Security

Canonical Patches Multiple Kernel Vulnerabilities in All Supported Ubuntu OSes

Filed under
Security

Today, November 11, 2016, Canonical published several security advisories to inform users of the Ubuntu Linux operating system about new kernel updates that patch multiple vulnerabilities discovered lately.

The Future of IoT: Containers Aim to Solve Security Crisis

Despite growing security threats, the Internet of Things hype shows no sign of abating. Feeling the FoMo, companies are busily rearranging their roadmaps for IoT. The transition to IoT runs even deeper and broader than the mobile revolution. Everything gets swallowed in the IoT maw, including smartphones, which are often our windows on the IoT world, and sometimes our hubs or sensor endpoints.

New IoT focused processors and embedded boards continue to reshape the tech landscape. Since our Linux and Open Source Hardware for IoT story in September, we’ve seen Intel Atom E3900 “Apollo Lake” SoCs aimed at IoT gateways, as well as new Samsung Artik modules, including a Linux-driven, 64-bit Artik7 COM for gateways and an RTOS-ready, Cortex-M4 Artik0. ARM announced Cortex-M23 and Cortex-M33 cores for IoT endpoints featuring ARMv8-M and TrustZone security.

Security Leftovers

  • IoTSeeker Scanner Finds Smart Devices With Dumb Credentials

    The IoTSeeker tool from Rapid7 is designed to comb through users’ networks and identify common IoT devices with default usernames and passwords enabled. Those are the devices upon which botnets such as Mirai feed, especially those with telnet exposed on default ports. Mirai searches for devices with telnet enabled and using default credentials and then compromises them and begins scanning again.

  • DDoS Attack and Resiliency Measures

    Recently DDoS has come into the news because of a recent attack (by IoT devices) on Twitter. Although DDoS is not a new kind of attack, because of the advent of IoT, the "smart" devices are new victims for web-based attacks, and as per the predictions it is more likely to grow. What makes this situation even more perilous is the rapid growth of IoT devices out there on the market. As per the estimate, there would be around 50 billion connected devices by the year 2020.

    The DDoS attacks cannot be mitigated completely but by taking some measures the effect can be minimized. This is the theme of this article. Let’s first understand...

  • Donald Trump's campaign website 'hacked' by little poop emoji

    For a few hours the banner of Donald Trump's website contained a familiar face. The poop emoji.

    Perhaps foreshadowing the state in which we're in, the little character appeared in the banner of donaldjtrump.com on Tuesday afternoon.

    This was a bug rather than a hack, and it allowed users to write in whatever they wished by adding it into the URL.

New Tor "The Onion Router" Anonymity Network Stable Branch Getting Closer

Nick Mathewson from the Tor Project announced on the 8th of November 2016, the release of yet another Alpha development snapshot towards the major Tor 0.2.9 "The Onion Router" release.

Security News

  • Security, Cyber, and Elections (part 1)

    The US election cycle has been quite heavily dominated by cyber security issues. A number of cyber security experts have even stepped forward to offer their solutions to how to keep safe. Everyone has problems with their proposals, that fundamentally they all stem from not understanding the actual threat.

    Achieving security is possible using counterintelligence principles, but it requires knowing what you want to protect, who you want to protect it from, and then implementing that plan. I expect this post to be deeply unpopular with everyone, but I’ll explain my position anyway.

  • DDoS attack halts heating in Finland amidst winter

    A Distributed Denial of Service (DDoS) attack halted heating distribution at least in two properties in the city of Lappeenranta, located in eastern Finland. In both of the events the attacks disabled the computers that were controlling heating in the buildings.

    Both of the buildings were managed by Valtia, the company in charge of managing the buildings' overall operation and maintenance. According to Valtia CEO, Simo Rounela, in both cases the systems that controlled the central heating and warm water circulation were temporarily disabled.

    In the city of Lappeenranta, there were at least two buildings whose systems were knocked down by the network attack. In a DDoS attack the network is overloaded by traffic from multiple locations with the aim of causing the system to fail.

  • Communications watchdog: Criminals behind home automation system cyber attack

    The Finnish communications regulator Ficora said it suspects criminal entities of coordinating a web attack that disrupted home automation systems in the southeastern city of Lappeenranta. However the agency said that the real target of the attack may not have been in Finland.

    "According to our information, the systems in question are not the intended targets in this case, but they were compromised in a cyber attack that focused on European entities. In other words, it seems that there was some criminal group behind it," said Jarkko Saarimäki, head of Ficora’s cyber security centre.

    Officials said that the event bore the hallmark of a denial of service (DoS) strike, which floods a service with so much web traffic that it is unable to provide services normally.

  • Researchers hack Philips Hue smart bulbs from the sky

    Security researchers in Canada and Israel have discovered a way to take over the Internet of Things (IoT) from the sky.

    Okay, that’s a little dramatic, but the researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code.

Security Leftovers

  • Security updates for Tuesday
  • Security advisories for Monday
  • Reproducible Builds: week 80 in Stretch cycle

    Patches to GCC to generate reproducible output independently of the build-path were submitted by Ximin Luo.

  • Security considerations with github continuous integration

    Continuous integration (CI) support in github is a very useful addition. Not only can you utilize existing services like Travis CI, you can utilize the github API and roll your own, which is exactly what we did for libStorageMgmt. LibStorageMgmt needs to run tests for hardware specific plugins, so we created our own tooling to hook up github and our hardware which is geographically located across the US. However, shortly after getting all this in place and working it became pretty obvious that we provided a nice attack vector…

  • The perfect cybercrime: selling fake followers to fake people

    Hackers are recruiting the internet of things into a botnet. But this time they’re not trying to take down the internet. They’re just using them to make fake social media accounts – which they can then sell to online narcissists to make an easy buck.

    Masarah-Cynthia Paquet-Clouston, a criminologist with the University of Montreal, and Olivier Bilodeau, a cybersecurity researcher at Montreal-based company GoSecure, have uncovered a large botnet that recruits everyday devices such as connected toasters, fridges or even your grandmother’s router to help commit social media fraud. They think that this stealthy, lucrative scheme is a glimpse into the future of low-level cybercrime.

  • Yet Another E-voting Machine Vulnerability Found

    We've been talking about the ridiculousness of e-voting machines for well over a decade. If a machine doesn't include a paper trail for backup, it's suspect. That's been the case since e-voting machines have been on the market, and many of us have been pointing this out all along. And the big e-voting companies have a long history of not really caring, even as their machines are shown to be vulnerable in a variety of ways. So it comes as little to no surprise to find out that security firm Cylance has announced that it's found yet another set of e-voting vulnerabilities in the Sequoia AVC Edge Mk1 voting machine. Sequoia especially has a long history of buggy, faulty machines.

Parsix GNU/Linux 8.15 and 8.10 Get Linux Kernel 4.4.30 LTS, New Security Updates

Filed under
GNU
Linux
Security

Users of the Debian-based Parsix GNU/Linux 8.15 "Nev" and Parsix GNU/Linux 8.10 "Erik" distributions are in for a treat this weekend, as a new kernel update and latest Debian Stable security updates landed in the software repositories.

Security Leftovers

  • Admins, update your databases to avoid the MySQL bug

    MySQL, MariaDB, and PerconaDB administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database.

    The two critical vulnerabilities, which can lead to arbitrary code execution, root privilege escalation, and server compromise, affect MySQL and forks like Percona Server, Percona XtraDB Cluster, and MariaDB, according to security researcher Dawid Golunski, who provided details of the vulnerability on LegalHackers. Administrators should install the latest updates as soon as possible, or in cases where the patches cannot be applied, they should disable symbolic link support within the database server configuration by setting symbolic-links=0 in my.cnf.

  • OOPS! MySQL Falls Down…

    While programming, it’s easy to get tunnel-vision or to accept some “tiny” risk that things could go wrong at some point but write the code that way anyway. That’s what happened with MySQL and MariaDB. Creating a database should not create a vulnerability but it does, because a repair operation allows changing permissions of a file with a particular name which a bad guy could substitute with malicious code…

  • Talk Recap: Holistic Security for OpenStack Clouds

    Thanks to everyone who attended my talk at the OpenStack Summit in Barcelona! I really enjoyed sharing some tips with the audience and it was great to meet some attendees in person afterwards.

    If you weren’t able to make it, don’t fret! This post will cover some of the main points of the talk and link to the video and slides.

  • [Older, out of paywall now] Dirty COW and clean commit messages
  • Book Review: PAM Mastery

    Linux, FreeBSD, and Unix-like systems are multi-user and need some way of authenticating individual users. Back in the old days, this was done in different ways. You need to change each Unix application to use a different authentication scheme. Also, authentication schemes differed between a variant of Unix systems. Porting was a nightmare. For example to use Windows Server (Active Directory) or LDAP for authentication you need to make changes to an application. Each application had its way of authenticating users. So Open Group led to the development of PAM for the Unix-like system. Today Linux, FreeBSD, MacOS X and many other Unix-like systems are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM). The book “PAM Mastery” deals with the black magic of PAM.

Security News

  • Security advisories for Friday
  • Netherlands to trial Internet voting [Ed: terrible idea, for many reasons.]

    The Dutch government will this year test the possibilities of voting via the Internet. The test will include citizens abroad: the pilot, by the Ministry of the Interior, will involve the city of The Hague, which manages the registration of citizens abroad.

    The city recently invited citizens to take part in the tests - a simulated election. Participants will be able to vote for fictitious political parties and candidates. The pilot is intended to test security measures, and to check if Internet voting is reliable.

  • U.S. boosting cyber defenses, but not police presence, for election

    Federal and state authorities are beefing up cyber defenses against potential electronic attacks on voting systems ahead of U.S. elections on November 8, but taking few new steps to guard against possible civil unrest or violence.

    The threat of computer hacking and the potential for violent clashes is darkening an already rancorous presidential race between Democrat Hillary Clinton and Republican Donald Trump, amid fears that Russia or other actors could spread political misinformation online or perhaps tamper with voting.

  • 10 ways to make sure your remote workers are being safe

    With an ever-expanding mobile workforce, infosec teams are increasingly tasked with extending cybersecurity safeguards beyond the physical and virtual walls of their organizations. With endpoints not only increasing but on the move, the challenge is real. In addition to implementing the appropriate technical defenses, there is an important aspect to protecting corporate data and systems: Asking end-users to get involved.

  • Did the Mirai Botnet Really Take Liberia Offline?

    KrebsOnSecurity received many a missive over the past 24 hours from readers who wanted to know why I’d not written about widespread media reports that Mirai — a malware strain made from hacked “Internet of Things” (IoT) devices such as poorly secured routers and IP cameras — was used to knock the entire country of Liberia offline. The trouble is, as far as I can tell no such nationwide outage actually occurred.

    First, a quick recap on Mirai: This blog was taken offline in September following a record 620 Gbps attack launched by a Mirai botnet. The source code for Mirai was leaked online at the end of September. Since then, the code has been forked several times, resulting in the emergence of several large Mirai-based botnets. In late October, many of the Internet’s top destinations went offline for the better part of a day when Mirai was used to attack Internet infrastructure firm Dyn.
