Security

Five free Android encryption tools for the paranoid user

Filed under
Android
Security

Do your hats tend to fall into the tinfoil range? Are you afraid there is always somebody watching you? If so, rest assured that the Android ecosystem offers plenty of apps to soothe your paranoia. But which apps are the must-haves? Here are five apps you should immediately install and put to work. They'll bring you peace in the knowledge that your mobile data is far more secure than those around you.

Read more

Open Source First Starting to Converge with Cloud First

Filed under
OSS
Security

Of course, PostgreSQL is only one instance where open source and the cloud are starting to converge. The same argument could also be applied to everything from Node.js to Docker containers. The point is that as the critical mass of open source software in the cloud continues to build, it’s only a matter of time before that same software starts showing up on premise in much greater numbers than it already has.

Read more

Mozilla defaults Tracking Protection for Firefox developer builds, but only for private browsing

Filed under
Moz/FF
Security

Pre-beta versions of Firefox will block domains known to track users by default when a private browser window is opened.

Read more

Security Leftovers

Filed under
Security
  • Friday's security advisories
  • Research Paper: Securing Linux Containers
  • Kaspersky Antivirus accused of creating fake malware for over 10 years

    It basically worked like this: Kaspersky would inject dangerous-looking code into common pieces of software. It would then anonymously submit the files to malware aggregators such as Google-owned VirusTotal. When competitors added the malware to their detection engines, they’d mistakenly flag the original files because of the similar code.

  • Investigating the Computer Security Practices and Needs of Journalists

    Though journalists are often cited as potential users of computer security technologies, their practices and mental models have not been deeply studied by the academic computer security community. Such an understanding, however, is critical to developing technical solutions that can address the real needs of journalists and integrate into their existing practices. We seek to provide that insight in this paper, by investigating the general and computer security practices of 15 journalists in the U.S. and France via in-depth, semi-structured interviews. Among our findings is evidence that existing security tools fail not only due to usability issues but when they actively interfere with other aspects of the journalistic process; that communication methods are typically driven by sources rather than journalists; and that journalists’ organizations play an important role in influencing journalists’ behaviors. Based on these and other findings, we make recommendations to the computer security community for improvements to existing tools and future lines of research.

  • Ten scary hacks I saw at Black Hat and DEF CON

    The highlight of this year’s Black Hat conference was a remote hack of the Jeep Cherokee and other Fiat Chrysler vehicles, demonstrated by security researchers Charlie Miller and Chris Valasek.

    The attack was the culmination of a year of painstaking work that involved reverse-engineering car firmware and communications protocols. It eventually allowed the two researchers to hack into the car infotainment systems over mobile data connections and take over brake, steering and other critical systems. The research forced Chrysler to recall 1.4 million automobiles so they could be patched and prompted a car cybersafety legislative proposal from the U.S. Congress.

  • How to hack a Corvette with a text message

    Researchers have demonstrated how a simple text message can be used to control a vehicle.

  • Facebook issues Internet Defense Prize for vulnerability discovery tool

    Facebook has awarded $100,000 to a pair of Ph.D. students for their work in the security of C++ programs, which resulted in the detection and patching of zero-day vulnerabilities.

Security Leftovers

Filed under
Security
  • Linux Concerns: Convenience vs. Security

    Once upon a recent time, Linux was more secure than it is today. Only the root user could mount external devices, and in many distributions new users were automatically assigned a few groups that limited the hardware they could access. Distributions followed the principle of least privilege (aka least access), under which users, applications, and devices receive only the access to the system that they absolutely require.

  • Security updates for Thursday
  • One Definition Of Lock-in: Running “2003” So Many Years Later

    Why do they do it? Run “2003” in 2015! It’s not cost, because Debian GNU/Linux would cost $0. It’s lock-in whether by habit or by application. Lots of folks have invested heavily in applications that still work so they are willing to risk everything, perhaps by adding other layers of security. Why?

  • Imploding Barrels and Other Highlights From Hackfest DefCon

    Visiting Las Vegas can feel a bit like being a metal sphere in a pinball machine—you’re tossed from bright lights to blaring shows and back again until you eventually (hopefully) emerge out a hole at your home airport. When you visit Vegas with a swarm of hackers and security researchers, the dizziness gets amped up tenfold and can be laced with a dose of dark mischief.

  • Cisco networking gear can be hijacked, warns company

    An attacker can swap out the device's firmware with altered, malicious software.

  • Video Shows a Terrifying Drug Infusion Pump Hack in Action

    It’s one thing to talk about security vulnerabilities in a product, but another to provide a proof-of-concept demonstration showing the device being hacked.

    That’s what occurred last month when BlackBerry Chief Security Officer David Kleidermacher and security professional Graham Murphy showed how easy it is for hackers to take control of a hospital drug infusion pump by overwriting the device’s firmware with malicious software.

  • August ’15 security fixes for Adobe Flash

    ...Adobe released updated Flash player plugins which address many new vulnerabilities (as usual).

Security Leftovers

Filed under
Security
  • Researchers reveal electronic car lock hack after 2-year injunction by Volkswagen

    In 2012, researchers at Radboud University in the Netherlands discovered a security flaw in a common automotive security chip used in theft prevention by Volkswagen, Audi, Fiat, Honda, and Volvo vehicles. But after they disclosed their results to the auto manufacturers—a full nine months before they planned to publish them—the automakers sued to keep them quiet.

  • How texting a Corvette could stop it in its tracks

    As if recent research on car hacking wasn’t frightening enough, a new study shows yet another danger to increasingly networked vehicles.

    This time around, academics with the University of California analyzed small, third-party devices that are sometimes plugged into a car’s dashboard, known as telematic control units (TCUs).

    Insurance companies issue the devices to monitor driving metrics in order to meter policies. Other uses include fleet management, automatic crash reporting and tracking stolen vehicles.

  • BlackBerry can't catch a break: Now it's fending off Jeep hacking claims

    BlackBerry has denied rumors that its software might have played a role in the infamous "Jeep hack," saying it's "unequivocally" not true.

    In July, security researchers revealed that certain cars built by Fiat Chrysler were vulnerable to potentially life-threatening remote attacks, thanks to a flaw in the automaker's uConnect in-vehicle infotainment system.

    The underlying operating system that powers uConnect is QNX Neutrino, a real-time OS that's made by a BlackBerry subsidiary. On Friday, investment website Seeking Alpha published an editorial questioning whether some kind of flaw in QNX might be implicated in the Jeep hack.

  • Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

    A design flaw in Intel's processors can be exploited to install malware beneath operating systems and antivirus – making it tough to detect and remove.

    "It's a forgotten patch to a forgotten problem, but opens up an incredible vulnerability," said Christopher Domas, a security researcher with the Battelle Memorial Institute, who revealed the hardware bug at the Black Hat conference in Vegas last week.

  • Security updates for Tuesday
  • Security advisories for Wednesday
  • Tokenless Keystone

    One time passwords (OTPs) in conjunction with Basic Auth or some other way to curry the data to the server provides an interesting alternative. In theory, the user could pass the OTP along at the start of the request, the Horizon server would be responsible for timestamping it, and the password could then be used for the duration. This seems impractical, as we are essentially generating a new bearer token. For all-in-one deployments they would work as well as Basic-Auth.

Oracle's Lunacy

Filed under
Security
  • No, You Really Can’t

    Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

    [...]

    But you know, if Oracle's strongly-worded letters are written in Davidson's style, I think I'd quite enjoy the entertainment value.

  • No, You Really Can’t (Mary Ann Davidson Blog)
  • Oracle security chief to customers: Stop checking our code for vulnerabilities [Updated]

    Perhaps thinking that all the security researchers in the world were busy recovering from Black Hat and DEF CON and would be somehow more pliant to her earnest message, Mary Ann Davidson wrote a stern message to customers entitled "No, You Really Can't" (here in Google's Web cache; it's also been reproduced on SecLists.org in the event that Oracle gets Google to remove the cached copy). Her message: stop scanning Oracle's code for vulnerabilities or we will come after you. "I’ve been writing a lot of letters to customers that start with 'hi, howzit, aloha'," Davidson wrote, "but end with 'please comply with your license agreement and stop reverse engineering our code, already.'"

  • Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant

    While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.

    Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike from the software giant for both reverse engineers and bug bounties in a long blog post on Monday. The post was pulled on Tuesday lunchtime, but its contents remain available via the Internet Archive here.

  • Oracle to 'sinner' customers: Reverse engineering is a sin and we know best

    Opinion: Stop sending vulnerability reports already. Oracle's chief security officer wants to go back to writing murder mysteries.

Tails 1.5 is out

Filed under
GNU
Linux
Security
Debian

There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Read more

'CVE-2015-4495 and SELinux', Or why doesn't SELinux confine Firefox?

Filed under
Linux
Moz/FF
Security

Why don't we confine Firefox with SELinux?

That is one of the most often asked questions, especially after a new CVE like CVE-2015-4495 shows up. This vulnerability in Firefox allows a remote session to grab any files in your home directory. If you can read the file, then Firefox can read it and send it back to the website that infected your browser.

The big problem with confining desktop applications is the way the desktop has been designed.

Read more

OpenSSH 7.0

Filed under
OSS
Security

OpenSSH 7.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time.

Read more
