
Security News

Filed under
Security
  • How OPNFV Earned Its Security Stripes and Received a CII Best Practices Badge

    Earning the CII badge will have a HUGE impact on OPNFV’s general approach to building security into the development model (something all open source projects should model). Statistics show that around 50 percent of vulnerabilities in software are “flaws” (usually design faults/defective design, which are hard to fix after the software has been released) and 50 percent are bugs (implementation faults). Following these best practices will hopefully address both design and implementation faults before they become vulnerabilities.

  • MySQL Hit By "Critical" Remote Code Execution 0-Day

    The latest high-profile open-source software project having a bad security day is MySQL... MySQL 5.5/5.6/5.7 has a nasty zero-day vulnerability.

    Researchers have discovered multiple "severe" MySQL vulnerabilities, with CVE-2016-6662 marked as critical; it affects the latest MySQL version.

    This 0-day is open for both local and remote attackers and could come via authenticated access to a MySQL database (including web UI administration panels) or via SQL injection attacks. The exploit could allow attackers to execute arbitrary code with root privileges.

  • CVE-2016-6662 - MySQL Remote Root Code Execution / Privilege Escalation (0day)
  • Is Debian the gold standard for Linux security?
  • 10 Best Password Managers For Linux Operating Systems

    With so many online accounts on the internet, it can be tediously difficult to remember all your passwords. Many people write them down or store them in a document, but that’s plain insecure. There are many password managers for Windows and OS X, but here we’ll look at some of the best password managers for Linux.

Security News

Filed under
Security
  • Moving towards a more secure web

    To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP sites that transmit passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

  • UK Politician's Campaign Staff Tweets Out Picture Of Login And Password To Phones During Campaign Phone Jam

    When we talk password security here at Techdirt, those conversations tend to revolve around stories a bit above and beyond the old "people don't use strong enough passwords" trope. While that certainly is the case, we tend to talk more about how major corporations aren't able to learn their lessons about storing customer passwords in plain text, or about how major media outlets are occasionally dumb enough to ask readers to submit their own passwords in an unsecure fashion.

    But for the truly silly, we obviously need to travel away from the world of private corporations and directly into the world of politicians, who often times are tasked with legislating on matters of data security and privacy, but who cannot help but show their own ineptness on the matter themselves. Take Owen Smith, for example. Smith is currently attempting to become the head of the UK's Labour Party, with his campaign working the phones as one would expect. And, because this is the age of social media engagement, one of his campaign staffers tweeted out the following photo of the crew hard at work.

  • WiredTree Warns Linux Server Administrators To Update In Wake Of Critical Off-Path Kernel Vulnerability

    WiredTree, a leading provider of managed server hosting, has warned Linux server administrators to update their servers in response to the discovery of a serious off-path vulnerability in the Linux kernel’s handling of TCP connections.

  • Reproducible Builds: week 72 in Stretch cycle

Security News

Filed under
Security
  • The H Factor – Why you should be building “human firewalls”

    It is often the elusive “H Factor” – the human element – that ends up being the weakest link that makes cyber-attacks and data breaches possible.

  • White House appoints first Federal Chief Information Security Officer

    The White House announced Thursday that retired Brigadier General Gregory J. Touhill will serve as the first federal Chief Information Security Officer (CISO).

    "The CISO will play a central role in helping to ensure the right set of policies, strategies, and practices are adopted across agencies and keeping the Federal Government at the leading edge of 21st century cybersecurity," read a blog post penned by Tony Scott, US Chief Information Officer, and J. Michael Daniel, special assistant to the president and cybersecurity coordinator.

  • Xen Project patches serious virtual machine escape flaws

    The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

    Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

  • This USB stick will fry your unsecured computer

    A Hong Kong-based technology manufacturer, USBKill.com, has taken data security to the "Mission Impossible" extreme by creating a USB stick that uses an electrical discharge to fry an unauthorized computer into which it's plugged.

    "When the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds," the company said in a news release.

Security News

Filed under
Security
  • Home-router IoT Devices Compromised for Building DDoS Botnet

    IoT (Internet-of-Things) devices have been used to build botnets before; most recently, attackers compromised 8 different popular home-router brands to build a botnet that executed an application-level DDoS attack against several servers of a certain website. The security company Sucuri discovered this application-level (Layer 7) HTTPS flood attack.

  • New Linux Trojan Discovered Coded in Mozilla's Rust Language [Ed: don’t install it. Easy.]

    A new trojan coded in Rust is targeting Linux-based platforms and adding them to a botnet controlled through an IRC channel, according to a recent discovery by Dr.Web, a Russian antivirus maker.

    Initial analysis of this trojan, detected as Linux.BackDoor.Irc.16, reveals this may be only a proof-of-concept or a testing version in advance of a fully weaponized version.

    Currently, the trojan only infects victims, gathers information about the local system and sends it to its C&C server.

  • The Limits of SMS for 2-Factor Authentication

    A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

  • Telnet is not dead – at least not on ‘smart’ devices

    Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But regardless of your age, you would probably not consider Telnet for anything you currently use. SSH has become the de facto standard when it comes to remote shell connection as it offers higher security, data encryption and much more besides.

    When we created our first honeypots for the Turris project (see our older blog articles – 1, 2, 3), we started with SSH and Telnet, because both offer interactive console access and thus are very interesting for potential attackers. But SSH was our main goal, while Telnet was more of a complementary feature. It came as a great surprise to discover that the traffic we drew to the Telnet honeypots is three orders of magnitude higher than in the case of SSH (note the logarithmic scale of the plot below). Though there is a small apples-to-oranges issue, as we compare the number of login attempts for Telnet with the number of issued commands for SSH, the huge difference is obvious and is also visible in other aspects, such as in the number of unique attacker IP addresses.

  • Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years

    vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

    The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.

  • Cisco’s Network Bugs Are Front and Center in Bankruptcy Fight

    Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.

    Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.

    “Machine Zone wasn’t acting in good faith,” says Steve Morrissey, a partner at law firm Susman Godfrey, which is representing Peak Web. “They were trying to get out of the contract.” Machine Zone has disputed that assertion in court documents, but it declined to comment for this story. Cisco also declined to comment on the case, saying only that it tries to publish confirmed problems quickly.

    There’s buggy code in virtually every electronic system. But few companies ever talk about the cost of dealing with bugs, for fear of being associated with error-prone products. The trial, along with Peak Web’s bankruptcy filings, promises a rare look at just how much or how little control a company may have over its own operations, depending on the software that undergirds it. Think of the corporate computers around the world rendered useless by a faulty update from McAfee in 2010, or of investment company Knight Capital, which lost $458 million in 30 minutes in 2012—and had to be sold months later—after new software made erratic, automated stock market trades.

Free Software Foundation stresses necessity of full user control over Internet-connected devices

Filed under
GNU
Security

The Internet of Things (IoT) refers to the integration of Internet technology into a wider range of home devices than previously envisaged by most users. Early adopters of IoT may now have homes with Internet-connected lightbulbs, alarm systems, baby monitors and even coffee machines. Internet integration allows owners to have greater flexibility over their devices, making it possible to turn on their air conditioning as they leave work to cool the house before they return, to have curtains that automatically close based on sunset time, or lights that automatically turn off after the owner has left the house. Each individual benefit may seem marginal, but overall they add significant benefit to the owners.


Security News

Filed under
Security
  • Friday's security updates
  • Ten-year-old Windows Media Player hack is the new black, again

    Net scum are still finding ways to take down users with a decade-old Windows Media Player attack.

    The vector is a reborn social engineering hatchet job not seen in years in which attackers convince users to run executable content through Windows Media Player's Digital Rights Management (DRM) functionality.

    Windows Media Player will throw a DRM warning whenever users do not have the rights to play content, opening a URL through which a licence can be acquired.

    Now malware villains are packing popular movies with malicious links so that the DRM warning leads to sites where users are fooled into downloading trojans masquerading as necessary video codecs.

  • Luabot Malware Turning Linux Based IoT Devices into DDoS Botnet

    The IT security researchers at MalwareMustDie have discovered a malware that is capable of infecting Linux-based Internet of Things (IoT) devices and web servers to launch DDoS (Distributed Denial of Service) attacks.

Wireshark 2.2

Filed under
Software
Security
  • Wireshark 2.2 Released

    Wireshark 2.2 features "Decode As" improvements, the various UIs now support exporting packets as JSON, there is new file format decoding support, and a wide range of new protocol support. New protocol coverage includes Apache Cassandra, USB3 Vision Protocol, USIP protocol, UserLog protocol, Zigbee Protocol Clusters, Cisco ttag, and much more.

  • Wireshark 2.2.0 Is Out as the World's Most Popular Network Vulnerability Scanner

    Today, September 7, 2016, the development team behind the world's most popular network protocol analyzer, Wireshark, proudly announced the release of a new major stable version, namely Wireshark 2.2.

    After being in development for the past couple of months, Wireshark 2.2.0 has finally hit the stable channel, bringing with it a huge number of improvements and updated protocols. For those of you who have never heard of Wireshark, we want to remind you that it's an open-source network vulnerability scanner used by security researchers and network administrators for development, analysis, troubleshooting, as well as education purposes.

today's howtos

Leftovers: Software

  • HandBrake 1.0.2 Open-Source Video Transcoder Released for Linux, Mac and Windows
    After more than 13 years of development, the HandBrake open-source video transcoding app reached 1.0 milestone on Christmas Eve last year, and the second bugfix release is already available. HandBrake 1.0.2 is full of improvements and bug fixes enhancing the out-of-the-box video, audio, and subtitles support, but also adds various platform specific changes for all supported operating systems, including GNU/Linux, macOS, and Microsoft Windows.
  • SMPlayer 17.1 Open-Source Video Player Introduces Chromecast Support, More
    It's been two and a half months since you last updated your SMPlayer open-source video player, and a new stable release is now available, versioned 17.1, with some exciting features. Sporting initial Chromecast support, SMPlayer 17.1 will let you send video files from your personal computer to your Chromecast device to watch them on your big-screen TV, or your friends for that matter. The feature supports both online and local sources, including those from popular video hosting services like YouTube and Vimeo.
  • Firefox 51 Released with FLAC Support, Better CPU Usage
    A new month means a new release of the venerable Mozilla Firefox web browser. Firefox 51 ships with FLAC support, WebGL 2, and a whole heap more — come see!
  • Mozilla Firefox 51.0 Now Available for Download, Supports FLAC Playback, WebGL 2
    It's not yet official, but the binary and source packages of the Firefox 51.0 web browser are now available for download on your GNU/Linux, macOS, or Microsoft Windows operating system. Mozilla will have the pleasure of unveiling the Firefox 51.0 release tomorrow, January 24, according to the official schedule, but you can already get your hands on the final version of the web browser by downloading the installers for your favorite OS right now from our website (links are at the end of the article).

OSS Leftovers

  • Berkeley launches RISELab, enabling computers to make intelligent real-time decisions
  • Amazon, Google, Huawei, and Microsoft sponsor UC Berkeley RISELab, AMPLab's successor
  • Brotli: A new compression algorithm for faster Internet
    Brotli is a new open source compression algorithm designed to enable an Internet that's faster for users. Modern web pages can often be made up of dozens of megabytes of HTML, CSS, and JavaScript, and that's before accounting for images, videos, or other large file content, which all makes for hefty downloads. Such loads are why pages are transferred in compressed formats; they significantly reduce the time required between a website visitor requesting a web page and that page appearing fully loaded on the screen and ready for use. While the Brotli algorithm was announced by Google in September 2015, only recently have the majority of web browsers have adopted it. The HTTP servers Apache and nginx now offer Brotli compression as an option. Besides Google, other commercial vendors (such as Cloudflare and DreamHost) have begun to deploy support for Brotli as well.
  • New Year’s resolution: Donate to 1 free software project every month
    Free and open source software is an absolutely critical part of our world—and the future of technology and computing. One problem that consistently plagues many free software projects, though, is the challenge of funding ongoing development (and support and documentation). With that in mind, I have finally settled on a New Year’s resolution for 2017: to donate to one free software project (or group) every month—or the whole year. After all, these projects are saving me a boatload of money because I don’t need to buy expensive, proprietary packages to accomplish the same things.
  • Toyota and Ford Promote Open Source Smartphone Interfaces
    Ford and Toyota have formed a four-automaker consortium to speed up the deployment of open source software for connected in-car systems, according to a report by Bloomberg. The SmartDeviceLink Consortium, which includes Mazda, PSA Group, Fuji, and Suzuki, aims to prevent Apple and Google from controlling how drivers connect smartphones to their vehicles. Suppliers Elektrobit, Harman, Luxoft, QNX, and Xevo have also joined the organization, which is named after an open source version of Ford’s AppLink connectivity interface, a system used in over 5 million vehicles globally.
  • What your code repository says about you
    "You only get one chance to make a first impression," the old saying goes. It's cliche, but nevertheless sound, practical advice. In the realm of open source, it can make the difference between a project that succeeds and a project that fails. That's why making a positive first impression when you release a repo to the world is essential—at least if your motivations involve gaining users, building a community of contributors, and attracting valuable feedback.
  • The Open Source Way of Reaching Across Languages
    I don’t speak Spanish, but that doesn’t mean I can’t learn some important things from this video. The visuals alone are quite instructive. At my public library job, I mentor a number of wonderful Latino youth. One of them might ask me about open source CAD software — and I’ll direct them right to this FOSS Force article. Of course, I subscribed to the YouTube channel of the creator of this video, and also clicked on its like button. If the screencast creator comes back to look at this video in February, they’ll find that they have a number of new subscribers, a number of likes for the video and the video view count might be more than 100. All those indicators will be encouragement for them to make their next open source screencast. And so it goes. That’s how we support each other in the open source world.
  • School systems desperate for standards-aligned curricula find hope
    Open Up Resources is a nonprofit collaborative formed by 13 U.S. states that creates high-quality, standards-aligned open educational resources (OERs) that are openly licensed under CC BY-SA 4.0. Unlike other providers, Open Up Resources provides curriculum-scale OER options; they believe that while many people seem to know where to find supplemental materials, most curriculum directors would not know where to look if they were planning a textbook adoption next year.
  • Visual Studio Test joins Microsoft's open source push [Ed: More openwashing of proprietary software from Microsoft, which interjects surveillance into compiled code]
  • Microsoft Open-Sources DirectX Shader Compiler [Ed: Windows lock-in.]

Red Hat's Survey in India