Security

Following Debian's GNU/Hurd in 2015

Filed under
Security
Debian

The Debian project is best known for its stable GNU/Linux operating system, a platform which is used as a base by over one hundred distributions. However, the Debian project is home to other operating systems, including a port of GNU's Hurd. The GNU/Hurd port combines Debian packages and package management with GNU userland software running on GNU's microkernel. The project offers this description: "The Hurd is a set of servers running on top of the GNU Mach microkernel. Together they build the base for the GNU operating system. Currently, Debian is only available for Linux and kFreeBSD, but with Debian GNU/Hurd we have started to offer GNU/Hurd as a development, server and desktop platform, too. We hope to be able to release Debian GNU/Hurd for Wheezy."

Read more

Security Leftovers

Filed under
Security
  • The scariest thing about the Chrysler hack is how hard it was to patch

    Chrysler is having a bad week. On Tuesday, Wired published a fantastic and gripping report detailing an open vulnerability in Chrysler's UConnect system, allowing attackers to take control of transmission, brakes, or even steering. There was already a patch available when the article was published, but because cars required physical updates, most cars hadn't received it. Today, Chrysler upped the ante, asking 1.4 million cars to report to dealerships or install a patch mailed out over USB. It's the biggest vulnerability we've ever seen from a car company, and a firsthand demonstration of how hard it is to patch a problem once it pops up.

  • 1/2 TRILLION spent on IT upgrades, but IRS, Feds still use DOS, old Windows

    President Obama's team has spent more than a half trillion dollars on information technology, but some departments, notably the IRS, still run on DOS and old Windows, which isn't serviced anymore, according to a House chairman.

  • US won’t publicly blame China for massive government hacks – reports

    Despite the fact that numerous American officials have blamed China for the massive hack that involved the personal data theft of millions of government employees, the United States has reportedly chosen not to publicly point the finger at Beijing.

    Two breaches at the Office of Personnel Management this year put the data of more than 22 million Americans at risk, raising concern about foreign cyberattacks and lax government security measures.

  • Car hack uses digital-radio broadcasts to seize control

    Several car infotainment systems are vulnerable to a hack attack that could potentially put lives at risk, a leading security company has said.

    NCC Group said the exploit could be used to seize control of a vehicle's brakes and other critical systems.

    The Manchester-based company told the BBC it had found a way to carry out the attacks by sending data via digital audio broadcasting (DAB) radio signals.

  • After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix

    Welcome to the age of hackable automobiles, when two security researchers can cause a 1.4 million product recall.

    On Friday, Chrysler announced that it’s issuing a formal recall for 1.4 million vehicles that may be affected by a hackable software vulnerability in Chrysler’s Uconnect dashboard computers. The vulnerability was first demonstrated to WIRED by security researchers Charlie Miller and Chris Valasek earlier this month when they wirelessly hacked a Jeep I was driving, taking over dashboard functions, steering, transmission and brakes. The recall doesn’t actually require Chrysler owners to bring their cars, trucks and SUVs to a dealer. Instead, they’ll be sent a USB drive with a software update they can install through the port on their vehicle’s dashboard.

  • Fiat Chrysler recalls 1.4 million cars over remote hack vulnerability
  • Valerie Plame: OPM breach is 'absolutely catastrophic' to security

    "When you have access to information about the friends, family members and health issues of someone who works for the U.S. government, you can use that to try to get close to that person and gather intelligence," she said. "To my mind, the OPM breach is absolutely catastrophic for our national security."

  • Newest Remote Car Hacking Raises More Questions About Reporter’s Death

    As readers of WhoWhatWhy know, our site has been one of the very few continuing to explore the fiery death two years ago of investigative journalist Michael Hastings, whose car left a straight segment of a Los Angeles street at a high speed, jumped the median, hit a tree, and blew up.

    Our original report described anomalies of the crash and surrounding events that suggest cutting-edge foul play—that an external hacker could have taken control of Hastings’s car in order to kill him. If this sounds too futuristic, a series of recent technical revelations has proven that “car hacking” is entirely possible. The latest just appeared this week.

  • This Jordanian Left Her Life as a Beauty Queen to Be an Islamic State-Fighting Hacktivist

    Lara Abdallat is not your average beauty queen. She was Miss Jordan 2010 and first runner-up to Miss Arab 2011, but she abandoned her career in pageantry to do something slightly more controversial and dangerous.

    Abdallat is currently fighting the Islamic State group and Islamic extremists as a hacktivist with Ghost Security, an international counterterrorism organization tenuously affiliated with Anonymous, perusing the Deep Web and the Darknet for suspicious activity.

Advanced spyware for Android now available to script kiddies everywhere

Filed under
Android
Security
Legal
  • Advanced spyware for Android now available to script kiddies everywhere

    One of the more recent discoveries resulting from the breach two weeks ago of malware-as-a-service provider Hacking Team is sure to interest Android enthusiasts. To wit, it's the source code to a fully featured malware suite that had the ability to infect devices even when they were running newer versions of the Google-developed mobile operating system.

    The leak of the code base for RCSAndroid—short for Remote Control System Android—is a mixed blessing. On the one hand, it provides the blueprints to a sophisticated, real-world surveillance program that can help Google and others better defend the Android platform against malware attacks. On the other, it provides even unskilled hackers with all the raw materials they need to deploy what's arguably one of the world's more advanced Android surveillance suites.

  • Security tool bod's hell: People think I wrote code for Hacking Team!

    A respected security researcher has denied any involvement with Hacking Team after open-source code he wrote was found in smartphone spyware sold by the surveillance-ware maker.

The French want to BAN .doc and .xls files from Le Gouvernement

Filed under
Microsoft
OSS
Security

Microsoft could get the boot from the French government if a new recommendation from an official advisor is adopted.

DISIC (Direction interministérielle des systèmes d'information et de communication de l'État) has recommended that French authorities ditch Microsoft Office tools in favour of the Open Document Format (ODF).

DISIC is responsible for harmonising and reducing the costs of all state computers, including government ministries, state and regional departments and local authorities, and sees ODF as the best way to make them all interoperable.

According to sources, an initial draft of the report envisaged outlawing Microsoft’s Open XML altogether, although with some agencies using tools specifically developed for use with Open XML, DISIC relented.

Read more

Security and Linux/FOSS/Proprietary

Filed under
Security
  • Security updates for Monday
  • Why DANE isn't going to win

    1024 bit RSA keys are quite common throughout the DNSSEC system. Getting rid of 1024 bit keys in the PKI has been a long-running effort; doing the same for DNSSEC is likely to take quite a while. Yes, rapid rotation is possible, by splitting key-signing and zone-signing (a good design choice), but since it can’t be enforced, it’s entirely likely that long-lived 1024 bit keys for signing DNSSEC zones are the rule, rather than the exception.

  • RealVNC: more open remote access protocols will increase security

    Yes but RFB 5 is new... and it's a closed, secret, previously unpublished protocol (unlike earlier RFB 3.x versions).

    Hmm, still doesn't sound very secure.

    Security in remote access solutions will always be a concern for some it's true.

  • I worked at #HackingTeam, my emails were leaked to WikiLeaks and I’m ok with that

    Is radical transparency the best solution to expose injustice in this technocratic world, a world that is changing faster than law can keep up with?

    That question became even more relevant to me, a privacy activist, when I found myself in the Wikileaks archive, because I worked at Hacking Team 9 years ago.

    [...]

    This is a leak in the public interest, and I really feel that the personal and corporate damage is smaller than the improvement our society can gain from it. But to reach such an improvement, we have to focus on the bigger picture rather than getting distracted by the juicy details.

  • Hackers Remotely Kill a Jeep on the Highway—With Me in It

    Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

    At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

  • 470,000 Vehicles At Risk After Hackers "Take Control & Crash" Jeep Cherokee From A Sofa 10 Miles Away

Researcher lashes out at Hacking Team over open-source code discovery

Filed under
OSS
Security

System security researcher Colin Mulliner said in a blog post on Tuesday that he discovered his open-source creations were being used -- without notice or permission by Hacking Team -- after individuals on Twitter pointed it out and he received a flood of emails and personal notifications.

Read more

OPSWAT adds support for Linux to their Multi Anti-Malware Scanner Metascan

Filed under
Linux
Security

OPSWAT, a provider of solutions to secure and manage IT infrastructure, today announced the next generation of Metascan, which can be deployed on Linux. Metascan is a multi-scanning solution for ISVs, IT admins and malware researchers that detects and prevents known and unknown threats. Metascan for Linux offers improved security and scalability, as well as enhanced usability and a new user interface.

Read more

The End of Adobe Flash?

Filed under
Software
Security
  • Hacking Team claims terrorists can now use its tools
  • Hacking Team: government-sponsored cyberattack company likely hacked by another country, it claims

    An elite cyberattack group that was employed by governments and agencies was probably hacked by another country, it has said — and the attack has led to its powerful hacking tools being released into the wild.

    Hacking Team was hacked last week, revealing private emails and documents as well as insights into its tools. The leaked documents showed many of the vulnerabilities that were being used by the group — such as a bug in Adobe Flash that can be exploited to get complete control of a computer — which has meant that anyone can counteract them as well as use them for their own ends.

  • Flash HOLED AGAIN TWICE below waterline in fresh Hacking Team reveals
  • Adobe to Patch Two More Zero-Day Flaws in Flash
  • Mozilla blocks Flash as Facebook security chief calls for its death

    After yesterday's news that Facebook's new chief security officer wants to set a date to kill Flash once and for all, the latest version Mozilla's Firefox browser now blocks Adobe's vulnerability-riddled software as standard. Mark Schmidt, the head of the Firefox support team at Mozilla, tweeted that all versions of Flash Player are blocked in the browser as of its latest update, accompanying the news with an image showing a raised fist and the phrase "Occupy Flash."

  • Can we kill Adobe Flash?

    Yesterday the usual tech news outlets were buzzing over an accidental tweet which the media incorrectly interpreted as Mozilla ditching Flash entirely as a policy (blame The Verge for the chain reaction of copied news articles). While that is not the case, I was just as excited as many at the faux-news. This got me thinking: what would it really take for the web to kill Adobe Flash? Could Mozilla really make such a move and kill Flash on its own if it wanted to?

  • No Flash 0.5 - still fighting the legacy

    Last week I released No Flash 0.5, my addon for Firefox to fix the legacy of video embedding done with Flash. If you are like me and don't have Flash installed, sometimes you encounter embedded videos that don't work. No Flash will fix some of them by replacing the Flash object with an HTML5 video. This is done using the proper video embedding for HTML5.

  • Facebook's New Security Chief Calls On Adobe To Kill Flash

    This message comes after it was revealed that the recently hacked "Hacking Team" was using Flash zero-day vulnerabilities to hack journalists, activists, governments and more. Alex Stamos, like other security experts, must have also gotten tired of hearing about so many security vulnerabilities that Flash has had during its entire lifetime.

  • How to disable Flash Player: Why now's a better time than ever

    Now more than ever, leaving Adobe Flash Player on your system is looking like a dubious proposition.

    While Flash has long been a popular vector for malware, last week’s security breach of surveillance software firm Hacking Team underscored just how vulnerable Flash can be. Hacking Team was relying on at least three unpatched Flash exploits, which cybercriminals immediately adapted for their own nefarious uses. Adobe is scrambling to patch the exploits, but at least one remains unfixed as of this writing.

The NSA Is Looking At Systemd's KDBUS

Filed under
Red Hat
Security

While it's true that an NSA analyst sent out an email about KDBUS security, it hopefully shouldn't raise any alarm bells. The thread in question is about credential faking for KDBUS and why it's even there. Stephen Smalley of the NSA was asking why there's support for credential faking in this soon-to-be-in-kernel code when it wasn't part of the original D-Bus daemon in user-space. Stephen Smalley's preference is to actually get rid of this functionality, which could be abused.

Read more

Core Linux tools top list of most at-risk software

Filed under
Linux
Security

In a Core Infrastructure Initiative survey of at-risk software most in need of close attention, many fundamental Linux utilities sit at the top.

Read more

More in Tux Machines

KDE Announces the Beta of KDE Applications 15.08, Based on KDE Frameworks 5

After having a lot of fun at Akademy 2015, the annual world summit of KDE, which took place in A Coruña, Galicia, Spain between July 25-31, the KDE developers finally decided to post the announcement for the Beta release of KDE Applications 15.08. Read more

Zorin OS 10 Core & Ultimate have arrived

We are excited to finally announce the release of Zorin OS 10 with the availability of the Zorin OS 10 Core and Ultimate editions. Zorin OS 10 is our best, most beautiful release yet. We have made major strides with the visual styling in Zorin OS. In addition to the refined & perfected desktop theme and the new default FreeSans desktop font, we have introduced a stunning new icon theme, based on the elementary and elementary-add icon themes. This is its first major overhaul since Zorin OS 2.0. Read more

Zidoo's 'X1' is a $59 Android media box that touts its 4K prowess

Bottom line, the Zidoo X1 checks all the boxes when it comes to streaming and playing local media. The X1 is affordable with an MSRP of $59 USD and comes with a one year warranty. Despite its paltry specifications, the X1 was able to handle pretty much all movie files and streaming duties. The only concern would be how well Zidoo would continue to support the device via software updates. While this doesn't quite beat pricing from the likes of the Chromecast or the MK808B, it does provide more features. While this is my first time with a true Android media box, I found that the experience was pretty seamless once it was all set up. While the X1 was able to stand up to the challenge of 4K, the real question is: when will we see more 4K UHD content that is easily accessible? Read more

today's leftovers

  • Dawn of the data center operating system
    How microservices architecture and Linux containers will tame distributed computing for developers and ops
  • 30 Sys Admins to Follow on SysAdmin Day
    Systems administrators: They keep our high-tech world up and running. From capacity planning, to 3 a.m. phone calls, to retiring that 10-year-old server that uses more power than your whole house, sys admins do it all. Open source communities would not be able to thrive without the networks, services, and tools that allow for communication and collaboration, and sys admins are the ones who work thanklessly year-round to keep them going. July 31 is System Administrator Appreciation Day, a day for all of us to express our undying gratitude for sys admins. Sure, you could buy your favorite sys admin cake and ice cream, or perhaps a nice gift card. You could even go as far as not breaking the server for just one day. You also can follow these 30 sys admins.
  • See What Systemd 223 Brings New
  • Sparkfun's pcDuino Acadia Benchmarks Against Other ARM SBCs
    Sparkfun's pcDuino Acadia is a $119 USD development board powered by a Freescale i.MX6 quad-core Cortex-A9 SoC with Mali 400 graphics. There's 1GB of RAM and other connectivity options for this board.
  • Linux Based Solus OS Now Boots in Flat 1.2 Seconds
    Solus OS is a Linux distro that was built from scratch and uses a new desktop environment called Budgie. You can consider it as the next version of the Solus OS as it was built by the same developer team, so they didn’t bother changing the name for a new operating system.
  • Arch Linux 2015.08.01 Has Been Released. Upgrade Now!
    Arch Linux 2015.08.01 has been released and is powered by Kernel 4.1 and includes all the update patches since the 1st of July 2015.
  • uReadIt 3 – The Best Reddit Client For Ubuntu Touch
    As you may know, uReadIt is an open-source Reddit client for Ubuntu Touch, being one of the best native apps for Ubuntu mobile.
  • You Can Now Watch Flash Content With MPV On Ubuntu
    As you may know, Adobe Flash is not the safest thing on the internet these days. Mozilla even disabled it in the Firefox browser for a while, due to the vulnerabilities found lately.
  • Ubuntu MATE 15.04 Running on the Rikomatic MK808B
    Ubuntu MATE, the latest member of the Ubuntu family, has been spotted running on the MK808B Plus Quad-Core mini TV box device. The device runs with Android 4.4 by default, but a third party developer has tweaked it to run Ubuntu.
  • LEGO Smart Home
    We spoke to Bhavana Srinivas and Geremy Cohen from PubNub about their LEGO Smart Home model, a proof of concept project that shows how you can use the Raspberry Pi with communication platform PubNub in order to automate your household electronics and other Internet of Things devices. You can read the full piece in the latest issue.
  • Compact module runs Linux on quad-core Braswell
    Congatec announced a compact, low power computer-on-module based on Intel’s 14nm “Braswell” SoCs, and featuring triple display outputs, and up to 4K video.