Security

Security Leftovers

Filed under
Security
  • This Single Command Can Hack Your Windows AppLocker In Seconds

    If you use Windows AppLocker to restrict others from using some applications and locking down your Windows PC, here’s something to worry about. Casey Smith, a security researcher, has found a way to bypass the AppLocker whitelist and run arbitrary scripts. IT admins are advised to run this command on their systems and see if some loopholes exist in their network.

  • Here's how I verify data breaches

    Other headlines went on to suggest that you need to change your password right now if you're using the likes of Hotmail or Gmail, among others. The strong implication across the stories I've read is that these mail providers have been hacked and now there's a mega-list of stolen accounts floating around the webs.

  • The Top 4 in a Linux Environment
  • An update on SSH protocol 1

    At this stage, we're most of the way towards fully deprecating SSH protocol 1 - this outlines our plans to complete this task.

  • High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic
  • Firejail 0.9.40-rc1 Release Announcement

    We are happy to announce the release candidate of Firejail version 0.9.40-rc1 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release includes a number of major features, such as X11 sandboxing support, file transfers between sandboxes and the host system, run-time configuration support, Ubuntu 14.04 AppArmor support, and firecfg, a desktop configuration utility. A number of smaller features, documentation and bugfixes are also included:

Security Leftovers

Filed under
Security
  • Friday's security updates
  • OpenSSL Patches Six Vulnerabilities

    Only two of the flaws patched are rated as high impact, and none is getting the Heartbleed treatment.
    The open-source OpenSSL cryptographic library project issued a security update this week that patched six issues, though only two of them are rated "critical."

  • Critical Linux Kernel Update for Ubuntu 16.04 LTS Patches 15 Vulnerabilities

    Canonical published a new security notice to inform the community about the availability of an important kernel update for the Ubuntu 16.04 LTS (Xenial Xerus) operating system.

  • Linus Torvalds Talks IoT, Smart Devices, Security Concerns, and More [Video]

    Torvalds remained customarily philosophical when Hohndel asked about the gaping security holes in IoT. “I don’t worry about security because there’s not a lot we can do,” he said. “IoT is unpatchable -- it’s a fact of life.”

    The Linux creator seemed more concerned about the lack of timely upstream contributions from one-off embedded projects, although he noted there have been significant improvements in recent years, partially due to consolidation on hardware.

    “The embedded world has traditionally been hard to interact with as an open source developer, but I think that’s improving,” Torvalds said. “The ARM community has become so much better. Kernel people can now actually keep up with some of the hardware improvements. It’s improving, but we’re not nearly there yet.”

    Torvalds admitted to being more at home on the desktop than in embedded and to having “two left hands” when it comes to hardware.

    “I’ve destroyed things with a soldering iron many times,” he said. “I’m not really set up to do hardware.” On the other hand, Torvalds guessed that if he were a teenager today, he would be fiddling around with a Raspberry Pi or BeagleBone. “The great part is if you’re not great at soldering, you can just buy a new one.”

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • OpenSSL patches two high-severity flaws

    OpenSSL has released versions 1.0.2h and 1.0.1t of its open source cryptographic library, fixing multiple security vulnerabilities that can lead to traffic being decrypted, denial-of-service attacks, and arbitrary code execution. One of the high-severity vulnerabilities is actually a hybrid of two low-risk bugs and can cause OpenSSL to crash.

  • Linux Foundation Advances Security Efforts via Badging Program

    The Linux Foundation Core Infrastructure Initiative's badging program matures, as the first projects to achieve security badges are announced.

  • Linux Foundation tackles open source security with new badge program
  • WordPress Plugin ‘Ninja Forms’ Security Vulnerability

    FOSS Force has just learned from Wordfence, a security company that focuses on the open source WordPress content management platform, that a popular plugin used by over 500,000 sites, Ninja Forms, contains serious security vulnerabilities.

  • Preparing Your Network for the IoT Revolution

    While there is no denying that IP-based connectivity continues to become more and more pervasive, this is not a fundamentally new thing. What is new is the target audience is changing and connectivity is becoming much more personal. It’s no longer limited to high end technology consumers (watches and drones) but rather, it is showing up in nearly everything from children’s toys to kitchen appliances (yes again) and media devices. The purchasers of these new technology-enabled products are far from security experts, or even security aware. Their primary purchasing requirements are ease of use.

  • regarding embargoes

    Yesterday I jumped the gun committing some patches to LibreSSL. We receive advance copies of the advisory and patches so that when the new OpenSSL ships, we’re ready to ship as well. Between the time we receive advance notice and the public release, we’re supposed to keep this information confidential. This is the embargo. During the embargo time we get patches lined up and a source tree for each cvs branch in a precommit state. Then we wait with our fingers on the trigger.

    What happened yesterday was I woke up to a couple OpenBSD developers talking about the EBCDIC CVE. Oh, it’s public already? Check the OpenSSL git repo and sure enough, there are a bunch of commits for embargoed issues. Pull the trigger! Pull the trigger! Launch the missiles! Alas, we didn’t look closely enough at the exact issues fixed and had missed the fact that only low severity issues had been made public. The high severity issues were still secret. We were too hasty.

  • Medical Equipment Crashes During Heart Procedure Because of Antivirus Scan [Ed: Windows]

    A critical piece of medical equipment crashed during a heart procedure because of a scheduled scan triggered by the antivirus software installed on the PC to which the device was sending data for logging and monitoring.

  • Hotel sector faces cybercrime surge as data breaches start to bite

    Since 2014, things have become a lot more serious, with a cross section of mostly US hotels suffering major breaches via Point-of-Sale (POS) terminals. Panda Security lists a string of attacks on big brands including Trump Hotels, Hilton Worldwide, Hyatt, Starwood, and Rosen Hotels & Resorts, as well as two separate attacks on hotel management outfit White Lodging and another on non-US hotel Mandarin Oriental.


IPFire 2.19 - Core Update 102 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 102. This update contains various security fixes in the OpenSSL library. It is recommended to install this update as soon as possible.



ImageMagick Security Bug Puts Sites at Risk

Filed under
Security
  • Open Source ImageMagick Security Bug Puts Sites at Risk

    ImageMagick, an open source suite of tools for working with graphic images used by a large number of websites, has been found to contain a serious security vulnerability that puts sites using the software at risk of malicious code being executed on the site. Security experts consider exploitation so easy that they are calling it “trivial,” and exploits are already circulating in the wild. The biggest risk is to sites that allow users to upload their own image files.

    Information about the vulnerability was made public Tuesday afternoon by Ryan Huber, a developer and security researcher, who wrote that he had little choice but to post about the exploit.

  • Huge number of sites imperiled by critical image-processing vulnerability

    A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.

    The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

  • Extreme photo-bombing: Bad ImageMagick bug puts countless websites at risk of hijacking

    A wildly popular software tool used by websites to process people's photos can be exploited to execute malicious code on servers and leak server-side files.

    Security bugs in the software are apparently being exploited in the wild right now to compromise at-risk systems. Patches to address the vulnerabilities are available in the latest source code – but are incomplete and have not been officially released, we're told.

Security Leftovers

Filed under
Security
  • Security advisories for Tuesday
  • Mozilla Releases Firefox 46.0.1 to Fix Bugs and Limit Sync Registration Updates

    Today, May 3, Mozilla has pushed the first point release of the recently launched Firefox 46.0 web browser to all supported platforms, including GNU/Linux, Mac OS X, and Microsoft Windows.

    Mozilla announced the release of Firefox 46.0 on April 26, 2016, bringing the long-anticipated GTK3 integration for the GNU/Linux platform. Other interesting features are enhanced security for the JavaScript JIT (Just In Time) compiler and improvements to the screen reader behavior with blank spaces for Google Docs.

  • Aging and bloated OpenSSL is purged of 2 high-severity bugs

    Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers.

Security Leftovers

Filed under
Security
  • Linux Foundation launches badge program to boost open source security

    The Linux Foundation has released the first round of CII Best Practices badges as part of a program designed to improve the quality and security of open-source software.

    Announced on Tuesday, the non-profit said the Core Infrastructure Initiative (CII), a project which brings tech firms, developers and stakeholders together to create best practice specifications and improve the security of critical open-source projects, has now entered a new stage with the issue of CII badges to a select number of open-source software.

  • Free Badge Program Signals What Open Source Projects Meet Criteria for Security, Quality and Stability
  • How to Conduct Internal Penetration Testing

    The best way to establish how vulnerable your network is to a hacker attack is to subject it to a penetration test carried out by outside experts. (You must get a qualified third party to help with penetration testing, of course, and eSecurity Planet recently published an article on finding the right penetration testing company.)

  • SSH for Fun and Profit

    In May last year, a new attack on the Diffie Hellman algorithm was released, called Logjam. At the time, I was working on a security team, so it was our responsibility to check that none of our servers would be affected. We ran through our TLS config and decided it was safe, but also needed to check that our SSH config was too. That confused me – where in SSH is Diffie Hellman? In fact, come to think of it, how does SSH work at all? As a fun side project, I decided to answer that question by writing a very basic SSH client of my own.

IPFire 2.19 Core Update 101 Patches Cross-Site-Scripting Vulnerability in Web UI

Filed under
Security

The development team behind the IPFire software have announced the general availability of the Core Update 101 of the IPFire 2.19 Linux kernel-based firewall distribution.

Leftovers: Software

  • Announcement: GnuCash 2.6.13 Release
  • Beamforming in PulseAudio
    In case you missed it — we got PulseAudio 9.0 out the door, with the echo cancellation improvements that I wrote about. Now is probably a good time for me to make good on my promise to expand upon the subject of beamforming.
  • Oracle Releases VirtualBox 5.0.24 to Add Better Linux 4.6 Support, Fix Bugs
    Today, June 28, 2016, Oracle has announced the general availability of the VirtualBox 5.0.24 virtualization software for all supported platforms, including GNU/Linux, Mac OS X, and Microsoft Windows.
  • Can't make it to GUADEC this year
    I loved attending the GNOME Users And Developers European Conference (GUADEC). I want to go back, but it's hard to get away for such a long trip.
  • Moving to the project phase in Outreachy
    I've coded the research phase in blue, and the usability testing phase in red. As you can see, we moved pretty quickly through the research phase, learning about "What is usability," different ways to test usability, personas, scenarios, and scenario tasks. And Ciarrai, Diana, and Renata have done very well here. We've taken the last week to settle into a project focus, and figure out who wants to do what. And today, we are officially starting the usability testing phase!
  • Watchmaster App Released for Tizen on the Gear S2
    WatchMaster features a collection of 200+ high quality and unique watch face designs that up to now have been available for Android Wear devices, but have now finally been released for the Tizen-based Gear S2. The company has many capable designers, such as Liongate, Pluto, Excalibur and Monostone, that create a wide variety of watch faces, including analog, illustration, moonphase, ambient and animation designs. If you're looking for some aesthetically pleasing watches to enhance your individuality, then they are definitely worth a look.
  • A first look at Google's Science Journal app
    Google recently announced the release of its Science Journal app, a tool intended to "inspire future makers and scientists." All you need to get started is an Android phone—it will make use of the sensors on your phone and offers a digital science notebook to record your findings. The app is free and slated to be released open source later this summer. Google has already released microcontroller firmware for Arduino-based sensors on GitHub.