Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • Security advisories for Monday
  • Is Mirai Really as Black as It’s Being Painted?

    An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.

    [...]

    If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.

  • Parrot Security 3.3 Ethical Hacking OS Updates Anonsurf, Fixes Touchpad Support

    A new stable release of the Debian-based Parrot Security ethical hacking and penetration testing operating system has been released on Christmas Day, versioned 3.3.

    Powered by a kernel from the Linux 4.8 series, Parrot Security OS 3.3 is here a little over two months since the release of Parrot Security 3.2, but it doesn't look like it's a major update and all that, as it only updates a few core components and hacking tools, and addresses a few of the bugs reported by users since version 3.2.

  • Linux Top 3: Guix, Parrot Security and OpenMandriva Lx

    The GNU Guix project builds a transactional package manager system and it is the base feature around which Guix SD(system distribution) is built.

    [...]

    The 3.01 release brings a number of major fixes since 3.0 release:

    updated software
    new drivers and kernel – better support for newer hardware
    many bugs fixed
    stable Plasma running on Wayland

  • LibreOffice 5.2.4 packages

    The computers worked frantically while I relaxed with my family. Slackware 14.2 and -current packages are ready for LibreOffice 5.2.4. Enjoy the newest version of this highly popular office suite.

Security News

Filed under
Security
  • SQL is Insecure

    SQL is insecure, tell everyone. If you use SQL, your website will get hacked. Tell everyone.

    I saw the news that the US Elections Agency was hacked by a SQL injection attack and I kind of lost it. It’s been well over two decades since prepared statements were introduced. We’ve educated and advised developers about how to avoid SQL injection, yet it still happens. If education failed, all we can do is shame developers into never using SQL.

    I actually really like SQL, I’ve even made a SQL dialect. SQL’s relational algebra is expressive, probably more so than any other NoSQL database I know of. But developers have proven far too often that it’s simply too difficult to know when to use prepared statements or just concatenate strings — it’s time we just abandon SQL altogether. It isn’t worth it. It’s time we called for all government’s to ban use of SQL databases in government contracts and in healthcare. There must be utter clarity.

  • Cyber-criminals target African countries with ransom-ware

    Once again Conficker retained its position as the world’s most prevalent malware, responsible for 15% of recognised attacks. Second-placed Locky, which only started its distribution in February of this year, was responsible for 6% of all attacks, and third-placed Sality was responsible for 5% of known attacks. Overall, the top ten malware families were responsible for 45% of all known attacks.

  • It's Incredibly Easy to Tamper with Someone's Flight Plan, Anywhere on the Globe

    It’s easier than many people realize to modify someone else’s flight booking, or cancel their flight altogether, because airlines rely on old, unsecured systems for processing customers’ travel plans, researchers will explain at the Chaos Communication Congress hacking festival on Tuesday. The issues predominantly center around the lack of any meaningful authentication for customers requesting their flight information.

    The issues highlight how a decades-old system is still in constant, heavy use, despite being susceptible to fairly simple attacks and with no clear means for a solution.

    “Whenever you take a trip, you are in one or more of these systems,” security researcher Karsten Nohl told Motherboard in a phone call ahead of his and co-researcher Nemanja Nikodijevic’s talk.

  • Open source risks and rewards – why team structure matters

    An impressive and user-friendly digital presence is an indispensable asset to any brand. It is often the first point of contact for customers who expect and demand great functionality and engaging content across multiple platforms. The finding that nearly half of us won't wait even three seconds for a website to load bears witness to ever increasing customer expectations which must be met.

    Partnership with a digital agency can be a great way to keep up to speed with rapid change and innovation but to ensure the very best outcome, both client and agency need to find an optimum commercial, creative and secure cultural fit. This should be a priority for both sides from the very first pitch. The promise of exceptional creativity and customer experience is one thing, but considering the more practical aspects of how the relationship will work is entirely another.

Security News

Filed under
Security
  • Friday's security advisories
  • The State of Linux Security

    In the last 10 years, GNU/Linux achieved something some foreseen as almost impossible: powering both the smallest and biggest devices in the world, and everything in between. Only the desktop is not a conquered terrain yet.

    The year 2016 had an impact on the world. Both from a real life perspective, as digitally. Some people found their personal details leaked on the internet, others found their software being backdoored. Let’s have a look back on what happened this year regarding Linux security.

BlackArch Linux

Filed under
GNU
Linux
Security
  • BlackArch Linux now has over 1,600 hacking tools

    To extensively support ethical hackers and white-hat cybersecurity experts, BlackArch Linux has released a new update with over 1,600 hacking tools. The latest version also comes with newer Linux kernel and includes enormous improvements and performance fixes.

    Emerged as BlackArch 2016.12.20, the update brings more than 100 new tools to support security professionals. These new tools have expanded the previous list to a total of 1,605 tools. Additionally, the distribution comes with Linux kernel 4.8.13 to deliver an improved and more stable experience than its previous release.

  • BlackArch Linux 2016.12.20 Ethical Hacking Distro Released With 100+ New Tools

Security News

Filed under
Security
  • Thursday's security updates
  • Lithuania said found Russian spyware on its government computers

    The Baltic state of Lithuania, on the frontline of growing tensions between the West and Russia, says the Kremlin is responsible for cyber attacks that have hit government computers over the last two years.

    The head of cyber security told Reuters three cases of Russian spyware on its government computers had been discovered since 2015, and there had been 20 attempts to infect them this year.

    "The spyware we found was operating for at least half a year before it was detected – similar to how it was in the USA," Rimtautas Cerniauskas, head of the Lithuanian Cyber Security Centre said.

  • Dear CIO: Linux Mint Encourages Users to Keep System Up-to-Date

    Swapnil Bhartiya gets it wrong.

    Let me start by pointing out that Bhartiya is not only a capable open source writer, he’s also a friend. Another also: he knows better. That’s why the article he just wrote for CIO completely confounds me. Methinks he jumped the gun and didn’t think it through before he hit the keyboard.

    The article ran with the headline Linux Mint, please stop discouraging users from upgrading. In it, he jumps on Mint’s lead developer Clement Lefebvre’s warning against unnecessary upgrades to Linux Mint.

Security Leftovers

Filed under
Security
  • Most ATMs in India Are Easy Targets for Hackers & Malware Attacks

    Hacking is a hotly debated subject across the country right now, and it’s fair to say that the ATM next door is also in danger. It has been reported that over 70 percent of the 2 lakh money-dispensing ATM machines in our country are running on Microsoft’s outdated Windows XP operating system, leaving it vulnerable to cyber attacks.

    Support for Windows XP was discontinued by Microsoft in 2014 which means that since then the company hasn’t rolled out any security updates for this Windows version.

    While it doesn’t make sense for banks to continue using outdated software, security experts feel that the practice stems from legacy behaviour, when physical attacks were a bigger threat than software hacks.

  • 20 Questions Security Pros Should Ask Themselves Before Moving To The Cloud

    A template for working collaboratively with the business in today's rapidly changing technology environment.

    Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.

    Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.

  • Report: $3-5M in Ad Fraud Daily from ‘Methbot’

    New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

    Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

  • Linux Backdoor Gives Hackers Full Control Over Vulnerable Devices [Ed: Microsoft booster Bogdan Popa says "Linux Backdoor"; that's a lie. It’s Microsoft that has them.]

IPFire 2.19 - Core Update 108 released

Filed under
GNU
Linux
Security

Just before Christmas, we are going to release the last Core Update for 2016. IPFire 2.19 – Core Update 108 brings some minor bug fixes and feature enhancements, some security fixes in ntp and various fixes in the squid web proxy.

Read more

Security Leftovers

Filed under
Security

5 Open Source Network Security Tools SMBs Should Consider

Filed under
OSS
Security

You might think that because your business is small you aren't an attractive target for hackers.

But you would be wrong.

According to the National Cyber Security Alliance (NCSA), 82 percent of small business owners believe that they are not a target for cyberattacks, but 43 percent of last year's cyberattacks targeted SMBs. And a single attack can cost SMBs up to $99,000.

Cyberattacks of all kinds are on the rise with data breaches increasing 15 percent over the past year, NCSA says. And ransomware, attacks that freeze up organizations' systems until they pay a ransom, has become particularly prevalent; in just the first three months of 2016, U.S. ransomware victims paid out $209 million to attackers, compared to $25 million for all of 2015.

Read more

IRC News, Freenode Update

Filed under
OSS
Security
Web
Syndicate content

More in Tux Machines

LinuxCon Europe on 100G Networking

  • The World of 100G Networking
    Capacity and speed requirements keep increasing for networking, but going from where are now to 100G networking isn’t a trivial matter, as Christopher Lameter and Fernando Garcia discussed recently in their LinuxCon Europe talk about the world of 100G networking. It may not be easy, but with recently developed machine learning algorithms combined with new, more powerful servers, the idea of 100G networking is becoming feasible and cost effective.
  • The World of 100G Networking by Christoph Lameter
    The idea of 100G networking is becoming feasible and cost effective. This talk gives an overview about the competing technologies in terms of technological differences and capabilities and then discusses the challenges of using various kernel interfaces to communicate at these high speeds.

Development News

  • Oh, the things Vim could teach Silicon Valley's code slingers
    Vim text editor turned 25 late last year – the first public iteration was launched on November 2, 1991, a couple of weeks after Linus Torvalds announced Linux. To celebrate Vim's anniversary, creator Bram Moolenaar recently dropped version 8.0. Ordinarily the update of a text editor wouldn't be worth mentioning, but this is the first major Vim release in ten years. In today's world, where web browsers drop major point updates (what they consider major, anyway) several times a year, Vim's lack of major updates is not just refreshing, but speaks of an entirely different approach to developing software. Even leaving aside the absurd version system of today's web browsers, eight releases in 25 years would be considered slow by today's software development standards. Interestingly, though, Vim's biggest rival, GNU Emacs, has a roughly similar development pace. GNU Emacs began life in the 1970s and is currently at version 25, which means it averages two releases to Vim's one, but still definitely on the slow side.
  • Learn to code site Code.org loses student work due to index bug
    Learn-to-code site Code.org is apologising to its students after being caught by a database table maxing out, and dropping progress for an unknown number of participants. In its mea-culpa blog post, the group says it was burned by a database table with a 32-bit index.
  • GCC 7.0 Lands The BRIG Frontend For AMD's HSA
    GCC 7 moved on to only bug/documentation fixes but an exception was granted to allow the BRIG front-end to land for AMD's HSA support in this year's GNU Compiler Collection update. As of this morning, the BRIG front-end has merged. BRIG is the binary form of the Heterogeneous System Architecture Intermediate Language (HSA IL). This BRING front-end also brings the libhsail-rt run-time into GCC. So far BRIG in GCC has just been tested on Linux x86_64.

The best open source software 2017

The term ‘open source’ refers to software whose source code is freely available to download, edit, use and share. There are different types of open source license, which give users different degrees of freedom, but the main aim of open source is to encourage collaboration. Open source software has lots of advantages over other ‘free’ options you’ll come across – even if you’re not a developer yourself. It’s usually maintained by a community and updated frequently to patch vulnerabilities or squish bugs as soon as they’re identified; there are no restrictions on commercial use, so you can happily use it for your home business; and the ability to edit the source means there’s often a wealth of user-created plugins available to download. Read more

COM duo expands upon quad -A53/FPGA Zynq UltraScale+

Enclustra unveiled two Linux-ready COMs based on the quad-core Cortex-A53 based Zynq UltraScale+ ARM/FPGA SoC with DDR4 RAM up to 8GB. Enclustra’s SODIMM-style Mars XU3 and larger Mercury+ XU1 computer-on-modules run Linux on the Xilinx Zynq UltraScale+ MPSoC. They follow Enclustra’s announcement earlier this month of a Linux-friendly Mercury+ AA1 COM running on an Intel/Altera Arria 10 ARM/FPGA hybrid. Enclustra offers several SODIMM-style Mars and larger Mercury COMs equipped with Altera and Xilinx FPGAs or FPGA/ARM hybrid SoCs, including the Altera Cyclone V based Mercury SA1. Read more