Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Oops: Bounty-hunter found Vine's source code in plain sight

    A bounty-hunter has gone public with a complete howler made by Vine, the six-second-video-loop app Twitter acquired in 2012.

    According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry.

    While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request.

  • US standards lab says SMS is no good for authentication

    America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication.

    That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future releases of NIST's guidance.

Security News

Filed under
Security
  • Security advisories for Monday
  • EU to Give Free Security Audits to Apache HTTP Server and Keepass

    The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects.

    The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers.

    The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.

  • What is your browser really doing?

    While Microsoft would prefer you use its Edge browser on Windows 10 as part of its ecosystem, the most popular Windows browser is Google’s Chrome. But there is a downside to Chrome – spying and battery life.

    It all started when Microsoft recently announced that its Edge browser used less battery power than Google Chrome, Mozilla Firefox or Opera on Windows 10 devices. It also measured telemetry – what the Windows 10 device was doing when using different browsers.

    What it found was that the other browsers had a significantly higher central processing unit (CPU), and graphics processing unit (GPU) overhead when viewing the same Web pages. It also proved that using Edge resulted in 36-53% more battery life when performing the same tasks as the others.

    Let’s not get into semantics about which search engine — Google or Bing — is better; this was about simple Web browsing, opening new tabs and watching videos. But it started a discussion as to why CPU and GPU usage was far higher. And it relates to spying and ad serving.

  • Is Computer Security Becoming a Hardware Problem?

    In December of 1967 the Silver Bridge collapsed into the Ohio River, killing 46 people. The cause was determined to be a single 2.5 millimeter defect in a single steel bar—some credit the Mothman for the disaster, but to most it was an avoidable engineering failure and a rebuttal to the design philosophy of substituting high-strength non-redundant building materials for lower-strength albeit layered and redundant materials. A partial failure is much better than a complete failure.

    [...]

    In 1996, Kocher co-authored the SSL v3.0 protocol, which would become the basis for the TLS standard. TLS is the difference between HTTP and HTTPS and is responsible for much of the security that allows for the modern internet. He argues that, barring some abrupt and unexpected advance in quantum computing or something yet unforeseen, TLS will continue to safeguard the web and do a very good job of it. What he's worried about is hardware: untested linkages in digital bridges.

  • Your Smart Robot Is Coming in Five Years, But It Might Get Hacked and Kill You

    A new report commissioned by the Department of Homeland Security forecasts that autonomous artificially intelligent robots are just five to 10 years away from hitting the mainstream—but there’s a catch.

    The new breed of smart robots will be eminently hackable. To the point that they might be re-programmed to kill you.

    The study, published in April, attempted to assess which emerging technology trends are most likely to go mainstream, while simultaneously posing serious “cybersecurity” problems.

    The good news is that the near future is going to see some rapid, revolutionary changes that could dramatically enhance our lives. The bad news is that the technologies pitched to “become successful and transformative” in the next decade or so are extremely vulnerable to all sorts of back-door, front-door, and side-door compromises.

  • Trump, DNC, RNC Flunk Email Security Test

    At issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.

  • NIST Prepares to Ban SMS-Based Two-Factor Authentication

    The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA).

    The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by governments and private agencies to assess the security of their services and software.

    NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.

  • 1.6m Clash of Kings forum accounts 'stolen'

    Details about 1.6 million users on the Clash of Kings online forum have been hacked, claims a breach notification site.

    The user data from the popular mobile game's discussion forum were allegedly targeted by a hacker on 14 July.

    Tech site ZDNet has reported the leaked data includes email addresses, IP addresses and usernames.

  • Hacker steals 1.6 million accounts from top mobile game's forum

    [Ed: vBulletin is proprietary software -- the same crap Canonical used for Ubuntu forums]

pfSense 2.3.2 Open Source BSD Firewall Distro Arrives with over 70 Improvements

Filed under
Security
BSD

Electric Sheep Fencing LLC, through Chris Buechler, proudly announced on July 25, 2016, the immediate availability for download of the second maintenance update aimed at the pfSense 2.3 series of the FreeBSD-based open-source firewall distribution.

Read more

Security Leftovers

Filed under
Security

OpenBSD 6.0 tightens security by losing Linux compatibility

Filed under
Security
BSD

OpenBSD, one of the more prominent variants of the BSD family of Unix-like operating systems, will be released at the beginning of September, according to a note on the official OpenBSD website.

Often touted as an alternative to Linux. OpenBSD is known for the lack of proprietary influence on its software and has garnered a reputation for shipping with better default security than other OSes and for being highly vigilant (some might say strident) about the safety of its users. Many software router/firewall projects are based on OpenBSD because of its security-conscious development process.

Read more

Security News

Filed under
Security

Security News

Filed under
Security
  • As a blockchain-based project teeters, questions about the technology’s security

    There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles and books touting blockchain-based ledgers as the next technology that will run the world.

  • Fix Bugs, Go Fast, and Update: 3 Approaches to Container Security

    Containers are becoming the central piece of the future of IT. Linux has had containers for ages, but they are still maturing as a technology to be used in production or mission-critical enterprise scenarios. With that, security is becoming a central theme around containers. There are many proposed solutions to the problem, including identifying exactly what technology is in place, fixing known bugs, restricting change, and generally implementing sound security policies. This article looks at these issues and how organizations can adapt their approach to security to keep pace with the rapid evolution of containers.

  • Preventing the next Heartbleed and making FOSS more secure [Ed: Preventing the next Microsoft-connected trademarked bug for FOSS and making FOSS more secure from Microsoft FUD]

    David Wheeler is a long-time leader in advising and working with the U.S. government on issues related to open source software. His personal webpage is a frequently cited source on open standards, open source software, and computer security. David is leading a new project, the CII Best Practices Badging project, which is part of the Linux Foundation's Core Infrastructure Initiative (CII) for strengthening the security of open source software. In this interview he talks about what it means for both government and other users.

Keeweb A Linux Password Manager

Filed under
Linux
Reviews
Security

Today we are depending on more and more online services. Each online service we sign up for, let us set a password and this way we have to remember hundreds of passwords. In this case, it is easy for anyone to forget passwords. In this article I am going to talk about Keeweb, a Linux password manager that can store all your passwords securely either online or offline.

Read<br />
more

Security News

Filed under
Security
  • Security updates for Thursday
  • Open Source Information Security Tool Aimed at MSSPs

    A Virginia software developer announced today the release of what’s billed as the first open source information security analytics tool for managed security services providers (MSSP) and enterprise.

    IKANOW says its new platform features multi-tenancy, enterprise scalability and is fully customizable.

  • Most companies still can't spot incoming cyberattacks

    Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

    According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

  • HTTpoxy Flaw Re-emerges After 15 Years and Gets Fixed

    After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed.
    Some flaws take longer—a lot longer—than others to get fixed. The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18.

    The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts. The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic. The flaw at its core is a name space conflict between two different uses for a server variable known as HTTP Proxy.

  • Hack The World

    Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer Internet.

  • EU aims to increase the security of password manager and web server software: KeePass and Apache chosen for open source audits [“pyrrhic because of Keepass : flushing the audit money down the toilet on MS based cruft” -iophk]

    For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

    The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

  • KeeThief – A Case Study in Attacking KeePass Part 2

    The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares“. Our counterpoint to this is that protecting your computer from malicious compromise is a very different problem when it’s joined to a domain versus isolated for home use. As professional pentesters/red teamers we’re highly interested in post-exploitation techniques applicable to enterprise environments, which is why we started looking into ways to “attack” KeePass installations in the first place. Our targets are not isolated home users.

  • Giuliani calls for cybersecurity push

    Former New York mayor Rudy Giuliani made a surprise appearance at the BlackBerry Security Summit, warning of the rapid growth of cybercrime and cyberterrorism.

    Cybercrime and cyberterrorism are both growing at rates between 20% and 40%, said Giuliani, who made a brief return from the Republican National Convention in Cleveland to speak at BlackBerry's New York event.

    "Think of it like cancer. We can't cure it... but if we catch it early we can put it into remission," he said. The quicker you can spot an attack, the less chance there is of loss.

  • Notorious Hacker ‘Phineas Fisher’ Says He Hacked The Turkish Government

    A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

    The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

    “I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.

Security News

Filed under
Security
Syndicate content

More in Tux Machines

Leftovers: Gaming

Leftovers: Software

Linux and FOSS Events

  • Debian SunCamp 2017 Is Taking Place May 18-21 in the Province of Girona, Spain
    It looks like last year's Debian SunCamp event for Debian developers was a total success and Martín Ferrari is back with a new proposal that should take place later this spring during four days full of hacking, socializing, and fun. That's right, we're talking about Debian SunCamp 2017, an event any Debian developer, contributor, or user can attend to meet his or hers Debian buddies, hack together on new projects or improve existing ones by sharing their knowledge, plan upcoming features and discuss ideas for the Debian GNU/Linux operating system.
  • Pieter Hintjens In Memoriam
    Pieter Hintjens was a writer, programmer and thinker who has spent decades building large software systems and on-line communities, which he describes as "Living Systems". He was an expert in distributed computing, having written over 30 protocols and distributed software systems. He designed AMQP in 2004, and founded the ZeroMQ free software project in 2007. He was the author of the O'Reilly ZeroMQ book, "Culture and Empire", "The Psychopath Code", "Social Architecture", and "Confessions of a Necromancer". He was the president of the Foundation for a Free Information Infrastructure (FFII), and fought the software patent directive and the standardisation of the Microsoft OOXML Office format. He also organized the Internet of Things (IOT) Devroom here at FOSDEM for the last 3 years. In April 2016 he was diagnosed with terminal metastasis of a previous cancer.
  • foss-gbg on Wednesday
    The topics are Yocto Linux on FPGA-based hardware, risk and license management in open source projects and a product release by the local start-up Zifra (an encryptable SD-card). More information and free tickets are available at the foss-gbg site.

Leftovers: OSS

  • When Open Source Meets the Enterprise
    Open source solutions have long been an option for the enterprise, but lately it seems they are becoming more of a necessity for advanced data operations than merely a luxury for IT techs who like to play with code. While it’s true that open platforms tend to provide a broader feature set compared to their proprietary brethren, due to their larger and more diverse development communities, this often comes at the cost of increased operational complexity. At a time when most enterprises are looking to shed their responsibilities for infrastructure and architecture to focus instead on core money-making services, open source requires a fairly high level of in-house technical skill. But as data environments become more distributed and reliant upon increasingly complex compilations of third-party systems, open source can provide at least a base layer of commonality for resources that support a given distribution.
  • EngineerBetter CTO: the logical truth about software 'packaging'
    Technologies such as Docker have blended these responsibilities, causing developers to need to care about what operating system and native libraries are available to their applications – after years of the industry striving for more abstraction and increased decoupling!
  • What will we do when everything is automated?
    Just translate the term "productivity of American factories" into the word "automation" and you get the picture. Other workers are not taking jobs away from the gainfully employed, machines are. This is not a new trend. It's been going on since before Eli Whitney invented the cotton gin. Industry creates machines that do the work of humans faster, cheaper, with more accuracy and with less failure. That's the nature of industry—nothing new here. However, what is new is the rate by which the displacement of human beings from the workforce in happening.
  • Want OpenStack benefits? Put your private cloud plan in place first
    The open source software promises hard-to-come-by cloud standards and no vendor lock-in, says Forrester's Lauren Nelson. But there's more to consider -- including containers.
  • Set the Agenda at OpenStack Summit Boston
    The next OpenStack Summit is just three months away now, and as is their custom, the organizers have once again invited you–the OpenStack Community–to vote on which presentations will and will not be featured at the event.
  • What’s new in the world of OpenStack Ambassadors
    Ambassadors act as liaisons between multiple User Groups, the Foundation and the community in their regions. Launched in 2013, the OpenStack Ambassador program aims to create a framework of community leaders to sustainably expand the reach of OpenStack around the world.
  • Boston summit preview, Ambassador program updates, and more OpenStack news