Security

Tails 2.4, Edward Snowden's Favorite Anonymous Live CD, Brings Tor Browser 6.0

Filed under
GNU
Linux
Security
Debian

The Tails Project released Tails 2.4, a major version of the anonymous Live CD based on Debian GNU/Linux, which was used by ex-CIA employee Edward Snowden to stay hidden online and protect his privacy.

When compared with the previous release, we can notice that Tails 2.4 includes some big changes, among which we can mention the upgrade to Debian GNU/Linux 8.4 "Jessie" and the inclusion of the recently released Tor Browser 6.0 anonymous browser, which is based on the open-source Mozilla Firefox 45.2 web browser.

Also: TeX Live 2016 released

Security Leftovers

Filed under
Security
  • Friday's security updates
  • electrum ssl vulnerabilities

    One full month after I filed these, there's been no activity, so I thought I'd make this a little more widely known. It's too hard to get CVEs assigned, and registering a snarky domain name is passe.

    I'm not actually using electrum myself currently, as I own no bitcoins. I only noticed these vulnerabilities when idly perusing the code. I have not tried to actually exploit them, and some of the higher levels of the SPV blockchain verification make them difficult to exploit. Or perhaps there are open wifi networks where all electrum connections get intercepted by a rogue server that successfully uses these security holes to pretend to be the entire electrum server network.

  • Stop it with those short PGP key IDs!

    PGP is secure, as it was 25 years ago. However, some uses of it might not be so.

  • Wolf: Stop it with those short PGP key IDs!
  • There's a Stuxnet Copycat, and We Have No Idea Where It Came From [iophk: "Windows strikes again"]

    After details emerged of Stuxnet, arguably the world's first digital weapon, there were concerns that other hackers would copy its techniques.

    Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Although the copycat malware—dubbed IRONGATE by cybersecurity company FireEye—only works in a simulated environment, it, like Stuxnet, replaces certain types of files, and was seemingly written to target a specific control system configuration.

    “In my mind, there is little room to say that these are the same actors,” behind Stuxnet and IRONGATE, Sean McBride, manager at FireEye iSIGHT Intelligence told Motherboard in a phone interview.

    But clearly, and perhaps to be expected, other hackers have paid very close attention to, and copied one of the most powerful pieces of malware ever, raising questions of who else might have decided to see how Stuxnet-style approaches to targeting critical infrastructure can be adapted.

  • Are firewalls still important? Making sense of networking's greatest security layer

    Firewalls have become the forgotten part of security and yet they are still the place an admin goes in a crisis

  • Software Now To Blame For 15 Percent Of Car Recalls

    Apps freezing or crashing, unexpected sluggishness, and sudden reboots are all, unfortunately, within the normal range of behavior of the software in our smartphones and laptops.

    While losing that text message you were composing might be a crisis for the moment, it’s nothing compared to the catastrophe that could result from software in our cars not playing nice.

    Yes, we’re talking about nightmares like doors flying open without warning, or a sudden complete shutdown on the highway.

    The number of software-related issues, according to several sources tracking vehicle recalls, has been on the rise. According to financial advisors Stout Risius Ross (SSR), in their Automotive Warranty & Recall Report 2016, software-related recalls have gone from less than 5 percent of recalls in 2011 to 15 percent by the end of 2015.

  • Effective IT security habits of highly secure companies

    Critics may claim that applying patches “too fast” will lead to operational issues. Yet, the most successfully secure companies tell me they don’t see a lot of issues due to patching. Many say they’ve never had a downtime event due to a patch in their institutional memory.

  • Introducing Security Snake Oil

    It has become quite evident that crowd-funding websites like KickStarter do not take any consideration to review the claims made by individuals in their cyber security products. Efforts made to contact them have gone unanswered and the misleading initiatives continue to be fruitless so as a community, we have to go after them ourselves.

  • CloudFlare is ruining the internet (for me) [iophk: "FB-like bottleneck and control for now available for self-hosted sites"]

    CloudFlare is a very helpful service if you are a website owner and don’t want to deal with separate services for CDN, DNS, basic DDOS protection and other (superficial) security needs. You can have all these services in a one stop shop and you can have it all for free. It’s hard to pass up the offer and go for a commercial solution. Generally speaking, CloudFlare service is as stable as they come, their downtime and service interruption are within the same margin as other similar services, at least to my experience. I know this because I have used them for two of my other websites, until recently.

    But what about the users? If you live in a First World Country then for the most part you probably wouldn’t notice much difference, other than better speed and response time for the websites using CloudFlare services, you will be happy to know that because of their multiple datacenter locations mostly in USA, Canada, Europe and China, short downtimes won’t result in service interruptions for you because you will be automatically rerouted to their nearest CloudFlare data center and they have plenty to go around within the first world countries.

Security Leftovers

Filed under
Security
  • Hackers, your favourite pentesting OS Kali Linux can now be run in a browser
  • Core Infrastructure Initiative announces investment in security tool OWASP ZAP

    The Linux Foundation’s Core Infrastructure Initiative (CII) is continuing its commitment to help fund, support and improve open-source projects with a new investment. The organization has announced it is investing in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP), a security tool designed to help developers identify vulnerabilities in their web apps.

  • The Linux Foundation's Core Infrastructure Initiative Invests in Security Tool for Identifying Web Application Vulnerabilities
  • Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk [Ed: Microsoft Windows poses greater risks. Does Microsoft put back doors in Windows (all versions)? Yes. Does it spy on users? Yes. So why focus only on Asian OEMs all the time?]

    Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BIOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

    Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

Canonical Patches ImageTragick Exploit in All Supported Ubuntu OSes, Update Now

Filed under
Security
Ubuntu

Today, June 2, 2016, Canonical published an Ubuntu Security Notice to inform the community about an important security update to the ImageMagick packages for all supported Ubuntu OSes.

Security Leftovers

Filed under
Security
  • Security advisories for Thursday
  • Hertz: Abusing privileged and unprivileged Linux containers
  • How LinkedIn’s password sloppiness hurts us all

    Me: "The full dump from the 2012 LinkedIn breach just dropped, so you're probably not going to see much of me over the next week."

    Wife: "Again?"

    Yes, again. If you're just waking up from a coma you would be forgiven for thinking that it's still 2012. But no, it's 2016 and the LinkedIn breach is back from the dead—on its four-year anniversary, no less. If you had a LinkedIn account in 2012, there's a 98 percent chance your password has been cracked.

    Back in 2012, fellow professional password cracker d3ad0ne (who regretfully passed away in 2013) and I made short work out of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week. Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak.

  • The Internet of Things

    A common question is whether or not IoT is something new and revolutionary or a buzzword for old ideas? The answer is “yes”…

    Much of the foundation of IoT has been around for quite a while. SCADA systems, or Supervisory Control And Data Acquisition has been around since the 1950’s managing electrical power grids, railroads, and factories. Machine communications over telephone lines and microwave links has been around since the 1960’s. Machine control systems, starting on mainframes and minicomputers, have also been around since the 1960’s.

    The big changes are economics, software, and integration. Microsensors and SoC (System on a Chip) technology for CPUs and networking are driving the cost of devices down – in some cases by a factor of a thousand! Advances in networking – both networking technology as well as the availability of pervasive networking – are changing the ground rules and economics for machine to machine communication.

  • Signal and Google Cloud Services

    I just installed Signal on my Android phone.

    It wasn't an easy decision. I have been running Cyanogenmod, a Google-free version of Android, and installing apps from F-Droid, a repository of free software android apps, for several years now. This setup allows me to run all the applications I need without Google accessing any of my cell phone data. It has been a remarkably successful experiment leaving me with all the phone software I need. And it's consistent with my belief that Google's size, reach and goals are a menace to the left's ability to develop the autonomous communications systems on the Internet that we need to achieve any meaningful political change.

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • How the Top 5 PC Makers Open Your Laptop to Hackers [iophk: "Windows again"]
  • Google plans to replace smartphone passwords with trust scores [iophk: "if you have to travel unexpectedly, you'll probably get locked out."]

    Goodbye, Password1. Goodbye, 12345. You’ve been hearing about it for years but now it might really be happening: the password is almost dead.

    At Google’s I/O developer conference, Daniel Kaufman, head of Google’s advanced technology projects, announced that the company plans to phase out password access to its Android mobile platform in favour of a trust score by 2017. This would be based on a suite of identifiers: what Wi-Fi network and Bluetooth devices you’re connected to and your location, along with biometrics, including your typing speed, voice and face.

    The phone’s sensors will harvest this data continuously to keep a running tally on how much it trusts that the user is you. A low score will suffice for opening a gaming app. But a banking app will require more trust.

Security Leftovers

Filed under
Security
  • Allwinner Leaves Root Exploit in Linux Kernel, Putting ARM Devices at Risk

    Running a Bitcoin node on your ARM single board computer? Fan of cheap Chinese tablets and smartphones? Maybe you contributed to the recent CHIP computer Kickstarter, or host a wallet on one of these devices. Well, if any of these applies to you, and your device is powered by an Allwinner SoC, you should probably wipe it and put an OS on it with the most recent kernel release. Why? Allwinner left a development “tool” on their ARM Linux kernel that allows anyone to root their devices with a single command. This oversight has serious security implications for any Allwinner powered device, especially so for those of us hosting sensitive data on them.

  • 5 steps to reduce cyber vulnerabilities

    The National Vulnerability Database (NVD) — the U.S. government’s repository of standards-based vulnerability management data — says 2015 was another blockbuster year for security vulnerabilities with an average of 17 new vulnerabilities added per day.

    While IT managers can somewhat breathe a collective sigh of relief that the total number of vulnerabilities actually decreased from 7,937 in 2014 to 6,270 in 2015, there’s no time to relax. According to NVD data, 37 percent of vulnerabilities reported in 2015 were classified as highly severe, up from 24 percent in 2014.

  • How to Get an Open Source Security Badge from CII

    Everybody loves getting badges. Fitbit badges, Stack Overflow badges, Boy Scout merit badges, and even LEED certification are just a few examples that come to mind. A recent 538 article "Even psychologists love badges" publicized the value of a badge.

  • 4 Steps To Secure Serverless Applications

    Serverless applications remove a lot of the operational burdens from your team. No more managing operating systems or running low level infrastructure.

    This lets you and your team focus on building…and that’s a wonderful thing.

  • IPv6 support finally coming to Fail2Ban with next major release

    The reaction to this headline from sysadmins who deploy Fail2Ban on an IPv6 enabled system is probably: “Fail2Ban doesn’t support IPv6‽” At least, that seems to be the reaction most admins have posted on forums and social media when they learn that Fail2Ban doesn’t support IPv6. Now Fail2Ban’s IPv4-only limitation is about to be lifted.

    Fail2Ban is a tool that identifies unwanted behaviors by monitoring service logs, and can act upon that by banning offending IP addresses temporarily. Up until recently, Fail2Ban only supported IPv4 although it’s almost certainly running on many IPv6 capable systems as well.

  • Tor Browser announces stable 6.0 release

    The Tor Browser team has announced the first stable version of its 6.0 release. It can be downloaded from the project's website.

    The browser is based on Firefox ESR and this release brings it up-to-date with Firefox 45-ESR, providing better support for HTML5 video on YouTube.

Security Leftovers (Primarily Windows)

Filed under
Security
  • Doing a 'full scan' of the Internet right now

    I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.

  • A Hacker Is Selling Dangerous Windows Exploit, Making All Versions Of OS Hackable

    A hacker is selling a dangerous zero day vulnerability on a Russian cybercrime website. This exploit is said to be affecting more than 1.5 billion Windows users as it works on all versions of Windows. The hacker wishes to sell the complete source code and demo of the exploit to any person who pays him $90,000 in bitcoin.

  • Microsoft warns of self-propagating ransomware

    The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.

    The ransomware would run at boot and drop a file autorun.inf in removable drives, a zycrypt.lnk in the start-up folder and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.

    It would then change the file attributes to hide itself from the user in file explorer.

  • Windows 10 Surface Book: Microsoft Keeps ‘Sleep of Death’ bug

    It seems like Microsoft will not be fixing the ‘Sleep of Death’ bug, even though most of the Surface Book users face the problem.

    During the recent quarterly earnings report, Microsoft pointed out that the Surface line is getting popularity in the market. Microsoft also said that it has turned out to be the growth leader in its More Personal Computing line of business.

    At the event, the company said that the device has brought 61 percent growth.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Security challenges for the Qubes build process

    Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us. Ideally, we would also somehow combine this with Intel SGX, but this might be trickier than it sounds.

  • Katy Perry’s Twitter Account With 90 Million Followers Hacked

    Notably, with 90 million followers, Katy Perry is the most followed person on the platform.

More in Tux Machines

Servo Night Builds Begin, Linux Packages Coming

The Mozilla developers working on the Servo browser layout engine and the Browser.html HTML-based web UI have kept to their goal of making a tech preview available in June. As of last night, the Servo developers hit their tech preview milestone we've been looking forward to seeing for months. Nightly builds of Servo and Browser.html have begun and they are going to be making available Linux packages shortly.

Android Leftovers

Leftovers: OSS

  • Modern open source systems management
    Open source IT systems management is undergoing a renaissance. Adopters include global, household-name enterprises, as well as a groundswell of IT operations teams that are borrowing flexible, collaborative practices from the Agile software development movement. Some open source IT systems management tools are familiar to most admins, with broad adoption -- think Nagios or the Elasticsearch, Logstash and Kibana stack. Others -- Docker is a prime example -- burst onto the scene recently and are shaking up IT deployments.
  • Code Alliance connects nonprofits with tech volunteers
    Code Alliance is a Benetech initiative that connects technology professionals to volunteer opportunities with open source software projects for social good. On the first day of the CHI4GOOD conference, we brought over 40 projects to the San Jose Convention Center to participate in a hack4good Day of Service event. More than 100 developers, UX designers, and researchers came together to help our nonprofit cohort with their technological needs. The nonprofits benefitted from expert technical development work, and the volunteers were gracious, skilled, and excited to leverage their professional skills to give back.
  • Nonprofit's Open Source Designs Reduce Cost Barriers for Startups
    A project that originated in "The Middle of Nowhere, Missouri," as the founders call it, aims to lower the barrier to entry across a number of industries, all while maintaining a sustainable footprint. It's called Open Source Ecology (OSE), the brainchild of Marcin Jakubowski, founder of the Factor E Farm in Missouri where OSE is based.
  • The Open Building Institute - A Sustainable Way to Build Modular Housing
  • Open Building Institute is revolutionizing sustainable home building through open-source technologies
  • Pulp Smash Introduction
    Pulp Smash is a functional test suite for Pulp. It’s used by the Pulp developers and Pulp QE team on a daily basis. It’s implemented as a GPL licensed pure Python library, and getting started is as simple as installing Python and executing the following...
  • How Oracle’s business as usual is threatening to kill Java
    Stop me if you've heard this one before: Oracle has quietly pulled funding and development efforts away from a community-driven technology where customers and partners have invested time and code. It all seems to be happening for no reason other than the tech isn't currently printing money. It's a familiar pattern for open source projects that have become the property of Oracle. It started with OpenSolaris and continued with OpenOffice.org. And this time, it's happening to Java—more specifically to Java Enterprise Edition (Java EE), the server-side Java technology that is part of hundreds of thousands of Internet and business applications. Java EE even plays an integral role for many apps that aren't otherwise based on Java. For months as Oracle Corporation's attorneys have battled Google in the courts over the use of Java interfaces in Android's Dalvik programming language, Oracle's Java development efforts have slowed. And in the case of Java EE, they've come to a complete halt. The outright freeze has caused concerns among companies that contribute to the Java platform and among other members of the Java community—a population that includes some of Oracle's biggest customers.
  • Friday's security updates

Openwashing