Security Leftovers

Filed under
Security

10 Best Linux Password Managers

Filed under
GNU
Linux
Security

Password managers are applications created to enable users to keep their passwords in a single place and absolve themselves of the need to remember every single one of their passwords.

They, in turn, encourage clients to use passwords that are as complex as possible and remember a single master password. Modern password managers even go an extra mile to keep other information such as card details, files, receipts, etc. safely locked away from prying eyes.

You might be wondering which password manager app will work best on your Linux machine and I am here to answer your question with my list of the 10 best Linux password managers.


Security: DNS, Windows, Kaspersky and Lethal USB

Filed under
Security
  • The wave of domain hijackings besetting the Internet is worse than we thought

    The report was published Wednesday by Cisco’s Talos security group. It indicates that three weeks ago, the hijacking campaign targeted the domain of Sweden-based consulting firm Cafax. Cafax’s only listed consultant is Lars-Johan Liman, who is a senior systems specialist at Netnod, a Swedish DNS provider. Netnod is also the operator of i.root, one of the Internet’s foundational 13 DNS root servers. Liman is listed as being responsible for the i-root. As KrebsOnSecurity reported previously, Netnod domains were hijacked in December and January in a campaign aimed at capturing credentials. The Cisco report assessed with high confidence that Cafax was targeted in an attempt to re-establish access to Netnod infrastructure.

  • New Windows Zero-Day Vulnerability Grants Hackers Full Control Over PCs [Ed: The NSA already had these permissions. Now everyone has these.]

    According to the latest Kaspersky Lab Report, a Windows Zero-Day vulnerability is serving as a backdoor for hackers to take control of users’ PCs.

    The latest exploit utilizes a use-after-free attack and has the technical name CVE-2019-0895. The exploit is found in win32k.sys and grants hackers local privileges, meaning they’re able to access resources usually outside of users’ capabilities.

  • New zero-day vulnerability CVE-2019-0859 in win32k.sys
  • AP Exclusive: Mysterious operative haunted Kaspersky critics

    He also asked Giles to repeat himself or speak louder so persistently that Giles said he began wondering “whether I should be speaking into his tie or his briefcase or wherever the microphone was.”

    “He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky,” said Giles, a Russia specialist with London’s Chatham House thinktank who often has urged caution about Kaspersky’s alleged Kremlin connections. “The angle he wanted to push was that individuals — like me — who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors.”

  • Feds: Saint Rose grad used 'killer' device to fry computers

    In 2016, College of Saint Rose graduate assistant Vishwanath Akuthota said he believed there was a "lot of opportunity" for him at the school.

    On Monday, federal prosecutors said he took advantage of a different kind of opportunity — access to campus — when he destroyed dozens of computers at a cost of more than $50,000.

  • Student Uses “USB Killer” To Fry $58,000 Worth of Computers

OpenSSH 8.0 released

Filed under
Security
BSD

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request.

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.
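As an added illustration of the client-side check the release note describes (this is example code, not OpenSSH's own implementation): a server-announced filename is accepted only if it is a bare basename that matches the glob the user requested. The shell-style rule that a wildcard does not match a leading dot is an assumption adopted here.

```python
import fnmatch
from typing import Iterable, List, Tuple


def server_name_is_acceptable(requested: str, received: str) -> bool:
    """Decide whether a filename announced by an scp server is one the
    client actually asked for.

    Illustration of the CVE-2019-6111 client-side check (added here; not
    OpenSSH's code). `requested` is the glob the user typed, e.g. "*.txt";
    `received` is the name the server sends ahead of the file body.
    """
    # The name must be a bare basename: an empty name, "." or "..", or
    # anything containing a path separator or NUL could be used to write
    # outside the target directory or to clobber files such as .bashrc.
    if received in ("", ".", "..") or "/" in received or "\x00" in received:
        return False
    # Shell glob semantics (assumption adopted here): a wildcard does not
    # match a leading dot unless the user's pattern itself starts with one.
    if received.startswith(".") and not requested.startswith("."):
        return False
    return fnmatch.fnmatchcase(received, requested)


def filter_server_names(requested: str, received: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split server-announced names into (accepted, rejected) lists."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in received:
        (accepted if server_name_is_acceptable(requested, name) else rejected).append(name)
    return accepted, rejected


# Constructed sample: the client ran `scp host:'*.txt' .` and a hostile
# server slips extra names into the stream alongside the requested ones.
SAMPLE_REQUEST = "*.txt"
SAMPLE_SERVER_NAMES = [
    "report.txt",               # legitimately requested
    "notes.txt",                # legitimately requested
    "../.ssh/authorized_keys",  # path traversal attempt
    ".bashrc",                  # dotfile clobber attempt
    "evil.txt/",                # contains a path separator
    "payload.sh",               # does not match the requested glob
]

if __name__ == "__main__":
    ok, bad = filter_server_names(SAMPLE_REQUEST, SAMPLE_SERVER_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```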


Security: Updates, Oracle, Cisco, Buzzwords and Wi-Fi 'Hacking'

Filed under
Security

Gentoo News: Nitrokey partners with Gentoo Foundation to equip developers with USB keys

Filed under
Gentoo
Security

The Gentoo Foundation has partnered with Nitrokey to equip all Gentoo developers with free Nitrokey Pro 2 devices. Gentoo developers will use the Nitrokey devices to store cryptographic keys for signing of git commits and software packages, GnuPG keys, and SSH accounts.

Thanks to the Gentoo Foundation and Nitrokey’s discount, each Gentoo developer is eligible to receive one free Nitrokey Pro 2. To receive their Nitrokey, developers will need to register with their @gentoo.org email address at the dedicated order form.

A Nitrokey Pro 2 Guide is available on the Gentoo Wiki with FAQ & instructions for integrating Nitrokeys into developer workflow.


The Ecuadorean Authorities Have No Reason to Detain Free Software Developer Ola Bini

Filed under
Development
OSS
Security

Hours after the ejection of Julian Assange from the London Ecuadorean embassy last week, police officers in Ecuador detained the Swedish citizen and open source developer Ola Bini. They seized him as he prepared to travel from his home in Quito to Japan, claiming that he was attempting to flee the country in the wake of Assange’s arrest. Bini had, in fact, booked the vacation long ago, and had publicly mentioned it on his twitter account before Assange was arrested.

Ola’s detention was full of irregularities, as documented by his lawyers. His warrant was for a “Russian hacker” (Bini is neither); he was not read his rights, allowed to contact his lawyer nor offered a translator.

The charges against him, when they were finally made public, are tenuous. Ecuador’s general prosecutor has stated that Bini was accused of “alleged participation in the crime of assault on the integrity of computer systems” and attempts to destabilize the country. The “evidence” seized from Ola’s home that Ecuadorean police showed journalists to demonstrate his guilt was nothing more than a pile of USB drives, hard drives, two-factor authentication keys, and technical manuals: all familiar property for anyone working in his field.

Ola is a free software developer, who worked to improve the security and privacy of the Internet for all its users. He has worked on several key open source projects, including JRuby, several Ruby libraries, as well as multiple implementations of the secure and open communication protocol OTR. Ola’s team at ThoughtWorks contributed to Certbot, the EFF-managed tool that has provided strong encryption for millions of websites around the world.

Like many people working on the many distributed projects defending the Internet, Ola has no need to work from a particular location. He traveled the world, but chose to settle in Ecuador because of his love of that country and of South America in general. At the time of his arrest, he was putting down roots in his new home, including co-founding Centro de Autonomia Digital, a non-profit devoted to creating user-friendly security tools, based out of Ecuador’s capital, Quito.


Security: Updates, Spectre/Meltdown and Why Not to Install Software Packages From the Internet

Filed under
Security
  • Security updates for Tuesday
  • Revised Patches Out For New Kernel "mitigations=" Option For Toggling Spectre/Meltdown [Ed: Profoundly defective chips aren't being recalled/replaced (or even properly fixed). All the cost is being passed to the victim, the client, who should instead be compensated. Corporate greed has no bounds. They also hide NSA back doors in these chips. Imperial.]

    The effort to provide a more convenient / easy to remember kernel option for toggling Spectre/Meltdown mitigations is out with a second revision and they have also shortened the option to remember.

    See the aforelinked article if the topic is new to you, but this is about an arguably long overdue ability to easily control the Spectre/Meltdown behavior -- or configurable CPU mitigations in general to security vulnerabilities -- via a single kernel flag/switch. For the past year and a half of Spectre/Meltdown/L1TF mitigations there have been various different flags to tweak the behavior of these mitigations, but not a single, easy-to-remember switch if, say, wanting to disable them in the name of restoring/better performance.

  • Why Not Install Software Packages From The Internet

    Someone from the Internet has told you not to execute random scripts you find on the Internet, and now you're reading why we shouldn't install software packages from the Internet. Or more specifically, the aim of this article is to explain why it's wise to stick to distribution-maintained packages and not those latest software packages we find out there on the Internet, even if they're distributed by the official brand's page.
    However, it's okay to download software packages that are not available in the distribution repository, but not vice versa. Read on below to learn more about why.

Debian Web Team, Debian Long Term Support, and Security Leftovers

Filed under
Security
Debian
  • Debian Web Team Sprint 2019

    The Debian Web team held a sprint for the first time, in Madrid (Spain) from March 15th to March 17th, 2019.

    We discussed the status of the Debian website in general, reviewed several important pages/sections and agreed on many things about how to improve them.

  • Freexian’s report about Debian Long Term Support, March 2019

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Raphaël Hertzog: Freexian’s report about Debian Long Term Support, March 2019

  • Your Favorite Ad Blocker Can Be Exploited To Infect PCs With Malicious Code

    In July 2018, the popular Adblock Plus software released its version 3.2 that brought a new feature called $rewrite. This feature allowed one to change the filter rules and decide which content got blocked and which didn’t. It was said that often there are content elements that are difficult to block. This feature was soon implemented by AdBlock as well as uBlock.

    In a troubling development, it has been revealed that this filter option can be exploited by notorious actors to inject arbitrary code into the web pages. With more than 100 million users of these ad blocking tools, this exploit has great potential to harm the web users.

  • Adblock Plus filter lists may execute arbitrary code in web pages

    A new version of Adblock Plus was released on July 17, 2018. Version 3.2 introduced a new filter option for rewriting requests. A day later AdBlock followed suit and released support for the new filter option. uBlock, being owned by AdBlock, also implemented the feature.

    Under certain conditions the $rewrite filter option enables filter list maintainers to inject arbitrary code in web pages.

    The affected extensions have more than 100 million active users, and the feature is trivial to exploit in order to attack any sufficiently complex web service, including Google services, while attacks are difficult to detect and are deployable in all major browsers.

  • Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong.

    The disputes are playing out in court. In a closely watched legal battle, Mondelez sued Zurich Insurance last year for a breach of contract in an Illinois court, and Merck filed a similar suit in New Jersey in August. Merck sued more than 20 insurers that rejected claims related to the NotPetya attack, including several that cited the war exemption. The two cases could take years to resolve.

    The legal fights will set a precedent about who pays when businesses are hit by a cyberattack blamed on a foreign government. The cases have broader implications for government officials, who have increasingly taken a bolder approach to naming-and-shaming state sponsors of cyberattacks, but now risk becoming enmeshed in corporate disputes by giving insurance companies a rationale to deny claims.

Security: DARPA, Updates, Microsoft Windows Incidents and Outlook Fiasco

Filed under
Security
  • DARPA Making An Anonymous And Hack-Proof Mobile Communication System

    The United States’ Defense Advanced Research Projects Agency, or DARPA, develops technologies that are deployed by the US army and sometimes the agency makes the technologies available for civilians as well. DARPA is behind many breakthrough technologies, including the internet itself, GPS, Unix, and Tor.

    Now, DARPA is currently working on an anonymous, end-to-end mobile communication system that would be attack-resilient and reside entirely within a contested network environment.

  • Security updates for Monday
  • Passwords and Policies | Roadmap to Securing Your Infrastructure
  • Adblock Plus filter lists may execute arbitrary code
  • FBI now investigating "RobinHood" ransomware attack on Greenville computers [Ed: Microsoft Windows TCO]
  • RobinHood Ransomware Is “Honest” And Promises To “Respect Your Privacy”

    The world of cybersecurity is full of surprises. From using Game of Thrones torrents to exploiting popular porn websites — notorious cybercriminals keep coming up with new ways to cause you harm.

    In a related development, a ransomware called RobinHood is spreading havoc in North Carolina, where the ransomware has crippled most city-owned PCs. The FBI is currently investigating the issue along with local authorities.

  • Purism at SCaLE 2019 – Retrospective on Secure PureBoot

    Once again, we were so busy we barely had the time to leave our booth: people were very interested in the Librem 5 devkit hardware, in the latest version of the Librem laptops and PureOS, on having the same apps for the Librem laptops and the Librem 5 phone… so we got to do the full pitch. On a less technical note, our swag was quite a success. People told us they loved our paper notebook and carpenter pencil, and asked questions about the pencils – which, according to Kyle Rankin, Chief Security Officer of Purism, have a section that is “kind of shaped like our logo”, and being carpenter pencils “are designed so you can sharpen them without having to use a proprietary pencil sharpener.” Visitors (and team) loved them for being beautiful, unusual and useful.

  • Hackers could read non-corporate Outlook.com, Hotmail for six months

    Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1 and March 28 of this year. Microsoft confirmed this to TechCrunch on Saturday.

    The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers affected by the hack had suffered unauthorized access to their emails and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

    Not in dispute is the broad character of the attack. Both hackers and Microsoft's breach notifications say that access to customer accounts came through compromise of a support agent's credentials. With these credentials, the hackers could use Microsoft's internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

  • Three encryption tools for the cloud

    Safeguard your cloud storage with some preemptive file encryption. Here are three open source tools that get the job done in Linux.

    From a security perspective, cloud storage ought never to have happened. The trouble is, it relies on the ability of users to trust the provider, yet often the only assurance available is the provider’s word. However, the convenience of cloud storage is too great for many companies and individuals to avoid it. Fortunately, security can be regained by users storing only encrypted files.

    Numerous tools exist for encrypting in the cloud. Some are proprietary. However, these solutions also require trust -- they only shift the trust requirement to a third party, and basic security requires the user to verify security for themselves.
