
Security

A Peek At Upcoming Open Source Enhancements In IBM i

Filed under
OSS
Security

It's hard to quantify the value created through open source development of software. Last year, the Linux Foundation released a white paper that found the total value of the development of the Linux operating system amounted to $5 billion. In 2013, IBM itself committed to donating $1 billion in cold hard cash to further development of Linux and other open source projects. When one considers that nearly all of the cutting-edge IT work being done in distributed computing (i.e., the worlds of Hadoop, Spark, Kafka, and NoSQL databases) involves open sharing of source code--mostly through the Apache Software Foundation--then the humongous value that open source brings comes into view.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Secure code before or after sharing? [Ed: FUD season. US moving to FOSS, so parasites pop up]

    The White House wants federal agencies to share more of their custom code with each other, and also to provide more of it to the open source community. That kind of reuse and open source development of software could certainly cut costs and provide more able software in the future, but is this also an opening for more bugs and insecure code?

  • SMTP Strict Transport Security Standard Drafted for Email Security

    Love it or hate it, email remains a must-have tool in the modern Internet, though email isn't always as secure as it should be. When users connect to email servers, those connections have the potential to be intercepted by attackers, so there is a need for standards, like the new SMTP Strict Transport Security (STS) standard, published March 18 as an Internet Engineering Task Force (IETF) draft.

  • Certified Ethical Hacker website caught spreading crypto ransomware
  • Certificate pinning is a useful thing, says Netcraft. So why do hardly any of you use it?

    Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

    Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority into issuing a fraudulent certificate for a site.

    If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

  • Oracle issues emergency Java patch for bug leading to system hijack

    Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.

  • Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection [iophk: The FBI needs to prosecute those that brought Windows into the hospital.]

    A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

  • Judge Won’t Consider EFF’s Arguments in FBI Mass Hacking Case

    Earlier this month, digital rights group the Electronic Frontier Foundation (EFF) filed a strongly worded amicus brief arguing that the warrant used by the FBI for its use of malware to identify visitors of a dark web child pornography site was “unconstitutional,” and qualified as a broad, “general warrant.”

    But on Tuesday, Robert J. Bryan, the district judge overseeing the case rejected the group’s argument, saying it contained allegations of fact not supported in the record, and that it was simply repeating arguments already made by the defense.

    “According to EFF, a self-proclaimed ‘recognized expert’ on the intersection of civil liberties and technology, the law enforcement techniques employed in this case present novel questions of Fourth Amendment law,” Bryan writes in his order. The brief was signed by Mark Rumold, Nate Cardozo, and Andrew Crocker from the EFF, and Venkat Balasubramani, an attorney who is representing the organization.

  • Security education outfit EC-Council dishes out ransomware online

    Senior threat intelligence man Yonathan Klijnsma says the website of the EC-Council, the organisation responsible for the Ethical Hacker certification, is serving the dangerous Angler exploit kit to infect PCs.

    Klijnsma of Dutch firm Fox-IT says the website was serving the world's most highly-capable and dangerous exploit kit hours ago to users of Internet Explorer.

    Checks by this writer appear to show it is still serving the exploit at the time of publication.

  • Weak links in the blockchain: We're neglecting the foundations

    Premature infatuation with blockchain overlooks security weaknesses in the platform that underlies Bitcoin digital currency.
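Pinning commits a site to the SHA-256 hash of a certificate's SubjectPublicKeyInfo rather than to the certificate itself, so the site can renew the certificate without breaking the pin as long as it keeps the key. The Python below is an added example illustrating the Netcraft item above; it is not Netcraft's or The Register's code. It uses only the standard library: a minimal ASN.1/DER walker pulls the SPKI out of an X.509 certificate, the pin is base64(SHA-256(SPKI)), and a served chain is checked against a Public-Key-Pins header using the two acceptance rules from RFC 7469 that a pinning browser applies before it stores anything: at least one pin must match the served chain, and at least one pin must match nothing in it (the backup pin). The certificates it builds are hand-made DER skeletons with filler names and a fake signature, constructed for the demonstration only; the OIDs are the real rsaEncryption and sha256WithRSAEncryption identifiers. The caveat every sysadmin weighing Netcraft's rebuke should know: a pin set deployed without a usable backup key locks visitors out for the whole max-age, and HPKP has since been deprecated and removed by the major browsers largely because of that failure mode.

```python
"""Computing and validating HTTP Public Key Pinning (RFC 7469) pins.

Added example, not Netcraft's or the article's code. Standard library only.
The certificates built here are hand-made DER skeletons (filler names,
fake signature) constructed for the demonstration, not real certificates.
"""
import base64
import hashlib

OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # rsaEncryption
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption


# ---- tiny DER encoder, only what the test certificates need ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*items):
    return tlv(0x30, b"".join(items))


def fake_cert(key_bytes, with_version=True):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Only the SubjectPublicKeyInfo carries meaning; every other field is filler."""
    spki = seq(seq(tlv(0x06, OID_RSA), tlv(0x05, b"")),   # AlgorithmIdentifier
               tlv(0x03, b"\x00" + key_bytes))             # subjectPublicKey BIT STRING
    fields = [tlv(0xA0, tlv(0x02, b"\x02"))] if with_version else []  # [0] version v3
    fields += [
        tlv(0x02, b"\x01"),                                # serialNumber
        seq(tlv(0x06, OID_SHA256_RSA)),                    # signature algorithm
        seq(),                                             # issuer (filler)
        seq(tlv(0x17, b"160101000000Z"), tlv(0x17, b"170101000000Z")),  # validity
        seq(),                                             # subject (filler)
        spki,
    ]
    return seq(seq(*fields), seq(tlv(0x06, OID_SHA256_RSA)), tlv(0x03, b"\x00fake"))


# ---- tiny DER reader ----
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def children(buf, start, end):
    """(tag, whole_tlv_bytes, value_start, value_end) for each element inside a SEQUENCE."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        out.append((tag, buf[pos:vend], vstart, vend))
        pos = vend
    return out


def extract_spki(cert_der):
    """DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, s, e = read_tlv(cert_der, 0)                 # Certificate
    tbs = children(cert_der, s, e)[0]               # tbsCertificate
    fields = children(cert_der, tbs[2], tbs[3])
    # version is OPTIONAL ([0] EXPLICIT): SPKI is the 7th field with it, the 6th without
    return fields[6 if fields[0][0] == 0xA0 else 5][1]


def spki_pin(cert_der):
    """The pin-sha256 value exactly as written in a Public-Key-Pins header."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def parse_pkp_header(value):
    pins, max_age = [], None
    for directive in value.split(";"):
        d = directive.strip()
        if d.startswith('pin-sha256="') and d.endswith('"'):
            pins.append(d[len('pin-sha256="'):-1])
        elif d.startswith("max-age="):
            max_age = int(d[len("max-age="):])
    return pins, max_age


def check_pins(header_value, chain_der):
    """RFC 7469 rules a browser applies before storing a pin set: at least one
    pin matches an SPKI in the served chain (otherwise the header is ignored),
    and at least one pin matches none of them (the backup pin that lets the
    site recover from key loss)."""
    pins, max_age = parse_pkp_header(header_value)
    chain_pins = {spki_pin(c) for c in chain_der}
    matched = [p for p in pins if p in chain_pins]
    backups = [p for p in pins if p not in chain_pins]
    return {"max_age": max_age, "matched": matched, "backup_present": bool(backups),
            "valid": max_age is not None and bool(matched) and bool(backups)}


if __name__ == "__main__":
    leaf, issuer, backup = fake_cert(b"\x01" * 64), fake_cert(b"\x02" * 64), fake_cert(b"\x03" * 64)
    header = 'max-age=5184000; pin-sha256="%s"; pin-sha256="%s"' % (spki_pin(leaf), spki_pin(backup))
    print(check_pins(header, [leaf, issuer]))   # leaf matched, backup present: valid
    header = 'max-age=5184000; pin-sha256="%s"; pin-sha256="%s"' % (spki_pin(leaf), spki_pin(issuer))
    print(check_pins(header, [leaf, issuer]))   # both pins are in the chain, no backup: invalid
```

Against a real certificate the same string comes out of the usual openssl pipeline (`openssl x509 -pubkey -noout`, then `openssl pkey -pubin -outform der`, `openssl dgst -sha256 -binary` and `base64`), which is the quickest way to confirm what a site is actually pinning before it is deployed.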

FreeNAS 9.10 Open-Source Storage Operating System Adds USB 3.0 & Skylake Support

Filed under
Security
BSD

Jordan Hubbard from the FreeNAS project, an open-source initiative to create a powerful, free, secure, and reliable NAS (Network-attached storage) operating system based on BSD technologies, announced the release of FreeNAS 9.10.

FreeNAS 9.10 is the tenth maintenance release in the current stable 9.x series of the project, thus bringing the latest security patches from upstream, support for new devices, as well as several under-the-hood updates. As expected, FreeNAS 9.10 has been rebased on the latest FreeBSD 10.3 RC3 (Release Candidate) release.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Cryptostalker, a Tool to Detect Crypto-Ransomware on Linux

    A while back, we stumbled upon an interesting GitHub repo dubbed randumb, which included an example called Cryptostalker, advertised as a tool to detect crypto-ransomware on Linux.

    Cryptostalker and the original project randumb are the work of Sean Williams, a developer from San Francisco. Williams wanted a tool that monitored the filesystem for newly written files and alerted the system's owner when those files contained random-looking data (the signature of encrypted content) and were being written at high speed.

  • Google slings critical patch at exploited Linux kernel root hole

    Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices.

    The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18.

  • Everything is fine, nothing to see here!

    Today everyone who is REALLY, I mean REALLY REALLY good at security got there through blood, sweat and tears. Nobody taught them what they know; they learned it on their own. Many of us didn't have training when we were learning these things. Regardless of this though, if training is fantastic, why does it seem there is a constant march toward things getting worse instead of better? That tells me we're not teaching the right skills to the right people. The skills of yesterday don't help you today, and especially don't help tomorrow. By its very definition, training can only cover the topics of yesterday.

  • Inside the Starburst-sized box that could save the Internet

    Cybercrime is costing us millions. Hacks drain the average American firm of $15.4 million per year, and, in the resulting panic, companies often spend more than $1.9 million to resolve a single attack. It’s time to face facts: Our defenses aren’t strong enough to keep the hackers out.

  • Utah’s Online Caucus Gives Security Experts Heart Attacks

    On Tuesday, registered Republicans in Utah who want to participate in their state’s caucus will have the option to either head to a polling station and cast a vote in person or log onto a new website and choose their candidate online. To make this happen, the Utah GOP paid more than $80,000 to the London-based company Smartmatic, which manages electronic voting systems and internet voting systems in 25 countries and will run the Utah GOP caucus system.
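The Cryptostalker item above describes a two-part heuristic: decide whether a freshly written file looks like ciphertext, and alert only when such files arrive faster than any legitimate workflow would produce them. The Python below is an added example of that approach; it is not Sean Williams's code, and its thresholds (7.5 bits per byte over the first 4 KiB, five hits in ten seconds) are assumptions chosen for the demonstration rather than Cryptostalker's values. It scores a file's head with Shannon entropy, keeps a sliding window of random-looking writes, and replaces the inotify watch a real tool would use with a polling scan so it runs stand-alone. The files it scans are constructed in a throwaway directory: three plain-text notes plus six files of random bytes standing in for freshly encrypted documents.

```python
"""Heuristic crypto-ransomware detector in the spirit of Cryptostalker.

Added example, not Sean Williams's code. New files are read, their head is
scored with Shannon entropy (close to 8 bits/byte means random-looking,
i.e. probably encrypted), and an alert fires when too many such files
appear inside a short window. The inotify watch a real tool would use is
replaced by a polling scan; thresholds are assumptions for the demo.
"""
import math
import os
import shutil
import tempfile
import time
from collections import Counter, deque

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data score about 7.99
SAMPLE_BYTES = 4096       # only the head of each file is scored
WINDOW_SECONDS = 10.0
BURST_THRESHOLD = 5       # random-looking files per window before alerting


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data):
    return shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD


class BurstDetector:
    """Sliding window over timestamps of random-looking writes."""

    def __init__(self, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.events = deque()

    def record(self, ts, path):
        """Register one suspicious write; True when the window is at or over threshold."""
        self.events.append((ts, path))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()              # drop writes older than the window
        return len(self.events) >= self.threshold


def scan_once(root, seen, detector, now=None):
    """Score every file under root not seen before; return paths that tripped an alert."""
    now = time.time() if now is None else now
    alerts = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if path in seen:
                continue
            seen.add(path)
            try:
                with open(path, "rb") as f:
                    head = f.read(SAMPLE_BYTES)
            except OSError:
                continue                       # vanished or unreadable: skip
            if looks_encrypted(head) and detector.record(now, path):
                alerts.append(path)
    return alerts


def demo():
    """Constructed sample: three text files and a burst of six random-looking files
    (standing in for freshly encrypted documents) in a throwaway directory."""
    root = tempfile.mkdtemp(prefix="cryptostalker-demo-")
    try:
        for i in range(3):
            with open(os.path.join(root, "notes%d.txt" % i), "wb") as f:
                f.write((b"quarterly report draft, revision %d\n" % i) * 100)
        for i in range(6):
            with open(os.path.join(root, "doc%d.locked" % i), "wb") as f:
                f.write(os.urandom(SAMPLE_BYTES))
        # all nine files land at the same instant, so only the random ones count
        return scan_once(root, set(), BurstDetector(), now=100.0)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path in demo():
        print("ALERT: burst of random-looking files, latest:", path)
```

Two limits worth keeping in mind before relying on this in production: compressed or already-encrypted formats (archives, JPEGs, PDFs with compressed streams, password-protected documents) score just as high as ciphertext, so the rate limiter is doing most of the work against false positives; and a ransomware author who has read the heuristic can defeat the entropy test by prefixing each output file with a few kilobytes of low-entropy padding, which is why scoring only the head of the file is a convenience here, not a recommendation.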

Snowden: “I Used Free And Open Source Software Like Debian And TOR. I Didn’t Trust Microsoft”

Filed under
GNU
Linux
Security
Debian

At the Free Software Foundation’s LibrePlanet2016 conference on Saturday, NSA whistleblower Edward Snowden participated in a discussion regarding free software and security. He joined the talk via video conferencing from Russia.

Edward Snowden said that he was able to disclose the secrets of the American government and its mass-surveillance projects using free software. The event was held in an MIT lecture hall, and the statement drew a wide round of applause.

Praising the likes of Debian, Tails, and TOR, he said — “What happened in 2013 couldn’t have happened without free software.”

Also: OS X and Linux rise in developer market to threaten Windows

Antivirus Live CD 17.0-0.99.1 Uses ClamAV 0.99.1 to Clean Your PCs of Viruses

Filed under
Linux
Security

4MLinux developer Zbigniew Konojacki today informed Softpedia that a new build of his Antivirus Live CD, based on the latest 4MLinux release and ClamAV 0.99.1, is available for download.

Security Leftovers

Filed under
Security
  • Leopard Flower firewall – Protect your bytes

    Several months ago, I decided to explore a somewhat obscure topic of outbound per-application firewall control in Linux. A concept that Windows users are well familiar with, it’s been around for ages, providing Windows folks with a heightened sense of – if not practical factual – protection against rogues residing in their system and trying to phone home.

    In Linux, things are a little different, but with the growing flux of Windows converts arriving at the sandy shores of open-source, the notion of need for outbound control of applications has also risen, giving birth to software designed to allay fears if not resolve problems. My first attempt to play with Leopard Flower and Douane was somewhat frustrating. Now, I’m going to revisit the test, focusing only on the former.

    [...]

    Leopard Flower firewall is an interesting concept. Misplaced, though, for most parts. It caters to a Windows need that does not exist on Linux, and to be frank, has no place in the Microsoft world either. Then, it also tries to resolve a problem of control and knowledge by requiring the user to exercise the necessary control and knowledge. But if they had those to begin with, they wouldn’t need to dabble in per-application firewalls. Furthermore, the software is still fairly immature. There are at least half a dozen little things and changes that can be implemented to make lpfw more elegant, starting with installation and followed by service and GUI model, prompts, robustness, and a few others.

  • Critical bug in libotr could open users of ChatSecure, Adium, Pidgin to compromise
  • Clair 1.0 Brings Advances in Container Security

    CoreOS pushes the open-source container security project to the 1.0 milestone and production stability.

    As container use grows, there is an increasing need to understand from a security perspective what is actually running in a container. That's the goal of CoreOS' Clair container security project, which officially hits the 1.0 milestone today, in an effort to help organizations validate container application security.

More in Tux Machines

Ubuntu 16.10 Final Beta Officially Released with Linux Kernel 4.8, Download Now

Delayed six days, the Final Beta release of the upcoming Ubuntu 16.10 (Yakkety Yak) operating system launched today, September 28, 2016, as the final development snapshot in the series.

Today's Final Beta is in fact the first Beta pre-release version of Ubuntu 16.10, and the only development milestone that you'll be able to test if you want to see what's coming to the next major release of Ubuntu Linux. However, we can tell you that it is powered by Linux kernel 4.8, contains up-to-date applications, and still uses the Unity 7 UI.

"The Ubuntu team is pleased to announce the final beta release of Ubuntu 16.10 Desktop, Server, and Cloud products. Codenamed "Yakkety Yak", 16.10 continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs," reads the announcement.

Parsix GNU/Linux 8.5 "Atticus" to Reach End of Life on September 30, 2016

The Parsix GNU/Linux developers announced that the end-of-life status is approaching fast for the Parsix GNU/Linux 8.5 "Atticus" operating system, urging users to upgrade to the latest release immediately.

Dubbed Atticus and based on the Debian GNU/Linux 8.5 "Jessie" operating system, Parsix GNU/Linux 8.5 was unveiled seven months ago, on February 14, 2016. Running the long-term supported Linux 4.1.17 kernel injected with TuxOnIce 3.3 and BFS patches, it was built around the GNOME 3.18 desktop environment with the GNOME Shell 3.18.3 user interface.

The end of life (EOL) will be officially reached on September 30, 2016, which means that users of the Parsix GNU/Linux 8.5 "Atticus" operating system will no longer receive security and software updates. Therefore, they are urged today to upgrade to the latest, most recent version of the Debian-based distribution, Parsix GNU/Linux 8.10 "Erik."

SteamOS 2.93 Brewmaster Beta Adds New Security Fixes from Debian GNU/Linux 8.6

Valve's SteamOS 2 gaming operating system is still getting goodies, and it looks like a new Beta update has been pushed on September 26, 2016, to the brewmaster_beta channel for public beta testers.

That's right, SteamOS 2.93 Brewmaster Beta is here to replace the previous build announced earlier this month, SteamOS 2.91 Brewmaster Beta, and add the latest security fixes and updates from upstream. This means that SteamOS is now officially based on the recently released Debian GNU/Linux 8.6 "Jessie" operating system.

"SteamOS brewmaster update 2.93 pushed to brewmaster_beta. Corrects a build issue where the last kernel updates were not actually included. Also updates from the Debian 8.6 release[www.debian.org] and the usual security fixes," says John Vert, Valve engineer, in the release announcement.