Security

Security Leftovers

Filed under
Security
  • Re-thinking Web App Security

    The implications of storing your data locally are quite profound.

  • ASLR^CACHE Attack Defeats Address Space Layout Randomization

    Researchers from VUSec found a way to break ASLR via an MMU side-channel attack that even works in JavaScript. Does this matter? Yes, it matters. A lot. The discovery of this security flaw, along with its practical implementation, is really important for two reasons: what it means for ASLR to be broken, and how the MMU side-channel attack works inside the processor.

  • The Biggest Risk with Container Security is Not Containers

    Container security may be a hot topic today, but we’re failing to recognize lessons from the past. As an industry our focus is on the containerization technology itself and how best to secure it, with the underlying logic that if the technology is itself secure, then so too will be the applications hosted.

    Unfortunately, the reality is that few datacenter attacks are focused on compromising the container framework. Yes, such attacks do exist, but the priority for malicious actors is mounting an attack on applications and data; increasingly for monetary reasons. According to SAP, more than 80 percent of all cyberattacks are specifically targeting software applications rather than the network.


CloudLinux 7 Gets New Linux Kernel Update to Fix Memory Leak, XFS Issue, More

Filed under
Linux
Security

CloudLinux's Mykola Naugolnyi announced today the availability of a new kernel update for CloudLinux 7 operating system series, urging users to update their machines immediately.

CloudLinux 7's kernel packages have been updated to version 3.10.0-427.36.1.lve1.4.37, which has been marked as ready for production and is available from the stable repositories of the operating system.

Today's kernel replaces version 3.10.0-427.18.2.lve1.4.27 that most CloudLinux 7 users might have installed on their machines, and it fixes a memory leak related to LVE (Lightweight Virtual Environment) deletion.


Also (direct): CloudLinux 7 kernel updated

Security Leftovers

Filed under
Security
  • Recent WordPress vulnerability used to deface 1.5 million pages

    Up to 20 attackers or groups of attackers are defacing WordPress websites that haven't yet applied a recent patch for a critical vulnerability.

    The vulnerability, located in the platform's REST API, allows unauthenticated attackers to modify the content of any post or page within a WordPress site. The flaw was fixed in WordPress 4.7.2, released on Jan. 26, but the WordPress team did not publicly disclose the vulnerability's existence until a week later, to allow enough time for a large number of users to deploy the update.

  • Simple Server Hardening

    These days, it's more important than ever to tighten up the security on your servers, yet if you were to look at several official hardening guides, they read as though they were written for Red Hat from 2005. That's because they were written for Red Hat in 2005 and updated here and there through the years. I came across one of these guides when I was referring to some official hardening benchmarks for a PCI audit and realized if others new to Linux server administration were to run across the same guide, they likely would be overwhelmed with all of the obscure steps. Worse though, they likely would spend hours performing obscure sysctl tweaks and end up with a computer that was no more protected against a modern attack. Instead, they could have spent a few minutes performing a few simple hardening steps and ended up with a more secure computer at the end. So in this article, I describe a few hardening steps that provide the most bang for the buck. These tips should take only a few minutes, yet for that effort, you should get a much more secure system at the end.

  • Sophos: IoT Malware Growing More Sophisticated
  • Linux IoT, Android and MacOS expected in 2017, SophosLabs
  • Hackers using Linux flaws to attack IoT devices
  • Linux Security Fundamentals: Estimating the Cost of a Cyber Attack


Security News

Filed under
Security
  • Opening Cyber Salvo in the French Elections

    On Feb 1st, 2017, Wikileaks began tweeting about the candidates in the French election coming up in a few months. This election (along with Germany’s later this year) is a very highly anticipated overt cyber conflict, one that many people in the intelligence, infosec and natsec communities are all paying attention to. We all saw what happened in the US and expect the Russians to meddle in both of these elections too. The outcomes are particularly important because France and Germany (“Old Europe”) are the strong core of the EU, and Putin’s strategic goal is a weak EU. He’s been dealt a weak hand and his geopolitical strategy is to weaken his opponents, pretty straightforward.

  • Kaspersky says businesses hit by fileless Windows malware

    Fileless Windows malware is infecting enterprise systems in 40 or more countries, with more than 140 institutions having been hit, according to the anti-virus company Kaspersky.

    The malware has not been given a name yet, but Kaspersky says it is similar to Duqu 2.0 that attacked its own network and stayed undetected for more than six months.

    It said an unnamed bank found the malware in late 2016 after it detected Meterpreter code in the physical memory of one of its Windows domain controllers. Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

  • Hack my car? Most believe it can happen

    Most Americans have some concerns that self-driving cars can be hacked to cause crashes, disable the vehicle in some way or even be used as weapons by terrorists, according to researchers at the University of Michigan.

    And large percentages of people are at least slightly concerned that these kinds of vehicles can be hacked to gain access to personal data.

    However, more than half have these same cybersecurity concerns about conventional vehicles, say Michael Sivak and Brandon Schoettle of the U-M Transportation Research Institute.

    Using an online survey of more than 500 Americans, the researchers asked respondents how concerned they are about hackers gaining access to personally owned self-driving (both with control over the gas pedal, brake and steering, and without) and conventional vehicles.

  • ‘Top 10 Spammer’ Indicted for Wire Fraud

    Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation.

  • Chap scripts remote Linux takeover for sysadmins

    Linux sysadmins with a sense of adventure: Tokyo-based developer Hector Martin has put together a set of scripts to replace an in-use Linux system over SSH.

    Over at GitHub, Martin's Takeover.sh is the kind of no-safety-net we imagine El Reg's readers will love.

Programming and Security News

Filed under
Development
Security
  • RSPIRV: Google's Rust Implementation Of SPIR-V

    Google developers have been working on a number of open-source projects in the Vulkan space and one of their latest is SPIR-V processing with Rust.

    RSPIRV is another project under the Google umbrella on GitHub. RSPIRV is a Rust implementation of SPIR-V module processing functionalities. SPIR-V is, of course, the intermediate representation/language used by Vulkan as well as OpenCL 2.1+, and it can also be used in OpenGL.

  • Optimize PHP with finely tuned IT resources and settings

    More than 90% of PHP-based websites still use PHP version 5. Of those websites, less than one quarter run the latest supported version, PHP 5.6. Despite the release of PHP 7 in December 2015, which has been documented and benchmarked as up to two times faster than PHP 5.6, the adoption rate is only around 3% among websites that use the language. The first step -- before optimizing PHP using the following tips -- is to upgrade to version 7.

  • Node for Java Developers

    The biggest audience for my Node.js workshops, courses and books (especially when I’m teaching live) is Java developers. You see, it used to be that Java was the only language professional software developers/engineers had to know. Not anymore. Node.js as well as other languages like Go, Elixir, Python, Clojure, dictate a polyglot environment in which the best tool for the job is picked.

  • Morocco's First Open Source ERP Uses Java EE 7!
  • Hazelcast's Parallel Streaming Engine Targets Java/Big Data Programmers

    In-memory data grid (IMDG) specialist Hazelcast Inc. yesterday launched a new distributed processing engine for Big Data streams. The open-source, Apache 2-licenced Hazelcast Jet is designed to process data in parallel across nodes, enabling data-intensive applications to operate in near real-time.

  • On new zlib breaking perl
  • anytime 0.2.1
  • Security updates for Friday
  • Capsule8 Launches Linux-Based Container Security Platform

    Cybersecurity startup Capsule8 this week announced that it has raised US$2.5 million to launch the industry's first container-aware, real-time threat protection platform designed to protect legacy and next-generation Linux infrastructures from existing and potential attacks.

    CEO John Viega, CTO Dino Dai Zovi and Chief Scientist Brandon Edwards, all veteran hackers, cofounded the firm. They raised seed funding from Bessemer Venture Partners, as well as individual investors Shandul Shah of Index Ventures and ClearSky's Jay Leek.

Security Leftovers

Filed under
Security
  • Mirai Botnet Spreads With Help From Infected Windows Computers
  • Lovely. Now someone's ported IoT-menacing Mirai to Windows boxes

    The Mirai malware that hijacked hundreds of thousands of IoT gadgets, routers and other devices is now capable of infecting Windows systems.

  • Finding Ticketbleed

    Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.

  • Cybersecurity firms pilloried by GCHQ technical director over “witchcraft”

    “we are allowing massively incentivised companies to define the public perception of the problem”.

  • Wire’s independent security review

    Ever since Wire launched end-to-end encryption and open sourced its apps one question has consistently popped up: “Is there an independent security review available?” Well, there is now!

    Kudelski Security and X41 D-Sec published a joint review of Wire’s encrypted messaging protocol implementation. They found it to have “high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs.”

  • Practical Steps for Protecting IoT Devices

    The security of IoT devices is a high priority these days, as attackers can use Distributed Denial of Service (DDoS) attacks to target them and wreak havoc on a system.

    “Due to the sheer volume of unconnected devices, it can take hours and often days to mitigate such an attack,” says Adam Englander, who is a Senior Engineer of the LaunchKey product at iovation.

  • IoT Cybersecurity Alliance Will Collaborate on Standards, Education

    A new IoT Cybersecurity Alliance formed by AT&T, IBM, Palo Alto Networks, Symantec, and Trustonic promises to help solve one of the most critical elements of the Internet of Things (IoT) — security. The group says its goal is to work on IoT security standards as well as raise awareness about the topic.

    There are numerous IoT-related associations working to promote different segments of IoT and streamline the fragmentation that exists in the industry. However, this is the first group to focus solely on security. AT&T, which was an early advocate for IoT, said it has seen a 3,198 percent increase in attackers scanning for vulnerabilities in IoT devices.

Linux Kernel 3.10.105 LTS Is Out with Almost 300 Improvements, Security Fixes

Filed under
Linux
Security

Linux kernel maintainer Willy Tarreau was proud to announce today the availability of a new maintenance update for the long-term supported Linux 3.10 kernel series, version 3.10.105.


Five New Linux Kernel Vulnerabilities Patched in Ubuntu 16.10 for Raspberry Pi 2

Filed under
Linux
Security
Ubuntu

Canonical announced a few hours ago the availability of a new security update for the Raspberry Pi 2 kernel packages of the Ubuntu 16.10 (Yakkety Yak) operating system, which patches a total of five newly discovered vulnerabilities.


More in Tux Machines

Leftovers: OSS

  • Diving into Drupal: Princeton’s Multi-site Migration Success with Open-source
    Princeton University’s web team had a complex and overwhelming digital ecosystem comprised of many different websites, created from pre-built templates and hosted exclusively on internal servers. Fast forward six years: Princeton continues to manage their multisite and flagship endeavors on the open-source Drupal platform, and has seen some great results since their migration back in 2011. However, this success did not come overnight. Organizational buy-in, multi-site migration and authentication were a few of the many challenges Princeton ran into when making the decision to move to the cloud.
  • GitHub Invites Developers to Contribute to the Open Source Guides
    GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories.
  • Top open source projects
    TechRadar recently posted an article about "The best open source software 2017" where they list a few of their favorite open source software projects. It's really hard for an open source software project to become popular if it has poor usability—so I thought I'd add a few quick comments of my own about each.
  • Dropbox releases open-source Slack bot
    Dropbox is looking to tackle unauthorized access and other security incidents in the workplace with a chatbot. Called Securitybot, it can automatically grab alerts from security monitoring tools and verify incidents with the employees involved. The company says that through the use of the chatbot, which is open source, it will no longer be necessary to manually reach out to employees to verify access every time someone enters a sensitive part of the system. The bot is built primarily for Slack, but it is designed to be transferable to other platforms as well.
  • Dropbox’s tool shows how chatbots could be future of cybersecurity
    Disillusion with chatbots has set in across the tech industry and yet Dropbox’s deep thinkers believe they have spotted the technology’s hidden talent: cybersecurity.

Desktop GNU/Linux

  • Entroware have unleashed the 'Aether' laptop for Linux enthusiasts featuring Intel's 7th generation CPUs
  • New Entroware Aether Laptop Pairs Intel Kaby Lake with Ubuntu
    The new Entroware Aether is the latest Linux powered laptop from British company Entroware, and is powered by the latest Intel Kaby Lake processors.
  • Freedom From Microsoft v1.01
    But we can be Free from Microsoft! As we saw above, there is a powerful – and now popular movement afoot to make alternative software available. The Free Software Foundation, and the GNU Project, both founded by Richard Stallman, provide Free software to users with licenses that guarantee users rights: the rights to view, modify, and distribute the software source code. With GNU-licensed software, such as Linux, the user is in complete control over the software they employ. And as people contribute to modify Free Software source code, and are required to share those modifications again, the aggregate creative acts give rise to the availability of many more, much more useful results. Value is created beyond what anyone thought possible, and our freedom multiplies.
  • Review of the week 2017/08
    This week we had to cancel a couple snapshots, as a regression in grub was detected, that caused issues on chain-loading bootloaders. But thanks to our genius maintainers, the issue could be found, fixed and integrated into Tumbleweed (and this despite being busy with hackweek! A great THANK YOU!). Despite those canceled snapshots, this review will still span 4 revisions: 0216, 0218, 0219 and 0224. And believe me, there have been quite some things coming your way.

Security Leftovers

  • [Older] The Secure Linux OS - Tails
    Some people worry a lot about security issues. Anyone can worry about their personal information, such as credit card numbers, on the Internet. They can also be concerned with someone monitoring their activity on the Internet, such as the websites they visit. To help ease these frustrations about the Internet, anyone can use the Internet without having to “look over their shoulder”.
  • Password management made easy as news of CloudFlare leak surfaces
    In the last 24 hours, news broke that a serious Cloudflare bug has been causing sensitive data leaks since September, exposing 5.5 million users across thousands of websites. In addition to login data cached by Google and other search engines, it is possible that some iOS applications have been affected as well. With the scale of this leak, the best course of action is to update every password for every site you have an account for. If there was ever a good time to modernize your password practices, this is it. As consumers and denizens of the Internet, we have a responsibility to be aware of the risks we face and make an attempt to mitigate that risk by taking best-effort precautions. Poor password and authentication hygiene leaves a user open to risks such as credit card fraud and identity theft, just like forgetting to brush your teeth regularly can lead to cavities and gum disease. This leaves us with the question of what good password and authentication hygiene looks like. If we stick with the (admittedly poorly chosen) dentistry analogy, then there are five easily identifiable aspects of good hygiene.
  • Security: You might want to change passwords on sites that use Cloudflare
  • Smoothwall Express
    The award-winning Smoothwall Express open-source firewall—designed specifically to be installed and administered by non-experts—continues its forward development march with a new 3.1 release.

Leftovers: Ubuntu and Derivatives

  • 'Big Bang Theory's' Stuart wears Ubuntu T-shirt
    Am I the only person to notice that comic book shop-owning Stuart (Kevin Sussman) on the "The Big Bang Theory" is wearing an Ubuntu T-shirt on the episode airing Thursday, Feb. 23, 2017? (It's Season 10, Episode 17, if that information helps you.) The T-shirt appearance isn't as overt as Sheldon's mention of the Ubuntu Linux operating system way back in Season 3 (Episode 22, according to one YouTube video title), but it's an unusual return for Ubuntu to the world of "Big Bang."
  • Unity Explained: A Look at Ubuntu’s Default Desktop Environment
    Ubuntu is the most well-known version of Linux around. It’s how millions of people have discovered Linux for the first time, and continues to draw new users into the world of open source operating systems. So the interface Ubuntu uses is one many people are going to see. In this area, Ubuntu is unique. Even as a new user, rarely will you confuse the default Ubuntu desktop for something else. That’s because Ubuntu has its own interface that you can — but probably won’t — find anywhere else. It’s called Unity.
  • A Look at Ubuntu MATE 16.04.2 LTS for Raspberry Pi
    Installing Ubuntu MATE onto my Raspberry Pi 3 was straightforward. You can easily use Etcher to write the image to a microSD card, the partition is automatically resized to fill your microSD card when the Pi is powered up for the first time, and then you are sent through a typical guided installer. Installation takes several minutes and finally the system reboots and you arrive at the desktop. A Welcome app provides some good information on Ubuntu MATE, including a section specific to the Raspberry Pi. The Welcome app explains that while the system is based on Ubuntu MATE and uses the Ubuntu armhf base, it is in fact using the same kernel as Raspbian. It also turns out that a whole set of Raspbian software has been ported over, such as raspi-config, rpi.gpio, sonic-pi, python-sense-hat, omxplayer, etc. I got in a very simple couple of tests that showed that GPIO control worked.
  • Zorin OS 12 Business Has Arrived [Ed: Zorin 12.1 has also just been released]
    This new release of Zorin OS Business takes advantage of the new features and enhancements in Zorin OS 12, our biggest release ever. These include an all new desktop environment, a new way to install software, entirely new desktop apps and much more. You can find more information about what’s new in Zorin OS 12 here.