Security

Security: Canonical, CVE-2017-12836, GDPR, CIS, Fancy Bear and More

Filed under
Security

Change Control Security Fixes

Filed under
Development
Security

Ubuntu Received 29 Security Patches for 15 Supported Packages in the Last Week

Filed under
Security

Canonical's James Donner published the August 10, 2017, weekly update on the Ubuntu Security team's activities, in which the team triaged 242 security vulnerability reports and posted 13 USNs (Ubuntu Security Notices).

Security: AI Apocalypse and Microsoft Windows Apocalypse

Filed under
Security

Security: Updates, Password Advice, Salesforce, Pacer and More

Filed under
Security
  • Security updates for Thursday
  • Password guru regrets past advice

    Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols - so, for example, "protected" might become "pr0t3cT3d4!".

    The problem, he believes, is that the theory came unstuck in practice.

    Mr Burr now acknowledges that his 2003 manual was "barking up the wrong tree".

  • Salesforce “red team” members present tool at Defcon, get fired

    At Defcon in Las Vegas last month, word rapidly spread that two speakers—members of Salesforce's internal "red team"—had been fired by a senior executive from Salesforce "as they left the stage." Those two speakers, who presented under their Twitter handles, were Josh "FuzzyNop" Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer.

  • “Pretty egregious” security flaw raises questions about Pacer

    The Pacer court document service used by more than a million journalists and lawyers has raked in more than $1 billion since it was established in 1995, but a new report questions whether its administrators have put enough of that windfall into securing the system. Hanging in the balance is the reliability of a service that's crucial for the smooth functioning of the entire US federal court system.

    Until Wednesday, Pacer suffered from a vulnerability that made it possible for hackers to charge download and search-query fees to other users, as long as those users visited a booby-trapped webpage while logged in to a Pacer website. Officials with the non-profit known as the Free Law Project also speculate that the same flaw—known as a cross-site request forgery—may also have allowed hackers to file court documents on behalf of unsuspecting attorneys who happened to be logged in to Pacer. If the speculation is correct, the flaw had the potential to severely disrupt or complicate ongoing court cases. Pacer administrators, however, have told Free Law the fraudulent filing hack wasn't possible.

    Even if the hypothesis is wrong, the flaw still made it possible for hackers to cause Pacer users to be billed for services they never requested. The users would have a hard time figuring out why they were being charged for downloads and searches they never made. Even when the users changed passwords, their accounts could still rack up fraudulent charges whenever they were simultaneously logged in to the hacked or malicious site and one of the Pacer sites.

  • How cloud-native security can prevent modern attacks

    When I first set out to start my company, I received some backlash from a former colleague that cybersecurity was not “interesting anymore.” I disagreed, which I’m sure most people now do. As technology evolves, there will always be new ways (and new groups) to hack into systems, whether it’s for fun, profit or for national security reasons. That’s why it’s no surprise that within the past few years, cybersecurity has been a top concern for businesses. According to a recent report, cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion just a year ago, proving that enterprises literally cannot afford to forgo strong cybersecurity measures.

  • We can stop hacking {sic} and trolls, but it would ruin the internet

    A new way to run the internet would scupper ransomware and hacking, but its authoritarian backers could control everything we do online

  • Mingis on Tech: Android vs iOS – Which is more secure?

Red Hat and Servers

Filed under
Red Hat
Security

Security: Updates, Mastering matplotlib, Carbon Black, DDOS Arrests, and HashiCorp

Filed under
Security
  • Security updates for Wednesday
  • Mastering matplotlib: Acknowledgments
  • More Details on the PACER Vulnerability We Shared with the Administrative Office of the Courts

    PACER/ECF is a system of 204 websites that is run by the Administrative Office of the Courts (AO) for the management of federal court documents. The main function of PACER/ECF is for lawyers and the public to upload and download court documents such as briefs, memos, orders, and opinions.

    In February we reported that we disclosed a major vulnerability in PACER/ECF to the AO. The proof of concept and disclosure/resolution timeline are available here.

  • Endpoint security firm leaking terabytes of data

    Endpoint security software vendor Carbon Black has been found to be exfiltrating data from several Fortune 1000 companies due to the architecture of its Cb Response software, the information security services and managed services provider DirectDefense claims.

  • Teenagers charged over allegedly running huge DDoS operation

    Two Israeli teenagers, who have been alleged to have co-founded and run a company used for launching distributed denial of service attacks, have been arrested and indicted on conspiracy and hacking charges.

  • HashiCorp Vault Brings Disaster Recovery to Secrets Management

    HashiCorp has released new versions of both its open-source and enterprise editions of its Vault secrets management platform, providing new scalability and security operations capabilities.

    Vault helps organizations securely store and access application tokens, passwords and authentication credentials, which collectively are commonly referred to as "secrets" in an information security context.

Security: Fines for Insecurity, Open Source Security Podcast, Linux Security Questions, Updates and More

Filed under
Security

Security: HTTPS, System Administration, Botnets, Binary Scans, and Node.js

Filed under
Security
  • Everything is an HTTPS interface

    Serverless applications by their nature are heavily decomposed into a variety of services, such as autonomous functions, object storage, authentication services, document databases, and pub/sub message queues. The interfaces between these services are typically HTTPS. When you’re using the AWS SDK to call an AWS service, the interface it’s calling under the hood is an HTTPS interface. This is true for the majority of cloud platforms, with some alternative protocols occasionally being used (WebSockets and MQTT) in specific use cases.

  • Future Proof Your SysAdmin Career: Locking Down Security

    For today’s system administrators, gaining competencies that move them up the technology stack and broaden their skillsets is increasingly important. However, core skills like networking remain just as crucial. Previously in this series, we've provided an overview of essentials and looked at evolving network skills. In this part, we focus on another core skill: security.

    With ever more impactful security threats emerging, the demand for fluency with network security tools and practices is increasing for sysadmins. That means understanding everything from the Open Systems Interconnect (OSI) model to devices and protocols that facilitate communication across a network.

  • The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

    While fighting botnets like Mirai and BrickerBot with another botnet, Hajime, may help prevent denial-of-service attacks on the IoT, the best defense is a basic system security-hardening plan.

  • Security Scan Checks Binary Open Source [Ed: Someone turned the openwashing press release into an article. Proprietary trying to come across as "open"]
  • Malicious code in the Node.js npm registry shakes open source trust model

    Software development relies heavily on trust, especially when it comes to open source components. JavaScript developers recently got a reminder just how fragile the trust model is with the news that 39 malicious packages were removed from npm, the Node.js package management registry.

Security: MalwareTech, F2FS, and WannaCry

Filed under
Security
  • MalwareTech released on bail; supporters to meet Wednesday

    MalwareTech, the cyber security researcher who halted the WannaCry ransomware virus earlier this year and was arrested in Las Vegas last week, will be released on bail today and will travel directly to Milwaukee for a court appearance tomorrow in the Eastern District of Wisconsin – Update: the arraignment is rescheduled for 10am on Monday, 14 August. After 24 hours of no information about his arrest, and a flurry of international news coverage, it was reported that MalwareTech, who lives in the UK and who was in the US for Defcon, was not a flight risk and will be allowed out on $30,000 bail.

  • Marcus Hutchins freed on bail, to face court on 14 Aug
  • Regarding Marcus Hutchins aka MalwareTech
  • F2FS Hit By Three Security Vulnerabilities: Memory Corruption, Possible Code Execution

    Btrfs isn't the only Linux file-system taking some heat: the Flash-Friendly File-System (F2FS) is now having a tough week with three CVEs going public.

  • How leaked exploits empower cyber criminals [Ed: The problem is the stockpiling and the back doors (e.g. by design, see Microsoft-NSA collaborations), not just the leaks.]

    A central theme in the 2016 report was the issues that arose from the Mirai botnet and the takeover of numerous insecure IoT devices. Although those record-setting DDoS attacks were vastly different from 2017’s outbreak of WannaCry ransomware and the destructive NotPetya malware, the events share a similar root cause: leaked exploits and source code. IoT botnets and data-encrypting malware were of course common before those incidents; however, the September 2016 release of the Mirai source code and the April 2017 release of NSA exploits exacerbated the crime.
