Security News

Filed under
Security
  • Arbitrary code execution in TeX distributions

    Many out there use TeX or one of its distributions like TeX Live, LaTeX, MiKTeX or teTeX. Sharing TeX files between authors is common, and often conference organizers, journal editors or university institutions offer TeX templates for papers and diploma theses. So what if a TeX file can take over your computer?

  • Security firm issues patch for Windows zero-day

    A security firm has released a patch for a remotely exploitable vulnerability in Windows that Microsoft is expected to patch on 14 March.

    0patch team member Luka Treiber said this was the first time the company had issued code to fix a zero-day exploit.

    He has provided a detailed rundown of his methodology on the firm's website.

    Anyone wishing to use the patch has to download 0patch's patching agent and then obtain the code.

  • The working dead: The security risks of outdated Linux kernels [Ed: IDG says that running an old and unpatched Linux kernel is not a good idea, like that wasn't obvious.]

    Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed a serious kernel vulnerability remained undiscovered for over a decade. But, what does this mean in a practical sense? Why is security of the Linux kernel important? And, what effects do vulnerabilities have on older or obsolete kernels that are persistent in many devices?

Talks and FOSS Events

Filed under
OSS
Security
  • Me at the RSA Conference

    This is my talk at the RSA Conference last month. It's on regulation and the Internet of Things, along the lines of this essay.

  • How to handle conflict like a boss

    I was initially afraid that a talk about conflict management would be touchy-feely to the point of uselessness, but found that every time Deb Nicholson described a scenario, I could remember a project that I'd been involved in where just such a problem had arisen. In the end, her "Handle conflict like a boss" presentation may turn out to have been one of the more rewarding talks I heard at FOSDEM 2017.

    Nicholson's first contention was that conflict happens because some people are missing some information. She related a story about a shared apartment where the resident who was responsible for dividing up the electricity bill was getting quite annoyed at the resident who had got behind on his share, until Nicholson pointed out that the latter resident was away at his grandmother's funeral. Instantly, the person who'd been angry was calm and concerned, through no change other than coming into possession of all the facts. Conflict is natural, said Nicholson, but it doesn't have to be the end of the world.

  • Principled free-software license enforcement

    Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat.

    To his mind, GPL enforcement has always been an important element of free-software law; not that we should all be doing it, all the time, but like it or not, litigation is part of a legal system. Awareness of its possibility, however, was making some Red Hat customers and partners worried about the prospect. There has not, in fact, been much actual litigation around free-software licenses — certainly not compared to the amount of litigation software companies are capable of generating in the normal course of business — thus Fontana felt their fears were unreasonable.

Security Leftovers

Filed under
Security
  • Software Grand Exposure: SGX Cache Attacks Are Practical

    Side-channel information leakage is a known limitation of SGX. Researchers have demonstrated that secret-dependent information can be extracted from enclave execution through page-fault access patterns. Consequently, various recent research efforts are actively seeking countermeasures to SGX side-channel attacks. It is widely assumed that SGX may be vulnerable to other side channels, such as cache access pattern monitoring, as well. However, prior to our work, the practicality and the extent of such information leakage was not studied.

  • KDE issues security advisory for HTTPS KIO Slave

    The vulnerability here is that the full URL with all parameters (including usernames, passwords etc.) was passed to the FindProxyForURL function. A malicious attacker could manipulate the local network and distribute a PAC file which then leaks the full URL (e.g. over the network), even though HTTPS is supposed to protect the URL. The issue has been fixed for HTTPS in two commits (here and here). There is no fix for HTTP as it is unencrypted and the proxy can always see the full URL anyway.

  • Multiple Vulnerabilities in X.org
  • Sticky Password for Android 8.0.3646

Security Leftovers

Filed under
Security

7 Essential Tips for Linux Sysadmin Workstation Security

Filed under
Linux
Security

If you’re a sysadmin who works from home, logs in for after-hours emergency support or simply prefers to work from a laptop in your office, you need to do it securely. Preparation and vigilance are essential in keeping your workstation and network safe from hackers.

Anyone who uses a Linux workstation to access and manage their company’s or project's IT infrastructure runs the risk that his or her computer will become an incursion vector against the rest of that infrastructure.


Security Leftovers

Filed under
Security
  • Security-Oriented Alpine Linux 3.5.2 Distro Released with Kernel 4.4.52 LTS

    Alpine Linux, the open-source security-oriented GNU/Linux distribution based on BusyBox and musl libc, has been updated earlier to version 3.5.2, the second point release to the stable 3.5 series.

    Alpine Linux 3.5.2 comes one month after the release of Alpine Linux 3.5.1 and brings with it the recently released long-term supported Linux 4.4.52 kernel, as well as numerous up-to-date components, including PHP 7.0.16, lighttpd 1.4.45, Chromium 56.0.2924.76, PostgreSQL 9.6.2, nginx 1.10.3, ZoneMinder 1.30.2, and RackTables 0.20.12.

  • SSH Communications Security's Universal SSH Key Manager

    Today's IAM solutions, warns enterprise cybersecurity expert SSH Communications Security, fail to address fully the requirements of trusted access. Organizations lack an efficient way to manage and govern trusted access credentials and have no visibility into the activities that occur within the secure channels that are created for trusted access operations.

  • Three Years after Heartbleed, How Vulnerable Are You? [Ed: Fools who cling on to hype, marketing and FUD from a Microsoft-connected firm even 3 years later]

    Three years ago, the Heartbleed vulnerability in the OpenSSL cryptographic library sent the software industry and companies around the world into a panic. Software developers didn't know enough about the open source components used in their own products to understand whether their software was vulnerable — and customers using that software didn't know either.

Security Leftovers

Filed under
Security
  • Human error caused Amazon Web Services outage

    A wrong command entered by a member of its technical staff was responsible for the outage experienced by Amazon Web Services simple storage service this week.

    In a detailed explanation, the company said the S3 team was attempting to debug an issue that caused a slowdown in its billing system when, at 9.37am PST on Tuesday (4.30am Wednesday AEST), one of its technical staff ran a command that was intended to remove a few servers from one of the subsystems used by the S3 billing process.

    The worker entered one wrong input for the command and ended up removing a much larger number of servers than intended, some of which supported two other S3 subsystems.

  • Apple's macOS bitten by a brace of backdoors

    OH JEEZ, THE SANCTITY OF THE Apple operating system continues to be whittled away at, and now two reasonably fresh backdoors have been revealed by a concerned security company.

    Apple backdoors are much prized, just ask the FBI, so to have two in a day should be a thing to celebrate. But only if you like that kind of stuff.

    The Malwarebytes blog dishes the dirt on the pair and the threat that they pose to people who use Macs.

    One of them is XAgent, which Palo Alto Networks clocked onto in February. It is a nasty business indeed.

  • SHA-1 crack just got real: System Center uses it to talk to Linux

    When Google revealed last week that it had destroyed the SHA-1 algorithm, it hammered another nail into the venerable algo's coffin.

    But as we noted in our report on the feat, many applications still use SHA-1. And if you're one of the many Windows shops running Microsoft's System Center Operations Manager Management Server, you've got an exposure.

Security News

Filed under
Security
  • Amazon S3-izure cause: Half the web vanished because an AWS bod fat-fingered a command

    Amazon has provided the postmortem for Tuesday's AWS S3 meltdown, shedding light on what caused one of its largest cloud facilities to bring a chunk of the web down.

    In a note today to customers, the tech giant said the storage system was knocked offline by a staffer trying to address a problem with its billing system. Essentially, someone mistyped a command within a production environment while debugging a performance gremlin.

    "The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process," the team wrote in its message.

  • HackerOne Offers Free Bug Bounty Programs for Open Source Projects

    HackerOne, a platform that is offering hosting for bug bounty programs, announced today that open-source projects can now sign up for a free bug bounty program if they meet a few simple conditions.

    The new offering, named HackerOne Community Edition, is identical with HackerOne Professional Edition, the commercial service the company is offering to some of the world's largest organizations, such as Twitter, Dropbox, Adobe, Yahoo, Uber, GitHub, Snapchat, and many others.

  • Once overlooked, uninitialized-use 'bugs' may provide portal for hacker attacks on linux

    Popular with programmers the world over for its stability, flexibility and security, Linux now appears to be vulnerable to hackers.

Security News

Filed under
Security
  • Security updates for Thursday
  • Security updates for Wednesday
  • Researchers find “severe” flaw in WordPress plugin with 1 million installs

    More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases, at least under certain conditions.

    The vulnerability stems from a "severe" SQL injection bug in NextGEN Gallery, a WordPress plugin with more than 1 million installations. Until the flaw was recently fixed, NextGEN Gallery allowed input from untrusted visitors to be included in WordPress-prepared SQL queries. Under certain conditions, attackers can exploit the weakness to pipe powerful commands to a Web server's backend database.

  • cloudbleed hero graphics
  • Botnets

    Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.

    But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of things." Because these devices typically have little or no security, hackers can take them over with little effort. And that makes it easier than ever to build huge botnets that take down much more than one site at a time.

  • Yahoo boss Marissa Mayer loses millions in bonuses over security lapses

    Yahoo chief executive Marissa Mayer will lose her annual bonus and the company’s top lawyer has been removed over their mishandling of security breaches that exposed the personal information of more than 1 billion users.

    Mayer’s cash bonus is worth about $2m a year and her personal cost from the security flaws increased when the board also accepted her offer to relinquish an annual stock award worth millions of dollars.

    Mayer, whose management team was found by an internal review to have reacted too slowly to one breach in 2014, said on Wednesday she wanted the board to distribute her bonus to Yahoo’s entire workforce of 8,500 employees. The board did not say if it would do so.

  • Unlimited randomness with the ChaosKey?

    A few days ago I ordered a small batch of the ChaosKey, a small USB dongle for generating entropy created by Bdale Garbee and Keith Packard. Yesterday it arrived, and I am very happy to report that it works great! According to its designers, to get it to work out of the box, you need the Linux kernel version 4.1 or later. I tested on a Debian Stretch machine (kernel version 4.9), and there it worked just fine, increasing the available entropy very quickly. I wrote a small test oneliner to test. It first prints the current entropy level, drains /dev/random, and then prints the entropy level for five seconds.

  • Startup Offers Free ‘Bug Bounty’ Help to Open Source Projects

    Many people don't realize much of the Internet is built on free software. Even giant companies like Facebook, Google, and Amazon rely extensively on big libraries of code—known as "open source" software—written by thousands of programmers, who share their work with everyone.

    But no software is perfect. Like the proprietary code developed by many companies, open source software contains flaws that hackers can exploit to steal information or spread viruses. That's why a new initiative to patch those holes is important.

  • 50 Google Engineers Volunteered to Patch Thousands of Java Open Source Projects

    A year ago, several Google engineers got together and laid the foundation of Operation Rosehub, a project during which Google employees used some of their official work time to patch thousands of open source projects against a severe and widespread Java vulnerability.

    Known internally at Google as the Mad Gadget vulnerability, the issue was discovered at the start of 2015 but came to everyone's attention in November 2015 after security researchers from Foxglove Security showcased how it could be used to steal data from WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS Java applications.

KDE Plasma 5.9.3 Linux Desktop Environment Released, Over 40 Recorded Bugs Fixed

Filed under
KDE
Security

The KDE project had the great pleasure of announcing the release of the third maintenance update to the recently released KDE Plasma 5.9 desktop environment stable series.

More in Tux Machines

Leftovers: OSS and Sharing

  • Making your OpenStack monitoring stack highly available using Open Source tools
    Operators tasked with maintaining production environments are relying on monitoring stacks to provide insight to resource usage and a heads-up to threats of downtime. Perhaps the most critical function of a monitoring stack is providing alerts which trigger mitigation steps to ensure an environment stays up and running. Downtime of services can be business-critical, and often has extremely high cost ramifications. Operators working in cloud environments are especially reliant on monitoring stacks due to the increase in potential inefficiency and downtime that comes with greater resource usage. The constant visibility of resources and alerts that a monitoring stack provides, makes it a fundamental component of any cloud.
  • InfraRed: Deploying and Testing Openstack just made easier!
  • The journey of a new OpenStack service in RDO
    When new contributors join RDO, they ask for recommendations about how to add new services and help RDO users to adopt it. This post is not an official policy document nor a detailed description about how to carry out some activities, but provides some high level recommendations to newcomers based on what I have learned and observed in the last year working in RDO.
  • Getting to know the essential OpenStack components better
  • Getting to know core components, speed mentoring, and more OpenStack news
  • Testing LibreOffice 5.3 Notebookbar
    I teach an online CSCI class about usability. The course is "The Usability of Open Source Software" and provides a background on free software and open source software, and uses that as a basis to teach usability. The rest of the class is a pretty standard CSCI usability class. We explore a few interesting cases in open source software as part of our discussion. And using open source software makes it really easy for the students to pick a program to study for their usability test final project.
  • [Older] Drupal member sent out after BDSM lifestyle revealed

    Drupal, like many other open source projects, has a stated goal of welcoming and accepting all people, no matter their heritage, culture, sexual orientation, gender identity or other factors.

  • Controversy Erupts in Open-Source Community After Developer's Sex Life Made Public
    Drupal is a popular open-source content-management system, used to build websites. Like many other open-source projects, Drupal is guided by several committees that are supposed to be accountable to the community and its code of conduct, which enshrines values like "be considerate" and "be respectful." Also like many other open-source projects, Drupal attracts all sorts of people, some of whom are eclectic. Last week, under murky circumstances, Drupal creator Dries Buytaert banned one of the project's technical and community leaders, Larry Garfield. Buytaert attributed the decision to aspects of Garfield's private sex life. Many Drupal users and developers are up in arms about the perceived injustice of the move, exacerbated by what they see as a lack of transparency.
  • HospitalRun: Open Source Software for the Developing World
    When open source software is used for global health and global relief work, its benefits shine bright. The benefits of open source become very clear when human health and human lives are on the line. In this YouTube video, hear Harrisburg, Pennsylvania software developer Joel Worrall explain about HospitalRun software – open source cloud-based software used at developing world healthcare facilities.
  • Scotland emphasises sharing and reuse of ICT
    Scotland’s public administrations should focus on common, shared technology platforms, according to the new digital strategy, published on 22 March. The government says it wants to develop “shared infrastructure, services and standards in collaboration with our public sector partners, to reduce costs and enable resources to be focused on front-line services.”
  • [Older] OpenSSL Re-licensing to Apache License v. 2.0 To Encourage Broader Use with Other FOSS Projects and Products

    OpenSSL Launches New Website to Organize Process, Seeks to Contact All Contributors

  • Austria state secretary promotes open data
    The State Secretary at Austria’s Federal Chancellery, Muna Duzdar, is encouraging the making available of government data as open data. “The administration must set an example and support the open data culture by giving society its data back”, the State Secretary for Digitalisation said in a statement.
  • Study: Hungary should redouble open data initiatives
    The government of Hungary should redouble its efforts to make public sector information available as open data, and actively help to create market opportunities, a government white paper recommends. The ‘White Paper on National Data Policy’ was approved by the government in December.
  • Williamson School Board OKs developing open source science curriculum
    Science textbooks may be a thing of the past in Williamson County Schools. The Williamson County school board approved a proposal Monday night to use open source science resources instead of science textbooks. The switch will require a team of nine teachers to spend a year developing an open source curriculum.
  • How Elsevier plans to sabotage Open Access
    It was a long and difficult road to get the major publishing houses to open up to open access, but in the end the Dutch universities got their much awaited ‘gold deal’ for open access. A recently revealed contract between Elsevier and the Dutch research institutes lays bare the retardant tactics the publishing giant employs to stifle the growth of open access.
  • #0: Introducing R^4
  • RcppTOML 0.1.2

Security Leftovers

  • Security updates for Monday
  • FedEx Will Pay You $5 to Install Flash on Your Machine
    FedEx is making you an offer you can’t afford to accept. It’s offering to give you $5 (actually, it’s a discount on orders over $30) if you’ll just install Adobe Flash on your machine. Nobody who knows anything about online security uses Flash anymore, except when it’s absolutely necessary. Why? Because Flash is the poster child for the “security-vulnerability-of-the-hour” club — a group that includes another Adobe product, Acrobat. How unsafe is Flash? Let’s put it this way: seven years ago, Steve Jobs announced that Flash was to be forever banned from Apple’s mobile products. One of the reasons he cited was a report from Symantec that “highlighted Flash for having one of the worst security records in 2009.” Flash security hasn’t gotten any better since.
  • Every once in a while someone suggests to me that curl and libcurl would do better if rewritten in a “safe language”
  • An insecure dishwasher has entered the IoT war against humanity

    Regel says that he has contacted Miele on a number of occasions about the issue, but had failed to get a response to his missives, and thus has no updated information on the vulnerability.

    He added, bleakly, that "we are not aware of an actual fix."

  • Monday Witness: It's Time to Recognize a Civil Right Not to be Connected
    Along with death and taxes, two things appear inevitable. The first is that Internet of Things devices will not only be built into everything we can imagine, but into everything we can't as well. The second is that IoT devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway. What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.
  • Remember kids, if you're going to disclose, disclose responsibly!
    If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I'm not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things.

Lightroom and Darktable: the verdict two years after switching

In summer 2015, I posted a detailed account of my tentative switch from Windows 7 and Lightroom to Linux and Darktable. This was sparked by sudden crashes that were afflicting my system, but in a deeper sense grew from frustration with Windows and, to a lesser degree, with Lightroom. Once I headed for Linux, I decided to plunge in fully and commit to using Ubuntu and free, open-source photo software for several months – at least until the end of that year. That would give me a chance to see whether I could actually run my photography business on the new system.

7 Linux Mainstream Distros Alternatives

Linux mainstream distros are quite popular as they have a large number of developers working on them as well as a large number of users using them. In addition, these distros also have a strong support system. People often search for alternatives to Linux mainstream distros but often get confused about which is the best one for them. So listed below are 7 of the best alternatives to the Linux mainstream distros for you.