Explore top 10 tips to secure your open-source projects now. Read More
×Security researchers have discovered another sizeable haul of malicious packages on the npm and PyPI open source registries, which could cause issues if unwittingly downloaded by developers. . In January, Sonatype said it found 691 malicious npm packages and 49 malicious PyPI components containing crypto-miners, remote access Trojans (RATs) and more. The discoveries by the firm’s AI tooling brings its total haul to nearly 107,000 packages flagged as malicious, suspicious or proof-of-concept since 2019. It includes multiple packages that contain the same malicious package.go file – a Trojan designed to mine cryptocurrency from Linux systems. Sixteen of these were traced to the same actor, trendava, who has now been removed from the npm registry, according to Sonatype. Separate finds include PyPI malware “minimums,” which is designed to check for the presence of a virtual machine (VM) before executing. The idea is to disrupt attempts by security researchers, who often run suspected malware in VMs, to find out more about the threat. . Experts in cybersecurity have discovered an extensive collection of more than 800 harmful open source libraries available on the npm and PyPI platforms.. Malicious Packages,Npm,Pypi,Open Source Threats,Security Research. . LinuxSecurity.com Team
Researchers have discovered three vulnerabilities capable of granting attackers root privileges on Linux systems if they are able to gain access through other methods. These bugs, which affect the iSCSI kernel subsystem, have existed for more than 15 years. . Similarly, The Zero Day Initiative (ZDI) researchers uncovered another decade and a half old Linux vulnerability affecting ISC BIND servers configured to use GSS-TSIG features. The discovery of old but active bugs underscores the need for open-source maintainers to monitor external modules to ensure they observe the best security practices, according to the ZDI. . Legacy Linux flaws enable local rights escalation and information exposure; vital for developers to remedy vulnerabilities.. Linux Privilege Escalation, Open Source Vulnerability, Kernel Bug, Information Leak Risk. . Brittany Day
Chinese security researchers were able to successfully discover zero-day vulnerabilities in Chrome, Edge, Safari, Office 365, qemu-kvm + Ubuntu and more at a recently held hacking competition in the city of Chengdu in China. Learn more in an interesting TechWorm article: . The hacking contest held over last weekend – November 16 and 17 – saw China’s top hackers take part in the Tianfu Cup 2019 International Cyber Security Competition – the country’s top hacking competition – to test some of the world’s most popular applications. For those unaware, prior to 2018, Chinese experts had successfully dominated Pwn2Own, the world’s largest hacking contest, by winning the competition years in a row. The link for this article located at TechWorm is no longer available. . During the Tianfu Cup 2023 Hacking Contest, Chinese experts discovered critically unpatched vulnerabilities in widely-used web browsers.. Zero-Day Exploits, Hacking Contest, Browser Vulnerabilities, Chinese Hackers. . LinuxSecurity.com Team
The results of the 2019 Defcon Voting Village are in—and they paint an ugly picture for voting machine security. Learn more in an interesting Wired article: . In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. This afternoon, its organizers released findings from this year's event—including urgent vulnerabilities from a decade ago that still plague voting machines currently in use. Voting Village participants have confirmed the persistence of these flaws in previous years as well, along with a raft of new ones. But that makes their continued presence this year all the more alarming, underscoring how slow progress on replacing or repairing vulnerable machines remains. Participants vetted dozens of voting machines at Defcon this year, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Today's report highlights detailed vulnerability findings related to six models of voting machines, most of which are currently in use. That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year. The link for this article located at Wired is no longer available. . Ballot systems continue to retain issues from years past, prompting significant worries over electoral integrity and citizen confidence.. Voting Machine Security, Defcon Findings, Voting Flaws. . Brittany Day
Putting up a good and long password is advised by cybersecurity, however, cybersecurity doesn’t teach us how to identify the hacker hacking into your computer. It doesn’t matter how strong you are creating passwords, there is always be an option for hackers to crack your passwords.. The hackers nowadays have been creating well-developed algorithms, which can speed up the processes to discover your password codes. So if you are one of them who thought that putting up a tough password is a secure way to stay away from hacker then this article is just for you. Today we will discuss some password cracking techniques used by hackers to hack into our account. The link for this article located at TechViral is no longer available. . The hackers nowadays have been creating well-developed algorithms, which can speed up the processes . cybersecurity, putting, password, advised, however, doesn’t. . LinuxSecurity.com Team
A third of organisations would consider paying a ransom to hackers instead of investing more in security a survey has claimed.. For some organisations it seems, splashing out on cyber security products or training is viewed as investing in something which might actually never be needed, so some are choosing to invest elsewhere.Decision makers at organisations around the world were asked if they would consider paying a ransom by a hacker rather than invest in security because it's cheaper. The link for this article located at ZDNet is no longer available. . Many companies prioritize cost savings over safeguarding, considering ransom payouts more economical than committing resources to security measures.. Cybersecurity Investments, Threat Management, Ransom Payment Strategies. . LinuxSecurity.com Team
A spat between two security companies shows just how sensitive reporting software vulnerabilities can be, particularly when it involves a popular product. The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye's Malware Protection System (MPS) earlier this year. . One of the flaws, found by researcher Felix Wilhelm, could be exploited to gain access to the host system, according to an advisory published by ERNW. As is customary in the industry, ERNW contacted FireEye in early April with details of the problems. . Concerns emerge regarding the disclosure of weaknesses in the Malware Defense System between CrowdStrike and CERT over issues in threat assessment.. Malware Protection System, FireEye, Ethical Disclosure, Software Flaws, Cybersecurity. . LinuxSecurity.com Team
Gemalto, the Dutch maker of billions of mobile phone SIM cards, confirmed this morning that it was the target of attacks in 2010 and 2011. Gemalto came to this conclusion after just a weeklong investigation following a news report that the NSA and GCHQ had hacked into the firm The link for this article located at Wired is no longer available. . Gemalto confirms 2010-2011 attacks were real; NSA's involvement suggested but remains unverified after investigation.. Gemalto Hacking, Mobile Security Breach, Data Security Threat. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.