Language Selection

English French German Italian Portuguese Spanish

Security

Changes in Tor

Filed under
OSS
Security

Security News

Filed under
Security
  • David A. Wheeler: Working to Prevent the Next Heartbleed

    The Heartbleed bug revealed that some important open source projects were so understaffed that they were unable to properly implement best security practices. The Linux Foundation’s Core Infrastructure Initiative , formed to help open source projects have the ability to adopt these practices, uses a lot of carrot and very little stick.

  • The First iPhone Hacker Shows How Easy It Is To Hack A Computer

    Viceland is known for its extensive security-focused coverage and videos. In the latest CYBERWAR series, it’s showing us different kinds of cyber threats present in the world around us. From the same series, recently, we covered the story of an ex-NSA spy that showed us how to hack a car.

    In another spooky addition to the series, we got to see how easily the famous iPhone hacker George Hotz hacked a computer.

    George Hotz, also known as geohot, is the American hacker known for unlocking the iPhone. He developed bootrom exploit and limera1n jailbreak tool for Apple’s iOS operating system. Recently, he even built his own self-driving car in his garage.

  • Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices

    Cyber criminals always develop malware filled with unbelievable features but hardly ever you will find something that targets different operating systems simultaneously. Now, researchers have discovered a malware based on Java infecting companies in Denmark but it’s only a matter of time before it will probably hit other countries.

  • 7 Computers Fighting Against Each Other To Become “The Perfect Hacker”

    Are automated “computer hackers” better than human hackers? DARPA is answering this question in positive and looking to prove its point with the help of its Cyber Grand Challenge. The contest finale will feature seven powerful computer fighting against each other. The winner of the contest will challenge human hackers at the annual DEF CON hacking conference.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Download This Security Fix Now — All Versions Of Windows Operating System Hackable

    As a part of its monthly update cycle, Microsoft has released security patches for all versions of Windows operating system. This update addresses a critical flaw that lets an attacker launch man-in-the-middle attacks on workstations. This security vulnerability arises as the print spooler service allows a user to install untrusted drivers with elevated privileges.

  • The Truth About Penetration Testing Vs. Vulnerability Assessments

    Vulnerability assessments are often confused with penetration tests. In fact, the two terms are often used interchangeably, but they are worlds apart. To strengthen an organization’s cyber risk posture, it is essential to not only test for vulnerabilities, but also assess whether vulnerabilities are actually exploitable and what risks they represent. To increase an organization’s resilience against cyber-attacks, it is essential to understand the inter-relationships between vulnerability assessment, penetration test, and a cyber risk analysis.

Untangle Announces NG Firewall Version 12.1

Filed under
GNU
Linux
Security

Untangle® Inc., a security software and appliance company, announced the release of version 12.1 of its award-winning NG Firewall software. Untangle NG Firewall version 12.1 brings new features and functionality to the popular and powerful small business firewall platform.

NG Firewall delivers a comprehensive solution for small-to-medium businesses, schools, governmental organizations and nonprofits that require enterprise-grade perimeter security with the flexibility of a convergent Unified Threat Management (UTM) device. Untangle’s industry-leading approach to network traffic visibility and policy management gives its customers deep insight into what’s happening on their network via its database-driven reporting engine and 360° dashboard.

“Version 12.1 is the next step in the evolution of the Untangle NG Firewall user interface,” said Dirk Morris, founder and chief product officer at Untangle. “Building on the base provided by the last two major releases, version 12.1 provides a fully responsive mobile management console as well as faster performing, more flexible reporting and dashboard widget capabilities.”

Read more

Security Leftovers

Filed under
Security
  • Posing as ransomware, Windows malware just deletes victim’s files

    There has been a lot of ingenuity poured into creating crypto-ransomware, the money-making malware that has become the scourge of hospitals, businesses, and home users over the past year. But none of that ingenuity applies to Ranscam, a new ransom malware reported by Cisco's Talos Security Intelligence and Research Group.

    Ranscam is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for "encrypted" files that were actually just plain deleted by a batch command. "Once it executes, it, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."

    Talos discovered the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address. The victim is instructed:

    "You must pay 0.2 Bitcoins to unlock your computer. Your files have been moved to a hidden partition and crypted. Essential programs in your computer have been locked and your computer will not function properly. Once your Bitcoin payment is received your computer and files will be returned to normal instantly."

  • Webpages, Word files, print servers menacing Windows PCs, and disk encryption bypasses – yup, it's Patch Tuesday

    Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player.

    Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.

  • Ad blocking: yes, its war now

    idnes.cz: they put moving advertisment on that their web, making browsers unusable -- they eat 100% CPU and pages lag when scrolling. They put video ads inside text that appear when you scroll. They have video ads including audio... (Advertisment for olympic games is particulary nasty, Core Duo, it also raises power consumption by like 30W). Then they are surpised of adblock and complain with popup when they detect one. I guess I am either looking for better news source, or for the next step in adblock war...

IPFire 2.19 Update 103 Adds Web Proxy Improvements, Latest Tor for Anonymity

Filed under
Linux
Security

The IPFire 2.19 Core Update 103 Linux kernel-based firewall distribution has been released today, July 12, bringing web proxy improvements and the latest security patches and bug fixes.

Read more

Security News

Filed under
Security
  • New Report Shows Healthy Growth in Open Source Usage, but Security is Not Locked Down
  • Tuesday's security advisories
  • Security staff should talk to end users more

    IT security departments need to improve their relationships with their users by going out and talking to them, Red Hat's security strategist Josh Pressers has advised.

    Pressers warned that in order to stop the spread of 'shadow IT' within the enterprise, security professionals need to make a bigger effort to understand staff in other departments, warning that "we don't listen very well".

    Shadow IT has become an increasing problem for corporate IT managers, as employees use non-approved tools and technologies at work, rather than the systems provided by the in-house team.

  • Every version of Windows hit by "critical" security flaw [Ed: Microsoft Zack (Zack Whittaker, formerly Microsoft UK) on the latest back/bug door in Windows]

    Microsoft has patched a security vulnerability found in every supported version of Windows, which if exploited could allow an attacker to take over a system.

    The software giant said in a bulletin posted Tuesday as part of its monthly release of security fixes that the the "critical" flaw could let an attacker remotely install malware, which can be used to modify or delete data, or create new accounts with full user rights.

    The "critical"-rated flaw affects Windows Vista and later -- including Windows Server 2008 and later.

    Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

Security Leftovers

Filed under
Security
  • CISSP certification: Are multiple choice tests the best way to hire infosec pros?

    Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

    Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.

  • Pokémon Go on iOS gives full access to Google accounts

    Signing into Pokémon Go on iOS with a Google account gives the game full access to that account, according to a systems architect, Adam Reeve.

    The Android version of the game apparently does not have these issues.

    Reeve said that the security situation was not the same for all iOS users.

    Pokémon Go was released last week and has been a huge hit. It is the latest in a series of games from Nintendo but is made by a developer named Niantic, which is part owned by Google.

  • Pokémon Go shouldn’t have full access to your Gmail, Docs and Google account — but it does

    When you use Google to sign into Pokémon Go, as so many of you have already, the popular game for some reason grants itself (for some iOS users, anyway) the highest possible level of access to your Google account, meaning it can read your email, location history… pretty much everything. Why does it need this, and why aren’t users told?

  • Have you given Pokémon Go full access to everything in your Google account?

    Gamers who have downloaded the Pokémon Go augmented reality game were given a scare on Monday, after noticing that the app had apparently been granted “full access” to their Google accounts.

    Taken at face value, the permissions would have represented a major security vulnerability, albeit one that only appeared to affect players who signed up to play the game using their Google account on Apple devices.

  • Pokémon Go Was Never Able To Read Your Email [Updated]

    Here’s even more confirmation that Pokémon Go never had the ability to access your Gmail or Calendar. A product security developer at Slack tested the token provided by Pokémon Go and found that it was never able to get data from services like Gmail or Calendar.

  • HTTPS is not a magic bullet for Web security

    We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

    HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

  • Now it’s easy to see if leaked passwords work on other sites

    Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

  • What serverless computing really means [iophk: "securityless"]

    Arimura even goes as far as to use the controversial “no-ops,” coined by former Netflix cloud architect Adrain Cockcroft. Again, just as there will always be servers, there will always be ops to run them. Again, no-ops and serverless computing take the developer’s point of view: Someone else has to worry about that stuff, but not me while I create software.

  • An open letter to security researchers and practitioners

    Earlier this month, the World Wide Web Consortium's Encrypted Media
    Extensions (EME) spec progressed to Draft Recommendation phase. This is
    a controversial standard for transmitting DRM-encumbered videos, and it
    marks the very first time that the W3C has attempted to standardize a
    DRM system.

    This means that for the first time, W3C standards for browsers will fall
    under laws like the DMCA (and its international equivalents, which the
    US Trade Representative has spread all over the world). These laws allow
    companies to threaten security researchers who disclose vulnerabilities
    in DRM systems, on the grounds that these disclosures make it easier to
    figure out how to bypass the DRM.

    Last summer, the Copyright Office heard from security researchers about
    the effect that DRM has on their work; those filings detail showstopper
    bugs in consumer devices, cars, agricultural equipment, medical
    implants, and voting machines that researchers felt they couldn't
    readily publish about, lest they face punitive lawsuits from the
    companies they embarrassed.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Is Your Antivirus Making Your PC More Hackable? Probably YES!f

    Is your antivirus software protecting you from all kinds of malware and security threats? The answer to this questions is a big NO. While one shouldn’t completely get rid of his/her antivirus solution, one shouldn’t be too carefree having them installed. We also advise our readers to follow the basic security practices to stay safe on the internet.

  • Social Media Accounts Of Twitter And Yahoo CEOs Hacked By OurMine

    Hacking group OurMine has now targetted Jack Dorsey and Marissa Mayer. OurMine recently hacked their Twitter accounts and posted messages on their profile. OurMine has triggered the frequency of its operations in the recent times and targeting multiple high-profile tech CEOs and celebrities.

  • Let's Encrypt torpedoes cost and maintenance issues for Free RTC

    Many people have now heard of the EFF-backed free certificate authority Let's Encrypt. Not only is it free of charge, it has also introduced a fully automated mechanism for certificate renewals, eliminating a tedious chore that has imposed upon busy sysadmins everywhere for many years.

    These two benefits - elimination of cost and elimination of annual maintenance effort - imply that server operators can now deploy certificates for far more services than they would have previously.

  • Voice Commands Hidden In YouTube Videos Can Hack Your Smartphone
  • This is quite a nice tool – magic-wormhole

    This beats doing a scp from system to system, especially if the receiving system is behind a NAT and/or firewall.

  • Entry level AI

    I was listening to the podcast Security Weekly and the topic of using AI For security work came up. This got me thinking about how most people make their way into security and what something like AI might mean for the industry.

    In virtually every industry you start out doing some sort of horrible job nobody else wants to do, but you have to start there because it's the place you start to learn the skills you need for more exciting and interesting work. Nobody wants to go over yesterday's security event log, but somebody does it.

Syndicate content

More in Tux Machines

Red Hat News

  • Improving Storage Performance with Ceph and Flash
    Ceph is a storage system designed to be used at scale, with clusters of Ceph in deployment in excess of 40 petabytes today. At LinuxCon Europe, Allen Samuels, Engineering Fellow at Western Digital, says that Ceph has been proven to scale out reasonably well. Samuels says, “the most important thing that a storage management system does in the clustered world is to give you availability and durability,” and much of the technology in Ceph focuses on controlling the availability and the durability of your data. In his presentation, Samuels talks not just about some of the performance advantages to deploying Ceph on Flash, but he also goes into detail about what they are doing to optimize Ceph in future releases.
  • Ceph and Flash by Allen Samuels, Western Digital
  • Red Hat Opens Up OpenShift Dedicated to Google Cloud Platform
    When businesses and enterprises begin adopting data center platforms that utilize containerization, then and only then can we finally say that the container trend is sweeping the planet. Red Hat’s starter option for containerization platforms is OpenShift Dedicated — a public cloud-based, mostly preconfigured solution, which launched at this time last year on Amazon AWS.
  • Volatility Numbers in View for Red Hat, Inc. (NYSE:RHT)

Leftovers: OSS and Sharing

  • Rhizome is working on an open-source tool to help archive digital content
    "The stability of this kind of easy archiving for document storage, review and revision is a great possibility, but the workflow for journalists is very specific, so the grant will allow us to figure out how it could function." Another feature of Webrecorder that journalists might find appealing, and one of the software's core purposes, is to preserve material that might be deleted or become unavailable in time. However, the tool is currently operated under a Digital Millennium Copyright Act (DMCA) Takedown policy. This means any individual can ask for a record of their web presence or materials to be removed, so Rhizome will be working to "answer the more complicated questions and figure out policies" around privacy and copyright with the latest round of funding.
  • An ode to releasing software
    There is one particular moment in every Free and Open Source Software project: it’s the time when the software is about to get released. The software has been totally frozen of course, QA tests have been made, all the lights are green; the website still needs to be updated with the release notes, perhaps some new content and of course the stable builds have to be uploaded. The release time is always a special one. The very day of the release, there is some excitement and often a bit of stress. The release manager(s), as well as everyone working on the project’s infrastructure are busy making sure everything is ready when the upload of the stable version of the software, binaries and source, has been completed. In many cases, some attention is paid to the main project’s mirror servers so that the downloads are fluid and work (mostly) flawlessly as soon as the release has been pushed and published.
  • Diversity Scholarship Series: My Time at CloudNativeCon 2016
    CloudNativeCon 2016 was a wonderful first conference for me and although the whirlwind of a conference is tiring, I left feeling motivated and inspired. The conference made me feel like I was a part of the community and technology I have been working with daily.
  • WordPress 4.7 Content Management System Provides New Design Options
    WordPress is among the most widely used open-source technologies in the world, powering more than 70 million websites. WordPress 4.7 was released Dec. 6, providing a new milestone update including new features for both users and developers. As is typically the case with new WordPress releases, there is also a new default theme in the 4.7 update. The 2017 theme provides users with a number of interesting attributes including the large feature image as well as the ability to have a video as part of the header image. The Theme Customizer feature enables users to more intuitively adjust various elements of a theme, to fit the needs of websites that use will upgrade to WordPress 4.7. In addition, the new custom CSS (Cascading Style Sheets) feature within a theme preview lets users quickly see how style changes will change the look of a site. As an open-source project, WordPress benefits from participation of independent contributors and for the 4.7 release there were 482 contributors. In this slideshow eWEEK takes a look at some of the highlights of the WordPress 4.7 release.
  • Psychology Professor Releases Free, Open-Source, Preprint Software
    The Center for Open Science, directed by University of Virginia psychology professor Brian Nosek, has launched three new services to more quickly share research data as the center continues its mission to press for openness, integrity and reproducibility of scientific research. Typically, researchers send preprint manuscripts detailing their research findings to peer-reviewed academic journals, such as Nature and Science. The review process can take months or even years before publication – if the research is published at all. By contrast, “preprinting,” or sharing non-peer-reviewed research results online, enables crucial data to get out to the community the moment it is completed. That, said Nosek, is critical.
  • Integral Ad Science Launches Open Source SDK to Drive Mobile Innovation for the Advertising Industry
  • Tullett Prebon Information, Quaternion and Columbia University form open source risk collaboration
  • Tullett Prebon Information And Quaternion Risk Management Partner To Enhance Transparency And Standardisation In Risk Modelling – Partnership Fuels Columbia University Research To Improve Understanding Of Systemic Risk
  • Integral Ad Science Partners with Google, Others for Open Source Viewability
  • DoomRL creator makes free roguelike open-source to try and counter Zenimax legal threat
  • DoomRL Goes Open-Source in Face of Copyright Claims
    Earlier this week, ZeniMax Medi hit DoomRL, a popular roguelike version of the original first-person shooter, with a cease-and-desist order. This order instructed producer ChaosForge to remove the free downloadable game to prevent further legal action. Instead of taking it down, co-creator Kornel Kisielewicz turned the game open-source.
  • This Indian software company just partnered with the world’s biggest open source community
    In what can be called a major motivation for Indian tech firms, Amrut Software, an end-to-end Software, BPO services and solutions provider has become a GitHub distributor for India region. GitHub hosts world’s biggest open source community along with the most popular version control systems, configuration management and collaboration tools for software developers. It has some of the largest installations of repositories in the world.
  • Python 3.6 released with many new improvements and features
    Python,the high-level interpreted programming language is now one of the most preferred programming language by beginners and professional-level developers.So,here Python 3.6 is now available with many changes,improvements and of course the ease of Python was not left in the work list.

Security Leftovers