
Security

Security: Updates, Libgcrypt 1.8, Dow Jones Cracked, Windows Havoc Carries on

Filed under
Security

Hacking Devices (Repair), Misconfigured Samba, and Black Duck FUD Team

Filed under
Security

Security: Updates, DNS, Breach, Internet Cameras, Cryptoparty Belfast, Intel and More

Filed under
Security
  • Security updates for Tuesday
  • The Risks of DNS Hijacking Are Serious and You Should Take Countermeasures

    Over the years hackers have hijacked many domain names by manipulating their DNS records to redirect visitors to malicious servers. While there’s no perfect solution to prevent such security breaches, there are actions that domain owners can take to limit the impact of these attacks on their Web services and users.

  • Lawyers score big in settlement for Ashley Madison cheating site data breach

    The owners of the Ashley Madison cheating-dating website have agreed to pay $11.2 million to settle two dozen data breach lawsuits as a result of a 2015 incident involving as many as 37 million members' personal identifying information being exposed online. The deal (PDF) earmarks up to one-third, or about $3.7 million, for attorneys' fees and costs. An additional $500,000 has been set aside to administer the remaining $7 million earmarked for Ashley Madison members.

  • Representative IoT Device: IP Video Camera

    These IP cameras are available with full support and regular updates from industrial suppliers at prices ranging from several hundred to a few thousand dollars per camera. They are commonly sold in systems that include cameras, installation, monitoring and recording systems and software, integration, and service and support. There are a few actual manufacturers of the cameras, and many OEMs place their own brand names on the cameras.

  • Hack Brief: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices
  • Devil's Ivy Open-Source Flaw Impacts Tens of Millions of IoT Devices
  • Nasty Bug Left Thousands of Internet of Things Devices Open to Hackers
  • Experts in Lather Over ‘gSOAP’ Security Flaw
  • Just because you can, doesn't mean you should

    There was a recent Cryptoparty Belfast event that was aimed at a wider audience than usual; rather than concentrating on how to protect oneself on the internet, the 3 speakers concentrated more on why you might want to. As seems to be the way these days, I was asked to say a few words about the intersection of technology and the law. I think people were most interested in all the gadgets on show at the end, but I hope they got something out of my talk. It was a very high level overview of some of the issues around the Investigatory Powers Act - if you’re familiar with it then I’m not adding anything new here, just trying to provide some sort of details about why it’s a bad thing from both a technological and a legal perspective.

  • [Old] "Super Malware" Steals Encryption Keys from Intel SGX Enclaves

    In a research paper published at the end of February, a team of five scientists from the Graz University of Technology has described a novel method of leaking data from SGX enclaves, a secure environment created by Intel CPUs for storing sensitive information for each process, such as encryption keys, passwords, and others.

    Starting with the Skylake line, Intel introduced a new hardware extension called SGX (Software Guard Extensions) that isolates the CPU memory at the hardware level, creating safe spaces where applications can store information that only they can write or read.

  • Avoiding TPM PCR fragility using Secure Boot

    In measured boot, each component of the boot process is "measured" (i.e., hashed and that hash recorded) in a register in the Trusted Platform Module (TPM) built into the system. The TPM has several different registers (Platform Configuration Registers, or PCRs) which are typically used for different purposes - for instance, PCR0 contains measurements of various system firmware components, PCR2 contains any option ROMs, PCR4 contains information about the partition table and the bootloader. The allocation of these is defined by the PC Client working group of the Trusted Computing Group. However, once the boot loader takes over, we're outside the spec[1].

  • Open Source Security Podcast: Episode 56 -- Devil's Advocate and other fuzzy topics

Security Features in Next Linux

Filed under
Linux
Security
  • It Didn't Make It For Linux 4.13, But A New Random Number Generator Still In The Works

    Frequent Phoronix readers may recall that for more than one year a new Linux Random Number Generator has been in development, and today marked the 12th version of these patches being released.

    This new random number generator, LRNG, aims to provide sufficient entropy during the boot time and in virtual environments as well as when using SSDs or DM targets. LRNG has been in development by Stephan Müller.

  • Unix: How random is random?
  • AMD Secure Memory Encryption Patches Updated For Linux

    Adding to the list of changes/features you will not find in Linux 4.13 is AMD's Secure Memory Encryption as supported by the new EPYC processors.

    AMD has been posting Secure Memory Encryption patches for the Linux kernel going back to last year, but so far they have not been merged to mainline. The code continues to be updated, and the tenth version of these patches was published today.

A brief history of GnuPG: vital to online security but free and underfunded

Filed under
GNU
Security

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.

GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt on January 11, 1996, but relief is probably a good guess. The United States government had just ended its investigation into him and his encryption software, PGP or “Pretty Good Privacy”.


Security and FOSS: Sonatype Report, Bitfury, and Nokia

Filed under
OSS
Security

Security Leftovers

Filed under
Security
  • Open source in the security world -- a liability or strength?

    To some, the terms ‘open source’ and ‘security’ may not exactly go hand in hand. Characterized by its transparent code—which means it’s highly accessible to anyone—as opposed to ‘closed’, proprietary systems, it’s no wonder that some still have the misperception that open source is the more vulnerable party. In an open source environment, companies as well as communities of sorts are able to access and contribute to the code. This often gives off the impression that because it is open, it must be fully exposed to risks and viruses.

    But today, open source is pervasive. The world as we know it is changing — technology is evolving faster today than it has at any other point in human history. And open source is the reason for that; it is the driving force behind many of today’s technology innovations that we see. Today’s enterprises simply cannot rely on a proprietary piece of source code to manage the increasing multitude of applications that are powering their critical business transactions.

    And with the rising adoption of this software, there has never been a better time to learn the truth about misconceptions of open source security.

  • How Active Intrusion Detection Can Seek and Block Attacks

    Ventura will detail this more active approach to intrusion prevention - where defenders can use basic network software applications to look for threats and stop attacks - later this month in his Black Hat USA talk entitled "They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention."

  • Linux, Windows, macOS Affected By 21-year-old Kerberos Protocol Bug; Patch Now

Security: Kaspersky Ban, Email of Top U.S. Russia Intelligence Official Hacked, and Kali Linux

Filed under
Security

Security: Kerberos, Various Updates, and FUD

Filed under
Security

Security: Various Updates, Kerberos, Samba

Filed under
Security

More in Tux Machines

Debian-Based Q4OS Linux Distro to Get a New Look with Debonaire Desktop Theme

Q4OS is a small GNU/Linux distribution based on the latest Debian GNU/Linux operating system and built around the Trinity Desktop Environment (TDE). It's explicitly designed to make the Microsoft Windows to Linux transition as accessible and straightforward as possible for anyone. Dubbed Debonaire, the new desktop theme uses dark-ish elements for the window titlebar and panel. Somehow it resembles the look and feel of the acclaimed Arc GTK+ theme, and it makes the Q4OS operating system more modern than the standard look offered by the Trinity Desktop Environment.

today's leftovers

Software: GIMP, VLC, Cryptsetup, Caprine, KWin and NetworkManager

  • GIMP 2.9.8 Open-Source Image Editor Released with On-Canvas Gradient Editing
    GIMP 2.9.8, a development version towards the major GIMP 2.10 release, was announced by developer Alexandre Prokoudine for all supported platforms, including Linux, Mac, and Windows.
  • GIMP 2.9.8 Released
    Newly released GIMP 2.9.8 introduces on-canvas gradient editing and various enhancements while focusing on bugfixing and stability. For a complete list of changes please see NEWS.
  • It Looks Like VLC 3.0 Will Finally Be Released Soon
    VLC 3.0 is something we've been looking forward to for years, and it's looking like that big multimedia player update could be released very soon. Thanks to Phoronix reader Fran for pointing out that VLC 3.0 release candidates have begun, with not much attention. VLC 3.0 RC1 was tagged at the end of November, and then Tuesday saw VLC 3.0 RC2 being tagged, but without any official release announcements.
  • cryptsetup 2.0.0
  • Cryptsetup 2.0 Released With LUKS2 Format Support
    A new major release is available of Cryptsetup, the user-space utility for dealing with the DMCrypt kernel module for setting up encrypted disk volumes. Cryptsetup 2.0.0 is notable in that it introduces support for the new on-disk LUKS2 format while still retaining support for LUKS(1). The LUKS2 format is security hardened to a greater extent, more extensible than LUKS, supports in-place upgrading from LUKS, and includes other changes.
  • Caprine – An Unofficial Elegant Facebook Messenger Desktop App
    There is no doubt Facebook is one of the most popular and dynamic social network platforms in the modern Internet era. It has revolutionized technology, social networking, and the future of how we live and interact. With Facebook, we can connect, communicate with one another, and instantly share our memories, photos, files and even money with anyone, anywhere in the world. Even though Facebook has its own official messenger, some tech enthusiasts and developers are developing alternative and feature-rich apps to communicate with your buddies. The one we are going to discuss today is Caprine. It is a free, elegant, open source, and unofficial Facebook messenger desktop app built with the Electron framework.
  • KWin On Wayland Without X11 Support Can Startup So Fast It Causes Problems
    It turns out that when firing up KDE's KWin Wayland compositor without XWayland support, it can start up so fast that it causes problems. Without XWayland providing legacy X11 support to KDE Wayland clients, the KWin compositor fires up so fast that it can cause a crash in their Wayland integration as KWin's internal connection isn't even established... Yep, Wayland compositors are much leaner and cleaner than the aging X Server code-base that dates back 30+ years, granted most of the XWayland code is much newer than that.
  • NetworkManager Picks Up Support For Intel's IWD WiFi Daemon & Meson Build System
    NetworkManager now has support for Intel's lean "IWD" WiFi daemon. IWD is a lightweight daemon for managing WiFi devices via a D-Bus interface and has been in development since 2013 (but was only made public in 2016) and just depends upon GCC / Glibc / ELL (Embedded Linux Library).

Linux Foundation: Servers, Kubernetes and OpenContrail

  • Many cloud-native hands try to make light work of Kubernetes
    The Cloud Native Computing Foundation, home of the Kubernetes open-source community, grew wildly this year. It welcomed membership from industry giants like Amazon Web Services Inc. and broke attendance records at last week’s KubeCon + CloudNativeCon conference in Austin, Texas. This is all happy news for Kubernetes — the favored platform for orchestrating containers (a virtualized method for running distributed applications). The technology needs all the untangling, simplifying fingers it can get. This is also why most in the community are happy to tamp down their competitive instincts to chip away at common difficulties. “You kind of have to,” said Michelle Noorali (pictured), senior software engineer at Microsoft and co-chair of KubeCon + CloudNativeCon North America & Europe 2017. “These problems are really hard.”
  • Leveraging NFV and SDN for network slicing
    Network slicing is poised to play a pivotal role in the enablement of 5G. The technology allows operators to run multiple virtual networks on top of a single, physical infrastructure. With 5G commercialization set for 2020, many are wondering to what extent network functions virtualization (NFV) and software-defined networking (SDN) can help move network slicing forward.
  • Juniper moves OpenContrail's SDN codebase to Linux Foundation
    Juniper Networks has announced its intent to move the codebase for OpenContrail, an open-source network virtualisation platform for the cloud, to the Linux Foundation. OpenContrail provides both software-defined networking (SDN) and security features and has been deployed by various organisations, including cloud providers, telecom operators and enterprises to simplify operational complexities and automate workload management across diverse cloud environments.
  • Juniper moves OpenContrail’s codebase to Linux Foundation, advances cloud approach
    Juniper Networks plans to move the codebase for its OpenContrail open-source network virtualization platform for the cloud to the Linux Foundation, broadening its efforts to drive more software innovations into the broader IT and service provider community. The vendor is hardly a novice in developing open source platforms. In 2013, Juniper released its Contrail products as open sourced and built a user and developer community around the project. To drive its next growth phase, Juniper expanded the project’s governance, creating an even more open, community-led effort.
  • 3 Essential Questions to Ask at Your Next Tech Interview
    The annual Open Source Jobs Report from Dice and The Linux Foundation reveals a lot about prospects for open source professionals and hiring activity in the year ahead. In this year’s report, 86 percent of tech professionals said that knowing open source has advanced their careers. Yet what happens with all that experience when it comes time for advancing within their own organization or applying for new roles elsewhere?