Security

How to enable SSH access using a GPG key for authentication

Filed under
Linux
Security
HowTos

Many of us are familiar with Secure Shell (SSH), which allows us to connect to other systems using a key instead of a password. This guide will explain how to eliminate SSH keys and use a GNU Privacy Guard (GPG) subkey instead.

Using GPG does not make your SSH connections more secure. SSH is a secure protocol, and SSH keys are secure. Instead, it makes certain forms of key distribution and backup management easier. It also will not change your workflow for using SSH. All commands will continue to work as you expect, except that you will no longer have SSH private keys and you will unlock your GPG key instead.

Security Leftovers

Filed under
Security
  • How secure are your containerized apps? [Ed: Why does SJVN promote the Microsoft-connected anti-FOSS firm Snyk?]
  • IPFire 2.23 - Core Update 131 is available for testing

    Finally, the next major version of IPFire is ready for testing. We consider our new Intrusion Prevention System such an important change that we are calling it "IPFire 2.23" from now on. This update also contains a number of other bug fixes and enhancements.

  • How hacking threats spurred secret U.S. blacklist

    U.S. energy regulators are pursuing a risky plan to share with electric utilities a secret "don't buy" list of foreign technology suppliers, according to multiple sources.

    The move reflects the federal government's growing concern that hackers and foreign spies are targeting America's vital energy infrastructure. And it's also raised new questions about the value of top-secret U.S. intelligence if it can't get into the hands of power industry executives who can act on it to avoid high-risk vendors.

    Joseph McClelland, director of the Federal Energy Regulatory Commission's Office of Energy Infrastructure Security, told a Department of Energy advisory committee last month that officials are working on "an open-source procurement list" for utilities to use when deciding where to source their software and equipment.

Security: Updates, One Year With Spectre, Purism Librem Key and Lanner’s 'Security Appliances' With Back-Doored Chips

Filed under
Security
  • Security updates for Tuesday
  • A year with Spectre: a V8 perspective

    On January 3, 2018, Google Project Zero and others disclosed the first three of a new class of vulnerabilities that affect CPUs that perform speculative execution, dubbed Spectre and Meltdown. Using the speculative execution mechanisms of CPUs, an attacker could temporarily bypass both implicit and explicit safety checks in code that prevent programs from reading unauthorized data in memory. While processor speculation was designed to be a microarchitectural detail, invisible at the architectural level, carefully crafted programs could read unauthorized information in speculation and disclose it through side channels such as the execution time of a program fragment.

    When it was shown that JavaScript could be used to mount Spectre attacks, the V8 team became involved in tackling the problem. We formed an emergency response team and worked closely with other teams at Google, our partners at other browser vendors, and our hardware partners. In concert with them, we proactively engaged in both offensive research (constructing proof-of-concept gadgets) and defensive research (mitigations for potential attacks).

  • The Purism Librem Key

    The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. It also has some features that make it a good general-purpose OpenPGP smart card. This article looks at how the Librem Key stacks up against other multi-factor tokens like the YubiKey 5 and also considers what makes the Librem Key a unique trusted-computing tool.

    Purism is a new player in the security key and multi-factor authentication markets. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication.

    In addition, like the YubiKey 5 series, the Librem Key also provides OpenPGP support with cryptographic functions that take place securely on-key. This allows users to generate and use GnuPG public and private keys without exposing any secret key material to the host computer where the USB device is attached.

    The Librem Key is based on the German-manufactured Nitrokey Pro 2, but it has been modified to focus on "trusted boot" when used with Purism's Linux laptops. (I take a closer look at what the trusted boot process is and how the Librem Key fits into that process, later in this article.)

  • Atom-based network security appliances focus on industrial control

    Lanner’s Apollo Lake based “LEC-6041” and Bay Trail “LEC-6032” are Linux-supported network security appliances for industrial control monitoring with up to 7x GbE ports, including SFP ports, plus magnetic isolation and extended temp support.

Security: Curl, Two Factor Authentication (2FA) and Hacking With Kali Linux

Filed under
Security
  • Daniel Stenberg: curl + hackerone = TRUE

    There seems to be no end to updated posts about bug bounties in the curl project these days. Not long ago I mentioned the then new program that sadly enough was cancelled only a few months after its birth.

    Now we are back with a new and refreshed bug bounty program! The curl bug bounty program reborn.

  • Liz Fong-Jones on how to secure SSH with Two Factor Authentication (2FA)

    Liz mentions that by adding passphrase encryption, the private keys become resistant to theft when at rest. However, when they are in use, the usability challenges of re-entering the passphrase on every connection means that “engineers began caching keys unencrypted in memory of their workstations, and worse yet, forwarding the agent to allow remote hosts to use the cached keys without further confirmation”.

    The Matrix breach, which took place on April 11, showcases an example of what happens when authenticated sessions are allowed to propagate without a middle-man. The intruder in the Matrix breach had access to the production databases, potentially giving them access to unencrypted message data, password hashes, and access tokens.

  • Hacking With Kali Linux

    Before I talk about the series that I am going to start, let us briefly talk about who should follow this series.

    I know there are so many people out there who are very curious to learn hacking just to hack their partner's social media account. Well, if you are such a person, please listen to me. Hacking is not about getting into somebody's personal life and stealing their information. It is illegal.

    Somebody well said - “We need to have a talk on the subject of what's yours and what's mine.”

    So you should not hack information that is not yours.

    But if you are a tech enthusiast who wants to make a career as a penetration tester or white hat hacker, this series can really be a good way to start. So for such enthusiasts, I am creating a page where you can follow the series. You can also follow our social media pages so you get a notification when a new informative article comes out.

Security: 'Phone' Gimmicks, GNU/Linux Tools and More

Filed under
Security
  • Guess Who Fooled The Nokia9 PureView – A Pack Of Chewing Gum!

    We are all aware that smartphone security options such as fingerprint scanners and facial recognition aren’t 100% secure. This has been proved further with the case of the Nokia 9 PureView, which appears to have been unlocked by a pack of chewing gum.

    As per a couple of tweets, the Nokia 9 PureView is reportedly getting unlocked via unidentified fingerprints of another user and a pack of chewing gum.

  • Linux Distributions Should Enhance how Sudo Asks for Passwords

    One thing to be noticed from the picture above is that the password is hidden. When users write anything at that time, nothing will be displayed on the screen, not even asterisks. They’ll have to trust that there’s something written in the terminal and just write their passwords and hit Enter.

    Historically, this is done for both ease of implementation and security reasons. It makes it difficult for people standing near your shoulder to know your password length. If they don’t know your password length, it would be harder for them to guess it. They can, of course, listen to the keystrokes you are hitting and try to guess how many characters you hit, but that’s more difficult than just looking at the screen and counting the number of asterisks there.

    Also, when they see that your password is too long, they might not even try to use your computer and guess your password. But if your password is less than a few characters, it will give them hope.

    Additionally, in terms of implementation, displaying an asterisk instead of the password character requires more code and work to do. In the terminal, when you write normal commands and you see them in the terminal, it’s because the “echo mode” is set to On, meaning that all characters will be displayed on your screen. In sensitive commands, however, such as sudo or passwd, “echo mode” is set to Off, which simply doesn’t take the extra step of printing those characters to the screen. So that’s less work and code to do, and it went on like that since the Unix days to simply hide the password characters.

  • Top 10 Best Linux Password Managers In 2019

    If you are a Linux user and struggling to get a proper password manager, then this post is for you. In this post, we have listed the best (at least for us) Linux password managers for you.

  • Your Netflix Bandersnatch Choices Can Be Tracked By Hackers

    Netflix took the video streaming industry by storm when it debuted Black Mirror: Bandersnatch last year. The “choose your own adventure” themed movie puts viewers in charge of the story and flow of the movie. The success of Bandersnatch even led to the creation of a second interactive show ‘You vs. Wild’ featuring Bear Grylls.

  • Proactively Identifying Compromised Passwords | Roadmap to Securing Your Infrastructure

Using Ksplice To Detect Exploit Attempts

Filed under
Linux
Security
HowTos

Ksplice is a very cool technology. Ksplice allows you to patch important security updates to your system without a reboot. The in-memory code is patched as well as on-disk components, closing all the gaps for a security vulnerability. All the while, your applications keep running.

A new feature of Ksplice is Known Exploit Detection. When you patch your system with Ksplice, not only is the security vulnerability closed, but also tripwires are laid down for privilege escalation vulnerabilities. If an attacker attempts to exploit a CVE you’ve patched, Ksplice notifies you.

Ksplice is both protecting your system and alerting you to suspicious activity. Very cool.

Also: Oracle's Ksplice Live Kernel Patching Picks Up Known Exploit Detection

Security: Windows, Marcus Hutchins, Phishing, OpenVPN, DARPA, DINSIC

Filed under
Security
  • The latest Windows patch is breaking even more PCs with antivirus installed

    Earlier this week we reported that Microsoft halted updates to Windows PCs running Sophos and Avast’s security solutions, following user complaints that their machines were locking up or failing to boot. Since then, the list of known issues for the rogue update was itself updated to acknowledge compatibility issues with Avira and ArcaBit antivirus installed, with Microsoft temporarily blocking updates to those affected systems, too. Today, Ars Technica noticed that Microsoft is investigating compatibility issues for systems with McAfee antivirus installed, though it hasn’t started blocking the April 9 update from those PCs just yet.

  • ‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware [iophk: "It looks like they squeezed malware tech with a “plea bargain”. So I would take reports of a guilty plea with a large grain of salt. They probably threatened him with 1000s of years in prison as an alternative. The plea “deal” is not mentioned in the summary, thus misleading the public about the situation."]

    Marcus Hutchins, a security researcher known for helping stop the destructive WannaCry ransomware, pleaded guilty to hacking crimes on Friday.

    Hutchins was accused of writing a banking malware called Kronos in 2014, after he finished high school. The researcher was arrested in Las Vegas after attending the hacker conference Def Con in 2017. Days later, he pleaded not guilty in a Milwaukee courtroom. He was scheduled to be tried this summer.

  • Google will begin to block sign-ins from embedded browser frameworks in June

    Phishing — schemes to nab personal data with disguised malicious webpages and emails — constituted more than 70% of all cyber attacks in 2016, according to a Verizon report. In an effort to combat them, Google last year announced it would require users to enable JavaScript during Google Account sign-in so that it could run attack-detecting risk assessments, and today, the company said it’ll begin to block all sign-ins from embedded browser frameworks like Chromium Embedded Framework starting in June.

  • A deeper look into OpenVPN: Security vulnerabilities

    OpenVPN is the backbone of online security. It is supported in many popular virtual private network (VPN) providers such as NordVPN and ExpressVPN, and continues to receive frequent updates well into its 17th year in operation.

    It’s an unwritten rule of information technology, however, that popular security protocols will attract the largest contingent of hackers. As OpenVPN is open source, it is therefore much easier for hackers to locate and exploit security vulnerabilities within the software design.

    Nevertheless, the value of the open-source model is that it promotes open collaboration, thus encouraging other programmers to suggest changes to the design. This way, security vulnerabilities can be communicated directly to the developers, who then have the option to patch the software and eliminate the vulnerability.

  • DARPA’s New/Old Plan for a Hack-Proof Voting Machine

    The Pentagon’s top research arm is working to build a hack-proof voting machine by combining something brand new with something old – specifically, secure open-source hardware and software using advanced cryptography on one end, and good old paper on the other.

    The Defense Advanced Research Projects Agency (DARPA) recently awarded the tech company Galois a $10 million contract for the project, which grew out of a broader agency project to remedy hardware vulnerabilities, the snappily named SSITH, for System Security Integrated Through Hardware and Firmware.

    Galois, which focuses on ensuring the trustworthiness of hardware and software, will design the system, which will start with a different approach used by established voting machine makers, who have come under criticism over the vulnerabilities in their systems, Motherboard reported. For one, it will use open-source software, rather than the proprietary systems used by companies such as Election Systems & Software. It also will use open-source hardware, built from designs developed under the SSITH program.

  • New Attacks (and Old Attacks Made New)

    This is shown again in Fortinet's latest Global Threat Landscape Report for the fourth quarter of 2018, where we reported that exploits that targeted individual organizations — often variations of existing malware or the misuse of FOSS (free/open source software) security tools — continue to grow at a rapid pace: 10% over the quarter, while the number of unique exploits they experienced increased by 5%. This suggests that, despite some reports suggesting that malicious actors follow the same work routines as their victims, cybercriminals didn't take much of a break over the holidays. And as you would expect, all of this malware — especially botnets — is becoming more complex and harder to detect.

  • Security flaw in French government messaging app exposed confidential conversations

    Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open-source project called Riot, which is based on an open-source protocol called Matrix.

    In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol that is widely used by consumer apps, such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversations — Messenger and Allo conversations aren’t end-to-end encrypted by default.

  • French Government's 'Secure' WhatsApp Replacement Hacked In Just 90 Minutes

    In order to better protect official conversations, the French government developed its own secure instant messaging alternative to WhatsApp.

Security: Iran, Google, GrammaTech, FireEye and Latest FUD From WhiteSource

Filed under
Security
  • Someone is Leaking an Iranian Hacking Group's Arsenal

    For the last few weeks, someone has been publishing the source code of the hacking tools used by a high-level attack team that’s been linked to the Iranian government. The tools belong to a group known variously as APT34 and OilRig, and whoever is dumping them appears to have some interest in not just exposing the tools but also the group’s operations.

    The leaks began in late March on a Telegram channel and have continued through this week. Researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, have examined the leaked tools and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset also has been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

  • Google will examine new Android developer accounts more closely

    For the better part of two years, Google has made a concerted effort to improve control over data in Android apps, chiefly by introducing system-level changes in Android, refining its Google Play developer policies, requiring developers to disclose the collection and use of sensitive data, and restricting access to certain permissions (like those involving SMS and call logs). But it hasn’t always been fully transparent about these changes, and toward that end, the Mountain View company today announced that it’s “clarifying” several of its rules and reviewing the way it handles noncompliant apps.

  • GrammaTech Releasing Binary Analysis and Rewriting Interface into Open Source
  • Adobe Flash security tool Flashmingo debuts in open source community [Ed: Just kill Adobe Trash. The sooner, the better. This one helps openwashing of that malicious proprietary software blob, courtesy of CBS.]
  • Open Source Tool From FireEye Automates Analysis of Flash Files

    Security company FireEye this week announced the release of an open source tool designed to automate the analysis of Adobe Flash files in order to identify malware and prevent infections.

  • Counting Vulnerabilities In Open Source Projects and Programming Languages [Ed: Microsoft partner and anti-FOSS front group WhiteSource is once again using FUD in order to promote its brand and its non-FOSS 'services'; they advertise by bashing FOSS. Microsoft proud.]

Security Leftovers

Filed under
Security
  • Riccardo Padovani: Responsible disclosure: improper access control in Gitlab private project.

    As I said back in September with regard to a responsible disclosure about Facebook, data access control isn’t easy. While it can sound quite simple (just give access to the authorized entities), it is very difficult, both on a theoretical side (who is an authorized entity? What does authorized mean? And how do we identify an entity?) and on a practical side.

  • Integrating Password and Privilege Management for Unix and Linux Systems [Ed: More spammy pages under the guise of "whitepaper"]

    Unix and Linux build the foundation for most business-critical systems. Thus, they present target-rich environments for cyber-attackers. Privileged Access Management (PAM) helps to mitigate such risks. To succeed, security teams must follow an integrated approach, covering both privilege elevation and centralized management of shared account credentials.

  • How Not to Acknowledge a Data Breach

    My guess is that what Wipro means by “zero-day” is a malicious email attachment that went undetected by all commercial antivirus tools before it infected Wipro employee systems with malware.

  • Facebook stored millions of Instagram passwords in plain text

    Facebook says it stored millions of Instagram users’ passwords in plain text, leaving them exposed to people with access to certain internal systems. The security lapse was first reported last month, but at the time, Facebook said it only happened to “tens of thousands of Instagram users,” whereas the number is now being revised up to “millions.” The issue also affected “hundreds of millions of Facebook Lite users” and “tens of millions of other Facebook users.”

  • Update: Facebook passwords for hundreds of millions of users were exposed to Facebook employees

    Facebook confirmed March 21 that hundreds of millions of user passwords were being stored in a “readable format” within its servers, accessible to internal Facebook employees—including millions more Instagram users than previously thought. Affected users will be notified, Facebook said, so they can change those passwords.

  • Facebook 'unintentionally' uploaded 1.5 million people's email contacts without asking

    This is how it unfolded: a security researcher spotted that Facebook was asking some users to put in their email passwords when they signed up with a new account to verify their identity. Business Insider then experimented with what would happen if you were brave/mad enough to do so and found that a message popped up saying it was "importing" its contacts without having the decency to check that was okay first.

    Apparently, 1.5 million people just accepted this as just one of those things, and the information was then used to build up Facebook's uncanny ability to predict when you know somebody.

  • In new gaffe, Facebook improperly collects email contacts for 1.5 million

    Facebook's privacy gaffes keep coming. On Wednesday, the social media company said it collected the stored email address lists of as many as 1.5 million users without permission. On Thursday, the company said the number of Instagram users affected by a previously reported password storage error was in the "millions," not the "tens of thousands" as previously estimated.

  • Facebook says it 'unintentionally uploaded' 1.5 million people's email contacts without their consent

    Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was "unintentionally uploaded to Facebook," and it is now deleting them.

  • With Nation Distracted by Mueller Report, Facebook Admits Millions of Users' Passwords Affected by Latest Privacy Breach

    On Thursday, Facebook added to a blog post from March 21 to let users know that instead of storing tens of thousands of Instagram passwords, as it had reported last month, the number of users affected by the privacy breach was in the millions. Facebook is the parent company of Instagram.

    "Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format," wrote Pedro Canahuati, vice president of Engineering, Security and Privacy. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."

    The stored passwords were found in January during a routine security check, according to Facebook. In March, when the breach was first announced, the company said the passwords were never visible to anyone outside of Facebook.
