Security

Security News

Filed under
Security

FOSS and Security

Filed under
OSS
Security
  • Coffee Shop DevOps: How to use feedback loops to get smarter
  • How to design your project for participation

    Working openly means designing for participation. "Designing for participation" is a way of providing people with insight into your project, which you've built from the start to incorporate and act on that insight. Documenting how you intend to make decisions, which communication channels you’ll use, and how people can get in touch with you are the first steps in designing for participation. Other steps include working openly, being transparent, and using technologies that support collaboration and additional ways of inviting participation. In the end, it’s all about providing context: Interested people must be able to get up to speed and start participating in your project, team, or organization as quickly and easily as possible.

  • So long, Firefox Hello!

    After updating my PCLinuxOS install, I noticed that the icon of Firefox Hello had changed: it was red and displayed a message reading "Error!"

    I thought it was a simple login failure, so I logged in and the icon went green, as normal. However, I noticed that Hello did not display the "Start a conversation" window, but one that read "browse this page with a friend".

    A bit confused, I called Megatotoro, who read this statement from Mozilla to me. Apparently, I had missed the fact that Mozilla is discontinuing Hello starting from Firefox 49. Current Firefox version is 48, so...

  • FreeBSD 11.0 Up to Release Candidate State, Support for SSH Protocol v1 Removed

    The FreeBSD Project, through Glen Barber, has had the pleasure of announcing this past weekend the general availability of the first Release Candidate for the upcoming FreeBSD 11.0 operating system, due for release on September 2, 2016.

    It appears to us that the development cycle of FreeBSD 11.0 was accelerated a bit, as the RC1 milestone is here just one week after the release of the fourth Beta build. Again, the new snapshot is available for 64-bit (amd64), 32-bit (i386), PowerPC (PPC), PowerPC 64-bit (PPC64), SPARC64, AArch64 (ARM64), and ARMv6 hardware architectures.

  • Open Source//Open Society Conference Live Blog

    This conference offers 2 huge days of inspiration, professional development and connecting for those interested in policy, data, open technology, leadership, management and team building.

  • White House Source Code Policy Should Go Further

    A new federal government policy will result in the government releasing more of the software that it creates under free and open source software licenses. That’s great news, but doesn’t go far enough in its goals or in enabling public oversight.

    A few months ago, we wrote about a proposed White House policy regarding how the government handles source code written by or for government agencies. The White House Office of Management and Budget (OMB) has now officially enacted the policy with a few changes. While the new policy is a step forward for government transparency and open access, a few of the changes in it are flat-out baffling.

  • The Brewing Problem Of PGP Short-ID Collision Attacks
  • Starwood, Marriott, Hyatt, IHG hit by malware: HEI

    A data breach at 20 U.S. hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental may have divulged payment card data from tens of thousands of food, drink and other transactions, HEI said on Sunday.

  • Linux TCP Flaw Leaves 80% Android Phones Open To Spying
  • Good morning Android!

Security News

Filed under
Security
  • Serving Up Security? Microsoft Patches ‘Malicious Butler’ Exploit — Again

    It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

    However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

  • PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds

    After contacting the owner, it turned out that one of the keys was a fake. In addition, the fake keys were labelled with the same names and emails, and even carried signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key.

  • Let's Encrypt: Why create a free, automated, and open CA?

    During the summer of 2012, Eric Rescorla and I decided to start a Certificate Authority (CA). A CA acts as a third-party to issue digital certificates, which certify public keys for certificate holders. The free, automated, and open CA we envisioned, which came to be called Let's Encrypt, has been built and is now one of the larger CAs in the world in terms of issuance volume.

    Starting a new CA is a lot of work—it's not a decision to be made lightly. In this article, I'll explain why we decided to start Let's Encrypt, and why we decided to build a new CA from scratch.

    We had a good reason to start building Let's Encrypt back in 2012. At that time, work on an HTTP/2 specification had started in the Internet Engineering Task Force (IETF), a standards body with a focus on network protocols. The question of whether or not to require encryption (via TLS) for HTTP/2 was hotly debated. My position, shared by my co-workers at Mozilla and many others, was that encryption should be required.

Security News

Filed under
Security
  • New FFS Rowhammer Attack Hijacks Linux VMs

    Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective at compromising Linux VMs, often used for cloud hosting services.

  • Fixing Things

    Recent reports that TCP connections can be hijacked have kicked an anthill at Kernel.org. Linus and others have a patch.

  • Minica - lightweight TLS for everyone!

    A while back, I found myself in need of some TLS certificates set up and issued for a testing environment.

    I remembered there was some code for issuing TLS certs in Docker, so I yanked some of that code and made a sensible CLI API over it.

  • Guy Tricks Windows Tech Support Scammers Into Installing Ransomware Code

    A man named Ivan Kwiatkowski managed to install Locky ransomware on the machine of a person who was pretending to be a tech support executive of a reputed company. Ivan wrote about his experiences in a blog post that tells how the tech support scammer fell into the pit he had dug for innocent people.

Security News

Filed under
Security
  • Hacker demonstrates how voting machines can be compromised [Ed: Microsoft inside]

    Concerns are growing over the possibility of a rigged presidential election. Experts believe a cyberattack this year could be a reality, especially following last month's hack of Democratic National Committee emails.

    The ranking member of the Senate Homeland Security Committee sent a letter Monday to the Department of Homeland Security, saying in part: "Election security is critical, and a cyberattack by foreign actors on our elections systems could compromise the integrity of our voting process."

    Roughly 70 percent of states in the U.S. use some form of electronic voting. Hackers told CBS News that problems with electronic voting machines have been around for years. The machines and the software are old and antiquated. But now with millions heading to the polls in three months, security experts are sounding the alarm, reports CBS News correspondent Mireya Villarreal.

  • Another Expert Weighs in on Election Hacking

    Today the old Gray Lady, the New York Times, no less, weighed in on election hacking in an Op/Ed piece titled The Election Won't be Rigged. But it Could be Hacked. Of course, anyone who's read my second cybersecurity thriller, The Lafayette Campaign, a Tale of Election and Deceptions, already knew that.

    The particular focus of the NYT article is that since voting can be hacked, it's vital to have a way to audit elections after they occur to see whether that has been the case, and to reveal the true electoral result.

  • New release: usbguard-0.5.11
  • Linux.Lady Trojan Turns Redis Servers to Mining Rigs

Security Leftovers

Filed under
Security
  • Trojan Virus Turns Linux Servers into Bitcoin Miners

    A new and dangerous computer virus has been targeting Linux servers, its goal: to turn computer servers into Bitcoin miners. The attack is aimed at environments running the Redis NoSQL database, and the virus is also able to probe the network interfaces of its hosts to propagate itself.

    More than 30,000 servers running the Redis database are in danger due to the lack of an access password. The virus is named “Linux.Lady” and it was first discovered by the Russian IT-security solutions vendor Dr. Web. The company released a report on the virus, classifying it into the Trojan subcategory.

  • A New Wireless Hack Can Unlock 100 Million Volkswagens

    In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

  • Almost every Volkswagen sold since 1995 can be unlocked with an Arduino

    The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles.

  • Road Warriors: Beware of ‘Video Jacking’

    A little-known feature of many modern smartphones is their ability to duplicate video on the device’s screen so that it also shows up on a much larger display — like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping.

    Dubbed “video jacking” by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the appropriate USB charging cord, the spy machine splits the phone’s video display and records a video of everything you tap, type or view on it as long as it’s plugged in — including PINs, passwords, account numbers, emails, texts, pictures and videos.

Security News

Filed under
Security
  • One bug to rule them all: 'State-supported' Project Sauron malware attacks world's top PCs

    Two top electronic security firms have discovered a new powerful malware suite being used to target just dozens of high-value targets around the world. The research shows that it was likely developed on the orders of a government engaging in cyber espionage.

    The California-based Symantec has labeled the group behind the attack Strider, while Moscow-based Kaspersky Labs dubbed it ProjectSauron. Both are references to J. R. R. Tolkien’s Lord of the Rings, a nod to the fact that the original malware code contained the word “Sauron.”

  • Disable WPAD now or have your accounts and private data compromised

    The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.

    Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.

  • With Anonymous' latest attacks in Rio, the digital games have begun

    A wave of denial of service (DDoS) attacks on state and city websites followed immediately after Anonymous delivered their statement. The group boasted taking down at least five sites, including www.brasil2016.gov.br, www.rio2016.com, www.esporte.gov.br, www.cob.org.br and www.rj.gov.br. They broadcast their exploits using the hashtags #OpOlympicHacking, #Leaked and #TangoDown, some of which were set up months ago.

  • Kaminsky Advocates for Greater Cloud Security

    There are a lot of different reasons why organizations choose to move to the cloud and many reasons why they do not. Speaking at a press conference during the Black Hat USA security event, security researcher Dan Kaminsky provided his views on what's wrong with the Internet today and where the cloud can fit in.

    "There's a saying we have," Kaminsky said. "There is no such thing as cloud, just other people's computers."

    While the cloud represents a utility model for computing, Kaminsky also suggests that there are ways to use the cloud to improve overall security. With the cloud, users and applications can be isolated or 'sandboxed' in a way that can limit risks.

    With proper configurations, including rate limiting approaches, the impact of data breaches could potentially be reduced as well. As an example, Kaminsky said that with rate limiting controls, only the money from a cash register is stolen by a hacker, as opposed to stealing all of a company's corporate profits for a month.

  • Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
  • Our Encrypted Email Service is Safe Against Linux TCP Vulnerability

    ProtonMail is not vulnerable to the recently announced Linux TCP Vulnerability

In limiting open source efforts, the government takes a costly gamble

Filed under
OSS
Security

The vast majority of companies are now realizing the value of open sourcing their software and almost all have done so for at least certain projects. These days Google, Facebook, Microsoft, Apple and almost every major company is releasing code to the open source community at a constant rate.

As is the case with many cutting-edge developments, it’s taking governments a while to catch on and understand the value in going open source. But now governments around the world are beginning to take the view that, as their software is funded by the public, it belongs to the public and should be open for public use, and they are starting to define codified policies for its release.

[...]

The vast majority of code is still not classified and therefore, much higher levels of open sourcing are possible. While a bigger embrace of open source may seem like a risk, the real danger lies in small, overly-cautious implementation which is costing taxpayers by the day and making us all less secure.


More Security Leftovers

Filed under
Security
  • Volkswagen Created A 'Backdoor' To Basically All Its Cars... And Now Hackers Can Open All Of Them

    In other words, VW created a backdoor, and assumed that it would remain hidden. But it did not.

    This is exactly the kind of point that we've been making about the problems of requiring any kind of backdoor and not enabling strong encryption. Using a single encryption key across every device is simply bad security. Forcing any kind of backdoor into any security system creates just these kinds of vulnerabilities -- and eventually someone's going to figure out how they work.

    On a related note, the article points out that the researchers who found this vulnerability are the same ones who also found another vulnerability a few years ago that allowed them to start the ignition of a bunch of VW vehicles. And VW's response... was to sue them and try to keep the vulnerability secret for nearly two years. Perhaps, rather than trying to sue these researchers, they should have thrown a bunch of money at them to continue their work, alert VW and help VW make their cars safer and better protected.

  • Software Freedom Doesn't Kill People, Your Security Through Obscurity Kills People

    The time has come that I must speak out against the inappropriate rhetoric used by those who (ostensibly) advocate for FLOSS usage in automotive applications.

    There was a catalyst that convinced me to finally speak up. I heard a talk today from a company representative of a software supplier for the automotive industry. He said during his talk: "putting GPLv3 software in cars will kill people" and "opening up the source code to cars will cause more harm than good". These statements are completely disingenuous. Most importantly, they ignore the fact that proprietary software in cars is at least equally, if not more, dangerous. At least one person has already been killed in a crash while using a proprietary software auto-control system. Volkswagen decided to take a different route; they decided to kill us all slowly (rather than quickly) by using proprietary software to lie about their emissions and illegally pollute our air.

    Meanwhile, there has not been a single example yet of GPLv3 software use that has harmed anyone. If you have such an example, email it to me and I promise to add it right here to this blog post.

  • Linux Networking Flaw Allows Attacker To Trick Safety Mechanism