Language Selection

English French German Italian Portuguese Spanish

Security

Security: Twitter and Facebook

Submitted by Roy Schestowitz on Saturday 21st of April 2018 03:44:52 PM Filed under
Security
  • Twitter banned Kaspersky Lab from advertising in Jan

     

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.  

  • When you go to a security conference, and its mobile app leaks your data

     

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

     

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

     

    If you login to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.

»

Security: Updates, IBM, Elytron and Container Vulnerability Scanning

Submitted by Roy Schestowitz on Saturday 21st of April 2018 04:45:08 AM Filed under
Security
  • Security updates for Friday
  • IBM Security launches open-source AI

    IBM Security unveiled an open-source toolkit at RSA 2018 that will allow the cyber community to test their AI-based security defenses against a strong and complex opponent in order to help build resilience and dependability into their systems.

  • Elytron: A New Security Framework in WildFly/JBoss EAP

    Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework that will be usable for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, which is PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in Wildfly.

  • PodCTL #32 – Container Vulnerability Scanning
»

Security Leftovers

Submitted by Roy Schestowitz on Friday 20th of April 2018 02:07:22 AM Filed under
Security
  • Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank

    Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

    The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.

    Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

  • Certificate Transparency and HTTPS

    CT stands for “Certificate Transparency” and, in simple terms, means that all certificates for websites will need to be registered by the issuing Certificate Authority (CA) in at least two public Certificate Logs.

  • Security updates for Thursday
  • IBM introduces open-source library for protecting AI systems
  • How to combine SSH key authentication and two-factor authentication on Linux
  • openSUSE Heroes loves Let’s Encrypt™ – Expect certificate exchange

    openSUSE loves Let's Encrypt™

    Maybe some of you noticed, that our certificate *.opensuse.org on many of services will expire soon (on 2018-04-23).

    As we noticed that – as well – we decided to put a bit of work into this topic and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.

    This is just a short notice / announcement for all of you, that we are working on this topic at the moment. We will announce, together with the deployment of the new certificate, the regarding hashes and maybe some further information on our way of implementing things.

»

Security Leftovers

Submitted by Roy Schestowitz on Thursday 19th of April 2018 12:26:53 PM Filed under
Security
»

OSS and Security Leftovers

Submitted by Roy Schestowitz on Wednesday 18th of April 2018 06:07:13 PM Filed under
OSS
Security
  • Open-source library for improving security of AI systems

    Attacks against neural networks have recently been flagged as one of the biggest dangers in our modern world where AI systems are increasingly getting embedded in many technologies we use and depend on daily.

    Adversaries can sometimes tamper with them even if they don’t know much about them, and “breaking” the system could result in very dangerous consequences.

    [...]

    The library is written in Python, as it is the most commonly used programming language for developing, testing and deploying Deep Neural Networks.

  • IBM launches open-source library for securing AI systems

    On Tuesday at the RSA conference in San Francisco, IBM announced the launch of the Adversarial Robustness Toolbox to support developers and users of AI that may become the victims of attacks against AI systems including Deep Neural Networks (DNNs).

    According to the tech giant, threat actors may be able to exploit weaknesses in AI systems through very subtle means. Simple, small, and often undetectable alterations in content including images, video, and audio recordings can be crafted to confuse AI systems, even without a deep knowledge of the AI or DNN a cyberattack is targeting.

  • IBM releases new toolbox to protect AI from adversarial attacks

    IBM is releasing an open-source software library to combat against adversarial attacks in deep neural networks (DNNs). DNNs are machine learning models that are capable of recognizing patterns.

  • Build a serverless framework at home: Go on, bit of open sourcey hijinx won't hurt

    First unveiled at SpringOne Platform in December, riff is still an early project. It emerged from the Spring Cloud Data Flow, a data integration project to run Java code as microservices created under Pivotal's open source Java-focused Spring framework.

    "Riff is the next step in that evolution," says Jürgen Leschner, a riff organiser who works at Pivotal. Instead of running microservices that persist in containers, serverless models hide the containers from the developers and operations teams entirely. Instead, when a developer calls a software function, the container orchestration system (in riff's case, Kubernetes) spins one up and then kills it off silently.

    [...]

    The benefits of open source serverless

    What do these open source serverless options bring to the party? Unless you're using them to slurp services on the AWS platform and minimise container fees by weeding out idle compute power, why bother?

    Efficiency for developers is one driver, says Leschner. "Developers don’t have to worry about building the connectors and boilerplate stuff into their code. They can package a simpler project and the boilerplate is already in the platform."

  • Failure to secure open source code spurs DevSecOps boom [Ed: Yet another one of those 'journalists' who help marketing from anti-FOSS entity because it's disguised as 'research']

    A survey of over 2,000 IT pros shows that fear of data breaches is increasing investments in DevSecOps tools, particularly automated security tools and oversight of open source software.

  • Security updates for Wednesday
»

Security: Russia, Librem, and Apple's Faux Security

Submitted by Roy Schestowitz on Wednesday 18th of April 2018 09:41:51 AM Filed under
Security
  • U.S. & U.K. Issue Joint Warning About Risks of Russian Cyberattacks
  • Demonstrating Tamper Detection with Heads

    We are excited about the future of Heads on Librem laptops and the extra level of protection it can give customers. As a result we’ve both been writing about it a lot publicly and working on it a lot privately. What I’ve realized when I’ve talked to people about Heads and given demos, is that many people have never seen a tamper-evident boot process before. All of the concepts around tamper-evident boot are pretty abstract and it can be difficult to fully grasp how it protects you if you’ve never seen it work.

    We have created a short demo that walks through a normal Heads boot process and demonstrates tamper detection. In the interest of keeping the demo short I only briefly described what was happening. In this post I will elaborate on what you are seeing in the video.

  • Stop Using Six Digit Numeric iPhone Passcodes Right Now
»

Security Leftovers

Submitted by Roy Schestowitz on Wednesday 18th of April 2018 05:44:38 AM Filed under
Security
  • Security updates for Tuesday
  • McAfee's Upgraded Cloud Security Protects Containers [Ed: Looks like marketing/spam from ECT]
  • Has a Russian intelligence agent hacked your wifi? [iophk: "AV is not relevant; there are two main ways to avoid malware" : *BSD and */Linux"]

    In short, a global, invisible, low-level conflict is taking place across the internet and it is possible that your router has been conscripted as a foot soldier. Maybe it is worth getting your firewall and antivirus checked out after all.

  • 55 Infosec Professionals Sign Letter Opposing Georgia’s Computer Crime Bill

    In a letter to Georgia Gov. Nathan Deal, 55 cybersecurity professionals from around the country are calling for a veto for S.B. 315, a state bill that would give prosecutors new power to target independent security researchers.

    This isn’t just a matter of solidarity among those in the profession. Georgia represents our nation’s third largest information security sector. The signers have clients, partners, and offices in Georgia. They attend conferences in Georgia. They teach and study in Georgia or recruit students from Georgia. And they all agree that S.B. 315, which would create a new crime of "unauthorized access," would do more harm than good.

»

Security and FUD Leftovers

Submitted by Roy Schestowitz on Tuesday 17th of April 2018 12:25:55 PM Filed under
Security
»

Security: Open Source Security Podcast, Old JavaScript Crypto Flaw and New FUD-based Marketing

Submitted by Roy Schestowitz on Monday 16th of April 2018 09:48:24 AM Filed under
Security
»

Security: Cleartext Passwords, Windows Problems, and Meltdown Patches/Performance

Submitted by Roy Schestowitz on Sunday 15th of April 2018 10:25:14 PM Filed under
Security
  • cleartext passwords and transparency

    So let me just jump in with Lars blog post where he talks about cleartext passwords. While he has actually surmised and shared what a security problem they are, the pity is we come to know of this only because the people in question tacitly admitted to bad practises. How many more such bad actors are there, developers putting user credentials in cleartext god only knows. There was even an April Fool’s joke in 2014 which shared why putting passwords in cleartext is bad.

  • 911 operator suspended over teen’s death griped about working overtime.

    Plush called 911 again around 3:35 p.m., this time giving Smith a description of the vehicle, a gold Honda Odyssey in the parking lot at Seven Hills — information that never made it to the officers at the scene.

    “This is not a joke,” the teen told Smith. “I’m almost dead.”

    Smith tried to document the call when it came in but her computer screen had frozen, preventing her from entering information immediately, the review found.

  • Defense contractors face more aggressive ransomware attacks

    The rise of ransomware attacks against defense contractors coincides with a rise in the use of ransomware in general. Attacks can spread even after the original target has been hit, hurting unintended victims.

  • A Look At The Meltdown Performance Impact With DragonFlyBSD 5.2

    Besides looking at the HAMMER2 performance in DragonFlyBSD 5.2, another prominent change with this new BSD operating system release is the Spectre and Meltdown mitigations being shipped. In this article are some tests looking at the performance cost of DragonFlyBSD 5.2 for mitigating the Meltdown Intel CPU vulnerability.

    With DragonFlyBSD 5.2 there is the machdep.meltdown_mitigation sysctl for checking on the Meltdown mitigation presence and toggling it. Back in January we ran some tests of DragonFlyBSD's Meltdown mitigation using the page table isolation approach while now testing was done using the DragonFlyBSD 5.2 stable release.

  • A Last Minute Linux 4.17 Pull To Help Non-PCID Systems With KPTI Meltdown Performance

    While the Linux 4.17 kernel merge window is closing today and is already carrying a lot of interesting changes as covered by our Linux 4.17 feature overview, Thomas Gleixner today sent in a final round of x86 (K)PTI updates for Meltdown mitigation with this upcoming kernel release.

    This latest round of page-table isolation updates should help out systems lacking PCID, Process Context Identifiers. The KPTI code makes use of PCID for reducing the performance overhead of this Meltdown mitigation technique. PCID has been around since the Intel Westmere days, but now the latest kernel patches will help offset the KPTI performance impact for systems lacking PCID.

»
Syndicate content

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6