Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Drupal Hardens Its Security in Response to Criticism

Filed under
OSS
Drupal
Security

The open-source Drupal content-management system (CMS) is talking steps to help protect against multiple potential risks that have been publicly revealed. On Jan. 6, security research vendor IOactive first disclosed the issues, which are focused on the Drupal update process. The Drupal project's security team is aware of the concerns and is fixing all the issues, though it is also downplaying the overall risk.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • Gmail and a Can of Spam

    I am still trying to figure out the events that led to this intrusion. I’ve read almost everything there is to read on Google’s Gmail pages, without finding much. Google seems adamant about not giving-out one-on-one help, but maybe I just didn’t look long enough. On my own, I’ve evoked two step verification on my main email addresses, so that’s settled. But still…I’d like to figure out when and how this breach took place. What magic sequence of events happened to allow this?

    Did I mention I’m a security idiot? Yeah…I thought I did.

    It feels strange to again delve into antivirus and malware protection. I’ve been a smug, self-assured dummy when it comes to online threats and Linux in general. And while what happened can’t really be blamed on Linux per se, it happened in a Linux neighborhood, so I am going to arm myself against any and all malware comers

    Although I’m not above paying for good software, trying to discern what software is good and which is shiny junk can be a daunting challenge, especially in the Linuxsphere. In the tests I’ve studied over the past four days, ClamAV seems to be an online favorite, but they lack the one thing I am going to need on our Reglue kid’s computers: a friendly, useful graphical interface. I’m not going to tell an 11-year-old to drop to the command line to do anything, even if they do need to learn that the blinking prompt can make magic things happen. In time, I will teach them, but for now…. ClamAV failed the initial tests.

  • 602 Gbps! This May Have Been the Largest DDoS Attack in History

    Cyber attacks are getting evil and worst nightmare for companies day-by-day, and the Distributed Denial of Service (DDoS) attack is one of the favorite weapon for hackers to temporarily suspend services of a host connected to the Internet.

    Until now, nearly every big website had been a victim of this attack, and the most recent one was conducted against the BBC's websites and Republican presidential candidate Donald Trump's main campaign website over this past holiday weekend.

  • How to Set up a Successful Bug Bounty Program [VIDEO]

    A bug bounty program is among the most impactful additions to a software security process. With a bug bounty program, security researchers submit reports on potential vulnerabilities, typically with the promise of a reward or "bounty" for their efforts.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • 602 Gbps DDoS Attack On BBC Proves That 2016 Isn’t Going To Be Any Different

    On New Year’s eve, the BBC website and iPlayer service went down due to a massive Distributed Denial of Service (DDoS) attack. The attack peaked up to 602 Gbps, according to the claims made by the New World Hacking group, who took the responsibility of the attack. In another recent attack, the Republican presidential candidate Donald Trump’s main campaign website was also targeted by the same group.

  • Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC

    If you thought MD5 was banished from HTTPS encryption, you'd be wrong. It turns out the fatally weak cryptographic hash function, along with its only slightly stronger SHA1 cousin, are still widely used in the transport layer security protocol that underpins HTTPS. Now, researchers have devised a series of attacks that exploit the weaknesses to break or degrade key protections provided not only by HTTPS but also other encryption protocols, including Internet Protocol Security and secure shell.

Ubuntu Touch to Support Encryption of User Data

Filed under
Security
Ubuntu

The Ubuntu Touch operating system is also going to provide support for encryption of user data; developers have revealed.

It wasn’t a secret that Ubuntu Touch will get encryption, but it’s also not listed as an upcoming feature. It’s buried in a wiki entry with plans for Ubuntu Touch, but it’s nice to see that it’s still being considered, even if it’s not going to arrive anytime soon.

Read more

Also: Ubuntu ‘Spyware’ Will Be Disabled In Ubuntu 16.04 LTS

Tails 1.8.2 is out

Filed under
GNU
Linux
Security
Debian

This release fixes numerous security issues. All users must upgrade as soon as possible.

Read more

Also: Debian LTS Work December 2015

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Hackers caused a major blackout for the first time

    Hackers were behind a cyber attack on Ukraine in December that had real offline consequences: A blackout that killed electricity to roughly 700,000 homes.

    On December 23, around half the homes in Ukraine's Ivano-Frankivsk region lost power for at least a few hours. Initially reported in Ukrainian media as being caused by hackers, cybersecurity experts have now confirmed that was the case, saying the power company was infected with malicious software.

  • Finland extradites Russian hacking suspect to US

    US authorities are to escort Maxim Senakh out of Finland within a month. They suspect him of stealing millions of dollars from infected computer servers in the US, Finland and elsewhere.

  • Linux Ransomware creators third time unlucky as researchers crack encryption again

    Researchers find Linux.Encoder 3 version still uses buggy encryption and allows file recovery

    Much to the delight of security researchers, a group of malware creators are currently having difficulty getting cryptographic implementations right in their ransomware. This has not happened once but thrice.

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • SHA-1 Deprecation: Pro, Con, or Extend?

    I read Ryan's article about why SHA-1 should be deprecated faster and why we should veto the proposed extensions. It is an excellent explanation of what's going on. I highly recommend it (and look forward to the complete series when he publishes it):

  • Legacy Verified: Legacy Solutions

    While the previous post explored the historical context in which the SHA-1 deprecation fits, and in the many failures to respond adequately to known risks, it didn’t really address the actual Legacy Verified proposal made by CloudFlare and Facebook, and subsequently endorsed by Twitter, nor how it attempts to mitigate the concerns with continuing SHA-1 allocation.

  • Let’s Encrypt Now Being Abused By Malvertisers

    Encrypting all HTTP traffic has long been considered a key security goal, but there have been two key obstacles to this. First, certificates are not free and many owners are unwilling to pay; secondly the certificates themselves are not always something that could be set up by a site owner.

  • Security Guide: How to Protect Your Infrastructure Against the Basic Attacker
  • Linux.Encoder Authors Couldn’t Correctly Disguise Encryption Key

    Renowned Security Software Company in Russia named Doctor Web happened to be first to detect as well as report one wholly working ransomware Trojan created to infect Linux computers. A sample named Linux.Encoder.1 recently showed quite resembling activity with the notorious CryptoWall ransomware. Fifty percent of the widely used AV engines of VirusTotal could not recognize the sample which broke new ground during the Linux domain. The malware chiefly concentrated on hijacking computers using Web servers as also encrypted critical folders utilized during Web-hosting as well as within Web-development ambience.

Syndicate content

More in Tux Machines

today's leftovers

Red Hat News

Linux Devices

Leftovers: OSS

  • Quantifying Benefits of Network Virtualization in the Data Center
    Modern data centers have increased significantly in scale and complexity as compute and storage resources become highly virtualized. The rise of the DevOps style of application deployment means that data center resources must be agile and respond rapidly to changing workload requirements. Data center network technologies have been challenged to keep up with these rapidly evolving application requirements.
  • Apache Zeppelin Joins Several Other Projects Gaining Top-Level Status
    As we've been reporting, The Apache Software Foundation, which incubates more than 350 open source projects and initiatives, has been elevating a lot of interesting new tools to Top-Level Status recently. The foundation has also made clear that you can expect more on this front, as graduating projects to Top-Level Status helps them get both advanced stewardship and certainly far more contributions. Only a few days ago, the foundation announced that a project called TinkerPop has graduated from the Apache Incubator to become a Top-Level Project (TLP). TinkerPop is a graph computing framework that provides developers the tools required to build modern graph applications in any application domain and at any scale. Now, it has announced that Apache Zeppelin has graduated as well. Zeppelin is a web-based notebook that enables interactive data analytics.
  • 6 Open Source Operating Systems for the Internet of Things (IoT)
    Whether you are small to large enterprises, IoT is one of the useful technology that can help you to be connected on-the-go.
  • 6 open source architecture projects to check out
    The world of architecture doesn't change as quickly as software, but architects are still finding new ways to share innovative designs and ideas. The open source architecture movement aims to make architectural designs, drawings, 3D renderings, and documentation freely available for integration into other projects under open source licenses. It owes much of its growth to the growing popularity of the maker movement, DIY culture, 3D printing, and CNC machines, as well as support from architects like Alejandro Aravana.
  • Yorubaname.com has gone opensource, codebase now on GitHub
    Online dictionary for yoruba names, YorubaName, has now made its backlog accessible to the public. In a post on their blog, the guys at YorubaName announced that the website codebase is now on GitHub.
  • A New Version of Rust Hits the Streets
    Version 1.9 of the Rust programming language has been released. Rust is a new language with a small but enthusiastic community of developers.
  • Here's how you can make a career in OpenStack
    OpenStack is one of the biggest open source movements. It is a free and open-source software platform for cloud computing, mostly deployed as an infrastructure-as-a-service (IaaS). The software platform consists of interrelated components that control hardware pools of processing, storage, and networking resources throughout a data centre. According to the official website, hundreds of the world's largest brands rely on OpenStack to run their businesses every day, reducing costs and helping them move faster. OpenStack has a strong ecosystem globally.
  • Compatibility before purity: Microsoft tweaks .NET Core again [Ed: Microsoft lied about .NET going Open Source; just forked it into Open Core version]
    Microsoft's open source fork of the .NET platform, called .NET Core, will be modified for better compatibility with existing applications, says Program Manager Immo Landwerth in a recent post.
  • EMC Ships Open Source Tool for Cloud and IoT Devices
  • Watch Benjamin Hindman Co-Creator of Apache Mesos Speak Live Tomorrow at MesosCon [Ed: Microsoft proxy in a sense]
  • MesosCon Preview: Q&A with Twitter’s Chris Pinkham
  • How to secure your open source code [Ed: more marketing nonsense of Black Duck]
  • Luxembourg launches open data portal
    The Grand Duchy of Luxembourg officially launched its national open data portal data.public.lu on April 8th. This portal, supported by Digital Luxembourg, the government agency in charge of digital affairs in the country, was presented during the Game of Code hackathon.
  • Denmark to accelerate government digitisation
    Open standards The existing shared solutions are to be adopted by all authorities and public sector institutions where relevant, according to a presentation in English. “Shared solutions need to be stable, secure and user-friendly, they will also be easy to implement because the infrastructure is based on open standards.” The strategy, an agreement involving the government, regions and municipalities, was announced on 12 May. It includes 33 initiatives, which among other things deal with ease of use, reuse of data, IT architecture, growth, security and digital skills, DIGST says.