
Security

Security News

Filed under
Security
  • Security updates for Thursday
  • Security updates for Wednesday
  • Researchers find “severe” flaw in WordPress plugin with 1 million installs

    More than 1 million websites running the WordPress content management system may be vulnerable to hacks that allow visitors to snatch password data and secret keys out of databases, at least under certain conditions.

    The vulnerability stems from a "severe" SQL injection bug in NextGEN Gallery, a WordPress plugin with more than 1 million installations. Until the flaw was recently fixed, NextGEN Gallery allowed input from untrusted visitors to be included in WordPress-prepared SQL queries. Under certain conditions, attackers can exploit the weakness to pipe powerful commands to a Web server's backend database.

  • Botnets

    Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.

    But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of things." Because these devices typically have little or no security, hackers can take them over with little effort. And that makes it easier than ever to build huge botnets that take down much more than one site at a time.

  • Yahoo boss Marissa Mayer loses millions in bonuses over security lapses

    Yahoo chief executive Marissa Mayer will lose her annual bonus and the company’s top lawyer has been removed over their mishandling of security breaches that exposed the personal information of more than 1 billion users.

    Mayer’s cash bonus is worth about $2m a year and her personal cost from the security flaws increased when the board also accepted her offer to relinquish an annual stock award worth millions of dollars.

    Mayer, whose management team was found by an internal review to have reacted too slowly to one breach in 2014, said on Wednesday she wanted the board to distribute her bonus to Yahoo’s entire workforce of 8,500 employees. The board did not say if it would do so.

  • Unlimited randomness with the ChaosKey?

    A few days ago I ordered a small batch of the ChaosKey, a small USB dongle for generating entropy created by Bdale Garbee and Keith Packard. Yesterday it arrived, and I am very happy to report that it works great! According to its designers, to get it to work out of the box, you need the Linux kernel version 4.1 or later. I tested on a Debian Stretch machine (kernel version 4.9), and there it worked just fine, increasing the available entropy very quickly. I wrote a small test one-liner to test. It first prints the current entropy level, drains /dev/random, and then prints the entropy level for five seconds.

  • Startup Offers Free ‘Bug Bounty’ Help to Open Source Projects

    Many people don't realize much of the Internet is built on free software. Even giant companies like Facebook, Google, and Amazon rely extensively on big libraries of code—known as "open source" software—written by thousands of programmers, who share their work with everyone.

    But no software is perfect. Like the proprietary code developed by many companies, open source software contains flaws that hackers can exploit to steal information or spread viruses. That's why a new initiative to patch those holes is important.

  • 50 Google Engineers Volunteered to Patch Thousands of Java Open Source Projects

    A year ago, several Google engineers got together and laid the foundation of Operation Rosehub, a project during which Google employees used some of their official work time to patch thousands of open source projects against a severe and widespread Java vulnerability.

    Known internally at Google as the Mad Gadget vulnerability, the issue was discovered at the start of 2015 but came to everyone's attention in November 2015 after security researchers from Foxglove Security showcased how it could be used to steal data from WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS Java applications.
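The NextGEN Gallery item above describes untrusted visitor input ending up inside SQL text. The bug class is easier to see in a small stand-alone illustration; the following is an added Python/sqlite3 example, not code from NextGEN Gallery or WordPress. The table names, rows, the UNION payload and the function names are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not real WordPress data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (id INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?)",
        [(1, "admin", "$P$BexampleAdminHash"), (2, "editor", "$P$BexampleEditorHash")],
    )
    conn.execute("CREATE TABLE wp_ngg_gallery (gid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO wp_ngg_gallery VALUES (?, ?)", [(1, "Summer"), (2, "Winter")]
    )
    return conn


def gallery_title_vulnerable(conn, gid):
    """Vulnerable: the visitor-supplied value is spliced into the SQL text itself."""
    sql = "SELECT title FROM wp_ngg_gallery WHERE gid = %s" % gid
    return [row[0] for row in conn.execute(sql)]


def gallery_title_safe(conn, gid):
    """Hardened: the value is bound as a parameter, so it can only ever be a value."""
    sql = "SELECT title FROM wp_ngg_gallery WHERE gid = ?"
    return [row[0] for row in conn.execute(sql, (gid,))]


# A value an attacker could send as the gallery id (constructed for the example).
UNION_PAYLOAD = "0 UNION SELECT user_pass FROM wp_users"


def demo():
    """Run both query styles with a legitimate id and with the injection payload."""
    conn = make_db()
    return {
        "legit_vulnerable": gallery_title_vulnerable(conn, "1"),
        "legit_safe": gallery_title_safe(conn, "1"),
        # Vulnerable path: the UNION pulls password hashes out of wp_users.
        "attack_vulnerable": sorted(gallery_title_vulnerable(conn, UNION_PAYLOAD)),
        # Safe path: the payload is compared as a literal value and matches nothing.
        "attack_safe": gallery_title_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The WordPress analogue of the hardened function is passing the visitor's value as an argument to `$wpdb->prepare()` rather than building any part of the query string from it; a sort column or table name that cannot be bound as a parameter needs an allow-list check instead.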

KDE Plasma 5.9.3 Linux Desktop Environment Released, over 40 Recorded Bugs Fixed

Filed under
KDE
Security

The KDE project had the great pleasure of announcing the release of the third maintenance update to the recently released KDE Plasma 5.9 desktop environment stable series.


Security News

Filed under
Security
  • Reproducible Builds: week 96 in Stretch cycle

    Christos also reported that NetBSD's base system is now 100.0% reproducible in our current test framework.

  • Game theory says publicly shaming cyberattackers could backfire

    Know your enemy, the saying goes. But when it comes to cyberattacks, a game theory model suggests that just knowing the perpetrator and pointing the finger at them might not be the best tactic, and could even play into the hands of the attacker.

    [...]

    But naming who’s behind an attack may not be helpful if you’re not in a position to retaliate, says Benjamin Edwards at IBM Research, who led the modelling work.

  • X.Org Struck Again By Multiple Security Issues

    By now you probably know that X.Org's security is in bad shape, that new security issues are routinely uncovered, and that is the case again today.

  • Bad bug found in Microsoft browsing code [Ed: And many bugs intentionally not patched]

    Google has released details of a bug in Microsoft's browsing programs that would allow attackers to build websites that make the software crash.

    Google researcher Ivan Fratric said the bug could, in some cases, allow attackers to hijack a victim's browser.

    The bug was found in November, but details are only now being released after the expiry of the 90-day deadline Google gave Microsoft to find a fix.

    Microsoft has yet to say when it will produce a patch that removes the bug.

Security News

Filed under
Security
  • Security updates for Tuesday
  • EU updates smartphone secure development guideline

    The European Union Agency for Network and Information Security (ENISA) has published an updated version of its Smartphone Secure Development Guidelines. This document details the risks faced by developers of smartphone applications, and provides ways to mitigate these.

  • CloudLinux 7 Users Get New Beta Linux Kernel Update That Addresses CVE-2017-6074

    CloudLinux's Mykola Naugolnyi announced today the availability of a new Beta kernel for the CloudLinux 7 operating system series, which patches a recently discovered and critical security flaw.

  • Linus Torvalds shrugged off warnings about 'insecure' SHA-1 in 2005

    LINUX FOUNDER Linus Torvalds was warned in 2005 that the use of the SHA-1 hash to sign code in Linux and Git was insecure and urged to shift to something better protected, but rejected the advice outright.

    Free software evangelist John Gilmore warned Torvalds ten years ago that "SHA1 has been broken; it's possible to generate two different blobs that hash to the same SHA1 hash".

    Gilmore penned his warning to Torvalds in April 2005, when MD5 had already been cracked and SHA1 remained "hard to crack" - but still crackable.

  • Subversion SHA1 Collision Problem Statement — Prevention and Remediation Options

    You probably saw the news last week that researchers at Google had found a scenario where they were able to break the SHA1 algorithm by creating two PDF files with differing content that produced the same hash. If you are following this story then you may have also seen that the Webkit Subversion repository had problems after a user committed these example files to their repository so that they could be used in test cases for SHA1 collisions.

  • making git-annex secure in the face of SHA1 collisions

    git-annex has never used SHA1 by default. But, there are concerns about SHA1 collisions being used to exploit git repositories in various ways. Since git-annex builds on top of git, it inherits its foundational SHA1 weaknesses. Or does it?

  • SSH Fingerprint Verification via Tor

    OpenSSH (really, are there any other implementations?) requires Trust on First Use for fingerprint verification.

    Verification can be especially problematic when using remote services like VPS or colocation.

    How can you trust that the initial connection isn’t being Man In The Middle’d?

  • Almost all Windows vulnerabilities are enabled by liberal 'admin rights'

    NEARLY ALL OF THE VULNERABILITIES THAT AFFECT Microsoft's Windows operating system could be mitigated through a little careful control.

    Avecto, a security company, is the source of the latest revelation in this direction, and it says that 94 per cent of security problems could have been killed off if admin rights had been removed from the affected computer.

    This makes a lot of sense, since a computer that cannot be molested by a user cannot be molested by a third party. 94 per cent is just one example of the differences that can be made and Avecto says that in the case of Internet Explorer 100 per cent of risks are mitigated when rights are removed.

  • More on Bluetooth Ingenico Overlay Skimmers

    This blog has featured several stories about “overlay” card and PIN skimmers made to be placed atop Ingenico-brand card readers at store self-checkout lanes. I’m revisiting the topic again because a security technician at a U.S.-based retailer recently shared a few photos of several of these devices pulled from compromised card terminals, and the images and his story offer a fair bit more detail than in previous articles.
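The "SSH Fingerprint Verification via Tor" item above asks how a first connection can be trusted under Trust On First Use. The practical answer is to obtain the host key over more than one independent path (directly, via a Tor circuit, and ideally from the provider's console) and only accept it when every path reports the same fingerprint. The following is an added Python example of that cross-check, not code from OpenSSH or from the linked post; the key material, hostnames and function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob (string keytype, string key)."""
    assert len(raw_key) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Parse 'host keytype base64blob', the layout ssh-keyscan prints and known_hosts stores."""
    host, keytype, blob_b64 = line.split()[:3]
    return host, keytype, base64.b64decode(blob_b64)


def cross_check(observations, published=None) -> str:
    """Compare fingerprints seen over independent paths (e.g. 'direct' and 'tor').

    Returns the agreed fingerprint. Raises ValueError if the paths disagree (a
    sign that one path is being intercepted) or if the agreed fingerprint differs
    from one published out of band, such as on the provider's console.
    """
    seen = {}
    for path, line in observations.items():
        _host, keytype, blob = parse_keyscan_line(line)
        seen[path] = (keytype, fingerprint_sha256(blob))
    distinct = set(seen.values())
    if len(distinct) != 1:
        raise ValueError(f"host key differs between paths: {seen}")
    _keytype, fp = distinct.pop()
    if published is not None and not hmac.compare_digest(fp, published.strip()):
        raise ValueError(f"fingerprint {fp} does not match published {published}")
    return fp


def rejects(observations, published=None) -> bool:
    """True if cross_check refuses these observations."""
    try:
        cross_check(observations, published)
    except ValueError:
        return True
    return False


# Constructed key material for the demonstration: not a real host key.
DEMO_KEY = bytes(range(32))
DEMO_BLOB = ed25519_blob(DEMO_KEY)
DEMO_LINE = "vps.example ssh-ed25519 " + base64.b64encode(DEMO_BLOB).decode("ascii")
# A different, also constructed, key standing in for an interceptor's key.
MITM_LINE = "vps.example ssh-ed25519 " + base64.b64encode(ed25519_blob(bytes(32))).decode("ascii")


if __name__ == "__main__":
    print("agreed:", cross_check({"direct": DEMO_LINE, "tor": DEMO_LINE}))
    print("intercepted on one path:", rejects({"direct": DEMO_LINE, "tor": MITM_LINE}))
```

In practice the two `observations` lines come from running `ssh-keyscan -t ed25519 host` once directly and once through the Tor SOCKS proxy; agreement between the paths does not prove anything if both are intercepted at the server side, which is why the `published` value from the provider's console is still the stronger check.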

Security News

Filed under
Security
  • Windows 10 least secure of Windows versions: study

    Windows 10 was the least secure of current Windows versions in 2016, with 46% more vulnerabilities than either Windows 8 or 8.1, according to an analysis of Microsoft's own security bulletins in 2016.

    Security firm Avecto said its research, titled "2016 Microsoft Vulnerabilities Study: Mitigating risk by removing user privileges", had also found that a vast majority of vulnerabilities found in Microsoft products could be mitigated by removing admin rights.

    The research found that, despite its claims to being the "most secure" of Microsoft's operating systems, Windows 10 had 395 vulnerabilities in 2016, while Windows 8 and 8.1 each had 265.

    The research also found that while 530 Microsoft vulnerabilities were reported — marginally up from the 524 reported in 2015 — and 189 given a critical rating, 94% could be mitigated by removing admin rights. This was up from 85% in 2015.

  • Windows 10 Creators Update can block Win32 apps if they’re not from the Store [Ed: By Microsoft Peter. People who put Vista 10 on a PC totally lose control of that PC; remember, the OS itself is malware, as per textbook definitions. With DRM and other antifeatures expect copyright enforcement on the desktop soon.]

    The latest Windows 10 Insider Preview build doesn't add much in the way of features—it's mostly just bug fixes—but one small new feature has been spotted, and it could be contentious. Vitor Mikaelson noticed that the latest build lets you restrict the installation of applications built using the Win32 API.

  • Router assimilated into the Borg, sends 3TB in 24 hours

    "Well, f**k."

    Harsh language was appropriate under the circumstances. My router had just been hacked.

    Setting up a reliable home network has always been a challenge for me. I live in a cramped three-story house, and I don't like running cables. So my router's position is determined by the fiber modem in a corner on the bottom floor. Not long after we moved in, I realized that our old Airport Extreme was not delivering much signal to the attic, where two game-obsessed occupants fought for bandwidth.

    I tried all sorts of things. I extended the network. I used Ethernet-over-powerline connectors to deliver network access. I made a mystic circle and danced naked under the full moon. We lost neighbors, but we didn't gain a signal.

  • Purism's Librem 13 Coreboot Port Now "100%" Complete

    According to Purism's Youness Alaoui, their Coreboot port to the Librem 13 v1 laptop is now considered complete.

    The Librem 13 was long talked about having Coreboot over a proprietary BIOS while the initial models still had shipped with the conventional BIOS. Finally in 2017, they now have Coreboot at what they consider to be 100% complete for this Linux-friendly laptop.

  • The Librem 13 v1 coreboot port is now complete

    Here are the news you’ve been waiting for: the coreboot port for the Librem 13 v1 is 100% done! I fixed all of the remaining issues, it is now fully working and is stable, ready for others to enjoy. I fixed the instability problem with the M.2 SATA port, finished running all the tests to ensure coreboot is working correctly, fixed the headphone jack that was not working, made the boot prettier, and started investigating the Intel Management Engine issue.

  • Linux Update Fixes 11-Year-Old Flaw

    Andrey Konovalov, a security researcher at Google, found a use-after-free hole within Linux, CSO Online reported. This particular flaw is of interest because it appears to be situational. It only showed up in kernels built with a certain configuration option — CONFIG_IP_DCCP — enabled.

Security Leftovers

Filed under
Security
  • Major Cloudflare bug leaked sensitive data from customers’ websites

    Cloudflare revealed a serious bug in its software today that caused sensitive data like passwords, cookies, and authentication tokens to spill in plaintext from its customers’ websites. The announcement is a major blow for the content delivery network, which offers enhanced security and performance for more than 5 million websites.

    This could have allowed anyone who noticed the error to collect a variety of very personal information that is typically encrypted or obscured.

  • SHA1 collisions make Git vulnerable to attacks by third-parties, not just repo maintainers

    After sitting through an endless flood of headless-chicken messages on multiple media about SHA-1 being fatally broken, I thought I'd do a quick writeup about what this actually means.

  • Torvalds patches git to mitigate against SHA-1 attacks

    Linux creator Linus Torvalds says two sets of patches have been posted for the distributed version control system git to mitigate against SHA-1 attacks which are based on the method that Dutch and Google engineers detailed last week.

    The post by Torvalds detailing this came after reports emerged of the version control system used by the WebKit browser engine repository becoming corrupted after the two proof-of-concept PDF files that were released by the Dutch and Google researchers were uploaded to the repository.

  • Linus Torvalds on "SHA1 collisions found"
  • More from Torvalds on SHA1 collisions

    I thought I'd write an update on git and SHA1, since the SHA1 collision attack was so prominently in the news.

    Quick overview first, with more in-depth explanation below:

    (1) First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git.

    (2) Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation.

    (3) And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories.

  • [Older] Wire’s independent security review

    Ever since Wire launched end-to-end encryption and open sourced its apps one question has consistently popped up: “Is there an independent security review available?” Well, there is now!

  • Malware Lets a Drone Steal Data by Watching a Computer’s Blinking LED
  • FCC to halt rule that protects your private data from security breaches

    The Federal Communications Commission plans to halt implementation of a privacy rule that requires ISPs to protect the security of their customers' personal information.

    The data security rule is part of a broader privacy rulemaking implemented under former Chairman Tom Wheeler but opposed by the FCC's new Republican majority. The privacy order's data security obligations are scheduled to take effect on March 2, but Chairman Ajit Pai wants to prevent that from happening.

    The data security rule requires ISPs and phone companies to take "reasonable" steps to protect customers' information—such as Social Security numbers, financial and health information, and Web browsing data—from theft and data breaches.

    "Chairman Pai is seeking to act on a request to stay this rule before it takes effect on March 2," an FCC spokesperson said in a statement to Ars.

  • Google releases details of another Windows bug
  • How to secure the IoT in your organisation: advice and best practice for securing the Internet of Things

    All of the major technology vendors are making a play in the Internet of Things space and there are few organisations that won’t benefit from collecting and analysing the vast array of new data that will be made available.

    But the recent Mirai botnet is just one example of the tremendous vulnerabilities that exist with unsecured access points. What are the main security considerations and best practices, then, for businesses seeking to leverage the potential of IoT?
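Torvalds' first point above, the difference between a signing hash and a content identifier, and his third point, a transition to another hash, both come down to how git derives an object id: it hashes a `"<type> <size>\0"` header ahead of the bytes, so a collision produced for bare file bytes (like the two PDFs) does not carry over to the object id unless it was built with that prefix in mind, and swapping the hash function leaves the construction unchanged. The following is an added Python example of that construction, not git's own code or the mitigation patches the items describe; the sample contents and function names are constructed for the demonstration.

```python
import hashlib


def git_object_id(obj_type: str, data: bytes, algo: str = "sha1") -> str:
    """Git content identifier: hash over the 'type size\\0' header plus the bytes.

    'sha1' is what git uses today; 'sha256' is the same construction with the
    hash function swapped, which is the shape of the transition Torvalds describes.
    """
    header = f"{obj_type} {len(data)}\0".encode("ascii")
    return hashlib.new(algo, header + data).hexdigest()


def blob_id(data: bytes, algo: str = "sha1") -> str:
    """Object id of a blob holding exactly `data` (what `git hash-object` prints)."""
    return git_object_id("blob", data, algo)


def raw_sha1(data: bytes) -> str:
    """Plain SHA-1 of the file bytes, as sha1sum reports it; differs from blob_id."""
    return hashlib.sha1(data).hexdigest()


def find_sha1_id_collisions(blobs):
    """Return groups of distinct blobs whose SHA-1 object ids coincide.

    Hashing every object with both algorithms and flagging any SHA-1 id that
    maps to more than one SHA-256 id is the simplest way to notice a planted
    collision pair in a repository while both hashes are being kept.
    """
    by_sha1 = {}
    for name, data in blobs.items():
        by_sha1.setdefault(blob_id(data, "sha1"), {})[blob_id(data, "sha256")] = name
    return [sorted(names.values()) for names in by_sha1.values() if len(names) > 1]


# Constructed sample contents (not repository data from the page).
SAMPLE_BLOBS = {
    "empty": b"",
    "hello": b"hello\n",
    "hello-copy": b"hello\n",  # identical bytes are the same object, not a collision
}


if __name__ == "__main__":
    for name, data in SAMPLE_BLOBS.items():
        print(name, raw_sha1(data), blob_id(data), blob_id(data, "sha256"))
    print("collisions:", find_sha1_id_collisions(SAMPLE_BLOBS))
```

The empty blob is a handy sanity check: its raw SHA-1 is `da39a3ee…`, while git reports `e69de29b…` because of the header. Note that `find_sha1_id_collisions` only catches a pair once both objects are present; it is not a substitute for the collision-detection the git patches add at object-write time.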
