Language Selection

English French German Italian Portuguese Spanish

Security

FOSS in Government (US and UK)

Filed under
OSS
Security
  • Dear The Sun: we need to talk about your understanding of open source

    I want to talk to you about this article, and the claims it makes about open source software. I would have liked to chat to your cited expert, whom you’ve listed only as Neil Doyle. Sadly, the article fails to specify his area of expertise and both messages and emails to author Ryan Sabey asking for further information have gone unanswered. So I’m responding to it here, supported by some brilliant, contactable experts in security and open source.

    After sitting open-mouthed at the misinformation in this article for some time, I began to reach out to fellow tech experts to see if they felt the same. I first contacted Dr. Jessica Barker, the independent cybersecurity authority behind cyber.uk. I asked if she could address the concerns you raised that use of open source software in the public sector would pose security risks.

    [...]

    “The Sun seems to be implying that open source software is more vulnerable to attack than closed source, which is a sweeping misunderstanding that fails to take the complex nature of cybersecurity into account.

    Both open source and closed source software can be vulnerable to exploit, however these vulnerabilities are arguably more likely to be discovered in open source rather than closed source software as more people (including security researchers) are able to look at it. By its nature, it is publicly available and so it’s harder to hide malicious vulnerabilities”.

  • DOD Aims to Make Cybersecurity a Fundamental Part of Its Tech Mission
  • The Department of Software?

    Well-developed software can make or break modern weapons systems. Software problems initially hindered F-35 production, for example. The Department of Defense (DOD) set up a Digital Service team last year to help the military solve its information technology problems. Future work on autonomous systems will heavily rely on software development. Most importantly, the DOD will have to protect its own data. To improve the DOD’s use of software, the Center for a New American Security (CNAS) looked at how the Pentagon could better use “open source software.” While the DOD uses some open source software, its full utilization for military software development will require deeper changes to how the DOD approaches code.

  • John Weathersby: Selling Open Source to the Federal Government

    John Weathersby founded and ran the Open Source Software Institute to “promote the development and implementation of open source software solutions within U.S. federal, state, and local government agencies.” A worthy goal!

    But why stick to nothing but software? In 2014, Weathersby founded The Open Technology Center at Camp Shelby Joint Forces Training Center (in Mississippi), which is a “non-profit research and development entity sponsored by the Mississippi National Guard and U.S. Department of Homeland Security whose mission is to innovate and integrate open source software technologies for use within national defense and security organizations.”

    The OTC is doing some neat stuff, ranging from autonomous vehicles to making it easier for local governments to request, receive, and account for disaster recovery funds in the wake of an emergency. It’s all good! And it’s all about open source, which is why it’s worth listening to what Weathersby has to say.

Security Leftovers

Filed under
Security
  • DDoS attacks: For the hell of it or targeted – how do you see them off?

    Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative.

    DDoS attacks can be massive, in some cases reaching hundreds of Gbits/sec, but those mammoths are relatively rare. For the most part, attackers will flood companies with around 1 Gbit/sec of traffic or less. They’re also relatively short affairs, with most attacks lasting 30 minutes or less. This enables attackers to slow down computing resources or take them offline altogether while flying under the radar, making it especially difficult for companies to detect and stop them.

  • IoT and a new type of threat for Linux

    Linux has played a significant role in establishing IoT devices as increasingly important parts of our everyday lives, both at home and in the enterprise. Linux based OSes make it easy for developers to create applications that can run on anything, from a fridge to a car, and as a result 73 percent of IoT developers use Linux to run applications on.

    Now, however, questions of security are arising. With IoT gesturing in a brave new world of connected devices, businesses must cope with a greater number of entry points and vulnerabilities, with security the top concern in the industry.

    By placing such a burden on Linux’s security capabilities, there are now real fears that IoT devices will be left exposed and businesses will pay the price.

  • NIST Seeks Comments on Cybersecurity Reports

    The US National Institute of Standards and Technology (NIST) has recently issued two draft reports on cybersecurity issues of interest to industrial IoT users, and is seeking industry comment before making their final revisions. One report describes the proposed manufacturing profile for NIST's Cybersecurity Framework. The other addresses cryptography standards and practices for resource-constrained processors.

    Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, NIST created in 2014 a voluntary Cybersecurity Framework, which is a compendium of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector, the Framework helps guide cybersecurity activities and encourages organizations to consider cybersecurity risks as part of their risk management processes. Profiles, a key element of the Framework, help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. A profile is intended both to help identify opportunities for improving cybersecurity as well as providing a touchstone to compare against in order to prioritize process improvement activities.

  • Hackers Able To Control Tesla S Systems From Twelve Miles Away

    Over the last few years, we've well documented the abysmal security in the internet of things space. And while refrigerators that leak your Gmail credentials are certainly problematic, the rise in exploitable vehicle network security is exponentially more worrying. Reports emerge almost monthly detailing how easy it is for hackers to bypass vehicle security, allowing them to at best fiddle with in-car systems like air conditioning, and at worst take total control of a compromised vehicle. It's particularly problematic given these exploits may take years to identify and patch.

Security News

Filed under
Security
  • Bug that hit Firefox and Tor browsers was hard to spot—now we know why

    As a result, the cross-platform, malicious code-execution risk most recently visited users of browsers based on the Firefox Extended Release on September 3 and lasted until Tuesday, or a total of 17 days. The same Firefox version was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.

  • Florida Man Charged With Hacking Linux Servers

    Donald Ryan Austin of South Florida has been arrested on charges of hacking into the networks of Linux Kernel Organization and Linux Foundation and installing malicious software. A US Department of Justice (DoJ) release said Austin, who is a computer programmer, is now out on bail and could face a maximum sentence of 10 years if convicted.

    According to the indictment, Austin stole the credentials of an employee to break into the Linux networks and installed rootkit and Trojan software apart from altering the servers. He has been charged with four counts of deliberate damage to a protected computer.

  • Why do hackers prefer Linux?

    Linux has much to offer any computer user, but it has proven to be particularly popular with hackers. A writer at The Merkle recently considered the reasons why hackers have so much love for Linux.

  • How To Get “Hollywood Hacker Feel” In Your Linux Command Line?

    A developer has created a command line utility which can give you the feel of Hollywood movie hacker. His tool replicates the decrypting text seen from the 1992 hacker movie Sneakers. The code is freely available on his GitHub page.

Security News

Filed under
Security
  • Security updates for Tuesday
  • Aid Security Incident Statistics: 18-month trends based on open source reported events affectng aid infrastructure (December 2014 to May 2016)
  • Easy Secure Web Serving with OpenBSD’s acme-client and Let’s Encrypt

    s recently as just a few years ago, I hosted my personal website, VPN, and personal email on a computer running OpenBSD in my basement. I respected OpenBSD for providing a well-engineered, no-nonsense, and secure operating system. But when I finally packed up that basement computer, I moved my website to an inexpensive cloud server running Linux instead.

    Linux was serviceable, but I really missed having an OpenBSD server. Then I received an email last week announcing that the StartSSL certificate I had been using was about to expire and realized I was facing a tedious manual certificate replacement process. I decided that I would finally move back to OpenBSD, running in the cloud on Vultr, and try the recently-imported acme-client (formerly “letskencrypt”) to get my HTTPS certificate from the free, automated certificate authority Let’s Encrypt.

  • iPhone passcode bypassed with NAND mirroring attack

    Passcodes on iPhones can be hacked using store-bought electronic components worth less than $100 (£77), according to one Cambridge computer scientist.

    Sergei Skorobogatov has demonstrated that NAND mirroring—the technique dismissed by James Comey, the director of the FBI, as unworkable—is actually a viable means of bypassing passcode entry limits on an Apple iPhone 5C. What's more, the technique, which involves soldering off the phone's flash memory chip, can be used on any model of iPhone up to the iPhone 6 Plus, which use the same type of LGA60 NAND chip. Later models, however, will require "more sophisticated equipment and FPGA test boards."

    In a paper he wrote on the subject, Skorobogatov, a Russian senior research associate at the Cambridge Computer Laboratory's security group, confirmed that "any attacker with sufficient technical skills could repeat the experiment," and while the technique he used is quite fiddly, it should not present too much of an obstacle for a well-resourced branch of law enforcement.

    The attack works by cloning the iPhone's flash memory chip. iPhones generally allow users six attempts to guess a passcode before locking them out for incrementally longer periods of time; by the complex process of taking the phone apart, removing its memory chip, and then cloning it, an attacker is able to have as many clusters of six tries as they have the patience to make fresh clones. Skorobogatov estimates that each run of six attempts would take about 45 seconds, meaning that it would take around 20 hours to do a full cycle of all 10,000 passcode permutations. For a six-digit passcode, this would grow to about three months—which he says might still be acceptable for national security.

  • Seagate NAS hack should scare us all

    No fewer than 70 percent of internet-connected Seagate NAS hard drives have been compromised by a single malware program. That’s a pretty startling figure. Security vendor Sophos says the bitcoin-mining malware Miner-C is the culprit.

Tails 2.6 Anonymous Linux Live CD Is Out, Brings Tor 0.2.8.7 & Tor Browser 6.0.5

Filed under
GNU
Linux
Security
Debian

Just a few moment ago, the Tails development team proudly announced the official and general availability of the Tails 2.6 anonymous Live CD Linux operating system based on the latest Debian technologies.

Earlier this month, we reported on the availability of the first development version of Tails 2.6, the RC1 build, which also appeared to be the only one, and now, nearly three weeks later, we can get our hands on the final release, which brings many updated components and several new features.

According to the release notes, the biggest new features in Tails 2.6 are the enablement of the kASLR (kernel address space layout randomization) in the Linux kernel packages that ship with the popular amnesic incognito live system, protecting users from buffer overflow attacks.

Read more

IPFire 2.19 - Core Update 104 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 104.
This update brings you a new kernel under the hood and a from scratch rewritten Guardian.

Read more

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security advisories for Monday
  • Why do we do security?

    I had a discussion last week that ended with this question. "Why do we do security". There wasn't a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can't come up with a simple answer. It's probably part of the problems you see in infosec.

    The purpose of security isn't just to be "secure", it's to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense.

  • New release: usbguard-0.6.2
  • DNSync

    While setting up my new network at my house, I figured I’d do things right and set up an IPSec VPN (and a few other fancy bits). One thing that became annoying when I wasn’t on my LAN was I’d have to fiddle with the DNS Resolver to resolve names of machines on the LAN.

Security News

Filed under
Security
  • Why real hackers prefer Linux over Windows and Mac

    We have published many tutorials for hackers and security researchers. You may have noticed that most tutorials are based on Linux operating systems. Even the hacking tools out there are based on Linux barring a few which are written for Windows and Mac. The moot question here is that why do hackers prefer Linux over Mac or Windows?

    Today we look at the reason why hackers always prefer Linux over Mac, Windows, and other operating systems. You may have your own reasons for choosing Linux but what do hackers really look forward to while working with Linux.

  • HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools [Ed: Windows ransom but the headline only says “Open Source”]

    Most of the research on this infection has been done by Marinho, who says that his company was called in to investigate and fix a massive infection at a multi-national company that affected computers in its Brazil, India, and US subsidiaries.

  • The power of protocol analyzers

    In the complicated world of networking, problems happen. But determining the exact cause of a novel issue in the heat of the moment gets dicey. In these cases, even otherwise competent engineers may be forced to rely on trial and error once Google-fu gives out.

    Luckily, there’s a secret weapon waiting for willing engineers to deploy—the protocol analyzer. This tool allows you to definitively determine the source of nearly any error, provided you educate yourself on the underlying protocol. The only catch for now? Many engineers avoid it entirely due to (totally unwarranted) dread.

  • Bitcoin: A Sequence of Proofs

    A potential solution to the growing pains of Bitcoin is the use of proof-of-stake rather than proof-of-work. An attacker which has a stake in the history already on the blockchain is unlikely to jeopardize it. In proof-of-stake, the cryptocurrency is paid by the miners into the bets of the next block to win. If an attacker bets on multiple chains, then they're guaranteed to lose money. This, combined with the fact that buying a lot of currency is more expensive than a lot of computer power, makes proof-of-stake practical. We will cover Peercoin later, which does proof of stake and has other mitigations for certain attacks.

    An interesting idea is vote tattling. When an attacker votes on one block with a predecessor, and then votes on another with the same predecessor, peers can observe this. They can report double voting by using the votes as cryptographically-verified evidence, and taking the attacker's vote-money.

Syndicate content

More in Tux Machines

This Custom Android-x86 Build Puts Android 7.1.1 on Your PC, with Linux 4.11 RC7

GNU/Linux developer Arne Exton was happy to announce the release of a new build of his custom built Android-x86 project that lets uses runs the latest Android mobile operating system on their personal computers. Read more

Clear Linux Announces Intel Clear Containers 2.1.6 with Docker 17.04.0 Support

Clear Linux's Kent Helm was proud to announce the release and general availability of Intel Clear Containers 2.1.6, a maintenace update that promises to improve compatibility with recent Docker releases, but also adds various bug fixes. Read more

Nantes Métropole releases open source tool for LibreOffice transition

The French city of Nantes (Nantes Métropole) has released an open source tool used to schedule its migration to LibreOffice. The shift from commercial software to the free and open source LibreOffice productivity suite started in 2013 and is intended to save the administration EUR 260 000 per year. The transition was finalised in April 2016. Read more

Today in Techrights