Security

Security: Fines for Insecurity, Open Source Security Podcast, Linux Security Questions, Updates and More

Filed under
Security

Security: HTTPS, System Administration, Botnets, Binary Scans, and Node.js

Filed under
Security
  • Everything is an HTTPS interface

    Serverless applications by their nature are heavily decomposed into a variety of services, such as autonomous functions, object storage, authentication services, document databases, and pub/sub message queues. The interfaces between these services are typically HTTPS. When you’re using the AWS SDK to call an AWS service, the interface it’s calling under the hood is an HTTPS interface. This is true for the majority of cloud platforms, with some alternative protocols occasionally being used (WebSockets and MQTT) in specific use cases.

  • Future Proof Your SysAdmin Career: Locking Down Security

    For today’s system administrators, gaining competencies that move them up the technology stack and broaden their skillsets is increasingly important. However, core skills like networking remain just as crucial. Previously in this series, we've provided an overview of essentials and looked at evolving network skills. In this part, we focus on another core skill: security.

    With ever more impactful security threats emerging, the demand for fluency with network security tools and practices is increasing for sysadmins. That means understanding everything from the Open Systems Interconnect (OSI) model to devices and protocols that facilitate communication across a network.

  • The IoT Botnet Wars: How to Harden Linux Devices from DoS Attacks

    While fighting botnets like Mirai and BrickerBot with another botnet, Hajime, may help prevent denial-of-service attacks on the IoT, the best defense is a basic system security-hardening plan.

  • Security Scan Checks Binary Open Source [Ed: Someone turned the openwashing press release into an article. Proprietary trying to come across as "open"]
  • Malicious code in the Node.js npm registry shakes open source trust model

    Software development relies heavily on trust, especially when it comes to open source components. JavaScript developers recently got a reminder just how fragile the trust model is with the news that 39 malicious packages were removed from npm, the Node.js package management registry.

Security: MalwareTech, F2FS, and WannaCry

Filed under
Security
  • MalwareTech released on bail; supporters to meet Wednesday

    MalwareTech, the cyber security researcher who halted the WannaCry ransomware virus earlier this year and was arrested in Las Vegas last week, will be released on bail today and will travel directly to Milwaukee for a court appearance tomorrow in the Eastern District of Wisconsin – Update: the arraignment is rescheduled for 10am on Monday, 14 August. After 24 hours of no information about his arrest, and a flurry of international news coverage, it was reported that MalwareTech, who lives in the UK and who was in the US for Defcon, was not a flight risk and will be allowed out on $30,000 bail.

  • Marcus Hutchins freed on bail, to face court on 14 Aug
  • Regarding Marcus Hutchins aka MalwareTech
  • F2FS Hit By Three Security Vulnerabilities: Memory Corruption, Possible Code Execution

    Btrfs isn't the only Linux file-system taking some heat but the Flash-Friendly File-System (F2FS) is now having a tough week with three CVEs going public.

  • How leaked exploits empower cyber criminals [Ed: The problem is the stockpiling and the back doors (e.g. by design, see Microsoft-NSA collaborations), not just the leaks.]

    A central theme in the 2016 report was issues that arose from the Mirai botnet and the takeover of numerous insecure IoT devices. Although those record-setting DDoS attacks were vastly different from 2017’s outbreak of WannaCry ransomware and the destructive NotPetya malware, the events share a similar root cause: leaked exploits and source code. IoT botnets and data-encrypting malware were of course common before those incidents; however, the September 2016 release of the Mirai source code and the April 2017 release of NSA exploits exacerbated the crime.

Canonical Outs Linux Security Patch for Ubuntu 14.04 LTS to Fix Several Issues

Filed under
Security
Ubuntu

Canonical on Monday published two Ubuntu Security Notice (USN) advisories to inform users of Ubuntu 14.04 LTS and Ubuntu 12.04 LTS operating systems about the availability of new kernel updates.

Security: Updates, OpenSSL, Women in Cybersecurity, Back to Radio and Latest Black Duck FUD

Filed under
Security
  • Security updates for Monday
  • Oracle Joins SafeLogic to Develop FIPS Module for OpenSSL Security

    Oracle announced on Aug. 3 that it is joining SafeLogic in an effort to develop a much needed FIPS 140-2 module for the open-source OpenSSL cryptographic library.

    OpenSSL is widely used to help secure internet communication and infrastructure, though it currently is lacking a critical module for government standards, known as FIPS 140-2. The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government cyber-security standard used to certify cryptographic modules.

  • OpenSSL drops TLS 1.0/1.1 support for Debian Unstable and what does it mean for Debian sid users?
  • What Women in Cybersecurity Really Think About Their Careers

    For once, some good news about women in the cybersecurity field: A new survey shows that despite the low number of women in the industry, many feel empowered in their jobs and consider themselves valuable members of the team.

    The newly published "Women in Cybersecurity: A Progressive Movement" report — a survey of women by a woman — is the brainchild of security industry veteran Caroline Wong, vice president of security strategy at Cobalt, who formerly worked at Cigital, Symantec, eBay, and Zynga.

    Wong says she decided to conduct the survey after getting discouraged with all of the bad news about women being underrepresented, underpaid, and even harassed in the technology and cybersecurity fields. The number of women in the industry has basically plateaued at 11% over the past few years.

  • Radio navigation set to make global return as GPS backup, because cyber

    The risk to GPS has caused a number of countries to take a second look at terrestrial radio navigation. Today there's broad support worldwide for a new radio navigation network based on more modern technology—and the system taking the early lead for that role is eLoran. As Reuters reports, South Korea is preparing to bring back radio navigation with eLoran as a backup system for GPS, and the United States is planning to do the same.

  • Open source vulnerabilities pose a serious risk for software startups [Ed: The Microsoft-connected FUD firm is at it again]

Security: WebKitGTK+, DEF CON, OpenSSL, and Ebury

Filed under
Security
  • Endgame for WebKit Woes

    In my original blog post On WebKit Security Updates, I identified three separate problems affecting WebKit users on Linux:

        Distributions were not providing updates for WebKitGTK+. This was the main focus of that post.
        Distributions were shipping an insecure compatibility package for old, unmaintained WebKitGTK+ 2.4 (“WebKit1”).
        Distributions were shipping QtWebKit, which was also unmaintained and insecure.

    Let’s review these problems one at a time.

  • Hackers breach dozens of voting machines brought to conference

    One of the nation’s largest cybersecurity conferences is inviting attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be.

    “It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia.

    The DEF CON cybersecurity conference is held annually in Las Vegas. This year, for the first time, the conference is hosting a "Voting Machine Village," where attendees can try to hack a number of systems and help catch vulnerabilities.

  • OpenSSL disables TLS 1.0 and 1.1

    I've just uploaded a version of OpenSSL to unstable that disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version.

  • Man jailed for role in spreading Linux malware

    OpenSSH is an implementation of the secure shell protocol; it runs on UNIX and Linux systems and is developed by the OpenBSD project.

    The malware in question is known as Ebury and is a backdoor that is used to steal OpenSSH credentials and keep access to a compromised server open.

Events: Hacker Summer Camp, DebConf

Filed under
Google
Security
Debian

Security: Kaspersky Ban, White Hat Hackers, and ESET FUD

Filed under
Security
  • US mulling complete federal ban on Kaspersky products

    Things are about to get worse for Kaspersky Lab in the US with the US Senate set to consider banning the use of its software in all federal agencies, using a provision in the National Defence Authorisation Act.  

  • If Hutchins is at fault, then the NSA needs to be pulled up too

    If American judicial authorities are going after British security researcher Marcus Hutchins for allegedly writing malware, then they will also have to indict people at the NSA who were responsible for creating Windows exploits that then leaked and led to massive ransomware attacks.

    Those attacks have left some companies incapable of returning to full production even now, with a case in point being the pharmaceutical giant Merck.

  • Protect the White Hat Hackers Who Are Just Doing Their Jobs

    Some lawmakers and regulators hope to protect security analysts who research, develop, and share tools across borders. The Wassenaar Arrangement, a voluntary agreement between 41 countries (including the US) that sets standards and licensing expectations for weapons export, specifically nods toward "intrusion software." But many security experts worry that vague language within the agreement could do more to hinder than support international digital defense research.

  • ESET Tries to Scare People Away From Using Torrents

Security: Updates, Keysigning, WannaCry, DJI and More

Filed under
Security
  • Security updates for Friday
  • DebConf17 Key Signing Party
  • Keysigning!
  • Faster reference-count overflow protection
  • A Solution to Hackers {sic}? More Hackers {sic}

    In other words: What if the problem we face is not too many bad hackers {sic}, but too few good ones?

  • Russian man sentenced to almost four years prison in US prison for 'botnet fraud'

    Maxim Senakh, of Veliky Novgorod in Russia, was arrested in Finland in 2015 and extradited to the USA to face charges. He pleaded guilty in March and was sentenced in Minnesota this month.

  • Staying Secure with Open Source [Ed: Let's talk about "Staying Secure with" proprietary software, where the code is all secret so you cannot see the bugs]

    Why did Heartbleed fail? One reason, while OSS may have more eyeballs on it, it suffers from inconsistent coding methodology.

  • Researchers say WannaCry operator moved bitcoins to “untraceable” Monero

    On Wednesday, the 52.2 bitcoins in the wallet were drained out over nine transactions, as detected by a bot created by Quartz's Keith Collins. Neutrino researchers traced the moved bitcoins to wallets associated with Monero.

  • What is the Kronos trojan and what is Marcus Hutchins accused of?

    Neither the indictment, nor the Department of Justice announcement, say how they connected him to the malware.  

  • The Indictment Against Malware Researcher Marcus Hutchins Is Really Weird

    So, yesterday, we wrote a quick post about recently-famous malware researcher Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the "evidence" didn't seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let's work off of his analysis.

  • WannaCry 'hero' to plead not guilty to accusation he wrote banking malware [iophk: "none of these even mention Microsoft Windows(tm)"]

    Marcus Hutchins, the celebrated security professional who was arrested Wednesday on federal charges he helped create and distribute malware that steals banking credentials, will be released from detention pending $30,000 bail, according to Las Vegas reporter Christy Wilcox and other news outlets.

  • Judge sets $30K bail in banking malware case for hacker who helped stop WannaCry attack

    "This is excellent news," said Nicholas Weaver, a computer scientist at the University of California at Berkeley. "The indictment is remarkably shallow even by indictment standards, which is disappointing because it adds considerable uncertainty and fosters distrust with the general security community."

  • Security researcher who neutralized WCry to be released on $30,000 bond

    Marcus Hutchins, the celebrated security professional who was arrested Wednesday on federal charges he helped create and distribute malware that steals banking credentials, will be released from detention pending $30,000 bail, according to Las Vegas reporter Christy Wilcox and other news outlets.

  • Army tells troops to stop using DJI drones immediately, because cyber

    But now all of those drones are getting pulled from service, as the result of classified findings in a May study by the Army Research Lab at Aberdeen Proving Grounds in Maryland, as well as a Navy memorandum citing "operational risks" in using DJI drones. The memorandum ordering the ban was obtained by Small UAS News.

  • US Army calls for units to discontinue use of DJI equipment

    According to a U.S. Army memo obtained by sUAS News, the U.S. Army Research Lab and U.S. Navy have concluded that there are operational risks associated with DJI equipment, a move that was run up the flag pole last month but kept under wraps.

  • US Army reportedly asks units to stop using DJI drones, citing cybersecurity concerns

    The memo notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017.  

  • Siemens, DHS warn of “low skill” exploits against CT and PET Scanners

    The Department of Homeland Security's Industrial Control System Computer Emergency Response Team (ICS-CERT) has issued an alert warning of four vulnerabilities in multiple medical molecular imaging systems from Siemens. All of these systems have publicly available exploits that could allow an attacker to execute code remotely—potentially damaging or compromising the safety of the systems. "An attacker with a low skill would be able to exploit these vulnerabilities," ICS-CERT warned.

    Siemens identified the vulnerabilities in a customer alert on July 26, warning that the vulnerabilities were highly critical—giving them a rating of 9.8 out of a possible 10 using the Common Vulnerability Scoring System. The systems affected include Siemens CT, PET, and SPECT scanners and medical imaging workflow systems based on Windows 7.

  • Announcing Our 2017 Security Audit Results

    A few months ago, we hired an independent security research firm to conduct an audit on the encryption specification used by Standard Notes. In building out our product, we spent a lot of time making sure our encryption is as strong and fool-proof as possible. While it's easy for one to feel confident of their own work, a security audit is a must for any privacy-focused project to assure the developers and customers alike that data being encrypted and transferred is done safely and securely.

  • 20 Docker security tools compared

    There are quite a few Docker security tools in the ecosystem, how do they compare? This is a comprehensive list of Docker security tools that can help you implement some of the container security best practices.

    Is Docker insecure? Not at all. Actually features like process isolation with user namespaces, resource encapsulation with cgroups, immutable images and shipping the minimal software and dependencies reduce the attack vector providing a great deal of protection. But, is there anything else we can do? There is much more than image vulnerability scanning and these are 20 container and Docker specific security tools that can help.

  • Is Your Business Vulnerable to Cyberattack?

    If you still believe that to be the case, you must have been living under a rock for the last year or so. Cyber attacks have increased in scale and sophistication, but they have also increased in frequency. The WannaCry ransomware event from earlier this year was the largest cyber attack in history, impacting over 200,000 devices in 150 countries including hospitals in the UK, a large telecom corporation in Spain, FedEx in the US and even the Russian government.

Tails 3 Offers Easy Anonymity for All

Filed under
Security
Debian

If you’re seriously concerned about privacy, you want to ensure you’re doing all the right things and not leaving behind a trace of what you’ve browsed. There are many reasons for this—some good, some bad. I’d like to focus on the good (naturally). In the past few years, it has become clear that tracking web histories is not a myth. Businesses, governments—anyone with the skills can make use of your browsing history. That is the very reason why technology like Tor has recently gained popularity.
