Security Leftovers

Filed under
Security
  • How 'Security Fatigue' Affects Our Choices Online

    A new study claims many users suffer from 'security fatigue,' which affects the choices we make online. What's the real answer and where does the root cause sit?
    An overabundance of security news and alerts has led to "security fatigue," which is causing users to make bad choices when it comes to online security, suggests a report from the National Institute of Standards and Technology (NIST).

  • Apache Milagro: A New Security System for the Future of the Web
  • Ransomware hackers are hitting the NHS in the knackers [ophk: "politicians' heads should roll for running MS anywhere near the NHS"]

    Rashmi Knowles, chief EMEA security architect at RSA, said: "Ransomware is an extremely lucrative business for cyber criminals as once they are in they just need to encrypt the data. Whereas actually stealing data and then trying to resell makes it a much longer process.

    "Current data shows that ransomware cases are expected to double from 2015 to 2016, and it should come as no surprise that breaches continue to happen as frequently as they do.

    "The results show organisations relying on a fragmented foundation of data and technologies. Because it remains siloed, visibility is incomplete, making attacker activity difficult to scope.

    "As a result the speed with which they can detect and investigate threats becomes a real challenge."

The top three Wi-Fi pen testing tools in Kali Linux

Filed under
GNU
Linux
Security

Every hacker and security researcher loves Kali Linux. The developers of the Kali Linux ethical hacking distro have released the second Kali Rolling ISO release, i.e. Kali 2016.2. Just like the previous one, Kali promises to deliver lots of new updates and changes in this release. Over the course of the past few months, Kali developers have been busy adding new tools to Kali and fixing multiple bugs. For example, they have added HTTPS support in busybox, which allows secure installation over SSL.

Kali Linux provides you the flexibility to install your favorite desktop environment and personalize your experience. However, Kali developers note that users often talk about how they would love to see other desktop environments instead of GNOME.

Security News

Filed under
Security
  • One election-system vendor uses developers in Serbia

    The use of proprietary systems in elections has its critics. One Silicon Valley group, the Open Source Election Technology Foundation, is pushing for an election system that shifts from proprietary, vendor-owned systems to one that is owned "by the people of the United States."

  • Europe to Push New Security Rules Amid IoT Mess

    The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

  • Internet of Things botnets: You ain’t seen nothing yet

    Internet of Things (IoT) botnet "Mirai" is the shape of things to come and future assaults could be even more severe, a leading security research firm warns.

    Mirai powered the largest DDoS attack ever, spawning a 620Gbps DDoS against KrebsOnSecurity. Source code for the malware was released on hacker forums last week.

    The malware relied on factory default or hard-coded usernames and passwords to compromise vulnerable IoT devices such as insecure routers, IP cameras, digital video recorders and the like.

    PenTestPartners, the UK security consultancy behind numerous hacks on IoT devices ranging from Wi-Fi enabled kettles to cars, said that the botnet finally illustrates the consequences of IoT vendors cutting corners on security.

Security News

Filed under
Security
  • Security advisories for Friday
  • surveillance, whistleblowing, and security engineering

    Imagine for a moment that you are a security engineer who discovers a backdoor that your company execs have been trying to hide from your team. Would you quit on ethical grounds or stay so that you can prevent this from happening again? I don’t think there is one right answer. Personally I am grateful both for those who left and blew the whistle, and for those who stayed to protect Yahoo’s 800 million users.

    Part of the job function of security engineers and pen testers is being ready for the moment you encounter something that you think should be disclosed but your company wants to keep secret. Think about what you would be willing to lose. Be prepared to escalate internally. Know the terms of your NDA and your exit agreement; try your best to honor them. Most of all, keep pushing for end-to-end encryption.

  • Digital Vigilantes Want to Shame DDoS Attackers And Their Corporate Enablers

    Hacker attacks that try to take down websites with a flood of bogus traffic, technically known as Distributed Denial of Service (DDoS) attacks, have become a daily occurrence on the internet. The rise of DDoS has created a cottage industry of companies dedicated to mitigating the attacks, and, on the flip side, professional DDoS-for-hire services and gangs.

    Now, a group of security researchers wants to name and shame not only the hackers responsible for such crippling attacks, but also the internet providers and traffic carriers that enable them by turning a blind eye to their actions, with a project called SpoofIT.

  • Russia Drafting Law to Favor Open Source

    I wrote the original cyber-vulnerability letter to the White House in 1994, and instead of acting responsibly, the US Government allowed NSA -- with the active complicity of US communications and computing provider CEOs -- to compromise all US offerings. Not only are the communications and computing devices and related consulting compromised, but so are larger offerings (e.g. Boeing aircraft, which come with a computer system pre-configured for US Government remote control take-over -- Lufthansa is reported to have discovered this and at great expense removed all US computers from every aircraft). NOTE: I am quite certain about both of the above indictments, but only a proper European Commission investigation can satisfy the public interest; I believe that the same problems infect C4I systems from China, France, Israel, and Russia, and I do not believe most people are aware that the electrical system is now easily used to enter computers that are nominally disconnected from the Internet.

  • Systemd vulnerability crashes Linux systems

    A new vulnerability has been discovered that could shut down most Linux systems using a command short enough to fit in a tweet.

Security Leftovers

Filed under
Security
  • Promoting Cybersecurity Awareness

    We are happy to support National Cyber Security Awareness Month (NCSAM), a global effort between government and industry to ensure everyone has the resources they need to be safer, more secure and better able to protect their personal information online.

    We’ve talked about how cybersecurity is a shared responsibility, and that is the theme for National Cybersecurity Awareness Month – the Internet is a shared resource and securing it is our shared responsibility. This means technology companies, governments, and even users have to work together to protect and improve the security of the Internet. We all have to do our part to make the Internet safer and more secure for everyone. This is a time for all Internet users to Stop. Think. Connect. This month, and all year long, we want to help you be more “CyberAware.”

  • 'Security fatigue' is the worst thing to happen to people since insecurity

    CHANGING PASSWORDS is just too much for some people, according to research, and causes them to do stupid things.

    This is called 'security fatigue', apparently, and comes straight from the National Institute of Standards and Technology (NIST) and a collection of clipboards and pens.

    "After updating your password for the umpteenth time, have you resorted to using one you know you'll remember because you've used it before? Have you ever given up on an online purchase because you just didn't feel like creating a new account?" asked NIST.

    "If you have done any of those things, it might be the result of ‘security fatigue'. It exposes online users to risk and costs businesses money in lost customers."

  • The new BYOD backlash hides an ulterior motive

    Recent research from IDC shows a clear picture: IT organizations are increasingly unhappy about BYOD and now want to curtail or end the practice.

    Their stated concern: The costs are too high and the savings too low. But those concerns are misguided and likely masking a secret agenda to regain control over mobile devices, not to save money. Face it: BYOD was never popular with IT.

Security News

Filed under
Security

First pfSense 2.3.2 Update Adds OpenSSL Security Fixes to the BSD-Based Firewall

Filed under
OSS
Security
BSD

Today, October 6, 2016, Jim Thompson from the pfSense project has had the great pleasure of announcing the release and immediate availability of the pfSense 2.3.2-p1 maintenance update to the open source BSD-based firewall distro.

Bugs and Security

Filed under
Linux
Security
  • New Linux Kernel 4.8 -- Plus a Kernel-Killing Bug

    After nearly exactly two months, Linus Torvalds released kernel 4.8 into the wild on Sunday, October 2nd. Torvalds dubbed 4.8 Psychotic Stoned Sheep, probably inspired by the news that a flock of woolly ruminants ate some abandoned cannabis and, high as kites, ran amok in rural Wales, striking terror into the hearts of the locals.

    This has been one of the larger releases, with many patches being sent in before the first release candidate was published. However, Torvalds attributes many of the changes to the switch to a new documentation format -- instead of using the DocBook, documentation must now be submitted in the Sphinx doc format.

  • Linus Torvalds Apologizes for Inclusion of a Kernel Bug in the Linux 4.8 Release

    Two days after announcing the release of the Linux 4.8 kernel as the latest stable and most advanced kernel branch for GNU/Linux operating systems, Linus Torvalds apologized on the kernel mailing list for the inclusion of a bug.

    According to Mr. Torvalds, the bug was left in the last RC8 (Release Candidate 8) build by kernel developer Andrew Morton, which caused problems when attempting to compile it, thus resulting in a dead kernel. If you're curious, the full report is attached to Linus Torvalds' mailing list announcement.

  • Buggy code to the left of me, perfect source to the right, here I am, stuck in the middle with EU

    Midway through SUPERSEDE, the EU three-year project backed by €3.25m in funding to make software better, software still sucks.

    It's always been thus, but now that computer code has a say in the driving of Teslas, confronts everyone daily on smartphones, and has crept into appliances, medical devices, and infrastructure, it's a more visible problem.

    Robert Vamosi, security strategist at Synopsys, told The Register in a phone interview that software quality matters more than ever.

    "We're seeing real-world examples of automobiles remotely attacked and medical devices being suspended when they need to keep functioning," he said. "It's becoming life-critical."

    The organizations involved in SUPERSEDE – ATOS, Delta Informatica, SEnerCon, Siemens, Universitat Politècnica de Catalunya (UPC), the University of Applied Sciences and Arts Northwestern Switzerland (FHNW), and the University of Zurich (UZH) – aim to improve the user experience of their software products with a toolkit to provide better feedback and analytics data to application developers.

  • 5 Tips on Using OAuth 2.0 for Secure Authorization

    OAuth is an open standard in authorization that allows delegating access to remote resources without sharing the owner's credentials. Instead of credentials, OAuth introduces tokens generated by the authorization server and accepted by the resource owner.

    In OAuth 1.0, each registered client was given a client secret and the token was provided in response to an authentication request signed by the client secret. That produced a secure implementation even in the case of communicating through an insecure channel, because the secret itself was only used to sign the request and was not passed across the network.

    OAuth 2.0 is a more straightforward protocol, passing the client secret with every authentication request. Therefore, this protocol is not backward compatible with OAuth 1.0. Moreover, it is deemed less secure because it relies solely on the SSL/TLS layer. One of the OAuth contributors, Eran Hammer, even said that OAuth 2.0 may become "the road to hell," because:

    "… OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations."

    Despite this opinion, making a secure implementation of OAuth 2.0 is not that hard, because there are frameworks supporting it and best practices listed. SSL itself is a very reliable protocol that is impossible to compromise when proper certificate checks are thoroughly performed.

    Of course, if you are using OAuth 1.0, then continue to use it; there is no point in migrating to OAuth 2.0. But if you are developing a new mobile or an Angular web application (and often mobile and web applications come together, sharing the same server), then OAuth 2.0 will be a better choice. It already has some built-in support in the OWIN framework for .NET that can be easily extended to create different clients and use different security settings.

  • J&J warns diabetic patients: Insulin pump vulnerable to hacking

    Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low.

    Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators.

    J&J executives told Reuters they knew of no examples of attempted hacking attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem.

  • Who Makes the IoT Things Under Attack?

    As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware.

    The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.

Security News

Filed under
Linux
Security
  • Security advisories for Wednesday
  • 10 basic linux security measures everyone should be doing

    Akin to locking your doors and closing your windows, there are some really basic things everyone should be doing with their Linux installs (this is of course written from a Fedora viewpoint, but I think this pretty much applies to all computer OSes).

  • Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers

    Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that at scale -- we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.

    Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.

  • EFF Asks Court to Block U.S. From Prosecuting Security Researcher For Detecting and Publishing Computer Vulnerabilities

    The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.

    Green is writing a book about methods of security research to recognize vulnerabilities in computer systems. This important work helps keep everyone safer by finding weaknesses in computer code running devices critical to our lives—electronic devices, cars, medical record systems, credit card processing, and ATM transactions. Green’s aim is to publish research that can be used to build more secure software.

  • Malta unveils Cyber Security Strategy

    The government of Malta has unveiled a National Cyber Security Strategy. The strategy provides the legal context to defend the country’s computer networks infrastructure and its users from threats.

  • Mirai “internet of things” malware from Krebs DDoS attack goes open source

    Last week, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.

    To explain.

    A DDoS attack is an aggressive sort of DoS attack, where DoS is short for denial of service.

    A DoS is a bit like getting into the queue at the station to buy a ticket for the next train, only to have a time-waster squeeze in front of you and slow you down.

    By the time the miscreant has asked, innocently enough, about the different sorts of ticket available, and whether it costs extra to take a bicycle, and how much longer it would take if he were to change trains in Manchester, only to walk off without buying a ticket at all…

    …you’ve watched your train arrive, load up with passengers, and depart without you.

    A DDoS attack is worse: it’s short for distributed denial of service attack, and it’s much the same thing as a DoS, except that the trouble-stirrer doesn’t show up on his own.

  • Linux systems susceptible to crashes from tweet sized command
  • Linux 4.8 Debuts - But Maybe It Shouldn't Have

    The Linux 4.8.0 kernel was officially released on October 2, becoming the fifth kernel release so far in 2016. The Linux 4.7 kernel was released on July 24.

    As opposed to all the other kernel releases this year (and in fact in contrast to all kernel releases since 2.6) Torvalds really wasn't happy about this one, though the source of his displeasure didn't become apparent until after the release.

    "So the last week was really quiet, which maybe means that I could probably just have skipped rc8 after all," Torvalds wrote in his Linux 4.8 release announcement. "Oh well, no real harm done."

    A day later, on October 3, Torvalds admitted that he shouldn't have merged a late set of updates from kernel developer Andrew Morton.

Security News

Filed under
Linux
OSS
Security