Security

Security Leftovers

Filed under
Security
  • Bug Bounty Hunters Can Earn $1.5 Million For A Successful Jailbreak Of iOS 10
  • How To Ensure Trustworthy, Open Source Elections [Ed: This reminds us Microsoft must be kicked out of election process [1, 2]]

    A strong democracy hinges not only on the right to vote but also on trustworthy elections and voting systems. Reports that Russia or others may seek to impact the upcoming U.S. presidential election—most recently, FBI evidence that foreign hackers targeted voter databases in Arizona and Illinois—have brought simmering concerns over the legitimacy of election results to a boil.

  • Source Code for IoT Botnet ‘Mirai’ Released

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

Security News

  • Your next DDoS attack, brought to you courtesy of the IoT

    The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.

    Symantec reports on the rising trend in IoT malware, which attacks systems that "may not include any advanced security features" and are "designed to be plugged in and forgotten" without "any firmware updates" so that "infection of such devices may go unnoticed by the owner."

    The USA and China are the two countries where people own most of these things, so they're also where most of the malicious traffic originates. Symantec ran a honeypot that recorded attempts to login and compromise a system that presented as a vulnerable IoT device, and found that the most common login attempts used the default passwords of "root" and "admin," suggesting that malware authors have discovered that IoT owners rarely change these defaults. Other common logins include "123456," "test" and "oracle."

  • Meet Linux.Mirai Trojan, a DDoS nightmare
  • Linux.Mirai Trojan Carries Out DDoS Attacks
  • Fears of a hacked election may keep 1 out of every 5 voters home, says report

    Recent hacks of the Democratic National Committee, the Democratic Congressional Campaign Committee and election databases have increased fears that cybercriminals will try to interfere with the upcoming U.S. presidential election.

    Concerns leading up to election day on November 8 could have a real impact on voter turnout, according to a study from cybersecurity firm Carbon Black. More than one in five registered U.S. voters may stay home on election day because of fears about cybersecurity and vote tampering, the study — an online survey of 700 registered voters aged 18-54 — found.

  • Hostile Web Sites

    I was asked whether it would be safe to open a link in a spam message with wget. So here are some thoughts about wget security and web browser security in general.

  • You can crash Linux Systemd with a single Tweet

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with a single command line. “After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons.

  • How to reignite a flamewar in one tweet (and I still don’t get it)
  • Multiple Linux Distributions Affected By Crippling Bug In Systemd

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.

Security Leftovers

  • Let's Encrypt Wants to Help Improve the CA Model

    Let's Encrypt, a non-profit effort that brings free SSL/TLS certificates to the web, was first announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. To date, it has provided more than 5 million free certificates.

    While having an SSL/TLS certificate to encrypt traffic is an important element of web security, it's not the only one, said Josh Aas, executive director of the Internet Security Research Group and leader of Let's Encrypt.

    "There is a lot in the total picture of what makes a website secure, and we can do a lot to help a certain part of it," he said in a video interview.

  • How to Throw a Tantrum in One Blog Post

    The systemd team has recently patched a local denial of service vulnerability affecting the notification socket, which is designed to be used for daemons to report their lifecycle and health information. Some people have used this as an opportunity to throw a fresh tantrum about systemd.

Security News

  • Report: Linux security must be upgraded to protect future tech

    The summit was used to expose a number of flaws in Linux's design that make it increasingly unsuitable to power modern devices. Linux is the operating system that runs most of the modern world. It is behind everything from web servers and supercomputers to mobile phones. Increasingly, it's also being used to run connected Internet of Things (IoT) devices, including products like cars and intelligent robots.

  • security things in Linux v4.6

    Hector Marco-Gisbert removed a long-standing limitation to mmap ASLR on 32-bit x86, where setting an unlimited stack (e.g. “ulimit -s unlimited”) would turn off mmap ASLR (which provided a way to bypass ASLR when executing setuid processes). Given that ASLR entropy can now be controlled directly (see the v4.5 post), and that the cases where this created an actual problem are very rare, means that if a system sees collisions between unlimited stack and mmap ASLR, they can just adjust the 32-bit ASLR entropy instead.

Security Leftovers

  • Friday's security advisories
  • ICANN grinds forward on crucial DNS root zone signing key update

    The Internet Corporation for Assigned Names and Numbers is moving -- carefully -- to upgrade the DNS root zone key by which all domains can be authenticated under the DNS Security Extensions protocol.

    ICANN is the organization responsible for managing the Domain Name System, and DNS Security Extensions (DNSSEC) authenticates DNS responses, preventing man-in-the-middle attacks in which the attacker hijacks legitimate domain resolution requests and replaces them with fraudulent domain addresses.

    DNSSEC still relies on the original DNS root zone key generated in 2010. That 1024-bit RSA key is scheduled to be replaced with a 2048-bit RSA key next October. Although experts are split over the effectiveness of DNSSEC, the update of the current root zone key signing key (KSK) is long overdue.

  • Cybersecurity isn't an IT problem, it's a business problem

    The emergence of the CISO is a relatively recent phenomenon at many companies. Their success often relies upon educating the business from the ground up. In the process, companies become a lot better about how to handle security and certainly learn how not to handle it.

    As a CIO, knowing the pulse of security is critical. I oversee a monthly technology steering committee that all the executives attend. The CISO reports during this meeting on the state of the security program. He also does an excellent job of putting risk metrics out there, color coded by red, yellow, and green. This kind of color grading allows us to focus attention on where we are and what we’re doing about it.

Security News

  • Don't Trust Consumer Routers

    Another example of why you shouldn’t trust consumer routers. d-link

    It isn’t just this specific d-link router. We’ve seen the same issues over and over and over with pretty much every non-enterprise vendor.

    Plus we don’t want our devices used by crackers to DDoS Brian Krebs anymore, right?

    We are Linux people. We CAN do this ourselves.

  • D-Link DWR-932 router is chock-full of security holes

    Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

  • The Cost of Cyberattacks Is Less than You Might Think

    What's being left out of these costs are the externalities. Yes, the costs to a company of a cyberattack are low to them, but there are often substantial additional costs borne by other people. The way to look at this is not to conclude that cybersecurity isn't really a problem, but instead that there is a significant market failure that governments need to address.

  • NHS trusts are still using unsupported Windows XP PCs

    AT LEAST 42 National Health Service (NHS) trusts in the UK still run Microsoft's now-defunct Windows XP operating system.

    Motherboard filed Freedom of Information requests with more than 70 NHS hospital trusts asking how many Windows XP machines they use. 48 replied within the allotted time, and a whopping 42 of them admitted that they still use the operating system that reached end-of-life status in April 2014.

    Some of the culprits include East Sussex Healthcare, which has 413 Windows XP machines, Sheffield's Children's hospital with 1,290, and Guy's and St Thomas' NHS Trust in London with an insane 10,800 Windows XP-powered PCs.

    23 replied to Motherboard's quizzing about whether they have an extended support agreement in place and, unsurprisingly, the majority said that they do not.

Security Leftovers

  • Linux.Mirai Trojan causing mayhem with DDoS attacks

    A Trojan named Linux.Mirai has been found to be carrying out DDoS attacks.

    The malicious program first appeared in May 2016, detected by Doctor Web after being added to its virus database under the name Linux.DDoS.87. The Trojan can work with the SPARC, ARM, MIPS, SH-4, M68K architectures and Intel x86 computers.

  • Don't Hide DRM in a Security Update

    Over 10,000 of you have joined EFF in calling on HP to make amends for its self-destructing printers in the past few days. Looks like we got the company’s attention: today, HP posted a response on its blog. Apparently recognizing that its customers are more likely to see an update that limits interoperability as a bug than as a feature, HP says that it will issue an optional firmware update rolling back the changes that it had made. We’re very glad to see HP making this step.

    But a number of questions remain.

    First, we’d like to know what HP’s plans are for informing users about the optional firmware update. Right now, the vast majority of people who use the affected printers likely do not know why their printers lost functionality, nor do they know that it’s possible to restore it. All of those customers should be able to use their printers free of artificial restrictions, not just the relatively few who have been closely following this story.

  • 6 Ways Driverless Cars Are Going To Kill Lots Of People

    You've probably read a few articles about driverless cars over the past couple of years. The technology is coming along quickly, with fleets of test cars already on the roads in some states. It seems like soon we'll achieve the American dream of stuffing our faces and texting all we want while still managing to avoid public transportation.

    But the reality is quite different. We're diving into this technology a little too quickly and ignoring all the warning signs about how we are going to screw up on the way to Driverless Car Utopia.

Security: Nmap 7.30 is Out

Filed under
OSS
Security
  • Nmap 7.30

    Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X.

  • Nmap 7.30 Released As Stable With Many Additions
  • Nmap 7.30 Security Scanner Adds 12 New IPv6 OS Fingerprints, 7 NSE Scripts

    Today, September 29, 2016, the Nmap developers proudly announced the release of Nmap 7.30, the latest stable version of the free, open source and cross-platform security scanner and network mapper software.

    As expected, Nmap 7.30 is a major release that adds numerous new features and improvements, among which we can mention twelve new IPv6 OS fingerprints and seven NSE (Nmap Scripting Engine) scripts that have been submitted by various developers. There are now a total of 541 NSE scripts included in Nmap.

Security News

  • Security updates for Thursday
  • How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet

    Last week, hackers forced a well-known security journalist to take down his site after hitting him for more than two days with an unprecedented flood of traffic.

    That cyberattack was powered by something the internet had never seen before: an army made of more than one million hacked Internet of Things devices.

    The hackers, whose identity is still unknown at this point, used not one, but two networks—commonly referred to as “botnets” in hacking lingo—made of around 980,000 and 500,000 hacked devices, mostly internet-connected cameras, according to Level 3 Communications, one of the world’s largest internet backbone providers. The attackers used all those cameras and other unsecured online devices to connect to the journalist’s website, pummeling the site with requests in an attempt to make it collapse.

  • NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP

    Hospitals across England are running thousands of out-of-date Windows XP machines, potentially putting patient data and other sensitive information at risk.

    Motherboard has found that at least 42 National Health Service (NHS) trusts in England are still using the Windows XP operating system, with many of them confirming that they no longer receive security updates for the software. Legal experts say that the NHS hospitals may be in breach of data protection regulations.

    “If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their obligations,” Jon Baines, Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO), wrote in an email.

    In April 2014, Microsoft officially ended support for Windows XP, meaning that the company would no longer release security patches for the aging operating system. Any vulnerabilities discovered after that date would therefore be left for hackers to exploit. Governments and businesses could pay Microsoft for a custom extended support deal; the Crown Commercial Service, which is sponsored by the Cabinet Office, spent £5.5 million ($9 million) to continue receiving updates for the public sector, including for the NHS. That agreement ended in April 2015 and was not renewed.

Security News

  • security things in Linux v4.5
  • Time to Kill Security Questions—or Answer Them With Lies

    The notion of using robust, random passwords has become all but mainstream—by now anyone with an inkling of security sense knows that “password1” and “1234567” aren’t doing them any favors. But even as password security improves, there’s something even more problematic that underlies them: security questions.

    Last week Yahoo revealed that it had been massively hacked, with at least 500 million of its users’ data compromised by state sponsored intruders. And included in the company’s list of breached data weren’t just the usual hashed passwords and email addresses, but the security questions and answers that victims had chosen as a backup means of resetting their passwords—supposedly secret information like your favorite place to vacation or the street you grew up on. Yahoo’s data debacle highlights how those innocuous-seeming questions remain a weak link in our online authentication systems. Ask the security community about security questions, and they’ll tell you that they should be abolished—and that until they are, you should never answer them honestly.

    From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet’s name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.

  • LibreSSL and the latest OpenSSL security advisory

    Just a quick note that LibreSSL is not impacted by either of the issues mentioned in the latest OpenSSL security advisory - both of the issues exist in code that was added to OpenSSL in the last release, which is not present in LibreSSL.

  • Record-breaking DDoS reportedly delivered by >145k hacked cameras

    Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. Now, there's word of a similar attack on a French Web host that peaked at a staggering 1.1 terabits per second, more than 60 percent bigger.

    The attacks were first reported on September 19 by Octave Klaba, the founder and CTO of OVH. The first one reached 1.1 Tbps while a follow-on was 901 Gbps. Then, last Friday, he reported more attacks that were in the same almost incomprehensible range. He said the distributed denial-of-service (DDoS) attacks were delivered through a collection of hacked Internet-connected cameras and digital video recorders. With each one having the ability to bombard targets with 1 Mbps to 30 Mbps, he estimated the botnet had a capacity of 1.5 Tbps.

    On Monday, Klaba reported that more than 6,800 new cameras had joined the botnet and said further that over the previous 48 hours the hosting service was subjected to dozens of attacks, some ranging from 100 Gbps to 800 Gbps. On Wednesday, he said more than 15,000 new devices had participated in attacks over the past 48 hours.
