Security

Security News

Filed under
Security
  • How OPNFV Earned Its Security Stripes and Received a CII Best Practices Badge

    Earning the CII badge will have a HUGE impact on OPNFV’s general approach to building security into the development model (something all open source projects should model). Statistics show that around 50 percent of vulnerabilities in software are “flaws” (usually a design fault/defective design, which is hard to fix after the software has been released) and 50 percent are bugs (implementation faults). Following these best practices will hopefully address both design and implementation faults before they become vulnerabilities.

  • MySQL Hit By "Critical" Remote Code Execution 0-Day

    The latest high-profile open-source software project having a bad security day is MySQL... MySQL 5.5/5.6/5.7 has a nasty zero-day vulnerability.

    Researchers have discovered multiple "severe" MySQL vulnerabilities, with CVE-2016-6662 being marked as critical and affecting the latest MySQL version.

    This 0-day is open for both local and remote attackers and could come via authenticated access to a MySQL database (including web UI administration panels) or via SQL injection attacks. The exploit could allow attackers to execute arbitrary code with root privileges.

  • CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation ( 0day )
  • Is Debian the gold standard for Linux security?
  • 10 Best Password Managers For Linux Operating Systems

    With so many online accounts on the internet, it can be tediously difficult to remember all your passwords. Many people write them down or store them in a document, but that’s plain insecure. There are many password managers for Windows and OS X, but here we’ll look at some of the best password managers for Linux.

Security News

Filed under
Security
  • Moving towards a more secure web

    To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

  • UK Politician's Campaign Staff Tweets Out Picture Of Login And Password To Phones During Campaign Phone Jam

    When we talk password security here at Techdirt, those conversations tend to revolve around stories a bit above and beyond the old "people don't use strong enough passwords" trope. While that certainly is the case, we tend to talk more about how major corporations aren't able to learn their lessons about storing customer passwords in plain text, or about how major media outlets are occasionally dumb enough to ask readers to submit their own passwords in an unsecure fashion.

    But for the truly silly, we obviously need to travel away from the world of private corporations and directly into the world of politicians, who often times are tasked with legislating on matters of data security and privacy, but who cannot help but show their own ineptness on the matter themselves. Take Owen Smith, for example. Smith is currently attempting to become the head of the UK's Labour Party, with his campaign working the phones as one would expect. And, because this is the age of social media engagement, one of his campaign staffers tweeted out the following photo of the crew hard at work.

  • WiredTree Warns Linux Server Administrators To Update In Wake Of Critical Off-Path Kernel Vulnerability

    WiredTree, a leading provider of managed server hosting, has warned Linux server administrators to update their servers in response to the discovery of a serious off-path vulnerability in the Linux kernel’s handling of TCP connections.

  • Reproducible Builds: week 72 in Stretch cycle

Security News

Filed under
Security
  • The H Factor – Why you should be building “human firewalls”

    It is often the elusive “H Factor” – the human element – that ends up being the weakest link that makes cyber-attacks and data breaches possible.

  • White House appoints first Federal Chief Information Security Officer

    The White House announced Thursday that retired Brigadier General Gregory J. Touhill will serve as the first federal Chief Information Security Officer (CISO).

    "The CISO will play a central role in helping to ensure the right set of policies, strategies, and practices are adopted across agencies and keeping the Federal Government at the leading edge of 21st century cybersecurity," read a blog post penned by Tony Scott, US Chief Information Officer, and J. Michael Daniel, special assistant to the president and cybersecurity coordinator.

  • Xen Project patches serious virtual machine escape flaws

    The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

    Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

  • This USB stick will fry your unsecured computer

    A Hong Kong-based technology manufacturer, USBKill.com, has taken data security to the "Mission Impossible" extreme by creating a USB stick that uses an electrical discharge to fry an unauthorized computer into which it's plugged.

    "When the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in a matter of seconds," the company said in a news release.

Security News

Filed under
Security
  • Home-router IoT Devices Compromised for Building DDoS Botnet

    IoT (Internet-of-Things) devices have been used to build botnets before, and likewise attackers recently compromised 8 different popular home-router brands, which are IoT devices, to build a botnet out of them which executed an application-level DDoS attack against several servers of a certain website. The discoverer of this application-level DDoS, alternatively an HTTPS flood assault at Layer 7, is Sucuri, the security company.

  • New Linux Trojan Discovered Coded in Mozilla's Rust Language [Ed: don’t install it. Easy.]

    A new trojan coded in Rust is targeting Linux-based platforms and adding them to a botnet controlled through an IRC channel, according to a recent discovery by Dr.Web, a Russian antivirus maker.

    Initial analysis of this trojan, detected as Linux.BackDoor.Irc.16, reveals this may be only a proof-of-concept or a testing version in advance of a fully weaponized version.

    Currently, the trojan only infects victims, gathers information about the local system and sends it to its C&C server.

  • The Limits of SMS for 2-Factor Authentication

    A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

  • Telnet is not dead – at least not on ‘smart’ devices

    Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But regardless of your age, you would probably not consider Telnet for anything you currently use. SSH has become the de facto standard when it comes to remote shell connection as it offers higher security, data encryption and much more besides.

    When we created our first honeypots for the Turris project (see our older blog articles – 1, 2, 3), we started with SSH and Telnet, because both offer interactive console access and thus are very interesting for potential attackers. But SSH was our main goal, while Telnet was more of a complementary feature. It came as a great surprise to discover that the traffic we drew to the Telnet honeypots is three orders of magnitude higher than in the case of SSH (note the logarithmic scale of the plot below). Though there is a small apples-to-oranges issue, as we compare the number of login attempts for Telnet with the number of issued commands for SSH, the huge difference is obvious and is also visible in other aspects, such as in the number of unique attacker IP addresses.

  • Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

    vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

    The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.

  • Cisco’s Network Bugs Are Front and Center in Bankruptcy Fight

    Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.

    Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.

    “Machine Zone wasn’t acting in good faith,” says Steve Morrissey, a partner at law firm Susman Godfrey, which is representing Peak Web. “They were trying to get out of the contract.” Machine Zone has disputed that assertion in court documents, but it declined to comment for this story. Cisco also declined to comment on the case, saying only that it tries to publish confirmed problems quickly.

    There’s buggy code in virtually every electronic system. But few companies ever talk about the cost of dealing with bugs, for fear of being associated with error-prone products. The trial, along with Peak Web’s bankruptcy filings, promises a rare look at just how much or how little control a company may have over its own operations, depending on the software that undergirds it. Think of the corporate computers around the world rendered useless by a faulty update from McAfee in 2010, or of investment company Knight Capital, which lost $458 million in 30 minutes in 2012—and had to be sold months later—after new software made erratic, automated stock market trades.

Free Software Foundation stresses necessity of full user control over Internet-connected devices

Filed under
GNU
Security

The Internet of Things (IoT) refers to the integration of Internet technology into a wider range of home devices than previously envisaged by most users. Early adopters of IoT may now have homes with Internet-connected lightbulbs, alarm systems, baby monitors and even coffee machines. Internet integration allows owners to have greater flexibility over their devices, making it possible to turn on their air conditioning as they leave work to cool the house before they return, to have curtains that automatically close based on sunset time, or lights that automatically turn off after the owner has left the house. Each individual benefit may seem marginal, but overall they add significant benefit to the owners.


Security News

Filed under
Security
  • Friday's security updates
  • Ten-year-old Windows Media Player hack is the new black, again

    Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.

    The vector is a reborn social engineering hatchet job not seen in years in which attackers convince users to run executable content through Windows Media Player's Digital Rights Management (DRM) functionality.

    Windows Media Player will throw a DRM warning whenever users do not have the rights to play content, opening a URL through which a licence can be acquired.

    Now malware villains are packing popular movies with malicious links so that the DRM warning leads to sites where they're fooled into downloading trojans masquerading as necessary video codecs.

  • Luabot Malware Turning Linux Based IoT Devices into DDoS Botnet

    The IT security researchers at MalwareMustDie have discovered a malware that is capable of infecting Linux-based Internet of Things (IoT) devices and web servers to launch DDoS (Distributed Denial of Service) attacks.

Wireshark 2.2

Filed under
Software
Security
  • Wireshark 2.2 Released

    Wireshark 2.2 features "Decode As" improvements, the various UIs now support exporting packets as JSON, there is new file format decoding support, and a wide range of new protocol support. New protocol coverage includes Apache Cassandra, USB3 Vision Protocol, USIP protocol, UserLog protocol, Zigbee Protocol Clusters, Cisco ttag, and much more.

  • Wireshark 2.2.0 Is Out as the World's Most Popular Network Vulnerability Scanner

    Today, September 7, 2016, the development team behind the world's most popular network protocol analyzer, Wireshark, proudly announced the release of a new major stable version, namely Wireshark 2.2.

    After being in development for the past couple of months, Wireshark 2.2.0 has finally hit the stable channel, bringing with it a huge number of improvements and updated protocols. For those of you who have never heard of Wireshark, we want to remind you that it's an open-source network vulnerability scanner used by security researchers and network administrators for development, analysis, troubleshooting, as well as education purposes.

More in Tux Machines

Red Hat and Fedora

  • Red Hat, Logicalis in digital transformation partnership in Latin America
    PromonLogicalis, a provider of information technology and communication solutions and services in Latin America, and Red Hat, Inc. (NYSE: RHT), the world's leading provider of open source solutions, announced a collaboration that aims to help organizations navigate the digital transformation of their infrastructures to pave the way for cloud and software-defined technologies, and to advance open source technology awareness in the region. Open source is delivering significant advancements in many areas of technology through community-powered innovation, including cloud computing, mobile, big data, and more. And, as companies embrace modern technology as a competitive advantage via digital transformation efforts, many are turning to open source because of the flexibility and agility it can enable.
  • Red Hat Inc. (RHT) Downgraded by Zacks Investment Research to “Hold”
  • An Easy Way To Try Intel & RADV Vulkan Drivers On Fedora 24
    Fedora 25 should have good support for the open-source Vulkan Linux drivers (particularly if it lands the next Mesa release), while Fedora 24 users can now more easily play with the latest Mesa Git RADV and Intel ANV Vulkan drivers via a new repository. A Phoronix reader has set up a Fedora Copr repository that is building Intel's Vulkan driver from Mesa Git plus the RADV Radeon Vulkan driver re-based from its source (David Airlie's semi-interesting GitHub branch). Fedora COPR, for the uninformed, is the distribution's equivalent to Ubuntu PPA repositories.
  • Meeting users, lots of users
    Every year, I introduce Fedora to new students at Brno Technical University. There are approx. 500 of them, and a sizable number of them then install Fedora. We also organize a sort of installfest one week after the presentation where anyone who has had any difficulties with Fedora can come and ask for help. It’s a great opportunity to observe what things new users struggle with the most, especially when you have such a high number of new users. What are my observations this year?

Linux Devices

  • 96Boards SBCs host Intel Joule and Curie IoT modules
    Gumstix announced two SBCs this week, based on Intel Joule and Curie IoT modules and built to 96Boards CE and IE form-factor specifications, respectively. At Linaro Connect Las Vegas 2016, where earlier this week Linaro’s 96Boards.org announced a new 96Boards IoT Edition (IE) spec, Gumstix announced support for 96Boards.org’s open SBC standards with two new single-board computers. Both SBCs will be available for purchase in October.
  • ORWL — First Open Source And Physically Secure PC, Runs Linux And Windows
    ORWL is the first open source, physically secure computer. Using a secure microcontroller (MCU) and an ‘active clamshell mesh’, the device makes sure that nobody breaks the security of the system. Its maker, Design Shift, has also launched a crowdfunding campaign on Crowd Supply.
  • Purism Is Still Hoping To Build A GNU/Linux Free Software Librem Smartphone
    Purism, the startup behind the Librem laptops with a focus on free software and user privacy/freedom, still has their minds set on coming up with a GNU/Linux smartphone. Purism continues selling their high-priced laptops, and their Librem 11 is forthcoming as an Intel-based tablet/convertible device with docking station. Next on their horizon they want to produce "the ideal no-carrier, Free Software phone running a bona fide GNU+Linux stack."

Leftovers: OSS

  • Asterisk 14 Improves Open-Source VoIP
    Digium, the lead commercial sponsor behind the Asterisk open source PBX project, announced the release of Asterisk 14 this week, continuing to evolve the decade-old effort and making it easier to use and deploy.
  • Yahoo open-sources a deep learning model for classifying pornographic images
    Yahoo today announced its latest open-source release: a model that can figure out if images are specifically pornographic in nature. The system uses a type of artificial intelligence called deep learning, which involves training artificial neural networks on lots of data (like dirty images) and getting them to make inferences about new data. The model that’s now available on GitHub under a BSD 2-Clause license comes pre-trained, so users only have to fine-tune it if they so choose. The model works with the widely used Caffe open source deep learning framework. The team trained the model using its now open source CaffeOnSpark system. The new model could be interesting to look at for developers maintaining applications like Instagram and Pinterest that are keen to minimize smut. Search engine operators like Google and Microsoft might also want to check out what’s under the hood here. “To the best of our knowledge, there is no open source model or algorithm for identifying NSFW images,” Yahoo research engineer Jay Mahadeokar and senior director of product management Gerry Pesavento wrote in a blog post.
  • Cloudera, Hortonworks, and Uber to Keynote at Apache Big Data and ApacheCon Europe
  • Vendors Pile on Big Data News at Strata
    Cloudera, Pentaho and Alation are among vendors making Big Data announcements at this week's Strata event. Vendors big and small are making news at this week's Strata + Hadoop event as they try to expand their portion of the Big Data market. Cloudera highlighted a trio of Apache Software Foundation (ASF) projects to which it contributes. Among them is Spark 2.0, which benefits from a new Dataset API that offers the promise of better usability and performance as well as new machine learning libraries.
  • New alliances focus on open-source, data science empowerment
    How can data science make a true market impact? Partnerships, particularly amongst open source communities. As IBM solidifies its enterprise strategies around data demands, two new partnerships emerge: one with Continuum Analytics, Inc., advancing open-source analytics for the enterprise; and another with Galvanize, initiating a Data Science for Executives program. Continuum Analytics, the creator and driving force behind Anaconda — a leading open data science platform powered by Python — has allied with IBM to advance open-source analytics for the enterprise. Data scientists and data engineers in open-source communities can now embrace Python and R to develop analytic and machine learning models in the Spark environment through its integration with IBM’s DataWorks Project. The new agreement between IBM and Galvanize, which provides a dynamic learning community for technology, will offer an assessment, analysis and training element for Galvanize’s Data Science for Executives program. This program empowers corporations to better understand, use and maximize the value of their data. The program will support IBM’s DataFirst Method, a methodology that IBM says provides the strategy, expertise and game plan to help ensure enterprise customers succeed on their journey to become a data-driven business.
  • Apache Spot: open source big data analytics for cyber
  • Chinese open source blockchain startup Antshares raises $4.5M through crowdsourcing [Ed: Microsoft-connected]
  • August and September 2016: photos from Pittsburgh and Fresno
  • Libre Learn Lab: a summit on freely licensed resources for education
    Libre Learn Lab is a two-day summit for people who create, use and implement freely licensed resources for K-12 education, bringing together educators, policy experts, software developers, hardware hackers, and activists to share best practices and address the challenges of widespread adoption of these resources in education. The 2nd biennial conference is Saturday, October 8th, and Sunday, October 9th, at the MIT Tang Center. The keynote addresses will be delivered by the FSF’s own Richard M. Stallman, former Chief Open Education Advisor Andrew Marcinek and founder of HacKIDemia Stefania Druga. At the event, there will be a special tribute to Dr. Seymour Papert (the father of educational computing) by Dr. Cynthia Solomon.

Security Leftovers

  • Friday's security advisories
  • ICANN grinds forward on crucial DNS root zone signing key update
    The Internet Corporation for Assigned Names and Numbers is moving -- carefully -- to upgrade the DNS root zone key by which all domains can be authenticated under the DNS Security Extensions protocol. ICANN is the organization responsible for managing the Domain Name System, and DNS Security Extensions (DNSSEC) authenticates DNS responses, preventing man-in-the-middle attacks in which the attacker hijacks legitimate domain resolution requests and replaces them with fraudulent domain addresses. DNSSEC still relies on the original DNS root zone key generated in 2010. That 1024-bit RSA key is scheduled to be replaced with a 2048-bit RSA key next October. Although experts are split over the effectiveness of DNSSEC, the update of the current root zone key signing key (KSK) is long overdue.
  • Cybersecurity isn't an IT problem, it's a business problem
    The emergence of the CISO is a relatively recent phenomenon at many companies. Their success often relies upon educating the business from the ground up. In the process, companies become a lot better about how to handle security and certainly learn how not to handle it. As a CIO, knowing the pulse of security is critical. I oversee a monthly technology steering committee that all the executives attend. The CISO reports during this meeting on the state of the security program. He also does an excellent job of putting risk metrics out there, color coded by red, yellow, and green. This kind of color grading allows us to focus attention on where we are and what we’re doing about it.