Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • 17 Security Experts Share Predictions for the Top Cyber-Trends of 2017

    Enterprises, governments and end users faced no shortage of security challenges in 2016. As the year draws to a close, we wonder: What security trends will continue into 2017? What will be the big security stories of the year to come? Many trends emerged in 2016 that are very likely to remain key issues for organizations of all sizes and shapes in 2017. Among them is the continued and growing risk of ransomware, which emerged in 2016 as a primary attack vector for hackers aiming to cash in on their nefarious activities. In 2016, nation-states once again were identified by multiple organizations as being the source of serious cyber-threats, and there is no indication that will change in the year ahead. Among the emerging trends that could become more prominent in the new year are the widespread use of containers and microservices to improve security control. This eWEEK slide show will present 17 security predictions for the year ahead from 17 security experts.

  • Learning From A Year of Security Breaches

    This year (2016) I accepted as much incident response work as I could. I spent about 300 hours responding to security incidents and data breaches this year as a consultant or volunteer.

    This included hands on work with an in-progress breach, or coordinating a response with victim engineering teams and incident responders.

    These lessons come from my consolidated notes of those incidents. I mostly work with tech companies, though not exclusively, and you’ll see a bias in these lessons as a result.

  • Girl uses sleeping mom's thumbprint to buy $250 in Pokemon toys

    The most famous, and unlikeliest, hacker in the news this week is little Ashlynd Howell of Little Rock, Ark. The exploits of the enterprising 6-year-old first came to light in a Wall Street Journal story about the difficulties of keeping presents a secret in the digital age. It seems that while mom Bethany was sleeping on the couch, Ashlynd gently picked up her mother's thumb and used it to unlock the Amazon app on her phone. She then proceeded to order $250 worth of Pokemon presents for herself. When her parents got 13 confirmation notices about the purchases, they thought that either they'd been hacked (they were, as it turned out) or that their daughter had ordered them by mistake. But she proudly explained, "No, Mommy, I was shopping." The Howells were able to return only four of the items.

  • FDIC Latest Agency To Claim It Was Hacked By A Foreign Government

    Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC's computers.

    But claiming the Chinese were involved seems premature, even according to Reuter's own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.

  • Parrot Security 3.3 Ethical Hacking OS With Linux Kernel 4.8 Released

Parsix GNU/Linux 8.15 (Nev) and 8.10 (Erik) Get Latest Debian Security Patches

Filed under
Security

It's been two weeks since our last report on the latest security updates pushed to the stable repositories of the Debian-based Parsix GNU/Linux operating system, and a new set of patches for various software components arrived the other day.

Read more

KDE Plasma 5.8.5 Is the Last Bugfix Release for 2016, over 55 Issues Resolved

Filed under
KDE
Security

As expected, KDE announced today the general and immediate availability of the fifth maintenance update to the long-term supported KDE Plasma 5.8 desktop environment for GNU/Linux distributions.

Read more

Security News

Filed under
Security
  • Security advisories for Monday
  • Is Mirai Really as Black as It’s Being Painted?

    An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.

    [...]

    If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.

  • Parrot Security 3.3 Ethical Hacking OS Updates Anonsurf, Fixes Touchpad Support

    A new stable release of the Debian-based Parrot Security ethical hacking and penetration testing operating system has been released on Christmas Day, versioned 3.3.

    Powered by a kernel from the Linux 4.8 series, Parrot Security OS 3.3 is here a little over two months since the release of Parrot Security 3.2, but it doesn't look like it's a major update and all that, as it only updates a few core components and hacking tools, and addresses a few of the bugs reported by users since version 3.2.

  • Linux Top 3: Guix, Parrot Security and OpenMandriva Lx

    The GNU Guix project builds a transactional package manager system and it is the base feature around which Guix SD(system distribution) is built.

    [...]

    The 3.01 release brings a number of major fixes since 3.0 release:

    updated software
    new drivers and kernel – better support for newer hardware
    many bugs fixed
    stable Plasma running on Wayland

  • LibreOffice 5.2.4 packages

    The computers worked frantically while I relaxed with my family. Slackware 14.2 and -current packages are ready for LibreOffice 5.2.4. Enjoy the newest version of this highly popular office suite.

Security News

Filed under
Security
  • SQL is Insecure

    SQL is insecure, tell everyone. If you use SQL, your website will get hacked. Tell everyone.

    I saw the news that the US Elections Agency was hacked by a SQL injection attack and I kind of lost it. It’s been well over two decades since prepared statements were introduced. We’ve educated and advised developers about how to avoid SQL injection, yet it still happens. If education failed, all we can do is shame developers into never using SQL.

    I actually really like SQL, I’ve even made a SQL dialect. SQL’s relational algebra is expressive, probably more so than any other NoSQL database I know of. But developers have proven far too often that it’s simply too difficult to know when to use prepared statements or just concatenate strings — it’s time we just abandon SQL altogether. It isn’t worth it. It’s time we called for all government’s to ban use of SQL databases in government contracts and in healthcare. There must be utter clarity.

  • Cyber-criminals target African countries with ransom-ware

    Once again Conficker retained its position as the world’s most prevalent malware, responsible for 15% of recognised attacks. Second-placed Locky, which only started its distribution in February of this year, was responsible for 6% of all attacks, and third-placed Sality was responsible for 5% of known attacks. Overall, the top ten malware families were responsible for 45% of all known attacks.

  • It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on the Globe

    It’s easier than many people realize to modify someone else’s flight booking, or cancel their flight altogether, because airlines rely on old, unsecured systems for processing customers’ travel plans, researchers will explain at the Chaos Communication Congress hacking festival on Tuesday. The issues predominantly center around the lack of any meaningful authentication for customers requesting their flight information.

    The issues highlight how a decades-old system is still in constant, heavy use, despite being susceptible to fairly simple attacks and with no clear means for a solution.

    “Whenever you take a trip, you are in one or more of these systems,” security researcher Karsten Nohl told Motherboard in a phone call ahead of his and co-researcher Nemanja Nikodijevic’s talk.

  • Open source risks and rewards – why team structure matters

    An impressive and user-friendly digital presence is an indispensable asset to any brand. It is often the first point of contact for customers who expect and demand great functionality and engaging content across multiple platforms. The finding that nearly half of us won't wait even three seconds for a website to load bears witness to ever increasing customer expectations which must be met.

    Partnership with a digital agency can be a great way to keep up to speed with rapid change and innovation but to ensure the very best outcome, both client and agency need to find an optimum commercial, creative and secure cultural fit. This should be a priority for both sides from the very first pitch. The promise of exceptional creativity and customer experience is one thing, but considering the more practical aspects of how the relationship will work is entirely another.

Security News

Filed under
Security
  • Friday's security advisories
  • The State of Linux Security

    In the last 10 years, GNU/Linux achieved something some foreseen as almost impossible: powering both the smallest and biggest devices in the world, and everything in between. Only the desktop is not a conquered terrain yet.

    The year 2016 had an impact on the world. Both from a real life perspective, as digitally. Some people found their personal details leaked on the internet, others found their software being backdoored. Let’s have a look back on what happened this year regarding Linux security.

BlackArch Linux

Filed under
GNU
Linux
Security
  • BlackArch Linux now has over 1,600 hacking tools

    To extensively support ethical hackers and white-hat cybersecurity experts, BlackArch Linux has released a new update with over 1,600 hacking tools. The latest version also comes with newer Linux kernel and includes enormous improvements and performance fixes.

    Emerged as BlackArch 2016.12.20, the update brings more than 100 new tools to support security professionals. These new tools have expanded the previous list to a total of 1,605 tools. Additionally, the distribution comes with Linux kernel 4.8.13 to deliver an improved and more stable experience than its previous release.

  • BlackArch Linux 2016.12.20 Ethical Hacking Distro Released With 100+ New Tools

Security News

Filed under
Security
  • Thursday's security updates
  • Lithuania said found Russian spyware on its government computers

    The Baltic state of Lithuania, on the frontline of growing tensions between the West and Russia, says the Kremlin is responsible for cyber attacks that have hit government computers over the last two years.

    The head of cyber security told Reuters three cases of Russian spyware on its government computers had been discovered since 2015, and there had been 20 attempts to infect them this year.

    "The spyware we found was operating for at least half a year before it was detected – similar to how it was in the USA," Rimtautas Cerniauskas, head of the Lithuanian Cyber Security Centre said.

  • Dear CIO: Linux Mint Encourages Users to Keep System Up-to-Date

    Swapnil Bhartiya gets it wrong.

    Let me start by pointing out that Bhartiya is not only a capable open source writer, he’s also a friend. Another also: he knows better. That’s why the article he just wrote for CIO completely confounds me. Methinks he jumped the gun and didn’t think it through before he hit the keyboard.

    The article ran with the headline Linux Mint, please stop discouraging users from upgrading. In it, he jumps on Mint’s lead developer Clement Lefebvre’s warning against unnecessary upgrades to Linux Mint.

Security Leftovers

Filed under
Security
  • Most ATMs in India Are Easy Targets for Hackers & Malware Attacks

    Hacking is a hotly debated subject across the country right now, and it’s fair to say that the ATM next door is also in danger. It has been reported that over 70 percent of the 2 lakh money-dispensing ATM machines in our country are running on Microsoft’s outdated Windows XP operating system, leaving it vulnerable to cyber attacks.

    Support for Windows XP was discontinued by Microsoft in 2014 which means that since then the company hasn’t rolled out any security updates for this Windows version.

    While it doesn’t make sense for banks to continue using outdated software, security experts feel that the practice stems from legacy behaviour, when physical attacks were a bigger threat than software hacks.

  • 20 Questions Security Pros Should Ask Themselves Before Moving To The Cloud

    A template for working collaboratively with the business in today's rapidly changing technology environment.

    Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.

    Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.

  • Report: $3-5M in Ad Fraud Daily from ‘Methbot’

    New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

    Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

  • Linux Backdoor Gives Hackers Full Control Over Vulnerable Devices [Ed: Microsoft booster Bogdan Popa says "Linux Backdoor"; that's a lie. It’s Microsoft that has them.]

IPFire 2.19 - Core Update 108 released

Filed under
GNU
Linux
Security

Just before Christmas, we are going to release the last Core Update for 2016. IPFire 2.19 – Core Update 108 brings some minor bug fixes and feature enhancements, some security fixes in ntp and various fixes in the squid web proxy.

Read more

Syndicate content

More in Tux Machines

Wine-Staging 2.0-RC5 and 'Squad' Might be Coming to GNU/Linux

  • Wine-Staging 2.0-RC5 Improves Compatibility For Origin, GOG Galaxy & More
    Wine-Staging 2.0-RC5 was released on Sunday as the newest version of this experimental/testing Wine build. This time around there are some exciting new patches. On top of re-basing off Friday's Wine 2.0-rc5 release and continuing to maintain quite a number of patches that haven't yet made their way into mainline Wine, a few more patches were added. Upstream Wine is currently under a code freeze until the 2.0 release later this month but that doesn't stop the Wine-Staging crew.
  • Release 2.0-rc5
    Wine Staging 2.0-rc5 improves the compatibility of various applications that require at least Windows Vista or Windows 7. This includes Origin, Uplay, GOG Galaxy and many more. Several bugs were fixed in the PE loader to support loading of packed executables with truncated headers and/or on-the-fly section decompression. If you are using the 64 bit version of Wine, you may also benefit from the memory manager improvements, which allow applications to reserve/allocate more than 32 GB of virtual memory. The memory allocations are now only constrained by resource limitations of the hardware / the operating system and no longer by an artificial design limit in Wine.
  • Looks like FPS game 'Squad' might be coming to Linux soon
    The game uses Unreal Engine and we know already how iffy their Linux support actually is. Hopefully they won't come across too many troubles.

Security News

  • Microsoft slates end to security bulletins in February [iophk: "further obscuring"; Ed: See this]
    Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches. One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."
  • Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users
    By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too.
  • DragonFlyBSD Installer Updated To Support UEFI System Setup
    DragonFlyBSD has been working on its (U)EFI support and with the latest Git code its installer now has basic UEFI support.

A Look At The Huge Performance Boosts With Nouveau Mesa 17.0-devel On Maxwell

Landing this week in Mesa 17.0-devel Git was OpenGL 4.3 for NVC0 Maxwell and a big performance boost as well for these GeForce GTX 750 / 900 series NVIDIA "Maxwell" graphics processors. Here are some before/after benchmarks of the performance improvements, which the patch cited as "1.5~3.5x better", when testing a GeForce GTX 750 Ti and GTX 980. Read more Also: Fresh Tests Of Intel Beignet OpenCL

Q4OS 1.8.2, Orion

New version 1.8.2 is based on the the most recent release of stable Debian Jessie 8.7, important security patches have been applied and core system packages have been updated. Q4OS Update manager has been rewritten from scratch to provide a robust and reliable tool for safe system upgrades. Other Q4OS specific fixes and under the hood improvements are delivered as usual. All the updates are immediately available for existing Q4OS users from the regular Q4OS repositories. Most attention is now focused on the development of the testing Q4OS 'Scorpion' version 2.2, based on Debian 9 Stretch. Q4OS 2.2 Scorpion continues to be under development so far, and it will stay as long as Debian Stretch will be testing, the release date is preliminarily scheduled at about the turn of April and May 2017. Q4OS 'Scorpion' will be supported at least five years from the official release date. Read more