
Security

Security: Debian LTS, Linux Potential Local Privilege Escalation Bug, Australia Wants to Mandate Back Doors, Equifax Breach the Fault of Equifax

Filed under
Security

Linux and Open Source FAQs: Common Myths and Misconceptions Addressed

Filed under
OSS
Security

LinuxSecurity debunks some common myths and misconceptions regarding open source and Linux by answering a few Linux-related frequently asked questions.

Open source and Linux are becoming increasingly well-known and well-respected because of the myriad benefits they offer. Seventy-eight percent of businesses of all sizes across all industries are now choosing open source software over alternative proprietary solutions according to ZDNet (https://zd.net/2GCrTrk). Facebook, Twitter and Google are among the many companies currently using, sponsoring and contributing to open source projects. Although Linux and open source are widely recognized for the advantages they provide, there are still many myths and misconceptions that surround these terms. Here are some answers to frequently asked questions about Linux and open source:

Question: What are the advantages of the open source development model? How can using and contributing to open source software benefit my business?

Answer: Open source offers an array of inherent advantages which include increased security, superior product quality, lower costs and greater freedom and flexibility compared to other models. It also is accompanied by strong community values and high standards, which encourage the highest levels of creativity and innovation in engineering.

Security: More Xbash Scare (Relies on Already-Compromised Systems), CCTV Weakness, and Red Hat's 'DevSecOps' Buzzwording

Filed under
Security
  • Windows, Linux Servers Beware: New Malware Encrypts Files Even After Ransom Is Paid

    Ransomware skyrocketed from obscurity to infamy in no time flat. Headline-grabbing campaigns like WannaCry, Petya and NotPetya preceded a substantial increase in the number of small attacks using similar techniques to extort unwary internet users. Now, researchers at Palo Alto Networks have revealed new malware that carries on NotPetya's legacy while combining various types of threats into a single package.

    The researchers, dubbed Unit 42, named this new malware Xbash. It's said to combine a botnet, ransomware and cryptocurrency mining software in a single worm and targets servers running Linux or Windows. The researchers blame an entity called the Iron Group for Xbash's creation, which has been linked to other ransomware attacks. The malware is thought to have first seen use in May 2018.

  • Xbash Malware Deletes Databases on Linux, Mines for Coins on Windows
  • CCTV Cameras Are Susceptible To Hacks; Hackers Can Modify Video Footage

    A vulnerability has been discovered in video surveillance camera software that could allow hackers to view, delete or modify video footage.

    A research paper published by Tenable, a security firm, has revealed a vulnerability named Peekaboo in the video surveillance systems of NUUO. By exploiting the software flaw, hackers can acquire admin privileges and can monitor, tamper with and disable the footage.

  • Tenable Research Discovers “Peekaboo” Zero-Day Vulnerability in Global Video Surveillance Software

    Tenable®, Inc., the Cyber Exposure company, today announced that its research team has discovered a zero-day vulnerability which would allow cybercriminals to view and tamper with video surveillance recordings via a remote code execution vulnerability in NUUO software — one of the leading global video surveillance solution providers. The vulnerability, dubbed Peekaboo by Tenable Research, would allow cybercriminals to remotely view video surveillance feeds and tamper with recordings using administrator privileges. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

  • 5 ways DevSecOps changes security

    There’s been an ongoing kerfuffle over whether we need to expand DevOps to explicitly bring in security. After all, the thinking goes, DevOps has always been something of a shorthand for a broad set of new practices, using new tools (often open source) and built on more collaborative cultures. Why not DevBizOps for better aligning with business needs? Or DevChatOps to emphasize better and faster communications?

    However, as John Willis wrote earlier this year on his coming around to the DevSecOps terminology, “Hopefully, someday we will have a world where we no longer have to use the word DevSecOps and security will be an inherent part of all service delivery discussions. Until that day, and at this point, my general conclusion is that it’s just three new characters. More importantly, the name really differentiates the problem statement in a world where we as an industry are not doing a great job on information security.”

Security: Updates, Reproducible Builds, Microsoft's Spying Marketed as 'Security', and Xbash Hype

Filed under
Security

10 Free Open Source Tools for Creating Your Own VPN

Filed under
Software
Security

As more people use the Internet every day they are becoming more conscious about their privacy with regards to how much of the information they don’t want to share at all is being compromised. Tons of VPN services have been created to solidify users’ safety but that doesn’t seem to be enough as there seems to be an increasing need to create custom VPNs.

It isn’t a bad thing to create a VPN service for yourself and there are actually a good number of developers and organizations that favour this habit.

Today, we bring you a list of the best open-source tools that you can use to create your own VPN. Some of them are relatively more difficult to set up and use than the others and they all have their feature highlights.

Depending on the reason why you want to deploy your own VPN, choose the title that is suitable for you.

Security: UIDAI, Wireshark, Hackers For Good

Filed under
Security
  • Software Patch Claimed To Allow Aadhaar's Security To Be Bypassed, Calling Into Question Biometric Database's Integrity

    As the Huffington Post article explains, creating a patch that is able to circumvent the main security features in this way was possible thanks to design choices made early on in the project. The unprecedented scale of the Aadhaar enrollment process -- so far around 1.2 billion people have been given an Aadhaar number and added to the database -- meant that a large number of private agencies and village-level computer kiosks were used for registration. Since connectivity was often poor, the main software was installed on local computers, rather than being run in the cloud. The patch can be used by anyone with local access to the computer system, and simply involves replacing a folder of Java libraries with versions lacking the security checks.

    The Unique Identification Authority of India (UIDAI), the government body responsible for the Aadhaar project, has responded to the Huffington Post article, but in a rather odd way: as a Donald Trump-like stream of tweets. The Huffington Post points out: "[the UIDAI] has simply stated that its systems are completely secure without any supporting evidence."

  • New CAS BACnet Wireshark Report Tool Helps User to Quickly Locate Intermittent Issues
  • Hackers For Good, Working To Gather Stakeholders To Find Answers To Cyberspace Challenges

    For a number of people, the word hacker means bad news. However, if some hackers have malevolent intentions, there are also hackers for good, and their skills were put to the challenge last week as they tried to save a fictitious city fallen into the hands of a group of cyber terrorists. The challenge was part of a two-day event organised by a young Geneva-based non-governmental organisation seeking to raise awareness about digital trust and bring accountability to cyberspace.

Security: Quantum Computing and Cryptography, Time to Rebuild Alpine Linux Docker Container

Filed under
Security
  • Quantum Computing and Cryptography

    Quantum computing is a new way of computing -- one that could allow humankind to perform computations that are simply impossible using today's computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length.

    This is why cryptographers are hard at work designing and analyzing "quantum-resistant" public-key algorithms. Currently, quantum computing is too nascent for cryptographers to be sure of what is secure and what isn't. But even assuming aliens have developed the technology to its full potential, quantum computing doesn't spell the end of the world for cryptography. Symmetric cryptography is easy to make quantum-resistant, and we're working on quantum-resistant public-key algorithms. If public-key cryptography ends up being a temporary anomaly based on our mathematical knowledge and computational ability, we'll still survive. And if some inconceivable alien technology can break all of cryptography, we still can have secrecy based on information theory -- albeit with significant loss of capability.

    At its core, cryptography relies on the mathematical quirk that some things are easier to do than to undo. Just as it's easier to smash a plate than to glue all the pieces back together, it's much easier to multiply two prime numbers together to obtain one large number than it is to factor that large number back into two prime numbers. Asymmetries of this kind -- one-way functions and trap-door one-way functions -- underlie all of cryptography.

  • This New CSS Attack Restarts iPhones & Freezes Macs
  • Time to Rebuild Alpine Linux Docker Containers After Package Manager Patch
  • GrrCon 2018 Augusta15 Automation and Open Source Turning the Tide on Attackers John Grigg

Security: Updates, PAM HaveIBeenPwned Module, Alpine Linux and Wireshark

Filed under
Security
  • Security updates for Monday
  • PAM HaveIBeenPwned module
  • Remote code exec found in Alpine Linux

    Users of Alpine Linux are advised to update their installations - especially those used for Docker production environments - after a researcher found a remotely exploitable bug in the distribution's package manager.

    Alpine Linux is popular with Docker users due to its small size and package repository.

    Crowdfunded bug bounty program BountyGraph co-founder Max Justicz managed to exploit Alpine .apk package files to create arbitrary files which could be turned into code execution.

  • What is Wireshark? What this essential troubleshooting tool does and how to use it

    Wireshark is the world's leading network traffic analyzer, and an essential tool for any security professional or systems administrator. This free software lets you analyze network traffic in real time, and is often the best tool for troubleshooting issues on your network.

    Common problems that Wireshark can help troubleshoot include dropped packets, latency issues, and malicious activity on your network. It lets you put your network traffic under a microscope, and provides tools to filter and drill down into that traffic, zooming in on the root cause of the problem. Administrators use it to identify faulty network appliances that are dropping packets, latency issues caused by machines routing traffic halfway around the world, and data exfiltration or even hacking attempts against your organization.

    [...]

    While Wireshark supports more than two thousand network protocols, many of them esoteric, uncommon, or old, the modern security professional will find analyzing IP packets to be of most immediate usefulness. The majority of the packets on your network are likely to be TCP, UDP, and ICMP.

    Given the large volume of traffic that crosses a typical business network, Wireshark's tools to help you filter that traffic are what make it especially useful. Capture filters will collect only the types of traffic you're interested in, and display filters will help you zoom in on the traffic you want to inspect. The network protocol analyzer provides search tools, including regular expressions and colored highlighting, to make it easy to find what you're looking for.

Apache SpamAssassin 3.4.2 released

Filed under
Security

On behalf of the Apache SpamAssassin Project Management Committee, I am
very pleased to announce the release of Apache SpamAssassin v3.4.2.
This release contains security bug fixes. A security announcement will
follow within the next 24 hours.

Apache SpamAssassin can be downloaded from
https://spamassassin.apache.org/downloads.cgi and via cpan
(Mail::SpamAssassin).

Our project website is https://spamassassin.apache.org/

Our DOAP is available at https://spamassassin.apache.org/doap.rdf

Security: Windows/NSA Back Doors, Election Cracking, and Open Source Security Podcast

Filed under
Security
  • Cryptocurrency mining attacks using leaked NSA hacking tools are still highly active a year later

    Yet, more than a year since Microsoft released patches that slammed the backdoor shut, almost a million computers and networks are still unpatched and vulnerable to attack.

  • Leaked NSA exploits are still used to infect at least 919K servers with cryptojacking malware [Ed: Microsoft gave the NSA back doors. It was inevitable that crackers who do not work for the US government would get in too.]

    Although Microsoft indicated that they have closed the backdoor used by this ransomware, more computers globally are not fully secured to prevent the infection by the malware. Interestingly, the hackers have shifted their game from asking for ransom and are now infecting new computers with cryptojacking malware.

  • Cybersecurity Is Only 1 Part of Election Security

    The DEF CON 2018 Voting Machine Hacking Village aimed to raise awareness in voting security through a full day of speakers and panel discussions along with a challenge for attendees to hack more than 30 pieces of voting equipment. A partnership with rOOtz Asylum offered youths between 8 and 16 years old an opportunity to hack replicas of the websites of secretaries of state to demonstrate that even hackers with limited years of experience can easily compromise critical systems. The goal was to break as many voting machine pieces as possible in order to draw attention to the vulnerabilities that will be present in the upcoming 2018 elections.

    The focus on election equipment, however, ignores the greater danger caused by hacking into the diverse collection of sensitive information that flows through political campaigns and the electoral process, and using that to influence and sow distrust among voters. While changing a vote or voting results can be traced back to a particular stakeholder, changing people's understanding of facts is far more insidious.

  • Open Source Security Podcast: Episode 114 - Review of "Click Here to Kill Everybody"

    Josh and Kurt review Bruce Schneier's new book Click Here to Kill Everybody. It's a book everyone could benefit from reading. It does a nice job explaining many existing security problems in a simple manner.

More in Tux Machines

Open-source hardware could defend against the next generation of hacking

Imagine you had a secret document you had to store away from prying eyes. And you have a choice: You could buy a safe made by a company that kept the workings of its locks secret. Or you could buy a safe whose manufacturer openly published the designs, letting everyone – including thieves – see how they’re made. Which would you choose? It might seem unexpected, but as an engineering professor, I’d pick the second option. The first one might be safe – but I simply don’t know. I’d have to take the company’s word for it. Maybe it’s a reputable company with a longstanding pedigree of quality, but I’d be betting my information’s security on the company upholding its traditions. By contrast, I can judge the security of the second safe for myself – or ask an expert to evaluate it. I’ll be better informed about how secure my safe is, and therefore more confident that my document is safe inside it. That’s the value of open-source technology.

Ubuntu 18.10: What’s New? [Video]

But how do you follow up the brilliant Bionic Beaver? It’s far from being an easy task and, alas, the collected changes you’ll find accrued in the ‘Cosmic Cuttlefish’ are of the “down-to-earth” variety rather than the “out-of-this-world” ones you might’ve been hoping for. But don’t take our word for it; find out yourself by watching our Ubuntu 18.10 video (and it’s best watched with headphones because, ahem, I can level sound properly). In 3 minutes and 18 seconds we whizz you through everything that’s new, neat and noticeable in Ubuntu 18.10.

today's howtos