Security

Go phish your own staff: Dev builds open-source fool-testing tool

Filed under
OSS
Security

The platform was written in Go and has been posted to GitHub where it's had more than 300 commits at the time of writing. It differs from some other anti-phishing platforms in part because it is hosted on premise rather than in the cloud. “There are many commercial offerings that provide phishing simulation/training [but] unfortunately, these are SaaS solutions that require you to hand over your data to someone else,” the GoFish team says.

Security Leftovers

Filed under
Security
  • Tuesday's security advisories
  • Best practice - Don't serve writeable PHP files

    I deal with compromises often enough of PHP-based websites that I wish to improve hardening.

    One obvious way to improve things is to not serve PHP files which are writeable by the webserver-user. This would ensure that things like wp-content/uploads didn't get served as PHP if a compromise wrote valid PHP there.

  • New Cross-Platform Backdoors Go From Linux to Windows

    Kaspersky Lab has once again found a nasty little piece of malware that started out in Linux and made the jump to Windows. These cross-platform backdoors spy on the user and are by no means the first backdoor virus of this kind.

  • Obama’s $6bn Security Firewall EINSTEIN Is Not Good Enough To Protect The US Government

    The U.S. Department of Homeland Security (DHS) has spent about $6 billion on a firewall named EINSTEIN intrusion detection system. Officially known as the National Cybersecurity Protection System, the firewall is being developed with an intention to protect the U.S. government agencies against the malicious cyber attacks.

  • Another Serious Bug Hits OpenSSL, But this Time, It's No Heartbleed

    OpenSSL, the open source encryption toolkit that made headlines in 2014 for the Heartbleed security bug, has been hit by another serious vulnerability. This time, however, the real-world damage seems minimal.

    The project disclosed the bug, which results from a new method for generating numbers used for key exchanges, on Jan. 28. It assigned the bug a high severity level, presumably since the flaw could be exploited in order to decrypt data that is encrypted using OpenSSL, the protocol widely used for encrypting information transmitted to and from HTTPS-protected websites.

The top 10 Linux security distros

Filed under
Linux
Security

Linux distros can be used for a lot of things, from games to education, but when it comes to security, there’s a whole mini-universe available.

Not only can you find distros made to protect your privacy, making sure you leave no trace as you move around the web, but also those that help you test your network and system security.

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • Your Smartphone Can Be Hacked Due To A Backdoor In Your Processor

    A new security vulnerability has been reported in smartphones which use MediaTek processors. MediaTek is a Taiwan-based company which manufactures processors for budget-range smartphones. The security bug was found because a debug feature was not closed on the smartphone after testing.

    A new bug has surfaced lately on the Android smartphones or tablets which use a MediaTek processor. These devices are vulnerable to remote hacking via a backdoor. This security vulnerability was discovered by a security researcher, Justin Case. The MediaTek company has been informed about the flaw. This security vulnerability is apparently due to a debug tool which was left open by MediaTek in the shipped devices.

  • Using IPv6 with Linux? You’ve likely been visited by Shodan and other scanners
  • Trojanized Android games hide malicious code inside images

    Over 60 Android games hosted on Google Play had Trojan-like functionality that allowed them to download and execute malicious code hidden inside images.

    The rogue apps were discovered by researchers from Russian antivirus vendor Doctor Web and were reported to Google last week. The researchers dubbed the new threat Android.Xiny.19.origin.

  • Google fixes multiple Wi-Fi flaws, mediaserver bugs in Android
  • On WebKit Security Updates

    Major desktop browsers push automatic security updates directly to users on a regular basis, so most users don’t have to worry about security updates. But Linux users are dependent on their distributions to release updates. Apple fixed over 100 vulnerabilities in WebKit last year, so getting updates out to users is critical.

Celebrating 15 Years of SELinux

Filed under
Red Hat
Security

On Dec. 22, 2000, the NSA released their code to the wider open source world in the form of SELinux, and in doing so forever changed the security landscape of not just Linux, but the technology world at large. A combination of policies and security frameworks, SELinux is one of the most widely-used Linux security modules. Without these innovations, Common Criteria, a crucial government security certification, would likely not exist for Linux.

Kali Linux Literature

Filed under
GNU
Linux
Security
  • Migrating from Kali Linux 2 to Kali Linux 2016.1

    The first edition of Kali Linux Rolling, Kali 2016.1, was released more than a week ago. It marks the end of Kali Linux 2 and the beginning of a new release regime.

    It’s still based on Debian Testing, so existing users don’t have to do anything special but run a few commands to upgrade from Kali Linux 2 to Kali Linux 2016.1. Aside from installation images for the GNOME 3 desktop, there are also installation images for the Light edition, which uses the Xfce desktop environment. And there are also ARM installation images.

  • Kali Linux Cookbook eBook - $24 value, now free!

Lexumo Lands $4.89 Million Seed Round To Help Ensure Open Source Code Security

Filed under
OSS
Security

What has Lexumo created to warrant that kind of financial attention? It indexed all of the open source code in the world and created a cloud security service aimed at helping companies using open source code inside embedded systems or enterprise software. These groups can submit their code to the Lexumo service and it checks for any known security vulnerabilities. What’s more, it will then continuously monitor the code for updates and inform developers when one is available.

Security Leftovers

Filed under
Security
  • Forcing out bugs with stress-ng

    I've also tried to make stress-ng portable, so it can build fine on GNU/Hurd and Debian kFreeBSD (with Linux specific tests not built-in of course). It also contains some architecture specific features, such as handling the data and instruction cache as well as the x86 rdrand instruction and cache line locking. If there are any ARM specific features that can be stressed I'd like to know and perhaps implement stressors for them.

  • OpenSSH and the dangers of unused code

    Unused code is untested code, which probably means that it harbors bugs—sometimes significant security bugs. That lesson has been reinforced by the recent OpenSSH "roaming" vulnerability. Leaving a half-finished feature only in the client side of the equation might seem harmless on a cursory glance but, of course, is not. Those who mean harm can run servers that "implement" the feature to tickle the unused code. Given that the OpenSSH project has a strong security focus (and track record), it is truly surprising that a blunder like this could slip through—and keep slipping through for roughly six years.

  • Why Is Usable Security Hard, and What Should We Do about it?
  • Linux-Based Botnets Accounted for More than Half of DDoS Attacks in Q4 2015

IPFire 2.17 Open Source Linux Firewall OS Gets OpenSSL 1.0.2f and OpenSSH 7.1p2

Filed under
OSS
Security

The IPFire development team announced last evening the immediate availability for download or update of the IPFire 2.17 Core Update 97 Linux kernel-based firewall distribution.

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Critical OpenSSL Patch Available. Patch Now!

    All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs... not so much HTTPS).

  • Linux Trojan That Takes Screenshots and Records Audio Has a Windows Brother

    The Linux trojan that spied on users by taking screenshots of their desktop now has a Windows variant, as Kaspersky's security team has found out.

    The trojan, first discovered by Dr.Web and named Linux.Ekocms, and later also identified by Sophos as Linux/Mokes-A, and then by Kaspersky as Backdoor.Linux.Mokes.a, has caused some stir in the Linux community because it was one of the first spyware threats detected in the wild on the platform.

More in Tux Machines

Open source SDR SBC runs Snappy Ubuntu on Cyclone V

The open source, $299 “LimeSDR” board runs Snappy Ubuntu Core on a Cyclone V, and supports user-defined radios ranging from ZigBee to LTE. UK-based Lime Microsystems, which develops field programmable RF (FPRF) transceivers for wireless broadband systems, has launched an open source software defined radio (SDR) board on CrowdSupply. Like other Linux-based SDR systems we’ve seen, the LimeSDR uses an FPGA to help orchestrate wireless communications that can be tuned, manipulated, and reconfigured to different wireless standards via software.

Critical Infrastructure Goes Open Source

The electrical grid, water, roads and bridges—the infrastructure we take for granted—is seldom noticed until it's unavailable. The burgeoning open source software movement is taking steps to help rebuild crumbling U.S. civil infrastructure while capitalizing on expansion in emerging markets by providing software building blocks to help develop interoperable and secure transportation, electric power, oil and gas as well as the healthcare infrastructure. Under a program launched in April called the Civil Infrastructure Platform, the Linux Foundation said the initiative would provide "an open source base layer of industrial grade software to enable the use and implementation of software building blocks for civil infrastructure."

Where have all the MacBooks gone at Linux conferences?

In past years, the vast ocean of Apple logos really undercut any statement of “Linux is great.” People would, inevitably, retort with, “Then why are all the 'Linux People' using Macs?” Admittedly, that was a great point and has been a source of shame for many of us for a very long time. But now things are different. The Apple logos are (mostly) gone from Linux conferences. This may be an unscientific observation from one person attending a few conferences in North America. Regardless, it's a great feeling.

Leftovers: Ubuntu

  • Ubuntu 16.04 to-do list
    UBUNTU 16.04 or Xenial Xerus, the latest upgrade of the popular Linux distribution, became available as a free download last month, and early reviews have been favorable. Instead of upgrading my existing Ubuntu 15.10 system, this time I opted for a fresh install. I also decided to give the improved Unity 7 desktop a go, instead of installing my preferred alternative XFCE. The installation process was trouble-free, but because I started from scratch, I had quite a bit to add and tweak after the OS itself was installed.
  • Ubuntu Founder Pledges No Back Doors in Linux
    VIDEO: Mark Shuttleworth, founder of Canonical and Ubuntu, discusses what might be coming in Ubuntu 16.10 later this year and why security is something he will never compromise. Ubuntu developers are gathering this week for the Ubuntu Online Summit (UOS), which runs from May 3-5, to discuss development plans for the upcoming Ubuntu 16.10 Linux distribution release, code-named "Yakkety Yak."
  • Ubuntu & Other Ubuntu Spins Look At Making Room To Grow
    With Ubuntu's install images continuing to be oversized with pushing 1.4GB on recent releases, Ubuntu developer Steve Langasek has raised the new limit for Ubuntu desktop images to 2GB. Other Ubuntu flavors are also following in this move. Langasek has raised the size limit for images now to 2GB for being able to accommodate the current oversized images plus still having room to grow.
  • Ubuntu’s Snap packages aren’t yet as secure as Canonical’s marketing claims
    Canonical has been talking up Snaps, a new type of package format featured in Ubuntu 16.04 LTS. “Users can install a snap without having to worry whether it will have an impact on their other apps or their system,” reads Canonical’s announcement. But this isn’t true, as prominent free software developer Matthew Garrett recently pointed out.