Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Linux Security Summit 2016 – CFP Announced!

    The 2016 Linux Security Summit (LSS) will be held in Toronto, Canada, on 25th and 26th, co-located with LinuxCon North America. See the full announcement.

  • Tuesday's security updates
  • Your computerdump sister also can hack Linux – Orange Tekno Time

    A newly discovered vulnerability makes it incredibly easy to break into a large pool of Linux-based computers. A security hole found in Grub2, a widely-used bootloader in many Linux distributions including Ubuntu and Red Hat, allows a user to login to a computer by pressing the backspace key 28 times. Various Linux distributions have released a patch for the vulnerability.

  • New DDoS Defense Turns Servers Into 'Moving Targets'

    The distributed denial-of-service (DDoS) attack is the classic cheap hack. It requires virtually nothing of those who wield it beyond the ability to download something from the internet, yet a DDoS offers unusually public consequences (most real security breaches happen in the dark). It is also difficult to defend against, in some part because it doesn't involve actually breaching a network at all—just flooding it with more innocuous-seeming traffic than it can handle.

  • Google Offers Rare Glimpse at Its Data Center Security Measures

    Laser beam intrusion detection systems, iris scanners and customized access cards are just some of the controls that Google uses to protect its data centers.

    A laser beam intrusion detection system, customized electronic access cards and biometric iris scans are just some of the multilevel security measures that Google has implemented to control access to its data centers.

  • Ransomware is scary, but not for the reasons you think it is

    If we keep thinking about this and bring the ransomware to its logical conclusion, the future versions are going to request a constant ongoing payment. Not a one time get out of jail free event. Why charge them once when you can charge them over and over again? Most modern infrastructures are complex enough it will be hard to impossible to remove an extremely clever bit of malware. It's going to be time for the good guys to step it up here, more thoughts on that some other day though.

    There is even a silly angle that's fun to ponder. We could imagine ransomware that attacks other known malware. If the ransomware is getting a constant ongoing payment, it would be bad if anything else could remove it, from legitimate software to other ransomware. While I don't think antivirus and ransomware will ever converge on the same point, it's still fun to think about.

KDE Plasma 5.6 Gets Its First Point Release, Brings Small Bug Fixes

Filed under
KDE
Security

Today, March 29, 2016, KDE had the great pleasure of announcing the immediate availability of the first point release for the stable KDE Plasma 5.6 desktop environment.

Read more

Security Leftovers

Filed under
Security
  • XSS Hits Zen Cart Open-Source E-commerce App

    Multiple Cross-Site Scripting (XSS) vulnerabilities have been uncovered in the popular online open source shopping cart application, Zen Cart.

    XSS, allows the attacker to inject malicious client-side scripts into a website, which are later executed by the victims while browsing the website. There are different cross-site scripting variants, all of which can be used to craft different types of attacks. In this case, malicious XSS injections could result in hackers gaining access to cookies and sensitive information, and could allow site defacement, which can result in further attacks.

  • Popular Shopping Cart App Plugs Dozens of XSS Vulnerabilities

    Popular open source shopping cart app Zen Cart is warning its users of dozens of cross-site scripting vulnerabilities found in its software. Affected websites, security experts say, risk exposing customers to malware, theft of cookies data and site defacement.

    Researchers at the security firm Trustwave discovered the vulnerabilities in September 2015 and have worked closely with Zen Cart to update the (1.5.4) shopping cart software. On March 17, Zen Cart released a 1.5.5 update to its software along with a patch for previous versions of Zen Cart, for those customers that wanted to continue using the older platform. Public disclosure of the vulnerability was on Friday.

  • CVE-2016-0774 Linux Kernel moderate vulnerability

A Peek At Upcoming Open Source Enhancements In IBM i

Filed under
OSS
Security

It's hard to quantify the value created through open source development of software. Last year, the Linux Foundation released a white paper that found the total value of the development of the Linux operating system amounted to $5 billion. In 2013, IBM itself committed to donating $1 billion in cold hard cash to further development of Linux and other open source projects. When one considers that nearly all of the cutting-edge IT work being done in distributed computing (i.e., the worlds of Hadoop, Spark, Kafka, and NoSQL databases) involves open sharing of source code--mostly through the Apache Software Foundation--then the humongous value that open source brings comes into view.

Read more

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Secure code before or after sharing?[Ed: FUD season. US moving to FOSS, so parasites pop up]

    The White House wants federal agencies to share more of their custom code with each other, and also to provide more of it to the open source community. That kind of reuse and open source development of software could certainly cut costs and provide more able software in the future, but is this also an opening for more bugs and insecure code?

  • SMTP Strict Transport Security Standard Drafted for Email Security

    Love it or hate it, email remains a must-have tool in the modern Internet, though email isn't always as secure as it should be. When users connect to email servers, those connections have the potential to be intercepted by attackers, so there is a need for standards, like the new SMTP Strict Transport Security (STS) standard, published March 18 as an Internet Engineering Task Force (IEFT) draft.

  • Certified Ethical Hacker website caught spreading crypto ransomware
  • Certificate pinning is a useful thing, says Netcraft. So why do hardly any of you use it?

    Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

    Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority to issue a fraudulent certificate for a site.

    If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

  • Oracle issues emergency Java patch for bug leading to system hijack

    Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.

  • Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection [iophk: The FBI needs to prosecute those that brought Windows into the hospital.]

    A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

  • Judge Won’t Consider EFF’s Arguments in FBI Mass Hacking Case

    Earlier this month, digital rights group the Electronic Frontier Foundation (EFF) filed a strongly worded amicus brief arguing that the warrant used by the FBI for its use of malware to identify visitors of a dark web child pornography site was “unconstitutional,” and qualified as a broad, “general warrant.”

    But on Tuesday, Robert J. Bryan, the district judge overseeing the case rejected the group’s argument, saying it contained allegations of fact not supported in the record, and that it was simply repeating arguments already made by the defense.

    “According to EFF, a self-proclaimed ‘recognized expert’ on the intersection of civil liberties and technology, the law enforcement techniques employed in this case present novel questions of Fourth Amendment law,” Bryan writes in his order. The brief was signed by Mark Rumold, Nate Cardozo, and Andrew Crocker from the EFF, and Venkat Balasubramani, an attorney who is representing the organization.

  • Security education outfit EC-Council dishes out ransomware online

    Senior threat intelligence man Yonathan Klijnsma says the website of the EC-Council, the organisation responsible for the Ethical Hacker certification, is serving the dangerous Angler exploit kit to infect PCs.

    Klijnsma of Dutch firm Fox-IT says the website was serving the world's most highly-capable and dangerous exploit kit hours ago to users of Internet Explorer.

    Checks by this writer appear to show it is still serving the exploit at the time of publication.

  • Weak links in the blockchain: We're neglecting the foundations

    Premature infatuation with blockchain overlooks security weaknesses in the platform that underlies Bitcoin digital currency.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security

FreeNAS 9.10 Open-Source Storage Operating System Adds USB 3.0 & Skylake Support

Filed under
Security
BSD

Jordan Hubbard from the FreeNAS project, an open-source initiative to create a powerful, free, secure, and reliable NAS (Network-attached storage) operating system based on BSD technologies, announced the release of FreeNAS 9.10.

FreeNAS 9.10 is the tenth maintenance release in the current stable 9.x series of the project, thus bringing the latest security patches from upstream, support for new devices, as well as several under-the-hood updates. As expected, FreeNAS 9.10 has been rebased on the latest FreeBSD 10.3 RC3 (Release Candidate) release.

Read more

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Cryptostalker, a Tool to Detect Crypto-Ransomware on Linux

    A while back, we stumbled upon an interesting GitHub repo dubbed randumb, which included an example called Cryptostalker, advertised as a tool to detect crypto-ransomware on Linux.

    Cryptostalker and the original project randumb are the work of Sean Williams, a developer from San Francisco. Mr. Williams wanted to create a tool that monitored the filesystem for newly written files, and if the files contained random data, the sign of encrypted content, and they were written at high speed, it would alert the system's owner.

  • Google slings critical patch at exploited Linux kernel root hole

    Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices.

    The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18.

  • Everything is fine, nothing to see here!

    Today everyone who is REALLY, I mean REALLY REALLY good at security got there through blood sweat and tears. Nobody taught them what they know, they learned it on their own. Many of us didn't have training when we were learning these things. Regardless of this though, if training is fantastic, why does it seem there is a constant march toward things getting worse instead of better? That tells me we're not teaching the right skills to the right people. The skills of yesterday don't help you today, and especially don't help tomorrow. By its very definition, training can only cover the topics of yesterday.

  • Inside the Starburst-sized box that could save the Internet

    Cybercrime is costing us millions. Hacks drain the average American firm of $15.4 million per year, and, in the resulting panic, companies often spend more than $1.9 million to resolve a single attack. It’s time to face facts: Our defenses aren’t strong enough to keep the hackers out.

  • Utah’s Online Caucus Gives Security Experts Heart Attacks

    On Tuesday, registered Republicans in Utah who want to participate in their state’s caucus will have the option to either head to a polling station and cast a vote in person or log onto a new website and choose their candidate online. To make this happen, the Utah GOP paid more than $80,000 to the London-based company Smartmatic, which manages electronic voting systems and internet voting systems in 25 countries and will run the Utah GOP caucus system.

Syndicate content

More in Tux Machines

Leftovers: OSS

OSS in the Back End

  • Open Source NFV Part Four: Open Source MANO
    Defined in ETSI ISG NFV architecture, MANO (Management and Network Orchestration) is a layer — a combination of multiple functional entities — that manages and orchestrates the cloud infrastructure, resources and services. It is comprised of, mainly, three different entities — NFV Orchestrator, VNF Manager and Virtual Infrastructure Manager (VIM). The figure below highlights the MANO part of the ETSI NFV architecture.
  • After the hype: Where containers make sense for IT organizations
    Container software and its related technologies are on fire, winning the hearts and minds of thousands of developers and catching the attention of hundreds of enterprises, as evidenced by the huge number of attendees at this week’s DockerCon 2016 event. The big tech companies are going all in. Google, IBM, Microsoft and many others were out in full force at DockerCon, scrambling to demonstrate how they’re investing in and supporting containers. Recent surveys indicate that container adoption is surging, with legions of users reporting they’re ready to take the next step and move from testing to production. Such is the popularity of containers that SiliconANGLE founder and theCUBE host John Furrier was prompted to proclaim that, thanks to containers, “DevOps is now mainstream.” That will change the game for those who invest in containers while causing “a world of hurt” for those who have yet to adapt, Furrier said.
  • Is Apstra SDN? Same idea, different angle
    The company’s product, called Apstra Operating System (AOS), takes policies based on the enterprise’s intent and automatically translates them into settings on network devices from multiple vendors. When the IT department wants to add a new component to the data center, AOS is designed to figure out what needed changes would flow from that addition and carry them out. The distributed OS is vendor-agnostic. It will work with devices from Cisco Systems, Hewlett Packard Enterprise, Juniper Networks, Cumulus Networks, the Open Compute Project and others.
  • MapR Launches New Partner Program for Open Source Data Analytics
    Converged data vendor MapR has launched a new global partner program for resellers and distributors to leverage the company's integrated data storage, processing and analytics platform.
  • A Seamless Monitoring System for Apache Mesos Clusters
  • All Marathons Need a Runner. Introducing Pheidippides
    Activision Publishing, a computer games publisher, uses a Mesos-based platform to manage vast quantities of data collected from players to automate much of the gameplay behavior. To address a critical configuration management problem, James Humphrey and John Dennison built a rather elegant solution that puts all configurations in a single place, and named it Pheidippides.
  • New Tools and Techniques for Managing and Monitoring Mesos
    The platform includes a large number of tools including Logstash, Elasticsearch, InfluxDB, and Kibana.
  • BlueData Can Run Hadoop on AWS, Leave Data on Premises
    We've been watching the Big Data space pick up momentum this year, and Big Data as a Service is one of the most interesting new branches of this trend to follow. In a new development in this space, BlueData, provider of a leading Big-Data-as-a-Service software platform, has announced that the enterprise edition of its BlueData EPIC software will run on Amazon Web Services (AWS) and other public clouds. Essentially, users can now run their cloud and computing applications and services in an Amazon Web Services (AWS) instance while keeping data on-premises, which is required for some companies in the European Union.

today's howtos

Industrial SBC builds on Raspberry Pi Compute Module

On Kickstarter, a “MyPi” industrial SBC using the RPi Compute Module offers a mini-PCIe slot, serial port, wide-range power, and modular expansion. You might wonder why in 2016 someone would introduce a sandwich-style single board computer built around the aging, ARM11 based COM version of the original Raspberry Pi, the Raspberry Pi Compute Module. First off, there are still plenty of industrial applications that don’t need much CPU horsepower, and second, the Compute Module is still the only COM based on Raspberry Pi hardware, although the cheaper, somewhat COM-like Raspberry Pi Zero, which has the same 700MHz processor, comes close. Read more