Security

FOSS and Security

Filed under
OSS
Security
  • Coffee Shop DevOps: How to use feedback loops to get smarter
  • How to design your project for participation

    Working openly means designing for participation. "Designing for participation" is a way of providing people with insight into your project, which you've built from the start to incorporate and act on that insight. Documenting how you intend to make decisions, which communication channels you’ll use, and how people can get in touch with you are the first steps in designing for participation. Other steps include working openly, being transparent, and using technologies that support collaboration and additional ways of inviting participation. In the end, it’s all about providing context: Interested people must be able to get up to speed and start participating in your project, team, or organization as quickly and easily as possible.

  • So long, Firefox Hello!

    After updating my PCLinuxOS install, I noticed that the icon of Firefox Hello had changed: it was red and displayed a message reading "Error!"

    I thought it was a simple login failure, so I logged in and the icon went green, as normal. However, I noticed that Hello did not display the "Start a conversation" window, but one that read "browse this page with a friend".

    A bit confused, I called Megatotoro, who read this statement from Mozilla to me. Apparently, I had missed the fact that Mozilla is discontinuing Hello starting from Firefox 49. Current Firefox version is 48, so...

  • FreeBSD 11.0 Up to Release Candidate State, Support for SSH Protocol v1 Removed

    The FreeBSD Project, through Glen Barber, has had the pleasure of announcing this past weekend the general availability of the first Release Candidate for the upcoming FreeBSD 11.0 operating system, due for release on September 2, 2016.

    It appears to us that the development cycle of FreeBSD 11.0 was accelerated a bit, as the RC1 milestone is here just one week after the release of the fourth Beta build. Again, the new snapshot is available for 64-bit (amd64), 32-bit (i386), PowerPC (PPC), PowerPC 64-bit (PPC64), SPARC64, AArch64 (ARM64), and ARMv6 hardware architectures.

  • Open Source//Open Society Conference Live Blog

    This conference offers 2 huge days of inspiration, professional development and connecting for those interested in policy, data, open technology, leadership, management and team building.

  • White House Source Code Policy Should Go Further

    A new federal government policy will result in the government releasing more of the software that it creates under free and open source software licenses. That’s great news, but doesn’t go far enough in its goals or in enabling public oversight.

    A few months ago, we wrote about a proposed White House policy regarding how the government handles source code written by or for government agencies. The White House Office of Management and Budget (OMB) has now officially enacted the policy with a few changes. While the new policy is a step forward for government transparency and open access, a few of the changes in it are flat-out baffling.

  • The Brewing Problem Of PGP Short-ID Collision Attacks
  • Starwood, Marriott, Hyatt, IHG hit by malware: HEI

    A data breach at 20 U.S. hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental may have divulged payment card data from tens of thousands of food, drink and other transactions, HEI said on Sunday.

  • Linux TCP Flaw Leaves 80% Android Phones Open To Spying
  • Good morning Android!

Security News

Filed under
Security
  • Serving Up Security? Microsoft Patches ‘Malicious Butler’ Exploit — Again

    It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

    However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

  • PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds

    After contacting the owner, it turned out that one of the keys was a fake. In addition, it was labelled with the same names, emails, and even signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including the PGP Global Directory Verification Key.

  • Let's Encrypt: Why create a free, automated, and open CA?

    During the summer of 2012, Eric Rescorla and I decided to start a Certificate Authority (CA). A CA acts as a third-party to issue digital certificates, which certify public keys for certificate holders. The free, automated, and open CA we envisioned, which came to be called Let's Encrypt, has been built and is now one of the larger CAs in the world in terms of issuance volume.

    Starting a new CA is a lot of work—it's not a decision to be made lightly. In this article, I'll explain why we decided to start Let's Encrypt, and why we decided to build a new CA from scratch.

    We had a good reason to start building Let's Encrypt back in 2012. At that time, work on an HTTP/2 specification had started in the Internet Engineering Task Force (IETF), a standards body with a focus on network protocols. The question of whether or not to require encryption (via TLS) for HTTP/2 was hotly debated. My position, shared by my co-workers at Mozilla and many others, was that encryption should be required.

Security News

Filed under
Security
  • New FFS Rowhammer Attack Hijacks Linux VMs

    Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective at compromising Linux VMs, often used for cloud hosting services.

  • Fixing Things

    Recent reports that TCP connections can be hijacked have kicked an anthill at Kernel.org. Linus and others have a patch.

  • Minica - lightweight TLS for everyone!

    A while back, I found myself in need of some TLS certificates set up and issued for a testing environment.

    I remembered there was some code for issuing TLS certs in Docker, so I yanked some of that code and made a sensible CLI API over it.

  • Guy Tricks Windows Tech Support Scammers Into Installing Ransomware Code

    A man named Ivan Kwiatkowski managed to install Locky ransomware on the machine of a person who was pretending to be a tech support executive of a reputed company. Ivan wrote about his experiences in a blog post that tells how the tech support scammer fell into the pit he dug for innocent people.

Security News

Filed under
Security
  • Hacker demonstrates how voting machines can be compromised [Ed: Microsoft inside]

    Concerns are growing over the possibility of a rigged presidential election. Experts believe a cyberattack this year could be a reality, especially following last month's hack of Democratic National Committee emails.

    The ranking member of the Senate Homeland Security Committee sent a letter Monday to the Department of Homeland Security, saying in part: "Election security is critical, and a cyberattack by foreign actors on our elections systems could compromise the integrity of our voting process."

    Roughly 70 percent of states in the U.S. use some form of electronic voting. Hackers told CBS News that problems with electronic voting machines have been around for years. The machines and the software are old and antiquated. But now with millions heading to the polls in three months, security experts are sounding the alarm, reports CBS News correspondent Mireya Villarreal.

  • Another Expert Weighs in on Election Hacking

    Today the old Gray Lady, the New York Times, no less, weighed in on election hacking in an Op/Ed piece titled The Election Won't be Rigged. But it Could be Hacked. Of course, anyone who's read my second cybersecurity thriller, The Lafayette Campaign, a Tale of Election and Deceptions, already knew that.

    The particular focus of the NYT article is that since voting can be hacked, it's vital to have a way to audit elections after they occur to see whether that has been the case, and to reveal the true electoral result.

  • New release: usbguard-0.5.11
  • Linux.Lady Trojan Turns Redis Servers to Mining Rigs

Security Leftovers

Filed under
Security
  • Trojan Virus Turns Linux Servers into Bitcoin Miners

    A new and dangerous computer virus has been targeting Linux servers, its goal: to turn computer servers into Bitcoin miners. The attack is aimed at environments running the Redis NoSQL database; the virus is also able to probe the network interfaces of its hosts to propagate itself.

    More than 30,000 servers running the Redis database are in danger due to the lack of an access password. The virus is named “Linux.Lady” and it was discovered first by the Russian IT-security solutions vendor Dr. Web. The company released a report on the virus, classifying it into the Trojan subcategory.

  • A New Wireless Hack Can Unlock 100 Million Volkswagens

    In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

  • Almost every Volkswagen sold since 1995 can be unlocked with an Arduino

    The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles.

  • Road Warriors: Beware of ‘Video Jacking’

    A little-known feature of many modern smartphones is their ability to duplicate video on the device’s screen so that it also shows up on a much larger display — like a TV. However, new research shows that this feature may quietly expose users to a simple and cheap new form of digital eavesdropping.

    Dubbed “video jacking” by its masterminds, the attack uses custom electronics hidden inside what appears to be a USB charging station. As soon as you connect a vulnerable phone to the appropriate USB charging cord, the spy machine splits the phone’s video display and records a video of everything you tap, type or view on it as long as it’s plugged in — including PINs, passwords, account numbers, emails, texts, pictures and videos.

Security News

Filed under
Security
  • One bug to rule them all: 'State-supported' Project Sauron malware attacks world's top PCs

    Two top electronic security firms have discovered a new powerful malware suite being used to target just dozens of high-value targets around the world. The research shows that it was likely developed on the orders of a government engaging in cyber espionage.

    The California-based Symantec has labeled the group behind the attack Strider, while Moscow-based Kaspersky Labs dubbed it ProjectSauron. Both are references to J. R. R. Tolkien’s Lord of the Rings, a nod to the fact that the original malware code contained the word “Sauron.”

  • Disable WPAD now or have your accounts and private data compromised

    The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.

    Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.

  • With Anonymous' latest attacks in Rio, the digital games have begun

    A wave of denial of service (DDoS) attacks on state and city websites followed immediately after Anonymous delivered their statement. The group boasted taking down at least five sites, including www.brasil2016.gov.br, www.rio2016.com, www.esporte.gov.br, www.cob.org.br and www.rj.gov.br. They broadcast their exploits using the hashtags #OpOlympicHacking, #Leaked and #TangoDown, some of which were set up months ago.

  • Kaminsky Advocates for Greater Cloud Security

    There are a lot of different reasons why organizations choose to move to the cloud and many reasons why they do not. Speaking at a press conference during the Black Hat USA security event, security researcher Dan Kaminsky provided his views on what's wrong with the Internet today and where the cloud can fit in.

    "There's a saying we have," Kaminsky said. "There is no such thing as cloud, just other people's computers."

    While the cloud represents a utility model for computing, Kaminsky also suggests that there are ways to use the cloud to improve overall security. With the cloud, users and applications can be isolated or 'sandboxed' in a way that can limit risks.

    With proper configurations, including rate limiting approaches, the impact of data breaches could potentially be reduced as well. As an example, Kaminsky said that with rate limiting controls, only the money from a cash register is stolen by a hacker, as opposed to stealing all of a company's corporate profits for a month.

  • Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
  • Our Encrypted Email Service is Safe Against Linux TCP Vulnerability

    ProtonMail is not vulnerable to the recently announced Linux TCP Vulnerability

In limiting open source efforts, the government takes a costly gamble

Filed under
OSS
Security

The vast majority of companies are now realizing the value of open sourcing their software and almost all have done so for at least certain projects. These days Google, Facebook, Microsoft, Apple and almost every major company is releasing code to the open source community at a constant rate.

As is the case with many cutting edge developments it’s taking governments a while to catch on and understand the value in going open source. But now governments around the world are beginning to take the view that as their software is funded by the public, it belongs to the public and should be open for public use and are starting to define codified policies for its release.

[...]

The vast majority of code is still not classified and therefore, much higher levels of open sourcing are possible. While a bigger embrace of open source may seem like a risk, the real danger lies in small, overly-cautious implementation which is costing taxpayers by the day and making us all less secure.

More Security Leftovers

Filed under
Security
  • Volkswagen Created A 'Backdoor' To Basically All Its Cars... And Now Hackers Can Open All Of Them

    In other words, VW created a backdoor, and assumed that it would remain hidden. But it did not.

    This is exactly the kind of point that we've been making about the problems of requiring any kind of backdoor and not enabling strong encryption. Using a single encryption key across every device is simply bad security. Forcing any kind of backdoor into any security system creates just these kinds of vulnerabilities -- and eventually someone's going to figure out how they work.

    On a related note, the article points out that the researchers who found this vulnerability are the same ones who also found another vulnerability a few years ago that allowed them to start the ignition of a bunch of VW vehicles. And VW's response... was to sue them and try to keep the vulnerability secret for nearly two years. Perhaps, rather than trying to sue these researchers, they should have thrown a bunch of money at them to continue their work, alert VW and help VW make their cars safer and better protected.

  • Software Freedom Doesn't Kill People, Your Security Through Obscurity Kills People

    The time has come that I must speak out against the inappropriate rhetoric used by those who (ostensibly) advocate for FLOSS usage in automotive applications.

    There was a catalyst that convinced me to finally speak up. I heard a talk today from a company representative of a software supplier for the automotive industry. He said during his talk: "putting GPLv3 software in cars will kill people" and "opening up the source code to cars will cause more harm than good". These statements are completely disingenuous. Most importantly, it ignores the fact that proprietary software in cars is at least equally, if not more, dangerous. At least one person has already been killed in a crash while using a proprietary software auto-control system. Volkswagen decided to take a different route; they decided to kill us all slowly (rather than quickly) by using proprietary software to lie about their emissions and illegally polluting our air.

    Meanwhile, there has been not a single example yet about use of GPLv3 software that has harmed anyone. If you have such an example, email it to me and I promise to add it right here to this blog post.

  • Linux Networking Flaw Allows Attacker To Trick Safety Mechanism

Security News

Filed under
Security
  • White House aims to secure open source government programs

    The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

  • How Governments Open Sourcing Code Helps Us Be More Secure

    The idea of governments releasing their proprietary code isn’t some pipe dream, it’s slowly becoming a reality in many countries and starting a much needed public discussion in others. Governments around the world are beginning to understand that their software is funded by the public, and therefore belongs to the public and should be accessible for their use. Bulgaria just passed a law which mandates that all code written for the government must be released as open source. Similarly, the United States is starting a 3-year pilot requiring all US agencies to release at least 20% of all federally-funded custom code as open source. France, Norway, Brazil and other countries have also initiated their own government open source programs to ensure more government funded code will be released as open source.

  • 2046 is the last year your CEO has a business major [Ed: says Juniper which put back doors in its software?]
  • DARPA's Machine Challenge Solves CrackAddr Puzzle

    Seven autonomous supercomputers faced off against each other in DARPA's Cyber Grand Challenge (CGC) event on the first day of the DEFCON security conference. In the end, a system known as 'Mayhem' won the $2 million grand prize and in the process helped solve a decade-old security challenge that revolved around detecting a particular type of vulnerability.

    Mike Walker, the DARPA program manager responsible for CGC, commented during a press conference that some bugs are so well known that they become famous. One such example is CrackAddr, the name of a function that can split up parts of an email address.

  • New Linux Malware Installs Bitcoin Mining Software on Infected Device

Security News

  • Tuesday's security updates
  • New Open Source Linux Ransomware Divides Infosec Community
    Following our investigation into this matter, and seeing the vitriol-filled reaction from some people in the infosec community, Zaitsev has told Softpedia that he decided to remove the project from GitHub, shortly after this article's publication. The original, unedited article is below.
  • Fax machines' custom Linux allows dial-up hack
    Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection. The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line. The firmware is custom Linux, giving the printers a familiar networking environment for bad actors looking to exploit the fax line as an attack vector. Once they're in that ancient environment, it's possible to then move onto the network to which the printer's connected. Yves-Noel Weweler, Ralf Spenneberg and Hendrik Schwartke of Open Source Training in Germany discovered the bug, which occurs because Epson WorkForce multifunction printers don't demand signed firmware images.
  • Google just saved the journalist who was hit by a 'record' cyberattack
    Google just stepped in with its massive server infrastructure to run interference for journalist Brian Krebs. Last week, Krebs' site, Krebs On Security, was hit by a massive distributed denial-of-service (DDoS) attack that took it offline, the likes of which was a "record" that was nearly double the traffic his host Akamai had previously seen in cyberattacks. Now just days later, Krebs is back online behind the protection of Google, which offers a little-known program called Project Shield to help protect independent journalists and activists' websites from censorship. And in the case of Krebs, the DDoS attack was certainly that: The attempt to take his site down was in response to his recent reporting on a website called vDOS, a service allegedly created by two Israeli men that would carry out cyberattacks on behalf of paying customers.
  • Krebs DDoS aftermath: industry in shock at size, depth and complexity of attack
    “This attack didn’t stop, it came in wave after wave, hundreds of millions of packets per second,” says Josh Shaul, Akamai’s vice president of product management, when Techworld spoke to him. “This was different from anything we’ve ever seen before in our history of DDoS attacks. They hit our systems pretty hard.” Clearly still a bit stunned, Shaul describes the Krebs DDoS as unprecedented. Unlike previous large DDoS attacks such as the infamous one carried out on cyber-campaign group Spamhaus in 2013, this one did not use fancy amplification or reflection to muster its traffic. It was straight packet assault from the old school.
  • iOS 10 makes it easier to crack iPhone back-ups, says security firm
    INSECURITY FIRM Elcomsoft has measured the security of iOS 10 and found that the software is easier to hack than ever before. Elcomsoft is not doing Apple any favours here. The fruity firm has just launched the iPhone 7, which has as many problems as it has good things. Of course, there are no circumstances when vulnerable software is a good thing, but when you have just launched that version of the software, it is really bad timing. Don't hate the player, though, as this is what Elcomsoft, and what Apple, are supposed to be doing right. "We discovered a major security flaw in the iOS 10 back-up protection mechanism. This security flaw allowed us to develop a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) back-ups made by iOS 10 devices," said Elcomsoft's Oleg Afonin in a blog post.
  • After Tesla: why cybersecurity is central to the car industry's future
    The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security. This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production. This leads to a ‘fire brigade approach’ to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market.

Ofcom blesses Linux-powered, open source DIY radio ‘revolution’

Small scale DAB radio was (quite literally) conceived in an Ofcom engineer’s garden shed in Brighton, on a Raspberry Pi, running a full open source stack, in his spare time. Four years later, Ofcom has given the thumbs up to small scale DAB after concluding that trials in 10 UK cities were judged to be a hit. We gave you an exclusive glimpse into the trials last year, where you could compare the specialised proprietary encoders with the Raspberry Pi-powered encoders. “We believe that there is a significant level of demand from smaller radio stations for small scale DAB, and that a wider roll-out of additional small scale services into more geographic areas would be both technically possible and commercially sustainable,” notes Ofcom.

nginx

Case in point: I've been using the Apache HTTP server for many years now. Indeed, you could say that I've been using Apache since before it was even called "Apache"—what started as the original NCSA HTTP server, and then the patched server that some enterprising open-source developers distributed, and finally the Apache Foundation-backed open-source colossus that everyone recognizes, and even relies on, today—doing much more than just producing HTTP servers. Apache's genius was its modularity. You could, with minimal effort, configure Apache to use a custom configuration of modules. If you wanted to have a full-featured server with tons of debugging and diagnostics, you could do that. If you wanted to have high-level languages, such as Perl and Tcl, embedded inside your server for high-speed Web applications, you could do that. If you needed the ability to match, analyze and rewrite every part of an HTTP transaction, you could do that, with mod_rewrite. And of course, there were third-party modules as well.

Linux and Open Source Hardware for IoT

Most of the 21 new open source software projects for IoT that we examined last week listed Linux hacker boards as their prime development platforms. This week, we’ll look at open source and developer-friendly Linux hardware for building Internet of Things devices, from simple microcontroller-based technology to Linux-based boards. In recent years, it’s become hard to find an embedded board that isn’t marketed with the IoT label. Yet, the overused term is best suited for boards with low prices, small footprints, low power consumption, and support for wireless communications and industrial interfaces. Camera support is useful for some IoT applications, but high-end multimedia is usually counterproductive to attributes like low cost and power consumption.