Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security Researchers Find Several Bugs in Nest Security Cameras

    Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities that are based in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things or IoT devices.

  • Better SSH Authentication with Keybase

    With an SSH CA model, you start by generating a single SSH key called the CA key. The public key is placed on each server and the server is configured to trust any key signed by the CA key. This CA key is then used to sign user keys with an expiration window. This means that signed user keys can only be used for a finite, preferably short, period of time before a new signature is needed. This transforms the key management problem into a user management problem: How do we ensure that only certain people are able to provision new signed SSH keys?

  • Texas ransomware attacks deliver wake-up call to cities [iophk: Windows TCO]

    The Texas Department of Information Resources has confirmed that 22 Texas entities, mostly local governments, have been hit by the ransomware attacks that took place late last week. The department pointed to a “single threat actor” as being responsible for the attacks, which did not impact any statewide systems.

  • Texas Ransomware Attack

    On Security Now, Steve Gibson talks about a huge ransomware attack. 23 cities in Texas were hit with a well-coordinated ransomware attack last Friday, August 16th.

  • CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

    Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.

More in Tux Machines

Linux commands to display your hardware information

There are many reasons you might need to find out details about your computer hardware. For example, if you need help fixing something and post a plea in an online forum, people will immediately ask you for specifics about your computer. Or, if you want to upgrade your computer, you'll need to know what you have and what you can have. You need to interrogate your computer to discover its specifications. Alternatively, you could open up the box and read the labels on the disks, memory, and other devices. Or you could enter the boot-time panels—the so-called UEFI or BIOS panels. Just hit the proper program function key during the boot process to access them. These two methods give you hardware details but omit software information. Or, you could issue a Linux line command. Wait a minute… that sounds difficult. Why would you do this? Read more

Android Leftovers

BlackWeb 1.2

BlackWeb is a penetration and security testing distribution based on Debian. The project's website presents the distribution's features as follows: BlackWeb is a Linux distribution aimed at advanced penetration testing and security auditing. BlackWeb contains several hundred tools which are geared towards various information security tasks, such as penetration testing, security research, computer forensics and reverse engineering. Starting from an appropriately configured LXDE desktop manager it offers stability and speed. BlackWeb has been designed with the aim of achieving the maximum performance and minimum consumption of resources. There are 32-bit (x86) and 64-bit (x86_64) builds of BlackWeb available on the distribution's website. I downloaded the 64-bit build which is 2.6GB in size. Booting from the media brings up a menu asking if we would like to try BlackWeb's live desktop, run the installer or run the graphical installer. Taking the live desktop options presents us with a graphical login screen where we can sign in with the username "root" and the password "blackweb". Read more

Feh is a light-weight command-line image viewer for Linux

The default image viewer in most Linux distros is a fine option for many users, but if you want a distraction free alternative, Feh is a good option. Feh's interface is as barebones as it gets as it does not have any toolbars or buttons but is a command line interface application; because of that, it is very light on resources and still easy enough to use even for users who shy away from using the command line whenever possible. Read more