Security

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • BadTunnel: Critical vulnerability affects every version of Microsoft's OS since Windows 95

    A security researcher from Tencent, China's largest internet service portal, has discovered a critical security flaw in Microsoft's Windows operating system that affects every single version of Windows over the last two decades, from Windows 95 all the way to Windows 10.

  • Decentralized Security

    If you're a fan of the cryptocurrency projects, you've heard of something called Ethereum. It's similar to bitcoin, but is a separate coin. It's been in the news lately due to an attack on the currency. Nobody is sure how this story will end at this point, there are a few possible options, none are good. This got me thinking about the future of security, there are some parallels when you compare traditional currency to crypto currency as well as where we see security heading (stick with me here).

    The current way currency works is there is some central organization that is responsible for minting and controlling the currency, usually a country. There are banks, exchanges, loans, interest, physical money, and countless other ways the currency interacts with society. We will compare this to how IT security has mostly worked in the past. You had one large organization responsible for everything. If something went wrong, you could rely on the owner to take control and make things better. There are some instances where this isn't true, but in general it holds.

    Now if we look at cryptocurrency, there isn't really a single group or person in charge. That's the whole point though. The idea is to have nobody in charge so the currency can be used with some level of anonymity. You don't have to rely on some sort of central organization to give the currency legitimacy, the system itself has legitimacy built in.

Parrot Security OS 3.0 Ethical Hacking Distro Is Out, Now Ready for Raspberry Pi

Filed under
OS
Security

Parrot Security OS developer Frozenbox Network was extremely proud to announce the release of the final Parrot Security OS 3.0 "Lithium" computer operating system.

Security Leftovers

Filed under
Security
  • Making a Case for Security Analytics

    Being a victim of a data breach no longer results in a slap on the wrist. Instead it can lead to costly fines, job loss, physical damage and an organization's massive loss of reputation. Case in point: Target. Following its high-profile breach in late 2013, Target suffered large losses in market valuation and paid more than $100 million in damages.

  • GoToMyPC password hack – urgent, change passwords NOW

    If you use the popular Citrix GoToMyPC remote access product for macOS, Windows, Kindle, iOS, and Android you will need to change all passwords now.

  • Web Application Defender's Field Report: Account Takeover Campaigns Spotlight

    ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi. The goal of the attacks is to identify valid login credential data that can then be sold to gain fraudulent access to user accounts. ATO may be considered a subset of brute force attacks, however it is an increasing threat because it is harder to identify such attacks through traditional individual account authentication errors. The Akamai Threat Research Team analyzed web login transactions for one week across our customer base to identify ATO attack campaigns.

  • Google's security princess talks cybersecurity

    Her talk was even-keeled, informative, and included strong FOSS messaging about everyone's vested interest in internet security and privacy. After the talk was done, I watched her take audience questions (long enough for me to take a short conference call) where she patiently and handily fielded all manner of queries from up and down the stack.

BusyBotNet is a Fork of Busybox with Security Tools

Filed under
OSS
Security

Busybox provides a lightweight version of common command line utilities normally found on “big” Linux into a single binary, in order to bring them to embedded systems with limited memory and storage. As more and more embedded systems are now connected to the Internet, or as they are called nowadays the Internet of Things nodes, adding security tools, such as cryptographic utilities, could prove useful for administrators of such systems, and so BusyBotNet project was born out of a fork of Busybox.

Security Leftovers

Filed under
Security
  • Intel x86s hide another CPU that can take over your machine (you can't audit it)

    Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

  • Let’s Encrypt Accidentally Spills 7,600 User Emails

    Certificate authority Let’s Encrypt accidentally disclosed the email addresses of several thousand of its users this weekend.

    Josh Aas, Executive Director for the Internet Security Research Group (ISRG), the nonprofit group that helped launch the CA, apologized for the error on Saturday. In what Let’s Encrypt dubbed a preliminary report posted shortly after it happened, Aas blamed the faux pas on a bug in the automated email system the group uses.

  • phpMyAdmin Project Successfully Completes Security Audit

    Software Freedom Conservancy congratulates its phpMyAdmin project on successfully completing a thorough security audit, as part of Mozilla's Secure Open Source Fund. No serious issues were found in the phpMyAdmin codebase.

  • StartCom launches a new service - StartEncrypt

    StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, announces a new service – StartEncrypt today, an automatic SSL certificate issuance and installation software for your web server.

Security Leftovers

Filed under
Security
  • Mozilla Funds Open Source Code Audits

    As part of the Mozilla Open Source Support program (MOSS), the Mozilla Foundation has set up a fund dedicated to helping open source software projects eradicate code vulnerabilities.

  • Intel Hidden Management Engine – x86 Security Risk?

    So it seems the latest generation of Intel x86 CPUs have implemented an Intel hidden management engine that cannot be audited or examined. We can also assume at some point it will be compromised and security researchers are labelling this as a Ring -3 level vulnerability.

  • Smart detection for passive sniffing in the Tor-network

    If you haven't yet read about my previous research regarding finding bad exit nodes in the Tor network you can read it here. But the tl;dr is that I sent unique passwords through every exit node in the Tor network over HTTP. This meant that it was possible for the exit node to sniff the credentials and use them to login on my fake website which I had control over.

  • Lone hacker, not Russian spies, responsible for Democratic Party breach

    RED-FACED SECURITY OUTFIT CrowdStrike has admitted that the Russian government wasn't responsible for a hack on the Democratic Party after lone hacker Guccifer 2 claimed that he was responsible for the breach.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Network Security: The Unknown Unknowns

    I recently thought of the apocryphal story about the solid reliability of the IBM AS/400 systems. I’ve heard several variations on the story, but as the most common version of the story goes, an IBM service engineer shows up at a customer site one day to service an AS/400. The hapless employees have no idea what the service engineer is talking about. Eventually the system is found in a closet or even sealed in a walled off space where it had been reliably running the business for years completely forgotten and untouched. From a reliability perspective, this is a great story. From a security perspective, it is a nightmare. It represents Donald Rumsfeld’s infamous “unknown unknowns” statement regarding the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups.

  • The average cost of a data breach is now $4 million

    The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to the Ponemon Institute.

  • The story of a DDoS extortion attack – how one company decided to take a stand [iophk: “yet another way that cracked MS machines are big money”]

    Instead of simply ordering his company to defend itself in conventional fashion he was going to write to all 5,000 of Computop’s customers and partners telling them that on 15 June his firm’s website was likely to be hit with a DDoS attack big enough to cause everyone serious problems.

pfSense 2.3.1 FreeBSD Firewall Gets New Update to Patch Web GUI Security Issues

Filed under
Security
BSD

Chris Buechler from pfSense announced earlier today, June 16, 2016, that there's a new maintenance update available for the pfSense 2.3.1 FreeBSD-based firewall distribution.

pfSense 2.3.1 Update 5 (2.3.1_5) is a small bugfix release for the pfSense 2.3.1 major update announced last month, and since pfSense now lets its maintainers update only individual parts of the system, we see more and more small builds like this one, which patch the most annoying issues.

Security Leftovers

Filed under
Security
  • BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions

    The research of Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

  • 'BadTunnel' Bugs Left Every Microsoft Windows PC Vulnerable For 20 Years [Ed: no paywall/malware in this link]

    Microsoft is today closing off a vulnerability that one Chinese researcher claims has "probably the widest impact in the history of Windows." Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.

    According to Yang Yu, founder of Tencent's Xuanwu Lab, the bug can be exploited silently with a "near-perfect success rate", as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target's web use, granting the hacker "Big Brother power", as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft's bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.

    "Even security software equipped with active defense mechanisms are not able to detect the attack," Yu told FORBES. "Of course it is capable of execute malicious code on the target system if required."

  • Getting Things Wrong From The Beginning…

    GNU/Linux and never had any problems with software the rest of the school year. I’ve been using GNU/Linux ever since and have had no regrets. It’s been the right way to do IT. My wife saw the light a few years ago. She was tired of years of TOOS failing every now and then and needing re-installation. Once her business started using a web application, she had no more need of TOOS, none.

  • Hackers Show How To Hack Anyone’s Facebook Account Just By Knowing Phone Number

    By exploiting the SS7 flaw, a hacker can hack someone’s Facebook account just by knowing the associated phone number. This flaw allows a hacker to divert the OTP code to his/her own phone and use it to access the victim’s Facebook account. The security researchers, who have explained the hack in a video, advise the users to avoid adding their phone numbers to the public services.

More in Tux Machines

Leftovers: OSS and Sharing

  • Learn from the Experts at The Linux Foundation’s Europe Events
    The Linux Foundation has released session details for three major conferences coming up this fall: MesosCon Europe, Embedded Linux Conference / OpenIoT Summit Europe, and LinuxCon + ContainerCon Europe. MesosCon Europe, which will take place August 31-September 1 in Amsterdam, The Netherlands, is an annual conference organized by the Apache Mesos community, bringing together users and developers for two days of sessions about Mesos and related technologies. This year, the MesosCon program will include workshops to get started with Mesos, keynote speakers from industry leaders, and sessions led by adopters and contributors.
  • The Firebird Project's Firebird Relational Database
    Firebird distills its identity into the phrase "True universal open-source database" and boasts not only of being "free like free beer" but also, fittingly, of being "free like a bird". The latter permits anyone to build a custom version of the Firebird, as long as the modifications are made available for others to use and build upon.
  • Report: Austria can benefit from Big Data solutions
    Big Data solutions can contribute significantly to Austrian public administrations, a working group concludes in a report published in June. Benefits include improved quality of life, finding optimal business locations, and offering better guidance to citizens. The report by the Big Data working group aims to help public administration when considering Big Data solutions, providing legal, economic and technical context.
  • Report: over half of Spain’s regions now use SaaS
    In 2014, 59% of Spain’s regional governments used Software as a Service, according to the 2015 eGovernment report published on 30 June by PAe, Spain’s eGovernment portal. Next most-used cloud computing service is Infrastructure as a Service (40%), and third is Platform as a Service (20%). The usage of cloud computing is just one of the attributes of and indicators for eGovernment services that are aggregated in the report. The document shows the use of document management systems and support of electronic signatures. The text looks at interoperability, open data portals and eParticipation, lists region’s maturity levels of eGovernment services, from the availability to download forms online to the fully electronic management of applications.
  • Software Freedom in Kosovo, Waiting for Xfce Mint & More…
    It’s not FOSS, but I reckon the biggest story in tech this week, ignoring claims of Russia hacking for Trump, is the sale of Yahoo to Verizon for $4.8 billion. Considering that traffic watcher Alexa says the site is the fifth most visited address on the web, that seems like something of a bargain to me. Add to that Yahoo’s prime Silicon Valley real estate and the price seems to be in the “it fell off the truck” category. The sale puts Verizon in control of both America Online and Yahoo, so I suspect we’ll be seeing Verizon trying to compete with Google and Bing for a share of the search advertising market. [...] We’ve also heard from Software Freedom Kosova, which tells us it’s issued this year’s call for speakers, which will be open through September 15. This will be the seventh year for the Kosovo event, which aims to “promote free/libre open source software, free culture and open knowledge” — all laudable goals in my estimation. Potential speakers should know “the topic must be related to free software and hardware, open knowledge and culture.” Mike DuPont, the SFK member who made us aware of the event, told FOSS Force, “There might be travel expenses for qualified speakers.” The event will take place October 21-23.
  • Cloud, open source and DevOps: Technology at the GLA
    David Munn, head of IT at the Greater London Authority, explains what technology his organisation has adopted in order to help individuals keep innovating
  • Our attitude towards wealth played a crucial role in Brexit. We need a rethink
    Money was a key factor in the outcome of the EU referendum. We will now have to learn to collaborate and to share [...] Does money matter? Does wealth make us rich any more? These might seem like odd questions for a physicist to try to answer, but Britain’s referendum decision is a reminder that everything is connected and that if we wish to understand the fundamental nature of the universe, we’d be very foolish to ignore the role that wealth does and doesn’t play in our society.
  • France’s Insee and Drees publish microsimulation model to increase transparency
    Insee (Institut national de la statistique), the French public agency for statistics, and Drees (Direction des études du Ministère des Affaires sociales et de la santé), which is in charge of surveys at the Ministry of Social Affairs and Health, have published the source code of the microsimulation algorithmic model called Ines.
  • Plant Sciences pushing open-source berry model
    Several of those opportunities appear to lie in the development of so-called ‘open market’ breeding. Historically, Plant Sciences’ berry varieties have made it into the commercial arena under limited licensing arrangements, with individuals or groups of grower-shippers paying a premium to use them. While Nelson is eager to point out that this model continues to perform well, his company have decided to structure its business in Europe in such a way that it offers varieties to the “largest audience possible” at the most competitive price. “Given the price pressures that producers, marketers and retailers are under, we sense that such an approach is needed to remain most viable going forward and bring new varieties forward to the broadest market,” he explained.
  • Drug discovery test leads to malaria drug prospects at UW
  • Worldwide Open-Source Project Discovers Promising Disease-Fighting Compounds
  • Open-source drug discovery a success
  • The Global Open Data Index to be updated
    Open Knowledge International, a not-for-profit organisation that promotes openness and transparency, has decided to update the survey for its Global Open Data Index. This index measures Open Data publication in 122 countries.
  • This Startup Created the Ultimate Open-Source Prototyping Product
    The world has become a technologically focused place. Unless you’ve set up shop in a cabin in the woods, your life is likely filled with gadgets, wearables, devices, and doodads that control everything from your TV to your laptop. And with all this technology, it’s no wonder tech jobs have become so prevalent in the market. Fortunately, there are a number of ways to learn skills and prototyping projects that will impress even the most critical interviewer. And one startup has built the perfect product to do just that. Created by a group of students from the India Institute of Technology, evive is an open-source prototyping module that can make creating projects easier than ever. It has a power module, plug and play hardware interface, user interface, data acquisition module, shield stack space and more. It’s even IoT ready so it can connect to more devices than you can count. Plus, it works across multiple platforms like LabVIEW, MATLAB, Scratch, Eclipse, ROS, Python, Arduino IDE and many more.
  • Friday's security updates
  • Pwnie Express Open Sources Tools to Lock Down IoT/Android Security
    Pwnie Express isn't a name that everyone is familiar with, but in the security arena the company has a good reputation for its wired and wireless threat detection technologies. Now, the Boston-based firm has announced plans to open source key tools that it has used to secure the Internet of Things (IoT) and Android software. Blue Hydra is a Bluetooth utility that can detect Bluetooth devices, and also work as a sniffer to query devices it detects for threats. Meanwhile, the Android Open Pwn Project (AOPP), is an Android ROM built for security testers. It's based on the Android Open Source Project (AOSP) and community-developed ROMS -- one of which is CyanogenMod. It lets developers on the Android front sniff out threats on mobile platforms.

Sailfish OS 2.0.2

  • Sailfish OS 2.0.2 In Early Access With Variety Of Improvements
    Jolla announced today that their Sailfish OS 2.0.2 "Aurajoki" mobile operating system release is available as early access. Sailfish OS 2.0.2 makes it easier to take screenshots via the volume buttons, a variety of new keyboard layouts, a new layout on the media app, a new Sailfish OS logo, simplified backups, browser improvements, support for flash when recording videos, the cloud services now supports the VK service, dual SIM support on capable devices, Dropbox and OneDrive integration in the photo gallery, and a wide variety of other fixes and improvements.
  • [Early Access] Sailfish OS 2.0.2 Aurajoki
    This update contains many bug fixes and new added features such as taking screenshot by holding down volume buttons for 0.5 seconds, added keyboard layouts for Indian languages Telugu, Malayalam, Kannada, Punjabi, Tamil and Bengali, new layout on Media app’s front page, new Sailfish OS logo and many more.