Language Selection

English French German Italian Portuguese Spanish

Security

Security: Nmap 7.30 is Out

Filed under
OSS
Security
  • Nmap 7.30

    Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X.

  • Nmap 7.30 Released As Stable With Many Additions
  • Nmap 7.30 Security Scanner Adds 12 New IPv6 OS Fingerprints, 7 NSE Scripts

    Today, September 29, 2016, the Nmap developers proudly announced the release of Nmap 7.30, the latest stable version of the free, open source and cross-platform security scanner and network mapper software.

    As expected, Nmap 7.30 is a major release that adds numerous new features and improvements, among which we can mention twelve new IPv6 OS fingerprints and seven NSE (Nmap Scripting Engine) scripts that have been submitted by various developers. There are now a total of 541 NSE scripts included in Nmap.

Security News

Filed under
Security
  • Security updates for Thursday
  • How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet

    Last week, hackers forced a well-known security journalist to take down his site after hitting him for more than two days with an unprecedented flood of traffic.

    That cyberattack was powered by something the internet had never seen before: an army made of more than one million hacked Internet of Things devices.

    The hackers, whose identity is still unknown at this point, used not one, but two networks—commonly referred to as “botnets” in hacking lingo—made of around 980,000 and 500,000 hacked devices, mostly internet-connected cameras, according to Level 3 Communications, one of the world’s largest internet backbone providers. The attackers used all those cameras and other unsecured online devices to connect to the journalists’ website, pummeling the site with requests in an attempt to make it collapse.

  • NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP

    Hospitals across England are running thousands of out-of-date Windows XP machines, potentially putting patient data and other sensitive information at risk.

    Motherboard has found that at least 42 National Health Service (NHS) trusts in England are still using the Windows XP operating system, with many of them confirming that they no longer receive security updates for the software. Legal experts say that the NHS hospitals may be in breach of data protection regulations.

    “If hospitals are knowingly using insecure XP machines and devices to hold and otherwise process patient data they may well be in serious contravention of their obligations,” Jon Baines, Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO), wrote in an email.

    In April 2014, Microsoft officially ended support for Windows XP, meaning that the company would no longer release security patches for the aging operating system. Any vulnerabilities discovered after that date would therefore be left for hackers to exploit. Governments and businesses could pay Microsoft for a custom extended support deal; the Crown Commercial Service, which is sponsored by the Cabinet Office, spent £5.5 million ($9 million) to continue receiving updates for the public sector, including for the NHS. That agreement ended in April 2015 and was not renewed.

Security News

Filed under
Security
  • security things in Linux v4.5
  • Time to Kill Security Questions—or Answer Them With Lies

    The notion of using robust, random passwords has become all but mainstream—by now anyone with an inkling of security sense knows that “password1” and “1234567” aren’t doing them any favors. But even as password security improves, there’s something even more problematic that underlies them: security questions.

    Last week Yahoo revealed that it had been massively hacked, with at least 500 million of its users’ data compromised by state sponsored intruders. And included in the company’s list of breached data weren’t just the usual hashed passwords and email addresses, but the security questions and answers that victims had chosen as a backup means of resetting their passwords—supposedly secret information like your favorite place to vacation or the street you grew up on. Yahoo’s data debacle highlights how those innocuous-seeming questions remain a weak link in our online authentication systems. Ask the security community about security questions, and they’ll tell you that they should be abolished—and that until they are, you should never answer them honestly.

    From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet’s name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.

  • LibreSSL and the latest OpenSSL security advisory

    Just a quick note that LibreSSL is not impacted by either of the issues mentioned in the latest OpenSSL security advisory - both of the issues exist in code that was added to OpenSSL in the last release, which is not present in LibreSSL.

  • Record-breaking DDoS reportedly delivered by >145k hacked cameras

    Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. Now, there's word of a similar attack on a French Web host that peaked at a staggering 1.1 terabits per second, more than 60 percent bigger.

    The attacks were first reported on September 19 by Octave Klaba, the founder and CTO of OVH. The first one reached 1.1 Tbps while a follow-on was 901 Gbps. Then, last Friday, he reported more attacks that were in the same almost incomprehensible range. He said the distributed denial-of-service (DDoS) attacks were delivered through a collection of hacked Internet-connected cameras and digital video recorders. With each one having the ability to bombard targets with 1 Mbps to 30 Mbps, he estimated the botnet had a capacity of 1.5 Tbps.

    On Monday, Klaba reported that more than 6,800 new cameras had joined the botnet and said further that over the previous 48 hours the hosting service was subjected to dozens of attacks, some ranging from 100 Gbps to 800 Gbps. On Wednesday, he said more than 15,000 new devices had participated in attacks over the past 48 hours.

Networking and Security

Filed under
Server
Security
Web
  • FAQ: What's so special about 802.11ad Wi-Fi?

    Here are the broad strokes about 802.11ad, the wireless technology that’s just starting to hit the market.

  • 2.5 and 5 Gigabit Ethernet Now Official Standards

    In 2014, multiple groups started efforts to create new mid-tier Ethernet speeds with the NBASE-T Alliance starting in October 2014 and MGBASE-T Alliance getting started a few months later in December 2014. While those groups started out on different paths, the final 802.3bz standard represents a unified protocol that is interoperable across multiple vendors.

    The promise of 2.5 and 5 Gbps Ethernet is that they can work over existing Cat5 cabling, which to date has only been able to support 1 Gbps. Now with the 802.3bz standard, organizations do not need to rip and replace cabling to get Ethernet that is up to five times faster.

    "Now, the 1000BASE-T uplink from the wireless to wired network is no longer sufficient, and users are searching for ways to tap into higher data rates without having to overhaul the 70 billion meters of Cat5e / Cat6 wiring already sold," David Chalupsky, board of directors of the Ethernet Alliance and Intel principal engineer, said in a statement. "IEEE 802.3bz is an elegant solution that not only addresses the demand for faster access to rapidly rising data volumes, but also capitalizes on previous infrastructure investments, thereby extending their life and maximizing value."

  • A quick fix for stupid password reset questions

    It didn’t take 500 million hacked Yahoo accounts to make me hate, hate, hate password reset questions (otherwise known as knowledge-based authentication or KBA). It didn't help when I heard that password reset questions and answers -- which are often identical, required, and reused on other websites -- were compromised in that massive hack, too.

    Is there any security person or respected security guidance that likes them? They are so last century. What is your mother’s maiden name? What is your favorite color? What was your first pet’s name?

  • French hosting provider hit by DDoS close to 1TBps

    A hosting provider in France has been hit by a distributed denial of service attack that went close to one terabyte per second.

    Concurrent attacks against OVH clocked in at 990GBps.

    The attack vector is said to be the same Internet-of-Things botnet of 152,464 devices that brought down the website of security expert Brian Krebs.

    OVH chief technology officer Octave Klaba tweeted that the network was capable of attacks up to 1.5TBps.

  • Latest IoT DDoS Attack Dwarfs Krebs Takedown At Nearly 1Tbps Driven By 150K Devices

    If you thought that the massive DDoS attack earlier this month on Brian Krebs’ security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via network of over 152,000 IoT devices.

    According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these types devices' network settings are improperly configured, which leaves them ripe for the picking for hackers that would love to use them to carry our destructive attacks.

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Facebook, Uber, Slack, and Pandora Pros Praise Free Security Tools

    Proponents of open source software argue that by letting passionate developers get involved and tweak underlying code, the tools they create are stronger and more reliable. Plus, for companies looking to bolster their digital defenses, the software has the added benefit of being free.

  • LibreSSL 2.5
  • LibreSSL 2.5 Released With New Features, iOS Support

    LibreSSL 2.5.0 is available today as the newest version of this growing fork of OpenSSL led by the OpenBSD project.

    LibreSSL 2.5's libtls implementation now supports ALPN and SNI while handling four cipher suite groups, there is tightened error handling in some areas, support for OCSP intermediate certificates, initial support for Apple's iOS platform, and a variety of other fixes and functionality improvements.

Security News

Filed under
Security
  • Sloppy programming leads to OpenSSL woes
  • OpenSSL Fixes Critical Bug Introduced by Latest Update

    OpenSSL today released an emergency security update after a patch in its most recent update issued last week introduced a critical vulnerability in the cryptographic library.

  • The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks

    Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.

  • Trump Offers More Insight On His Cybersecurity Plans: 10-Year-Old Relatives Vs. 400-lb Bedroom Dwellers

    Look, anyone who refers to cybersecurity or cyberwarfare as "the cyber" is probably better off not discussing this. But Donald Trump, in last night's debate, felt compelled to further prove why he's in no position to be offering guidance on technological issues. And anyone who feels compelled to portray hackers as 400-lb bedroom dwellers probably shouldn't be opening their mouth in public at all.

    With this mindset, discussions about what "the Google" and "the Facebook" are doing about trimming back ISIS's social media presence can't be far behind. Trump did note that ISIS is "beating us at our game" when it comes to utilizing social media. Fair enough.

Security News

Filed under
Security
  • Tuesday's security updates
  • New Open Source Linux Ransomware Divides Infosec Community

    Following our investigation into this matter, and seeing the vitriol-filled reaction from some people in the infosec community, Zaitsev has told Softpedia that he decided to remove the project from GitHub, shortly after this article's publication. The original, unedited article is below.

  • Fax machines' custom Linux allows dial-up hack

    Party like it's 1999, phreakers: a bug in Epson multifunction printer firmware creates a vector to networks that don't have their own Internet connection.

    The exploit requirements are that an attacker can trick the victim into installing malicious firmware, and that the victim is using the device's fax line.

    The firmware is custom Linux, giving the printers a familiar networking environment for bad actors looking to exploit the fax line as an attack vector. Once they're in that ancient environment, it's possible to then move onto the network to which the the printer's connected.

    Yves-Noel Weweler, Ralf Spenneberg and Hendrik Schwartke of Open Source Training in Germany discovered the bug, which occurs because Epson WorkForce multifunction printers don't demand signed firmware images.

  • Google just saved the journalist who was hit by a 'record' cyberattack

    Google just stepped in with its massive server infrastructure to run interference for journalist Brian Krebs.

    Last week, Krebs' site, Krebs On Security, was hit by a massive distributed denial-of-service (DDoS) attack that took it offline, the likes of which was a "record" that was nearly double the traffic his host Akamai had previously seen in cyberattacks.

    Now just days later, Krebs is back online behind the protection of Google, which offers a little-known program called Project Shield to help protect independent journalists and activists' websites from censorship. And in the case of Krebs, the DDoS attack was certainly that: The attempt to take his site down was in response to his recent reporting on a website called vDOS, a service allegedly created by two Israeli men that would carry out cyberattacks on behalf of paying customers.

  • Krebs DDoS aftermath: industry in shock at size, depth and complexity of attack

    “This attack didn’t stop, it came in wave after wave, hundreds of millions of packets per second,” says Josh Shaul, Akamai’s vice president of product management, when Techworld spoke to him.

    “This was different from anything we’ve ever seen before in our history of DDoS attacks. They hit our systems pretty hard.”

    Clearly still a bit stunned, Shaul describes the Krebs DDoS as unprecedented. Unlike previous large DDoS attacks such as the infamous one carried out on cyber-campaign group Spamhaus in 2013, this one did not use fancy amplification or reflection to muster its traffic. It was straight packet assault from the old school.

  • iOS 10 makes it easier to crack iPhone back-ups, says security firm

    INSECURITY FIRM Elcomsoft has measured the security of iOS 10 and found that the software is easier to hack than ever before.

    Elcomsoft is not doing Apple any favours here. The fruity firm has just launched the iPhone 7, which has as many problems as it has good things. Of course, there are no circumstances when vulnerable software is a good thing, but when you have just launched that version of the software, it is really bad timing.

    Don't hate the player, though, as this is what Elcomsoft, and what Apple, are supposed to be doing right.

    "We discovered a major security flaw in the iOS 10 back-up protection mechanism. This security flaw allowed us to develop a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) back-ups made by iOS 10 devices," said Elcomsoft's Oleg Afonin in a blog post.

  • After Tesla: why cybersecurity is central to the car industry's future

    The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security.

    This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production.

    This leads to a ‘fire brigade approach’ to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market.

Security News

Filed under
Security
  • Canonical Patches OpenSSL Regression in Ubuntu 16.04 LTS, 14.04 LTS & 12.04 LTS

    After announcing a few days ago that a new, important OpenSSL update is available for all supported Ubuntu Linux operating systems, Canonical's Marc Deslauriers now informs the community about another patch to address a regression.

    The new security advisory (USN-3087-2) talks about a regression that was accidentally introduced along with the previous OpenSSL update (as detailed on USN-3087-1), which addressed no less than eleven (11) security vulnerabilities discovered upstream by the OpenSSL team.

  • Patch AGAIN: OpenSSL security fixes now need their own security fixes
  • Bangladesh Bank exposed to hackers by cheap switches, no firewall: Police
  • This is the Israeli company that can hack any iPhone and Android smartphone

    If Cellebrite sounds familiar, that’s because the name of this Israeli company came up during Apple’s standoff with the FBI over breaking iPhone encryption. The agency managed to crack the San Bernardino iPhone with the help of an undisclosed company. Many people believe it was Cellebrite that came to the rescue. Meanwhile, the company revealed that it could hack just about any modern smartphone, but refused to say whether its expertise is used by the police forces of repressive regimes.

  • Reproducible Builds: week 74 in Stretch cycle
  • East-West Encryption: The Next Security Frontier?

    Microsegmentation, a method to create secure, virtual connections in software-defined data centers (SDDCs), has already emerged as one of the primary reasons to embrace network virtualization (NV). But some vendors believe that East-West encryption of traffic inside the data center could be the next stop in data-center security.

    For example, VMware says it is looking at encrypting East-West traffic inside the data center, adding another layer of security to the SDDC. Why is that important? Today, most firewalls operate on the perimeter of the data center – either guarding or encrypting data leaving the data center for the WAN. And some security products may encrypt data at rest inside the data center. But encrypting the traffic in motion between servers inside the data center – known in the business as the East-West traffic – is not something that’s typically done.

  • DHS Offers Its Unsolicited 'Help' In Securing The Internet Of Things [Ed: In the UK, GCHQ meddles in the Surveillance of Things in the name of 'security' while at the same time, with Tories' consent, cracking PCs]

    It's generally agreed that the state of security for the Internet of Things runs from "abysmal" to "compromised during unboxing." The government -- despite no one asking it to -- is offering to help out… somehow. DHS Assistant Secretary for Cyber Policy Robert Silvers spoke at the Internet of Things forum, offering up a pile of words that indicates Silvers is pretty cool with the "cyber" part of his title... but not all that strong on the "policy" part.

IPFire 2.19 Linux Firewall OS Patched Against the Latest OpenSSL Vulnerabilities

Filed under
Linux
Security

Only three days after announcing the release of IPFire 2.19 Core Update 104, Michael Tremer informs the community about the availability of a new update, Core Update 105, which brings important OpenSSL patches.

Read more

Tor Project Releases Tor (The Onion Router) 0.2.8.8 with Important Bug Fixes

Filed under
GNU
Linux
Security

The Tor Project announced recently the release of yet another important maintenance update to the stable Tor 0.2.8.x series of the open-source and free software to protect your anonymity while surfing the Internet.

Read more

Syndicate content

More in Tux Machines

Wine 2.0 Takes Shape, First Release Candidate Updates the Mono Engine, More

A few moments ago, the Wine development team was proud to announce the general availability of the first Release Candidate of the upcoming Wine 2.0 open-source software for running Windows apps on Linux and UNIX-like operating systems. Read more Also: Wine 2.0-rc1 Arrives, Prepares For Wine 2.0

Antivirus Live CD 21.0-0.99.2 Helps You Protect Your Computer Against Viruses

4MLinux developer Zbigniew Konojacki proudly informs Softpedia today about the general availability of the Antivirus Live CD 21.0-0.99.2 bootable ISO image for scanning computers for viruses and other malware. Read more

Bulgaria to make EUPL preferred open source licence

Next week, the government of Bulgaria will make the European Union Public Licence (EUPL) the preferred licence to be used for governmental software development projects. An ordinance, to be adopted on Wednesday, will allow projects to use around ten popular free and open source software licence approved by the Open Source Initiative (OSI) - an open source advocacy organisation. Read more

Slovenia voting analysis tool shared as open source

The President of the Parliament of Slovenia, Milan Brglez, last Monday unveiled Parlameter, a web-based software solution that displays in the National Assembly voting results and helps analyse them. The software, made available as open source, is developed by ‘Danes je nov dan’ (Today is a new day) an NGO focusing on eParticipation, openness and government oversight. Read more