Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • New Report Shows Healthy Growth in Open Source Usage, but Security is Not Locked Down
  • Tuesday's security advisories
  • Security staff should talk to end users more

    IT security departments need to improve their relationships with their users by going out and talking to them, Red Hat's security strategist Josh Pressers has advised.

    Pressers warned that in order to stop the spread of 'shadow IT' within the enterprise, security professionals need to make a bigger effort to understand staff in other departments, warning that "we don't listen very well".

    Shadow IT has become an increasing problem for corporate IT managers, as employees use non-approved tools and technologies at work, rather than the systems provided by the in-house team.

  • Every version of Windows hit by "critical" security flaw [Ed: Microsoft Zack (Zack Whittaker, formerly Microsoft UK) on the latest back/bug door in Windows]

    Microsoft has patched a security vulnerability found in every supported version of Windows, which if exploited could allow an attacker to take over a system.

    The software giant said in a bulletin posted Tuesday as part of its monthly release of security fixes that the the "critical" flaw could let an attacker remotely install malware, which can be used to modify or delete data, or create new accounts with full user rights.

    The "critical"-rated flaw affects Windows Vista and later -- including Windows Server 2008 and later.

    Those who are logged in as an administrator, such as some home accounts and server users, are at the greatest risk.

Security Leftovers

Filed under
Security
  • CISSP certification: Are multiple choice tests the best way to hire infosec pros?

    Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

    Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.

  • Pokémon Go on iOS gives full access to Google accounts

    Signing into Pokémon Go on iOS with a Google account gives the game full access to that account, according to a systems architect, Adam Reeve.

    The Android version of the game apparently does not have these issues.

    Reeve said that the security situation was not the same for all iOS users.

    Pokémon Go was released last week and has been a huge hit. It is the latest in a series of games from Nintendo but is made by a developer named Niantic, which is part owned by Google.

  • Pokémon Go shouldn’t have full access to your Gmail, Docs and Google account — but it does

    When you use Google to sign into Pokémon Go, as so many of you have already, the popular game for some reason grants itself (for some iOS users, anyway) the highest possible level of access to your Google account, meaning it can read your email, location history… pretty much everything. Why does it need this, and why aren’t users told?

  • Have you given Pokémon Go full access to everything in your Google account?

    Gamers who have downloaded the Pokémon Go augmented reality game were given a scare on Monday, after noticing that the app had apparently been granted “full access” to their Google accounts.

    Taken at face value, the permissions would have represented a major security vulnerability, albeit one that only appeared to affect players who signed up to play the game using their Google account on Apple devices.

  • Pokémon Go Was Never Able To Read Your Email [Updated]

    Here’s even more confirmation that Pokémon Go never had the ability to access your Gmail or Calendar. A product security developer at Slack tested the token provided by Pokémon Go and found that it was never able to get data from services like Gmail or Calendar.

  • HTTPS is not a magic bullet for Web security

    We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

    HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

  • Now it’s easy to see if leaked passwords work on other sites

    Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

  • What serverless computing really means [iophk: "securityless"]

    Arimura even goes as far as to use the controversial “no-ops,” coined by former Netflix cloud architect Adrain Cockcroft. Again, just as there will always be servers, there will always be ops to run them. Again, no-ops and serverless computing take the developer’s point of view: Someone else has to worry about that stuff, but not me while I create software.

  • An open letter to security researchers and practitioners

    Earlier this month, the World Wide Web Consortium's Encrypted Media
    Extensions (EME) spec progressed to Draft Recommendation phase. This is
    a controversial standard for transmitting DRM-encumbered videos, and it
    marks the very first time that the W3C has attempted to standardize a
    DRM system.

    This means that for the first time, W3C standards for browsers will fall
    under laws like the DMCA (and its international equivalents, which the
    US Trade Representative has spread all over the world). These laws allow
    companies to threaten security researchers who disclose vulnerabilities
    in DRM systems, on the grounds that these disclosures make it easier to
    figure out how to bypass the DRM.

    Last summer, the Copyright Office heard from security researchers about
    the effect that DRM has on their work; those filings detail showstopper
    bugs in consumer devices, cars, agricultural equipment, medical
    implants, and voting machines that researchers felt they couldn't
    readily publish about, lest they face punitive lawsuits from the
    companies they embarrassed.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Is Your Antivirus Making Your PC More Hackable? Probably YES!f

    Is your antivirus software protecting you from all kinds of malware and security threats? The answer to this questions is a big NO. While one shouldn’t completely get rid of his/her antivirus solution, one shouldn’t be too carefree having them installed. We also advise our readers to follow the basic security practices to stay safe on the internet.

  • Social Media Accounts Of Twitter And Yahoo CEOs Hacked By OurMine

    Hacking group OurMine has now targetted Jack Dorsey and Marissa Mayer. OurMine recently hacked their Twitter accounts and posted messages on their profile. OurMine has triggered the frequency of its operations in the recent times and targeting multiple high-profile tech CEOs and celebrities.

  • Let's Encrypt torpedoes cost and maintenance issues for Free RTC

    Many people have now heard of the EFF-backed free certificate authority Let's Encrypt. Not only is it free of charge, it has also introduced a fully automated mechanism for certificate renewals, eliminating a tedious chore that has imposed upon busy sysadmins everywhere for many years.

    These two benefits - elimination of cost and elimination of annual maintenance effort - imply that server operators can now deploy certificates for far more services than they would have previously.

  • Voice Commands Hidden In YouTube Videos Can Hack Your Smartphone
  • This is quite a nice tool – magic-wormhole

    This beats doing a scp from system to system, especially if the receiving system is behind a NAT and/or firewall.

  • Entry level AI

    I was listening to the podcast Security Weekly and the topic of using AI For security work came up. This got me thinking about how most people make their way into security and what something like AI might mean for the industry.

    In virtually every industry you start out doing some sort of horrible job nobody else wants to do, but you have to start there because it's the place you start to learn the skills you need for more exciting and interesting work. Nobody wants to go over yesterday's security event log, but somebody does it.

Parrot Security OS 3.0 Ethical Hacking Distro Lands for Raspberry Pi, Cubieboard

Filed under
OS
Security

Frozenbox Network, the developer of the Parrot Security OS ethical hacking distribution for personal computers and embedded devices, announced the release of Raspberry Pi and Cubieboard 4 binary images for Parrot Security OS 3.0.

Read more

Security Leftovers

Filed under
Security
  • LWN.net Weekly Edition for June 30, 2016
  • TP-Link forgets to register domain name, leaves config pages open to hijack

    In common with many other vendors, TP-Link, one of the world's biggest sellers of Wi-Fi access points and home routers, has a domain name that owners of the hardware can use to quickly get to their router's configuration page. Unlike most other vendors, however, it appears that TP-Link has failed to renew its registration for the domain, leaving it available for anyone to buy. Any owner of the domain could feasibly use it for fake administration pages to phish credentials or upload bogus firmware. This omission was spotted by Amitay Dan, CEO of Cybermoon, and posted to the Bugtraq mailing list last week.

  • Experimenting with Post-Quantum Cryptography

    The study of cryptographic primitives that remain secure even against quantum computers is called “post-quantum cryptography”. Today we're announcing an experiment in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm in addition to the elliptic-curve key-exchange algorithm that would typically be used. By adding a post-quantum algorithm on top of the existing one, we are able to experiment without affecting user security. The post-quantum algorithm might turn out to be breakable even with today's computers, in which case the elliptic-curve algorithm will still provide the best security that today’s technology can offer. Alternatively, if the post-quantum algorithm turns out to be secure then it'll protect the connection even against a future, quantum computer.

  • HTTPS crypto’s days are numbered. Here’s how Google wants to save it

    Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe.

    In the coming months, Google servers will add a new, experimental cryptographic algorithm to the more established elliptic curve algorithm it has been using for the past few years to help encrypt HTTPS communications. The algorithm—which goes by the wonky name "Ring Learning With Errors"—is a method of exchanging cryptographic keys that's currently considered one of the great new hopes in the age of quantum computing. Like other forms of public key encryption, it allows two parties who have never met to encrypt their communications, making it ideal for Internet usage.

Security Leftovers

Filed under
Security
  • WordPress Stays Focused on Security, More Open Source CMS News

    WordPress upgraded to version 4.5.3 last month with a security release for all versions of the content management system. But it quickly discovered a number of vulnerabilities.

    A total of 17 bugs were found in the last three releases from this year, many of which allowed attackers to take over websites running on WordPress. And according to the latest estimates from BuiltWith, 48 percent of the top million websites globally run on WordPress. But popularity has a price: It is also one of the most hacked platforms.

  • Security updates for Friday
  • Building a Safer Internet with HackerOne

    A while back my friend Mårten Mickos joined HackerOne as CEO. Around that time we had lunch and he shared with me more about the company. Mårten has an impressive track record, and I could see why he was so passionate about his new gig.

Use Linux or Tor? The NSA might just be tracking you

Filed under
Linux
Security

But it seems those intent on keeping pesky government agencies out of their online business may well be shooting themselves in the virtual foot.

As documents related to the XKeyscore snooping program reveal, the US's National Security Agency has started focusing its snooping efforts on Linux Journal readers, Tails Linux, and Tor users.

Read more

Security Leftovers

Filed under
Security
  • Symantec admits it won't patch 'catastrophic' security flaws until mid-July [Ed: that’s proprietary software for you…]

    SECURITY OUTFIT Symantec has warned customers that security flaws in the firm's systems outed by Google's Project Zero last month won't be fixed until mid-July.

  • Cybersecurity: MEPs back rules to help vital services resist online threats

    Firms supplying essential services, e.g. for energy, transport, banking and health, or digital ones, such as search engines and cloud services, will have to improve their ability to withstand cyber-attacks under the first EU-wide rules on cybersecurity, approved by MEPs on Wednesday.

    Setting common cybersecurity standards and stepping up cooperation among EU countries will help firms to protect themselves, and also help prevent attacks on EU countries’ interconnected infrastructure, say MEPs.

  • European Union’s First Cybersecurity Law Gets Green Light

    The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Amazon.com Inc. to report attacks.

    The European Parliament endorsed legislation that will impose security and reporting obligations on service operators in industries such as banking, energy, transport and health and on digital operators like search engines and online marketplaces. The law, voted through on Wednesday in Strasbourg, France, also requires EU national governments to cooperate among themselves in the field of network security.

Security Leftovers

Filed under
Security
Syndicate content

More in Tux Machines

Opera Data Breach, Security of Personal Data

  • Opera User? Your Stored Passwords May Have Been Stolen
    Barely a week passes without another well-known web company suffering a data breach or hack of some kind. This week it is Opera’s turn. Opera Software, the company behind the web-browser and recently sold to a Chinese consortium for $600 million, reported a ‘server breach incident’ on its blog this weekend.
  • When it comes to protecting personal data, security gurus make their own rules
    Marcin Kleczynski, CEO of a company devoted to protecting people from hackers, has safeguarded his Twitter account with a 14-character password and by turning on two-factor authentication, an extra precaution in case that password is cracked. But Cooper Quintin, a security researcher and chief technologist at the Electronic Frontier Foundation, doesn’t bother running an anti-virus program on his computer. And Bruce Schneier? The prominent cryptography expert and chief technology officer of IBM-owned security company Resilient Systems, won’t even risk talking about what he does to secure his devices and data.

Android Leftovers

FOSS and Linux Events

  • On speaking at community conferences
    Many people reading this have already suffered me talking to them about Prometheus. In personal conversation, or in the talks I gave at DebConf15 in Heidelberg, the Debian SunCamp in Lloret de Mar, BRMlab in Prague, and even at a talk on a different topic at the RABS in Cluj-Napoca.
  • TPM Microconference Accepted into LPC 2016
    Although trusted platform modules (TPMs) have been the subject of some controversy over the years, it is quite likely that they have important roles to play in preventing firmware-based attacks, protecting user keys, and so on. However, some work is required to enable TPMs to successfully play these roles, including getting TPM support into bootloaders, securely distributing known-good hashes, and providing robust and repeatable handling of upgrades. In short, given the ever-more-hostile environments that our systems must operate in, it seems quite likely that much help will be needed, including from TPMs. For more details, see the TPM Microconference wiki page.
  • More translations added to the SFD countdown
    Software Freedom Day is celebrated all around the world and as usual our community helps us to provide marketing materials in their specific languages. While the wiki is rather simple to translate, the Countdown remains a bit more complicated and time consuming to localize. One needs to edit the SVG file and generate roughly a 100 pictures, then upload them to the wiki. Still this doesn’t scare the SFD teams around the world and we are happy to announce three more languages are ready to be used: French, Chinese and German!

Second FreeBSD 11.0 Release Candidate Restores Support for 'nat global' in IPFW

Glen Barber from the FreeBSD project announced the availability of the second RC (Release Candidate) development build of the upcoming FreeBSD 11.0 operating system. Read more