Language Selection

English French German Italian Portuguese Spanish


Security News

Filed under
  • One bug to rule them all: 'State-supported' Project Sauron malware attacks world's top PCs

    Two top electronic security firms have discovered a new powerful malware suite being used to target just dozens of high-value targets around the world. The research shows that it was likely developed on the orders of a government engaging in cyber espionage.

    The California-based Symantec has labeled the group behind the attack Strider, while Moscow-based Kaspersky Labs dubbed it ProjectSauron. Both are references to J. R. R. Tolkien’s Lord of the Rings, a nod to the fact that the original malware code contained the word “Sauron.”

  • Disable WPAD now or have your accounts and private data compromised

    The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.

    Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.

  • With Anonymous' latest attacks in Rio, the digital games have begun

    A wave of denial of service (DDoS) attacks on state and city websites followed immediately after Anonymous delivered their statement. The group boasted taking down at least five sites, including,,, and They broadcast their exploits using the hashtags #OpOlympicHacking, #Leaked and #TangoDown, some of which were set up months ago.

  • Kaminsky Advocates for Greater Cloud Security

    There are a lot of different reasons why organizations choose to move to the cloud and many reasons why they do not. Speaking at a press conference during the Black Hat USA security event, security researcher Dan Kaminsky provided his views on what's wrong with the Internet today and where the cloud can fit in.

    "There's a saying we have," Kaminsky said. "There is no such thing as cloud, just other people's computers."

    While the cloud represents a utility model for computing, Kaminsky also suggests that there are ways to use the cloud to improve overall security. With the cloud, users and applications can be isolated or 'sandboxed' in a way that can limit risks.

    With proper configurations, including rate limiting approaches, the impact of data breaches could potentially be reduced as well. As an example, Kaminsky said that with rate limiting controls, only the money from a cash register is stolen by a hacker, as opposed to stealing all of a company's corporate profits for a month.

  • Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
  • Our Encrypted Email Service is Safe Against Linux TCP Vulnerability

    ProtonMail is not vulnerable to the recently announced Linux TCP Vulnerability

In limiting open source efforts, the government takes a costly gamble

Filed under

The vast majority of companies are now realizing the value of open sourcing their software and almost all have done so for at least certain projects. These days Google, Facebook, Microsoft, Apple and almost every major company is releasing code to the open source community at a constant rate.

As is the case with many cutting edge developments it’s taking governments a while to catch on and understand the value in going open source. But now governments around the world are beginning to take the view that as their software is funded by the public, it belongs to the public and should be open for public use and are starting to define codified policies for its release.


The vast majority of code is still not classified and therefore, much higher levels of open sourcing are possible. While a bigger embrace of open source may seem like a risk, the real danger lies in small, overly-cautious implementation which is costing taxpayers by the day and making us all less secure.

Read more

More Security Leftovers

Filed under
  • Volkswagen Created A 'Backdoor' To Basically All Its Cars... And Now Hackers Can Open All Of Them

    In other words, VW created a backdoor, and assumed that it would remain hidden. But it did not.

    This is exactly the kind of point that we've been making about the problems of requiring any kind of backdoor and not enabling strong encryption. Using a single encryption key across every device is simply bad security. Forcing any kind of backdoor into any security system creates just these kinds of vulnerabilities -- and eventually someone's going to figure out how they work.

    On a related note, the article points out that the researchers who found this vulnerability are the same ones who also found another vulnerability a few years ago that allowed them to start the ignition of a bunch of VW vehicles. And VW's response... was to sue them and try to keep the vulnerability secret for nearly two years. Perhaps, rather than trying to sue these researchers, they should have thrown a bunch of money at them to continue their work, alert VW and help VW make their cars safer and better protected.

  • Software Freedom Doesn't Kill People, Your Security Through Obscurity Kills People

    The time has come that I must speak out against the inappropriate rhetoric used by those who (ostensibly) advocate for FLOSS usage in automotive applications.

    There was a catalyst that convinced me to finally speak up. I heard a talk today from a company representative of a software supplier for the automotive industry. He said during his talk: "putting GPLv3 software in cars will kill people" and "opening up the source code to cars will cause more harm than good". These statements are completely disingenuous. Most importantly, it ignores the fact that proprietary software in cars is at least equally, if not more, dangerous. At least one person has already been killed in a crash while using a proprietary software auto-control system. Volkswagen decided to take a different route; they decided to kill us all slowly (rather than quickly) by using proprietary software to lie about their emissions and illegally polluting our air.

    Meanwhile, there has been not a single example yet about use of GPLv3 software that has harmed anyone. If you have such an example, email it to me and I promise to add it right here to this blog post.

  • Linux Networking Flaw Allows Attacker To Trick Safety Mechanism

Security News

Filed under
  • White House aims to secure open source government programs

    The White House unveils a new open source government policy and new research estimates the government's zero-day exploit stockpile to be smaller than expected.

  • How Governments Open Sourcing Code Helps Us Be More Secure

    The idea of governments releasing their proprietary code isn’t some pipe dream, it’s slowly becoming a reality in many countries and starting a much needed public discussion in others. Governments around the world are beginning to understand that their software is funded by the public, and therefore belongs to the public and should be accessible for their use. Bulgaria just passed a law which mandates that all code written for the government must be released as open source. Similarly, the United States is starting a 3-year pilot requiring all US agencies to release at least 20% of all federally-funded custom code as open source. France, Norway, Brazil and other countries have also initiated their own government open source programs to ensure more government funded code will be released as open source.

  • 2046 is the last year your CEO has a business major [Ed: says Juniper which put back doors in its software?]
  • DARPA's Machine Challenge Solves CrackAddr Puzzle

    Seven autonomous supercomputers faced off against each other in DARPA's Cyber Grand Challenge (CGC) event on the first day of the DEFCON security conference. In the end, a system known as 'Mayhem' won the $2 million grand prize and in the process helped solve a decade-old security challenge that revolved around detecting a particular type of vulnerability.

    Mike Walker, the DARPA program manager responsible for CGC, commented during a press conference that some bugs are so well known that they become famous. One such example is CrackAddr, the name of a function that can split up parts of an email address.

  • New Linux Malware Installs Bitcoin Mining Software on Infected Device

Security News

Filed under
  • Security updates for Friday
  • Linux malware turns victim's machines into crypto-currency miners [Ed: Linux "malware exploits flaw in Redis NoSQL" is not correct. Not Linux problem, not a flaw either but misconfiguration]
  • Researchers announce Linux kernel “network snooping” bug
  • Microsoft's compromised Secure Boot implementation

    There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation.

    Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so Microsoft added support in the bootloader to disable UMCI. If you were a member of the appropriate developer program, you could give your device's unique ID to Microsoft and receive a signed blob that disabled image validation. The bootloader would execute a (Microsoft-signed) utility that verified that the blob was appropriately signed and matched the device in question, and would then insert it into an EFI Boot Services variable[1]. On reboot, the boot loader reads the blob from that variable and integrates that policy, telling later stages to disable code integrity validation.

More Security News

Filed under
  • FreeBSD devs ponder changes to security processes

    The developers of FreeBSD have announced they'll change the way they go about their business, after users queried why known vulnerabilities weren't being communicated to users.

    This story starts with an anonymous GitHub post detailing some vulnerabilities in the OS, specifically in freebsd-update, libarchive, bspatch and portsnap. Some of the problems in that post were verified and the FreeBSD devs started working on repairs.

  • Your Linux Distro Can Be Hacked In 60 Seconds Due To Serious TCP Flaw: Research [Ed: This headline is nonsense and shows that the author lacks technical understanding of it.]
  • Virtual Machine Introspection: A Security Innovation With New Commercial Applications

    A few weeks ago, Citrix and Bitdefender launched XenServer 7 and Bitdefender Hypervisor Introspection, which together compose the first commercial application of the Xen Project Hypervisor’s Virtual Machine Introspection (VMI) infrastructure. In this article, we will cover why this technology is revolutionary and how members of the Xen Project Community and open source projects that were early adopters of VMI (most notably LibVMI and DRAKVUF) collaborated to enable this technology.

  • 10 IoT Security Best Practices For IT Pros

    IT professionals have to treat internet of things (IoT) vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention, for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the network. When everything is connected, security is only as strong as the weakest node on the network.

  • Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked

    Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of "Internet of Things" evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.

Security News

Filed under

Security Leftovers

Filed under
  • Security advisories for Wednesday
  • Google: QuadRooter Threat Blocked On Most Android Devices
  • Linux Distributions Vulnerable to Cyber-Attacks: Report
  • Windows 10 Attack Surface Grows with Linux Support in Anniversary Update [Ed: Does Kaspersky not know CrowdStrike is a Microsoft-connected firm that spreads Linux FUD?]
  • Web pages, Word docs, PDF files, fonts – behold your latest keys to infecting Windows PCs

    Microsoft has fixed 38 CVE-listed security vulnerabilities in Edge, Internet Explorer, and Office, as well as high-profile flaws that have allowed researchers to circumvent Windows boot protections.

    None of the programming blunders were publicly disclosed or actively exploited in the wild prior to today's patch release.

  • If census site was taken down after DDoS attack it wasn't prepared: expert

    The attack against the census website that resulted in it being taken down last night appears, at face value, to have been nothing more than the standard attack perpetrated against countless sites every day by everyone from children to malcontents with an axe to grind, an expert says.

    That the site was attacked is not in the least bit surprising, security adviser Troy Hunt told Fairfax Media, but it was unexpected that an attack of this kind would result in the site going down.

  • Census 2016: ABS needs to provide proof of DDoS

    Technical people like him are what we need to cut through all the bulldust. One person who is an expert in this art is Craig Sanders, a systems administrator of many decades, and one who can speak plainly. Many years ago, following a major distributed denial of service of attack on the Internet's root name servers, he was one who educated me on the phenomenon. This time was no different with Sanders; he calmly and clearly pointed me in the direction of the evidence that was needed.

    If the census website crashed due to foreign intervention — either through a denial of service or a distributed denial of service — how is it that none of the major security companies around the world did not notice it? You would need an attack of some magnitude to take down the ABS census site.

  • Researchers crack Microsoft feature, say encryption backdoors similarly crackable [Ed: by design]

    Researchers who uncovered a security key that protects Windows devices as they boot up say their discovery is proof that encryption backdoors do not work.

    The pair of researchers, credited by their hacker nicknames MY123 and Slipstream, found the cryptographic key protecting a feature called Secure Boot.

    They believe the discovery highlights a problem with requests law enforcement officials have made for technology companies to provide police with some form of access to otherwise virtually unbreakable encryption that might be used by criminals.

    “Microsoft implemented a ‘secure golden key’ system. And the golden keys got released from [Microsoft's] own stupidity,” wrote the researchers in their report, in a section addressed by name to the FBI.

    “Now, what happens if you tell everyone to make a ‘secure golden key’ system? Hopefully you can add 2+2.”

    Secure Boot is a built into the firmware of computer — software unique to different types of hardware that exists outside the operating system and is used to boot the OS.

Syndicate content

More in Tux Machines

Security News

  • Security advisories for Thursday
  • More information about Dirty COW (aka CVE-2016-5195)
    The security hole fixed in the stable kernels released today has been dubbed Dirty COW (CVE-2016-5195) by a site devoted to the kernel privilege escalation vulnerability. There is some indication that it is being exploited in the wild. Ars Technica has some additional information. The Red Hat bugzilla entry and advisory are worth looking at as well.
  • CVE-2016-5195
    My prior post showed my research from earlier in the year at the 2016 Linux Security Summit on kernel security flaw lifetimes. Now that CVE-2016-5195 is public, here are updated graphs and statistics. Due to their rarity, the Critical bug average has now jumped from 3.3 years to 5.2 years. There aren’t many, but, as I mentioned, they still exist, whether you know about them or not. CVE-2016-5195 was sitting on everyone’s machine when I gave my LSS talk, and there are still other flaws on all our Linux machines right now. (And, I should note, this problem is not unique to Linux.) Dealing with knowing that there are always going to be bugs present requires proactive kernel self-protection (to minimize the effects of possible flaws) and vendors dedicated to updating their devices regularly and quickly (to keep the exposure window minimized once a flaw is widely known).
  • “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)
    While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
  • Linux users urged to protect against 'Dirty COW' security flaw
    Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed ‘Dirty COW'. This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild. Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used. "The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.
  • Hackers Hit U.S. Senate GOP Committee
    The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC). [...] Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software. De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data. According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published. But De Groot said the hackers behind this scheme are continuing to find new sites to compromise. “Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”
  • Thoughts on the BTB Paper
    The Branch Target Buffer (BTB) whitepaper presents some interesting information. It details potential side-channel attacks by utilizing timing attacks against the branch prediction hardware present in Intel Haswell processors. The article does not mention Intel processors later than Haswell, such as Broadwell or Skylake. Side-channel attacks are always interesting and fun. Indeed, the authors have stumbled into areas that need more research. Their research can be applicable in certain circumstances. As a side-note, KASLR in general is rather weak and can be considered a waste of time[1]. The discussion why is outside the scope of this article.

Android Leftovers

Debian-Based Parsix GNU/Linux 8.15 "Nev" Gets First Test Build, Ships GNOME 3.22

Today, October 21, 2016, the developers of the Debian-based Parsix GNU/Linux operating system proudly announced the availability for download of the first test build of the upcoming Parsix GNU/Linux 8.15 "Nev" release. Read more

Open source where possible in Polish Gdańsk

The city of Gdańsk, Poland’s sixth largest city, is using open source software applications where possible. Open source is called an ‘important element’ in the Operational Programmes, made public in August. This document describes the tasks and activities set out by the city to achieve the goals it defined in the Gdańsk 2030 Plus Development Strategy. Read more