
Security Leftovers

  • Security updates for Friday
  • Security updates for Thursday
  • Black Hat Researchers Hack Rifle for Fun

    "The reason we started doing this in the first place is Runa [Sandvik] is from Norway and has a very romanticized vision of the U.S., so loving all things America, we needed to go to a gun show," Augur said.

    At the gun show, Sandvik became interested in the TrackingPoint weapon after learning that it is a Linux-powered device that could be connected to a phone via a mobile app.

  • And even Wintel is not safe

    At the annual Black Hat conference delegates have been shown a new exploit for Intel and AMD x86 central processor units that has hitherto existed since 1977!

    [...]

    Christopher Domas, a security researcher with the Battelle Memorial Institute, discovered the flaw. “By leveraging the flaw, attackers could install a rootkit in the processor's System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers. Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface), the modern BIOS, or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn’t help, because they too rely on the SMM to be secure. The attack essentially breaks the hardware roots of trust,” Domas said.

  • HTML5 privacy hole left users open to tracking for three years

    A feature of HTML5 that allows sites to detect battery life on a visitor's device can also be used to track behaviour, a piece of research has revealed.

  • Sick of Flash security holes? HTML5 has its own

    HTML5 has been billed as the natural, standards-based successor to proprietary plug-ins such as Adobe's Flash Player for providing rich multimedia services on the Web. But when it comes to security, one of Flash's major weaknesses, HTML5 is no panacea.

    In fact, HTML5 has security issues of its own. Julien Bellanger, CEO of application security monitoring firm Prevoty, says HTML5 makes security more complex, not simpler. HTML5 security has been a question mark for years, and it has not improved over the stretch, he says.

  • Attackers can access Dropbox, Google Drive, OneDrive files without a user's password

    The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.

  • SDN switches aren't hard to compromise, researcher says

    Onie is a small, Linux-based operating system that runs on a bare-metal switch. A network operating system is installed on top of Onie, which is designed to make it easy and fast for the OS to be swapped with a different one.

  • Open Network Switches Pose Security Risk, Researcher Says

    At the Black Hat show, a security expert demonstrates how vulnerable SDN switches that use the ONIE software are open to attacks by hackers.

  • OPM wins Pwnie, Google on Android security, DoJ on CFAA: Black Hat 2015 roundup

    Black Hat USA is finishing up in Las Vegas. News from its 18th year includes nuclear nightmares, Department of Justice on computer crime and research, Google on the state of Android security and much more.

  • on the detection of quantum insert

    The NSA has a secret project that can redirect web browsers to sites containing more sophisticated exploits called QUANTUM INSERT. (Do I still need to say allegedly?) It works by injecting packets into the TCP stream, though overwriting the stream may be a more accurate description. Refer to Deep dive into QUANTUM INSERT for more details. At the end of that post, there’s links to some code that can help one detect QI attacks in the wild. As noted by Wired and Bruce Schneier, among dozens of others, now we can defend ourselves against this attack (well, at least detect it).
