
Security

Security Leftovers

Filed under
Security

Parrot Security OS 3.5 Improves Linux Security Tools Distribution

Filed under
OS
Linux
Security

There seems to be no shortage of Linux distributions specifically designed and built for security researchers. That list includes the Parrot Security OS Linux distribution, which was updated to version 3.5 on March 8. The Parrot Security OS platform is based on the Debian Linux distribution, with the open-source MATE desktop the default choice for new users. As a platform for security researchers, Parrot Security OS provides a wide array of tools that fit into different categories, including information gathering, vulnerability analysis, database assessment, exploitation tools, password attacks, wireless testing, digital forensics, reverse engineering and reporting tools. One of its more interesting tools is the open-source Kayak car hacking tool that can be used to diagnose a car's CAN (Controller Area Network) bus. In addition, version 3.5 includes the CryptKeeper encrypted folder manager tool, as well as the Metasploit penetration testing framework, which is packed full with 1,627 exploits. For users who want to stay somewhat anonymous while using the system, anonymous web surfing tools are also included in the Linux distribution. In this slide show, eWEEK takes a look at some of the highlights of the Parrot Security OS 3.5 release.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • How Android and iOS devices really get hacked
  • Security Expert Bruce Schneier on Regulating IoT

    With the Internet of Things already flexing its muscle and showing its potential to be a security nightmare, has the time come for governments to step into the fray and begin regulating the Internet? Security guru Bruce Schneier thinks that may be an inevitability, and says the development community might want to go ahead and start leading the way to assure that regulations aren't put in place by people who don't understand tech.

    "As everything turns into a computer, computer security becomes 'everything security,'" he explained, "and there are two very important ramifications of that. The first is that everything we know about computer security becomes applicable to everything. The second is the restrictions and regulations that the real world puts on itself are going to come into our world, and I think that has profound implications for us in software and especially in open source."

  • Ioquake3 Pushes Out Important Security Update

    All of those running ioquake3-powered games are encouraged to update their engine installation as soon as possible.

    The developers behind this popular fork of the open-source id Tech 3 engine code have pushed a "large security fix" and all users are encouraged to upgrade prior to connecting to any online servers. Unfortunately, ioquake3 currently doesn't have any auto-update system to make it easy to roll out game engine updates.

Security News

Filed under
Security
  • The Nintendo Switch already hacked through a known vulnerability?

    It appears that the not-so-well hidden Nintendo Switch browser shipped with a bunch of old vulnerabilities that hackers were able to leverage. Yesterday, hacker qwertyoruiop (known for Jailbreaks of multiple iOS versions, and who also contributed to the PS4 1.76 Jailbreak) posted a screenshot of what seems to be a Webkit exploit running on the Nintendo Switch.

  • Linux: fix an existing bug for 11 years in the Kernel
  • Security, Consumer Reports, and Failure

    As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reason to pick on these guys. They’re quite brave to take this task on, it’s nearly impossible if you think about the state of security (especially consumer security). But this is how things start. There is no industry that has gone from broken to perfect in one step. It’s a long hard road when you have to deal with systemic problems in an industry. Consumer product security problems may be larger and more complex than any other industry has ever had to solve thanks to things such as globalization and how inexpensive tiny computers have become.

Security News

Filed under
Security
  • Apache Struts Vulnerability Under Attack

    An easy to exploit remote code execution flaw discovered in the widely used open-source Apache Struts 2 framework has been patched, but that's not stopping attackers from attempting to exploit vulnerable systems.

    The open-source Apache Struts 2 technology is a widely used framework component in Java applications and it's currently under attack. The attacks follow the March 6 disclosure by the Struts project for a Remote Code Execution (RCE) vulnerability identified as CVE-2017-5638.

  • An insecure mess: How flawed JavaScript is turning web into a hacker's playground

    An analysis of over 133,000 websites has found that 37 percent of them have at least one JavaScript library with a known vulnerability.

    Researchers from Northeastern University have followed up on research in 2014 that drew attention to potential security risks caused by loading outdated versions of JavaScript libraries, such as jQuery and the AngularJS framework, in the browser.

  • The Big Hack - the Day Cars Drove Themselves Into Walls and the Hospitals Froze

    I have decided to submit a story from the hypothetical future, published by New York Magazine 9 months ago, one that I picked while browsing whatever I missed since my last visit on Schneier on security.

  • Pennsylvania Senate Democrats resist ransom in cyberattack [iophk: "Microsoft on site to prevent defection"]

    Microsoft was doing a forensic audit to try to figure out who penetrated the network and how...

  • Security firm issues patch for another Windows 0-day

    A security firm that issued a patch for a Windows zero-day vulnerability last week has done a repeat, this time for a vulnerability that potentially allows arbitrary remote code execution in Internet Explorer 11.

  • Students to go head to head in cyber games competition [iophk: "cyber, cyber, cyber, cyber, ..."]
  • SCALE 15x Keynote: Karen Sandler - In the Scheme of Things, How Important is Software Freedom?
  • Church of England puts a stop to ransomware with Darktrace

    Attackers certainly were getting in: up until Jennings bumped into Darktrace at a trade show, the Church was being hit with ransomware attacks, as many as three or four in the space of six to eight weeks. In all instances the problem was internal – Jennings admits that IT literacy is not particularly high in the organisation – usually through a malicious email.

  • Australian start-up testing new online voting system [Ed: Another terrible idea; see Vault 7; everything has back doors. Use paper.]

    An Australian start-up that is currently testing what it says is the biggest dry run of an electronic voting system is confident that it can gradually make headway into getting its system taken up in the country.

    XO.1 is in the process of running a 24-hour stress test of its SecureVote system using the bitcoin blockchain network. The test began at 2am AEST this morning.

Security Leftovers

Filed under
Security
  • Payments Giant Verifone Investigating Breach

    Verifone circled back post-publication with the following update to their statement: “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

  • Terabytes of Government Data Copied [iophk: "they need to publish via bittorrent more often to take out the single point of failure; they need to learn to use torrents from day one of their research"]
  • Millions of websites still using vulnerable SHA-1 certificate

    At least 21 percent of all public websites are using insecure SHA-1 certificates – past the migration deadline and after Google researchers demonstrated a real-world collision attack. And this is without taking into account private or closed networks that also might be using the hash.

  • Widespread Bug Bounty Program Could Help Harden Open Source Security

    One company is adding to its bug bounty program efforts by offering its professional services to the open source community for free. HackerOne’s platform, known as HackerOne Community Edition, will help open source software teams create a comprehensive approach to vulnerability management, including a bug bounty program.

  • Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking

    Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.

    Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers’ security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.

  • Researchers warn augmented mobile and open source = malware opportunity [Ed: Well, and proprietary is never a malware ramp (sarcasm)]

    ESET researchers warn, in a recent security post, that augmented mobile applications plus open source platforms like Google's could be a recipe for clever malware to come.

    Currently, Google only requires developers to make a one-time payment of $25 and within 24 hours they can have an application in the Google Play Store, compared to Apple, which requires a yearly license that costs more than $100 and a vetting period of up to two weeks.

  • Operation Rosehub patches Java vulnerabilities in open source projects

    Google employees recently completed Operation Rosehub, a grass roots effort that patches a set of serious Java vulnerabilities in thousands of open source projects.

  • [Video] CPU Backdoors Could Allow Government Spying
  • Moving Git past SHA-1 [Ed: no longer behind LWN paywall]

    The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.

  • Linux kernel: CVE-2017-2636: local privilege escalation flaw in n_hdlc
  • Spammergate: The Fall of an Empire
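The two SHA-1 items above (the 21 percent of public sites still serving SHA-1 certificates, and the note that the certificate world has largely moved on while Git has not) both come down to one question a practitioner wants answered for their own hosts: is this certificate signed over a SHA-1 digest? The following is an added example, not code from the page, from Google, or from any certificate authority. It contains a minimal DER reader that pulls the outer signatureAlgorithm OID out of an X.509 certificate, and a tiny DER writer used only to build a constructed, structurally valid but otherwise meaningless sample certificate so the check runs offline; the OID table and the `sample_cert` helper are the assumptions. Real certificates can be fed in as DER bytes or PEM text.

```python
"""Tell whether an X.509 certificate's signature is computed over SHA-1.

Added example: not from the page or any project it names. The DER helpers
are the minimum needed to walk Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm, signatureValue } and read the AlgorithmIdentifier OID.
"""
import base64

# Signature algorithm OIDs whose digest is SHA-1 (assumed table, from RFC 3279/5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """OID content octets -> dotted string; first octet packs the first two arcs."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    """Strip the BEGIN/END armour and base64-decode a PEM certificate."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid)


def uses_sha1(der):
    """True when the certificate signature is over a SHA-1 digest."""
    return signature_algorithm(der) in SHA1_SIGNATURE_OIDS


# --- constructed sample certificate (assumption: only the OID is realistic) ---
def _tlv(tag, body):
    if len(body) < 128:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))      # big-endian base-128, high bit on all but last
    return _tlv(0x06, bytes(out))


def sample_cert(sig_oid):
    """Fake Certificate: placeholder tbsCertificate and signature, real OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")     # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)          # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = sample_cert(oid)
        print(oid, "-> SHA-1 signature:", uses_sha1(der))
```

For a real host, pass `pem_to_der(open("cert.pem").read())` to `uses_sha1`. Note the caveat behind the article's "private or closed networks" remark: the check only covers the leaf certificate you hand it, so run it over every certificate in the chain, since an intermediate signed with sha1WithRSAEncryption is just as much a problem as the leaf.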

Security News

Filed under
Security
  • Security updates for Friday
  • Reproducible Builds: week 97 in Stretch cycle
  • Linux says open source more secure than closed, responds to Wikileaks’ claims

    Apple has already released a statement that said the vulnerabilities have already been fixed. Google too has responded to the issue. Linux just released a statement assuring the users that its being open source is safer for most people. The idea is that open source software communities continue to work on securing systems.

  • MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

    To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values.

    In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers.

  • Open source security and ‘hacking robots before skynet’ [Ed: Let's pretend proprietary software is secure and robust, and has zero back doors (we cannot see)]

    In this case, the devices were used to form a botnet and attack other systems, conducting a denial of service attack that made Twitter, Etsy, and other popular sites unavailable to users. This was inconvenient to users, and likely cost revenue for Dyn customers. It was almost certainly costly for Dyn.

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Hardening the LSM API

    The Linux Security Modules (LSM) API provides security hooks for all security-relevant access control operations within the kernel. It’s a pluggable API, allowing different security models to be configured during compilation, and selected at boot time. LSM has provided enough flexibility to implement several major access control schemes, including SELinux, AppArmor, and Smack.

  • Hackers exploit Apache Struts vulnerability to compromise corporate web servers
  • Critical vulnerability under “massive” attack imperils high-impact sites

    The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

  • How Safe Are Blockchains? It Depends.

    Blockchain, the distributed ledger technology underlying bitcoin, may prove to be far more valuable than the currency it supports. But it’s only as valuable as it is secure. As we begin to put distributed ledger technology into practice, it’s important to make sure that the initial conditions we’re setting up aren’t setting us up for security issues later on.

  • Three Overlooked Lessons about Container Security

    Last week was an exciting week for me — I’ve just joined container security specialists Aqua Security and spent a couple of days in Tel Aviv getting to know the team and the product. I’m sure I’m learning things that might be obvious to the seasoned security veteran, but perhaps aren’t so obvious to the rest of us! Here are three aspects I found interesting and hope you will too, even if you’ve never really thought about the security of your containerized deployment before:
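Both Struts 2 items on this page (the "Apache Struts Vulnerability Under Attack" entry above and the "massive attack" entry in this list) say CVE-2017-5638 is trivial to exploit without saying what the request looks like. The vector is a Content-Type header that is not a valid media type and instead carries an OGNL expression, which Struts evaluates while building the error message for the bad header. The following is an added example, not the page's code, the Struts project's code, or either of the public exploits: it parses raw HTTP requests, grades the Content-Type header as clean, malformed, an OGNL probe, or an OGNL payload that references the sandbox-escape internals a working exploit needs, and runs over a constructed sample set. The indicator patterns and `HEADERS_OF_INTEREST` are assumptions a team would tune.

```python
"""Flag requests whose Content-Type header carries OGNL (CVE-2017-5638 vector).

Added example, not from the page or the Struts project. Sample requests are
constructed; the payload-looking one is deliberately incomplete.
"""
import re

OGNL_MARKER = re.compile(r"[%$]\{")
# Struts/OGNL internals a payload must touch to leave the sandbox and run code.
OGNL_INTERNALS = re.compile(
    r"#_memberAccess|DEFAULT_MEMBER_ACCESS|#context\[|ProcessBuilder|getRuntime\(\)",
    re.IGNORECASE,
)
# RFC 7231 media type: token "/" token, optional parameters.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")
HEADERS_OF_INTEREST = ("content-type",)   # assumption: extend for later Struts advisories


def parse_headers(raw_request):
    """{lower-cased name: value} for the header block of a raw HTTP/1.1 request."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_header(value):
    """'exploit' > 'probe' > 'malformed' > 'clean' for one Content-Type value."""
    if OGNL_MARKER.search(value):
        return "exploit" if OGNL_INTERNALS.search(value) else "probe"
    if not MEDIA_TYPE.match(value):
        return "malformed"                       # not OGNL, but still not a media type
    return "clean"


def scan(requests):
    """[(request index, header name, verdict)] for every non-clean header."""
    findings = []
    for i, raw in enumerate(requests):
        headers = parse_headers(raw)
        for name in HEADERS_OF_INTEREST:
            value = headers.get(name)
            if value is None:
                continue
            verdict = classify_header(value)
            if verdict != "clean":
                findings.append((i, name, verdict))
    return findings


# Constructed sample traffic against a Struts app.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----abc\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe='ping')}\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')"
    ".(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: not a media type\r\n\r\n",
]

if __name__ == "__main__":
    for index, name, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {name} -> {verdict}")
```

The grading is deliberately conservative: a `%{` in Content-Type never occurs in legitimate traffic, so `probe` is already worth an alert, while `exploit` means the sandbox-escape names are present and the target should be treated as compromised until the logs show the request was rejected. Detection is a stopgap; the fix is the patched Struts release the articles mention.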

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Security updates for Wednesday
  • Google leads ‘guerilla patching’ of big vulnerability in open source projects

    Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.

    Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability”, CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.

  • Microsoft and Samsung react to Vault 7 CIA leaks -- Google, Linux Foundation and others remain silent

    The Vault 7 document and code cache released yesterday by WikiLeaks revealed that many big software companies were being actively exploited by the CIA. Apple, Microsoft, Google, Samsung, and even Linux were all named as having vulnerabilities that could be used for surveillance.

  • Vault 7 fallout: Linux Foundation says it's "not surprising" Linux is targeted [Ed: "NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux"]

    In the wake of WikiLeaks' Vault 7 CIA leaks, Apple has been quick to point out that vulnerabilities mentioned in the documents have already been addressed. Microsoft and Samsung have said they are "looking into" things, and now the Linux Foundation has spoken out.

    Nicko van Someren, Chief Technology Officer at The Linux Foundation says that while it is "not surprising" that Linux would find itself a target, the open source project has a very fast release cycle, meaning that kernel updates are released every few days to address issues that are found.

  • The Linux Foundation responds to Wikileaks' CIA hacking revelations

    The Linux Foundation has become the latest firm to respond to the revelations that its products have been compromised by the CIA.

    Wikileaks on Tuesday published 8,761 documents dubbed 'Year Zero', the first part in a series of leaks on the agency that Wikileaks has dubbed 'Vault 7'.

    The whistleblowing foundation claims the document dump reveals full details of the CIA's 'global covert hacking program', including 'weaponised exploits' used against operating systems including Android, iOS, Linux, macOS, Windows and "even Samsung TVs, which are turned into covert microphones".

Canonical Releases New Kernels for Ubuntu Linux to Fix a Single Vulnerability

Filed under
Security
Ubuntu

Canonical published several security advisories to inform Ubuntu users about new kernel versions for their Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 16.10 (Yakkety Yak) operating systems.

Read more
