Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Hackers [sic] boast of ease of bypassing security

    According to Pogue, the Nuix report challenges the common media narrative that data breaches are hard to prevent because cyber attacks are becoming more sophisticated and, he notes that nearly a quarter of Black Report respondents (22%) said they used the same attack techniques for a year or more.

  • One-in-five cybercriminals blow their earnings on drugs and hookers

    The research was carried out by Dr Mike McGuire, a senior lecturer in Criminology at the University of Surrey. He's presenting the full research paper in San Francisco later in the month.

  • Thousands of hacked websites are infecting visitors with malware

    The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace. That's according to a blog post by Jérôme Segura, lead malware intelligence analyst at Malwarebytes. The hackers, he wrote, cause the sites to display authentic-appearing messages to a narrowly targeted number of visitors that, depending on the browsers they're using, instruct them to install updates for Firefox, Chrome, or Flash.

    To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. [...]

  • Open Letter On Ending Attacks On Security Research

    The Center for Democracy and Technology has put together an important letter from experts on the importance of security research. This may sound obvious, but increasingly we're seeing attacks on security researchers, where the messenger is blamed for finding and/or disclosing bad security practices or breaches -- and that makes us all less safe by creating chilling effects.

  • D.C. Court: Accessing Public Information is Not a Computer Crime

    Good news for anyone who uses the Internet as a source of information: A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information.

    The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. The CFAA is a serious criminal law, so the plaintiffs have refrained from using automated tools out of an understandable fear of prosecution. Instead, they decided to go to court. With the help of the ACLU, the plaintiffs have argued that the CFAA has chilled their constitutionally protected research and journalism.

    The CFAA makes it illegal to access a computer connected to the Internet “without authorization,” but the statute doesn’t tells us what “authorization” or “without authorization” means. Even though it was passed in the 1980s to punish computer intrusions, it has metastasized in some jurisdictions into a tool for companies and websites to enforce their computer use policies, like terms of service (which no one reads). Violating a computer use policy should by no stretch of the imagination count as a felony.

  • Blockchain Open Source Code Is Failing On Security Says CAST [Ed: Some so-called 'journalists' entertain self-serving publicity stunt of malicious firms that FUD FOSS for attention]
  • Open source lessons for the cyber security industry

    The only way to win the war against cyber "bad guys" is if cyber security follows the example set by the open source movement and democratises, making it everyone's responsibility.

    That's the view of Marten Micklos, CEO of HackerOne, the bug bounty and vulnerability coordination platform. Speaking at the recent Linux Foundation's Open Source Leadership Summit in California, he told delegates that the security industry could benefit from the way in which open source had built the functionality and conflict resolution governance that enabled people, including those who disagreed, to work together to achieve a common goal.

More in Tux Machines

GNU: The GNU C Library, IRC Break, and GNUstep

  • Intel CET With Indirect Branch Tracking & Shadow Stack Land In Glibc
    Landing yesterday in Glibc for Intel's Control-flow Enforcement Technology (CET) were the instructions for Indirect Branch Tracking (IBT) and Shadow Stack (SHSTK). These Intel CET bits for the GNU C Library amount to a fair amount of code being added. The commit message explains some of the CET steps taken. The Control-flow Enforcement Technology behavior can be changed for SHSTK/IBT at run-time through the "GLIBC_TUNABLES" environment variable.
  • No Friday Free Software Directory IRC meetup on Friday July 20th
    No meeting will be taking place this week due to travel, but meetings will return to our regular schedule starting on Friday, July 27th.
  • Graphos GNUstep and Tablet interface
    I have acquired a Thinkpad X41 Tablet and worked quite a bit on it making it usable and then installing Linux and of course GNUstep on it. The original battery was dead and the compatible replacement I got is bigger, it works very well, but makes the device unbalanced. Anyway, my interest about it how usable GNUstep applications would be and especially Graphos, its (and my) drawing application. Using the interface in Tablet mode is different: the stylus is very precise and allows clicking by pointing the tip and a second button is also possible. However, contrary to the mouse use, the keyboard is folded so no keyboard modifiers are possible. Furthermore GNUstep has no on-screen keyboard so typing is not possible.

Oracle Solaris 11.3 and Solaris 11.4

  • Oracle Solaris 11.3 SRU 34 Brings GCC 7.3, Other Package Updates
    While Solaris 11.4 is still in the oven being baked at Oracle, the thirty-fourth stable release update of Solaris 11.3 is now available.
  • Oracle Solaris 11.3 SRU 34 released
    Full details of this SRU can be found in My Oracle Support Doc 2421850.1. For the list of Service Alerts affecting each Oracle Solaris 11.3 SRU, see Important Oracle Solaris 11.3 SRU Issues (Doc ID 2076753.1).
  • Oracle Solaris 11.4 Open Beta Refresh 2
    As we continue to work toward release of Oracle Solaris 11.4, we present to you our third release of Oracle Solaris 11.4 open beta.
  • Oracle Solaris 11.4 Public Beta Updated With KPTI For Addressing Meltdown
    In addition to sending down a new SRU for Solaris 11.3, the Oracle developers left maintaining Solaris have issued their second beta of the upcoming Solaris 11.4. Oracle Solaris 11.4 Open Beta Refresh 2 is an updated version of their public beta of Solaris 11.4 originally introduced in January. They say this is the last planned public beta with the general availability release now nearing availability.

Security: Back Doors in Voting Machines, Two-Factor Authentication, Introduction to Cybersecurity, and Reproducible Builds

  • Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States
    The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.
  • PSA: Make Sure You Have a Backup for Two-Factor Authentication
  • An Introduction to Cybersecurity: The First Five Steps
    You read all these headlines about the latest data breaches, and you worry your organization could be next. After all, if TalkTalk, Target, and Equifax can’t keep their data safe, what chance do you have? Well, thankfully, most organizations aren’t quite as high profile as those household names, and probably don’t receive quite so much attention from cybercriminals. At the same time, though, no organization is so small or insignificant that it can afford to neglect to take sensible security measures. If you’re just starting to take cybersecurity seriously, here are five steps you can take to secure your organization more effectively than 99 percent of your competitors.
  • Reproducible Builds: Weekly report #168

today's howtos