
Security

Security News

Filed under
Security
  • Reproducible Builds: week 90 in Stretch cycle

    The F-Droid Verification Server has been launched. It rebuilds apps from source that were built by f-droid.org and checks that the results match.

  • 6 Week Progress Update for PGP Clean Room

    One of the PGP Clean Room’s aims is to provide users with the option to easily initialize one or more smartcards with personal info and pins, and subsequently transfer keys to the smartcard(s). The advantage of using smartcards is that users don’t have to expose their keys to their laptop for daily certification, signing, encryption or authentication purposes.

  • New Kali Linux Professional Information Security Certification to debut at Black Hat USA, 2017

    First Official Kali Linux book release will coincide with launch of the new information security training program as the Penetration Testing platform celebrates its 10th anniversary.

  • The flatpak security model – part 1: The basics

    This is the first part of a series talking about the approach flatpak takes to security and sandboxing.

    First of all, a lot of people think of container technology like docker, rkt or systemd-nspawn when they think of linux sandboxing. However, flatpak is fundamentally different to these in that it is unprivileged.

  • Newly discovered Mac malware found in the wild also works well on Linux [Ed: Only if fools are stupid enough to actually INSTALL malware.]

    The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

    [...]

    Another intriguing finding: with the exception of the Mac-formatted Mach object file binary, the entire Fruitfly malware library runs just fine on Linux computers.

Why Linux Installers Need to Add Security Features

Filed under
Linux
Security

Twelve years ago, Linux distributions were struggling to make installation simple. Led by Ubuntu and Fedora, they long ago achieved that goal. Now, with the growing concerns over security, they need to reverse directions slightly, and make basic security options prominently available in their installers rather than options that users can add manually later.

At the best of times, of course, convincing users to come anywhere near security features is difficult. Too many users are reluctant even to add features as simple as unprivileged user accounts or passwords, apparently preferring the convenience of the moment to reducing the risk of an intrusion that will require reinstallation, or a consultation with a computer expert at eighty dollars an hour.

Read more

Security News

Filed under
Security
  • Wednesday's security updates
  • Secure your Elasticsearch cluster and avoid ransomware

    Last week, news came out that unprotected MongoDB databases are being actively compromised: content copied and replaced by a message asking for a ransom to get it back. As The Register reports: Elasticsearch is next.

    Protecting access to Elasticsearch by a firewall is not always possible. But even in environments where it is possible, many admins are not protecting their databases. Even if you cannot use a firewall, you can secure the connection to Elasticsearch by using encryption. Elasticsearch by itself does not provide any authentication or encryption possibilities. Still, there are many third-party solutions available, each with its own drawbacks and advantages.

  • Resolve to Follow These 8 Steps for Better Data Security in 2017

    Getting physically fit is a typical New Year's resolution. Given that most of us spend more time online than in a gym, the start of the new year also might be a great time to improve your security “fitness.” As with physical fitness challenges, the biggest issue with digital security is always stagnation. That is, if you don't move and don't change, atrophy sets in. In physical fitness, atrophy is a function of muscles not being exercised. In digital fitness, security risks increase when you fail to change passwords, update network systems and adopt improved security technology. Before long, your IT systems literally become a “sitting duck.” Given the volume of data breaches that occurred in 2016, it is highly likely that everyone reading this has had at least one of their accounts compromised in some way, such as their Yahoo account. Hackers somewhere may have one of the passwords you’ve used at one point to access a particular site or service. If you're still using that same password somewhere, in a way that can connect that account to you, that's a non-trivial risk. Changing passwords is the first of eight security resolutions that can help to improve your online security fitness in 2017. Click through this eWEEK slide show to discover the rest.

  • Pwn2Own 2017 Takes Aim at Linux, Servers and Web Browsers

    10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including Virtual Machines, servers, enterprise applications and web browsers.

    Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged to become one of the premier events on the information security calendar and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.

  • 'Factorio' is another game that was being hit by key scammers

    In another case of scammers trying to buy keys with often stolen credit cards to sell on websites like G2A, the developers of 'Factorio' have written about their experience with it (and other stuff too).
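
The Elasticsearch item above describes the exposure the MongoDB and Elasticsearch ransom campaigns relied on: an HTTP API bound to a routable address with no firewall or proxy in front of it and no authentication behind it. The following added example (not code from the article or from Elastic) audits an elasticsearch.yml for that condition, with a weak configuration beside a hardened one. The sample configs are constructed; the flat `key: value` parser and the interpretation of the documented `network.host` special values (`_local_`, `_site_`, `_global_`, `_<iface>_`) are this example's assumptions.

```python
"""Audit elasticsearch.yml for an HTTP API reachable from other hosts.

Added example; not Elasticsearch's own code.  Assumes a flat `key: value`
elasticsearch.yml and Elasticsearch's documented network.host special values.
"""
import ipaddress
import re

# Constructed sample configs, not taken from any real deployment.
EXPOSED_YML = """\
cluster.name: prod-logs
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_YML = """\
cluster.name: prod-logs
# Bind only to loopback; a TLS + auth reverse proxy or SSH tunnel sits in front.
network.host: 127.0.0.1
http.port: 9200
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.

    Comments and blank lines are skipped; `[a, b]` inline lists are split.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("[") and value.endswith("]"):
            conf[key] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            conf[key] = value.strip("\"'")
    return conf


def host_is_routable(value):
    """True if this network.host value accepts connections from other machines."""
    v = value.strip()
    if v in ("_local_", "localhost"):
        return False
    if v.startswith("_") and v.endswith("_"):
        return True  # _site_, _global_ or a named interface: reachable on the network
    try:
        addr = ipaddress.ip_address(v)
    except ValueError:
        return True  # a hostname: assume it resolves to a routable address
    # 0.0.0.0 and :: are the unspecified addresses, i.e. every interface.
    return not addr.is_loopback


def audit(text):
    """Return a list of findings; an empty list means nothing is exposed."""
    conf = parse_flat_yaml(text)
    # http.host overrides network.host for the REST API; the default is _local_.
    hosts = conf.get("http.host") or conf.get("network.host", "_local_")
    if isinstance(hosts, str):
        hosts = [hosts]
    port = conf.get("http.port", "9200")
    findings = []
    for h in hosts:
        if host_is_routable(h):
            findings.append(
                f"network.host={h}: REST API reachable on port {port} without "
                "authentication; firewall it, front it with a TLS+auth proxy, "
                "or bind to loopback")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_YML), ("hardened", HARDENED_YML)):
        print(label, audit(cfg) or ["ok"])
```

Run the checker over every node's config before exposing a cluster; a clean result only means the daemon is not listening on a routable address, not that the proxy or firewall in front of it is configured correctly.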

Security News

Filed under
Security

  • Security advisories for Tuesday
  • FOI: NHS Trusts are ransomware pin cushions [Ed: Windows]

    The FOI requests found that 87 per cent of attacks came via a networked NHS device and that 80 per cent were down to phished staffers. However, only a small proportion of the 100 or so Trusts responded to this part of the requests.

    "These results are far from surprising. Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching," said Tony Rowan, Chief Security Consultant at SentinelOne.

    "The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware and a new more dynamic approach to endpoint protection is needed.

Canonical to Remove Old Unity 7 Scopes from Ubuntu Because They're Not Secure

Filed under
Security

Canonical's Will Cooke recently revealed the company's plans to remove some old, unmaintained Unity 7 Scopes from the Ubuntu Linux archives because they could threaten the security of the entire operating system.

Read more

Security Leftovers

Filed under
Security
  • 3 Lessons in Web Encryption from Let’s Encrypt

    As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year. Much of the infrastructure and many of the plans necessary for a 100 percent encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.

    But before we start looking ahead, it’s helpful to look back and see what our project learned from our exciting first full year as a live certificate authority (CA). I’m incredibly proud of what our team and community accomplished during 2016. I’d like to share how we’ve changed, what we’ve accomplished, and what we’ve learned.

    At the start of 2016, Let’s Encrypt was supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 22 million active certificates in total.

  • [Older] Kali Linux Cheat Sheet for Penetration Testers
  • Report: Attacks based on open source vulnerabilities will rise 20 percent this year [Ed: The Microsoft-connected Black Duck spreads FUD against FOSS again, together with IDG; Black Duck was created for the purpose of attacking the GPL, by its very own admission.]

    The number of commercial software projects that were composed of 50 percent or more of free, open source software went up from 3 percent in 2011 to 33 percent today, said Mike Pittenger, vice president of security strategy at Black Duck Software.

Security Leftovers

Filed under
Security
  • Truffle Hog Finds Security Keys Hidden in GitHub Code

    According to commenters on a Reddit thread about Truffle Hog, Amazon Web Services has already been using a similar tool for the same purpose. "I have accidentally committed my AWS secret keys before to a public repo," user KingOtar wrote. "Amazon actually found them and shut down my account until I created new ones. Kinda neat Amazon."

  • 5 Essential Tips for Securing Your WordPress Sites

    WordPress is by far the most popular blogging platform today.

    Being as popular as it is, it comes with its own strengths and weaknesses. The very fact that almost everybody uses it makes it more prone to vulnerabilities. WordPress developers are doing a great job of fixing and patching the framework as new flaws are discovered, but that doesn’t mean that you can simply install and forget your installation.

    In this post, we will provide some of the most common ways of securing and strengthening a WordPress site.

  • Google ventures into public key encryption

    Google announced an early prototype of Key Transparency, its latest open source effort to ensure simpler, safer, and secure communications for everyone. The project’s goal is to make it easier for applications and services to share and discover public keys for users, but it will be a while before it's ready for prime time.

    Secure communications should be de rigueur, but it remains frustratingly out of reach for most people, more than 20 years after the creation of Pretty Good Privacy (PGP). Existing methods where users need to manually find and verify the recipients’ keys are time-consuming and often complicated. Messaging apps and file sharing tools are limited in that users can communicate only within the service because there is no generic, secure method to look up public keys.

  • How to Keep Hackers out of Your Linux Machine Part 2: Three More Easy Security Tips

    In part 1 of this series, I shared two easy ways to prevent hackers from eating your Linux machine. Here are three more tips from my recent Linux Foundation webinar where I shared more tactics, tools and methods hackers use to invade your space. Watch the entire webinar on-demand for free.
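
The Truffle Hog item above describes a tool that finds keys committed to git by looking for high-entropy strings. The following added example (not Truffle Hog's own code) shows the technique over a constructed diff: Shannon entropy of base64 and hex runs, plus one structural rule, because a low-entropy identifier such as an AWS access key ID slips past entropy alone. The alphabets, thresholds and the `AKIA` prefix rule are this example's assumptions; the access key ID in the sample is the placeholder AWS publishes in its documentation, and the other two values are constructed.

```python
"""Entropy-based secret scanning over a git diff, Truffle Hog style.

Added example; not Truffle Hog's code.  Thresholds and alphabets are assumptions:
uniformly random base64 approaches 6 bits/char and random hex approaches 4.
"""
import math
import re

BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"[0-9a-fA-F]{20,}")
AWS_KEY_ID = re.compile(r"AKIA[0-9A-Z]{16}")  # shape of an AWS access key ID (assumed rule)
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0

# Constructed diff.  The access key ID is AWS's documented placeholder; the
# other two "secrets" are made up for this example.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "Q7mZ2vLp9XcR4tBn8Ks0dYwE6jHa1GuFoI3rTeNc"
+API_TOKEN_HEX = "3f9a1c7e5b2d8e4a6c0f9b1d7e3a5c8b2f4d6e8a"
+DEFAULT_REGION = "us-east-1"
+LOG_PREFIX = "debugdebugdebugdebugdebug"
"""


def shannon_entropy(s):
    """Bits per character of s, from its empirical character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return [(rule, matched_text)] for one line of content."""
    findings = []
    for m in AWS_KEY_ID.finditer(line):
        findings.append(("aws-access-key-id", m.group()))
    for m in HEX_RUN.finditer(line):
        if shannon_entropy(m.group()) > HEX_THRESHOLD:
            findings.append(("high-entropy-hex", m.group()))
    for m in BASE64_RUN.finditer(line):
        s = m.group()
        if HEX_RUN.fullmatch(s):
            continue  # pure hex was already judged under the hex threshold
        if shannon_entropy(s) > BASE64_THRESHOLD:
            findings.append(("high-entropy-base64", s))
    return findings


def scan_diff(diff_text):
    """Scan added ('+') lines only; returns [(line_number, rule, matched_text)]."""
    results = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, secret in scan_line(line[1:]):
            results.append((lineno, rule, secret))
    return results


if __name__ == "__main__":
    for lineno, rule, secret in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {rule}: {secret}")
```

The repeated `debugdebug...` string and the short region name are not reported: repetition keeps entropy low, and the 20-character minimum filters ordinary identifiers. The flip side is that entropy scanning needs the regex rule to catch the structured, low-entropy key ID, which is why later versions of such scanners combine both approaches.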
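
The Key Transparency item above concerns discovering other users' public keys through a directory that clients do not have to trust blindly. The added example below (not Google's Key Transparency code, which uses a sparse Merkle map together with a log and a different data model) sketches the core mechanism: an append-only Merkle tree over user-to-key bindings, a published root, and an inclusion proof the client verifies before trusting a key the server returns. Hashing follows the RFC 6962 leaf/node domain separation; the `KeyDirectory` class, its record format and the sample users are this example's assumptions, and the "public keys" are constructed stand-ins.

```python
"""Verifiable public-key directory sketch: Merkle log with inclusion proofs.

Added example; not Key Transparency's code.  Hashing follows RFC 6962
(0x00 prefix for leaves, 0x01 for interior nodes); the record layout is assumed.
"""
import hashlib


def _h(data):
    return hashlib.sha256(data).digest()


def leaf_hash(record):
    return _h(b"\x00" + record)


def node_hash(left, right):
    return _h(b"\x01" + left + right)


def _split(n):
    """Largest power of two strictly less than n (n >= 2), as in RFC 6962."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves):
    """Root of an already leaf-hashed list, for any size (not only powers of two)."""
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(index, leaves):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return audit_path(index, leaves[:k]) + [("R", merkle_root(leaves[k:]))]
    return audit_path(index - k, leaves[k:]) + [("L", merkle_root(leaves[:k]))]


def verify_inclusion(root, record, path):
    """Client-side check: does `record` hash up through `path` to the trusted root?"""
    h = leaf_hash(record)
    for side, sibling in path:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


class KeyDirectory:
    """Append-only log of (user, public key) bindings; a hypothetical server."""

    def __init__(self):
        self.records = []   # (user, raw record bytes), in append order
        self.leaves = []    # leaf hashes, same order

    def publish(self, user, pubkey):
        record = user.encode() + b"\x00" + pubkey   # assumed record layout
        self.records.append((user, record))
        self.leaves.append(leaf_hash(record))
        return len(self.leaves) - 1

    def root(self):
        """What the server publishes (and clients gossip about) for this tree size."""
        return merkle_root(self.leaves)

    def lookup(self, user):
        """Newest binding for `user` plus its proof, or None if never published."""
        for i in range(len(self.records) - 1, -1, -1):
            if self.records[i][0] == user:
                return self.records[i][1], audit_path(i, self.leaves)
        return None


def build_demo_directory():
    d = KeyDirectory()
    for name in ("alice", "bob", "carol", "dave", "erin"):
        d.publish(name, _h(name.encode()))  # constructed stand-in for a real public key
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    root = d.root()
    record, path = d.lookup("carol")
    print("proof verifies:", verify_inclusion(root, record, path))
    forged = record[:-1] + bytes([record[-1] ^ 1])
    print("forged key verifies:", verify_inclusion(root, forged, path))
```

The security property is that a server which wants to hand one client a substitute key must either put that binding in the tree, where the key's owner and auditors can see it, or produce a root that disagrees with the one everyone else has; a proof against a stale root fails as soon as the tree grows, which is why real deployments also require consistency proofs between roots.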

Security News

Filed under
Security
  • Microsoft slates end to security bulletins in February [iophk: "further obscuring"; Ed: See this]

    Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.

    One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."

  • Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users

    By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too.

  • DragonFlyBSD Installer Updated To Support UEFI System Setup

    DragonFlyBSD has been working on its (U)EFI support and with the latest Git code its installer now has basic UEFI support.

Tails 2.10 Will Upgrade to Linux Kernel 4.8 and Tor 0.2.9, Add exFAT Support

Filed under
Security

A new stable release of Tails, the beloved anonymous Live CD that helps you stay hidden online when navigating various websites on the Internet, is being prepared.

Security News

Filed under
Security
  • How we secure our infrastructure: a white paper

    Trust in the cloud is paramount to any business who is thinking about using it to power their critical applications, deliver new customer experiences and house their most sensitive data. Today, we're issuing a white paper by our security team that details how security is designed into our infrastructure from the ground up.

    Google Cloud’s global infrastructure provides security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet and safe operation by administrators.

  • Google Infrastructure Security Design Overview [Ed: Google banned Windows internally]

    The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.

  • Microsoft Says Windows 7 Has Outdated Security, Wants You to Move to Windows 10 [Ed: all versions are insecure BY DESIGN]

    Windows 10 is now running on more than 20 percent of the world’s desktop computers, and yet, Microsoft’s bigger challenge isn’t necessarily to boost the market share of its latest operating system, but to convince those on Windows 7 to upgrade.

  • Debian GNU/Linux 8.7 Officially Released, Includes over 85 Security Updates

    If you're using Debian Stable (a.k.a. Debian GNU/Linux 8 "Jessie"), it's time to update it now. Why? Because Debian Project launched a new release, Debian GNU/Linux 8.7, which includes over 170 bug fixes and security updates.

  • CVS: cvs.openbsd.org: src

    Disable and lock Silicon Debug feature on modern Intel CPUs
