Security

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Hardening the LSM API

    The Linux Security Modules (LSM) API provides security hooks for all security-relevant access control operations within the kernel. It’s a pluggable API, allowing different security models to be configured during compilation, and selected at boot time. LSM has provided enough flexibility to implement several major access control schemes, including SELinux, AppArmor, and Smack.

  • Hackers exploit Apache Struts vulnerability to compromise corporate web servers
  • Critical vulnerability under “massive” attack imperils high-impact sites

    The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

  • How Safe Are Blockchains? It Depends.

    Blockchain, the distributed ledger technology underlying bitcoin, may prove to be far more valuable than the currency it supports. But it’s only as valuable as it is secure. As we begin to put distributed ledger technology into practice, it’s important to make sure that the initial conditions we’re setting up aren’t setting us up for security issues later on.

  • Three Overlooked Lessons about Container Security

    Last week was an exciting week for me — I’ve just joined container security specialists Aqua Security and spent a couple of days in Tel Aviv getting to know the team and the product. I’m sure I’m learning things that might be obvious to the seasoned security veteran, but perhaps aren’t so obvious to the rest of us! Here are three aspects I found interesting and hope you will too, even if you’ve never really thought about the security of your containerized deployment before:

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Security updates for Wednesday
  • Google leads ‘guerilla patching’ of big vulnerability in open source projects

    Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.

    Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability” CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.

  • Microsoft and Samsung react to Vault 7 CIA leaks -- Google, Linux Foundation and others remain silent

    The Vault 7 document and code cache released yesterday by WikiLeaks revealed that many big software companies were being actively exploited by the CIA. Apple, Microsoft, Google, Samsung, and even Linux were all named as having vulnerabilities that could be used for surveillance.

  • Vault 7 fallout: Linux Foundation says it's "not surprising" Linux is targeted [Ed: "NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux"]

    In the wake of WikiLeaks' Vault 7 CIA leaks, Apple has been quick to point out that vulnerabilities mentioned in the documents have already been addressed. Microsoft and Samsung have said they are "looking into" things, and now the Linux Foundation has spoken out.

    Nicko van Someren, Chief Technology Officer at The Linux Foundation, says that while it is "not surprising" that Linux would find itself a target, the open source project has a very fast release cycle, meaning that kernel updates are released every few days to address issues that are found.

  • The Linux Foundation responds to Wikileaks' CIA hacking revelations

    THE LINUX FOUNDATION has become the latest firm to respond to the revelations that its products have been compromised by the CIA.

    Wikileaks on Tuesday published 8,761 documents dubbed 'Year Zero', the first part in a series of leaks on the agency that Wikileaks has dubbed 'Vault 7'.

    The whistleblowing foundation claims the document dump reveals full details of the CIA's 'global covert hacking program', including 'weaponised exploits' used against operating systems including Android, iOS, Linux, macOS, Windows and "even Samsung TVs, which are turned into covert microphones".

Canonical Releases New Kernels for Ubuntu Linux to Fix a Single Vulnerability

Filed under
Security
Ubuntu

Canonical published several security advisories to inform Ubuntu users about new kernel versions for their Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 16.10 (Yakkety Yak) operating systems.

Read more

Parrot Security OS 3.5 Ethical Hacking Distro Brings Cryptkeeper, Kernel 4.9.13

Filed under
Security

The developers of the Debian-based Parrot Security OS distribution have announced today, March 8, 2017, the general availability of version 3.5 of the ethical hacking and penetration testing oriented OS.

Read more

5 Best Privacy Centric Linux Distributions

Filed under
Linux
Security

Are you worried about your privacy and/or security on the Internet? Well, you should be if you’re not. In this age, there are many reasons that should make you think twice about your privacy and security online. Security includes keeping safe from prying eyes looking to sniff data or identity for fraudulent activities. For the average user, keeping an updated version of your favorite Linux distro should be good enough. That is, Ubuntu, Fedora, SUSE and all your usual distros should be quite ok so long as you’re keeping them updated. You can also employ tools such as Tor and OpenPGP to raise your level of security. Trust me, your everyday distro does a whole lot better at security than Windows and MacOS do, especially when it comes to most malware, viruses and spyware.

Read more

Security News

Filed under
Security
  • Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

    The 4.7.3 update comes just days after WordPress admins were alerted to a separate security crisis in NextGEN Gallery, a WordPress plugin vulnerable to SQL injection attacks.

  • WordPress 4.7.3 Updates for Six Security Issues

    The open-source WordPress blogging and content management system fixes six vulnerabilities, including three Cross Site Scripting flaws.

    The open-source WordPress blogging and content management system (CMS) released a new incremental version on March 6, providing users with six new security patches and 39 bug fixes. The new WordPress 4.7.3 update is the third security update for WordPress so far in 2017, following the 4.7.2 update on Jan. 26 and the 4.7.1 update on Jan. 12.

  • New Stable CloudLinux 7 Kernel Update Released to Patch Multiple Security Issues

    CloudLinux's Mykola Naugolnyi announced today, March 7, 2017, the immediate availability of a new stable kernel update for the CloudLinux 7 operating system series.

    The updated CloudLinux 7 kernel was bumped to version 3.10.0-427.36.1.lve1.4.39 and is here to address a bunch of security vulnerabilities discovered recently. First of all, you should know that this new kernel replaces the 3.10.0-427.18.2.lve1.4.38 build that many of you have installed, and can be downloaded from CloudLinux's stable repository.

  • Frankfurt used as remote hacking base for the CIA: WikiLeaks

    WikiLeaks documents reveal CIA agents were given cover identities and diplomatic passports to enter the country. The base was used to develop hacking tools as part of the CIA's massive digital arsenal.

  • Wikileaks reveals how CIA is targeting your iPhone, Android, and smart TV

    Wikileaks just dropped a massive collection of information detailing how the US government is attacking the devices that many of us use every single day in an effort to gain intel for its own purposes. Tactics for breaching iPhones, iPads, Android devices, PCs, routers, and even smart TVs are included in the leak, which has some serious privacy and security implications if even a fraction of it proves to be accurate.

  • WikiLeaks publishes massive trove of CIA spying files in 'Vault 7' release

    WikiLeaks has published a huge trove of what appear to be CIA spying secrets.

    The files are the most comprehensive release of US spying files ever made public, according to Julian Assange. In all, there are 8,761 documents that account for "the entire hacking capacity of the CIA", Mr Assange claimed in a release, and the trove is just the first of a series of "Vault 7" leaks.

    Already, the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.

  • Wikileaks posts alleged trove of CIA hacking tools
  • WikiLeaks' CIA document dump shows agency can compromise Android, TVs

    WikiLeaks has released more than 8,700 documents it says come from the CIA's Center for Cyber Intelligence, with some of the leaks saying the agency had 24 "weaponized" and previously undisclosed exploits for the Android operating system as of 2016.

Security News

Filed under
Security
  • Third-Party Vendor Issues Temporary Patch for Windows GDI Vulnerability [Ed: Microsoft is so negligent when it comes to patching that some random companies out there attempt to patch binaries]

    A vulnerability discovered by Google Project Zero security researchers and left without a patch by Microsoft received a temporary fix from third-party security vendor ACROS Security.

    The vulnerability, tracked as CVE-2017-0038, is a bug in Windows GDI (Graphics Device Interface), a library that Windows uses to process graphics and formatted text, for both the video display and when sending data to local printers.

    According to Google researchers, attackers could leverage malformed EMF files to expose data found in the victim's memory, which can then be leveraged to bypass ASLR protection and execute code on the user's computer.

  • HackerOne opens up bug bounties to open source

    HackerOne is bringing bug hunting and software testing to open source developers to help make open source software more secure and safer to use.

    A lot of modern tools and technologies depend on open source software, so a security flaw can wind up having a widespread impact -- the Heartbleed flaw in OpenSSL, for example. Many open source projects still rely on the "thousand eyes" concept when it comes to software security -- that anyone being able to see the source code means defects are found and fixed faster. While it's true to some extent, it doesn't apply if no one is actually looking at the code, as we've learned repeatedly over the past few years.

  • WordPress 4.7.3 Security and Maintenance Release

    WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Security News

Filed under
Security
  • Arbitrary code execution in TeX distributions

    Many out there use TeX or one of its distributions like TeX Live, LaTeX, MiKTeX or teTeX. Sharing TeX files between authors is common, and often conference organizers, journal editors or university institutions offer TeX templates for papers and diploma theses. So what if a TeX file can take over your computer?

  • Security firm issues patch for Windows zero-day

    A security firm has released a patch for a remotely exploitable vulnerability in Windows that Microsoft is expected to patch on 14 March.

    0patch team member Luka Treiber said this was the first time the company had issued code to fix a zero-day exploit.

    He has provided a detailed rundown of his methodology on the firm's website.

    Anyone wishing to use the patch has to download 0patch's patching agent and then obtain the code.

  • The working dead: The security risks of outdated Linux kernels [Ed: IDG says that running old and unpatched Linux kernel is not a good idea, like that wasn't obvious.]

    Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed a serious kernel vulnerability remained undiscovered for over a decade. But, what does this mean in a practical sense? Why is security of the Linux kernel important? And, what effects do vulnerabilities have on older or obsolete kernels that are persistent in many devices?

Talks and FOSS Events

Filed under
OSS
Security
  • Me at the RSA Conference

    This is my talk at the RSA Conference last month. It's on regulation and the Internet of Things, along the lines of this essay.

  • How to handle conflict like a boss

    I was initially afraid that a talk about conflict management would be touchy-feely to the point of uselessness, but found that every time Deb Nicholson described a scenario, I could remember a project that I'd been involved in where just such a problem had arisen. In the end, her "Handle conflict like a boss" presentation may turn out to have been one of the more rewarding talks I heard at FOSDEM 2017.

    Nicholson's first contention was that conflict happens because some people are missing some information. She related a story about a shared apartment where the resident who was responsible for dividing up the electricity bill was getting quite annoyed at the resident who had got behind on his share, until Nicholson pointed out that the latter resident was away at his grandmother's funeral. Instantly, the person who'd been angry was calm and concerned, through no change other than coming into possession of all the facts. Conflict is natural, said Nicholson, but it doesn't have to be the end of the world.

  • Principled free-software license enforcement

    Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat.

    To his mind, GPL enforcement has always been an important element of free-software law; not that we should all be doing it, all the time, but like it or not, litigation is part of a legal system. Awareness of its possibility, however, was making some Red Hat customers and partners worried about the prospect. There has not, in fact, been much actual litigation around free-software licenses — certainly not compared to the amount of litigation software companies are capable of generating in the normal course of business — thus Fontana felt their fears were unreasonable.

GNOME: LVFS and Epiphany

  • Richard Hughes: Shaking the tin for LVFS: Asking for donations!

    Nearly 100 million files are downloaded from the LVFS every month, the majority being metadata to know what updates are available. Although each metadata file is very small it still adds up to over 1TB in transferred bytes per month. Amazon has kindly given the LVFS a 2000 USD per year open source grant which more than covers the hosting costs and any test EC2 instances. I really appreciate the donation from Amazon as it allows us to continue to grow, both with the number of Linux clients connecting every hour, and with the number of firmware files hosted. Before the grant sometimes Red Hat would pay the bandwidth bill, and other times it was just paid out of my own pocket, so the grant does mean a lot to me. Amazon seemed very friendly towards this kind of open source shared infrastructure, so kudos to them for that. At the moment the secure part of the LVFS is hosted in a dedicated Scaleway instance, so any additional donations would be spent on paying this small bill and perhaps more importantly buying some (2nd hand?) hardware to include as part of our release-time QA checks.

  • Epiphany 3.28 Development Kicks Off With Safe Browsing, Better Flatpak Handling

    Epiphany 3.27.1 was released a short time ago as the first development release of this web browser for the GNOME 3.28 cycle. For being early in the development cycle there are already a fair number of improvements with Epiphany 3.27.1. Some of the highlights include Google Safe Browsing support, a new address bar dropdown powered by libdazzle, and improvements to the Flatpak support.

  • Safe Browsing in Epiphany

    I am pleased to announce that Epiphany users will now benefit from safe browsing support that is capable of detecting and alerting users whenever they are visiting a potentially malicious website. This feature will be shipped in GNOME 3.28, but those who don’t wish to wait that long can go ahead and build Epiphany from master to benefit from it. The safe browsing support is enabled by default in Epiphany, but you can always disable it from the preferences dialog by toggling the checkbox under General -> Web Content -> Try to block dangerous websites.