Security

Hands-On: Kali Linux 2018.1 on the Raspberry Pi Zero W

Filed under
Linux
Reviews
Security

The installation image is actually on the Offensive Security Kali Linux ARM Images page, so don't get confused if you go to the normal Kali Linux Downloads page and don't see it. There is a link to the ARM images near the bottom of that page.

As with most Raspberry Pi installation images, the download is a compressed (xz) snapshot, not an ISO image.

Zerodium offers $45000 for Linux zero-day vulnerabilities

Filed under
Linux
Security

Zerodium is offering $45,000 to hackers willing to privately report zero-day vulnerabilities in the Linux operating system.

On Thursday, the private exploit acquisition program announced the new addition to its bounties on Twitter. Until 31 March, Zerodium is willing to offer increased payouts of up to $45,000 for local privilege escalation (LPE) exploits.

The zero-day, unreported vulnerabilities should work with default installations of Linux such as the popular Ubuntu, Debian, CentOS, Red Hat Enterprise Linux (RHEL), and Fedora builds.

Security: Data Breaches, Apple, and DRM Threats

Filed under
Security
  • Data breach law: primary concern is information security, says expert

    The primary concern for businesses after the Australian data breach law takes effect on 22 February will be information security, as without that in place, it will not be possible to protect personal information, an expert in cyber security and law says.

  • Apple confirms source code for iBoot leaked to GitHub

    Apple has confirmed that the source code for iBoot from a version of iOS was posted on GitHub on Thursday, with the company forced to make the admission as it filed a DMCA takedown request to the hosting site.

  • Warning hackers quick to bypass anti-virus walls in latest attacks

    Anti-virus software doesn’t stop new threats or advanced malicious-email attacks, as hackers use scam emails to deliver new ‘fast-break’ or ‘zero-day’ attacks, according to security firm MailGuard.

  • Thousands of students affected in online data leak

    According to Helsingin Sanomat the leak was due to an online security breach on the servers of the matriculation examination board's website. Approximately 7,695 students have fallen victim to the leak.

  • EFF vs IoT DRM, OMG!

    What with the $400 juicers and the NSFW smart fridges, the Internet of Things has arrived at that point in the hype cycle midway between "bottom line" and "punchline." Hype and jokes aside, the reality is that fully featured computers capable of running any program are getting cheaper and more powerful and smaller with no end in sight, and the gadgets in our lives are transforming from dumb hunks of electronics to computers in fancy cases that are variously labeled "car" or "pacemaker" or "Alexa."

    We don't know which designs and products will be successful in the market, but we're dead certain that banning people from talking about flaws in existing designs and trying to fix those flaws will make all the Internet of Things' problems worse.

What Is Kali Linux, and Do You Need It?

Filed under
GNU
Linux
Security

If you’ve heard a 13-year-old would-be hacker talking about how 1337 they are, chances are, Kali Linux came up. Despite its script kiddie reputation, Kali is actually a real tool (or set of tools) for security professionals.

Kali is a Linux distribution based on Debian. Its goal is simple: include as many penetration and security audit tools as possible in one convenient package. Kali delivers, too. Many of the best open-source tools for conducting security tests are collected and ready to use.

Security: Meltdown and Spectre, Apple Code Leak, WordPress's Broken Automatic Update

Filed under
Security

Security: BT, Uber, Android

Filed under
Security

Security: Updates, Cryptocurrencies and More

Filed under
Security
  • Security updates for Wednesday
  • 6 Easy Ways To Block Cryptocurrency Mining In Your Web Browser

    Cryptocurrencies are digital or virtual currencies that make use of encryption for security. As they are anonymous and decentralized in nature, one can use them for making payments that can’t be tracked by governments.

  • The effect of Meltdown and Spectre in our communities

    A late-breaking development in the computing world led to a somewhat hastily arranged panel discussion at this year's linux.conf.au in Sydney. The embargo for the Meltdown and Spectre vulnerabilities broke on January 4; three weeks later, Jonathan Corbet convened representatives from five separate parts of our community, from cloud to kernel to the BSDs and beyond. As Corbet noted in the opening, the panel itself was organized much like the response to the vulnerabilities themselves, which is why it didn't even make it onto the conference schedule until a few hours earlier.

Security Catastrophe at Octoly

Filed under
Security
  • Bad Influence: How A Marketing Startup Exposed Thousands of Social Media Stars
  • More Than 12,000 Influencers, Brands Targeted in Latest Data Breach

    It happened to Target, Forever 21, Neiman Marcus, TJX Companies, and Yahoo. Their systems were infiltrated by hackers and the data that they had stored, including consumers’ names, addresses, payment information, and in some cases, social security numbers, were stolen. Now, influencers and high-end beauty and fashion brands, are the target, as Octoly, a Paris-based influencer agency, has confirmed that it has experienced a data breach, putting more than 12,000 prominent social media influencers from YouTube, Instagram, and Twitter at risk.

  • 12,000 Influencers Had Their Data Leaked by Marketing Firm Octoly

    Unfortunately, that is just what happened last month to around 12,000 social media stars who work with Paris-based influencer marketplace Octoly. According to cyber risk company UpGuard, carelessness on the part of Octoly led to influencers' personal information — like street addresses, phone numbers, birth dates, email addresses and more — becoming accessible in a public database.

Security: Windows, WiFi Routers, Privacy and More

Filed under
Security
  • The worst types of ransomware attacks [Ed: Windows]
  • 'All versions' of Windows vulnerable to tweaked Shadow Broker NSA exploits

    A security researcher has revealed how sophisticated NSA exploits, which were stolen and published online by hacker group Shadow Brokers, can be tweaked to exploit vulnerabilities in all versions of Windows, including Windows 10.

    Back in 2016, the hacker group named Shadow Brokers stole weaponised cyber-tools from the US National Security Agency and published them online, thereby enabling other cyber-criminals to use the tools to attack targeted organisations and to gain access to systems.

  • Leaked NSA Exploits Modified To Attack Every Windows Version Since 2000

    Probably, the most famous of the NSA tools leaked by the hacker group Shadow Brokers was EternalBlue which gave birth to dangerous malware like WannaCry, Petya, and more recently, the cryptojacking malware WannaMine.

    Now, Sean Dillon, a security researcher at RiskSense, has modified the source code of three other leaked NSA tools called EternalRomance, EternalChampion, and EternalSynergy. In the past, he also ported the EternalBlue exploit to work on Windows 10.

  • WiFi Routers Riddled With Holes: Report [Ed: default passwords]

    Insignary, a startup security firm based in South Korea, conducted comprehensive binary code scans for known security vulnerabilities in WiFi routers. The company conducted scans across a spectrum of the firmware used by the most popular home, small and mid-sized business and enterprise-class WiFi routers.

  • As data protection laws strengthen open-source software governance becomes critical [Ed: Nothing to do with FOSS. Proprietary software has more holes and some cannot/will not be patched.]

    The cadence of delivery isn’t hampered by new layers of governance (as using automated security audits allows for real-time testing as new code is developed). And with accurate audit trails, organisations can prove the extent to which they have gone, to ensure secure code that culminates in safe and compliant applications.

  • Episode 81 - Autosploit, bug bounties, and the future of security

Linux module aims at security, but will it make the cut?

Filed under
Linux
Security

The Linux Kernel Runtime Guard has been devised by the Openwall project.

LKRG checks at runtime to find out if any exploits for security flaws are in a system; if so, it attempts to block such attacks.

It can also detect any privilege escalation in processes that are running and kill the guilty process before it can execute any code.

More in Tux Machines

Logstash 6.2.0 Released, Alfresco Grabbed by Private Equity Firm

  • Logstash 6.2.0 Release Improves Open Source Data Processing Pipeline
    The "L" in the ELK stack gets updated with new features including advanced security capabilities. Many modern enterprises have adopted the ELK (Elasticsearch, Logstash, Kibana) stack to collect, process, search and visualize data. At the core of the ELK stack is the open-source Logstash project which defines itself as a server-side data processing pipeline - basically it helps to collect logs and then send them to a user's "stash" for searching, which in many cases is Elasticsearch.
  • Alfresco Software acquired by Private Equity Firm
    Enterprise apps company taken private in a deal that won't see a change in corporate direction. Alfresco has been developing its suite of Enterprise Content Management (ECM) and Business Process Management (BPM) technology since the company was founded back in June of 2005. On Feb. 8, Alfresco announced that it was being acquired by private equity firm Thomas H. Lee Partners (THL). Financial terms of the deal are not being publicly disclosed.

Servers and GPUs: Theano, DevOps, Kubernetes, AWS

  • Open Source Blockchain Computer Theano
    TigoCTM CEO Cindy Zimmerman says “we are excited to begin manufacturing our secure, private and open source desktops at our factory in the Panama Pacifico special economic zone. This is the first step towards a full line of secure, blockchain-powered hardware including desktops, servers, laptops, tablets, teller machines, and smartphones.” [...] Every component of each TigoCTM device is exhaustively researched and selected for its security profile based especially on open source hardware, firmware, and software. In addition, devices will run the GuldOS operating system, and open source applications like the Bitcoin, Ethereum and Dash blockchains. This fully auditable stack is ideal for use in enterprise signing environments such as banks and investment funds.
  • Enterprises identify 10 essential tools for DevOps [Ed: "Source code repository" and other old things co-opted to promote the stupid buzzword "devops"]
    Products branded with DevOps are everywhere, and the list of options grows every day, but the best DevOps tools are already well-known among enterprise IT pros.
  • The 4 Major Tenets of Kubernetes Security
    We look at security from the perspective of containers, Kubernetes deployment itself and network security. Such a holistic approach is needed to ensure that containers are deployed securely and that the attack surface is minimized. The best practices that arise from each of the above tenets apply to any Kubernetes deployment, whether you’re self-hosting a cluster or employing a managed service. We should note that there are related security controls outside of Kubernetes, such as the Secure Software Development Life Cycle (S-SDLC) or security monitoring, that can help reduce the likelihood of attacks and increase the defense posture. We strongly urge you to consider security across the entire application lifecycle rather than take a narrow focus on the deployment of containers with Kubernetes. However, for the sake of brevity, in this series, we will only cover security controls within the immediate Kubernetes environment.
  • GPUs on Google’s Kubernetes Engine are now available in open beta
    The Google Kubernetes Engine (previously known as the Google Container Engine and GKE) now allows all developers to attach Nvidia GPUs to their containers. GPUs on GKE (an acronym Google used to be quite fond of, but seems to be deemphasizing now) have been available in closed alpha for more than half a year. Now, however, this service is in beta and open to all developers who want to run machine learning applications or other workloads that could benefit from a GPU. As Google notes, the service offers access to both the Tesla P100 and K80 GPUs that are currently available on the Google Cloud Platform.
  • AWS lets users run SAP apps directly on SUSE Linux
  • SUSE collaborates with Amazon Web Services to accelerate SAP migrations

Chrome and Firefox

  • The False Teeth of Chrome's Ad Filter.
    Today Google launched a new version of its Chrome browser with what they call an "ad filter"—which means that it sometimes blocks ads but is not an "ad blocker." EFF welcomes the elimination of the worst ad formats. But Google's approach here is a band-aid response to the crisis of trust in advertising that leaves massive user privacy issues unaddressed. Last year, a new industry organization, the Coalition for Better Ads, published user research investigating ad formats responsible for "bad ad experiences." The Coalition examined 55 ad formats, of which 12 were deemed unacceptable. These included various full page takeovers (prestitial, postitial, rollover), autoplay videos with sound, pop-ups of all types, and ad density of more than 35% on mobile. Google is supposed to check sites for the forbidden formats and give offenders 30 days to reform or have all their ads blocked in Chrome. Censured sites can purge the offending ads and request reexamination. [...] Some commentators have interpreted ad blocking as the "biggest boycott in history" against the abusive and intrusive nature of online advertising. Now the Coalition aims to slow the adoption of blockers by enacting minimal reforms. Pagefair, an adtech company that monitors adblocker use, estimates 600 million active users of blockers. Some see no ads at all, but most users of the two largest blockers, AdBlock and Adblock Plus, see ads "whitelisted" under the Acceptable Ads program. These companies leverage their position as gatekeepers to the user's eyeballs, obliging Google to buy back access to the "blocked" part of their user base through payments under Acceptable Ads. This is expensive (a German newspaper claims a figure as high as 25 million euros) and is viewed with disapproval by many advertisers and publishers.
  • Going Home
  • David Humphrey: Edge Cases
  • Experiments in productivity: the shared bug queue
    Over the next six months, Mozilla is planning to switch code review tools from mozreview/splinter to phabricator. Phabricator has more modern built-in tools like Herald that would have made setting up this shared queue a little easier, and that’s why I paused…briefly
  • Improving the web with small, composable tools
    Firefox Screenshots is the first Test Pilot experiment to graduate into Firefox, and it’s been surprisingly successful. You won’t see many people talking about it: it does what you expect, and it doesn’t cover new ground. Mozilla should do more of this.
