Security

Looking at the security of Plasma/Wayland

Filed under
Security

This can be used to create very interesting attacks. It’s one of the reasons why I for example think it’s a very bad idea to start the file manager as root on the same X server. I’m quite certain that if I wanted to I could exploit this relatively easily just through what X provides.

The insecurity of X11 also influenced the security design of applications running on X11. It’s pointless to think about preventing potential attacks if you could get the same by just using core X11 functionality. For example, KWin’s scripting functionality allows interacting with the X11 windows. In general one could say that’s dangerous, as it allows untrusted code to change aspects of the managed windows, but it’s nothing you could not get with plain X11.

Antivirus Live CD 15.0-0.98.7 Uses ClamAV 0.98.7 to Clean Your PCs of Viruses

Filed under
GNU
Linux
Security

Zbigniew Konojacki, the lead developer and maintainer of the independent 4MLinux GNU/Linux distribution, has been happy to inform us earlier about the release and immediate availability for download of Antivirus Live CD 15.0-0.98.7.

Security Leftovers

Filed under
Security
  • Chrome Extensions – AKA Total Absence of Privacy

    Google, claiming that Chrome is the safest web browser out there, is actually making it very simple for extensions to hide how aggressively they are tracking their users. We have also discovered exactly how intrusive this sort of tracking actually is and how these tracking companies actually do a lot of things trying to hide it. Due to the fact that the gathering of data is made inside an extension, all other extensions created to prevent tracking (such as Ghostery) are completely bypassed.

  • 10 dumb security mistakes sys admins make

    When you log in as root, you have full control over the box. This can be extremely dangerous because if your credentials get stolen, an attacker can do whatever he or she wants.

  • Friday's security updates

Libpng Vulnerabilities Fixed in All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical revealed details about three libpng vulnerabilities that have been identified and repaired in Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS.

Security Leftovers

Filed under
Security
  • Web Stores Held Hostage

    Last week has seen an explosion of e-commerce sites infected with the Linux.Encoder.1 ransomware. For those not familiar with the term, ransomware is a particularly vicious type of malware that aims to extort money from the owners of compromised systems.

  • Ransomware Encrypting Files Proliferating Rapidly on Linux, Warn Security Researchers
  • The danger of 'exceptional access'

    In the wake of the horrific attacks in Paris on Friday, there have been renewed calls to find some way to allow the government to read encrypted communications. And on the surface, it sounds simple and obvious -- why wouldn't we want the government to be able to monitor terrorists? But the reality is that it's a very bad idea, not only because it won't work, but because it will hurt Internet security more broadly.

    Of course, at this point, we don't even know if the Paris attackers used encryption. There's speculation they did, because reports suggest that no intelligence agency has found any traffic by them. But right now it's just that: speculation.

Leftovers: Security

Filed under
Security

LXCFS Vulnerabilities Fixed in Ubuntu 15.10 and Ubuntu 15.04

Filed under
Security
Ubuntu

A couple of LXCFS vulnerabilities have been found and repaired in the Ubuntu 15.10 and Ubuntu 15.04 operating systems.

Security Leftovers

Filed under
Security
  • The most popular curl download – by a malware

    During October 2015 the curl web site sent out 1127 gigabytes of data. This was the first time we crossed the terabyte limit within a single month.

    [...]

    The downloads came from what appears to be different locations. They don’t use any HTTP referer headers and they used different User-agent headers. I couldn’t really see a search bot gone haywire or a malicious robot stuck in a crazy mode.

  • Your containers were built in some guy's barn!

    Except even with as new as this technology is, we are starting to see reports of how many security flaws exist in docker images. This will only get worse, not better, if nothing changes. Almost nobody is paying attention; containers mean we don't have to care about this stuff, right!? We're at a point where we have guys building cars in their barns. Would you trust your family in a car built in some guy's barn? No, you want a car built with good parts that has been safety tested. Your containers are being built in some guy's barn.

  • More Privacy, Less Latency - Improved Handshakes in TLS version 1.3

    TLS must be fast. Adoption will greatly benefit from speeding up the initial handshake that authenticates and secures the connection. You want to get the protocol out of the way and start delivering data to visitors as soon as possible. This is crucial if we want the web to succeed at deprecating non-secure HTTP.

How to easily defeat Linux Encoder ransomware

Filed under
GNU
Linux
Security

This malware relies on a security hole in the Magento web e-commerce platform, not Linux.

Security Leftovers

Filed under
Security

More in Tux Machines

today's leftovers

  • 6 Excellent Console Linux File Managers
    A console application is computer software which can be used with a text-only computer interface, the command line interface, or a text-based interface included within a graphical user interface operating system, such as a terminal emulator (such as GNOME Terminal or the aforementioned Terminator). Whereas a graphical user interface application generally involves using the mouse and keyboard (or touch control), with a console application the primary (and often only) input method is the keyboard. Many console applications are command line tools, but there is a wealth of software that has a text-based user interface making use of ncurses, a library which allows programmers to write text-based user interfaces.
  • PHP Tour 2016 Clermont-Ferrand
  • Enlightenment's EFL Getting New DRM Library
    Chris Michael of Samsung has been working on a new DRM library for the Enlightenment Foundation Libraries (EFL) with a number of improvements. The initial implementation of this new library, Ecore_Drm2, has been added to EFL Git.
  • Antergos 2016.05.28 Screenshot Tour
  • Gentoo Linux 20160514 Screenshot Tour
  • First coding week with openSUSE, Google Summer of Code
    Embedded below is the blog of Google Summer of Code student Martin Garcia Monterde. Martin detailed his first week coding with openSUSE and the Google Summer of Code.
  • OpenPHT 1.5.2 for Debian/sid
    I have updated the openpht repository with builds of OpenPHT 1.5.2 for Debian/sid for both amd64 and i386 architecture. For those who have forgotten it, OpenPHT is the open source fork of Plex Home Theater that is used on RasPlex, see my last post concerning OpenPHT for details.
  • vcswatch is now looking for tags
    About a week ago, I extended vcswatch to also look at tags in git repositories. Previously, it was solely paying attention to the version number in the top paragraph in debian/changelog, and would alert if that version didn't match the package version in Debian unstable or experimental. The idea is that "UNRELEASED" versions will keep nagging the maintainer (via DDPO) not to forget that some day this package needs an upload. This works for git, svn, bzr, hg, cvs, mtn, and darcs repositories (in decreasing order of actual usage numbers in Debian. I had actually tried to add arch support as well, but that VCS is so weird that it wasn't worth the trouble).

Google and Oracle

Leftovers: OSS

Security Leftovers (Parrot Security OS 3.0 “Lithium”, Regulation)

  • Parrot Security OS 3.0 “Lithium” — Best Kali Linux Alternative Coming With New Features
    The Release Candidate of Parrot Security OS 3.0 ‘Lithium’ is now available for download. The much-anticipated final release will come in six different editions with the addition of Libre, LXDE, and Studio editions. Version 3.0 of this Kali Linux alternative is based on Debian Jessie and powered by a custom hardened Linux 4.5 kernel.
  • Regulation can fix security, except you can't regulate security
    Every time I start a discussion about how we can solve some of our security problems, it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry, but I'm not sure they work for security. First let's talk about why regulation usually works, then why it won't work for security.