Security

Canonical Patches Nvidia Graphics Drivers Vulnerability in All Ubuntu Releases

Filed under
Security

It's time to update your Ubuntu Linux operating system if you have a Nvidia graphics card running the Nvidia Legacy 340 or 304 binary X.Org drivers provided on the official software repositories.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Reproducible Builds: week 90 in Stretch cycle

    The F-Droid Verification Server has been launched. It rebuilds apps from source that were built by f-droid.org and checks that the results match.

  • 6 Week Progress Update for PGP Clean Room

    One of the PGP Clean Room’s aims is to provide users with the option to easily initialize one or more smartcards with personal info and pins, and subsequently transfer keys to the smartcard(s). The advantage of using smartcards is that users don’t have to expose their keys to their laptop for daily certification, signing, encryption or authentication purposes.

  • New Kali Linux Professional Information Security Certification to debut at Black Hat USA, 2017

    First Official Kali Linux book release will coincide with launch of the new information security training program as the Penetration Testing platform celebrates its 10th anniversary.

  • The flatpak security model – part 1: The basics

    This is the first part of a series talking about the approach flatpak takes to security and sandboxing.

    First of all, a lot of people think of container technology like docker, rkt or systemd-nspawn when they think of linux sandboxing. However, flatpak is fundamentally different to these in that it is unprivileged.

  • Newly discovered Mac malware found in the wild also works well on Linux [Ed: Only if fools are stupid enough to actually INSTALL malware.]

    The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

    [...]

    Another intriguing finding: with the exception of the Mac-formatted Mach object file binary, the entire Fruitfly malware library runs just fine on Linux computers.

Why Linux Installers Need to Add Security Features

Filed under
Linux
Security

Twelve years ago, Linux distributions were struggling to make installation simple. Led by Ubuntu and Fedora, they long ago achieved that goal. Now, with the growing concerns over security, they need to reverse directions slightly, and make basic security options prominently available in their installers rather than options that users can add manually later.

At the best of times, of course, convincing users to come anywhere near security features is difficult. Too many users are reluctant even to add features as simple as unprivileged user accounts or passwords, apparently preferring the convenience of the moment to reducing the risk of an intrusion that will require reinstallation, or a consultation with a computer expert at eighty dollars an hour.

Security News

Filed under
Security
  • Wednesday's security updates
  • Secure your Elasticsearch cluster and avoid ransomware

    Last week, news came out that unprotected MongoDB databases are being actively compromised: content copied and replaced by a message asking for a ransom to get it back. As The Register reports: Elasticsearch is next.

    Protecting access to Elasticsearch by a firewall is not always possible. But even in environments where it is possible, many admins are not protecting their databases. Even if you cannot use a firewall, you can secure connection to Elasticsearch by using encryption. Elasticsearch by itself does not provide any authentication or encryption possibilities. Still, there are many third-party solutions available, each with its own drawbacks and advantages.

  • Resolve to Follow These 8 Steps for Better Data Security in 2017

    Getting physically fit is a typical New Year's resolution. Given that most of us spend more time online than in a gym, the start of the new year also might be a great time to improve your security “fitness.” As with physical fitness challenges, the biggest issue with digital security is always stagnation. That is, if you don't move and don't change, atrophy sets in. In physical fitness, atrophy is a function of muscles not being exercised. In digital fitness, security risks increase when you fail to change passwords, update network systems and adopt improved security technology. Before long, your IT systems literally become a “sitting duck.” Given the volume of data breaches that occurred in 2016, it is highly likely that everyone reading this has had at least one of their accounts compromised in some way, such as their Yahoo account. Hackers somewhere may have one of the passwords you’ve used at one point to access a particular site or service. If you're still using that same password somewhere, in a way that can connect that account to you, that's a non-trivial risk. Changing passwords is the first of eight security resolutions that can help to improve your online security fitness in 2017. Click through this eWEEK slide show to discover the rest.

  • Pwn2Own 2017 Takes Aim at Linux, Servers and Web Browsers

    10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including Virtual Machines, servers, enterprise applications and web browsers.

    Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged to become one of the premiere events on the information security calendar and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.

  • 'Factorio' is another game that was being hit by key scammers

    In another case of scammers trying to buy keys with often stolen credit cards to sell on websites like G2A, the developers of 'Factorio' have written about their experience with it (and other stuff too).

Security News

Filed under
Security

  • Security advisories for Tuesday
  • FOI: NHS Trusts are ransomware pin cushions [Ed: Windows]

    The FOI requests found that 87 per cent of attacks came via a networked NHS device and that 80 per cent were down to phished staffers. However, only a small proportion of the 100 or so Trusts responded to this part of the requests.

    "These results are far from surprising. Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching," said Tony Rowan, Chief Security Consultant at SentinelOne.

    "The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware and a new more dynamic approach to endpoint protection is needed.

Canonical to Remove Old Unity 7 Scopes from Ubuntu Because They're Not Secure

Filed under
Security

Canonical's Will Cooke has revealed recently the company's plans on removing some old, unmaintained Unity 7 Scopes from the Ubuntu Linux archives because they could threaten the security of the entire operating system.

Security Leftovers

Filed under
Security
  • 3 Lessons in Web Encryption from Let’s Encrypt

    As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year. Much of the infrastructure and many of the plans necessary for a 100 percent encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.

    But before we start looking ahead, it’s helpful to look back and see what our project learned from our exciting first full year as a live certificate authority (CA). I’m incredibly proud of what our team and community accomplished during 2016. I’d like to share how we’ve changed, what we’ve accomplished, and what we’ve learned.

    At the start of 2016, Let’s Encrypt was supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 22 million active certificates in total.

  • [Older] Kali Linux Cheat Sheet for Penetration Testers
  • Report: Attacks based on open source vulnerabilities will rise 20 percent this year [Ed: The Microsoft-connected Black Duck spreads FUD against FOSS again, together with IDG; Black Duck was created for the purpose of attacking the GPL, by its very own admission.]

    The number of commercial software projects that were composed of 50 percent or more of free, open source software went up from 3 percent in 2011 to 33 percent today, said Mike Pittenger, vice president of security strategy at Black Duck Software.

Security Leftovers

Filed under
Security
  • Truffle Hog Finds Security Keys Hidden in GitHub Code

    According to commenters on a Reddit thread about Truffle Hog, Amazon Web Services has already been using a similar tool for the same purpose. "I have accidentally committed my AWS secret keys before to a public repo," user KingOtar wrote. "Amazon actually found them and shut down my account until I created new ones. Kinda neat Amazon."

  • 5 Essential Tips for Securing Your WordPress Sites

    WordPress is by far the most popular blogging platform today.

    Being as popular as it is, it comes with its own strengths and weaknesses. The very fact that almost everybody uses it, makes it more prone to vulnerabilities. WordPress developers are doing a great job of fixing and patching the framework as new flaws are discovered, but that doesn’t mean that you can simply install and forget your installation.

    In this post, we will provide some of the most common ways of securing and strengthening a WordPress site.

  • Google ventures into public key encryption

    Google announced an early prototype of Key Transparency, its latest open source effort to ensure simpler, safer, and secure communications for everyone. The project’s goal is to make it easier for applications services to share and discover public keys for users, but it will be a while before it's ready for prime time.

    Secure communications should be de rigueur, but it remains frustratingly out of reach for most people, more than 20 years after the creation of Pretty Good Privacy (PGP). Existing methods where users need to manually find and verify the recipients’ keys are time-consuming and often complicated. Messaging apps and file sharing tools are limited in that users can communicate only within the service because there is no generic, secure method to look up public keys.

  • How to Keep Hackers out of Your Linux Machine Part 2: Three More Easy Security Tips

    In part 1 of this series, I shared two easy ways to prevent hackers from eating your Linux machine. Here are three more tips from my recent Linux Foundation webinar where I shared more tactics, tools and methods hackers use to invade your space. Watch the entire webinar on-demand for free.

More in Tux Machines

Security Leftovers

  • Atom Installer
    One thing that I miss about using Ubuntu is PPAs: there are lots of PPAs in Ubuntu and you can hack around and install all types of software which are required for your usage. In the Fedora side of the world there are copr repos but they don’t have as many repos as in Ubuntu and you can’t build non-free software (don’t get me wrong here, I love FREEdom software but couldn’t resist not using some beautiful non-free applications such as Sublime). I am creating a workaround for this by using shell scripts which are open source (cc0) but when those scripts are executed they install non-free software on your system.
  • MKVToolNix 9.9.0 MKV Manipulation Tool Released with New GUI Improvements, More
    MKVToolNix developer Moritz Bunkus announced today, February 20, 2017, the release and general availability of MKVToolNix 9.9.0 "Pick Up" for all supported platforms, including GNU/Linux, macOS, and Microsoft Windows. MKVToolNix 9.9.0 represents a month of hard work, during which the developer managed to add a bunch of new and interesting features, fix as many bugs reported by users since last month's MKVToolNix 9.8.0 point release, as well as to improve the build system, especially in regards to the man pages of the software.
  • Chakra GNU/Linux Users Get KDE Plasma 5.9.2 and KDE Applications 16.12.2, More
    The developers behind the Chakra GNU/Linux operating system have announced today the immediate availability of all the latest KDE technologies released this month in the stable repositories of the distribution. Yes, we're talking about the KDE Plasma 5.9.2 desktop environment, KDE Applications 16.12.2 software suite, KDE Frameworks 5.31.0, and KDE Development Platform 4.14.29, all of which can be found in your Chakra GNU/Linux's repos if you want to run the newest KDE software.

today's howtos

Leftovers: Ubuntu

  • IOTA: IoT revolutionized with a Ledger
    Ever since the introduction of digital money, the world quickly came to realize how dire and expensive the consequences of centralized systems are. Not only are these systems incredibly expensive to maintain, they are also “single points of failures” which expose a large number of users to unexpected service interruptions, fraudulent activities and vulnerabilities that can be exploited by malicious hackers. Thanks to Blockchain, which was first introduced through Bitcoin in 2009, the clear benefits of a decentralized and “trustless” transactional settlement system became apparent. No longer should expensive trusted third parties be used for handling transactions, instead, the flow of money should be handled in a direct, Peer-to-Peer fashion. This concept of a Blockchain (or more broadly, a distributed ledger) has since then become a global phenomenon attracting billions of dollars in investments to further develop the concept.
  • Return Home and Unify: My Case for Unity 8
  • Can netbooks be cool again?
    Earlier this week, my colleague Chaim Gartenberg covered a laptop called the GPD Pocket, which is currently being funded on Indiegogo. As Chaim pointed out, the Pocket’s main advantage is its size — with a 7-inch screen, the thing is really, really small — and its price, a reasonable $399. But he didn’t mention that the Pocket is the resurrection of one of the most compelling, yet fatally flawed, computing trends of the ‘00s: the netbook. So after ten years, are netbooks finally cool again? That might be putting it too strongly, but I’m willing to hope.

Linux Devices

  • Compact, rugged module runs Linux or Android on Apollo Lake
    Ubiqcomm’s 95 x 95mm, Apollo Lake-based “COM-AL6C” COM offers 4K video along with multiple SATA, USB, GbE, and PCIe interfaces, plus -40 to 85°C operation. Ubiqconn Technology Inc. has announced a “COM-AL6C” COM Express Type 6 Compact form factor computer-on-module built around Intel’s Apollo Lake processors and designed to withstand the rigors of both fixed and mobile industrial applications. The module offers a choice among three Intel Apollo Lake processors: the quad-core Atom x5-E3930, quad-core x5-E3940, and dual-core x7-E3950, which are clocked at up to 2.0GHz burst and offer TDPs from 6.5 to 12 Watts.
  • Internet-enable your microcontroller projects for under $6 with ESP8266
    To get started with IoT (the Internet of Things), your device needs, well, an Internet connection. Base Arduino microcontrollers don't have Internet connectivity by default, so you either need to add Ethernet, Wi-Fi shields, or adapters to them, or buy an Arduino that has built-in Internet connectivity. In addition to complexity, both approaches add cost and consume the already-precious Arduino flash RAM for program space, which limits what you can do. Another approach is to use a Raspberry Pi or similar single-board computer that runs a full-blown operating system like Linux. The Raspberry Pi is a solid choice in many IoT use cases, but it is often overkill when all you really want to do is read a sensor and send the reading up to a server in the cloud. Not only does the Raspberry Pi potentially drive up the costs, complexity, and power consumption of your project, but it is running a full operating system that needs to be patched, and it has a much larger attack surface than a simple microcontroller. When it comes to IoT devices and security, simpler is better, so you can spend more time making and less time patching what you already made.
  • Blinkenlights!
  • Blinkenlights, part 2
  • Blinkenlights, part 3
  • [Older] Shmoocon 2017: The Ins And Outs Of Manufacturing And Selling Hardware
    Every day, we see people building things. Sometimes, useful things. Very rarely, this thing becomes a product, but even then we don’t hear much about the ins and outs of manufacturing a bunch of these things or the economics of actually selling them. This past weekend at Shmoocon, [Conor Patrick] gave the crowd the inside scoop on selling a few hundred two factor authentication tokens. What started as a hobby is now a legitimate business, thanks to good engineering and abusing Amazon’s distribution program.
  • 1.8 Billion Mobile Internet Users NEVER use a PC, 200 Million PC Internet Users never use a mobile phone. Understanding the 3.5 Billion Internet Total Audience
    As I am working to finish the 2017 Edition of the TomiAhonen Almanac (last days now) I always get into various updates of numbers that remind me 'I gotta tell this story'.. For example the internet user numbers. We have the December count by the ITU for year 2016, that says the world has now 3.5 Billion internet users in total (up from 3.2 Billion at the end of year 2015). So it's no 'drama' to know what is 'that' number. The number of current internet total users is yes, 3.5 Billion, almost half of the planet's total population (47%).