Language Selection

English French German Italian Portuguese Spanish

Security

pfSense 2.3.2 Open Source BSD Firewall Distro Arrives with over 70 Improvements

Filed under
Security
BSD

Electric Sheep Fencing LLC, through Chris Buechler, proudly announced on July 25, 2016, the immediate availability for download of the second maintenance update aimed at the pfSense 2.3 series of the FreeBSD-based open-source firewall distribution.

Read more

Security Leftovers

Filed under
Security

OpenBSD 6.0 tightens security by losing Linux compatibility

Filed under
Security
BSD

OpenBSD, one of the more prominent variants of the BSD family of Unix-like operating systems, will be released at the beginning of September, according to a note on the official OpenBSD website.

Often touted as an alternative to Linux. OpenBSD is known for the lack of proprietary influence on its software and has garnered a reputation for shipping with better default security than other OSes and for being highly vigilant (some might say strident) about the safety of its users. Many software router/firewall projects are based on OpenBSD because of its security-conscious development process.

Read more

Security News

Filed under
Security

Security News

Filed under
Security
  • As a blockchain-based project teeters, questions about the technology’s security

    There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles and books touting blockchain-based ledgers as the next technology that will run the world.

  • Fix Bugs, Go Fast, and Update: 3 Approaches to Container Security

    Containers are becoming the central piece of the future of IT. Linux has had containers for ages, but they are still maturing as a technology to be used in production or mission-critical enterprise scenarios. With that, security is becoming a central theme around containers. There are many proposed solutions to the problem, including identifying exactly what technology is in place, fixing known bugs, restricting change, and generally implementing sound security policies. This article looks at these issues and how organizations can adapt their approach to security to keep pace with the rapid evolution of containers.

  • Preventing the next Heartbleed and making FOSS more secure [Ed: Preventing the next Microsoft-connected trademarked bug for FOSS and making FOSS more secure from Microsoft FUD]

    David Wheeler is a long-time leader in advising and working with the U.S. government on issues related to open source software. His personal webpage is a frequently cited source on open standards, open source software, and computer security. David is leading a new project, the CII Best Practices Badging project, which is part of the Linux Foundation's Core Infrastructure Initiative (CII) for strengthening the security of open source software. In this interview he talks about what it means for both government and other users.

Keeweb A Linux Password Manager

Filed under
Linux
Reviews
Security

Today we are depending on more and more online services. Each online service we sign up for, let us set a password and this way we have to remember hundreds of passwords. In this case, it is easy for anyone to forget passwords. In this article I am going to talk about Keeweb, a Linux password manager that can store all your passwords securely either online or offline.

Read<br />
more

Security News

Filed under
Security
  • Security updates for Thursday
  • Open Source Information Security Tool Aimed at MSSPs

    A Virginia software developer announced today the release of what’s billed as the first open source information security analytics tool for managed security services providers (MSSP) and enterprise.

    IKANOW says its new platform features multi-tenancy, enterprise scalability and is fully customizable.

  • Most companies still can't spot incoming cyberattacks

    Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

    According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

  • HTTpoxy Flaw Re-emerges After 15 Years and Gets Fixed

    After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed.
    Some flaws take longer—a lot longer—than others to get fixed. The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18.

    The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts. The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic. The flaw at its core is a name space conflict between two different uses for a server variable known as HTTP Proxy.

  • Hack The World

    Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer Internet.

  • EU aims to increase the security of password manager and web server software: KeePass and Apache chosen for open source audits [“pyrrhic because of Keepass : flushing the audit money down the toilet on MS based cruft” -iophk]

    For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

    The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

  • KeeThief – A Case Study in Attacking KeePass Part 2

    The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares“. Our counterpoint to this is that protecting your computer from malicious compromise is a very different problem when it’s joined to a domain versus isolated for home use. As professional pentesters/red teamers we’re highly interested in post-exploitation techniques applicable to enterprise environments, which is why we started looking into ways to “attack” KeePass installations in the first place. Our targets are not isolated home users.

  • Giuliani calls for cybersecurity push

    Former New York mayor Rudy Giuliani made a surprise appearance at the BlackBerry Security Summit, warning of the rapid growth of cybercrime and cyberterrorism.

    Cybercrime and cyberterrorism are both growing at rates between 20% and 40%, said Giuliani, who made a brief return from the Republican National Convention in Cleveland to speak at BlackBerry's New York event.

    "Think of it like cancer. We can't cure it... but if we catch it early we can put it into remission," he said. The quicker you can spot an attack, the less chance there is of loss.

  • Notorious Hacker ‘Phineas Fisher’ Says He Hacked The Turkish Government

    A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

    The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

    “I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.

Security News

Filed under
Security

EC to audit Apache HTTP Server and Keepass

Filed under
Security

The European Commission is preparing a software source code security audit on two software solutions, Apache HTTP server and Keepass, a password manager. The source code will be analysed and tested for potential security problems, and the results will be shared with the software developers. The audits will start in the coming weeks.

Read more

Security News

Filed under
Security
  • Security advisories for Tuesday
  • BlackBerry Inks Software Deal With U.S. Senate
  • BlackBerry inks security software deals, shares slip
  • BlackBerry Announces String of Small Security Software Deals
  • BlackBerry inks U.S. government software deals; shares slip
  • Carbanak Gang Tied to Russian Security Firm?

    Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity.

    The Carbanak gang derives its name from the banking malware used in countless high-dollar cyberheists. The gang is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has likely stolen upwards of USD $1 billion — but mostly from Russian banks.

  • Now you can ask Twitter directly to verify your account

    Do you have an army of imposters online pretending to be you? Probably not, but now you can still request for a verified Twitter account.

    On Tuesday, Twitter launched an official application process so that any account can be verified and receive a blue checkmark badge next to its username. Twitter users interested in applying should have a verified phone number and email address, as well as a profile photo that reflects the person or company branding.

    Verified accounts get to filter their mentions to only see those from other verified accounts. But that seems to be the only real feature or perk that comes from having a blue badge–aside from bragging rights, of course. Additionally, verified accounts can’t be private, and the username must remain the same or you will have to seek verification all over again. If you are rejected, you can reapply after 30 days. Previously, the verification process was never clear-cut, and it seemed to require a direct connection to a Twitter rep.

  • Software flaw puts mobile phones and networks at risk of complete takeover [Ed: proprietary software]

    A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

    The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.

Syndicate content

More in Tux Machines

Security News

  • A 'mystery device' is letting thieves break into cars and drive off with them, insurance group says
    Insurance crime investigators are raising alarms over a device that not only lets thieves break into cars that use keyless entry systems but also helps start and steal them. Investigators from the National Insurance Crime Bureau, a not-for-profit organization, said in an interview they obtained what they called the “mystery device” from a third-party security expert at an overseas company. So far, the threat here may be mostly theoretical. The crime bureau said it heard of the device being used in Europe and had reports that it had entered the U.S., but said there are no law enforcement reports of a car being stolen using it in the United States.
  • Turkish hacking group offers tiered points rewards program for DoS attacks
    A TURKISH HACKING GANG is taking an unusual approach to funding denial of service attacks, and is soliciting for, and offering hackers rewards for taking down chosen pages. This is unusual, as far as we know, and it has led to the creation of comment from the security industry. Often these things do.
  • German judges explain why Adblock Plus is legal
    Last month, Adblock Plus maker Eyeo GmbH won its sixth legal victory in German courts, with a panel of district court judges deciding that ad-blocking software is legal despite German newsmagazine Der Spiegel's arguments to the contrary. Now, the reasoning of the Hamburg-based panel of judges has been made public. According to an unofficial English-translated copy (PDF) of the judgment, Spiegel Online argued it was making a "unified offer" to online consumers. Essentially, that offer is: read the news content for free and view some ads. While Internet users have the freedom "not to access this unified offer," neither they nor Adblock Plus have the right to "dismantle" it. Eyeo's behavior thus amounted to unfair competition, and it could even wipe the offer out, Spiegel claimed. "The Claimant [Spiegel] argues that the Defendant’s [Eyeo's] business model endangers the Claimant’s existence," reads the judgment, which isn't final because it can be appealed by Spiegel. Because users aren't willing to pay for editorial content on the Web, "it is not economically viable for the Claimant to switch to this business model." Spiegel asked for an accounting of all the blocked views on its website and a fine to be paid—or even for managers Wladimir Palant and Till Faida to be placed in "coercive detention" of up to two years.
  • Op-ed: I’m throwing in the towel on PGP, and I work in security [Ed: Onlya tool would drop PGP for Facebook-controlled Whatsapp. The company back-doors everything under gag orders.]
    In the coming weeks I'll import all signatures I received, make all the signatures I promised, and then publish revocations to the keyservers. I'll rotate my Keybase key. Eventually, I'll destroy the private keys.
  • 90 per cent of NHS Trusts are still running Windows XP machines
    90 PER CENT of the NHS continues to run Windows XP machines, two and a half years after Microsoft ditched support for the ageing OS. It's Citrix who is ringing the alarm bells, having learnt that 90 per cent of NHS Trusts are still running Windows XP PCs. The firm sent Freedom of Information (FoI) requests to 63 NHS Trusts, 42 of which responded. The data also revealed that 24 Trusts are still not sure when they'll migrate from Windows XP to a newer version of Microsoft's OS. 14 per cent said they would be transitioning to a new operating system by the end of this year, while 29 per cent pledged to make the move sometime next year.
  • Ransomware blamed for attack that caused Lincolnshire NHS Trust shutdown
    RANSOMWARE is to blame for an attack which saw an NHS Trust in Lincolnshire that forced to cancel operations for four days in October. In a statement, Northern Lincolnshire and Goole NHS Foundation Trust said that a ransomware variant called Globe2 was to blame for the incident.
  • Researchers Find Fresh Fodder for IoT Attack Cannons
    New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.
  • Your data is not safe. Here's how to lock it down
    But some people worry that government surveillance will expand under a Donald Trump presidency, especially because he tapped Mike Pompeo, who supports mass surveillance, for CIA chief.
  • Tor at the Heart: Library Freedom Project
    Library Freedom Project is an initiative that aims to make real the promise of intellectual freedom in libraries by teaching librarians and their local communities about surveillance threats, privacy rights and responsibilities, and privacy-enhancing technologies to help safeguard digital freedoms.
  • PowerShell security threats greater than ever, researchers warn
    Administrators should upgrade to the latest version of Microsoft PowerShell and enable extended logging and monitoring capabilities in the light of a surge in related security threats, warn researchers [...] Now more than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.
  • Five-Year-Old Bait-and-Switch Linux Security Flaw Patched
    Maintainers of the Linux Kernel project have fixed three security flaws this week, among which there was a serious bug that lingered in the kernel for the past five years and allowed attackers to bypass some OS security systems and open a root shell.
  • The Internet of Dangerous Auction Sites
    Ok, I know this is kind of old news now, but Bruce Schneier gave testimony to the House of Representatives’ Energy & Commerce Committee about computer security after the Dyn attack. I’m including this quote because I feel it sets the scene nicely for what follows here. Last week, I was browsing the popular online auction site eBay and I noticed that there was no TLS. For a moment, I considered that maybe my traffic was being intercepted deliberately, there’s no way that eBay as a global company would be deliberately risking users in this way. I was wrong. There is not and has never been TLS for large swathes of the eBay site. In fact, the only point at which I’ve found TLS is in their help pages and when it comes to entering card details (although it’ll give you back the last 4 digits of your card over a plaintext channel).

Android Leftovers

Linux 4.8.14

Turns out I'm going to be on a very long flight early tomorrow morning, so I figured it would be good to get this kernel out now, instead of delaying it by an extra day. So, I'm announcing the release of the 4.8.14 kernel. All users of the 4.8 kernel series must upgrade. The updated 4.8.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.8.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st... Read more Also: Linux 4.4.38 Linux Kernel 4.8.14 Hits the Streets with Numerous Networking Improvements, More

An Everyday Linux User Review Of Zorin 12

This version of Zorin is a great step forward. It has a renewed sense of purpose and stands out in its own right as a decent Linux distribution. I think Zorin should follow Mint's lead and stick with aligning itself to the Ubuntu LTS release. This gives the developers more time to push it along at their own pace. All in all a decent alternative to Linux Mint and Ubuntu. Read more