Language Selection

English French German Italian Portuguese Spanish


Security Leftovers

Filed under

Making the Internet Safer, One Secure Site at a Time: Let’s Encrypt Hits 1 Million Certificates

Filed under

Let’s Encrypt today issued its one millionth free certificate (at 9:04am GMT to be exact), just about 100 days after it released its beta version of the service. This is a major accomplishment for the group, but also big news for the web and the security of everyone online.

In the past three months, our online activities and web traffic have become much safer and better protected through the efforts of Let’s Encrypt, an open source project that is hosted by The Linux Foundation and supported by organizations like Mozilla, Cisco, Electronic Frontier Foundation, Facebook, and Google Chrome.

Read more

Security Leftovers

Filed under

10 do's and don'ts for securing your Android device

Filed under

Afraid being mobile means being insecure? These Android security measures will give you some peace of mind.

Read more

Security Leftovers

Filed under
  • Friday's security updates
  • Top 10 Critical CVEs That Can Lead To A Data Breach And How To Fix Them
  • CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
  • How Mature is Your Vulnerability Coordination?

    Among the many best practices for security professionals is to have some process for handling inbound vulnerability reporting. So if someone finds a bug or exploit in a product or service, the company with the vulnerability is able to respond to a researcher and knows what to do with a report.

    It's a topic that security industry luminary Katie Moussouris, chief policy officer at HackerOne, is well versed in, as she is the author of the Vulnerability Coordination Maturity Model.

  • The Risk of Open WiFi on Display at RSA

    Security experts from around the globe descended on the Moscone Center here this week for the annual RSA Conference, which provided free WiFi throughout the sessions and exhibit halls. While the WiFi has been generally available, there has been one key problem with it--it's unencrypted.

  • A Day in the Life of Google's Security Chief

    Gerhard Eschelbeck, vice president of security engineering at Google, has one of the toughest jobs in IT security: He has to keep Google secure. In a session at the RSA Conference here March 1 titled "My Life as Chief Security Officer at Google," Eschelbeck gave attendees insight into how he spends his days working and his nights worrying about IT security.

  • DROWN Flaw Illustrates Dangers of Intentionally Weak Crypto

    Calls for encryption backdoors that date back to the 1990s are coming back to haunt the industry 20 years later with DROWN, security experts say. The flaw that researchers found with DROWN center around the fact that during the so called Crypto Wars of the 1990s President Bill Clinton’s administration insisted that US government have a way to break the encryption that was exported outside of the United States.

  • Truly Random Number Generator Promises Stronger Encryption Across All Devices, Cloud

    Before, Entropy Engine only worked on the local device. With NetRandom, they can feed randomness through the network and strengthen the encryption used by virtual machines, cloud instances, clients, servers, and embedded systems in Internet of Things devices. "One of them could support tens of thousands of virtual machines," says Newell.

  • RSA 2016: 4 Data Issues Faced by States, Localities in the Digital Age

    Industry experts discussed the risks, benefits and next steps around data in the government space during the 2016 RSA Conference in San Francisco.

  • How To Disable (Blacklist) Your Laptop Webcam & Microphone in Linux

    Since Linux isn't spyware and do not contain any backdoor like other popular operating system, that's another reason we all love to use this operating system. It is bit difficult for surveillance people to install an application on your Linux without special permissions or spyware doesn't work obviously on Linux like does on other OS's but if you install something from untrusted source or you physically gave access to somebody to your system then there might be chances that you can be victim of surveillance and the whole could be nightmare for you. There are couple of things you can do to prevent it like do a OS re-install or blacklist ports and non-removable devices like webcam and microphone, by the way you should physically cover your laptop and phone camera with sticker. So without further we go, lets start doing it.

  • Trouble at Linux Mint — and beyond [Ed: no more paywall]

    When the Linux Mint project announced that, for a while on February 20, its web site had been changed to point to a backdoored version of its distribution, the open-source community took notice. Everything we have done is based on the ability to obtain and install software from the net; this incident was a reminder that this act is not necessarily as safe as we would like to think. We would be well advised to think for a bit on the implications of this attack and how we might prevent similar attacks in the future.

Subgraph OS: Secure, Free, Open Source Linux Operating System For Non-technical Users

Filed under

To answer your security related concerns, Subgraph OS is here as a free, secure, open source Linux operating system for the non-technical users. This security-focused distro comes with complete TOR integration, full-disk encryption, OpenPGP mail integration, system hardening and other features. Know more about the OS and make your system secure.

Read more

JasPer Vulnerabilities Fixed in Ubuntu

Filed under

A couple of JasPer issues have been found and repaired in the Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS operating systems.

Read more

Security Leftovers

Filed under
  • Security advisories for Thursday
  • State Department Backs Off Criminalizing Security Research Tools

    Some good news for security researchers: the US government's adoption of the Wassenaar Arrangement will no longer treat the tools of security research like crates of machine guns. While exploits and penetration tools can be used by bad people for bad things, they're also invaluable to security researchers who use these to make the computing world a safer place.

    Vague wording in the US government's proposed adoption of the 2013 version of the Wassenaar Arrangement threatened to criminalize the development of security research tools and make any researcher traveling out of the country with a laptop full of exploits an exporter of forbidden weapons.

  • IRS Tool Designed To Protect Identity Theft Victims -- Exposes Users To Identity Theft

    Last year, the personal records of 100,000 taxpayers wound up in the hands of criminals, thanks to a flimsy authentication process in the agency's "Get Transcript" application. In short, the IRS used all-too-common static identifiers to verify taxpayer identity (information that could be found anywhere), allowing criminals to use the system to then obtain notably more sensitive taxpayer information and ultimately steal finances. At the time, the IRS breathlessly insisted it would be shoring up its security standards, though it failed to really detail how it would accomplish this.

  • 1Password sends your password across the loopback interface in clear text

    1Password sends your password in clear text across the loopback interface if you use the browser extensions.

  • Bruce Schneier: We're sleepwalking towards digital disaster and are too dumb to stop

    Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference – get smart or face a whole world of trouble.

    The level of interconnectedness of the world's technology is increasing daily, he said, and is becoming a world-sized web – which he acknowledged was a horrible term – made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.

  • Latest attack against TLS shows the pitfalls of intentionally weakening encryption

Perl Vulnerabilities Closed in All Supported Ubuntu OSes

Filed under

Canonical has detailed three Perl vulnerabilities that have been identified and fixed in Ubuntu 15.10, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS operating systems.

Read more

Security Leftovers

Filed under
Syndicate content

More in Tux Machines

Linux 4.8.4

I'm announcing the release of the 4.8.4 kernel. And yeah, sorry about the quicker releases, I'll be away tomorrow and as they seem to have passed all of the normal testing, I figured it would be better to get them out earlier instead of later. And I like releasing stuff on this date every year... All users of the 4.8 kernel series must upgrade. The updated 4.8.y git tree can be found at: git:// linux-4.8.y and can be browsed at the normal git web browser: Read more Also: Linux 4.7.10 Linux 4.4.27

New Releases: Budgie, Solus, SalentOS, and Slackel

  • Open-Source Budgie Desktop Sees New Release
    The pet parakeet of the Linux world, Budgie has a new release available for download. in this post we lookout what's new and tell you how you can get it.
  • Solus Linux Making Performance Gains With Its BLAS Configuration
    - Those making use of the promising Solus Linux distribution will soon find their BLAS-based workloads are faster. Solus developer Peter O'Connor tweeted this week that he's found some issues with the BLAS linking on the distribution and he's made fixes for Solus. He also mentioned that he uncovered these BLAS issues by using our Phoronix Test Suite benchmarking software.
  • SalentOS “Luppìu” 1.0 released!
    With great pleasure the team announces the release of SalentOS “Luppìu” 1.0.
  • Slackel "Live kde" 4.14.21
    This release is available in both 32-bit and 64-bit architectures, while the 64-bit iso supports booting on UEFI systems. The 64-bit iso images support booting on UEFI systems. The 32-bit iso images support both i686 PAE SMP and i486, non-PAE capable systems. Iso images are isohybrid.

Security News

  • Free tool protects PCs from master boot record attacks [Ed: UEFI has repeatedly been found to be both a detriment to security and enabler of Microsoft lock-in]
    Cisco's Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks. The tool, called MBRFilter, functions as a signed system driver and puts the disk's sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub. The master boot record (MBR) consists of executable code that's stored in the first sector (sector 0) of a hard disk drive and launches the operating system's boot loader. The MBR also contains information about the disk's partitions and their file systems. Since the MBR code is executed before the OS itself, it can be abused by malware programs to increase their persistence and gain a head start before antivirus programs. Malware programs that infect the MBR to hide from antivirus programs have historically been known as bootkits -- boot-level rootkits. Microsoft attempted to solve the bootkit problem by implementing cryptographic verification of the bootloader in Windows 8 and later. This feature is known as Secure Boot and is based on the Unified Extensible Firmware Interface (UEFI) -- the modern BIOS.
  • DDOS Attack On Internet Infrastructure
    I hope somebody's paying attention. There's been another big DDOS attack, this time against the infrastructure of the Internet. It began at 7:10 a.m. EDT today against Dyn, a major DNS host, and was brought under control at 9:36 a.m. According to Gizmodo, which was the first to report the story, at least 40 sites were made unreachable to users on the US East Coast. Many of the sites affected are among the most trafficed on the web, and included CNN, Twitter, PayPal, Pinterest and Reddit to name a few. The developer community was also touched, as GitHub was also made unreachable. This event comes on the heels of a record breaking 620 Gbps DDOS attack about a month ago that brought down security expert Brian Krebs' website, KrebsonSecurity. In that attack, Krebs determined the attack had been launched by botnets that primarily utilized compromised IoT devices, and was seen by some as ushering in a new era of Internet security woes.
  • This Is Why Half the Internet Shut Down Today [Update: It’s Getting Worse]
    Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.
  • Major DNS provider Dyn hit with DDoS attack
    Attacks against DNS provider Dyn continued into Friday afternoon. Shortly before noon, the company said it began "monitoring and mitigating a DDoS attack" against its Dyn Managed DNS infrastructure. The attack may also have impacted Managed DNS advanced service "with possible delays in monitoring."
  • What We Know About Friday’s Massive East Coast Internet Outage
    Friday morning is prime time for some casual news reading, tweeting, and general Internet browsing, but you may have had some trouble accessing your usual sites and services this morning and throughout the day, from Spotify and Reddit to the New York Times and even good ol’ For that, you can thank a distributed denial of service attack (DDoS) that took down a big chunk of the Internet for most of the Eastern seaboard. This morning’s attack started around 7 am ET and was aimed at Dyn, an Internet infrastructure company headquartered in New Hampshire. That first bout was resolved after about two hours; a second attack began just before noon. Dyn reported a third wave of attacks a little after 4 pm ET. In all cases, traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests from tens of millions of IP addresses disrupting the system. Late in the day, Dyn described the events as a “very sophisticated and complex attack.” Still ongoing, the situation is a definite reminder of the fragility of the web, and the power of the forces that aim to disrupt it.
  • Either IoT will be secure or the internet will be crippled forever
    First things first a disclaimer. I neither like nor trust the National Security Agency (NSA). I believe them to be mainly engaged in economic spying for the corporate American empire. Glenn Greenwald has clearly proven that in his book No Place to Hide. At the NSA, profit and power come first and I have no fucking clue as to how high they prioritize national security. Having said that, the NSA should hack the Internet of (insecure) Things (IoT) to death. I know Homeland Security and the FBI are investigating where the DDoS of doomsday proportions is coming from and the commentariat is already screaming RUSSIA! But it is really no secret what is enabling this clusterfuck. It’s the Mirai botnet. If you buy a “smart camera” from the Chinese company Hangzhou XiongMai Technologies and do not change the default password, it will be part of a botnet five minutes after you connect it to the internet. We were promised a future where we would have flying cars but we’re living in a future where camera’s, light-bulbs, doorbells and fridges can get you in serious trouble because your home appliances are breaking the law.
  • IoT at the Network Edge
    Fog computing, also known as fog networking, is a decentralized computing infrastructure. Computing resources and application services are distributed in logical, efficient places at any points along the connection from the data source (endpoint) to the cloud. The concept is to process data locally and then use the network for communicating with other resources for further processing and analysis. Data could be sent to a data center or a cloud service. A worthwhile reference published by Cisco is the white paper, "Fog Computing and the Internet of Things: Extend the Cloud to Where the Things Are."
  • Canonical now offers live kernel patching for Ubuntu 16.04 LTS users
    Canonical has announced its ‘Livepatch Service’ which any user can enable on their current installations to eliminate the need for rebooting their machine after installing an update for the Linux kernel. With the release of Linux 4.0, users have been able to update their kernel packages without rebooting, however, Ubuntu will be the first distribution to offer this feature for free.
  • ​The Dirty Cow Linux bug: A silly name for a serious problem
    Dirty Cow is a silly name, but it's a serious Linux kernel problem. According to the Red Hat bug report, "a race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
  • Ancient Privilege Escalation Bug Haunts Linux
  • October 21, 2016 Is Dirty COW a serious concern for Linux?
  • There is a Dirty Cow in Linux
  • Red Hat Discovers Dirty COW Archaic Linux Kernel Flaw Exploited In The Wild
  • Linux kernel bug being exploited in the wild
  • Update Linux now: Critical privilege escalation security flaw gives hackers full root access
  • Linux kernel bug: DirtyCOW “easyroot” hole and what you need to know
  • 'Most serious' Linux privilege-escalation bug ever discovered
  • New 'Dirty Cow' vulnerability threatens Linux systems
  • Serious Dirty Cow Linux Vulnerability Under Attack
  • Easy-to-exploit rooting flaw puts Linux PCs at risk
  • Linux just patched a vulnerability it's had for 9 years
  • Dirty COW Linux vulnerability has existed for nine years
  • 'Dirty Cow' Linux Vulnerability Found
  • 'Dirty Cow' Linux Vulnerability Found After Nine Years
  • FakeFile Trojan Opens Backdoors on Linux Computers, Except openSUSE
    Malware authors are taking aim at Linux computers, more precisely desktops and not servers, with a new trojan named FakeFile, currently distributed in live attacks. Russian antivirus vendor Dr.Web discovered this new trojan in October. The company's malware analysts say the trojan is spread in the form of an archived PDF, Microsoft Office, or OpenOffice file.

today's howtos