Security Leftovers

Filed under: Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time — which means that writing every single line of code from the ground up is often not a sustainable practice. As NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

More in Tux Machines

Netrunner Rolling 2019.04 released

The Netrunner Team is happy to announce the immediate availability of Netrunner Rolling 2019.04 – 64bit ISO.

Skrooge 2.19.0 released

The Skrooge Team announces the release 2.19.0 version of its popular Personal Finances Manager based on KDE Frameworks.

LibreOffice vs Apache OpenOffice: how to choose the right free office suite for you

When it comes to free office software, there are two main choices: LibreOffice and OpenOffice (or, to give it its proper name, Apache OpenOffice). The two are remarkably similar, so how can you choose the right one for you? First, it's worth thinking carefully about whether you need desktop office software at all. Provided you have an internet connection, Google Docs, Sheets and Slides might offer everything you need, without the need to install anything, and with the extra bonus that everything you create will be automatically saved to the cloud. No more lost documents, or having to email work to yourself.

today's leftovers

  • Plop Linux 19.1 released
  • How do you say SUSE?
    SUSECON 2019 has come and gone and was definitely one for the books. Whether you were able to attend the event in person or not, you can still view plenty of videos and content that was shared at the event. One of my favorite videos from the week was “How do you say SUSE”, which comically reminded attendees how to properly say “SUSE.” Don’t quite know exactly how to pronounce SUSE? We’ve got you covered… Broadway musical style. The keynote videos from each day are not to be missed, as well as the series of amazing music parody videos that have recently been created. One of the major takeaways this year was the recent announcement that as of March 15, not only did SUSE become an independent company, we are now the largest independent open source company in the industry.
  • In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access
    Since the late Linux 2.6 kernel days there has been the CONFIG_DMESG_RESTRICT Kconfig option (renamed CONFIG_SECURITY_DMESG_RESTRICT for the past number of years) to restrict access to dmesg in the name of security, preventing unprivileged users from reading this system log. While it's been brought up from time to time, Linux distributions are still generally allowing any user access to dmesg even though it may contain information that could help bad actors exploit the system. The primary motivation of CONFIG_SECURITY_DMESG_RESTRICT, and of the associated sysctl tunable (dmesg_restrict), is to keep unprivileged users from reading the kernel log, so as to avoid possible kernel memory address exposures among other potentially sensitive information about the kernel that could help anyone trying to exploit the system. But even with these options having been available for years, most Linux distributions leave dmesg open to any user.
  • Is Email Making Professors Stupid?
    I can think of at least three strong arguments for why higher education should be that industry, significantly restructuring its work culture to provide professors more uninterrupted time for thinking and teaching, and require less time on email and administrative duties.

  • What is ZIL anyway?
    The Infocom ZIL code dump has kicked off a small whirlwind of news articles and blog posts. A lot of them are somewhat hazy on what ZIL is, and how it relates to MDL, Lisp, Z-code, Inform, and the rest of the Golden-Age IF ecosystem.

    So I'm going to talk a lot about it! With examples. But let's go through in chronological order.

  • Death by PowerPoint: the slide that killed seven people

    Edward Tufte’s full report makes for fascinating reading. Since being released in 1987 PowerPoint has grown exponentially to the point where it is now estimated than thirty million PowerPoint presentations are made every day. Yet, PowerPoint is blamed by academics for killing critical thought. Amazon’s CEO Jeff Bezos has banned it from meetings. Typing text on a screen and reading it out loud does not count as teaching. An audience reading text off the screen does not count as learning. Imagine if the engineers had put up a slide with just: “foam strike more than 600 times bigger than test data.” Maybe NASA would have listened. Maybe they wouldn’t have attempted re-entry. Next time you’re asked to give a talk remember Columbia. Don’t just jump to your laptop and write out slides of text. Think about your message. Don’t let that message be lost amongst text. Death by PowerPoint is a real thing. Sometimes literally.