Security

Security News

Filed under
Security
  • One election-system vendor uses developers in Serbia

    The use of proprietary systems in elections has its critics. One Silicon Valley group, the Open Source Election Technology Foundation, is pushing for an election system that shifts from proprietary, vendor-owned systems to one that is owned "by the people of the United States."

  • Europe to Push New Security Rules Amid IoT Mess

    The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

  • Internet of Things botnets: You ain’t seen nothing yet

    Internet of Things (IoT) botnet "Mirai" is the shape of things to come and future assaults could be even more severe, a leading security research firm warns.

    Mirai powered the largest ever DDoS attack ever, spawning a 620Gbps DDoS against KrebsOnSecurity. Source code for the malware was released on hacker forums last week.

    The malware relied on factory default or hard-coded usernames and passwords to compromise vulnerable IoT devices such as insecure routers, IP cameras, digital video recorders and the like.

    PenTestPartners, the UK security consultancy behind numerous hacks on IoT devices ranging from Wi-Fi enabled kettles to cars, said that the botnet finally illustrates the consequences of IoT vendors cutting corners on security.

Security News

Filed under
Security
  • Security advisories for Friday
  • surveillance, whistleblowing, and security engineering

    Imagine for a moment that you are a security engineer who discovers a backdoor that your company execs have been trying to hide from your team. Would you quit on ethical grounds or stay so that you can prevent this from happening again? I don’t think there is one right answer. Personally I am grateful both for those who left and blew the whistle, and for those who stayed to protect Yahoo’s 800 million users.

    Part of the job function of security engineers and pen testers is being ready for the moment you encounter something that you think should be disclosed but your company wants to keep secret. Think about what you would be willing to lose. Be prepared to escalate internally. Know the terms of your NDA and your exit agreement; try your best to honor them. Most of all, keep pushing for end-to-end encryption.

  • Digital Vigilantes Want to Shame DDoS Attackers And Their Corporate Enablers

    Hacker attacks that try to take down websites with a flood of bogus traffic, technically known as Distributed Denial of Service (DDoS) attacks, have become a daily occurrence on the internet. The rise of DDoS has created a cottage industry of companies dedicated to mitigating the attacks, and, on the flip side, professional DDoS-for-hire services and gangs.

    Now, a group of security researchers wants to name and shame not only the hackers responsible for such crippling attacks, but also the internet providers and traffic carriers that enable them by turning a blind eye to their actions, with a project called SpoofIT.

  • Russia Drafting Law to Favor Open Source

    I wrote the original cyber-vulnerability letter to the White House in 1994, and instead of acting responsibly, the US Government allowed NSA -- with the active complicity of US communications and computing provider CEOs -- to compromise all US offerings. Not only are the communications and computing devices and related consulting compromised, but so are larger offerings (e.g. Boeing aircraft, which come with a computer system pre-configured for US Government remote control take-over -- Lufthansa is reported to have discovered this and at great expense removed all US computers from every aircraft). NOTE: I am quite certain about both of the above indictments, but only a proper European Commission investigation can satisfy the public interest; I believe that the same problems infect C4I systems from China, France, Israel, and Russia, and I do not believe most people are aware that the electrical system is now easily used to enter computers that are nominally disconnected from the Internet.

  • Systemd vulnerability crashes Linux systems

    A new vulnerability has been discovered that could shut down most Linux systems using a command short enough to fit in a tweet.

Security Leftovers

Filed under
Security
  • Promoting Cybersecurity Awareness

    We are happy to support National Cyber Security Awareness Month (NCSAM), a global effort between government and industry to ensure everyone has the resources they need to be safer, more secure and better able to protect their personal information online.

    We’ve talked about how cybersecurity is a shared responsibility, and that is the theme for National Cybersecurity Awareness Month – the Internet is a shared resource and securing it is our shared responsibility. This means technology companies, governments, and even users have to work together to protect and improve the security of the Internet. We all have to do our part to make the Internet safer and more secure for everyone. This is a time for all Internet users to Stop. Think. Connect. This month, and all year long, we want to help you be more “CyberAware.”

  • 'Security fatigue' is the worst thing to happen to people since insecurity

    CHANGING PASSWORDS is just too much for some people, according to research, and causes them to do stupid things.

    This is called 'security fatigue', apparently, and comes straight from the National Institute of Standards and Technology (NIST) and a collection of clipboards and pens.

    "After updating your password for the umpteenth time, have you resorted to using one you know you'll remember because you've used it before? Have you ever given up on an online purchase because you just didn't feel like creating a new account?" asked NIST.

    "If you have done any of those things, it might be the result of ‘security fatigue'. It exposes online users to risk and costs businesses money in lost customers."

  • The new BYOD backlash hides an ulterior motive

    Recent research from IDC shows a clear picture: IT organizations are increasingly unhappy about BYOD and now want to curtail or end the practice.

    Their stated concern: The costs are too high and the savings too low. But those concerns are misguided and likely masking a secret agenda to regain control over mobile devices, not to save money. Face it: BYOD was never popular with IT.

Security News

Filed under
Security

First pfSense 2.3.2 Update Adds OpenSSL Security Fixes to the BSD-Based Firewall

Filed under
OSS
Security
BSD

Today, October 6, 2016, Jim Thompson from the pfSense project has had the great pleasure of announcing the release and immediate availability of the pfSense 2.3.2-p1 maintenance update to the open source BSD-based firewall distro.


Bugs and Security

Filed under
Linux
Security
  • New Linux Kernel 4.8 -- Plus a Kernel-Killing Bug

    After nearly exactly two months, Linus Torvalds released kernel 4.8 into the wild on Sunday, October 2nd. Torvalds dubbed 4.8 Psychotic Stoned Sheep, probably inspired by the news that a flock of woolly ruminants ate some abandoned cannabis and, high as kites, ran amok in rural Wales, striking terror into the hearts of the locals.

    This has been one of the larger releases, with many patches being sent in before the first release candidate was published. However, Torvalds attributes many of the changes to the switch to a new documentation format -- instead of using the DocBook, documentation must now be submitted in the Sphinx doc format.

  • Linus Torvalds Apologizes for Inclusion of a Kernel Bug in the Linux 4.8 Release

    Two days after announcing the release of the Linux 4.8 kernel as the latest stable and most advanced kernel branch for GNU/Linux operating systems, Linus Torvalds apologizes on the kernel mailing list for the inclusion of a bug.

    According to Mr. Torvalds, the bug was left in the last RC8 (Release Candidate 8) build by kernel developer Andrew Morton, which caused problems when attempting to compile it, thus resulting in a dead kernel. If you're curious, the full report is attached to Linus Torvalds' mailing list announcement.

  • Buggy code to the left of me, perfect source to the right, here I am, stuck in the middle with EU

    Midway through SUPERSEDE, the EU three-year project backed by €3.25m in funding to make software better, software still sucks.

    It's always been thus, but now that computer code has a say in the driving of Teslas, confronts everyone daily on smartphones, and has crept into appliances, medical devices, and infrastructure, it's a more visible problem.

    Robert Vamosi, security strategist at Synopsys, told The Register in a phone interview that software quality matters more than ever.

    "We're seeing real-world examples of automobiles remotely attacked and medical devices being suspended when they need to keep functioning," he said. "It's becoming life-critical."

    The organizations involved in SUPERSEDE – ATOS, Delta Informatica, SEnerCon, Siemens, Universitat Politècnica de Catalunya (UPC), the University of Applied Sciences and Arts Northwestern Switzerland (FHNW), and the University of Zurich (UZH) – aim to improve the user experience of their software products with a toolkit to provide better feedback and analytics data to application developers.

  • 5 Tips on Using OAuth 2.0 for Secure Authorization

    OAuth is an open standard in authorization that allows delegating access to remote resources without sharing the owner's credentials. Instead of credentials, OAuth introduces tokens generated by the authorization server and accepted by the resource owner.

    In OAuth 1.0, each registered client was given a client secret and the token was provided in response to an authentication request signed by the client secret. That produced a secure implementation even in the case of communicating through an insecure channel, because the secret itself was only used to sign the request and was not passed across the network.

    OAuth 2.0 is a more straightforward protocol passing the client secret with every authentication request. Therefore, this protocol is not backward compatible with OAuth 1.0. Moreover, it is deemed less secure because it relies solely on the SSL/TLS layer. One of OAuth contributors, Eran Hammer, even said that OAuth 2.0 may become "the road to hell," because:

    "… OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations."

    Despite this opinion, making a secure implementation of OAuth 2.0 is not that hard, because there are frameworks supporting it and best practices listed. SSL itself is a very reliable protocol that is impossible to compromise when proper certificate checks are thoroughly performed.

    Of course, if you are using OAuth 1.0, then continue to use it; there is no point in migrating to OAuth 2.0. But if you are developing a new mobile or an Angular web application (and often mobile and web applications come together, sharing the same server), then OAuth 2.0 will be a better choice. It already has some built-in support in the OWIN framework for .NET that can be easily extended to create different clients and use different security settings.

  • J&J warns diabetic patients: Insulin pump vulnerable to hacking

    Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low.

    Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators.

    J&J executives told Reuters they knew of no examples of attempted hacking attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem.

  • Who Makes the IoT Things Under Attack?

    As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware.

    The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.

Security News

Filed under
Linux
Security
  • Security advisories for Wednesday
  • 10 basic linux security measures everyone should be doing

    Akin to locking your doors and closing your windows, there are some really basic things everyone should be doing with their Linux installs (this is of course written from a Fedora viewpoint, but I think this pretty much applies to all computer OSes).

  • Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers

    Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that at scale -- we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.

    Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.

  • EFF Asks Court to Block U.S. From Prosecuting Security Researcher For Detecting and Publishing Computer Vulnerabilities

    The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.

    Green is writing a book about methods of security research to recognize vulnerabilities in computer systems. This important work helps keep everyone safer by finding weaknesses in computer code running devices critical to our lives—electronic devices, cars, medical record systems, credit card processing, and ATM transactions. Green’s aim is to publish research that can be used to build more secure software.

  • Malta unveils Cyber Security Strategy

    The government of Malta has unveiled a National Cyber Security Strategy. The strategy provides the legal context to defend the country’s computer networks infrastructure and its users from threats.

  • Mirai “internet of things” malware from Krebs DDoS attack goes open source

    Last week, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.

    To explain.

    A DDoS attack is an aggressive sort of DoS attack, where DoS is short for denial of service.

    A DoS is a bit like getting into the queue at the station to buy a ticket for the next train, only to have a time-waster squeeze in front of you and slow you down.

    By the time the miscreant has asked, innocently enough, about the different sorts of ticket available, and whether it costs extra to take a bicycle, and how much longer it would take if he were to change trains in Manchester, only to walk off without buying a ticket at all…

    …you’ve watched your train arrive, load up with passengers, and depart without you.

    A DDoS attack is worse: it’s short for distributed denial of service attack, and it’s much the same thing as a DoS, except that the trouble-stirrer doesn’t show up on his own.

  • Linux systems susceptible to crashes from tweet sized command
  • Linux 4.8 Debuts - But Maybe It Shouldn't Have

    The Linux 4.8.0 kernel was officially released on October 2, becoming the fifth kernel release so far in 2016. The Linux 4.7 kernel was released on July 24.

    As opposed to all the other kernel releases this year (and in fact in contrast to all kernel releases since 2.6) Torvalds really wasn't happy about this one, though the source of his displeasure didn't become apparent until after the release.

    "So the last week was really quiet, which maybe means that I could probably just have skipped rc8 after all," Torvalds wrote in his Linux 4.8 release announcement. "Oh well, no real harm done."

    A day later, on October 3, Torvalds admits that he shouldn't have merged a late set of updates from kernel developer Andrew Morton.

Security News

Filed under
Linux
OSS
Security

Study: open source groups take security serious

Filed under
OSS
Security

The IT security practices of some open source communities are exemplary, shows a study for the European Commission and European Parliament. Many communities use experts to ensure software security and to help their developers avoid security flaws. “These communities take security serious”, says Alberto Dominguez Serra, one of the authors working for Everis, an IT consultancy.


Nextcloud 10.0.1 Maintenance Release Improves the Updater, Patches Over 40 Bugs

Filed under
OSS
Security

The Nextcloud developers have recently released the first maintenance update to the Nextcloud 10 series of the open-source and cross-platform self-hosting cloud server forked from ownCloud.

More in Tux Machines

today's leftovers

  • Why You Should Consider Open Sourcing Your Software
    Free & Open source software has grown so rapidly in the last few years. Just compare the situation of being ignored and considered like a nerds-movement in the early 2000’s to the situation today in 2017. We surely made a huge advancement so far. Thanks to the amazing ecosystem of open source which links both communities and enterprises together. However, when it comes to individuals, a lot of people are hesitant when it comes to open-sourcing their software. They think that the “secret” behind it will be stolen. They think that they will be releasing their work “for nothing in return” when they do so. That’s definitely false.
  • Caspia Projects and Thunderbird – Open Source In Absentia
    What does this have to do with Thunderbird? I sat in a room a few weeks ago with 10 guys at Clallam Bay, all who have been in a full-time, intensive software training program for about a year, who are really interested in trying to do real-world projects rather than simply hidden internal projects that are classroom assignments, or personal projects with no public outlet. I start in April spending two days per week with these guys. Then there are another 10 or so guys at WSR in Monroe that started last month, though the situation there is more complex. The situation is similar to other groups of students that might be able to work on Thunderbird or Mozilla projects, with these differences: 1) Student or GSOC projects tend to have a duration of a few months, while the expected commitment time for this group is much longer.
  • Make Dragonfly BSD great again!
    Recently I spent some time reading Dragonfly BSD code. While doing so I spotted a vulnerability in the sysvsem subsystem that lets a user point to any piece of memory and write data through it (including the kernel space). This can be turned into execution of arbitrary code in the kernel context and by exploiting this, we're gonna make Dragonfly BSD great again!

Desktop GNU/Linux

  • [Video] Litebook Alpha Review! | Unboxing, Apps, and Gaming!
  • Beginners Guide To Linux
    Curious about getting into Raspberry Pi or just Linux in general but you're not sure where to start? This post is for you. It's not intended to be a comprehensive guide, rather a gentle intro into the Linux world. I'm not a Linux expert, but I know from experience that it can be an intimidating platform to get started in. I want this post to show you what you need to know to get started with Linux.
  • [Video] 5 Reasons To Switch To Linux
  • System76 Provides Wireless Fixes for Ubiquity
    We are proud to have contributed to Ubiquity in such a way that we feel improves all users’ lives when using Ubuntu. We will continue improving the platform and hope that our users will see value in what we do.
  • GNOME 3.24 Released, See What's New
    After being in development for six months, GNOME 3.24 was released today, bringing improvements such as Night Light, weather information in the date / time indicator, along with updates to its applications, and more.

Late Night Linux, Bad Voltage, and Effective Communication in Podcasting

  • Late Night Linux – Episode 06
    Jesse is back but this time Félim is in his sick bed so it’s a 3 man show yet again. Some heated debates about Nextcloud’s actions, Ubuntu extended support and PowerPC distros, followed by a deep dive into the world of HiDPI 4k support in Linux.
  • Bad Voltage Live at SCaLE 15x
    The Bad Voltage live stage show, from SCaLE 15x in Pasadena, March 2017!
  • Effective Communication in Podcasting
    When I got serious about doing Linux videos on YouTube, I drew on all of that Old Media experience plus I took a few classes to make sure I knew what I was talking about before handing out advice to others. That has led to the EzeeLinux project. The goal of EzeeLinux is to educate folks about Linux and get them started on the right path to success… I have been truly humbled by the response it has gotten. That said, I don’t feel like I’m competing with anyone – the more, the merrier! I honestly feel that Linux and Open Source Software are arguably one of the few truly good things happening in the world today. It brings people from all over the world together and provides a means to get cutting edge technology into the hands of anyone, anywhere who wants to take the time to learn how to use it regardless of their financial situation. That is the kind of power that can quite literally change the world, folks. No one should be left behind in this Information Age. Come to think of it, Ed Murrow would probably do a documentary about Linux if he was still around today… It would be right up his street, I think. It’s the kind of thing he liked to talk about.

Leftovers: Software

  • [Video] Linux Audio Programs Compared 2017
    I made this video for those that are new to, or just interested in making music on the Linux OS. I go over the features, goods and bads of Rosegarden, LMMS, Ardour, Mixbus, and EnergyXT, as well as touch on Qtractor. I don't go much into details of the particular versions I am using, but the video was made in the early part of 2017 and I'm running Ubuntu 16.04LTS.
  • Green Recorder: A Simple Desktop/Screen Recorder for Linux
    Green Recorder is a simple, open source desktop recorder developed for Linux systems built using Python, GTK and FFmpeg. It supports most of the Linux desktop environments such as Unity, Gnome, Cinnamon, Mate, Xfce and so on. Recently it has been updated to work with Wayland too in Gnome session.
  • Komorebi: A New Way To Enhance Your Desktop Using Animated/Parallax Wallpapers
    In the past there were applications that allowed us to run videos/GIFs as wallpaper on the desktop and make the desktop look much cooler, but then all of a sudden the development of such apps stopped and I can't name any app that exists for this purpose. Komorebi is a fairly new application designed to make your desktop experience much better and make the desktop cool as well; we can say it is kind of a 'live wallpaper' situation here, or 3D wallpaper. It is developed by Abe Masri and available under the GPL license for free.
  • Stacer System Optimizer: A Must Have Application For Ubuntu/Linux Mint
    There are multiple ways to optimize your Linux; the most geeky way is using the Terminal, and there are also applications available that perform such actions, like Bleachbit, Ubuntu Cleaner and so on. Stacer is a simple, open-source, quick and new application designed to offer you an all-in-one optimizer for your Ubuntu/Linux Mint (it's an alternative to CCleaner, but only for Linux).
  • Qtox: Open Source and Fully Secure Skype Replacement for Linux
    Years ago, we talked about a Skype alternative called Tox which was still in its early developmental stages. Tox was supposed to become the antithesis of Skype by being a fully open-source video and voice chat client that placed user privacy and security at its center. Well, guess what, there are now fully active and well-maintained chat clients that are built on top of the Tox protocol. qTox is one of them.
  • Rclone 1.36 Released With SFTP And Local Symlinks Support, More
    Rclone 1.36 was released recently, bringing support for SFTP, local symbolic links support, mount improvements, along with many other new features and bug fixes. For those not familiar with Rclone, this is a cross-platform command line tool for synchronizing files and folders to multiple cloud storages, which supports Dropbox, Google Drive, Amazon S3, Amazon Drive, Microsoft One Drive, Yandex Disk, and more. It can be used to sync files either from your machine or from one cloud storage to another.
  • Streamlink Twitch GUI 1.2.0 Adds Support For Communities And Team Pages, Basic Hotkeys
    Streamlink Twitch GUI (previously Livestreamer Twitch GUI) is a multi-platform Twitch.tv browser. The application is powered by Node.js, Chromium and Streamlink, though it can still use Livestreamer (which is no longer maintained) too.
  • Code Editor `Brackets` 1.9 Released, Available In PPA
    Brackets is a free, open source code editor focused on front-end web development (HTML, CSS and JavaScript).
  • Terminix Terminal Emulator Renamed To Tilix, Sees New Bugfix Release
    [Quick update] Terminix, a GTK3 tiling terminal emulator, has been renamed to Tilix due to some trademark issues.