
Security

Security Leftovers

Filed under
Security
  • Thousands of WordPress websites defaced through patch failures

    Thousands of WordPress domains have been subject to attack through a severe content injection security flaw that many website operators have failed to protect themselves against.

    The security flaw, a zero-day vulnerability that affects the WordPress REST API, allows attackers to modify the content of posts or pages within a website backed by the WordPress content management system (CMS).

    As noted by cybersecurity firm Sucuri, one of the REST endpoints allows access via the API to view, edit, delete, and create posts.

  • Introducing Capsule8: Industry's First Container-Aware, Real-time Threat Protection for Linux

    "The cloud has catapulted Linux to the most popular platform on the planet, and now the use of container technology is exploding. Yet there has been no world-class commercial security offering focused on securing the Linux infrastructure until now," said Bob Goodman, partner at Bessemer. "Capsule8 is solving the difficult problem of providing zero-day threat protection for Linux, whether legacy, container or something in-between. Simply put, John, Dino and Brandon are pioneering the most comprehensive and effective security protection ever offered for Linux."

  • Container-Aware Security Startup Capsule8 Emerges from Stealth

    Capsule8, a Brooklyn, NY-based security startup, emerged from stealth today to debut its container-aware threat protection platform for Linux.

Security Leftovers

Filed under
Security

FOSS CMS News

Filed under
OSS
Security
  • Migrated blog from WordPress to Hugo

    My WordPress blog got hacked two days ago and now twice today. This morning I purged MySQL and restored a good backup from three days ago, changed all DB and WordPress passwords (both the old and new ones were long and autogenerated ones), but not even an hour after the redeploy the hack was back. (It can still be seen on Planet Debian and Planet Ubuntu.) Neither the Apache logs nor the Journal had anything obvious, nor were there any new files in global or user www directories, so I’m a bit stumped how this happened. Certainly not due to brute-forcing a password; that would both have shown in the logs and have triggered ban2fail, so this looks like an actual vulnerability.

  • WordPress 4.7.2

    When WordPress originally announced their latest security update, there were three security fixes. While all security updates can be serious, they didn’t seem too bad. Shortly after, they updated their announcement with a fourth and more serious security problem.

    I have looked after the Debian WordPress package for a while. This is the first time I have heard people actually having their sites hacked almost as soon as this vulnerability was announced.

  • 4 open source tools for doing online surveys

    Ah, the venerable survey. It can be a fast, simple, cheap, and effective way gather the opinions of friends, family, classmates, co-workers, customers, readers, and others.

    Millions turn to proprietary tools like SurveyGizmo, Polldaddy, SurveyMonkey, or even Google Forms to set up their surveys. But if you want more control, not just over the application but also the data you collect, then you'll want to go open source.

    Let's take a look at four open source survey tools that can suit your needs, no matter how simple or complex those needs are.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Lynis – Security Auditing and Hardening Tool for Linux/Unix Systems

    First, I want to tell you about system security before going deeper into Lynis. Every system administrator should know and understand system security, hardening, etc., so that we can keep our systems up and running smoothly without any issues; otherwise we will have to face many issues.

  • Security Hygiene for Software Professionals

    As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. And that’s before we consider that the code we write has a tremendous value of its own and should be protected.

  • AI isn't just for the good guys anymore

    Last summer at the Black Hat cybersecurity conference, the DARPA Cyber Grand Challenge pitted automated systems against one another, trying to find weaknesses in the others' code and exploit them.

    "This is a great example of how easily machines can find and exploit new vulnerabilities, something we'll likely see increase and become more sophisticated over time," said David Gibson, vice president of strategy and market development at Varonis Systems.

    His company hasn't seen any examples of hackers leveraging artificial intelligence technology or machine learning, but nobody adopts new technologies faster than the sin and hacking industries, he said.

    "So it's safe to assume that hackers are already using AI for their evil purposes," he said.

  • MongoDB And Open Source: Super-Sized Vulnerability? [Ed: TopSpin Security is spinning and lying. MongoDB didn’t have a vulnerability, it was the fault of bad setup.]

OpenSUSE Web Site Cracked, Tumbleweed Update

Filed under
Security
Web
SUSE

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • There are no militant moderates in security
  • Exploit for Windows DoS zero-day published, patch out on Tuesday?
  • Ransomware Attack Left DC Police Surveillance Blind Shortly Before The Inauguration

    Once exclusively the domain of hospitals with comically-bad IT support, crippling ransomware attacks are increasingly beginning to impact essential infrastructure. Just ask the San Francisco MTA, whose systems were shut down entirely for a spell last fall after a hacker (with a long history of similar attacks) managed to infiltrate their network, forcing the MTA to dole out free rides until the threat was resolved. Or you could ask the St. Louis public library network, which saw 16 city branches crippled last month by a bitcoin-demanding intruder.

    We've also seen a spike in ransomware attacks on our ever-expanding surveillance and security apparatus, DC Police acknowledging this week that 70% of the city's surveillance camera DVRs were infected with malware. The infection was so thorough, DC Police were forced to acknowledge that city police cameras were unable to record much of anything during a three day stretch last month...

  • Hackers hit D.C. police closed-circuit camera network, city officials disclose

    Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump’s inauguration, forcing major citywide reinstallation efforts, according to the police and the city’s technology office.

  • Network protection laws 'may have opposite effect'

    Laws that have been proposed by the Australian Government to guard communications networks and businesses from cyber attack and sabotage may have the opposite effect from that intended, a coalition of industry groups has warned.

    The warning came jointly from the Australian Industry Group, the Australian Information Industry Association, the Australian Mobile Telecommunications Association and Communications Alliance in a submission to the Parliamentary Joint Committee on Intelligence and Security.

  • Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

    In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

    Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

  • SSL or IPsec: Which is best for IoT network security?

    Internet of Things (IoT) devices are soon expected to outnumber end-user devices by as much as four to one. These applications can be found everywhere—from manufacturing floors and building management to video surveillance and lighting systems.

  • The barriers to using IoT in healthcare: What's stopping the Internet of Things from transforming the industry?

    Big things are expected of the Internet of Things (IoT) in a plethora of industries, and healthcare is no exception. The market is poised to reach $117 billion by 2020 according to business intelligence company MarketResearch.com.

    IoT covers a broad spectrum of interconnected devices communicating across the net that together can have benefits for the treatment of patients, the workloads of practitioners, and the wealth of the nation.

New CloudLinux 7 Kernel Released to Beta with Fix for "Kernel Panic" Issue, More

Filed under
Red Hat
Security

CloudLinux's Mykola Naugolnyi is announcing the availability of an updated kernel version in the Beta repositories of the Red Hat Enterprise Linux-based CloudLinux 7 operating system.

The kernel packages of CloudLinux 7 have been updated to version 3.10.0-427.36.1.lve1.4.37, and they are now available for installation directly from the updates-testing repository. Since kernel version 3.10.0-427.36.1.lve1.4.35, CloudLinux's team managed to backport a fix for a known "Kernel panic" issue.

The new updated CloudLinux 7 kernel build also attempts to implement the ability to ignore root-owned links when checking symlink ownership. Therefore, it is recommended that you update your systems to kernel version 3.10.0-427.36.1.lve1.4.37 as soon as possible.

Read more

Security News

Filed under
Security
  • This dump of iPhone-cracking tools shows how keeping software defects secret makes everyone less secure

    Last month, a hacker took 900GB of data from Cellebrite, an Israeli cyber-arms dealer that was revealed to be selling surveillance and hacking tools to Russia, the UAE, and Turkey.

    Yesterday, that hacker dumped Cellebrite's arsenal of mobile cracking tools, including a suite of tools to attack Apple's iOS devices (iPhones and iPads).

    The dump reveals that Cellebrite seemingly repackages untested and unaudited jailbreaking tools as lawful interception products and sells them to repressive regimes. It also reveals that suppressing disclosure of security vulnerabilities in commonly used tools does not prevent those vulnerabilities from being independently discovered and weaponized -- it just means that users, white-hat hackers and customers are kept in the dark about lurking vulnerabilities, even as they are exploited in the wild, which only end up coming to light when they are revealed by extraordinary incidents like this week's dump.

  • Gentoo Developer: Is The Linux Desktop Less Secure Than Windows 10?

    Gentoo Linux developer Hanno Böck, who also writes for Golem and runs The Fuzzing Project as a software fuzzing initiative to find issues in software, presented today at FOSDEM 2017 on some Linux desktop security shortcomings and how Microsoft Windows 10 is arguably more secure out-of-the-box.

IPFire 2.19 to Bring Tor 0.2.9.9 and OpenSSL 1.0.2k with New Security Fixes

Filed under
GNU
Linux
Security

Michael Tremer announced the availability for public testing of the upcoming IPFire 2.19 Core Update 109 maintenance release of the open source Linux-based router and firewall distribution.

The most important change included in this update appears to be support for the unbound 1.6.0 recursive and caching DNS resolver in the built-in DNS proxy, which will re-activate QNAME hardening and minimisation below NX domains. The change should also make IPFire check if a router drops DNS responses that are longer than a specific threshold.

Read more


More in Tux Machines

Leftovers: BSD

Security Leftovers

  • Stop using SHA1 encryption: It’s now completely unsafe, Google proves
    Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 signature. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made. However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.
  • on pgp
    First and foremost, I have to pay respect to PGP; it was an important weapon in the first cryptowar. It has helped many whistleblowers and dissidents. It is software with quite an interesting history, if all the cryptograms could tell... PGP is also deeply misunderstood; it is a highly successful political tool. It was essential in getting crypto out to the people. In my view PGP is not dead, it's just old and misunderstood and needs to be retired in honor. However, the world has changed from the internet happy times of the '90s, from a passive adversary to many active ones - with cheap commercially available malware as turn-key solutions, intrusive apps, malware, NSLs, gag orders, etc.
  • Cloudflare’s Cloudbleed is the worst privacy leak in recent Internet history
    Cloudflare revealed today that, for months, all of its protected websites were potentially leaking private information across the Internet. Specifically, Cloudflare’s reverse proxies were dumping uninitialized memory; that is to say, bleeding private data. The issue, termed Cloudbleed by some (but not its discoverer Tavis Ormandy of Google Project Zero), is the greatest privacy leak of 2017 and the year has just started. For months, since 2016-09-22 by their own admission, CloudFlare has been leaking private information through Cloudbleed. Basically, random data from random sites (again, it’s worth mentioning that every site that used CloudFlare in the last half year should be considered to have fallen victim to this) would be randomly distributed across the open Internet, and then indefinitely cached along the way.
  • Serious Cloudflare bug exposed a potpourri of secret customer data
    Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users. A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was between February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time by making Web requests to affected websites and to access some of the leaked data later by crafting queries on search engines. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

Security Leftovers

  • Change all the passwords (again)
    Looks like it is time to change all the passwords again. There’s a tiny little flaw in a CDN used … everywhere, it seems.
  • Today's leading causes of DDoS attacks [Ed: The so-called 'Internet of things' (crappy devices with identical passwords) is a mess; programmers to blame, not Linux]
    Of the most recent mega 100Gbps attacks in the last quarter, most of them were directly attributed to the Mirai botnet. The Mirai botnet works by exploiting the weak security on many Internet of Things (IoT) devices. The program finds its victims by constantly scanning the internet for IoT devices, which use factory default or hard-coded usernames and passwords.
  • How to Set Up An SSL Certificate on Your Website [via "Steps To Secure Your Website With An SSL Certificate"]
  • SHA-1 is dead, long live SHA-1!
    Unless you’ve been living under a rock, you heard that some researchers managed to create a SHA-1 collision. The short story as to why this matters is that the whole purpose of a hashing algorithm is to make it impossible to generate collisions on purpose. Unfortunately, though, impossible things are usually also impossible, so in reality we just make sure it’s really, really hard to generate a collision. Thanks to Moore’s Law, hard things don’t stay hard forever. This is why MD5 had to go live on a farm out in the country, and we’re not allowed to see it anymore … because it’s having too much fun. SHA-1 will get to join it soon.
  • SHA1 collision via ASCII art
    Happy SHA1 collision day everybody! If you extract the differences between the good.pdf and bad.pdf attached to the paper, you'll find it all comes down to a small ~128 byte chunk of random-looking binary data that varies between the files.
  • PayThink Knowledge is power in fighting new Android attack bot
    Android users and apps have become a major part of payments and financial services, carrying an increased risk for web crime. It is estimated that there are 107.7 million Android Smartphone users in the U.S. who have downloaded more than 65 million apps from the Google App Store, and each one of them represents a smorgasbord of opportunity for hackers to steal user credentials and other information.
  • Red Hat: 'use after free' vulnerability found in Linux kernel's DCCP protocol IPV6 implementation
    Red Hat Product Security has published details of an "important" security vulnerability in the Linux kernel. The IPv6 implementation of the DCCP protocol means that it is possible for a local, unprivileged user to alter kernel memory and escalate their privileges. Known as the "use-after-free" flaw, CVE-2017-6074 affects a number of Red Hat products including Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 and Red Hat Openshift Online v2. Mitigating factors include the requirement for a potential attacker to have access to a local account on a machine, and for IPv6 to be enabled, but it is still something that will be of concern to Linux users. Describing the vulnerability, Red Hat says: "This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as UAF (Use After Free.) Flaws of this nature are generally exploited by exercising a code path that accesses memory via a pointer that no longer references an in use allocation due to an earlier free() operation. In this specific issue, the flaw exists in the DCCP networking code and can be reached by a malicious actor with sufficient access to initiate a DCCP network connection on any local interface. Successful exploitation may result in crashing of the host kernel, potential execution of code in the context of the host kernel or other escalation of privilege by modifying kernel memory structures."

Android Leftovers