Security

Security Leftovers

Filed under
Security
  • Twitter Community Helps Create Improved Linux Encoder Ransomware

    November 2015 saw the emergence of Linux.Encoder.1, the first piece of ransomware to target vulnerable Linux web servers. A programming flaw allowed Bitdefender researchers to obtain the decryption key and provide victims with a free recovery utility.

  • Plain cruelty: Boffins flay Linux ransomware for the third time

    Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling Bitdefender whitehats.

    The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned to rip it apart.

  • Windows and Linux Malware Linked to Chinese DDoS Tool

    Similar-looking malware targeting both Linux and Windows computers has been linked to a DDoSing toolkit sold by Chinese hackers via the ddos[.]tf service, Malware Must Die! reports.

    The malware, codenamed Linux/DDOSTF (or Linux/MrBlack) targets mainly Linux machines running Elasticsearch servers, but it also attacks and infects Windows systems, particularly older Windows XP and Windows 2003 Server instances.

  • Exploiting Silent Circle's Secure Blackphone

    The highly secure device could have been exploited, were it not for the responsible disclosure by a security researcher.

    Any modern device is made up of multiple hardware and software components, any one of which could represent a potential risk. That's a reality that secure mobile phone vendor Silent Circle has learned with its Blackphone, thanks to the responsible security disclosure from Tim Strazzere, director of mobile research at SentinelOne.

  • Severe Silent Circle Blackphone vulnerability lets hackers take over

    Researchers have revealed a severe vulnerability in Silent Circle's Blackphone which could allow attackers to take control of the device's functions.

    Silent Circle's Blackphone, born after former US National Security Agency (NSA) contractor Edward Snowden exposed the intelligence agency's spying practices on the global stage, is a phone peddled to the privacy-conscious. The Blackphone grants users complete control of app permissions and includes encrypted services such as Silent Phone and Silent Text, designed to prevent surveillance and eavesdropping.

    The device runs on PrivatOS, a custom Android build with a set of security-focused tools.

  • Security Notification and Linode Manager Password Reset

    The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We've retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings.

  • How Hackers Invaded 30 Million Web Servers On The Internet With A Poem

    From an IP address associated with the 32nd Chaos Communication Congress (32c3) taking place in Germany, some unknown hackers sent a poetic message to all the IPv4 addresses on the Internet that had left their web server ports open. Later, the hackers said that they didn’t mean to harm anybody and wished to remind people of the importance of keeping the Internet open and decentralised.

WordPress 4.4.1 Updates for XSS (and 52 other issues)

Filed under
OSS
Security
Web

The first WordPress update of 2016 is out and like many other incremental updates, it is being triggered by a security vulnerability. The single security issue being patched in WordPress 4.4.1 is a cross-site scripting vulnerability that could have potentially enabled a site compromise.

From a general usability and bug perspective there are 52 bugs that WordPress developers are addressing in the 4.4.1 update that spans multiple areas of the popular open-source content management system including.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Third try is no charm for failed Linux ransomware creators

    Getting cryptographic implementations right is difficult. A group of malware creators is currently experiencing that hard truth, to the amusement of security researchers.

    For the past several months, a group of cybercriminals have been infecting Linux systems -- primarily Web servers -- with a file-encrypting ransomware program that the security industry has dubbed Linux.Encoder.

  • Indian Hackers Attack Pakistani Websites In Response To Pathankot Terror Attack

    An Indian hacking collective named Indian Black Hats has defaced multiple Pakistani websites. This Kerala-based group has dedicated the attack to the little daughter of a Pathankot terror attack martyr. The group told fossBytes, “Harming is not our aim..but if anyone pick their eyes on our mother India..we stand for it”.

OpenSSL’s teachable moment: Secure Shell key management in light of open source vulnerabilities

Filed under
OSS
Security

Imagine an Internet without encryption. Credit card numbers would flow in the clear from point to point. Social Security numbers and other personally identifiable information would be sitting ducks for any cyber criminal to make off with. And government secrets wouldn’t stay secret for long.

Canonical Patches New Vulnerability for Ubuntu 15.10's Desktop and Raspberry Pi 2 Kernels

Filed under
Security
Ubuntu

Just a few minutes ago, January 5, 2016, Canonical published several Ubuntu Security Notices to inform Ubuntu users about the availability of new Linux kernel versions for their operating systems.

Also: Xenial Xerus Alpha 1 released!

Security Leftovers

Filed under
Security
  • Microsoft Got Hacked And Didn't Tell Anyone

    Microsoft knew that Chinese spies hacked people using Hotmail accounts for years — and didn’t tell any of the people who were hacked.

  • Are You Ready For Linux Ransomware? [Ed: Are you ready for Linux FUD? Here you go… ]
  • Secure Boot — Fedora, RHEL, and Shim Upstream Maintenance: Government Involvement or Lack Thereof

    Note that there are parts of this chain I’m not a part of, and obviously linux distributions I’m not involved in that support Secure Boot. I encourage other maintainers to offer similar statements for their respective involvement.

  • Security advisories for Monday
  • I am Using Let’s Encrypt on my server now

    I just moved my web server’s SSL/TLS certificates to Let’s Encrypt and I am positively surprised how relatively easy it was.

    In all honesty, it started as a simple “Hullo! What’s this all about?” and after toying with it a bit, I decided to simply use it to replace all my CAcert.org and StartSSL certificates.

  • Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact

    The Dutch government has formally opposed the introduction of backdoors in encryption products.

    A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that "the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands."

    The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.

Security Leftovers

Filed under
Security
  • New Year's Eve security updates
  • The current state of boot security

    I gave a presentation at 32C3 this week. One of the things I said was "If any of you are doing seriously confidential work on Apple laptops, stop. For the love of god, please stop." I didn't really have time to go into the details of that at the time, but right now I'm sitting on a plane with a ridiculous sinus headache and the pseudoephedrine hasn't kicked in yet so here we go.

  • Researcher criticises 'weak' crypto in Internet of Things alarm system

    Security shortcomings in an internet-connected burglar alarm system from UK firm Texecom leave it open to hack attacks, an engineer turned security researcher warns.

    Luca Lo Castro said he had come across shortcomings in the encryption of communication after buying Texecom’s Premier Elite Control Panel and ComIP module and assembling it.

    To be able to control the alarm system remotely, you open a firewall port in the router and do a port forwarding to the internet. But this allows the mobile app to directly connect to the ComIP module over an unencrypted connection, Lo Castro discovered.

    Using Wireshark, he said he had discovered that data traffic between the mobile app and the control panel is done in clear text or encoded to Base64. That means potentially confidential information like the alarm control panel (UDL) password, device name and location are exposed, as a blog post by Lo Castro explains.
