
Security Leftovers

Filed under
Security
  • Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day

    The vulnerability, which Microsoft called “critical” in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014.

    [...]

    In July 2015, a hacker known only as “Phineas Fisher” targeted the Italian surveillance firm Hacking Team and stole some 400 GB of the company’s data, including internal emails, which he dumped online. The hack exposed the company’s business practices, but it also revealed the business of zero-day sellers who were trying to market their exploits to Hacking Team. The controversial surveillance firm, which sells its software to law enforcement and intelligence agencies around the world—including to oppressive regimes like Sudan, Bahrain, and Saudi Arabia—uses zero-day exploits to help sneak its surveillance tools onto targeted systems.

  • Flexible, secure SSH with DNSSEC

    With version 6.2 of OpenSSH came a feature that allows the remote host to retrieve a public key in a customised way, instead of the typical authorized_keys file in the ~/.ssh/ directory. For example, you can gather the keys of a group of users that require access to a number of machines on a single server (for example, an LDAP server), and have all the hosts query that server when they need the public key of the user attempting to log in. This saves a lot of editing of authorized_keys files on each and every host. The downside is that it's necessary to trust the source these hosts retrieve public keys from. An LDAP server on a private network is probably trustworthy (when looked after properly) but for hosts running in the cloud, that’s not really practical.

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Server Hardening

    Server hardening. The very words conjure up images of tempering soft steel into an unbreakable blade, or taking soft clay and firing it in a kiln, producing a hardened vessel that will last many years. Indeed, server hardening is very much like that. Putting an unprotected server out on the Internet is like putting chum in the ocean water you are swimming in—it won't be long and you'll have a lot of excited sharks circling you, and the outcome is unlikely to be good. Everyone knows it, but sometimes under the pressure of deadlines, not to mention the inevitable push from the business interests to prioritize those things with more immediate visibility and that add to the bottom line, it can be difficult to keep up with even what threats you need to mitigate, much less the best techniques to use to do so. This is how corners get cut—corners that increase our risk of catastrophe.

  • There are no secure smartphones.
  • OpenSSH Flaw Could Leak Crypto Keys
  • How To Patch and Protect OpenSSH Client Vulnerability CVE-2016-0777 and CVE-2016-0778 [ 14/Jan/2016 ]

    The OpenSSH project has released details of an ssh client bug that can leak private keys to malicious servers. The man-in-the-middle-style attacks identified and fixed in OpenSSH are dubbed CVE-2016-0777 and CVE-2016-0778. How do I fix OpenSSH's client vulnerability on a Linux or Unix-like operating system?

OpenSSH vulnerability could expose private credentials

Filed under
Red Hat
Security

So what exactly does this announcement mean? Since OpenSSH client version 5.4, there has been a feature called roaming that allows the client to resume a session that has been interrupted. Both the server and client would need to support roaming for this to work.

Server support was never added, but the feature is on by default for OpenSSH clients up to version 7.1p2. There are two vulnerabilities that stem from this feature and could be exploited when a user connects to an “evil” SSH server.
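The mitigation for the roaming bugs described above and in the "How To Patch and Protect" item (disable the client feature with UseRoaming no) as an added shell example that is not from the original articles; it assumes a standard OpenSSH ssh_config file and uses a constructed sample with a hypothetical host. Because ssh_config applies the first value it finds for an option, the check only accepts a setting placed before any Host or Match block, and the hardening step prepends the directive rather than appending it.

```shell
#!/bin/sh
# Added example (not from the original article): check an OpenSSH client config
# for the CVE-2016-0777/CVE-2016-0778 mitigation and apply it if missing.
# ssh_config uses first-match semantics: the first value seen for an option wins,
# so "UseRoaming no" only protects every connection when it appears before any
# Host or Match block. A copy appended at the end lands inside the last block.

# Constructed sample config (hypothetical host, not a real system).
SAMPLE_CONFIG='Host bastion
    HostName bastion.example.invalid
    User deploy
'

# Return 0 when the first UseRoaming directive in the file is "no" and it
# appears before any Host/Match block; return 1 otherwise.
roaming_disabled_globally() {
    awk '
        /^[ \t]*(#|$)/ { next }                              # comments, blanks
        { key = tolower($1); val = tolower($2) }
        key == "host" || key == "match" { exit }             # global section ended
        key == "useroaming" { found = (val == "no"); exit }  # first directive wins
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Prepend the mitigation so it precedes every Host/Match block. Idempotent.
harden_ssh_config() {
    cfg=$1
    roaming_disabled_globally "$cfg" && return 0
    tmp="$cfg.tmp.$$"
    {
        printf '# CVE-2016-0777 / CVE-2016-0778: disable undocumented client roaming\n'
        printf 'UseRoaming no\n'
        cat "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a temporary copy of the sample config.
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_CONFIG" > "$demo_dir/ssh_config"
harden_ssh_config "$demo_dir/ssh_config"
roaming_disabled_globally "$demo_dir/ssh_config" && echo "roaming disabled globally"
rm -rf "$demo_dir"
```

Upgrading the client to 7.1p2 or later removes the vulnerable code entirely; the config change is the stopgap for hosts that cannot be upgraded immediately.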

Read more

Security Leftovers: Let's Encrypt, GM, Silverlight 0-day

Filed under
Security
  • Trend Micro: Internet scum grab Let's Encrypt certs to shield malware

    It was inevitable. Trend Micro says it has spotted crooks abusing the free Let's Encrypt certificate system to smuggle malware onto computers.

    The security biz's fraud bod Joseph Chen noticed the caper on December 21. Folks in Japan visited a website that served up malware over encrypted HTTPS using a Let's Encrypt-issued cert. The site used the Angler Exploit Kit to infect their machines with the software nasty, which is designed to raid their online bank accounts.

  • GM Asks Friendly Hackers to Report Its Cars’ Security Flaws

    As automotive cybersecurity has become an increasingly heated concern, security researchers and auto giants have been locked in an uneasy standoff. Now one Detroit mega-carmaker has taken a first baby step toward cooperating with friendly car hackers, asking for their help in identifying and fixing its vehicles’ security bugs.

  • The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day [Ed: back door?]

    Perhaps one of the most explosively discussed subjects of 2015 was the compromise and data dump of Hacking Team, the infamous Italian spyware company.

    For those who are not familiar with the subject, Hacking Team was founded in 2003 and specialized in selling spyware and surveillance tools to governments and law enforcement agencies. On July 5, 2015, a large amount of data from the company was leaked to the Internet with a hacker known as “Phineas Fisher” claiming responsibility for the breach. Previously, “Phineas Fisher” did a similar attack against Gamma International, another company in the spyware/surveillance business.

Canonical Patches Critical OpenSSH Vulnerabilities in All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical's Ubuntu developers, who patch the latest security flaws in the core components and applications of all supported Ubuntu Linux operating systems, published a new security notice today, January 14, 2016, informing users that an update for the OpenSSH software is available.

Read more

SSH Hole and Other Security News

Filed under
Security

Pretty Nasty DHCP Vulnerability Closed in All Supported Ubuntu OSes

Filed under
Security
Ubuntu

Canonical has published details about a DHCP vulnerability that has been found and repaired in Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04.

Read more

Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines

Filed under
OSS
Security

A zero-day vulnerability has recently been discovered in the FFmpeg open-source multimedia framework, which is used in numerous Linux kernel-based operating systems and software applications, as well as on the Mac OS X and Windows platforms.

Read more

Tails Call for testing: 2.0~rc1

Filed under
GNU
Linux
Security
Debian

You can help Tails! The first release candidate for the upcoming version 2.0 is out. We are very excited and cannot wait to hear what you think about it.

Read more

More in Tux Machines

Slackware Live Edition – on its way to 1.0?

Last week the second Beta of the upcoming Slackware 14.2 was released. My goal was to have a new Beta of my liveslak ready by that time, so that I could provide new ISO images to test the Slackware Beta2 on a live medium. Unfortunately, there was an attack of the flu in my team at work and things got a bit busier than usual. There was a plus side to this: some last moment bug fixes which could be applied to my scripts – the result of having more evenings available to test. Therefore the new release is not labeled “0.5.0” but “0.5.1”.

Read more

Leftovers: KDE

  • Cantor migrating to Phabricator: which tools our contributors must use
    Projects and software developed by the KDE community are going to migrate to a new tool to manage our code, commits, reviews, tasks, and more. This tool is Phabricator and you can visit the instance for KDE projects at this address. Since November 2015 we have been migrating Cantor to Phabricator. After our first successful code review some days ago, I decided to write a post about which tools our contributors must use while the migration process is not finished.
  • Kdenlive's sprint report
    Last weekend, Vincent and I met in Lausanne for a Kdenlive sprint. One of our goals was to merge Gurjot Singh Bhatti's GSoC work on curves for keyframes. This was more work than expected and we spent many hours trying to fix the curves and make keyframes behave correctly. Not much time was left for sleep, but we still managed to get outside to make a group (!) picture in the woods above Lausanne.
  • Jekyll 3.x
    I’ve found three different types of transition issues (it is cool to look at these in a project I do not upgrade on a daily basis like Plasma and the rest of the KDE software).
  • kdev-python on Windows: try it!
    I spent the last two or three days playing around with KDE on Windows, with the aim of getting my Python language plugin for KDevelop to run there. In the end, it wasn’t that hard to get this to work — not as hard as I would have expected it to be, anyways.

Manjaro ARM launched

Hi community, wonderful news regarding architecture expansion within Manjaro Linux. It all started with a simple post on our developers mailing list. Somebody wanted to do Manjaro for ARM … Just after one month of development our first alpha release is now ready. So what is this all about? Manjaro Arm is a project aimed at bringing you the simplicity and customizability that is Manjaro to ARM devices. These devices are growing in numbers and can be used for any number of applications. Most famous are the Raspberry Pi series and BeagleBoard series.

Read more

Plasma 5.5.4 and Calligra Suite 2.9.11 now available

The 4th update for KDE's Plasma 5.5.x series is now available to all Chakra users. According to the release schedule, unless new issues occur, this will be the last update for this series before 5.6 gets released next month. Plasma 5.5.4 as usual includes a month's translations and bugfixes, with the authors highlighting the improvements for handling multi-screen setups. The Calligra Suite also receives a bugfix update to version 2.9.11, which mainly provides fixes for Krita and Kexi.

Read more