Security

Security News

Additional Information About Linux Foundation Breach

  • Linux project mum after man indicted for 2011 breach

    The Linux Kernel Organisation, the non-profit that manages development of the kernel, is still reluctant to make any statement about a breach of its servers that took place more than five years ago, despite the fact that a man from South Florida has been charged with being responsible for the intrusion.

    The same man, named as Donald Ryan Austin by the US Attorney's Office in the Northern District of California, was also charged with gaining unauthorised access to the servers of the Linux Foundation, an organisation that employs Linux creator Linus Torvalds.

    Asked for a response to the development, senior kernel developer Greg Kroah-Hartman told iTWire: "The process is not complete yet, so sorry, I do not have any comment at this point in time."

  • Hacker behind Linux Kernel’s Mass Trojan Infection Arrested in Florida

    Cert-Bund, a German cyber security group, estimated that a third of Linux computers in the U.S., and a tenth of those in the world that were checked, were in fact infected with the Trojan Austin had uploaded into the servers.

    After obtaining the credentials, he used them to make unauthorized changes to those servers by adding messages that automatically appeared when the servers rebooted. He also broke into a private email server of Linux Kernel Founder Peter Anvin, along with the Odin1, Zues1, and Pub3 servers.

Development Starts for Tails 2.6 Anonymous Live CD, Now Based on Tor 0.2.8.6

The development team behind the Tails amnesic incognito live system project, known to many as the Linux-based Live CD used by ex-CIA employee Edward Snowden to stay hidden and anonymous online, announced the release of Tails 2.6 RC1.

Security Leftovers

Security News

  • Linux – Justice Grinds Slowly But Eventually Gets Its Hacker
  • Do electronic voting machines put 2016 election at risk? [Ed: Microsoft inside]

    Soon after the 2000 presidential elections went to a recount, Americans got acquainted with an exotic new vocabulary – hanging chads and butterfly ballots – and what lawmakers saw as a modern solution to the nightmare of punchcard voting systems: electronic voting machines.

    In 2002, Congress passed the Help America Vote Act, pouring nearly $3 billion into an effort to get states to adopt those machines.

  • FBI says foreign hackers penetrated state election systems [Ed: FBI also insists on back doors in everything!]

    The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.

  • Hack Brief: As FBI Warns Election Sites Got Hacked, All Eyes Are on Russia

    In any other year, hackers breaking into a couple of state government websites through common web vulnerabilities would hardly raise a blip on the cybersecurity community’s radar. But in this strange and digitally fraught election season, the breach of two state board of election websites not only merits an FBI warning—it might just rise to the level of an international incident.

  • Ransomware Targets UK Hospitals, But NHS Won't Pay Up

    Ransomware has caused massive headaches for hospitals. In February of this year, at least a dozen hospitals around the world had been seriously infected with malware demanding cash to retrieve their files. Some even resorted to pen-and-paper systems, and others gave the hackers over $10,000 worth of bitcoin to unlock their systems.

    But judging by responses to Freedom of Information requests, UK hospitals are not paying hackers when ransomware strikes.

    Motherboard asked National Health Service (NHS) trusts for details on attack figures and payments stretching back to January 2012. Many had been successfully hacked at some point (although on a limited scale, infecting only a small number of computers). Another piece of research carried out by cybersecurity company NCC Group found nearly half of 60 NHS Trusts suffered a ransomware attack in the last year.

  • Malware-ridden Word docs lead to Microsoft alert blurt

    MICROSOFT HAS taken the trouble to warn Windows users about an attack that takes what trust people have left in the software and throws it out of the window.

    The firm explained that the problem involves macros and the use of social engineering. People are tricked into downloading and then enabling malicious content that ultimately leads to trouble when they innocently use Word.

    "Attackers have been using social engineering to avoid the increasing costs of exploitation due to the significant hardening and exploit mitigation investments in Windows," said the firm in a Microsoft TechNet blog post suggesting that this is a cheap shot by hackers.

  • About 70 credit card skimmers found at Michigan gas stations in past year

    In the year since the first credit-card skimmer was found in a Michigan gas station, about 70 more have been discovered in the state according to a press release from the Michigan Department of Agriculture and Rural Development.

    "Approximately 70 credit card skimmers have been found and removed from gas pumps statewide since last year," said MDARD director Jamie Clover Adams. "Credit card skimmers will not be tolerated in Michigan. MDARD's Weights and Measures inspectors, gas station owners, and law enforcement remain on the hunt for skimmers to protect the state's consumers from fraud."

    According to the MDARD, which inspects gas station pumps, the skimmers can't be seen from outside the pump and can be installed in seconds.

    The skimmers copy the consumer's card information for criminals to make fraudulent purchases.

  • Dropbox has been hacked for a reported 68 million personal records

    ANOTHER DAY, another hacked site. Dropbox is the latest company to have its users' data dangled in harm's way after what appears to be a major cyber attack involving 68 million personal records.

    The incident has been confirmed by venerable security researcher Troy Hunt, who claimed that he and his wife were affected.

  • Let's Encrypt client imported into -current

    Kristaps Dzonsons' Let's Encrypt client, letskencrypt, has been imported into OpenBSD-current as acme-client.

    letskencrypt, which has previously been available as a port, is a privilege-separated Let's Encrypt (ACME protocol) client written in C.

  • The story of how WoSign gave me an SSL certificate for GitHub.com
  • Attackers Infect Transmission Torrent Client With OS X Malware

    Researchers at ESET say that malware designed to steal the content of OS X’s keychain and maintain a permanent backdoor was found in a recent build of open source torrent client Transmission. Following an investigation, the Transmission team say they were subjected to an attack on their servers. Steps have been taken to ensure greater security in the future.

  • BitTorrent Client Transmission Again Victimized by OS X Malware

    Just five months after Transmission was infected with the first "ransomware" ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware.

    Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website.

Security Leftovers

Security News

  • Thursday's security updates
  • Friday's security updates
  • Security advisories for Monday
  • Tox Is Your New Secure Chat Application

    In a previous article, I talked about the Ring communication app. The article proved quite popular and aside from drawing a bit of attention -- or maybe because of it -- that article also drew some criticism, including "What about Tox?" That’s a totally fair question, so here we are.

  • Florida Computer Programmer Arrested For Hacking

    A South Florida-based computer programmer made an appearance in the Southern District of Florida today after being arrested Sunday on charges of hacking into computers operated by the Linux Kernel Organization and the Linux Foundation, announced United States Attorney Brian J. Stretch and Federal Bureau of Investigation Special Agent in Charge John F. Bennett.

    The Linux Kernel Organization operates the www.kernel.org website from which it distributes the Linux kernel software. The Linux Foundation is a separate nonprofit foundation that supports the www.kernel.org website.

  • Florida Man Arrested for Allegedly Hacking Key Linux Servers

    A computer programmer from South Florida was arrested last week for allegedly hacking into servers related to the Linux operating system, the Department of Justice announced on Thursday. The case acts as a reminder that even the websites that host and distribute the operating systems our devices run on can be targeted by hackers.

Security Leftovers

  • School Creates Own Security Hole; Tries To Have Concerned Parent Arrested For Hacking

    We've seen it so often over the years, it's probably now time to accept the fact that this will never change: when entities are presented evidence of security holes and breaches, far too often the initial reaction is to shoot the messenger.

    A school whose online student portal exposed a lot of sensitive data decided the best way to handle a concerned parent's repeated questions about how it was handling the problem was to file a criminal complaint against the parent. (via the Office of Inadequate Security)

    The details of the breach (since closed) were reported by independent journalist Sherrie Peif.

  • [Tor] A New Bridge Authority

    After ten years of volunteer maintenance of Tonga, Tor's bridge Authority—a piece of critical infrastructure within the Tor network—our colleague and friend, Lucky Green, a long time cypherpunk, and free speech and privacy advocate, has decided to step down from this role. Tonga's cryptographic keys will be destroyed this week. We are incredibly thankful to Lucky for all his support and selfless labour in maintaining a key component of our censorship circumvention efforts, grateful for the years we have spent working with him, and very sorry to see him go.

  • More Than 40% Of Attacks Abuse SSL Encryption

    There’s an important caveat about encrypted traffic from new research released this week: Encryption works so well that hackers are using it as cover.

    A new study from A10 and the Ponemon Institute found that 80% of respondents say their organizations have been the victim of a cyberattack or malicious insiders in the past year -- and 41% of the attacks have used encryption to evade detection. In addition, 75% say malware hidden within encrypted traffic is a risk to their organizations.

    At issue: The report found that SSL encryption not only hides data from would-be hackers but also from common security tools.

    “Hackers are using SSL encryption to slide by standard perimeter defenses,” says Chase Cunningham, director of cyber operations at A10 Networks.

  • The Cloud Security Alliance publishes its best practices for Big Data security

    Big Data is a boon for businesses worldwide, but the benefits come at a cost. The more data companies store, the more vulnerable they are to potential security breaches. And data breaches can be enormously expensive when they occur. IBM’s 2016 Cost of Data Breach report found that the average consolidated total cost of a data breach grew from $3.8 million to $4 million in the last year, which makes securing their data an important goal for any company that’s invested in it.

Redis Misconfiguration and Ransom

More in Tux Machines

Networking and Security

  • FAQ: What's so special about 802.11ad Wi-Fi?
    Here are the broad strokes about 802.11ad, the wireless technology that’s just starting to hit the market.
  • 2.5 and 5 Gigabit Ethernet Now Official Standards
    In 2014, multiple groups started efforts to create new mid-tier Ethernet speeds with the NBASE-T Alliance starting in October 2014 and MGBASE-T Alliance getting started a few months later in December 2014. While those groups started out on different paths, the final 802.3bz standard represents a unified protocol that is interoperable across multiple vendors. The promise of 2.5 and 5 Gbps Ethernet is that they can work over existing Cat5 cabling, which to date has only been able to support 1 Gbps. Now with the 802.3bz standard, organizations do not need to rip and replace cabling to get Ethernet that is up to five times faster. "Now, the 1000BASE-T uplink from the wireless to wired network is no longer sufficient, and users are searching for ways to tap into higher data rates without having to overhaul the 70 billion meters of Cat5e / Cat6 wiring already sold," David Chalupsky, board of directors of the Ethernet Alliance and Intel principal engineer, said in a statement. "IEEE 802.3bz is an elegant solution that not only addresses the demand for faster access to rapidly rising data volumes, but also capitalizes on previous infrastructure investments, thereby extending their life and maximizing value."
  • A quick fix for stupid password reset questions
    It didn’t take 500 million hacked Yahoo accounts to make me hate, hate, hate password reset questions (otherwise known as knowledge-based authentication or KBA). It didn't help when I heard that password reset questions and answers -- which are often identical, required, and reused on other websites -- were compromised in that massive hack, too. Is there any security person or respected security guidance that likes them? They are so last century. What is your mother’s maiden name? What is your favorite color? What was your first pet’s name?
  • French hosting provider hit by DDoS close to 1TBps
    A hosting provider in France has been hit by a distributed denial of service attack that went close to one terabyte per second. Concurrent attacks against OVH clocked in at 990GBps. The attack vector is said to be the same Internet-of-Things botnet of 152,464 devices that brought down the website of security expert Brian Krebs. OVH chief technology officer Octave Klaba tweeted that the network was capable of attacks up to 1.5TBps.
  • Latest IoT DDoS Attack Dwarfs Krebs Takedown At Nearly 1Tbps Driven By 150K Devices
    If you thought that the massive DDoS attack earlier this month on Brian Krebs’ security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried out via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these types of devices' network settings are improperly configured, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.

Android Leftovers

  • Goodbye QWERTY: BlackBerry stops making hardware
    BlackBerry CEO John Chen has been hinting at this move for almost a year now: today BlackBerry announced it will no longer design hardware. Say goodbye to all the crazy hardware QWERTY devices, ultra-wide phones, and unique slider designs. Speaking to investors, BlackBerry CEO John Chen described the move as a "pivot to software," saying, "The company plans to end all internal hardware development and will outsource that function to partners. This allows us to reduce capital requirements and enhance return on invested capital." The "Outsourcing to partners" plan is something we've already seen with the "BlackBerry" DTEK50, which was just a rebranded Alcatel Idol 4. Chen is now betting the future of the company on software, saying, "In Q2, we more than doubled our software revenue year over year and delivered the highest gross margin in the company's history. We also completed initial shipments of BlackBerry Radar, an end-to-end asset tracking system, and signed a strategic licensing agreement to drive global growth in our BBM consumer business." BlackBerry never effectively responded to the 2007 launch of the iPhone and the resulting transition to modern touchscreen smartphones. BlackBerry took swings with devices like the BlackBerry Storm in 2008, its first touchscreen phone; and the BlackBerry Z10 in 2013, the first BlackBerry phone with an OS designed for touch, but neither caught on. BlackBerry's first viable competitor to the iPhone didn't arrive until it finally switched to Android in 2015 with the BlackBerry Priv. It was the first decent BlackBerry phone in some time, but the high price and subpar hardware led to poor sales.
  • Oracle's 'Gamechanger' Evidence Really Just Evidence Of Oracle Lawyers Failing To Read
    Then on to the main show: Oracle's claim that Google hid the plans to make Android apps work on Chrome OS. Google had revealed to Oracle its "App Runtime for Chrome" (ARC) setup, and it was discussed by Oracle's experts, but at Google I/O, Google revealed new plans for apps to run in Chrome OS that were not using ARC, but rather a brand new setup, which Google internally referred to as ARC++. Oracle argued that Google only revealed to them ARC, but not ARC++ and that was super relevant to the fair use argument, because it showed that Android was replacing more than just the mobile device market for Java. But, here's Oracle's big problem: Google had actually revealed to Oracle the plans for ARC++. It appears that Oracle's lawyers just missed that fact. Ouch.
  • Understanding Android's balance between openness and security
    At the 2016 Structure Security conference, Google's Adrian Ludwig talked about the balance between keeping Android as open as possible, while also keeping it secure.
  • Google's Nougat Android update hits the sweet spot: Software 'isn't flashy, but still pretty handy'
    Nougat, Google's latest update of its Android smartphone software, isn't particularly flashy; you might not even notice what's different about it at first. But it offers a number of practical time-saving features, plus a few that could save money — and perhaps even your life. Nougat is starting to appear on phones, including new ones expected from Google next week.
  • How to change the home screen launcher on Android
  • Andromeda: Chrome OS and Android will merge
  • Sale of Kodi 'fully-loaded' streaming boxes faces legal test
  • Android boxes: Middlesbrough man to be first to be prosecuted for selling streaming kits

Endless OS 3.0 is out!

So our latest and greatest Endless OS is out with the new 3.0 version series! The shiny new things include the use of Flatpak to manage the applications; a new app center (GNOME Software); a new icon set; a new Windows installer that gives you the possibility of installing Endless OS in dual-boot; and many bug fixes.

Expandable, outdoor IoT gateway runs Android on i.MX6

VIA’s “Artigo A830” IoT gateway runs Android on an i.MX6 DualLite SoC and offers HDMI, GbE, microSD, numerous serial and USB ports, plus -20 to 60° operation. As the name suggests, the VIA Technologies Artigo A830 Streetwise IoT Platform is designed for outdoor Internet of Things gateway applications. These are said to include smart lockers, vending machines, information kiosks, and signage devices that run “intensive multimedia shopping, entertainment, and navigation applications.” The outdoors focus is supported with an extended -20 to 60°C operating range, as well as surge and ESD protection for surviving challenges such as a nearby lightning strike.