Security

Security: DNA, Marcus Hutchins, and Microsoft Windows in Hotels

Filed under: Security

Slackware Security and Windows Insecurity

Filed under: Microsoft, Security, Slack
  • OpenJDK7 and Flash Player security updates (Aug ’17)

    On the blog of IcedTea release manager Andrew Hughes (aka GNU/Andrew) you can find the announcement for IcedTea 2.6.11 which builds OpenJDK 7u151_b01. This release includes the official July 2017 security fixes for Java 7. Note that the security updates for Java 8 were already pushed to my repository some time ago.

  • Kremlin's hackers 'wield stolen NSA exploit to spy on hotel guests in Europe, Mid East'

    Miscreants are using various techniques, including the leaked NSA EternalBlue exploit also wielded by the WannaCry malware, to hack into laptops and other devices used by government and business travelers, FireEye researchers declared on Friday.

Security: Canonical, CVE-2017-12836, GDPR, CIS, Fancy Bear and More

Filed under: Security

Change Control Security Fixes

Filed under: Development, Security

Ubuntu Received 29 Security Patches for 15 Supported Packages in the Last Week

Filed under: Security

Canonical's James Donner published the August 10, 2017, weekly update on the Ubuntu Security team's activities: the team triaged 242 security vulnerability reports and published 13 USNs (Ubuntu Security Notices).


Security: AI Apocalypse and Microsoft Windows Apocalypse

Filed under: Security

Security: Updates, Password Advice, Salesforce, Pacer and More

Filed under: Security
  • Security updates for Thursday
  • Password guru regrets past advice

    Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols - so, for example, "protected" might become "pr0t3cT3d4!".

    The problem, he believes, is that the theory came unstuck in practice.

    Mr Burr now acknowledges that his 2003 manual was "barking up the wrong tree".

  • Salesforce “red team” members present tool at Defcon, get fired

    At Defcon in Las Vegas last month, word rapidly spread that two speakers—members of Salesforce's internal "red team"—had been fired by a senior executive from Salesforce "as they left the stage." Those two speakers, who presented under their Twitter handles, were Josh "FuzzyNop" Schwartz, Salesforce's director of offensive security, and John Cramb, a senior offensive security engineer.

  • “Pretty egregious” security flaw raises questions about Pacer

    The Pacer court document service used by more than a million journalists and lawyers has raked in more than $1 billion since it was established in 1995, but a new report questions whether its administrators have put enough of that windfall into securing the system. Hanging in the balance is the reliability of a service that's crucial for the smooth functioning of the entire US federal court system.

    Until Wednesday, Pacer suffered from a vulnerability that made it possible for hackers to charge download and search-query fees to other users, as long as those users visited a booby-trapped webpage while logged in to a Pacer website. Officials with the non-profit known as the Free Law Project also speculate that the same flaw—known as a cross-site request forgery—may also have allowed hackers to file court documents on behalf of unsuspecting attorneys who happened to be logged in to Pacer. If the speculation is correct, the flaw had the potential to severely disrupt or complicate ongoing court cases. Pacer administrators, however, have told Free Law the fraudulent filing hack wasn't possible.

    Even if the hypothesis is wrong, the flaw still made it possible for hackers to cause Pacer users to be billed for services they never requested. The users would have a hard time figuring out why they were being charged for downloads and searches they never made. Even when the users changed passwords, their accounts could still rack up fraudulent charges whenever they were simultaneously logged in to the hacked or malicious site and one of the Pacer sites.

  • How cloud-native security can prevent modern attacks

    When I first set out to start my company, I received some backlash from a former colleague that cybersecurity was not “interesting anymore.” I disagreed, which I’m sure most people now do. As technology evolves, there will always be new ways (and new groups) to hack into systems, whether it’s for fun, profit or for national security reasons. That’s why it’s no surprise that within the past few years, cybersecurity has been a top concern for businesses. According to a recent report, cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion just a year ago, proving that enterprises literally cannot afford to forgo strong cybersecurity measures.

  • We can stop hacking {sic} and trolls, but it would ruin the internet

    A new way to run the internet would scupper ransomware and hacking, but its authoritarian backers could control everything we do online

  • Mingis on Tech: Android vs iOS – Which is more secure?

Red Hat and Servers

Filed under: Red Hat, Security

Security: Updates, Mastering matplotlib, Carbon Black, DDOS Arrests, and HashiCorp

Filed under: Security
  • Security updates for Wednesday
  • Mastering matplotlib: Acknowledgments
  • More Details on the PACER Vulnerability We Shared with the Administrative Office of the Courts

    PACER/ECF is a system of 204 websites that is run by the Administrative Office of the Courts (AO) for the management of federal court documents. The main function of PACER/ECF is for lawyers and the public to upload and download court documents such as briefs, memos, orders, and opinions.

    In February we reported that we disclosed a major vulnerability in PACER/ECF to the AO. The proof of concept and disclosure/resolution timeline are available here.

  • Endpoint security firm leaking terabytes of data

    Endpoint security software vendor Carbon Black has been found to be exfiltrating data from several Fortune 1000 companies due to the architecture of its Cb Response software, the information security services and managed services provider DirectDefense claims.

  • Teenagers charged over allegedly running huge DDoS operation

    Two Israeli teenagers, who have been alleged to have co-founded and run a company used for launching distributed denial of service attacks, have been arrested and indicted on conspiracy and hacking charges.

  • HashiCorp Vault Brings Disaster Recovery to Secrets Management

    HashiCorp has released new versions of both its open-source and enterprise editions of its Vault secrets management platform, providing new scalability and security operations capabilities.

    Vault helps organizations securely store and access application tokens, passwords and authentication credentials, which collectively are commonly referred to as "secrets" in an information security context.

Security: Fines for Insecurity, Open Source Security Podcast, Linux Security Questions, Updates and More

Filed under: Security

More in Tux Machines

GNU/Linux, Docker Gain in Rented Space

LibreOffice Help From FSF, Mike Saunders

  • New FSF membership benefit: LibreOffice certification
    The Free Software Foundation (FSF) today announced that the opportunity to apply for LibreOffice certification for migrations and trainings is now available to FSF Associate Members. LibreOffice is a free software project of The Document Foundation (TDF), a non-profit based in Germany. An office suite, LibreOffice encompasses word processing, and programs for the creation and editing of spreadsheets, slideshows, databases, diagrams and drawings, and mathematical formulae. It uses the ISO standard OpenDocument file format (ODF).
  • Marketing activities so far in 2017: Mike Saunders
    Thanks to donations to The Document Foundation, along with valued contributions from our community, we maintain a small team working on various aspects of LibreOffice including documentation, user interface design, quality assurance, release engineering and marketing. Together with Italo Vignoli, I help with the latter, and today I’ll summarise some of the achievements so far in 2017.

Debian/Ubuntu: Q4OS, Ubuntu Dock and LXD Weekly Status Update

  • There's Now a Windows 10 Installer for the Debian-Based Q4OS Linux Distribution
    The Q4OS development team is pleased to inform us today about the immediate availability for download of a Windows installer for their Debian-based GNU/Linux distribution, Q4OS, allowing users to create a dual-boot environment on their PCs. For those not familiar with Q4OS, it's an open-source and free Linux distro based on the popular Debian GNU/Linux operating system and built around the Trinity Desktop Environment (TDE), which resembles the look and feel of the old-school KDE 3.5 desktop environment. Created with an emphasis on Windows users who want to migrate to a free, open-source, and more secure operating system, Q4OS now lets them install the distribution alongside Microsoft Windows in an easy manner, without having to make any modifications to your personal computer or install any other apps.
  • Ubuntu Dock Now Has Dynamic Transparency
    Ubuntu devs have listened to our gripe on the jarring contrast between GNOME 3.26's transparent top bar and the Ubuntu Dock.
  • Ubuntu Dock Features Adaptive Transparency on Ubuntu 17.10, Here's How It Works
    Ubuntu contributor Didier Roche continues his development on the look and feel of the upcoming Ubuntu 17.10 (Artful Aardvark) operating system, and today he announced that Ubuntu Dock is getting adaptive transparency. Canonical confirmed that Ubuntu 17.10 would come with the GNOME 3.26 desktop environment by default, though the default session has suffered numerous modifications compared to the vanilla one to make things easier for those using the Unity interface on Ubuntu 17.04 (Zesty Zapus) or Ubuntu 16.04 LTS (Xenial Xerus). Most probably, Ubuntu 16.04 LTS users won't upgrade to Ubuntu 17.10, but we're sure Ubuntu 17.04 users will because it'll reach end of life in about four months from the moment of writing, sometime in January 2018. Therefore, Canonical wants to make their Unity to GNOME transition as painless as possible.
  • LXD: Weekly Status #15
    This week has been pretty quiet as far as upstream changes since half the team was attending the Open Source Summit, the Linux Plumbers Conference and the Linux Security Summit in Los Angeles, California.

Events: KDE/Randa 2017 and Linux Foundation

  • KMyMoney’s Łukasz Wojniłowicz in Randa
    Please read the following guest post from Łukasz who joined me last week in Randa to work on KMyMoney.
  • Randa 2017 – Databases are back to KMyMoney
    On the morning of Day 5 we chased and fixed a problem that was introduced a long time ago but never caused any trouble. The code goes back into the KDE3 version of KMyMoney and was caused by some changes inside Qt5. The fix prevents a crash when saving a transaction which opens an additional dialog to gather more information (e.g. price information). With the help of other devs here in Randa, we were able to drill down the problem and update the code to work on KF5/Qt5 keeping the existing functionality.
  • Randa 2017 – Days 3 and 4
    On Day 3, we started out at 7:02 as usual with the team responsible for breakfast meeting in the kitchen. KMyMoney wise, we worked some more on keyboard navigation and porting to KF5. The dialog to open a database and the logic around it have been rewritten/fixed, so that it is now possible to collect the information from the user and proceed with opening. The database I have on file for testing does not open though due to another problem which I still need to investigate.
  • Watch the Keynote Videos from Open Source Summit in Los Angeles
    If you weren’t able to attend Open Source Summit North America 2017 in Los Angeles, don’t worry! We’ve rounded up the following keynote presentations so you can hear from the experts about the growing impact of open source software.
  • uniprof: Transparent Unikernel for Performance Profiling and Debugging
    Unikernels are small and fast and give Docker a run for its money, while at the same time still giving stronger features of isolation, says Florian Schmidt, a researcher at NEC Europe, who has developed uniprof, a unikernel performance profiler that can also be used for debugging. Schmidt explained more in his presentation at Xen Summit in Budapest in July. Most developers think that unikernels are hard to create and debug. This is not entirely true: Unikernels are a single linked binary that comes with a shared address space, which means you can use gdb. That said, developers do lack tools, such as effective profilers, that would help create and maintain unikernels.