Security

Security Leftovers

Filed under
Security

10 Best Linux Password Managers

Filed under
GNU
Linux
Security

Password managers are applications created to enable users to keep their passwords in a single place and absolve themselves of the need to remember every single one of their passwords.

They, in turn, encourage clients to use passwords that are as complex as possible and remember a single master password. Modern password managers even go an extra mile to keep other information such as card details, files, receipts, etc. safely locked away from prying eyes.

You might be wondering which password manager app will work best on your Linux machine and I am here to answer your question with my list of the 10 best Linux password managers.

Security: DNS, Windows, Kaspersky and Lethal USB

Filed under
Security
  • The wave of domain hijackings besetting the Internet is worse than we thought

    The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the hijacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.

  • New Windows Zero-Day Vulnerability Grants Hackers Full Control Over PCs [Ed: The NSA already had these permissions. Now everyone has these.]

    According to the latest Kaspersky Lab Report, a Windows Zero-Day vulnerability is serving as a backdoor for hackers to take control of users’ PCs.

    The latest exploit utilizes a use-after-free attack and has the technical name CVE-2019-0895. The exploit is found in win32k.sys and grants hackers Local Privilege, meaning they’re able to access resources usually outside of users’ capabilities.

  • New zero-day vulnerability CVE-2019-0859 in win32k.sys
  • AP Exclusive: Mysterious operative haunted Kaspersky critics

    He also asked Giles to repeat himself or speak louder so persistently that Giles said he began wondering “whether I should be speaking into his tie or his briefcase or wherever the microphone was.”

    “He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky,” said Giles, a Russia specialist with London’s Chatham House thinktank who often has urged caution about Kaspersky’s alleged Kremlin connections. “The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors.”

  • Feds: Saint Rose grad used 'killer' device to fry computers

    In 2016, College of Saint Rose graduate assistant Vishwanath Akuthota said he believed there was a "lot of opportunity" for him at the school.

    On Monday, federal prosecutors said he took advantage of a different kind of opportunity — access to campus — when he destroyed dozens of computers at a cost of more than $50,000.

  • Student Uses “USB Killer” To Fry $58,000 Worth of Computers

OpenSSH 8.0 released

Filed under
Security
BSD

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request.

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.
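
The filename check described in the release note, as an added example modeled on that description rather than on OpenSSH's own C code: a sink-side parser for the scp `C`/`D` header, a simplified model of the pre-8.0 behaviour (the name is parsed but never compared with the request), and the hardened check beside it. It assumes the requested argument may be a glob, so the basename is matched with `fnmatch`; the sample headers are constructed.

```python
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ScpHeader:
    """One sink-side scp directive: 'C' announces a file, 'D' a directory."""
    kind: str
    mode: int
    size: int
    name: str


def parse_scp_header(line: str) -> ScpHeader:
    """Parse a source-side header such as 'C0644 1234 notes.txt'."""
    if not line or line[0] not in "CD":
        raise ValueError(f"unsupported scp directive: {line!r}")
    parts = line[1:].split(" ", 2)  # the name itself may contain spaces
    if len(parts) != 3:
        raise ValueError(f"malformed scp header: {line!r}")
    mode_str, size_str, name = parts
    try:
        mode = int(mode_str, 8)
        size = int(size_str, 10)
    except ValueError as exc:
        raise ValueError(f"malformed scp header: {line!r}") from exc
    if size < 0:
        raise ValueError(f"negative size in scp header: {line!r}")
    return ScpHeader(line[0], mode, size, name)


def is_plain_component(name: str) -> bool:
    """True if the name is a single path component that stays in the target dir."""
    return name not in ("", ".", "..") and "/" not in name and "\0" not in name


def accept_legacy(header: str, requested: str) -> Tuple[bool, str]:
    """Constructed model of the weakness: the name is parsed but never compared
    with what the client asked for, so a hostile server chooses the local path."""
    h = parse_scp_header(header)
    return True, f"accepted {h.name!r} (no check against {requested!r})"


def accept_hardened(header: str, requested: str) -> Tuple[bool, str]:
    """8.0-style check: the name must be a plain component and must match the
    basename of the command-line argument, treated as a glob pattern."""
    h = parse_scp_header(header)
    if not is_plain_component(h.name):
        return False, f"rejected {h.name!r}: not a plain filename"
    pattern = posixpath.basename(requested)
    if not fnmatch.fnmatchcase(h.name, pattern):
        return False, f"rejected {h.name!r}: does not match requested {pattern!r}"
    return True, f"accepted {h.name!r}"


def audit_session(requested: str, headers: List[str]) -> List[Tuple[str, bool, str]]:
    """Run the hardened check over every header a server sent in one transfer."""
    results = []
    for header in headers:
        ok, reason = accept_hardened(header, requested)
        results.append((parse_scp_header(header).name, ok, reason))
    return results


if __name__ == "__main__":
    # Constructed transfer: the client asked for one file; the server answers
    # with that file plus two names it was never asked for.
    requested = "report.pdf"
    hostile = ["C0644 11 report.pdf", "C0644 34 .bashrc",
               "C0644 5 ../.ssh/authorized_keys"]
    for header in hostile:
        print("legacy  :", accept_legacy(header, requested)[1])
        print("hardened:", accept_hardened(header, requested)[1])
```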

Security: Updates, Oracle, Cisco, Buzzwords and Wi-Fi 'Hacking'

Filed under
Security

Gentoo News: Nitrokey partners with Gentoo Foundation to equip developers with USB keys

Filed under
Gentoo
Security

The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.

Thanks to the Gentoo Foundation and Nitrokey’s discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.

A Nitrokey Pro 2 Guide is available on the Gentoo Wiki with FAQ & instructions for integrating Nitrokeys into developer workflow.

The Ecuadorean Authorities Have No Reason to Detain Free Software Developer Ola Bini

Filed under
Development
OSS
Security

Hours after the ejection of Julian Assange from the London Ecuadorean embassy last week, police officers in Ecuador detained the Swedish citizen and open source developer Ola Bini. They seized him as he prepared to travel from his home in Quito to Japan, claiming that he was attempting to flee the country in the wake of Assange’s arrest. Bini had, in fact, booked the vacation long ago, and had publicly mentioned it on his twitter account before Assange was arrested.

Ola’s detention was full of irregularities, as documented by his lawyers. His warrant was for a “Russian hacker” (Bini is neither); he was neither read his rights, nor allowed to contact his lawyer, nor offered a translator.

The charges against him, when they were finally made public, are tenuous. Ecuador’s general prosecutor has stated that Bini was accused of “alleged participation in the crime of assault on the integrity of computer systems” and attempts to destabilize the country. The “evidence” seized from Ola’s home that Ecuadorean police showed journalists to demonstrate his guilt was nothing more than a pile of USB drives, hard drives, two-factor authentication keys, and technical manuals: all familiar property for anyone working in his field.

Ola is a free software developer, who worked to improve the security and privacy of the Internet for all its users. He has worked on several key open source projects, including JRuby, several Ruby libraries, as well as multiple implementations of the secure and open communication protocol OTR. Ola’s team at ThoughtWorks contributed to Certbot, the EFF-managed tool that has provided strong encryption for millions of websites around the world.

Like many people working on the many distributed projects defending the Internet, Ola has no need to work from a particular location. He traveled the world, but chose to settle in Ecuador because of his love of that country and of South America in general. At the time of his arrest, he was putting down roots in his new home, including co-founding Centro de Autonomia Digital, a non-profit devoted to creating user-friendly security tools, based out of Ecuador’s capital, Quito.

Security: Updates, Spectre/Meltdown and Why Not to Install Software Packages From the Internet

Filed under
Security
  • Security updates for Tuesday
  • Revised Patches Out For New Kernel "mitigations=" Option For Toggling Spectre/Meltdown [Ed: Profoundly defective chips aren't being recalled/replaced (or even properly fixed). All the cost is being passed to the victim, the client, who should instead be compensated. Corporate greed has no bounds. They also hide NSA back doors in these chips. Imperial.]

    The effort to provide a more convenient / easy to remember kernel option for toggling Spectre/Meltdown mitigations is out with a second revision and they have also shortened the option to remember.

    See the aforelinked article if the topic is new to you, but this is about an arguably long overdue ability to easily control the Spectre/Meltdown behavior -- or configurable CPU mitigations to security vulnerabilities in general -- via a single kernel flag/switch. For the past year and a half of Spectre/Meltdown/L1TF mitigations there have been various flags to tweak the behavior of these mitigations, but no single, easy-to-remember switch if, say, one wants to disable them in the name of restoring or improving performance.

  • Why Not Install Software Packages From The Internet

    Someone from the Internet has told you not to execute random scripts you find on the Internet, and now you're reading why we shouldn't install software packages from the Internet. More specifically, the aim of this article is to explain why it's wise to stick to distribution-maintained packages rather than the latest software packages we find out there on the Internet, even when they are distributed by the official brand's page.
    However, it's okay to download software packages that are not available in the distribution repository, but not vice versa. Read on below to learn more about why.

Debian Web Team, Debian Long Term Support, and Security Leftovers

Filed under
Security
Debian
  • Debian Web Team Sprint 2019

    The Debian Web team held a sprint for the first time, in Madrid (Spain) from March 15th to March 17th, 2019.

    We discussed the status of the Debian website in general, reviewed several important pages/sections and agreed on many ways to improve them.

  • Freexian’s report about Debian Long Term Support, March 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Raphaël Hertzog: Freexian’s report about Debian Long Term Support, March 2019

  • Your Favorite Ad Blocker Can Be Exploited To Infect PCs With Malicious Code

    In July 2018, the popular Adblock Plus software released its version 3.2 that brought a new feature called $rewrite. This feature allowed one to change the filter rules and decide which content got blocked and which didn’t. It was said that often there are content elements that are difficult to block. This feature was soon implemented by AdBlock as well as uBlock.

    In a troubling development, it has been revealed that this filter option can be exploited by notorious actors to inject arbitrary code into the web pages. With more than 100 million users of these ad blocking tools, this exploit has great potential to harm the web users.

  • Adblock Plus filter lists may execute arbitrary code in web pages

    A new version of Adblock Plus was released on July 17, 2018. Version 3.2 introduced a new filter option for rewriting requests. A day later AdBlock followed suit and released support for the new filter option. uBlock, being owned by AdBlock, also implemented the feature.

    Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.

    The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.

  • Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.

    The disputes are playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court, and Merck filed a similar suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. The two cases could take years to resolve.

    The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.

Security: DARPA, Updates, Microsoft Windows Incidents and Outlook Fiasco

Filed under
Security
  • DARPA Making An Anonymous And Hack-Proof Mobile Communication System

    The United States’ Defense Advanced Research Projects Agency, or DARPA, develops technologies that are deployed by the US army and sometimes the agency makes the technologies available for civilians as well. DARPA is behind many breakthrough technologies, including the internet itself, GPS, Unix, and Tor.

    Now, DARPA is currently working on an anonymous, end-to-end mobile communication system that would be attack-resilient and reside entirely within a contested network environment.

  • Security updates for Monday
  • Passwords and Policies | Roadmap to Securing Your Infrastructure
  • Adblock Plus filter lists may execute arbitrary code
  • FBI now investigating "RobinHood" ransomware attack on Greenville computers [Ed: Microsoft Windows TCO]
  • RobinHood Ransomware Is “Honest” And Promises To “Respect Your Privacy”

    The world of cybersecurity is full of surprises. From using Game of Thrones torrents to exploiting popular porn websites — notorious cybercriminals keep coming up with new ways to cause you harm.

    In a related development, a ransomware called RobinHood is spreading havoc in North Carolina, where the ransomware has crippled most city-owned PCs. The FBI is currently investigating the issue along with local authorities.

  • Purism at SCaLE 2019 – Retrospective on Secure PureBoot

    Once again, we were so busy we barely had the time to leave our booth: people were very interested in the Librem 5 devkit hardware, in the latest version of the Librem laptops and PureOS, on having the same apps for the Librem laptops and the Librem 5 phone… so we got to do the full pitch. On a less technical note, our swag was quite a success. People told us they loved our paper notebook and carpenter pencil, and asked questions about the pencils – which, according to Kyle Rankin, Chief Security Officer of Purism, have a section that is “kind of shaped like our logo”, and being carpenter pencils “are designed so you can sharpen them without having to use a proprietary pencil sharpener.” Visitors (and team) loved them for being beautiful, unusual and useful.

  • Hackers could read non-corporate Outlook.com, Hotmail for six months

    Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1 and March 28 of this year. Microsoft confirmed this to TechCrunch on Saturday.

    The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers affected by the hack had suffered unauthorized access to their emails and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

    Not in dispute is the broad character of the attack. Both hackers and Microsoft's breach notifications say that access to customer accounts came through compromise of a support agent's credentials. With these credentials, the hackers could use Microsoft's internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

  • Three encryption tools for the cloud

    Safeguard your cloud storage with some preemptive file encryption. Here are three open source tools that get the job done in Linux.

    From a security perspective, cloud storage ought never to have happened. The trouble is, it relies on the ability of users to trust the provider, yet often the only assurance available is the provider’s word. However, the convenience of cloud storage is too great for many companies and individuals to avoid it. Fortunately, security can be regained by users storing only encrypted files.

    Numerous tools exist for encrypting in the cloud. Some are proprietary. However, these solutions also require trust -- they only shift the trust requirement to a third party, and basic security requires the user to verify security for themselves.
