Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security advisories for Monday
  • Why do we do security?

    I had a discussion last week that ended with this question. "Why do we do security". There wasn't a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can't come up with a simple answer. It's probably part of the problems you see in infosec.

    The purpose of security isn't just to be "secure", it's to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense.

  • New release: usbguard-0.6.2
  • DNSync

    While setting up my new network at my house, I figured I’d do things right and set up an IPSec VPN (and a few other fancy bits). One thing that became annoying when I wasn’t on my LAN was I’d have to fiddle with the DNS Resolver to resolve names of machines on the LAN.

Security News

Filed under
Security
  • Why real hackers prefer Linux over Windows and Mac

    We have published many tutorials for hackers and security researchers. You may have noticed that most tutorials are based on Linux operating systems. Even the hacking tools out there are based on Linux barring a few which are written for Windows and Mac. The moot question here is that why do hackers prefer Linux over Mac or Windows?

    Today we look at the reason why hackers always prefer Linux over Mac, Windows, and other operating systems. You may have your own reasons for choosing Linux but what do hackers really look forward to while working with Linux.

  • HDDCryptor Ransomware Overwrites Your MBR Using Open Source Tools [Ed: Windows ransom but the headline only says “Open Source”]

    Most of the research on this infection has been done by Marinho, who says that his company was called in to investigate and fix a massive infection at a multi-national company that affected computers in its Brazil, India, and US subsidiaries.

  • The power of protocol analyzers

    In the complicated world of networking, problems happen. But determining the exact cause of a novel issue in the heat of the moment gets dicey. In these cases, even otherwise competent engineers may be forced to rely on trial and error once Google-fu gives out.

    Luckily, there’s a secret weapon waiting for willing engineers to deploy—the protocol analyzer. This tool allows you to definitively determine the source of nearly any error, provided you educate yourself on the underlying protocol. The only catch for now? Many engineers avoid it entirely due to (totally unwarranted) dread.

  • Bitcoin: A Sequence of Proofs

    A potential solution to the growing pains of Bitcoin is the use of proof-of-stake rather than proof-of-work. An attacker which has a stake in the history already on the blockchain is unlikely to jeopardize it. In proof-of-stake, the cryptocurrency is paid by the miners into the bets of the next block to win. If an attacker bets on multiple chains, then they're guaranteed to lose money. This, combined with the fact that buying a lot of currency is more expensive than a lot of computer power, makes proof-of-stake practical. We will cover Peercoin later, which does proof of stake and has other mitigations for certain attacks.

    An interesting idea is vote tattling. When an attacker votes on one block with a predecessor, and then votes on another with the same predecessor, peers can observe this. They can report double voting by using the votes as cryptographically-verified evidence, and taking the attacker's vote-money.

Security Leftovers

Filed under
Security
  • 20 Questions Security Leaders Need To Ask About Analytics

    It would be an understatement to say that the security world tends to be full of hype and noise. At times, it seems like vendors virtually xerox each other’s marketing materials. Everyone uses the same words, phrases, jargon, and buzzwords. This is a complicated phenomenon and there are many reasons why this is the case.

    The more important issue is why security leaders find ourselves in this state. How can we make sense of all the noise, cut through all the hype, and make the informed decisions that will improve the security of our respective organizations? One answer is by making precise, targeted, and incisive inquiries at the outset. Let’s start with a game of 20 questions. Our first technology focus: analytics.

  • Trend Micro shows that Linux systems not so bulletproof against trojans [Ed: very low risk (must fool the user or gain physical access)]
  • Sixth Linux DDoS Trojan Discovered in the Last 30 Days [Ed: drama over something that must fool users]

    Linux users have yet another trojan to worry about, and as always, crooks are deploying it mostly to hijack devices running Linux-based operating systems and use them to launch DDoS attacks at their behest.

  • Yet Another Linux Trojan Uncovered
  • Secure Docker on Linux or Windows platforms

    With Docker appearing in businesses of all shapes and sizes, security is a concern for many IT admins. Here's how to secure Docker on the container or the host machine.

  • New release: usbguard-0.6.1
  • Ransomware Getting More Targeted, Expensive

    I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.

  • Web security CEO warns about control of internet falling into few hands

    The internet was designed to be a massive, decentralized system that nobody controlled, but it is increasingly controlled by a select few tech companies, including Google, Facebook, Apple and Amazon, and they are continuing to consolidate power, said the CEO of a cybersecurity company.

    "More and more of the internet is sitting behind fewer and fewer players, and there are benefits of that, but there are also real risks," said Matthew Prince, chief executive officer of web security company CloudFlare, in an interview with CNBC. His comments came at CloudFlare's Internet Summit — a conference featuring tech executives and government security experts — on Tuesday in San Francisco.

    Facebook has faced a lot of criticism for perceived abuse of its editorial sway among the 1.7 billion monthly active users who visit the site to consume news alongside family photos and ads. For example, a Norwegian newspaper editor recently slammed Mark Zuckerberg for Facebook's removal of a post featuring an iconic image known as the Napalm Girl that included a naked girl running from napalm bombs.

Security News

Filed under
Security

Security News

Filed under
Security
  • Security advisories for Wednesday
  • DevOps and the Art of Secure Application Deployment

    Secure application deployment principles must extend from the infrastructure layer all the way through the application and include how the application is actually deployed, according to Tim Mackey, Senior Technical Evangelist at Black Duck Software. In his upcoming talk, “Secure Application Development in the Age of Continuous Delivery” at LinuxCon + ContainerCon Europe, Mackey will discuss how DevOps principles are key to reducing the scope of compromise and examine why it’s important to focus efforts on what attackers’ view as vulnerable.

  • Sept 2016 Patch Tuesday: Microsoft released 14 security bulletins, rated 7 as critical

    Microsoft released 14 security bulletins for September, seven of which are rated critical due to remote code execution flaws. Microsoft in all its wisdom didn’t regard all RCEs as critical. There’s also an “important rated” patch for a publicly disclosed flaw which Microsoft claims isn’t a zero-day being exploited. But at least a 10-year-old hole is finally being plugged.

    Next month marks a significant change as Microsoft says it intends roll out "servicing changes" that include bundled patches. Unless things change, not all Windows users will be able to pick and choose specific security updates starting in October.

  • Microsoft Patches Zero Day Flaw Used In Two Massive Malvertising Campaigns [Ed: Microsoft, as usual, told the NSA about this months before patching]

    Microsoft was first notified about the so-called information disclosure bug in September 2015, security vendor Proofpoint said in an alert this week. But a patch for it became available only after Trend Micro and Proofpoint reported the bug again to Microsoft more recently when researching a massive malvertising campaign being operated by a group called AdGholas, the alert noted.

MySQL Patching

Filed under
Security
  • MySQL 0-day could lead to total system compromise
  • MySQL Exploit Evidently Patched

    News began circulating yesterday that the popular open source database MySQL contains a publicly disclosed vulnerability that could be used to compromise servers. The flaw was discovered by researcher Dawid Golunski and began getting media attention after he published a partial proof-of-concept of the exploit, which is purposefully incomplete to prevent abuse. He said the exploit affects "all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions." In addition, MariaDB and Percona DB which are derived from MySQL are affected.

Security News

Filed under
Security
  • Tuesday's security updates
  • [Mozilla:] Cybersecurity is a Shared Responsibility

    There have been far too many “incidents” recently that demonstrate the Internet is not as secure as it needs to be. Just in the past few weeks, we’ve seen countless headlines about online security breaches. From the alleged hack of the National Security Agency’s “cyberweapons” to the hack of the Democratic National Committee emails, and even recent iPhone security vulnerabilities, these stories reinforce how crucial it is to focus on security.

    Internet security is like a long chain and each link needs to be tested and re-tested to ensure its strength. When the chain is broken, bad things happen: a website that holds user credentials (e.g., email addresses and passwords) is compromised because of weak security; user credentials are stolen; and, those stolen credentials are then used to attack other websites to gain access to even more valuable information about the user.

    One weak link can break the chain of security and put Internet users at risk. The chain only remains strong if technology companies, governments, and users work together to keep the Internet as safe as it can be.

  • IoT malware exploits DVRs, home cameras via default passwords

    The Internet of Things business model dictates that devices be designed with the minimum viable security to keep the products from blowing up before the company is bought or runs out of money, so we're filling our homes with net-connected devices that have crummy default passwords, and the ability to probe our phones and laptops, and to crawl the whole internet for other vulnerable systems to infect.

    Linux/Mirai is an ELF trojan targeting IoT devices, which Malware Must Die describes as the most successful ELF trojan. It's very difficult to determine whether these minimal-interface devices are infected, but lab tests have discovered the malware in a wide range of gadgets.

  • Someone Is Learning How to Take Down the Internet

    First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

  • Internet's defences being probed: security expert

    A big player, most possibly a nation state, has been testing the security of companies that run vital parts of the Internet's infrastructure, according to well-known security expert Bruce Schneier.

    In an essay written for the Lawfare blog, Schneier, an inventor of the Blowfish, Twofish and Yarrow algorithms, said that the probes which had been observed appeared to be very carefully targeted and seemed to be testing what exactly would be needed to compromise these corporations.

    Schneier said he did not know who was carrying out the probes but, at a first guess, said it was either China or Russia.

    Pointing out that the easiest way to take a network off the Internet was by using a distributed denial of service (DDoS) attack, he said that major firms that provide the basic infrastructure to make the Internet work had recently seen an escalation of such attacks.

  • Hackers smear Olympic athletes with data dump of medical files

    Hackers are trying to tarnish the U.S. Olympic team by releasing documents they claim show athletes including gymnast Simone Biles and tennis players Venus and Serena Williams used illegal substances during the Rio Games.

    The medical files, allegedly from the World Anti-Doping Agency, were posted Tuesday on a site bearing the name of the hacking group Fancy Bears. “Today we'd like to tell you about the U.S. Olympic team and their dirty methods to win,” said a message on the hackers' site.

    The World Anti-Doping Agency confirmed it had been hacked and blamed Fancy Bears, a Russian state-sponsored cyber espionage team that is also known as APT 28 -- the very same group that may have recently breached the Democratic National Committee.

Security News

Filed under
Security
  • Securing the Programmer

    I have a favorite saying: "If you are a systems administrator, you have the keys to the kingdom. If you are an open-source programmer, you don't know which or how many kingdoms you have the keys to." We send our programs out into the world to be run by anyone for any purpose. Think about that: by anyone, for any purpose. Your code might be running in a nuclear reactor right now, or on a missile system or on a medical device, and no one told you. This is not conjecture; this is everyday reality. Case in point: the US Army installed gpsd on all armor (tanks, armored personnel carriers and up-armored Humvees) without telling its developers.

    This article focuses on the needs of infrastructure software developers—that is, developers of anything that runs as root, has a security function, keeps the Internet as a whole working or is life-critical. Of course, one never knows where one's software will be run or under what circumstances, so feel free to follow this advice even if all you maintain is a toddler login manager. This article also covers basic security concepts and hygiene: how to think about security needs and how to keep your development system in good shape to reduce the risk of major computing security mishaps.

  • Software-Defined Security Market Worth 6.76 Billion USD by 2021
  • Two critical bugs and more malicious apps make for a bad week for Android
  • Let's Encrypt Aiming to Encrypt the Web

    By default, the web is not secure, enabling data to travel in the clear, but that's a situation that is easily corrected through the use of SSL/TLS. A challenge with implementing Secure Sockets Layer/Transport Layer Security has been the cost to acquire an SSL/TSL certificate from a known Certificate Authority (CA), but that has changed in 2016, thanks to the efforts of Let's Encrypt.

    Let's Encrypt is a non-profit effort that that was was announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. Let's Encrypt exited its beta period in April 2016 and to date has provided more than 5 million free certificates.

Syndicate content

More in Tux Machines

Leftovers: Software

Linux and FOSS Events

  • Debian SunCamp 2017 Is Taking Place May 18-21 in the Province of Girona, Spain
    It looks like last year's Debian SunCamp event for Debian developers was a total success and Martín Ferrari is back with a new proposal that should take place later this spring during four days full of hacking, socializing, and fun. That's right, we're talking about Debian SunCamp 2017, an event any Debian developer, contributor, or user can attend to meet his or hers Debian buddies, hack together on new projects or improve existing ones by sharing their knowledge, plan upcoming features and discuss ideas for the Debian GNU/Linux operating system.
  • Pieter Hintjens In Memoriam
    Pieter Hintjens was a writer, programmer and thinker who has spent decades building large software systems and on-line communities, which he describes as "Living Systems". He was an expert in distributed computing, having written over 30 protocols and distributed software systems. He designed AMQP in 2004, and founded the ZeroMQ free software project in 2007. He was the author of the O'Reilly ZeroMQ book, "Culture and Empire", "The Psychopath Code", "Social Architecture", and "Confessions of a Necromancer". He was the president of the Foundation for a Free Information Infrastructure (FFII), and fought the software patent directive and the standardisation of the Microsoft OOXML Office format. He also organized the Internet of Things (IOT) Devroom here at FOSDEM for the last 3 years. In April 2016 he was diagnosed with terminal metastasis of a previous cancer.
  • foss-gbg on Wednesday
    The topics are Yocto Linux on FPGA-based hardware, risk and license management in open source projects and a product release by the local start-up Zifra (an encryptable SD-card). More information and free tickets are available at the foss-gbg site.

Leftovers: OSS

  • When Open Source Meets the Enterprise
    Open source solutions have long been an option for the enterprise, but lately it seems they are becoming more of a necessity for advanced data operations than merely a luxury for IT techs who like to play with code. While it’s true that open platforms tend to provide a broader feature set compared to their proprietary brethren, due to their larger and more diverse development communities, this often comes at the cost of increased operational complexity. At a time when most enterprises are looking to shed their responsibilities for infrastructure and architecture to focus instead on core money-making services, open source requires a fairly high level of in-house technical skill. But as data environments become more distributed and reliant upon increasingly complex compilations of third-party systems, open source can provide at least a base layer of commonality for resources that support a given distribution.
  • EngineerBetter CTO: the logical truth about software 'packaging'
    Technologies such as Docker have blended these responsibilities, causing developers to need to care about what operating system and native libraries are available to their applications – after years of the industry striving for more abstraction and increased decoupling!
  • What will we do when everything is automated?
    Just translate the term "productivity of American factories" into the word "automation" and you get the picture. Other workers are not taking jobs away from the gainfully employed, machines are. This is not a new trend. It's been going on since before Eli Whitney invented the cotton gin. Industry creates machines that do the work of humans faster, cheaper, with more accuracy and with less failure. That's the nature of industry—nothing new here. However, what is new is the rate by which the displacement of human beings from the workforce in happening.
  • Want OpenStack benefits? Put your private cloud plan in place first
    The open source software promises hard-to-come-by cloud standards and no vendor lock-in, says Forrester's Lauren Nelson. But there's more to consider -- including containers.
  • Set the Agenda at OpenStack Summit Boston
    The next OpenStack Summit is just three months away now, and as is their custom, the organizers have once again invited you–the OpenStack Community–to vote on which presentations will and will not be featured at the event.
  • What’s new in the world of OpenStack Ambassadors
    Ambassadors act as liaisons between multiple User Groups, the Foundation and the community in their regions. Launched in 2013, the OpenStack Ambassador program aims to create a framework of community leaders to sustainably expand the reach of OpenStack around the world.
  • Boston summit preview, Ambassador program updates, and more OpenStack news

Proprietary Traps and Openwashing

  • Integrate ONLYOFFICE Online Editors with ownCloud [Ed: Proprietary software latches onto FOSS]
    ONLYOFFICE editors and ownCloud is the match made in heaven, wrote once one of our users. Inspired by this idea, we developed an integration app for you to use our online editors in ownCloud web interface.
  • Microsoft India projects itself as open source champion, says AI is the next step [Ed: Microsoft bribes to sabotage FOSS and blackmails it with patents; calls itself "open source"]
  • Open Source WSO2 IoT Server Advances Integration and Analytic Capabilities
    WSO2 has announced a new, fully-open-source WSO2 Internet of Things Server edition that "lowers the barriers to delivering enterprise-grad IoT and mobile solutions."
  • SAP license fees are due even for indirect users, court says
    SAP's named-user licensing fees apply even to related applications that only offer users indirect visibility of SAP data, a U.K. judge ruled Thursday in a case pitting SAP against Diageo, the alcoholic beverage giant behind Smirnoff vodka and Guinness beer. The consequences could be far-reaching for businesses that have integrated their customer-facing systems with an SAP database, potentially leaving them liable for license fees for every customer that accesses their online store. "If any SAP systems are being indirectly triggered, even if incidentally, and from anywhere in the world, then there are uncategorized and unpriced costs stacking up in the background," warned Robin Fry, a director at software licensing consultancy Cerno Professional Services, who has been following the case.
  • “Active Hours” in Windows 10 emphasizes how you are not in control of your own devices
    No edition of Windows 10, except Professional and Enterprise, is expected to function for more than 12 hours of the day. Microsoft most generously lets you set a block of 12 hours where you’re in control of the system, and will reserve the remaining 12 hours for it’s own purposes. How come we’re all fine with this? Windows 10 introduced the concept of “Active Hours”, a period of up to 12 hours when you expect to use the device, meant to reflect your work hours. The settings for changing the device’s active hours is hidden away among Windows Update settings, and it poorly fits with today’s lifestyles. Say you use your PC in the afternoon and into the late evening during the work week, but use it from morning to early afternoon in the weekends. You can’t fit all those hours nor accommodate home office hours in a period of just 12 hours. We’re always connected, and expect our devices to always be there for us when we need them.
  • Chrome 57 Will Permanently Enable DRM
    The next stable version of Chrome (Chrome 57) will not allow users to disable the Widevine DRM plugin anymore, therefore making it an always-on, permanent feature of Chrome. The new version of Chrome will also eliminate the “chrome://plugins” internal URL, which means if you want to disable Flash, you’ll have to do it from the Settings page.