Security

Three serious Linux kernel security holes patched

Filed under
Linux
Security

The good news is developers are looking very closely at Linux's core code for possible security holes. The bad news is they're finding them.

At least the best news is that they're fixing them as soon as they're uncovered.

The latest three kernel vulnerabilities are designated CVE-2016-8655, CVE-2016-6480, and CVE-2016-6828. Of these, CVE-2016-8655 is the worst of the bunch. It enables local users, which can include remote users with virtual and cloud-based Linux instances, to crash the system or run arbitrary code as root.

Antivirus Live CD 21.0-0.99.2 Helps You Protect Your Computer Against Viruses

Filed under
Security

4MLinux developer Zbigniew Konojacki proudly informs Softpedia today about the general availability of the Antivirus Live CD 21.0-0.99.2 bootable ISO image for scanning computers for viruses and other malware.

Security News

Filed under
Security

Canonical Outs Live Patch Kernel Update for Ubuntu 16.04 to Patch Security Flaws

Filed under
Security
Ubuntu

Just one day after announcing the availability of new kernel versions for all of its supported Ubuntu Linux operating systems, Canonical published a new kernel live patch security notice for Ubuntu 16.04 LTS (Xenial Xerus).

Security News

Filed under
Security
  • News in brief: DirtyCOW patched for Android; naked lack of security; South Korea hacked
  • Millions exposed to malvertising that hid attack code in banner pixels

    Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

  • Backdoor accounts found in 80 Sony IP security camera models

    Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version.

    Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price.

    One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.

  • I'm giving up on PGP

    After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys.

    This is not about the gpg tool itself, or about tools at all. Many already wrote about that. It's about the long term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

Ubuntu Core has the keys to IoT security

Filed under
Security
Ubuntu

In October, a DDoS attack on Dyn's infrastructure took down a big chunk of the internet, making sites like Amazon and Twitter inaccessible. It was the first major attack involving IoT (internet of things) devices. Fortunately, it was also a benign attack: no one got hurt, no one died.

However, the next attack could be catastrophic. No one knows when it will happen. No one knows the magnitude.

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • There’s a new DDoS army, and it could soon rival record-setting Mirai

    For almost three months, Internet-of-things botnets built by software called Mirai have been a driving force behind a new breed of attacks so powerful they threaten the Internet as we know it. Now, a new botnet is emerging that could soon magnify or even rival that threat.

    The as-yet unnamed botnet was first detected on November 23, the day before the US Thanksgiving holiday. For exactly 8.5 hours, it delivered a non-stop stream of junk traffic to undisclosed targets, according to this post published Friday by content delivery network CloudFlare. Every day for the next six days at roughly the same time, the same network pumped out an almost identical barrage, which is aimed at a small number of targets mostly on the US West Coast. More recently, the attacks have run for 24 hours at a time.

  • Open source Roundcube webmail can be attacked ... by sending it an e-mail

    The developers of open source webmail package Roundcube want sysadmins to push in a patch, because a bug in versions prior to 1.2.3 let an attacker crash it remotely – by sending what looks like valid e-mail data.

    The authors overlooked sanitising the fifth argument (the _from parameter) in mail() – and that meant someone only needed to compose an e-mail with malicious info in that argument to attack Roundcube.

    [...]

    Roundcube posted a patch to GitHub at the end of November, and issued a version 1.2.3 here.

  • Latest Android security update fixes Dirty COW, GPS vulnerabilities
  • Open Source Flaws Found in Security Software

    Yet another industry survey has flagged open source software that according to one estimate accounts for half of the global code base as a growing security threat. Moreover, a review released by Flexera Software also found that the very security products designed to protect IT infrastructure are themselves riddled with vulnerabilities embedded in open source software.

FFmpeg 3.2.2 "Hypatia" Open-Source Multimedia Framework Released with 30 Fixes

Filed under
OSS
Security

Today, December 6, 2016, the development team behind the powerful, open-source, free, and cross-platform FFmpeg multimedia framework released a new maintenance update in the FFmpeg 3.2 "Hypatia" series.

Security News

Filed under
Security
  • HP shutting down default FTP, Telnet access to network printers

    Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools.

    Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed.

  • Google Chrome 55 Fixes Flaws, Blocks Flash
  • Cyberattacks are going to get a lot worse, former NSA official says

    The face of cybercrime is changing. Healthcare has gone from a declared mission of stealing personal data to much more disruptive issues. In fact, healthcare has seen the largest jump in ransomware attacks than in any other industry.

    When Joel Brenner opened the HIMSS Privacy & Security Forum in Boston Monday morning, the Massachusetts Institute of Technology research fellow - who focuses on cybersecurity, privacy and intelligence policy - and former senior counsel at the National Security Agency, didn’t sugarcoat the state of healthcare security.

    The government isn’t going to sort out that problem until we suffer some great losses, Brenner said.

  • Google Debuts Continuous Fuzzer for Open Source Software

    A new Google program aimed at continuously fuzzing open source software has already detected over 150 bugs.

    The program, OSS-Fuzz, currently in beta mode, is designed to help unearth programming errors in open source software via fuzz testing. Fuzz testing, or fuzzing, is when bits of randomly generated code are inputted into programs as a means to discover code and security flaws.

  • Chrome 55 Now Blocks Flash, Uses HTML5 by Default

    Chrome 55, released earlier this week, now blocks all Adobe Flash content by default, according to a plan set in motion by Google engineers earlier this year.

    Back in May, Google's staff announced that starting with Q4 2016, Chrome would use HTML5 by default, while Flash would be turned off.

    While some of the initial implementation details of the "HTML5 By Default" plan changed since May, Flash has been phased out in favor of HTML5 as the primary technology for playing multimedia content in Chrome.

More in Tux Machines

Leftovers: OSS

  • Diving into Drupal: Princeton’s Multi-site Migration Success with Open-source
    Princeton University’s web team had a complex and overwhelming digital ecosystem comprised of many different websites, created from pre-built templates and hosted exclusively on internal servers. Fast forward six years: Princeton continues to manage their multisite and flagship endeavors on the open-source Drupal platform, and has seen some great results since their migration back in 2011. However, this success did not come overnight. Organizational buy-in, multi-site migration and authentication were a few of the many challenges Princeton ran into when making the decision to move to the cloud.
  • GitHub Invites Developers to Contribute to the Open Source Guides
    GitHub has recently launched its Open Source Guides, a collection of resources addressing the most common scenarios and best practices for both contributors and maintainers of open source projects. The guides themselves are open source and GitHub is actively inviting developers to participate and share their stories.
  • Top open source projects
    TechRadar recently posted an article about "The best open source software 2017" where they list a few of their favorite open source software projects. It's really hard for an open source software project to become popular if it has poor usability—so I thought I'd add a few quick comments of my own about each.
  • Dropbox releases open-source Slack bot
    Dropbox is looking to tackle unauthorized access and other security incidents in the workplace with a chatbot. Called Securitybot, it can automatically grab alerts from security monitoring tools and verify incidents with other employers. The company says that through the use of the chatbot, which is open source, it will no longer be necessary to manually reach out to employees to verify access every time someone enters a sensitive part of the system. The bot is built primarily for Slack, but it is designed to be transferable to other platforms as well.
  • Dropbox’s tool shows how chatbots could be future of cybersecurity
    Disillusion with chatbots has set in across the tech industry and yet Dropbox’s deep thinkers believe they have spotted the technology’s hidden talent: cybersecurity.

Desktop GNU/Linux

  • Entroware have unleashed the 'Aether' laptop for Linux enthusiasts featuring Intel's 7th generation CPUs
  • New Entroware Aether Laptop Pairs Intel Kaby Lake with Ubuntu
    The new Entroware Aether is the latest Linux powered laptop from British company Entroware, and is powered by the latest Intel Kaby Lake processors.
  • Freedom From Microsoft v1.01
    But we can be Free from Microsoft! As we saw above, there is a powerful – and now popular movement afoot to make alternative software available. The Free Software Foundation, and the GNU Project, both founded by Richard Stallman, provide Free software to users with licenses that guarantee users rights: the rights to view, modify, and distribute the software source code. With GNU-licensed software, such as Linux, the user is in complete control over the software they employ. And as people contribute to modify Free Software source code, and are required to share those modifications again, the aggregate creative acts give rise to the availability of many more, much more useful results. Value is created beyond what anyone thought possible, and our freedom multiplies.
  • Review of the week 2017/08
    This week we had to cancel a couple snapshots, as a regression in grub was detected, that caused issues on chain-loading bootloaders. But thanks to our genius maintainers, the issue could be found, fixed and integrated into Tumbleweed (and this despite being busy with hackweek! A great THANK YOU!). Despite those canceled snapshots, this review will still span 4 revisions: 0216, 0218, 0219 and 0224. And believe me, there have been quite some things coming your way.

Security Leftovers

  • [Older] The Secure Linux OS - Tails
    Some people worry a lot about security issues. Anyone can worry about their personal information, such as credit card numbers, on the Internet. They can also be concerned with someone monitoring their activity on the Internet, such as the websites they visit. To help ease these frustrations about the Internet anyone can use the Internet without having to “look over their shoulder”.
  • Password management made easy as news of CloudFlare leak surfaces
    In the last 24 hours, news broke that a serious Cloudflare bug has been causing sensitive data leaks since September, exposing 5.5 million users across thousands of websites. In addition to login data cached by Google and other search engines, it is possible that some iOS applications have been affected as well. With the scale of this leak, the best course of action is to update every password for every site you have an account for. If there was ever a good time to modernize your password practices, this is it. As consumers and denizens of the Internet, we have a responsibility to be aware of the risks we face and make an attempt to mitigate that risk by taking best-effort precautions. Poor password and authentication hygiene leaves a user open to risks such as credit card fraud and identity theft, just like forgetting to brush your teeth regularly can lead to cavities and gum disease. This leaves us with the question of what good password and authentication hygiene looks like. If we stick with the (admittedly poorly chosen) dentistry analogy, then there are five easily identifiable aspects of good hygiene.
  • Security: You might want to change passwords on sites that use Cloudflare
  • Smoothwall Express
    The award-winning Smoothwall Express open-source firewall—designed specifically to be installed and administered by non-experts—continues its forward development march with a new 3.1 release.

Leftovers: Ubuntu and Derivatives

  • 'Big Bang Theory's' Stuart wears Ubuntu T-shirt
    Am I the only person to notice that comic book shop-owning Stuart (Kevin Sussman) on the "The Big Bang Theory" is wearing an Ubuntu T-shirt on the episode airing Thursday, Feb. 23, 2017? (It's Season 10, Episode 17, if that information helps you.) The T-shirt appearance isn't as overt as Sheldon's mention of the Ubuntu Linux operating system way back in Season 3 (Episode 22, according to one YouTube video title), but it's an unusual return for Ubuntu to the world of "Big Bang."
  • Unity Explained: A Look at Ubuntu’s Default Desktop Environment
    Ubuntu is the most well-known version of Linux around. It’s how millions of people have discovered Linux for the first time, and continues to draw new users into the world of open source operating systems. So the interface Ubuntu uses is one many people are going to see. In this area, Ubuntu is unique. Even as a new user, rarely will you confuse the default Ubuntu desktop for something else. That’s because Ubuntu has its own interface that you can — but probably won’t — find anywhere else. It’s called Unity.
  • A Look at Ubuntu MATE 16.04.2 LTS for Raspberry Pi
    Installing Ubuntu MATE onto my Raspberry Pi 3 was straightforward. You can easily use Etcher to write the image to a microSD card, the partition is automatically resized to fill your microSD card when the Pi is powered up for the first time, and then you are sent through a typical guided installer. Installation takes several minutes and finally the system reboots and you arrive at the desktop. A Welcome app provides some good information on Ubuntu MATE, including a section specific for the Raspberry Pi. The Welcome app explains that while the system is based on Ubuntu MATE and uses Ubuntu armhf base, it is in fact using the same kernel as Raspbian. It also turns out that a whole set of Raspbian software has been ported over such as raspi-config, rpi.gpio, sonic-pi, python-sent-hat, omxplayer, etc. I got in a very simple couple of tests that showed that GPIO control worked.
  • Zorin OS 12 Business Has Arrived [Ed: Zorin 12.1 has also just been released]
    This new release of Zorin OS Business takes advantage of the new features and enhancements in Zorin OS 12, our biggest release ever. These include an all new desktop environment, a new way to install software, entirely new desktop apps and much more. You can find more information about what’s new in Zorin OS 12 here.