Security

Security Leftovers

Filed under
Security
  • Open source in the security world -- a liability or strength?

    To some, the terms ‘open source’ and ‘security’ may not exactly go hand in hand. Characterized by its transparent code—which means it’s highly accessible to anyone—as opposed to ‘closed’, proprietary systems, it’s no wonder that some still have the misperception that open source is the more vulnerable party. In an open source environment, companies as well as communities of sorts are able to access and contribute to the code. This often gives off the impression that because it is open, it must be fully exposed to risks and viruses.

    But today, open source is pervasive. The world as we know it is changing — technology is evolving faster today than it has at any other point in human history. And open source is the reason for that; it is the driving force behind many of today’s technology innovations that we see. Today’s enterprises simply cannot rely on a proprietary piece of source code to manage their increasing multitude of applications that are powering their critical business transactions.

    And with the rising adoption of this software, there has never been a better time to learn the truth about misconceptions of open source security.

  • How Active Intrusion Detection Can Seek and Block Attacks

    Ventura will detail a more active approach to intrusion prevention - where defenders can use basic network software applications to look for threats and stop attacks - later this month in his Black Hat USA talk entitled "They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention."

  • Linux, Windows, macOS Affected By 21-year-old Kerberos Protocol Bug; Patch Now

Security: Kaspersky Ban, Email of Top U.S. Russia Intelligence Official Hacked, and Kali Linux

Security: Kerberos, Various Updates, and FUD

Security: Various Updates, Kerberos, Samba

Security: Libgcrypt, Verizon, and BlackSuse/BlackMonitor

  • [Older but no more paywall] Breaking Libgcrypt RSA via a side channel

    A recent paper [PDF] by a group of eight cryptography researchers shows, once again, how cryptographic breakthroughs are made. They often start small, with just a reduction in the strength of a cipher or key search space, say, but then grow over time to reach the point of a full-on breaking of a cipher or the implementation of one. In this case, the RSA implementation in Libgcrypt for 1024-bit keys has been fully broken using a side-channel attack against the operation of the library—2048-bit keys are also susceptible, but not with the same reliability, at least using this exact technique.

    The RSA cryptosystem involves lots of exponentiation and modular math on large numbers with sizable exponents. For efficiency reasons, these operations are usually implemented by a square-and-multiply algorithm. Libgcrypt is part of the GNU Privacy Guard (GnuPG or GPG) project and underlies the cryptography in GPG 2.x; it uses a sliding window mechanism as part of its square-and-multiply implementation. It is this sliding window technique that was susceptible to analysis of the side channel and, thus, allowed for the break.

  • All Your Accounts Are Belong to Us

    It turns out someone called in to Verizon claiming to be me. The individual claimed his phone (my phone) had been stolen, and he wanted to transfer service to another device. He had enough information about me to pass whatever verification Verizon required, and if he'd been a little smoother on the phone, he'd have likely gotten my number. It turned out that the Verizon employee felt the call was suspicious and disabled the account instead of transferring service. (I know that only because the employee made a note on the account.) After a stressful day of back and forth, the company I work for was able to get my phone turned back on, and I still have the same phone number I've always had—thank goodness.

  • Explanation of what BlackSuse is for me

    BlackSuse OS is an opensuse-based system.
    Focused on security penetration testing and other small things
    Our repository is ready.
    The system is 80% functional.

Security: CIA Cracks Android, Kaspersky Shunned, Slackware Patch for Proprietary Software

  • Highrise

    Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

  • How CIA Agents Covertly Steal Data From Hacked Smartphones (Without Internet)

    WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak, this time instead of revealing new malware or hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthily collect and forward stolen data from compromised smartphones.

    Previously we have reported about several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from the targeted systems or smartphones.

  • Trump administration has removed Kaspersky from approved suppliers list

    Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.

  • [Slackware] Adobe Flash security update July ’17

    This month’s security update for the Flash Player plugin has arrived. The new version is 26.0.0.137 for both the PPAPI (Google Chrome and friends) and the NPAPI (Mozilla Firefox and friends) based plugins.

    I know… Flash is a monster and should be killed. But as long as people need it on Slackware, and as long as Adobe keeps releasing Linux plugin updates, I will package them and add them to my repository.

Security: Data Safety Code, Open Data Model, Microsoft Breaks Windows, Free Software Movement 'Hacking', and FUD From PVS Studio

  • Cracking The Data Safety Code

    Keeping our data safe online is something that we get told about a lot. That is because as members of the information generation, it's all too easy for our most valuable assets, our identity and privacy, to be compromised. But how can we keep our data safer? Read on to find out.

  • Fighting Cyber Threats with an Open Data Model

    From ABTA, to election hacking to WannaCry, it seems not a day goes by without a cyber-attack dominating the headlines. Cybercrime doesn’t discriminate; it affects organizations of all shapes and sizes. Added to this is the mounting pressure caused by the EU General Data Protection Regulation (GDPR) which will penalize organizations that do not comply with laws that aim to keep customer data safe. It’s imperative for organizations to re-evaluate their security posture and plan for the future.

  • Windows 7 and 8.1 receive Patch Tuesday Updates [Ed: Mind last paragraph. Microsoft breaks Vista 7 again with a security update.]

    If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected. Microsoft is working on a resolution and will provide an update in an upcoming release.

  • Hacker Ethic and Free Software Movement

    Why does the word hacking go along with computers? The computer gives us a vast area to explore our creativity. Its huge code base, and their intricacies and the complicated machines offer us opportunities to HACK.

  • Become a Certified Pentester with Super-Sized Ethical Hacking Course
  • 27 000 errors in the Tizen operating system [Ed: PVS Studio 'article' (marketing) that's made by liars. They extrapolate number of POTENTIAL bugs, based on 3.3% of code, then come up with this scary headline.]

Security: Open Source Security Podcast, Reproducible Builds, and Security Updates for Wednesday

Security: FOSS Updates, Windows Phone Dies, Unikernels, and National Security

  • Security updates for Tuesday
  • Windows Phone dies today

    Microsoft is killing off Windows Phone 8.1 support today, more than three years after the company first introduced the update. The end of support marks an end to the Windows Phone era, and the millions of devices still running the operating system. While most have accepted that the death of Windows Phone occurred more than a year ago, AdDuplex estimates that nearly 80 percent of all Windows-powered phones are still running Windows Phone 7, Windows Phone 8, or Windows Phone 8.1.

    [...]

    Microsoft has shied away from officially killing off its phone OS efforts, but it’s been evident over the past year that the company is no longer focusing its efforts on Windows for phones. Microsoft gutted its phone business last year, resulting in thousands of job cuts.

  • Unikernels are secure. Here is why.

    There have been put forth various arguments for why unikernels are the better choice security wise and also some contradictory opinions on why they are a disaster. I believe that from a security perspective unikernels can offer a level of security that is unprecedented in mainstream computing.

  • 'Hacking' Of US Nuclear Facilities Appears To Be Little More Than The Sort Of Spying The US Approves Of

    This is where the DHS fell down in its "sharing" of internal documents with the New York Times. No one bothered to correct the Times when it went off on a Stuxnet tangent. This could give some government officials the wrong idea about what's happening -- both here and in foreign nations. There are many people in power who get much of their information from the press. This leads to bad bills being hurriedly crafted and public calls to action based on hearsay from a document someone else viewed. And that's just here in the US.

    On top of that, there's how we behave and how we expect others to behave. We're going to do this sort of thing. So are our adversaries. Both sides will continue to play defense. But going from 0-to-Stuxnet in the DHS's Ambermobile isn't a great idea. And it allows US officials to further distance themselves from actions we condone as part of our national security efforts.

  • Kaspersky under scrutiny after Bloomberg story claims close links to FSB

    Shortly after Bloomberg Businessweek published an explosive story under the headline: "Kaspersky Lab Has Been Working With Russian Intelligence," the security firm released a lengthy statement noting that the company does not have "inappropriate ties with any government."

    The article, which was published in the early morning hours on Tuesday, says that the Moscow-based firm "has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency's behest and worked on joint projects the CEO knew would be embarrassing if made public." Media organization McClatchy made seemingly similar claims in a July 3 report.

W3C DRM Backlash

Filed under
Security
Web
  • "W3C Embraces DRM - Declares War on Humanity" - Lunduke Hour

    The W3C has voted to standardize DRM for all of the Web -- in direct opposition to their own Mission Statement. What they are doing could have dire consequences for the entire Web. I yell about that for an hour. Because I'm mad.

  • DRM free Smart TV

    Libreboot is a free BIOS replacement which removes the Intel Management Engine. The Intel Management Engine is proprietary malware which includes a back door and some DRM functions. Netflix uses this hardware DRM called the Protected Audio/Video Path on Windows 10 when watching 4K videos. The Thinkpad T400 does not even have an HDMI port, which is known to be encumbered by HDCP, an ineffective DRM that has been cracked.

    Instead of using DRM encumbered streaming services such as Netflix, Entertain or Vodafone TV, I still buy DVDs and pay them anonymously with cash. In my home there is a DVB-C connector, which I have connected to a FRITZ!WLAN Repeater DVB-C which streams the TV signal to the ThinkPad. The TV set is switched on and off using a FRITZ!DECT 200 which I control using a python script running on the ThinkPad. I also reuse an old IR remote and an IRDuino to control the ThinkPad.

  • Over many objections, W3C approves DRM for HTML5

    A narrower covenant not to sue was proposed, but even this much narrower covenant was rejected. The various members of W3C appeared unlikely to agree to any particular set of terms, and ultimately were never polled to see if consensus could be reached. Since the original EME proposal didn't include such a covenant, Berners-Lee decreed that failure to form one should not be allowed to block publication as an official W3C Recommendation.
