Security

Security: GNU/Linux Versus Windows

Filed under
Microsoft
Security
  • Towards (reasonably) trustworthy x86 laptops

    Can we build trustworthy client systems on x86 hardware? What are the main challenges? What can we do about them, realistically? Is there anything we can?

  • Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key [Ed: yes, flawed by design]

    One of the excellent features of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key – which can be used to unlock your encrypted disk – to Microsoft’s servers, probably without your knowledge and without an option to opt-out.

    During the “crypto wars” of the nineties, the National Security Agency developed an encryption backdoor technology – endorsed and promoted by the Clinton administration – called the Clipper chip, which they hoped telecom companies would use to sell backdoored crypto phones. Essentially, every phone with a Clipper chip would come with an encryption key, but the government would also get a copy of that key – this is known as key escrow – with the promise to only use it in response to a valid warrant. But due to public outcry and the availability of encryption tools like PGP, which the government didn’t control, the Clipper chip program ceased to be relevant by 1996. (Today, most phone calls still aren’t encrypted. You can use the free, open source, backdoorless Signal app to make encrypted calls.)

Security Leftovers

Filed under
Security
  • Security Researchers Offer Warnings About Hackable Railroads

    The well-being of critical infrastructure and transportation has long been the elephant in the room when it comes to cybersecurity: plenty of researchers have warned about the possibility of attacks on power-plants, the national grid, and, more recently, even the emergence of internet connected cars.

    Now, researchers are warning of the gaping holes in the security of railroad systems. On Sunday at Chaos Communication Congress, a security, arts and politics conference held annually in Hamburg, Germany, members of the SCADA StrangeLove collective presented a long list of problems with railroad systems that attackers could exploit.

  • DLL Hijacking Just Won’t Die

    To make a long and complicated story short, a bad guy who exploits this vulnerability places a malicious DLL into your browser’s Downloads folder, then waits. When you run an installer built by an earlier version of NSIS from that folder, the elevation prompt (assuming it runs at admin) shows the legitimate installer’s signature asking you for permission to run the installer. After you grant permission, the victim installer loads the malicious DLL which runs its malicious code with the installer’s permissions. And then it’s not your computer anymore.

  • CA Council to Improve Internet Certificate Security in 2016

    At the heart of much of the Internet's security is the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS), which provides encryption for data in motion. Certificate Authorities (CAs) are the trusted entities that issue TLS certificates, and as a group, the CAs are gearing up for a big year in 2016, with multiple efforts designed to improve the security of the Internet.

  • Backspace Flaw Enables Linux Zero-Day Attack

Purism's Librem 13 laptop will come with Qubes OS installed

Filed under
GNU
Linux
Security

Most Linux distributions are fairly similar these days, but Qubes OS is different. Qubes OS is based on Linux, but it runs applications in lightweight virtual machines. Applications can be completely isolated from each other, limiting the damage a security vulnerability can cause and aiding in privacy. It's no surprise Edward Snowden said he was excited by Qubes OS.

Security Leftovers

Filed under
Security
  • #OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI

    In this tutorial, I will show you how to embed an executable into a corporate network via email, behind the firewall(s), disguised as a Word document. There is no patch for this issue.

  • Somebody Tried to Get a Raspberry Pi Exec to Install Malware on Its Devices

    Liz Upton, the Director of Communications for the Raspberry Pi Foundation, has tweeted out a screenshot of an email where an unknown person has proposed that the Foundation install malware on all of its devices.

    In the email, a person named Linda is proposing to Mrs. Upton an agreement where their company would provide an EXE file that installs a desktop shortcut that, when clicked, redirects users to a specific website. (Raspberry Pi devices can run Windows as well, not just Linux variants.)

  • Botnet of Aethra Routers Used for Brute-Forcing WordPress Sites

    Italian security researchers from VoidSec have come across a botnet structure that was using vulnerable Aethra Internet routers and modems to launch brute-force attacks on WordPress websites.

  • Steam Had A Very Rough Christmas With A Major Security Issue

    The security issue looks like it might be resolved now, but resulted in gamers being able to see other account holders' information. Seeing other accounts included partial credit card information, addresses, and other personal information. For a while, the Steam store was completely shut down. The issue seems to stem from some caching issues due to account holders being presented with the wrong information.

Security Leftovers

Filed under
Security
  • Thursday's security updates
  • MMD-0047-2015 - SSHV: SSH bruter ELF botnet malware w/hidden process kernel module
  • Another “critical” “VPN” “vulnerability” and why Port Fail is bullshit

    The morning of November 26 brought me interesting news: guys from Perfect Privacy disclosed the Port Fail vulnerability, which can lead to an IP address leak for clients of VPN services with a “port forwarding” feature. I was indignant about their use of the word “vulnerability”. It’s not a vulnerability, just a routing feature: Traffic to VPN server always goes via ISP, outside of VPN tunnel. Pretty obvious thing, I thought, which should be known by any network administrator. Besides that, the note is technically correct, so nothing to worry about. But then the headlines came, and shit hit the fan.

  • Cracking Linux with the backspace key?

    The source of these reports is a mildly hype-ridden disclosure of a vulnerability in the GRUB2 bootloader by Hector Marco and Ismael Ripoll. It seems that hitting the backspace character at the GRUB2 username prompt enough times will trigger an integer underflow, allowing a bypass of GRUB2's authentication stage. According to the authors, this vulnerability, exploitable for denial-of-service, information-disclosure, and code-execution attacks, "results in an incalculable number of affected devices." It is indeed a serious vulnerability in some settings and it needs to be fixed. Unfortunately, some of the most severely affected systems may also be the hardest to patch. But language like the above leads reporters to write that any Linux system can be broken into using the backspace key, which stretches the truth somewhat.

Pro tip: Check your Android device for vulnerabilities with Belarc Security Advisor

Filed under
Android
Security

For many admins, Belarc's Security Advisor is the go-to tool for information gathering on a Windows desktop system. Now, you can reach for Belarc Security Advisor on the Android platform.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security

Git Vulnerability Found and Fixed in All Supported Ubuntu OSes

Filed under
Security
Ubuntu

A Git vulnerability has been identified and repaired in Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS operating systems.

Security Leftovers (still dominated by grub bug)

Filed under
Security

More in Tux Machines

FOSS in 3D Printing

  • Open source wifi enabled 3D printer controller Franklin speeds up with new release
    3D printing hit the mainstream a few years ago thanks in part to the open-source 3D printer market. The origins of this transition had to do with expiring patents held by the traditionally held commercial 3D printing companies. Since then, several small businesses have sprung up around the emerging low-cost 3D printer market. Some of these companies embraced the open-source mentality, while others are seeking shelter with patents.
  • Hackaday Prize Entry: Open-Source Myoelectric Hand Prosthesis
    Hands can grab things, build things, communicate, and we control them intuitively with nothing more than a thought. To those who miss a hand, a prosthesis can be a life-changing tool for carrying out daily tasks. We are delighted to see that [Alvaro Villoslada] joined the Hackaday Prize with his contribution to advanced prosthesis technology: Dextra, the open-source myoelectric hand prosthesis.
  • BCN3D Technologies releases open source files for BCN3D Sigma 3D printer
    As our readers will know, an important part of the 3D printing community is the idea of accessibility. Of course, it is more than just an idea, as everyday makers around the world share their 3D designs and models for free, and even 3D printing companies exercise an open-source philosophy with DIY 3D printers and accessible models. Recently, Barcelona based 3D printer developer BCN3D Technologies decided to further embrace the additive manufacturing open-source philosophy with their latest initiative, Open Source 360º. As part of the initiative, the company has announced that it will share all of its engineering, design, and fabrication information used in the manufacturing of their flagship product, the BCN3D Sigma 3D printer.
  • Shellmo: Aquatic 3D printed robot for fun and education
    Recently I came across a very interesting open hardware project called Shellmo. What caught my eye was that it's a 3D printed crustacean that seems to have no apparent real world use, though with a little creativity I can see educational implications. Shellmo is a unique, almost cartoon-like creature that could captivate the imagination of children while at the same time affording them an opportunity to 3D print their own robot. With the current emphasis on STEM in education, Shellmo appears to be the kind of project that would stimulate student interest.

LibreOffice Liberation

  • Sun, sea, and open source: How Spain's Balearic islands are trying to turn into a tech paradise
    However, work remains to be done, especially on civil servants' desktops. "We started by replacing MSN Office", explains Villoslada. "Thanks to free office suite LibreOffice 5, we may overcome compatibility problems with documents coming in from different versions of MSN Office. We already have 1,000 Office licenses which are not necessary anymore, and we plan not to renew over 5,500 licenses purchased in 2007", he adds.
  • The Document Liberation Project: What we do
    While The Document Foundation is best known for LibreOffice, it also backs the Document Liberation Project. But what exactly is that? We’ve made a short video to explain all…

Kali Linux Alternative: BackBox Linux 4.6 Released With Updated Hacking Tools

BackBox Linux, a Kali Linux alternative, is here with its latest version, BackBox Linux 4.6. Based on Ubuntu Linux, this hacking operating system is now available for download with updated hacking tools and Ruby 2.2.

Chromebook and GNU/Linux

  • Turn Your Old Laptop into a Chromebook
    Once the drive is ready with bootable CloudReady, plug it into the target PC and boot the system. It may take a while for the system to boot into Chromium OS. Once booted, you will see the screen shown in Figure 3.
  • Running Linux and Chrome OS Together Using Crouton
    Leo Laporte is a longtime technology commentator and also the host of the show “The Screen Savers,” on the TWiT Netcast Network. In this video he explains how to install Linux on a Chromebook using Crouton, an open source tool developed by Google employee David Schneider.