
Security

Security Leftovers

Filed under
Security
  • 3 Lessons in Web Encryption from Let’s Encrypt

    As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year. Much of the infrastructure and many of the plans necessary for a 100 percent encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.

    But before we start looking ahead, it’s helpful to look back and see what our project learned from our exciting first full year as a live certificate authority (CA). I’m incredibly proud of what our team and community accomplished during 2016. I’d like to share how we’ve changed, what we’ve accomplished, and what we’ve learned.

    At the start of 2016, Let’s Encrypt was supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 22 million active certificates in total.

  • [Older] Kali Linux Cheat Sheet for Penetration Testers
  • Report: Attacks based on open source vulnerabilities will rise 20 percent this year [Ed: The Microsoft-connected Black Duck spreads FUD against FOSS again, together with IDG; Black Duck was created for the purpose of attacking the GPL, by its very own admission.]

    The number of commercial software projects that were composed of 50 percent or more of free, open source software went up from 3 percent in 2011 to 33 percent today, said Mike Pittenger, vice president of security strategy at Black Duck Software.

Security Leftovers

Filed under
Security
  • Truffle Hog Finds Security Keys Hidden in GitHub Code

    According to commenters on a Reddit thread about Truffle Hog, Amazon Web Services has already been using a similar tool for the same purpose. "I have accidentally committed my AWS secret keys before to a public repo," user KingOtar wrote. "Amazon actually found them and shut down my account until I created new ones. Kinda neat Amazon."

  • 5 Essential Tips for Securing Your WordPress Sites

    WordPress is by far the most popular blogging platform today.

    Being as popular as it is, it comes with its own strengths and weaknesses. The very fact that almost everybody uses it makes it more prone to vulnerabilities. WordPress developers are doing a great job of fixing and patching the framework as new flaws are discovered, but that doesn’t mean that you can simply install and forget your installation.

    In this post, we will provide some of the most common ways of securing and strengthening a WordPress site.

  • Google ventures into public key encryption

    Google announced an early prototype of Key Transparency, its latest open source effort to ensure simpler, safer, and secure communications for everyone. The project’s goal is to make it easier for applications and services to share and discover public keys for users, but it will be a while before it's ready for prime time.

    Secure communications should be de rigueur, but it remains frustratingly out of reach for most people, more than 20 years after the creation of Pretty Good Privacy (PGP). Existing methods where users need to manually find and verify the recipients’ keys are time-consuming and often complicated. Messaging apps and file sharing tools are limited in that users can communicate only within the service because there is no generic, secure method to look up public keys.

  • How to Keep Hackers out of Your Linux Machine Part 2: Three More Easy Security Tips

    In part 1 of this series, I shared two easy ways to prevent hackers from eating your Linux machine. Here are three more tips from my recent Linux Foundation webinar where I shared more tactics, tools and methods hackers use to invade your space. Watch the entire webinar on-demand for free.

Security News

Filed under
Security
  • Microsoft slates end to security bulletins in February [iophk: "further obscuring"; Ed: See this]

    Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.

    One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."

  • Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users

    By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too.

  • DragonFlyBSD Installer Updated To Support UEFI System Setup

    DragonFlyBSD has been working on its (U)EFI support and with the latest Git code its installer now has basic UEFI support.

Tails 2.10 Will Upgrade to Linux Kernel 4.8 and Tor 0.2.9, Add exFAT Support

Filed under
Security

A new stable release of Tails, the beloved anonymous Live CD that helps you stay hidden online when navigating various websites on the Internet, is being prepared.

Security News

Filed under
Security
  • How we secure our infrastructure: a white paper

    Trust in the cloud is paramount to any business who is thinking about using it to power their critical applications, deliver new customer experiences and house their most sensitive data. Today, we're issuing a white paper by our security team that details how security is designed into our infrastructure from the ground up.

    Google Cloud’s global infrastructure provides security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet and safe operation by administrators.

  • Google Infrastructure Security Design Overview [Ed: Google banned Windows internally]

    The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.

  • Microsoft Says Windows 7 Has Outdated Security, Wants You to Move to Windows 10 [Ed: all versions are insecure BY DESIGN]

    Windows 10 is now running on more than 20 percent of the world’s desktop computers, and yet, Microsoft’s bigger challenge isn’t necessarily to boost the market share of its latest operating system, but to convince those on Windows 7 to upgrade.

  • Debian GNU/Linux 8.7 Officially Released, Includes over 85 Security Updates

    If you're using Debian Stable (a.k.a. Debian GNU/Linux 8 "Jessie"), it's time to update it now. Why? Because Debian Project launched a new release, Debian GNU/Linux 8.7, which includes over 170 bug fixes and security updates.

  • CVS: cvs.openbsd.org: src

    Disable and lock Silicon Debug feature on modern Intel CPUs

Hide Complex Passwords in Plain Sight and Give Your Brain a Break

Filed under
Linux
Security
HowTos

As far as people are concerned, there are essentially two types of passwords: the ones we can remember and the ones that are too complex for us to recall. We've learned the latter type is more secure, but it requires us to store impossible-to-memorize-password lists, creating a whole new set of problems. There are some clever tricks to help our brains out a bit, but for most of us the limit of our memory is regrettable. This tip offers a way to pull passwords from unexpected places using the Linux terminal.


(via DMT/Linux Blog)

Security Leftovers (Back Doors in WhatsApp/Facebook and Microsoft Windows)

Filed under
Security
  • The eight security backdoors that helped kill faith in security

    With the news of WhatsApp's backdoor granting Facebook and government agencies access to user messages, fears over users' privacy issues are sure to be at an all-time high for WhatsApp's 1 billion users.

    Backdoors in computing equipment are the stuff of legend. A decade ago a security expert informed me with absolute certainty that a prominent non-US networking company had designed them into its products for years as a matter of course, as if nobody much cared about this fact. Long before the average citizen had heard the letters NSA, it struck me at the time as an extraordinary suggestion. It was almost as if the deliberate compromise of an important piece of network equipment was a harmless novelty.

  • Reported “backdoor” in WhatsApp is in fact a feature, defenders say

    The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor—at least as that term is defined by most security experts. Most would probably agree it's not even a vulnerability. Rather, it's a limitation in what cryptography can do in an app that caters to more than 1 billion users.

    At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

    Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

  • Security flaw leaves WhatsApp messages susceptible to man-in-the-middle attacks

    FLAWS in the way that WhatsApp deals with encryption keys leave users wide open to man-in-the-middle attacks, enabling third parties to tap their communications.

    The flaw has been described as a "security back door" by The Guardian and privacy campaigners (not unlike the back doors that governments of various stripes have been trying to mandate on all internet communications by law), but more sober voices have described it as a minor bug and criticised The Guardian for going OTT.

    Nor is it new. Vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016.

    The security flaw relates to situations where encryption keys are dropped and have to be re-issued and re-sent. In certain circumstances, a third-party could exploit the bug to persuade the app to resend messages because the authenticity of re-issued keys is not verified in WhatsApp by default.

  • There's No Security Backdoor in WhatsApp, Despite Reports

    This morning, the Guardian published a story with an alarming headline: “WhatsApp backdoor allows snooping on encrypted messages.” If true, this would have massive implications for the security and privacy of WhatsApp’s one-billion-plus users. Fortunately, there’s no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian’s story is “major league fuckwittage.”

  • WhatsApp vulnerability allows snooping on encrypted messages

    A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

    Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

  • Hacker group Shadow Brokers retires, dumps more code as parting gift

    The Shadow Brokers claimed to have held even more valuable cyber tools in reserve and offered to sell them to the highest bidder in an unorthodox public auction. On Thursday, they said their sales effort had been unsuccessful and were therefore ceasing operations. “So long, farewell peoples. The Shadow Brokers is going dark, making exit,” the group said according to a screenshot of the webpage posted Thursday on the news website CyberScoop.

  • Suspected NSA tool hackers dump more cyberweapons in farewell

    The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off -- but not before releasing another arsenal of tools that appear designed to spy on Windows systems.

  • Shadow Brokers announce retirement, leak NSA Windows Hacking tools as parting gift
  • The Shadow Brokers Leaves the Stage with a Gift of So-Called NSA-Sourced Hacking Tools
  • Shadow Brokers group bids adieu, dumps hacking tools before going silent
  • 'It Always Being About Bitcoins': Shadow Brokers Retire
  • Hacking Group 'ShadowBrokers' Release NSA Exploits, Then Go Dark

Security News

Filed under
Security
  • Security advisories for Friday
  • New Windows backdoor targets intelligence gathering

    New versions of the MM Core Windows backdoor are being used to provide a channel into victims' machines for the purpose of intelligence gathering, according to Carl Leonard, principal security analyst at Forcepoint Security Labs.

    The new versions were found by members of the Forcepoint investigations team.

    MM Core, which is also known as BaneChant, is a file-less advanced persistent threat which is executed in memory by a downloaded component. It was first reported in 2013 with the version 2.0-LNK and used the tag BaneChant in the network request sent to its command-and-control centre.

    A second version, 2.1-LNK, found shortly thereafter, had the network tag StrangeLove.

    Forcepoint researchers Nicholas Griffin and Roland Dela Paz, whose write-up on MM Core was provided to iTWire, said the two new versions they had found were 2.2-LNK (network tag BigBoss) and 2.3-LNK (SillyGoose).

  • Implementing Medical Device Cybersecurity: A Two-Stage Process

    Connectivity is ubiquitous – it’s moved beyond an overhyped buzzword and become part of life. Offering ever-advancing levels of access, control, and convenience, widespread connectivity also increases the risk of unauthorised interference in our everyday lives.

    In what many experts believe was a world first, manufacturer Johnson & Johnson recently issued a warning to patients on a cyber-vulnerability in one of its medical devices. The company announced that an insulin pump it supplies had a potential connectivity vulnerability. The wireless communication link the device used contained a potential exploit that could have been used by an unauthorised third party to alter the insulin dosage delivered to the patient.

  • Dockerfile security tuneup

    I recently watched two great talks on container security by Justin Cormack from Docker at Devoxx Belgium and Adrian Mouat from Container Solutions at GOTO Stockholm. We were following many of the suggestions but there was still room for improvement. So we decided it was a good time to do a security tuneup of our dockerfiles.

  • FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

    If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

    This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

    The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

Security News

Filed under
Security
  • Security updates for Wednesday
  • Third Party Patch Roundup – December 2016
  • The MongoDB hack and the importance of secure defaults

    If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far. This post explains the hack, how to protect yourself, and what we can learn from it.

  • Implantable Cardiac Devices Could Be Vulnerable to Hackers, FDA Warns

    Low-level hackers can play with your heart. Literally. Pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients’ lives at risk, the US Food & Drug Administration warned on Monday, the same day a new software patch was released to address these vulnerabilities.

    There are several confirmed vulnerabilities that could have granted hackers remote access to a person’s implanted cardiac device. Then, they could change the heart rate, administer shocks, or quickly deplete the battery. There hadn’t been any report of patient harm related to these vulnerabilities as of Monday, the FDA said.
