Language Selection

English French German Italian Portuguese Spanish


12 Best Operating Systems For Ethical Hacking And Penetration Testing | 2018 Edition

Filed under

Wondering which is the best operating system for ethical hacking and pen testing purposes? Trying to solve this problem, Fossbytes has prepared a list of the most efficient Linux distros for hacking purposes that you need to check out in 2018.

Read more

Security: TLS, Coverity/Synopsys Cracked, Penetration Tools for Kali Linux

Filed under
  • TLS 1.3 is approved: Here's how it could make the entire internet safer

    The version approved is actually the 28th draft of the upgrade to TLS 1.2 and has been in discussion by IETF members for over two years. TLS is a fundamental part of securing internet connections via HTTPS, which likely slowed down its adoption so that IETF members could be sure it didn't open up exploits.

  • Coverity Scan Service Hacked!
  • Coverity Scan code checker's systems crypto-jacked to run cheeky mining op

    The systems of freebie open-source code scanning tool Coverity Scan were hacked and abused to run a cryptocurrency mining operation, its operator has confirmed.

    Synopsys, the firm behind Coverity Scan, said its corporate systems were not affected by the previously unexplained incident, which resulted in the suspension of the service for around four weeks until last Friday.

  • The Best 20 Hacking and Penetration Tools for Kali Linux

    It is surprising how many people are interested in learning how to hack. Could it be because they usually have a Hollywood-based impression in their minds?

    Anyway, thanks to the open-source community we can list out a number of hacking tools to suit every one of your needs. Just remember to keep it ethical!

Security: Microsoft Windows in Atlanta, BranchScope, Reproducible Builds and More

Filed under
  • Atlanta, hit by ransomware attack, also fell victim to leaked NSA exploits [Ed: He meant to say Microsoft Windows back doors rather than "leaked NSA exploits". But he used to work for Microsoft UK, so blaming the NSA is convenient.]

    "The attack is an important reminder of the need to ensure that the city's digital infrastructure is secure and up to date," said Bottoms in a Monday press conference.

    But according to one security firm, last week's cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak.

    New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city's network was silently infected last year with leaked exploits developed by the National Security Agency.

  • BranchScope: Intel CPUs Vulnerable To New Spectre-Like Attack

    In the computer security world, once a vulnerability is found it doesn’t take much longer for the security researchers to find similar flaws and propose new attack mechanisms. The researchers at College of William and Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University, have found a new Spectre-like attack.

    Before I go ahead and tell you something about this attack named “BranchScope,” let me talk about “speculative execution” — a feature of modern CPUs that’s responsible for such attacks.

  • Reproducible Builds: Weekly report #152

    Here's what happened in the Reproducible Builds effort between Sunday March 18 and Saturday March 24 201...

  • Zero coverage reports

    A study from Google Test Automation Conference 2016 showed that an uncovered line (or method) is twice as likely to have a bug fix than a covered line (or method). On top of that, testing a feature prevents unexpected behavior changes.

    Using these reports, we have managed to remove a good amount of code from mozilla-central, so far around 60 files with thousands of lines of code. We are confident that there’s even more code that we could remove or conditionally compile only if needed.

  • Defense through collaboration: The use of free software in preventing proprietary software based virus attacks

    In the summer of 2017, software powering the critical infrastructure of Ukraine came to a grinding halt after the country was hit with a surgically precise targeted cyber attack. A malware virus called NotPetya irreversibly encrypted the files of hundreds of thousands of computers. The impact was devastating: the Chernobyl radiation moderating system was shut down, governmental institutions lost access to critical data, and the total damage was estimated to cost over $100 million. This example, among others, points to an increasing weaponization of vulnerabilities in proprietary software to accomplish these attacks.

heads 0.4 released

Filed under

It's been a while, but heads is a part of a larger ecosystem that needed work, to enable heads moving forward. 0.4 (except possible bugfixes and updates) is probably the final release before heads is ready to apply for the GNU free distribution list, and of course, will bring cool new features.

Read more

Security: Updates, FUD and More

Filed under
  • New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices

    As we've pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

  • Security updates for Tuesday
  • US cops are using dead people's fingerprints to unlock iPhones

    Citing people close to local and federal police investigations in New York and Ohio, the report says that it is "relatively common fingerprints of the deceased to be depressed on the scanner of Apple iPhones" adding that there has been times where law enforcement has successfully gained access to a dead person's iPhone.

  • GCHQ's infosec crew plans to 'scale up' Web Check to improve site security

    The web certificate set-up and encryption offered by UK government and agency websites can sometimes fall below best practice, as recent issues with the Driver and Vehicle Licensing Agency (DVLA) illustrate. Almost all central government websites have started to follow best practice and website security - while there's still plenty of room for improvement - normally achieves at least a passing grade. The picture with local government websites is far less rosy, with examples of serious web security fails in Birmingham, Wigan and elsewhere thick on the ground.

  • $75,000 of Monero Cryptojacked Via Flaw in Weathermap Plugin [Ed: Headline used to be "$75,000 of Monero Cryptojacked Through Flaw in Linux," but they realised it was a lie. Not Linux at all!]
  • Forgot About Default Accounts? No Worries, GoScanSSH Didn’t [Ed: Media already twists that as a "Linux" issue (which it is not)]
  • GoScanSSH malware targets Linux systems but avoids government servers

    GoScanSSH, a new strain of malware written in Golang (Go), has been targeting Linux-based SSH servers exposed to the internet — as long as those systems do not belong to the government or military.

    In a new report, Cisco’s Talos Intelligence Group explained several other “interesting characteristics” of GoScanSSH, such as the fact that attackers create unique malware binaries for each host that is infected with the malware.

Security: DKIM, QR, TLS, Blackmailing Developers

Filed under
  • DKIM (DomainKeys Identified Mail) Modernization

    When DKIM was originally specified in 2007, 512 bit rsa-sha1 seemed like a great idea (well not a great idea, but not everyone could do rsa-sha256 yet, so rsa-sha1 was let live in the specification to ease transition from Yahoo!’s DomainKeys. Fast forward to 2012 and suddenly 512 bits wasn’t such a great idea. The most recent DKIM update the year before had not changed the original 2007 recommendations, but the operational community reacted and 768 bits became a de-facto minimum key length and 1024 bits or more preferred. All DKIM related packages in Debian were updated to match these more secure requirements.

  • Crooks infiltrate Google Play with malware in QR reading utilities

    SophosLabs just alerted us to a malware family that had infiltrated Google Play by presenting itself as a bunch of handy utilities.

    Sophos detects this malware as Andr/HiddnAd-AJ, and the name gives you an inkling of what the rogue apps do: blast you with ads, but only after lying low for a while to lull you into a false sense of security.

  • Play TLS 1.3 with curl

    The IESG recently approved the TLS 1.3 draft-28 for proposed standard and we can expect the real RFC for this protocol version to appear soon (within a few months probably).

    TLS 1.3 has been in development for quite some time by now, and a lot of TLS libraries already support it to some extent. At varying draft levels.

    curl and libcurl has supported an explicit option to select TLS 1.3 since curl 7.52.0 (December 2016) and assuming you build curl to use a TLS library with support, you’ve been able to use TLS 1.3 with curl since at least then. The support has gradually been expanded to cover more and more libraries since then.

  • You think you're not a target? A tale of three developers...

    If you develop or distribute software of any kind, you are vulnerable to whole categories of attacks upon yourself or your loved ones. This includes blackmail, extortion or "just" simple malware injection! By targeting software developers such as yourself, malicious actors, including nefarious governments, can infect and attack thousands -- if not millions -- of end users.

    How can we prevent these disasters? The idea behind reproducible builds is to allow verification that no flaws have been introduced during build processes; this prevents against the installation of backdoor-introducing malware on developers' machines, ensuring attempts at extortion and other forms of subterfuge are quickly uncovered and thus ultimately futile.

Security: TLS 1.3, Neglected Servers, and the Latest Updates

Filed under

Security: Android, FUD, AMD, and Slackware Supports HTTP/2

Filed under

Security: FUD. Sensationalist Headlines and Windows Unnamed

Filed under
  • Cybercriminals Exploit PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers [Ed: Nothing to do with Linux; media never names Microsoft Windows when something bad happens on it.]
  • Is Application Security Dead?

    Spoiler alert: If application security isn't dead yet, its days are numbered. OK, this is an over-exaggeration, but fear not, application security engineers — the work you do is actually becoming more important than ever, and your budget will soon reflect this. Application security will never die, but it will have to morph to succeed.

  • Sweden Is Becoming a Haven for Cryptojackers [Ed: Microsoft Windows not named, but implied]


    The number of such attacks surged an estimated 10,100 percent in the biggest Nordic economy in the fourth quarter, about double the jump globally, according to Symantec Corp.’s 2018 Internet Security Threat Report.

LibreSSL 2.7.1 Released, OpenSSH 7.7 Being Tested

Filed under
Syndicate content

More in Tux Machines

today's howtos

Graphics: VC4 and AMDVLK Driver

  • VC4 display, VC5 kernel submitted
    For VC5, I renamed the kernel driver to “v3d” and submitted it to the kernel. Daniel Vetter came back right away with a bunch of useful feedback, and next week I’m resolving that feedback and continuing to work on the GMP support. On the vc4 front, I did the investigation of the HDL to determine that the OLED matrix applies before the gamma tables, so we can expose it in the DRM for Android’s color correction. Stefan was also interested in reworking his fencing patches to use syncobjs, so hopefully we can merge those and get DRM HWC support in mainline soon. I also pushed Gustavo’s patch for using the new core DRM infrastructure for async cursor updates. This doesn’t simplify our code much yet, but Boris has a series he’s working on that gets rid of a lot of custom vc4 display code by switching more code over to the new async support.
  • V3D DRM Driver Revised As It Works To Get Into The Mainline Kernel
    Eric Anholt of Broadcom has sent out his revised patches for the "V3D" DRM driver, which up until last week was known as the VC5 DRM driver. As explained last week, the VC5 driver components are being renamed to V3D since it ends up supporting more than just VC5 with Broadcom VC6 hardware already being supported too. Eric is making preparations to get this VideoCore driver into the mainline Linux kernel and he will then also rename the VC5 Gallium3D driver to V3D Gallium3D.
  • AMDVLK Driver Gets Fixed For Rise of the Tomb Raider Using Application Profiles
    With last week's release of Rise of the Tomb Raider on Linux ported by Feral Interactive, when it came to Radeon GPU support for this Vulkan-only Linux game port the Mesa RADV driver was supported while the official AMDVLK driver would lead to GPU hangs. That's now been fixed. With the latest AMDVLK/XGL source code as of today, the GPU hang issue for Rise of the Tomb Raider should now be resolved.

AMD Ryzen 7 2700X Linux Performance Boosted By Updated BIOS/AGESA

With last week's initial launch-day Linux benchmarks of the Ryzen 5 2600X / Ryzen 7 2700X some found the Linux performance to be lower than Windows. While the root cause is undetermined, a BIOS/AGESA update does appear to help the Linux performance significantly at least with the motherboard where I've been doing most of my tests with the Ryzen 7 2700X. Here are the latest benchmark numbers. Read more

GNU: The GNU C Library 2.28 and Guix on Android

  • Glibc 2.28 Upstream Will Build/Run Cleanly On GNU Hurd
    While Linux distributions are still migrating to Glibc 2.27, in the two months since the release changes have continued building up for what will eventually become the GNU C Library 2.28. The Glibc 2.28 work queued thus far isn't nearly as exciting as all the performance optimizations and more introduced with Glibc 2.27, but it's a start. Most notable at this point for Glibc 2.28 is that it will now build and run cleanly on GNU/Hurd without requiring any out-of-tree patches. There has been a ton of Hurd-related commits to Glibc over the past month.
  • Guix on Android!
    Last year I thought to myself: since my phone is just a computer running an operating system called Android (or Replicant!), and that Android is based on a Linux kernel, it's just another foreign distribution I could install GNU Guix on, right? It turned out it was absolutely the case. Today I was reminded on IRC of my attempt last year at installing GNU Guix on my phone. Hence this blog post. I'll try to give you all the knowledge and commands required to install it on your own Android device.
  • GNU Guix Wrangled To Run On Android
    The GNU Guix transactional package manager can be made to run on Android smartphones/tablets, but not without lots of hoops to jump through first.