Security

Kali Linux: What You Must Know Before Using it

Filed under: GNU, Linux, Security

Kali Linux is the industry’s leading Linux distribution in penetration testing and ethical hacking. It is a distribution that comes shipped with tons and tons of hacking and penetration tools and software by default, and is widely recognized in all parts of the world, even among Windows users who may not even know what Linux is.

Because of the latter, many people are trying to get along with Kali Linux although they don’t even understand the basics of a Linux system. The reasons may vary from having fun, faking being a hacker to impress a girlfriend or simply trying to hack the neighbors’ WiFi network to get a free Internet, all of which is a bad thing to do if you are planning to use Kali Linux.


Security: 'Cyber' Wars, IPFS, Updates and PHP FUD

Filed under: Security

IPFire 2.21 - Core Update 124 released

Filed under: GNU, Linux, Security

This is the official release announcement for IPFire 2.21 – Core Update 124. It brings new features and immensely improves security and performance of the whole system.


Security: 'Smart' Locks, Windows in Weapons

Filed under: Security

GNOME's Nautilus Gets Better Google Drive Support, Warns About Security Risks

Filed under: GNOME, Security

The GNOME 3.30 desktop environment is about to get its last scheduled point release, version 3.30.2, which should hit the streets later this month on October 24, and it looks like the Nautilus app was already updated to version 3.30.2, a bugfix release that adds quite a few improvements to the popular file manager.

According to the internal changelog, Nautilus 3.30.2 improves support for opening files stored on Google Drive accounts, improves searching by addressing various crashes, fixes the triple mouse click gesture in the pathbar to minimize the main window, as well as the "/" and "~" characters not opening the location bar.


Security: Electric-Scooter 'Hacking', Facebook Cracked, National Security Agency (NSA) Looks Into Fuchsia/Android and More

Filed under: Security

  • Inside the Lawless New World of Electric-Scooter Hacking

    If major corporations and voting infrastructure can be hacked, then it stands to reason that one could also, and much more easily, hack a $400 electric scooter. And in their rush to make dockless, app-enabled two-wheelers a way of life across every urban neighborhood worldwide — while throttling the competition — startups Bird, Lime, Scoot, Skip and Spin have caused localized backlashes while putting their tech at risk of both clever and stupid exploits.

    What’s funny is that the companies tend to dismiss these vulnerabilities as insignificant. Lime’s director of government relations and strategic development, Sam Sadle, told the Dallas Observer this summer that theft and vandalism of scooters is rare because they’re so often in use. Reacting to complaints that hacking has become common, he added: “It hasn’t in any way limited our ability to operate in the markets in which we do operate.”

  • How to Find Out if You Were Affected by the Recent Facebook Hack [Ed: Facebook is almost certainly lying/lowballing the number and far more people got cracked]

    Facebook has now confirmed that hackers stole access tokens for “only” 30 million people, not 50 million. For 15 million of those people, the hackers were able to get phone number, email address, or both. And for 14 million more people, the hackers were able to get a lot more information, like username, gender, relationship status, religion, birthday, and a ton of other information including things you’ve searched for.

  • Facebook Revises Data Breach Impact Downward, Provides New Details
  • Google Fuchsia: Here's what the NSA knows about it

    A while back, Google told us Fuchsia is not Linux. There have also been endless rumors, with little hard proof, it will eventually replace Android. Other than that, we don't know much. But the National Security Agency (NSA), of all groups, has been checking into Fuchsia and revealed its findings at the recent North American Linux Security Summit in Vancouver, B.C.

  • Course Review: Adversarial Attacks and Hunt Teaming

    At DerbyCon 8, I had the opportunity to take the “Adversarial Attacks and Hunt Teaming” presented by Ben Ten and Larry Spohn from TrustedSec. I went into the course hoping to get a refresher on the latest techniques for Windows domains (I do mostly Linux, IoT & Web Apps at work) as well as to get a better understanding of how hunt teaming is done. (As a Red Teamer, I feel understanding the work done by the blue team is critical to better success and reducing detection.)

Security: Chinese Crackers, Microsoft's Botched New Updates, Latest FOSS Updates

Filed under: Security

  • Hackers [sic] Are Using Stolen Apple IDs to Swipe Cash in China

    Ant Financial’s Alipay and Tencent Holdings Ltd. warned that cyber-attackers employed stolen Apple IDs to break into customers’ accounts and made off with an unknown amount of cash, in a rare security breach for China’s top digital payments providers.

  • Hackers [sic] loot digital wallets using stolen Apple IDs

    Two Chinese companies are warning customers that [crackers] used stolen Apple IDs to get into their digital payment accounts and steal money.

  • Microsoft October 2018 Patch Slightly Flawed and Unable To fully Rectify Jet Database Engine Vulnerability

    On the 20th of September, Trend Micro’s Zero Day Initiative (ZDI) went public with the information of a remote code execution vulnerability that would allow attackers to use the flawed Jet Database Engine to run macros through Microsoft Office programs and cause malicious activities in the target’s computer. We covered this previously, you can read it here.

    Regarding this issue, ZDI released a micro-patch on the 21st September which fixed the vulnerability and urged Microsoft to correct this in the following patch. ZDI then did a review of the October 2018 update by Microsoft and found out that the security flaw, while addressed, has only limited the vulnerability rather than eliminating it.

  • Security updates for Friday

Security: National Security at Stake, Too

Filed under: Security

  • Supermicro boards were so bug ridden, why would hackers ever need implants?
  • New U.S. Weapons Systems Are a Hackers’ [sic] Bonanza, Investigators Find

    The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hackingi [sic].

  • Cool Cool Cool Oversight Office Says It's Incredibly Easy To Hack The Defense Dept.'s Weapons Systems

    The GAO points out the DOD has spent more time locking down its accounting systems than its weapons systems, even as the latter has increasingly relied on computer hardware and software to operate. The systems used by the DOD are a melange of commercial and open-source software, which relies on vendors to provide regular updates and patch vulnerabilities. (Unfortunately for the DOD, some vulnerabilities may not have been disclosed to software/hardware vendors by other government agencies like the NSA.) But the DOD gives itself a 21-day window to apply patches and some remote weapons systems may go months without patching because they often need to return from deployment to be patched properly.

    The end result is a network of defense systems riddled with security holes. The GAO says it doesn't take much to commandeer weapons of mass destruction.

Security: Updates, US Weapons Systems, and Voting Risks

Filed under: Security

  • Security updates for Thursday
  • US Weapons Systems Are Easy Cyberattack Targets, New Report Finds

    Specifically, the report concludes that almost all weapons that the DOD tested between 2012 and 2017 have “mission critical” cyber vulnerabilities. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

  • Election security groups warn of cyber vulnerabilities for emailed ballots

    Experts from both the private and public sector have warned about the vulnerabilities of online voting for years, but the report comes at a time of heightened alarm about election interference from hostile nation-states or cyber criminals.

Security: WhatsApp, Flatpak and DNS

Filed under: Security

  • Hackers Can Take Control Of Your WhatsApp Just With A Video Call: Update Now

    Natalie Silvanovich, a Google Project Zero security researcher, has uncovered a critical security flaw in WhatsApp. The flaw could allow a notorious actor to make a video call and take complete control of your messaging application.

  • Just Answering A Video Call Could Compromise Your WhatsApp Account
  • New Website Claims Flatpak is a “Security Nightmare”

    A newly launched website is warning users about Flatpak, branding the tech a “security nightmare”.

    The ‘Flatkills.org’ web page takes aim at a number of security claims routinely associated with the fledgling Flatpak app packaging and distribution format.

  • DNS Security Still an Issue

    DNS security is a decades-old issue that shows no signs of being fully resolved. Here's a quick overview of some of the problems with proposed solutions and the best way to move forward.

    ...After many years of availability, DNSSEC has yet to attain significant adoption, even though any security expert you might ask recognizes its value. As with any public key infrastructure, DNSSEC is complicated. You must follow a lot of rules carefully, although some network services providers are trying to make things easier.

    But DNSSEC does not encrypt the communications between the DNS client and server. Using the information in your DNS requests, an attacker between you and your DNS server could determine which sites you are attempting to communicate with just by reading packets on the network.

    So despite best efforts of various Internet groups, DNS remains insecure. Too many roadblocks exist that prevent the Internet-wide adoption of a DNS security solution. But it is time to revisit the concerns.


More in Tux Machines

Ubuntu: Eurotech, LogMeIn Snap and Ubuntu Weekly Newsletter Issue 549

  • Canonical collaborates with Eurotech on edge computing solutions
    Coinciding with IoT World Solutions Congress in Barcelona this week, Canonical is pleased to announce a dual-pronged technological partnership with Eurotech to help organisations advance their internet of things enablement. Eurotech is a long time leader in embedded computing hardware as well as providing software solutions to aid enterprises to deliver their IoT projects either end to end or by providing intervening building blocks. As part of the partnership, Canonical has published a Snap for the Eclipse Kura project – the popular, open-source Java-based IoT edge framework. Having Kura available as a Snap – the universal Linux application packaging format – will enable a wider availability of Linux users across multiple distributions to take advantage of the framework and ensure it is supported on more hardware. Snap support will also extend on Eurotech’s commercially supported version; the Everywhere Software Framework (ESF). By installing Kura as a Snap on a device, users will benefit with automatic updates to ensure they are always working from the latest version while with the reassurance of a secure, confined environment.
  • Self-containing dependencies LogMeIn to publish their first Snap
  • Ubuntu Weekly Newsletter Issue 549
    Welcome to the Ubuntu Weekly Newsletter, Issue 549 for the week of October 7 – 13, 2018.

today's howtos

Fedora: Flock, Flatpaks, Fedora/RISC-V and More

  • CommOps takeaways from Flock 2018
    The annual Fedora contributor conference, Flock, took place from August 8-11, 2018. Several members of the Community Operations (CommOps) team were present for the conference. We also held a half-day team sprint for team members and interested people to participate and share feedback with the team.
  • Flatpaks, sandboxes and security
    Last week the Flatpak community woke to the “news” that we are making the world a less secure place and we need to rethink what we’re doing. Personally, I’m not sure this is a fair assessment of the situation. The “tl;dr” summary is: Flatpak confers many benefits besides the sandboxing, and even looking just at the sandboxing, improving app security is a huge problem space and so is a work in progress across multiple upstream projects. Much of what has been achieved so far already delivers incremental improvements in security, and we’re making solid progress on the wider app distribution and portability problem space. Sandboxing, like security in general, isn’t a binary thing – you can’t just say because you have a sandbox, you have 100% security. Like having two locks on your front door, two front doors, or locks on your windows too, sensible security is about defense in depth. Each barrier that you implement precludes some invalid or possibly malicious behaviour. You hope that in total, all of these barriers would prevent anything bad, but you can never really guarantee this – it’s about multiplying together probabilities to get a smaller number. A computer which is switched off, in a locked faraday cage, with no connectivity, is perfectly secure – but it’s also perfectly useless because you cannot actually use it. Sandboxing is very much the same – whilst you could easily take systemd-nspawn, Docker or any other container technology of choice and 100% lock down a desktop app, you wouldn’t be able to interact with it at all.
  • Fedora/RISC-V now mirrored as a Fedora “alternative” architecture
  • PSA: System update fails when trying to remove rtkit-0.11-19.fc29

GNU Guile and FSF Forum

  • GNU Guile 2.9.1 beta released JIT native code generation to speed up all Guile programs
    GNU released Guile 2.9.1 beta of the extension language for the GNU project. It is the first pre-release leading up to the 3.0 release series. In comparison to the current stable series, 2.2.x, Guile 2.9.1 brings support for just-in-time native code generation to speed up all Guile programs.
  • [FSF] Introducing our new associate member forum!
    I'm excited to share that we've launched a new forum for our associate members. We hope that you find this forum to be a great place to share your experiences and perspectives surrounding free software and to forge new bonds with the free software community. If you're a member of the FSF, head on over to https://forum.members.fsf.org to get started. You'll be able to log in using the Central Authentication Service (CAS) account that you used to create your membership. (Until we get WebLabels working for the site, you'll have to whitelist its JavaScript in order to log in and use it, but rest assured that all of the JavaScript is free software, and a link to all source code can be found in the footer of the site.) Participation in this forum is just one of many benefits of being an FSF member – if you're not a member yet, we encourage you to join today, for as little as $10 per month, or $5 per month for students. The purpose of this member forum is to provide a space where members can meet, communicate, and collaborate with each other about free software, using free software. While there are other places on the Internet to talk about free software, this forum is unique in that it is focused on the common interests of FSF members, who care very much about using, promoting, and creating free software. The forum software we chose to use is Discourse.