thus bringing the latest security patches from upstream, support for new devices, as well as several under-the-hood updates. As expected, FreeNAS 9.10 has been rebased on the latest FreeBSD 10.3 RC3 (Release Candidate) release.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Cryptostalker, a Tool to Detect Crypto-Ransomware on Linux

    A while back, we stumbled upon an interesting GitHub repo dubbed randumb, which included an example called Cryptostalker, advertised as a tool to detect crypto-ransomware on Linux.

    Cryptostalker and the original project randumb are the work of Sean Williams, a developer from San Francisco. Mr. Williams wanted to create a tool that monitored the filesystem for newly written files, and if the files contained random data, the sign of encrypted content, and they were written at high speed, it would alert the system's owner.

  • Google slings critical patch at exploited Linux kernel root hole

    Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices.

    The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18.

  • Everything is fine, nothing to see here!

    Today everyone who is REALLY, I mean REALLY REALLY good at security got there through blood sweat and tears. Nobody taught them what they know, they learned it on their own. Many of us didn't have training when we were learning these things. Regardless of this though, if training is fantastic, why does it seem there is a constant march toward things getting worse instead of better? That tells me we're not teaching the right skills to the right people. The skills of yesterday don't help you today, and especially don't help tomorrow. By its very definition, training can only cover the topics of yesterday.

  • Inside the Starburst-sized box that could save the Internet

    Cybercrime is costing us millions. Hacks drain the average American firm of $15.4 million per year, and, in the resulting panic, companies often spend more than $1.9 million to resolve a single attack. It’s time to face facts: Our defenses aren’t strong enough to keep the hackers out.

  • Utah’s Online Caucus Gives Security Experts Heart Attacks

    On Tuesday, registered Republicans in Utah who want to participate in their state’s caucus will have the option to either head to a polling station and cast a vote in person or log onto a new website and choose their candidate online. To make this happen, the Utah GOP paid more than $80,000 to the London-based company Smartmatic, which manages electronic voting systems and internet voting systems in 25 countries and will run the Utah GOP caucus system.

Snowden: “I Used Free And Open Source Software Like Debian And TOR. I Didn’t Trust Microsoft”

Filed under
GNU
Linux
Security
Debian

At the Free Software Foundation’s LibrePlanet2016 conference on Saturday, NSA whistleblower Edward Snowden participated in a discussion regarding free software and security. He joined the talk via video conferencing from Russia.

Edward Snowden said that he was able to disclose the secrets of the American government and its mass surveillance projects using free software. The event was being held in an MIT lecture hall and this statement drew a wide round of applause.

Praising the likes of Debian, Tails, and TOR, he said — “What happened in 2013 couldn’t have happened without free software.”

Also: OS X and Linux rise in developer market to threaten Windows

Antivirus Live CD 17.0-0.99.1 Uses ClamAV 0.99.1 to Clean Your PCs of Viruses

Filed under
Linux
Security

4MLinux developer Zbigniew Konojacki today informs Softpedia about the immediate availability for download of a new build of his Antivirus Live CD tool based on the latest 4MLinux and ClamAV projects.

Security Leftovers

Filed under
Security
  • Leopard Flower firewall – Protect your bytes

    Several months ago, I decided to explore a somewhat obscure topic of outbound per-application firewall control in Linux. A concept that Windows users are well familiar with, it’s been around for ages, providing Windows folks with a heightened sense of – if not practical factual – protection against rogues residing in their system and trying to phone home.

    In Linux, things are a little different, but with the growing flux of Windows converts arriving at the sandy shores of open-source, the notion of need for outbound control of applications has also risen, giving birth to software designed to allay fears if not resolve problems. My first attempt to play with Leopard Flower and Douane was somewhat frustrating. Now, I’m going to revisit the test, focusing only on the former.

    [...]

    Leopard Flower firewall is an interesting concept. Misplaced, though, for most parts. It caters to a Windows need that does not exist on Linux, and to be frank, has no place in the Microsoft world either. Then, it also tries to resolve a problem of control and knowledge by requiring the user to exercise the necessary control and knowledge. But if they had those to begin with, they wouldn’t need to dabble in per-application firewalls. Furthermore, the software is still fairly immature. There are at least half a dozen little things and changes that can be implemented to make lpfw more elegant, starting with installation and followed by service and GUI model, prompts, robustness, and a few others.

  • Critical bug in libotr could open users of ChatSecure, Adium, Pidgin to compromise
  • Clair 1.0 Brings Advances in Container Security

    CoreOS pushes the open-source container security project to the 1.0 milestone and production stability.

    As container use grows, there is an increasing need to understand from a security perspective what is actually running in a container. That's the goal of CoreOS' Clair container security project, which officially hits the 1.0 milestone today, in an effort to help organizations validate container application security.

Security Leftovers

Filed under
Security
  • Friday's security updates
  • At pwn2Own, Chrome, Flash and Other Key Tools Proved Vulnerable
  • Motor Vehicles Increasingly Vulnerable to Remote Exploits

    As previously reported by the media in and after July 2015, security researchers evaluating automotive cybersecurity were able to demonstrate remote exploits of motor vehicles. The analysis demonstrated the researchers could gain significant control over vehicle functions remotely by exploiting wireless communications vulnerabilities. While the identified vulnerabilities have been addressed, it is important that consumers and manufacturers are aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future. Third party aftermarket devices with Internet or cellular access plugged into diagnostics ports could also introduce wireless vulnerabilities.

  • Malvertising hits BBC, Newsweek, NYT and MSN

    Links to malware inside online advertising bypassed the security systems of the advertising serving companies and distributed ransomware to unsuspecting ‘link clickers’.

    Earlier this week major websites including BBC, Newsweek, New York Times and MSN ‘hosted’ malvertising on their sites that has been credited as the largest attack of its type for two years. Previously Google’s DoubleClick and Zedo ad servers were ‘infected’ and YouTube, Amazon and Yahoo websites used advertisements served from them.

    Although ad serving networks try to filter out malicious ones, occasionally altered ones slip in. On a high-traffic site, this means a large pool of potential victims. Websites that serve the ads are usually unaware of the problem.

    AppNexus, one of the ad servers, said it has an anti-malware detection system called Sherlock it uses to screen ads and also uses a filtering product from a third-party vendor. “We devote considerable financial resources to safeguarding our customers. Unfortunately, bad actors also invest considerably in developing new forms of malware,” said Josh Zeitz, vice president of communications.

  • Security Researcher Goes Missing After Investigating Bangladesh Bank Cyber-Heist

    Tanvir Hassan Zoha, 34, security researcher, has gone missing just days after accusing Bangladesh's central bank officials of negligence, which facilitated the theft of over $81 million from the country's overseas accounts.
