
Security

A Privacy & Security Concern Regarding GNOME Software

Filed under
GNOME
Security

GNOME Software is the default application in the GNOME desktop environment for managing software. It also lets you receive firmware updates through an underlying daemon called “fwupd”, which fetches them from an online platform called “LVFS” (the Linux Vendor Firmware Service).

To put the relationship more plainly: LVFS is the online platform where hardware vendors upload new versions of their firmware, and fwupd is the client that later downloads them. GNOME Software drives the fwupd daemon to download and install these updates; fwupd is a dependency of GNOME Software.
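Since the privacy question turns on which online service the desktop quietly contacts, the practical first check is to see which fwupd remotes are enabled on a machine. The following is an added example, not code from fwupd, GNOME Software or LVFS: it parses the INI-style remote definitions fwupd keeps (normally under /etc/fwupd/remotes.d/*.conf, with an `[fwupd Remote]` section carrying `Enabled`, `MetadataURI` and `ReportURI` keys) and reports which remotes are enabled and where they reach out to. The remote files it writes into a temporary directory are constructed for the demonstration, so the URIs in them are illustrative.

```python
"""List which fwupd remotes are enabled and which URIs they contact.

Added example, not fwupd's own code.  Point list_remotes() at a real
/etc/fwupd/remotes.d to inspect an actual system; make_sample_dir()
builds a constructed stand-in so the block runs offline.
"""
import configparser
import tempfile
from pathlib import Path

# Constructed sample remotes (illustrative URIs, not copied from a system).
SAMPLE_REMOTES = {
    "lvfs.conf": (
        "[fwupd Remote]\n"
        "Enabled=true\n"
        "Title=Linux Vendor Firmware Service\n"
        "MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz\n"
        "ReportURI=https://fwupd.org/lvfs/firmware/report\n"
    ),
    "lvfs-testing.conf": (
        "[fwupd Remote]\n"
        "Enabled=false\n"
        "Title=Linux Vendor Firmware Service (testing)\n"
        "MetadataURI=https://cdn.fwupd.org/downloads/firmware-testing.xml.gz\n"
    ),
    "vendor.conf": (
        "[fwupd Remote]\n"
        "Enabled=true\n"
        "Title=Vendor (local)\n"
        "MetadataURI=file:///usr/share/fwupd/remotes.d/vendor/firmware.xml.gz\n"
    ),
}


def make_sample_dir():
    """Write the constructed remote files to a temp dir and return its path."""
    tmp = Path(tempfile.mkdtemp(prefix="fwupd-remotes-"))
    for name, body in SAMPLE_REMOTES.items():
        (tmp / name).write_text(body)
    return tmp


def list_remotes(remotes_dir):
    """Return one dict per *.conf remote: name, enabled flag and URIs."""
    remotes = []
    for conf in sorted(Path(remotes_dir).glob("*.conf"), key=lambda p: p.name):
        parser = configparser.ConfigParser()
        parser.read(conf)
        if "fwupd Remote" not in parser:
            continue  # not a remote definition; skip it
        section = parser["fwupd Remote"]
        remotes.append({
            "name": conf.stem,
            "enabled": section.getboolean("Enabled", fallback=False),
            "metadata_uri": section.get("MetadataURI", ""),
            # ReportURI is where fwupd would upload update reports, if set.
            "report_uri": section.get("ReportURI", ""),
        })
    return remotes


def network_remotes(remotes):
    """Enabled remotes whose metadata is fetched over HTTP(S), i.e. the
    ones an update check will actually contact on the network."""
    return [
        r for r in remotes
        if r["enabled"] and r["metadata_uri"].startswith(("http://", "https://"))
    ]


if __name__ == "__main__":
    for r in network_remotes(list_remotes(make_sample_dir())):
        print(f"{r['name']}: metadata from {r['metadata_uri']}"
              + (f", reports to {r['report_uri']}" if r["report_uri"] else ""))
```

On a real system, run it against /etc/fwupd/remotes.d; a remote that is enabled and has a ReportURI is one that may send data back, not just fetch metadata, which is the part worth reviewing before deciding whether to keep it enabled.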

The whole ecosystem is developed mainly by Richard Hughes, who currently works for Red Hat and who is also the original creator of PackageKit. It is worth mentioning, though, that Red Hat does not develop or manage the project directly; rather, it contributes financial and logistical support.


Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Hackers [sic] boast of ease of bypassing security

    According to Pogue, the Nuix report challenges the common media narrative that data breaches are hard to prevent because cyber attacks are becoming more sophisticated; he notes that nearly a quarter of Black Report respondents (22%) said they used the same attack techniques for a year or more.

  • One-in-five cybercriminals blow their earnings on drugs and hookers

    The research was carried out by Dr Mike McGuire, a senior lecturer in Criminology at the University of Surrey. He's presenting the full research paper in San Francisco later in the month.

  • Thousands of hacked websites are infecting visitors with malware

    The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace. That's according to a blog post by Jérôme Segura, lead malware intelligence analyst at Malwarebytes. The hackers, he wrote, cause the sites to display authentic-appearing messages to a narrowly targeted number of visitors that, depending on the browsers they're using, instruct them to install updates for Firefox, Chrome, or Flash.

    To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. [...]

  • Open Letter On Ending Attacks On Security Research

    The Center for Democracy and Technology has put together an important letter from experts on the importance of security research. This may sound obvious, but increasingly we're seeing attacks on security researchers, where the messenger is blamed for finding and/or disclosing bad security practices or breaches -- and that makes us all less safe by creating chilling effects.

  • D.C. Court: Accessing Public Information is Not a Computer Crime

    Good news for anyone who uses the Internet as a source of information: A district court in Washington, D.C. has ruled that using automated tools to access publicly available information on the open web is not a computer crime—even when a website bans automated access in its terms of service. The court ruled that the notoriously vague and outdated Computer Fraud and Abuse Act (CFAA)—a 1986 statute meant to target malicious computer break-ins—does not make it a crime to access information in a manner that the website doesn’t like if you are otherwise entitled to access that same information.

    The case, Sandvig v. Sessions, involves a First Amendment challenge to the CFAA’s overbroad and imprecise language. The plaintiffs are a group of discrimination researchers, computer scientists, and journalists who want to use automated access tools to investigate companies’ online practices and conduct audit testing. The problem: the automated web browsing tools they want to use (commonly called “web scrapers”) are prohibited by the targeted websites’ terms of service, and the CFAA has been interpreted by some courts as making violations of terms of service a crime. The CFAA is a serious criminal law, so the plaintiffs have refrained from using automated tools out of an understandable fear of prosecution. Instead, they decided to go to court. With the help of the ACLU, the plaintiffs have argued that the CFAA has chilled their constitutionally protected research and journalism.

    The CFAA makes it illegal to access a computer connected to the Internet “without authorization,” but the statute doesn’t tell us what “authorization” or “without authorization” means. Even though it was passed in the 1980s to punish computer intrusions, it has metastasized in some jurisdictions into a tool for companies and websites to enforce their computer use policies, like terms of service (which no one reads). Violating a computer use policy should by no stretch of the imagination count as a felony.

  • Blockchain Open Source Code Is Failing On Security Says CAST [Ed: Some so-called 'journalists' entertain self-serving publicity stunt of malicious firms that FUD FOSS for attention]
  • Open source lessons for the cyber security industry

    The only way to win the war against cyber "bad guys" is if cyber security follows the example set by the open source movement and democratises, making it everyone's responsibility.

    That's the view of Mårten Mickos, CEO of HackerOne, the bug bounty and vulnerability coordination platform. Speaking at the recent Linux Foundation's Open Source Leadership Summit in California, he told delegates that the security industry could benefit from the way in which open source had built the functionality and conflict resolution governance that enabled people, including those who disagreed, to work together to achieve a common goal.

Security Leftovers and Lots of Self-Serving FUD Pieces

Filed under
Security

Security: ATI Systems, 'Smart' Meters, Despacito, AntiVirus Tools, Mitre ATT&CK Test Tools

Filed under
Security
  • Researchers Rickrolled Emergency Alert Sirens in Proof-of-Concept Hack

    A researcher from wireless security startup Bastille found that the emergency alert systems made by ATI Systems—which makes and installs emergency mass notification and alert warning systems—transmitted commands unencrypted, allowing anyone with a radio transmitter (and the ability to reverse engineer the commands) to hijack them.

  • The tricks power firms use to force us to switch to digital meters | This is Money
  • Here’s How Hackers Might Have Deleted Despacito Video From YouTube
  • Top 5 Absolutely Free Open-Source AntiVirus Tools for PC

    Antivirus software has made us feel at ease in using our mobile phones, tablets, and computers. It allows us to browse safely on the net without the fear of our private information spreading to others (or of viruses). Antivirus software, also known as anti-malware software, is computer software that is used to prevent, detect and remove malicious software. It can protect the computer from malicious browser helper objects, ransomware, keyloggers, backdoors, trojan horses, worms, fraud tools, adware, etc.

    Some antivirus software also includes protection from other computer threats like spam, online banking attacks, infected and malicious URLs, scam and phishing attacks, online identity (privacy) theft, social engineering techniques, advanced persistent threats (APT) and botnet DDoS attacks.

  • 4 open-source Mitre ATT&CK test tools compared

    One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The Mitre ATT&CK framework can be a very useful collection of threat tactics and techniques for such a team. The framework classifies and describes a wide range of attacks. To make it even more effective, various commercial and open-source general testing tools have been built to complement its schemas.

Security: Updates, 'Cloud' Hardening, Two Factor Authentication, Launchpad

Filed under
Security

FUD Against FOSS From CA Technologies (Veracode and SourceClear)

Filed under
OSS
Security

Security: E-Mail Vulnerability, Reproducible Builds, 'IoT', YouTube and Mythology About Security (Back Doors Intentional)

Filed under
Security
  • Obscure E-Mail Vulnerability
    I think the problem is more subtle. It's an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we're going to see a lot more of these. And like this Google/Netflix interaction, it's going to be hard to figure out who to blame and who -- if anyone -- has the responsibility of fixing it.

  • Reproducible Builds: Weekly report #154
  • A Long-Awaited IoT Crisis Is Here, and Many Devices Aren't Ready

    You know by now that Internet of Things devices like your router are often vulnerable to attack, the industry-wide lack of investment in security leaving the door open to a host of abuses. Worse still, known weaknesses and flaws can hang around for years after their initial discovery. Even decades. And Monday, the content and web services firm Akamai published new findings that it has observed attackers actively exploiting a flaw in devices like routers and video game consoles that was originally exposed in 2006.

  • Feral Interactive Releases GameMode, YouTube Music Videos Hacked, Oregon Passes Net Neutrality Law and More

    YouTube was hacked this morning, and many popular music videos were defaced, including the video for the hit song Despacito, as well as videos by Shakira, Selena Gomez, Drake and Taylor Swift. According to the BBC story, "A Twitter account that apparently belongs to one of the hackers posted: 'It's just for fun, I just use [the] script 'youtube-change-title-video' and I write 'hacked'."

  • Despacito YouTube music video hacked plus other Vevo clips

    YouTube's music video for the hit song Despacito, which has had over five billion views, has been hacked.

    More than a dozen other artists, including Shakira, Selena Gomez, Drake and Taylor Swift are also affected. The original clips had been posted by Vevo.

    [...]

    Cyber-security expert Prof Alan Woodward, from Surrey University, said it was unlikely that the hacker was able to gain access so easily.

  • YouTube Hacked? Most Watched Video “Despacito” And Other Clips Deleted (And Restored)

    Just five days ago, Luis Fonsi’s viral Despacito music video earned the title of world’s most watched video on YouTube with more than 5 billion views. Apparently, YouTube hackers managed to delete the video, along with other Vevo clips.

    However, as per the latest development, the deleted videos have been restored on the website. Earlier, after the hack, Despacito video showed a thumbnail with masked people holding guns. After clicking the video, it said: “This video is unavailable.”

  • Mythology about security…

    Government export controls crippled Internet security and the design of Internet protocols from the very beginning: we continue to pay the price to this day.  Getting security right is really, really hard, and current efforts towards “back doors”, or other access is misguided. We haven’t even recovered from the previous rounds of government regulations, which has caused excessive complexity in an already difficult problem and many serious security problems. Let us not repeat this mistake…

Security: Updates, Etherpad, Beep, Ubuntu, SourceClear

Filed under
Security

Security Leftovers

Filed under
Security
  • The dots do matter: how to scam a Gmail user

    And even in the rare case that a Gmail user is aware of their infinite set of addresses, and they’re aware of the phishing attacks that this can expose them to, this user is unlikely to pick up on it, because the user interfaces of Gmail and Inbox don’t hint anything about a possible scam. In fact it barely even acknowledges that the email was to a non-standard address. The only clue in the screenshot above is that the interface says “to james.hfisher”, instead of “to me”.
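The mechanism behind both this item and the “Obscure E-Mail Vulnerability” item above (the Google/Netflix interaction) is that one Gmail mailbox answers to an unbounded set of addresses: dots in the local part are ignored, and anything after a “+” is dropped. A service that treats those spellings as different accounts can be tricked into binding a stranger's account to your inbox. Here is an added example, not code from the article or from Google, that canonicalises addresses the way Gmail routes them and flags registrations that collide on one mailbox; the sample registration list is constructed, and the set of Gmail domains it recognises is an assumption limited to gmail.com and googlemail.com.

```python
"""Canonicalise Gmail addresses to the mailbox that actually receives them.

Added example, not the article's code.  Gmail ignores dots in the local
part, drops a "+tag" suffix and is case-insensitive, and googlemail.com
aliases gmail.com; other domains are left alone apart from lowercasing
the domain, since their local parts may be significant.
"""

# Assumption: these are the domains whose local parts Gmail normalises.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Return the canonical 'local@domain' string for the delivering mailbox."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]      # drop the +tag suffix
        local = local.replace(".", "").lower()  # dots do not matter to Gmail
        domain = "gmail.com"                 # googlemail.com is the same service
    return f"{local}@{domain}"


def same_mailbox(a, b):
    """True if two spellings deliver to the same inbox."""
    return canonical_mailbox(a) == canonical_mailbox(b)


def find_collisions(addresses):
    """Group registered addresses that all resolve to one mailbox.

    A sign-up flow should run this check (or just store the canonical
    form) so that james.hfisher@ and jameshfisher@ cannot be two accounts.
    """
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return {mailbox: spellings for mailbox, spellings in groups.items()
            if len(spellings) > 1}


# Constructed sample registration list for the demonstration.
SAMPLE_REGISTRATIONS = [
    "james.hfisher@gmail.com",
    "jameshfisher+netflix@gmail.com",
    "alice@example.com",
    "a.lice@example.com",          # distinct at a non-Gmail domain
    "bob@googlemail.com",
]

if __name__ == "__main__":
    for mailbox, spellings in find_collisions(SAMPLE_REGISTRATIONS).items():
        print(f"{mailbox} is registered as: {', '.join(spellings)}")
```

The interesting failure is the one-sided case: the service sees two distinct strings, Gmail sees one inbox, so account e-mail (password resets, billing notices) for the second registration lands with whoever owns the first. Storing and comparing the canonical form on the service side closes that gap for Gmail users without changing how mail is actually sent.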

  • Episode 91 - Security lessons from a 7 year old

    Josh and Kurt talk to a 7 year old about security. We cover Minecraft security, passwords, hacking, and many many other nuggets of wisdom.

  • Update for Ubuntu 16.04 LTS patches security vulnerabilities

    Canonical has released a kernel update for Ubuntu 16.04 LTS.

    The “important update” patches 39 security vulnerabilities, according to a report by Softpedia.

    The update covers Ubuntu 16.04 LTS and its official derivatives, including Kubuntu, Lubuntu, and Xubuntu.

    Security fixes contained in the update cover a wide range of issues, such as vulnerabilities in the Linux kernel’s USB over IP implementation – which allowed remote attacks.

More in Tux Machines

OpenBSD and NetBSD

Security: Twitter and Facebook

  • Twitter banned Kaspersky Lab from advertising in Jan

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.

  • When you go to a security conference, and its mobile app leaks your data

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

    If you log in to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.

Beginner Friendly Gentoo Based Sabayon Linux Has a New Release

The team behind Sabayon Linux has issued a new release. Let’s take a quick look at what’s involved in this new release.

Android Leftovers