Security

Security Leftovers

Filed under
Security
  • Beware: ScanGuard Scam

    My wife called this to my attention; a web site called "smartwebuser.org" (I refuse to post a link) that warned "If you live in Canada and have a Linux computer which is over 6 months old, then we advise you to keep reading." What followed was a puff piece for something called ScanGuard. It sounded suspiciously to me like all those "cleanup" apps that are advertised in email and occasionally on TV, that promise to protect your PC from viruses and malware, and make it run a zillion times faster. It sounded like a scam to me.

  • The Urgency of Protecting Your Online Data With Let's Encrypt

    We understand that online security is a necessity, so why is only 48.5% of online traffic encrypted? Josh Aas, co-founder of Let's Encrypt, gives us a simple answer: it's too difficult. So what do we do about it? Aas has answers for that as well in his LinuxCon North America presentation.

    Aas explains how the Achilles heel of managing Web encryption is not encryption itself, but authentication, which requires trusted third parties, and secure mechanisms for managing the trust chain. He says, "The encryption part is relatively easy. It's a software stack...it comes on most operating systems by default. It just needs to be configured. Most Web servers tie into it directly and take care of things for you. Your biggest challenge is protecting your private key. The authentication part is a bit of a nightmare, and it has been for a while, so if you want to authenticate, the way this works on the web is you need to get a certificate from a certificate authority, and it's complicated, even for really smart people like my friend Colin here at Cisco."

  • Is encrypted e-mail a must in the Trump presidential era?

    With Donald Trump poised to take over the U.S. presidency, does it make sense for all of us to move to encrypted e-mail if we want to preserve our privacy? Encrypted e-mail provider ProtonMail says yes, indeed.

  • New IoT botnet behind fake Instagram, Twitter and YouTube profiles

    Hackers have created thousands of fake accounts on popular social media platforms like Instagram, Twitter, YouTube and Periscope, via an IoT botnet, using the Linux/Moose malware. Security researchers claim that fake social media accounts are created by hackers to randomly follow people and browse content, in efforts to make the bots seem more "human" and avoid spam filters.

    According to security researchers, the Linux/Moose botnet is a "new generation" IoT botnet that operates on embedded systems such as routers, rather than computers. This makes the bot much more difficult to detect. The botnet can function on even limited computational power and specialises in "social media fraud".

  • Great. Now Even Your Headphones Can Spy on You

    Cautious computer users put a piece of tape over their webcam. Truly paranoid ones worry about their devices’ microphones, some even crack open their computers and phones to disable or remove those audio components so they can’t be hijacked by hackers. Now one group of Israeli researchers has taken that game of spy-versus-spy paranoia a step further, with malware that converts your headphones into makeshift microphones that can slyly record your conversations.

  • Watch out: ɢoogle.com isn’t the same as Google.com

    If you don’t watch where you’re going on the internet, you might be headed down a dark alley before you know it.

    Like a lot of big websites, we use Google Analytics to keep track of traffic on TNW. A few weeks ago, however, we spotted something that looked a bit out of the ordinary.

KDE Plasma 5.8.4 LTS Desktop Environment Released for Linux with More Bug Fixes

Filed under
KDE
Security

Today, November 22, 2016, KDE announced the release of the fourth maintenance update to the long-term supported KDE Plasma 5.8 desktop environment for Linux-based operating systems.

Security News

Filed under
Security
  • Security advisories for Monday
  • Fast security is the best security

    DevOps security is a bit like developing without a safety net. This is meant to be a reference to a trapeze act at the circus for those of you who have never had the joy of witnessing the heart stopping excitement of the circus trapeze. The idea is that when you watch a trapeze act with a net, you know that if something goes wrong, they just land in a net. The really exciting and scary trapeze acts have no net. If these folks fall, that's pretty much it for them. Someone pointed out to me that the current DevOps security is a bit like taking away the net.

  • Detecting fraudulent signups?

    I run a couple of different sites that allow users to sign-up and use various services. In each of these sites I have some minimal rules in place to detect bad signups, but these are a little ad hoc, because the nature of "badness" varies on a per-site basis.

  • Reproducible Builds: week 82 in Stretch cycle

    What happened in the Reproducible Builds effort between Sunday November 13 and Saturday November 19 2016...

Linux Kernel 3.2.84 LTS Released, Adds over 200 Improvements and Bug Fixes

Filed under
Linux
Security

On November 20, 2016, Linux kernel maintainer Ben Hutchings announced the release of the eighty-fourth maintenance update to the long-term supported Linux 3.2 kernel series.

Also: Linux Kernel 3.16.39 LTS Is a Massive Maintenance Update with 420 Improvements

Linux versus Unix hot patching

Filed under
GNU
Linux
Security

There has always been a debate about how close Linux can get to the real operating system (OS), the core proprietary Unix variants that for two decades defined the limits of non-mainframe scalability and reliability.

But times are changing, and the new narrative may be when will Unix catch up to Linux on critical reliability, availability, and serviceability (RAS) features such as hot patching?

Hot patching, the ability to apply updates to the OS kernel while it is running, is a long sought-after but elusive feature of a production OS.

It is sought after because both developers and operations teams recognise that bringing down an OS instance that is doing critical high-volume work is at best disruptive and at worst a logistical nightmare. Its level of difficulty also makes it somewhat elusive.

There have been several failed attempts and implementations that almost worked, but they were so fraught with exceptions that they were not really useful in production.

Also: Can I interest you in talking about Security?

Security News

Filed under
Security
  • Security updates for Friday
  • Serious Linux Vulnerability Found By Just Holding Down The Enter Key For 70 Seconds

    Security researchers have found a rather frightening vulnerability in Linux that could ultimately allow an attacker to copy, modify, or destroy the contents of a hard drive, along with configure the network to exfiltrate data. That in and of itself is cause for concern, but the real harrowing part about this is how easy it is to activate—an attacker need only boot up the system and hold down the enter key for 70 seconds.

  • Open Source Software: Secure Except When It Isn't

    There is still a flaw in the open source security model which the Core Infrastructure Initiative only partly addressed. Remember the thousands and thousands of eyes looking for vulnerabilities in the code? While that may be true in a generalized sense, there are some small but important projects that are flying under the radar and don't seem to be getting the necessary attention.

  • Adobe Fined $1M in Multistate Suit Over 2013 Breach; No Jail for Spamhaus Attacker

    Adobe will pay just $1 million to settle a lawsuit filed by 15 state attorneys general over its huge 2013 data breach that exposed payment records on approximately 38 million people. In other news, the 39-year-old Dutchman responsible for coordinating an epic, weeks-long distributed denial-of-service attack against anti-spam provider Spamhaus in 2013 will avoid any jail time for his crimes thanks to a court ruling in Amsterdam this week.

    On Oct. 3, 2013, KrebsOnSecurity broke the story that Adobe had just suffered a breach in which hackers siphoned usernames, passwords and payment card data on 38 million customers. The intruders also made off with digital truckloads of source code for some of Adobe’s most valuable software properties — including Adobe Acrobat and Reader, Photoshop and ColdFusion.

  • Half of companies have been hit with ransomware in the past year

    MORE TERRIFYING SECURITY RESEARCH has discovered that almost half of a collection of firms surveyed admitted that they have been the victim of a ransomware attack.

    Endpoint security outfit SentinelOne said that the ransomware attacks do not just go after monies these days, but have darker aims and can be used to threaten and terrorise people.

    "[Our] results point to a significant shift for ransomware. It's no longer just a tool for cyber crime, but a tool for cyber terrorism and espionage," said Tony Rowan, chief security consultant at SentinelOne, in the firm's Ransomware Research Data Summary (PDF).

  • Security Of FLOSS

    I’ve worked with IT since the 1960s. I’ve seen systems that fell down just idling. I’ve seen systems that were insecure by design. Their creators just didn’t seem to care. I’ve seen systems that were made to get you. Their creators wanted to own your soul. I’ve also used FLOSS.

Tails 3.0 Anonymous Live OS to Be Based on Debian 9 "Stretch", Require 64-bit PC

Filed under
GNU
Linux
Security
Debian

A few days after the announcement of Tails 2.7, the development team behind the popular amnesic incognito live system based on Debian GNU/Linux unveiled a few technical details about the next major release.

Yes, we're talking about Tails 3.0, which is now in development and appears to be the next major update of the anonymous live OS that ex-CIA employee Edward Snowden used to protect his identity online. Tails is a Debian-based GNU/Linux distribution built around the popular Tor anonymity network and Tor Browser anonymous browser.

Security News

Filed under
Security
  • Security updates for Thursday
  • Reproducible Builds: week 81 in Stretch cycle
  • Security-hardened Android, bounties for Tcl coders, and more open source news

    In a blog post yesterday, the Tor project announced a refresh of a prototype of a Tor-enabled Android phone aimed at reducing vulnerability to security and privacy issues. Combining several existing software packages together, the effort has created an installation tool for hardening your phone. While designed for a Nexus 6P reference device, the project hopes to expand to provide greater hardware choice.

  • Linux flaw exposed in a minute by pressing enter key

    Researchers have discovered a major vulnerability in the Cryptsetup utility that can impact many GNU/Linux systems, which is activated by pressing the enter key for about 70 seconds.

  • Chinese IoT Firm Siphoned Text Messages, Call Records

    A Chinese technology firm has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China, researchers revealed this week. The revelations came the same day the White House and the U.S. Department of Homeland Security issued sweeping guidelines aimed at building security into Internet-connected devices, and just hours before a key congressional panel sought recommendations from industry in regulating basic security standards for so-called “Internet of Things” (IoT) devices.

  • Google security engineer slams antivirus software, cites better security methods

    Google senior security engineer Darren Bilby isn’t a fan of antivirus software, telling a conference in New Zealand that more time should be spent on more meaningful defenses such as whitelisting applications.

    Speaking at the Kiwicon hacking conference, Bilby said that antivirus apps are simply ineffective and the security world should concentrate its efforts on things that can make a difference.

    “Please no more magic,” Bilby told the conference, according to The Register. “We need to stop investing in those things we have shown do not work. Sure, you are going to have to spend some time on things like intrusion detection systems because that’s what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help.”

    Antivirus software does some useful things, he said, “but in reality it is more like a canary in the coal mine. It is worse than that. It’s like we are standing around the dead canary saying, ‘Thank god it inhaled all the poisonous gas.’”

  • Dutch government wants to keep “zero days” available for exploitation

    The Dutch government is very clear about at least one thing: unknown software vulnerabilities, also known as “zero days”, may be left open by the government, in order to be exploited by secret services and the police.

    We all benefit from a secure and reliable digital infrastructure. It ensures the protection of sensitive personal data, security, company secrets and the national interest. It is essential for the protection of free communication and privacy. As a consequence, any vulnerability should be patched immediately. This is obviously only possible when unknown vulnerabilities are disclosed responsibly. Keeping a vulnerability under wraps is patently irresponsible: it may be found simultaneously by others who abuse it, for example to steal sensitive information or to attack other devices.

Mission Improbable: Hardening Android for Security And Privacy

Filed under
Security

This prototype is meant to show a possible direction for Tor on mobile. While I use it myself for my personal communications, it has some rough edges, and installation and update will require familiarity with Linux.

The prototype is also meant to show that it is still possible to replace and modify your mobile phone's operating system while retaining verified boot security - though only just barely. The Android ecosystem is moving very fast, and in this rapid development, we are concerned that the freedom of users to use, study, share, and improve the operating system software on their phones is being threatened. If we lose these freedoms on mobile, we may never get them back. This is especially troubling as mobile access to the Internet becomes the primary form of Internet usage worldwide.

More in Tux Machines

Leftovers: OSS

  • Codesmith Students Garner National Praise for Open-Source Contributions
    Reactide is an Integrated Development Environment built for React, which intends to make React development easier for Software Engineers. The project has been widely praised, amassing over 6,000 stars on GitHub.
  • Airbnb’s new open source library lets you design with React and render to Sketch
    Today, Airbnb’s design team open sourced its internal library for writing React components that easily render directly to Sketch. Instead of trying to get Sketch to export to code, the Airbnb team spent its time on the opposite — putting the paintbrush in the hands of the engineer.
  • [Older] Telecoms copying cloud providers make beeline for open source, say analysts
    The supersonic growth of Amazon Web Services and other cloud providers in the past few years owes much to open-source communities that fed them cutting-edge tech free-of-charge. Now telecom is mimicking this strategy through involvement with the Linux Foundation, according to Scott Raynovich (@rayno) (pictured, right), guest host of theCUBE, SiliconANGLE Media’s mobile live streaming studio.
  • Get a Preview of Apache IoT Projects at Upcoming ApacheCon
    The countdown until ApacheCon North America has begun. The blockbuster event will be in Miami this year and runs May 16-18. The Apache community is made up of many niche communities and ApacheCon offers something for all of them. Here, Roman Shaposhnik, Director of Open Source, Pivotal Inc., who is heading the Apache IoT track at the ApacheCon conference, gave us a sneak peek of what the Apache Internet of Things community can look forward to at the event.
  • Free Webinar on Starting a Collaborative Open Source Project
  • Oracle draws curtains on OmniOS
    With its openly stated operational remit of ‘aggressive acquisitions’ (albeit positively aggressive), Oracle is (very) arguably a firm known for buying, swallowing, acquiring those companies it decides to consume.
  • Partners Healthcare, Persistent Systems to develop open-source platform
  • Libreboot Applies to Rejoin GNU
    Last week we reported that after reorganization, Libreboot was considering rejoining GNU and was seeking input from its community to determine the amount of support it had for such a move. From reading the comments posted both on our article on FOSS Force and on Libreboot’s website, it comes as no surprise that the project’s core members feel they have the necessary consensus to proceed. Last night, FOSS Force received an email — sent jointly to us and Phoronix — letting us know of the decision. Rather than repeat what’s already been written and said on the subject (for that, follow the first link above), we’re publishing a slightly edited version of the email, which will pretty much bring everyone up to date on the situation.

Security updates and no more patches from grsecurity (without a fee)

  • Security updates for Wednesday
  • GrSecurity Kernel Patches Will No Longer Be Free To The Public
    The GrSecurity initiative that hosts various out-of-tree patches to the mainline Linux kernel in order to enhance the security will no longer be available to non-paying users. GrSecurity has been around for the better part of two decades and going back to the 2.4 kernel days. In 2015 the stable GrSecurity patches became available to only commercial customers while the testing patches had still been public. That's now changing with all GrSecurity users needing to be customers.
  • Passing the Baton: FAQ
    This change is effective today, April 26th 2017. Public test patches have been removed from the download area. 4.9 was specifically chosen as the last public release as being the latest upstream LTS kernel will help ease the community transition.
  • grsecurity - Passing the Baton
    Anyone here use grsecurity and have any thoughts about this?

Microsoft-Connected Forrester and Black Duck Continue to Smear FOSS

More Coverage of Kali Linux 2017.1 Release

  • Kali Linux 2017.1 Security OS Brings Wireless Injection Attacks to 802.11 AC
    Offensive Security, the developers of the BackTrack-derived Kali Linux open-source, security-oriented operating system announced the availability of the Kali Linux 2017.1 rolling release. Since Kali Linux became a rolling distro, the importance of such updated images was never the same, but Kali Linux 2017.1 appears to be a major release of the ethical hacking distro, adding a bunch of exciting new features and improvements to the Debian-based operating system.
  • Kali Linux 2017.1 Released With New Features | Download ISO Files And Torrents Here
    Offensive Security has updated the Kali Linux images with new features and changes. Termed Kali Linux 2017.1, this release comes with support for wireless injection attacks to 802.11ac and Nvidia CUDA GPU. You can simply update your existing installation by running a few commands if you don’t wish to download the updated images from Kali repos.