Shakacon 2015 Last Call for Papers (July 6-9 2015, Honolulu, Hawaii)

Posted by Jonathan Brossard on Feb 12

—-++++++++++++++++++++++++++++++++++++—-
Shakacon VII – Honolulu, Hawaii

“Sun, Surf, and C Shells”

CALL FOR PAPERS

www.shakacon.org/CFP2015.html
—-++++++++++++++++++++++++++++++++++++—-

Who: Shakacon Crew
What: Shakacon VII
When: July 6-7 (Training) & July 8-9 (Conference) 2015
Where: Honolulu, HI – Hawaii Prince Hotel Waikiki
Why: World Class Speakers,…

5 Tips for becoming a hacker

In the twenty-first century many professions have become virtual. Programmers, designers, Web analysts and community managers are just some of the new professions created by the Internet.

However, there is one without which this new Internet ecosystem could not survive, although sometimes you might not think so: the hacker, who works to detect security flaws and fix them. Hackers are the guardians of the Internet and for that reason they are well paid for their work.

What do you have to do to become a good hacker? American Eric S. Raymond, who describes himself as “an open source evangelist” and maintains the Jargon File, a dictionary of hacker culture terms, includes a detailed document on his website that offers some practical tips on how to become a good computer security expert, in response to the barrage of questions he has received about the topic in recent years.

If you think that this could be your ideal job, we summarize some of the tips of this open source guru.

5 Tips for becoming a hacker

  1. Hackers build, not destroy (although many people are not clear on that). If you want to be a hacker, the first thing is to be motivated. Raymond says that it is a fun profession but it takes a lot of effort and learning capacity. Intelligence, practice, dedication, and hard work are just some of the requirements. You have to approach this work as intense play rather than drudgery. This security expert upholds that no problem should ever have to be solved twice; you must always tackle new challenges.
  2. Learn how to program. Developers have to be multilingual and learn all of the latest programming languages. Hackers have to do the same. One of the languages that Raymond recommends learning (and that many companies are currently demanding) is Python, an open source programming language that its creator, Guido van Rossum, started working on in the late 1980s. Java, C++, Ruby and Django are other languages that you should get to know. Raymond has left some instructions on his website, but he warns that they are not easy.
  3. Knowledge of Unix. You have to get past Windows and learn to manage operating systems like Unix or Linux (based on the former). Both are essential in the Internet era and any programmer worth their salt must know them.
  4. Learn how to use the World Wide Web and write HTML. It is vital to know by heart all of the secrets of HTML code. HTML tags, enclosed in ‘greater than’ and ‘less than’ symbols are the vocabulary of the Internet and of programmers. Version five of the standard, HTML 5, published definitively last year, is the latest.
  5. Earn status in the hacker culture. It is essential to speak English in order to take part in the hacker community; it is a language that is very specific when it comes to the most technical terminology. Then, do not simply copy the knowledge of others; take part in the community. Writing open-source software, helping to test and debug it, sharing your knowledge with others and doing something for the hacker culture are just a few of his tips.

“Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren’t doing what only they can do — solve new problems,” says Raymond.

A hacker must have many skills but this computer security expert shows us that, with all of the opportunities offered by the Internet to learn how it works and the motivation to do something different every day, you can become a good hacker.

Raymond adds that reading science fiction, studying the Zen philosophy, doing martial arts and developing your appreciation of wordplay could be complementary activities. We will leave that for you to choose.

If you have been bitten by the bug, just visit his website, which some kind souls have translated into various languages.

The post 5 Tips for becoming a hacker appeared first on MediaCenter Panda Security.

USN-2499-1: PostgreSQL vulnerabilities

Ubuntu Security Notice USN-2499-1

11th February, 2015

postgresql-8.4, postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in PostgreSQL.

Software description

  • postgresql-8.4
    – Object-relational SQL database

  • postgresql-9.1
    – Object-relational SQL database

  • postgresql-9.3
    – Object-relational SQL database

  • postgresql-9.4
    – Object-relational SQL database

Details

Stephen Frost discovered that PostgreSQL incorrectly displayed certain
values in error messages. An authenticated user could view certain
values, contrary to expected permissions. (CVE-2014-8161)

Andres Freund, Peter Geoghegan and Noah Misch discovered that PostgreSQL
incorrectly handled buffers in to_char functions. An authenticated attacker
could possibly use this issue to cause PostgreSQL to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2015-0241)

It was discovered that PostgreSQL incorrectly handled memory in the
pgcrypto extension. An authenticated attacker could possibly use this issue
to cause PostgreSQL to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2015-0243)

Emil Lenngren discovered that PostgreSQL incorrectly handled extended
protocol message reading. An authenticated attacker could possibly use this
issue to cause PostgreSQL to crash, resulting in a denial of service, or
possibly inject query messages. (CVE-2015-0244)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • postgresql-9.4 9.4.1-0ubuntu0.14.10

Ubuntu 14.04 LTS:
  • postgresql-9.3 9.3.6-0ubuntu0.14.04

Ubuntu 12.04 LTS:
  • postgresql-9.1 9.1.15-0ubuntu0.12.04

Ubuntu 10.04 LTS:
  • postgresql-8.4 8.4.22-0ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2014-8161, CVE-2015-0241, CVE-2015-0243, CVE-2015-0244

[ MDVSA-2015:046 ] ntp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:046
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : ntp
 Date    : February 12, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated ntp packages fix security vulnerabilities:
 
 Stephen Roettger of the Google Security Team, Sebastian Krahmer of
 the SUSE Security Team and Harlan Stenn of Network Time Foundation
 discovered that the length value in extension fields is not properly
 validated in several code paths in ntp_crypto.c, which could lead to
 information leakage or denial of service (CVE-2014-9297).
 
 Stephen Roettger of the Google Security Team reported that ACLs based
 on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).
 ______

[ MDVSA-2015:045 ] e2fsprogs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:045
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : e2fsprogs
 Date    : February 12, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated e2fsprogs packages fix security vulnerability:
 
 The libext2fs library, part of e2fsprogs and utilized by its utilities,
 is affected by a boundary check error on block group descriptor
 information, leading to a heap based buffer overflow. A specially
 crafted filesystem image can be used to trigger the vulnerability
 (CVE-2015-0247).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247
 http://advisories.mageia.org/MGAS

[ MDVSA-2015:044 ] perl-Gtk2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:044
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-Gtk2
 Date    : February 12, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in perl-Gtk2:
 
 Incorrect memory management in Gtk2::Gdk::Display::list_devices in
 perl-Gtk2 before 1.2495, where the code was freeing memory that gtk+
 still holds onto and might access later.
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGASA-2015-0059.html
 _______________________________________________________________________

 Upda