Featured Blogs
Welcome to the Linux Security Blog section! We continually scour the blogosphere to find informational and well-written blogs that cover Linux and security. To give you a better idea of how we come to our choices, here are some of our criteria:
Must have Linux/Open source as a component in >50% of all posts.
Must have security as a component in >50% of all posts.
Must be updated at least twice a week. We are looking for blogs, not conveniently updated sites. This is tracked, and if no post is made for 2 weeks, we remove it.
Additionally, each month we will feature three of the best stand-out blogs, highlighting the best of what the Linux and security blogosphere has to offer.
Feel free to contribute one of your favorite sites by sending an email to contribute@linuxsecurity.com
I had recently written about the anticipated release of Gimp 2.8 which brings revolutionary changes to the Gimp user interface and lots more under the hood. However, as of now, if you want to download and try Gimp 2.8 you have to do one of the two things, namely - Read more »
Linus Torvalds Bags the 2012 Millennium Technology Prize
Linus Torvalds has been awarded the 2012 Millennium Technology Prize. The award is offered by a Finnish foundation called Technology Academy Finland (TAF). TAF promotes scientific research and innovation to develop new technology which is based on humane values and has a positive impact on quality of life. Read more »
Raspberry Pi - A Detailed Review of the Product
Remember Raspberry Pi? The credit-card-sized $35 computer that comes preloaded with a customized Linux distribution?
The Raspberry Pi Foundation (the people behind this project) have released 2 models. Model A costs $25 and Model B costs $35 excluding taxes. Read more »
Thomas Mackenzie has reported a vulnerability affecting Wordpress >= 2.9. Versions before 2.9 are not vulnerable.
tmacuk quote:
Since version 2.9 a new feature was implemented so that users were able to retrieve posts that they may have deleted by accident. This new feature was labelled "trash". Any posts that are placed within the trash are only viewable [...]
WordPress Trackback < 2.8.5 Denial of Service
If you are running WordPress < 2.8.5 and finding your blog inaccessible at times this post may be for you.
A denial of service vulnerability was disclosed back in Oct 2009 that affects WordPress < 2.8.5.
The exploit sends a continuous stream of POST requests with overly large blog titles to wp-trackback.php. This could result in the [...]
Distributed WordPress Password Guessing
One of The Internet Storm Center readers recently discovered a malicious WordPress hacking script.
The script is nothing more than a password guessing tool. However, what makes it unique, as pointed out by ISC, is the fact that it uses a MySQL database backend to store password attempts. This means the script could be executed [...]
NfSpy - ID-spoofing NFS Client Tool - Mount NFS Shares Without Account
We wrote about this tool originally last year - NfSpy - ID-spoofing NFS Client - Falsify NFS Credentials - and a new version just came out! NfSpy has just been updated to support NFSv3, a more efficient and widespread protocol than the previous NFSv2. NfSpy is a FUSE filesystem written in Python that automatically changes [...]
Read the full post at darknet.org.uk
Android Trojan Targets Japanese Market - Steals Personal Data
Early last year we wrote about China Facing Problems With Android Handsets & Pre-installed Trojans, then later last year there was a possibility Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages. The latest news about Android malware is malicious apps that are in the official Google marketplace (called Play)...
Read the full post at darknet.org.uk
web-sorrow - Remote Web Security Scanner (Enumeration/Version Detection etc)
web-sorrow is a Perl-based tool used for checking a web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework. Current functionality: -S stands for standard, a set of standard tests that includes indexing of directories...
Like everyone on the planet, I am sent free phish every day. Since I can't turn these into loaves or wine, I usually don't waste time on them. Today's phish caused me to reminisce, and when I reminisce, I get curious, so I looked further. First, here is the phish:
A document was scanned and sent to you using a Hewlett-Packard JET ON4412867S
Sent to you by: KRYSTIN Pages : 6 Filetype: Image (.jpeg) View http://donteverclickalinkinemail.example.com/oCzgKm43/index.html
Location: NPSK1.4FL. Device: OP218S5OD2054128
Mailprint: d72e6d72-e624bbbb
Really, I think it's been years since I last saw this type of phish. The initial URL runs through three secondary URLs (a .com, a .ro, and a .ir) that in turn point to a single host (173.44.136.197). At the time of this phish all three secondaries and the host were alive and serving the scam.
[Image: the payload when I researched the .ro link (fetched with curl) at 16:43 PDT]
[Image: the payload reported by another blogger, dynamoo]
[Image: the payload now on the .ir link] Note that the folks in IR appear to have now blocked the scam, or are running something else; I am leaving their CGI alone.
According to wepawet the payload contains two vulnerabilities first reported in 2010, here, and here. The Adobe Reader vulnerability applies up to version 9.3 and the Microsoft one applies to Win2003sp2. So that's a decent target space.
"Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say."
This sounds a lot like "FBI Admits Hacker Group's Eavesdropping." So after at least three years we still haven't learned how to keep our secure conference calls, well, um, actually secure, but that's a digression.
The article on the Joint Strike Fighter (JSF) goes on: "...need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking."
The JSF's software systems had serious vulnerabilities: "Defense analysts note that the JSF's information system was not designed with cyberespionage, now called advanced persistent threat, in mind." The JSF's Multifunction Advanced Data Link (MADL) was dropped entirely because of reported "money issues."
We were building one of the most "computerized" and "networked" fighter planes in the world. Imagine if the plane had gone into production with those serious software vulnerabilities and was open to attack via its own aerial network. It's not like adversaries haven't already demonstrated their ability to hack our communications channels in the field to hijack drone telemetry and video, and perhaps to crash them.
If there is a silver lining here, it's that when the JSF does fly its systems will be better protected against software vulnerabilities and it won't be broadcasting an SSID, although a Mach-2 WAP would have been pretty cool.
I'll tell you what I want, what I really, really want from a Cloud Provider
Elastic: scale up or down automatically within the limits I set.
Available: stand up to hurricanes, DDoS, and replication storms. Your mistakes should never be my problem.
If you want my data, you better make it secure
Auditing: network and management
Network: I need to audit and/or inspect all the traffic between my systems. This includes but is not limited to traffic between users, systems, and applications, even where they share the same physical host and virtual switch.
Management: I need to see all management events that may impact the security or configuration of my systems. This includes but is not limited to privileged access to my systems or data through the hypervisor or cloud management APIs.
Control: policy and assurance
Policy: I need to express and apply security policies via a method that is both human-understandable and translatable into a machine-interpreted language.
Assurance: I need to know when an event or incident occurs that violates a policy, and I need a method for testing that controls exist and are effective for enforcing my policies.
Metrics: continuous and interoperable
Continuous: Per our agreed standards of measurement I must be able to quantify the security attributes of my system. This may include but is not limited to measurements for: vulnerability, configuration, performance, incident detection, incident response, and incident containment.
Interoperable: All security-relevant data and events must be available in a documented machine-readable format. It should either comply with standards such as Cyberscope and SCAP or with my preferred GR&C system.
If you want my money, you better not ask for much
Value: Not just cheaper than if I do it myself. Your services should give my organization new capabilities to meet our objectives. These capabilities could include user experience, logistic support, and accessibility...
No lock-in: I should be able to easily move my data and workloads back inside my enterprise or to one of your competitors.
It's easy to learn the basics of video editing, especially in Linux! This software is based on the FFMPEG and MLT frameworks, so it can handle almost any video file format you throw at it. This quick tutorial will teach you how to put together a video complete with titles, transitions and effects. The program I used is called Kdenlive; it's like Sony Vegas, except it's free and open-source!
Unfortunately in Linux, certainly Ubuntu, the default GUI file search is not always useful. With just a small amount of patience you can find files quickly and easily using the command line, and your options for this are really powerful if you want to learn a bit about it.
The easy, quick command is called "locate." To use this command at the terminal you simply type:
$ locate -i searchstring
This will search for all files and directories with "searchstring" in the name, and -i means the search is not case sensitive (i.e. it will find searchstring, Searchstring, sEaRcHsTrInG, and so on). The results are instantaneous because the system has created a database (also known as an index) to tell you where files are located. The only problem is that newly created or moved files may not be found correctly until the next database update, and you don’t have many options to choose from for your search. (forcing locate to update the database/index is done with $ sudo updatedb, and it doesn’t take a lot of time)
Example:
$ locate -i kdenlive.desktop
There is a much more powerful command available to you called "find." You can tell "find" where to look, what criteria to use in its search, and what actions to take once you have found what you are looking for. The syntax for "find" is:
$ find [where to look] [search criteria] [actions]
If you don't add any parameters, find defaults to searching the current working directory (or "."), uses no search criteria (so it shows all files), and uses -print (which, despite its name, displays, or "prints," the results on screen) as the only action to take.
Two examples:
$ sudo find / -type f -mmin -10
This example will find (starting at the root directory, or /, and recursively searching subdirectories) all normal files (-type f means normal files; without this it will find normal files + special files + directories) which were modified less than ten minutes ago (-mmin -10), and then display the results for you. This would be useful if you know you edited a file recently but don't know where you put it, or have to find a log file for a program that crashed. I use sudo here because find does not search files/directories that the current user does not have permissions for, and it will return error messages for them. However, you should use caution when using sudo.
$ find ~ -iname "*xxx*" -exec mv -v {} /media/pr0n/ \;
This will find everything in your home directory (~) with a name, case insensitive (-iname), containing xxx ("*xxx*") and execute (-exec) a move (mv) of the results ({}) to /media/pr0n/ (\; is required by -exec to mark the end of the command to be executed). So all your downloaded porn will be moved to the same place. mv -v displays the results of the move command with (-v)erbose messages. One more warning about -exec: it is powerful, but used without care you can overwrite your whole home directory or whole disk, so be careful!
For those of you who simply can’t do without a GUI, you can find the program catfish in the repositories – this enables you to run both locate and find from a graphical front-end, but it is very limited in options. Think of it as an equivalent to Windows Search. If you want the full power of find, you’ll need to run it from the command line!
A big thanks to BigWhale (http://www.twm-kd.com/) for helping me find my footing with the find command.
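As an added example (not part of the original post), the script below exercises both find patterns from the tutorial against a constructed throwaway directory tree, so you can see what -type f, -mmin -10 and -exec actually select before pointing them at a real home directory. It assumes GNU/BSD find (for -mmin) and adds -type f to the -exec example, which the original command does not have, so that only regular files are moved.

```shell
#!/bin/sh
# Added example, not from the original post: a sandbox for the two "find"
# commands in the tutorial. Everything here is constructed on the fly.

# Build a throwaway tree. One file is backdated so that "-mmin -10" excludes it.
make_sandbox() {
  sandbox=$(mktemp -d)
  mkdir -p "$sandbox/docs" "$sandbox/Videos"
  printf 'old notes\n' > "$sandbox/docs/notes.txt"
  printf 'fresh report\n' > "$sandbox/docs/report.TXT"
  printf 'clip\n' > "$sandbox/Videos/holiday XXX clip.mp4"
  # POSIX "touch -t CCYYMMDDhhmm": set mtime to 1 Jan 2020, far more than
  # ten minutes ago, so this file drops out of the "recently modified" set.
  touch -t 202001010000 "$sandbox/docs/notes.txt"
  echo "$sandbox"
}

# Same idea as "sudo find / -type f -mmin -10" in the tutorial, scoped to one
# directory: regular files only (-type f) modified less than ten minutes ago.
recent_files() {
  find "$1" -type f -mmin -10
}

# Count of the above, as a plain number so it can be checked by a test.
count_recent() {
  recent_files "$1" | wc -l | tr -d ' '
}

# Same idea as the tutorial's "-iname ... -exec mv -v {} ... \;" example.
# Safety habit: run the same search with plain -print first to preview the
# match list, and only then attach the destructive -exec action. "{}" is
# substituted as a single argument per match, so names with spaces survive,
# and "\;" terminates the command handed to -exec.
move_matching() {
  src=$1; pattern=$2; dest=$3
  echo "Preview of files that would be moved:"
  find "$src" -type f -iname "*$pattern*" -print
  find "$src" -type f -iname "*$pattern*" -exec mv -v {} "$dest" \;
}

# Stand-alone demonstration: build the tree, list recent files, move matches.
main() {
  box=$(make_sandbox)
  out=$(mktemp -d)
  echo "Files under $box modified in the last ten minutes:"
  recent_files "$box"
  move_matching "$box" xxx "$out"
  echo "Contents of $out after the move:"
  ls -l "$out"
  rm -rf "$box" "$out"
}

main
```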
This guide works for the gnome desktop manager (used by Ubuntu and other Linux distributions).
First we go to Gnome-looks. This is a large collection of themes and other artwork that can be used to make gnome look any which way you like. From there we select and download a theme. Since many people have asked what theme I use, I chose my theme, SlicknesS-black, for the example. Once we’ve downloaded our theme and saved it to the desktop, we will then extract it to the desktop.
Once it is extracted, in the terminal we enter the following commands to copy the theme files to the shared theme directory (where the themes manager looks for it) and change the permissions to make it available to all users of the computer:
Remember, file and directory names are case-sensitive in Linux, so be careful to use the correct case.
Next we open the theme manager (in this case System -> Preferences -> Appearance -> Themes) and we should see our new theme listed there!
For Ubuntu users only – you may notice if you choose to install SlicknesS-black an error that states the engine “ubuntulooks” is not found. If that is the case enter the following command in the terminal to install the missing theme engine:
$ sudo apt-get install gtk2-engines-ubuntulooks
Enjoy your new theme!
(The wallpapers I use can be found at beautifulfractals and are available under the Creative Commons license)
One of the perks of working for CA Technologies is the ability to work from home full-time. I've been doing this for almost a year now and while I don't miss my old hour-each-way commute, I sometimes miss the people. (No offense to my dog, Henry, who is great company here at the house.)
Thankfully, there are a number of tools and technologies to keep me connected with my colleagues around the country. We use Microsoft Communicator for instant messaging and I can dial into the corporate phone bridge without looking at the keypad, both of which I rely on for the connection to the outside world. But sometimes you miss actually seeing people.
Measuring Service Quality in the Cloud
Quantifying business service performance can represent a bit of a challenge for IT organizations supporting sophisticated environments and relying on external service providers in part to deliver IT services to end users and customers. The Service Measurement Index (SMI) could be the answer for high-tech organizations struggling to understand how services perform across hybrid cloud environments.
The growing popularity of cloud computing and the trend toward sending services outside of the company is causing some to wonder how they can gauge performance off premise. Some companies are opting to develop private clouds, others rely mostly on public cloud offerings, but many are choosing the third option: hybrid cloud environments. That means not only are IT organizations providing business services across an internal infrastructure, but they are also depending upon third parties to deliver services to end users and customers. While there may be obvious operational, cost and other benefits, monitoring and measuring the performance of these services across disparate environments could stump some IT leaders and prevent them from realizing the full value of cloud services.
This problem certainly isn't new, even if it is taking a fresh form under the cloud moniker. Applications teams have long worked toward better understanding application performance, in particular from the end-user perspective. Efforts put into measuring how an internal user might encounter an application versus someone logging in remotely help those teams design better applications. And network teams have had to determine how an Internet service provider impacted the speed of the network across multiple locations, from the local-area to the wide-area network. These types of measurement efforts and performance metrics now must be applied to the cloud.
Rolling Out a New App? How to Avoid 3 Performance Pitfalls
New applications bring the promise of increased productivity, happier end users and better business benefits. But if the new app stalls on the network, IT managers will only be hearing about the problems the technology causes.
Casey Louisiana, sales engineer at Network Instruments (a CA Technologies partner), meets with customers regularly as they work to deploy applications and keep the network running smoothly. He says there are a few common situations that happen frequently, which could be easily avoided. Here he offers a few fixes for these often overlooked areas when rolling out a new application.
Configuring Quality of Service
Often, when IT departments are looking to add, say, voice over IP to their application mix, quality of service becomes an afterthought. With different management metrics for traffic (for instance, voice and data behave differently) and various prioritizations for some application traffic, IT managers don't always configure routers, switches, servers and the like to optimally handle the traffic.
How to extract squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Liars & Outliers Update
Liars & Outliers has been available for about two months, and is selling well both in hardcover and e-book formats. More importantly, I'm very pleased with the book's reception. The reviews I've gotten have been great, and I read a lot of tweets from people who have enjoyed the book. My goal was to give people new ways to think...
TSA Behavioral Detection Statistics
Interesting data from the U.S. Government Accountability Office: But congressional auditors have questions about other efficiencies as well, like having 3,000 "behavior detection" officers assigned to question passengers. The officers sidetracked 50,000 passengers in 2010, resulting in the arrests of 300 passengers, the GAO found. None turned out to be terrorists. Yet in the same year, behavior detection teams apparently...
Rejecting paid reviews - the ethical dilemma. Tonight I did, and here's why...
It's always an honour when a software developer wishes to pay you to review their creation on your website. It represents a financial investment on their part; a leap of faith even. They might end up paying $100 for an honest but damning review of their product, condemning its very existence.
As such, tonight, I've declined my first ever review.
I have a good history of reviewing things
I'm always honest and almost never 100% positive. Whatever I do I aim to be constructive and this allows the creator a return on their investment. Aside from the SEO boost of the keyword-rich back-links they also get a brutally honest opinion from someone experienced in this field.
Tonight I was requested to review a piece of software, a key-logger to be precise. I won't link the exact one in question because that would be entirely unfair on the developer, but ethically I can't review something I don't agree with in principle.
Key loggers are legitimate pieces of software and technically have good reason for existing; they allow parents to keep a passive view of what their kids are doing on the Internet. However, even overlooking all the potential misuse of such software, I personally think that key-loggers are too invasive - even for family security.
Aside from the wonders of denial, you really don't want to know what your kids are searching for or saying on the Internet.
You really don't. I'm not a parent but I was once a teenage boy with Internet and I know first hand that it's better for all involved if the life lessons learned were done so privately.
I simply don't trust software that has to work so hard to convince you that it has legitimate purposes.
As such, this brings me to my point.
As a blogger with aspirations of making money online, you need to make decisions like these. Do you accept whatever offers come your way because they help you achieve your goals, or do you stick to your ethical guns?
In this instance I stuck to my guns and have no second thoughts about doing so. I always review honestly and I wouldn't be giving the software developer value for money if I object to the fundamental nature of the application; then they're just paying for me to announce why I don't like key-loggers.
So ask yourself the same question - if you're blogging in the pursuit of making money, are there things you're not prepared to do?
Concrete5: The best open source CMS you aren't using yet
One of the biggest challenges as a web developer is finding a content management system that you're happy with. Or indeed, a suite of them suitable for the wider range of clients and projects you encounter. I've recently become a fan of Concrete5, but it isn't without its flaws.
Let's take a step back and address what I need.
For small, simple content-managed sites there's Wordpress. Easy for clients to use, relatively easy to template and pretty scalable. Well documented and open-source means that clients aren't tied to some proprietary system, and that's how I like it. If either of us isn't happy with how the relationship is going then their site can be managed by any respectable PHP developer.
However, once you start getting more involved requirements, Wordpress can seem a bit cosy very quickly. You either need to make bespoke extensions (plugins) or become tangled in a web of increasingly rich taxonomies (managing everything as posts); Wordpress has its limitations. It's this next, non-enterprise tier that is such a desirable territory for a CMS to reside in.
Concrete5 is the prettiest, most intuitive CMS I've used
By default, C5 has a really rich feature-set and class-leading editing. Things like Drupal and Silverstripe are technically more powerful but are both hampered by interfaces which would confuse and annoy clients. Granted, this comment normally unleashes the hatred of the Drupal developers but I'm still waiting for a demonstration that is client-facing and intuitive. Powerful it is, but the admin area is not for the digitally shy.
Concrete5 has two really wonderful features which tend to win favour with clients:
1/ Put any kind of block wherever you like
Clients love the notion that they can put any kind of content in any kind of content region. As a developer this makes me happy too. It means if I'm sensible in how the template is created, the primary content region negates the need for 4-5 other templates (as other CMSs may need). Clients can then put rich text, YouTube videos, dynamically generated forms, etc. straight into the page using simple interfaces - no pasting of HTML here.
2/ Edit in-page
Contextual editing always sits better with clients than editing content away from the page. It means they can quickly see how their content maps into the page region, rather than dumping content into a WYSIWYG editor in the administration area somewhere and trusting it'll appear fine in the page. C5 launches an overlay for you to enter content into; submit that and it shows you the content in situ. Clients like this. Clients get this. Therefore I like this.
It's not all roses though, some bits need improvement
While C5 is the best I've used (by some measure), there are a few frustrating elements. The documentation is light and you tend to rely on the community to have posed and solved your exact problem - which isn't always the way. This can make working with C5 for the first time quite a frustrating experience - so there can be a bit of a learning curve when you break out of conventional requirements.
Structured data-sets would make this unstoppable
The single biggest gripe I have with C5 is that it is frighteningly close to "the answer" but isn't quite there. Every content-managed website I've ever built for a client needs some form of "extra bit": an interactive Google Map with office addresses, news, events, etc. Some of these can be achieved conventionally, but invariably you need to create some form of data structure which you can then use PHP to query. C5 doesn't natively give you this. Yet it's close.
To create a content-managed list of offices (say, name, address, latitude, longitude) you need to create a "package" to do this. Which means creating a new database table, then code the edit interface for this in the admin area (adhering to a loose MVC setup), then retrieve this through PHP for whatever front-end use you need.
However, C5 has this notion of "blocks", which are lumps of content. You can create new block-types, so you can define a block for "office" consisting of four text-fields. C5 handles the storage of this (negating any bespoke DB changes). C5 handles the editing and validation of this (through the native interface). Hell, using the Scrapbook or Stacks you can even group these things together. You just can't query them.
For C5 to achieve greatness, it needs to add this one piece of functionality
We can already design new block types; we just need some kind of wrapper to simplify the querying and output of them. It seems pointless to continually write new packages to store content that the CMS is already able to, and to write new models to retrieve it, when this could all be centralised.
If a wrapper was written to allow you to create "collections" of single-type blocks, which you could query for given attributes with the normal helpers available (pagination being a key one) the amount of bespoke extensions needed to make the CMS full-featured would decrease dramatically per instance.
Concrete5 conclusion
I love lots of things about C5. Creating custom views for blocks, default-blocks for pages and the big lumps of native functionality make it a really easy system to work with. Clients love the simple, intuitive interface. It handles basic workflow and permissions gracefully. It's really easy to theme and, assuming you're decent at PHP, it's not difficult to create new packages for. It's let down by light documentation and being perilously close to victory - add collections and it'll be there.
It's unquestionably the CMS against which all competitors are evaluated for me now, and it has won every comparison thus far.
Review: Online Logo Maker (and the online icon maker)
I'm always excited to undertake sponsored reviews because it forces me to look objectively at a website, piece of software or service that I may not have encountered otherwise. This time I've been approached by the creator of the Online Logo Maker.
One of the most important things to announce when looking at this application is that it's a free web-app. It's not even monetized so that always helps me calibrate how I review. If someone is charging $100 for a license then you expect it to be brilliant, whereas free things you are willing to accept flaws. It's simple.
So what is the Online Logo Maker? It is what it says on the tin. It's a basic online application which allows you to drag together uploaded images, stock clip-art and text into a downloadable logo.
How much control do you get? You can adjust the size, layout, colour and rotation of any element you add to the stage. You can add basic geometric shapes (although while you can increase their size, the rounded corners don't adjust to these changes, so it is very basic vector-based work). You can upload images too, which would help you break out of the fairly basic clip-art on offer.
Is it useful? This is the important question here. It's a fantastic tool, easy to use and fairly customisable, and yes, I would say it's useful, but only for a certain tier of work. Ultimately an online application is never going to have the level of quality and control that you'll need to create a fully accomplished logo for a proper business. Let me explain in greater detail...
Fonts
It's hard to overstate the importance of fonts and typography in logo design. The impressive functionality of the tool notwithstanding, it needs more professional fonts. The ones on offer are more suitable for low-end local business logos than for polished organisations or websites. Whether or not it's a licensing issue (fonts can be tricky), introducing the same set that Google offer as part of their web fonts would be a great addition. The selection on offer is too restrictive to be useful - aside from Arial there are no fonts I'd consider suitable for a professional organisation. So my constructive criticism here would be to improve the offering in line with the ones Google offer.
Clip-art
While a great addition, allowing you to draft a logo together quite rapidly, the selection covers a wide range of topics but unfortunately they are absolutely representative of the clip-art stereotype. Imagine the ones you're offered inside Microsoft Office and you're somewhere in the right ballpark. If the set could be increased with a new/wider set, even if some fairly generic shapes were added (such as cubes and orbs, the kind of things you see in generic logos), then it would be more useful.
What is it useful for?
Well, it is a good product and whilst not perfectly suited to professional logo creation, it's a great platform for drafting together quick logos (for concepts, wireframes, etc). You can very quickly start pulling ideas together using this tool and the level of customisation means you really can create multiple concepts rapidly. Until the font situation improves I think you'd struggle to use it as part of a legitimate design strategy.
Online Icon Maker
In parallel to the online logo maker there is the online icon maker, which is a beautifully simple free tool that takes a strict set of icons and modifies them with your required text and colours - which is actually probably more useful than the tool I was asked to review. There are six icons on offer and the customisation is perfect. You can adjust the text (and text colour) and the two gradient colours used on the icons. Simple! As with the logo maker, this tool is also free.
In summary, two excellent tools, but the first is flawed by a predictable clip-art set and restrictive fonts. Definitely useful, both of them, and definitely items to keep an eye on. Visit the Online Logo Maker. Visit the Online Icon Maker.