Security

Security Leftovers

Filed under
Security
  • Security fail is people

    The other day I ran across someone trying to keep their locker secured by using a combination lock. As you can see in the picture, the lock is on the handle of the locker, not on the loop that actually locks the door. When I saw this I had a good chuckle, took a picture, and put out a snarky tweet. I then started to think about this quite a bit. Is this the user's fault or is this bad design? I'm going to blame bad design on this one. It's easy to blame users, we do it often, but I think in most instances, the problem is the design, not the user. If nothing is ever our fault, we will never improve anything. I suspect this is part of the problem we see across the cybersecurity universe.

  • Free software activities in April 2017

    Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

    The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

Security Leftovers

Filed under
Security
  • Is there any way to truly secure Docker container contents?

    All this adds up to a lot of work, which is not taken care of for you by default in Docker. It is no surprise that many Docker images are insecure, given this picture. The unfortunate reality is that many Docker containers are running with known vulnerabilities that have known fixes, but just aren’t, and that’s sad.

  • Compromise recovery on Qubes OS

    Occasionally fuckups happen, even with Qubes (although not as often as some think).

    What should we – users or admins – do in such a situation? Patch, obviously. But is that really enough? What good is patching your system if it might have already been compromised a week earlier, before the patch was released, when an adversary may have learned of the bug and exploited it?

    That’s an inconvenient question for many of us – computer security professionals – to answer. Usually we would mutter something about Raising the Bar(TM), the high costs of targeted attacks, attackers not wanting to burn 0-days, or only nation state actors being able to afford such attacks, and that in case one is on their list of targets, the game is over anyway and no point in fighting. Plus some classic cartoon.

    While the above line of defense might work (temporarily), it really doesn’t provide for much comfort, long term, I think. We need better answers and better solutions. This post, together with a recently introduced feature in Qubes OS 3.2 and (upcoming) 4.0, is an attempt to offer such a solution.

  • Top 5 Kali Linux Pentest tools for WiFi/network and exploits
  • Linux/Shishiga Malware Brute-Forces SSH Credentials

    A new strain of Linux malware has been detected. Dubbed Linux/Shishiga, the malware could transform into a dangerous piece of malware. Linux/Shishiga was officially discovered and examined by researchers at Eset.

  • Cybercriminals have taken notice of leaked government spying techniques
  • Microsoft Closes Word/Wordpad Hole—6 Months after Report
  • [Older] The Pentagon’s Bug Bounty Program Should Be Expanded to Bases, DOD Official Says [iophk: "any version of Windows at all is inappropriate"]

    “About 75 percent of the devices that are control systems are on Windows XP or other nonsupported operating systems,” said Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment.

    [...]

    “A lot of these systems are still Windows 95 or 98, and that’s OK—if they’re not connected to the internet,” Haegley added.

  • Don’t Info Op Until You See The Whites of Their Eyes
  • CFP P70

    This is the official CFP for P70.

  • VM escape - QEMU Case Study

    In this paper, we provide an in-depth analysis of CVE-2015-5165 (a memory-leak vulnerability) and CVE-2015-7504 (a heap-based overflow vulnerability), along with working exploits. The combination of these two exploits allows one to break out from a VM and execute code on the target host. We discuss the technical details to exploit the vulnerabilities on QEMU's network card device emulation, and provide generic techniques that could be re-used to exploit future bugs in QEMU.

  • CIA’s anti-leaking tool leaked as ‘whistleblowers watch the watchers’

    Former MI5 intelligence officer Annie Machon and retired US Army Colonel Ann Wright, who is also a retired US State Department official, shared their views on these and other questions with RT.

    On Friday, WikiLeaks released a series of documentations on a US Central Intelligence Agency (CIA) project known as ‘Scribbles,’ which was allegedly created to allow ‘web beacon’ tags to be embedded “into documents that are likely to be copied.”

    WikiLeaks began publishing a huge cache of secret documents on the CIA named ‘Vault 7’ in March.

  • Vault 7: CIA tool to track people through Word docs released

    The documentation says: "Scribbles (SCRIB) is a document watermarking tool that can be used to batch process a number of documents in a pre-seeded input directory. It generates a random watermark for each document, inserts that watermark into the document, saves all such processed documents in an output directory, and creates a log file which identifies the watermarks inserted into each document."

    It says the tool was successfully tested on Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) and documents that are not locked forms, encrypted, or password-protected.

    There is a limitation to the Scribbles system: if a document that has the watermarks in it is opened in OpenOffice or LibreOffice, the watermark images and URLs may become visible.

  • The US Takes On the World in NATO’s Cyber War Games

    Last year, Capt. Sean Ruddy and his team of operator-soldiers from the US Cyber Brigade entered Locked Shields, a NATO-organized cyber-defense war game that pits teams from dozens of countries against “live-fire” attacks. It was their first time. And of the 19 countries represented, the US finished dead last. This week, they got their shot at redemption.

More Security Leftovers

Filed under
Security
  • HardenedLinux: The way to the Ark

    We’ve been sharing some of our works on security practices (STIG-4-Debian, Debian GNU/Linux profiles, etc) for servers running in data center. PaX/Grsecurity is the cornerstone to most of our solutions. Evidences have revealed that PaX/Grsecurity can defeat multiple public exploits w/o any patch fixes in critical scenarios for a long run. With PaX/Grsecurity, for the 1st time we believe that we can build the defense based on free/libre & open source software/firmware solution to prevent many threats from Ring 3/0/-1/-2/-3. HardenedLinux is going to continue to develop solutions of defense based on PaX/Grsecurity. From our point of view, we see no other option. Please remember this date: Apr 26 2017. This is the day we lost our Ark.

  • It's Official: Ubuntu 12.04 LTS (Precise Pangolin) Linux OS Reached End of Life

    Canonical, through Adam Conrad, informed us today that the Ubuntu 12.04 LTS (Precise Pangolin) operating system is now officially dead, reaching end of life on April 28, 2017.

    If you're still using Ubuntu 12.04 LTS on your desktop or server systems, it's time to upgrade to a newer, supported release. You can choose to upgrade to either Ubuntu 14.04 LTS (Trusty Tahr), which will be supported for two more years, until April 2019, or Ubuntu 16.04 LTS (Xenial Xerus), supported until April 2021.

IPFire 2.19 Now Supports On-Demand IPsec VPNs, Core Update 110 Is Now Available

Filed under
GNU
Linux
Security

IPFire's Michael Tremer announced today, April 28, 2017, the release of IPFire 2.19 Core Update 110, a new stable maintenance version of the open-source, Linux-based firewall operating system.

Coming two and a half months after the previous point release, IPFire 2.19 Core Update 110 is here to implement support for on-demand IPsec (Internet Protocol Security) VPNs (Virtual Private Networks), which might just come in handy to those who deal with a huge amount of IPsec net-to-net connections on their infrastructures.

Linux Mint-using terror nerd awaits sentence for training Islamic State

Filed under
Linux
Security

A paranoid Welsh Muslim who wore gloves while typing on his laptop, admitted being part of Islamic State, and, gasp, harbored a copy of Linux Mint, has been described as a “new and dangerous breed of terrorist.”

Samata Ullah, 34, who also used voice modulation software to disguise his thick Welsh accent while making instructional videos about encryption, pleaded guilty to five terrorism charges at Cardiff Crown Court. He was due to be sentenced Friday afternoon.

Tor 0.3.0.6 is released: a new series is stable!

Filed under
Security

Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.

With the 0.3.0 series, clients and relays now use Ed25519 keys to authenticate their link connections to relays, rather than the old RSA1024 keys that they used before. (Circuit crypto has been Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced the guard selection and replacement algorithm to behave more robustly in the presence of unreliable networks, and to resist guard-capture attacks.

Easy ways to make your Android device more secure

Filed under
Android
Security

How secure is your data on that Android smartphone? On a scale of "Alcatraz" to "open field of flowers," where does yours rank? If you're truly concerned about the security of your mobile device (which you should be), you know there are always steps to take to further clamp it down. Because some of these steps are a bit more complicated, they are often overlooked by the average user. That's why I want to offer up a few easy ways anyone can bring a bit more security to their Android device.

More in Tux Machines

Distributions News: Ubuntu, Manjaro, and Lakka

  • Ubuntu founder retakes the CEO throne, many employees gone
    Mark Shuttleworth, the founder of Canonical, has once again returned to his position of CEO, as Jane Silber, the previous CEO, now heads to the Board of Directors; and big changes happen to the staff lineup as a result. In a blog post by Silber, she says, “I originally agreed to be CEO for 5 years and we’ve extended my tenure as CEO by a couple of years already. We’ve been preparing for a transition for some time by strengthening the executive leadership team and maturing every aspect of the company, and earlier this year Mark and I decided that now is the time to effect this transition.”
  • [Video] Manjaro 17.0 KDE Edition - See What’s New
    Manjaro 17.0 KDE is the latest release of Manjaro Linux. This release brings the new KDE Plasma 5.9.x as its desktop environment, including most of KDE Applications 16.12 and KDE Frameworks 5.32.
  • Make your own NES Classic Edition with Lakka 2.0 LibreELEC Linux distro and Raspberry Pi
    The NES Classic Edition is a very fun nostalgia-based gaming console. As someone who grew up with Nintendo, I knew I wanted the mini system as soon as it was announced. A family member was able to score me one on launch day, and I've been very happy with it. Unfortunately, other people have not been so lucky. Supply was very limited and it has since been discontinued. If you do not already have it, you are sort of out of luck without paying high prices on eBay or Craigslist. If you are only looking to replay the NES games of your youth, and you are OK with doing it in an unofficial way, emulation is another route. In fact, if you'd rather not play these games on your PC, you can instead use a Linux-based operating system and a Raspberry Pi (or other devices) hooked to a television. One such distro is Lakka, which just reached version 2.0. It is arguably better than an NES Classic Edition as it can also play games from other systems, such as SNES, Sega Genesis, Nintendo 64, PlayStation 1, and many more.

Linux Mint's Plans

  • Some Of The Features Coming To Linux Mint's Cinnamon 3.4 Desktop
    In the latest monthly progress report on Linux Mint, some of the upcoming changes for the GNOME3-forked Cinnamon Desktop Environment were shared.
  • Monthly News – April 2017
    Many thanks to all the people who donated to us and who help to fund our project. Donations are down to about 60% of what they were last year, but they’re still quite high. In the first trimesters of 2015, 2016 and 2017 we respectively received $23k, $40k and $25k. Our development team has gotten bigger and our budget is being extended to include some administrators and designers. Other figures and metrics indicate we’re growing so this probably just reflects an exceptional year for donations in 2016.
  • Linux Mint Is Adopting LightDM as its Login Manager
    Linux Mint is adopting the LightDM display manager to handle and authenticate user sessions. Revealing plans in its latest monthly update, Mint says it will formally drop the MDM Display Manager (MDM) in favour of LightDM with Mint 18.2, release date for which is as-yet unknown. The popular Ubuntu-based Linux distribution mooted a possible switch earlier this year, noting that it had a key feature MDM lacks (guest sessions), and has become something of a standard across distributions.
  • Linux Mint 13 support ends, LMDE to get MATE 1.18 soon, big changes heading to Cinnamon
    The news from the Linux Mint team was quite interesting this week. First up, Linux Mint 13 has officially hit EOL (end of life), so you really do need to upgrade. LMDE (Linux Mint Debian Edition) is set to get the MATE desktop version 1.18 "this week" and they have ported mintMenu over to GTK3; since the rest of MATE is now using GTK3 too, it makes sense.