Language Selection

English French German Italian Portuguese Spanish

Security

Security: Internet of Things (IoT), Sonatype, Windows Files on GNU/Linux, NSA Back Doors

Filed under
Security

Security: Updates, Libgcrypt 1.8, Dow Jones Cracked, Windows Havoc Carries on

Filed under
Security

Hacking Devices (Repair), Misconfigured Samba, and Black Duck FUD Team

Filed under
Security

Security: Updates, DNS, Breach, Internet Cameras, Cryptoparty Belfast, Intel and More

Filed under
Security
  • Security updates for Tuesday
  • The Risks of DNS Hijacking Are Serious and You Should Take Countermeasures

    Over the years hackers have hijacked many domain names by manipulating their DNS records to redirect visitors to malicious servers. While there’s no perfect solution to prevent such security breaches, there are actions that domain owners can take to limit the impact of these attacks on their Web services and users.

  • Lawyers score big in settlement for Ashley Madison cheating site data breach

    The owners of the Ashley Madison cheating-dating website have agreed to pay $11.2 million to settle two dozen data breach lawsuits as a result of a 2015 incident involving as many as 37 million members' personal identifying information being exposed online. The deal (PDF) earmarks up to one-third, or about $3.7 million, for attorneys' fees and costs. An additional $500,000 has been set aside to administer the remaining $7 million earmarked for Ashley Madison members.

  • Representative IoT Device: IP Video Camera

    These IP cameras are available with full support and regular updates from industrial suppliers at prices ranging from several hundred to a few thousand dollars per camera. They are commonly sold in systems that include cameras, installation, monitoring and recording systems and software, integration, and service and support. There are a few actual manufacturers of the cameras, and many OEMs place their own brand names on the cameras.

  • Hack Brief: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices
  • Devil's Ivy Open-Source Flaw Impacts Tens of Millions of IoT Devices
  • Nasty Bug Left Thousands of Internet of Things Devices Open to Hackers
  • Experts in Lather Over ‘gSOAP’ Security Flaw
  • Just because you can, doesn't mean you should

    There was a recent Cryptoparty Belfast event that was aimed at a wider audience than usual; rather than concentrating on how to protect ones self on the internet the 3 speakers concentrated more on why you might want to. As seems to be the way these days I was asked to say a few words about the intersection of technology and the law. I think people were most interested in all the gadgets on show at the end, but I hope they got something out of my talk. It was a very high level overview of some of the issues around the Investigatory Powers Act - if you’re familiar with it then I’m not adding anything new here, just trying to provide some sort of details about why it’s a bad thing from both a technological and a legal perspective.

  • [Old] "Super Malware" Steals Encryption Keys from Intel SGX Enclaves

    In a research paper published at the end of February, a team of five scientists from the Graz University of Technology has described a novel method of leaking data from SGX enclaves, a secure environment created by Intel CPUs for storing sensitive information for each process, such as encryption keys, passwords, and other.

    Starting with the Skylake line, Intel introduced a new hardware extension called SGX (Software Guard Extensions) that isolates the CPU memory at the hardware level, creating safe spaces where applications can store information that only they can write or read.

  • Avoiding TPM PCR fragility using Secure Boot

    In measured boot, each component of the boot process is "measured" (ie, hashed and that hash recorded) in a register in the Trusted Platform Module (TPM) build into the system. The TPM has several different registers (Platform Configuration Registers, or PCRs) which are typically used for different purposes - for instance, PCR0 contains measurements of various system firmware components, PCR2 contains any option ROMs, PCR4 contains information about the partition table and the bootloader. The allocation of these is defined by the PC Client working group of the Trusted Computing Group. However, once the boot loader takes over, we're outside the spec[1].

  • Open Source Security Podcast: Episode 56 -- Devil's Advocate and other fuzzy topics

Security Features in Next Linux

Filed under
Linux
Security
  • It Didn't Make It For Linux 4.13, But A New Random Number Generator Still In The Works

    Frequent Phoronix readers may recall that for more than one year a new Linux Random Number Generator has been in-development and today marked the 12th version of these patches being released.

    This new random number generator, LRNG, aims to provide sufficient entropy during the boot time and in virtual environments as well as when using SSDs or DM targets. LRNG has been in development by Stephan Müller.

  • Unix: How random is random?
  • AMD Secure Memory Encryption Patches Updated For Linux

    Adding to the list of changes/features you will not find in Linux 4.13 is AMD's Secure Memory Encryption as supported by the new EPYC processors.

    AMD has been posting Secure Memory Encryption patches for the Linux kernel going back to last year, but so far have not been merged to mainline. The code continues to be updated and published today was the tenth version of these patches.

A brief history of GnuPG: vital to online security but free and underfunded

Filed under
GNU
Security

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.

GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt on January 11, 1996, but relief is probably a good guess. The United States government had just ended its investigation into him and his encryption software, PGP or “Pretty Good Privacy”.

Read more

Security and FOSS: Sonatype Report, Bitfury, and Nokia

Filed under
OSS
Security

Security Leftovers

Filed under
Security
  • Open source in the security world -- a liability or strength?

    To some, the terms ‘open source’ and ‘security’ may not exactly go hand in hand. Characterized by its transparent code—which means it’s highly accessible to anyone— as opposed to ‘closed’, proprietary systems, it’s no wonder that some still have the misperception that open source is the more vulnerable party. In an open source environment, companies as well as communities of sorts are able to access and contribute to the code. This often gives off the impression that because it is open, it must be fully exposed to risks and viruses.

    But today, open source is pervasive. The world as we know it is changing — technology is evolving faster today than it has at any other point in human history. And open source is the reason for that; it is the driving force behind many of today’s technology innovation that we see. Today’s enterprises simply cannot rely on a proprietary piece of source code to manage their increasing multitude of applications that are powering their critical business transactions.

    And with the rising adoption of this software, there has never been a better time to learn the truth about misconceptions of open source security.

  • How Active Intrusion Detection Can Seek and Block Attacks

    Ventura will this detail a more active approach to intrusion prevention - where defenders can use basic network software applications to look for threats and stop attacks - later this month in his Black Hat USA talk entitled "They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention."

  • Linux, Windows, macOS Affected By 21-year-old Kerberos Protocol Bug; Patch Now

Security: Kaspersky Ban, Email of Top U.S. Russia Intelligence Official Hacked, and Kali Linux

Filed under
Security

Security: Kerberos, Various Updates, and FUD

Filed under
Security
Syndicate content

More in Tux Machines

Chromium and Firefox: New Features

  • Chromebook Owners Will Soon Be Able to Monitor CPU and RAM Usage in Real-Time
    Chromium evangelist François Beaufort announced today that Google's Chrome OS engineers have managed to implement a new feature that will let Chromebook owners monitor the CPU usage, RAM, and zRam statistics in real-time. The feature was implemented in the Chrome Canary experimental channel and can be easily enabled by opening the Google Chrome web browser and accessing the chrome://flags/#sys-internals flag. There you'll be able to monitor your Chromebook's hardware and see what's eating your memory or CPU during heavy workloads, all in real-time. "Chrome OS users can monitor in real-time their CPU usage, memory and zRam statistics thanks to the new internal page chrome://sys-internals in the latest Canary," said François Beaufort in a Google+ post. "For that, enable the experimental chrome://flags/#sys-internals flag, restart Chrome, and enjoy watching real-time resource consumption."
  • Tracking Protection for Firefox for iOS Plus Multi-Tasking in Focus for Android New Today
    Across the industry, September is always an exciting month in mobile, and the same is true here at Mozilla. Today, we’re launching the newest Firefox for iOS alongside an update for the popular Firefox Focus for Android, which we launched in June.

Ubuntu 17.10 (Artful Aardvark) Is Now Powered by Linux Kernel 4.13, GCC 7.2

Greg Kroah-Hartman published on Wednesday new maintenance updates for various of the supported Linux kernel branches that he maintains, including the Linux 4.12 series, which appears to have reached end of life. Read more

The ISS just got its own Linux supercomputer

A year-long project to determine how high-performance computers can perform in space has just cleared a major hurdle -- successfully booting up on the International Space Station (ISS). This experiment conducted by Hewlett Packard Enterprise (HPE) and NASA aims to run a commercial off-the-shelf high-performance computer in the harsh conditions of space for one year -- roughly the amount of time it will take to travel to Mars. Read more

Qt 5.6.3 Released

I am pleased to inform that Qt 5.6.3 has been released today. As always with a patch release Qt 5.6.3 does not bring any new features, just error corrections. For details of the bug fixes in Qt 5.6.3, please check the change logs for each module. Read more