
Security News

Filed under
Security
  • How to fix the Cryptsetup vulnerability in Linux

    Linux enjoys a level of security that most platforms cannot touch. That does not, in any way, mean it is perfect. In fact, over the last couple of years a number of really ugly vulnerabilities have been found — and very quickly patched. Enough time has passed since Heartbleed for those that do to find yet another security issue.

  • Get root on Linux: learn the secret password
  • Security advisories for Wednesday
  • The Web-Shaking Mirai Botnet Is Splintering—But Also Evolving

    Over the last few weeks, a series of powerful hacker attacks powered by the malware known as Mirai have used botnets created of internet-connected devices to clobber targets ranging from the internet backbone company Dyn to the French internet service provider OVH. And just when it seemed that Mirai might be losing steam, new evidence shows that it’s still dangerous—and even evolving.

    Researchers following Mirai say that while the number of daily assaults dipped briefly, they’re now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other internet-of-things (IoT) gadgets it’s hijacked to power its streams of malicious traffic. That progression could actually increase the total population available to the botnet, they warn, potentially giving it more total compute power to draw on.

    “There was an idea that maybe the bots would die off or darken over time, but I think what we are seeing is Mirai evolve,” says John Costello, a senior analyst at the security intelligence firm Flashpoint. “People are really being creative and finding new ways to infect devices that weren’t susceptible previously. Mirai is not going away.”

  • This $5 Device Can Hack Your Locked Computer In One Minute

    Next time you go out for lunch and leave your computer unattended at the office, be careful. A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks.

    Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday.

Gone in 70 seconds: Holding Enter key can smash through defense

Filed under
Linux
Security

Attackers with a little more than a minute to spare can get their foot in the door on Linux boxes by holding down the Enter key for 70 seconds – an act that gifts them a root initramfs shell.

The simple exploit, which requires physical access to the system, exists due to a bug in the Linux Unified Key Setup (LUKS) used in popular variations of Linux. With access to an initramfs environment shell, an attacker could then attempt to decrypt the encrypted filesystem by brute-force. The attack also potentially works on virtual Linux boxen in clouds.


Also: Press the Enter Key For 70 Seconds To Bypass Linux Disk Encryption Authentication

Evolution of the SSL and TLS protocols

Filed under
Security

The Transport Layer Security (TLS) protocol is undoubtedly the most widely used protocol on the Internet today. If you have ever done an online banking transaction, visited a social networking website, or checked your email, you have most likely used TLS. Apart from wrapping the plain text HTTP protocol with cryptographic goodness, other lower level protocols like SMTP and FTP can also use TLS to ensure that all the data between client and server is inaccessible to attackers in between. This article takes a brief look at the evolution of the protocol and discusses why it was necessary to make changes to it.


Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • You Can Bypass Linux Disk Encryption Authentication by Pressing the Enter Key for 70 Seconds

    An error in the implementation of the Cryptsetup utility used for encrypting hard drives allows an attacker to bypass the authentication procedures on some Linux systems just by pressing the Enter key for around 70 seconds. This results in the attacked system opening a shell with root privileges.

  • TalkTalk hack: 17-year-old admits to seven offences in court

    A 17-YEAR-OLD has appeared in court today and admitted seven offences in relation to last October's TalkTalk hack.

    The teen, who cannot be named for legal reasons, was arrested in Norwich in November 2015 and charged with breaching the Computer Misuse Act 1990.

    The attacks on TalkTalk resulted in the personal data of almost 160,000 people, and the banking details of 15,656 people, being accessed.

  • 5 ways President Trump may affect computer security

    Trump campaigned as the “law and order” candidate, so I expect law enforcement to be better funded and sentences for breaking the law to be intensified. Law enforcement will probably be enabled with more ways to catch and identify hackers and those able to be brought to American justice will likely face longer and more severe sentences.

    I, of course, support these measures. Unfortunately, all administrations learn how hard it is to catch and prosecute hackers, especially when they are located in unreachable areas. On a related note, I don’t think the new administration will be any more successful in trying to put down all the Russian ransomware campaigns.

Tails 2.7 Anonymous Live CD Ships with Let's Encrypt Certificates, Tor 0.2.8.9

Filed under
Security
Debian

After a small delay, the Debian-based Tails amnesic incognito live system has been updated today, November 15, 2016, to version 2.7, bringing us all the latest tools and technologies for surfing the Web anonymously.


Major Cryptsetup Vulnerability Affects Some LUKS-Encrypted GNU/Linux Systems

Filed under
Security

According to a recent security advisory published by Hector Marco and Ismael Ripoll as CVE-2016-4484 and entitled "Cryptsetup Initrd root Shell," it would appear that there's a major vulnerability in Cryptsetup affecting many GNU/Linux systems.


Security Leftovers

Filed under
Security
  • Cryptsetup Vulnerability Allows Easily Getting To A Root Shell

    CVE-2016-4484 was disclosed on Monday as a Cryptsetup issue that allows users to easily gain access to a root initramfs shell on affected systems in a little over one minute of simply hitting the keyboard's enter key.

    This Cryptsetup vulnerability is widespread and easy to exploit, simply requiring a lot of invalid passwords before being dropped down a root shell. The data on the LUKS-encrypted volume is still protected, but you have root shell access. The CVE reads, "This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse."

  • CVE-2016-4484: Cryptsetup Initrd root Shell
  • Security updates for Tuesday
  • Super Mari-owned: Startling Nintendo-based vulnerability discovered in Ubuntu

Security News

Filed under
Security
  • Boy, 17, admits TalkTalk hacking offences

    A 17-year-old boy has admitted hacking offences linked to a data breach at the communications firm TalkTalk.

    Norwich Youth Court was told he had used hacking tool software to identify vulnerabilities on target websites.

  • Upgrade for KDE neon Security Issue

    Last month we moved the neon archive to a new server so packages got built on our existing server then uploaded to the new server. Checking the config it seemed I’d made the nasty error of leaving it open to the world rather than requiring an ssh gateway to access the apt repository, so anyone scanning around could have uploaded packages. There’s no reason to think that happened but the default in security is to be paranoid for any possibility.

  • Security B-Sides conferences attract growing information security crowd

    The Security B-Sides DC conference is part of the B-Sides movement, which was created to provide a community framework to build events for and by information security practitioners. Alex Norman, the co-director of Security B-Sides DC, tells us how he wants to expand information security beyond security professionals, and to involve a larger, more diverse community.

Security News

Filed under
Security
  • Security advisories for Monday
  • Major Linux security hole gapes open

    An old Linux security 'feature' script, which activates LUKS disk encryption, has been hiding a major security hole in plain sight.

  • How to Secure Your Ubuntu Network

    In 2016, keeping your Ubuntu network secure is more important than ever. Despite what some people might think, there's much more to this than merely putting up a router to protect a network. You must also configure each of your PCs properly to ensure you're operating within a secure Ubuntu network. This article will show you how.

  • Linux Foundation Backs Reproducible Builds Effort for Secure Software

    Building software securely requires a verifiable method of reproduction and that is why the Linux Foundation's Core Infrastructure Initiative is supporting the Reproducible Builds Project.

    In an effort to help open-source software developers build more secure software, the Linux Foundation is doubling down on its efforts to help the reproducible builds project. Among the most basic and often most difficult aspects of software development is making sure that the software end-users get is the same software that developers actually built.
