Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • FedEx Will Pay You $5 to Install Flash on Your Machine

    FedEx is making you an offer you can’t afford to accept. It’s offering to give you $5 (actually, it’s a discount on orders over $30) if you’ll just install Adobe Flash on your machine.

    Nobody who knows anything about online security uses Flash anymore, except when it’s absolutely necessary. Why? Because Flash is the poster child for the “security-vulnerability-of-the-hour” club — a group that includes another Adobe product, Acrobat. How unsafe is Flash? Let’s put it this way: seven years ago, Steve Jobs announced that Flash was to be forever banned from Apple’s mobile products. One of the reasons he cited was a report from Symantec that “highlighted Flash for having one of the worst security records in 2009.”

    Flash security hasn’t gotten any better since.

  • Every once in a while someone suggests to me that curl and libcurl would do better if rewritten in a “safe language”
  • An insecure dishwasher has entered the IoT war against humanity

    Regel says that he has contacted Miele on a number of occasions about the issue, but had failed to get a response to his missives, and this has no updated information on the vulnerability.

    He added, bleakly that "we are not aware of an actual fix."

  • Monday Witness: It's Time to Reconize a Civil Right Not to be Connected

    Along with death and taxes, two things appear inevitable. The first is that Internet of Things devices will not only be built into everything we can imagine, but into everything we can't as well. The second is that IoT devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway.

    What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.

  • Remember kids, if you're going to disclose, disclose responsibly!

    If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I'm not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things.

Security Leftovers

Filed under
Security
  • NSA: We Disclose 90% of the Flaws We Find

    In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.

  • EFF Launches Community Security Training Series

    EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL.

    [...]

    With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.

  • NextCloud, a security analysis

    First, I would like to scare everyone a little bit in order to have people appreciate the extent of this statement.

    As the figure that opens the post indicates, there are thousands of vulnerable Owncloud/NextCloud instances out there. It will surprise many just how easy is to detect those by trying out common URL paths during an IP sweep.

  • FedEx will deliver you $5.00 just to install Flash

    Bribes on offer as courier's custom printing service needs Adobe's security sinkhole

Security Leftovers

Filed under
Security
  • Google Threatens to Distrust Symantec SSL/TLS Certificates

    Google is warning that it intends to deprecate and remove trust in Symantec-issued SSL/TLS certificates, as Symantec shoots back that the move is unwarranted.

  • Hackers Stole My Website…And I Pulled Off A $30,000 Sting Operation To Get It Back

    I learned that my site was stolen on a Saturday. Three days later I had it back, but only after the involvement of fifty or so employees of six different companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a sting operation that probably should have starred Sandra Bullock instead of…well…me.

  • Google Summer of Code

    The Linux Foundation umbrella organization is responsible for this year's WireGuard GSoC, so if you're a student, write "Linux Foundation" as your mentoring organization, and then specify in your proposal your desire to work with WireGuard, listing "Jason Donenfeld" as your mentor.

  • Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”

    Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World“, covered a wide range of security concerns.

  • [Older] Make America Secure Again: Trump Should Order U.S. Spy Agencies to Responsibly Disclose Cyber Vulnerabilities

    Last week, WikiLeaks released a trove of CIA documents that detail many of the spy agency’s hacking capabilities. These documents, if genuine (and early reports suggest that they are), validate concerns that U.S. spy agencies are stockpiling cybersecurity vulnerabilities. The intelligence community uses undisclosed vulnerabilities to develop tools that can penetrate the computer systems and networks of its foreign targets. Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to American businesses and individuals. In the future, rather than hoard this information, the CIA and other intelligence agencies should commit to responsibly disclosing vulnerabilities it discovers to the private sector so that security holes can be patched.

  • Announcing Keyholder: Secure, shared shell access

    The new software is a ssh-agent proxy that allows a group of trusted users to share an SSH identity without exposing the contents of that identity’s private key.

    [...]

    A common use of the ssh-agent is to “forward” your agent to a remote machine (using the -A flag in the OpenSSH client). After you’ve forwarded your ssh-agent, you can use the socket that that agent creates to access any of your many (now unencrypted) keys, and login to any other machines for which you may have keys in your ssh-agent. So, too, potentially, can all the other folks that have root access to the machine to which you’ve forwarded your ssh-agent.

  • pitchfork

    After years of training journalists and NGOs communication and operational security, after years of conducting research into the tools and protocols used, it took some more years developing a reasonable answer to most of the issues encountered during all this time.

    In todays world of commercially available government malware you don't want to store your encryption keys on your easily infected computer. You want them stored on something that you could even take into a sauna or a hot-tub - maintaining continuous physical contact.

    So people who care about such things use external smartcard-based crypto devices like Ubikey Neos or Nitrokeys (formerly Cryptosticks). The problems with these devices is that you have to enter PIN codes on your computer that you shouldn't trust, that they are either designed for centralized use in organizations, or they are based mostly on PGP.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • How worried should your organisation be about cyber espionage - and what can you do about it?

    Computerworld UK speaks with Jarno Niemela, senior security researcher at F-Secure.

  • Inverse Law of CVEs

    I've started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn't anything overly clever, it's fun to do. And I get to make pretty graphs, which everyone likes to look at.

  • eBay Asks Users to Downgrade Security

    The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

  • Practical basics of reproducible builds
  • License Agreements and Changes Are Coming

    The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want get into any specific details, and I certainly don’t know them all.

Security and Bugs

Filed under
Security
  • Security updates for Thursday
  • Devops embraces security measures to build safer software

    Devops isn’t simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that devops teams are increasingly adopting security automation to create better and safer software.

  • This Xfce Bug Is Wrecking Users’ Monitors

    The Xfce desktop environment for Linux may be fast and flexible — but it’s currently affected by a very serious flaw.

    Users of this lightweight alternative to GNOME and KDE have reported that the choice of default wallpaper in Xfce is causing damaging to laptop displays and LCD monitors.

    And there’s damning photographic evidence to back the claims up.

Security Leftovers

Filed under
Security
  • Windows flaw lets attackers take over A-V software

    A 15-year-old flaw in every version of Windows right from XP to Windows 10 allows a malicious attacker to take control of a system through the anti-virus software running on the system.

  • Google Continues to Make Strides in Improving Android Security
  • Google cites progress in Android security, but patching issues linger
  • Dark Matter

    Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

    Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Customer security awareness: alerting you to vulnerabilities that are of real risk
  • Cisco's WikiLeaks Security Vulnerability Exposure: 10 Things Partners Need To Know

    Cisco's security team has discovered that hundreds of its networking devices contain a vulnerability that could allow attackers to remotely executive malicious code and take control of the affected device.

    "We are committed to responsible disclosure, protecting our customers, and building the strongest security architecture and products that are designed through our Trustworthy Systems initiatives," said a Cisco spokesperson in an email to CRN regarding the vulnerability.

    Some channel partners of the San Jose, Calif.-based networking giant are already advising customers on how to bypass the critical security flaw. Here are 10 important items that Cisco channel partners should know about the security vulnerability.

  • Linux had a killer flaw for 11 years and no one noticed

    One of the key advantages of Open sauce software is that it is supposed to be easier to spot and fix software flaws, however Linux has had a local privilege escalation flaw for 11 years and no-one has noticed.

    The vulnerability, tracked as CVE-2017-6074, is over 11 years old and was likely introduced in 2005 when the Linux kernel gained support for the Datagram Congestion Control Protocol (DCCP). It was discovered last week and was patched by the kernel developers on Friday.

  • 6 Hot Internet of Things (IoT) Security Technologies
  • Microsoft Losing Its Edge

    However, despite these improvements in code cleanness and security technologies, it hasn’t quite proven itself when faced with experienced hackers at contests such as Pwn2Own. At last year’s edition of Pwn2Own, Edge proved to be a little better than Internet Explorer and Safari, but it still ended up getting hacked twice, while Chrome was only partially hacked once.

    Things seem to have gotten worse, rather than better, for Edge. At this year’s Pwn2Own, Microsoft’s browser was hacked no less than five times.

  • Microsoft loses the Edge at hacking contest

    And for every hack perpetrated against Edge, there was a corresponding attack against the Windows 10 kernel, indicating that it has a way to go in terms of security, according to Tom's Hardware.

  • Wikileaks: Apple, Microsoft and Google must fix CIA exploits within 90 days

    The 90-day deadline is the same that Google's own Project Zero security group provides to companies when it uncovers flaws in their software. If a company has failed to patch its software accordingly, Project Zero publishes details of the flaw whether the vendor likes it or not.

  • NTPsec Project announces 0.9.7

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: week 99 in Stretch cycle
  • Government Agencies to be Rated on Cybersecurity Using NIST Framework

    The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity. Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.

    Homeland security advisor Thomas Bossert stated that the President’s budget will include an increase in federal funding to combat cyber threats, and that the administration’s priorities vis-à-vis cybersecurity are to modernize and centralize the existing system. To this end, the Administration intends to partner with business, including Silicon Valley, and state and local governments, on cybersecurity.

  • Firefox gets complaint for labeling unencrypted login page insecure

    The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

    "Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • Old Linux kernel security bug bites

    OK, hands up, who knows what High-Level Data Link Control (HDLC) is? It's an archaic networking data framing protocol that's used in modems, X.25, frame-relay, ISDN, and other now uncommon networking technologies. I know it because I used to work with them back in the day. You'll get to know it now because a researcher discovered a security hole hidden within the Linux kernel driver that implements it.

  • Seven year-old Linux vulnerability now patched

    An old vulnerability was just discovered in the Linux kernel, potentially allowing hackers to gain privilege escalation, or cause a denial of service. The vulnerability was quickly fixed and there have been no signs of it in the wild, although that does not necessarily mean it went unnoticed.

  • OpenSSH 7.5 released

    OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

  • OpenSSH 7.5 Has Security Fixes, Removes OpenSSL 1.0 Support for Portable OpenSSH

    OpenSSH, the cross-platform and open-source 100% complete SSH 2.0 protocol implementation offering both SFTP server and client support was updated today to version 7.5.

    OpenSSH 7.5 comes three months after the release of OpenSSH 7.4 in late December 2016, and promises to be a maintenance update that addresses two important security issues, implements support for the "=-" syntax to make removing of methods from algorithm lists a lot easier, and fix numerous reported bugs.

  • Is Linux Mint a secure distribution?

    Linux Mint has been lambasted by some in the media for security problems over the last few years. But how accurate are such perceptions? Does Linux Mint really suffer from security problems or is it all much ado about nothing?

    A writer at DistroWatch wades into the controversy and examines some of the myths and misunderstandings about Linux Mint and security.

  • Linux Mint's security record

    Some of the more common misunderstandings I have encountered recently have involved the Linux Mint distribution. Mint has been a popular project in recent years and, with many people using the distribution and talking about the project, there is bound to be some mis-communication. In particular, most of the rumours and misunderstandings I have encountered have revolved around Mint's security practises and history. I would like to clear up a few of the more common rumours.

  • Mozilla Firefox is the First Pwn2own 2017 Victim to be Patched

    Some vendors respond to security issues faster than others. Last week, the 10th annual Pwn2own hacking challenge was hosted by Trend Micro's Zero Day Initiative (ZDI), with multiple groups of researchers taking aim at web browsers, operating systems and virtualization technology.

    Mozilla's Firefox web browser was successfully exploited on March 16, the second day of the Pwn2own event. Researchers from Chaitin Security Research Lab were the only group to attack Mozilla Firefox, and earned $30,000 for demonstrating a new zero-day exploit. The day the exploit was demonstrated, the only thing publicly revealed about the exploit is that it made use of an integer overflow flaw in combination with an uninitialized memory buffer in the Windows kernel.

Syndicate content

More in Tux Machines

Leftovers: OSS and Sharing

  • Making your OpenStack monitoring stack highly available using Open Source tools
    Operators tasked with maintaining production environments are relying on monitoring stacks to provide insight to resource usage and a heads-up to threats of downtime. Perhaps the most critical function of a monitoring stack is providing alerts which trigger mitigation steps to ensure an environment stays up and running. Downtime of services can be business-critical, and often has extremely high cost ramifications. Operators working in cloud environments are especially reliant on monitoring stacks due to the increase in potential inefficiency and downtime that comes with greater resource usage. The constant visibility of resources and alerts that a monitoring stack provides, makes it a fundamental component of any cloud.
  • InfraRed: Deploying and Testing Openstack just made easier!
  • The journey of a new OpenStack service in RDO
    When new contributors join RDO, they ask for recommendations about how to add new services and help RDO users to adopt it. This post is not a official policy document nor a detailed description about how to carry out some activities, but provides some high level recommendations to newcomers based on what I have learned and observed in the last year working in RDO.
  • Getting to know the essential OpenStack components better
  • Getting to know core components, speed mentoring, and more OpenStack news
  • Testing LibreOffice 5.3 Notebookbar
    I teach an online CSCI class about usability. The course is "The Usability of Open Source Software" and provides a background on free software and open source software, and uses that as a basis to teach usability. The rest of the class is a pretty standard CSCI usability class. We explore a few interesting cases in open source software as part of our discussion. And using open source software makes it really easy for the students to pick a program to study for their usability test final project.
  • [Older] Drupal member sent out after BDSM lifestyle revealed

    Drupal, like many other open source projects, has a stated goal of welcoming and accepting all people, no matter their heritage, culture, sexual orientation, gender identity or other factors.

  • Controversy Erupts in Open-Source Community After Developer's Sex Life Made Public
    Drupal is a popular open-source content-management system, used to build websites. Like many other open-source projects, Drupal is guided by several committees that are supposed to be accountable to the community and its code of conduct, which enshrines values like "be considerate" and "be respectful." Also like many other open-source projects, Drupal attracts all sorts of people, some of whom are eclectic. Last week, under murky circumstances, Drupal creator Dries Buytaert banned one of the project's technical and community leaders, Larry Garfield. Buytaert attributed the decision to aspects of Garfield's private sex life. Many Drupal users and developers are up in arms about the perceived injustice of the move, exacerbated by what they see as a lack of transparency.
  • HospitalRun: Open Source Software for the Developing World
    When open source software is used for global health and global relief work, its benefits shine bright. The benefits of open source become very clear when human health and human lives are on the line. In this YouTube video, hear Harrisburg, Pennsylvania software developer Joel Worrall explain about HospitalRun software – open source cloud-based software used at developing world healthcare facilities.
  • Scotland emphasises sharing and reuse of ICT
    Scotland’s public administrations should focus on common, shared technology platforms, according to the new digital strategy, published on 22 March. The government says it wants to develop “shared infrastructure, services and standards in collaboration with our public sector partners, to reduce costs and enable resources to be focused on front-line services.”
  • [Older] OpenSSL Re-licensing to Apache License v. 2.0 To Encourage Broader Use with Other FOSS Projects and Products

    OpenSSL Launches New Website to Organize Process, Seeks to Contact All Contributors

  • Austria state secretary promotes open data
    The State Secretary at Austria’s Federal Chancellery, Muna Duzdar, is encouraging the making available of government data as open data. “The administration must set an example and support the open data culture by giving society its data back”, the State Secretary for Digitalisation said in a statement.
  • Study: Hungary should redouble open data initiatives
    The government of Hungary should redouble its efforts to make public sector information available as open data, and actively help to create market opportunities, a government white paper recommends. The ‘White Paper on National Data Policy’ was approved by the government in December.
  • Williamson School Board OKs developing open source science curriculum
    Science textbooks may be a thing of the past in Williamson County Schools. The Williamson County school board approved a proposal Monday night to use open source science resources instead of science textbooks. The switch will require a team of nine teachers to spend a year developing an open source curriculum.
  • How Elsevier plans to sabotage Open Access
    It was a long and difficult road to get the major publishing houses to open up to open access, but in the end the Dutch universities got their much awaited ‘gold deal’ for open access. A recently revealed contract between Elsevier and the Dutch research institutes lays bare the retardant tactics the publishing giant employs to stifle the growth of open access.
  • #0: Introducing R^4
  • RcppTOML 0.1.2

Security Leftovers

  • Security updates for Monday
  • FedEx Will Pay You $5 to Install Flash on Your Machine
    FedEx is making you an offer you can’t afford to accept. It’s offering to give you $5 (actually, it’s a discount on orders over $30) if you’ll just install Adobe Flash on your machine. Nobody who knows anything about online security uses Flash anymore, except when it’s absolutely necessary. Why? Because Flash is the poster child for the “security-vulnerability-of-the-hour” club — a group that includes another Adobe product, Acrobat. How unsafe is Flash? Let’s put it this way: seven years ago, Steve Jobs announced that Flash was to be forever banned from Apple’s mobile products. One of the reasons he cited was a report from Symantec that “highlighted Flash for having one of the worst security records in 2009.” Flash security hasn’t gotten any better since.
  • Every once in a while someone suggests to me that curl and libcurl would do better if rewritten in a “safe language”
  • An insecure dishwasher has entered the IoT war against humanity

    Regel says that he has contacted Miele on a number of occasions about the issue, but had failed to get a response to his missives, and this has no updated information on the vulnerability.

    He added, bleakly that "we are not aware of an actual fix."

  • Monday Witness: It's Time to Reconize a Civil Right Not to be Connected
    Along with death and taxes, two things appear inevitable. The first is that Internet of Things devices will not only be built into everything we can imagine, but into everything we can't as well. The second is that IoT devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway. What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.
  • Remember kids, if you're going to disclose, disclose responsibly!
    If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I'm not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things.

Lightroom and Darktable: the verdict two years after switching

In summer 2015, I posted a detailed account of my tentative switch from Windows7 and Lightroom to Linux and Darktable. This was sparked by sudden crashes that were afflicting my system, but in a deeper sense grew from frustration with Windows and, to a lesser degree, with Lightroom. Once I headed for Linux, I decided to plunge in fully and commit to using Ubuntu and free, open-source photo software for several months – at least until the end of that year. That would give me a chance to see whether I could actually run my photography business on the new system. Read more

7 Linux Mainstream Distros Alternatives

Linux Mainstream Distros are quite popular as they have a large number of developers working on them as well as a large number of users using them. In addition, these distros also have strong support system. People often search alternatives for Linux Mainstream Distros but often get confused about which is the best one for them. So listed below are 7 best Linux mainstream distros alternative choices for you. Read more