Security News

Filed under
Security
  • Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

    The 4.7.3 update comes just days after WordPress admins were alerted to a separate security crisis in NextGEN Gallery, a WordPress plugin vulnerable to SQL injection attacks.

  • WordPress 4.7.3 Updates for Six Security Issues

    The open-source WordPress blogging and content management system fixes six vulnerabilities, including three Cross Site Scripting flaws.

    The open-source WordPress blogging and content management system (CMS) released a new incremental version on March 6, providing users with six new security patches and 39 bug fixes. The new WordPress 4.7.3 update is the third security update for WordPress so far in 2017, following the 4.7.2 update on Jan. 26 and the 4.7.1 update on Jan. 12.

  • New Stable CloudLinux 7 Kernel Update Released to Patch Multiple Security Issues

    CloudLinux's Mykola Naugolnyi announced today, March 7, 2017, the immediate availability of a new stable kernel update for the CloudLinux 7 operating system series.

    The updated CloudLinux 7 kernel was bumped to version 3.10.0-427.36.1.lve1.4.39 and is here to address a bunch of security vulnerabilities discovered recently. First of all, you should know that this new kernel replaces the 3.10.0-427.18.2.lve1.4.38 build that many of you have installed, and can be downloaded from CloudLinux's stable repository.

  • Frankfurt used as remote hacking base for the CIA: WikiLeaks

    WikiLeaks documents reveal CIA agents were given cover identities and diplomatic passports to enter the country. The base was used to develop hacking tools as part of the CIA's massive digital arsenal.

  • Wikileaks reveals how CIA is targeting your iPhone, Android, and smart TV

    Wikileaks just dropped a massive collection of information detailing how the US government is attacking the devices that many of us use every single day in an effort to gain intel for its own purposes. Tactics for breaching iPhones, iPads, Android devices, PCs, routers, and even smart TVs are included in the leak, which has some serious privacy and security implications if even a fraction of it proves to be accurate.

  • WikiLeaks publishes massive trove of CIA spying files in 'Vault 7' release

    WikiLeaks has published a huge trove of what appear to be CIA spying secrets.

    The files are the most comprehensive release of US spying files ever made public, according to Julian Assange. In all, there are 8,761 documents that account for "the entire hacking capacity of the CIA", Mr Assange claimed in a release, and the trove is just the first of a series of "Vault 7" leaks.

    Already, the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.

  • Wikileaks posts alleged trove of CIA hacking tools
  • WikiLeaks' CIA document dump shows agency can compromise Android, TVs

    WikiLeaks has released more than 8,700 documents it says come from the CIA's Center for Cyber Intelligence, with some of the leaks saying the agency had 24 "weaponized" and previously undisclosed exploits for the Android operating system as of 2016.

Security News

Filed under
Security
  • Third-Party Vendor Issues Temporary Patch for Windows GDI Vulnerability [Ed: Microsoft is so negligent when it comes to patching that some random companies out there attempt to patch binaries]

    A vulnerability discovered by Google Project Zero security researchers and left without a patch by Microsoft received a temporary fix from third-party security vendor ACROS Security.

    The vulnerability, tracked as CVE-2017-0038, is a bug in Windows GDI (Graphics Device Interface), a library that Windows uses to process graphics and formatted text, for both the video display and when sending data to local printers.

    According to Google researchers, attackers could leverage malformed EMF files to expose data found in the victim's memory, which can then be leveraged to bypass ASLR protection and execute code on the user's computer.

  • HackerOne opens up bug bounties to open source

    HackerOne is bringing bug hunting and software testing to open source developers to help make open source software more secure and safer to use.

    A lot of modern tools and technologies depend on open source software, so a security flaw can wind up having a widespread impact -- the Heartbleed flaw in OpenSSL, for example. Many open source projects still rely on the "thousand eyes" concept when it comes to software security -- that anyone being able to see the source code means defects are found and fixed faster. While it's true to some extent, it doesn't apply if no one is actually looking at the code, as we've learned repeatedly over the past few years.

  • WordPress 4.7.3 Security and Maintenance Release

    WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Security News

Filed under
Security
  • Arbitrary code execution in TeX distributions

    Many out there use TeX or one of its distributions like TeX Live, LaTeX, MiKTeX or teTeX. Sharing TeX files between authors is common, and often conference organizers, journal editors or university institutions offer TeX templates for papers and diploma theses. So what if a TeX file can take over your computer?

  • Security firm issues patch for Windows zero-day

    A security firm has released a patch for a remotely exploitable vulnerability in Windows that Microsoft is expected to patch on 14 March.

    0patch team member Luka Treiber said this was the first time the company had issued code to fix a zero-day exploit.

    He has provided a detailed rundown of his methodology on the firm's website.

    Anyone wishing to use the patch has to download 0patch's patching agent and then obtain the code.

  • The working dead: The security risks of outdated Linux kernels [Ed: IDG says that running an old and unpatched Linux kernel is not a good idea, like that wasn't obvious.]

    Linux kernel security vulnerabilities are often in the headlines. Recently it was revealed that a serious kernel vulnerability had remained undiscovered for over a decade. But what does this mean in a practical sense? Why is security of the Linux kernel important? And what effects do vulnerabilities have on older or obsolete kernels that persist in many devices?

Talks and FOSS Events

Filed under
OSS
Security
  • Me at the RSA Conference

    This is my talk at the RSA Conference last month. It's on regulation and the Internet of Things, along the lines of this essay.

  • How to handle conflict like a boss

    I was initially afraid that a talk about conflict management would be touchy-feely to the point of uselessness, but found that every time Deb Nicholson described a scenario, I could remember a project that I'd been involved in where just such a problem had arisen. In the end, her "Handle conflict like a boss" presentation may turn out to have been one of the more rewarding talks I heard at FOSDEM 2017.

    Nicholson's first contention was that conflict happens because some people are missing some information. She related a story about a shared apartment where the resident who was responsible for dividing up the electricity bill was getting quite annoyed at the resident who had got behind on his share, until Nicholson pointed out that the latter resident was away at his grandmother's funeral. Instantly, the person who'd been angry was calm and concerned, through no change other than coming into possession of all the facts. Conflict is natural, said Nicholson, but it doesn't have to be the end of the world.

  • Principled free-software license enforcement

    Issues of when and how to enforce free-software licenses, and who should do it, have been on some people's minds recently, and Richard Fontana from Red Hat decided to continue the discussion at FOSDEM. This was a fairly lawyerly talk; phrases like "alleged violation" and "I think that..." were scattered throughout it to a degree not normally found in talks by developers. This is because Fontana is a lawyer at Red Hat, and he was talking about ideas which, while they are not official Red Hat positions, were developed following discussions between him and other members of the legal team at Red Hat.

    To his mind, GPL enforcement has always been an important element of free-software law; not that we should all be doing it, all the time, but like it or not, litigation is part of a legal system. Awareness of its possibility, however, was making some Red Hat customers and partners worried about the prospect. There has not, in fact, been much actual litigation around free-software licenses — certainly not compared to the amount of litigation software companies are capable of generating in the normal course of business — thus Fontana felt their fears were unreasonable.

Security Leftovers

Filed under
Security
  • Software Grand Exposure: SGX Cache Attacks Are Practical

    Side-channel information leakage is a known limitation of SGX. Researchers have demonstrated that secret-dependent information can be extracted from enclave execution through page-fault access patterns. Consequently, various recent research efforts are actively seeking countermeasures to SGX side-channel attacks. It is widely assumed that SGX may be vulnerable to other side channels, such as cache access pattern monitoring, as well. However, prior to our work, the practicality and the extent of such information leakage was not studied.

  • KDE issues security advisory for HTTPS KIO Slave

    The vulnerability here is that the full URL with all parameters (including usernames, passwords etc.) was passed to the FindProxyForURL function. A malicious attacker could manipulate the local network and distribute a PAC file which then leaks the full URL (e.g. over the network), even though HTTPS is supposed to protect the URL. The issue has been fixed for HTTPS in two commits (here and here). There is no fix for HTTP as it is unencrypted and the proxy can always see the full URL anyway.

  • Multiple Vulnerabilities in X.org
  • Sticky Password for Android 8.0.3646

7 Essential Tips for Linux Sysadmin Workstation Security

Filed under
Linux
Security

If you’re a sysadmin who works from home, logs in for after-hours emergency support or simply prefers to work from a laptop in your office, you need to do it securely. Preparation and vigilance are essential in keeping your workstation and network safe from hackers.

Anyone who uses a Linux workstation to access and manage their company’s or project's IT infrastructure runs the risk that his or her computer will become an incursion vector against the rest of that infrastructure.


Security Leftovers

Filed under
Security
  • Security-Oriented Alpine Linux 3.5.2 Distro Released with Kernel 4.4.52 LTS

    Alpine Linux, the open-source security-oriented GNU/Linux distribution based on BusyBox and musl libc, has been updated earlier to version 3.5.2, the second point release to the stable 3.5 series.

    Alpine Linux 3.5.2 comes one month after the release of Alpine Linux 3.5.1 and brings with it the recently released long-term supported Linux 4.4.52 kernel, as well as numerous up-to-date components, including PHP 7.0.16, lighttpd 1.4.45, Chromium 56.0.2924.76, PostgreSQL 9.6.2, nginx 1.10.3, ZoneMinder 1.30.2, and RackTables 0.20.12.

  • SSH Communications Security's Universal SSH Key Manager

    Today's IAM solutions, warns enterprise cybersecurity expert SSH Communications Security, fail to address fully the requirements of trusted access. Organizations lack an efficient way to manage and govern trusted access credentials and have no visibility into the activities that occur within the secure channels that are created for trusted access operations.

  • Three Years after Heartbleed, How Vulnerable Are You? [Ed: Fools who cling on to hype, marketing and FUD from a Microsoft-connected firm even 3 years later]

    Three years ago, the Heartbleed vulnerability in the OpenSSL cryptographic library sent the software industry and companies around the world into a panic. Software developers didn't know enough about the open source components used in their own products to understand whether their software was vulnerable — and customers using that software didn't know either.

Security Leftovers

Filed under
Security
  • Human error caused Amazon Web Services outage

    A wrong command entered by a member of its technical staff was responsible for the outage experienced by Amazon Web Services simple storage service this week.

    In a detailed explanation, the company said the S3 team was attempting to debug an issue that caused a slowdown in its billing system when, at 9.37am PST on Tuesday (4.30am Wednesday AEST), one of its technical staff ran a command that was intended to remove a few servers from one of the subsystems used by the S3 billing process.

    The worker entered one wrong input for the command and ended up removing a much larger number of servers than intended, some of which supported two other S3 subsystems.

  • Apple's macOS bitten by a brace of backdoors

    Oh jeez, the sanctity of the Apple operating system continues to be whittled away at, and now two reasonably fresh backdoors have been revealed by a concerned security company.

    Apple backdoors are much prized, just ask the FBI, so to have two in a day should be a thing to celebrate. But only if you like that kind of stuff.

    The Malwarebytes blog dishes the dirt on the pair and the threat that they pose to people who use Macs.

    One of them is XAgent, which Palo Alto Networks clocked onto in February. It is a nasty business indeed.

  • SHA-1 crack just got real: System Center uses it to talk to Linux

    When Google revealed last week that it had destroyed the SHA-1 algorithm, it hammered another nail into the venerable algo's coffin.

    But as we noted in our report on the feat, many applications still use SHA-1. And if you're one of the many Windows shops running Microsoft's System Center Operations Manager Management Server, you've got an exposure.
