Security News

Filed under
Security
  • Reproducible Builds: week 90 in Stretch cycle

    The F-Droid Verification Server has been launched. It rebuilds apps from source that were built by f-droid.org and checks that the results match.

  • 6 Week Progress Update for PGP Clean Room

    One of the PGP Clean Room’s aims is to provide users with the option to easily initialize one or more smartcards with personal info and pins, and subsequently transfer keys to the smartcard(s). The advantage of using smartcards is that users don’t have to expose their keys to their laptop for daily certification, signing, encryption or authentication purposes.

  • New Kali Linux Professional Information Security Certification to debut at Black Hat USA, 2017

    First Official Kali Linux book release will coincide with launch of the new information security training program as the Penetration Testing platform celebrates its 10th anniversary.

  • The flatpak security model – part 1: The basics

    This is the first part of a series talking about the approach flatpak takes to security and sandboxing.

    First of all, a lot of people think of container technology like docker, rkt or systemd-nspawn when they think of Linux sandboxing. However, flatpak is fundamentally different to these in that it is unprivileged.

  • Newly discovered Mac malware found in the wild also works well on Linux [Ed: Only if fools are stupid enough to actually INSTALL malware.]

    The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

    [...]

    Another intriguing finding: with the exception of the Mac-formatted Mach object file binary, the entire Fruitfly malware library runs just fine on Linux computers.

Why Linux Installers Need to Add Security Features

Filed under
Linux
Security

Twelve years ago, Linux distributions were struggling to make installation simple. Led by Ubuntu and Fedora, they long ago achieved that goal. Now, with the growing concerns over security, they need to reverse directions slightly, and make basic security options prominently available in their installers rather than options that users can add manually later.

At the best of times, of course, convincing users to come anywhere near security features is difficult. Too many users are reluctant even to add features as simple as unprivileged user accounts or passwords, apparently preferring the convenience of the moment to reducing the risk of an intrusion that will require reinstallation, or a consultation with a computer expert at eighty dollars an hour.


Security News

Filed under
Security
  • Wednesday's security updates
  • Secure your Elasticsearch cluster and avoid ransomware

    Last week, news came out that unprotected MongoDB databases are being actively compromised: content copied and replaced by a message asking for a ransom to get it back. As The Register reports: Elasticsearch is next.

    Protecting access to Elasticsearch with a firewall is not always possible. But even in environments where it is possible, many admins are not protecting their databases. Even if you cannot use a firewall, you can secure the connection to Elasticsearch by using encryption. Elasticsearch by itself does not provide any authentication or encryption possibilities. Still, there are many third-party solutions available, each with its own drawbacks and advantages.

  • Resolve to Follow These 8 Steps for Better Data Security in 2017

    Getting physically fit is a typical New Year's resolution. Given that most of us spend more time online than in a gym, the start of the new year also might be a great time to improve your security “fitness.” As with physical fitness challenges, the biggest issue with digital security is always stagnation. That is, if you don't move and don't change, atrophy sets in. In physical fitness, atrophy is a function of muscles not being exercised. In digital fitness, security risks increase when you fail to change passwords, update network systems and adopt improved security technology. Before long, your IT systems literally become a “sitting duck.” Given the volume of data breaches that occurred in 2016, it is highly likely that everyone reading this has had at least one of their accounts compromised in some way, such as their Yahoo account. Hackers somewhere may have one of the passwords you’ve used at one point to access a particular site or service. If you're still using that same password somewhere, in a way that can connect that account to you, that's a non-trivial risk. Changing passwords is the first of eight security resolutions that can help to improve your online security fitness in 2017. Click through this eWEEK slide show to discover the rest.

  • Pwn2Own 2017 Takes Aim at Linux, Servers and Web Browsers

    10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including Virtual Machines, servers, enterprise applications and web browsers.

    Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged to become one of the premier events on the information security calendar, and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.

  • 'Factorio' is another game that was being hit by key scammers

    In another case of scammers trying to buy keys with often stolen credit cards to sell on websites like G2A, the developers of 'Factorio' have written about their experience with it (and other stuff too).

Security News

Filed under
Security

  • Security advisories for Tuesday
  • FOI: NHS Trusts are ransomware pin cushions [Ed: Windows]

    The FOI requests found that 87 per cent of attacks came via a networked NHS device and that 80 per cent were down to phished staffers. However, only a small proportion of the 100 or so Trusts responded to this part of the requests.

    "These results are far from surprising. Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching," said Tony Rowan, Chief Security Consultant at SentinelOne.

    "The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware and a new more dynamic approach to endpoint protection is needed."

Canonical to Remove Old Unity 7 Scopes from Ubuntu Because They're Not Secure

Filed under
Security

Canonical's Will Cooke has revealed recently the company's plans on removing some old, unmaintained Unity 7 Scopes from the Ubuntu Linux archives because they could threaten the security of the entire operating system.


Security Leftovers

Filed under
Security
  • 3 Lessons in Web Encryption from Let’s Encrypt

    As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year. Much of the infrastructure and many of the plans necessary for a 100 percent encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.

    But before we start looking ahead, it’s helpful to look back and see what our project learned from our exciting first full year as a live certificate authority (CA). I’m incredibly proud of what our team and community accomplished during 2016. I’d like to share how we’ve changed, what we’ve accomplished, and what we’ve learned.

    At the start of 2016, Let’s Encrypt was supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 22 million active certificates in total.

  • [Older] Kali Linux Cheat Sheet for Penetration Testers
  • Report: Attacks based on open source vulnerabilities will rise 20 percent this year [Ed: The Microsoft-connected Black Duck spreads FUD against FOSS again, together with IDG; Black Duck was created for the purpose of attacking the GPL, by its very own admission.]

    The number of commercial software projects that were composed of 50 percent or more of free, open source software went up from 3 percent in 2011 to 33 percent today, said Mike Pittenger, vice president of security strategy at Black Duck Software.

Security Leftovers

Filed under
Security
  • Truffle Hog Finds Security Keys Hidden in GitHub Code

    According to commenters on a Reddit thread about Truffle Hog, Amazon Web Services has already been using a similar tool for the same purpose. "I have accidentally committed my AWS secret keys before to a public repo," user KingOtar wrote. "Amazon actually found them and shut down my account until I created new ones. Kinda neat Amazon."

  • 5 Essential Tips for Securing Your WordPress Sites

    WordPress is by far the most popular blogging platform today.

    Being as popular as it is, it comes with its own strengths and weaknesses. The very fact that almost everybody uses it makes it more prone to vulnerabilities. WordPress developers are doing a great job of fixing and patching the framework as new flaws are discovered, but that doesn’t mean that you can simply install and forget your installation.

    In this post, we will provide some of the most common ways of securing and strengthening a WordPress site.

  • Google ventures into public key encryption

    Google announced an early prototype of Key Transparency, its latest open source effort to ensure simpler, safer, and secure communications for everyone. The project’s goal is to make it easier for applications and services to share and discover public keys for users, but it will be a while before it's ready for prime time.

    Secure communications should be de rigueur, but it remains frustratingly out of reach for most people, more than 20 years after the creation of Pretty Good Privacy (PGP). Existing methods where users need to manually find and verify the recipients’ keys are time-consuming and often complicated. Messaging apps and file sharing tools are limited in that users can communicate only within the service because there is no generic, secure method to look up public keys.

  • How to Keep Hackers out of Your Linux Machine Part 2: Three More Easy Security Tips

    In part 1 of this series, I shared two easy ways to prevent hackers from eating your Linux machine. Here are three more tips from my recent Linux Foundation webinar where I shared more tactics, tools and methods hackers use to invade your space. Watch the entire webinar on-demand for free.

Security News

Filed under
Security
  • Microsoft slates end to security bulletins in February [iophk: "further obscuring"; Ed: See this]

    Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.

    One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."

  • Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users

    By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too.

  • DragonFlyBSD Installer Updated To Support UEFI System Setup

    DragonFlyBSD has been working on its (U)EFI support and with the latest Git code its installer now has basic UEFI support.

Tails 2.10 Will Upgrade to Linux Kernel 4.8 and Tor 0.2.9, Add exFAT Support

Filed under
Security

A new stable release of Tails, the beloved anonymous Live CD that helps you stay hidden online when navigating various websites on the Internet, is being prepared.

Security News

Filed under
Security
  • How we secure our infrastructure: a white paper

    Trust in the cloud is paramount to any business that is thinking about using it to power their critical applications, deliver new customer experiences and house their most sensitive data. Today, we're issuing a white paper by our security team that details how security is designed into our infrastructure from the ground up.

    Google Cloud’s global infrastructure provides security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet and safe operation by administrators.

  • Google Infrastructure Security Design Overview [Ed: Google banned Windows internally]

    The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.

  • Microsoft Says Windows 7 Has Outdated Security, Wants You to Move to Windows 10 [Ed: all versions are insecure BY DESIGN]

    Windows 10 is now running on more than 20 percent of the world’s desktop computers, and yet, Microsoft’s bigger challenge isn’t necessarily to boost the market share of its latest operating system, but to convince those on Windows 7 to upgrade.

  • Debian GNU/Linux 8.7 Officially Released, Includes over 85 Security Updates

    If you're using Debian Stable (a.k.a. Debian GNU/Linux 8 "Jessie"), it's time to update it now. Why? Because Debian Project launched a new release, Debian GNU/Linux 8.7, which includes over 170 bug fixes and security updates.

  • CVS: cvs.openbsd.org: src

    Disable and lock Silicon Debug feature on modern Intel CPUs

FOSS in the European Union

  • Competition authorities first to implement DMS services
    The DRS are published as open source software using the European Union’s open source software licence EUPL, and are available on Joinup. The software provides connectors for most commonly-used document management systems, and includes scripts to create a database to implement the connecting web services.
  • Czech Republic is at the forefront of an open data international project
    With the beginning of the new year, an international project “Open crowdsourcing data related to the quality of service of high-speed Internet” was launched, which aims to encourage the development of open data in the user’s measurement of high-speed Internet.

Arch Linux News

  • Linux Top 3: Arch Anywhere, Bitkey and Vinux
    Arch Linux is a powerful rolling Linux distribution that hasn't always been particularly easy for new users to install and deploy. The goal of the Arch Anywhere system is to provide new and old users with the ability to install a fully custom Arch Linux system in minutes.
  • Arch Linux Preparing To Deprecate i686 Support
    Arch Linux is moving ahead with preparing to deprecate i686 (x86 32-bit) support in their distribution. Due to declining usage of Arch Linux i686, they will be phasing out official support for the architecture. Next month's ISO spin will be the last for offering a 32-bit Arch Linux install. Following that will be a nine month deprecation period where i686 packages will still see updates.
  • News draft for i686 deprecation
    Finally found some time to write a draft for the news post on i686. Here it is:

    Title: i686 is dead, long live i686

    Due to the decreasing popularity of i686 among the developers and the community, we have decided to phase out the support of this architecture. The decision means that the February ISO will be the last that allows installing 32-bit Arch Linux. The next 9 months are a deprecation period, during which i686 will still be receiving upgraded packages. Starting from November 2017, packaging and repository tools will no longer require that from maintainers, effectively making i686 unsupported. However, as there is still some interest in keeping i686 alive, we would like to encourage the community to make it happen with our guidance. Depending on the demand, an official channel and mailing list will be created for second tier architectures.

LinuxCon Europe on 100G Networking

  • The World of 100G Networking
    Capacity and speed requirements keep increasing for networking, but going from where we are now to 100G networking isn’t a trivial matter, as Christopher Lameter and Fernando Garcia discussed recently in their LinuxCon Europe talk about the world of 100G networking. It may not be easy, but with recently developed machine learning algorithms combined with new, more powerful servers, the idea of 100G networking is becoming feasible and cost effective.
  • The World of 100G Networking by Christoph Lameter
    The idea of 100G networking is becoming feasible and cost effective. This talk gives an overview about the competing technologies in terms of technological differences and capabilities and then discusses the challenges of using various kernel interfaces to communicate at these high speeds.