Security

Security News

Filed under
Security
  • Azure bug bounty Pwning Red Hat Enterprise Linux

    Acquired administrator level access to all of the Microsoft Azure managed Red Hat Update Infrastructure that supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.

  • pledge(2) … or, how I learned to love web application sandboxing

    I use application-level sandboxing a lot because I make mistakes a lot; and when writing web applications, the price of making mistakes is very dear. In the early 2000s, that meant using systrace(4) on OpenBSD and NetBSD. Then it was seccomp(2) (followed by libseccomp(3)) on Linux. Then there was capsicum(4) on FreeBSD and sandbox_init(3) on Mac OS X.

  • [Older] Why is Apache Vulnerable by Default?

    Apache is the most popular web server on Earth, with a market share of 46.4% — well above Nginx (21.8%) and Microsoft IIS (9.8%). Thanks to Linux package managers like Yum and APT you can install and get it up and running in minutes. The core installation even features powerful modules for URL rewriting, user authentication, and more.

Security News

Filed under
Security
  • Friday's security updates
  • Linux hardening: a 15-step checklist for a secure Linux server [Ed: paywall]

    Most people assume Linux is secure, and that’s a false assumption. Imagine your laptop is stolen without first being hardened. A thief would probably assume your username is “root” and your password is “toor” since that’s the default password on Kali and most people continue to use it. Do you? I hope not.

  • Homeland Security Issues 'Strategic Principles' For Securing The Internet Of Broken Things

    For much of the last year, we've noted how the rush to connect everything from toasters to refrigerators to the internet -- without adequate (ok, any) security safeguards -- has resulted in a security, privacy and public safety crisis. At first, the fact that everything from Barbies to tea kettles were now hackable was kind of funny. But in the wake of the realization that these hacked devices are contributing to massive new DDoS botnet attacks (on top of just leaking your data or exposing you to hacks) the conversation has quickly turned serious.

    Security researchers have been noting for a while that it's only a matter of time before the internet-of-not-so-smart-things contributes to human fatalities, potentially on a significant scale if necessary infrastructure is attacked. As such, the Department of Homeland Security recently released what they called "strategic principles" for securing the Internet of Things; an apparent attempt to get the conversation started with industry on how best to avoid a dumb device cyber apocalypse.

  • Microsoft gives third-parties access to Windows 10 Telemetry data

    Microsoft struck a deal with security company FireEye recently, according to a report on Australian news magazine Arn, which gives FireEye access to all Windows 10 Telemetry data.

Security News

Filed under
Security
  • Microsoft is reportedly sharing Windows 10 telemetry data with third-parties

    MICROSOFT HAS REPORTEDLY signed a deal with FireEye that will see it share telemetry data from Windows 10 with the third-party security outfit.

    So says Australian website ARN, which reports that Microsoft and FireEye's partnership, which will see the security firm's iSIGHT Intelligence tools baked into Windows Defender, will also see FireEye "gain access to telemetry from every device running Windows 10."

    Microsoft uses telemetry data from Windows 10 to help identify security issues, to fix problems and to help improve the quality of its operating system, which sounds like a good thing. However, with the company previously admitting that its latest OS is harvesting more data than any version before it, Microsoft's mega data-slurp also raised some privacy concerns.

  • Hackers attack European Commission

    The European Commission was the victim of a “large scale” cyberattack Thursday, a spokesperson said.

    “The attack has so far been successfully stopped with no interruption of service, although connection speeds have been affected for a time. No data breach has occurred,” the spokesperson said.

  • 8 Books Security Pros Should Read

    Calling all infosec pros: What are the best books in your security library?

    On second thought, let's take a step back. A better question may be: Do you have a security library at all? If not, why?

    Security professionals have countless blogs, videos, and podcasts to stay updated on rapidly changing news and trends. Books, on the other hand, are valuable resources for diving into a specific area of security to build knowledge and broaden your expertise.

    Because the security industry is so complex, it's impossible to cram everything there is to know in a single tome. Authors generally focus their works on single topics including cryptography, network security modeling, and security assessment.

    Consider one of the reads on this list of recommendations, Threat Modeling: Designing for Security. This book is based on the idea that while all security pros model threats, few have developed expertise in the area.

  • DoD Opens .Mil to Legal Hacking, Within Limits

    Security researchers are often reluctant to report programming flaws or security holes they’ve stumbled upon for fear that the vulnerable organization might instead decide to shoot the messenger and pursue hacking charges.

    But on Nov. 21, the DoD sought to clear up any ambiguity on that front for the military’s substantial online presence, creating both a centralized place to report cybersecurity flaws across the dot-mil space as well as a legal safe harbor (and the prospect of public recognition) for researchers who abide by a few ground rules.

  • Data breach law 'will create corporate awareness'

    The introduction of a data breach law requiring disclosure of consumer data leaks is important because it will make big corporates aware they need to be transparent about their state of security, the head of a big cyber-security firm says.

    Guy Eilon, the country manager of Forcepoint, was commenting on the speech made by Dan Tehan, the minister assisting the prime minister on cyber security, on Wednesday.

  • US Navy breach: 130,000 soldiers at risk after HPE contractor hacked [iophk: "MS, possibly MS sharepoint?"]

    The Navy has acknowledged the breach and said it was made aware of the incident after being notified that a laptop belonging to an employee of Navy contractor Hewlett-Packard Enterprise (HPE) was compromised by hackers.

  • US Navy warns 134,000 sailors of data breach after HPE laptop is compromised

    Sailors whose details have been compromised are being notified by phone, letter, and e-mail, the Navy said. "For those affected by this incident, the Navy is working to provide further details on what happened, and is reviewing credit monitoring service options for affected sailors."

  • Personal data for more than 130,000 sailors stolen, admits US Navy

    A spokesman for Hewlett Packard Enterprise Services said: “This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”

  • Riseup’s Canary Has Died

    Popular provider of web tools for activists and anarchists and backbone of much infrastructure for internet freedom, Riseup.net has almost certainly been issued a gag order by the US government.

Security News

Filed under
Security
  • The FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant

    In January, Motherboard reported on the FBI's “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually an order of magnitude larger.

    In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case.

  • curl security audit

    I asked for, and we were granted, a security audit of curl from the Mozilla Secure Open Source program a while ago. This was done by Mozilla getting a 3rd party company involved to do the job and footing the bill for it. The auditing company is called Cure53.

  • Personal data for more than 130,000 sailors was breached, Navy says

    The Navy was notified in October by Hewlett Packard Enterprise Services that a computer supporting a Navy contract was “compromised,” and that the names and social security numbers of 134,386 current and former sailors were accessed by unknown persons, the service said in a news release.

  • Your headphones could be spying on you

    JUST WHEN you thought you couldn’t possibly be carrying any more tracking devices, it looks like you can add another one to the mix.

    A team of researchers in Israel have discovered that with a little hardware hackery, your headphones can be used to listen in on you when plugged into your computer.

    It’s been known for a long time that if you plug a microphone into a speaker jack, it can sometimes make a tinny speaker (if you blast the volume). But what about the other way around?

    Ben Gurion University researchers have discovered that with a simple malware program which they've christened SPEAKE(a)R, Realtek codecs, which provide the built in sound on most motherboards, can be reassigned to turn the headphone jack into a microphone.

  • How to create heat maps to show who’s trying to connect your router

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Malware Found on New Windows Computers (Not What You Think)

    It appears that the office supply giant, Office Depot, isn’t averse to tarnishing its reputation if there’s a buck or two to be made in the process.

    KIRO TV in Seattle reported on November 15 that it had taken brand new out-of-the-box computers that had never been connected to the Internet to Office Depot stores, both in Washington state and Portland, Oregon, and told the repair desk staff that “it’s running a little slow.” In four out of six cases they were told the computer was infected with viruses and would require an up to $180 fix.

    After declining the “fix,” they took the “virus laden” machines to a Seattle security outfit, IOActive, which reexamined the machines. “We found no symptoms of malware when we operated them,” an employee with the firm, Will Longman, said. “Nor did we find any actual malware.”

    In the two cases where undercover reporters weren’t told that their computers showed evidence of an infection, they were advised to install antivirus software. In one of the two stores, a technician evidently noticed that the machine was new and told the reporter to “ignore the test results.”

  • FBI Hacked into 8,000 Computers in 120 Countries Using A Single Warrant

    The FBI hacked into more than 8,000 computers in 120 different countries with just a single warrant during an investigation into a dark web child pornography website, according to newly published court filings.

    The FBI's mass hacking campaign is related to the high-profile child pornography Playpen case and represents the largest law enforcement hacking campaign known to date.

    The warrant was initially issued in February 2015 when the FBI seized the Playpen site and set up a sting operation on the dark web site, in which the agency deployed malware to obtain IP addresses from the site's alleged visitors.

  • How Unikernels Can Better Defend against DDoS Attacks

    On the episode of The New Stack Makers podcast, Dell EMC CTO Idit Levine, an EMC chief technology officer at the cloud management division and office of the CTO, discussed how unikernels are poised to offer all of the developer flexibility afforded to containers, while striving for better security and integrations with many of today’s top container platforms. She spoke with SolarWinds Cloud Technology Lead Lee Calcote at KubeCon 2016:

  • Exploit Code Bypasses Linux Security Features Leaving Systems Vulnerable
  • Researcher writes codeless exploit that bypasses Linux security measures

    If you’re a Linux administrator, then you’re likely aware that even being fully up to date on all of the patches for your Linux distribution of choice is no guarantee that you’re free from vulnerabilities. Linux is made up of numerous components, any of which can open up an installation to one exploit or another.

Tor phone (Android)

Filed under
Android
Security
  • Tor phone is antidote to Google “hostility” over Android, says developer

    The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone—an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google.

    The new phone, designed by Tor developer Mike Perry, is based on Copperhead OS, the hardened Android distribution profiled first by Ars earlier this year.

  • Tor-Enabled Phone Offers Various Layers Of Security

    We’ve seen all sorts of Android smartphones released over the years, from the ones that ship with Google’s stock Android or a third-party skin, to the ones that sport two displays, are curved or have heavy security features. There are tons of different smartphones available out there, and a number of different OS’ available for those smartphones, and that’s the true beauty of Android. Now, some of you have probably heard of a Tor-enabled smartphone by Tor Project. This smartphone put a huge emphasis on security and privacy, and those of you who are very concerned about such issues should be interested, though do keep in mind that the Tor-enabled smartphone actually references software that can be installed on a smartphone, not the actual hardware smartphone that will be available for sale, just to make that clear.

Elegant 0-day unicorn underscores “serious concerns” about Linux security

Filed under
Linux
Security
  • Elegant 0-day unicorn underscores “serious concerns” about Linux security [Ed: Molehill becomes mountain in the hands of Dan Goodin]

    Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

Security Leftovers

Filed under
Security
  • Beware: ScanGuard Scam

    My wife called this to my attention; a web site called "smartwebuser.org" (I refuse to post a link) that warned "If you live in Canada and have a Linux computer which is over 6 months old, then we advise you to keep reading." What followed was a puff piece for something called ScanGuard. It sounded suspiciously to me like all those "cleanup" apps that are advertised in email and occasionally on TV, that promise to protect your PC from viruses and malware, and make it run a zillion times faster. It sounded like a scam to me.

  • The Urgency of Protecting Your Online Data With Let's Encrypt

    We understand that online security is a necessity, so why is only 48.5% of online traffic encrypted? Josh Aas, co-founder of Let's Encrypt, gives us a simple answer: it's too difficult. So what do we do about it? Aas has answers for that as well in his LinuxCon North America presentation.

    Aas explains how the Achilles heel of managing Web encryption is not encryption itself, but authentication, which requires trusted third parties, and secure mechanisms for managing the trust chain. He says, "The encryption part is relatively easy. It's a software stack...it comes on most operating systems by default. It just needs to be configured. Most Web servers tie into it directly and take care of things for you. Your biggest challenge is protecting your private key. The authentication part is a bit of a nightmare, and it has been for a while, so if you want to authenticate, the way this works on the web is you need to get a certificate from a certificate authority, and it's complicated, even for really smart people like my friend Colin here at Cisco."

  • Is encrypted e-mail a must in the Trump presidential era?

    With Donald Trump poised to take over the U.S. presidency, does it make sense for all of us to move to encrypted e-mail if we want to preserve our privacy? Encrypted e-mail provider ProtonMail says yes, indeed.

  • New IoT botnet behind fake Instagram, Twitter and YouTube profiles

    Hackers have created thousands of fake accounts on popular social media platforms like Instagram, Twitter, YouTube and Periscope, via an IoT botnet, using the Linux/Moose malware. Security researchers claim that fake social media accounts are created by hackers to randomly follow people and browse content, in efforts to make the bots seem more "human" and avoid spam filters.

    According to security researchers, the Linux/Moose botnet is a "new generation" IoT botnet that operates on embedded systems such as routers, rather than computers. This makes the bot much more difficult to detect. The botnet can function on even limited computational power and specialises in "social media fraud".

  • Great. Now Even Your Headphones Can Spy on You

    Cautious computer users put a piece of tape over their webcam. Truly paranoid ones worry about their devices’ microphones, some even crack open their computers and phones to disable or remove those audio components so they can’t be hijacked by hackers. Now one group of Israeli researchers has taken that game of spy-versus-spy paranoia a step further, with malware that converts your headphones into makeshift microphones that can slyly record your conversations.

  • Watch out: ɢoogle.com isn’t the same as Google.com

    If you don’t watch where you’re going on the internet, you might be headed down a dark alley before you know it.

    Like a lot of big websites, we use Google Analytics to keep track of traffic on TNW. A few weeks ago, however, we spotted something that looked a bit out of the ordinary.

KDE Plasma 5.8.4 LTS Desktop Environment Released for Linux with More Bug Fixes

Filed under
KDE
Security

Today, November 22, 2016, KDE announced the release of the fourth maintenance update to the long-term supported KDE Plasma 5.8 desktop environment for Linux-based operating systems.


Security News

Filed under
Security
  • Security advisories for Monday
  • Fast security is the best security

    DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus for those of you who have never had the joy of witnessing the heart stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in a net. The really exciting and scary trapeze acts have no net. If these folks fall, that's pretty much it for them. Someone pointed out to me that the current DevOps security is a bit like taking away the net.

  • Detecting fraudulent signups?

    I run a couple of different sites that allow users to sign-up and use various services. In each of these sites I have some minimal rules in place to detect bad signups, but these are a little ad hoc, because the nature of "badness" varies on a per-site basis.

  • Reproducible Builds: week 82 in Stretch cycle

    What happened in the Reproducible Builds effort between Sunday November 13 and Saturday November 19 2016...
