Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Facebook, Uber, Slack, and Pandora Pros Praise Free Security Tools

    Proponents of open source software argue that by letting passionate developers get involved and tweak underlying code, the tools they create are stronger and more reliable. Plus, for companies looking to bolster their digital defenses, the software has the added benefit of being free.

  • LibreSSL 2.5
  • LibreSSL 2.5 Released With New Features, iOS Support

    LibreSSL 2.5.0 is available today as the newest version of this growing fork of OpenSSL led by the OpenBSD project.

    LibreSSL 2.5's libtls implementation now supports ALPN and SNI while handling four cipher suite groups, there is tightened error handling in some areas, support for OCSP intermediate certificates, initial support for Apple's iOS platform, and a variety of other fixes and functionality improvements.

Security News

Filed under
Security
  • Sloppy programming leads to OpenSSL woes
  • OpenSSL Fixes Critical Bug Introduced by Latest Update

    OpenSSL today released an emergency security update after a patch in its most recent update issued last week introduced a critical vulnerability in the cryptographic library.

  • The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks

    Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.

  • Trump Offers More Insight On His Cybersecurity Plans: 10-Year-Old Relatives Vs. 400-lb Bedroom Dwellers

    Look, anyone who refers to cybersecurity or cyberwarfare as "the cyber" is probably better off not discussing this. But Donald Trump, in last night's debate, felt compelled to further prove why he's in no position to be offering guidance on technological issues. And anyone who feels compelled to portray hackers as 400-lb bedroom dwellers probably shouldn't be opening their mouth in public at all.

    With this mindset, discussions about what "the Google" and "the Facebook" are doing about trimming back ISIS's social media presence can't be far behind. Trump did note that ISIS is "beating us at our game" when it comes to utilizing social media. Fair enough.

Security News

Filed under
Security
  • Tuesday's security updates
  • New Open Source Linux Ransomware Divides Infosec Community

    Following our investigation into this matter, and seeing the vitriol-filled reaction from some people in the infosec community, Zaitsev has told Softpedia that he decided to remove the project from GitHub, shortly after this article's publication. The original, unedited article is below.

  • Fax machines' custom Linux allows dial-up hack

    Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection.

    The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line.

    The firmware is custom Linux, giving the printers a familiar networking environment for bad actors looking to exploit the fax line as an attack vector. Once they're in that ancient environment, it's possible to then move onto the network to which the the printer's connected.

    Yves-Noel Weweler, Ralf Spenneberg and Hendrik Schwartke of Open Source Training in Germany discovered the bug, which occurs because Epson WorkForce multifunction printers don't demand signed firmware images.

  • Google just saved the journalist who was hit by a 'record' cyberattack

    Google just stepped in with its massive server infrastructure to run interference for journalist Brian Krebs.

    Last week, Krebs' site, Krebs On Security, was hit by a massive distributed denial-of-service (DDoS) attack that took it offline, the likes of which was a "record" that was nearly double the traffic his host Akamai had previously seen in cyberattacks.

    Now just days later, Krebs is back online behind the protection of Google, which offers a little-known program called Project Shield to help protect independent journalists and activists' websites from censorship. And in the case of Krebs, the DDoS attack was certainly that: The attempt to take his site down was in response to his recent reporting on a website called vDOS, a service allegedly created by two Israeli men that would carry out cyberattacks on behalf of paying customers.

  • Krebs DDoS aftermath: industry in shock at size, depth and complexity of attack

    “This attack didn’t stop, it came in wave after wave, hundreds of millions of packets per second,” says Josh Shaul, Akamai’s vice president of product management, when Techworld spoke to him.

    “This was different from anything we’ve ever seen before in our history of DDoS attacks. They hit our systems pretty hard.”

    Clearly still a bit stunned, Shaul describes the Krebs DDoS as unprecedented. Unlike previous large DDoS attacks such as the infamous one carried out on cyber-campaign group Spamhaus in 2013, this one did not use fancy amplification or reflection to muster its traffic. It was straight packet assault from the old school.

  • iOS 10 makes it easier to crack iPhone back-ups, says security firm

    INSECURITY FIRM Elcomsoft has measured the security of iOS 10 and found that the software is easier to hack than ever before.

    Elcomsoft is not doing Apple any favours here. The fruity firm has just launched the iPhone 7, which has as many problems as it has good things. Of course, there are no circumstances when vulnerable software is a good thing, but when you have just launched that version of the software, it is really bad timing.

    Don't hate the player, though, as this is what Elcomsoft, and what Apple, are supposed to be doing right.

    "We discovered a major security flaw in the iOS 10 back-up protection mechanism. This security flaw allowed us to develop a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) back-ups made by iOS 10 devices," said Elcomsoft's Oleg Afonin in a blog post.

  • After Tesla: why cybersecurity is central to the car industry's future

    The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security.

    This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production.

    This leads to a ‘fire brigade approach’ to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market.

Security News

Filed under
Security
  • Canonical Patches OpenSSL Regression in Ubuntu 16.04 LTS, 14.04 LTS & 12.04 LTS

    After announcing a few days ago that a new, important OpenSSL update is available for all supported Ubuntu Linux operating systems, Canonical's Marc Deslauriers now informs the community about another patch to address a regression.

    The new security advisory (USN-3087-2) talks about a regression that was accidentally introduced along with the previous OpenSSL update (as detailed on USN-3087-1), which addressed no less than eleven (11) security vulnerabilities discovered upstream by the OpenSSL team.

  • Patch AGAIN: OpenSSL security fixes now need their own security fixes
  • Bangladesh Bank exposed to hackers by cheap switches, no firewall: Police
  • This is the Israeli company that can hack any iPhone and Android smartphone

    If Cellebrite sounds familiar, that’s because the name of this Israeli company came up during Apple’s standoff with the FBI over breaking iPhone encryption. The agency managed to crack the San Bernardino iPhone with the help of an undisclosed company. Many people believe it was Cellebrite that came to the rescue. Meanwhile, the company revealed that it could hack just about any modern smartphone, but refused to say whether its expertise is used by the police forces of repressive regimes.

  • Reproducible Builds: week 74 in Stretch cycle
  • East-West Encryption: The Next Security Frontier?

    Microsegmentation, a method to create secure, virtual connections in software-defined data centers (SDDCs), has already emerged as one of the primary reasons to embrace network virtualization (NV). But some vendors believe that East-West encryption of traffic inside the data center could be the next stop in data-center security.

    For example, VMware says it is looking at encrypting East-West traffic inside the data center, adding another layer of security to the SDDC. Why is that important? Today, most firewalls operate on the perimeter of the data center – either guarding or encrypting data leaving the data center for the WAN. And some security products may encrypt data at rest inside the data center. But encrypting the traffic in motion between servers inside the data center – known in the business as the East-West traffic – is not something that’s typically done.

  • DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things [Ed: In the UK, GCHQ meddles in the Surveillance of Things in the name of 'security' while at the same time, with Tories' consent, cracking PCs]

    It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part.

IPFire 2.19 Linux Firewall OS Patched Against the Latest OpenSSL Vulnerabilities

Filed under
Linux
Security

Only three days after announcing the release of IPFire 2.19 Core Update 104, Michael Tremer informs the community about the availability of a new update, Core Update 105, which brings important OpenSSL patches.

Read more

Tor Project Releases Tor (The Onion Router) 0.2.8.8 with Important Bug Fixes

Filed under
GNU
Linux
Security

The Tor Project announced recently the release of yet another important maintenance update to the stable Tor 0.2.8.x series of the open-source and free software to protect your anonymity while surfing the Internet.

Read more

Security News

Filed under
Security
  • Security advisories for Monday
  • OpenSSL security advisory for September 26

    This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again.

  • Who left all this fire everywhere?

    If you're paying attention, you saw the news about Yahoo's breach. Five hundred million accounts. That's a whole lot of data if you think about it. But here's the thing. If you're a security person, are you surprised by this? If you are, you've not been paying attention.

Antivirus Live CD 20.0-0.99.2 Uses ClamAV 0.99.2 to Protect Your PC from Viruses

Filed under
Linux
Security

Today, September 25, 2016, 4MLinux developer Zbigniew Konojacki informs Softpedia about the immediate availability for download of a new, updated version of his popular, independent, free, and open source Antivirus Live CD.

Read more

Parsix GNU/Linux 8.10 "Erik" Gets the Latest Debian Security Fixes, Update Now

Filed under
GNU
Linux
Security

A few minutes ago, the development team behind the Debian-based Parsix GNU/Linux computer operating system announced that new security fixes are now available for the Parsix GNU/Linux 8.10 "Erik" release.

Read more

Security Leftovers

Filed under
Security
  • Krebs Goes Down, Opera Gets a VPN & More…

    Krebs on Security in record DDOS attack: Everybody’s go-to site for news and views of security issues, has been temporarily knocked offline in a DDOS attack for the record books. We first heard about the attack on Thursday morning after Brian Krebs reported that his site was being hit by as much as 620 Gbs, more than double the previous record which was considered to be a mind-blower back in 2013 when the anti-spam site Spamhaus was brought to its knees.

    Security sites such as Krebs’ that perform investigative research into security issues are often targets of the bad guys. In this latest case, Ars Technica reported the attack came after Krebs published the identity of people connected with vDOS, Israeli black hats who launched DDOS attacks for pay and took in $600,000 in two years doing so. Akamai had been donating DDoS mitigation services to Krebs, but by 4 p.m. on the day the attack began they withdrew the service, motivated by the high cost of defending against such a massive attack. At this point, Krebs decided to shut down his site.

  • Upgrade your SSH keys!

    When generating the keypair, you're asked for a passphrase to encrypt the private key with. If you will ever lose your private key it should protect others from impersonating you because it will be encrypted with the passphrase. To actually prevent this, one should make sure to prevent easy brute-forcing of the passphrase.

    OpenSSH key generator offers two options to resistance to brute-force password cracking: using the new OpenSSH key format and increasing the amount of key derivation function rounds. It slows down the process of unlocking the key, but this is what prevents efficient brute-forcing by a malicious user too. I'd say experiment with the amount of rounds on your system. Start at about 100 rounds. On my system it takes about one second to decrypt and load the key once per day using an agent. Very much acceptable, imo.

  • Irssi 0.8.20 Released
  • What It Costs to Run Let's Encrypt

    Today we’d like to explain what it costs to run Let’s Encrypt. We’re doing this because we strive to be a transparent organization, we want people to have some context for their contributions to the project, and because it’s interesting.

    Let’s Encrypt will require about $2.9M USD to operate in 2017. We believe this is an incredible value for a secure and reliable service that is capable of issuing certificates globally, to every server on the Web free of charge.

    We’re currently working to raise the money we need to operate through the next year. Please consider donating or becoming a sponsor if you’re able to do so! In the event that we end up being able to raise more money than we need to just keep Let’s Encrypt running we can look into adding other services to improve access to a more secure and privacy-respecting Web.

  • North Korean DNS Leak reveals North Korean websites

    One of North Korea’s top level DNS servers was mis-configured today (20th September 2016) accidentally allowing global DNS zone transfers. This allowed anyone who makes a zone transfer request (AXFR) to retrieve a copy of the nation’s top level DNS data.

    [...]

    This data showed there are 28 domains configured inside North Korea, here is the list:

    airkoryo.com.kp
    cooks.org.kp
    friend.com.kp
    gnu.rep.kp
    kass.org.kp
    kcna.kp
    kiyctc.com.kp
    knic.com.kp
    koredufund.org.kp
    korelcfund.org.kp
    korfilm.com.kp
    ma.gov.kp
    masikryong.com.kp
    naenara.com.kp
    nta.gov.kp
    portal.net.kp
    rcc.net.kp
    rep.kp
    rodong.rep.kp
    ryongnamsan.edu.kp
    sdprk.org.kp
    silibank.net.kp
    star-co.net.kp
    star-di.net.kp
    star.co.kp
    star.edu.kp
    star.net.kp
    vok.rep.kp

  • Yahoo’s Three Hacks

    As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

    But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

Syndicate content

More in Tux Machines

Leftovers: Software

today's howtos

GNU/Linux Desktop Security

  • How to Safely and Securely Back Up Your Linux Workstation
    Even seasoned system administrators can overlook Linux workstation backups or do them in a haphazard, unsafe manner. At a minimum, you should set up encrypted workstation backups to external storage. But it’s also nice to use zero-knowledge backup tools for off-site/cloud backups for more peace of mind. Let’s explore each of these methods in more depth. You can also download the entire set of recommendations as a handy guide and checklist.
  • Google zero-trust security framework goes beyond passwords
    With a sprawling workforce, a wide range of devices running on multiple platforms, and a growing reliance on cloud infrastructure and applications, the idea of the corporate network as the castle and security defenses as walls and moats protecting the perimeter doesn’t really work anymore. Which is why, over the past year, Google has been talking about BeyondCorp, the zero-trust perimeter-less security framework it uses to secure access for its 61,000 employees and their devices.

Leftovers: Gaming