Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security

Security News

Filed under
Security
  • Security advisories for Wednesday
  • DevOps and the Art of Secure Application Deployment

    Secure application deployment principles must extend from the infrastructure layer all the way through the application and include how the application is actually deployed, according to Tim Mackey, Senior Technical Evangelist at Black Duck Software. In his upcoming talk, “Secure Application Development in the Age of Continuous Delivery” at LinuxCon + ContainerCon Europe, Mackey will discuss how DevOps principles are key to reducing the scope of compromise and examine why it’s important to focus efforts on what attackers’ view as vulnerable.

  • Sept 2016 Patch Tuesday: Microsoft released 14 security bulletins, rated 7 as critical

    Microsoft released 14 security bulletins for September, seven of which are rated critical due to remote code execution flaws. Microsoft in all its wisdom didn’t regard all RCEs as critical. There’s also an “important rated” patch for a publicly disclosed flaw which Microsoft claims isn’t a zero-day being exploited. But at least a 10-year-old hole is finally being plugged.

    Next month marks a significant change as Microsoft says it intends roll out "servicing changes" that include bundled patches. Unless things change, not all Windows users will be able to pick and choose specific security updates starting in October.

  • Microsoft Patches Zero Day Flaw Used In Two Massive Malvertising Campaigns [Ed: Microsoft, as usual, told the NSA about this months before patching]

    Microsoft was first notified about the so-called information disclosure bug in September 2015, security vendor Proofpoint said in an alert this week. But a patch for it became available only after Trend Micro and Proofpoint reported the bug again to Microsoft more recently when researching a massive malvertising campaign being operated by a group called AdGholas, the alert noted.

MySQL Patching

Filed under
Security
  • MySQL 0-day could lead to total system compromise
  • MySQL Exploit Evidently Patched

    News began circulating yesterday that the popular open source database MySQL contains a publicly disclosed vulnerability that could be used to compromise servers. The flaw was discovered by researcher Dawid Golunski and began getting media attention after he published a partial proof-of-concept of the exploit, which is purposefully incomplete to prevent abuse. He said the exploit affects "all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions." In addition, MariaDB and Percona DB which are derived from MySQL are affected.

Security News

Filed under
Security
  • Tuesday's security updates
  • [Mozilla:] Cybersecurity is a Shared Responsibility

    There have been far too many “incidents” recently that demonstrate the Internet is not as secure as it needs to be. Just in the past few weeks, we’ve seen countless headlines about online security breaches. From the alleged hack of the National Security Agency’s “cyberweapons” to the hack of the Democratic National Committee emails, and even recent iPhone security vulnerabilities, these stories reinforce how crucial it is to focus on security.

    Internet security is like a long chain and each link needs to be tested and re-tested to ensure its strength. When the chain is broken, bad things happen: a website that holds user credentials (e.g., email addresses and passwords) is compromised because of weak security; user credentials are stolen; and, those stolen credentials are then used to attack other websites to gain access to even more valuable information about the user.

    One weak link can break the chain of security and put Internet users at risk. The chain only remains strong if technology companies, governments, and users work together to keep the Internet as safe as it can be.

  • IoT malware exploits DVRs, home cameras via default passwords

    The Internet of Things business model dictates that devices be designed with the minimum viable security to keep the products from blowing up before the company is bought or runs out of money, so we're filling our homes with net-connected devices that have crummy default passwords, and the ability to probe our phones and laptops, and to crawl the whole internet for other vulnerable systems to infect.

    Linux/Mirai is an ELF trojan targeting IoT devices, which Malware Must Die describes as the most successful ELF trojan. It's very difficult to determine whether these minimal-interface devices are infected, but lab tests have discovered the malware in a wide range of gadgets.

  • Someone Is Learning How to Take Down the Internet

    First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

  • Internet's defences being probed: security expert

    A big player, most possibly a nation state, has been testing the security of companies that run vital parts of the Internet's infrastructure, according to well-known security expert Bruce Schneier.

    In an essay written for the Lawfare blog, Schneier, an inventor of the Blowfish, Twofish and Yarrow algorithms, said that the probes which had been observed appeared to be very carefully targeted and seemed to be testing what exactly would be needed to compromise these corporations.

    Schneier said he did not know who was carrying out the probes but, at a first guess, said it was either China or Russia.

    Pointing out that the easiest way to take a network off the Internet was by using a distributed denial of service (DDoS) attack, he said that major firms that provide the basic infrastructure to make the Internet work had recently seen an escalation of such attacks.

  • Hackers smear Olympic athletes with data dump of medical files

    Hackers are trying to tarnish the U.S. Olympic team by releasing documents they claim show athletes including gymnast Simone Biles and tennis players Venus and Serena Williams used illegal substances during the Rio Games.

    The medical files, allegedly from the World Anti-Doping Agency, were posted Tuesday on a site bearing the name of the hacking group Fancy Bears. “Today we'd like to tell you about the U.S. Olympic team and their dirty methods to win,” said a message on the hackers' site.

    The World Anti-Doping Agency confirmed it had been hacked and blamed Fancy Bears, a Russian state-sponsored cyber espionage team that is also known as APT 28 -- the very same group that may have recently breached the Democratic National Committee.

Security News

Filed under
Security
  • Securing the Programmer

    I have a favorite saying: "If you are a systems administrator, you have the keys to the kingdom. If you are an open-source programmer, you don't know which or how many kingdoms you have the keys to." We send our programs out into the world to be run by anyone for any purpose. Think about that: by anyone, for any purpose. Your code might be running in a nuclear reactor right now, or on a missile system or on a medical device, and no one told you. This is not conjecture; this is everyday reality. Case in point: the US Army installed gpsd on all armor (tanks, armored personnel carriers and up-armored Humvees) without telling its developers.

    This article focuses on the needs of infrastructure software developers—that is, developers of anything that runs as root, has a security function, keeps the Internet as a whole working or is life-critical. Of course, one never knows where one's software will be run or under what circumstances, so feel free to follow this advice even if all you maintain is a toddler login manager. This article also covers basic security concepts and hygiene: how to think about security needs and how to keep your development system in good shape to reduce the risk of major computing security mishaps.

  • Software-Defined Security Market Worth 6.76 Billion USD by 2021
  • Two critical bugs and more malicious apps make for a bad week for Android
  • Let's Encrypt Aiming to Encrypt the Web

    By default, the web is not secure, enabling data to travel in the clear, but that's a situation that is easily corrected through the use of SSL/TLS. A challenge with implementing Secure Sockets Layer/Transport Layer Security has been the cost to acquire an SSL/TSL certificate from a known Certificate Authority (CA), but that has changed in 2016, thanks to the efforts of Let's Encrypt.

    Let's Encrypt is a non-profit effort that that was was announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. Let's Encrypt exited its beta period in April 2016 and to date has provided more than 5 million free certificates.

Security News

Filed under
Security
  • Security advisories for Monday
  • Linux with a irc trojan.
  • On Experts

    There are a rather large number of people who think they are experts, some think they're experts at everything. Nobody is an expert at everything. People who claim to have done everything should be looked at with great suspicion. Everyone can be an expert at something though.

  • OPM Hacking Report Says Agency Missed One Set Of Attacks, Spent Little On Cybersecurity [Ed: spent on Windows]

    The twice-hacked Office of Personnel Management has had little to offer but promises of "taking security seriously" and free identity theft protection for the thousands of government employees whose personal information was pried loose by hackers.

    Twice-hacked, because there was one breach the OPM did discover, and one it didn't. While it spent time walling off the breach it had detected, another went unnoticed, leaking enough info on government employees that the CIA began worrying about the safety of agents located abroad.

    A new report [PDF] by the Committee on Oversight and Government Reform (which AP refers to but, oddly, does not feel compelled to LINK to, despite it being a completely PUBLIC document) details where the OPM initially went wrong.

  • Hollywood Keeps Insisting Tech Is Easy, Yet Can't Secure Its Own Screeners

    While some will just look at this and mock Hollywood for bad security practices, it does raise more serious questions: if Hollywood can't figure out its own (basic) technology issues, why does it think that the tech industry should solve all its problems for it? If it doesn't even understand the basics, how can it insist that those in Silicon Valley can fix the things that it doesn't understand itself?

    We're already seeing this with the MPAA's ridiculous and misguided freakout over the FCC's plan to have cable companies offer up app versions so that authorized subscribers can access authorized, licensed content. The MPAA and its think tank friends keep falsely insisting that the FCC's recommendation requires the cable companies to ship the actual content to third parties. But the plan has never said that. It only required that third-party devices be able to access the content -- such as by passing through credentials so that the content could flow from the (licensed) cable service to the end user.

    The fact that these guys don't seem to understand the basics of how the technology works comes through not just in the fact that they failed to secure their screener system, but also in the policy proposals that they keep making. It's becoming increasingly difficult to take those policies seriously when they seem to be based on a fundamental ignorance of how technology actually works.

Hands-on: Blue Hydra can expose the all-too-unhidden world of Bluetooth

Filed under
Security

I installed Blue Hydra by "cloning" its Ruby code from its GitHub repository on an older MacBook Air I'd configured with Kali GNU/Linux "Rolling" (64 bit), a security-testing-focused version of Debian, and a SENA UD100 USB Bluetooth adapter. Blue Hydra will work on other Debian-based distributions, and it's even pre-installed as part of the current release of Pentoo (a security-focused live CD version of Gentoo Linux). Pwnie Express has also packaged Blue Hydra for use with its line of sensors (though not with the PwnPhone), and it can be integrated with the company's Pulse security monitoring and auditing service.

Read more

Security News

Filed under
Security
  • How OPNFV Earned Its Security Stripes and Received a CII Best Practices Badge

    Earning the CII badge will have a HUGE impact on OPNFV’s general approach to building security into the development model (something all open source projects should model). Statistics show that around 50 percent of vulnerabilities in a software are “flaws” (usually design fault/defective design, which is hard to fix after software has been released) and 50 percent bugs (implementation fault). Following these best practices will hopefully address both design and implementation faults before they become vulnerabilities.

  • MySQL Hit By "Critical" Remote Code Execution 0-Day

    The latest high-profile open-source software project having a bad security day is MySQL... MySQL 5.5/5.6/5.7 has a nasty zero-day vulnerability.

    Researchers have discovered multiple "severe" MySQL vulnerabilities with the CVE-2016-6662 being marked as critical and does affect the latest MySQL version.

    This 0-day is open for both local and remote attackers and could come via authenticated access to a MySQL database (including web UI administration panels) or via SQL injection attacks. The exploit could allow attackers to execute arbitrary code with root privileges.

  • CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
  • Is Debian the gold standard for Linux security?
  • 10 Best Password Managers For Linux Operating Systems

    With so many online accounts on the internet, it can be tediously difficult to remember all your passwords. Many people write them down or store them in a document, but that’s plain insecure. There are many password managers for Windows and OS X, but here we’ll look at some of the best password managers for Linux.

Security News

Filed under
Security
  • Moving towards a more secure web

    To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

  • UK Politician's Campaign Staff Tweets Out Picture Of Login And Password To Phones During Campaign Phone Jam

    When we talk password security here at Techdirt, those conversations tend to revolve around stories a bit above and beyond the old "people don't use strong enough passwords" trope. While that certainly is the case, we tend to talk more about how major corporations aren't able to learn their lessons about storing customer passwords in plain text, or about how major media outlets are occasionally dumb enough to ask readers to submit their own passwords in an unsecure fashion.

    But for the truly silly, we obviously need to travel away from the world of private corporations and directly into the world of politicians, who often times are tasked with legislating on matters of data security and privacy, but who cannot help but show their own ineptness on the matter themselves. Take Owen Smith, for example. Smith is currently attempting to become the head of the UK's Labour Party, with his campaign working the phones as one would expect. And, because this is the age of social media engagement, one of his campaign staffers tweeted out the following photo of the crew hard at work.

  • WiredTree Warns Linux Server Administrators To Update In Wake Of Critical Off-Path Kernel Vulnerability

    WiredTree, a leading provider of managed server hosting, has warned Linux server administrators to update their servers in response to the discovery of a serious off-path vulnerability in the Linux kernel’s handling of TCP connections.

  • Reproducible Builds: week 72 in Stretch cycle
Syndicate content

More in Tux Machines

Leftovers: OSS

  • Diving into Drupal: Princeton’s Multi-site Migration Success with Open-source
    Princeton University’s web team had a complex and overwhelming digital ecosystem comprised of many different websites, created from pre-built templates and hosted exclusively on internal servers. Fast forward six years: Princeton continues to manage a their multisite and flagship endeavors on the open-source Drupal platform, and have seen some great results since their migration back in 2011. However, this success did not come overnight. Organizational buy-in, multi-site migration and authentication were a few of the many challenges Princeton ran into when making the decision to move to the cloud.
  • GitHub Invites Developers to Contribute to the Open Source Guides
    GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories.
  • Top open source projects
    TechRadar recently posted an article about "The best open source software 2017" where they list a few of their favorite open source software projects. It's really hard for an open source software project to become popular if it has poor usability—so I thought I'd add a few quick comments of my own about each.
  • Dropbox releases open-source Slack bot
    Dropbox is looking to tackle unauthorized access and other security incidents in the workplace with a chatbot. Called Securitybot, it that can automatically grab alerts from security monitoring tools and verify incidents with other employers. The company says that through the use of the chatbot, which is open source, it will no longer be necessary to manually reach out to employees to verify access, every time someone enters a sensitive part of the system. The bot is built primarily for Slack, but it is designed to be transferable to other platforms as well.
  • Dropbox’s tool shows how chatbots could be future of cybersecurity
    Disillusion with chatbots has set in across the tech industry and yet Dropbox’s deep thinkers believe they have spotted the technology’s hidden talent: cybersecurity.

Desktop GNU/Linux

  • Entroware have unleashed the 'Aether' laptop for Linux enthusiasts featuring Intel's 7th generation CPUs
  • New Entroware Aether Laptop Pairs Intel Kaby Lake with Ubuntu
    The new Entroware Aether is the latest Linux powered laptop from British company Entroware, and is powered by the latest Intel Kaby Lake processors.
  • Freedom From Microsoft v1.01
    But we can be Free from Microsoft! As we saw above, there is a powerful – and now popular movement afoot to make alternative software available. The Free Software Foundation, and the GNU Project, both founded by Richard Stallman, provide Free software to users with licenses that guarantee users rights: the rights to view, modify, and distribute the software source code. With GNU-licensed software, such as Linux, the user is in complete control over the software they employ. And as people contribute to modify Free Software source code, and are required to share those modifications again, the aggregate creative acts give rise to the availability of many more, much more useful results. Value is created beyond what anyone thought possible, and our freedom multiplies.
  • Review of the week 2017/08
    This week we had to cancel a couple snapshots, as a regression in grub was detected, that caused issues on chain-loading bootloaders. But thanks to our genius maintainers, the issue could be found, fixed and integrated into Tumbleweed (and this despite being busy with hackweek! A great THANK YOU!). Despite those canceled snapshots, this review will still span 4 revisions: 0216, 0218, 0219 and 0224. And believe me, there have been quite some things coming your way.

Security Leftovers

  • [Older] The Secure Linux OS - Tails
    Some people worry a lot about security issues. Anyone can worry about their personal information, such as credit card numbers, on the Internet. They can also be concerned with someone monitoring their activity on the Internet, such as the websites they visit. To help ease these frustrations about the Internet anyone can use the Internet without having to “look over their shoulder”.
  • Password management made easy as news of CloudFlare leak surfaces
    In the last 24 hours, news broke that a serious Cloudflare bug has been causing sensitive data leaks since September, exposing 5.5 million users across thousands of websites. In addition to login data cached by Google and other search engines, it is possible that some iOS applications have been affected as well. With the scale of this leak, the best course of action is to update every password for every site you have an account for. If there was ever a good time to modernize your password practices, this is it. As consumers and denizens of the Internet, we have a responsibility to be aware of the risks we face and make an attempt to mitigate that risk by taking best-effort precautions. Poor password and authentication hygiene leaves a user open to risks such as credit card fraud and identity theft, just like forgetting to brush your teeth regularly can lead to cavities and gum disease. This leaves us with the question of what good password and authentication hygiene looks like. If we stick with the (admittedly poorly chosen) dentistry analogy, then there are five easily identifiable aspects of good hygiene.
  • Security: You might want to change passwords on sites that use Cloudflare
  • Smoothwall Express
    The award-winning Smoothwall Express open-source firewall—designed specifically to be installed and administered by non-experts—continues its forward development march with a new 3.1 release.

Leftovers: Ubuntu and Derivatives

  • 'Big Bang Theory's' Stuart wears Ubuntu T-shirt
    Am I the only person to notice that comic book shop-owning Stuart (Kevin Sussman) on the "The Big Bang Theory" is wearing an Ubuntu T-shirt on the episode airing Thursday, Feb. 23, 2017? (It's Season 10, Episode 17, if that information helps you.) The T-shirt appearance isn't as overt as Sheldon's mention of the Ubuntu Linux operating system way back in Season 3 (Episode 22, according to one YouTube video title), but it's an unusual return for Ubuntu to the world of "Big Bang."
  • Unity Explained: A Look at Ubuntu’s Default Desktop Environment
    Ubuntu is the most well-known version of Linux around. It’s how millions of people have discovered Linux for the first time, and continues to draw new users into the world of open source operating systems. So the interface Ubuntu uses is one many people are going to see. In this area, Ubuntu is unique. Even as a new user, rarely will you confuse the default Ubuntu desktop for something else. That’s because Ubuntu has its own interface that you can — but probably won’t — find anywhere else. It’s called Unity.
  • A Look at Ubuntu MATE 16.04.2 LTS for Raspberry Pi
    Installing Ubuntu MATE onto my Raspberry Pi 3 was straight forward. You can easily use Etcher to write the image to a microSD card, the partition is automatically resized to fill your microSD card when the pi is powered up for the first time, and then you are sent through a typical guided installer. Installation takes several minutes and finally the system reboots and you arrive at the desktop. A Welcome app provides some good information on Ubuntu MATE, including a section specific for the Raspberry Pi. The Welcome app explains that the while the system is based on Ubuntu MATE and uses Ubuntu armhf base, it is in fact using the same kernel as Raspian. It also turns out that a whole set of Raspian software has been ported over such as raspi-config, rpi.gpio, sonic-pi, python-sent-hat, omxplayer, etc. I got in a very simple couple of tests that showed that GPIO control worked.
  • Zorin OS 12 Business Has Arrived [Ed: Zorin 12.1 has also just been released]
    This new release of Zorin OS Business takes advantage of the new features and enhancements in Zorin OS 12, our biggest release ever. These include an all new desktop environment, a new way to install software, entirely new desktop apps and much more. You can find more information about what’s new in Zorin OS 12 here.