Security
Security: Twitter and Facebook
Submitted by Roy Schestowitz on Saturday 21st of April 2018 03:44:52 PM
- Twitter banned Kaspersky Lab from advertising in Jan
Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.
- When you go to a security conference, and its mobile app leaks your data
A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.
- The Security Risks of Logging in With Facebook
In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.
- Facebook Login data hijacked by hidden JavaScript trackers
If you log in to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.
Security: Updates, IBM, Elytron and Container Vulnerability Scanning
Submitted by Roy Schestowitz on Saturday 21st of April 2018 04:45:08 AM
- Security updates for Friday
- IBM Security launches open-source AI
IBM Security unveiled an open-source toolkit at RSA 2018 that will allow the cyber community to test their AI-based security defenses against a strong and complex opponent in order to help build resilience and dependability into their systems.
- Elytron: A New Security Framework in WildFly/JBoss EAP
Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework that will be usable for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, which is PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in WildFly.
- PodCTL #32 – Container Vulnerability Scanning
Security Leftovers
Submitted by Roy Schestowitz on Friday 20th of April 2018 02:07:22 AM
- Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank
Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.
The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.
Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."
- Certificate Transparency and HTTPS
CT stands for “Certificate Transparency” and, in simple terms, means that all certificates for websites will need to be registered by the issuing Certificate Authority (CA) in at least two public Certificate Logs.
- Security updates for Thursday
- IBM introduces open-source library for protecting AI systems
- How to combine SSH key authentication and two-factor authentication on Linux
- openSUSE Heroes loves Let’s Encrypt™ – Expect certificate exchange
openSUSE loves Let's Encrypt™
Maybe some of you noticed that our certificate *.opensuse.org on many of our services will expire soon (on 2018-04-23).
As we noticed that as well, we decided to put a bit of work into this topic, and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.
This is just a short notice / announcement for all of you that we are working on this topic at the moment. Together with the deployment of the new certificate, we will announce the corresponding hashes and maybe some further information on our way of implementing things.
Security Leftovers
Submitted by Roy Schestowitz on Thursday 19th of April 2018 12:26:53 PM
- Mitigating Open Source Security Vulnerabilities
- NHS slammed for 'alarming' lack of cybersecurity defences post-WannaCry [iophk: "Windows TCO"]
Despite 22 recommendations created by the Department of Health and Social Care, NHS England and NHS Improvement to help the NHS improve its cyber defences, the PAC noted it was "alarmed" that these measures had not yet been implemented.
- House panel advances bills to guard energy grid from cyberattacks
The four bipartisan legislative proposals aim to elevate the Department of Energy’s efforts on cyber response and engagement and to create new programs to address grid and pipeline security.
- A pirate-obsessed Nigerian hacking [sic] group is attacking the maritime industry
A business email compromise (BEC) scam is a highly targeted attack designed to convince finance departments or C-suite executives to sign off on fraudulent invoices.
- Simplify and Secure Your Online Logins With a YubiKey
Several manufacturers make these types of keys, and they all basically work the same way. They adhere to an industry standard called Universal 2nd Factor, or U2F. The standard weds hardware-based authentication with public key cryptography—a set of tools that’s extremely difficult to compromise. These U2F keys simplify the process of securely accessing online services like Google, Facebook, Dropbox, Windows, and Mac OS. They also support password managers like LastPass, Dashlane and KeePass. U2F keys can even be used to unlock your Mac or Windows PC from the home screen.
- Polyverse raises more cash for Linux cybersecurity product that can prevent zero-day attacks [Ed: Polyverse is selling snake oil pseudoscience like polygraph; nontechnical VCs fall for it, I hope technical companies do not.]
OSS and Security Leftovers
Submitted by Roy Schestowitz on Wednesday 18th of April 2018 06:07:13 PM
- Open-source library for improving security of AI systems
Attacks against neural networks have recently been flagged as one of the biggest dangers in our modern world where AI systems are increasingly getting embedded in many technologies we use and depend on daily.
Adversaries can sometimes tamper with them even if they don’t know much about them, and “breaking” the system could result in very dangerous consequences.
[...]
The library is written in Python, as it is the most commonly used programming language for developing, testing and deploying Deep Neural Networks.
- IBM launches open-source library for securing AI systems
On Tuesday at the RSA conference in San Francisco, IBM announced the launch of the Adversarial Robustness Toolbox to support developers and users of AI that may become the victims of attacks against AI systems including Deep Neural Networks (DNNs).
According to the tech giant, threat actors may be able to exploit weaknesses in AI systems through very subtle means. Simple, small, and often undetectable alterations in content including images, video, and audio recordings can be crafted to confuse AI systems, even without a deep knowledge of the AI or DNN a cyberattack is targeting.
- IBM releases new toolbox to protect AI from adversarial attacks
IBM is releasing an open-source software library to combat adversarial attacks on deep neural networks (DNNs). DNNs are machine learning models that are capable of recognizing patterns.
- Build a serverless framework at home: Go on, bit of open sourcey hijinx won't hurt
First unveiled at SpringOne Platform in December, riff is still an early project. It emerged from the Spring Cloud Data Flow, a data integration project to run Java code as microservices created under Pivotal's open source Java-focused Spring framework.
"Riff is the next step in that evolution," says Jürgen Leschner, a riff organiser who works at Pivotal. Instead of running microservices that persist in containers, serverless models hide the containers from the developers and operations teams entirely. Instead, when a developer calls a software function, the container orchestration system (in riff's case, Kubernetes) spins one up and then kills it off silently.
[...]
The benefits of open source serverless
What do these open source serverless options bring to the party? Unless you're using them to slurp services on the AWS platform and minimise container fees by weeding out idle compute power, why bother?
Efficiency for developers is one driver, says Leschner. "Developers don’t have to worry about building the connectors and boilerplate stuff into their code. They can package a simpler project and the boilerplate is already in the platform."
- Failure to secure open source code spurs DevSecOps boom [Ed: Yet another one of those 'journalists' who help marketing from anti-FOSS entity because it's disguised as 'research']
A survey of over 2,000 IT pros shows that fear of data breaches is increasing investments in DevSecOps tools, particularly automated security tools and oversight of open source software.
- Security updates for Wednesday
Security: Russia, Librem, and Apple's Faux Security
Submitted by Roy Schestowitz on Wednesday 18th of April 2018 09:41:51 AM
- U.S. & U.K. Issue Joint Warning About Risks of Russian Cyberattacks
- Demonstrating Tamper Detection with Heads
We are excited about the future of Heads on Librem laptops and the extra level of protection it can give customers. As a result we’ve both been writing about it a lot publicly and working on it a lot privately. What I’ve realized when I’ve talked to people about Heads and given demos is that many people have never seen a tamper-evident boot process before. All of the concepts around tamper-evident boot are pretty abstract, and it can be difficult to fully grasp how it protects you if you’ve never seen it work.
We have created a short demo that walks through a normal Heads boot process and demonstrates tamper detection. In the interest of keeping the demo short I only briefly described what was happening. In this post I will elaborate on what you are seeing in the video.
- Stop Using Six Digit Numeric iPhone Passcodes Right Now
Security Leftovers
Submitted by Roy Schestowitz on Wednesday 18th of April 2018 05:44:38 AM
- Security updates for Tuesday
- McAfee's Upgraded Cloud Security Protects Containers [Ed: Looks like marketing/spam from ECT]
- Has a Russian intelligence agent hacked your wifi? [iophk: "AV is not relevant; there are two main ways to avoid malware: *BSD and */Linux"]
In short, a global, invisible, low-level conflict is taking place across the internet and it is possible that your router has been conscripted as a foot soldier. Maybe it is worth getting your firewall and antivirus checked out after all.
- 55 Infosec Professionals Sign Letter Opposing Georgia’s Computer Crime Bill
In a letter to Georgia Gov. Nathan Deal, 55 cybersecurity professionals from around the country are calling for a veto for S.B. 315, a state bill that would give prosecutors new power to target independent security researchers.
This isn’t just a matter of solidarity among those in the profession. Georgia represents our nation’s third largest information security sector. The signers have clients, partners, and offices in Georgia. They attend conferences in Georgia. They teach and study in Georgia or recruit students from Georgia. And they all agree that S.B. 315, which would create a new crime of "unauthorized access," would do more harm than good.
Security and FUD Leftovers
Submitted by Roy Schestowitz on Tuesday 17th of April 2018 12:25:55 PM
- Security updates for Monday
- How one woman is helping others overcome "hacking [sic] abuse"
"It is extremely rare for victims who have been threatened by their attackers to actually have compromised devices," Galperin said. "Because if an attacker has compromised their device they usually want to keep quiet about it so they can keep getting the information."
- 2.6 Billion Data Records Compromised in 2017, Gemalto Reports [Ed: Marketing disguised as research from Gemalto today. Just hoping you forgot about their NSA breach.]
- Survey finds frequent critical vulnerabilities in serverless open-source applications [Ed: Competing over who can bash FOSS the most/best to attract businesses, helped by complicit 'journalists']
- Large scale data breaches provide drive for DevSecOps investments [Ed: So-called ‘journalists’ as agents (PR) of Sonatype based on a press release that stigmatises FOSS]
- Application breaches jump 50pc as DevOps security bites
The firm published the findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals which shared practitioner perspectives on evolving DevSecOps practices, shifting investments and changing perceptions.
- Survey finds data breaches are catalysts for DevSecOps investments
- Developers Outnumber Security Pros 100:1 as Breaches Grow
Breaches related to open source components in applications have soared by 50% since 2017, according to a new study from Sonatype urging developers to adopt DevSecOps practices.
- Windows servers running IIS 6.0 targeted by crypto-mining hackers [sic]
First identified by two researchers in China in March 2017, the CVE-2017-7269 vulnerability allows hackers [sic] to install a malware strain on the IIS 6.0 service.
Security: Open Source Security Podcast, Old JavaScript Crypto Flaw and New FUD-based Marketing
Submitted by Roy Schestowitz on Monday 16th of April 2018 09:48:24 AM
- Open Source Security Podcast: Episode 92 - Chat with Rami Saas the CEO of WhiteSource
- Old JavaScript Crypto Flaw Puts Bitcoin Funds at Risk
Security researchers are warning that old Bitcoin addresses generated in the browser or through JavaScript-based wallet apps might be affected by a cryptographic flaw that allows attackers to brute-force private keys, take control of users' wallets, and steal funds.
The vulnerability resides in the use of the JavaScript SecureRandom() function for generating a random Bitcoin address and its adjacent private key (equivalent of a password).
- Sonatype Survey Reveals Massive Data Breaches are Catalysts for DevSecOps Investments [Ed: When the only feasible way to market your product is saying stuff like "open source breaches jump 55%"?]
Security: Cleartext Passwords, Windows Problems, and Meltdown Patches/Performance
Submitted by Roy Schestowitz on Sunday 15th of April 2018 10:25:14 PM
- cleartext passwords and transparency
So let me just jump in with Lars' blog post, where he talks about cleartext passwords. While he has actually surmised and shared what a security problem they are, the pity is we come to know of this only because the people in question tacitly admitted to bad practises. How many more such bad actors there are, developers putting user credentials in cleartext, God only knows. There was even an April Fool’s joke in 2014 which shared why putting passwords in cleartext is bad.
- 911 operator suspended over teen’s death griped about working overtime
Plush called 911 again around 3:35 p.m., this time giving Smith a description of the vehicle, a gold Honda Odyssey in the parking lot at Seven Hills — information that never made it to the officers at the scene.
“This is not a joke,” the teen told Smith. “I’m almost dead.”
Smith tried to document the call when it came in but her computer screen had frozen, preventing her from entering information immediately, the review found.
- Defense contractors face more aggressive ransomware attacks
The rise of ransomware attacks against defense contractors coincides with a rise in the use of ransomware in general. Attacks can spread even after the original target has been hit, hurting unintended victims.
- A Look At The Meltdown Performance Impact With DragonFlyBSD 5.2
Besides looking at the HAMMER2 performance in DragonFlyBSD 5.2, another prominent change with this new BSD operating system release is the Spectre and Meltdown mitigations being shipped. In this article are some tests looking at the performance cost of DragonFlyBSD 5.2 for mitigating the Meltdown Intel CPU vulnerability.
With DragonFlyBSD 5.2 there is the machdep.meltdown_mitigation sysctl for checking on the Meltdown mitigation presence and toggling it. Back in January we ran some tests of DragonFlyBSD's Meltdown mitigation using the page table isolation approach while now testing was done using the DragonFlyBSD 5.2 stable release.
- A Last Minute Linux 4.17 Pull To Help Non-PCID Systems With KPTI Meltdown Performance
While the Linux 4.17 kernel merge window is closing today and is already carrying a lot of interesting changes as covered by our Linux 4.17 feature overview, Thomas Gleixner today sent in a final round of x86 (K)PTI updates for Meltdown mitigation with this upcoming kernel release.
This latest round of page-table isolation updates should help out systems lacking PCID, Process Context Identifiers. The KPTI code makes use of PCID for reducing the performance overhead of this Meltdown mitigation technique. PCID has been around since the Intel Westmere days, but now the latest kernel patches will help offset the KPTI performance impact for systems lacking PCID.