
Security

Security: Android, FUD, AMD, and Slackware Supports HTTP/2

Filed under
Security

Security: FUD. Sensationalist Headlines and Windows Unnamed

Filed under
Security
  • Cybercriminals Exploit PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers [Ed: Nothing to do with Linux; media never names Microsoft Windows when something bad happens on it.]
  • Is Application Security Dead?

    Spoiler alert: If application security isn't dead yet, its days are numbered. OK, this is an over-exaggeration, but fear not, application security engineers — the work you do is actually becoming more important than ever, and your budget will soon reflect this. Application security will never die, but it will have to morph to succeed.

  • Sweden Is Becoming a Haven for Cryptojackers [Ed: Microsoft Windows not named, but implied]

    The number of such attacks surged an estimated 10,100 percent in the biggest Nordic economy in the fourth quarter, about double the jump globally, according to Symantec Corp.’s 2018 Internet Security Threat Report.

LibreSSL 2.7.1 Released, OpenSSH 7.7 Being Tested

Filed under
Security
BSD

Security: Dropbox, FUD, CNCF, 'Cloud'

Filed under
Security
  • Dropbox has some genuinely great security reporting guidelines, but reserves the right to jail you if you disagree

    Dropbox's position, however reasonable in many of its aspects, is woefully deficient, because the company reserves the right to invoke DMCA 1201 and/or CFAA and other tools that give companies the power to choose who can say true things about mistakes they've made.

    This is not normal. Before DRM in embedded software and cloud connectivity became routine, there were no restrictions on who could utter true words about defects in a product. [...]

  • Hackers Infect Linux Servers With Monero Miner via 5-Year-Old Vulnerability [Ed: A five-year-old vulnerability implies total neglect by sysadmins, not a GNU/Linux weakness]

    Attackers also modified the local cron jobs to trigger a "watchd0g" Bash script every three minutes, a script that checked to see if the Monero miner was still active and restarted XMRig's process whenever it was down.

  • GitHub: Our dependency scan has found four million security flaws in public repos [Ed: No, GitHub just ran a scan for old versions being used and reused. It cannot do this for proprietary software, but the issues are there and the risks are no better.]

    GitHub says its security scan for old vulnerabilities in JavaScript and Ruby libraries has turned up over four million bugs and sparked a major clean-up by project owners.

    The massive bug-find total was reached within a month of the initiative's launch in November, when GitHub began scanning for known vulnerabilities in certain popular open-source libraries and notifying project owners that they should be using an updated version.

  • Envoy CNCF Project Completes Security Audit, Delivers New Release

    The Cloud Native Computing Foundation (CNCF) has begun a process of performing third-party security audits for its projects, with the first completed audit coming from the Envoy proxy project.

    The Envoy proxy project was created by ride-sharing company Lyft and officially joined the CNCF in September 2017. Envoy is a service mesh reverse proxy technology that is used to help scale micro-services data traffic.

  • Hybrid cloud security: Emerging lessons [Ed: 'Cloud' and security do not belong in the same headline because 'cloud' is a data breach, typically involving a company giving all its (and customers') data to some spying giant abroad]

Security: FUD, Patches, and Misconfigured Servers

Filed under
Security
  • Hackers exploit old flaw to turn Linux servers into cryptocurrency miners [Ed: The neglect it relies on means GNU/Linux is not at all the issue here]
  • Security updates for Thursday
  • Security updates for Friday
  • Dealing with network hackers in 1995

    Going back to early 1995, I was working for Los Alamos National Labs as a contractor systems administrator. I didn't have a security clearance so could not work 'behind the fence' as they said. Instead, I worked with a large number of similarly uncleared post-docs, graduate students, and college interns in a strip mall converted into offices. The offices ran from nearly one end of the strip mall to the other with a large selection of Unix, PC, and Mac systems spread through the building connected together with 10base2 (or thin-wire). To make things even more fun, most of the systems were disk-less SunOS Sparc ELC/SLC and IPC systems booting off a Sparc 10 which had 64 MB of RAM and I think two 2 GB disk drives.

    The first problem I had to deal with was that most of the systems would crash at different times during the day. I got a Digital network book my Dad had given me, and learned about common problems with networking as this was not something I had dealt with before. I found that the local network was connected to a T1 which ran back to the main campus about 2 miles away. The T1 went to a hub which had 7 thin-wire lines running out of it. That seemed fine until I traced the thin-wire out. I was worried there were bad connectors (there were) or kinks in the line (there were) but the real problem was that out of the 7 thin-wire lines only 3 were used. Most of the systems were on one line, 2 (my desktop and the Sparc 10) were on another one, and the NeXT and SGIs were on the third. The other lines were just lying under the carpets, not used. I met with my new boss Dale, and showed him what I had found. I learned a lot from Dale. He got me a copy of the Unix System Administrators Handbook and told me to start reading it on networks.

  • How “Hacker Search Engine” Shodan Caught Leakage of 750MB Worth Of Server Passwords

    Remember Memcached servers? Now, we have another case of servers exposed online and fulfilling evil intentions of the hackers. This time, thousands of etcd servers maintained by corporates and organizations are spitting sensitive passwords and encrypted keys, allowing anyone to get access to important data.

    Security researcher Giovanni Collazo was able to harvest 8781 passwords, 650 AWS access keys, 23 secret keys, and 8 private keys.

  • The security footgun in etcd

    From an application security perspective, databases are the most valuable parts of our systems. They store the data that gives value to our apps and companies. This data, which has been entrusted to us by our users, should be kept safe and out of the hands of criminals.

  • Thousands of servers found leaking 750MB worth of passwords and keys

    Thousands of servers operated by businesses and other organizations are openly sharing credentials that may allow anyone on the Internet to log in and read or modify potentially sensitive data stored online.

    In a blog post published late last week, researcher Giovanni Collazo said a quick query on the Shodan search engine returned almost 2,300 Internet-exposed servers running etcd, a type of database that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. etcd comes with a programming interface that responds to simple queries that by default return administrative login credentials without first requiring authentication. The passwords, encryption keys, and other forms of credentials are used to access MySQL and PostgreSQL databases, content management systems, and other types of production servers.

The Kernel Self-Protection project aims to make Linux more secure

Filed under
Linux
Security

Security vulnerabilities in the kernel often remain undetected. The kernel hacker initiative, Kernel Self-Protection, promotes safe programming techniques to keep attackers off the network, and, if they do slip through the net, mitigate the consequences.

Any Black Hat who finds a previously unknown vulnerability in the Linux kernel has hit the jackpot. Potentially millions of servers and embedded devices are suddenly open to attack, and the attacker can usually gain root privileges. Users clearly don't want this to happen, and kernel makers try to prevent such events.


Security: AMD, Slingshot, Voting and Cryptocurrencies

Filed under
Security

Security: Syzbot, FOSS Updates, and AMD

Filed under
Security

Security Leftovers

Filed under
Security

  • 7 Questions to Ask About Your DevSecOps Program
  • Developers Are Ethical But Not Responsible?

    Ask a person if he or she is a racist and the answer is almost always no. Ask a developer if they consider ethical considerations when writing code and only six percent say no. If everyone acted the way they self-report, then there would be peace and love throughout the world.

    Based on over a hundred thousand respondents, StackOverflow’s Developer Survey 2018 presents a more complicated reality. If they were asked to write code for an unethical purpose, 59 percent would say no, but another 37 percent of developers were non-committal about whether they would comply. In another question, only about 5 percent said they would definitely not report unethical problems with code. But sounding the alarm is about as far as most people will go.

  • Cloud Security: 10 Top Tips
  • Group Policy Objects (GPOs) for Linux®

Security: Updates, Synopsys/Black Duck FUD, and Software Security Over Convenience

Filed under
Security
  • Security updates for Tuesday
  • With Much of the Data Center Stack Open Source, Security is a Special Challenge [Ed: Black Duck is attacking FOSS again in order to sell its proprietary products; does proprietary software have no security issues? Which cannot be fixed, either?]
  • Synopsys reveals its open-source rookies of the year [Ed: Anti-FOSS company Black Duck, which markets its proprietary software by attacking FOSS (it admitted being anti-GPL since inception, created by Microsoft employee), wants the public to think of it as a FOSS authority]
  • Software security over convenience

    Recently I got inspired (paranoid?) by my boss, who cares a lot about software security. Previously, I had almost the same password on all the websites I used, and I had them synced to Google servers (Chrome user previously), but once I started taking software security seriously, I knew the biggest mistake I was making was to have a single password everywhere, so I went one step further and set randomly generated passwords on all online accounts and stored them in a keystore.


More in Tux Machines

today's leftovers

  • CRI: The Second Boom of Container Runtimes
    Harry (Lei) Zhang, together with the CTO of HyperHQ, Xu Wang, will present “CRI: The Second Boom of Container Runtimes” at KubeCon + CloudNativeCon EU 2018, May 2-4 in Copenhagen, Denmark. The presentation will clarify more about CRI, container runtimes, KataContainers and where they are going. Please join them if you are interested in learning more.
  • Meet Gloo, the ‘Function Gateway’ That Unifies Legacy APIs, Microservices, and Serverless
    Gloo, a single binary file written in Go, can be deployed as a Kubernetes pod, in a Docker container, and now also on Cloud Foundry. The setup also requires a copy of Envoy, though the installation process can be greatly simplified through additional software developed by the company, TheTool. The user then writes configuration objects to capture the workflow logic.
  • Why is the kernel community replacing iptables with BPF?

    The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.

  • The developer of Helium Rain gave an update on their sales, low overall sales but a high Linux percentage
    Helium Rain [Steam, Official Site], the gorgeous space sim from Deimos Games, is really quite good, so it's a shame they've seen such low overall sales. In total, they've had around 14,000€ (~$17,000) in sales, which is not a lot for a game at all. The good news is that out of the two thousand copies they say they've sold, a huge 14% of them have come from Linux. It's worth noting that that number has actually gone up since we last spoke to them, when they gave us a figure of 11% sales on Linux.
  • Want to try Wild Terra Online? We have another load of keys to give away (update: all gone)
    Wild Terra Online [Steam], the MMO from Juvty Worlds has a small but dedicated following, now is your chance to see if it's for you.
  • Arch Linux Finally Rolling Out Glibc 2.27
    Arch Linux is finally transitioning to glibc 2.27, which may make for a faster system. Glibc 2.27 was released at the start of February. This updated GNU C Library shipped with many performance optimizations particularly for Intel/x86_64 but also some ARM tuning and more. Glibc 2.27 also has memory protection keys support and other feature additions, but the performance potential has been most interesting to us.
  • Installed nvidia driver
  • Stephen Smoogen: Fedora Infrastructure Hackathon (day 1-5)
  • Design and Web team summary – 20 April 2018
    The team manages all web projects across Canonical. From www.ubuntu.com to the Juju GUI we help to bring beauty and consistency to all the web projects.
  • Costales: UbuCon Europe 2018 | 1 Week to go!!
    We'll have an awesome weekend of conferences (with 4 parallel talks), podcasts, stands, social events... Most of them are in English, but there will be in Spanish & Asturian too.
  • Tough, modular embedded PCs start at $875
    Advantech has launched two rugged, Linux-ready embedded DIN-rail computers with Intel Bay Trail SoCs and iDoor expansion: an “UNO-1372G-E” with 3x GbE ports and a smaller UNO-1372G-J with only 2x GbE, but with more serial and USB ports.

OSS Leftovers

  • IRS Website Crash Reminder of HealthCare.gov Debacle as OMB Pushes Open Source
    OMB is increasingly pushing agencies to adopt open source solutions, and in 2016 launched a pilot project requiring at least 20 percent of custom developed code to be released as open source – partly to strengthen and help maintain it by tapping a community of developers. OMB memo M-16-21 further asks agencies to make any code they develop available throughout the federal government in order to encourage its reuse. “Open source solutions give agencies access to a broad community of developers and the latest advancements in technology, which can help alleviate the issues of stagnated or out-dated systems while increasing flexibility as agency missions evolve over time,” says Henry Sowell, chief information security officer at Hortonworks Federal. “Enterprise open source also allows government agencies to reduce the risk of vendor lock-in and the vulnerabilities of un-supported software,” he adds.
  • Migrations: the sole scalable fix to tech debt.

    Migrations are both essential and frustratingly frequent as your codebase ages and your business grows: most tools and processes only support about one order of magnitude of growth before becoming ineffective, so rapid growth makes them a way of life. This isn't because they're bad processes or poor tools, quite the opposite: the fact that something stops working at significantly increased scale is a sign that it was designed appropriately to the previous constraints rather than being over designed.

  • Gui development is broken

    Why is this so hard? I just want low-level access to write a simple graphical interface in a somewhat obscure language.

OpenBSD and NetBSD

Security: Twitter and Facebook

  • Twitter banned Kaspersky Lab from advertising in Jan

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.

  • When you go to a security conference, and its mobile app leaks your data

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

    If you log in to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.