Security Leftovers

Filed under
Security
  • Someone is putting lots of work into hacking Github developers [Ed: Dan Goodin doesn't know that everything is under attack and cracking attempts just about all the time?]

    Open-source developers who use Github are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

  • Security Orchestration and Incident Response

    Technology continues to advance, and this is all a changing target. Eventually, computers will become intelligent enough to replace people at real-time incident response. My guess, though, is that computers are not going to get there by collecting enough data to be certain. More likely, they'll develop the ability to exhibit understanding and operate in a world of uncertainty. That's a much harder goal.

    Yes, today, this is all science fiction. But it's not stupid science fiction, and it might become reality during the lifetimes of our children. Until then, we need people in the loop. Orchestration is a way to achieve that.

Security News

Filed under
Security
  • Security updates for Wednesday
  • Cisco learned from Wikileaks that the CIA had hacked its systems

    When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems swung into action.

    The WikiLeaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco's widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

  • Exposed files on Microsoft's document-sharing site

    Confidential documents, passwords and health data have been inadvertently shared by firms using Microsoft's Office 365 service, say researchers.

    The sensitive information was found via a publicly available search engine that is part of Office 365.

    Security researchers said many firms mistakenly thought documents would only be shared with colleagues not globally.

    Microsoft said it would "take steps" to change the service and remove the sensitive data.

  • Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware

    The US Department of Justice announced yesterday that Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty for his role in the creation of the Ebury malware and for maintaining its infamous botnet.

    US authorities indicted Senakh in January 2015, and law enforcement detained him in Finland in August of the same year.

  • Changes coming to TLS: Part One

    Transport Layer Security version 1.3 (TLS 1.3) is the latest version of the SSL/TLS protocol, which is currently under development by the IETF. It offers several security and performance improvements compared to the previous versions. While there are several technical resources that discuss the finer aspects of this new protocol, this two-part article is a quick reference to new features and major changes in the TLS protocol.
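    One change worth seeing on the wire: in TLS 1.3 the ClientHello's legacy_version field stays frozen at 0x0303 (TLS 1.2) and the real offer moves into the supported_versions extension (type 0x002b), so any tool that reads only the version field will never see a 1.3 client. The following is an added example, not code from the Red Hat article or from any TLS library; it builds a minimal ClientHello record from constructed values (zeroed random, a handful of suite codes) and parses it back. The cipher suite codes and extension number are the ones in the TLS 1.2 and 1.3 specifications (the draft the article tracks was later published as RFC 8446); everything else is illustrative.

```python
import struct

# Protocol constants from the TLS 1.2 / TLS 1.3 specifications.
TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                # TLS 1.3 only
    0x1302: "TLS_AES_256_GCM_SHA384",                # TLS 1.3 only
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",          # TLS 1.3 only
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # TLS 1.2
}


def build_client_hello(cipher_suites, supported_versions=None):
    """Assemble one TLS record holding a ClientHello (constructed test message).

    The 32-byte random is all zeros here; a real client must fill it from a CSPRNG.
    """
    body = struct.pack("!H", TLS12) + bytes(32)                # legacy_version, random
    body += b"\x00"                                             # empty legacy_session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # compression_methods: null only
    exts = b""
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers                        # 1-byte list length in ClientHello
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return legacy_version, offered suites and the supported_versions list (None if absent)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                               # skip random
    pos += 1 + body[pos]                                        # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                        # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    supported = None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "cipher_suites": suites,
            "supported_versions": supported}


def offers_tls13(hello):
    """TLS 1.3 is only negotiable via supported_versions; legacy_version never says 0x0304."""
    versions = hello["supported_versions"]
    return versions is not None and TLS13 in versions


def suite_names(hello):
    return [SUITE_NAMES.get(s, "0x%04X" % s) for s in hello["cipher_suites"]]


if __name__ == "__main__":
    rec = build_client_hello([0x1301, 0x1303, 0xC02F], [TLS13, TLS12])
    hello = parse_client_hello(rec)
    print("legacy_version 0x%04X, offers TLS 1.3: %s" % (hello["legacy_version"], offers_tls13(hello)))
    print("suites:", suite_names(hello))
```

    The same parser run against a capture from a real client gives a quick answer to "is this client actually offering 1.3?" without trusting the version bytes in the record or handshake headers, both of which remain at 1.0/1.2 values for compatibility with middleboxes.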

Security Leftovers

Filed under
Security
  • How To Improve The Linux System’s Security Using Firejail

    As you already know, Linux is often said to be secure by default. But that doesn't mean the software on a Linux system is completely secure. For example, an add-on in your web browser may cause serious security issues, and while you are doing financial transactions over the internet a key logger may be active in the browser without you being aware of it. Even though we can't give our Linux box bullet-proof security, we can add an extra layer with an application called Firejail. It is a security utility that can sandbox such an application and let it run in a controlled environment. Put simply, Firejail is a SUID (set-user-ID on execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications, using Linux namespaces and seccomp-bpf. Because it runs with root privileges to set up that environment, the firejail binary itself is part of your trusted computing base and should be kept up to date like any other SUID program.

  • “Httpd and Relayd Mastery” off to copyedit
  • Kalyna Block Cipher
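    Two checks that follow from the Firejail item above, as an added example that is not code from the ostechnix article or from the Firejail project: first, confirm that the firejail binary really is a root-owned setuid executable that nobody else can write to (a SUID sandbox helper you cannot trust is worse than none), and second, audit a Firejail profile for the hardening directives a browser or document viewer should have. The directive names (noroot, seccomp, nonewprivs, caps.drop all, private-tmp) are real Firejail profile keywords; the sample profiles below are constructed for the example and the list of "required" directives is a policy choice, not something the article prescribes.

```python
import os
import shutil
import stat
import tempfile

# Hardening directives a desktop-app profile should carry (policy chosen for this example).
REQUIRED = {
    "noroot": "no root user inside the sandbox",
    "seccomp": "apply the default syscall filter",
    "nonewprivs": "block setuid/setgid escalation inside the sandbox",
    "caps.drop all": "drop every Linux capability",
    "private-tmp": "give the app an empty /tmp",
}

# Constructed sample profiles, not shipped by Firejail.
WEAK_PROFILE = """\
# minimal profile: only file-system restrictions
include /etc/firejail/disable-common.inc
whitelist ${HOME}/Downloads
net none
"""
HARDENED_PROFILE = WEAK_PROFILE + """\
noroot
seccomp
nonewprivs
caps.drop   all
private-tmp
private-dev
"""


def setuid_status(path):
    """Return (has_setuid_bit, owned_by_root, world_writable) for one file."""
    st = os.stat(path)
    return (bool(st.st_mode & stat.S_ISUID),
            st.st_uid == 0,
            bool(st.st_mode & stat.S_IWOTH))


def firejail_is_sane(path="/usr/bin/firejail"):
    """Firejail needs setuid root to build its sandbox; refuse anything less trustworthy."""
    if not os.path.exists(path):
        return False
    has_bit, root_owned, world_writable = setuid_status(path)
    return has_bit and root_owned and not world_writable


def audit_profile(text):
    """Return the REQUIRED directives missing from a Firejail profile text.

    Comments start with '#'; runs of whitespace inside a directive are normalised
    so 'caps.drop   all' matches 'caps.drop all'.
    """
    present = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            present.add(" ".join(line.split()))
    return [d for d in REQUIRED if d not in present]


def demo_setuid_check():
    """Self-contained check: a scratch file gains the setuid bit after chmod 4755."""
    d = tempfile.mkdtemp()
    try:
        p = os.path.join(d, "fake-firejail")
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(p, 0o755)
        before = setuid_status(p)[0]
        os.chmod(p, 0o4755)
        after = setuid_status(p)[0]
        return before, after
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print("system firejail usable:", firejail_is_sane())
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        missing = audit_profile(prof)
        print("%s profile missing: %s" % (name, ", ".join(missing) or "nothing"))
```

    The audit is deliberately literal: it does not follow `include` lines, so a directive pulled in from an included file is reported as missing. That is the conservative failure mode for a check like this.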

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • FedEx Will Pay You $5 to Install Flash on Your Machine

    FedEx is making you an offer you can’t afford to accept. It’s offering to give you $5 (actually, it’s a discount on orders over $30) if you’ll just install Adobe Flash on your machine.

    Nobody who knows anything about online security uses Flash anymore, except when it’s absolutely necessary. Why? Because Flash is the poster child for the “security-vulnerability-of-the-hour” club — a group that includes another Adobe product, Acrobat. How unsafe is Flash? Let’s put it this way: seven years ago, Steve Jobs announced that Flash was to be forever banned from Apple’s mobile products. One of the reasons he cited was a report from Symantec that “highlighted Flash for having one of the worst security records in 2009.”

    Flash security hasn’t gotten any better since.

  • Every once in a while someone suggests to me that curl and libcurl would do better if rewritten in a “safe language”
  • An insecure dishwasher has entered the IoT war against humanity

    Regel says that he has contacted Miele on a number of occasions about the issue, but had failed to get a response to his missives, and has no updated information on the vulnerability.

    He added, bleakly, that "we are not aware of an actual fix."

  • Monday Witness: It's Time to Recognize a Civil Right Not to be Connected

    Along with death and taxes, two things appear inevitable. The first is that Internet of Things devices will not only be built into everything we can imagine, but into everything we can't as well. The second is that IoT devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway.

    What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.

  • Remember kids, if you're going to disclose, disclose responsibly!

    If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I'm not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things.

Security Leftovers

Filed under
Security
  • NSA: We Disclose 90% of the Flaws We Find

    In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.

  • EFF Launches Community Security Training Series

    EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL.

    [...]

    With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.

  • NextCloud, a security analysis

    First, I would like to scare everyone a little bit in order to have people appreciate the extent of this statement.

    As the figure that opens the post indicates, there are thousands of vulnerable ownCloud/Nextcloud instances out there. It will surprise many just how easy it is to detect those by trying out common URL paths during an IP sweep.

  • FedEx will deliver you $5.00 just to install Flash

    Bribes on offer as courier's custom printing service needs Adobe's security sinkhole
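    The Nextcloud item above rests on one observation: both ownCloud and Nextcloud answer an unauthenticated GET to status.php with a small JSON document that includes `installed` and `versionstring`, so a sweep that tries a few common install paths can fingerprint and version every exposed instance. The following is an added example, not the post author's tooling: it runs that sweep over constructed responses (RFC 5737 documentation addresses, bodies imitating the status.php shape) through an injected `fetch` callable, so it works offline and can be pointed at a real HTTP client for hosts you are authorized to scan. The version floors passed to `sweep` are placeholders, not a statement about which releases are vulnerable.

```python
import json

# Constructed responses standing in for what a sweep would fetch.
SAMPLE_HTTP = {
    "http://192.0.2.10/status.php":
        '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
        '"version":"11.0.2.7","versionstring":"11.0.2","edition":"","productname":"Nextcloud"}',
    "http://192.0.2.11/owncloud/status.php":
        '{"installed":true,"maintenance":false,"version":"9.1.4.2","versionstring":"9.1.4","edition":""}',
    "http://192.0.2.12/status.php":
        "<html><body>It works!</body></html>",
}

# Paths the post's idea of "common URL paths" would cover (illustrative list).
COMMON_PATHS = ("/status.php", "/owncloud/status.php", "/nextcloud/status.php", "/cloud/status.php")


def fingerprint(body):
    """Parse a candidate status.php body; return (product, versionstring) or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "installed" not in doc or "versionstring" not in doc:
        return None
    # Older ownCloud bodies carry no productname, so fall back to a generic label.
    return doc.get("productname") or "ownCloud/Nextcloud", doc["versionstring"]


def version_tuple(s):
    """'11.0.2' -> (11, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def sweep(hosts, fetch, minimum):
    """Probe each host for the common status.php paths.

    fetch(url) returns a response body or None.  minimum maps a product label to
    the lowest acceptable version tuple (placeholder policy supplied by the caller).
    """
    findings = []
    for host in hosts:
        for path in COMMON_PATHS:
            body = fetch("http://%s%s" % (host, path))
            fp = fingerprint(body) if body is not None else None
            if fp is None:
                continue
            product, ver = fp
            floor = minimum.get(product)
            findings.append({
                "host": host, "path": path, "product": product, "version": ver,
                "outdated": floor is not None and version_tuple(ver) < floor,
            })
            break  # one instance per host is enough for a census
    return findings


if __name__ == "__main__":
    policy = {"Nextcloud": (11, 0, 2), "ownCloud/Nextcloud": (10, 0, 0)}  # placeholders
    for f in sweep(["192.0.2.10", "192.0.2.11", "192.0.2.12"], SAMPLE_HTTP.get, policy):
        print("%(host)s%(path)s -> %(product)s %(version)s outdated=%(outdated)s" % f)
```

    Run against your own address space, the same function is the check an operator wants: if your instance shows up, status.php is reachable from the internet and its version is public, so the patch level is visible to anyone sweeping the same ranges.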

Security Leftovers

Filed under
Security
  • Google Threatens to Distrust Symantec SSL/TLS Certificates

    Google is warning that it intends to deprecate and remove trust in Symantec-issued SSL/TLS certificates, as Symantec shoots back that the move is unwarranted.

  • Hackers Stole My Website…And I Pulled Off A $30,000 Sting Operation To Get It Back

    I learned that my site was stolen on a Saturday. Three days later I had it back, but only after the involvement of fifty or so employees of six different companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a sting operation that probably should have starred Sandra Bullock instead of…well…me.

  • Google Summer of Code

    The Linux Foundation umbrella organization is responsible for this year's WireGuard GSoC, so if you're a student, write "Linux Foundation" as your mentoring organization, and then specify in your proposal your desire to work with WireGuard, listing "Jason Donenfeld" as your mentor.

  • Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”

    Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World“, covered a wide range of security concerns.

  • [Older] Make America Secure Again: Trump Should Order U.S. Spy Agencies to Responsibly Disclose Cyber Vulnerabilities

    Last week, WikiLeaks released a trove of CIA documents that detail many of the spy agency’s hacking capabilities. These documents, if genuine (and early reports suggest that they are), validate concerns that U.S. spy agencies are stockpiling cybersecurity vulnerabilities. The intelligence community uses undisclosed vulnerabilities to develop tools that can penetrate the computer systems and networks of its foreign targets. Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to American businesses and individuals. In the future, rather than hoard this information, the CIA and other intelligence agencies should commit to responsibly disclosing the vulnerabilities they discover to the private sector so that security holes can be patched.

  • Announcing Keyholder: Secure, shared shell access

    The new software is a ssh-agent proxy that allows a group of trusted users to share an SSH identity without exposing the contents of that identity’s private key.

    [...]

    A common use of the ssh-agent is to “forward” your agent to a remote machine (using the -A flag in the OpenSSH client). After you’ve forwarded your ssh-agent, you can use the socket that that agent creates to access any of your many (now unencrypted) keys, and login to any other machines for which you may have keys in your ssh-agent. So, too, potentially, can all the other folks that have root access to the machine to which you’ve forwarded your ssh-agent.

  • pitchfork

    After years of training journalists and NGOs in communication and operational security, and after years of conducting research into the tools and protocols used, it took some more years to develop a reasonable answer to most of the issues encountered during all this time.

    In today's world of commercially available government malware you don't want to store your encryption keys on your easily infected computer. You want them stored on something that you could even take into a sauna or a hot tub, maintaining continuous physical contact.

    So people who care about such things use external smartcard-based crypto devices like YubiKey NEOs or Nitrokeys (formerly Crypto Sticks). The problems with these devices are that you have to enter PIN codes on a computer that you shouldn't trust, that they are either designed for centralized use in organizations, or that they are based mostly on PGP.
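    The Keyholder item above states the risk of `ssh -A` plainly: once your agent is forwarded, the socket sshd creates on the remote host can be used by anyone with root there. Two checks follow from that, written here as an added example rather than code from Wikimedia's Keyholder or from OpenSSH: on the client side, find the Host blocks in an ssh_config that turn ForwardAgent on (the usual replacement for forwarding through a bastion is ProxyJump, which needs no agent on the intermediate host); on the server side, enumerate the forwarded-agent sockets that currently exist under /tmp/ssh-*/agent.* and who owns them. The sample config text is constructed, and the scan is demonstrated against a scratch directory so it runs without an sshd.

```python
import os
import shutil
import socket
import stat
import tempfile


def forwarding_hosts(config_text):
    """Return the Host patterns in an ssh_config text that set ForwardAgent yes.

    Keywords are case-insensitive and may be written 'Key Value' or 'Key=Value'.
    Directives before any Host line are global, recorded under the pattern '*'.
    """
    current = "*"
    decided = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = val
        elif key == "forwardagent":
            decided.setdefault(current, val.lower() == "yes")
    return sorted(h for h, on in decided.items() if on)


def forwarded_agent_sockets(root="/tmp"):
    """List (path, owner_uid) for sockets named agent.* inside root/ssh-* directories.

    These are the sockets sshd creates for forwarded agents; root on this host
    can connect to any of them and sign with the remote user's keys.
    """
    found = []
    if not os.path.isdir(root):
        return found
    for d in os.listdir(root):
        if not d.startswith("ssh-"):
            continue
        full = os.path.join(root, d)
        try:
            names = os.listdir(full)
        except OSError:
            continue
        for name in names:
            p = os.path.join(full, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if name.startswith("agent.") and stat.S_ISSOCK(st.st_mode):
                found.append((p, st.st_uid))
    return found


def demo_socket_scan():
    """Create a throw-away agent-style socket in a scratch dir and scan for it."""
    root = tempfile.mkdtemp()
    try:
        d = os.path.join(root, "ssh-abc123")
        os.mkdir(d, 0o700)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(os.path.join(d, "agent.4242"))
        try:
            return [os.path.basename(p) for p, _ in forwarded_agent_sockets(root)]
        finally:
            s.close()
    finally:
        shutil.rmtree(root)


# Constructed sample client config (not from the article).
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example
    ForwardAgent yes          # agent exposed to root on bastion

Host prod-*
    ProxyJump bastion         # no agent needed on the bastion for this hop
    ForwardAgent no
"""

if __name__ == "__main__":
    print("Hosts with agent forwarding:", forwarding_hosts(SAMPLE_CONFIG))
    print("Forwarded agent sockets on this box:", forwarded_agent_sockets())
```

    On a shared server the socket listing is the view an attacker with root would have; each entry is a set of keys that can be used for as long as that session stays open.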

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • How worried should your organisation be about cyber espionage - and what can you do about it?

    Computerworld UK speaks with Jarno Niemela, senior security researcher at F-Secure.

  • Inverse Law of CVEs

    I've started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn't anything overly clever, it's fun to do. And I get to make pretty graphs, which everyone likes to look at.

  • eBay Asks Users to Downgrade Security

    The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

  • Practical basics of reproducible builds
  • License Agreements and Changes Are Coming

    The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want to get into any specific details, and I certainly don’t know them all.
