
Security

Kali Linux 2019.1 Release

Filed under
GNU
Linux
Security

Welcome to our first release of 2019, Kali Linux 2019.1, which is available for immediate download. This release brings our kernel up to version 4.19.13, fixes numerous bugs, and includes many updated packages.


Top 20 Parrot OS Tools

Filed under
GNU
Linux
Security

Parrot Security OS is an open source lightweight distro based on Debian Testing, and it doesn’t have merely pentesting tools but contains everything that security researchers, security developers or privacy-aware people might need. Unlike Kali Linux, it also has anonymity, cryptography and development tools with a lot of cool features. Here we’ll review some famous tools of Parrot Security OS which make it a preferable distribution among others.


Security: runc, Switzerland and More

Filed under
Security
  • Open Source Security Podcast: Episode 134 - What's up with the container runc security flaw?

    Josh and Kurt talk about the new runc container security flaw. How does the flaw work, what can you do about it, what should you do about it, and what the future of container security may look like.

  • Switzerland launches e-voting bug bounty

    The Swiss government is inviting hackers to test its electronic voting (e-voting) system for vulnerabilities, in a move aimed at improving the security and integrity of the country’s electoral process.

    The initiative was unveiled last week by Swiss Post, Switzerland’s national postal service and the organization tasked with deploying and managing the country’s e-voting platform.

    Ahead of the system’s planned nationwide rollout, a public intrusion test will take place between February 25 and March 24. A range of cash prizes are on offer for successful pen testers.

  • A Conversation about ZipSlip, NodeJS Security, and BBS Hacking

    Earlier this year, the popular Bower package manager was found vulnerable to archive extraction, allowing attackers to write arbitrary files on a user's disk. As Nodejs Security WG member and Snyk developer advocate Liran Tal wrote, the attack vectors used by this exploit have been known since the early days of BBS.

    As security researcher skyn3t reported on January 1st 2019, an attacker could craft a malicious zip archive to exploit improper validation of symlinks to write arbitrary files outside of the zip extraction directory. According to Tal, the culprit for enabling path traversal in Bower's case is a small Nodejs package, decompress-zip, but it is far from being an isolated case. In fact, this kind of vulnerability has been found in several ecosystems, including JavaScript, Ruby, .NET, Go, and Java, and seems to affect thousands of projects, making it deserve the ZipSlip moniker. What is even more striking is that the basic attack vector used by ZipSlip has been known, and potentially exploited many times, since the very early days of Bulletin Board Systems (BBS).

  • Vet third-party apps to reduce supply chain threats [Ed: At least NPM caught this; with proprietary software the back doors are there permanently, hidden, and you cannot remove them]

    Case in point: there was last fall's update to the event-stream Node Package Manager (NPM), which included cryptocurrency-stealing code, and which wasn't revealed until almost two months after the software was released. There have also been prior security issues identified in NPM packages.

    Jarrod Overson blogged about investigating the event-stream NPM package. The event-stream developer changed ownership of the project and the cryptocurrency-stealing code was added by the new developer in a subsequent update. The original developer hadn't used the module in years and agreed to give a new developer control of the package.

    Once the malicious code was added, the developer updated the version information so applications that used the module would install the updated version. The package was installed as a dependency to other modules and was reportedly downloaded two million times per week. NPM packages will follow best practices to determine if updates to dependencies are available and auto-install the updated modules, making these types of attacks difficult to combat.
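The ZipSlip item above describes two ways an archive entry can escape the extraction directory: a `../` path component and a symlink entry whose target points above the root. The extractor below, an added example that is not code from the original page or from Bower or decompress-zip, shows the defensive check: every entry (and every symlink target) is resolved against the real filesystem and rejected unless it stays under the destination. The archive it inspects is constructed inline for the demonstration.

```python
import io
import os
import stat
import tempfile
import zipfile


def _resolves_inside(dest: str, candidate: str) -> bool:
    """True if candidate, resolved against the real filesystem, stays under dest.
    realpath follows symlinks that already exist on disk, so a link created by an
    earlier entry cannot be used to redirect a later entry outside dest."""
    dest_real = os.path.realpath(dest)
    cand_real = os.path.realpath(os.path.join(dest_real, candidate))
    return cand_real == dest_real or cand_real.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only entries that cannot escape dest; return the rejected entry names."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or not _resolves_inside(dest, name):
                rejected.append(name)          # classic "../" ZipSlip entry
                continue
            mode = (info.external_attr >> 16) & 0xFFFF   # Unix mode bits, if any
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode()           # link target is the entry body
                link_dir = os.path.dirname(name)
                if os.path.isabs(target) or not _resolves_inside(dest, os.path.join(link_dir, target)):
                    rejected.append(name)      # symlink pointing above the root
                    continue
                os.makedirs(os.path.join(dest, link_dir) if link_dir else dest, exist_ok=True)
                os.symlink(target, os.path.join(dest, name))
                continue
            zf.extract(info, dest)
    return rejected


def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign file, one dot-dot entry, one escaping symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../outside.txt", "escapes via dot-dot")
        link = zipfile.ZipInfo("escape_link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
        zf.writestr(link, "../../")
    return buf.getvalue()


def demo() -> tuple[list[str], bool, bool]:
    """Extract the sample into a fresh temp dir; report rejections and what landed on disk."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_demo_zip(), dest)
    benign_ok = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    link_made = os.path.lexists(os.path.join(dest, "escape_link"))
    return rejected, benign_ok, link_made
```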

Security: More Breaches, Phishing, Windows Problems and WireGuard

Filed under
Security

Security Leftovers

Filed under
Security

Security: Back Doors Running Amok, Container Runtime Flaw Patched, Cisco Ships Exploit Inside Products

Filed under
Security
  • Here We Go Again: 127 Million Accounts Stolen From 8 More Websites

    Several days ago, a hacker put 617 million accounts from 16 different websites for sale on the dark web. Now, the same hacker is offering 127 million more records from another eight websites.

  • Hacker who stole 620 million records strikes again, stealing 127 million more

    A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned.

    The hacker, who listed the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites — some that had already been disclosed, like more than 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn’t know or hadn’t disclosed yet — such as 500px and Coffee Meets Bagel.

    The Register, which first reported the story, said the data included names, email addresses and scrambled passwords, and in some cases other login and account data — though no financial data was included.

  • Vendors Issue Patches for Linux Container Runtime Flaw Enabling Host Attacks
  • How did the Dirty COW exploit get shipped in software?

    Exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what this vulnerability can do.

Security: Updates, Patches and Bugs

Filed under
Security

Security: Updates, Thread Safety and Crypto Policies in Red Hat Enterprise Linux 8

Filed under
Security
  • Security updates for Thursday
  • Hacks.Mozilla.Org: Fearless Security: Thread Safety

    While this allows programs to do more faster, it comes with a set of synchronization problems, namely deadlocks and data races. From a security standpoint, why do we care about thread safety? Memory safety bugs and thread safety bugs have the same core problem: invalid resource use. Concurrency attacks can lead to similar consequences as memory attacks, including privilege escalation, arbitrary code execution (ACE), and bypassing security checks.

    Concurrency bugs, like implementation bugs, are closely related to program correctness. While memory vulnerabilities are nearly always dangerous, implementation/logic bugs don’t always indicate a security concern, unless they occur in the part of the code that deals with ensuring security contracts are upheld (e.g. allowing a security check bypass). However, while security problems stemming from logic errors often occur near the error in sequential code, concurrency bugs often happen in different functions from their corresponding vulnerability, making them difficult to trace and resolve. Another complication is the overlap between mishandling memory and concurrency flaws, which we see in data races.

    Programming languages have evolved different concurrency strategies to help developers manage both the performance and security challenges of multi-threaded applications.

  • Consistent security by crypto policies in Red Hat Enterprise Linux 8

    Software development teams, whether open or closed source, are often composed of many groups that own individual components. Database applications typically come from a different team than the ones developing HTTP or SSH services, and so on. Each group chooses libraries, languages, utilities, and cryptographic providers for their solution. Having specialized teams contributing to an application may improve the final product, but it often makes it challenging to enforce a consistent cryptographic policy on a system.

Security: WSL With Back Doors, 9 Best Linux-Based Security Tools and Systemd Security Fix

Filed under
Security
  • Microsoft Developer: You Still Should Have Anti-Virus With Windows Subsystem For Linux [Ed: Microsoft is making GNU/Linux "great again" with NSA back doors]
  • 9 Best Linux-Based Security Tools

    Information security specialists and sysadmins need to be sure their networks are sealed against malicious attacks. This is why the practice of penetration testing is commonly employed, to sniff out security vulnerabilities before malicious hackers do. Home Linux users should also be wary about the security of their systems. There is a huge variety of tools for accomplishing this, but some stand out in the industry more than others.

    In this article, we are going to highlight 9 of the best Linux-based security tools, which every pentester should be familiar with. Note this is only a list of some of the most widely used tools - if you're interested in the latest security news, you can regularly read this website, which covers a lot of great infosec topics. Most of the tools on this list are also bundled with Kali Linux (specially designed for information security professionals, but not for home users or Linux newbies), but you can check out this literally massive list of all things related to hardware, security, programming, and other computer-related fields of interest to infosec people.

  • Systemd 241 Released With Security Fixes & Other Changes

    Lennart Poettering has just tagged the systemd 241 update that includes the "system down" security fixes and other improvements to this widely-used Linux init system.

Security: Macs Being Attacked by Windows Malware, Linux Attacked by Sensationalist Headlines

Filed under
Security

More in Tux Machines

Today in Techrights

Q4OS Linux Revives Your Old Laptop and Gives it Windows Looks

Q4OS is a lightweight Linux distribution based on Debian. It imitates the look and feel of Windows. Read the complete review to know more about Q4OS Linux.

Android Leftovers

today's leftovers

  • Clear Linux Has A Goal To Get 3x More Upstream Components In Their Distro
    For those concerned that running Clear Linux means less available packages/bundles than the likes of Debian, Arch Linux, and Fedora with their immense collection of packaged software, Clear has a goal this year of increasing their upstream components available on the distribution by three times. Intel Fellow Arjan van de Ven provided an update on their bundling state/changes for the distribution. In this update he shared that the Clear Linux team at Intel established a goal this year to have "three times more upstream components in the distro. That's a steep growth, and we want to do that with some basic direction and without reducing quality/etc. We have some folks figuring out what things are the most desired that we lack, so we can add those with most priority... but this is where again we more than welcome feedback."
  • The results from our past three Linux distro polls
    You might think this annual poll would be fairly similar from year to year, from what distros we list to how people answer, but the results are wildly different from year to year. (At the time of the creation of each poll, we pull the top 15 distributions according to DistroWatch over the past 12 months.) Last year, the total votes tallied in at 15,574! And the winner was PCLinuxOS with Ubuntu a close second. Another interesting point is that in 2018, there were 950 votes for "other" and 122 comments compared to this year with only 367 votes for "other" and 69 comments.
  • Fedora Strategy FAQ Part 3: What does this mean for Fedora releases?
    Fedora operating system releases are (largely) time-based activity where a new base operating system (kernel, libraries, compilers) is built and tested against our Editions for functionality. This provides a new source for solutions to be built on. The base operating systems may continue to be maintained on the current 13 month life cycle — or services that extend that period may be provided in the future. A solution is never obligated to build against all currently maintained bases.
  • How open data and tools can save lives during a disaster
    If you've lived through a major, natural disaster, you know that during the first few days you'll probably have to rely on a mental map, instead of using a smartphone as an extension of your brain. Where's the closest hospital with disaster care? What about shelters? Gas stations? And how many soft story buildings—with their propensity to collapse—will you have to zig-zag around to get there? Trying to answer these questions after moving back to earthquake-prone San Francisco is why I started the Resiliency Maps project. The idea is to store information about assets, resources, and hazards in a given geographical area in a map that you can download and print out. The project contributes to and is powered by OpenStreetMap (OSM), and the project's entire toolkit is open source, ensuring that the maps will be available to anyone who wants to use them.
  • Millions of websites threatened by highly critical code-execution bug in Drupal

    Drupal is the third most-widely used CMS behind WordPress and Joomla. With an estimated 3 percent to 4 percent of the world's billion-plus websites, that means Drupal runs tens of millions of sites. Critical flaws in any CMS are popular with hackers, because the vulnerabilities can be unleashed against large numbers of sites with a single, often-easy-to-write script.

  • Avoiding the coming IoT dystopia
    Bradley Kuhn works for the Software Freedom Conservancy (SFC) and part of what that organization does is to think about the problems that software freedom may encounter in the future. SFC worries about what will happen with the four freedoms as things change in the world. One of those changes is already upon us: the Internet of Things (IoT) has become quite popular, but it has many dangers, he said. Copyleft can help; his talk is meant to show how. It is still an open question in his mind whether the IoT is beneficial or not. But the "deep trouble" that we are in from IoT can be mitigated to some extent by copyleft licenses that are "regularly and fairly enforced". Copyleft is not the solution to all of the problems, all of the time—no idea, no matter how great, can be—but it can help with the dangers of IoT. That is what he hoped to convince attendees with his talk. A joke that he had seen at least three times at the conference (and certainly before that as well) is that the "S" in IoT stands for security. As everyone knows by now, the IoT is not about security. He pointed to some recent incidents, including IoT baby monitors that were compromised by attackers in order to verbally threaten the parents. This is "scary stuff", he said.