Security News

Filed under
Security
  • The Nintendo Switch already hacked through a known vulnerability?

    It appears that the not-so-well hidden Nintendo Switch browser shipped with a bunch of old vulnerabilities that hackers were able to leverage. Yesterday, hacker qwertyoruiop (known for Jailbreaks of multiple iOS versions, and who also contributed to the PS4 1.76 Jailbreak) posted a screenshot of what seems to be a Webkit exploit running on the Nintendo Switch.

  • Linux: fix an existing bug for 11 years in the Kernel
  • Security, Consumer Reports, and Failure

    As one can imagine there were a fair number of “they’ll get it wrong” sort of comments. They will get it wrong, at first, but that’s not a reason to pick on these guys. They’re quite brave to take this task on, it’s nearly impossible if you think about the state of security (especially consumer security). But this is how things start. There is no industry that has gone from broken to perfect in one step. It’s a long hard road when you have to deal with systemic problems in an industry. Consumer product security problems may be larger and more complex than any other industry has ever had to solve thanks to things such as globalization and how inexpensive tiny computers have become.

Security News

  • Apache Struts Vulnerability Under Attack

    An easy to exploit remote code execution flaw discovered in the widely used open-source Apache Struts 2 framework has been patched, but that's not stopping attackers from attempting to exploit vulnerable systems.

    The open-source Apache Struts 2 technology is a widely used framework component in Java applications and it's currently under attack. The attacks follow the March 6 disclosure by the Struts project for a Remote Code Execution (RCE) vulnerability identified as CVE-2017-5638.

  • An insecure mess: How flawed JavaScript is turning web into a hacker's playground

    An analysis of over 133,000 websites has found that 37 percent of them have at least one JavaScript library with a known vulnerability.

    Researchers from Northeastern University have followed up on research in 2014 that drew attention to potential security risks caused by loading outdated versions of JavaScript libraries, such as jQuery and the AngularJS framework, in the browser.

  • The Big Hack - the Day Cars Drove Themselves Into Walls and the Hospitals Froze

    I have decided to submit a story from the hypothetical future, published by New York Magazine 9 months ago, one that I picked while browsing whatever I missed since my last visit on Schneier on security.

  • Pennsylvania Senate Democrats resist ransom in cyberattack [iophk: "Microsoft on site to prevent defection"]

    Microsoft was doing a forensic audit to try to figure out who penetrated the network and how...

  • Security firm issues patch for another Windows 0-day

    A security firm that issued a patch for a Windows zero-day vulnerability last week has done a repeat, this time for a vulnerability that potentially allows arbitrary remote code execution in Internet Explorer 11.

  • Students to go head to head in cyber games competition [iophk: "cyber, cyber, cyber, cyber, ..."]
  • SCALE 15x Keynote: Karen Sandler - In the Scheme of Things, How Important is Software Freedom?
  • Church of England puts a stop to ransomware with Darktrace

    Attackers certainly were getting in: up until Jennings bumped into Darktrace at a trade show, the Church was being hit with ransomware attacks, as many as three or four in the space of six to eight weeks. In all instances the problem was internal – Jennings admits that IT literacy is not particularly high in the organisation – usually through a malicious email.

  • Australian start-up testing new online voting system [Ed: Another terrible idea; see Vault 7; everything has back doors. Use paper.]

    An Australian start-up that is currently testing what it says is the biggest dry run of an electronic voting system is confident that it can gradually make headway into getting its system taken up in the country.

    XO.1 is in the process of running a 24-hour stress test of its SecureVote system using the bitcoin blockchain network. The test began at 2am AEST this morning.

Security Leftovers

  • Payments Giant Verifone Investigating Breach

    Verifone circled back post-publication with the following update to their statement: “According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

  • Terabytes of Government Data Copied [iophk: "they need to publish via bittorrent more often to take out the single point of failure; they need to learn to use torrents from day one of their research"]
  • Millions of websites still using vulnerable SHA-1 certificate

    At least 21 percent of all public websites are using insecure SHA-1 certificates – past the migration deadline and after Google researchers demonstrated a real-world collision attack. And this is without taking into account private or closed networks that also might be using the hash.

  • Widespread Bug Bounty Program Could Help Harden Open Source Security

    One company is adding to its bug bounty program efforts by offering its professional services to the open source community for free. HackerOne’s platform, known as HackerOne Community Edition, will help open source software teams create a comprehensive approach to vulnerability management, including a bug bounty program.

  • Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking

    Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in some of the most devastating DDoS attacks the internet has ever seen. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in mass human fatalities.

    Hoping to, you know, help prevent that, the folks at Consumer Reports this week unveiled a new open source digital consumer-protection standard that safeguards consumers’ security and privacy in the internet-of-broken things era. According to the non-profit's explanation of the new standard, it's working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledges is early and requires public and expert assistance.

  • Researchers warn augmented mobile and open source = malware opportunity [Ed: Well, and proprietary is never a malware ramp (sarcasm)]

    ESET researchers warn, in a recent security post, that augmented mobile applications plus open source platforms like Google's could be a recipe for clever malware to come.

    Currently, Google only requires developers to make a onetime payment of $25 and within 24 hours they can have an application in the Google Play Store compared to Apple which requires a yearly license which costs more than $100 and a vetting period of up to two weeks.

  • Operation Rosehub patches Java vulnerabilities in open source projects

    Google employees recently completed Operation Rosehub, a grass roots effort that patches a set of serious Java vulnerabilities in thousands of open source projects.

  • [Video] CPU Backdoors Could Allow Government Spying
  • Moving Git past SHA-1 [Ed: no longer behind LWN paywall]

    The SHA-1 hash algorithm has been known for at least a decade to be weak; while no generated hash collisions had been reported, it was assumed that this would happen before too long. On February 23, Google announced that it had succeeded at this task. While the technique used is computationally expensive, this event has clarified what most developers have known for some time: it is time to move away from SHA-1. While the migration has essentially been completed in some areas (SSL certificates, for example), there are still important places where it is heavily used, including at the core of the Git source-code management system. Unsurprisingly, the long-simmering discussion in the Git community on moving away from SHA-1 is now at a full boil.

  • Linux kernel: CVE-2017-2636: local privilege escalation flaw in n_hdlc
  • Spammergate: The Fall of an Empire

Security News

  • Security updates for Friday
  • Reproducible Builds: week 97 in Stretch cycle
  • Linux says open source more secure than closed, responds to Wikileaks’ claims

    Apple has already released a statement that said the vulnerabilities have already been fixed. Google too has responded to the issue. Linux just released a statement assuring the users that its being open source is safer for most people. The idea is that open source software communities continue to work on securing systems.

  • MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

    To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values.

    In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers.

  • Open source security and ‘hacking robots before skynet’ [Ed: Let's pretend proprietary software is secure and robust, and has zero back doors (we cannot see)]

    In this case, the devices were used to form a botnet and attack other systems, conducting a denial of service attack that made Twitter, Etsy, and other popular sites unavailable to users. This was inconvenient to users, and likely cost revenue for Dyn customers. It was almost certainly costly for Dyn.

Security Leftovers

  • Security updates for Thursday
  • Hardening the LSM API

    The Linux Security Modules (LSM) API provides security hooks for all security-relevant access control operations within the kernel. It’s a pluggable API, allowing different security models to be configured during compilation, and selected at boot time. LSM has provided enough flexibility to implement several major access control schemes, including SELinux, AppArmor, and Smack.

  • Hackers exploit Apache Struts vulnerability to compromise corporate web servers
  • Critical vulnerability under “massive” attack imperils high-impact sites

    The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

  • How Safe Are Blockchains? It Depends.

    Blockchain, the distributed ledger technology underlying bitcoin, may prove to be far more valuable than the currency it supports. But it’s only as valuable as it is secure. As we begin to put distributed ledger technology into practice, it’s important to make sure that the initial conditions we’re setting up aren’t setting us up for security issues later on.

  • Three Overlooked Lessons about Container Security

    Last week was an exciting week for me — I’ve just joined container security specialists Aqua Security and spent a couple of days in Tel Aviv getting to know the team and the product. I’m sure I’m learning things that might be obvious to the seasoned security veteran, but perhaps aren’t so obvious to the rest of us! Here are three aspects I found interesting and hope you will too, even if you’ve never really thought about the security of your containerized deployment before:

Security Leftovers

  • Security updates for Tuesday
  • Security updates for Wednesday
  • Google leads ‘guerilla patching’ of big vulnerability in open source projects

    Google has revealed its emergency patching efforts to fix a widespread and “pernicious” software vulnerability that affected thousands of open source projects in 2015.

    Referred to as “Mad Gadget” by Google (aka the Java “Apache Commons Collections Deserialization Vulnerability”, CVE-2015-6420), the flaw was first highlighted by FoxGlove Security in November of that year, months after the first proof-of-concept code garnered almost zero attention.

  • Microsoft and Samsung react to Vault 7 CIA leaks -- Google, Linux Foundation and others remain silent

    The Vault 7 document and code cache released yesterday by WikiLeaks revealed that many big software companies were being actively exploited by the CIA. Apple, Microsoft, Google, Samsung, and even Linux were all named as having vulnerabilities that could be used for surveillance.

  • Vault 7 fallout: Linux Foundation says it's "not surprising" Linux is targeted [Ed: "NSA Asked Linus Torvalds To Install Backdoors Into GNU/Linux"]

    In the wake of WikiLeaks' Vault 7 CIA leaks, Apple has been quick to point out that vulnerabilities mentioned in the documents have already been addressed. Microsoft and Samsung have said they are "looking into" things, and now the Linux Foundation has spoken out.

    Nicko van Someren, Chief Technology Officer at The Linux Foundation says that while it is "not surprising" that Linux would find itself a target, the open source project has a very fast release cycle, meaning that kernel updates are released every few days to address issues that are found.

  • The Linux Foundation responds to Wikileaks' CIA hacking revelations

    The Linux Foundation has become the latest firm to respond to the revelations that its products have been compromised by the CIA.

    Wikileaks on Tuesday published 8,761 documents dubbed 'Year Zero', the first part in a series of leaks on the agency that Wikileaks has dubbed 'Vault 7'.

    The whistleblowing foundation claims the document dump reveals full details of the CIA's 'global covert hacking program', including 'weaponised exploits' used against operating systems including Android, iOS, Linux, macOS, Windows and "even Samsung TVs, which are turned into covert microphones".

Canonical Releases New Kernels for Ubuntu Linux to Fix a Single Vulnerability


Canonical published several security advisories to inform Ubuntu users about new kernel versions for their Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 16.10 (Yakkety Yak) operating systems.

Parrot Security OS 3.5 Ethical Hacking Distro Brings Cryptkeeper, Kernel 4.9.13


The developers of the Debian-based Parrot Security OS distribution have announced today, March 8, 2017, the general availability of version 3.5 of the ethical hacking and penetration testing oriented OS.

5 Best Privacy Centric Linux Distributions


Are you worried about your privacy and/or security on the Internet? Well, you should be if you’re not. In this age, there are many reasons that should make you think twice about your privacy and security online. Security includes keeping safe from prying eyes looking to sniff data or identity for fraudulent activities. For the average user, keeping an updated version of your favorite Linux distro should be good enough. That is, Ubuntu, Fedora, SUSE and all your usual distros should be quite OK so long as you’re keeping them updated. You can also employ tools such as Tor and OpenPGP to raise your level of security. Trust me, your everyday distro does a whole lot better at security than Windows and MacOS do, especially when it comes to most malware, viruses and spyware.

Security News

  • Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

    The 4.7.3 update comes just days after WordPress admins were alerted to a separate security crisis in NextGEN Gallery, a WordPress plugin vulnerable to SQL injection attacks.

  • WordPress 4.7.3 Updates for Six Security Issues

    The open-source WordPress blogging and content management system fixes six vulnerabilities, including three Cross Site Scripting flaws.

    The open-source WordPress blogging and content management system (CMS) released a new incremental version on March 6, providing users with six new security patches and 39 bug fixes. The new WordPress 4.7.3 update is the third security update for WordPress so far in 2017, following the 4.7.2 update on Jan. 26 and the 4.7.1 update on Jan. 12.

  • New Stable CloudLinux 7 Kernel Update Released to Patch Multiple Security Issues

    CloudLinux's Mykola Naugolnyi announced today, March 7, 2017, the immediate availability of a new stable kernel update for the CloudLinux 7 operating system series.

    The updated CloudLinux 7 kernel was bumped to version 3.10.0-427.36.1.lve1.4.39 and is here to address a bunch of security vulnerabilities discovered recently. First of all, you should know that this new kernel replaces the 3.10.0-427.18.2.lve1.4.38 build that many of you have installed, and can be downloaded from CloudLinux's stable repository.

  • Frankfurt used as remote hacking base for the CIA: WikiLeaks

    WikiLeaks documents reveal CIA agents were given cover identities and diplomatic passports to enter the country. The base was used to develop hacking tools as part of the CIA's massive digital arsenal.

  • Wikileaks reveals how CIA is targeting your iPhone, Android, and smart TV

    Wikileaks just dropped a massive collection of information detailing how the US government is attacking the devices that many of us use every single day in an effort to gain intel for its own purposes. Tactics for breaching iPhones, iPads, Android devices, PCs, routers, and even smart TVs are included in the leak, which has some serious privacy and security implications if even a fraction of it proves to be accurate.

  • WikiLeaks publishes massive trove of CIA spying files in 'Vault 7' release

    WikiLeaks has published a huge trove of what appear to be CIA spying secrets.

    The files are the most comprehensive release of US spying files ever made public, according to Julian Assange. In all, there are 8,761 documents that account for "the entire hacking capacity of the CIA", Mr Assange claimed in a release, and the trove is just the first of a series of "Vault 7" leaks.

    Already, the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.

  • Wikileaks posts alleged trove of CIA hacking tools
  • WikiLeaks' CIA document dump shows agency can compromise Android, TVs

    WikiLeaks has released more than 8,700 documents it says come from the CIA's Center for Cyber Intelligence, with some of the leaks saying the agency had 24 "weaponized" and previously undisclosed exploits for the Android operating system as of 2016.
