Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


LinuxSecurity.com Feature Extras:

Social Engineering Methods for Penetration Testing - Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

Putting Infosec Principles into Practice - When you’re dealing with a security incident it’s essential you – and the rest of your team – not only have the skills they need to comprehensively deal with an issue, but also have a framework to support them as they approach it. This framework means they can focus purely on what they need to do, following a process that removes any vulnerabilities and threats in a proper way – so everyone who depends upon the software you protect can be confident that it’s secure and functioning properly.


  WikiLeaks publishes docs from what it says is trove of CIA hacking tools (Mar 8)

This morning, WikiLeaks posted the first of what the organization's spokesperson says is a multi-part series of documents and files from the Central Intelligence Agency. "The first full part of the series, 'Year Zero', comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina [sic]," WikiLeaks' spokesperson said in a press release.

  Google's ‘SHA-1 Countdown Clock' Could Undermine Enterprise Security (Mar 8)

The recent announcement from Google that researchers documented a collision with the Secure Hash Algorithm 1 (SHA-1) cryptographic hash function has enormous implications for the IT industry.

  Wikileaks Just Dumped a Cache of Information on Alleged CIA Hacking Tools (Mar 7)

On Tuesday, Wikileaks published what it says are files related to the Central Intelligence Agency's hacking operations. Apparently the first in a series dubbed "Vault 7" by Wikileaks, the transparency organization claimed the dump was the largest-ever publication of confidential documents concerning the CIA.

  The Border Patrol can take your password. Now what? (Mar 6)

There's a whole world of bad security advice going around about traveling in and out of the United States. It's largely because under the Trump Administration there has been an uptick in Customs and Border Protection agents searching the phones and digital devices of travelers at airport checkpoints.

  HackerOne offers bug bounty service for free to open-source projects (Mar 6)

HackerOne, the company behind one of the most popular vulnerability coordination and bug bounty platforms, has decided to make its professional service available to open-source projects for free.

  Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress (Mar 7)

Internet scribblers who use WordPress must update their installation of the publishing tool following the disclosure and patching of six security holes.

  Hackers exploit Apache Struts vulnerability to compromise corporate web servers (Mar 9)

Attackers are widely exploiting a recently patched vulnerability in Apache Struts that allows them to remotely execute malicious code on web servers. Apache Struts is an open-source web development framework for Java web applications. It's widely used to build corporate websites in sectors including education, government, financial services, retail and media.

  Critical vulnerability under "massive" attack imperils high-impact sites (Mar 10)

In a string of attacks that have escalated over the past 48 hours, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.

  An insecure mess: How flawed JavaScript is turning web into a hacker's playground (Mar 10)

An analysis of over 133,000 websites has found that 37 percent of them have at least one JavaScript library with a known vulnerability. Researchers from Northeastern University have followed up on research in 2014 that drew attention to potential security risks caused by loading outdated versions of JavaScript libraries, such as jQuery and the AngularJS framework, in the browser.

  Google tries to beat AWS at cloud security (Mar 10)

Google knows that if enterprises are going to move their critical services to its cloud, then it has to offer something that AWS doesn't. At Google Cloud Next, the company's leadership made the case that Google Cloud was the most secure cloud.

  Operation Rosehub patches Java vulnerabilities in open source projects (Mar 13)

Google employees recently completed Operation Rosehub, a grass roots effort that patches a set of serious Java vulnerabilities in thousands of open source projects.