Security

Security Leftovers

Filed under
Security
  • XSS Hits Zen Cart Open-Source E-commerce App

    Multiple Cross-Site Scripting (XSS) vulnerabilities have been uncovered in the popular online open source shopping cart application, Zen Cart.

    XSS allows the attacker to inject malicious client-side scripts into a website, which are later executed by the victims while browsing the website. There are different cross-site scripting variants, all of which can be used to craft different types of attacks. In this case, malicious XSS injections could result in hackers gaining access to cookies and sensitive information, and could allow site defacement, which can result in further attacks.

  • Popular Shopping Cart App Plugs Dozens of XSS Vulnerabilities

    Popular open source shopping cart app Zen Cart is warning its users of dozens of cross-site scripting vulnerabilities found in its software. Affected websites, security experts say, risk exposing customers to malware, theft of cookies data and site defacement.

    Researchers at the security firm Trustwave discovered the vulnerabilities in September 2015 and have worked closely with Zen Cart to update the (1.5.4) shopping cart software. On March 17, Zen Cart released a 1.5.5 update to its software along with a patch for previous versions of Zen Cart, for those customers that wanted to continue using the older platform. Public disclosure of the vulnerability was on Friday.

  • CVE-2016-0774 Linux Kernel moderate vulnerability

A Peek At Upcoming Open Source Enhancements In IBM i

Filed under
OSS
Security

It's hard to quantify the value created through open source development of software. Last year, the Linux Foundation released a white paper that found the total value of the development of the Linux operating system amounted to $5 billion. In 2013, IBM itself committed to donating $1 billion in cold hard cash to further development of Linux and other open source projects. When one considers that nearly all of the cutting-edge IT work being done in distributed computing (i.e., the worlds of Hadoop, Spark, Kafka, and NoSQL databases) involves open sharing of source code--mostly through the Apache Software Foundation--then the humongous value that open source brings comes into view.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • Secure code before or after sharing? [Ed: FUD season. US moving to FOSS, so parasites pop up]

    The White House wants federal agencies to share more of their custom code with each other, and also to provide more of it to the open source community. That kind of reuse and open source development of software could certainly cut costs and provide more able software in the future, but is this also an opening for more bugs and insecure code?

  • SMTP Strict Transport Security Standard Drafted for Email Security

    Love it or hate it, email remains a must-have tool in the modern Internet, though email isn't always as secure as it should be. When users connect to email servers, those connections have the potential to be intercepted by attackers, so there is a need for standards, like the new SMTP Strict Transport Security (STS) standard, published March 18 as an Internet Engineering Task Force (IETF) draft.

  • Certified Ethical Hacker website caught spreading crypto ransomware
  • Certificate pinning is a useful thing, says Netcraft. So why do hardly any of you use it?

    Venerable net-scan outfit Netcraft has issued what cliché would describe as “a stinging rebuke” to sysadmins the world over, for ignoring HTTP Public Key Pinning (HPKP).

    Pinning is designed to defend users against impersonation attacks, in which an attacker tricks a certificate authority to issue a fraudulent certificate for a site.

    If the attacker can present a user with a certificate for fubar.com, they can impersonate the site, opening a path for malfeasance like credential harvesting.

  • Oracle issues emergency Java patch for bug leading to system hijack

    Oracle has released an emergency patch for Java which fixes a critical bug leading to remote code execution without the need for user credentials.

  • Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection [iophk: The FBI needs to prosecute those that brought Windows into the hospital.]

    A Kentucky hospital says it is operating in an “internal state of emergency” after a ransomware attack rattled around inside its networks, encrypting files on computer systems and holding the data on them hostage unless and until the hospital pays up.

  • Judge Won’t Consider EFF’s Arguments in FBI Mass Hacking Case

    Earlier this month, digital rights group the Electronic Frontier Foundation (EFF) filed a strongly worded amicus brief arguing that the warrant used by the FBI for its use of malware to identify visitors of a dark web child pornography site was “unconstitutional,” and qualified as a broad, “general warrant.”

    But on Tuesday, Robert J. Bryan, the district judge overseeing the case rejected the group’s argument, saying it contained allegations of fact not supported in the record, and that it was simply repeating arguments already made by the defense.

    “According to EFF, a self-proclaimed ‘recognized expert’ on the intersection of civil liberties and technology, the law enforcement techniques employed in this case present novel questions of Fourth Amendment law,” Bryan writes in his order. The brief was signed by Mark Rumold, Nate Cardozo, and Andrew Crocker from the EFF, and Venkat Balasubramani, an attorney who is representing the organization.

  • Security education outfit EC-Council dishes out ransomware online

    Senior threat intelligence man Yonathan Klijnsma says the website of the EC-Council, the organisation responsible for the Ethical Hacker certification, is serving the dangerous Angler exploit kit to infect PCs.

    Klijnsma of Dutch firm Fox-IT says the website was serving the world's most highly-capable and dangerous exploit kit hours ago to users of Internet Explorer.

    Checks by this writer appear to show it is still serving the exploit at the time of publication.

  • Weak links in the blockchain: We're neglecting the foundations

    Premature infatuation with blockchain overlooks security weaknesses in the platform that underlies Bitcoin digital currency.
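The HPKP mechanism the Netcraft item above refers to works by the site sending a Public-Key-Pins header and the browser refusing later connections whose chain carries none of the pinned keys. The following is an added illustration, not code from Netcraft or any browser; it parses the header, applies the RFC 7469 rule that a policy is only noted when one pin matches the served chain and one is a backup pin that does not, and then checks a later chain against the stored pins. The SPKI byte strings are constructed stand-ins, not real DER.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def validate_hpkp(header: str, chain_spkis: list) -> bool:
    """Should a user agent note this policy? Per RFC 7469 section 2.5 it needs a
    max-age, at least one pin matching an SPKI in the served chain, and at least
    one pin that does NOT match any SPKI in the chain (the offline backup pin)."""
    policy = parse_hpkp(header)
    if policy["max_age"] is None or not policy["pins"]:
        return False
    chain_pins = {spki_pin(s) for s in chain_spkis}
    pins = set(policy["pins"])
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def chain_matches_pins(stored_pins, chain_spkis: list) -> bool:
    """Later connection: the served chain must contain at least one pinned key;
    a fraudulently issued certificate for the same name fails this check."""
    stored = set(stored_pins)
    return any(spki_pin(s) in stored for s in chain_spkis)
```

The backup-pin rule is what makes HPKP safe to deploy: without a second, offline key pinned, a key rotation would lock every returning visitor out for max-age seconds.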

FreeNAS 9.10 Open-Source Storage Operating System Adds USB 3.0 & Skylake Support

Filed under
Security
BSD

Jordan Hubbard from the FreeNAS project, an open-source initiative to create a powerful, free, secure, and reliable NAS (Network-attached storage) operating system based on BSD technologies, announced the release of FreeNAS 9.10.

FreeNAS 9.10 is the tenth maintenance release in the current stable 9.x series of the project, thus bringing the latest security patches from upstream, support for new devices, as well as several under-the-hood updates. As expected, FreeNAS 9.10 has been rebased on the latest FreeBSD 10.3 RC3 (Release Candidate) release.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • Cryptostalker, a Tool to Detect Crypto-Ransomware on Linux

    A while back, we stumbled upon an interesting GitHub repo dubbed randumb, which included an example called Cryptostalker, advertised as a tool to detect crypto-ransomware on Linux.

    Cryptostalker and the original project randumb are the work of Sean Williams, a developer from San Francisco. Mr. Williams wanted to create a tool that monitored the filesystem for newly written files and alerted the system's owner if those files contained random data (a sign of encrypted content) and were written at high speed.

  • Google slings critical patch at exploited Linux kernel root hole

    Google has shipped an out-of-band patch for Android shuttering a bug that is under active exploitation to root devices.

    The vulnerability (CVE-2015-1805) affects all Android devices running Linux kernel versions below 3.18.

  • Everything is fine, nothing to see here!

    Today everyone who is REALLY, I mean REALLY REALLY good at security got there through blood sweat and tears. Nobody taught them what they know, they learned it on their own. Many of us didn't have training when we were learning these things. Regardless of this though, if training is fantastic, why does it seem there is a constant march toward things getting worse instead of better? That tells me we're not teaching the right skills to the right people. The skills of yesterday don't help you today, and especially don't help tomorrow. By its very definition, training can only cover the topics of yesterday.

  • Inside the Starburst-sized box that could save the Internet

    Cybercrime is costing us millions. Hacks drain the average American firm of $15.4 million per year, and, in the resulting panic, companies often spend more than $1.9 million to resolve a single attack. It’s time to face facts: Our defenses aren’t strong enough to keep the hackers out.

  • Utah’s Online Caucus Gives Security Experts Heart Attacks

    On Tuesday, registered Republicans in Utah who want to participate in their state’s caucus will have the option to either head to a polling station and cast a vote in person or log onto a new website and choose their candidate online. To make this happen, the Utah GOP paid more than $80,000 to the London-based company Smartmatic, which manages electronic voting systems and internet voting systems in 25 countries and will run the Utah GOP caucus system.
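The Cryptostalker item above describes a two-part heuristic: new files whose contents look random, arriving faster than a human would write them. The following is an added illustration of that heuristic, not Sean Williams' code; it scores each newly written file by Shannon entropy and raises an alert only when enough high-entropy files land inside a sliding time window. The thresholds and the sample file contents are constructed for the example.

```python
import math
import time
from collections import deque


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Alert when too many high-entropy files appear within a short window.

    Entropy alone is a weak signal (archives, images and video are also near
    8.0 bits per byte), so the write-rate component is what keeps the false
    positive rate down. Thresholds here are constructed, not tuned values."""

    def __init__(self, entropy_threshold=7.5, window_seconds=60.0, max_new_files=10):
        self.entropy_threshold = entropy_threshold
        self.window = window_seconds
        self.max_new_files = max_new_files
        self.events = deque()  # (timestamp, path) of ciphertext-like writes

    def observe(self, path: str, data: bytes, now: float = None) -> bool:
        """Feed one newly written file; return True once the burst limit is hit."""
        now = time.time() if now is None else now
        if shannon_entropy(data) < self.entropy_threshold:
            return False  # plaintext, source, config: not ciphertext-like
        self.events.append((now, path))
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()  # forget writes that fell out of the window
        return len(self.events) >= self.max_new_files
```

In a real monitor the `observe` call would be driven by an inotify event for each closed-after-write file, sampling the first few kilobytes rather than reading whole files.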

Snowden: “I Used Free And Open Source Software Like Debian And TOR. I Didn’t Trust Microsoft”

Filed under
GNU
Linux
Security
Debian

At the Free Software Foundation’s LibrePlanet 2016 conference on Saturday, NSA whistleblower Edward Snowden participated in a discussion regarding free software and security. He joined the talk via video conferencing from Russia.

Edward Snowden said that he was able to disclose the secrets of the American government and its projects of mass surveillance using free software. The event was being held in an MIT lecture hall and this statement drew a wide round of applause.

Praising the likes of Debian, Tails, and TOR, he said — “What happened in 2013 couldn’t have happened without free software.”

Also: OS X and Linux rise in developer market to threaten Windows

Antivirus Live CD 17.0-0.99.1 Uses ClamAV 0.99.1 to Clean Your PCs of Viruses

Filed under
Linux
Security

4MLinux developer Zbigniew Konojacki today informs Softpedia about the immediate availability for download of a new build of his Antivirus Live CD tool based on the latest 4MLinux and ClamAV projects.

More in Tux Machines

FOSS and Linux Events

  • On speaking at community conferences
    Many people reading this have already suffered me talking to them about Prometheus. In personal conversation, or in the talks I gave at DebConf15 in Heidelberg, the Debian SunCamp in Lloret de Mar, BRMlab in Prague, and even at a talk on a different topic at the RABS in Cluj-Napoca.
  • TPM Microconference Accepted into LPC 2016
    Although trusted platform modules (TPMs) have been the subject of some controversy over the years, it is quite likely that they have important roles to play in preventing firmware-based attacks, protecting user keys, and so on. However, some work is required to enable TPMs to successfully play these roles, including getting TPM support into bootloaders, securely distributing known-good hashes, and providing robust and repeatable handling of upgrades. In short, given the ever-more-hostile environments that our systems must operate in, it seems quite likely that much help will be needed, including from TPMs. For more details, see the TPM Microconference wiki page.
  • More translations added to the SFD countdown
    Software Freedom Day is celebrated all around the world and as usual our community helps us to provide marketing materials in their specific languages. While the wiki is rather simple to translate, the Countdown remains a bit more complicated and time consuming to localize. One needs to edit the SVG file and generate roughly a 100 pictures, then upload them to the wiki. Still this doesn’t scare the SFD teams around the world and we are happy to announce three more languages are ready to be used: French, Chinese and German!

Second FreeBSD 11.0 Release Candidate Restores Support for 'nat global' in IPFW

Glen Barber from the FreeBSD project announced the availability of the second RC (Release Candidate) development build of the upcoming FreeBSD 11.0 operating system.

ConnochaetOS 14.2 Officially Released Based on Slackware 14.2 and Salix Linux

Henry Jensen from ConnochaetOS was happy and proud to announce the official release and general availability of the ConnochaetOS 14.2 GNU/Linux-libre operating system.

GNU/FSF/GPL

  • Unifont 9.0.02 Released
    Unifont 9.0.02 is released. The package and related files can be downloaded at ftp://ftp.gnu.org/gnu/unifont/unifont-9.0.02/
  • GCC 7 To Continue Improving Debug Messages, More Helpful Assembly Output
    Early on LLVM's Clang compiler offered much better debugging / error messages than GCC but in the past few years the GNU Compiler Collection developers have been working on generating more helpful messages too.
  • The Last LinuxCon, MariaDB Goes Open Core & More… [Ed: And a day later publicly attacks the Conservancy over GPL compliance against VMware]
    Linus Torvalds being interviewed by VMware’s Dirk Hohndel on the last day of the last LinuxCon North America. Next year’s event in Los Angeles will be renamed Open Source Summit.
  • GPL compliance suit against VMware dismissed
    In a setback to Christoph Hellwig's efforts to enforce the GPL on code that he wrote in the Linux kernel, his suit against VMware in Germany has been dismissed on procedural grounds. The court ruled that he had not provided enough specificity about the code he was claiming had been used by the company. The merits of the GPL and whether the two main parts of VMware's product constitute a derived work of the kernel were not even considered. There may be another chance for the court to do so, however, as Hellwig will appeal the dismissal.