Security

Security News

Filed under
Security
  • Microsoft is reportedly sharing Windows 10 telemetry data with third-parties

    MICROSOFT HAS REPORTEDLY signed a deal with FireEye that will see it share telemetry data from Windows 10 with the third-party security outfit.

    So says Australian website ARN, which reports that Microsoft and FireEye's partnership, which will see the security firm's iSIGHT Intelligence tools baked into Windows Defender, will also see FireEye "gain access to telemetry from every device running Windows 10."

    Microsoft uses telemetry data from Windows 10 to help identify security issues, to fix problems and to help improve the quality of its operating system, which sounds like a good thing. However, with the company previously admitting that its latest OS is harvesting more data than any version before it, Microsoft's mega data-slurp also raised some privacy concerns.

  • Hackers attack European Commission

    The European Commission was the victim of a “large scale” cyberattack Thursday, a spokesperson said.

    “The attack has so far been successfully stopped with no interruption of service, although connection speeds have been affected for a time. No data breach has occurred,” the spokesperson said.

  • 8 Books Security Pros Should Read

    Calling all infosec pros: What are the best books in your security library?

    On second thought, let's take a step back. A better question may be: Do you have a security library at all? If not, why?

    Security professionals have countless blogs, videos, and podcasts to stay updated on rapidly changing news and trends. Books, on the other hand, are valuable resources for diving into a specific area of security to build knowledge and broaden your expertise.

    Because the security industry is so complex, it's impossible to cram everything there is to know in a single tome. Authors generally focus their works on single topics including cryptography, network security modeling, and security assessment.

    Consider one of the reads on this list of recommendations, Threat Modeling: Designing for Security. This book is based on the idea that while all security pros model threats, few have developed expertise in the area.

  • DoD Opens .Mil to Legal Hacking, Within Limits

    Security researchers are often reluctant to report programming flaws or security holes they’ve stumbled upon for fear that the vulnerable organization might instead decide to shoot the messenger and pursue hacking charges.

    But on Nov. 21, the DoD sought to clear up any ambiguity on that front for the military’s substantial online presence, creating both a centralized place to report cybersecurity flaws across the dot-mil space as well as a legal safe harbor (and the prospect of public recognition) for researchers who abide by a few ground rules.

  • Data breach law 'will create corporate awareness'

    The introduction of a data breach law requiring disclosure of consumer data leaks is important because it will make big corporates aware they need to be transparent about their state of security, the head of a big cyber-security firm says.

    Guy Eilon, the country manager of Forcepoint, was commenting on the speech made by Dan Tehan, the minister assisting the prime minister on cyber security, on Wednesday.

  • US Navy breach: 130,000 soldiers at risk after HPE contractor hacked [iophk: "MS, possibly MS sharepoint?"]

    The Navy has acknowledged the breach and said it was made aware of the incident after being notified that a laptop belonging to an employee of Navy contractor Hewlett-Packard Enterprise (HPE) was compromised by hackers.

  • US Navy warns 134,000 sailors of data breach after HPE laptop is compromised

    Sailors whose details have been compromised are being notified by phone, letter, and e-mail, the Navy said. "For those affected by this incident, the Navy is working to provide further details on what happened, and is reviewing credit monitoring service options for affected sailors."

  • Personal data for more than 130,000 sailors stolen, admits US Navy

    A spokesman for Hewlett Packard Enterprise Services said: “This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”

  • Riseup’s Canary Has Died

    Popular provider of web tools for activists and anarchists and backbone of much infrastructure for internet freedom, Riseup.net has almost certainly been issued a gag order by the US government.

Security News

  • The FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant

    In January, Motherboard reported on the FBI's “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually an order of magnitude larger.

    In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case.

  • curl security audit

    I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. This was done by Mozilla getting a 3rd party company involved to do the job and footing the bill for it. The auditing company is called Cure53.

  • Personal data for more than 130,000 sailors was breached, Navy says

    The Navy was notified in October by Hewlett Packard Enterprise Services that a computer supporting a Navy contract was “compromised,” and that the names and social security numbers of 134,386 current and former sailors were accessed by unknown persons, the service said in a news release.

  • Your headphones could be spying on you

    JUST WHEN you thought you couldn’t possibly be carrying any more tracking devices, it looks like you can add another one to the mix.

    A team of researchers in Israel have discovered that with a little hardware hackery, your headphones can be used to listen in on you when plugged into your computer.

    It’s been known for a long time that if you plug a microphone into a speaker jack, it can sometimes make a tinny speaker (if you blast the volume). But what about the other way around?

    Ben Gurion University researchers have discovered that with a simple malware program which they've christened SPEAKE(a)R, Realtek codecs, which provide the built-in sound on most motherboards, can be reassigned to turn the headphone jack into a microphone.

  • How to create heat maps to show who’s trying to connect your router

Security News

  • Security advisories for Wednesday
  • Malware Found on New Windows Computers (Not What You Think)

    It appears that the office supply giant, Office Depot, isn’t averse to tarnishing its reputation if there’s a buck or two to be made in the process.

    KIRO TV in Seattle reported on November 15 that it had taken brand new out-of-the-box computers that had never been connected to the Internet to Office Depot stores, both in Washington state and Portland, Oregon, and told the repair desk staff that “it’s running a little slow.” In four out of six cases they were told the computer was infected with viruses and would require an up to $180 fix.

    After declining the “fix,” they took the “virus laden” machines to a Seattle security outfit, IOActive, which reexamined the machines. “We found no symptoms of malware when we operated them,” an employee with the firm, Will Longman, said. “Nor did we find any actual malware.”

    In the two cases where undercover reporters weren’t told that their computers showed evidence of an infection, they were advised to install antivirus software. In one of the two stores, a technician evidently noticed that the machine was new and told the reporter to “ignore the test results.”

  • FBI Hacked into 8,000 Computers in 120 Countries Using A Single Warrant

    The FBI hacked into more than 8,000 computers in 120 different countries with just a single warrant during an investigation into a dark web child pornography website, according to newly published court filings.

    The FBI's mass hacking campaign is related to the high-profile child pornography Playpen case and represents the largest law enforcement hacking campaign known to date.

    The warrant was initially issued in February 2015 when the FBI seized the Playpen site and set up a sting operation on the dark web site, in which the agency deployed malware to obtain IP addresses from the site's alleged visitors.

  • How Unikernels Can Better Defend against DDoS Attacks

    On the episode of The New Stack Makers podcast, Dell EMC CTO Idit Levine, an EMC chief technology officer at the cloud management division and office of the CTO, discussed how unikernels are poised to offer all of the developer flexibility afforded to containers, while striving for better security and integrations with many of today’s top container platforms. She spoke with SolarWinds Cloud Technology Lead Lee Calcote at KubeCon 2016:

  • Exploit Code Bypasses Linux Security Features Leaving Systems Vulnerable
  • Researcher writes codeless exploit that bypasses Linux security measures

    If you’re a Linux administrator, then you’re likely aware that even being fully up to date on all of the patches for your Linux distribution of choice is no guarantee that you’re free from vulnerabilities. Linux is made up of numerous components, any of which can open up an installation to one exploit or another.

Tor phone (Android)

Filed under
Android
Security
  • Tor phone is antidote to Google “hostility” over Android, says developer

    The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone—an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google.

    The new phone, designed by Tor developer Mike Perry, is based on Copperhead OS, the hardened Android distribution profiled first by Ars earlier this year.

  • Tor-Enabled Phone Offers Various Layers Of Security

    We’ve seen all sorts of Android smartphones released over the years, from the ones that ship with Google’s stock Android or a third-party skin, to the ones that sport two displays, are curved or have heavy security features. There are tons of different smartphones available out there, and a number of different OS’ available for those smartphones, and that’s the true beauty of Android. Now, some of you have probably heard of a Tor-enabled smartphone by Tor Project. This smartphone puts a huge emphasis on security and privacy, and those of you who are very concerned about such issues should be interested, though do keep in mind that the Tor-enabled smartphone actually references software that can be installed on a smartphone, not the actual hardware smartphone that will be available for sale, just to make that clear.

Elegant 0-day unicorn underscores “serious concerns” about Linux security

Filed under
Linux
Security
  • Elegant 0-day unicorn underscores “serious concerns” about Linux security [Ed: Molehill becomes mountain in the hands of Dan Goodin]

    Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

Security Leftovers

  • Beware: ScanGuard Scam

    My wife called this to my attention; a web site called "smartwebuser.org" (I refuse to post a link) that warned "If you live in Canada and have a Linux computer which is over 6 months old, then we advise you to keep reading." What followed was a puff piece for something called ScanGuard. It sounded suspiciously to me like all those "cleanup" apps that are advertised in email and occasionally on TV, that promise to protect your PC from viruses and malware, and make it run a zillion times faster. It sounded like a scam to me.

  • The Urgency of Protecting Your Online Data With Let's Encrypt

    We understand that online security is a necessity, so why is only 48.5% of online traffic encrypted? Josh Aas, co-founder of Let's Encrypt, gives us a simple answer: it's too difficult. So what do we do about it? Aas has answers for that as well in his LinuxCon North America presentation.

    Aas explains how the Achilles heel of managing Web encryption is not encryption itself, but authentication, which requires trusted third parties, and secure mechanisms for managing the trust chain. He says, "The encryption part is relatively easy. It's a software stack...it comes on most operating systems by default. It just needs to be configured. Most Web servers tie into it directly and take care of things for you. Your biggest challenge is protecting your private key. The authentication part is a bit of a nightmare, and it has been for a while, so if you want to authenticate, the way this works on the web is you need to get a certificate from a certificate authority, and it's complicated, even for really smart people like my friend Colin here at Cisco."

  • Is encrypted e-mail a must in the Trump presidential era?

    With Donald Trump poised to take over the U.S. presidency, does it make sense for all of us to move to encrypted e-mail if we want to preserve our privacy? Encrypted e-mail provider ProtonMail says yes, indeed.

  • New IoT botnet behind fake Instagram, Twitter and YouTube profiles

    Hackers have created thousands of fake accounts on popular social media platforms like Instagram, Twitter, YouTube and Periscope, via an IoT botnet, using the Linux/Moose malware. Security researchers claim that fake social media accounts are created by hackers to randomly follow people and browse content, in efforts to make the bots seem more "human" and avoid spam filters.

    According to security researchers, the Linux/Moose botnet is a "new generation" IoT botnet that operates on embedded systems such as routers, rather than computers. This makes the bot much more difficult to detect. The botnet can function on even limited computational power and specialises in "social media fraud".

  • Great. Now Even Your Headphones Can Spy on You

    Cautious computer users put a piece of tape over their webcam. Truly paranoid ones worry about their devices’ microphones, some even crack open their computers and phones to disable or remove those audio components so they can’t be hijacked by hackers. Now one group of Israeli researchers has taken that game of spy-versus-spy paranoia a step further, with malware that converts your headphones into makeshift microphones that can slyly record your conversations.

  • Watch out: ɢoogle.com isn’t the same as Google.com

    If you don’t watch where you’re going on the internet, you might be headed down a dark alley before you know it.

    Like a lot of big websites, we use Google Analytics to keep track of traffic on TNW. A few weeks ago, however, we spotted something that looked a bit out of the ordinary.

KDE Plasma 5.8.4 LTS Desktop Environment Released for Linux with More Bug Fixes

Filed under
KDE
Security

Today, November 22, 2016, KDE announced the release of the fourth maintenance update to the long-term supported KDE Plasma 5.8 desktop environment for Linux-based operating systems.

Security News

  • Security advisories for Monday
  • Fast security is the best security

    DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus for those of you who have never had the joy of witnessing the heart stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in a net. The really exciting and scary trapeze acts have no net. If these folks fall, that's pretty much it for them. Someone pointed out to me that the current DevOps security is a bit like taking away the net.

  • Detecting fraudulent signups?

    I run a couple of different sites that allow users to sign-up and use various services. In each of these sites I have some minimal rules in place to detect bad signups, but these are a little ad hoc, because the nature of "badness" varies on a per-site basis.

  • Reproducible Builds: week 82 in Stretch cycle

    What happened in the Reproducible Builds effort between Sunday November 13 and Saturday November 19 2016...

Linux Kernel 3.2.84 LTS Released, Adds over 200 Improvements and Bug Fixes

Filed under
Linux
Security

On November 20, 2016, Linux kernel maintainer Ben Hutchings announced the release of the eighty-fourth maintenance update to the long-term supported Linux 3.2 kernel series.

Also: Linux Kernel 3.16.39 LTS Is a Massive Maintenance Update with 420 Improvements

Linux versus Unix hot patching

Filed under
GNU
Linux
Security

There has always been a debate about how close Linux can get to the real operating system (OS), the core proprietary Unix variants that for two decades defined the limits of non-mainframe scalability and reliability.

But times are changing, and the new narrative may be when will Unix catch up to Linux on critical reliability, availability, and serviceability (RAS) features such as hot patching?

Hot patching, the ability to apply updates to the OS kernel while it is running, is a long sought-after but elusive feature of a production OS.

It is sought after because both developers and operations teams recognise that bringing down an OS instance that is doing critical high-volume work is at best disruptive and at worst a logistical nightmare. Its level of difficulty also makes it somewhat elusive.

There have been several failed attempts and implementations that almost worked, but they were so fraught with exceptions that they were not really useful in production.

Also: Can I interest you in talking about Security?

More in Tux Machines

Leftovers: OSS and Sharing

  • Lenovo Cloud Director: Open Source Technologies Are The Glue That Binds The Hybrid Cloud
    Hardware giant Lenovo is banking on a future where both public and private clouds are critical in driving IT innovation, and the glue binding those hybrid environments is mostly open source technologies. Dan Harmon, Lenovo's group director of cloud and software-defined infrastructure, encouraged solution providers attending the NexGen Cloud Conference & Expo on Wednesday to explore opportunities to engage Lenovo as its products stock the next generation of cloud data centers. Both public and private clouds are growing rapidly and will dominate the market by 2020, Harmon told attendees of the conference produced by CRN parent The Channel Company.
  • Cloudera Ratchets Up its Training for Top Open Source Data Solutions
    Recently, we've taken note of the many organizations offering free or low cost Hadoop and Big Data training. MIT and MapR are just a couple of the players making waves in this space. Recently, Cloudera announced a catalog of online, self-paced training classes covering the company's entire portfolio of industry-standard Apache Hadoop and Apache Spark training courses. The courses, according to Cloudera, allow you to learn about the latest big data technologies "in a searchable environment anytime, anywhere." Now, Cloudera has announced an updated lineup of training courses and performance-based certification exams for data analysts, database administrators, and developers. The expanded training offerings address the skills gap around many top open source technologies, such as Apache Impala (incubating), Apache Spark, Apache Kudu, Apache Kafka and Apache Hive.
  • Netflix’s open-source project Hollow, NVIDIA’s deep learning kits for educators, and new IBM Bluemix integrations—SD Times news digest: Dec. 6, 2016
  • Open governance enhances the value of land use policy software
    In December 2015, the COP21 Paris Agreement saw many countries commit to reducing greenhouse gas emissions through initiatives in the land sector. In this context, emissions estimation systems will be key in ensuring these targets are met. Such solutions would not only be capable of assessing past trends but also of supporting target setting, tracking progress and helping to develop scenarios to inform policy decisions.
  • Blender Institute collaborate with Lulzbot in the name of open source
    Blender Institute, a platform for 3D design and animation, are collaborating with Lulzbot 3D printers. This project is a continuation of Lulzbot and Blender Institute’s approach to open source and aimed at enhancing collaboration. The Blender Institute in Amsterdam, the Netherlands, is an important figure in the Free and Open Source Software community (FOSS). Providing open source design tool software for 3D movies, games, and visual effects. While Lulzbot, a product line of Aleph Objects take an open source approach to hardware through their 3D printers.
  • Bluetooth 5 Specification Released

Remembering Linux Installfests

Ah, yes. I remember the good old days when you had to be a real man or woman to install Linux, and the first time you tried you ended up saying something like “Help!” or maybe “Mommmmyyyyy!” Really, kids, that’s how it was. Stacks of floppies that took about 7,000 hours to download over your 16 baud connection. Times sure have changed, haven’t they? I remember Caldera advertising that their distribution autodetected 1,500 different monitors. I wrote an article titled “Monitor Number 1501,” because it didn’t detect my monitor. And sound. Getting sound going in Linux took mighty feats of systemic administrationish strength. Mere mortals could not do it. And that’s why we had installfests: so mighty Linux he-men and she-women could come down from the top of Slackware Mountain or the Red Hat Volcano and share their godlike wisdom with us. We gladly packed up our computers and took them to the installfest location (often at a college, since many Linux-skilled people were collegians) and walked away with Linuxized computers. Praise be!

What New Is Going To Be In Ubuntu 17.04 'Zesty Zapus'

Right on the heels of Ubuntu 16.10 'Yakkety Yak' is Ubuntu 17.04 Zesty Zapus. Ubuntu 17.04 is currently scheduled for release on April 13, 2017 but know that this is only an estimate. One thing to know is that all things being equal, it is going to be released in April 2017. Ubuntu Zesty Zapus will be supported for only 9 months until January 2018 as it is not a LTS (long term support) release.

Security News

  • News in brief: DirtyCOW patched for Android; naked lack of security; South Korea hacked
  • Millions exposed to malvertising that hid attack code in banner pixels
    Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.
  • Backdoor accounts found in 80 Sony IP security camera models
    Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price. One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.
  • I'm giving up on PGP
    After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys. This is not about the gpg tool itself, or about tools at all. Many already wrote about that. It's about the long term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.