
Security

Security Leftovers

Filed under
Security
  • CVE-2016-5696 and its effects on Tor

    This vulnerability is quite serious, but it doesn’t affect the Tor network any more than it affects the rest of the internet. In particular, the Tor-specific attacks mentioned in the paper will not work as described.

  • Secure Boot Failure, Response, and Mitigation

    Last week, it became public that there is an attack against Secure Boot, utilizing one of Microsoft’s utilities to install a set of security policies which effectively disables bootloader verification.

  • Static Code Analyzer Reportedly Finds 10,000 Open Source Bugs

    A Russian company behind the PVS-Studio static code analyzer claims to have used the tool to discover more than 10,000 bugs in various open source projects, including well-known offerings such as the Firefox Web browser and the Linux kernel.

  • Linux.Lady the Crypto-Currency Mining Trojan Discovered

    Organizations that rely on Redis, one of the most widely used NoSQL databases, should re-check their configurations, security researchers advise. The reason is the Linux.Lady cryptocurrency-mining Trojan, which has been found spreading through Redis servers left with their insecure out-of-the-box settings.

    As many as 30,000 Redis servers may be exposed, chiefly because careless administrators connected them to the Internet without setting a password, and Redis does not require one by default.

  • DDoS protection in the cloud

    OpenFlow and other software-defined networking controllers can discover and combat DDoS attacks, even from within your own network.

    Attacks based on the distributed denial of service (DDoS) model are, unfortunately, common practice, often used to extort protection money or sweep unwanted services off the web. Currently, such attacks can reach bandwidths of 300 Gbps or more. Admins usually defend themselves by securing the external borders of their own networks and listening for unusual traffic signatures on the gateways, but sometimes they fight attacks even farther outside the network – on the Internet provider's site – by diverting or blocking the attack before it overloads the line and paralyzes the victim's services.

    In the case of cloud solutions and traditional hosting providers, the attackers and their victims often reside on the same network. Thanks to virtualization, they could even share the same computer core. In this article, I show you how to identify such scenarios and fight them off with software-defined networking (SDN) technologies.
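The Linux.Lady item above comes down to Redis instances that were reachable from the network and answered without authentication. The following audit script is an added example, not code from the page or from the researchers it cites: it parses a redis.conf and flags the settings that produce that exposure (no bind restriction, no protected mode, no password, and a reachable CONFIG command, which lets an unauthenticated client point `dir`/`dbfilename` at an arbitrary path and write a file with SAVE). The two embedded configurations are constructed for the example, and the 32-character password floor is an assumption of the script, not a Redis rule.

```python
"""Audit a redis.conf for the out-of-the-box exposure that lets anyone who can
reach the port talk to Redis unauthenticated. Added example; configurations below
are constructed, not taken from any real host."""
import ipaddress

WEAK_CONF = """
# Redis 3.0-style defaults: no bind line, no password, no protected-mode directive
port 6379
daemonize yes
save 900 1
dir /var/lib/redis
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass 5d41402abc4b2a76b9719d911017c592e3f1a7b0
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Assumption: Redis AUTH is not throttled, so short secrets fall to online brute force.
MIN_PASSWORD_LEN = 32


def parse_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it appeared with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def bind_is_public(addr):
    """True when a bind address reaches beyond loopback; hostnames and '*' count as public."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def renamed_away(conf, command):
    """True if `rename-command <command> ""` disables the command outright."""
    return any(args[:1] == [command] and args[1:2] in ([""], ['""'], ["''"])
               for args in conf.get("rename-command", []))


def audit(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_conf(text)
    findings = []

    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(bind_is_public(a) for a in binds):
        findings.append("bound to a non-loopback address: " + ", ".join(binds))

    pm = conf.get("protected-mode")
    if pm is None:
        findings.append("protected-mode not set (absent on Redis < 3.2, which has no such guard)")
    elif (pm[-1] or [""])[0].lower() != "yes":
        findings.append("protected-mode disabled")

    rp = conf.get("requirepass")
    if not rp or not rp[-1]:
        findings.append("no requirepass: any client that can connect has full access")
    elif len(rp[-1][0]) < MIN_PASSWORD_LEN:
        findings.append("requirepass shorter than %d characters" % MIN_PASSWORD_LEN)

    if not renamed_away(conf, "CONFIG"):
        findings.append("CONFIG reachable: CONFIG SET dir/dbfilename plus SAVE writes files as the redis user")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against `/etc/redis/redis.conf` by reading the file into `audit()`; a clean result still says nothing about the firewall in front of the host, so pair it with a check that port 6379 is not reachable from outside.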
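For the SDN item above, this added example (not the article's own code) sketches the controller-side logic it describes: derive per-flow packet rates from two polls of switch counters, pick out a destination under flood and the sources driving it, and emit `ovs-ofctl` drop rules for the hypervisor's Open vSwitch bridge so the traffic dies before it leaves the host. The flow samples, addresses, bridge name and thresholds are all constructed for the example.

```python
"""Rate-based flood detection from per-flow counters, with drop rules for the
virtual switch. Added example; the polls and addresses below are constructed."""
from collections import defaultdict

POLL_SECONDS = 10

# Two successive flow-stats polls. Each row is (src_ip, dst_ip, dst_port,
# cumulative_packets) as a controller would extract from the counters a switch returns.
POLL_T0 = [
    ("10.0.1.5", "10.0.2.10", 80, 1200),
    ("10.0.1.7", "10.0.2.10", 80, 50000),
    ("10.0.1.8", "10.0.2.10", 80, 48000),
    ("10.0.1.9", "10.0.2.10", 80, 47000),
    ("10.0.1.5", "10.0.2.11", 443, 300),
]
POLL_T1 = [
    ("10.0.1.5", "10.0.2.10", 80, 1500),
    ("10.0.1.7", "10.0.2.10", 80, 250000),
    ("10.0.1.8", "10.0.2.10", 80, 248000),
    ("10.0.1.9", "10.0.2.10", 80, 227000),
    ("10.0.1.5", "10.0.2.11", 443, 400),
    ("10.0.1.12", "10.0.2.11", 443, 5000),   # flow that appeared between the polls
]


def packet_rates(before, after, interval):
    """Packets per second per (src, dst, dport) from counter deltas; a flow that
    first appears in `after` is rated from zero."""
    prev = {(s, d, p): n for s, d, p, n in before}
    return {(s, d, p): (n - prev.get((s, d, p), 0)) / interval for s, d, p, n in after}


def find_flood(rates, victim_pps, per_source_pps):
    """Destinations whose aggregate rate crosses `victim_pps`, and the sources that
    each push at least `per_source_pps` toward one of them."""
    per_dst = defaultdict(float)
    for (s, d, p), r in rates.items():
        per_dst[(d, p)] += r
    victims = {k for k, r in per_dst.items() if r >= victim_pps}
    offenders = sorted({s for (s, d, p), r in rates.items()
                        if (d, p) in victims and r >= per_source_pps})
    return victims, offenders


def drop_rules(offenders, bridge="br0", priority=200, hard_timeout=600):
    """ovs-ofctl commands that drop each offender at the hypervisor bridge. The
    hard_timeout makes the block expire, so a spoofed or misjudged source is not
    cut off permanently; re-detection re-installs it while the flood continues."""
    return ["ovs-ofctl add-flow %s 'priority=%d,hard_timeout=%d,ip,nw_src=%s,actions=drop'"
            % (bridge, priority, hard_timeout, s) for s in offenders]


if __name__ == "__main__":
    rates = packet_rates(POLL_T0, POLL_T1, POLL_SECONDS)
    victims, offenders = find_flood(rates, victim_pps=10000, per_source_pps=2000)
    print("victims:", sorted(victims))
    for rule in drop_rules(offenders):
        print(rule)
```

The thresholds have to come from a measured baseline for the tenant, and a pure rate trigger will also fire on a legitimate flash crowd, so in practice the controller would confirm with a second signal (SYN-to-ACK ratio, packet size distribution) before installing drops.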


Security News

Filed under
Security
  • Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.
  • NIST Denounces SMS 2FA - What are the Alternatives?

    Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating SMS-based out-of-band authentication. This became clear in the draft of NIST Special Publication 800-63B, Digital Authentication Guideline.

  • It's pretty easy to hack traffic lights

    Researchers from the University of Michigan EE/Computer Science Department presented their work on hacking traffic signals at this year's Usenix Security Symposium, and guess what? It's shockingly easy to pwn the traffic control system.

    The researchers targeted the wireless control systems at each intersection, avoiding any tampering with the actual junction boxes, which might be detected by passers-by (though seriously, some high-viz vests and a couple of traffic cones would likely serve as perfect camouflage), and worked with the permission of a local Michigan traffic authority.
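The alternative the NIST draft points to is an authenticator that holds a secret on the device rather than receiving a code over the phone network. This added example (not code from the page or from NIST) implements RFC 6238 TOTP on top of RFC 4226 HOTP with the standard library only: code generation, a verifier that tolerates one step of clock drift and refuses a counter that has already been accepted, and the otpauth URI an authenticator app enrols from. The secret is the RFC 6238 test-vector key; the account and issuer names are placeholders.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226), as a device-bound replacement for SMS
codes. Added example; the secret below is the RFC 6238 test-vector key."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

RFC6238_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, for_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, code, now=None, last_counter=None, step=30, window=1, digits=6):
    """Return the counter the code was accepted for, or None.

    `window` allows that many steps of drift either side of the server clock.
    Counters at or before `last_counter` (the last one this user was accepted for,
    which the caller must persist) are refused, so a code captured in transit
    cannot be replayed within the same 30 s window. The comparison is constant-time."""
    now = time.time() if now is None else now
    counter = int(now) // step
    for k in range(-window, window + 1):
        candidate = counter + k
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI as encoded in the enrolment QR code (Base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30" % (
        quote(issuer), quote(account), b32, quote(issuer))


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC6238_SECRET, now)
    print("code:", code, "accepted at counter:", verify_totp(RFC6238_SECRET, code, now))
    print(provisioning_uri(RFC6238_SECRET, "alice@example.org", "Example"))
```

The secret must be generated per user from `os.urandom` (the test-vector key is only for checking the arithmetic) and stored with the same care as a password hash cannot offer, since it has to be recoverable; rate-limit the verifier as well, because a six-digit code guessed online is one in a million per attempt.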

Linux kernel 4.6 reaches end of life

Filed under
Linux
Security

Those using a GNU/Linux operating system powered by a kernel from the Linux 4.6 branch have been urged to move to Linux kernel 4.7.

According to a report by Softpedia, users have been advised to install the new Linux kernel 4.7.1 build.


Also: The Linux Foundation Announces 2016 LiFT Scholarship Recipients


FOSS and Security

Filed under
OSS
Security
  • Coffee Shop DevOps: How to use feedback loops to get smarter
  • How to design your project for participation

    Working openly means designing for participation. "Designing for participation" is a way of providing people with insight into your project, which you've built from the start to incorporate and act on that insight. Documenting how you intend to make decisions, which communication channels you’ll use, and how people can get in touch with you are the first steps in designing for participation. Other steps include working openly, being transparent, and using technologies that support collaboration and additional ways of inviting participation. In the end, it’s all about providing context: Interested people must be able to get up to speed and start participating in your project, team, or organization as quickly and easily as possible.

  • So long, Firefox Hello!

    After updating my PCLinuxOS install, I noticed that the icon of Firefox Hello had changed: it was red and displayed a message reading "Error!"

    I thought it was a simple login failure, so I logged in and the icon went green, as normal. However, I noticed that Hello did not display the "Start a conversation" window, but one that read "browse this page with a friend".

    A bit confused, I called Megatotoro, who read this statement from Mozilla to me. Apparently, I had missed the fact that Mozilla is discontinuing Hello starting from Firefox 49. The current Firefox version is 48, so...

  • FreeBSD 11.0 Up to Release Candidate State, Support for SSH Protocol v1 Removed

    The FreeBSD Project, through Glen Barber, has had the pleasure of announcing this past weekend the general availability of the first Release Candidate for the upcoming FreeBSD 11.0 operating system, due for release on September 2, 2016.

    It appears to us that the development cycle of FreeBSD 11.0 was accelerated a bit, as the RC1 milestone is here just one week after the release of the fourth Beta build. Again, the new snapshot is available for 64-bit (amd64), 32-bit (i386), PowerPC (PPC), PowerPC 64-bit (PPC64), SPARC64, AArch64 (ARM64), and ARMv6 hardware architectures.

  • Open Source//Open Society Conference Live Blog

    This conference offers 2 huge days of inspiration, professional development and connecting for those interested in policy, data, open technology, leadership, management and team building.

  • White House Source Code Policy Should Go Further

    A new federal government policy will result in the government releasing more of the software that it creates under free and open source software licenses. That’s great news, but doesn’t go far enough in its goals or in enabling public oversight.

    A few months ago, we wrote about a proposed White House policy regarding how the government handles source code written by or for government agencies. The White House Office of Management and Budget (OMB) has now officially enacted the policy with a few changes. While the new policy is a step forward for government transparency and open access, a few of the changes in it are flat-out baffling.

  • The Brewing Problem Of PGP Short-ID Collision Attacks
  • Starwood, Marriott, Hyatt, IHG hit by malware: HEI

    A data breach at 20 U.S. hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental may have divulged payment card data from tens of thousands of food, drink and other transactions, HEI said on Sunday.

  • Linux TCP Flaw Leaves 80% Android Phones Open To Spying
  • Good morning Android!

Security News

Filed under
Security
  • Serving Up Security? Microsoft Patches ‘Malicious Butler’ Exploit — Again

    It’s been a busy year for Windows security. Back in March, Microsoft bulletin MS16-027 addressed a remote code exploit that could grant cybercriminals total control of a PC if users opened “specially crafted media content that is hosted on a website.” Just last month, a problem with secure boot keys caused a minor panic among users.

    However, new Microsoft patches are still dealing with a flaw discovered in November of last year — it was first Evil Maid and now is back again as Malicious Butler. Previous attempts to slam this door shut have been unsuccessful. Has the Redmond giant finally served up software security?

  • PGP Short-ID Collision Attacks Continued, Now Targeted Linus Torvalds

    After contacting the owner, it turned out that one of the keys was a fake. In addition, it was labelled with the same names and email addresses, and even carried signatures created by more fake keys. Weeks later, more developers found their fake "mirror" keys on the keyserver, including one for the PGP Global Directory Verification Key.

  • Let's Encrypt: Why create a free, automated, and open CA?

    During the summer of 2012, Eric Rescorla and I decided to start a Certificate Authority (CA). A CA acts as a third-party to issue digital certificates, which certify public keys for certificate holders. The free, automated, and open CA we envisioned, which came to be called Let's Encrypt, has been built and is now one of the larger CAs in the world in terms of issuance volume.

    Starting a new CA is a lot of work—it's not a decision to be made lightly. In this article, I'll explain why we decided to start Let's Encrypt, and why we decided to build a new CA from scratch.

    We had a good reason to start building Let's Encrypt back in 2012. At that time, work on an HTTP/2 specification had started in the Internet Engineering Task Force (IETF), a standards body with a focus on network protocols. The question of whether or not to require encryption (via TLS) for HTTP/2 was hotly debated. My position, shared by my co-workers at Mozilla and many others, was that encryption should be required.
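The three short-ID items on this page (the fake Torvalds key, the two short-ID collision posts) rest on one fact: the 32-bit short ID is the last four bytes of the SHA-1 fingerprint, so any key whose fingerprint happens to end in those bytes shows the same ID in `gpg --list-keys`. This added example, not code from any of the linked posts, computes v4 fingerprints and key IDs as RFC 4880 specifies and then searches key creation timestamps (a field the key's owner fills in freely) until a second key's fingerprint matches a target in its low bits. The moduli are constructed placeholders of the right length, not real RSA keys. The search is run over 16 bits so it finishes in well under a second; a full 32-bit match costs 2^16 times as much, which is still trivial on a laptop, while the 64-bit long ID is far beyond that budget and the full 160-bit fingerprint is what should actually be compared.

```python
"""OpenPGP v4 fingerprints and key IDs (RFC 4880 12.2), and how cheaply a
32-bit short ID is matched. Added example; the moduli below are placeholders."""
import hashlib
import struct


def mpi(n):
    """RFC 4880 3.2 multiprecision integer: two-byte bit count, then the magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def rsa_pubkey_body(n, e, created):
    """Body of a v4 public-key packet for RSA: version 4, creation time, algorithm 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body):
    """SHA-1 over 0x99, the two-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_id(fp):
    """64-bit key ID: last eight bytes of the fingerprint."""
    return fp[-8:].hex().upper()


def short_id(fp):
    """32-bit 'short' ID: last four bytes, i.e. the tail of the long ID."""
    return fp[-4:].hex().upper()


def forge_short_id(target_fp, n, e, start, bits=32, tries=1 << 24):
    """Walk creation timestamps from `start` until the low `bits` of the resulting
    fingerprint equal the target's. The key material never changes; only the
    self-chosen timestamp does, and nothing outside the key attests to it."""
    mask = (1 << bits) - 1
    want = int.from_bytes(target_fp[-4:], "big") & mask
    for t in range(start, start + tries):
        fp = fingerprint(rsa_pubkey_body(n, e, t))
        if int.from_bytes(fp[-4:], "big") & mask == want:
            return t, fp
    return None


# Constructed placeholders shaped like 2048-bit moduli; NOT valid RSA keys.
VICTIM_N = int.from_bytes(hashlib.sha512(b"victim modulus placeholder").digest() * 4, "big") | (1 << 2047) | 1
ATTACKER_N = int.from_bytes(hashlib.sha512(b"attacker modulus placeholder").digest() * 4, "big") | (1 << 2047) | 1
E = 65537


if __name__ == "__main__":
    victim_fp = fingerprint(rsa_pubkey_body(VICTIM_N, E, 1470000000))
    print("victim  long", long_id(victim_fp), "short", short_id(victim_fp))
    t, fake_fp = forge_short_id(victim_fp, ATTACKER_N, E, 1470000000, bits=16)
    print("forged  long", long_id(fake_fp), "short", short_id(fake_fp), "after", t - 1470000000, "tries")
```

The practical check is the one the "No More Short-IDs" headline asks for: set `keyid-format 0xlong` in gpg.conf as a minimum, and when importing or trusting a key compare the whole fingerprint, never the ID shown in a keyserver search result.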


Security News

Filed under
Security
  • New FFS Rowhammer Attack Hijacks Linux VMs

    Researchers from the Vrije University in the Netherlands have revealed a new version of the infamous Rowhammer attack that is effective at compromising Linux VMs, often used for cloud hosting services.

  • Fixing Things

    Recent reports that TCP connections can be hijacked have kicked an anthill at Kernel.org. Linus and others have a patch.

  • Minica - lightweight TLS for everyone!

    A while back, I found myself in need of some TLS certificates set up and issued for a testing environment.

    I remembered there was some code for issuing TLS certs in Docker, so I yanked some of that code and made a sensible CLI API over it.

  • Guy Tricks Windows Tech Support Scammers Into Installing Ransomware Code

    A man named Ivan Kwiatkowski managed to install Locky ransomware on the machine of a person who was pretending to be a tech support executive of a reputed company. Ivan described his experience in a blog post that tells how the tech support scammer fell into the pit he had dug for innocent people.
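The CVE-2016-5696 items on this page (the Tor note, the "80% of Android phones" headline and the Kernel.org patch under "Fixing Things") all concern one design flaw: Linux rate-limited RFC 5961 challenge ACKs with a single global counter, reset to exactly tcp_challenge_ack_limit (100) once a second and shared by every socket. The model below is an added example, not code from the paper or from the kernel, and keeps only the state needed to show the side channel: a server with two established connections, an attacker who owns one of them, and probes that learn whether a spoofed segment aimed at the other was accepted by counting how many of the attacker's own 100 challenge ACKs come back. The same model with a jittered or a per-socket counter, the two shapes the upstream fixes took, shows the inference failing. Addresses and sequence numbers are constructed; the victim's window is set to 1 MiB so the demonstration finishes in a few hundred probes.

```python
"""Toy model of the CVE-2016-5696 side channel. Added example: a server with
RFC 5961 RST/SYN handling and a challenge-ACK limiter in three configurations,
plus the off-path probes that exploit the vulnerable one."""
import random

MOD = 1 << 32


def in_window(seq, rcv_nxt, wnd):
    """seq lies in [rcv_nxt, rcv_nxt + wnd) in 32-bit sequence arithmetic."""
    return (seq - rcv_nxt) % MOD < wnd


class Server:
    """mode: 'global' (one shared counter, vulnerable), 'jitter' (randomised start
    count) or 'per_socket' (each socket has its own budget)."""

    def __init__(self, limit=100, mode="global", rng=None):
        self.conns = {}                    # 4-tuple -> [rcv_nxt, rcv_wnd]
        self.limit, self.mode = limit, mode
        self.rng = rng or random.Random(1)
        self.new_second()

    def new_second(self):
        """The limiter's once-per-second reset."""
        if self.mode == "jitter":
            self.count = self.limit // 2 + self.rng.randrange(self.limit)
        else:
            self.count = self.limit
        self.per_sock = {}

    def _challenge_ack(self, key):
        if self.mode == "per_socket":
            if self.per_sock.get(key, 0) >= self.limit:
                return None
            self.per_sock[key] = self.per_sock.get(key, 0) + 1
            return "challenge_ack"
        if self.count <= 0:
            return None
        self.count -= 1
        return "challenge_ack"

    def receive(self, key, flags, seq):
        """What the kernel sends back for one segment; None means silently dropped."""
        conn = self.conns.get(key)
        if conn is None:
            return None if flags == "RST" else "rst"   # no socket: RST answers a SYN, silence a RST
        rcv_nxt, wnd = conn
        if flags == "SYN":                             # RFC 5961 4.2: SYN on a live socket
            return self._challenge_ack(key)
        if flags == "RST":
            if seq == rcv_nxt:                         # exact match: the connection is torn down
                del self.conns[key]
                return None
            if in_window(seq, rcv_nxt, wnd):           # RFC 5961 3.2: in-window but inexact
                return self._challenge_ack(key)
        return None


# Constructed endpoints from the RFC 5737 documentation ranges; nothing touches a network.
SERVER = ("203.0.113.5", 80)
ATTACKER = ("198.51.100.7", 40000) + SERVER
VICTIM = ("192.0.2.10", 51234) + SERVER
BOGUS = ("192.0.2.10", 51235) + SERVER


def count_acks(server, own, own_rcv_nxt):
    """Fire `limit` in-window, inexact RSTs on the attacker's own connection and count
    the challenge ACKs returned; each one missing was spent on someone else's segment."""
    return sum(server.receive(own, "RST", (own_rcv_nxt + 1) % MOD) == "challenge_ack"
               for _ in range(server.limit))


def connection_exists(server, own, own_rcv_nxt, guess):
    server.new_second()                    # attacker syncs with the one-second reset
    server.receive(guess, "SYN", 0)        # spoofed; any reply goes to the victim, not here
    return count_acks(server, own, own_rcv_nxt) < server.limit


def seq_in_window(server, own, own_rcv_nxt, victim, seq):
    server.new_second()
    server.receive(victim, "RST", seq % MOD)
    return count_acks(server, own, own_rcv_nxt) < server.limit


def locate_window(server, own, own_rcv_nxt, victim, wnd, margin=256):
    """Narrow the victim's rcv_nxt to an interval of `margin` bytes: stride through the
    sequence space in window-sized steps until a probe lands in-window, then binary-search
    the lower edge. It stops `margin` short on purpose: a RST whose seq equals rcv_nxt
    exactly resets the connection instead of eliciting a challenge ACK."""
    hit = next(s for s in range(0, MOD, wnd) if seq_in_window(server, own, own_rcv_nxt, victim, s))
    lo, hi = hit - wnd, hit                # invariant: rcv_nxt in (lo, hi]
    while hi - lo > margin:
        mid = (lo + hi) // 2
        if seq_in_window(server, own, own_rcv_nxt, victim, mid):
            hi = mid
        else:
            lo = mid
    return lo, hi


def build(mode):
    s = Server(mode=mode)
    s.conns[ATTACKER] = [1000, 65535]
    s.conns[VICTIM] = [0x12345678, 1 << 20]
    return s


if __name__ == "__main__":
    for mode in ("global", "jitter", "per_socket"):
        s = build(mode)
        print(mode, "victim seen:", connection_exists(s, ATTACKER, 1000, VICTIM),
              "bogus seen:", connection_exists(s, ATTACKER, 1000, BOGUS))
    print("window edge:", [hex(x) for x in locate_window(build("global"), ATTACKER, 1000, VICTIM, 1 << 20)])
```

On a real target every probe costs a full second of wall-clock time, which is why the paper's attack takes tens of seconds rather than milliseconds and why adding randomness to the counter was enough to break it. Until a patched kernel is running, the widely circulated interim mitigation is to raise `net.ipv4.tcp_challenge_ack_limit` to a very large value so the budget is never exhausted and the count carries no information.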

Security News

Filed under
Security
  • Hacker demonstrates how voting machines can be compromised [Ed: Microsoft inside]

    Concerns are growing over the possibility of a rigged presidential election. Experts believe a cyberattack this year could be a reality, especially following last month's hack of Democratic National Committee emails.

    The ranking member of the Senate Homeland Security Committee sent a letter Monday to the Department of Homeland Security, saying in part: "Election security is critical, and a cyberattack by foreign actors on our elections systems could compromise the integrity of our voting process."

    Roughly 70 percent of states in the U.S. use some form of electronic voting. Hackers told CBS News that problems with electronic voting machines have been around for years. The machines and the software are old and antiquated. But now with millions heading to the polls in three months, security experts are sounding the alarm, reports CBS News correspondent Mireya Villarreal.

  • Another Expert Weighs in on Election Hacking

    Today the old Gray Lady, the New York Times, no less, weighed in on election hacking in an Op/Ed piece titled The Election Won't be Rigged. But it Could be Hacked. Of course, anyone who's read my second cybersecurity thriller, The Lafayette Campaign, a Tale of Election and Deceptions, already knew that.

    The particular focus of the NYT article is that since voting can be hacked, it's vital to have a way to audit elections after they occur to see whether that has been the case, and to reveal the true electoral result.

  • New release: usbguard-0.5.11
  • Linux.Lady Trojan Turns Redis Servers to Mining Rigs