EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668

Multiple vulnerabilities in VMware products (Feb 1)
VMware has advised of a number of vulnerabilities in several of its products, including ESX, Server, VirtualCenter and vCenter. According to the company, a number of the issues relate to problems in the Java Runtime Environment (JRE) and several of the 47 vulnerabilities can be used by an attacker to compromise a system. http://www.linuxsecurity.com/content/view/151566

EFF online tool reveals 'fingerprint' browsers leave on the Web (Feb 1)
The Electronic Frontier Foundation has created an on-line tool that details the wealth of information a Web browser reveals, which can pose privacy concerns when used to profile users. http://www.linuxsecurity.com/content/view/151565

Online Credit/Debit Card Security Failure (Feb 1)
Ross Anderson reports (via Bruce Schneier's blog):
Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it. http://www.linuxsecurity.com/content/view/151564

Experts fret over iPad security risks (Feb 1)
Apple's much hyped iPad tablet may come tightly locked down but the device is still likely to be affected by many of the security issues that affect the iPhone, as well as some of its own.
Security experts polled by El Reg were concerned about a variety of risks, in particular phishing attacks and browser exploits. http://www.linuxsecurity.com/content/view/151563

CIA, PayPal under bizarre SSL assault (Jan 31)
The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that's bombarding their websites with millions of compute-intensive requests. http://www.linuxsecurity.com/content/view/151561

Researchers Devise Chip and PIN Crack (Jan 31)
Here is a hugely popular article on LinuxSecurity.com from 2007 that is even more true today.
Two Cambridge researchers have devised a relay attack with a hacked chip and PIN terminal that could enable attackers to bypass bank card security measures.
Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, demonstrated in January how they could modify a supposedly tamper-proof chip and PIN terminal to play Tetris. They have now extended the hack to demonstrate how they can compromise the system by relaying card information between a fake card and a genuine one. http://www.linuxsecurity.com/content/view/126898

Google Attack Highlights 'Zero-Day' Black Market (Jan 29)
The recent hacking attack that prompted Google's threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws -- and renewing debate over buying and selling information about them in the black market. http://www.linuxsecurity.com/content/view/151553

House leaders move swiftly to launch probe of hackers (Jan 29)
House Speaker Nancy Pelosi, D-Calif., and Minority Leader John Boehner, R-Ohio, have demanded "an immediate and comprehensive assessment" of how computer hackers were able to attack nearly 50 House Web sites Wednesday night after President Obama's State of the Union speech. http://www.linuxsecurity.com/content/view/151552

FBI Arrests Alleged Cable Modem Hacker (Jan 29)
U.S. federal authorities arrested a 26-year-old man on Thursday for allegedly selling modified cable modems that enabled free Internet access, according to the U.S. Department of Justice. Matthew Delorey of New Bedford, Connecticut, is charged with one count of conspiracy and one count of wire fraud. If convicted, he could face up to 20 years in prison for each charge, and a $250,000 fine. http://www.linuxsecurity.com/content/view/151551

Data breach report reveals need to boost internet security (Jan 29)
Research carried out by the University of Bedfordshire in conjunction with 7Safe, the IT forensics specialist, has found that there are a number of areas where organisations are commonly neglecting internet security and being rewarded with a data loss incident. http://www.linuxsecurity.com/content/view/151550

We Don't Hack (Jan 29)
More than 1 million Chinese IP addresses were controlled by foreign sources and hackers attacked 42,000 websites last year. A Ministry of Industry and Information Technology (MIIT) spokesperson told Xinhua News Agency on January 24 that China is the biggest victim of Internet-based hacking attacks. The country, the spokesperson said, has enacted laws that make all cyber attacks illegal and is willing to work with international partners to promote Internet security and fight against hacking. http://www.linuxsecurity.com/content/view/151549

Black Hat DC: Researchers To Release Web Development Platform Hacking Tool (Jan 29)
A technique used in Web application development platforms that provides a constant look-and-feel across multiple Web pages can potentially expose sensitive user data, such as credit-card numbers, according to researchers, who at next week's Black Hat DC will demonstrate a new class of vulnerabilities in Apache MyFaces, Sun Mojarra, and Microsoft ASP.NET. They will also release a tool that tests for the flaws. http://www.linuxsecurity.com/content/view/151547

Privacy Bill Nears Introduction in House (Jan 29)
The House Democrat heading up the push for legislation that would set new online privacy safeguards that could dramatically reshape Internet marketing said he plans to introduce the bill shortly, with several Republicans likely signed on as co-sponsors. http://www.linuxsecurity.com/content/view/151546

Mitigate the Security Risks of PHP System Command Execution (Jan 29)
As the Web continues its march towards becoming the de facto interface for the world's software applications, developers must find effective ways to not only communicate with server processes such as MySQL, but also other operating system tools such as a shell or Ruby script. In this tutorial, I'll show you how to securely execute a variety of system-based commands via a PHP script, demonstrating how to build web applications that can tightly integrate with both the operating system and third-party software. http://www.linuxsecurity.com/content/view/151545

Moving Forward in Open Source (Jan 28)
I started my career with PCQuest as a Linux hacker 10 years ago. Since then, I've seen a considerable amount of development happening in the Open Source space, especially in Linux -- high performance clustering, security and forensics, and virtualization. But despite that, I am a little disappointed about how things have actually moved in this domain. http://www.linuxsecurity.com/content/view/151535

Set up rsyslog to store syslog messages in MySQL (Jan 28)
The de facto system logger on Linux systems is sysklogd, which provides the syslog and klog services that allow system events and application events to be logged and written to standard log files such as /var/log/messages. http://www.linuxsecurity.com/content/view/151534

Scan your Linux machine for viruses with ClamTk (Jan 28)
What do you mean – "scan your Linux machine for viruses"? Linux is immune to viruses, right? Well… mostly. Even though a proof of concept virus has been discussed, and nothing has actually made it into the wild… you still have email on your system. Some of that email could easily make its way (by way of a forward, for example) to another, non-Linux, machine. Because of that alone you should employ a virus scanner on ALL of your machines (Linux, Mac, Windows…). http://www.linuxsecurity.com/content/view/151533

Google Chrome 4 Bolsters Browser Security with New Features (Jan 28)
Google is touting three new security features added to the latest version of its Chrome browser, including new protections against reflective cross-site scripting.
Google has beefed up the latest version of its Chrome browser with new security protections designed to help developers build secure Websites. http://www.linuxsecurity.com/content/view/151532

Cybersecurity Chief Confronts Google Attack, Cloud Security (Jan 28)
The nation's new cybersecurity coordinator, Howard Schmidt, says the task of overseeing government-wide computer security has been "non-stop" in his first two weeks on the job.
Following the December announcement of his appointment by President Obama, Schmidt immediately had a cybersecurity crisis on his hands: Google's disclosure of a cyber attack on its system from within China. "I think everybody in the world who's in the security business is thinking about or working on that issue right now," Schmidt said in a brief interview at the Congressional Internet Caucus' annual State of the Net conference, where he gave his first public speech since taking office. http://www.linuxsecurity.com/content/view/151531

Report: Layer 7 Increasingly Under DDoS Gun (Jan 28)
A report from the CYBER SECURITY Forum Initiative (CSFI) offers further evidence that botnet herders are getting a bigger bang out of distributed denial-of-service (DDoS) attacks by targeting security holes at layer 7, more commonly known as the application layer. http://www.linuxsecurity.com/content/view/151530

How to make your iPhone a hacker's dream machine (Jan 28)
Apple fans are often smug about their immunity to virus attacks on their Macs and iPhones. Well, these devices are hardly safe from viruses, worms, or other attacks, but it's true that they're more secure than Windows PCs. A recent report from antivirus vendor Intego shows how few attacks made their way into the iPhone and Mac worlds last year. http://www.linuxsecurity.com/content/view/151529

Congressional websites befouled by mucky-mouthed hackers (Jan 28)
A number of Congressional websites were defaced with abuse aimed at President Obama following Wednesday's State of the Union address.
Websites maintained by Congressmen including Charles Gonzalez (Texas), Spencer Bachus (Alabama) and Brian Baird (Washington) were replaced with a one-line abusive message aimed at Obama by the "Red Eye Crew" from Brazil in the early hours of Thursday morning. http://www.linuxsecurity.com/content/view/151528

Leading voice encryption programs hacked in minutes (Jan 27)
Most voice encryption systems can be tapped in minutes by installing a voice-recording Trojan on the target computer, a security researcher has confirmed after testing a range of well-known products. http://www.linuxsecurity.com/content/view/151524

Hacker pilfers browser GPS location via router attack (Jan 27)
If you're surfing the web from a wireless router supplied by some of the biggest device makers, there's a chance Samy Kamkar can identify your geographic location.
That's because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device's media access control address with one wayward click of the mouse. http://www.linuxsecurity.com/content/view/151517

Apache SpamAssassin 3.3.0 available (Jan 26)
This is a major release, incorporating enhancements and bug fixes that have accumulated in a year and a half of development since the 3.2.5 release. Apart from some new or changed dependencies on Perl modules, this version is compatible to a large extent with existing installations, so the upgrade is not expected to be problematic (neither is downgrading, if the need arises). Please consult the list of known incompatibilities below before upgrading. http://www.linuxsecurity.com/content/view/151511

Smut-peddling hackers pwn TechCrunch (Jan 26)
Popular technology site TechCrunch was hit by potty-mouth hackers late on Monday, leaving the site temporarily unavailable.
A notice on TechCrunch.com's front page on Tuesday morning explains that "TechCrunch.com was compromised by a security exploit". Access to the site's story archive has been suspended, leaving a two-paragraph notice on the hack as the only content visible on the site. http://www.linuxsecurity.com/content/view/151510

Geohot, the iPhone hacker, cracks Sony's PlayStation 3 console (Jan 26)
George Hotz, aka Geohot, the 20-year-old hacker who successfully cracked the Apple iPhone, claimed in a Friday blog post that after working on the PlayStation3 for nearly five weeks, he has finally managed to hack Sony's popular gaming console and run his own software on it. http://www.linuxsecurity.com/content/view/151509

Cisco, NetApp, VMware team up on virtualization security (Jan 26)
Cisco, NetApp and VMware announced a project to improve the security of virtualization deployments, with a focus on isolating applications that use the same physical network, server and storage resources in multi-tenant systems. http://www.linuxsecurity.com/content/view/151508

Stop 11 Hidden Security Threats (Jan 26)
Here's a basic guide on what you can do to improve your overall security posture on the Internet. Do you know how to guard against scareware? How about Trojan horse text messages? Or social network data harvesting? Malicious hackers are a resourceful bunch, and their methods continually evolve to target the ways we use our computers now. New attack techniques allow bad guys to stay one step ahead of security software and to get the better of even cautious and well-informed PC users. http://www.linuxsecurity.com/content/view/151507

Tech-minded students improve software in Open Source Club (Jan 26)
Members of the Open Source Club, a student group formed in 1999, are exploring the world of technology. Specifically, they are interested in open source software.
The Open Source Club focuses "on building a strong community of open source users and developers in order to bring the benefits of open development, open standards, and free software to the university community," according to the club's Web site. http://www.linuxsecurity.com/content/view/151506

Three years later, the PS3 gets hacked (Jan 25)
After over three years on the market, the PlayStation 3 has finally been hacked. Famous iPhone hacker George Hotz, aka "GeoHot", has become the first to achieve the feat, though what this means for the PS3 modding community remains to be seen. http://www.linuxsecurity.com/content/view/151503

Making Your Passwords Harder on Hackers (Jan 25)
Even though passwords are critical to keeping prying eyes out of our computers, many people pick passwords that are very basic and hence, way too easy to crack, according to new data.
A recent analysis by computer security company Imperva showed one-out-of-five people choosing the simplest of passwords, such as 123456 or abc123 to protect their computers. http://www.linuxsecurity.com/content/view/151502

Survey: Data breaches from malicious attacks doubled last year (Jan 25)
Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches, according to a new Ponemon survey to be released on Monday. http://www.linuxsecurity.com/content/view/151498

"Bots and Spiders and Crawlers, be gone!" - or - "New Open Source WebAppSec tools, Huzzah!" (Jan 25)
Do you manage Apache-based web server farms with Web Application Firewall (WAF) requirements that revolve primarily around a need for central thresholding/rate limiting features? Have you found an open source WAF solution that fulfills this need? Well, if you haven't, I take extra special joy in the public sharing of two open projects that I'm involved with, serving the roles of cheerleader ;), tester and injecting scope creep whenever possible to solve various forms of abuse. http://www.linuxsecurity.com/content/view/151497

Trusted Computer Solutions Releases Automated Operating System Hardening Tool to Support Novell (Jan 25)
Trusted Computer Solutions (TCS), a leading developer of cross domain and cyber security solutions, today announced that its widely adopted automated Operating System (OS) hardening tool, Security Blanket, now supports Novell SUSE as well as openSUSE and Fedora 11. The product already supports Red Hat Enterprise Linux, Solaris, and Oracle Enterprise Linux. This new version of Security Blanket also provides role-based access control (RBAC) and a Java-based administration console. By providing such broad OS support, TCS is expanding its market reach into new U.S. verticals and into Europe. http://www.linuxsecurity.com/content/view/151496

Searching for the weak link in university network security (Jan 25)
Which is more important in a network: the client machines or the system infrastructure? This could be debated until the cows come home and further debated to include the cows. Personally, I would say the latter, but as we have seen this week, one single client machine can open up an almighty can of whoop-ass on the entire network. http://www.linuxsecurity.com/content/view/151495

Why There is no Kernel Hacker Sell-Out (Jan 25)
As you may have noticed, posting to this blog was light last week, as in non-existent (OK, so you didn't notice.) This was because I was engaged in some serious geeking-out at the LCA2010 conference.
One of the talks that I saw came from Jon Corbet, who gave a run-down on recent changes to the Linux kernel. A statistic that he mentioned along the way has garnered much comment: the fact that "75% of the code comes from people paid to do it." In particular, some have leapt on this figure as proof that kernel coders have "sold out", and that the famed altruistic impulse behind free software is dead. I think this is nonsense. http://www.linuxsecurity.com/content/view/151494