Language Selection

English French German Italian Portuguese Spanish

Security

IPFire 2.19 Linux Firewall OS Patched Against the Latest OpenSSL Vulnerabilities

Filed under
Linux
Security

Only three days after announcing the release of IPFire 2.19 Core Update 104, Michael Tremer informs the community about the availability of a new update, Core Update 105, which brings important OpenSSL patches.

Read more

Tor Project Releases Tor (The Onion Router) 0.2.8.8 with Important Bug Fixes

Filed under
GNU
Linux
Security

The Tor Project announced recently the release of yet another important maintenance update to the stable Tor 0.2.8.x series of the open-source and free software to protect your anonymity while surfing the Internet.

Read more

Security News

Filed under
Security
  • Security advisories for Monday
  • OpenSSL security advisory for September 26

    This OpenSSL security advisory is notable in that it's the second one in four days; sites that updated after the first one may need to do so again.

  • Who left all this fire everywhere?

    If you're paying attention, you saw the news about Yahoo's breach. Five hundred million accounts. That's a whole lot of data if you think about it. But here's the thing. If you're a security person, are you surprised by this? If you are, you've not been paying attention.

Antivirus Live CD 20.0-0.99.2 Uses ClamAV 0.99.2 to Protect Your PC from Viruses

Filed under
Linux
Security

Today, September 25, 2016, 4MLinux developer Zbigniew Konojacki informs Softpedia about the immediate availability for download of a new, updated version of his popular, independent, free, and open source Antivirus Live CD.

Read more

Parsix GNU/Linux 8.10 "Erik" Gets the Latest Debian Security Fixes, Update Now

Filed under
GNU
Linux
Security

A few minutes ago, the development team behind the Debian-based Parsix GNU/Linux computer operating system announced that new security fixes are now available for the Parsix GNU/Linux 8.10 "Erik" release.

Read more

Security Leftovers

Filed under
Security
  • Krebs Goes Down, Opera Gets a VPN & More…

    Krebs on Security in record DDOS attack: Everybody’s go-to site for news and views of security issues, has been temporarily knocked offline in a DDOS attack for the record books. We first heard about the attack on Thursday morning after Brian Krebs reported that his site was being hit by as much as 620 Gbs, more than double the previous record which was considered to be a mind-blower back in 2013 when the anti-spam site Spamhaus was brought to its knees.

    Security sites such as Krebs’ that perform investigative research into security issues are often targets of the bad guys. In this latest case, Ars Technica reported the attack came after Krebs published the identity of people connected with vDOS, Israeli black hats who launched DDOS attacks for pay and took in $600,000 in two years doing so. Akamai had been donating DDoS mitigation services to Krebs, but by 4 p.m. on the day the attack began they withdrew the service, motivated by the high cost of defending against such a massive attack. At this point, Krebs decided to shut down his site.

  • Upgrade your SSH keys!

    When generating the keypair, you're asked for a passphrase to encrypt the private key with. If you will ever lose your private key it should protect others from impersonating you because it will be encrypted with the passphrase. To actually prevent this, one should make sure to prevent easy brute-forcing of the passphrase.

    OpenSSH key generator offers two options to resistance to brute-force password cracking: using the new OpenSSH key format and increasing the amount of key derivation function rounds. It slows down the process of unlocking the key, but this is what prevents efficient brute-forcing by a malicious user too. I'd say experiment with the amount of rounds on your system. Start at about 100 rounds. On my system it takes about one second to decrypt and load the key once per day using an agent. Very much acceptable, imo.

  • Irssi 0.8.20 Released
  • What It Costs to Run Let's Encrypt

    Today we’d like to explain what it costs to run Let’s Encrypt. We’re doing this because we strive to be a transparent organization, we want people to have some context for their contributions to the project, and because it’s interesting.

    Let’s Encrypt will require about $2.9M USD to operate in 2017. We believe this is an incredible value for a secure and reliable service that is capable of issuing certificates globally, to every server on the Web free of charge.

    We’re currently working to raise the money we need to operate through the next year. Please consider donating or becoming a sponsor if you’re able to do so! In the event that we end up being able to raise more money than we need to just keep Let’s Encrypt running we can look into adding other services to improve access to a more secure and privacy-respecting Web.

  • North Korean DNS Leak reveals North Korean websites

    One of North Korea’s top level DNS servers was mis-configured today (20th September 2016) accidentally allowing global DNS zone transfers. This allowed anyone who makes a zone transfer request (AXFR) to retrieve a copy of the nation’s top level DNS data.

    [...]

    This data showed there are 28 domains configured inside North Korea, here is the list:

    airkoryo.com.kp
    cooks.org.kp
    friend.com.kp
    gnu.rep.kp
    kass.org.kp
    kcna.kp
    kiyctc.com.kp
    knic.com.kp
    koredufund.org.kp
    korelcfund.org.kp
    korfilm.com.kp
    ma.gov.kp
    masikryong.com.kp
    naenara.com.kp
    nta.gov.kp
    portal.net.kp
    rcc.net.kp
    rep.kp
    rodong.rep.kp
    ryongnamsan.edu.kp
    sdprk.org.kp
    silibank.net.kp
    star-co.net.kp
    star-di.net.kp
    star.co.kp
    star.edu.kp
    star.net.kp
    vok.rep.kp

  • Yahoo’s Three Hacks

    As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

    But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

Security News

Filed under
Security
  • Friday's security updates
  • Impending cumulative updates unnerve Windows patch experts

    Microsoft's decision to force Windows 10's patch and maintenance model on customers running the older-but-more-popular Windows 7 has patch experts nervous.

    "Bottom line, everyone is holding their breath, hoping for the best, expecting the worst," said Susan Bradley in an email. Bradley is well known in Windows circles for her expertise on Microsoft's patching processes: She writes on the topic for the Windows Secrets newsletter and moderates the PatchMangement.org mailing list, where business IT administrators discuss update tradecraft.

  • Yahoo is sued for gross negligence over huge hacking

    Yahoo Inc (YHOO.O) was sued on Friday by a user who accused it of gross negligence over a massive 2014 hacking in which information was stolen from at least 500 million accounts.

    The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor."

    Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages.

    A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation.

  • Yahoo faces questions after hack of half a billion accounts

    Yahoo’s admission that the personal data of half a billion users has been stolen by “state-sponsored” hackers leaves pressing questions unanswered, according to security researchers.

    Details, including names, email addresses, phone numbers and security questions were taken from the company’s network in late 2014. Passwords were also taken, but in a “hashed” form, which prevents them from being immediately re-used, and the company believes that financial information held with it remains safe.

IPFire 2.19 - Core Update 105 released

Filed under
GNU
Linux
Security

This is the official release announcement for IPFire 2.19 – Core Update 105 which patches a number of security issues in two cryptographic libaries: openssl and libgcrypt. We recommend installing this update as soon as possible and reboot the IPFire system to complete the update.

Read more

Security News

Filed under
Security
  • A pile of security updates for Thursday
  • What this Yahoo data breach means for you

    On Thursday afternoon Yahoo confirmed a massive data leak of at least 500 million user accounts, which is a very big deal.

    Though the data breach obviously spells trouble for those with YahooMail accounts, users with hacked accounts need to keep in mind that the breach goes so much further.

    Yahoo owns a bunch of other major sites like Flickr, Tumblr and fantasy football site Rivals.com, which means the 500 million users affected by the data breach also have to worry about their personal information associated with all additional Yahoo services.

  • Hackers now have a treasure trove of user data with the Yahoo breach
  • Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

    Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users. And who knew there were that many people using its email?

    The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.

    This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.

  • Brian Krebs' blog banged in bloody massive DDoS

    YOU KNOW that Brian Krebs guy? Well, his website has been hit with a huge denial-of-service (DDoS) attack that he couldn't handle on his own.

    Krebs is that security guy. He is bound to have some enemies out there, so we expect that sooner or later someone will take the credit for ruining the pathway to his pages.

    For now we have Krebs to explain what happened and who helped him deal with it. The short version is that there was great big whack of an attack on him, and that he needed assistance from security firm Akamai.

Security Fallacies

Filed under
Security
  • Matthew Garrett Explains How to Increase Security at Boot Time [Ed: Microsoft apologist Matthew Garrett is promoting UEFI again, even after the Lenovo debacle]

    Security of the boot chain is a vital component of any other security solution, said Matthew Garrett of CoreOS in his presentation at Linux Security Summit. If someone is able to tamper with your boot chain then any other security functionality can be subverted. And, if someone can interfere with your kernel, any amount of self-protection the kernel might have doesn’t really matter.

    “The boot loader is in a kind of intermediate position,” Garrett said. It can modify the kernel before it passes control to it, and then there’s no way the kernel can verify itself once it’s running. In the Linux ecosystem, he continued, the primary protection in the desktop and server space is UEFI secure boot, which is a firmware feature whereby the firmware verifies a signature on the bootloader before it executes it. The bootloader in turn verifies a signature on the next step of the boot process, and so on.

  • Is open source security software too much of a risk for enterprises? [Ed: inverses the truth; proprietary software has secret back doors that cannot be found and patched]

    Although free, there are many institutions that are reluctant to use open source software, for obvious reasons. Using open source software that is not controlled by the enterprise -- in production environments and in mission-critical applications -- introduces risks that could be detrimental to the basic tenants of cybersecurity, such as confidentiality, integrity and availability. This includes open source security software like the tools Netflix uses.

Syndicate content

More in Tux Machines

IPFire 2.19 Linux Firewall OS Patched Against the Latest OpenSSL Vulnerabilities

Only three days after announcing the release of IPFire 2.19 Core Update 104, Michael Tremer informs the community about the availability of a new update, Core Update 105, which brings important OpenSSL patches. Read more

Top Web Browsers for Linux

No matter which Linux distro you prefer, I believe the web browser remains the most commonly used software application. In this article, I'll share the best browsers available to Linux users. Chrome – No matter how you feel about the Chrome browser, one only need to realize the following: Local news still streams in Flash and Chrome supports this. Netflix is supported using Chrome. And of course, Chrome is faster than any other browser out there. Did I mention the oodles of Chrome extensions available including various remote desktop solutions? No matter how you slice it, Chrome is king of the jungle. Read more

Linux Kernel 4.4.22 LTS Brings ARM and EXT4 Improvements, Updated Drivers

Immediately after announcing the release of Linux kernel 4.7.5, renowned kernel developer and maintainer Greg Kroah-Hartman informed the community about the availability of Linux kernel 4.4.22 LTS Read more

Tor Project Releases Tor (The Onion Router) 0.2.8.8 with Important Bug Fixes

The Tor Project announced recently the release of yet another important maintenance update to the stable Tor 0.2.8.x series of the open-source and free software to protect your anonymity while surfing the Internet. Read more