Security

Linux Kernel 4.6.3 Has Multiple Networking Improvements, Better SPARC Support

Filed under
Linux
Security

Today, June 24, 2016, renowned Linux kernel developer Greg Kroah-Hartman has announced the general availability of the third maintenance release for the Linux 4.6 kernel series.

Linux kernel 4.6.3 is here two weeks after the release of the second maintenance update in the series, Linux kernel 4.6.2, to change a total of 88 files, with 1302 insertions and 967 deletions. Unfortunately, very few GNU/Linux distributions have adopted the Linux 4.6 series, despite the fact that Greg Kroah-Hartman urged everyone to move to this most advanced kernel branch as soon as possible from Linux 4.5, which reached end of life.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Google Hacker Donates His $15,000 Bug Bounty Cash Award To Charity

    Google’s leading security engineer Tavis Ormandy recently won a bug bounty challenge run by security solutions firm Bromium and decided to donate the money to charity. Following his gesture, Bromium matched Ormandy’s donation and donated $15,000 to the Amnesty International organization.

  • Mozilla Awards $385,000 to Open Source Projects as part of MOSS “Mission Partners” Program

    For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”

  • TOR Project And Security Experts Making A “Hardened” Version Of TOR To Defeat FBI

    The TOR Project is working closely with security researchers to implement a new technique to secure the TOR Browser against the FBI’s de-anonymization exploits. Called “Selfrando”, this technique will fight the FBI’s “Code Reuse” exploits and create a “hardened” version of TOR.

Security Leftovers

Filed under
Security
  • New RAA ransomware written in JavaScript discovered

    A new variety of ransomware called RAA has been discovered that has the somewhat unusual attribute of being coded in JavaScript instead of one of the more standard programming languages, making it more effective in certain situations.

  • Want To Be A Cool Security Guru?

    Well, it will take some work; security is not like what they show on TV. You don’t need green-on-black text, special goggles or an unlimited enhance function. Instead, it requires sitting down and understanding the history of the field, what it means to be “secure” and what limitations or assumptions you can work under. This summer I have decided to start my journey into the vast field of cryptography and am doing an online course at Stanford University that provides an introduction to cryptography. It is appropriately named “Cryptography I” and is the first part of a two-part course, the second part being offered later in the Fall. Both are taught by a really awesome professor, Dan Boneh, who I find explains the material very well. I decided I would like to make some posts about what I have learned in this course as I go through the material, so that I can share my knowledge and get a chance to write it down somewhere for later reference.

  • WordPress 4.5.3 Maintenance and Security Release

    WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Security Leftovers

Filed under
Security
  • Security advisories for Monday
  • BadTunnel: Critical vulnerability affects every version of Microsoft's OS since Windows 95

    A security researcher from Tencent, China's largest internet service portal, has discovered a critical security flaw in Microsoft's Windows operating system that affects every single version of Windows over the last two decades, from Windows 95 all the way to Windows 10.

  • Decentralized Security

    If you're a fan of the cryptocurrency projects, you've heard of something called Ethereum. It's similar to bitcoin, but is a separate coin. It's been in the news lately due to an attack on the currency. Nobody is sure how this story will end at this point; there are a few possible options, and none are good. This got me thinking about the future of security: there are some parallels when you compare traditional currency to cryptocurrency, as well as where we see security heading (stick with me here).

    The current way currency works is there is some central organization that is responsible for minting and controlling the currency, usually a country. There are banks, exchanges, loans, interest, physical money, and countless other ways the currency interacts with society. We will compare this to how IT security has mostly worked in the past. You had one large organization responsible for everything. If something went wrong, you could rely on the owner to take control and make things better. There are some instances where this isn't true, but in general it holds.

    Now if we look at cryptocurrency, there isn't really a single group or person in charge. That's the whole point though. The idea is to have nobody in charge so the currency can be used with some level of anonymity. You don't have to rely on some sort of central organization to give the currency legitimacy, the system itself has legitimacy built in.

Parrot Security OS 3.0 Ethical Hacking Distro Is Out, Now Ready for Raspberry Pi

Filed under
OS
Security

Parrot Security OS developer Frozenbox Network was extremely proud to announce the release of the final Parrot Security OS 3.0 "Lithium" computer operating system.


Security Leftovers

Filed under
Security
  • Making a Case for Security Analytics

    Being a victim of a data breach no longer results in a slap on the wrist. Instead it can lead to costly fines, job loss, physical damage and an organization's massive loss of reputation. Case in point: Target. Following its high-profile breach in late 2013, Target suffered large losses in market valuation and paid more than $100 million in damages.

  • GoToMyPC password hack – urgent, change passwords NOW

    If you use the popular Citrix GoToMyPC remote access product for macOS, Windows, Kindle, iOS, and Android you will need to change all passwords now.

  • Web Application Defender's Field Report: Account Takeover Campaigns Spotlight

    ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi. The goal of the attacks is to identify valid login credential data that can then be sold to gain fraudulent access to user accounts. ATO may be considered a subset of brute force attacks; however, it is an increasing threat because it is harder to identify such attacks through traditional individual account authentication errors. The Akamai Threat Research Team analyzed web login transactions for one week across our customer base to identify ATO attack campaigns.

  • Google's security princess talks cybersecurity

    Her talk was even-keeled, informative, and included strong FOSS messaging about everyone's vested interest in internet security and privacy. After the talk was done, I watched her take audience questions (long enough for me to take a short conference call) where she patiently and handily fielded all manner of queries from up and down the stack.

BusyBotNet is a Fork of Busybox with Security Tools

Filed under
OSS
Security

Busybox provides a lightweight version of common command line utilities normally found on “big” Linux in a single binary, in order to bring them to embedded systems with limited memory and storage. As more and more embedded systems are now connected to the Internet, or as they are called nowadays, Internet of Things nodes, adding security tools, such as cryptographic utilities, could prove useful for administrators of such systems, and so the BusyBotNet project was born out of a fork of Busybox.

Security Leftovers

Filed under
Security
  • Intel x86s hide another CPU that can take over your machine (you can't audit it)

    Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

  • Let’s Encrypt Accidentally Spills 7,600 User Emails

    Certificate authority Let’s Encrypt accidentally disclosed the email addresses of several thousand of its users this weekend.

    Josh Aas, Executive Director for the Internet Security Research Group (ISRG), the nonprofit group that helped launch the CA, apologized for the error on Saturday. In what Let’s Encrypt dubbed a preliminary report posted shortly after it happened, Aas blamed the faux pas on a bug in the automated email system the group uses.

  • phpMyAdmin Project Successfully Completes Security Audit

    Software Freedom Conservancy congratulates its phpMyAdmin project on successfully completing a thorough security audit, as part of Mozilla's Secure Open Source Fund. No serious issues were found in the phpMyAdmin codebase.

  • StartCom launches a new service - StartEncrypt

    StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, today announces a new service, StartEncrypt, an automatic SSL certificate issuance and installation software for your web server.
