Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Hacking Slack accounts: As easy as searching GitHub

    A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

    According to a blog post published Thursday, company researchers recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.

  • Time for a patch: six vulns fixed in NTP daemon
  • NTP Daemon Gets Fixes for Vulnerabilities Causing DoS and Authentication Bypass
  • Cisco Spots New NTP Bugs
  • Network Time Keeps on Ticking with Long-Running NTP Project [Ed: corrected URL]
  • Open Source Milagro Project Aims to Fix Web Security for Cloud, Mobile, IoT

    As the Internet continues to both grow in size and widen in scope, so do demands on the supporting infrastructure. The number of users and devices, amount of activity, internationalization of the web, and new devices that range from mobile apps and cloud instances to "Internet of Things," put strain on the system. Not just for bandwidth or service availability, but also on the assurance of trust -- trust that the entities at each end are who (or what) they say they are, and that their communications are private and secure.

  • M2Mi Obtains DHS Open-Source Cryptographic Tool Development Funds

    Machine-to-Machine Intelligence Corp. has been awarded $75,000 in funds by the Department of Homeland Security‘s science and technology directorate to create a deployable cryptographic protocol for an Internet of Things security initiative.

  • Encrypted Network Traffic Comes at a Cost

    The use of encryption over the Internet is growing. Fueled by Edward Snowden's revelations on the extent of NSA and GCHQ content monitoring, encryption is now increasingly provided by the big tech companies as part of their standard product offerings. It's effectiveness can be seen in the continuing demands by different governments for these same tech companies to provide government backdoors for that encryption. Encryption works: it safeguards privacy.

    Against this background, the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt network traffic is likely to grow dramatically. Google is encouraging this. It already uses HTTPS as a positive weight for web sites in its search algorithm, while current rumors suggest it will soon start to place a warning red X in the URL bar of sites that do not use it. Taken together, these are strong incentives for businesses that don't currently use SSL/TLS to start doing so. Some predictions believe that almost 70% of network traffic will be encrypted by the end of this year.

  • Raptor Engineering Updates Details On Their POWER8-Based Talos Secure Workstation

    Raptor Engineering has published new information around their proposed high-performance Talos Secure Workstation that for around $3k is a high-end POWER8 motherboard.

Security Leftovers

Filed under
Security
  • The road to hell is paved with SAML Assertions

    A vulnerability in Microsoft Office 365 SAML Service Provider implementation allowed for cross domain authentication bypass affecting all federated domains. An attacker exploiting this vulnerability could gain unrestricted access to a victim's Office 365 account, including access to their email, files stored in OneDrive etc.

  • Cisco Finds Backdoor Installed on 12 Million PCs

    Cisco started analyzing Tuto4PC’s OneSoftPerDay application after its systems detected an increase in “Generic Trojans” (i.e. threats not associate with any known family). An investigation uncovered roughly 7,000 unique samples with names containing the string “Wizz,” including “Wizzupdater.exe,” “Wizzremote.exe” and “WizzInstaller.exe.” The string also showed up in some of the domains the samples had been communicating with.

  • The "Wizzards" of Adware [Ed: unsurprisingly Windows]
  • All About Fraud: How Crooks Get the CVV

    A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.

  • Why We Should Be Worried About Ancient Viruses Infecting Power Plants [Ed: unsurprisingly Windows again]

    The reasons these patients are vulnerable to viruses like W32.Ramnit and Conficker is because they run legacy systems that haven’t been patched or updated for a decade. And that’s fine as long as the operators of the plant keep them isolated and assume they are insecure, hopefully keeping the more critical parts of the network away safer.

  • Magical Thinking in Internet Security

    Increased complexity without corresponding increases in understanding would be a net loss to a buyer. At scale, it's been a net loss to the world economy.

  • Edward Snowden: The Internet Is Broken

    In 2013, a now-infamous government contractor named Edward Snowden shined a stark light on our vulnerable communications infrastructure by leaking 10,000 classified U.S. documents to the world.

    One by one, they detailed a mass surveillance program in which the National Security Administration and others gathered information on citizens — via phone tracking and tapping undersea Internet cables.

    Three years after igniting a controversy over personal privacy, public security, and online rights that he is still very much a part of, Snowden spoke with Popular Science in December 2015 and shared his thoughts on what's still wrong and how to fix it.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • German nuclear plant infected with computer viruses, operator says

    A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday.

    The Gundremmingen plant, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE (RWEG.DE).

    The viruses, which include "W32.Ramnit" and "Conficker", were discovered at Gundremmingen's B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.

    Malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant's operating systems. RWE said it had increased cyber-security measures as a result.

  • Death of the enterprise VPN - if remote access is not secure what comes next? [iophk: "Spam. Besides, if an app cannot be put on the net without a VPN then it does not belong on the net in the first place."]

    VPNs are the backbone of enterprise remote access and yet their security limitations are starting to pile up. The problem is that the very thing that once made them so useful, network access, is now their biggest weakness. As the 2014 attacks on retailers Target and Home Depot painfully illustrate, this architecture can easily be exploited by attackers armed with stolen credentials to move around networks from within in ways that are difficult to spot until it’s too late.

GNOME Software Bug Doesn't Let Ubuntu 16.04 LTS Users Install Third-Party Debs

Filed under
GNOME
Security
Ubuntu

We've been tipped earlier by one of our readers that there's a bug in the GNOME Software (Ubuntu Software) package manager which doesn't let users install third-party .deb files in Ubuntu 16.04 LTS.

Read more

Security Leftovers

Filed under
Security

Security support for Wheezy handed over to the LTS team

Filed under
Security
Debian

As of 25 April, one year after the release of Debian 8, alias "Jessie", and nearly three years after the release of Debian 7, alias "Wheezy", regular security support for Wheezy comes to an end. The Debian Long Term Support (LTS) Team will take over security support.

Read more

Also: Debian GNU/Linux 7 "Wheezy" Has Become an LTS Release, Supported Until May 2018

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Why I gave your paper a Strong Reject

    Writing a bunch of wordy bullshit that doesn't mean anything. Trust me, you're not going to wow and amaze the program committee by talking about dynamic, scalable, context-aware, Pareto-optimal middleware for cloud hosting of sensing-intensive distributed vehicular applications. If your writing sounds like the automatically-generated, fake Rooter paper ("A theoretical grand challenge in theory is the important unification of virtual machines and real-time theory. To what extent can web browsers be constructed to achieve this purpose?"), you might want to rethink your approach. Be concise and concrete. Explain what you're doing in clear terms. Bad ideas won't get accepted just because they sound fancy.

  • Computer System Security Policy Debate (Follow-up)

    The challenge is that political people see everything as a political/policy issue, but this isn’t that kind of issue. I get particularly frustrated when I read ignorant ramblings like this that dismiss the overwhelming consensus of the people that actually understand what needs to be done as emotional, hysterical obstructionism. Contrary to what seems to be that author’s point, constructive dialogue and understanding values does nothing to change the technical risks of mandating exceptional access. Of course the opponents of Feinstein-Burr decry it as technologically illiterate, it is technologically illiterate.

Security Leftovers

Filed under
Security
  • Let's Encrypt Reaches 2,000,000 Certificates

    Earlier today, the Let's Encrypt certificate authority issued its two millionth certificate, less than two months after the millionth certificate. As we noted when the millionth certificate was issued, each certificate can cover several web sites, so the certificates Let's Encrypt has issued are already protecting millions and millions of sites.

  • Hackers Make This Search Engine Out Of 70 Million Voters’ Data

    Did you ever imagine an easily-browsable hacked data available to public and that too in the form of a search engine? Well, here is one of those interesting hacking cases where hackers made a search engine out of the hacked data of the 70 million citizens of Philippines and anyone can easily search for everybody else.

  • How Big Is Your Target?

    In his 2014 TED presentation Cory Doctorow compares an open system of development to the scientific method and credits the methods for bringing mankind out of the dark ages. Tim Berners-Lee has a very credible claim to patent the technology that runs the internet, but instead has championed for its open development. This open development has launched us forward into a brave new world. Nearly one third of all internet traffic rides on just one openly developed project. Its place of dominance may be unsure as we approach a world with cybersecurity headlines. Those headlines do much to feed the industry of fear resulting in government efforts to close doors on open source efforts.

    This paper is a qualitative theoretical discussion regarding cyber security and open source solutions written in three parts. Its goal is to demonstrate that the use of open source technologies reduces vulnerability to cyber attacks. The first part of this paper identifies the difficulties in presenting a software consideration model capable of illustrating the full spectrum of expectations for the performance of today’s code. Previous models merely address basic requirements for execution namely security, functionality & usability. While these aspects are important they fail to take into account modern requirements for maintenance, scalability, price, reliability and accessibility of software. This part of the paper modernizes the model developed by Andrew Waite and presents a clear model for software discussion.

Syndicate content

More in Tux Machines

Red Hat News

  • Building MySQL DBaaS on OpenStack And Ceph Clouds
    With a properly configured OpenStack deployment and Red Hat Ceph storage backend, DBaaS clients merely go to a self-service interface and request the number and configuration of databases they require. OpenStack dynamically provisions the required storage capacity from the appropriate Ceph storage pool. No more manual placement of these database instances on MySQL clusters of various shapes and sizes. This manual exercise was a bit like playing the old Tetris game, trying to fit new database instances into fixed-sized clusters, followed by moving or rearranging them to new clusters when they outgrew available capacity.
  • Now available: The Open Organization Leaders Manual
    Available now, The Open Organization Leaders Manual is a community-produced companion to Jim Whitehurst's The Open Organization. With contributions from more than 15 authors, it explores new attitudes and practices leaders should adopt when leveraging the power of transparecy, meritocracy, inclusivity, sharing, and collaboration to build the workplaces of the future.
  • Red Hat Inc (RHT) Stake Maintained by Verde Servicos Internacionais S.A.
  • National Pension Service Purchases 12,387 Shares of Red Hat Inc (RHT)

7 cool little open source projects that stood out in 2016

In the early days of the open source movement, a lot of the attention was on operating systems, and later on large content management systems. These days, containers are mentioned regularly even in mainstream news outlets. The big tech stories are great, but they miss the other great activity in the niches of the open source space. I've rounded up seven interesting lesser-known projects from the past year. You can see more articles about projects like this in my Nooks and Crannies column. Read more

RaspArch, the Arch Linux Remix for Raspberry Pi 3 SBCs, Now Shipping with Yaourt

After announcing the release of a new version of his Ubuntu-based ExTiX Linux operating system for Intel Compute Stick devices, Arne Exton has announced today the availability of RaspArch Build 161205. RaspArch is a remix of Arch Linux ARM for Raspberry Pi 3 and Raspberry Pi 2 single-board computers, and the latest release is shipping with the long-term supported Linux 4.4.35 kernel and the latest package versions released upstream as of December 5, 2016. "When you have installed RaspArch to your Micro SD Card you can use the system like any other Arch Linux system, i.e. install new programs, etc," said Arne Exton in the release announcement. "Arch motto is KISS (Keep It Simple Stupid). RaspArch uses kernel 4.4.35-1-ARCH and the LXDE Desktop environment." Read more

Gentoo-Based Porteus Kiosk 4.2 Released with Linux Kernel 4.4.36, Firefox 45.5.1

Porteus Solutions, through Tomasz Jokiel, announced today the release and immediate availability of Porteus Kiosk 4.2.0, the latest stable version of the free and open source Gentoo-based kiosk operating system for web terminals. Powered by the latest long-term supported Linux 4.4.36 kernel, Porteus Kiosk 4.2.0 ships with some of the latest and greatest GNU/Linux technologies and Open Source software projects, including the recently released X.Org Server 1.18.4 display server, as well as the Mozilla Firefox 45.5.1 ESR and Google Chrome 54.0.2840.100 web browsers. Read more