
Security

Security News

Filed under
Security
  • Friday's security updates
  • How to Hack an Election in 7 Minutes

    When Princeton professor Andrew Appel decided to hack into a voting machine, he didn’t try to mimic the Russian attackers who hacked into the Democratic National Committee's database last month. He didn’t write malicious code, or linger near a polling place where the machines can go unguarded for days.

  • Apache OpenOffice and CVE-2016-1513

    The Apache OpenOffice (AOO) project has suffered from a lack of developers for some time now; releases are infrequent and development of new features is relatively slow. But a recent security advisory for CVE-2016-1513 is rather eye-opening in that it further shows that the project is in rough shape. Announcing a potential code execution vulnerability without quickly providing a new release of AOO may be putting users of the tool at more risk than they realize.

Let's Encrypt Root to be Trusted by Mozilla

Filed under
Moz/FF
Security

The Let’s Encrypt root key (ISRG Root X1) will be trusted by default in Firefox 50, which is scheduled to ship in Q4 2016. Acceptance into the Mozilla root program is a major milestone as we aim to rely on our own root for trust and have greater independence as a certificate authority (CA).

Public CAs need their certificates to be trusted by browsers and devices. CAs that want to issue independently under their own root accomplish this by either buying an existing trusted root, or by creating a new root and working to get it trusted. Let’s Encrypt chose to go the second route.


Security News

Filed under
Security
  • Linux Botnets on a Rampage [Ed: Kaspersky marketing in essence]

    Linux-operated botnet Distributed Denial of Service attacks surged in this year's second quarter, due to growing interest in targeting Chinese servers, according to a Kaspersky Lab report released this week. South Korea kept its top ranking for having the most command-and-control servers. Brazil, Italy and Israel ranked among the leaders behind South Korea for hosting C&C servers, according to Kaspersky Lab. DDoS attacks affected resources in 70 countries, with targets in China absorbing 77 percent of all attacks.

  • Machine-Learning Algorithm Combs the Darknet for Zero Day Exploits, and Finds Them

    In April, cybersecurity experts found an exploit based on this vulnerability for sale on a darknet marketplace where the seller was asking around $15,000. In July, the first malware appeared that used this vulnerability. This piece of malware, the Dyre Banking Trojan, targeted users all over the world and was designed to steal credit-card numbers from infected computers.

    The episode provided a key insight into the way malware evolves. In the space of just a few months, hackers had turned a vulnerability into an exploit, offered this for sale, and then saw it developed into malware that was released into the wild.

  • Frequent password changes are the enemy of security, FTC technologist says

    Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

    The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

  • Managing Encrypted Backups in Linux, Part 2

    In part 1, we learned how to make simple automated unencrypted and encrypted backups. In this article, I will show you how to fine-tune your file selection, and how to backup your encryption keys.

  • Getting started with Tails, the encrypted, leave-no-trace operating system

    Tails, an encrypted and anonymous OS that bundles widely used open source privacy tools on a tiny device, is one of the most secure operating systems in the world. The Linux distribution rose to popularity when it was revealed Edward Snowden relied on Tails to secure his identity while sharing NSA secrets with journalists Glenn Greenwald and Laura Poitras. In the past half decade, Tails has been embraced as an essential security suite by journalists, hackers, and IT workers.

    Tails is an acronym for The Amnesic Incognito Live System. The OS runs Debian and is easy to run on Macs and PCs from a USB drive. Tails encrypts all local files, runs every internet connection through Tor and blocks all non-secure connections, and provides a suite of secure communication tools like the Tor browser, HTTPS Everywhere, OpenPGP, the Claws Mail client, I2P, an IP address overlay network, and a Windows 8 camouflage mode to deter over-the-shoulder snooping.

  • Never Trust a Found USB Drive, Black Hat Demo Shows Why [Ed: Windows autoruns stuff]

    Does dropping an infected USB drive in a parking lot work when it comes to a hacker luring its prey into a digital trap? The answer is a resounding yes.

    At Black Hat USA, security researcher Elie Bursztein shared the results of an experiment where he dropped 297 USB drives with phone-home capabilities on the University of Illinois Urbana-Champaign campus. He also explained how an attacker might program and camouflage a malicious USB drive outfitted with a Teensy development board to take over a target’s computer within seconds after plugging the drive in.

Security News

Filed under
Security
  • Security updates for Thursday
  • Risk From Linux Kernel Hidden in Windows 10 Exposed at Black Hat [Ed: "Alex Ionescu, chief architect at Crowdstrike" - well, enough says. CrowdStrike Microsoft-tied. CrowdStrike are the same chronic liars who recently accused Russia of DNC leaks despite lack of evidence. The corporate press cited them. How can GNU and Linux running under a piece of malware with keyloggers and back doors be the main security concern?]
  • Italian-based Android RAT spies on mobiles in Japan and China, say researchers

    Researchers discover an Italian-based Android RAT designed for spying that is targeting mobile devices using their unique identification codes.

  • keysafe

    Have you ever thought about using a gpg key to encrypt something, but didn't due to worries that you'd eventually lose the secret key? Or maybe you did use a gpg key to encrypt something and lost the key. There are nice tools like paperkey to back up gpg keys, but they require things like printers, and a secure place to store the backups.

    I feel that simple backup and restore of gpg keys (and encryption keys generally) is keeping some users from using gpg. If there was a nice automated solution for that, distributions could come preconfigured to generate encryption keys and use them for backups etc. I know this is a missing piece in the git-annex assistant, which makes it easy to generate a gpg key to encrypt your data, but can't help you back up the secret key.

    So, I'm thinking about storing secret keys in the cloud. Which seems scary to me, since when I was a Debian Developer, my gpg key could have been used to compromise millions of systems. But this is not about developers, it's about users, and so trading off some security for some ease of use may be appropriate. Especially since the alternative is no security. I know that some folks back up their gpg keys in the cloud using Dropbox. We can do better.

More Security News

Filed under
Security
  • Kaminsky Warns Black Hat Audience of Risks to the Internet
  • Severe vulnerabilities discovered in HTTP/2 protocol
  • ChaosKey v1.0 Released — USB Attached True Random Number Generator

    Support for this device is included in Linux starting with version 4.1. Plug ChaosKey into your system and the driver will automatically add entropy into the kernel pool, providing a constant supply of true random numbers to help keep the system secure.

    ChaosKey is free hardware running free software, built with free software on a free operating system.

  • Changes for GnuPG in Debian

    The GNU Privacy Guard (GnuPG) upstream team maintains three branches of development: 1.4 ("classic"), 2.0 ("stable"), and 2.1 ("modern").

    They differ in various ways: software architecture, supported algorithms, network transport mechanisms, protocol versions, development activity, co-installability, etc.

    Debian currently ships two versions of GnuPG in every maintained suite -- in particular, /usr/bin/gpg has historically always been provided by the "classic" branch.

    That's going to change!

    Debian unstable will soon be moving to the "modern" branch for providing /usr/bin/gpg. This will give several advantages for Debian and its users in the future, but it will require a transition. Hopefully we can make it a smooth one.

Security Leftovers

Filed under
Security
  • Kaspersky Lab Launches Bug Bounty Program With HackerOne

    The security firm allocates $50,000 to pay security researchers for responsibly disclosing flaws in its security products.
    Kaspersky Lab is no stranger to the world of vulnerability research, but the company is now opening up and enabling third-party security researchers to disclose vulnerabilities about Kaspersky's own software.

  • Reproducible builds for PaX/Grsecurity

    A series of scripts has been created to do reproducible builds of the Linux kernel with the PaX/Grsecurity patch set.

    Thanks to:

    PaX/Grsecurity
    Debian GNU/Linux Community
    Shawn C (a.k.a. "Citypw")
    Linux From Scratch

    Without the contributions of these projects, communities and people, the scripts could not have been accomplished.

  • Four flaws in HTTP/2 could bring down web servers

    SECURITY RESEARCHERS have uncovered at least four flaws in the HTTP/2 protocol, the successor to HTTP that was launched properly only in May last year, after Google rolled up its SPDY project into HTTP/2 in February.

    The flaws enable attackers to slow web servers by overwhelming them with seemingly innocent messages that carry a payload of gigabytes of data, putting them into infinite loops and even causing them to crash.

    The HTTP/2 protocol can be divided into three layers: the transmission layer, including streams, frames and flow control; the HPACK binary encoding and compression protocol; and the semantic layer, which is an enhanced version of HTTP/1.1 enriched with server-push capabilities.

Security News

Filed under
Security
  • Security Issue in Windows leaks Login Data [Ed: designed for back door access]

    An issue in all Windows systems might leak the user’s Windows login and password information. This is especially critical if the user is using a Microsoft account because this is linked to a number of other services the user may be using.

  • Get ready for an Internet of Things disaster, warns security guru Bruce Schneier

    Security guru Bruce Schneier, the author of multiple encryption algorithms, founder of security company Counterpane, and former chief technology officer of BT Managed Security Solutions, has warned that the ‘craze' for connecting devices to the internet with little thought about security will result in a major disaster.

    Schneier warned that "integrity and availability threats" are much worse than "confidentiality threats" with devices connected to the internet.

    "It's one thing if your smart door lock can be eavesdropped upon to know who is home. It's another thing entirely if it can be hacked to allow a burglar to open the door - or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car's location," Schneier wrote.

    He continued: "With the advent of the Internet of Things and cyber-physical systems in general, we've given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete."

  • New Presidential Directive on Incident Response

    Last week, President Obama issued a policy directive (PPD-41) on cyber-incident response coordination. The FBI is in charge, which is no surprise. Actually, there's not much surprising in the document. I suppose it's important to formalize this stuff, but I think it's what happens now.

  • Kazakh dissidents and lawyers hit by cyber attacks: researchers

    Hackers believed to be working on behalf of Kazakhstan government officials tried to infect lawyers and other associates of exiled dissidents and publishers with spyware, according to a report to be presented at this week's Black Hat security conference in Las Vegas.

    The hacking campaign was part of a complicated tale that also involved physical surveillance and threats of violence - a rare instance of cyber attacks coming alongside real-world crimes.

    It is also unusual in that the campaign involved an Indian company that was apparently hired by the hackers, and it targeted Western lawyers along with alleged opponents of the Kazakh government.

    A spokesman at the Kazakhstan embassy in Washington did not respond to emailed questions.

  • Bruce Schneier: major IoT disaster could happen at any time

    THE CRAZE for connecting anything and everything and controlling it over the internet will result in a major disaster without better built-in security, according to security expert Bruce Schneier.

    Furthermore, if secret services really are trying to influence elections by hacking the systems of political parties and releasing embarrassing emails, they will almost certainly attempt to hack into the increasing number of internet-connected voting machines for the same ends.

    Schneier is the author of multiple encryption algorithms, founder of security company Counterpane, and former chief technology officer of BT Managed Security Solutions.

    "It's one thing if your smart door lock can be eavesdropped on to know who is home. It's another thing entirely if it can be hacked to allow a burglar to open the door or prevent you opening your door," Schneier wrote in an article published by Motherboard.

  • Linux botnets on the rise, says Kaspersky DDoS report [Ed: Kaspersky marketing with dramatic and misleading headlines]
  • Hackers break into Telegram, revealing 15 million users’ phone numbers

    Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

    The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

    Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s WhatsApp, say they have similar capabilities.

Tor 0.2.8.6

Filed under
Software
OSS
Security
Debian
  • Tor 0.2.8.6 is released

    Hi, all! After months of work, a new Tor release series is finally stable.

  • Tor browser a bit too unique?

    Ok, this is scary: tor browser on https://browserprint.info/test -- "Your browser fingerprint appears to be unique among the 8,440 tested so far. Currently, we estimate that your browser has a fingerprint that conveys 13.04 bits of identifying information."

  • Debian Project Enhances the Anonymity and Security of Debian Linux Users via Tor

    The Debian Project, through Peter Palfrader, announced recently that its services and repositories for the Debian GNU/Linux operating system would be accessible through the Tor network.

    To further enhance the anonymity and security of users, both when accessing any of the Debian online services, such as the Debian website or Wiki, and when using the Debian GNU/Linux operating system, the Debian Project has partnered with the Tor Project to enable Tor onion services for many of its services.

More in Tux Machines

Linus Torvalds Announces Subsurface 4.6 Open-Source Dive Log and Planning App

Linus Torvalds not only works on the Linux kernel, but he's also part of the development team behind the open-source dive log and dive planning application most of you out there know as Subsurface.

openSUSE Tumbleweed Gets XOrg Server 1.19 & Irssi 1.0, PulseAudio 10 Coming Soon

openSUSE Project's Douglas DeMaio is informing the Tumbleweed community today, January 18, 2017, about the latest software updates and other improvements delivered by a total of two snapshots released last week.

today's leftovers

  • Linux use on Pornhub surged 14% in 2016
    Pornhub is one of the preeminent porn sites on the web. Each year Pornhub releases a year-in-review post with anonymous details about the site's users. More and more Linux users are visiting Pornhub; Linux saw an impressive 14% increase in traffic share in 2016.
  • Amdocs partners with Linux Foundation to accelerate OpenECOMP adoption in Open Source
  • Calamares 2.4.6 Distribution-Independent Linux Installer Delivers Improvements
    The Calamares team is proud to announce the availability of the sixth maintenance update to the 2.4 stable series of the open-source, distribution-independent system installer Calamares, for Linux-based operating systems. Calamares 2.4.6 comes approximately two months after the release of the previous version, namely Calamares 2.4.5, and, as expected, it's a bugfix release that only delivers various improvements and bug fixes for some of the issues reported by users during all this time.
  • Shotwell Photo Manager 0.25.3 Released
    Photography fans will be pleased to hear that a new bug-fix release of photo management app Shotwell is now available to download.
  • AntiX 16.1 is available for public
    AntiX is a Debian-based Linux distribution. It uses lightweight desktop environments like Fluxbox, IceWM, Xfce, etc. This distribution originated in Greece and is typically ideal for old systems. A few hours ago the AntiX team released a new version named AntiX 16.1. It is based on Debian Jessie.
  • Tumbleweed Preps for PulseAudio 10, Gets Ruby, Python Updates
    Developers using openSUSE Tumbleweed are always getting the newest packages as well as updated languages, and the past week's snapshots delivered updated versions of Python and Ruby. The most recent snapshot, 20170112, brought Python 2.x users version 2.7.13, which updated cipher lists for the OpenSSL wrapper and supports versions equal to or greater than OpenSSL 1.1.0. Python-unidecode 0.04.20 was also updated in the snapshot. Another update related to OpenSSL 1.1.0 was PulseAudio 9.99.1, which is a release in preparation for PulseAudio 10.0. PulseAudio 10.0 includes compatibility with OpenSSL 1.1.0, a fix for hotplugged USB surround sound cards and automatic switching of Bluetooth profile when using VoIP applications.
  • Genode OS Framework Planning For Async I/O, App ABI, Qt5 Plans For 2017
    The Genode Operating System Framework has announced their planned roadmap for this year as the involved developers continue working on this original OS initiative. The overall theme of the Genode OS work in 2017 is to focus on stability and scalability, but there is also much more on their road-map for this calendar year.
  • PrestaShop
    Helping people overcome the challenges of building and growing an online business is what the PrestaShop open-source ecommerce platform is all about. The significant PrestaShop 1.7 release provides innovations focused on three themes: sell faster, create easier and code better.
  • This Week in Spring: Reactor 3.0, Open Source CD, and All Kinds of Cloud

Linux on Servers

  • IBM i Open Source Business Architect Lays Out A Plan
    Enterprise level application development is no place for open source languages. Can you believe it? That was once the widely accepted truth. Jiminy Crickets! Things have changed. The number of the stable open source distributions available with comprehensive support and maintenance goes well beyond common knowledge. Industry giants, successful SMB players, and mom and pop businesses are finding good reasons to use open source. Even IBM uses open source for internal business reasons. There are reasons for you to do the same.
  • Lightning Talk - Realizing the Multi-Cloud Promise of Kubernetes by Blake White, The Walt Disney Co.
  • How Disney Is Realizing the Multi-Cloud Promise of Kubernetes
    The Walt Disney Company is famous for “making magic happen,” and their cross-cloud, enterprise level Kubernetes implementation is no different. In a brief but information-packed lightning talk at CloudNativeCon in Seattle in November, Disney senior cloud engineer Blake White laid out a few of the struggles and solutions in making Kubernetes work across clouds.
  • Puppet Launches its Latest State of DevOps Survey
    Folks who are focused on container technology and virtual machines as they are implemented today might want to give a hat tip to some of the early technologies and platforms that arrived in the same arena. Among those, Puppet, which was built on the legacy of the venerable Cfengine system, was an early platform that helped automate lots of virtual machine implementations. We covered it in depth all the way back in 2008. Fast-forward to today, and Puppet is still making news, creating jobs and more.