News Category: Security

“We want every server on the Internet to have a certificate,” said Josh Aas, speaking about the Let’s Encrypt project at LinuxCon North America.

Let's Encrypt: Every Server on the Internet Should Have a Certificate

The web is not secure. As of August 2016, only 45.5 percent of Firefox page loads are HTTPS, according to Josh Aas, co-founder and executive director of Internet Security Research Group. This number should be 100 percent, he said in his talk called “Let’s Encrypt: A Free, Automated, and Open...

NIST Denounces SMS 2FA - What are the Alternatives?

Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline. NIST Special...

Let's Encrypt: Why Create a Free, Automated, and Open CA?

During the summer of 2012, Eric Rescorla and I decided to start a Certificate Authority (CA). A CA acts as a third party to issue digital certificates, which certify public keys for certificate holders. The free, automated, and open CA we envisioned, which came to be called Let's Encrypt, has been...

Powerful Bit-Flipping Attack

New research: "Flip Feng Shui: Hammering a Needle in the Software Stack," by Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. Abstract: We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over arbitrary ...

Your Next 10 Security Pain Points

Going to security conferences always stimulates my imagination. It makes me think outside of the box and remove the cruft that develops when I sit inside my lab too long—staring at vCenter monitors, 10 open bash sessions, security consoles, and emails from colleagues swallowing Xanax. If advanced...

Container Defense in Depth

The new age of image-based containers exploded onto the scene in early to mid-2013. Since the early days of the Docker container engine, we heard questions of whether they were secure enough. Our very own Dan Walsh was heard many times saying, “Docker containers don't contain,” so the question is, can...

Multifactor Authentication with Google Authenticator

Google Authenticator provides one-time passwords to smartphone owners for multifactor authentication, or you can integrate it into other applications, such as blogs. Login security increases significantly when using a combination of factors to authenticate a user (i.e., multifactor authentication...

Linux Flaw Allows Attackers to Hijack Web Connections

Researchers discovered that a Transmission Control Protocol (TCP) specification implemented in Linux creates a vulnerability that can be exploited to terminate connections and conduct data injection attacks. The flaw, tracked as CVE-2016-5696, is related to a feature described in RFC 5961, which...

10 IoT Security Best Practices For IT Pros

IT professionals have to treat internet of things (IoT) vulnerabilities as they would vulnerabilities in databases or web applications. Any flaw can bring unwelcome attention, for those making affected products and those using them. Any flaw may prove useful to compromise other systems on the...

Linux.Lady Trojan Turns Linux Servers into Bitcoin Miners

A NEW TROJAN targeting Linux servers has been discovered in the wild, exploiting servers running the Redis NoSQL database to use them for bitcoin mining. Up to 30,000 Redis servers may be vulnerable, largely because careless systems administrators have put them online without setting a password....