Press "Enter" to skip to content

Posts tagged as “security”

The NSA, Windows & Antivirus

Poor Microsoft. The beleaguered company just can’t catch a break. We’ve already told you about how Snowden’s revelations have forced the pride of Redmond to spend who knows how many millions opening two “transparency centers” to allow government IT experts to pore through source code to prove there’s no back doors baked into Windows or other Microsoft products. Trouble is, while its engineers have been busy plastering over all traces of old back doors, they’ve left a side door standing wide open, waiting to be exploited.

Boris and NatashaIronically, this side door is intended to be a security door for third party add-ons that every Windows machine needs to keep it safe from cracker hackers — if that’s indeed possible. And this security tool is usually more trusted by Microsoft system admins, especially those outside the U.S., than Windows itself.

Five Security Tips for New Linux Admins

It’s generally fairly easy for new Linux administrators to get up and running with the basics of installing, configuring and managing Linux systems at a basic level. Truthfully, though, it takes years to get the in-depth knowledge required in many server environments today. One thing I really recommend learning early on — i.e. from the beginning — is security.

Monitor padlockI participate in a group of professional penetration testers (the nice folks who help you test your security as if they were the bad guys) called Charlotte Hackers Anonymous. I asked the group what they thought were the most important tips for new system administrators, and below are their tips, along with my thoughts on each.

Don Parris

Don Parris wears a Facility Services cape by day, and transforms into LibreMan at night. He has written numerous articles about free tech, and hangs out with the Cha-Ha crowd, learning about computer security. He also enjoys making ceviche with his wife, and writing about his travels in PerĂș.

Linux Chromebooks, Securing the Web & More…

FOSS Week in Review

Unfortunately, Larry’s a little under the weather today, so here I am…

Put that on your Chromebook and run it

We hear from Softpedia that Chromixium is just about ready for prime time. Well, that may be jumping the gun a little bit. What we really hear is that the distro has now gone from beta to release candidate, and that a honest-to-goodness 1.0 stable version is virtually just around the corner. Trouble is: we’re not sure yet just how far away we are from that corner. Shouldn’t be too far, however. The beta version was only released in February, so these developers aren’t wasting time.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Sony & North Korea: Dumb & Dumber

Hacking, hacking, everywhere hacking. And not the good kind either. We’re talking cracking hacking.

Take the Sony hack for instance. Bunches of movies set for Christmas release are now available online for free, for those willing to break the law and invoke the displeasure of the MPAA while firing up the ol’ BitTorrent. Worse than that: even more bunches of Sony employees have had their financial lives turned upside down, with all of their personal information leaked. Not so bad, however, is the news that “The Interview” won’t be making an appearance on a screen near you anytime soon.

Oddly, it’s that last tidbit that’s been getting the most press. That, and the ongoing argument on who’s to blame for the Sony crack hack.

At first, U.S. authorities said that the North Koreans didn’t do it. Then they said they did. The North Koreans countered with a “no-way-Jose” and offered to help in the hunt to find the real culprit, which elicited an adamant “no-way-back-atcha” from the U.S.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

The Ongoing Wars Against Free Tech

After a few months of not hearing much from Microsoft, the company has been in the news a bit recently. First there was the brouhaha when it announced it was offering the .NET framework as open source. Then there were several big security problems with Windows, with one serious vulnerability going all the way back to Windows 95.

Although this would’ve been big news in the old days, the FOSS press has been relatively quiet about all this. There were a few articles about the .NET thing, with some writers pointing out that the MIT license which Redmond is using will offer no patent protection for Redmond owned .NET related patents, and the Windows security issues got next to no FOSS coverage at all.

My how times have changed.

A decade ago the open sourcing of any major program by Microsoft would have FOSS writers in a dither, even if released under the GPL. We would’ve been uber suspicious, certain that this was only the front end of a plan to end Linux and FOSS as we know it. As for the Windows security woes, we’d be rubbing our hands with glee, writing paragraph after paragraph on how much this proves the inferiority of Windows and the superiority of our beloved Linux. In those days, we had to take our good news wherever we could find it.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Drupal Hack & WordPress Users

It’s not a good day for Drupal users, with the security folks at the CMS platform telling all users to consider themselves compromised if they didn’t install a security patch within seven hours of its release on October 15th.

Fixing the infected sites will require a bit of work. Sites will need to be taken offline, and the current install of Drupal blown-up and replaced with a backup from before October 15th. Any changes made made to a site since that date will have to be redone. Site owners will also need to notify their hosting companies of the situation, since the Drupal exploit could also be used to hack into other sites on a host’s server. Hosts will not be happy to hear this.

Users of other CMS platforms can give a sigh of relief — after all, they’ve dodged a bullet — but they’d be well advised to pay attention; a similar scenario could play out on any platform at any time.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Tux Machines DDOS Attack Mostly Contained

For nearly a month now, we at FOSS Force have had no trouble reaching the popular FOSS sites Tux Machines and TechRights. Both sites are published by Roy Schestowitz and both sites, especially the former, had been offline during much of September due to a prolonged DDOS attack.

On October 4th, when we last reported on this, accessibility to both sites was greatly improved but still somewhat spotty. During most of this month, however, we’ve had no noticeable difficulty reaching either site.

According to Schestowitz, although the site continues to be under fire, he and his team have developed methods to deal with the attacks.

Should Everything in the World Be Facing the Internet?

From its inception, we knew the Internet to be an unsafe place. Before the first server was cracked by an online hacker, we knew that was bound to happen sooner or later. We knew because people were already breaking into computers, even without the Internet offering 24/7 cracker/hacker convenience.

Back in the early 90s, when I was living in the college town of Chapel Hill, I shelled-out five bucks or so at the local Egghead Software store for a shrink wrapped floppy disk loaded with “shareware” utilities for MS-DOS. Twenty years have passed, so I don’t remember what tool I needed, but I’d gone there specifically looking for something or another and had been directed to that particular product by a clerk at the store. Once I got home, I stuck the disk into the drive, looked over its contents and installed a couple of the apps.

securityThat was the end of it, or so I thought.

Several months later a biology major friend of mine with no computer skills — yes, in those days it was possible to earn an undergraduate science degree without knowing how to use a computer — dropped by to use my computer, a 486 with a whopping 4 megs of RAM. She was set to graduate soon and needed to use my machine to prepare a resume. I opened WordPerfect and set her loose to type away, answering any questions she had as she worked — such as how to remove a formatting code or preview how the document would look when printed.

An hour or so later, when she finished, I saved her work to a new blank floppy and sent her to see our mutual friend, Tony, to print it, as all I had was an old, noisy and beat-up Epson dot matrix printer and he had a fancy daisy wheel job. Two days later, she was back at my door, mad as hell.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Researchers Release USB Exploit & Incomplete Fix on GitHub

Now that a working exploit of the USB vulnerability that’s baked-in to the USB standard has been released, it might be a prudent move to no longer employ any USB devices that aren’t already under your control until this situation has been fixed.

The exploit was first made public two months ago at the Black Hat conference in Las Vegas when Karsten Nohl and Jakob Lell of Berlin based Security Research Labs (SRL) demonstrated an attack they called BadUSB to a standing-room-only crowd.

Secure Linux Systems Require Savvy Users

Linux securityPatches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.

After the patch is applied, there are a couple of commands that can be run from a terminal to ascertain that a system is no longer vulnerable. For details, see the article Steven J. Vaughan-Nichols has written for ZDNet. As yet, there is no patch available for OS X, although Apple says that one is on the way, while assuring its users that Mac systems aren’t vulnerable except for the most advanced users.

The good news about all this is that it demonstrates how quickly the Linux community can get the word out and then rally to engineer a solution when a security problem is discovered. The bad news is that not all Linux users listen. Too many users believe that the security features that are baked into Linux offer complete protection, no matter what. Unfortunately, that’s not the case. It never was, nor can it ever be.

My friend Andrew Wyatt, who spent time some years back as the founder and lead developer of the Fuduntu Linux distro, attempted to address this fact recently in a comment to an article on FOSS Force:

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

Breaking News: