Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • How to secure MongoDB on Linux or Unix production server

    MongoDB is a free and open-source NoSQL document database server. It is used by web application for storing data on a public facing server. Securing MongoDB is critical. Crackers and hackers are accessing insecure MongoDB for stealing data and deleting data from unpatched or badly-configured databases. In this tutorial you will learn about how to secure a MongoDB instance or server running cloud server.

  • MongoDB Ransomware Attacks Grow in Number

    Last week when the news started hitting the net about ransomware attacks focusing on unprotected instances of MongoDB, it seemed to me to be a story that would have a short life. After all, the attacks weren’t leveraging some unpatched vulnerabilities in the database, but databases that were misconfigured in a way that left them reachable via the Internet, and with no controls — like a password other than the default — over who had privileges. All that was necessary to get this attack vector under control was for admins to be aware of the situation and to be ready and able to reconfigure and password protect.

  • FTC will pay you to build an IoT security checker

    The Federal Trade Commission (FTC) wants the public to take a crack at developing tools to improve security around Internet of Things (IoT) devices.

    Specifically, the FTC is hosting a competition challenging the public to create a technical solution that would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords.

  • Security advisories for Monday
  • Security Advice: Bad, Terrible, or Awful

    As an industry, we suck at giving advice. I don’t mean this in some negative hateful way, it’s just the way it is. It’s human nature really. As a species most of us aren’t very good at giving or receiving advice. There’s always that vision of the wise old person dropping wisdom on the youth like it’s candy. But in reality they don’t like the young people much more than the young people like them. Ever notice the contempt the young and old have for each other? It’s just sort of how things work. If you find someone older and wiser than you who is willing to hand out good advice, stick close to that person. You won’t find many more like that.

Open source server simplifies HTTPS, security certificates

Filed under
OSS
Security

For administrators seeking an easier method to turn on HTTPS for their websites, there is Caddy, an open source web server that automatically sets up security certificates and serves sites over HTTPS by default.

Built on Go 1.7.4, Caddy is a lightweight web server that supports HTTP/2 out of the box and automatically integrates with any ACME-enabled certificate authority such as Let’s Encrypt. HTTP/2 is enabled by default when the site is served over HTTPS, and administrators using Caddy will never have to deal with expired TLS certificates for their websites, as Caddy handles the process of obtaining and deploying certificates.

Read more

MongoDB Misconfiguration and Ransom, NSA Windows Cracking

Filed under
Security

Security News

Filed under
Security
  • 6 ways to secure air-gapped computers from data breaches

    How do you avoid this? Depending upon the nature of the data contained within the air-gapped system, you should only allow certain staff members access to the machine. This might require the machine to be locked away in your data center or in a secured room on the premises. If you don't have a data center or a dedicated room that can be locked, house the computer in the office of a high-ranking employee.

  • Possibly Smart, Possibly Stupid, Idea Regarding Tor & Linux Distributions

    I will admit that I have not fully thought this through yet, so I am
    writing this in the hope that other folk will follow up, share their
    experiences and thoughts.

    So: I have installed a bunch of Tor systems in the past few months -
    CentOS, Ubuntu, Raspbian, Debian, OSX-via-Homebrew - and my abiding
    impression of the process is one of "friction".

    Before getting down to details, I hate to have to cite this but I have been
    a coder and paid Unix sysadmin on/off since 1988, and I have worked on
    machines with "five nines" SLAs, and occasionally on boxes with uptimes of
    more than three years; have also built datacentres for Telcos, ISPs and
    built/setup dynamic provisioning solutions for huge cluster computing. The
    reason I mention this is not to brag, but to forestall

  • [Older] Introducing rkt’s ability to automatically detect privilege escalation attacks on containers

    Intel's Clear Containers technology allows admins to benefit from the ease of container-based deployment without giving up the security of virtualization. For more than a year, rkt's KVM stage1 has supported VM-based container isolation, but we can build more advanced security features atop it. Using introspection technology, we can automatically detect a wide range of privilege escalation attacks on containers and provide appropriate remediation, making it significantly more difficult for attackers to make a single compromised container the beachhead for an infrastructure-wide assault.

  • Diving back into coreboot development

    Let me first introduce myself: I’m Youness Alaoui, mostly known as KaKaRoTo, and I’m a Free/Libre Software enthusiast and developer. I’ve been hired by Purism to work on porting coreboot to the Librem laptops, as well as to try and tackle the Intel ME issue afterwards.

    I know many of you are very excited about the prospect of having coreboot running on your Librem and finally dropping the proprietary AMI BIOS that came with it. That’s why I’ll be posting reports here about progress I’m making—what I’ve done so far, and what is left to be done.

  • Web databases hit in ransom attacks

    Gigabytes of medical, payroll and other data held in MongoDB databases have been taken by attackers, say security researchers.

  • Why HTTPS for Everything?

    HTTPS enables privacy and integrity by default. It is going to be next big thing. The internet’s standards bodies, web browsers, major tech companies, and the internet community of practice have all come to understand that HTTPS should be the baseline for all web traffic. Ultimately, the goal of the internet community is to establish encryption as the norm, and to phase out unencrypted connections. Investing in HTTPS makes it faster, cheaper, and easier for everyone.

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Linux KillDisk Ransomware Can't Decrypt

    Disk-wiping malware known as KillDisk, which has previously been used in hack attacks tied to espionage operations, has been given an update. Now, the malware works on Linux as well as Windows systems and also includes the ability to encrypt files, demand a bitcoin ransom and leave Linux systems unbootable.

  • GNU Officially Boots Libreboot

    FSF and GNU decide to grant Libreboot lead developer Leah Rowe’s wishes. The project is no longer a part of GNU says RMS.

Security News

Filed under
Security

Security News

Filed under
Security
  • 8 Docker security rules to live by

    Odds are, software (or virtual) containers are in use right now somewhere within your organization, probably by isolated developers or development teams to rapidly create new applications. They might even be running in production. Unfortunately, many security teams don’t yet understand the security implications of containers or know if they are running in their companies.

    In a nutshell, Linux container technologies such as Docker and CoreOS Rkt virtualize applications instead of entire servers. Containers are superlightweight compared with virtual machines, with no need for replicating the guest operating system. They are flexible, scalable, and easy to use, and they can pack a lot more applications into a given physical infrastructure than is possible with VMs. And because they share the host operating system, rather than relying on a guest OS, containers can be spun up instantly (in seconds versus the minutes VMs require).

  • Zigbee Writes a Universal Language for IoT

    The nonprofit Zigbee Alliance today unveiled dotdot, a universal language for the Internet of Things (IoT).

    The group says dotdot takes the IoT language at Zigbee’s application layer and enables it to work across different networking technologies.

  • $25,000 Prize Offered in FTC IoT Security Challenge

    It appears as if the Federal Trade Commission is getting serious about Internet of Things security issues -- and it wants the public to help find a solution. The FTC has announced a contest it's calling the "IoT Home Inspector Challenge." What's more, there's a big payoff for the winners, with the Top Prize Winner receiving up to $25,000 and each of a possible three "honorable Mentions" getting $3,000. Better yet, winners don't have to fork over their intellectual property rights, and will retain right to their submissions.

    Of course, the FTC is a federal agency, and with a change of administrations coming up in a couple of weeks, it hedges its bet a bit with a caveat: "The Sponsor retains the right to make a Prize substitution (including a non-monetary award) in the event that funding for the Prize or any portion thereof becomes unavailable." In other words, Obama has evidently given the go-ahead, but they're not sure how Trump will follow through.

  • LG threatens to put Wi-Fi in every appliance it releases in 2017

    In the past few years, products at CES have increasingly focused on putting the Internet in everything, no matter how "dumb" the device in question is by nature. It's how we've ended up with stuff like this smart hairbrush, this smart air freshener, these smart ceiling fans, or this $100 pet food bowl that can order things from Amazon.

  • Ex-MI6 Boss: When It Comes To Voting, Pencil And Paper Are 'Much More Secure' Than Electronic Systems

    Techdirt has been worried by problems of e-voting systems for a long time now. Before, that was just one of our quaint interests, but over the last few months, the issue of e-voting, and how secure it is from hacking, specifically hacking by foreign powers, has become a rather hot topic. It's great that the world has finally caught up with Techdirt, and realized that e-voting is not just some neat technology, and now sees that democracy itself is at play. The downside is that because the stakes are so high, the level of noise is too, and it's really hard to work out how worried we should be about recent allegations, and what's the best thing to do on the e-voting front.

  • Five things that got broken at the oldest hacking event in the world

    Chaos Communications Congress is the world’s oldest hacker conference, and Europe’s largest. Every year, thousands of hackers gather in Hamburg to share stories, trade tips and discuss the political, social and cultural ramifications of technology.

    As computer security is a big part of the hacker world, they also like to break things. Here are five of the most important, interesting, and impressive things broken this time.

Security News

Filed under
Security
  • KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption
  • KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
  • lecture: What could possibly go wrong with (insert x86 instruction here)? [Ed: video]

    Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as how to bypass kernel ASLR. This talk does not require any knowledge about assembly. We promise.

    When hunting for bugs, the focus is mostly on the software layer. On the other hand, hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputing a result. However, the internal state of the hardware leaks information about the programs that are running. Unlike software bugs, these bugs are not easy to patch on current hardware, and manufacturers are also reluctant to fix them in future generations, as they are tightly tied with performance optimizations.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • MongoDB Data Being Held For Ransom

    If you're using MongoDB, you might want to check to make sure you have it configured properly -- or better yet, that you're running the latest and greatest -- to avoid finding it wiped and your data being held for ransom.

    A hacker who goes by the name Harak1r1 is attacking unprotected MongoDB installations, wiping their content and installing a ransom note in place of the the stolen data. The cost to get the data returned is 0.2 bitcoin, which comes to about $203. If that sounds cheap, it isn't. Not if you're deploying multiple Mongo databases and they all get hit -- which has been happening.

Security News

Filed under
Security
Syndicate content

More in Tux Machines

Games and CrossOver

Red Hat and Fedora

Android Leftovers

Leftovers: OSS and Sharing

  • CoreOS Tectonic Now Installs Kubernetes on OpenStack
    CoreOS and OpenStack have a somewhat intertwined history, which is why it's somewhat surprising it took until today for CoreOS's Tectonic Kubernetes distribution to provide an installer that targets OpenStack cloud deployments.
  • Docker and Core OS plan to donate their container technologies to CNCF
    Containers have become a critical component of modern cloud, and Docker Inc. controls the heart of containers, the container runtime. There has been a growing demand that this critical piece of technology should be under control of a neutral, third party so that the community can invest in it freely.
  • How Blockchain Is Helping China Go Greener
    Blockchain has near-universal applicability as a distributed transaction platform for securely authenticating exchanges of data, goods, and services. IBM and the Beijing-based Energy-Blockchain Labs are even using it to help reduce carbon emissions in air-polluted China.
  • An efficient approach to continuous documentation
  • The peril in counting source lines on an OSS project
    There seems to be a phase that OSS projects go through where as they mature and gain traction. As they do it becomes increasingly important for vendors to point to their contributions to credibly say they are the ‘xyz’ company. Heptio is one such vendor operating in the OSS space, and this isn’t lost on us. :) It helps during a sales cycle to be able to say “we are the a big contributor to this project, look at the percentage of code and PRs we submitted”. While transparency is important as is recognizing the contributions that key vendors, focus on a single metric in isolation (and LoC in particular) creates a perverse incentive structure. Taken to its extreme it becomes detrimental to project health.
  • An Open Source Unicycle Motor
    And something to ponder. The company that sells this electric unicycle could choose to use a motor with open firmware or one with closed firmware. To many consumers, that difference might not be so significant. To this consumer, though, that’s a vital difference. To me, I fully own the product I bought when the firmware is open. I explain to others that they ought to choose that level of full ownership whenever they get a chance. And if they join a local makerspace, they will likely meet others with similar values. If you don’t yet have a makerspace in your community, inquire around to see if anyone is in the process of forming one. Then find ways to offer them support. That’s how we do things in the FOSS community.
  • The A/V guy’s take on PyCon Pune
    “This is crazy!”, that was my reaction at some point in PyCon Pune. This is one of my first conference where I participated in a lot of things starting from the website to audio/video and of course being the speaker. I saw a lot of aspects of how a conference works and where what can go wrong. I met some amazing people, people who impacted my life , people who I will never forget. I received so much of love and affection that I can never express in words. So before writing anything else I want to thank each and everyone of you , “Thank you!”.
  • Azure Service Fabric takes first tentative steps toward open source [Ed: Microsoft Peter is openwashing a patent trap with back doors]
  • Simulate the Internet with Flashback, a New WebDev Test Tool from LinkedIn
  • Mashape Raises $18M for API Gateway Tech
    Casado sees Mashape's Kong API gateway in particular as being a particularly well positioned technology. Kong is an open-source API gateway and microservice management technology.
  • PrismTech to Demonstrate Open Source FACE 2.1 Transport Services Segment (TSS) Reference Implementation at Air Force FACE Technical Interchange Meeting
    PrismTech’s TSS reference implementation is being made available under GNU Lesser General Public License (LGPL) v3 open source license terms.
  • How Open-Source Robotics Hardware Is Accelerating Research and Innovation

    The latest issue of the IEEE Robotics & Automation Magazine features a special report on open-source robotics hardware and its impact in the field.