Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Smart electricity meters can be dangerously insecure, warns expert

    Smart electricity meters, of which there are more than 100m installed around the world, are frequently “dangerously insecure”, a security expert has said.

    The lack of security in the smart utilities raises the prospect of a single line of malicious code cutting power to a home or even causing a catastrophic overload leading to exploding meters or house fires, according to Netanel Rubin, co-founder of the security firm Vaultra.

    “Reclaim your home,” Rubin told a conference of hackers and security experts, “or someone else will.”

    If a hacker took control of a smart meter they would be able to know “exactly when and how much electricity you’re using”, Rubin told the 33rd Chaos Communications Congress in Hamburg. An attacker could also see whether a home had any expensive electronics.

  • London Ambulance Service hit by 'computer system crash' on New Year's Eve

    Officials confirmed there was a systems fault in the early hours, though staff are trained for such situations, and they continued to prioritise responses as normal.

    Calls were reportedly logged manually between 12.30am GMT and 5:15am.

  • 33c3 notes

    Some notes and highlights from #33c3. In particular, some talks I found worth watching. I intentionally don't mention any of the much interesting self-organized sessions and workshops I participated since these are not recorded. I'm just listing some interesting projects at the bottom. I wrote these notes quickly, so I'm certainly missing some stuff.

Security Leftovers

Filed under
Security
  • Ex-student charged with cyberattack on school’s internet

    A Connecticut juvenile has been charged with launching cyberattacks against a school’s internet service in connection with outages that happened in 2015 and earlier this year.

    Shelton police say the former Shelton High School student, whose name and age haven’t been released, was arrested Thursday on a charge of computer crimes in the third-degree. He’s due in juvenile court on Friday.

  • 5 signs we're finally getting our act together on security

    The high-water line in information security gets higher each year. Just as we think we’ve finally figured out how to defend against attacks, then attackers come up with something new and we are right back to trying to figure out what to do next.

  • You have one second extra tonight!

    Official clocks will hit 23:59:59 as usual, but then they'll say 23:59:60, before rolling over into 2017. This is known as a ‘leap second’ and timekeepers slip them in periodically to keep our clocks in sync with the Earth’s rotation. The laboratory with responsibility for maintaining the equipment to measure time interval (or frequency) in Ireland is the NSAI’s National Metrology Laboratory.

Security Leftovers

Filed under
Security
  • Washington Post Publishes False News Story About Russians Hacking Electrical Grid

    A story published by The Washington Post Friday claims Russia hacked the electrical grid in Vermont. This caused hysteria on social media but has been denied by a spokesman for a Vermont utility company.

    The Post story was titled, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say.”

  • Recount 2016: An Uninvited Security Audit of the U.S. Presidential Election

    The 2016 U.S. presidential election was preceded by unprecedented cyberattacks and produced a result that surprised many people in the U.S. and abroad. Was it hacked? To find out, we teamed up with scientists and lawyers from around the country—and a presidential candidate—to initiate the first presidential election recounts motivated primarily by e-voting security concerns. In this talk, we will explain how the recounts took place, what we learned about the integrity of the election, and what needs to change to ensure that future U.S. elections are secure.

  • Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails

    Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Security Leftovers

Filed under
Security
  • A Chip to Protect the Internet of Things

    The Internet of Things offers the promise of all sorts of nifty gadgets, but each connected device is also a tempting target for hackers. As recent cybersecurity incidents have shown, IoT devices can be harnessed to wreak havoc or compromise the privacy of their owners. So Microchip Technology and Amazon.com have collaborated to create an add-on chip that’s designed to make it easier to combat certain types of attack—and, of course, encourage developers to use Amazon’s cloud-based infrastructure for the Internet of Things.

  • Reproducible Builds: week 87 in Stretch cycle

    100% Of The 289 Coreboot Images Are Now Built Reproducibly by Phoronix, with more details in German by Pro-Linux.de.

    We have further reports on our Reproducible Builds World summit #2 in Berlin from Rok Garbas of NixOS as well as Clemens Lang of MacPorts

  • Chrome will soon mark some HTTP pages as 'non-secure'

    Beginning next month, the company will tag web pages that include login or credit card fields with the message "Not Secure" if the page is not served using HTTPS, the secure version of the internet protocol.

    The company on Tuesday began sending messages through its Google Search Console, a tool for webmasters, warning them of the changes that take place starting in January 2017.

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • 17 Security Experts Share Predictions for the Top Cyber-Trends of 2017

    Enterprises, governments and end users faced no shortage of security challenges in 2016. As the year draws to a close, we wonder: What security trends will continue into 2017? What will be the big security stories of the year to come? Many trends emerged in 2016 that are very likely to remain key issues for organizations of all sizes and shapes in 2017. Among them is the continued and growing risk of ransomware, which emerged in 2016 as a primary attack vector for hackers aiming to cash in on their nefarious activities. In 2016, nation-states once again were identified by multiple organizations as being the source of serious cyber-threats, and there is no indication that will change in the year ahead. Among the emerging trends that could become more prominent in the new year are the widespread use of containers and microservices to improve security control. This eWEEK slide show will present 17 security predictions for the year ahead from 17 security experts.

  • Learning From A Year of Security Breaches

    This year (2016) I accepted as much incident response work as I could. I spent about 300 hours responding to security incidents and data breaches this year as a consultant or volunteer.

    This included hands on work with an in-progress breach, or coordinating a response with victim engineering teams and incident responders.

    These lessons come from my consolidated notes of those incidents. I mostly work with tech companies, though not exclusively, and you’ll see a bias in these lessons as a result.

  • Girl uses sleeping mom's thumbprint to buy $250 in Pokemon toys

    The most famous, and unlikeliest, hacker in the news this week is little Ashlynd Howell of Little Rock, Ark. The exploits of the enterprising 6-year-old first came to light in a Wall Street Journal story about the difficulties of keeping presents a secret in the digital age. It seems that while mom Bethany was sleeping on the couch, Ashlynd gently picked up her mother's thumb and used it to unlock the Amazon app on her phone. She then proceeded to order $250 worth of Pokemon presents for herself. When her parents got 13 confirmation notices about the purchases, they thought that either they'd been hacked (they were, as it turned out) or that their daughter had ordered them by mistake. But she proudly explained, "No, Mommy, I was shopping." The Howells were able to return only four of the items.

  • FDIC Latest Agency To Claim It Was Hacked By A Foreign Government

    Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC's computers.

    But claiming the Chinese were involved seems premature, even according to Reuter's own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.

  • Parrot Security 3.3 Ethical Hacking OS With Linux Kernel 4.8 Released

Parsix GNU/Linux 8.15 (Nev) and 8.10 (Erik) Get Latest Debian Security Patches

Filed under
Security

It's been two weeks since our last report on the latest security updates pushed to the stable repositories of the Debian-based Parsix GNU/Linux operating system, and a new set of patches for various software components arrived the other day.

Read more

KDE Plasma 5.8.5 Is the Last Bugfix Release for 2016, over 55 Issues Resolved

Filed under
KDE
Security

As expected, KDE announced today the general and immediate availability of the fifth maintenance update to the long-term supported KDE Plasma 5.8 desktop environment for GNU/Linux distributions.

Read more

Security News

Filed under
Security
  • Security advisories for Monday
  • Is Mirai Really as Black as It’s Being Painted?

    An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.

    [...]

    If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.

  • Parrot Security 3.3 Ethical Hacking OS Updates Anonsurf, Fixes Touchpad Support

    A new stable release of the Debian-based Parrot Security ethical hacking and penetration testing operating system has been released on Christmas Day, versioned 3.3.

    Powered by a kernel from the Linux 4.8 series, Parrot Security OS 3.3 is here a little over two months since the release of Parrot Security 3.2, but it doesn't look like it's a major update and all that, as it only updates a few core components and hacking tools, and addresses a few of the bugs reported by users since version 3.2.

  • Linux Top 3: Guix, Parrot Security and OpenMandriva Lx

    The GNU Guix project builds a transactional package manager system and it is the base feature around which Guix SD(system distribution) is built.

    [...]

    The 3.01 release brings a number of major fixes since 3.0 release:

    updated software
    new drivers and kernel – better support for newer hardware
    many bugs fixed
    stable Plasma running on Wayland

  • LibreOffice 5.2.4 packages

    The computers worked frantically while I relaxed with my family. Slackware 14.2 and -current packages are ready for LibreOffice 5.2.4. Enjoy the newest version of this highly popular office suite.

Security News

Filed under
Security
  • SQL is Insecure

    SQL is insecure, tell everyone. If you use SQL, your website will get hacked. Tell everyone.

    I saw the news that the US Elections Agency was hacked by a SQL injection attack and I kind of lost it. It’s been well over two decades since prepared statements were introduced. We’ve educated and advised developers about how to avoid SQL injection, yet it still happens. If education failed, all we can do is shame developers into never using SQL.

    I actually really like SQL, I’ve even made a SQL dialect. SQL’s relational algebra is expressive, probably more so than any other NoSQL database I know of. But developers have proven far too often that it’s simply too difficult to know when to use prepared statements or just concatenate strings — it’s time we just abandon SQL altogether. It isn’t worth it. It’s time we called for all government’s to ban use of SQL databases in government contracts and in healthcare. There must be utter clarity.

  • Cyber-criminals target African countries with ransom-ware

    Once again Conficker retained its position as the world’s most prevalent malware, responsible for 15% of recognised attacks. Second-placed Locky, which only started its distribution in February of this year, was responsible for 6% of all attacks, and third-placed Sality was responsible for 5% of known attacks. Overall, the top ten malware families were responsible for 45% of all known attacks.

  • It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on the Globe

    It’s easier than many people realize to modify someone else’s flight booking, or cancel their flight altogether, because airlines rely on old, unsecured systems for processing customers’ travel plans, researchers will explain at the Chaos Communication Congress hacking festival on Tuesday. The issues predominantly center around the lack of any meaningful authentication for customers requesting their flight information.

    The issues highlight how a decades-old system is still in constant, heavy use, despite being susceptible to fairly simple attacks and with no clear means for a solution.

    “Whenever you take a trip, you are in one or more of these systems,” security researcher Karsten Nohl told Motherboard in a phone call ahead of his and co-researcher Nemanja Nikodijevic’s talk.

  • Open source risks and rewards – why team structure matters

    An impressive and user-friendly digital presence is an indispensable asset to any brand. It is often the first point of contact for customers who expect and demand great functionality and engaging content across multiple platforms. The finding that nearly half of us won't wait even three seconds for a website to load bears witness to ever increasing customer expectations which must be met.

    Partnership with a digital agency can be a great way to keep up to speed with rapid change and innovation but to ensure the very best outcome, both client and agency need to find an optimum commercial, creative and secure cultural fit. This should be a priority for both sides from the very first pitch. The promise of exceptional creativity and customer experience is one thing, but considering the more practical aspects of how the relationship will work is entirely another.

Security News

Filed under
Security
  • Friday's security advisories
  • The State of Linux Security

    In the last 10 years, GNU/Linux achieved something some foreseen as almost impossible: powering both the smallest and biggest devices in the world, and everything in between. Only the desktop is not a conquered terrain yet.

    The year 2016 had an impact on the world. Both from a real life perspective, as digitally. Some people found their personal details leaked on the internet, others found their software being backdoored. Let’s have a look back on what happened this year regarding Linux security.

Syndicate content

More in Tux Machines

RPi-friendly home automation kit adds voice recognition support

Following its successful Kickstarter campaign for a standalone Matrix home automation and surveillance hub, and subsequent release of an FPGA-driven Matrix Creator daughter board for use with the Raspberry Pi, Matrix Labs today launched a “Matrix Voice” board on Indiegogo. The baseline board, currently available at early-bird pricing of $45, has an array of 7 microphones surrounding a ring of 18 software-controlled RGBW LEDs. A slightly pricier model includes an MCU-controlled WiFi/Bluetooth ESP32 wireless module. Read more

The Year Of Linux On Everything But The Desktop

The War on Linux goes back to Bill Gates, then CEO of Microsoft, in an “open letter to hobbyists” published in a newsletter in 1976. Even though Linux wouldn’t be born until 1991, Gates’ burgeoning software company – itself years away from releasing its first operating system – already felt the threat of open source software. We know Gates today as a kindly billionaire who’s joining us in the fight against everything from disease to income inequality, but there was a time when Gates was the bad guy of the computing world. Microsoft released its Windows operating system in 1985. At the time, its main competition was Apple and Unix-like systems. BSD was the dominant open source Unix clone then – it marks its 40th birthday this year, in fact – and Microsoft fired barrages of legal challenges to BSD just like it eventually would against Linux. Meanwhile Apple sued Microsoft over its interface, in the infamous “Look and Feel” lawsuit, and Microsoft’s reign would forever be challenged. Eventually Microsoft would be tried in both the US and the UK for antitrust, which is a government regulation against corporate monopolies. Even though it lost both suits, Microsoft simply paid the fine out of its bottomless pockets and kept right at it. Read more

Digital audio and video editing in GNU/Linux

  • Linux Digital Audio Workstation Roundup
    In the world of home studio recording, the digital audio workstation is one of the most important tools of the trade. Digital audio workstations are used to record audio and MIDI data into patterns or tracks. This information is then typically mixed down into songs or albums. In the Linux ecosystem, there is no shortage of Digital audio workstations to chose from. Whether you wish to create minimalist techno or full orchestral pieces, chances are there is an application that has you covered. In this article, we will take a brief look into several of these applications and discuss their strengths and weaknesses. I will try to provide a fair evaluation of the DAWs presented here but at the end of the day, I urge you to try a few of these applications and to form an opinion of your own.
  • Shotcut Video Editor Available As A Snap Package [Quick Update]
    Shotcut is a free, open source Qt5 video editor developed on the MLT Multimedia Framework (it's developed by the same author as MLT), available for Linux, Windows and Mac. Under the hood, Shotcut uses FFmpeg, so it supports many audio, video and image formats, along with screen, webcam and audio capture. The application doesn't require importing files, thanks to its native timeline editing. Other features worth mentioning are multitrack timeline with thumbnails and waveforms, 4k resolution support, video effects, as well as a flexible UI with dockable panels.
  • Simple Screen Recorder Is Now Available as a Snap App
    Simple Screen Recorder, a popular screen recording app for Linux desktops, is now available to install as a Snap app from the Ubuntu Store.

Kernel News: Linux 4.10 in SparkyLinux, Wayland 1.13.0, and Weston 2.0 RC2

  • Linux Kernel 4.10 Lands in SparkyLinux's Unstable Repo, Here's How to Install It
    The trend of offering users the most recent Linux kernel release continues today with SparkyLinux, an open-source, Debian-based distribution that always ships with the latest GNU/Linux technologies and software versions. SparkyLinux appears to be the third distro to offer its users the ability to install the recently released Linux 4.10 kernel, after Linux Lite and Ubuntu, as the developers announced earlier that the Linux kernel 4.10 packages are now available from the unstable repository.
  • Wayland 1.13.0 Display Server Officially Released, Wayland 1.14 Lands in June
    Bryce Harrington, a Senior Open Source Developer at Samsung, announced today the release and general availability of the Wayland 1.13.0 for GNU/Linux distributions that already adopted the next-generation display server.next-generation display server. Wayland 1.13.0 has entered development in the first days of the year, but the first Alpha build arrived at the end of January, along with the Alpha version of the Weston 2.0 compositor, including most of the new features that are present in this final release that you'll be able to install on your Linux-based operating systems in the coming days.
  • Weston 2.0 RC2 Wayland Compositor Arrives With Last Minute Fixes
    While Wayland 1.13 was released today, Bryce Harrington today opted against releasing the Weston 2.0 reference compositor and instead issue a second release candidate. Weston 2.0 is the next version of this "playground" for Wayland compositor technologies since the new output configuration API had broke the ABI, necessitating a break from the same versioning as Wayland.
  • [ANNOUNCE] weston 1.99.94