Security

Security Leftovers

Filed under
Security
  • The Intel remote vulnerability is much, much worse than you thought

    Let’s take that again: a blank password to an always-open port sidesteps every single bit of authentication and security that is otherwise present.

  • The hijacking flaw that lurked in Intel chips is worse than anyone thought

    A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.

  • The enduring myth of the hacker boy-band

    If it had seemed to infosec that the magazine might've had to go out of its way to find such an un-diverse group of hackers ... turns out, it did. Thompson's social media post revealed that during the course of reporting the story, there was "a meeting with the woman who runs the college's official hacking group."

  • SS7 flaw exploited by hackers to drain customers' bank accounts

    The weakness within the protocol has been known about since 2014, and in January, criminals exploited it to bypass the two-factor authentication method that banks use to protect unauthorised withdrawals from online accounts, German newspaper Suddeutsche Zeitung has reported.

  • Google phishing attack was foretold by researchers—and it may have used their code

    The "Google Docs" phishing attack that wormed its way through thousands of e-mail inboxes earlier this week exploited a threat that had been flagged earlier by at least three security researchers—one raised issues about the threat as early as October of 2011. In fact, the person or persons behind the attack may have copied the technique from a proof of concept posted by one security researcher to GitHub in February.

  • WPSeku – A Vulnerability Scanner to Find Security Issues in WordPress

    WordPress is a free and open-source, highly customizable content management system (CMS) that is being used by millions around the world to run blogs and fully functional websites. Because it is the most used CMS out there, there are so many potential WordPress security issues/vulnerabilities to be concerned about.

GNU/Linux Security: A look at QubesOS

Filed under
OS
Reviews
Security

Using GNU/Linux is by default more secure than using Microsoft Windows; this is common knowledge. However, just because you use GNU/Linux does not mean that your system is secure, and that is why some distributions have been created in order to maximize security, such as QubesOS.

QubesOS is very different from your typical run-of-the-mill distro, such as Ubuntu, or even the more hardcore ones like Arch Linux and Gentoo. QubesOS runs multiple virtual machines linked together under a single user interface, to form a container-based, compartmentalized operating system.

Read more

Security Leftovers

Filed under
Security
  • SELinux and --no-new-privs and the setpriv command.
  • Qualcomm study says sure, you can control a drone over LTE

    Internet-connected drones will be necessary if you're going to see fliers that can communicate when they're delivering packages, livestreaming video or otherwise coordinating with the outside world. But how well can you control them over an LTE data connection when they're soaring hundreds of feet above the ground? Quite well, if you ask Qualcomm. The chip maker has published the results of a trial run using LTE-linked drones, and it believes that they're ready for prime time... mostly.

    The dry run (which included over 1,000 flights) showed that existing cellular networks are up to the job. Drones will still get a strong LTE signal at altitudes as high as 400 feet, and they get "comparable" coverage. In fact, they have an advantage over the phone in your pocket -- they don't have to hand over connections as often as ground-based devices.

  • Fake Google Docs phishing deluge hits Gmail
  • 7 Steps to Fight Ransomware

    Perpetrators are shifting to more specific targets. This means companies must strengthen their defenses, and these strategies can help.

    Ransomware can be a highly lucrative system for extracting money from a customer. Victims are faced with an unpleasant choice: either pay the ransom or lose access to the encrypted files forever. Until now, ransomware has appeared to be opportunistic and driven through random phishing campaigns. These campaigns often, but not always, rely on large numbers of emails that are harvested without a singular focus on a company or individual.

  • Open Source Security Audit 'Should Be a Wake-Up Call' [Ed: Microsoft-connected media uses Microsoft-connected Black Duck to smear FOSS]

pfSense 2.3.4 RELEASE Now Available!

Filed under
Security
BSD

We are happy to announce the release of pfSense® software version 2.3.4!

This is a maintenance release in the 2.3.x series, bringing stability and bug fixes, fixes for a few security issues, and a handful of new features. The full list of changes is on the 2.3.4 New Features and Changes page, including a list of FreeBSD and internal security advisories addressed by this release.

This release includes fixes for 24 bugs and 11 Features.

Read more

Security Leftovers

Filed under
Security
  • CII Project Advances Linux Kernel Security as Firm Ends Free Patches

    There has been some public discussion in the last week regarding the decision by Open Source Security Inc. and the creators of the Grsecurity® patches for the Linux kernel to cease making these patches freely available to users who are not paid subscribers to their service. While we at the Core Infrastructure Initiative (CII) would have preferred them to keep these patches freely available, the decision is absolutely theirs to make.

    From the point of view of the CII, we would much rather have security capabilities such as those offered by Grsecurity® in the main upstream kernel rather than available as a patch that needs to be applied by the user. That said, we fully understand that there is a lot of work involved in upstreaming extensive patches such as these and we will not criticise the Grsecurity® team for not doing so. Instead we will continue to support work to make the kernel as secure as possible.

  • Google Was Warned About This Week’s Mass Phishing Email Attack Six Years Ago

    For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well.

  • Mobile phone security's been busted for years, and now 2-factor auth is busted too [iophk: "now we are reminded that a phone never was a second authentication factor"]

    SS7 is now confirmed to be exploited in the wild, with crooks taking big scores through it.

  • We Were Warned About Flaws in the Mobile Data Backbone for Years. Now 2FA Is Screwed.

    But on Wednesday, German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers {sic} had used those flaws to help drain bank accounts.

  • Mac malware: Coming soon to a computer near you

    In fact, the number of malware attacks on Apple’s operating system skyrocketed by 744 percent in 2016. Despite this, most people still believe that Macs don’t get viruses. Add to this the fact that, despite the seeming ubiquity of Apple’s products, the company’s user base is still growing. There are nearly 100 million Apple users worldwide, myself included.

  • IT meltdown forces Barts Health NHS Trust to cancel hundreds of appointments

    Earlier this year, Barts Health admitted that it has fallen victim to a "ransomware virus attack," likely because its PCs are still running Microsoft's now-defunct Windows [...]

Kali Linux Review: Not Everyone’s Cup of Tea

Filed under
Reviews
Security

Kali Linux has gained a lot of popularity recently. And there is a reason for that. Hacking is back as the cool-thing-to-do in popular culture and this can be attributed significantly to the TV series Mr. Robot.

Kali is one of the few hacking focused Linux distributions and quite obviously, Mr. Robot’s popularity helped Kali Linux in getting new users. The graph below validates this claim.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Wednesday
  • Serverless Security implications—from infra to OWASP
  • Xen hypervisor faces third highly critical VM escape bug in 10 months

    The Xen paravirtualization mode is proving to be a constant source of serious vulnerabilities, allowing attackers to escape from virtual machines.

  • Security like it's 2005!

    The 2017 world has a solution to these problems. Use the cloud. Stuff as a Service is without question the way to solve these problems because it makes them go away. There are plenty who will naysay public cloud citing various breaches, companies leaking data, companies selling data, and plenty of other problems. The cloud isn't magic, but it lets you trade a lot of horrible problems for "slightly bad". I guarantee the problems with the cloud are substantially better than letting most people try to run their own infrastructure. I see this a bit like airplane vs automobile crashes. There are magnitudes more deaths by automobile every year, but it's the airplane crashes that really get the attention. It's much, much safer to fly than to drive, just as it's much, much safer to use services than to manage your own infrastructure.

  • Security Sessions: Why CSOs should care about machine learning
  • Reproducible builds folks: Reproducing R packages
  • Hacker Extortion Attempt Falls Flat Because Netflix Actually Competes With Piracy

    A hacking group calling itself TheDarkOverlord (TDO) has tried, and failed (so far) to extort Netflix and several other companies after stumbling onto a server of unreleased content. TDO was apparently able to compromise the servers of an audio post-production company by the name of Larson Studios. Among the content acquired from the hackers were ten episodes of the as-yet-unreleased new season of the popular Netflix show "Orange is the New Black," which isn't supposed to see full release until June. Outside of some free advertising in the news media and some wasted calories, the group's efforts don't appear to have culminated in much.

  • Free search engine tool hunts down malware-infected computers

    Internet search engine Shodan provides enterprise security teams a wealth of information about open ports on servers and other internet-connected devices. Now, as part of a partnership with threat intelligence company Recorded Future, security analysts and researchers can work with Shodan to uncover systems manipulated to control malware-infected devices.

More in Tux Machines

XFree KWin, Plasma, KDE, and Qt/GTK

  • Announcing the XFree KWin project
    Over the last weeks I concentrated my work on KWin on what I call the XFree KWin project. The idea is to be able to start KWin/Wayland without XWayland support. While most of the changes required for it are already in Plasma 5.11, not everything got ready in time, but now everything is under review on phabricator, so it’s a good point in time to talk about this project.
  • Adapta Theme is Now Available for the #KDE Plasma Desktop
    A new port brings the Adapta GTK theme to the KDE Plasma 5 desktop for the first time, news that will please fans of its famous flat stylings.
  • A New Project To Let You Run Qt Apps With GTK+ Windowing System Integration
    A Norwegian developer has developed a new Qt platform abstraction plug-in to let Qt applications make use of GTK+ for windowing system integration. The Qt apps rely upon GTK+ as a host toolkit to provide GTK menus, GTK for input, and other integration bits.
  • Ant is a Flat GTK Theme with a Bloody Bite
    Between Arc, Adapta and Numix it kind of feels like Linux has the whole flat GTK theme thing covered. But proving there's always room for one more is Ant.

Android Leftovers

Development: Blockchain for Good Hackathon, ASUS Tinker Board, React License, JavaScript, Pascal, Python

  • Blockchain for Good Hackathon, Saturday, 30 September and Sunday, 1 October
    The Blockchain for Good Hackathon takes place Saturday, 30 September and Sunday, 1 October. Full agenda can be found here.
  • ASUS Tinker Board Is An Interesting ARM SBC For About $60 USD
    Earlier this year ASUS announced the Tinker Board as their first step into the ARM single board computer world. Earlier this month I finally received a Tinker Board for testing and it has been quite interesting to say the least. The Tinker Board with its Rockchip SoC has been among the most competitive ARM SBCs we have tested to date in its price range and the form factor is compatible with the Raspberry Pi.
  • Configure Thunderbird to send patch friendly
  • Facebook to Relicense React Under MIT [Ed: as we hoped [1, 2]]
    Facebook has decided to change the React license from BSD+Patents to MIT to make it possible for companies to include React in Apache projects, and to avoid an uncertain relationship with the open source community. Adam Wolff, an Engineering Director at Facebook, has announced that a number of projects - React, Jest, Flow, and Immutable.js – will soon start using the more standard MIT License instead of BSD+Patents. The reason provided is "because React is the foundation of a broad ecosystem of open source software for the web, and we don't want to hold back forward progress for nontechnical reasons." While aware that React’s BSD+Patents license has created "uncertainty" among users of the library, prompting some to select an alternative solution, Facebook does not "expect to win these teams back" but they still hope some will reconsider the issue. The change in license will become effective when React 16 is released next week. Regarding other projects, Wolff said that "many of our popular projects will keep the BSD + Patents license for now", while they are "evaluating those projects' licenses too, but each project is different and alternative licensing options will depend on a variety of factors." It seems from this clause that Facebook plans to get rid of the BSD+Patents license entirely, but they need to figure out the best option for each project. [...] Facebook’s plan to switch to the standard MIT license, supported by Apache, completely solves this problem with React and several other projects. It remains to be seen what happens with the license of other Facebook projects, and how much this license issue has affected how React is perceived by the community.
  • To type or not to type: quantifying detectable bugs in JavaScript
  • Plug For PASCAL
  • V. Anton Spraul's Think Like a Programmer, Python Edition

New Manjaro Release

What a week we had. With this update we have removed most of our EOL-tagged kernels. Please move to the newer series of each if you are still using them. PulseAudio and Gstreamer got renewed. Also most of our kernels got newer point-releases. Series v4.12 is now marked as EOL. Guillaume worked on Pamac to solve reported issues within our v6 series. The user experience should be much better now. Latest NetworkManager, Python and Haskell updates complete this update-pack. Please report back and give us feedback on the changes made to our repositories.

Read more