Wednesday, 30 December 2015

Ian Murdock: founder of the Debian project passes away at the age of 42 RIP

Dear friends and members of the open source community,
It is with great sadness that we inform you that Ian Murdock passed away on Monday night. This is a tragic loss for his family, for the Docker community, and the broader open source world; we all mourn his passing. To Ian’s children, family and loved ones, we offer our full support and deepest sympathies.
Ian was perhaps best known professionally as the founder of the Debian project, which he created while still a student at Purdue University, where he earned his bachelor’s degree in computer science in 1996. Debian was one of the first Linux distros to be forged, and it is widely regarded as one of the most successful open-source projects ever launched. Ian helped pioneer the notion of a truly open project and community, embracing open design and open contribution; in fact the formative document of the open source movement itself (the Open Source Definition) was originally a Debian position statement. It is a testament to Ian’s commitment to openness and community that there are now more than 1,000 people currently involved in Debian development.

Monday, 12 October 2015

ThoughtWorks - TechRadar May 2015 - on the basis it's better late than never

Latest trends - MAY 2015

Innovation in Architecture - Organizations have accepted that "cloud" is the de-facto platform of the future, and the benefits and flexibility it brings have ushered in a renaissance in software architecture. The disposable infrastructure of cloud has enabled the first "cloud native" architecture, microservices. Continuous Delivery, a technique that is radically changing how tech-based businesses evolve, amplifies the impact of cloud as an architecture. We expect architectural innovation to continue, with trends such as containerization and software-defined networking providing even more technical options and capability.

A New Wave of Openness at Microsoft - Whilst Microsoft has dabbled in open-source in the past—including their open-source hosting platform CodePlex—the company's core assets continued to be proprietary and closely guarded secrets. Now, though, Microsoft seems to be embracing a new strategy of openness, releasing large parts of the .NET platform and runtime as open-source projects on GitHub. We're hopeful that this could pave the way to Linux as a hosting platform for .NET, allowing the C# language to compete alongside the current bevy of JVM-based languages.

Security Struggles Continue in the Enterprise - Despite increased attention on security and privacy, the industry hasn't made much progress since the last Radar and we continue to highlight the issue. Developers are responding with increased security infrastructure and tooling, building automated test tools such as the Zed Attack Proxy into deployment pipelines. Such tools are of course only part of a holistic approach to security, and we believe all organizations need to "raise their game" in this space.

Full publication:

Tuesday, 6 October 2015

Microsoft’s Windows 10 hardware event in 9 minutes

The best way to watch IT events?

Microsoft debuted new phones, a new tablet and a Surface Book. They even threw in some augmented reality for good measure. Here are the highlights from the hardware event.



Thursday, 1 October 2015

Windows: security vulnerability in WinRAR could affect up to half a billion users!!!

A security vulnerability has been found in WinRAR, a file archiver and compressor utility for Windows that is estimated to be used by more than half a billion users. The vulnerability, if exploited, allows remote attackers to execute system specific code to compromise a computer.

A proof-of-concept exploit for WinRAR SFX v5.21 has been published. Iranian researcher Mohammad Reza Espargham reported the vulnerability to Full Disclosure, a popular forum for disclosure of security information. "The vulnerability allows unauthorised remote attackers to execute system specific code to compromise a target system," he said.

The vulnerability is said to affect all versions of WinRAR SFX, making its users extremely prone to attacks. Security firm MalwareBytes has independently confirmed the existence of the critical vulnerability in the said application.

Wednesday, 29 July 2015

Windows 10 review - better, but a winner? Maybe not, if the browser is anything to go by.

Microsoft's new Windows 10 operating system is finally here. Windows 10 is a realization of Microsoft's big dream to have a single Windows that runs across all its products. Does it succeed?

Windows 10 review

Tuesday, 21 July 2015

Windows Security Breach Forces Microsoft to Release an Emergency Update

Microsoft has issued an emergency security update to patch a vulnerability in several versions of Windows, including the upcoming Windows 10. The security vulnerability was highlighted by an email unearthed after the hacking attack on the Italian surveillance vendor Hacking Team.

The cybersecurity firm Hacking Team appears to have itself been the victim of a hack, with documents that purport to show it sold software to repressive regimes being posted to the company’s own Twitter feed. The Italy-based company offers security services to law enforcement and national security organisations. It offers legal offensive security services, using malware and vulnerabilities to gain access to targets’ networks. Hacking Team is known for exposing zero-day vulnerabilities, the loopholes in software which are unknown to the vendor. The loopholes are further exploited by the clients to discreetly inject the target with their software. As a matter of fact, researchers have also found several zero-days in the deluge of leaked e-mails since last month.

Jeep Cherokee vulnerable to attack over the internet - taking control of car and killing the engine!


Security experts are urging owners of Fiat Chrysler Automobiles vehicles to update their onboard software after hackers took control of a Jeep over the internet and disabled the engine and brakes and crashed it into a ditch.

A security hole in FCA’s Uconnect internet-enabled software allows hackers to remotely access the car’s systems and take control. Unlike some other cyberattacks on cars where only the entertainment system is vulnerable, the Uconnect hack affects driving systems from the GPS and windscreen wipers to the steering, brakes and engine control.

The Uconnect system is installed in hundreds of thousands of cars made by the FCA group since late 2013 and allows owners to remotely start the car, unlock doors and flash the headlights using an app.

Full details

Thursday, 11 June 2015

Apple users vulnerable to slick iCloud password phishing emails

Ernst and Young forensic bod Jan Soucek has created a tool capable of generating slick iCloud password phishing emails he says exploits an unpatched bug affecting millions of Apple users.

The researcher created the iOS 8.3 inject kit, which exploits a bug in the operating system's native email client to produce a realistic pop-up of the kind to which Apple users are accustomed.

Soucek (@jansoucek) says Cupertino did not respond when he informed it of the bug in January.

"Back in January 2015 I stumbled upon a bug in iOS's mail client, resulting in HTML tags in email messages not being ignored," Soucek says.

"This bug allows remote HTML content to be loaded, replacing the content of the original email message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS."

Wednesday, 3 June 2015

Mac OS X vulnerable to permanent backdooring?

OSX permanent backdooring?

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to re-flash a Mac's BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and re-installation of the operating system.

Full article

Survey says businesses taking months to fix vulnerabilities

ticking time bomb?

On average, nearly half a year passes by the time organizations in the financial services industry and the education sector remediate security vulnerabilities, according to new research from NopSec.

For the study, the security firm analyzed all the vulnerabilities in the National Vulnerability Database and then looked at a subset of more than 21,000 vulnerabilities identified in all industries across NopSec's client network, Michelangelo Sidagni, NopSec Chief Technology Officer and Head of NopSec Labs, told in a Tuesday email correspondence.

According to the findings, organizations in the financial services industry and the education sector remediate security vulnerabilities in 176 days, on average. Meanwhile, the healthcare industry takes roughly 97 days to address bugs, and cloud providers fix flaws in about 50 days.

Full article:

Thursday, 7 May 2015

Malware turned Linux and BSD servers into spamming machines - unnoticed for over 5 years!

Unnoticed for years, malware turned Linux and BSD servers into spamming machines

For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found. The researchers began their investigation with a piece of malware they found on a server that was blacklisted for sending spam. They dubbed it Mumblehard. After analyzing it, they found that it has several distinct components: a generic backdoor that contacts its C&C server and downloads the spammer component and a general-purpose proxy. "Mumblehard components are mainly Perl scripts encrypted and packed inside ELF binaries. In some cases, the Perl script contains another ELF executable with the same packer in the fashion of a Russian nesting doll," researcher Marc-Etienne Leveille shared in a paper detailing their findings. "We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat."

Full story

Dell provide Windows on a Chromebook

Dell's Appliance for Wyse - vWorkspace product uses desktop virtualisation technology to deliver Windows desktop software to Chromebooks and other endpoints. Though brokered from a remote location, the Windows OS will be fully functional and run as if it were loaded locally.

As part of its Chrome for Work programme, Google has aggressively pushed Chromebooks into businesses as an alternative to Windows PCs. Chromebooks are thin, lightweight laptops for those who do most of their computing on the internet. Google has said that Chromebooks are tuned for the future of cloud computing, as they were built from the ground up to run rich web applications.

Watch this space for Microsoft's cheaper Windows devices on Windows 10.

Full Story

Friday, 1 May 2015

PayPal takes four days to patch a critical remote code execution vulnerability

It only took PayPal four days to patch a critical remote code execution vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.3. The flaw, in the Java Debug Wire Protocol (JDWP) in PayPal's marketing online service web-server, allowed "remote attackers to execute system specific code against a target system to compromise the webserver."

JDWP, a component of the Java Platform Debugger Architecture, is the "protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs," explained independent security researcher Milan A. Solanki. "JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server."

Thursday, 30 April 2015

Microsoft Build 2015 - news on Windows Edge - the new name for Internet Explorer

Big day for Microsoft. Catch up on all the announcements and demos from Build 2015, Microsoft's biggest event of the year.

Interesting stuff:
Code and test Apple code
Android apps on Windows Phone
Windows 10
Project Spartan becomes the Windows Edge web browser

Microsoft Build 2015 keynote in 9 minutes

Saturday, 18 April 2015

Security: Department of Defense gives $3 million grant to scientists to defend against next-gen cyberattacks

The next generation of cyberattacks will be more sophisticated, more difficult to detect and more capable of wreaking untold damage on the nation’s computer systems.

So the U.S. Department of Defense has given a $3 million grant to a team of computer scientists from the University of Utah and University of California, Irvine, to develop software that can hunt down a new kind of vulnerability that is nearly impossible to find with today’s technology.

The team is tasked with creating an analyzer that can thwart so-called algorithmic attacks that target the set of rules or calculations that a computer must follow to solve a problem. Algorithmic attacks are so new and sophisticated that only hackers hired by nation states are likely to have the resources necessary to mount them, but perhaps not for long.

“The military is looking ahead at what’s coming in terms of cyber security and it looks like they’re going to be algorithmic attacks,” says Matt Might, associate professor of computer science at the University of Utah and a co-leader on the team.

“Right now, the doors to the house are unlocked so there’s no point getting a ladder and scaling up to an unlocked window on the roof,”


Minecraft gets its very own security flaw!

A security flaw has been discovered in Minecraft’s code that could give perpetrators the ability to crash servers remotely. The vulnerability exploits the client’s privilege to send data to the server about the game’s inventory slots. The client then overloads the server with complex packets. The flaw was discovered by programmer Ammar Askar.

Wednesday, 18 March 2015

OpenSSL team warns of major vulnerability

The team behind the popular OpenSSL cryptographic library has warned of an impending patch, due for release this Thursday, which fixes an as-yet unreleased serious security vulnerability.

The OpenSSL project hit headlines in April last year when details of the Heartbleed vulnerability emerged, with numerous versions found to be vulnerable to a serious flaw that was proven to allow a remote attacker to discover the private key from within the memory of the server without leaving a single trace... Details of the new vulnerability are being kept private until the patched builds are released, to prevent widespread attacks.

Saturday, 28 February 2015

Uber security breach 50,000 drivers affected

Thousands of Uber’s driver names and license numbers may be in the hands of an unauthorized third party due to a data breach.

[Nathan] is a mobile application developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and analyze the web traffic between your computer and the Internet. The program essentially acts as a man in the middle, allowing you to view all of the request and response data and usually giving you the ability to manipulate it.

Saturday, 14 February 2015

Microsoft fix 10 year old bug rated Critical by Microsoft... now onto the 15 year old bug

Microsoft's list of updates for its Windows platform, released to the public as part of its regular Patch Tuesday update cycle earlier this week, included a patch for a decade-old flaw known as Jasbug. Described as a 'fundamental design flaw,' the security vulnerability - rated Critical by Microsoft, its highest designation - took Microsoft and discoverer JAS Global Advisors a year to resolve post-discovery. Now, details of another bug in the platform have been released by Breaking Malware - and this one stretches back even further, up to fifteen years... those still on unsupported platforms like Windows XP will not receive the patch.

Facebook fixes security flaw that allowed "any" photo to be deleted

What if your photos get deleted without your knowledge?
Obviously that's very disgusting, isn't it? Yup, this post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by a user or a page or a group could be deleted.

According to Facebook developers documentation, photo albums cannot be deleted using the album node in Graph API.

The bug was so severe that after he reported the bug to the social networking giant, it was fixed within two hours.

For his efforts, he was awarded $12,500, one of the highest rewards available.

Thursday, 5 February 2015

XSS security flaw in IE 11 affects fully patched versions

A newly-discovered, severe security flaw in fully patched versions of Internet Explorer allows attackers to steal user credentials or to conduct phishing attacks through any website.

The vulnerability, which affects fully patched versions of IE 11 running on both Windows 7 and 8.1, was disclosed by security researcher David Leo from security firm Deusen. Detailed on Full Disclosure, the Internet Explorer vulnerability allows hackers to bypass the Same-Origin Policy -- a fundamental element of web applications including the IE system which is meant to prevent cross-site forgeries -- and run scripts or inject malicious content into websites.

According to Leo, Microsoft was notified on Oct 13, 2014.

Health insurer Anthem Inc loses nearly 40 million US customers' personal information

Health insurer Anthem Inc, which has nearly 40 million US customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees... The information accessed during the “very sophisticated attack” did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.

Just how safe is your information online?

Saturday, 31 January 2015

Hack of BMW’s Connected Drive system can send remote unlocking instructions to vehicles

A security vulnerability in BMW’s Connected Drive system allowed researchers to imitate BMW servers and send remote unlocking instructions to vehicles.

The problem was discovered by the Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, and was verified on several models of BMW cars.

The attack took advantage of a feature that allows drivers who have been locked out of their vehicles to request remote unlocking of their car from a BMW assistance line.

“They were able to reverse engineer some of the software that we use for our telematics,” said Dave Buchko, a BMW spokesman. “With that they were able to mimic the BMW server.”

Monday, 26 January 2015

Google reveals Apple OS X Zero-Day Flaws


Project Zero team said that the flaws could lead to a successful attempt to elevate privilege levels and take over a machine.

The public disclosure follows the recent revealing of bugs in Microsoft Windows. However, the OS X vulnerabilities require an attacker to have access to a targeted Mac to execute such an attack.

The first flaw is "OS X networkd effective_audit_token XPC type confusion sandbox escape"; networkd is unsandboxed but runs as its own user.

It is reachable from many sandboxes, including the Safari WebProcess and ntpd, plus all those which allow system-network.

The second is OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator and the third is OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice.

Friday, 9 January 2015

Microsoft's Azure 16 times less reliable than Amazon AWS in 2014

Trying to decide which cloud to use, Azure or AWS? (No mention of Google's offering.)

Microsoft may be gaining traction in the cloud, but Amazon Web Services is still widening the gap when it comes to the reliability of those platforms — or at least that's what one benchmarking group says.
According to data from California-based CloudHarmony, Microsoft Azure's Virtual Machines spent 16 times as many hours offline as AWS's similar service over the past year.
That includes one unprecedented global outage from Azure in November that shut down websites, took Microsoft's Xbox Live gaming platform offline and seriously shook faith in the company's system.

Microsoft Dynamics security vulnerability - when is a security issue not a security issue... when we tell you it isn't?

A "DOM-based self-XSS vulnerability" for Microsoft Dynamics CRM 2013 SP1 was recently discovered by IT security firm High-Tech Bridge. If exploited, it could be used for cross-site scripting (XSS) attacks against authenticated Dynamics CRM users.

"We do not consider this a security vulnerability as it requires the use of social engineering to convince an authenticated user to enter some specific malicious code – in this instance putting it into a field on the Dynamics CRM application. We recommend that our customers always exercise caution when accepting content from untrusted sources. Additional protection guidance can be found at:"

Security begins at home - serious security vulnerability in many ASUS routers

There is a serious security vulnerability in the firmware of many ASUS routers that allows unauthenticated command execution.

“Several models of ASUS’s routers include a service called infosvr that listens on UDP broadcast port 9999 on the LAN interface. It’s used by one of ASUS’s tools to ease router configuration by automatically locating routers on the local subnet. This service runs with root privileges and contains an unauthenticated command execution vulnerability.”

Wednesday, 7 January 2015

Moonpig security flaw remained unfixed for 17 months!

A major security vulnerability in card company Moonpig's website means that the personal data of 3 million customers - including partial credit card details - have been exposed.

According to the security researcher who discovered the vulnerability, Paul Price, Moonpig has known about the problem since August 2013 but it's remained unfixed for 17 MONTHS.

Saturday, 3 January 2015

Internet of things - Security Threats Emerge

Security Threats Emerge

That said, two-thirds of respondents are concerned about privacy. In fact, across age, gender and income, 66 percent of survey respondents express concern about privacy. Researchers say this finding highlights the need for industry participants to mitigate privacy and security concerns to drive the industry forward.

"Data security and identity protection are clearly top of mind for consumers looking at IoT products and services," said Jack Ogawa, Director of Marketing for NXP Semiconductors. "The developing IoT industry has an opportunity to utilize state of the art software and semiconductor technology to set the standard for secure connections, both in the Cloud and in the connected IoT products themselves."

Adam Kujawa, Head of Malware Intelligence at anti-malware and Internet security software firm Malwarebytes, says we'll see the first major IoT attack in 2015.

Heartbleed still active as taxpayers get personal information stolen from government-run website

The Heartbleed bug remained a concern for the federal government three months after it was supposed to have been patched to protect taxpayers’ personal information, according to an internal government report.

Heartbleed forced the Canada Revenue Agency to shut down its online services at the height of tax season and publicly admit that it had lost the personal information on 900 taxpayers. A London, Ontario man is facing multiple charges in relation to the incident.

A government report penned in July reviewing the lessons learned from Heartbleed provides a detailed timeline of events, showing how quickly and how many people across government were brought to mitigate the damage Heartbleed caused — and continued to cause even in July.

Windows 8.1 - vulnerability remains unpatched for months!

A security researcher at Google has published details of an as-yet unpatched vulnerability in Windows 8.1, three months after reporting the problem to Microsoft.

Google's Security Research arm practices responsible disclosure, meaning that newly-discovered vulnerabilities are communicated in private to the maintainers of the affected software. The maintainers are then given a chance to investigate the issue and publish a patch to resolve the problem before the flaw is communicated to the general public - helping to prevent 'zero-day' scenarios where a widespread vulnerability becomes public knowledge before protections against its exploitation can be put in place.

Thursday, 1 January 2015

Start 2015 off with security in mind - so stop using PHP

example of hacked web site

With a string of SSL issues behind us in 2014 (Heartbleed, Poodle, Beast) maybe 2015 should be the year of increased security... first off PHP.

More than 78 per cent of all PHP installations are running with at least one known security vulnerability, a researcher has found.

Google developer advocate Anthony Ferrara reached this unpleasant conclusion by correlating statistics from web survey site W3Techs with lists of known vulnerabilities in various versions of PHP.

What he found is that many, many PHP-powered websites are using insecure versions of the interpreter – so much so that it's actually easier to find an insecure PHP setup on the internet than a secure one.

"This is absolutely and unequivocally pathetic," Ferrara wrote.