Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • Default settings in Apache may decloak Tor hidden services

    The information leak has long been known to careful administrators who take the time to read Tor documentation, but that hasn't prevented some Tor hidden services from falling victim to it. To plug the hole, darkweb sites that run Apache must disable the mod_status module that by default sets up a server status page displaying a variety of potentially sensitive information about the servers. Details include the number of requests per second sent to the server, the most recent HTTP requests received, CPU usage, and in some cases the approximate longitude of the server.

  • WordPress Update Patches Pair of Vulnerabilities

    Automatic updates that patch the two flaws and fix 17 bugs are now rolling out to users of the open-source WordPress CMS.
    A new update to the WordPress open-source blogging and content management system (CMS) has been released that patches a pair of security vulnerabilities and includes 17 bug fixes that improve functionality.

  • Linux Computers Becoming Increasingly Malware Prone
  • 10 Mistakes to Avoid to Make Open Source More Secure

    Open source is becoming more popular in the enterprise. But so are open-source vulnerabilities. Here is how you can prevent open source-related mishaps in 2016.

  • Custom and Open-Source Code: A New Approach to Application Security Management

    Use of open-source software is ubiquitous across the Web, cloud, containers, enterprise apps, mobile and the Internet of Things (IoT). Analysis from Black Duck, an IBM Security partner, showed that open-source code comprises about 30 percent of the average commercial software application; this figure can jump even higher for in-house applications. According to Gartner, open source will be included in mission-critical applications within 99 percent of Global 2000 enterprises by the end of 2016.

Ubuntu Phone Users Getting Patch for Mir Bug That Made Their Devices Unstable

Filed under
Security
Ubuntu

On February 3, 2016, Canonical's Łukasz Zemczak sent his daily report to inform all Ubuntu Phone users about the latest work done by the Ubuntu Touch development team on the upcoming OTA-9.5 hotfix.

Read more

Go phish your own staff: Dev builds open-source fool-testing tool

Filed under
OSS
Security

The platform was written in Go and has been posted to GitHub where it's had more than 300 commits at the time of writing. It differs from some other anti-phishing platforms in part because it is hosted on premise rather than in the cloud, “There are many commercial offerings that provide phishing simulation/training [but] unfortunately, these are SaaS solutions that require you to hand over your data to someone else,” the GoFish team says.

Read more

Security Leftovers

Filed under
Security
  • Tuesday's security advisories
  • Best practice - Don't serve writeable PHP files

    I deal with compromises often enough of PHP-based websites that I wish to improve hardening.

    One obvious way to improve things is to not serve PHP files which are writeable by the webserver-user. This would ensure that things like wp-content/uploads didn't get served as PHP if a compromise wrote valid PHP there.

  • New Cross-Platform Backdoors Go From Linux to Windows

    Kaspersky Lab has once again found a nasty little piece of malware that started out in Linux and made the jump to Windows. These cross-platform backdoors spy on the user and are by no means the first backdoor virus of this kind.

  • Obama’s $6bn Security Firewall EINSTEIN Is Not Good Enough To Protect The US Government

    The U.S. Department of Homeland Security (DHS) has spent about $6 billion on a firewall named EINSTEIN intrusion detection system. Officially known as the National Cybersecurity Protection System, the firewall is being developed with an intention to protect the U.S. government agencies against the malicious cyber attacks.

  • Another Serious Bug Hits OpenSSL, But this Time, It's No Heartbleed

    OpenSSL, the open source encryption toolkit that made headlines in 2014 for the Heartbleed security bug, has been hit by another serious vulnerability. This time, however, the real-world damage seems minimal.

    The project disclosed the bug, which results from a new method for generating numbers used for key exchanges, on Jan. 28. It assigned the bug a high severity level, presumably since the flaw could be exploited in order to decrypt data that is encrypted using OpenSSL, the protocol widely used for encrypting information transmitted to and from HTTPS-protected websites.

The top 10 Linux security distros

Filed under
Linux
Security

Linux distros can be used for a lot of things, from games to education, but when it comes to security, there’s a whole mini-universe available.

Not only can you find distros made to protect your privacy, making sure you leave no trace as you move around the web, but also those that help you test your network and system security.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • Your Smartphone Can Be Hacked Due To A Backdoor In Your Processor

    A new security vulnerability has been reported in the smartphones which use MediaTek Processors. MediaTek company is a Taiwan-based company which manufacturers processors for the budget range smartphones. The security bug was found because a debug feature was not closed on the smartphone after testing.

    A new bug has surfaced lately on the Android smartphones or tablets which use a MediaTek processor. These devices are vulnerable to remote hacking via a backdoor. This security vulnerability was discovered by a security researcher, Justin Case. The MediaTek company has been informed about the flaw. This security vulnerability is apparently due to a debug tool which was left open by MediaTek in the shipped devices.

  • Using IPv6 with Linux? You’ve likely been visited by Shodan and other scanners
  • Trojanized Android games hide malicious code inside images

    Over 60 Android games hosted on Google Play had Trojan-like functionality that allowed them to download and execute malicious code hidden inside images.

    The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

  • Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android
  • On WebKit Security Updates

    Major desktop browsers push automatic security updates directly to users on a regular basis, so most users don’t have to worry about security updates. But Linux users are dependent on their distributions to release updates. Apple fixed over 100 vulnerabilities in WebKit last year, so getting updates out to users is critical.

Celebrating 15 Years of SELinux

Filed under
Red Hat
Security

On Dec. 22, 2000, the NSA released their code to the wider open source world in the form of SELinux, and in doing so forever changed the security landscape of not just Linux, but the technology world at large. A combination of policies and security frameworks, SELinux is one of the most widely-used Linux security modules. Without these innovations, Common Criteria, a crucial government security certification, would likely not exist for Linux.

Read more

Kali Linux Literature

Filed under
GNU
Linux
Security
  • Migrating from Kali Linux 2 to Kali Linux 2016.1

    The first edition of Kali Linux Rolling, Kali 2016.1, was released more than a week ago. It marks the end of Kali Linux 2 and the beginning of a new release regime.

    It’s still based on Debian Testing, so existing users don’t have to do anything special but run a few commands to upgrade from Kali Linux 2 to Kali Linux 2016.1. Aside from installation images for the GNOME 3 desktop, there are also installation images for the Light edition, which uses the Xfce desktop environment. And there are also ARM installation images.

  • Kali Linux Cookbook eBook - $24 value, now free!

Lexumo Lands $4.89 Million Seed Round To Help Ensure Open Source Code Security

Filed under
OSS
Security

What has Lexumo created to warrant that kind of financial attention? It indexed all of the open source code in the world and created a cloud security service aimed at helping companies using open source code inside embedded systems or enterprise software. These groups can submit their code to the Lexumo service and it checks for any known security vulnerabilities. What’s more, it will then continuously monitor the code for updates and inform developers when one is available.

Read more

Syndicate content

More in Tux Machines

Today in Techrights

today's leftovers

  • iTWire - Microsoft to reduce global workforce
  • Microsoft Faces Two Lawsuits For Aggressive Windows 10 Upgrade Campaign
    The series of lawsuits against Microsoft doesn’t seem to terminate sooner.
  • Controlling access to the memory cache
    Access to main memory from the processor is mediated (and accelerated) by the L2 and L3 memory caches; developers working on performance-critical code quickly learn that cache utilization can have a huge effect on how quickly an application (or a kernel) runs. But, as Fenghua Yu noted in his LinuxCon Japan 2016 talk, the caches are a shared resource, so even a cache-optimal application can be slowed by an unrelated task, possibly running on a different CPU. Intel has been working on a mechanism that allows a system administrator to set cache-sharing policies; the talk described the need for this mechanism and how access to it is implemented in the current patch set.
  • Why Blockchain Matters
    If your familiarity with Bitcoin and Blockchain is limited to having heard about the trial of Silk Road’s Ross Ulbricht, you can be forgiven -- but your knowledge is out of date. Today, Bitcoin and especially Blockchain are moving into the mainstream, with governments and financial institutions launching experiments and prototypes to understand how they can take advantage of the unique characteristics of the technology.
  • Our Third Podcast, with Cybik, is Out Now
    Cybik comes back on how he came to know and use Linux in the first place, his gaming habits, how he got involved into the Skullgirls port, and shares with us his outlook on the Linux gaming landscape. The podcast is just an hour long and you can either download it below, and use our RSS feed (that has the additional benefit of making it easy for you to get new episodes from now on):
  • GSoC: final race and multi-disc implementation
    It’s been a while since I wrote a post here. A lot has happened since then. Now Gnome-games fully supports PlayStation games, with snapshoting capabilities. The next thing I’m working on is multi-disc support, specially for PlayStation titles. So far, there’s a working propotity although a lot needs to be re-engineered and polished. This last part of the project has involved working both in UI, persistance and logic layers.
  • This Week in GTK+ – 11
    In this last week, the master branch of GTK+ has seen 22 commits, with 6199 lines added and 1763 lines removed.
  • [Solus] Replacement of Release Schedule
    In the not so distant past, Solus followed a static point release model. Our most current release at this time is 1.2, with a 1.2.1 planned to drop in the near future. However, we also recently announced our move to a rolling release model. As such, these two schools of thought are in contradiction of one another.
  • First release of official ArchStrike ISO files! [Ed: last week]
  • July ’16 security fixes for Java 8
    On the heels of Oracle’s July 2016 security updates for Java 8, the icedtea folks have released version 3.1.0 of their build framework so that I could create packages for OpenJDK 8u101_b13 or “Java 8 Update 101 Build 13” (and the JRE too of course).
  • Pipelight update
    I decided to do an update of my “pipelight” package. I had not looked at it for a long time, basically because I do not use it anymore, but after I upgraded my “wine” package someone asked if I could please write up what could be done for wine-pipelight. As you know, pipelight is a Linux plugin wrapper for Mozilla-compatible browsers which lets you install and use Windows plugins on Linux. This configuration enables you to access online services which would otherwise be unavailable to you on a Linux platform. The pipelight plugin wrapper uses wine to load the Windows software.
  • Red Hat, Inc. (NYSE:RHT) Current Analyst Ratings
  • Friday Session Wrap for Red Hat, Inc. (NYSE:RHT)
  • Fedora @ EuroPython 2016 - event report
  • Android 7.0 Nougat could be release as soon as next month
  • Android gains anti-spam caller ID feature
  • Amazon Cloud Revenue Hits $2.9B
  • ServerMania – Discover High Availability Cloud Computing, powered by OpenStack
    Cloud computing is fast growing in the world of computer and Internet technology, many companies, organizations and even individuals are opting for shared pool of computing resources and services. For starters, Cloud computing is a type of Internet-based computing where users consume hosted services on shared server resources. There are fundamentally three types of cloud computing available today: private, public and hybrid cloud computing.

Leftovers: OSS and Sharing

  • Student survey data shows Open Source training uptake amongst women and young people remains extreme
    Future Cert, the UK and Ireland representative for the LPI (Linux Professional Institute), is calling for more awareness of Open Source software training amongst the under 21s and especially women, which the industry is so desperately in need of. New figures from a recent Future Cert student survey reveals that the number of women and young people taking LPI Certification in Open Source computing remains extremely low. Of those questioned, 98% were male, and just 2% were female, taking an LPI exam. This figure is significantly less than an already low figure of around 15% to 17% of women in IT careers in general. It raises the question, what does the industry need to do to make an Open Source career attractive to women?
  • Quality in open source: testing CRIU
    Checkpoint/Restore In Userspace, or CRIU, is a software tool for Linux that allows freezing a running application (or part of it) and checkpointing it to disk as a collection of files. The files can then be used to restore and run the application from the point where it was frozen. The distinctive feature of the CRIU project is that it is mainly implemented in user space. Back in 2012, when Andrew Morton accepted the first checkpoint/restore (C/R) patches to the Linux kernel, the idea to implement saving and restoring of running processes in user space seemed kind of crazy. Yet, four years later, not only is CRIU working, it has also attracted more and more attention. Before CRIU, there had been other attempts to implement checkpoint/restore in Linux (DMTCP, BLCR, OpenVZ, CKPT, and others), but none were merged into the mainline. Meanwhile CRIU survived, which attests to its viability. Some time ago, I implemented support for the Test Anything Protocol format into the CRIU test runner; creating that patch allowed me to better understand the nature of the CRIU testing process. Now I want to share this knowledge with LWN readers. [...] The CRIU tests are quite easy to use and available for everyone. Moreover, the CRIU team has a continuous-integration system that consists of Patchwork and Jenkins, which run the required test configurations per-patch and per-commit. Patchwork also allows the team to track the status of patch sets to make the maintainer's work easier. The developers from the team always keep an eye on regressions. If a commit breaks a tree, the patches in question will not be accepted.
  • Open-source Wire messenger gets encrypted screen-sharing
    Chat app Wire has been rapidly adding feature as of late as it looks to gain some traction against the myriad of competitors out there. The latest trick in its arsenal is screen sharing. Now you can click on the new screen-sharing button to, well, share your screen during a call (if you’re on a desktop, that is). It works during group chats too and, as with all Wire communications, is encrypted end-to-end. Wire believes it’s the first messaging app to include end-to-end encryption.
  • SPI board election results are available
    Software in the Public Interest (SPI) has completed its 2016 board elections. There were two open seats on the board in addition to four board members whose terms were expiring. The six newly elected members of the board are Luca Filipozzi, Joerg Jaspert, Jimmy Kaplowitz, Andrew Tridgell, Valerie Young, and Martin Zobel-Helas. The full results, including voter statistics, are also available.
  • SFK 2016 - Call for Speakers
    Software Freedom Kosova is an annual international conference in Kosovo organized to promote free/libre open source software, free culture and open knowledge, now in its 7th edition. It is organized by FLOSSK, a non governmental, not for profit organization, dedicated to promote software freedom and related philosophies.
  • Microsoft's Next Open Source Target Could Be PowerShell: Report
  • Open-source drug discovery project advances drug development
  • The First-Ever Test of Open-Source Drug-Discovery
  • Open-Source Drug Discovery a Success
  • CNS - Open-Source Project Spurs New Drug Discoveries
    Medicines for Malaria Venture, a nonprofit group based in Geneva, Switzerland, distributed 400 diverse compounds with antimalarial activity — called the Malaria Box — to 200 labs in 30 nations in late 2011. The findings from subsequent studies and analyses were published Thursday in the journal PLOS Pathogens. Distributing the Malaria Box to various labs enabled scientists to analyze the compounds and develop findings that have led to more than 30 new drug-development projects for a variety of diseases. As a stipulation to receiving the samples, the various research groups had to deposit the information from their studies in the public domain.
  • Wire and Launchkit go open source, a water flow monitoring system, and more news
  • Apache, astsu, Biscuit, Python, Puppet 4, systemd & more!
  • The Onion Omega2: The Latest Router Dev Board
  • Build a $700 open source bionic prosthesis with new tutorial by Nicolas Huchet of Bionico
    The 3D printing community has already successfully taken over the market for cosmetic prostheses, as fantastic initiatives like E-NABLE have proven. But the world of bionics is a different place and just a handful of makers have gone there with any form of success, such as the very inspiring Open Bionics. But even 3D printed bionic prostheses are definitely within our reach, as French open source fanatic Nicolas Huchet of Bionico has proven. Though by no means a making expert himself, he 3D printed his own open source bionic hand during a three month residency at FabLab Berlin and has now shared all the files – including an extensive tutorial – online. This means you can now 3D print your very own bionic prosthesis at home for just $700.
  • BCN3D Technologies develops open source 3D printed 'Moveo' robotic arm for schools
    Designed from scratch and developed by BCN3D engineers in collaboration with the Generalitat de Catalunya’s Departament d’Ensenyament (Department of Education), the BCN3D Moveo is an Arduino Mega 2560-powered, 3D printed robotic arm which could enable schools and colleges in Spain and elsewhere to teach students the basics of robotics, mechanical design, and industrial programming. When the Departament d’Ensenyament approached BCN3D one year ago regarding the possibility of an educative robotics project, the tech organization jumped at the chance to get on board.

Security Leftovers