Security

Security Leftovers

Filed under
Security
  • Linux Security Summit 2016 – CFP Announced!

    The 2016 Linux Security Summit (LSS) will be held in Toronto, Canada, on the 25th and 26th, co-located with LinuxCon North America. See the full announcement.

  • Tuesday's security updates
  • Your computer-dumb sister can also hack Linux – Orange Tekno Time

    A newly discovered vulnerability makes it incredibly easy to break into a large pool of Linux-based computers. A security hole in Grub2, the bootloader used by many Linux distributions including Ubuntu and Red Hat, lets anyone at the console bypass the bootloader's password protection, and drop into a Grub rescue shell, simply by pressing the backspace key 28 times at the password prompt. Various Linux distributions have released a patch for the vulnerability.

  • New DDoS Defense Turns Servers Into 'Moving Targets'

    The distributed denial-of-service (DDoS) attack is the classic cheap hack. It requires virtually nothing of those who wield it beyond the ability to download something from the internet, yet a DDoS offers unusually public consequences (most real security breaches happen in the dark). It is also difficult to defend against, in some part because it doesn't involve actually breaching a network at all—just flooding it with more innocuous-seeming traffic than it can handle.

  • Google Offers Rare Glimpse at Its Data Center Security Measures

    A laser beam intrusion detection system, customized electronic access cards and biometric iris scans are just some of the multilevel security measures that Google has implemented to control access to its data centers.

  • Ransomware is scary, but not for the reasons you think it is

    If we keep thinking about this and bring the ransomware to its logical conclusion, the future versions are going to request a constant ongoing payment, not a one-time get-out-of-jail-free event. Why charge them once when you can charge them over and over again? Most modern infrastructures are complex enough that it will be hard or impossible to remove an extremely clever bit of malware. It's going to be time for the good guys to step it up here; more thoughts on that some other day though.

    There is even a silly angle that's fun to ponder. We could imagine ransomware that attacks other known malware. If the ransomware is getting a constant ongoing payment, it would be bad if anything else could remove it, from legitimate software to other ransomware. While I don't think antivirus and ransomware will ever converge on the same point, it's still fun to think about.
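The Grub2 item above gives only the symptom (28 backspaces). The published root cause was an integer underflow in the bootloader's username/password line reader: an unsigned length counter is decremented on backspace without first checking that the buffer is already empty, so it wraps and the subsequent "erase one character" write lands outside the buffer. The following is an added model of that bug class written for this page, not GRUB source. Python integers do not wrap, so the counter is masked to 32 bits to mimic C unsigned arithmetic; the buffer size, key codes and the keystroke sequences are constructed for the demonstration. Which memory the stray writes hit in the real binary, and why 28 is the magic count, depends on its layout and is outside this model.

```python
"""Constructed model of an unchecked-decrement (integer underflow) bug in a
fixed-size line reader, beside the one-line fix. Not GRUB code."""

BACKSPACE = "\x7f"      # constructed key code for the backspace key
BUF_LEN = 32            # constructed buffer size
U32_MASK = 0xFFFFFFFF   # mimic a C 'unsigned int' counter


def read_line(keys: str, hardened: bool) -> dict:
    """Feed keystrokes to a simulated fixed-size line buffer.

    Returns the final counter value and how many writes would have landed
    outside the buffer. Out-of-bounds writes are only counted, never
    performed, so the model is safe to run.
    """
    buf = bytearray(BUF_LEN)
    cur_len = 0
    oob_writes = 0
    for k in keys:
        if k == BACKSPACE:
            if hardened and cur_len == 0:
                continue                          # fix: ignore backspace on an empty line
            cur_len = (cur_len - 1) & U32_MASK    # bug: 0 - 1 wraps to 0xFFFFFFFF
            if cur_len < BUF_LEN:
                buf[cur_len] = 0                  # erase the last character (in bounds)
            else:
                oob_writes += 1                   # this write would corrupt memory
            continue
        if cur_len < BUF_LEN - 1:                 # leave room for the terminator
            buf[cur_len] = ord(k) & 0xFF
            cur_len += 1
    return {"cur_len": cur_len, "oob_writes": oob_writes}


def backspace_storm(count: int, hardened: bool) -> dict:
    """Press backspace `count` times at an empty prompt."""
    return read_line(BACKSPACE * count, hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        r = backspace_storm(28, hardened)
        print("hardened" if hardened else "vulnerable",
              "counter=0x%08X" % r["cur_len"],
              "out-of-bounds writes:", r["oob_writes"])
```

With the unchecked decrement, 28 backspaces at an empty prompt produce 28 stray writes and leave the counter at 0xFFFFFFE4; with the check in place nothing is written and the counter stays at zero. The general lesson is the review question to ask of every length or index counter that can be decremented on user input: what happens when it is already zero? Bootloader passwords are, in any case, a control against casual console access, not against an attacker with unrestricted physical access to the disk.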

KDE Plasma 5.6 Gets Its First Point Release, Brings Small Bug Fixes

Filed under
KDE
Security

Today, March 29, 2016, KDE had the great pleasure of announcing the immediate availability of the first point release for the stable KDE Plasma 5.6 desktop environment.

Read more

Security Leftovers

Filed under
Security
  • XSS Hits Zen Cart Open-Source E-commerce App

    Multiple Cross-Site Scripting (XSS) vulnerabilities have been uncovered in the popular open source shopping cart application, Zen Cart.

    XSS allows an attacker to inject malicious client-side scripts into a website, which are later executed in the browsers of victims visiting that website. There are different cross-site scripting variants, all of which can be used to craft different types of attacks. In this case, malicious XSS injections could give attackers access to cookies and sensitive information, and could allow site defacement, which can lead to further attacks.

  • Popular Shopping Cart App Plugs Dozens of XSS Vulnerabilities

    Popular open source shopping cart app Zen Cart is warning its users of dozens of cross-site scripting vulnerabilities found in its software. Affected websites, security experts say, risk exposing customers to malware, theft of cookie data and site defacement.

    Researchers at the security firm Trustwave discovered the vulnerabilities in September 2015 and have worked closely with Zen Cart to update the 1.5.4 version of the shopping cart software. On March 17, Zen Cart released a 1.5.5 update to its software along with a patch for previous versions of Zen Cart, for those customers that wanted to continue using the older platform. Public disclosure of the vulnerability was on Friday.

  • CVE-2016-0774 Linux Kernel moderate vulnerability

A Peek At Upcoming Open Source Enhancements In IBM i

Filed under
OSS
Security

It's hard to quantify the value created through open source development of software. Last year, the Linux Foundation released a white paper that found the total value of the development of the Linux operating system amounted to $5 billion. In 2013, IBM itself committed to donating $1 billion in cold hard cash to further development of Linux and other open source projects. When one considers that nearly all of the cutting-edge IT work being done in distributed computing (i.e., the worlds of Hadoop, Spark, Kafka, and NoSQL databases) involves open sharing of source code--mostly through the Apache Software Foundation--then the humongous value that open source brings comes into view.

Read more

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Secure code before or after sharing? [Ed: FUD season. US moving to FOSS, so parasites pop up]

    The White House wants federal agencies to share more of their custom code with each other, and also to provide more of it to the open source community. That kind of reuse and open source development of software could certainly cut costs and provide more capable software in the future, but is this also an opening for more bugs and insecure code?

  • SMTP Strict Transport Security Standard Drafted for Email Security

    Love it or hate it, email remains a must-have tool in the modern Internet, though email isn't always as secure as it should be. When users connect to email servers, those connections have the potential to be intercepted by attackers, so there is a need for standards, like the new SMTP Strict Transport Security (STS) standard, published March 18 as an Internet Engineering Task Force (IETF) draft.

  • Certified Ethical Hacker website caught spreading crypto ransomware
  • Certificate pinning is a useful thing, says Netcraft. So why do hardly any of you use it?

    Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

    Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority to issue a fraudulent certificate for a site.

    If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

  • Oracle issues emergency Java patch for bug leading to system hijack

    Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.

  • Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection [iophk: The FBI needs to prosecute those that brought Windows into the hospital.]

    A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

  • Judge Won’t Consider EFF’s Arguments in FBI Mass Hacking Case

    Earlier this month, digital rights group the Electronic Frontier Foundation (EFF) filed a strongly worded amicus brief arguing that the warrant used by the FBI for its use of malware to identify visitors of a dark web child pornography site was “unconstitutional,” and qualified as a broad, “general warrant.”

    But on Tuesday, Robert J. Bryan, the district judge overseeing the case, rejected the group's argument, saying it contained allegations of fact not supported in the record, and that it was simply repeating arguments already made by the defense.

    “According to EFF, a self-proclaimed ‘recognized expert’ on the intersection of civil liberties and technology, the law enforcement techniques employed in this case present novel questions of Fourth Amendment law,” Bryan writes in his order. The brief was signed by Mark Rumold, Nate Cardozo, and Andrew Crocker from the EFF, and Venkat Balasubramani, an attorney who is representing the organization.

  • Security education outfit EC-Council dishes out ransomware online

    Senior threat intelligence man Yonathan Klijnsma says the website of the EC-Council, the organisation responsible for the Ethical Hacker certification, is serving the dangerous Angler exploit kit to infect PCs.

    Klijnsma of Dutch firm Fox-IT says the website was serving the world's most highly-capable and dangerous exploit kit hours ago to users of Internet Explorer.

    Checks by this writer appear to show it is still serving the exploit at the time of publication.

  • Weak links in the blockchain: We're neglecting the foundations

    Premature infatuation with blockchain overlooks security weaknesses in the platform that underlies Bitcoin digital currency.
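The Netcraft item above notes how few sites deploy HTTP Public Key Pinning; the excerpt does not show what a pin is or why operators are nervous about it. The following is an added example written for this page, not code from Netcraft or from any browser. It computes pins the way RFC 7469 defines them (base64 of the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo), builds and parses a `Public-Key-Pins` header, applies the RFC's rule that a client may only note a header carrying at least one pin that matches the served chain and at least one backup pin that does not, and then shows what happens on later connections after a planned and an unplanned key rotation. The SPKI blobs are constructed byte strings standing in for real DER structures so the example runs offline without a TLS library.

```python
"""HPKP pin computation and header validation (RFC 7469 rules), added example."""
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
LEAF_SPKI = b"constructed-spki:leaf-key-2016"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"     # kept offline, in no cert yet
ROTATED_LEAF_SPKI = b"constructed-spki:unplanned-new-leaf-key"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis, max_age: int, include_subdomains: bool = False) -> str:
    """Value of the Public-Key-Pins response header for the given keys."""
    directives = [f'pin-sha256="{spki_pin(s)}"' for s in spkis]
    directives.append(f"max-age={max_age}")
    if include_subdomains:
        directives.append("includeSubDomains")
    return "; ".join(directives)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def parse_hpkp_header(header: str) -> dict:
    """Pull the pin set, max-age and includeSubDomains flag out of a header."""
    m = _MAX_AGE_RE.search(header)
    return {
        "pins": set(_PIN_RE.findall(header)),
        "max_age": int(m.group(1)) if m else None,
        "include_subdomains": "includesubdomains" in header.lower(),
    }


def header_is_noteworthy(header: str, chain_spkis):
    """Client-side acceptance rule from RFC 7469 section 2.5.

    A header is noted (and enforced for max-age seconds) only if it has a
    max-age, at least one pin matches a key in the served chain, and at
    least one pin does NOT match any key in the chain (the backup pin).
    Returns (accepted, reason).
    """
    p = parse_hpkp_header(header)
    if p["max_age"] is None:
        return False, "missing max-age"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not (p["pins"] & chain_pins):
        return False, "no pin matches the served chain"
    if not (p["pins"] - chain_pins):
        return False, "no backup pin: a key rotation would lock visitors out"
    return True, "ok"


def chain_passes_pins(stored_pins, chain_spkis) -> bool:
    """Later connection: does the served chain contain any pinned key?"""
    return any(spki_pin(s) in stored_pins for s in chain_spkis)


if __name__ == "__main__":
    header = build_hpkp_header([LEAF_SPKI, BACKUP_SPKI], 5184000, include_subdomains=True)
    print("Public-Key-Pins:", header)
    print("accepted:", header_is_noteworthy(header, [LEAF_SPKI, INTERMEDIATE_SPKI]))
    stored = parse_hpkp_header(header)["pins"]
    print("rotate to backup key:", chain_passes_pins(stored, [BACKUP_SPKI, INTERMEDIATE_SPKI]))
    print("rotate to unpinned key:", chain_passes_pins(stored, [ROTATED_LEAF_SPKI, INTERMEDIATE_SPKI]))
```

The two-pin rule is the important operational detail: a header that pins only keys already in the served chain is ignored by conforming clients, and a site that rotates to a key it never pinned is unreachable for every returning visitor until `max-age` (here 60 days) expires. That lockout risk, which no certificate authority can undo for you, is the main reason operators stayed away, and browsers have since withdrawn support for HPKP altogether (Chrome removed it in 2018), so the mechanism is now mostly of historical and instructive interest.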

FreeNAS 9.10 Open-Source Storage Operating System Adds USB 3.0 & Skylake Support

Filed under
Security
BSD

Jordan Hubbard from the FreeNAS project, an open-source initiative to create a powerful, free, secure, and reliable NAS (Network-attached storage) operating system based on BSD technologies, announced the release of FreeNAS 9.10.

FreeNAS 9.10 is the tenth maintenance release in the current stable 9.x series of the project, thus bringing the latest security patches from upstream, support for new devices, as well as several under-the-hood updates. As expected, FreeNAS 9.10 has been rebased on the latest FreeBSD 10.3 RC3 (Release Candidate) release.

Read more
