Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • David A. Wheeler: Working to Prevent the Next Heartbleed

    The Heartbleed bug revealed that some important open source projects were so understaffed that they were unable to properly implement best security practices. The Linux Foundation’s Core Infrastructure Initiative , formed to help open source projects have the ability to adopt these practices, uses a lot of carrot and very little stick.

  • The First iPhone Hacker Shows How Easy It Is To Hack A Computer

    Viceland is known for its extensive security-focused coverage and videos. In the latest CYBERWAR series, it’s showing us different kinds of cyber threats present in the world around us. From the same series, recently, we covered the story of an ex-NSA spy that showed us how to hack a car.

    In another spooky addition to the series, we got to see how easily the famous iPhone hacker George Hotz hacked a computer.

    George Hotz, also known as geohot, is the American hacker known for unlocking the iPhone. He developed bootrom exploit and limera1n jailbreak tool for Apple’s iOS operating system. Recently, he even built his own self-driving car in his garage.

  • Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices

    Cyber criminals always develop malware filled with unbelievable features but hardly ever you will find something that targets different operating systems simultaneously. Now, researchers have discovered a malware based on Java infecting companies in Denmark but it’s only a matter of time before it will probably hit other countries.

  • 7 Computers Fighting Against Each Other To Become “The Perfect Hacker”

    Are automated “computer hackers” better than human hackers? DARPA is answering this question in positive and looking to prove its point with the help of its Cyber Grand Challenge. The contest finale will feature seven powerful computer fighting against each other. The winner of the contest will challenge human hackers at the annual DEF CON hacking conference.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Download This Security Fix Now — All Versions Of Windows Operating System Hackable

    As a part of its monthly update cycle, Microsoft has released security patches for all versions of Windows operating system. This update addresses a critical flaw that lets an attacker launch man-in-the-middle attacks on workstations. This security vulnerability arises as the print spooler service allows a user to install untrusted drivers with elevated privileges.

  • The Truth About Penetration Testing Vs. Vulnerability Assessments

    Vulnerability assessments are often confused with penetration tests. In fact, the two terms are often used interchangeably, but they are worlds apart. To strengthen an organization’s cyber risk posture, it is essential to not only test for vulnerabilities, but also assess whether vulnerabilities are actually exploitable and what risks they represent. To increase an organization’s resilience against cyber-attacks, it is essential to understand the inter-relationships between vulnerability assessment, penetration test, and a cyber risk analysis.

Untangle Announces NG Firewall Version 12.1

Filed under
GNU
Linux
Security

Untangle® Inc., a security software and appliance company, announced the release of version 12.1 of its award-winning NG Firewall software. Untangle NG Firewall version 12.1 brings new features and functionality to the popular and powerful small business firewall platform.

NG Firewall delivers a comprehensive solution for small-to-medium businesses, schools, governmental organizations and nonprofits that require enterprise-grade perimeter security with the flexibility of a convergent Unified Threat Management (UTM) device. Untangle’s industry-leading approach to network traffic visibility and policy management gives its customers deep insight into what’s happening on their network via its database-driven reporting engine and 360° dashboard.

“Version 12.1 is the next step in the evolution of the Untangle NG Firewall user interface,” said Dirk Morris, founder and chief product officer at Untangle. “Building on the base provided by the last two major releases, version 12.1 provides a fully responsive mobile management console as well as faster performing, more flexible reporting and dashboard widget capabilities.”

Read more

Security Leftovers

Filed under
Security
  • Posing as ransomware, Windows malware just deletes victim’s files

    There has been a lot of ingenuity poured into creating crypto-ransomware, the money-making malware that has become the scourge of hospitals, businesses, and home users over the past year. But none of that ingenuity applies to Ranscam, a new ransom malware reported by Cisco's Talos Security Intelligence and Research Group.

    Ranscam is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for "encrypted" files that were actually just plain deleted by a batch command. "Once it executes, it, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."

    Talos discovered the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address. The victim is instructed:

    "You must pay 0.2 Bitcoins to unlock your computer. Your files have been moved to a hidden partition and crypted. Essential programs in your computer have been locked and your computer will not function properly. Once your Bitcoin payment is received your computer and files will be returned to normal instantly."

  • Webpages, Word files, print servers menacing Windows PCs, and disk encryption bypasses – yup, it's Patch Tuesday

    Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player.

    Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.

  • Ad blocking: yes, its war now

    idnes.cz: they put moving advertisment on that their web, making browsers unusable -- they eat 100% CPU and pages lag when scrolling. They put video ads inside text that appear when you scroll. They have video ads including audio... (Advertisment for olympic games is particulary nasty, Core Duo, it also raises power consumption by like 30W). Then they are surpised of adblock and complain with popup when they detect one. I guess I am either looking for better news source, or for the next step in adblock war...

IPFire 2.19 Update 103 Adds Web Proxy Improvements, Latest Tor for Anonymity

Filed under
Linux
Security

The IPFire 2.19 Core Update 103 Linux kernel-based firewall distribution has been released today, July 12, bringing web proxy improvements and the latest security patches and bug fixes.

Read more

Security News

Filed under
Security
  • New Report Shows Healthy Growth in Open Source Usage, but Security is Not Locked Down
  • Tuesday's security advisories
  • Security staff should talk to end users more

    IT security departments need to improve their relationships with their users by going out and talking to them, Red Hat's security strategist Josh Pressers has advised.

    Pressers warned that in order to stop the spread of 'shadow IT' within the enterprise, security professionals need to make a bigger effort to understand staff in other departments, warning that "we don't listen very well".

    Shadow IT has become an increasing problem for corporate IT managers, as employees use non-approved tools and technologies at work, rather than the systems provided by the in-house team.

  • Every version of Windows hit by "critical" security flaw [Ed: Microsoft Zack (Zack Whittaker, formerly Microsoft UK) on the latest back/bug door in Windows]

    Microsoft has patched a security vulnerability found in every supported version of Windows, which if exploited could allow an attacker to take over a system.

    The software giant said in a bulletin posted Tuesday as part of its monthly release of security fixes that the the "critical" flaw could let an attacker remotely install malware, which can be used to modify or delete data, or create new accounts with full user rights.

    The "critical"-rated flaw affects Windows Vista and later -- including Windows Server 2008 and later.

    Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

Security Leftovers

Filed under
Security
  • CISSP certification: Are multiple choice tests the best way to hire infosec pros?

    Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

    Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.

  • Pokémon Go on iOS gives full access to Google accounts

    Signing into Pokémon Go on iOS with a Google account gives the game full access to that account, according to a systems architect, Adam Reeve.

    The Android version of the game apparently does not have these issues.

    Reeve said that the security situation was not the same for all iOS users.

    Pokémon Go was released last week and has been a huge hit. It is the latest in a series of games from Nintendo but is made by a developer named Niantic, which is part owned by Google.

  • Pokémon Go shouldn’t have full access to your Gmail, Docs and Google account — but it does

    When you use Google to sign into Pokémon Go, as so many of you have already, the popular game for some reason grants itself (for some iOS users, anyway) the highest possible level of access to your Google account, meaning it can read your email, location history… pretty much everything. Why does it need this, and why aren’t users told?

  • Have you given Pokémon Go full access to everything in your Google account?

    Gamers who have downloaded the Pokémon Go augmented reality game were given a scare on Monday, after noticing that the app had apparently been granted “full access” to their Google accounts.

    Taken at face value, the permissions would have represented a major security vulnerability, albeit one that only appeared to affect players who signed up to play the game using their Google account on Apple devices.

  • Pokémon Go Was Never Able To Read Your Email [Updated]

    Here’s even more confirmation that Pokémon Go never had the ability to access your Gmail or Calendar. A product security developer at Slack tested the token provided by Pokémon Go and found that it was never able to get data from services like Gmail or Calendar.

  • HTTPS is not a magic bullet for Web security

    We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

    HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

  • Now it’s easy to see if leaked passwords work on other sites

    Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

  • What serverless computing really means [iophk: "securityless"]

    Arimura even goes as far as to use the controversial “no-ops,” coined by former Netflix cloud architect Adrain Cockcroft. Again, just as there will always be servers, there will always be ops to run them. Again, no-ops and serverless computing take the developer’s point of view: Someone else has to worry about that stuff, but not me while I create software.

  • An open letter to security researchers and practitioners

    Earlier this month, the World Wide Web Consortium's Encrypted Media
    Extensions (EME) spec progressed to Draft Recommendation phase. This is
    a controversial standard for transmitting DRM-encumbered videos, and it
    marks the very first time that the W3C has attempted to standardize a
    DRM system.

    This means that for the first time, W3C standards for browsers will fall
    under laws like the DMCA (and its international equivalents, which the
    US Trade Representative has spread all over the world). These laws allow
    companies to threaten security researchers who disclose vulnerabilities
    in DRM systems, on the grounds that these disclosures make it easier to
    figure out how to bypass the DRM.

    Last summer, the Copyright Office heard from security researchers about
    the effect that DRM has on their work; those filings detail showstopper
    bugs in consumer devices, cars, agricultural equipment, medical
    implants, and voting machines that researchers felt they couldn't
    readily publish about, lest they face punitive lawsuits from the
    companies they embarrassed.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Is Your Antivirus Making Your PC More Hackable? Probably YES!f

    Is your antivirus software protecting you from all kinds of malware and security threats? The answer to this questions is a big NO. While one shouldn’t completely get rid of his/her antivirus solution, one shouldn’t be too carefree having them installed. We also advise our readers to follow the basic security practices to stay safe on the internet.

  • Social Media Accounts Of Twitter And Yahoo CEOs Hacked By OurMine

    Hacking group OurMine has now targetted Jack Dorsey and Marissa Mayer. OurMine recently hacked their Twitter accounts and posted messages on their profile. OurMine has triggered the frequency of its operations in the recent times and targeting multiple high-profile tech CEOs and celebrities.

  • Let's Encrypt torpedoes cost and maintenance issues for Free RTC

    Many people have now heard of the EFF-backed free certificate authority Let's Encrypt. Not only is it free of charge, it has also introduced a fully automated mechanism for certificate renewals, eliminating a tedious chore that has imposed upon busy sysadmins everywhere for many years.

    These two benefits - elimination of cost and elimination of annual maintenance effort - imply that server operators can now deploy certificates for far more services than they would have previously.

  • Voice Commands Hidden In YouTube Videos Can Hack Your Smartphone
  • This is quite a nice tool – magic-wormhole

    This beats doing a scp from system to system, especially if the receiving system is behind a NAT and/or firewall.

  • Entry level AI

    I was listening to the podcast Security Weekly and the topic of using AI For security work came up. This got me thinking about how most people make their way into security and what something like AI might mean for the industry.

    In virtually every industry you start out doing some sort of horrible job nobody else wants to do, but you have to start there because it's the place you start to learn the skills you need for more exciting and interesting work. Nobody wants to go over yesterday's security event log, but somebody does it.

Parrot Security OS 3.0 Ethical Hacking Distro Lands for Raspberry Pi, Cubieboard

Filed under
OS
Security

Frozenbox Network, the developer of the Parrot Security OS ethical hacking distribution for personal computers and embedded devices, announced the release of Raspberry Pi and Cubieboard 4 binary images for Parrot Security OS 3.0.

Read more

Syndicate content

More in Tux Machines

Remembering Vernon Adams

Open-source font developer Vernon Adams has passed away in California at the age of 49. [Vernon Adams] In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time. Read more

Fedora 24 review: The year’s best Linux distro is puzzlingly hard to recommend

Fedora 24 is one of the best Linux distro releases you're likely to see this year. And there are two other releases that I did not have room to cover in depth here: the Server and Cloud variants of Fedora 24, which pack in a ton of new features specific to those environments. The cloud platform especially continues to churn out the container-related features, with some new tools for OpenShift Origin, Fedora's Platform-as-a-Service system built around Google's Kubernetes project. Check out Fedora Magazine's release announcement for more on everything that's new in Server and Cloud. As always, Fedora WorkStation also comes in a variety of "Spins" that are pre-packaged setups for specific use cases. There are prepacked spins of all the major desktops, including Xfce, KDE, MATE, Cinnamon, and LXDE (you can also get alternative desktops in one go by downloading the DVD installer). Spins aren't just for desktops, though. For example, there's an astronomy spin, a design suite spin, robotics-focused spin, a security spin, and several more. None of these spins have anything you can't set up yourself, but if you don't want to put in the time and effort, Fedora can handle that for you. Read more

New NVIDIA SHIELD Android TV Console Shows Up At The FCC

While the Xiaomi Mi Box does seem to be inching closer towards its release and while this is expected to be the next big major device release for the Android TV platform, the last week has seen speculation mounting as to what NVIDIA might have up their sleeves. This is because a new SHIELD Controller popped up on the FCC and this was then followed by new filings for a new SHIELD Remote control. Of course, just because the two controller accessories were passing through the FCC, it does not automatically mean there will also be a new SHIELD Android TV device coming as well. Although on this particular occasion, that looks to be exactly what is happening. Read more

today's leftovers

  • BSODs at scale: we laugh at your puny five storeys, here's our SIX storey #fail
    It's an easy drive-by troll, isn't it? Last week, we asked readers to top the five-storey Blue Screen of Death spotted in Thailand, and examples big and small flooded the inbox. Manchester Piccadilly Station is either vying for the crown with last week's entry, or perhaps it's a display from the same maker. Thanks to James for catching this shot from 2013.
  • Monitoring of Monitoring
    I was recently asked to get data from a computer that controlled security cameras after a crime had been committed. Due to the potential issues I refused to collect the computer and insisted on performing the work at the office of the company in question. Hard drives are vulnerable to damage from vibration and there is always a risk involved in moving hard drives or systems containing them. A hard drive with evidence of a crime provides additional potential complications. So I wanted to stay within view of the man who commissioned the work just so there could be no misunderstanding. The system had a single IDE disk. The fact that it had an IDE disk is an indication of the age of the system. One of the benefits of SATA over IDE is that swapping disks is much easier, SATA is designed for hot-swap and even systems that don’t support hot-swap will have less risk of mechanical damage when changing disks if SATA is used instead of IDE. For an appliance type system where a disk might be expected to be changed by someone who’s not a sysadmin SATA provides more benefits over IDE than for some other use cases. I connected the IDE disk to a USB-IDE device so I could read it from my laptop. But the disk just made repeated buzzing sounds while failing to spin up. This is an indication that the drive was probably experiencing “stiction” which is where the heads stick to the platters and the drive motor isn’t strong enough to pull them off. In some cases hitting a drive will get it working again, but I’m certainly not going to hit a drive that might be subject to legal action! I recommended referring the drive to a data recovery company. The probability of getting useful data from the disk in question seems very low. It could be that the drive had stiction for months or years. If the drive is recovered it might turn out to have data from years ago and not the recent data that is desired. It is possible that the drive only got stiction after being turned off, but I’ll probably never know.
  • Blender 2.78 Is Adding Pascal Support, Fixes Maxwell Performance Issues
  • motranslator 1.1
    Four months after 1.0 release, motranslator 1.1 is out. If you happen to use it for untrusted data, this might be as well called security release, though this is still not good idea until we remove usage of eval() used to evaluate plural formula.
  • Live dmesg following
  • WineTricks has seen a massive amount of improvements this year
    WineTricks has seen allot of development recently, some of the notable changes are better IE 8 support, MetaTrader 4 support, Kindle improvements, Russian translation, A new self update function and a massive amount of other fixes and updates. The full changelog sense February 2016 and August 2016 is provided below with a download link to get the latest release.
  • Sunless Sea expansion Zubmariner releases on October 11th with Linux support
    Sunless Sea is about to get bigger, as Zubmariner has been confirmed for release on October 11th with Linux support.
  • Agenda, control an organization trying to take over the world in this strategy game
  • Clarity (Vector Design) Icon Theme for Linux Desktop’s
    Clarity Icon Theme is completely different from other icon themes because its purly based on Vector design. This theme is based on AwOken and Token, lots of shapes and basic color pallete was taken from these icons. Few icons was taken from Raphael. used some shapes from OpenClipart, Wikipedia, Humanity and AnyColorYouLike Themes. The rest of icons designed by developer by simplifying existed icons or logos. Two types of fonts used Impact and Cheboygan.
  • GUADEC 2016
    I have just returned from our annual users and developers conference. This years’ GUADEC has taken place in the lovely Karlsruhe, Germany. It once again was a fantastic opportunity to gather everyone who works pretty hard to make our desktop and platform the best out there. :)
  • GUADEC 2016, Karlsruhe
    Nice thing this year was that almost everyone was staying in the same place, or close; this favoured social gatherings even more than in the previous years. This was also helped by the organized events, every evenings, from barbecue to picnic, from local student-run bar to beer garden (thanks Centricular), and more. And during the days? Interesting talks of course, like the one offered by Rosanna about how the foundation runs (and how crazy is the US bank system), or the Builder update by Christian, and team meetings.
  • Debian-Based Q4OS 1.6 "Orion" Linux Distro Launches with Trinity Desktop 14.0.3
    Softpedia has been informed today, August 28, 2016, by the developer of the Debian-based Q4OS GNU/Linux distribution about the immediate availability for download of a new stable release to the "Orion" series, version 1.6. The biggest new feature of the Q4OS 1.6 "Orion" release is the latest Trinity Desktop Environment (TDE) 14.0.3 desktop environment, an open source project that tries to keep the spirit of the old-school KDE 3.5 desktop interface alive. Q4OS was used the most recent TDE version, so Q4OS 1.6 is here to update it. "The significant Q4OS 1.6 'Orion' release receives the most recent Trinity R14.0.3 stable version. Trinity R14.0.3 is the third maintenance release of the R14 series, it is intended to promptly bring bug fixes to users, while preserving overall stability," say the Q4OS developers in the release announcement.
  • Antergos installation guide with screenshots
  • Reproducible builds: week 70 in Stretch cycle
  • Ubuntu's Mir May Be Ready For FreeSync / Adaptive-Sync
    The Mir display server may already be ready for working with AMD's FreeSync or VESA's Adaptive-Sync, once all of the other pieces to the Linux graphics stack are ready. If the comments from this Mir commit are understood and correct, it looks like Mir may be ready for supporting FreeSync/Adaptive-Sync. While NVIDIA's proprietary driver supports their alternative G-SYNC technology on Linux, AMD FreeSync (or the similar VESA Adaptive-Sync standard) has yet to be supported by the AMD Linux stack. We won't be seeing any AMD FreeSync support until their DAL display stack lands. DAL still might come for Linux 4.9 but there hasn't been any commitment yet by AMD developers otherwise not until Linux 4.10+, and then after that point FreeSync can ultimately come to the open-source AMD driver. At least with the AMDGPU-PRO driver relying upon its own DKMS module, DAL with FreeSync can land there earlier.
  • Python vs. C/C++ in embedded systems
    The C/C++ programming languages dominate embedded systems programming, though they have a number of disadvantages. Python, on the other hand, has many strengths that make it a great language for embedded systems. Let's look at the pros and cons of each, and why you should consider Python for embedded programming.