Security Leftovers

Filed under
Security
  • CISSP certification: Are multiple choice tests the best way to hire infosec pros?

    Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

    Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.

  • Pokémon Go on iOS gives full access to Google accounts

    Signing into Pokémon Go on iOS with a Google account gives the game full access to that account, according to a systems architect, Adam Reeve.

    The Android version of the game apparently does not have these issues.

    Reeve said that the security situation was not the same for all iOS users.

    Pokémon Go was released last week and has been a huge hit. It is the latest in a series of games from Nintendo but is made by a developer named Niantic, which is part owned by Google.

  • Pokémon Go shouldn’t have full access to your Gmail, Docs and Google account — but it does

    When you use Google to sign into Pokémon Go, as so many of you have already, the popular game for some reason grants itself (for some iOS users, anyway) the highest possible level of access to your Google account, meaning it can read your email, location history… pretty much everything. Why does it need this, and why aren’t users told?

  • Have you given Pokémon Go full access to everything in your Google account?

    Gamers who have downloaded the Pokémon Go augmented reality game were given a scare on Monday, after noticing that the app had apparently been granted “full access” to their Google accounts.

    Taken at face value, the permissions would have represented a major security vulnerability, albeit one that only appeared to affect players who signed up to play the game using their Google account on Apple devices.

  • Pokémon Go Was Never Able To Read Your Email [Updated]

    Here’s even more confirmation that Pokémon Go never had the ability to access your Gmail or Calendar. A product security developer at Slack tested the token provided by Pokémon Go and found that it was never able to get data from services like Gmail or Calendar.

  • HTTPS is not a magic bullet for Web security

    We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

    HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

  • Now it’s easy to see if leaked passwords work on other sites

    Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

  • What serverless computing really means [iophk: "securityless"]

    Arimura even goes as far as to use the controversial “no-ops,” coined by former Netflix cloud architect Adrian Cockcroft. Again, just as there will always be servers, there will always be ops to run them. Again, no-ops and serverless computing take the developer’s point of view: Someone else has to worry about that stuff, but not me while I create software.

  • An open letter to security researchers and practitioners

    Earlier this month, the World Wide Web Consortium's Encrypted Media
    Extensions (EME) spec progressed to Draft Recommendation phase. This is
    a controversial standard for transmitting DRM-encumbered videos, and it
    marks the very first time that the W3C has attempted to standardize a
    DRM system.

    This means that for the first time, W3C standards for browsers will fall
    under laws like the DMCA (and its international equivalents, which the
    US Trade Representative has spread all over the world). These laws allow
    companies to threaten security researchers who disclose vulnerabilities
    in DRM systems, on the grounds that these disclosures make it easier to
    figure out how to bypass the DRM.

    Last summer, the Copyright Office heard from security researchers about
    the effect that DRM has on their work; those filings detail showstopper
    bugs in consumer devices, cars, agricultural equipment, medical
    implants, and voting machines that researchers felt they couldn't
    readily publish about, lest they face punitive lawsuits from the
    companies they embarrassed.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Is Your Antivirus Making Your PC More Hackable? Probably YES!

    Is your antivirus software protecting you from all kinds of malware and security threats? The answer to this question is a big NO. While one shouldn’t completely get rid of his/her antivirus solution, one shouldn’t be too carefree having them installed. We also advise our readers to follow the basic security practices to stay safe on the internet.

  • Social Media Accounts Of Twitter And Yahoo CEOs Hacked By OurMine

    Hacking group OurMine has now targeted Jack Dorsey and Marissa Mayer. OurMine recently hacked their Twitter accounts and posted messages on their profiles. OurMine has triggered the frequency of its operations in recent times and is targeting multiple high-profile tech CEOs and celebrities.

  • Let's Encrypt torpedoes cost and maintenance issues for Free RTC

    Many people have now heard of the EFF-backed free certificate authority Let's Encrypt. Not only is it free of charge, it has also introduced a fully automated mechanism for certificate renewals, eliminating a tedious chore that has been imposed upon busy sysadmins everywhere for many years.

    These two benefits - elimination of cost and elimination of annual maintenance effort - imply that server operators can now deploy certificates for far more services than they would have previously.

  • Voice Commands Hidden In YouTube Videos Can Hack Your Smartphone
  • This is quite a nice tool – magic-wormhole

    This beats doing a scp from system to system, especially if the receiving system is behind a NAT and/or firewall.

  • Entry level AI

    I was listening to the podcast Security Weekly and the topic of using AI for security work came up. This got me thinking about how most people make their way into security and what something like AI might mean for the industry.

    In virtually every industry you start out doing some sort of horrible job nobody else wants to do, but you have to start there because it's the place you start to learn the skills you need for more exciting and interesting work. Nobody wants to go over yesterday's security event log, but somebody does it.

Parrot Security OS 3.0 Ethical Hacking Distro Lands for Raspberry Pi, Cubieboard

Filed under
OS
Security

Frozenbox Network, the developer of the Parrot Security OS ethical hacking distribution for personal computers and embedded devices, announced the release of Raspberry Pi and Cubieboard 4 binary images for Parrot Security OS 3.0.


Security Leftovers

Filed under
Security
  • LWN.net Weekly Edition for June 30, 2016
  • TP-Link forgets to register domain name, leaves config pages open to hijack

    In common with many other vendors, TP-Link, one of the world's biggest sellers of Wi-Fi access points and home routers, has a domain name that owners of the hardware can use to quickly get to their router's configuration page. Unlike most other vendors, however, it appears that TP-Link has failed to renew its registration for the domain, leaving it available for anyone to buy. Any owner of the domain could feasibly use it for fake administration pages to phish credentials or upload bogus firmware. This omission was spotted by Amitay Dan, CEO of Cybermoon, and posted to the Bugtraq mailing list last week.

  • Experimenting with Post-Quantum Cryptography

    The study of cryptographic primitives that remain secure even against quantum computers is called “post-quantum cryptography”. Today we're announcing an experiment in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm in addition to the elliptic-curve key-exchange algorithm that would typically be used. By adding a post-quantum algorithm on top of the existing one, we are able to experiment without affecting user security. The post-quantum algorithm might turn out to be breakable even with today's computers, in which case the elliptic-curve algorithm will still provide the best security that today’s technology can offer. Alternatively, if the post-quantum algorithm turns out to be secure then it'll protect the connection even against a future, quantum computer.

  • HTTPS crypto’s days are numbered. Here’s how Google wants to save it

    Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe.

    In the coming months, Google servers will add a new, experimental cryptographic algorithm to the more established elliptic curve algorithm it has been using for the past few years to help encrypt HTTPS communications. The algorithm—which goes by the wonky name "Ring Learning With Errors"—is a method of exchanging cryptographic keys that's currently considered one of the great new hopes in the age of quantum computing. Like other forms of public key encryption, it allows two parties who have never met to encrypt their communications, making it ideal for Internet usage.

Security Leftovers

Filed under
Security
  • WordPress Stays Focused on Security, More Open Source CMS News

    WordPress upgraded to version 4.5.3 last month with a security release for all versions of the content management system. But it quickly discovered a number of vulnerabilities.

    A total of 17 bugs were found in the last three releases from this year, many of which allowed attackers to take over websites running on WordPress. And according to the latest estimates from BuiltWith, 48 percent of the top million websites globally run on WordPress. But popularity has a price: It is also one of the most hacked platforms.

  • Security updates for Friday
  • Building a Safer Internet with HackerOne

    A while back my friend Mårten Mickos joined HackerOne as CEO. Around that time we had lunch and he shared with me more about the company. Mårten has an impressive track record, and I could see why he was so passionate about his new gig.

Use Linux or Tor? The NSA might just be tracking you

Filed under
Linux
Security

But it seems those intent on keeping pesky government agencies out of their online business may well be shooting themselves in the virtual foot.

As documents related to the XKeyscore snooping program reveal, the US's National Security Agency has started focusing its snooping efforts on Linux Journal readers, Tails Linux, and Tor users.


Security Leftovers

Filed under
Security
  • Symantec admits it won't patch 'catastrophic' security flaws until mid-July [Ed: that’s proprietary software for you…]

    SECURITY OUTFIT Symantec has warned customers that security flaws in the firm's systems outed by Google's Project Zero last month won't be fixed until mid-July.

  • Cybersecurity: MEPs back rules to help vital services resist online threats

    Firms supplying essential services, e.g. for energy, transport, banking and health, or digital ones, such as search engines and cloud services, will have to improve their ability to withstand cyber-attacks under the first EU-wide rules on cybersecurity, approved by MEPs on Wednesday.

    Setting common cybersecurity standards and stepping up cooperation among EU countries will help firms to protect themselves, and also help prevent attacks on EU countries’ interconnected infrastructure, say MEPs.

  • European Union’s First Cybersecurity Law Gets Green Light

    The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Amazon.com Inc. to report attacks.

    The European Parliament endorsed legislation that will impose security and reporting obligations on service operators in industries such as banking, energy, transport and health and on digital operators like search engines and online marketplaces. The law, voted through on Wednesday in Strasbourg, France, also requires EU national governments to cooperate among themselves in the field of network security.

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • Java Deserialization attacks on JBoss Middleware

    Recent research by Chris Frohoff and Gabriel Lawrence has exposed gadget chains in various libraries that allow code to be executed during object deserialization in Java. They've done some excellent research, including publishing some code that allows anyone to serialize a malicious payload that when deserialized runs the operating system command of their choice, as the user which started the Java Virtual Machine (JVM). The vulnerabilities are not with the gadget chains themselves but with the code that deserializes them.

  • Linux Mint 18 improves security, but at a cost

    The default update settings of Linux Mint would not update the Linux kernel or notify the user when security updates and bug fixes were published upstream (from Ubuntu, which Mint is directly based on, or Debian, which is the basis of Ubuntu). This default behavior left users vulnerable to root exploits, and potential hardware issues for which patches were issued alongside security fixes. Other upstream updates were also blacklisted from Linux Mint for conflicting with the design of the Cinnamon desktop.

  • Safer automotive software through Open Source?

    Linux is about to conquer one of the last blank spots in the world of open source software: The car. EE Times Europe talked with Dan Cauchy, General Manager of Automotive at the Linux Foundation, about intentions and status of Automotive Grade Linux.

More in Tux Machines

Salix 14.2 Xfce Edition Officially Released Based on Slackware 14.2, Xfce 4.12

After being in development for the past three months, the Salix 14.2 Xfce Edition operating system has finally hit the stable channels, and it is now available for download. Based on the Slackware 14.2 GNU/Linux distribution and built around the lightweight and highly customizable Xfce 4.12 desktop environment, Salix 14.2 Xfce Edition ships with numerous improvements and new features that some of you who managed to test-drive the Beta and Release Candidate pre-releases are already accustomed to. Of course, many of the core components and default applications have been updated to their latest versions.

Leftovers: Security

  • Tor 0.2.8.7 Addresses Important Bug Related to ReachableAddresses Option
    The Tor Project, through Nick Mathewson, is pleased to inform the Tor community about the release and general availability of yet another maintenance update to the Tor 0.2.8 stable series.
  • Emergency Service Window for Kolab Now
    We’re going to need to free up a hypervisor and put its load on other hypervisors, in order to pull out the one hypervisor and have some of its faulty hardware replaced — but there are two problems; The hypervisor to free up has asserted required CPU capabilities most of the eligible targets do not have — this prevents a migration that does not involve a shut down, reconfiguration, and restart of the guest.

TheSSS 19.0 Linux Server Out with Kernel 4.4.14, Apache 2.4.23 & MariaDB 10.1.16

TheSSS (The Smallest Server Suite) is one of the lightest Linux kernel-based operating systems designed to be used as an all-around server for home users, as well as small- and medium-sized businesses looking for a quick and painless way of distributing files across networks or to simply test some web-based software.

GNOME Control Center 3.22 to Update the Keyboard Settings, Improve Networking

The upcoming GNOME 3.22 desktop environment is still in the works, and a first Beta build was seeded to public beta testers last week, bringing multiple enhancements and new features to most of its core components and apps. While GNOME 3.22 Beta was announced on August 22, it appears that the maintainers of certain core packages needed a little more time to work on various improvements and polish their applications before they were suitable for public testing. And this is the case of GNOME Control Center, which was recently updated to version 3.21.90, which means 3.22 Beta.