Security

Security News

Filed under
Security
  • Microsoft slates end to security bulletins in February [iophk: "further obscuring"; Ed: See this]

    Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.

    One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."

  • Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users

    By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too.

  • DragonFlyBSD Installer Updated To Support UEFI System Setup

    DragonFlyBSD has been working on its (U)EFI support and with the latest Git code its installer now has basic UEFI support.

Tails 2.10 Will Upgrade to Linux Kernel 4.8 and Tor 0.2.9, Add exFAT Support

Filed under
Security

A new stable release of Tails, the beloved anonymous Live CD that helps you stay hidden online when navigating various websites on the Internet, is being prepared.

Security News

Filed under
Security
  • How we secure our infrastructure: a white paper

    Trust in the cloud is paramount to any business who is thinking about using it to power their critical applications, deliver new customer experiences and house their most sensitive data. Today, we're issuing a white paper by our security team that details how security is designed into our infrastructure from the ground up.

    Google Cloud’s global infrastructure provides security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet and safe operation by administrators.

  • Google Infrastructure Security Design Overview [Ed: Google banned Windows internally]

    The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.

  • Microsoft Says Windows 7 Has Outdated Security, Wants You to Move to Windows 10 [Ed: all versions are insecure BY DESIGN]

    Windows 10 is now running on more than 20 percent of the world’s desktop computers, and yet, Microsoft’s bigger challenge isn’t necessarily to boost the market share of its latest operating system, but to convince those on Windows 7 to upgrade.

  • Debian GNU/Linux 8.7 Officially Released, Includes over 85 Security Updates

    If you're using Debian Stable (a.k.a. Debian GNU/Linux 8 "Jessie"), it's time to update it now. Why? Because Debian Project launched a new release, Debian GNU/Linux 8.7, which includes over 170 bug fixes and security updates.

  • CVS: cvs.openbsd.org: src

    Disable and lock Silicon Debug feature on modern Intel CPUs

Hide Complex Passwords in Plain Sight and Give Your Brain a Break

Filed under
Linux
Security
HowTos

As far as people are concerned, there are essentially two types of passwords: the ones we can remember and the ones that are too complex for us to recall. We've learned the latter type is more secure, but it requires us to store impossible-to-memorize-password lists, creating a whole new set of problems. There are some clever tricks to help our brains out a bit, but for most of us the limit of our memory is regrettable. This tip offers a way to pull passwords from unexpected places using the Linux terminal.

(via DMT/Linux Blog)

Security Leftovers (Back Doors in WhatsApp/Facebook and Microsoft Windows)

Filed under
Security
  • The eight security backdoors that helped kill faith in security

    With the news of WhatsApp's backdoor granting Facebook and government agencies access to user messages, fears over users' privacy issues are sure to be at an all-time high for WhatsApp's 1 billion users.

    Backdoors in computing equipment are the stuff of legend. A decade ago a security expert informed me with absolute certainty that a prominent non-US networking company had designed them into its products for years as a matter of course as if nobody much cared about this fact. Long before the average citizen had heard the letters NSA, it struck me at the time as an extraordinary suggestion. It was almost as if the deliberate compromise of an important piece of network equipment was a harmless novelty.

  • Reported “backdoor” in WhatsApp is in fact a feature, defenders say

    The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor—at least as that term is defined by most security experts. Most would probably agree it's not even a vulnerability. Rather, it's a limitation in what cryptography can do in an app that caters to more than 1 billion users.

    At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

    Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

  • Security flaw leaves WhatsApp messages susceptible to man-in-the-middle attacks

    FLAWS in the way that WhatsApp deals with encryption keys leaves users wide open to man-in-the-middle attacks, enabling third-parties to tap their communications.

    The flaw has been described as a "security back door" by The Guardian and privacy campaigners (not unlike the back doors that governments of various stripes have been trying to mandate on all internet communications by law), but more sober voices have described it as a minor bug and criticised The Guardian for going OTT.

    Nor is it new. Vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016.

    The security flaw relates to situations where encryption keys are dropped and have to be re-issued and re-sent. In certain circumstances, a third-party could exploit the bug to persuade the app to resend messages because the authenticity of re-issued keys is not verified in WhatsApp by default.

  • There's No Security Backdoor in WhatsApp, Despite Reports

    This morning, the Guardian published a story with an alarming headline: “WhatsApp backdoor allows snooping on encrypted messages.” If true, this would have massive implications for the security and privacy of WhatsApp’s one-billion-plus users. Fortunately, there’s no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian’s story is “major league fuckwittage.”

  • WhatsApp vulnerability allows snooping on encrypted messages

    A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

    Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

  • Hacker group Shadow Brokers retires, dumps more code as parting gift

    The Shadow Brokers claimed to have held even more valuable cyber tools in reserve and offered to sell them to the highest bidder in an unorthodox public auction. On Thursday, they said their sales effort had been unsuccessful and were therefore ceasing operations. “So long, farewell peoples. The Shadow Brokers is going dark, making exit,” the group said according to a screenshot of the webpage posted Thursday on the news website CyberScoop.

  • Suspected NSA tool hackers dump more cyberweapons in farewell

    The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off -- but not before releasing another arsenal of tools that appear designed to spy on Windows systems.

  • Shadow Brokers announce retirement, leak NSA Windows Hacking tools as parting gift
  • The Shadow Brokers Leaves the Stage with a Gift of So-Called NSA-Sourced Hacking Tools
  • Shadow Brokers group bids adieu, dumps hacking tools before going silent
  • 'It Always Being About Bitcoins': Shadow Brokers Retire
  • Hacking Group 'ShadowBrokers' Release NSA Exploits, Then Go Dark

Security News

Filed under
Security
  • Security advisories for Friday
  • New Windows backdoor targets intelligence gathering

    New versions of the MM Core Windows backdoor are being used to provide a channel into victims' machines for the purpose of intelligence gathering, according to Carl Leonard, principal security analyst at Forcepoint Security Labs.

    The new versions were found by members of the Forcepoint investigations team.

    MM Core, which is also known as BaneChant, is a file-less advanced persistent threat which is executed in memory by a downloaded component. It was first reported in 2013 with the version 2.0-LNK and used the tag BaneChant in the network request sent to its command-and-control centre.

    A second version, 2.1-LNK, found shortly thereafter, had the network tag StrangeLove.

    Forcepoint researchers Nicholas Griffin and Roland Dela Paz, whose write-up on MM Core was provided to iTWire, said the two new versions they had found were 2.2-LNK (network tag BigBoss) and 2.3-LNK (SillyGoose).

  • Implementing Medical Device Cybersecurity: A Two-Stage Process

    Connectivity is ubiquitous – it’s moved beyond an overhyped buzzword and become part of life. Offering ever-advancing levels of access, control, and convenience, widespread connectivity also increases the risk of unauthorised interference in our everyday lives.

    In what many experts believe was a world first, manufacturer Johnson & Johnson recently issued a warning to patients on a cyber-vulnerability in one of its medical devices. The company announced that an insulin pump it supplies had a potential connectivity vulnerability. The wireless communication link the device used contained a potential exploit that could have been used by an unauthorised third party to alter the insulin dosage delivered to the patient.

  • Dockerfile security tuneup

    I recently watched 2 great talks on container security by Justin Cormack from Docker at Devoxx Belgium and Adrian Mouat from Container Solutions at GOTO Stockholm. We were following many of the suggestions but there was still room for improvement. So we decided it was good time to do a security tuneup of our dockerfiles.

  • FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

    If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

    This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

    The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

Security News

Filed under
Security
  • Security updates for Wednesday
  • Third Party Patch Roundup – December 2016
  • The MongoDB hack and the importance of secure defaults

    If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far. This post explains the hack, how to protect yourself, and what we can learn from it.

  • Implantable Cardiac Devices Could Be Vulnerable to Hackers, FDA Warns

    Low-level hackers can play with your heart. Literally. Pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients’ lives at risk, the US Food & Drug Administration warned on Monday, the same day a new software patch was released to address these vulnerabilities.

    There are several confirmed vulnerabilities that could have granted hackers remote access to a person’s implanted cardiac device. Then, they could change the heart rate, administer shocks, or quickly deplete the battery. There hadn’t been any report of patient harm related to these vulnerabilities as of Monday, the FDA said.
