Language Selection

English French German Italian Portuguese Spanish

Security

Security News

Filed under
Security
  • OpenSSL After Heartbleed by Rich Salz & Tim Hudson, OpenSSL

    In this video from LinuxCon Europe, Rich Salz and Tim Hudson from the OpenSSL team take a deep dive into what happened with Heartbleed and the steps the OpenSSL team are taking to improve the project.

  • OpenSSL after Heartbleed
  • Container Security: Your Questions Answered

    To help you better understand containers, container security, and the role they can play in your enterprise, The Linux Foundation recently produced a free webinar hosted by John Kinsella, Founder and CTO of Layered Insight. Kinsella covered several topics, including container orchestration, the security advantages and disadvantages of containers and microservices, and some common security concerns, such as image and host security, vulnerability management, and container isolation.

  • Google scales tiny mountain to hunt down crypto bugs

    Google's Project Wycheproof is a new effort by Google to improve the security of widely used cryptography code.

    Many of the algorithms used in cryptography for encryption, decryption, and authentication are complicated, especially when asymmetric, public key cryptography is being used. Over the years, these complexities have resulted in a wide range of bugs in real crypto libraries and the software that uses them.

  • Mysterious Rakos Botnet Rises in the Shadows by Targeting Linux Servers, IoT Devices

    Somebody is building a botnet by infecting Linux servers and Linux-based IoT devices with a new malware strain named Rakos.

Where Does Ubuntu Fit Into the Internet of Things?

Filed under
Security
Ubuntu

Ubuntu Linux started off as a desktop focused Linux distribution, but has expanded to multiple areas of the years. Ubuntu Linux is today a leading Linux server and cloud vendor and has aspirations to move into the embedded world, known today as the Internet of Things (IoT).

In a video interview, Mark Shuttleworth, founder of Ubuntu and Canonical Inc., details some of the progress his firm has made in 2016 in the IoT world.

Ubuntu has made past announcements about phone and TV efforts. While multiple Ubuntu phones exist, the standalone Ubuntu TV effort has evolved somewhat. Shuttleworth explained that Ubuntu Core, which is an optimized distribution of Ubuntu for embedded systems, is making some headway with TVs.

Read more

Security News

Filed under
Security
  • Security advisories for Tuesday
  • New Linux/Rakos threat: devices and servers under SSH scan (again) [Ed: No, it’s not a “Linux” problem that some people or developers use a crappy and predictable password]

    Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely “.javaxxx”. Additional names like “.swap” or “kworker” are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.

  • Oi! Linux users! Want some really insecure closed-source software?

    Back in August Adobe reversed its decision to stop offering an NPAPI Flash plugin for Linux and promised that version 23 would come Penguinistas' way real soon now.

    At the time the decision was greeted with surprise, because Adobe had not thought to update Flash for Linux since 2012's version 11.2. But the company decided that Linux users deserved a security upgrade to the infamously hole-ridden product.

And More Security Leftovers

Filed under
Security

Google Releases Test Set to Check Cryptographic Library Security

Filed under
Google
Security

Google has released a set of tests that developers can use to check some open source cryptographic libraries for known security vulnerabilities.

The company has named the set of tests Project Wycheproof, after a mountain in Australia, which has the distinction of being the world's smallest registered mountain.

Read more

Also: Project Wycheproof

What's new in Tor 0.2.9.8?

Filed under
Security

Today, we've released the first stable version of the 0.2.9.x series, bringing exciting new features to Tor. The series has seen 1406 commits from 32 different contributors. Please, see the ChangeLog for more details about what has been done.

This post will outline three features (among many other things) that we are quite proud of and want to describe in more detail.

Read more

Also: Tor 0.2.9 Rolls Out with New Shared-Randomness Protocol, Single Onion Services

DISA looks to open source to squash cyber bugs, reorganizes its data centers

Filed under
OSS
Security

As part of the response to two massive data breaches involving systems at the Office of Personnel Management, the federal government decided to put the Defense Department in charge of building a new information technology backbone to house and process all of the data involved in security clearance investigations, one that would be safer from foreign attacks.

As one way to achieve that goal, the Defense Information Systems Agency, the lead agency in charge of the IT development, is considering opening up the National Background Investigation System’s underlying source code to the general public as soon as it’s fully baked. The theory is that it’s far better for white-hat hackers to find and help squash security bugs before the new system comes online than for bad-guy hackers to discover and make use of them to steal yet another batch of data.

Maj. Gen. Sarah Zabel, DISA’s vice director, said the idea was first proposed to her agency by the Defense Digital Service.

Read more

Serious Ubuntu Linux desktop bugs found and fixed

Filed under
Security
Ubuntu

The good news is that the problems have been patched. So, now that you're almost done reading this, patch your system already.

The bad news is there still aren't enough eyes looking at older open-source code for overlooked security vulnerabilities.

Read more

Security News

Filed under
Security
  • SELinux, Seccomp, Falco, and You: A Technical Discussion

    One of the questions we often get when we talk about Sysdig Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?” To help answer some of those questions, we thought we’d present a summary of other related security products and how they compare to Sysdig Falco.

  • PGP Never Gonna Give You Up

    Seeing that I was planning on carrying my long-term private keys around on my telephone (BlackBerry PRIV, FDE encryption active FWIW), I had to double-check the security of the secret key encryption.

    It turns out that PGP encrypts each of your secret keys with a hash of the passphrase you supply. My passphrase is significantly longer than the average, and consists of random characters (uppercase, lowercase, numbers, symbols). Passphrase length and complexity is by far the most important factor determining the safety of your encrypted secret key.

  • McAfee Virus Scan for Linux

    A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root.

  • The Coolest Hacks Of 2016

    No 400-pound hacker here: Lightbulb and 'do-gooder' worms, machines replacing humans to hack other machines, and high-speed car hacking were among the most innovative white-hat hacks this year.

    In a year when ransomware became the new malware and cyber espionage became a powerful political propaganda tool for Russia, it's easy to forget that not all hacking in 2016 was so ugly and destructive.

    Sure, cybercrime and cyber espionage this past year turned the corner into more manipulative and painful territory for victims. But 2016 also had its share of game-changing "good" hacks by security researchers, with some creative yet unsettling ways to break the already thin-to-no defenses of Internet of Things things, as well as crack locked-down computers and hijack computer mice. Hackers even took a back seat to machines in the first-ever machine-on-machine hacking contest this summer at DEF CON.

Security Leftovers

Filed under
Security
Syndicate content

More in Tux Machines

Security News

  • Windows 10 least secure of Windows versions: study
    Windows 10 was the least secure of of current Windows versions in 2016, with 46% more vulnerabilities than either Windows 8 or 8.1, according to an analysis of Microsoft's own security bulletins in 2016. Security firm Avecto said its research, titled "2016 Microsoft Vulnerabilities Study: Mitigating risk by removing user privileges", had also found that a vast majority of vulnerabilities found in Microsoft products could be mitigated by removing admin rights. The research found that, despite its claims to being the "most secure" of Microsoft's operating systems, Windows 10 had 395 vulnerabilities in 2016, while Windows 8 and 8.1 each had 265. The research also found that while 530 Microsoft vulnerabilities were reported — marginally up from the 524 reported in 2015 — and 189 given a critical rating, 94% could be mitigated by removing admin rights. This was up from 85% in 2015.
  • Windows 10 Creators Update can block Win32 apps if they’re not from the Store [Ed: By Microsoft Peter. People who put Vista 10 on a PC totally lose control of that PC; remember, the OS itself is malware, as per textbook definitions. With DRM and other antifeatures expect copyright enforcement on the desktop soon.]
    The latest Windows 10 Insider Preview build doesn't add much in the way of features—it's mostly just bug fixes—but one small new feature has been spotted, and it could be contentious. Vitor Mikaelson noticed that the latest build lets you restrict the installation of applications built using the Win32 API.
  • Router assimilated into the Borg, sends 3TB in 24 hours
    "Well, f**k." Harsh language was appropriate under the circumstances. My router had just been hacked. Setting up a reliable home network has always been a challenge for me. I live in a cramped three-story house, and I don't like running cables. So my router's position is determined by the fiber modem in a corner on the bottom floor. Not long after we moved in, I realized that our old Airport Extreme was not delivering much signal to the attic, where two game-obsessed occupants fought for bandwidth. I tried all sorts of things. I extended the network. I used Ethernet-over-powerline connectors to deliver network access. I made a mystic circle and danced naked under the full moon. We lost neighbors, but we didn't gain a signal.
  • Purism's Librem 13 Coreboot Port Now "100%" Complete
    According to Purism's Youness Alaoui, their Coreboot port to the Librem 13 v1 laptop is now considered complete. The Librem 13 was long talked about having Coreboot over a proprietary BIOS while the initial models still had shipped with the conventional BIOS. Finally in 2017, they have now Coreboot at what they consider to be 100% complete for this Linux-friendly laptop.
  • The Librem 13 v1 coreboot port is now complete
    Here are the news you’ve been waiting for: the coreboot port for the Librem 13 v1 is 100% done! I fixed all of the remaining issues, it is now fully working and is stable, ready for others to enjoy. I fixed the instability problem with the M.2 SATA port, finished running all the tests to ensure coreboot is working correctly, fixed the headphone jack that was not working, made the boot prettier, and started investigating the Intel Management Engine issue.
  • Linux Update Fixes 11-Year-Old Flaw
    Andrey Konovalov, a security researcher at Google, found a use-after-free hole within Linux, CSO Online reported. This particular flaw is of interest because it appears to be situational. It only showed up in kernels built with a certain configuration option — CONFIG_IP_DCCP — enabled.

Kerala saves Rs 300 cr as schools switch to open software

The Kerala government has made a saving of Rs 300 crore through introduction and adoption of Free & Open Source Software (FOSS) in the school education sector, said a state government official on Sunday. IT became a compulsory subject in Kerala schools from 2003, but it was in 2005 only that FOSS was introduced in a phased manner and started to replace proprietary software. The decision made by the curriculum committee to implement it in the higher secondary sector has also been completed now. Read more

Tired of Windows and MAC computer systems? Linux may now be ready for prime time

Are you a bit tired of the same old options of salt and pepper, meaning having to choose only between the venerable Windows and MAC computer operating systems? Looking to branch out a bit, maybe take a walk on the wild side, learn some new things and save money? If so, the Linux operating system, which has been around for a long time and is used and loved by many hard-core techies and developers, may now be ready for prime time with the masses. Read more

Braswell based Pico-ITX SBC offers multiple expansion options

Axiomtek’s PICO300 is a Pico-ITX SBC with Intel Braswell, SATA-600, extended temperature support, and both a mini-PCIe and homegrown expansion connector. Axiomtek has launched a variation on its recently announced Intel Apollo Lake based PICO312 SBC that switches to the older Intel Braswell generation and offers a slightly reduced feature set. The board layout has also changed somewhat, with LVDS, SATA, and USB ports all changing location. Read more