Language Selection

English French German Italian Portuguese Spanish

Security

Tor: Statement

Filed under
Security

Seven weeks ago, I published a blog post saying that Jacob Appelbaum had left the Tor Project, and I invited people to contact me as the Tor Project began an investigation into allegations regarding his behavior.

Since then, a number of people have come forward with first-person accounts and other information. The Tor Project hired a professional investigator, and she interviewed many individuals to determine the facts concerning the allegations. The investigator worked closely with me and our attorneys, helping us to understand the overall factual picture as it emerged.

Read more

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Oops: Bounty-hunter found Vine's source code in plain sight

    A bounty-hunter has gone public with a complete howler made by Vine, the six-second-video-loop app Twitter acquired in 2012.

    According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry.

    While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request.

  • US standards lab says SMS is no good for authentication

    America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication.

    That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future releases of NIST's guidance.

Security News

Filed under
Security
  • Security advisories for Monday
  • EU to Give Free Security Audits to Apache HTTP Server and Keepass

    The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects.

    The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers.

    The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.

  • What is your browser really doing?

    While Microsoft would prefer you use its Edge browser on Windows 10 as part of its ecosystem, the most popular Windows browser is Google’s Chrome. But there is a downside to Chrome – spying and battery life.

    It all started when Microsoft recently announced that its Edge browser used less battery power than Google Chrome, Mozilla Firefox or Opera on Windows 10 devices. It also measured telemetry – what the Windows 10 device was doing when using different browsers.

    What it found was that the other browsers had a significantly higher central processing unit (CPU), and graphics processing unit (GPU) overhead when viewing the same Web pages. It also proved that using Edge resulted in 36-53% more battery life when performing the same tasks as the others.

    Let’s not get into semantics about which search engine — Google or Bing — is better; this was about simple Web browsing, opening new tabs and watching videos. But it started a discussion as to why CPU and GPU usage was far higher. And it relates to spying and ad serving.

  • Is Computer Security Becoming a Hardware Problem?

    In December of 1967 the Silver Bridge collapsed into the Ohio River, killing 46 people. The cause was determined to be a single 2.5 millimeter defect in a single steel bar—some credit the Mothman for the disaster, but to most it was an avoidable engineering failure and a rebuttal to the design philosophy of substituting high-strength non-redundant building materials for lower-strength albeit layered and redundant materials. A partial failure is much better than a complete failure.

    [...]

    In 1996, Kocher co-authored the SSL v3.0 protocol, which would become the basis for the TLS standard. TLS is the difference between HTTP and HTTPS and is responsible for much of the security that allows for the modern internet. He argues that, barring some abrupt and unexpected advance in quantum computing or something yet unforeseen, TLS will continue to safeguard the web and do a very good job of it. What he's worried about is hardware: untested linkages in digital bridges.

  • Your Smart Robot Is Coming in Five Years, But It Might Get Hacked and Kill You

    A new report commissioned by the Department of Homeland Security forecasts that autonomous artificially intelligent robots are just five to 10 years away from hitting the mainstream—but there’s a catch.

    The new breed of smart robots will be eminently hackable. To the point that they might be re-programmed to kill you.

    The study, published in April, attempted to assess which emerging technology trends are most likely to go mainstream, while simultaneously posing serious “cybersecurity” problems.

    The good news is that the near future is going to see some rapid, revolutionary changes that could dramatically enhance our lives. The bad news is that the technologies pitched to “become successful and transformative” in the next decade or so are extremely vulnerable to all sorts of back-door, front-door, and side-door compromises.

  • Trump, DNC, RNC Flunk Email Security Test

    At issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.

  • NIST Prepares to Ban SMS-Based Two-Factor Authentication

    The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA).

    The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by governments and private agencies to assess the security of their services and software.

    NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.

  • 1.6m Clash of Kings forum accounts 'stolen'

    Details about 1.6 million users on the Clash of Kings online forum have been hacked, claims a breach notification site.

    The user data from the popular mobile game's discussion forum were allegedly targeted by a hacker on 14 July.

    Tech site ZDNet has reported the leaked data includes email addresses, IP addresses and usernames.

  • Hacker steals 1.6 million accounts from top mobile game's forum

    [Ed: vBulletin is proprietary software -- the same crap Canonical used for Ubuntu forums]

pfSense 2.3.2 Open Source BSD Firewall Distro Arrives with over 70 Improvements

Filed under
Security
BSD

Electric Sheep Fencing LLC, through Chris Buechler, proudly announced on July 25, 2016, the immediate availability for download of the second maintenance update aimed at the pfSense 2.3 series of the FreeBSD-based open-source firewall distribution.

Read more

Security Leftovers

Filed under
Security

OpenBSD 6.0 tightens security by losing Linux compatibility

Filed under
Security
BSD

OpenBSD, one of the more prominent variants of the BSD family of Unix-like operating systems, will be released at the beginning of September, according to a note on the official OpenBSD website.

Often touted as an alternative to Linux. OpenBSD is known for the lack of proprietary influence on its software and has garnered a reputation for shipping with better default security than other OSes and for being highly vigilant (some might say strident) about the safety of its users. Many software router/firewall projects are based on OpenBSD because of its security-conscious development process.

Read more

Security News

Filed under
Security

Security News

Filed under
Security
  • As a blockchain-based project teeters, questions about the technology’s security

    There’s no shortage of futurists, industry analysts, entrepreneurs and IT columnists who in the past year have churned out reports, articles and books touting blockchain-based ledgers as the next technology that will run the world.

  • Fix Bugs, Go Fast, and Update: 3 Approaches to Container Security

    Containers are becoming the central piece of the future of IT. Linux has had containers for ages, but they are still maturing as a technology to be used in production or mission-critical enterprise scenarios. With that, security is becoming a central theme around containers. There are many proposed solutions to the problem, including identifying exactly what technology is in place, fixing known bugs, restricting change, and generally implementing sound security policies. This article looks at these issues and how organizations can adapt their approach to security to keep pace with the rapid evolution of containers.

  • Preventing the next Heartbleed and making FOSS more secure [Ed: Preventing the next Microsoft-connected trademarked bug for FOSS and making FOSS more secure from Microsoft FUD]

    David Wheeler is a long-time leader in advising and working with the U.S. government on issues related to open source software. His personal webpage is a frequently cited source on open standards, open source software, and computer security. David is leading a new project, the CII Best Practices Badging project, which is part of the Linux Foundation's Core Infrastructure Initiative (CII) for strengthening the security of open source software. In this interview he talks about what it means for both government and other users.

Keeweb A Linux Password Manager

Filed under
Linux
Reviews
Security

Today we are depending on more and more online services. Each online service we sign up for, let us set a password and this way we have to remember hundreds of passwords. In this case, it is easy for anyone to forget passwords. In this article I am going to talk about Keeweb, a Linux password manager that can store all your passwords securely either online or offline.

Read<br />
more

Security News

Filed under
Security
  • Security updates for Thursday
  • Open Source Information Security Tool Aimed at MSSPs

    A Virginia software developer announced today the release of what’s billed as the first open source information security analytics tool for managed security services providers (MSSP) and enterprise.

    IKANOW says its new platform features multi-tenancy, enterprise scalability and is fully customizable.

  • Most companies still can't spot incoming cyberattacks

    Four out of five businesses lack the required infrastructure or security professionals with relevant skills to spot and defend against incoming cyberattacks.

    According to a new report by US cybersecurity and privacy think tank Ponemon Institute on behalf of cybersecurity firm BrandProtect, 79 percent of cybersecurity professionals say that their organisations are struggling to monitor the internet for the external threats posed by hackers and cybercriminals.

  • HTTpoxy Flaw Re-emerges After 15 Years and Gets Fixed

    After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed.
    Some flaws take longer—a lot longer—than others to get fixed. The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18.

    The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts. The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic. The flaw at its core is a name space conflict between two different uses for a server variable known as HTTP Proxy.

  • Hack The World

    Currently HackerOne has 550+ customers, has paid over $8.9 million in bounties, and fixed over 25,000 vulnerabilities, which makes for a safer Internet.

  • EU aims to increase the security of password manager and web server software: KeePass and Apache chosen for open source audits [“pyrrhic because of Keepass : flushing the audit money down the toilet on MS based cruft” -iophk]

    For the FOSSA pilot project to improve the security of open source software that my colleague Max and I proposed, the European Commission sought your input on which tools to audit.

    The results are now in: The two overwhelming public favorites were KeePass (23%) and the Apache HTTP Server (19%). The EU has decided to follow these recommendations and audit both of these software projects for potential security issues.

  • KeeThief – A Case Study in Attacking KeePass Part 2

    The other week I published the “A Case Study in Attacking KeePass” post detailing a few notes on how to operationally “attack” KeePass installations. This generated an unexpected amount of responses, most good, but a few negative and dismissive. Some comments centered around the mentality of “if an attacker has code execution on your system you’re screwed already so who cares“. Our counterpoint to this is that protecting your computer from malicious compromise is a very different problem when it’s joined to a domain versus isolated for home use. As professional pentesters/red teamers we’re highly interested in post-exploitation techniques applicable to enterprise environments, which is why we started looking into ways to “attack” KeePass installations in the first place. Our targets are not isolated home users.

  • Giuliani calls for cybersecurity push

    Former New York mayor Rudy Giuliani made a surprise appearance at the BlackBerry Security Summit, warning of the rapid growth of cybercrime and cyberterrorism.

    Cybercrime and cyberterrorism are both growing at rates between 20% and 40%, said Giuliani, who made a brief return from the Republican National Convention in Cleveland to speak at BlackBerry's New York event.

    "Think of it like cancer. We can't cure it... but if we catch it early we can put it into remission," he said. The quicker you can spot an attack, the less chance there is of loss.

  • Notorious Hacker ‘Phineas Fisher’ Says He Hacked The Turkish Government

    A notorious hacker has claimed responsibility for hacking Turkey’s ruling party, the AKP, and stealing more than 300,000 internal emails and other files.

    The hacker, who’s known as Phineas Fisher and has gained international attention for his previous attacks on the surveillance tech companies FinFisher and Hacking Team, took credit for breaching the servers of Turkey’s ruling party, the Justice and Development Party or AKP.

    “I hacked AKP,” Phineas Fisher, who also goes by the nickname Hack Back, said in a message he spread through his Twitter account on Wednesday evening.

Syndicate content

More in Tux Machines

Mesa News

  • Mesa 13 Lands In Fedora 25
    While it was disappointing that Fedora 25 shipped with Mesa 12.0, the Mesa 13.0 version has now been sent down as a stable release update.
  • Stable Mesa PPA Offers Latest Drivers on Ubuntu
    Games company Feral Interactive’s call for a PPA be set up to offer the latest Stable Mesa drivers on Ubuntu has been semi-answered. Emphasis on semi, there. As noted by Gaming on Linux, a new stable Mesa PPA is now available — hurrah — but it is not “official” in the way that the stress-tested Nvidia drivers PPA is — boo.
  • Ubuntu now has a community-built PPA for stable versions of Mesa
    Feral Interactive's call for a stable Mesa PPA has already made progress, as there's now a stable PPA available for Mesa. Paulo Dias "Padoka" has setup another PPA here: https://launchpad.net/~paulo-miguel-dias/+archive/ubuntu/pkppa Note: This is a community-run PPA, so it's possible it may someday go out of date and/or have issues at times. This is likely a stop-gap measure until something more official is done. It currently hosts Mesa 13.0.2 and LLVM 3.9 along with RADV and ANV the AMD and Intel open source Vulkan drivers.

ROSA Desktop Fresh R8 Plasma 5: is it near-perfect?

ROSA is a Linux distribution forked some time ago from Mandriva Linux by a team of Russian developers, Rosa Lab, or officially LLC NTC-IT ROSA. I reviewed their distributions several times: ROSA KDE R7, ROSA Desktop 2012 and even interviewed the ROSA team. The most recent release of ROSA is now ROSA Desktop Fresh R8, which is available in several flavours: MATE, GNOME 3, KDE 4 and Plasma 5. I decided to try the Plasma 5 edition of this distribution, especially as my interest to Plasma increased after the good impression Kubuntu 16.10 left on me. There are links to the ISO images available on the ROSA download page, and I used it to get my own version of this Linux distribution. The size of ROSA Desktop Fresh R8 Plasma 5 64-bit image is 1.9 Gb. The dd command helped me to "burn" the image to the USB stick. So, the USB drive is attached to my Toshiba Satellite L500-19X laptop. Reboot. Choose to boot from USB. Let's go! Read more

Korora 25 Unleashed, Best KDE Distro, Notorious B.U.G.

Fedora-based Korora 25 was released Wednesday in 64-bit versions. Users are urged to upgrade. Elsewhere, Jack Wallen was seriously impressed by Fedora 25 and blogger DarkDuck said ROSA R8 is "near-perfect." Bruce Byfield discussed obstacles to Linux security just as a new kernel vulnerability comes to light. Dedoimedo declared the best KDE distro of 2016 and FOSSBYTES has 10 reasons to use Ubuntu. Read more

OnePlus 3T review: One of the best Android phones gets a little better

OnePlus has never been one to play by the rules. Back when it made its entrance into the crowded smartphone market with the One, it set itself apart by selling a premium handset at a mid-tier price and offering invitation-only purchases instead of the standard preorders. The 3T very much fits with this rebellious nature. Essentially a refreshed version of the 6-month-old OnePlus 3, the new phone undermines another smartphone constant: the yearly update. iPhone users are familiar with the concept of the mid-cycle model—a handset that keeps the same enclosure but beefs up features and internal components. But there’s always been a special hook with Apple’s S phones, a reason for current owners to rush out and buy the new model. The 3T could be seen as OnePlus’ attempt to mimic the success Apple has had with the formula (and in fact, the company says it picked T for the new phone’s surname simply because it’s a letter higher than S). Read more