Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • Friday's security advisories
  • Here's How to Protect Linux Servers & Android Phones from Dirty COW Vulnerability
  • The Inevitability of Being Hacked

    The last attempted hack came 5 minutes ago, using the username root and the password root.

  • New Windows code injection method could let malware bypass detection

    Security researchers have discovered a new way that allows malware to inject malicious code into other processes without being detected by antivirus programs and other endpoint security systems.

    The new method was devised by researchers from security firm Ensilo who dubbed it AtomBombing because it relies on the Windows atom tables mechanism. These special tables are provided by the operating system and can be used to share data between applications.

    "What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table," Ensilo researcher Tal Liberman said in a blog post. "We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code."

    This new code-injection technique is not currently detected by antivirus and endpoint security programs because it is based on legitimate functionality, according to Liberman. Also, the atom tables mechanism is present in all Windows versions and it's not something that can be patched because it's not a vulnerability.

  • Of course smart homes are targets for hackers

    The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that don't require passwords (or don't force you to change a default and devices that want you to disable security, follow general network security best practices but otherwise don't worry - criminals aren't likely to target you.

  • OpenStack Security Project Aims to Protect the Open-Source Cloud

    The OpenStack Security project adds new tools and processes to help secure OpenStack technologies. The project technical leader offers insight on the program.
    Security is such a critical element of the open-source OpenStack cloud platform that there is an entire project—the OpenStack Security project—dedicated to the task of helping protect OpenStack technologies.

    In a well-attended session at the OpenStack Summit in Barcelona, Spain, on Oct. 27, Rob Clark, the project technical leader of the OpenStack Security project, detailed the group's most recent efforts.

Security News

Filed under
Security
  • GNU Tar "Pointy Feather" Vulnerability Disclosed (CVE-2016-6321)

    Last week was the disclosure of the Linux kernel's Dirty COW vulnerability while the latest high-profile open-source project going public with a new security CVE is GNU's Tar. Tar CVE-2016-6321 is also called POINTYFEATHER according to the security researchers.

    The GNU Pointy Feather vulnerability comes down to a pathname bypass on the Tar extraction process. Regardless of the path-name(s) specified on the command-line, the attack allows for file and directory overwrite attacks using specially crafted tar archives.

  • Let’s Encrypt and The Ford Foundation Aim To Create a More Inclusive Web

    Let’s Encrypt was awarded a grant from The Ford Foundation as part of its efforts to financially support its growing operations. This is the first grant that has been awarded to the young nonprofit, a Linux Foundation project which provides free, automated and open SSL certificates to more than 13 million fully-qualified domain names (FQDNs).

    The grant will help Let’s Encrypt make several improvements, including increased capacity to issue and manage certificates. It also covers costs of work recently done to add support for Internationalized Domain Name certificates.

    “The people and organizations that Ford Foundation serves often find themselves on the short end of the stick when fighting for change using systems we take for granted, like the Internet,” Michael Brennan, Internet Freedom Program Officer at Ford Foundation, said. “Initiatives like Let’s Encrypt help ensure that all people have the opportunity to leverage the Internet as a force for change.”

  • How security flaws work: SQL injection

    Thirty-one-year-old Laurie Love is currently staring down the possibility of 99 years in prison. After being extradited to the US recently, he stands accused of attacking systems belonging to the US government. The attack was allegedly part of the #OpLastResort hack in 2013, which targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the tragic suicide of Aaron Swartz as the hacktivist infamously awaited trial.

  • How To Build A Strong Security Awareness Program

    At the Security Awareness Summit this August in San Francisco, a video clip was shown that highlights the need to develop holistic security awareness. The segment showed an employee being interviewed as a subject matter expert in his office cubicle. Unfortunately, all his usernames and passwords were on sticky notes behind him, facing the camera and audience for all to see.

    I bring this story up not to pick on this poor chap but to highlight the fact that security awareness is about human behavior, first and foremost. Understand that point and you are well on your way to building a more secure culture and organization.

    My work as director of the Security Awareness Training program at the SANS Institute affords me a view across hundreds of organizations and hundreds of thousands of employees trying to build a more secure workforce and society. As we near the end of this year's National Cyber Security Awareness Month, here are two tips to incorporate robust security awareness training into your organization and daily work.

FOSS Security

Filed under
OSS
Security
  • European Parliament votes to extend Free Software security audits

    Remember how I raised €1 million to demonstrate security and freedom aren’t opposites? Well here’s what happened next and how we are going to move forward with this.

    In 2014, two major security vulnerabilities, Heartbleed and Shellshock, were discovered. Both concerned Free Software projects that are widely used throughout the Internet, on computers, tablets, and smartphones alike. My colleague Max Andersson from the Swedish Greens and I proposed a so-called “pilot project”, the Free and Open Source Software Audit (FOSSA).

  • Princeton Upskills U on Open Source Security

    During Wednesday's Upskill U course, lecturer Gary Sockrider, principal security technologist for Arbor Networks , explained the history of DDoS attacks, case studies of recent attacks, and the business impact of these security threats. DDoS attacks not only raise operational expenses, but can also negatively affect an organization's brand, and result in loss of revenue and customers. (Listen to Security: Tackling DDoS.)

    "Having visibility is key, you can't stop something you can't see. Having good visibility across your own network is vital in finding and stopping these attacks," said Sockrider. "You can leverage common tools and technology that are already available on the network equipment you own today such as flow technologies, looking at SIP logs … Obviously you'll want to get to some specific intelligent DDoS mitigation in the end."

CentOS 6 Linux Servers Receive Important Kernel Security Patch, Update Now

Filed under
Linux
Red Hat
Security

We reported a couple of days ago that Johnny Hughes from the CentOS Linux team published an important kernel security advisory for users of the CentOS 7 operating system.

Read more

Security News

Filed under
Security
  • Thursday's security updates
  • Mirai will be dwarfed by future Android botnet DDoS attacks, Lookout warns

    THE MIRAI BOTNET will seem like nothing compared to the havoc that is caused when hackers turn their attention to hijacking Android smartphones, Lookout’s security research chief has warned.

    Speaking to the INQUIRER, Mike Murray said it would be easy for cyber crooks to take over millions of smartphones, noting how often the Android requires patching.

  • Deal Seeks to Limit Open-Source Bugs

    Seeking to spot potential security vulnerabilities in systems that increasingly rely on open source software, software license optimization vendor Flexera Software has acquired a specialist in identifying potentially vulnerable software components.

    Flexera, Itasca, Ill., said Thursday (Oct. 27) it is acquiring San Francisco-based Palamida Inc. Terms of the transaction were not disclosed.

  • Senator Wants to Classify Insecure Internet of Things Devices As 'Harmful'

    A massive attack carried out with a zombie army of hacked internet-connected devices caused intermittent outages on Friday, preventing tens of thousands of people from accessing popular sites such as Twitter, Reddit, and Netflix.

    For many security experts, an attack like that one, which leveraged thousands of easy-to-hack Internet of Things such as DVRs and surveillance cameras—weaponized thanks to a mediocre but effective malware known as Mirai—is just a sign of things to come.

    That’s why Sen. Mark Warner (D-Va.) wants the US government to do something about it.

  • Senator Prods Federal Agencies on IoT Mess

    The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.

    In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.

Security Leftovers

Filed under
Security

Alpine Linux 3.4.5 Released with Linux Kernel 4.4.27 LTS, Latest Security Fixes

Filed under
Linux
Security

A new maintenance update of the server-oriented Alpine Linux 3.4 operating system has been released, bringing a new Linux kernel version from the long-term supported 4.4 series and the latest security patches.

Read more

More of That Cow...

Filed under
Security

Security News

Filed under
Security
  • Tuesday's security updates
  • We Got Phished

    She logged into her account but couldn’t find the document and, with other more urgent emails to deal with, she quickly moved on and put this brief event out of mind.

    This staff member will henceforth be known as PZ, or “patient zero.”

    The login page wasn’t really a login page. It was a decoy webpage, designed to look legitimate in order to trick unsuspecting recipients into typing in their private login credentials. Having fallen for the ruse, PZ had effectively handed over her email username and password to an unknown party outside the Exploratorium.

    This type of attack is known as “phishing.” Much like putting a lure into a lake and waiting to see what bites, a phishing attack puts out phony prompts, such as a fake login page, hoping that unwitting recipients can be manipulated into giving up personal information.

  • DDoS attacks against Dyn the work of 'script kiddies'

    Last week's distributed denial of service attack in the US against domain name services provider Dynamic Network Services are more likely to have been the work of "script kiddies", and not state actors.

    Security researchers at threat intelligence firm Flashpoint dismissed reports that linked the attack to WikiLeaks, the Russian government or the New World Hackers group.

    Instead, Flashpoint said, it was "moderately confident" that the Hackforums community was behind the attack which led to well-known sites like Twitter, Spotify, Netflix and Paypal being inaccessible on 21 October (US time).

  • How one rent-a-botnet army of cameras, DVRs caused Internet chaos

    Welcome to the Internet of Evil Things. The attack that disrupted much of the Internet on October 21 is still being teased apart by investigators, but evidence thus far points to multiple "botnets" of Internet-connected gadgets being responsible for blocking access to the Domain Name Service (DNS) infrastructure at DNS provider Dyn. Most of these botnets—coordinated armies of compromised devices that sent malicious network traffic to their targets—were controlled by Mirai, a self-spreading malware for Internet of Things (IoT) devices.

    in a blog post on the attack, Dyn reported "tens of millions" of devices were involved in the attack

    But other systems not matching the signature of Mirai were also involved in the coordinated attack on Dyn. "We believe that there might be one or more additional botnets involved in these attacks," Dale Drew, CSO of Level 3 Communications, told Ars. "This could mean that they are 'renting' several different botnets to launch an attack against a specific victim, in which multiple other sites have been impacted."

    The motive may have been blackmail, since the attacker sought a payout by Dyn to stop. But Drew warned that the huge disruption caused by the attack "could result in large copycat attacks, and [a] higher [number of] victim payouts [so] as to not be impacted in the same way. It could also be a signal that the bad guy is using multiple botnets in order to better avoid detection since they are not orchestrating the attack from a single botnet source."

  • ARM builds up security in the tiniest Internet of Things chips

    IoT is making devices smaller, smarter, and – we hope – safer. It’s not easy to make all those things happen at once, but chips that can help are starting to emerge.

    On Tuesday at ARM TechCon in Silicon Valley, ARM will introduce processors that are just a fraction of a millimeter across and incorporate the company’s TrustZone technology. TrustZone is hardware-based security built into SoC (system on chip) processors to establish a root of trust.

    It’s designed to prevent devices from being hacked and taken over by intruders, a danger that’s been in the news since the discovery of the Mirai botnet, which recently took over thousands of IP cameras to mount denial-of-service attacks.

  • Antique Kernel Flaw Opens Door to New Dirty Cow Exploit

Security Leftovers

Filed under
Security
  • The internet apocalypse map hides the major vulnerability that created it

    During Friday’s massive distributed denial of service (DDoS) attack on DNS service provider Dyn, one might be forgiven for mistaking the maps of network outages for images of some post-apocalyptic nuclear fallout. Screenshots from sites like downdetector.com showed menacingly red, fuzzy heat maps of, well, effectively just population centers of the United States experiencing serious difficulty accessing Twitter, Github, Etsy, or any of Dyn's other high-profile clients. Aside from offering little detail and making a DDoS literally into a glowing red menace, they also obscured the reality of just how centralized a lot of internet infrastructure really is. DNS is ground zero for the uneasy tension of the internet’s presumed decentralized resilience and the reality that as of now, translating IP addresses into domain names requires some kind of centralized, hierarchical platform, and that’s probably not going to radically change anytime soon.

    Other maps provided by various business to business network infrastructure companies weren’t much more helpful. These maps seem to exist mostly to signal that the companies in question have lots of cool data and that it can be made into a flashy map — which might impress potential customers, but that doesn’t offer a ton of insights for the layperson. For example, threat intelligence company Norse's map appears to be mostly a homage to the Matthew Broderick movie War Games: a constant barrage of DDoS attacks beaming like space invader rockets across a world map. Akamai has an impressive 3D visualization that renders traffic as points beaming into the atmosphere. And website monitoring service Pingdom offers a dot map at such a far-out zoom level that it's essentially useless for seeking out more meaningful patterns than "outages happen in population centers, also there are a lot of outages."

  • CoreOS Patched Against the "Dirty COW" Linux Kernel Vulnerability, Update Now
  • World’s first hack-proof router launched

    Turris Omnia router, tagged the world’s first hack-proof router, was launched yesterday at the CES Unveiled Show in Prague, Czech Republic.

    As an essential part of any home internet network, routers are rather poorly secured and protected against cyber attack. More often than not, the only security feature is the default password. With easily required internet knowledge and some skills, these routers can be hacked, providing unauthorized access to a complete internet network. From there on, anything is possible.

Syndicate content

More in Tux Machines

today's howtos

Software: LibreELEC 8.0.1 (Kodi), MKVToolnix 10.0.0, Claws Mail 3.15)

  • LibreELEC (Krypton) v8.0.1 MR
    LibreELEC (Krypton) v8.0.1 MR is available bringing Kodi v17.1, hardware support for the Raspberry Pi Zero W, improved software HEVC decoding on RPi3/CM3 hardware, driver support for Fe Pi audio cards, and support for Cirrus Logic DAC audio cards (thanks to @HiassofT). The bump to Kodi v17.1 resolves several upgrade and user-experience issues we have seen with the initial Kodi v17.0 release, and happiness is enhanced for users wearing an official LibreELEC tee-shirt or hoodie.
  • LibreELEC 8.0.1 Is Out Based on Kodi 17.1, Adds Support for Raspberry Pi Zero W
    LibreELEC developers announced the release and general availability of the first maintenance update to the major LibreELEC 8.0 stable series of the Linux-based operating system built around the Kodi open-source media center.
  • NetworkManager 1.8 to Support Handling of PINs for PKCS#11 Tokens as Secrets
    Lubomir Rintel announced that the development of the NetworkManager 1.8 major release has kicked off with the availability of the first snapshot, versioned 1.7.2, for public testing.
  • MKVToolnix 10.0.0 Open-Source MKV Manipulator Improves H.264 and H.265 Parsers
    MKVToolnix developer Moritz Bunkus released a new major branch of his popular, open-source and cross-platform MKV (Matroska) manipulation software, versioned 10.0.0.
  • Claws Mail 3.15.0
    Claws Mail is a GTK+ based, user-friendly, lightweight, and fast email client.
  • Claws Mail 3.15 Open-Source Email Client Brings New Hidden Preferences, Bugfixes
    Claws Mail, the lightweight and open-source GTK+ based email client for Linux, UNIX, and Windows operating systems, was updated recently to version 3.15.0, a maintenance update that adds new functionalities and addresses a lot of bugs. Claws Mail 3.15.0 comes more than four months after the first point release to the 3.14 series of the application, and among the new features implemented we can mention a bunch of options that should help users configure Claws Mail when opening a selected message, such as checkboxes on the Display and Summaries page of Preferences.

Games for GNU/Linux

  • It looks like we may be getting a Planescape Torment Enhanced Edition
    Back in January Beamdog was looking for testers on a new game. Now the Planescape website has a countdown timer. It's legitimate too, as tweeted by the Beamdog and the D&D twitter accounts.
  • RTS game 'Deadhold' could come to Linux, considering an experimental Beta
    The developers of Deadhold [Steam, Official Site] want to support Linux and they are thinking about releasing an experimental Linux Beta.
  • Ten amazing Linux games you can play without WINE
    Those of us who have taken up the mantle of a Linux gamer know that our path is rarely easy. For a long time, few games were released for our chosen platform. Those that were shipped riddled with bugs, compatibility issues and rarely worked out of the box. Getting games to work require using WINE and deeply complex almost arcane workarounds to force windows games to work on our quirky systems. Unfortunately, games rarely worked well and usually required hours of complex tweaking in order to get them to function properly. To top this all of, there were graphics driver problems, optimization issues, peripherals rarely worked out of the box and our lives were generally difficult.

Ubuntu-Based LXLE 16.04.2 Gets an RC Build, Promises to Be the Best Release Ever

LXLE 16.04.2 is on its way to becoming the best release ever of the Ubuntu-based distribution built around the lightweight LXDE desktop environment, and it just received a Release Candidate (RC) build. Continuing to get all the goodies from Ubuntu 16.04.2 LTS (Xenial Xerus), LXLE 16.04.2 Release Candidate is here only two weeks after the last Beta milestone, and adds quite a bunch of improvements and bug fixes. These include a reconfigured menu layout to be less cluttered for navigation, and a revamped Control Menu to act as a dynamic Control Panel. Read more