Security

Security News

  • Surveillance video shows a case of high-tech grand theft auto, more than 100 cars stolen [Ed: proprietary software, recall this about Jeep]

    Houston, Texas police announced the arrest of two men accused of stealing about 30 Jeep and Dodge vehicles. Authorities say they did it by using a laptop computer.

    Police tell KTRK they've been watching these guys for a while but were never able to catch them in the act of stealing Jeeps - until last Friday.

    Police say Michael Arce and Jesse Zelaya stole more than 30 Jeeps in the Houston area over the last six months.

  • Openssh backdoor used on compromised Linux servers

    Some time ago, I installed honeypot services on one of my servers, in order to see what happens in the real outside world. I especially installed the cowrie ssh honeypot, which simulates a Linux shell and gathers the binaries that people want to install on the server (this tool is awesome, check here to install it).

  • random failures

    Lots of examples of random numbers failing, leading to cryptographic failure.

    The always classic Debian, OpenSSL, and the year of the zero.

    The time Sony signed Playstation code with the same nonce and leaked the keys.

    Samy phpwned session IDS.

    The Bitcoin app Blockchain used random.org for entropy. Bonus giggles for not following the HTTP redirect, but actually using “301 Moved Permanently” as a random number.

    The paper Mining Your Ps and Qs has pretty extensive investigation into weak keys on network devices, many of which result from poor entropy.

    Now here’s a question. How many of these vulnerabilities could have been prevented by plugging in some sort of “true random” USB gizmo of the sort that regularly appears on kickstarter? I’m going to go with not many. USB gizmos don’t prevent inopportune calls to memset. USB gizmos don’t prevent nonce reuse. USB gizmos don’t block utterly retarded HTTP requests.

Security Leftovers

  • Desktop / Laptop privacy & security of web browsers on Linux part 1: concepts and theory
  • In DARPA challenge, smart machines compete to fend off cyberattacks

    The first all-machine hacking competition is taking place today in Las Vegas.

    Seven teams, each running a high-performance computer and autonomous systems, are going head-to-head to see which one can best detect, evaluate and patch software vulnerabilities before adversaries have a chance to exploit them.

    It’s the first event where machines – with no human involvement – are competing in a round of "capture the flag," according to DARPA (Defense Advanced Research Projects Agency), which is sponsoring and running the event. DARPA is the research arm of the U.S. Defense Department.

    The teams are vying for a prize pool of $3.75 million, with the winning team receiving $2 million, the runner-up getting $1 million and the third-place team taking home $750,000. The winner will be announced Friday morning.

  • Let's Encrypt will be trusted by Firefox 50

Security News

  • How Public Shame Might Force a Revolution in Computer Security

    The numbers are depressing. An estimated 700 million data records were stolen in 2015. But despite the billions spent on computer security, flaws that allow such attacks are fixed slowly. A June report found that financial companies, for example, take on average over five months to fix known online security vulnerabilities.

    “The security industry gets $75 billion every year to try to secure things, and what you get for that is everybody is hacked all the time,” said Jeremiah Grossman, chief of security strategy at SentinelOne, speaking at the Black Hat security conference in Las Vegas on Wednesday.

    Yet Grossman and some other veterans of the security industry have lately become more optimistic. They see a chance that companies will soon have much stronger financial incentives to invest in securing and maintaining software.

  • DefCon: How the Hacker Tracker Mobile App Stays Secure

    The DefCon hacker conference here at the Bally's and Paris Hotels is a massive affair with many rooms, events and workshops spread across multiple times and days. While there is a paper schedule, many hackers now rely on Hacker Tracker, which has become the de facto mobile app of the DefCon conference.

    The Hacker Tracker was developed by two volunteers, Whitney Champion, systems engineer at SPARC, and Seth Law, chief security officer at nVisium. Champion built the Android version of the app while Law built the iOS version.

    In a video interview at DefCon, Law provided details on how Hacker Tracker is built and the steps he and Champion have taken to keep it and hacker data secure.

  • Windows 10 Linux Feature Brings Real, but Manageable Security Risks [Ed: Vista 10 is malware with intentional (baked in) back doors, Linux and GNU won’t make it any worse]

    The Bash shell support in the Anniversary Update for Windows 10 is a valuable tool for developers, but it needs to be used carefully because of potential security risks.

  • Linux Botnets Dominate the DDoS Landscape [Ed: Kaspersky marketing]

Security News

  • Friday's security updates
  • How to Hack an Election in 7 Minutes

    When Princeton professor Andrew Appel decided to hack into a voting machine, he didn’t try to mimic the Russian attackers who hacked into the Democratic National Committee's database last month. He didn’t write malicious code, or linger near a polling place where the machines can go unguarded for days.

  • Apache OpenOffice and CVE-2016-1513

    The Apache OpenOffice (AOO) project has suffered from a lack of developers for some time now; releases are infrequent and development of new features is relatively slow. But a recent security advisory for CVE-2016-1513 is rather eye-opening in that it further shows that the project is in rough shape. Announcing a potential code execution vulnerability without quickly providing a new release of AOO may be putting users of the tool at more risk than they realize.

Let's Encrypt Root to be Trusted by Mozilla


The Let’s Encrypt root key (ISRG Root X1) will be trusted by default in Firefox 50, which is scheduled to ship in Q4 2016. Acceptance into the Mozilla root program is a major milestone as we aim to rely on our own root for trust and have greater independence as a certificate authority (CA).

Public CAs need their certificates to be trusted by browsers and devices. CAs that want to issue independently under their own root accomplish this by either buying an existing trusted root, or by creating a new root and working to get it trusted. Let’s Encrypt chose to go the second route.


Security News

  • Linux Botnets on a Rampage [Ed: Kaspersky marketing in essence]

    Linux-operated botnet Distributed Denial of Service attacks surged in this year's second quarter, due to growing interest in targeting Chinese servers, according to a Kaspersky Lab report released this week. South Korea kept its top ranking for having the most command-and-control servers. Brazil, Italy and Israel ranked among the leaders behind South Korea for hosting C&C servers, according to Kaspersky Lab. DDoS attacks affected resources in 70 countries, with targets in China absorbing 77 percent of all attacks.

  • Machine-Learning Algorithm Combs the Darknet for Zero Day Exploits, and Finds Them

    In April, cybersecurity experts found an exploit based on this vulnerability for sale on a darknet marketplace where the seller was asking around $15,000. In July, the first malware appeared that used this vulnerability. This piece of malware, the Dyre Banking Trojan, targeted users all over the world and was designed to steal credit-card numbers from infected computers.

    The episode provided a key insight into the way malware evolves. In the space of just a few months, hackers had turned a vulnerability into an exploit, offered this for sale, and then saw it developed into malware that was released into the wild.

  • Frequent password changes are the enemy of security, FTC technologist says

    Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

    The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

  • Managing Encrypted Backups in Linux, Part 2

    In part 1, we learned how to make simple automated unencrypted and encrypted backups. In this article, I will show you how to fine-tune your file selection, and how to back up your encryption keys.

  • Getting started with Tails, the encrypted, leave-no-trace operating system

    Tails, an encrypted and anonymous OS that bundles widely used open source privacy tools on a tiny device, is one of the most secure operating systems in the world. The Linux distribution rose to popularity when it was revealed Edward Snowden relied on Tails to secure his identity while sharing NSA secrets with journalists Glenn Greenwald and Laura Poitras. In the past half decade, Tails has been embraced as an essential security suite by journalists, hackers, and IT workers.

    Tails is an acronym for The Amnesic Incognito Live System. The OS runs Debian and is easy to run on Macs and PCs from a USB drive. Tails encrypts all local files, runs every internet connection through Tor and blocks all non-secure connections, and provides a suite of secure communication tools like the Tor browser, HTTPS Everywhere, OpenPGP, the Claws Mail client, I2P, an IP address overlay network, and a Windows 8 camouflage mode to deter over-the-shoulder snooping.

  • Never Trust a Found USB Drive, Black Hat Demo Shows Why [Ed: Windows autoruns stuff]

    Does dropping an infected USB drive in a parking lot work when it comes to a hacker luring its prey into a digital trap? The answer is a resounding yes.

    At Black Hat USA, security researcher Elie Bursztein shared the results of an experiment where he dropped 297 USB drives with phone-home capabilities on the University of Illinois Urbana-Champaign campus. He also explained how an attacker might program and camouflage a malicious USB drive outfitted with a Teensy development board to take over a target’s computer within seconds after plugging the drive in.

Security News

  • Security updates for Thursday
  • Risk From Linux Kernel Hidden in Windows 10 Exposed at Black Hat [Ed: "Alex Ionescu, chief architect at Crowdstrike" - well, enough says. CrowdStrike Microsoft-tied. CrowdStrike are the same chronic liars who recently accused Russia of DNC leaks despite lack of evidence. The corporate press cited them. How can GNU and Linux running under a piece of malware with keyloggers and back doors be the main security concern?]
  • Italian-based Android RAT spies on mobiles in Japan and China, say researchers

    Researchers discover an Italian-based Android RAT designed for spying that is targeting mobile devices using their unique identification codes.

  • keysafe

    Have you ever thought about using a gpg key to encrypt something, but didn't due to worries that you'd eventually lose the secret key? Or maybe you did use a gpg key to encrypt something and lost the key. There are nice tools like paperkey to back up gpg keys, but they require things like printers, and a secure place to store the backups.

    I feel that simple backup and restore of gpg keys (and encryption keys generally) is keeping some users from using gpg. If there was a nice automated solution for that, distributions could come preconfigured to generate encryption keys and use them for backups etc. I know this is a missing piece in the git-annex assistant, which makes it easy to generate a gpg key to encrypt your data, but can't help you back up the secret key.

    So, I'm thinking about storing secret keys in the cloud. Which seems scary to me, since when I was a Debian Developer, my gpg key could have been used to compromise millions of systems. But this is not about developers, it's about users, and so trading off some security for some ease of use may be appropriate. Especially since the alternative is no security. I know that some folks back up their gpg keys in the cloud using Dropbox. We can do better.

More Security News

  • Kaminsky Warns Black Hat Audience of Risks to the Internet
  • Severe vulnerabilities discovered in HTTP/2 protocol
  • ChaosKey v1.0 Released — USB Attached True Random Number Generator

    Support for this device is included in Linux starting with version 4.1. Plug ChaosKey into your system and the driver will automatically add entropy into the kernel pool, providing a constant supply of true random numbers to help keep the system secure.

    ChaosKey is free hardware running free software, built with free software on a free operating system.

  • Changes for GnuPG in Debian

    The GNU Privacy Guard (GnuPG) upstream team maintains three branches of development: 1.4 ("classic"), 2.0 ("stable"), and 2.1 ("modern").

    They differ in various ways: software architecture, supported algorithms, network transport mechanisms, protocol versions, development activity, co-installability, etc.

    Debian currently ships two versions of GnuPG in every maintained suite -- in particular, /usr/bin/gpg has historically always been provided by the "classic" branch.

    That's going to change!

    Debian unstable will soon be moving to the "modern" branch for providing /usr/bin/gpg. This will give several advantages for Debian and its users in the future, but it will require a transition. Hopefully we can make it a smooth one.

Security Leftovers

  • Kaspersky Lab Launches Bug Bounty Program With HackerOne

    The security firm allocates $50,000 to pay security researchers for responsibly disclosing flaws in its security products.

    Kaspersky Lab is no stranger to the world of vulnerability research, but the company is now opening up and enabling third-party security researchers to disclose vulnerabilities about Kaspersky's own software.

  • Reproducible builds for PaX/Grsecurity

    A series of scripts has been created to do reproducible builds of the Linux kernel with the PaX/Grsecurity patch set.

    Thanks to:

    PaX/Grsecurity
    Debian GNU/Linux Community
    Shawn C (a.k.a. “Citypw”)
    Linux From Scratch

    Without the contributions of these projects, communities and people, the scripts could not have been completed.

  • Four flaws in HTTP/2 could bring down web servers

    SECURITY RESEARCHERS have uncovered at least four flaws in the HTTP/2 protocol, the successor to HTTP that was launched properly only in May last year, after Google rolled up its SPDY project into HTTP/2 in February.

    The flaws enable attackers to slow web servers by overwhelming them with seemingly innocent messages that carry a payload of gigabytes of data, putting them into infinite loops and even causing them to crash.

    The HTTP/2 protocol can be divided into three layers: the transmission layer, including streams, frames and flow control; the HPACK binary encoding and compression protocol; and the semantic layer, which is an enhanced version of HTTP/1.1 enriched with server-push capabilities.
