
Security

Security News

Filed under
Security
  • Lockpicking in the IoT

    "Smart" devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and App decompilation to show why those devices and their manufacturers aren't always that smart after all. And that even AES128 on top of the BTLE layer doesn't have to mean "unbreakable". Our main target will be electronic locks, but the methods shown apply to many other smart devices as well...

  • Photocopier Security

    A modern photocopier is basically a computer with a scanner and printer attached. This computer has a hard drive, and scans of images are regularly stored on that drive. This means that when a photocopier is thrown away, that hard drive is filled with pages that the machine copied over its lifetime. As you might expect, some of those pages will contain sensitive information.

  • OpenPGP really works

    After a day of analysis, PGP is used, and significantly so, at various layers of my day-to-day activities. I can clearly say “PGP works”. Indeed, it’s not perfect (that’s the reality of a lot of cryptosystems), but PGP needs some love at the IETF, for the implementations, or even some financial support.

Security News

Filed under
Security
  • Security advisories for Monday
  • Penetration Testing and Ethical Hacking Parrot Security OS 3.4.1 Includes GNUnet

    The ParrotSec project kicked off 2017 with the release of Parrot Security OS 3.4 on the first day of the year, followed the next day by a point release that brought improvements to the installer.

    Launched on January 1, 2016, Parrot Security OS 3.4 shipped with various updated packages and new features, among which we can mention the addition of the GNUnet open-source framework for secure peer-to-peer (P2P) networking, an early preview of the Freenet installer, as well as brand-new mirror servers for the netboot images.

  • Future Proof Security

    Are there times we should never make a tradeoff between “right” and “now”? Yes, yes there are. The single most important one is verifying data correctness. Especially if you think it’s trusted input. Today’s trusted input is tomorrow’s SQL injection. Let’s use a few examples (these are actual examples I saw in the past, with the names of the innocent changed).

  • Linux Journal January 2017

    There have been epic battles over whether "insecure" or "unsecure" should be used when referring to computer security. Granted, those epic battles usually take place in really nerdy forums, but still, one sounds funny and the other seems to personify computers. Whichever grammatical construct you choose, the need for security is greater now than ever. As Linux users, we need to make sure we're not overconfident in the inherent security of our systems. Remember, they all have a weak link: us.

Security Leftovers

Filed under
Security
  • Smart electricity meters can be dangerously insecure, warns expert

    Smart electricity meters, of which there are more than 100m installed around the world, are frequently “dangerously insecure”, a security expert has said.

    The lack of security in the smart utilities raises the prospect of a single line of malicious code cutting power to a home or even causing a catastrophic overload leading to exploding meters or house fires, according to Netanel Rubin, co-founder of the security firm Vaultra.

    “Reclaim your home,” Rubin told a conference of hackers and security experts, “or someone else will.”

    If a hacker took control of a smart meter they would be able to know “exactly when and how much electricity you’re using”, Rubin told the 33rd Chaos Communications Congress in Hamburg. An attacker could also see whether a home had any expensive electronics.

  • London Ambulance Service hit by 'computer system crash' on New Year's Eve

    Officials confirmed there was a systems fault in the early hours, though staff are trained for such situations, and they continued to prioritise responses as normal.

    Calls were reportedly logged manually between 12:30am GMT and 5:15am.

  • 33c3 notes

    Some notes and highlights from #33c3. In particular, some talks I found worth watching. I intentionally don't mention any of the many interesting self-organized sessions and workshops I participated in, since these are not recorded. I'm just listing some interesting projects at the bottom. I wrote these notes quickly, so I'm certainly missing some stuff.

Security Leftovers

Filed under
Security
  • Ex-student charged with cyberattack on school’s internet

    A Connecticut juvenile has been charged with launching cyberattacks against a school’s internet service in connection with outages that happened in 2015 and earlier this year.

    Shelton police say the former Shelton High School student, whose name and age haven’t been released, was arrested Thursday on a charge of computer crimes in the third degree. He’s due in juvenile court on Friday.

  • 5 signs we're finally getting our act together on security

    The high-water line in information security gets higher each year. Just as we think we’ve finally figured out how to defend against attacks, attackers come up with something new and we are right back to trying to figure out what to do next.

  • You have one second extra tonight!

    Official clocks will hit 23:59:59 as usual, but then they'll say 23:59:60, before rolling over into 2017. This is known as a ‘leap second’ and timekeepers slip them in periodically to keep our clocks in sync with the Earth’s rotation. The laboratory with responsibility for maintaining the equipment to measure time interval (or frequency) in Ireland is the NSAI’s National Metrology Laboratory.

Security Leftovers

Filed under
Security
  • Washington Post Publishes False News Story About Russians Hacking Electrical Grid

    A story published by The Washington Post Friday claims Russia hacked the electrical grid in Vermont. This caused hysteria on social media but has been denied by a spokesman for a Vermont utility company.

    The Post story was titled, “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say.”

  • Recount 2016: An Uninvited Security Audit of the U.S. Presidential Election

    The 2016 U.S. presidential election was preceded by unprecedented cyberattacks and produced a result that surprised many people in the U.S. and abroad. Was it hacked? To find out, we teamed up with scientists and lawyers from around the country—and a presidential candidate—to initiate the first presidential election recounts motivated primarily by e-voting security concerns. In this talk, we will explain how the recounts took place, what we learned about the integrity of the election, and what needs to change to ensure that future U.S. elections are secure.

  • Malware Purveyor Serving Up Ransomware Via Bogus ICANN Blacklist Removal Emails

    Fun stuff ahead for some website owners, thanks to a breakdown in the registration process. A Swiss security researcher has spotted bogus ICANN blacklist removal emails being sent to site owners containing a Word document that acts as a trigger for ransomware.

Security Leftovers

Filed under
Security
  • A Chip to Protect the Internet of Things

    The Internet of Things offers the promise of all sorts of nifty gadgets, but each connected device is also a tempting target for hackers. As recent cybersecurity incidents have shown, IoT devices can be harnessed to wreak havoc or compromise the privacy of their owners. So Microchip Technology and Amazon.com have collaborated to create an add-on chip that’s designed to make it easier to combat certain types of attack—and, of course, encourage developers to use Amazon’s cloud-based infrastructure for the Internet of Things.

  • Reproducible Builds: week 87 in Stretch cycle

    100% Of The 289 Coreboot Images Are Now Built Reproducibly by Phoronix, with more details in German by Pro-Linux.de.

    We have further reports on our Reproducible Builds World Summit #2 in Berlin from Rok Garbas of NixOS as well as Clemens Lang of MacPorts.

  • Chrome will soon mark some HTTP pages as 'non-secure'

    Beginning next month, the company will tag web pages that include login or credit card fields with the message "Not Secure" if the page is not served using HTTPS, the secure version of the internet protocol.

    The company on Tuesday began sending messages through its Google Search Console, a tool for webmasters, warning them of the changes that take place starting in January 2017.

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • 17 Security Experts Share Predictions for the Top Cyber-Trends of 2017

    Enterprises, governments and end users faced no shortage of security challenges in 2016. As the year draws to a close, we wonder: What security trends will continue into 2017? What will be the big security stories of the year to come? Many trends emerged in 2016 that are very likely to remain key issues for organizations of all sizes and shapes in 2017. Among them is the continued and growing risk of ransomware, which emerged in 2016 as a primary attack vector for hackers aiming to cash in on their nefarious activities. In 2016, nation-states once again were identified by multiple organizations as being the source of serious cyber-threats, and there is no indication that will change in the year ahead. Among the emerging trends that could become more prominent in the new year are the widespread use of containers and microservices to improve security control. This eWEEK slide show will present 17 security predictions for the year ahead from 17 security experts.

  • Learning From A Year of Security Breaches

    This year (2016) I accepted as much incident response work as I could. I spent about 300 hours responding to security incidents and data breaches this year as a consultant or volunteer.

    This included hands on work with an in-progress breach, or coordinating a response with victim engineering teams and incident responders.

    These lessons come from my consolidated notes of those incidents. I mostly work with tech companies, though not exclusively, and you’ll see a bias in these lessons as a result.

  • Girl uses sleeping mom's thumbprint to buy $250 in Pokemon toys

    The most famous, and unlikeliest, hacker in the news this week is little Ashlynd Howell of Little Rock, Ark. The exploits of the enterprising 6-year-old first came to light in a Wall Street Journal story about the difficulties of keeping presents a secret in the digital age. It seems that while mom Bethany was sleeping on the couch, Ashlynd gently picked up her mother's thumb and used it to unlock the Amazon app on her phone. She then proceeded to order $250 worth of Pokemon presents for herself. When her parents got 13 confirmation notices about the purchases, they thought that either they'd been hacked (they were, as it turned out) or that their daughter had ordered them by mistake. But she proudly explained, "No, Mommy, I was shopping." The Howells were able to return only four of the items.

  • FDIC Latest Agency To Claim It Was Hacked By A Foreign Government

    Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC's computers.

    But claiming the Chinese were involved seems premature, even according to Reuters' own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.

  • Parrot Security 3.3 Ethical Hacking OS With Linux Kernel 4.8 Released

Parsix GNU/Linux 8.15 (Nev) and 8.10 (Erik) Get Latest Debian Security Patches

Filed under
Security

It's been two weeks since our last report on the latest security updates pushed to the stable repositories of the Debian-based Parsix GNU/Linux operating system, and a new set of patches for various software components arrived the other day.


KDE Plasma 5.8.5 Is the Last Bugfix Release for 2016, over 55 Issues Resolved

Filed under
KDE
Security

As expected, KDE announced today the general and immediate availability of the fifth maintenance update to the long-term supported KDE Plasma 5.8 desktop environment for GNU/Linux distributions.


Security News

Filed under
Security
  • Security advisories for Monday
  • Is Mirai Really as Black as It’s Being Painted?

    An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.

    [...]

    If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.

  • Parrot Security 3.3 Ethical Hacking OS Updates Anonsurf, Fixes Touchpad Support

    A new stable release of the Debian-based Parrot Security ethical hacking and penetration testing operating system has been released on Christmas Day, versioned 3.3.

    Powered by a kernel from the Linux 4.8 series, Parrot Security OS 3.3 is here a little over two months since the release of Parrot Security 3.2, but it doesn't look like it's a major update, as it only updates a few core components and hacking tools, and addresses a few of the bugs reported by users since version 3.2.

  • Linux Top 3: Guix, Parrot Security and OpenMandriva Lx

    The GNU Guix project builds a transactional package manager system and it is the base feature around which GuixSD (system distribution) is built.

    [...]

    The 3.01 release brings a number of major fixes since the 3.0 release:

      • updated software
      • new drivers and kernel – better support for newer hardware
      • many bugs fixed
      • stable Plasma running on Wayland

  • LibreOffice 5.2.4 packages

    The computers worked frantically while I relaxed with my family. Slackware 14.2 and -current packages are ready for LibreOffice 5.2.4. Enjoy the newest version of this highly popular office suite.


More in Tux Machines

Linus Torvalds Announces Subsurface 4.6 Open-Source Dive Log and Planning App

Linus Torvalds not only works on the Linux kernel, but he's also part of the development team behind the open-source dive log and dive planning application most of you out there know as Subsurface.

openSUSE Tumbleweed Gets XOrg Server 1.19 & Irssi 1.0, PulseAudio 10 Coming Soon

openSUSE Project's Douglas DeMaio is informing the Tumbleweed community today, January 18, 2017, about the latest software updates and other improvements delivered by a total of two snapshots released last week.

today's leftovers

  • Linux use on Pornhub surged 14% in 2016
    Pornhub is one of the preeminent porn sites on the web. Each year Pornhub releases a year in review post with anonymous details about the site’s users. More and more Linux users are visiting Pornhub; Linux saw an impressive 14% increase in traffic share in 2016.
  • Amdocs partners with Linux Foundation to accelerate OpenECOMP adoption in Open Source
  • Calamares 2.4.6 Distribution-Independent Linux Installer Delivers Improvements
    The Calamares team is proud to announce the availability of the sixth maintenance update to the 2.4 stable series of the open-source, distribution-independent system installer Calamares, for Linux-based operating systems. Calamares 2.4.6 comes approximately two months after the release of the previous version, namely Calamares 2.4.5, and, as expected, it's a bugfix release that only delivers various improvements and bug fixes for some of the issues reported by users during all this time.
  • Shotwell Photo Manager 0.25.3 Released
    Photography fans will be pleased to hear that a new bug-fix release of photo management app Shotwell is now available to download.
  • AntiX 16.1 is available for public
    AntiX is a Debian-based Linux distribution. It uses lightweight desktop environments like Fluxbox, IceWM, Xfce, etc. This distribution originated in Greece and is typically ideal for old systems. A few hours ago the AntiX team released a new version named AntiX 16.1. It is based on Debian Jessie.
  • Tumbleweed Preps for PulseAudio 10, Gets Ruby, Python Updates
    Developers using openSUSE Tumbleweed are always getting the newest packages as well as updated languages, and the past week’s snapshots delivered updated versions of Python and Ruby. The most recent snapshot, 20170112, brought Python 2.x users version 2.7.13, which updated cipher lists for the OpenSSL wrapper and supports versions equal to or greater than OpenSSL 1.1.0. Python-unidecode 0.04.20 was also updated in the snapshot. Another update related to OpenSSL 1.1.0 was PulseAudio 9.99.1, which is a release in preparation for PulseAudio 10.0. PulseAudio 10.0 includes compatibility with OpenSSL 1.1.0, a fix for hotplugged USB surround sound cards and automatic switching of Bluetooth profile when using VoIP applications.
  • Genode OS Framework Planning For Async I/O, App ABI, Qt5 Plans For 2017
    The Genode Operating System Framework has announced their planned roadmap for this year as the involved developers continue working on this original OS initiative. The overall theme of the Genode OS work in 2017 is to focus on stability and scalability, but there is also much more on their road-map for this calendar year.
  • PrestaShop
    Helping people overcome the challenges of building and growing an online business is what the PrestaShop open-source ecommerce platform is all about. The significant PrestaShop 1.7 release provides innovations focused on three themes: sell faster, create easier and code better.
  • This Week in Spring: Reactor 3.0, Open Source CD, and All Kinds of Cloud

Linux on Servers

  • IBM i Open Source Business Architect Lays Out A Plan
    Enterprise level application development is no place for open source languages. Can you believe it? That was once the widely accepted truth. Jiminy Crickets! Things have changed. The number of stable open source distributions available with comprehensive support and maintenance goes well beyond common knowledge. Industry giants, successful SMB players, and mom and pop businesses are finding good reasons to use open source. Even IBM uses open source for internal business reasons. There are reasons for you to do the same.
  • Lightning Talk - Realizing the Multi-Cloud Promise of Kubernetes by Blake White, The Walt Disney Co.
  • How Disney Is Realizing the Multi-Cloud Promise of Kubernetes
    The Walt Disney Company is famous for “making magic happen,” and their cross-cloud, enterprise level Kubernetes implementation is no different. In a brief but information-packed lightning talk at CloudNativeCon in Seattle in November, Disney senior cloud engineer Blake White laid out a few of the struggles and solutions in making Kubernetes work across clouds.
  • Puppet Launches its Latest State of DevOps Survey
    Folks who are focused on container technology and virtual machines as they are implemented today might want to give a hat tip to some of the early technologies and platforms that arrived in the same arena. Among those, Puppet, which was built on the legacy of the venerable Cfengine system, was an early platform that helped automate lots of virtual machine implementations. We covered it in depth all the way back in 2008. Fast-forward to today, and Puppet is still making news, creating jobs and more.