Security

Security Leftovers

Filed under
Security

10 Best Linux Password Managers

Filed under
GNU
Linux
Security

Password managers are applications created to enable users to keep their passwords in a single place and absolve themselves of the need to remember every single one of their passwords.

They, in turn, encourage clients to use passwords that are as complex as possible and remember a single master password. Modern password managers even go an extra mile to keep other information such as card details, files, receipts, etc. safely locked away from prying eyes.

You might be wondering which password manager app will work best on your Linux machine and I am here to answer your question with my list of the 10 best Linux password managers.


Security: DNS, Windows, Kaspersky and Lethal USB

Filed under
Security
  • The wave of domain hijackings besetting the Internet is worse than we thought

    The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the hijacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.

  • New Windows Zero-Day Vulnerability Grants Hackers Full Control Over PCs [Ed: The NSA already had these permissions. Now everyone has these.]

    According to the latest Kaspersky Lab Report, a Windows Zero-Day vulnerability is serving as a backdoor for hackers to take control of users’ PCs.

    The latest exploit utilizes a use-after-free attack and has a technical name CVE-2019-0895. The exploit is found in win32k.sys and grants hackers Local Privilege meaning they’re able to access resources usually outside of users’ capabilities.

  • New zero-day vulnerability CVE-2019-0859 in win32k.sys
  • AP Exclusive: Mysterious operative haunted Kaspersky critics

    He also asked Giles to repeat himself or speak louder so persistently that Giles said he began wondering “whether I should be speaking into his tie or his briefcase or wherever the microphone was.”

    “He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky,” said Giles, a Russia specialist with London’s Chatham House thinktank who often has urged caution about Kaspersky’s alleged Kremlin connections. “The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors.”

  • Feds: Saint Rose grad used 'killer' device to fry computers

    In 2016, College of Saint Rose graduate assistant Vishwanath Akuthota said he believed there was a "lot of opportunity" for him at the school.

    On Monday, federal prosecutors said he took advantage of a different kind of opportunity — access to campus — when he destroyed dozens of computers at a cost of more than $50,000.

  • Student Uses “USB Killer” To Fry $58,000 Worth of Computers

OpenSSH 8.0 released

Filed under
Security
BSD

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request,

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.


Security: Updates, Oracle, Cisco, Buzzwords and Wi-Fi 'Hacking'

Filed under
Security

Gentoo News: Nitrokey partners with Gentoo Foundation to equip developers with USB keys

Filed under
Gentoo
Security

The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.

Thanks to the Gentoo Foundation and Nitrokey’s discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.

A Nitrokey Pro 2 Guide is available on the Gentoo Wiki with FAQ & instructions for integrating Nitrokeys into developer workflow.


The Ecuadorean Authorities Have No Reason to Detain Free Software Developer Ola Bini

Filed under
Development
OSS
Security

Hours after the ejection of Julian Assange from the London Ecuadorean embassy last week, police officers in Ecuador detained the Swedish citizen and open source developer Ola Bini. They seized him as he prepared to travel from his home in Quito to Japan, claiming that he was attempting to flee the country in the wake of Assange’s arrest. Bini had, in fact, booked the vacation long ago, and had publicly mentioned it on his twitter account before Assange was arrested.

Ola’s detention was full of irregularities, as documented by his lawyers. His warrant was for a “Russian hacker” (Bini is neither); he was not read his rights, allowed to contact his lawyer nor offered a translator.

The charges against him, when they were finally made public, are tenuous. Ecuador’s general prosecutor has stated that Bini was accused of “alleged participation in the crime of assault on the integrity of computer systems” and attempts to destabilize the country. The “evidence” seized from Ola’s home that Ecuadorean police showed journalists to demonstrate his guilt was nothing more than a pile of USB drives, hard drives, two-factor authentication keys, and technical manuals: all familiar property for anyone working in his field.

Ola is a free software developer, who worked to improve the security and privacy of the Internet for all its users. He has worked on several key open source projects, including JRuby, several Ruby libraries, as well as multiple implementations of the secure and open communication protocol OTR. Ola’s team at ThoughtWorks contributed to Certbot, the EFF-managed tool that has provided strong encryption for millions of websites around the world.

Like many people working on the many distributed projects defending the Internet, Ola has no need to work from a particular location. He traveled the world, but chose to settle in Ecuador because of his love of that country and of South America in general. At the time of his arrest, he was putting down roots in his new home, including co-founding Centro de Autonomia Digital, a non-profit devoted to creating user-friendly security tools, based out of Ecuador’s capital, Quito.


Security: Updates, Spectre/Meltdown and Why Not to Install Software Packages From the Internet

Filed under
Security
  • Security updates for Tuesday
  • Revised Patches Out For New Kernel "mitigations=" Option For Toggling Spectre/Meltdown [Ed: Profoundly defective chips aren't being recalled/replaced (or even properly fixed). All the cost is being passed to the victim, the client, who should instead be compensated. Corporate greed has no bounds. They also hide NSA back doors in these chips. Imperial.]

    The effort to provide a more convenient / easy to remember kernel option for toggling Spectre/Meltdown mitigations is out with a second revision and they have also shortened the option to remember.

    See the aforelinked article if the topic is new to you, but this is about an arguably long overdue ability to easily control the Spectre/Meltdown behavior -- or configurable CPU mitigations in general to security vulnerabilities -- via a single kernel flag/switch. For the past year and a half of Spectre/Meltdown/L1TF mitigations there have been various different flags to tweak the behavior of these mitigations but not offering a single, easy-to-remember switch if say wanting to disable them in the name of restoring/better performance.

  • Why Not Install Software Packages From The Internet

    Someone from the Internet has told you not to execute random scripts you find on the Internet and now you're reading why we shouldn't install software packages from the Internet. Or more specifically, the aim of this article is why it's wise to stick to distribution maintained packages and not those latest software packages we find out there on the Internet even if it's distributed by the official brand's page.
    However, it's okay to download software packages that are not available on the distribution repository but not vice versa. Read on below to learn more about why.

Debian Web Team, Debian Long Term Support, and Security Leftovers

Filed under
Security
Debian
  • Debian Web Team Sprint 2019

    The Debian Web team held a sprint for the first time, in Madrid (Spain) from March 15th to March 17th, 2019.

    We discussed the status of the Debian website in general, reviewed several important pages/sections and agreed on many things about how to improve them.

  • Freexian’s report about Debian Long Term Support, March 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Raphaël Hertzog: Freexian’s report about Debian Long Term Support, March 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Your Favorite Ad Blocker Can Be Exploited To Infect PCs With Malicious Code

    In July 2018, the popular Adblock Plus software released its version 3.2 that brought a new feature called $rewrite. This feature allowed one to change the filter rules and decide which content got blocked and which didn’t. It was said that often there are content elements that are difficult to block. This feature was soon implemented by AdBlock as well as uBlock.

    In a troubling development, it has been revealed that this filter option can be exploited by notorious actors to inject arbitrary code into the web pages. With more than 100 million users of these ad blocking tools, this exploit has great potential to harm the web users.

  • Adblock Plus filter lists may execute arbitrary code in web pages

    A new version of Adblock Plus was released on July 17, 2018. Version 3.2 introduced a new filter option for rewriting requests. A day later AdBlock followed suit and released support for the new filter option. uBlock, being owned by AdBlock, also implemented the feature.

    Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.

    The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.

  • Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.

    The disputes are playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court, and Merck filed a similar suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. The two cases could take years to resolve.

    The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.

Security: DARPA, Updates, Microsoft Windows Incidents and Outlook Fiasco

Filed under
Security
  • DARPA Making An Anonymous And Hack-Proof Mobile Communication System

    The United States’ Defense Advanced Research Projects Agency, or DARPA, develops technologies that are deployed by the US army and sometimes the agency makes the technologies available for civilians as well. DARPA is behind many breakthrough technologies, including the internet itself, GPS, Unix, and Tor.

    Now, DARPA is currently working on an anonymous, end-to-end mobile communication system that would be attack-resilient and reside entirely within a contested network environment.

  • Security updates for Monday
  • Passwords and Policies | Roadmap to Securing Your Infrastructure
  • Adblock Plus filter lists may execute arbitrary code
  • FBI now investigating "RobinHood" ransomware attack on Greenville computers [Ed: Microsoft Windows TCO]
  • RobinHood Ransomware Is “Honest” And Promises To “Respect Your Privacy”

    The world of cybersecurity is full of surprises. From using Game of Thrones torrents to exploiting popular porn websites — notorious cybercriminals keep coming up with new ways to cause you harm.

    In a related development, a ransomware called RobinHood is spreading havoc in North Carolina, where the ransomware has crippled most city-owned PCs. The FBI is currently investigating the issue along with local authorities.

  • Purism at SCaLE 2019 – Retrospective on Secure PureBoot

    Once again, we were so busy we barely had the time to leave our booth: people were very interested in the Librem 5 devkit hardware, in the latest version of the Librem laptops and PureOS, on having the same apps for the Librem laptops and the Librem 5 phone… so we got to do the full pitch. On a less technical note, our swag was quite a success. People told us they loved our paper notebook and carpenter pencil, and asked questions about the pencils – which, according to Kyle Rankin, Chief Security Officer of Purism, have a section that is “kind of shaped like our logo”, and being carpenter pencils “are designed so you can sharpen them without having to use a proprietary pencil sharpener.” Visitors (and team) loved them for being beautiful, unusual and useful.

  • Hackers could read non-corporate Outlook.com, Hotmail for six months

    Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1 and March 28 of this year. Microsoft confirmed this to TechCrunch on Saturday.

    The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers affected by the hack had suffered unauthorized access to their emails and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

    Not in dispute is the broad character of the attack. Both hackers and Microsoft's breach notifications say that access to customer accounts came through compromise of a support agent's credentials. With these credentials, the hackers could use Microsoft's internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

  • Three encryption tools for the cloud

    Safeguard your cloud storage with some preemptive file encryption. Here are three open source tools that get the job done in Linux.

    From a security perspective, cloud storage ought never to have happened. The trouble is, it relies on the ability of users to trust the provider, yet often the only assurance available is the provider’s word. However, the convenience of cloud storage is too great for many companies and individuals to avoid it. Fortunately, security can be regained by users storing only encrypted files.

    Numerous tools exist for encrypting in the cloud. Some are proprietary. However, these solutions also require trust -- they only shift the trust requirement to a third party, and basic security requires the user to verify security for themselves.
