Security

Security: AI Apocalypse and Microsoft Windows Apocalypse

Filed under
Security

Security: Updates, Password Advice, Salesforce, Pacer and More

Filed under
Security
  • Security updates for Thursday
  • Password guru regrets past advice

    Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols - so, for example, "protected" might become "pr0t3cT3d4!".

    The problem, he believes, is that the theory came unstuck in practice.

    Mr Burr now acknowledges that his 2003 manual was "barking up the wrong tree".

  • Salesforce “red team” members present tool at Defcon, get fired

    At Defcon in Las Vegas last month, word rapidly spread that two speakers—members of Salesforce's internal "red team"—had been fired by a senior executive from Salesforce "as they left the stage." Those two speakers, who presented under their Twitter handles, were Josh "FuzzyNop" Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer.

  • “Pretty egregious” security flaw raises questions about Pacer

    The Pacer court document service used by more than a million journalists and lawyers has raked in more than $1 billion since it was established in 1995, but a new report questions whether its administrators have put enough of that windfall into securing the system. Hanging in the balance is the reliability of a service that's crucial for the smooth functioning of the entire US federal court system.

    Until Wednesday, Pacer suffered from a vulnerability that made it possible for hackers to charge download and search-query fees to other users, as long as those users visited a booby-trapped webpage while logged in to a Pacer website. Officials with the non-profit known as the Free Law Project also speculate that the same flaw—known as a cross-site request forgery—may also have allowed hackers to file court documents on behalf of unsuspecting attorneys who happened to be logged in to Pacer. If the speculation is correct, the flaw had the potential to severely disrupt or complicate ongoing court cases. Pacer administrators, however, have told Free Law the fraudulent filing hack wasn't possible.

    Even if the hypothesis is wrong, the flaw still made it possible for hackers to cause Pacer users to be billed for services they never requested. The users would have a hard time figuring out why they were being charged for downloads and searches they never made. Even when the users changed passwords, their accounts could still rack up fraudulent charges whenever they were simultaneously logged in to the hacked or malicious site and one of the Pacer sites.

  • How cloud-native security can prevent modern attacks

    When I first set out to start my company, I received some backlash from a former colleague that cybersecurity was not “interesting anymore.” I disagreed, which I’m sure most people now do. As technology evolves, there will always be new ways (and new groups) to hack into systems, whether it’s for fun, profit or for national security reasons. That’s why it’s no surprise that within the past few years, cybersecurity has been a top concern for businesses. According to a recent report, cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion just a year ago, proving that enterprises literally cannot afford to forgo strong cybersecurity measures.

  • We can stop hacking {sic} and trolls, but it would ruin the internet

    A new way to run the internet would scupper ransomware and hacking, but its authoritarian backers could control everything we do online

  • Mingis on Tech: Android vs iOS – Which is more secure?
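The Pacer item above describes a cross-site request forgery: the browser attaches the victim's session cookie to any request, even one triggered by a page on another site, so a handler that bills a user on the strength of the cookie alone will bill whoever the attacker's page can get to visit it, and changing the password does nothing because the session is still valid. The Python below is an added example, not code from Pacer or from the Free Law Project's report; the site origin, session store, handler names and the "booby-trapped.example" request are all constructed for illustration. It places the cookie-only handler beside a hardened one that requires POST, checks the exact Origin (or Referer) and compares a per-session synchroniser token in constant time, then runs a forged and a legitimate request through both.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed in-memory session store: session cookie value -> session state.
SESSIONS: dict[str, dict] = {}
SITE_ORIGIN = "https://pacer.example"   # hypothetical origin of the legitimate site


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "charges": []}
    return sid


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict   # sent automatically by the browser, even from another site's page
    form: dict


def charge_vulnerable(req: Request) -> tuple[int, str]:
    """'Before' handler: any request carrying a valid session cookie bills the user."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    sess["charges"].append(req.form.get("doc", "?"))
    return 200, f"charged {sess['user']}"


def charge_hardened(req: Request) -> tuple[int, str]:
    """'After' handler: the same billing action behind three CSRF checks."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # 1. State-changing actions only via POST, never via a GET that a link or <img> can trigger.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Origin (fallback Referer) must name exactly our scheme+host; a prefix match would
    #    accept a lookalike host such as pacer.example.attacker, so compare the parsed parts.
    src = req.headers.get("Origin") or req.headers.get("Referer") or ""
    parts = urlsplit(src)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request"
    # 3. Synchroniser token: a per-session value another site's page cannot read,
    #    compared in constant time so the check itself leaks nothing.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or invalid csrf token"
    sess["charges"].append(req.form.get("doc", "?"))
    return 200, f"charged {sess['user']}"


def run_scenario() -> dict:
    """Run constructed forged, lookalike-origin and legitimate requests through both handlers."""
    sid = login("attorney")
    cookies = {"session": sid}
    # Forged: a page on another site auto-submits a form; the browser attaches the victim's
    # cookie, but that page can neither read the session token nor choose the Origin header.
    forged = Request("POST", {"Origin": "https://booby-trapped.example"}, cookies,
                     {"doc": "case-123.pdf"})
    lookalike = Request("POST", {"Origin": "https://pacer.example.attacker"}, cookies,
                        {"doc": "case-123.pdf"})
    # Legitimate: submitted from the site's own form, carrying the session's token.
    legit = Request("POST", {"Origin": SITE_ORIGIN}, cookies,
                    {"doc": "case-123.pdf", "csrf_token": SESSIONS[sid]["csrf"]})
    return {
        "vulnerable_forged": charge_vulnerable(forged)[0],   # 200: billed without consent
        "hardened_forged": charge_hardened(forged)[0],       # 403
        "hardened_lookalike": charge_hardened(lookalike)[0], # 403
        "hardened_legit": charge_hardened(legit)[0],         # 200
        "charges": list(SESSIONS[sid]["charges"]),           # one fraudulent, one legitimate
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The Origin check alone is not sufficient on its own (older clients omit both headers, and a deployment may be reached through several hostnames), which is why the token check is kept as the decisive test; the Origin check is cheap defence in depth that rejects the forged request before any token handling.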

Red Hat and Servers

Filed under
Red Hat
Security

Security: Updates, Mastering matplotlib, Carbon Black, DDOS Arrests, and HashiCorp

Filed under
Security
  • Security updates for Wednesday
  • Mastering matplotlib: Acknowledgments
  • More Details on the PACER Vulnerability We Shared with the Administrative Office of the Courts

    PACER/ECF is a system of 204 websites that is run by the Administrative Office of the Courts (AO) for the management of federal court documents. The main function of PACER/ECF is for lawyers and the public to upload and download court documents such as briefs, memos, orders, and opinions.

    In February we reported that we disclosed a major vulnerability in PACER/ECF to the AO. The proof of concept and disclosure/resolution timeline are available here.

  • Endpoint security firm leaking terabytes of data

    Endpoint security software vendor Carbon Black has been found to be exfiltrating data from several Fortune 1000 companies due to the architecture of its Cb Response software, the information security services and managed services provider DirectDefense claims.

  • Teenagers charged over allegedly running huge DDoS operation

    Two Israeli teenagers, who have been alleged to have co-founded and run a company used for launching distributed denial of service attacks, have been arrested and indicted on conspiracy and hacking charges.

  • HashiCorp Vault Brings Disaster Recovery to Secrets Management

    HashiCorp has released new versions of both its open-source and enterprise editions of its Vault secrets management platform, providing new scalability and security operations capabilities.

    Vault helps organizations securely store and access application tokens, passwords and authentication credentials, which collectively are commonly referred to as "secrets" in an information security context.

Security: Fines for Insecurity, Open Source Security Podcast, Linux Security Questions, Updates and More

Filed under
Security

Security: HTTPS, System Administration, Botnets, Binary Scans, and Node.js

Filed under
Security
  • Everything is an HTTPS interface

    Serverless applications by their nature are heavily decomposed into a variety of services, such as autonomous functions, object storage, authentication services, document databases, and pub/sub message queues. The interfaces between these services are typically HTTPS. When you’re using the AWS SDK to call an AWS service, the interface it’s calling under the hood is an HTTPS interface. This is true for the majority of cloud platforms, with some alternative protocols occasionally being used (WebSockets and MQTT) in specific use cases.

  • Future Proof Your SysAdmin Career: Locking Down Security

    For today’s system administrators, gaining competencies that move them up the technology stack and broaden their skillsets is increasingly important. However, core skills like networking remain just as crucial. Previously in this series, we've provided an overview of essentials and looked at evolving network skills. In this part, we focus on another core skill: security.

    With ever more impactful security threats emerging, the demand for fluency with network security tools and practices is increasing for sysadmins. That means understanding everything from the Open Systems Interconnect (OSI) model to devices and protocols that facilitate communication across a network.

  • The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

    While fighting botnets like Mirai and BrickerBot with another botnet, Hajime, may help prevent denial-of-service attacks on the IoT, the best defense is a basic system security-hardening plan.

  • Security Scan Checks Binary Open Source [Ed: Someone turned the openwashing press release into an article. Proprietary trying to come across as "open"]
  • Malicious code in the Node.js npm registry shakes open source trust model

    Software development relies heavily on trust, especially when it comes to open source components. JavaScript developers recently got a reminder just how fragile the trust model is with the news that 39 malicious packages were removed from npm, the Node.js package management registry.

Security: MalwareTech, F2FS, and WannaCry

Filed under
Security
  • MalwareTech released on bail; supporters to meet Wednesday

    MalwareTech, the cyber security researcher who halted the WannaCry ransomware virus earlier this year and was arrested in Las Vegas last week, will be released on bail today and will travel directly to Milwaukee for a court appearance tomorrow in the Eastern District of Wisconsin – Update: the arraignment is rescheduled for 10am on Monday, 14 August. After 24 hours of no information about his arrest, and a flurry of international news coverage, it was reported that MalwareTech, who lives in the UK and who was in the US for Defcon, was not a flight risk and will be allowed out on $30,000 bail.

  • Marcus Hutchins freed on bail, to face court on 14 Aug
  • Regarding Marcus Hutchins aka MalwareTech
  • F2FS Hit By Three Security Vulnerabilities: Memory Corruption, Possible Code Execution

    Btrfs isn't the only Linux file-system taking some heat, but the Flash-Friendly File-System (F2FS) is now having a tough week with three CVEs going public.

  • How leaked exploits empower cyber criminals [Ed: The problem is the stockpiling and the back doors (e.g. by design, see Microsoft-NSA collaborations), not just the leaks.]

    A central theme in the 2016 report was the issues that arose from the Mirai botnet and the takeover of numerous insecure IoT devices. Although those record-setting DDoS attacks were vastly different from 2017’s outbreak of WannaCry ransomware and the destructive NotPetya malware, the events share a similar root cause: leaked exploits and source code. IoT botnets and data-encrypting malware were of course common before those incidents; however, the September 2016 release of the Mirai source code and the April 2017 release of NSA exploits exacerbated the crime.

Canonical Outs Linux Security Patch for Ubuntu 14.04 LTS to Fix Several Issues

Filed under
Security
Ubuntu

Canonical on Monday published two Ubuntu Security Notice (USN) advisories to inform users of Ubuntu 14.04 LTS and Ubuntu 12.04 LTS operating systems about the availability of new kernel updates.

Security: Updates, OpenSSL, Women in Cybersecurity, Back to Radio and Latest Black Duck FUD

Filed under
Security
  • Security updates for Monday
  • Oracle Joins SafeLogic to Develop FIPS Module for OpenSSL Security

    Oracle announced on Aug. 3 that it is joining SafeLogic in an effort to develop a much needed FIPS 140-2 module for the open-source OpenSSL cryptographic library.

    OpenSSL is widely used to help secure internet communication and infrastructure, though it currently is lacking a critical module for government standards, known as FIPS 140-2. The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government cyber-security standard used to certify cryptographic modules.

  • OpenSSL drops TLS 1.0/1.1 support for Debian Unstable and what does it mean for Debian sid users?
  • What Women in Cybersecurity Really Think About Their Careers

    For once, some good news about women in the cybersecurity field: A new survey shows that despite the low number of women in the industry, many feel empowered in their jobs and consider themselves valuable members of the team.

    The newly published "Women in Cybersecurity: A Progressive Movement" report — a survey of women by a woman — is the brainchild of security industry veteran Caroline Wong, vice president of security strategy at Cobalt, who formerly worked at Cigital, Symantec, eBay, and Zynga.

    Wong says she decided to conduct the survey after getting discouraged with all of the bad news about women being underrepresented, underpaid, and even harassed in the technology and cybersecurity fields. The number of women in the industry has basically plateaued at 11% over the past few years.

  • Radio navigation set to make global return as GPS backup, because cyber

    The risk to GPS has caused a number of countries to take a second look at terrestrial radio navigation. Today there's broad support worldwide for a new radio navigation network based on more modern technology—and the system taking the early lead for that role is eLoran. As Reuters reports, South Korea is preparing to bring back radio navigation with eLoran as a backup system for GPS, and the United States is planning to do the same.

  • Open source vulnerabilities pose a serious risk for software startups [Ed: The Microsoft-connected FUD firm is at it again]

Security: WebKitGTK+, DEF CON, OpenSSL, and Ebury

Filed under
Security
  • Endgame for WebKit Woes

    In my original blog post On WebKit Security Updates, I identified three separate problems affecting WebKit users on Linux:

        • Distributions were not providing updates for WebKitGTK+. This was the main focus of that post.
        • Distributions were shipping an insecure compatibility package for old, unmaintained WebKitGTK+ 2.4 (“WebKit1”).
        • Distributions were shipping QtWebKit, which was also unmaintained and insecure.

    Let’s review these problems one at a time.

  • Hackers breach dozens of voting machines brought to conference

    One of the nation’s largest cybersecurity conferences is inviting attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be.

    “It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia.

    The DEF CON cybersecurity conference is held annually in Las Vegas. This year, for the first time, the conference is hosting a "Voting Machine Village," where attendees can try to hack a number of systems and help catch vulnerabilities.

  • OpenSSL disables TLS 1.0 and 1.1

    I've just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocols. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.

  • Man jailed for role in spreading Linux malware

    OpenSSH is an implementation of the secure shell protocol; it runs on UNIX and Linux systems and is developed by the OpenBSD project.

    The malware in question is known as Ebury and is a backdoor that is used to steal OpenSSH credentials and keep access to a compromised server open.
