Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Allwinner Leaves Root Exploit in Linux Kernel, Putting ARM Devices at Risk

    Running a Bitcoin node on your ARM single board computer? Fan of cheap Chinese tablets and smartphones? Maybe you contributed to the recent CHIP computer Kickstarter, or host a wallet on one of these devices. Well, if any of these applies to you, and your device is powered by an Allwinner SoC, you should probably wipe it and put an OS on it with the most recent kernel release. Why? Allwinner left a development “tool” on their ARM Linux kernel that allows anyone to root their devices with a single command. This oversight has serious security implications for any Allwinner powered device, especially so for those of us hosting sensitive data on them.

  • 5 steps to reduce cyber vulnerabilities

    The National Vulnerability Database (NVD) — the U.S. government’s repository of standards-based vulnerability management data — says 2015 was another blockbuster year for security vulnerabilities with an average of 17 new vulnerabilities added per day.

    While IT managers can somewhat breathe a collective sigh of relief that the total number of vulnerabilities actually decreased from 7,937 in 2014 to 6,270 in 2015, there’s no time to relax. According to NVD data, 37 percent of vulnerabilities reported in 2015 were classified as highly severe, up from 24 percent in 2014.

  • How to Get an Open Source Security Badge from CII

    Everybody loves getting badges. Fitbit badges, Stack Overflow badges, Boy Scout merit badges, and even LEED certification are just a few examples that come to mind. A recent 538 article "Even psychologists love badges" publicized the value of a badge.

  • 4 Steps To Secure Serverless Applications

    Serverless applications remove a lot of the operational burdens from your team. No more managing operating systems or running low level infrastructure.

    This lets you and your team focus on building…and that’s a wonderful thing.

  • IPv6 support finally coming to Fail2Ban with next major release

    The reaction to this headline from sysadmins who deploy Fail2Ban on an IPv6 enabled system is probably: “Fail2Ban doesn’t support IPv6‽” At least, that seems to be the reaction most admins have posted on forums and social media when they learn that Fail2Ban doesn’t support IPv6. Now Fail2Ban’s IPv4-only limitation is about to be lifted.

    Fail2Ban is a tool that identifies unwanted behaviors by monitoring service logs, and can act upon that by banning offending IP addresses temporarily. Up until recently, Fail2Ban only supported IPv4 although it’s almost certainly running on many IPv6 capable systems as well.

  • Tor Browser announces stable 6.0 release

    The Tor Browser team has announced the first stable version of its 6.0 release. It can be downloaded from the project's website.

    The browser is based on Firefox ESR and this release brings it up-to-date with Firefox 45-ESR, providing better support for HTML5 video on YouTube.

Security Leftovers (Primarily Windows)

Filed under
Security
  • Doing a 'full scan' of the Internet right now

    I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.

  • A Hacker Is Selling Dangerous Windows Exploit, Making All Versions Of OS Hackable

    A hacker is selling a dangerous zero day vulnerability on a Russian cybercrime website. This exploit is said to be affecting more than 1.5 billion Windows users as it works on all version of Windows. The hacker wishes to sell the complete source code and demo of the exploit to any person who pays him $90,000 in bitcoin.

  • Microsoft warns of self-propagating ransomware

    The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.

    The ransomware would run at boot and drop a file autorun.inf in removable drives, a zycrypt.lnk in the start-up folder and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.

    It would then change the file attributes to hide itself from the user in file explorer.

  • Windows 10 Surface Book: Microsoft Keeps ‘Sleep of Death’ bug

    It seems like Microsoft will not be fixing the ‘Sleep of Death’ bug, even though most of the Surface Book users face the problem.

    During the recent quarterly earnings report, Microsoft pointed out that the Surface line is getting popularity in the market. Microsoft also said that it has turned out to be the growth leader in its More Personal Computing line of business.

    At the event, the company said that the device has brought 61 percent growth.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Security challenges for the Qubes build process

    Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us. Ideally, we would also somehow combine this with Intel SGX, but this might be trickier than it sounds.

  • Katy Perry’s Twitter Account With 90 Million Followers Hacked

    Notably, with 90 million followers, Katy Perry is the most followed person on the platform.

Google and Oracle

Filed under
Google
Security
Legal

Security Leftovers (Parrot Security OS 3.0 “Lithium”, Regulation)

Filed under
Security
  • Parrot Security OS 3.0 “Lithium” — Best Kali Linux Alternative Coming With New Features

    The Release Candidate of Parrot Security OS 3.0 ‘Lithium’ is now available for download. The much-anticipated final release will come in six different editions with the addition of Libre, LXDE, and Studio editions. The version 3.0 of this Kali Linux alternative is based on Debian Jessie and powered by custom hardened Linux 4.5 kernel.

  • Regulation can fix security, except you can't regulate security

    Every time I start a discussion about how we can solve some of our security problems it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry, I'm not sure they work for security. First let's talk about why regulation usually works, then, why it won't work for security.

Parrot Security OS 3.0 "Lithium" Is a Linux Distro for Cryptography & Anonymity

Filed under
GNU
Linux
Security

A few days ago, Parrot Security OS developer Frozenbox Network teased users on Twitter with the upcoming release of the long anticipated Parrot Security OS 3.0 "Lithium" distribution.

Based on the latest Debian GNU/Linux technologies and borrowing many of the packages from the Debian 8 "Jessie" stable repositories, Parrot Security OS 3.0 just received new Release Candidate (RC) ISO builds that users can now download and install on their personal computer if they want to get an early taste of what's coming.

Read more

Security Leftovers

Filed under
Security

Black Duck's Free Tool Digs Out Open Source Bugs

Filed under
OSS
Security

The main advantage of such tools is ease of use. The main limitation is that a tool is only as effective as its creators' list of vulnerabilities. Using a given tool implies that you trust the vendor to stay alert and on the job, noted King.

Developers have "a ton of other similar offerings out there," he said. By offering a free scanner, Black Duck can draw attention to its other products.

"If the new tool delivers what the company promises, it will help put the company in good stead with customer developers. Satisfied customers tend to be repeat customers," King said.

Read more

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Judge Says The FBI Can Keep Its Hacking Tool Secret, But Not The Evidence Obtained With It

    Michaud hasn't had the case against him dismissed, but the government will now have to rely on evidence it didn't gain access to by using its illegal search. And there can't be much of that, considering the FBI had no idea who Michaud was or where he resided until after the malware-that-isn't-malware had stripped away Tor's protections and revealed his IP address.

    The FBI really can't blame anyone but itself for this outcome. Judge Bryan may have agreed that the FBI had good reason to keep its technique secret, but there was nothing preventing the FBI from voluntarily turning over details on its hacking tool to Michaud. But it chose not to, despite his lawyer's assurance it would maintain as much of the FBI's secrecy as possible while still defending his client.

    Judge Bryan found the FBI's ex parte arguments persuasive and declared the agency could keep the info out of Michaud's hands. But doing so meant the judicial playing field was no longer level, as he acknowledged in his written ruling. Fortunately, the court has decided it's not going to allow the government to have its secrecy cake and eat it, too. If it wants to deploy exploits with minimal judicial oversight, then it has to realize it can't successfully counter suppression requests with vows of silence.

  • Researcher Pockets $30,000 in Chrome Bounties

    Having cashed in earlier in May to the tune of $15,500, Mlynski pocketed another $30,000 courtesy of Google’s bug bounty program after four high-severity vulnerabilities were patched in the Chrome browser, each worth $7,500 to the white-hat hacker.

Kali Linux Alternative: BackBox Linux 4.6 Released With Updated Hacking Tools

Filed under
GNU
Linux
Security

BackBox Linux, a Kali Linux alternative, is here with its latest version i.e. BackBox Linux 4.6. Based on Ubuntu Linux, this hacking operating system is now available for download with updated hacking tools and Ruby 2.2.

Read more

Syndicate content

More in Tux Machines

Red Hat rides the IoT wave with open-source

In the past, only companies with the deepest pockets were able to benefit from gathering data from distributed devices to drive better decision making and realize additional revenue. Today, the economics of the IoT architecture--the hardware, the ubiquitous nature of connectivity, big data and analysis, and customer expectations are dramatically expanding the scope of IoT and making it possible for every enterprise--and not just consumers--to benefit. Read more

More .NET Openwashing

GeckoLinux 421.160623.0 Rolling Editions Out Based on Latest openSUSE Tumbleweed

This past weekend, the developers behind the openSUSE-based GeckoLinux computer operating system have announced the release of updated Rolling Editions, version 421.160623.0. Being the first time we write here about GeckoLinux, we would like to inform our readers that it's a versatile GNU/Linux distributions distributed in many flavors that are split into two main editions, Rolling Editions, based on openSUSE Tumbleweed and Static Editions, based on openSUSE Leap. Read more

Red Hat Updates JBoss for Cloud Migration