Security

Debian Pushes Major Kernel Update to Debian Jessie, Fixes Over 20 Security Flaws

Filed under
Security
Debian

Today, June 28, 2016, the Debian Project, through Salvatore Bonaccorso, published details about a major Linux kernel security update for the Debian GNU/Linux 8 "Jessie" operating system.

Security Leftovers

Filed under
Security
  • Chrome vulnerability lets attackers steal movies from streaming services

    A significant security vulnerability in Google technology that is supposed to protect videos streamed via Google Chrome has been discovered by researchers from the Ben-Gurion University of the Negev Cyber Security Research Center (CSRC) in collaboration with a security researcher from Telekom Innovation Laboratories in Berlin, Germany.

  • Large botnet of CCTV devices knocks the snot out of jewelry website

    Researchers have encountered a denial-of-service botnet that's made up of more than 25,000 Internet-connected closed circuit TV devices.

    The researchers with Security firm Sucuri came across the malicious network while defending a small brick-and-mortar jewelry shop against a distributed denial-of-service attack. The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second.

  • Study finds Password Misuse in Hospitals a Steaming Hot Mess

    Hospitals are pretty hygienic places – except when it comes to passwords, it seems.

    That’s the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff.

    The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments – with the bad behavior being driven by necessity rather than malice.

  • Why are hackers increasingly targeting the healthcare industry?

    Cyber-attacks in the healthcare environment are on the rise, with recent research suggesting that critical healthcare systems could be vulnerable to attack.

    In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient’s medical history, which could be used in targeted spear-phishing attacks.

  • Making the internet more secure
  • Beyond Monocultures
  • Dodging Raindrops Escaping the Public Cloud

Canonical Patches Seven Linux Kernel Vulnerabilities in Ubuntu 16.04, Update Now

Filed under
Linux
Security
Ubuntu

Today, June 27, 2016, Canonical published a new security notice to inform users of the Ubuntu 16.04 LTS (Xenial Xerus) operating system about the availability of an important kernel update.

Security Leftovers

Filed under
Security
  • Teardrop Attack: What Is It And How Does It Work?

    In a Teardrop attack, the fragmented packets that are sent to the target machine are buggy in nature, and the victim’s machine is unable to reassemble those packets due to the bug in TCP/IP fragmentation.

  • Updating code can mean fewer security headaches

    Organizations with high rates of code deployments spend half as much time fixing security issues as organizations without such frequent code updates, according to a newly released study.

    In its latest annual state-of-the-developer report, DevOps software provider Puppet found that by better integrating security objectives into daily work, teams in "high-performing organizations" build more secure systems. The report, which surveyed 4,600 technical professionals worldwide, defines high IT performers as offering on-demand, multiple code deploys per day, with lead times for changes of less than one hour. Puppet has been publishing its annual report for five years.

  • Over half of world's top domains weak against email spoofing

    Over half of the world's most popular online services have misconfigured servers which could place users at risk from spoof emails, researchers have warned.

    According to Swedish cybersecurity firm Detectify, poor authentication processes and configuration settings in servers belonging to hundreds of major online domains could put users at risk of legitimate-looking phishing campaigns and fraudulent emails.

Linux Kernel 4.6.3 Has Multiple Networking Improvements, Better SPARC Support

Filed under
Linux
Security

Today, June 24, 2016, renowned Linux kernel developer Greg Kroah-Hartman has announced the general availability of the third maintenance release for the Linux 4.6 kernel series.

Linux kernel 4.6.3 is here two weeks after the release of the second maintenance update in the series, Linux kernel 4.6.2, to change a total of 88 files, with 1302 insertions and 967 deletions. Unfortunately, very few GNU/Linux distributions have adopted the Linux 4.6 series, despite the fact that Greg Kroah-Hartman urged everyone to move to this most advanced kernel branch as soon as possible from Linux 4.5, which reached end of life.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Google Hacker Donates His $15,000 Bug Bounty Cash Award To Charity

    Google’s leading security engineer Tavis Ormandy recently won a bug bounty challenge run by security solutions firm Bromium and decided to donate the money to charity. Following his gesture, Bromium matched Ormandy’s donation and donated $15,000 to the Amnesty International organization.

  • Mozilla Awards $385,000 to Open Source Projects as part of MOSS “Mission Partners” Program

    For many years people with visual impairments and the legally blind have paid a steep price to access the Web on Windows-based computers. The market-leading software for screen readers costs well over $1,000. The high price is a considerable obstacle to keeping the Web open and accessible to all. The NVDA Project has developed an open source screen reader that is free to download and to use, and which works well with Firefox. NVDA aligns with one of the Mozilla Manifesto’s principles: “The Internet is a global public resource that must remain open and accessible.”

  • TOR Project And Security Experts Making A “Hardened” Version Of TOR To Defeat FBI

    The TOR Project is working closely with security researchers to implement a new technique to secure the TOR Browser against the FBI’s de-anonymization exploits. Called “Selfrando”, this technique will fight the FBI’s “Code Reuse” exploits and create a “hardened” version of TOR.

Security Leftovers

Filed under
Security
  • New RAA ransomware written in JavaScript discovered

    A new variety of ransomware called RAA has been discovered that has the somewhat unusual attribute of being coded in JavaScript instead of one of the more standard programming languages, making it more effective in certain situations.

  • Want To Be A Cool Security Guru?

    Well, it will take some work; security is not like what they show on TV. You don’t need green-on-black text, special goggles or an unlimited enhance function. Instead, it requires sitting down and understanding the history of the field, what it means to be “secure” and what limitations or assumptions you can work under. This summer I have decided to start my journey into the vast field of cryptography and am doing an online course at Stanford University that provides an introduction to cryptography. It is appropriately named “Cryptography I” and is the first part of a two-part course, the second part being offered later in the Fall. Both are taught by a really awesome professor, Dan Boneh, who I find explains the material very well. I decided I would like to make some posts about what I have learned in this course as I go through the material so that I can share my knowledge and get a chance to write it down somewhere for later reference.

  • WordPress 4.5.3 Maintenance and Security Release

    WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

More in Tux Machines

Games for GNU/Linux

  • Stardew Valley is now in beta for Linux
    The Stardew Valley developer tweeted out a password for a beta, but after discussing it with them on their forum I was able to show them that we can't actually access it yet. While what I was telling them may not have been entirely correct (SteamDB is confusing), the main point I made was correct. Normal keys are not able to access the beta yet, but beta/developer keys can, as it's not currently set for Linux/Mac as a platform for us.
  • Physics-based 3D puzzler Human: Fall Flat released on Steam for Linux
    Human: Fall Flat is an open-ended physics puzzler with an optional local co-op mode, developed by No Brakes Games, and available now on Steam for Linux.
  • 7 Mages brings a touch more of traditional dungeon crawling to Linux
    Controlling a party of adventurers, exploring dungeons and fighting weird magical creatures is an RPG tradition as old as the genre. Expect all that and more in this modern iteration of the classical dungeon crawler.

Security News

  • Security advisories for Monday
  • EU to Give Free Security Audits to Apache HTTP Server and Keepass
    The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects. The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers. The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.
  • What is your browser really doing?
    While Microsoft would prefer you use its Edge browser on Windows 10 as part of its ecosystem, the most popular Windows browser is Google’s Chrome. But there is a downside to Chrome – spying and battery life. It all started when Microsoft recently announced that its Edge browser used less battery power than Google Chrome, Mozilla Firefox or Opera on Windows 10 devices. It also measured telemetry – what the Windows 10 device was doing when using different browsers. What it found was that the other browsers had a significantly higher central processing unit (CPU), and graphics processing unit (GPU) overhead when viewing the same Web pages. It also proved that using Edge resulted in 36-53% more battery life when performing the same tasks as the others. Let’s not get into semantics about which search engine — Google or Bing — is better; this was about simple Web browsing, opening new tabs and watching videos. But it started a discussion as to why CPU and GPU usage was far higher. And it relates to spying and ad serving.
  • Is Computer Security Becoming a Hardware Problem?
    In December of 1967 the Silver Bridge collapsed into the Ohio River, killing 46 people. The cause was determined to be a single 2.5 millimeter defect in a single steel bar—some credit the Mothman for the disaster, but to most it was an avoidable engineering failure and a rebuttal to the design philosophy of substituting high-strength non-redundant building materials for lower-strength albeit layered and redundant materials. A partial failure is much better than a complete failure. [...] In 1996, Kocher co-authored the SSL v3.0 protocol, which would become the basis for the TLS standard. TLS is the difference between HTTP and HTTPS and is responsible for much of the security that allows for the modern internet. He argues that, barring some abrupt and unexpected advance in quantum computing or something yet unforeseen, TLS will continue to safeguard the web and do a very good job of it. What he's worried about is hardware: untested linkages in digital bridges.
  • Your Smart Robot Is Coming in Five Years, But It Might Get Hacked and Kill You
    A new report commissioned by the Department of Homeland Security forecasts that autonomous artificially intelligent robots are just five to 10 years away from hitting the mainstream—but there’s a catch. The new breed of smart robots will be eminently hackable. To the point that they might be re-programmed to kill you. The study, published in April, attempted to assess which emerging technology trends are most likely to go mainstream, while simultaneously posing serious “cybersecurity” problems. The good news is that the near future is going to see some rapid, revolutionary changes that could dramatically enhance our lives. The bad news is that the technologies pitched to “become successful and transformative” in the next decade or so are extremely vulnerable to all sorts of back-door, front-door, and side-door compromises.
  • Trump, DNC, RNC Flunk Email Security Test
    At issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.
  • NIST Prepares to Ban SMS-Based Two-Factor Authentication
    The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA). The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by governments and private agencies to assess the security of their services and software. NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.
  • 1.6m Clash of Kings forum accounts 'stolen'
    Details about 1.6 million users on the Clash of Kings online forum have been hacked, claims a breach notification site. The user data from the popular mobile game's discussion forum were allegedly targeted by a hacker on 14 July. Tech site ZDNet has reported the leaked data includes email addresses, IP addresses and usernames.
  • Hacker steals 1.6 million accounts from top mobile game's forum
    [Ed: vBulletin is proprietary software -- the same crap Canonical used for Ubuntu forums]

The saga continues with Slackware 14.2

Slackware is the oldest surviving Linux distribution and has been maintained since its birth by Patrick Volkerding. Slackware has a well deserved reputation for being stable, consistent and conservative. Slackware is released when it is ready, rather than on a set schedule, and fans of the distribution praise its no-frills and no-fuss design. Slackware adheres to a "keep it simple" philosophy similar to Arch Linux, in that the operating system does not do a lot of hand holding or automatic configuration. The user is expected to know what they are doing and the operating system generally stays out of the way.

The latest release of Slackware, version 14.2, mostly offers software updates and accompanying hardware support. A few new features offer improved plug-n-play support for removable devices and this release of Slackware ships with the PulseAudio software. PulseAudio has been commonly found in the audio stack of most Linux distributions for several years, but that is a signature of Slackware: adding new features when they are needed, not when they become available. In this case PulseAudio was required as a dependency for another package.

Slackware 14.2 is available in 32-bit and 64-bit builds for the x86 architecture. There is also an ARM build. While the main edition of Slackware is available as an installation disc only, there is a live edition of Slackware where we can explore a Slackware-powered desktop environment without installing the distribution. The live edition can be found on the Alien Base website. Both the live edition and the main installation media are approximately 2.6GB in size. For the purposes of this review I will be focusing on the main, installation-only edition.

Booting from the install media brings us to a text screen where we are invited to type in any required kernel parameters. We can press the Enter key to take the default settings or wait two minutes for the media to continue booting. A text prompt then offers to let us load an alternative keyboard layout or use the default "US" layout. We are then brought to a text console where a brief blurb offers us tips for setting up disk partitions and swap space. The helpful text says we can create partitions and then run the system installer by typing "setup".