Security

Security Leftovers

Filed under
Security
  • “Robin Hood” Hacker Steals $11,000 In Bitcoin, Donates It To Help Fight ISIS

    The hacker who claimed to hack the Hacking Team and Gamma Group is back again. This time, he has sent about $11,000 of allegedly stolen Bitcoin to help fight ISIS.

  • Aqua Launches Container Security Platform

    Looking beyond just application vulnerability scanning, Aqua also provides a degree of runtime protections. Aqua uses a layered security approach to keep containers safe, according to Jerbi. The layered approach starts with running the container application images in learning mode, usually during functional testing. In the learning mode, Aqua examines a container's behavior in the application context and uses that to set granular runtime parameters, based on which files, executables and network connections a container is using.

Security Leftovers

Filed under
Security
  • Tuesday's security advisories
  • Secure Hardware vs. Open Source

    Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

  • The Alarming Truth

    Car alarms don't deter criminals, and they're a public nuisance. Why are they still so common?

  • Security hole in Symantec antivirus exposes Windows, Linux and Macs

    A major security vulnerability has been uncovered by UK white hat hacker and Google Project Zero developer, Tavis Ormandy. The vulnerability applies to the Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products and could see Linux, Mac and Windows PCs compromised.

  • Patch now: Google and JetBrains warn developers of buggy IDE

    Google has emailed Android developers advising them to update Android Studio, the official Android IDE, to fix security bugs. Other versions of the JetBrains IntelliJ IDE, on which Android Studio is based, are also affected.

    The bugs are related to the built-in web server in the IDE. A cross-site request forgery (CSRF) flaw means that if the IDE is running and the developer visits a malicious web page in any browser, scripts on the malicious web page could access the local file system.

  • Researchers crack new version of CryptXXX ransomware
  • How to empty your bank's vault with a few clicks and lines of code

    A security researcher has demonstrated how he could have theoretically emptied an Indian bank's coffers with no more than a few clicks and lines of code.

    Earlier this week, researcher Sathya Prakash revealed the discovery of multiple, critical vulnerabilities and poor coding in an unnamed government-run Indian bank.

Security Leftovers

Filed under
Security
  • SourceForge Tightens Security With Malware Scans

    After taking down the controversial DevShare program in early February, the new owners of popular software repository, SourceForge, have begun scanning all projects it hosts for malware in an attempt to regain trust that was lost by Dice Holdings, the site’s previous owners.

  • Mozilla Issues Legal Challenge to FBI to Disclose Firefox Flaw
  • Judge In Child Porn Case Reverses Course, Says FBI Will Not Have To Turn Over Details On Its Hacking Tool

    Back in February, the judge presiding over the FBI's case against Jay Michaud ordered the agency to turn over information on the hacking tool it used to unmask Tor users who visited a seized child porn site. The FBI further solidified its status as a law unto itself by responding that it would not comply with the court's order, no matter what.

    Unfortunately, we won't be seeing any FBI officials tossed into jail cells indefinitely for contempt of court charges. The judge in that case has reversed course, as Motherboard reports.

  • Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack

    In February, a judge ordered the FBI to reveal the full malware code it used to identify visitors of a dark web child pornography site, including the exploit that circumvented the protections of the Tor Browser. The government fought back, largely in sealed motions, and tried to convince the judge to reconsider.

  • Symantec antivirus security flaw exposes Linux, Mac and Windows

    Security holes in antivirus software are nothing new, but holes that exist across multiple platforms? That's rare... but it just happened. Google's Tavis Ormandy has discovered a vulnerability in Symantec's antivirus engine (used in both Symantec- and Norton-branded suites) that compromises Linux, Mac and Windows computers. If you use an early version of a compression tool to squeeze executables, you can trigger a memory buffer overflow that gives you root-level control over a system.

  • Apache incubating project promises new Internet security framework

    The newly announced Apache Milagro (incubating) project seeks to end centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications.

More Security Leftovers

Filed under
Security
  • Security updates for Monday
  • The Truth about Linux 4.6

    As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at: https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.

  • Major Remote SSH Security Issue in CoreOS Linux Alpha, Subset of Users Affected

    A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected. The Alpha was subsequently reverted back to the unaffected previous version (1032.1.0) and hosts configured to receive updates have been patched. The issue was reported on May 15 at 20:21 PDT and a fix was available 6 hours later at 02:29 PDT.

  • Let's Encrypt: The Good and the Bad

    By now, most of you have heard about the "Let's Encrypt" initiative. The idea being that it's high time more websites had a simple, easy to manage method to offer https encryption. As luck would have it, the initiative is just out of its beta phase and has been adding sponsors like Facebook, Cisco, and Mozilla to their list of organizations that view this initiative as important.

    In this article, I want to examine this initiative carefully, taking a look at the good and the bad of Let's Encrypt.

Security Leftovers

Filed under
Security
  • Security will fix itself, eventually

    Here's my prediction though. In the future, good security will be cheaper to build, deploy, and run than bad security. This sounds completely insane with today's technology. A statement like this is like some kook ten years ago telling everyone solar power is our future. Ten years ago solar wasn't a serious thing, today it is. Our challenge is figuring out what the new security future will look like. We don't really know yet. We know we can't train our way out of this, most existing technology is a band-aid at best. If I had to guess I'll use the worn out "Artificial Intelligence will save us all", but who knows what the future will bring. Thanks to Al Gore, I'm now more optimistic things will get better. I'm impatient though, I don't want to wait for the future, I want it now! So all you smart folks do me a favor and start inventing the future.

  • Does Microsoft care about security? [Ed: no, because leaks show it gives back doors to governments]

    On Wednesday, I also booted my laptop to Windows. I had not used the laptop for several days, so the AV definitions were three days old. It updated after around 3 hours. But the Vista system still has not updated.

    This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday. The previous two months, I attempted to manually update. On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading. It did eventually update, after repeating this for two days. This month, I decided to allow it to update without manual intervention, with the results described above.

    It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista. The priority worsening is greater for Vista than for Windows 7. It affects monthly patches as well as MSE virus table updates.

    The message to malware producers is loud and clear. Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.

How Fuzzing Can Make A Large Open Source Project More Secure

Filed under
OSS
Security

Emily Ratliff of the Linux Foundation explains the considerations to take when planning to fuzz your open source project

One of the best practices for secure development is dynamic analysis. Among such techniques, fuzzing has been highly popular since its invention and a multitude of fuzzing tools of varying sophistication have been developed.


Also: Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

Ubuntu 16.04 LTS Receives Minor Kernel Update That Patches Two Vulnerabilities

Filed under
Security
Ubuntu

Today, May 16, 2016, Canonical published multiple security notices to inform the Ubuntu community about the availability of a new kernel update for their operating systems.


Security Leftovers

Filed under
Security
  • Replacing /dev/urandom

    The kernel's random-number generator (RNG) has seen a great deal of attention over the years; that is appropriate, given that its proper functioning is vital to the security of the system as a whole. During that time, it has acquitted itself well. That said, there are some concerns about the RNG going forward that have led to various patches aimed at improving both randomness and performance. Now there are two patch sets that significantly change the RNG's operation to consider.

  • Mozilla asks the FBI for details of Tor vulnerability that could also affect Firefox

    Mozilla is fighting to force the FBI to disclose details of a vulnerability in the Tor web browser. The company fears that the same vulnerability could affect Firefox, and wants to have a chance to patch it before details are made public.

    The vulnerability was exploited by FBI agents to home in on a teacher who was accessing child pornography. Using a "network investigative technique", the FBI was able to identify the man from Vancouver, but Mozilla is concerned that it could also be used by bad actors.

    Perhaps unsurprisingly, the government says that it should be under no obligation to disclose details of the vulnerability to Mozilla ahead of anyone else. But the company has filed a brief with a view to forcing the FBI's hand. The argument is that users should be kept protected from known flaws by allowing software companies to patch them.

Security Leftovers

Filed under
Security
  • Thursday's security advisories
  • Friday's security updates
  • I never imagined a nuclear plant’s control system being online

    Many people think that the web is the internet. They see the Googles, the Facebooks, the Reddits… but the web is something built on top of the internet and so only the tip of the iceberg. The iceberg is composed of webcams, power plants, printers… billions of devices.

  • Heart Surgery Stalled For Five Minutes Thanks To Errant Anti-Virus Scan [Ed: Microsoft Windows]

    If you've ever had the pleasure of simply asking one medical outfit to transfer your records to another company or organization, you've probably become aware of the sorry state of medical IT. Billions are spent on medical hardware and software, yet this is a sector for which the fax machine remains the pinnacle of innovation and a cornerstone of daily business life. Meanwhile, getting systems to actually communicate with each other appears to be a bridge too far. And this hodge podge of discordant and often incompatible systems can very often have very real and troubling implications for patients.

  • How to make containers more secure

    CoreOS's Matthew Garrett talks about the security risks in containers and how he and others are working to mitigate such risks.

  • Docker Ramps Up Container Security

    Docker this week announced the rollout of security scanning technology to safeguard container content across the entire software supply chain.

  • Jenkins security patches could break plug-ins

    Popular open source automation server Jenkins has fixed multiple security vulnerabilities. The latest version changes how plug-ins use build parameters, though, so developers will need to adapt to the new process.

  • Security From Whom?

    To take advantage of the X11 protocol issues, you need to be able to speak X11 to the server. Assuming you haven’t misconfigured something (ssh or your file permissions) so other users’ software can talk to your server, that means causing you to run evil X11 protocol code like XEvilTeddy.

  • Convenience, security and freedom - can we pick all three?

    Moxie, the lead developer of the Signal secure communication application, recently blogged on the tradeoffs between providing a supportable federated service and providing a compelling application that gains significant adoption. There's a set of perfectly reasonable arguments around that that I don't want to rehash - regardless of feelings on the benefits of federation in general, there's certainly an increase in engineering cost in providing a stable intra-server protocol that still allows for addition of new features, and the person leading a project gets to make the decision about whether that's a valid tradeoff.

  • Announcing Certbot: EFF's Client for Let's Encrypt
  • Signal Return Orientated Programming attacks

    When a process is interrupted, the kernel suspends it and stores its state in a sigframe which is placed on the stack. The kernel then calls the appropriate signal handler code and after a sigreturn system call, reads the sigframe off the stack, restores state and resumes the process. However, by crafting a fake sigframe, we can trick the kernel into executing something else.
