Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • How To Improve The Linux System’s Security Using Firejail

    As you already know, Linux kernel is secure by default. But, it doesn’t mean that the softwares on the Linux system are completely secure. Say for example, there is a possibility that any add-ons on your web browser may cause some serious security issues. While doing financial transactions over internet, some key logger may be active in browser which you are not aware of. Even though, we can’t completely give the bullet-proof security to our Linux box, we still can add an extra pinch of security using an application called Firejail. It is a security utility which can sandbox any such application and let it to run in a controlled environment. To put this simply, Firejail is a SUID (Set owner User ID up on execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.

  • “Httpd and Relayd Mastery” off to copyedit
  • Kalyna Block Cipher

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • FedEx Will Pay You $5 to Install Flash on Your Machine

    FedEx is making you an offer you can’t afford to accept. It’s offering to give you $5 (actually, it’s a discount on orders over $30) if you’ll just install Adobe Flash on your machine.

    Nobody who knows anything about online security uses Flash anymore, except when it’s absolutely necessary. Why? Because Flash is the poster child for the “security-vulnerability-of-the-hour” club — a group that includes another Adobe product, Acrobat. How unsafe is Flash? Let’s put it this way: seven years ago, Steve Jobs announced that Flash was to be forever banned from Apple’s mobile products. One of the reasons he cited was a report from Symantec that “highlighted Flash for having one of the worst security records in 2009.”

    Flash security hasn’t gotten any better since.

  • Every once in a while someone suggests to me that curl and libcurl would do better if rewritten in a “safe language”
  • An insecure dishwasher has entered the IoT war against humanity

    Regel says that he has contacted Miele on a number of occasions about the issue, but had failed to get a response to his missives, and this has no updated information on the vulnerability.

    He added, bleakly that "we are not aware of an actual fix."

  • Monday Witness: It's Time to Reconize a Civil Right Not to be Connected

    Along with death and taxes, two things appear inevitable. The first is that Internet of Things devices will not only be built into everything we can imagine, but into everything we can't as well. The second is that IoT devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway.

    What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.

  • Remember kids, if you're going to disclose, disclose responsibly!

    If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I'm not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things.

Security Leftovers

Filed under
Security
  • NSA: We Disclose 90% of the Flaws We Find

    In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.

  • EFF Launches Community Security Training Series

    EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL.

    [...]

    With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.

  • NextCloud, a security analysis

    First, I would like to scare everyone a little bit in order to have people appreciate the extent of this statement.

    As the figure that opens the post indicates, there are thousands of vulnerable Owncloud/NextCloud instances out there. It will surprise many just how easy is to detect those by trying out common URL paths during an IP sweep.

  • FedEx will deliver you $5.00 just to install Flash

    Bribes on offer as courier's custom printing service needs Adobe's security sinkhole

Security Leftovers

Filed under
Security
  • Google Threatens to Distrust Symantec SSL/TLS Certificates

    Google is warning that it intends to deprecate and remove trust in Symantec-issued SSL/TLS certificates, as Symantec shoots back that the move is unwarranted.

  • Hackers Stole My Website…And I Pulled Off A $30,000 Sting Operation To Get It Back

    I learned that my site was stolen on a Saturday. Three days later I had it back, but only after the involvement of fifty or so employees of six different companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a sting operation that probably should have starred Sandra Bullock instead of…well…me.

  • Google Summer of Code

    The Linux Foundation umbrella organization is responsible for this year's WireGuard GSoC, so if you're a student, write "Linux Foundation" as your mentoring organization, and then specify in your proposal your desire to work with WireGuard, listing "Jason Donenfeld" as your mentor.

  • Takeaways from Bruce Schneier’s talk: “Security and Privacy in a Hyper-connected World”

    Bruce Schneier is one of my favorite speakers when it comes to the topic of all things security. His talk from IBM Interconnect 2017, “Security and Privacy in a Hyper-connected World“, covered a wide range of security concerns.

  • [Older] Make America Secure Again: Trump Should Order U.S. Spy Agencies to Responsibly Disclose Cyber Vulnerabilities

    Last week, WikiLeaks released a trove of CIA documents that detail many of the spy agency’s hacking capabilities. These documents, if genuine (and early reports suggest that they are), validate concerns that U.S. spy agencies are stockpiling cybersecurity vulnerabilities. The intelligence community uses undisclosed vulnerabilities to develop tools that can penetrate the computer systems and networks of its foreign targets. Unfortunately, since everyone uses the same technology in today’s global economy, each of these vulnerabilities also represents a threat to American businesses and individuals. In the future, rather than hoard this information, the CIA and other intelligence agencies should commit to responsibly disclosing vulnerabilities it discovers to the private sector so that security holes can be patched.

  • Announcing Keyholder: Secure, shared shell access

    The new software is a ssh-agent proxy that allows a group of trusted users to share an SSH identity without exposing the contents of that identity’s private key.

    [...]

    A common use of the ssh-agent is to “forward” your agent to a remote machine (using the -A flag in the OpenSSH client). After you’ve forwarded your ssh-agent, you can use the socket that that agent creates to access any of your many (now unencrypted) keys, and login to any other machines for which you may have keys in your ssh-agent. So, too, potentially, can all the other folks that have root access to the machine to which you’ve forwarded your ssh-agent.

  • pitchfork

    After years of training journalists and NGOs communication and operational security, after years of conducting research into the tools and protocols used, it took some more years developing a reasonable answer to most of the issues encountered during all this time.

    In todays world of commercially available government malware you don't want to store your encryption keys on your easily infected computer. You want them stored on something that you could even take into a sauna or a hot-tub - maintaining continuous physical contact.

    So people who care about such things use external smartcard-based crypto devices like Ubikey Neos or Nitrokeys (formerly Cryptosticks). The problems with these devices is that you have to enter PIN codes on your computer that you shouldn't trust, that they are either designed for centralized use in organizations, or they are based mostly on PGP.

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • How worried should your organisation be about cyber espionage - and what can you do about it?

    Computerworld UK speaks with Jarno Niemela, senior security researcher at F-Secure.

  • Inverse Law of CVEs

    I've started a project to put the CVE data into Elasticsearch and see if there is anything clever we can learn about it. Ever if there isn't anything overly clever, it's fun to do. And I get to make pretty graphs, which everyone likes to look at.

  • eBay Asks Users to Downgrade Security

    The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

  • Practical basics of reproducible builds
  • License Agreements and Changes Are Coming

    The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want get into any specific details, and I certainly don’t know them all.

Security and Bugs

Filed under
Security
  • Security updates for Thursday
  • Devops embraces security measures to build safer software

    Devops isn’t simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that devops teams are increasingly adopting security automation to create better and safer software.

  • This Xfce Bug Is Wrecking Users’ Monitors

    The Xfce desktop environment for Linux may be fast and flexible — but it’s currently affected by a very serious flaw.

    Users of this lightweight alternative to GNOME and KDE have reported that the choice of default wallpaper in Xfce is causing damaging to laptop displays and LCD monitors.

    And there’s damning photographic evidence to back the claims up.

Security Leftovers

Filed under
Security
  • Windows flaw lets attackers take over A-V software

    A 15-year-old flaw in every version of Windows right from XP to Windows 10 allows a malicious attacker to take control of a system through the anti-virus software running on the system.

  • Google Continues to Make Strides in Improving Android Security
  • Google cites progress in Android security, but patching issues linger
  • Dark Matter

    Today, March 23rd 2017, WikiLeaks releases Vault 7 "Dark Matter", which contains documentation for several CIA projects that infect Apple Mac Computer firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA's Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain 'persistence' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

    Among others, these documents reveal the "Sonic Screwdriver" project which, as explained by the CIA, is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting" allowing an attacker to boot its attack software for example from a USB stick "even when a firmware password is enabled". The CIA's "Sonic Screwdriver" infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

Syndicate content

More in Tux Machines

Development News

Security Leftovers

  • How To Improve The Linux System’s Security Using Firejail
    As you already know, Linux kernel is secure by default. But, it doesn’t mean that the softwares on the Linux system are completely secure. Say for example, there is a possibility that any add-ons on your web browser may cause some serious security issues. While doing financial transactions over internet, some key logger may be active in browser which you are not aware of. Even though, we can’t completely give the bullet-proof security to our Linux box, we still can add an extra pinch of security using an application called Firejail. It is a security utility which can sandbox any such application and let it to run in a controlled environment. To put this simply, Firejail is a SUID (Set owner User ID up on execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.
  • “Httpd and Relayd Mastery” off to copyedit
  • Kalyna Block Cipher

Containers vs. Zones vs. Jails vs. VMs

  • Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs
    I’m tired of having the same conversation over and over again with people so I figured I would put it into a blog post. Many people ask me if I have tried or what I think of Solaris Zones / BSD Jails. The answer is simply: I have tried them and I definitely like them. The conversation then heads towards them telling me how Zones and Jails are far superior to containers and that I should basically just give up with Linux containers and use VMs. Which to be honest is a bit forward to someone who has spent a large portion of her career working with containers and trying to make containers more secure. Here is what I tell them:
  • [Old] Hadoop Has Failed Us, Tech Experts Say

    The Hadoop community has so far failed to account for the poor performance and high complexity of Hadoop, Johnson says. “The Hadoop ecosystem is still basically in the hands of a small number of experts,” he says. “If you have that power and you’ve learned know how to use these tools and you’re programmer, then this thing is super powerful. But there aren’t a lot of those people. I’ve read all these things how we need another million data scientists in the world, which I think means our tools aren’t very good.”

Wine and Games

  • [Wine] Packaging changes
    Today we want to announce some important changes regarding the Wine Staging packages provided at repos.wine-staging.com and dl.winehq.org. We completely reworked our build system to make the packages available sooner after a release and also added some new features, like downloading old packages for Debian / Ubuntu. The complete list of changes can be found in the announcement email on the Wine mailing list.
  • Planescape: Torment Enhanced Edition Announced for PC, Mac, Linux, and Mobile
  • Podcast #6 with Ethan Lee, Porter on Fez, Transistor
    Have you ever played Fez on Linux ? Transistor ? Speed Runners ? Shenzen I/O ? Bastion ? or more recently, Owlboy ? Well if you have, you have benefited from the work of Flibitijibibo who is directly responsible for the port of such titles to your platform.