Security

BusyBotNet is a Fork of Busybox with Security Tools

Filed under
OSS
Security

Busybox provides a lightweight version of common command line utilities normally found on “big” Linux into a single binary, in order to bring them to embedded systems with limited memory and storage. As more and more embedded systems are now connected to the Internet, or as they are called nowadays the Internet of Things nodes, adding security tools, such as cryptographic utilities, could prove useful for administrators of such systems, and so the BusyBotNet project was born out of a fork of Busybox.

Security Leftovers

Filed under
Security
  • Intel x86s hide another CPU that can take over your machine (you can't audit it)

    Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

  • Let’s Encrypt Accidentally Spills 7,600 User Emails

    Certificate authority Let’s Encrypt accidentally disclosed the email addresses of several thousand of its users this weekend.

    Josh Aas, Executive Director for the Internet Security Research Group (ISRG), the nonprofit group that helped launch the CA, apologized for the error on Saturday. In what Let’s Encrypt dubbed a preliminary report posted shortly after it happened, Aas blamed the faux pas on a bug in the automated email system the group uses.

  • phpMyAdmin Project Successfully Completes Security Audit

    Software Freedom Conservancy congratulates its phpMyAdmin project on successfully completing a thorough security audit, as part of Mozilla's Secure Open Source Fund. No serious issues were found in the phpMyAdmin codebase.

  • StartCom launches a new service - StartEncrypt

    StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, announces a new service – StartEncrypt today, an automatic SSL certificate issuance and installation software for your web server.

Security Leftovers

Filed under
Security
  • Mozilla Funds Open Source Code Audits

    As part of the Mozilla Open Source Support program (MOSS), the Mozilla Foundation has set up a fund dedicated to helping open source software projects eradicate code vulnerabilities.

  • Intel Hidden Management Engine – x86 Security Risk?

    So it seems the latest generation of Intel x86 CPUs have implemented an Intel hidden management engine that cannot be audited or examined. We can also assume at some point it will be compromised and security researchers are labelling this as a Ring -3 level vulnerability.

  • Smart detection for passive sniffing in the Tor-network

    If you haven't yet read about my previous research regarding finding bad exit nodes in the Tor network you can read it here. But the tl;dr is that I sent unique passwords through every exit node in the Tor network over HTTP. This meant that it was possible for the exit node to sniff the credentials and use them to login on my fake website which I had control over.

  • Lone hacker, not Russian spies, responsible for Democratic Party breach

    RED-FACED SECURITY OUTFIT CrowdStrike has admitted that the Russian government wasn't responsible for a hack on the Democratic Party after lone hacker Guccifer 2 claimed that he was responsible for the breach.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Network Security: The Unknown Unknowns

    I recently thought of the apocryphal story about the solid reliability of the IBM AS/400 systems. I’ve heard several variations on the story, but as the most common version of the story goes, an IBM service engineer shows up at a customer site one day to service an AS/400. The hapless employees have no idea what the service engineer is talking about. Eventually the system is found in a closet or even sealed in a walled off space where it had been reliably running the business for years completely forgotten and untouched. From a reliability perspective, this is a great story. From a security perspective, it is a nightmare. It represents Donald Rumsfeld’s infamous “unknown unknowns” statement regarding the lack of evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups.

  • The average cost of a data breach is now $4 million

    The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to the Ponemon Institute.

  • The story of a DDoS extortion attack – how one company decided to take a stand [iophk: “yet another way that cracked MS machines are big money”]

    Instead of simply ordering his company to defend itself in conventional fashion he was going to write to all 5,000 of Computop’s customers and partners telling them that on 15 June his firm’s website was likely to be hit with a DDoS attack big enough to cause everyone serious problems.

pfSense 2.3.1 FreeBSD Firewall Gets New Update to Patch Web GUI Security Issues

Filed under
Security
BSD

Chris Buechler from pfSense announced earlier today, June 16, 2016, that there's a new maintenance update available for the pfSense 2.3.1 FreeBSD-based firewall distribution.

pfSense 2.3.1 Update 5 (2.3.1_5) is a small bugfix release for the pfSense 2.3.1 major update announced last month, and since pfSense now lets its maintainers update only individual parts of the system, we see more and more small builds like this one, which patch the most annoying issues.

Security Leftovers

Filed under
Security
  • BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions

    The research of Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

  • 'BadTunnel' Bugs Left Every Microsoft Windows PC Vulnerable For 20 Years [Ed: no paywall/malware in this link]

    Microsoft is today closing off a vulnerability that one Chinese researcher claims has "probably the widest impact in the history of Windows." Every version of the Microsoft operating system going back to Windows 95 is affected, leaving anyone still running unsupported operating systems, such as XP, in danger of being surreptitiously surveilled.

    According to Yang Yu, founder of Tencent's Xuanwu Lab, the bug can be exploited silently with a "near-perfect success rate", as the problems lie in the design of Windows. The ultimate impact? An attacker can hijack all a target's web use, granting the hacker "Big Brother power", as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft's bug bounty program for uncovering the weakness, which the researcher has dubbed BadTunnel. Microsoft issued a fix today in its Patch Tuesday list of updates.

    "Even security software equipped with active defense mechanisms are not able to detect the attack," Yu told FORBES. "Of course it is capable of execute malicious code on the target system if required."

  • Getting Things Wrong From The Beginning…

    GNU/Linux and never had any problems with software the rest of the school year. I’ve been using GNU/Linux ever since and have had no regrets. It’s been the right way to do IT. My wife saw the light a few years ago. She was tired of years of TOOS failing every now and then and needing re-installation. Once her business started using a web application, she had no more need of TOOS, none.

  • Hackers Show How To Hack Anyone’s Facebook Account Just By Knowing Phone Number

    By exploiting the SS7 flaw, a hacker can hack someone’s Facebook account just by knowing the associated phone number. This flaw allows a hacker to divert the OTP code to his/her own phone and use it to access the victim’s Facebook account. The security researchers, who have explained the hack in a video, advise the users to avoid adding their phone numbers to the public services.

Security Leftovers

Filed under
Security
  • Russian government hackers penetrated DNC, stole opposition research on Trump [Ed: Microsoft Windows again]

    Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach.

  • Bears in the Midst: Intrusion into the Democratic National Committee

    The COZY BEAR intrusion relied primarily on the SeaDaddy implant developed in Python and compiled with py2exe and another Powershell backdoor with persistence accomplished via Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule. The Powershell backdoor is ingenious in its simplicity and power. It consists of a single obfuscated command setup to run persistently, such as...

  • Big data will fix internet security ... eventually [Ed: Microsoft’s Grimes says mass surveillance (‘big data’) will fix Internet security eventually]

    I’ve always thought that improved computer security controls would “fix” the internet and stop persistent criminality -- turns out it might be big data analytics instead.

  • Symantec dons a Blue Coat [Ed: two evil companies are now one]

    Symantec will pay US$4.65 billion in an all-cash deal to buy privately-held Blue Coat to ramp up its enterprise security offerings.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Outdated authentication practices create an opportunity for threat hunter Infocyte

    “Having Linux allows us to look at web servers, for instance. If you’re going to bypass the biometrics, you’re going to need to get into that system itself,” Gerritz says. “That’s where we come in, is finding people who have inserted themselves under that authentication layer.”

  • Cable Sees NFV Enhancing Network Security

    Network functions virtualization is all the rage because of the money it can save, and because of the network flexibility it helps afford, but the cable industry is enthused about NFV for yet another, less publicized benefit: the potential NFV creates for improving network security.

  • IoT Consensus - A Solution Suggestion to the 'Baskets of Remote' Problem by Benedikt Herudek

    Bitcoin is able to integrate and have endpoints (in Bitcoin terminology ‘wallets’ and ‘miners’) seamlessly talk to each other in a large and dynamic network. Devices and their protocols do not have the ability to seamlessly communicate with other devices. This presentation will try to show where Bitcoin and the underlying Blockchain and Consensus Technology can offer an innovative approach to integrating members of a large and dynamic network.

  • Ready to form Voltron! why security is like a giant robot made of lions

    Due to various conversations about security this week, Voltron came up in the context of security. This is sort of a strange topic, but it makes sense when we ponder modern day security. If you talk to anyone, there is generally one thing they push as a solution for a problem. This is no different for security technologies. There is always one thing that will fix your problems. In reality this is never the case. Good security is about putting a number of technologies together to create something bigger and better than any one thing can do by itself.

  • Email Address Disclosures, Preliminary Report, June 11 2016

    On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

  • Universities Become New Target for Ransomware Attacks [iophk: "Calgary has no excuse, given the particular tech activity headquartered specifically in their town. Some top Univ executives need firing +fines for having allowed Microsoft into their infrastructure."]

    This week the University of Calgary in Canada admitted paying C$20,000 (€13,900) to a hacker to regain access to files stored in 600 computers, after it suffered a ransomware attack compromising over 9,000 email accounts. In order to receive the keys, the school paid the equivalent of C$20,000 in Bitcoins.

  • Blue Coat to Sell Itself to Symantec, Abandoning I.P.O. Plans

    Blue Coat Systems seemed poised to begin life as a public company, after selling itself to a private equity firm last year.

    Now, the cybersecurity software company plans to sell itself to Symantec instead.

    Blue Coat said late on Sunday that it would sell itself to Symantec for $4.65 billion. As part of the deal, Blue Coat’s chief executive, Greg Clark, will take over as the chief executive of the combined security software maker.

    To help finance the transaction, Blue Coat’s existing majority investor, Bain Capital, will invest an additional $750 million in the deal. The private equity firm Silver Lake, which invested $500 million in Symantec in February, will invest an additional $500 million.

More in Tux Machines

Remembering Vernon Adams

Open-source font developer Vernon Adams has passed away in California at the age of 49. In 2014, Adams was injured in an automobile collision, sustaining serious trauma from which he never fully recovered. Perhaps best known within the Linux community as the creator of KDE's user-interface font Oxygen, Adams created a total of 51 font families published through Google Fonts, all under open licenses. He was also active in a number of related free-software projects, including FontForge, Metapolator, and the Open Font Library. In 2012, he co-authored the user's guide for FontForge as part of Google's Summer of Code Documentation Camp, which we reported on at that time.

Fedora 24 review: The year’s best Linux distro is puzzlingly hard to recommend

Fedora 24 is one of the best Linux distro releases you're likely to see this year. And there are two other releases that I did not have room to cover in depth here: the Server and Cloud variants of Fedora 24, which pack in a ton of new features specific to those environments. The cloud platform especially continues to churn out the container-related features, with some new tools for OpenShift Origin, Fedora's Platform-as-a-Service system built around Google's Kubernetes project. Check out Fedora Magazine's release announcement for more on everything that's new in Server and Cloud. As always, Fedora WorkStation also comes in a variety of "Spins" that are pre-packaged setups for specific use cases. There are prepacked spins of all the major desktops, including Xfce, KDE, MATE, Cinnamon, and LXDE (you can also get alternative desktops in one go by downloading the DVD installer). Spins aren't just for desktops, though. For example, there's an astronomy spin, a design suite spin, robotics-focused spin, a security spin, and several more. None of these spins have anything you can't set up yourself, but if you don't want to put in the time and effort, Fedora can handle that for you.

New NVIDIA SHIELD Android TV Console Shows Up At The FCC

While the Xiaomi Mi Box does seem to be inching closer towards its release and while this is expected to be the next big major device release for the Android TV platform, the last week has seen speculation mounting as to what NVIDIA might have up their sleeves. This is because a new SHIELD Controller popped up on the FCC and this was then followed by new filings for a new SHIELD Remote control. Of course, just because the two controller accessories were passing through the FCC, it does not automatically mean there will also be a new SHIELD Android TV device coming as well. Although on this particular occasion, that looks to be exactly what is happening.

today's leftovers

  • BSODs at scale: we laugh at your puny five storeys, here's our SIX storey #fail
    It's an easy drive-by troll, isn't it? Last week, we asked readers to top the five-storey Blue Screen of Death spotted in Thailand, and examples big and small flooded the inbox. Manchester Piccadilly Station is either vying for the crown with last week's entry, or perhaps it's a display from the same maker. Thanks to James for catching this shot from 2013.
  • Monitoring of Monitoring
    I was recently asked to get data from a computer that controlled security cameras after a crime had been committed. Due to the potential issues I refused to collect the computer and insisted on performing the work at the office of the company in question. Hard drives are vulnerable to damage from vibration and there is always a risk involved in moving hard drives or systems containing them. A hard drive with evidence of a crime provides additional potential complications. So I wanted to stay within view of the man who commissioned the work just so there could be no misunderstanding. The system had a single IDE disk. The fact that it had an IDE disk is an indication of the age of the system. One of the benefits of SATA over IDE is that swapping disks is much easier, SATA is designed for hot-swap and even systems that don’t support hot-swap will have less risk of mechanical damage when changing disks if SATA is used instead of IDE. For an appliance type system where a disk might be expected to be changed by someone who’s not a sysadmin SATA provides more benefits over IDE than for some other use cases. I connected the IDE disk to a USB-IDE device so I could read it from my laptop. But the disk just made repeated buzzing sounds while failing to spin up. This is an indication that the drive was probably experiencing “stiction” which is where the heads stick to the platters and the drive motor isn’t strong enough to pull them off. In some cases hitting a drive will get it working again, but I’m certainly not going to hit a drive that might be subject to legal action! I recommended referring the drive to a data recovery company. The probability of getting useful data from the disk in question seems very low. It could be that the drive had stiction for months or years. If the drive is recovered it might turn out to have data from years ago and not the recent data that is desired. 
    It is possible that the drive only got stiction after being turned off, but I’ll probably never know.
  • Blender 2.78 Is Adding Pascal Support, Fixes Maxwell Performance Issues
  • motranslator 1.1
    Four months after 1.0 release, motranslator 1.1 is out. If you happen to use it for untrusted data, this might be as well called security release, though this is still not good idea until we remove usage of eval() used to evaluate plural formula.
  • Live dmesg following
  • WineTricks has seen a massive amount of improvements this year
    WineTricks has seen a lot of development recently; some of the notable changes are better IE 8 support, MetaTrader 4 support, Kindle improvements, Russian translation, a new self update function and a massive amount of other fixes and updates. The full changelog since February 2016 and August 2016 is provided below with a download link to get the latest release.
  • Sunless Sea expansion Zubmariner releases on October 11th with Linux support
    Sunless Sea is about to get bigger, as Zubmariner has been confirmed for release on October 11th with Linux support.
  • Agenda, control an organization trying to take over the world in this strategy game
  • Clarity (Vector Design) Icon Theme for Linux Desktops
    Clarity Icon Theme is completely different from other icon themes because it's purely based on Vector design. This theme is based on AwOken and Token; lots of shapes and the basic color palette were taken from these icons. A few icons were taken from Raphael, and some shapes were used from OpenClipart, Wikipedia, Humanity and AnyColorYouLike Themes. The rest of the icons were designed by the developer by simplifying existing icons or logos. Two types of fonts are used: Impact and Cheboygan.
  • GUADEC 2016
    I have just returned from our annual users and developers conference. This year's GUADEC has taken place in the lovely Karlsruhe, Germany. It once again was a fantastic opportunity to gather everyone who works pretty hard to make our desktop and platform the best out there. :)
  • GUADEC 2016, Karlsruhe
    Nice thing this year was that almost everyone was staying in the same place, or close; this favoured social gatherings even more than in the previous years. This was also helped by the organized events, every evenings, from barbecue to picnic, from local student-run bar to beer garden (thanks Centricular), and more. And during the days? Interesting talks of course, like the one offered by Rosanna about how the foundation runs (and how crazy is the US bank system), or the Builder update by Christian, and team meetings.
  • Debian-Based Q4OS 1.6 "Orion" Linux Distro Launches with Trinity Desktop 14.0.3
    Softpedia has been informed today, August 28, 2016, by the developer of the Debian-based Q4OS GNU/Linux distribution about the immediate availability for download of a new stable release to the "Orion" series, version 1.6. The biggest new feature of the Q4OS 1.6 "Orion" release is the latest Trinity Desktop Environment (TDE) 14.0.3 desktop environment, an open source project that tries to keep the spirit of the old-school KDE 3.5 desktop interface alive. Q4OS was used the most recent TDE version, so Q4OS 1.6 is here to update it. "The significant Q4OS 1.6 'Orion' release receives the most recent Trinity R14.0.3 stable version. Trinity R14.0.3 is the third maintenance release of the R14 series, it is intended to promptly bring bug fixes to users, while preserving overall stability," say the Q4OS developers in the release announcement.
  • Antergos installation guide with screenshots
  • Reproducible builds: week 70 in Stretch cycle
  • Ubuntu's Mir May Be Ready For FreeSync / Adaptive-Sync
    The Mir display server may already be ready for working with AMD's FreeSync or VESA's Adaptive-Sync, once all of the other pieces to the Linux graphics stack are ready. If the comments from this Mir commit are understood and correct, it looks like Mir may be ready for supporting FreeSync/Adaptive-Sync. While NVIDIA's proprietary driver supports their alternative G-SYNC technology on Linux, AMD FreeSync (or the similar VESA Adaptive-Sync standard) has yet to be supported by the AMD Linux stack. We won't be seeing any AMD FreeSync support until their DAL display stack lands. DAL still might come for Linux 4.9 but there hasn't been any commitment yet by AMD developers otherwise not until Linux 4.10+, and then after that point FreeSync can ultimately come to the open-source AMD driver. At least with the AMDGPU-PRO driver relying upon its own DKMS module, DAL with FreeSync can land there earlier.
  • Python vs. C/C++ in embedded systems
    The C/C++ programming languages dominate embedded systems programming, though they have a number of disadvantages. Python, on the other hand, has many strengths that make it a great language for embedded systems. Let's look at the pros and cons of each, and why you should consider Python for embedded programming.