Full Disclosure - Seclist

Positive Hack Days 8 CFP is now open

Posted by Alexander Lashkov on Jan 17

PHDays 8 Call for Papers starts. Speakers are welcome to apply till March 10. Our international program committee
comprising independent researchers and lead experts in information security and IT will review all your applications
and select the most exciting reports. If you've got something to say, we look forward to you saying it at PHDays 8.

The upcoming forum is called Digital Bet and it focuses on potential security threats and...
Linux Security

Fedora 27: transmission Security Update

LinuxSecurity.com: Security fix for CVE-2018-5702 (Mitigate dns rebinding attacks against daemon)

Linux Security

Fedora 27: icecat Security Update

LinuxSecurity.com: - Update to 52.5.3 - Patched for mozilla bug-1427870 (spectre mitigation)

DistroWatch

DragonFly drops legacy remote tools

Linux Security

Fedora 26: icecat Security Update

LinuxSecurity.com: - Update to 52.5.3 - Patched for mozilla bug-1427870 (spectre mitigation)

Ars Technica

Scientists racing to save vital medical isotopes imperiled by shabby reactors

A dose of Tc-99m to be used in an upcoming scan. (credit: Getty | Rene Johnston)

There’s a mad dash for a vital radioactive isotope that’s used in about 50,000 medical procedures every day in the US, including spotting deadly cancers and looming heart problems. Currently, access to it hinges on a shaky supply chain and a handful of aging nuclear reactors in foreign countries. But federal regulators and a few US companies are pushing hard and spending millions to produce it domestically and shore up access, Kaiser Health News reports.

The isotope, molybdenum-99 (Mo-99), decays to the short-lived Technetium-99m (Tc-99m) and other isotopes, which are used as radiotracers in medical imaging. Injected into patients, the isotopes spotlight how the heart is pumping, what parts of the brain are active, or if tumors are forming in bones.

But, to get to those useful endpoints, Mo-99 has to wind through a fraught journey. According to KHN, most Mo-99 in the US is made by irradiating Cold War-era uranium from America’s nuclear stockpile. The US Department of Energy’s National Nuclear Security Administration secretly ships it to aging reactors abroad. The reactors—and five subsequent processing plants—are in Australia, Canada, Europe (Netherlands, Belgium, Poland, and the Czech Republic), and South Africa, according to a 2016 report by The National Academies of Sciences, Engineering and Medicine. Private companies then rent irradiation time at the reactors, send the resulting medley of isotopes to processing plants, book the final Mo-99 on commercial flights back to the US, and distribute it to hospitals and pharmacies.

Ars Technica

Nintendo’s Labo playset slaps the Switch into build-your-own cardboard toys

Labo looks like a trip, Nintendo. (credit: Nintendo)

Nintendo has announced a new build-your-own-accessories line for the Switch console, dubbed Nintendo Labo. It will arrive on April 20 in the United States and Japan and April 27 in Europe.

Labo's two playsets, the $69.99 Variety Kit and the $79.99 Robot Kit, will come with marked cardboard sheets that must be punched and folded by players, along with connecting string, reflective stickers (for controller-sensing purposes), and other accessories. The foldable parts resemble everything from pianos to fishing rods, along with a full-body robot outfit. They accept both the Switch console and its Joy-Con controllers in various slots.

Ars Technica

With HomePod around the corner, Siri’s “give me the news” feature exits beta

(credit: Apple)

When you say "Hey Siri, give me the news" to your iOS device, Siri will now immediately begin playing a daily news update from a popular news podcast—NPR by default in the United States. Coming shortly before the launch of the HomePod smart speaker, also powered by Siri, this small feature is the latest that brings some Alexa or Google Assistant-style interactions to Apple's ecosystem.

In the US, NPR's News Now podcast immediately begins playing as soon as you say the words. Note that hitting the home button and then saying, "Give me the news," won't do it, though. The feature has to be activated by the hands-free "Hey Siri" prompt used in CarPlay or in the upcoming HomePod's screenless interface.

Samuel Axon

Ars Technica

Hackers can’t dig into latest Xiaomi phone due to GPL violations

Yet another Android OEM is dragging its feet with its GPL compliance. This time, it's Xiaomi with the Mi A1 Android One device, which still hasn't seen a kernel source code release.

Android vendors are required to release their kernel sources thanks to the Linux kernel's GPLv2 licensing. The Mi A1 has been out for about three months now, and there's still no source code release on Xiaomi's official github account.

Unfortunately, GPL non-compliance is par for the course in the world of Android. Budget SoC company MediaTek once tried charging users for access to GPL'd code. Motorola under Lenovo has been regularly accused of violating the GPL and releasing incomplete sources or sources that differ from the kernel shipping on devices. Unsurprisingly, the majority of these alleged GPL violators are from China, which often plays fast and loose with IP law.

Ars Technica

Apple to pay $38 billion in US taxes on overseas cash

(credit: Getty Images | Gary Waters)

Apple announced on Wednesday that it would pay $38 billion in taxes to the federal government as it brings cash earned overseas into the United States. The big payment is the result of President Donald Trump's tax cut bill, passed last month, which created a new, special tax rate for overseas cash.

Apple is likely to be the biggest beneficiary of that provision. The American company had around $250 billion in cash and other short-term assets held by overseas affiliates. Under previous tax law, Apple would have had to pay a tax of 35 percent in order to bring overseas cash back to the United States. Under the new law, that rate is cut to 15.5 percent, saving Apple tens of billions of dollars compared to what it would have paid to bring the cash home in 2017.

Apple didn't have a choice about this. Under the new tax bill, all overseas cash is subject to a one-time 15.5 percent tax whether Apple leaves it overseas or moves it to the United States.

Linux Security

Slackware: 2018-017-01: bind Security Update

LinuxSecurity.com: New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

Ars Technica

New botnet infects cryptocurrency mining computers, replaces wallet address

A cryptocurrency mining farm. (credit: Marco Krohn)

Satori—the malware family that wrangles routers, security cameras, and other Internet-connected devices into potent botnets—is crashing the cryptocurrency party with a new variant that surreptitiously infects computers dedicated to the mining of digital coins.

A version of Satori that appeared on January 8 exploits one or more weaknesses in the Claymore Miner, researchers from China-based Netlab 360 said in a report published Wednesday. After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.

Records show that the attacker-controlled wallet has already cashed out slightly more than 1 Ethereum coin. The coin was valued at as much as $1,300 when the transaction was made. At the time this post was being prepared, the records also showed that the attacker had a current balance of slightly more than 1 Ethereum coin and was actively mining more, with a calculation power of about 2,100 million hashes per second. That's roughly equivalent to the output of 85 computers each running a Radeon Rx 480 graphics card or 1,135 computers running a GeForce GTX 560M, based on figures provided here.

Linux Security

SciLinux: Important: java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64

LinuxSecurity.com: It was discovered that multiple encryption key classes in the Libraries component of OpenJDK did not properly synchronize access to their internal data. This could possibly cause a multi-threaded Java application to apply weak encryption to data because of the use of a key that was zeroed out. (CVE-2018-2579) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

Hak.5

Hak5 2319 – [[ PAYLOAD ]] – OS Detection Payload

——————————-
Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ
——————————

Ars Technica

Fitbit Coach arrives on your TV with new Windows 10 and Xbox One apps

(credit: Fitbit)

Now that FitStar's transition to Fitbit Coach is officially complete, Fitbit is expanding the devices that support its revamped personal training app. The company announced that the Fitbit Coach apps for Windows 10 and Xbox One devices will be available for download later today.

Fitbit owned FitStar for a while before it announced its impending transformation into Fitbit Coach last year. The app, which is separate from the main Fitbit app that all of the company's wearables connect to, holds guided workouts, video routines, and other personalized fitness programs.

Fitbit built off of FitStar's previous offerings and added more content that customers can access fully with a $39.99-per-year Premium subscription. There are some routines that users can access for free after downloading the app (which is free to download as well), but most of the content lies behind Fitbit's paywall.

Ars Technica

Report: GM and Waymo lead driverless car race; Tesla lags far behind

Cruise second-generation test vehicles, assembled at GM’s Lake Orion plant in Michigan. (credit: Cruise)

In November, Waymo announced it would begin testing fully driverless vehicles with no one in the driver's seat. Then, last week, GM petitioned the federal government for approval to mass-produce a car with no steering wheel or pedals—with plans to release it in 2019. In short, driverless cars are on the cusp of shifting from laboratory research projects to real, shipping products.

A new report from the consulting firm Navigant ranks the major players in this emerging driverless car industry. Navigant analysts see GM and Waymo as the clear industry leaders, while Ford, Daimler (teamed up with auto supplier Bosch), and Volkswagen Group are also strong contenders in Navigant's view.

Dominating the driverless car business will require both advanced autonomous vehicle technology as well as the ability to mass-produce cars with the necessary sensors and computing hardware. In this respect, Silicon Valley tech companies and the OEMs face opposite challenges. Waymo has long been the leader in driverless software, but it needs to find a partner to help it manufacture the cars that will run that software. Conversely, car companies know how to build cars but don't necessarily have the expertise to create the kind of sophisticated software required for fully self-driving vehicles.

Ars Technica

“Free TV” box lawyer says video industry is “digging its own grave”

The Dragon Box. (credit: Dragon Media)

The entertainment industry is lining up against the maker of a "free TV" box in a lawsuit that alleges piracy, but the defendant's lawyer says the industry is in for a difficult and dangerous fight.

"I think this is a very, very dangerous lawsuit by plaintiffs," lawyer Erik Syverson told Ars yesterday. "If the case does not go the plaintiffs' way, they will have established very unfavorable law to their business models and they may be digging their own grave."

Syverson represents Dragon Media Inc., whose "Dragon Box" device connects to TVs and lets users watch video without a cable TV or streaming service subscription.

Ars Technica

The 2019 Audi A7 is a sleek-looking fastback with some pretty cool tech

Jonathan Gitlin

DETROIT—It's fair to say that this year's North American International Auto Show has been a little lackluster. But one of the standouts was the North American debut of the new Audi A7. The previous model was—to my eyes—Audi's best-looking model, and I was worried that its successor wouldn't live up. Happily, that isn't the case.

But the new A7 is not just a pretty face; under the skin, you'll find almost all the same technology that Audi is packing into its A8 flagship sedan. That means class-leading infotainment and—once regulators are happy—some seriously advanced headlights and level 3 autonomous driving.

Krebs on Security

Some Basic Rules for Securing Your IoT Stuff

Most readers here have likely heard or read various prognostications about the impending doom from the proliferation of poorly-secured “Internet of Things” or IoT devices. Loosely defined as any gadget or gizmo that connects to the Internet but which most consumers probably wouldn’t begin to know how to secure, IoT encompasses everything from security cameras, routers and digital video recorders to printers, wearable devices and “smart” lightbulbs.

Throughout 2016 and 2017, attacks from massive botnets made up entirely of hacked IoT devices had many experts warning of a dire outlook for Internet security. But the future of IoT doesn’t have to be so bleak. Here’s a primer on minimizing the chances that your IoT things become a security liability for you or for the Internet at large.

-Rule #1: Avoid connecting your devices directly to the Internet — either without a firewall or in front of it, by poking holes in your firewall so you can access them remotely. Putting your devices in front of your firewall is generally a bad idea because many IoT products were simply not designed with security in mind, and making these things accessible over the public Internet could invite attackers into your network. If you have a router, chances are it also comes with a built-in firewall. Keep your IoT devices behind the firewall as best you can.

-Rule #2: If you can, change the thing’s default credentials to a complex password that only you will know and can remember. And if you do happen to forget the password, it’s not the end of the world: Most devices have a recessed reset switch that can be used to restore the thing to its factory-default settings (and credentials). Here’s some advice on picking better ones.

I say “if you can,” at the beginning of Rule #2 because very often IoT devices — particularly security cameras and DVRs — are so poorly designed from a security perspective that even changing the default password to the thing’s built-in Web interface does nothing to prevent the things from being reachable and vulnerable once connected to the Internet.

Also, many of these devices are found to have hidden, undocumented “backdoor” accounts that attackers can use to remotely control the devices. That’s why Rule #1 is so important.

-Rule #3: Update the firmware. Hardware vendors sometimes make available security updates for the software that powers their consumer devices (known as “firmware”). It’s a good idea to visit the vendor’s Web site and check for any firmware updates before putting your IoT things to use, and to check back periodically for any new updates.

-Rule #4: Check the defaults, and make sure features you may not want or need, like UPnP (Universal Plug and Play, which can easily poke holes in your firewall without you knowing it), are disabled.

Want to know if something has poked a hole in your router’s firewall? Censys has a decent scanner that may give you clues about any cracks in your firewall. Browse to whatismyipaddress.com, then cut and paste the resulting address into the text box at Censys.io, select “IPv4 hosts” from the drop-down menu, and hit “search.”

If that sounds too complicated (or if your ISP’s addresses are on Censys’s blacklist), check out Steve Gibson’s ShieldsUP page, which features a point-and-click tool that can give you information about which network doorways or “ports” may be open or exposed on your network. A quick Internet search on exposed port number(s) can often yield useful results indicating which of your devices may have poked a hole.

If you run antivirus software on your computer, consider upgrading to a “network security” or “Internet security” version of these products, which ship with more full-featured software firewalls that can make it easier to block traffic going into and out of specific ports.

Alternatively, Glasswire is a useful tool that offers a full-featured firewall as well as the ability to tell which of your applications and devices are using the most bandwidth on your network. Glasswire recently came in handy to help me determine which application was using gigabytes worth of bandwidth each day (it turned out to be a version of Amazon Music’s software client that had a glitchy updater).

-Rule #5: Avoid IoT devices that advertise Peer-to-Peer (P2P) capabilities built-in. P2P IoT devices are notoriously difficult to secure, and research has repeatedly shown that they can be reachable even through a firewall remotely over the Internet because they’re configured to continuously find ways to connect to a global, shared network so that people can access them remotely. For examples of this, see previous stories here, including This is Why People Fear the Internet of Things, and Researchers Find Fresh Fodder for IoT Attack Cannons.

-Rule #6: Consider the cost. Bear in mind that when it comes to IoT devices, cheaper usually is not better. There is no direct correlation between price and security, but history has shown the devices that tend to be toward the lower end of the price ranges for their class tend to have the most vulnerabilities and backdoors, with the least amount of vendor upkeep or support.

In the wake of last month’s guilty pleas by several individuals who created Mirai — one of the biggest IoT malware threats ever — the U.S. Justice Department released a series of tips on securing IoT devices.

One final note: I realize that the people who probably need to be reading these tips the most likely won’t ever know they need to care enough to act on them. But at least by taking proactive steps, you can reduce the likelihood that your IoT things will contribute to the global IoT security problem.

Security Week

Zyklon Malware Delivered via Recent Office Flaws

A piece of malware known as Zyklon has been delivered by cybercriminals using some relatively new vulnerabilities in Microsoft Office, FireEye reported on Wednesday.

Ars Technica

Immigrant-friendly policies make most whites feel welcomed, too

(credit: National Park Service)

Immigration policy in the US has grown increasingly contentious, seemingly pitting different communities and ideologies against each other. But a new study suggests that a large majority of Americans appreciate a welcoming policy toward immigrants. Only a specific minority—white conservatives—generally feels otherwise. And the effect isn't limited to policy, as it influenced whether citizens felt welcome in the place that they lived.

The research, performed by a collaboration of US-based researchers, focused on New Mexico and Arizona. These states have similar demographics but radically different policies toward immigrants. Arizona has state policies that encourage police to check the immigration status of people they encounter; controversial Arizona sheriff Joe Arpaio ended up in trouble with the court system in part due to how aggressively he pursued this program. New Mexico, by contrast, will provide state IDs and tuition benefits to immigrants regardless of their documentation status.

The researchers reasoned that these states would provide a reasonable test as to how immigration policies align with the feelings of the public. So they surveyed nearly 2,000 residents of the two states, including immigrants, naturalized US citizens, and people born in the US, focusing on the states' Caucasian and Hispanic populations.

Ars Technica

NASA’s internal schedule for the commercial crew program is pretty grim

Despite her smiles here, NASA's commercial crew program manager has concerns about schedules for Boeing and SpaceX. (credit: NASA)

Publicly, both Boeing and SpaceX maintain that they will fly demonstration missions by the end of this year that carry astronauts to the International Space Station. This would put them on course to become certified for "operational" missions to the station in early 2019, to ensure NASA's access to the orbiting laboratory.

On Wednesday, during a congressional hearing, representatives from both companies reiterated this position. "We have high confidence in our plan," Boeing's commercial crew program manager, John Mulholland, said. SpaceX Vice President Hans Koenigsmann said his company would be ready, too.

However, their testimony before the US House Subcommittee on Space was undercut by the release Wednesday of a report by the US Government Accountability Office. The lead author of that report, Christina Chaplain, told Congress during the same hearing that she anticipated these certification dates would be much later. For SpaceX, operational flights to the station were unlikely before December 2019, and for Boeing unlikely before February 2020, Chaplain said.

Ars Technica

Meteor lights up southern Michigan

That's no moon!

Early last night local time, a meteor rocketed through the skies of southern Michigan, giving local residents a dramatic (if brief) light show. It also generated an imperceptible thump, as the US Geological Survey confirmed that there was a coincident magnitude 2.0 earthquake.

The American Meteor Society has collected more than 350 eyewitness accounts, which ranged from western Pennsylvania out to Illinois and Wisconsin. They were heavily concentrated over southern Michigan, notably around the Detroit area. A number of people have also posted videos of the fireball online; one of the better compilations is below.

A compilation of several videos from Syracuse.com.

The American Meteor Society estimates that the rock was relatively slow-moving at a sedate 45,000 km per hour. Combined with its production of a large fireball, the researchers conclude it was probably a big rock. NASA's meteorwatch Facebook page largely agrees and suggests that this probably means that pieces of the rock made it to Earth. If you were on the flight path, you might want to check your yard.

Ars Technica

Selling used PC games through the blockchain? We’re not buying it

A foolproof plan! (credit: Aurich / Getty)

Companies in industries ranging from iced tea to image processing to fast-casual dining are jumping on the recent blockchain-mania as a way to try to revolutionize often-moribund businesses. Now, startup Robot Cache wants to bring that same technology to bear in revolutionizing the way we buy and sell PC game downloads, with the backing of game industry luminaries like InXile's Brian Fargo and Atari founder Nolan Bushnell.

Robot Cache CEO Lee Jacobson said in a press release that "expertly leveraging the power, flexibility, safety, and transparency of blockchain technology" will bring benefits like lower fees for game publishers and the ability to resell digital purchases for gamers. But despite the buzzword-heavy promise, there are a lot of risks involved that have us skeptical of whether Robot Cache can actually deliver on its vision.

How it works

Linux Security

RedHat: RHSA-2018-0095:01 Important: java-1.8.0-openjdk security update

LinuxSecurity.com: An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

Ars Technica

How gold nanoparticles may make killing tumors easier

Nanoparticles (black dots) sit in the remains of a cell they've helped kill. (credit: University of Michigan)

One of the ways to kill a cancer is to cook it, since heat can kill cells. The trick, of course, is to only cook the cancer and not the surrounding tissue. To do this, you need to have an accurate idea of the extent of a tumor, a precise mechanism for delivering heat, and a damn good thermometer. It may surprise you to learn that gold nanoparticles do a pretty good job of achieving the first two. The third—a good thermometer—has eluded researchers for quite some time. But, now it seems that gold nanoparticles may provide the full trifecta.

Drowning a tumor in molten gold

Some cancers—the ones most people imagine when they think of cancer—form lumps of tissue. At some point, these lumps require a blood supply. Once supplied with blood vessels, the tumor can not only grow, but it has a readily available transport system to deliver the cells that can spread the cancer throughout the body. For the patient, this is not good news.

The development of a blood supply opens up new imaging and treatment options, though. Cancer tumors are not well-organized tissues compared to healthy tissue like muscle or kidney tissue. So there are lots of nooks and crannies in a tumor that can trap small particles. And this disorganization is exactly what researchers hope to take advantage of. Gold nanoparticles are injected into the blood stream; these exit the blood supply, but, in most of the body, they get rapidly cleaned out. Except that, inside tumors, the nanoparticles lodge all over the place.

Security Week

Stack Ranking SSL Vulnerabilities: The ROBOT Attack

At least two additional security vendors, including IBM and Palo Alto Networks, have been added to the list of vendors vulnerable to a variation on the Bleichenbacher attack called the ROBOT attack.

Linux Security

CentOS: CESA-2018-0094: Important CentOS 7 linux-firmware

LinuxSecurity.com: Upstream details at : https://access.redhat.com/errata/RHSA-2018:0094

Linux Security

CentOS: CESA-2018-0093: Important CentOS 7 microcode_ctl

LinuxSecurity.com: Upstream details at : https://access.redhat.com/errata/RHSA-2018:0093

Linux Security

SciLinux: Important: linux-firmware on SL7.x (noarch)

LinuxSecurity.com:

Linux Security

Fedora 27: irssi Security Update

LinuxSecurity.com: This is a new version of irssi. It contains security fixes for CVE-2018-5205, CVE-2018-5206, CVE-2018-5207 and CVE-2018-5208.

Linux Security

Fedora 27: docker Security Update

LinuxSecurity.com: - Resolves: #1510351 - CVE-2017-14992 - built docker @projectatomic/docker-1.13.1 commit 584d391 - built docker-novolume-plugin commit 385ec70 - built rhel-push-plugin commit af9107b - built docker-lvm-plugin commit 8647404 - built docker-runc @projectatomic/docker-1.13.1 commit 1c91122 - built docker-containerd @projectatomic/docker-1.13.1 commit 62a9c60 - built

Ars Technica

If you can’t beat them… Lamborghini joins the SUV set

Jim Resnick

Let me pre-empt you.

"Why?" you ask. "You're Lamborghini, not Range Rover!"

Security Week

Briton Pleads Guilty to Running Malware Services

Goncalo Esteves, a 24-year-old man from the United Kingdom, has pleaded guilty to charges related to creating and running services designed to help cybercriminals develop malware that would not be detected by antivirus products.

Ars Technica

Cryptocurrency bloodbath continues as bitcoin falls below $10,000

(credit: Oliver Mallich)

Bitcoin fell below the psychologically significant level of $10,000 on Wednesday morning, marking a second day of double-digit declines for the virtual currency. One bitcoin is now worth $9,700, less than half its peak value of $19,500 achieved just last month.

Bitcoin's fall is part of a broader cryptocurrency sell-off. For the second day in a row, every major cryptocurrency has suffered double-digit declines over the previous 24 hours.

Ethereum is now worth $810, down 42 percent from its peak above $1,400 just four days ago. Litecoin has fallen to $150—down 58 percent from its peak of $360 on December 19. Bitcoin Cash, a rival version of bitcoin, was worth more than $4,000 on December 20. It's now down to $1,500, a 65 percent decline.

Security Week

Threat Actors Quickly Adopt Effective Exploits

Cybercriminals and nation state groups were quick to adopt the most effective exploits last year, a new AlienVault report reveals.

Security Week

Crypto-Mining Attack Targets Web Servers Globally

A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered.

Linux Security

CentOS: CESA-2018-0093: Important CentOS 6 microcode_ctl

LinuxSecurity.com: Upstream details at : https://access.redhat.com/errata/RHSA-2018:0093

Ars Technica

YouTube raises subscriber, view threshold for Partner Program monetization

(credit: Flickr: Rego Korosi)

After a tumultuous 2017, YouTube is making yet another change to its guidelines surrounding channel monetization and advertiser approval. In posts to its Advertiser and Creator blogs, YouTube details how it's changing the threshold for monetization through its YouTube Partner Program (YPP), from 10,000 lifetime views to 1,000 subscribers and 4,000 hours of watch time within the past 12 months. That means that small creators who already passed the previous 10,000 lifetime view milestone, but not the new goals, will be removed from the YouTube Partner Program starting February 20 and will be unable to monetize their videos in that manner,

As of yesterday, any channels that newly apply for YPP will have to pass this new threshold in order to monetize videos. On its Creators blog, YouTube explains that the new required milestones "will allow us to significantly improve our ability to identify creators who contribute positively to the community and help drive more ad revenue to them (and away from bad actors). These higher standards will also help us prevent potentially inappropriate videos from monetizing which can hurt revenue for everyone."

The company made a point of noting the types of channels that will be affected by the new rules. "Though these changes will affect a significant number of channels, 99 percent of those affected were making less than $100 per year in the last year, with 90 percent earning less than $2.50 in the last month. Any of the channels who no longer meet this threshold will be paid what they’ve already earned based on our AdSense policies."

Security Week

Threat Intelligence Tech Firm Anomali Raises $40 Million

Anomali, a security technology firm that offers a SaaS-based threat intelligence platform, today announced that it has raised $40 million in series D funding. 

The additional funding brings the total amount raised to-date by the company to $96 million.

Linux Security

SciLinux: Important: microcode_ctl on SL6.x, SL7.x i386/x86_64

LinuxSecurity.com:
Security Week

PureSec Emerges From Stealth With Security Product for Serverless Apps

Tel Aviv, Israel-based startup PureSec emerged from stealth mode on Wednesday with a security platform designed for serverless architectures and a guide that describes the top 10 risks for serverless applications.

Ars Technica

The impromptu Slack war room where ‘Net companies unite to fight Spectre-Meltdown


The early disclosure of Meltdown and Spectre by Google and the fumbled responses by hardware vendors left cloud companies scrambling to react. So they united to fight the dumpster fire of poor communication and bad patches. (credit: US Air Force)

Meltdown and Spectre created something of a meltdown in the cloud computing world. And by translation, the flaws found in the processors at the heart of much of the world's computing infrastructure have had a direct or indirect effect on the interconnected services driving today's Internet. That is especially true for one variant of the Spectre vulnerability revealed abruptly by Google on January 3, since this particular vulnerability could allow malware running in one user's virtual machine or other "sandboxed" environment to read data from another—or, from the host server itself.

In June 2017, Intel learned of these threats from researchers who kept the information under wraps so hardware and operating system vendors could furiously work on fixes. But while places like Amazon, Google, and Microsoft were clued in early because of their "Tier 1" nature, most smaller infrastructure companies and data center operators were left in the dark until the news broke on January 3. This sent many organizations immediately scrambling: no warning of the exploits came before proof-of-concept code for exploiting them was already public.

Tory Kulick, director of operations and security at the hosting company Linode, described this as chaos. "How could something this big be disclosed like this without any proper warning? We were feeling out of the loop, like 'What did we miss? Which of the POCs [proofs of concept of the vulnerabilities] are out there now?' All that was going through my mind."

Linux Security

Gentoo: GLSA-201801-18: Newsbeuter: User-assisted execution of arbitrary code

LinuxSecurity.com: Insufficient input validation in Newsbeuter may allow remote attackers to execute arbitrary shell commands.
Linux Security

Gentoo: GLSA-201801-17: Poppler: Multiple vulnerabilities

LinuxSecurity.com: Multiple vulnerabilities have been found in Poppler, the worst of which could allow the execution of arbitrary code.
Linux Security

Debian: DSA-4090-1: wordpress security update

LinuxSecurity.com: Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection and various Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, as well as bypass some access restrictions.
Security Week

Former CIA Agent Arrested With Top Secret Info

US authorities said Tuesday they had arrested a former CIA agent, Hong Kong resident Jerry Chun Shing Lee, after discovering he had an unauthorized notebook that had the identities of undercover US spies.

Lee, a naturalized US citizen also known as Zhen Cheng Li, was arrested late Monday after he arrived at JFK International Airport in New York.

Security Week

Oracle Fixes Spectre, Meltdown Flaws With Critical Patch Update

Oracle on Tuesday released its first Critical Patch Update for 2018 to deliver 237 new security fixes across its product portfolio. Over half of the addressed vulnerabilities could be remotely exploited without authentication.

Schneier on Security

Article from a Former Chinese PLA General on Cyber Sovereignty

Interesting article by Major General Hao Yeli, Chinese People's Liberation Army (ret.), a senior advisor at the China International Institute for Strategic Society, Vice President of China Institute for Innovation and Development Strategy, and the Chair of the Guanchao Cyber Forum.

Against the background of globalization and the internet era, the emerging cyber sovereignty concept calls for breaking through the limitations of physical space and avoiding misunderstandings based on perceptions of binary opposition. Reinforcing a cyberspace community with a common destiny, it reconciles the tension between exclusivity and transferability, leading to a comprehensive perspective. China insists on its cyber sovereignty, meanwhile, it transfers segments of its cyber sovereignty reasonably. China rightly attaches importance to its national security, meanwhile, it promotes international cooperation and open development.

China has never been opposed to multi-party governance when appropriate, but rejects the denial of government's proper role and responsibilities with respect to major issues. The multilateral and multiparty models are complementary rather than exclusive. Governments and multi-stakeholders can play different leading roles at the different levels of cyberspace.

In the internet era, the law of the jungle should give way to solidarity and shared responsibilities. Restricted connections should give way to openness and sharing. Intolerance should be replaced by understanding. And unilateral values should yield to respect for differences while recognizing the importance of diversity.

Linux Security News

The first lawsuits to save net neutrality have been filed

LinuxSecurity.com: The first lawsuits to overturn the Federal Communications Commission's rollback of Obama-era net neutrality rules have been filed. Attorneys general from 22 states filed a lawsuit on Tuesday to block the repeal of the rules. Mozilla, maker of the Firefox browser, also said it has filed a suit against the FCC, and several public interest groups have filed petitions in court.