Security

Raspberry Pi With Open Port 22

Filed under
Linux
Hardware
Security

Security Leftovers

Filed under
Security

Updated Fedora 25 Live ISOs Released with Linux Kernel 4.11.3, Security Updates

Filed under
Security

Ben Williams of the Fedora Respins-SIG project is back with his announcement about new sets of updated Fedora 25 Linux Live ISO respins, which bring all the latest security and software updates, as well as a new kernel.

Security Leftovers: Vault 7, uCareSystem, CryptoHarlem

Filed under
Security
  • Security updates for Wednesday
  • Vault 7: WikiLeaks exposes Pandemic, CIA infection tool for Windows machines

    After having disclosed information about CIA’s spyware tool Athena only last week, WikiLeaks has published new information from Pandemic, another alleged CIA project that “targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.”

    Part of the Vault 7 series of documents that were either leaked following an inside job or stolen from the CIA by hackers, Pandemic basically turns Windows machines from a targeted network into Patient Zero. It then covertly infects other computers linked to the system by delivering infected versions of the requested files. Because it is very persistent, the original source of infection is difficult to detect.

  • Hand in your notice – by 2022 there'll be 350,000 cybersecurity vacancies

    General Data Protection Regulation (GDPR) will force European organisations to expand their cyber workforce, causing demand to outstrip the supply of expertise.

    Two in five governments and companies will expand their cybersecurity divisions by more than 15 per cent in the next 12 months, according to a survey by the International Information System Security Certification Consortium, or (ISC)2. This will lead to a shortfall of 350,000 cyber workers across the continent by 2022.

    Europe's cyber workforce will expand faster than any other region in the world. Demand is driving record salaries with 39 per cent of UK cyber workers commanding annual salaries of more than £87,000.

  • uCareSystem – All-In-One System Update And Maintenance Tool For Ubuntu/LinuxMint

    uCareSystem Core is a thin utility that automates basic system maintenance activity; on the other hand, it will reduce system administrator tasks in many ways and save a good amount of time. It doesn’t have any GUI and offers a purely command-line interface to perform the activity.

  • Matt Mitchell of CryptoHarlem is building an open source tool to help organizations prepare for data breaches

    This morning on the stage of TC Sessions: Justice, Matt Mitchell of CryptoHarlem discussed his views on the link between surveillance and minority oppression and the importance of taking a preventative approach to security and privacy. Mitchell, a specialist in digital safety and encryption, is dedicating time to creating Protect Your Org, a free, open source, tool for all organizations to prepare for inevitable data breaches.

Canonical Outs Major Linux Kernel Security Update for Ubuntu 17.04 and 16.04 LTS

Filed under
Security
Ubuntu

Canonical released new kernel security updates for all of its supported Ubuntu Linux operating systems, including Ubuntu 17.04 (Zesty Zapus), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 16.10 (Yakkety Yak), and Ubuntu 14.04 LTS (Trusty Tahr).

Tor Browser 7.0 is released

Filed under
Moz/FF
OSS
Security

The Tor Browser Team is proud to announce the first stable release in the 7.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 52 ESR which contains progress in a number of areas:

Most notably we hope having Mozilla's multiprocess mode (e10s) and content sandbox enabled will be one of the major new features in the Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows (the e10s part is ready), both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0. In addition to that, Linux and macOS users have the option to further harden their Tor Browser setup by using only Unix Domain sockets for communication with tor.

Also: Firefox-Based Tor Browser 7.0 Officially Released for Anonymous Web Surfing

Microsoft Antitrust and Security Failures

Filed under
Microsoft
Security
  • Kaspersky sues Microsoft over claims Windows 10 is 'incompatible' with third-party AV

    In a sensational claim, Kaspersky says that a customer in France was told by a Microsoft representative that "Windows 10 is incompatible with third-party antivirus. It's a shame that you've spent money on a Kaspersky Lab product, but you can't reinstall it without running the risk of the appearance of new bugs."

  • Microsoft Targeted by Kaspersky Antitrust Complaint to EU

    Kaspersky sent a formal complaint to European Union and German antitrust regulators, saying “hurdles” created by Microsoft limit consumer choice and drive up the cost of security software.

  • If hacking {sic} back becomes law, what could possibly go wrong? [iophk: "any Windows machines even sending stray packet will then receive the full force of vault7+"]

    Representative Tom Graves, R-Ga., thinks that when anyone gets hacked {sic} -- individuals or companies -- they should be able to "fight back" and go "hunt for hackers {sic} outside of their own networks." The Active Cyber Defense Certainty ("ACDC") Act is getting closer to being put before lawmakers, and the congressman trying to make "hacking {sic} back" easy-breezy-legal believes it would've stopped the WannaCry ransomware.

  • Ransomware attack will count as data breach: security pro

    Ransomware attacks will be regarded as data breaches under Australia's new data breach legislation that comes into force on 22 February next year, according to the chief cyber security adviser at RSA.

Why you must patch the new Linux sudo security hole

Filed under
Linux
Security

If you want your Linux server to be really secure, you defend it with SELinux. Many sysadmins don't bother because SELinux can be difficult to set up. But, if you really want to nail down your server, you use SELinux. This makes the newly discovered Linux security hole -- with the sudo command that only hits SELinux-protected systems -- all the more annoying.

Security News: Microsoft Back Doors, Microsoft Lies, Microsoft Breakage, and Let’s Encrypt

Filed under
Security
  • Vietnamese hackers appear to be researching an NSA backdoor tool
  • EternalBlue NSA Exploit Becomes Commodity Hacking Tool, Spreads to Other Malware
  • Windows XP computers were mostly immune to WannaCry

    Windows XP isn’t as vulnerable to the WannaCry ransomware as many assumed, according to a new report from Kryptos research. The company’s researchers found that XP computers hit with the most common WannaCry attack tended to simply crash without successfully installing or spreading the ransomware. If true, the result would undercut much of the early reporting on Windows XP’s role in spreading the globe-spanning ransomware.

  • Whoops! Microsoft accidentally lets out a mobile-'bricking' OS update

    “A small portion” of Windows mobile users hoping the unexpected cool new update would start the month off the right way got burned yesterday. Microsoft “accidentally” released a development build of Windows 10 that can transform your phone into jelly if you try to install it.

    “We apologize for this inconvenience,” said Microsoft Windows and Devices Group software engineer Dona Sarkar in a blog post last night.

  • This is why Windows users don't install updates

    Although I use Linux for all day-to-day computing, I have two old laptops with Windows XP licenses, and I have them configured to dual-boot Windows or Linux. Every now and then I need to run a Windows application that won't work under Linux; they're handy then. And even though Windows XP support ended long ago, Microsoft decided to make a patch for the WannaCrypt worm available for XP.

  • "Foreign" denial-of-service attacks shut down social insurance sites

    The Social Insurance Institution (Kela) has been hit by a series of distributed denial-of-service (DDoS) attacks that crashed some of its online services on Friday and Saturday. Kela says it will provide more information as it becomes available. The state social services agency suffered disruptions for two and a half hours on Friday evening and for about four hours on Saturday.

  • [Older] Ping is okay? – Right?

    Of course, preventing covert channels using ICMP/DNS etc. is a good idea in general. But often in modern networks today there are so many other ways of getting data in and out of a network, that using an ICMP tunnel is something the attackers often do not need to do.

  • Creating a TXT only nsupdate connection for Let’s Encrypt

    I’m in the process of designing my own centralized Let’s Encrypt solution.

Security News

Filed under
Security
  • Vault 7: Implant can remotely infect Windows boxes

    WikiLeaks has resumed its release of material from the Vault 7 dump after missing a week, with the overnight release of documents from the CIA's Pandemic project, a persistent implant for Microsoft Windows machines that share files with remote users in a local network.

  • Why the Chinese love clunky QR codes, despite privacy and security shortcomings

    But one other aspect has become more of an issue. After $14.5 million was stolen from Chinese citizens through the use of fraudulent QR codes, the state-owned newspaper China Daily published an op-ed on the topic of QR fraud [...]

  • [Older] Code Blue: 8k Vulnerabilities in Software to manage Cardiac Devices

    The analysis of hardware and software associated with implantable cardiac devices spanned four, separate vendors and product families, but found a wide range of security weaknesses, among them the use of permanent (or “hardcoded”) authentication credentials like user names and passwords and the use of insecure communications, with one vendor transmitting patient data “in the clear.” All four product families were found to be highly susceptible to “reverse engineering” by a knowledgeable adversary, exposing design flaws that might then be exploited in remote or local attacks, researchers Billy Rios of Whitescope and Dr. Jonathan Butts wrote in their report.

  • [Older] 'Thousands' of known bugs found in pacemaker code

    They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems.

    Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic.

  • European IT security talents preparing for contest

    Teams of budding IT security specialists have begun preparing for the European Cyber Security Challenge (ECSC). The 150 winners from national competitions will gather for the final tournament, to be held in Málaga (Spain) from 30 October - 3 November. This year teams from 12 EU Member States and the EFTA countries Liechtenstein, Norway and Switzerland are participating in the hacking contest.

  • Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

    Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices [...]

More in Tux Machines

Fedora: Fedora + Plasma + Unity, Design Interns, and New ISO Build

  • Fedora + Plasma + Unity = Nice looks?
    Hybrid things aren't usually the best option around. Like hybrid cars, for example. Technically, when you marry concepts, you change the energy state, and while this could make sense in that you blend the best of several worlds, when this is done in a forced manner over a short period of time rather than eons of evolution, you end with the worst bits as the product of your mutation. I read about the United theme for Plasma a few months ago, and given that I've spent a fair deal of time fiddling with themes and icons and fonts and making different desktop environments look prettier than their defaults, I was intrigued. So I decided to see whether the notion of having Plasma look like Unity is a sane option. Let us.  Fedora + Plasma + Unity = Nice looks? [...] What is thy point, Vanessa, the astute among you may ask? Well, I have nothing against United or its creators, but I did come to the conclusion that too much tweaking is worse than no tweaking, if this statement makes sense. I like the notion of trying to overcome the inherent problems in each desktop through the use of themes and extensions. After all, I've been doing that profusely for the past few months. But it gets undone when you cross the desktop environment space. Making Gnome better yes. Making Plasma better, absolutely. Unity as an overlay for Plasma, well tricky. There's too much disparity for you to be able to hide the underlying workflow mechanisms and UI philosophies. Then, every little inconsistency glares. You notice things you do not expect, and you get angry because there are certain things you do expect. Some transformations work quite well because they build on the foundations, e.g. various Gnome panels or Macbuntu. But Plasma has its own special charm and flow and making it into a weird version of Unity, which itself is a weird version of Gnome misses the bigger picture. And so, if you're asking me, Plasma and Unity are two separate worlds, best enjoyed in isolation. 
    United is an interesting notion, but it also signifies the upper limit for my own wild ideas and tweaking. Yes, you can make it work, then again, it means taking away from the beauty and style of what these two desktops do, and that's not the purpose of my pimping guides. So we shall stop here, and explore other colors and shapes. Have fun, little penguins.
  • Fedora Design Interns 2017
    Here’s an update on internships. Older post linked to here. Quick recap: there’s been 2 long-term interns for Fedora design team since February, and one short-term guy, who came for 2 weeks at the beginning of June. Guys have been doing an amazing job, I can’t stress enough how happy I am to have them around.
  • F26-20170815 Updated ISOs released

today's howtos

Security: Hardware Back Doors, Microsoft Windows, Kronos

  • Hiding malware in boobytrapped replacement screens would undetectably compromise your mobile device
    On the one hand, if you let an untrusted stranger install hardware in your electronic device, you're opening yourself up to all kinds of potential mischief; on the other hand, an estimated one in five smartphones has a cracked screen and the easiest, most efficient and cheapest way to get that fixed is to go to your corner repair-shop.

  • How hackers {sic} are targeting the shipping industry [iophk: "Microsoft TCO"]
    Whenever one of the firm's fuel suppliers would send an email asking for payment, the virus simply changed the text of the message before it was read, adding a different bank account number.

  • Locky ransomware is back from the dead with two new strains [iophk: "Windows TCO"]
    What hasn't changed, though, is the method of distribution. Rather than rifling through the trove of spilt US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.

  • Connected cars could have an airbag problem
    "It's not the car manufacturers' fault, and it's not a problem introduced by them. The security issue that we leveraged in our research lies in the standard that specifies how the car device network (i.e., CAN) works," added Trend.

    [...] To eliminate the risk entirely, an updated CAN standard should be proposed, adopted, and implemented. This whole process would likely require another generation of vehicles."

  • Code chunk in Kronos malware used long before MalwareTech published it
    A chunk of code found in the Kronos bank-fraud malware originated more than six years before security researcher Marcus Hutchins is accused of developing the underlying code, a fellow security researcher said Friday. The conclusion, reached in an analysis of Kronos published by security firm Malwarebytes, by no means proves or disproves federal prosecutors' allegations that Hutchins wrote Kronos code and played a role in the sale of the malware. It does, however, clarify speculation over a Tweet from January 2015, in which MalwareTech—the online handle Hutchins used—complained that a complex piece of code he had published a month earlier had been added to an unnamed malware sample without his permission.
  • Secret chips in replacement parts can completely hijack your phone’s security
    People with cracked touch screens or similar smartphone maladies have a new headache to consider: the possibility the replacement parts installed by repair shops contain secret hardware that completely hijacks the security of the device. The concern arises from research that shows how replacement screens—one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0—can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.

Ubuntu: Themes and Icons, MAAS, Podcast and More

  • Some interesting Ubuntu themes and icons
    Well, I guess there isn't much to say. If you like the stock looks, ignore this article. If you find the defaults not colorful or fun enough, or you just plain like tweaking, then you might want to consider some of the stuff I've outlined here. My taste is subjective, of course, but then, I aim for simple, clean designs and pleasing art work. Overall, you have a plenty of good options here. More icons than themes. Vimix or Arc seem like neat choices for the latter, and among the sea of icons, Moka, Numix and Uniform seem to do a great job. And of course, Macbuntu. I wish there were more monochrome or accented icons, but that's something I still haven't found. Anyhow, I hope you like this silly little piece. If you have suggestions, please send them, just remember my aesthetics criteria - simplicity of installation, clean lines, no gradients, no bugs. That would be all for today, fellas.
  • 7 of the Best Icon Themes for Ubuntu
    On a hunt to find the best icon themes for Ubuntu? Well, you’ve come to the right post place! In this post we will show you some of the best icon themes for Ubuntu, ranging from modern, flat icon sets, to a circular icon pack carrying a colourful twist. Oh, and as this article is constantly updated you don’t need to fret about any of the links or information being out of date. Feel free to bookmark this list for future reference, or share it on social media.
  • MAAS Development Summary – August 18th, 2017
  • S10E24 – Fierce Hurried Start
  • conjure-up dev summary: aws native integration, vsphere <3, and ADDONS