Security Leftovers

Filed under
Security
  • Hackers, your favourite pentesting OS Kali Linux can now be run in a browser
  • Core Infrastructure Initiative announces investment in security tool OWASP ZAP

    The Linux Foundation’s Core Infrastructure Initiative (CII) is continuing its commitment to help fund, support and improve open-source projects with a new investment. The organization has announced it is investing in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP), a security tool designed to help developers identify vulnerabilities in their web apps.

  • The Linux Foundation's Core Infrastructure Initiative Invests in Security Tool for Identifying Web Application Vulnerabilities
  • Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk [Ed: Microsoft Windows poses greater risks. Does Microsoft put back doors in Windows (all versions)? Yes. Does it spy on users? Yes. So why focus only on Asian OEMs all the time?]

    Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BIOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

    Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

Canonical Patches ImageTragick Exploit in All Supported Ubuntu OSes, Update Now

Filed under
Security
Ubuntu

Today, June 2, 2016, Canonical published an Ubuntu Security Notice to inform the community about an important security update to the ImageMagick packages for all supported Ubuntu OSes.


Security Leftovers

Filed under
Security
  • Security advisories for Thursday
  • Hertz: Abusing privileged and unprivileged Linux containers
  • How LinkedIn’s password sloppiness hurts us all

    Me: "The full dump from the 2012 LinkedIn breach just dropped, so you're probably not going to see much of me over the next week."

    Wife: "Again?"

    Yes, again. If you're just waking up from a coma, you would be forgiven for thinking that it's still 2012. But no, it's 2016 and the LinkedIn breach is back from the dead—on its four-year anniversary, no less. If you had a LinkedIn account in 2012, there's a 98 percent chance your password has been cracked.

    Back in 2012, fellow professional password cracker d3ad0ne (who regrettably passed away in 2013) and I made short work of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week. Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak.

  • The Internet of Things

    A common question is whether IoT is something new and revolutionary or a buzzword for old ideas. The answer is “yes”…

    Much of the foundation of IoT has been around for quite a while. SCADA systems, or Supervisory Control And Data Acquisition, have been around since the 1950’s managing electrical power grids, railroads, and factories. Machine communications over telephone lines and microwave links have been around since the 1960’s. Machine control systems, starting on mainframes and minicomputers, have also been around since the 1960’s.

    The big changes are economics, software, and integration. Microsensors and SoC (System on a Chip) technology for CPUs and networking are driving the cost of devices down – in some cases by a factor of a thousand! Advances in networking – both networking technology as well as the availability of pervasive networking – are changing the ground rules and economics for machine to machine communication.

  • Signal and Google Cloud Services

    I just installed Signal on my Android phone.

    It wasn't an easy decision. I have been running Cyanogenmod, a Google-free version of Android, and installing apps from F-Droid, a repository of free software android apps, for several years now. This setup allows me to run all the applications I need without Google accessing any of my cell phone data. It has been a remarkably successful experiment leaving me with all the phone software I need. And it's consistent with my belief that Google's size, reach and goals are a menace to the left's ability to develop the autonomous communications systems on the Internet that we need to achieve any meaningful political change.
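The LinkedIn excerpt above turns on one point: 6.4 million hashes fell in under a week because the 2012 dump was unsalted SHA-1 (public reporting on that breach; the excerpt itself does not say so). The following is an added example, not code from the article or its author, showing why that matters: a dictionary attack against unsalted hashes costs one hash per candidate word regardless of how many victims there are, while per-user salts plus an iterated KDF force one KDF run per (user, word) pair. The passwords, the wordlist and the PBKDF2 iteration counts are constructed for illustration.

```python
"""Added example (not from the article): why unsalted, fast hashes crack in bulk.

The 2012 LinkedIn dump was unsalted SHA-1 (public reporting; not stated in the
excerpt).  All sample passwords and the wordlist here are constructed.
"""
import hashlib
import os

# Constructed "leak": unsalted SHA-1 digests of five user passwords.
LEAKED_PASSWORDS = ["password1", "linkedin", "letmein", "Tr0ub4dor&3", "summer2012"]
LEAKED_HASHES = [hashlib.sha1(p.encode()).hexdigest() for p in LEAKED_PASSWORDS]

# Constructed wordlist: a cracker's dictionary that misses one of the five.
WORDLIST = ["123456", "password1", "linkedin", "letmein", "summer2012", "qwerty"]


def crack_unsalted(hashes, wordlist):
    """Dictionary attack against unsalted hashes.

    Each candidate word is hashed once and the result is matched against every
    leaked hash by lookup: cost is O(|wordlist| + |hashes|), independent of the
    number of victims.  This is why millions of hashes fall in days.
    Returns {leaked_hash: recovered_password}.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def make_salted_record(password, iterations=100_000):
    """What the site should have stored: a per-user random salt and a slow,
    iterated KDF (PBKDF2-HMAC-SHA256 from the standard library)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def crack_salted(records, wordlist):
    """Same dictionary against salted, iterated hashes.

    No shared lookup table is possible because every user has a different
    salt, so every (user, word) pair costs a full KDF run:
    O(|records| * |wordlist| * iterations).
    Returns ({record_index: recovered_password}, number_of_kdf_calls).
    """
    cracked, kdf_calls = {}, 0
    for idx, rec in enumerate(records):
        for w in wordlist:
            kdf_calls += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), rec["salt"], rec["iterations"])
            if guess == rec["digest"]:
                cracked[idx] = w
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    hits = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"unsalted SHA-1: cracked {len(hits)}/{len(LEAKED_HASHES)} "
          f"using {len(WORDLIST)} SHA-1 computations in total")
    recs = [make_salted_record(p, iterations=1000) for p in LEAKED_PASSWORDS]
    hits2, calls = crack_salted(recs, WORDLIST)
    print(f"salted PBKDF2: cracked {len(hits2)}/{len(recs)}, "
          f"but it took {calls} KDF calls of 1000 iterations each")
```

The same four weak passwords are recovered either way; the difference is cost. With unsalted SHA-1 the attacker amortises one wordlist pass over every account in the dump, whereas with per-user salts and a deliberately slow KDF the work multiplies by the number of accounts and by the iteration count, which is what turns a one-week job into an impractical one for the bulk of users.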

Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • How the Top 5 PC Makers Open Your Laptop to Hackers [iophk: "Windows again"]
  • Google plans to replace smartphone passwords with trust scores [iophk: "if you have to travel unexpectedly, you'll probably get locked out."]

    Goodbye, Password1. Goodbye, 12345. You’ve been hearing about it for years but now it might really be happening: the password is almost dead.

    At Google’s I/O developer conference, Daniel Kaufman, head of Google’s advanced technology projects, announced that the company plans to phase out password access to its Android mobile platform in favour of a trust score by 2017. This would be based on a suite of identifiers: what Wi-Fi network and Bluetooth devices you’re connected to and your location, along with biometrics, including your typing speed, voice and face.

    The phone’s sensors will harvest this data continuously to keep a running tally on how much it trusts that the user is you. A low score will suffice for opening a gaming app. But a banking app will require more trust.

Security Leftovers

Filed under
Security
  • Allwinner Leaves Root Exploit in Linux Kernel, Putting ARM Devices at Risk

    Running a Bitcoin node on your ARM single board computer? Fan of cheap Chinese tablets and smartphones? Maybe you contributed to the recent CHIP computer Kickstarter, or host a wallet on one of these devices. Well, if any of these applies to you, and your device is powered by an Allwinner SoC, you should probably wipe it and put an OS on it with the most recent kernel release. Why? Allwinner left a development “tool” on their ARM Linux kernel that allows anyone to root their devices with a single command. This oversight has serious security implications for any Allwinner powered device, especially so for those of us hosting sensitive data on them.

  • 5 steps to reduce cyber vulnerabilities

    The National Vulnerability Database (NVD) — the U.S. government’s repository of standards-based vulnerability management data — says 2015 was another blockbuster year for security vulnerabilities with an average of 17 new vulnerabilities added per day.

    While IT managers can somewhat breathe a collective sigh of relief that the total number of vulnerabilities actually decreased from 7,937 in 2014 to 6,270 in 2015, there’s no time to relax. According to NVD data, 37 percent of vulnerabilities reported in 2015 were classified as highly severe, up from 24 percent in 2014.

  • How to Get an Open Source Security Badge from CII

    Everybody loves getting badges. Fitbit badges, Stack Overflow badges, Boy Scout merit badges, and even LEED certification are just a few examples that come to mind. A recent 538 article "Even psychologists love badges" publicized the value of a badge.

  • 4 Steps To Secure Serverless Applications

    Serverless applications remove a lot of the operational burdens from your team. No more managing operating systems or running low level infrastructure.

    This lets you and your team focus on building…and that’s a wonderful thing.

  • IPv6 support finally coming to Fail2Ban with next major release

    The reaction to this headline from sysadmins who deploy Fail2Ban on an IPv6 enabled system is probably: “Fail2Ban doesn’t support IPv6‽” At least, that seems to be the reaction most admins have posted on forums and social media when they learn that Fail2Ban doesn’t support IPv6. Now Fail2Ban’s IPv4-only limitation is about to be lifted.

    Fail2Ban is a tool that identifies unwanted behaviors by monitoring service logs, and can act upon that by banning offending IP addresses temporarily. Up until recently, Fail2Ban only supported IPv4 although it’s almost certainly running on many IPv6 capable systems as well.

  • Tor Browser announces stable 6.0 release

    The Tor Browser team has announced the first stable version of its 6.0 release. It can be downloaded from the project's website.

    The browser is based on Firefox ESR and this release brings it up-to-date with Firefox 45-ESR, providing better support for HTML5 video on YouTube.

Security Leftovers (Primarily Windows)

Filed under
Security
  • Doing a 'full scan' of the Internet right now

    I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.

  • A Hacker Is Selling Dangerous Windows Exploit, Making All Versions Of OS Hackable

    A hacker is selling a dangerous zero day vulnerability on a Russian cybercrime website. This exploit is said to be affecting more than 1.5 billion Windows users as it works on all versions of Windows. The hacker wishes to sell the complete source code and demo of the exploit to any person who pays him $90,000 in bitcoin.

  • Microsoft warns of self-propagating ransomware

    The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.

    The ransomware would run at boot and drop a file autorun.inf in removable drives, a zycrypt.lnk in the start-up folder and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.

    It would then change the file attributes to hide itself from the user in file explorer.

  • Windows 10 Surface Book: Microsoft Keeps ‘Sleep of Death’ bug

    It seems like Microsoft will not be fixing the ‘Sleep of Death’ bug, even though most of the Surface Book users face the problem.

    During the recent quarterly earnings report, Microsoft pointed out that the Surface line is gaining popularity in the market. Microsoft also said that it has turned out to be the growth leader in its More Personal Computing line of business.

    At the event, the company said that the device has brought 61 percent growth.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Security challenges for the Qubes build process

    Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us. Ideally, we would also somehow combine this with Intel SGX, but this might be trickier than it sounds.

  • Katy Perry’s Twitter Account With 90 Million Followers Hacked

    Notably, with 90 million followers, Katy Perry is the most followed person on the platform.

Google and Oracle

Filed under
Google
Security
Legal

Security Leftovers (Parrot Security OS 3.0 “Lithium”, Regulation)

Filed under
Security
  • Parrot Security OS 3.0 “Lithium” — Best Kali Linux Alternative Coming With New Features

    The Release Candidate of Parrot Security OS 3.0 ‘Lithium’ is now available for download. The much-anticipated final release will come in six different editions with the addition of Libre, LXDE, and Studio editions. Version 3.0 of this Kali Linux alternative is based on Debian Jessie and powered by a custom hardened Linux 4.5 kernel.

  • Regulation can fix security, except you can't regulate security

    Every time I start a discussion about how we can solve some of our security problems it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry; I'm not sure they work for security. First, let's talk about why regulation usually works, then, why it won't work for security.

Parrot Security OS 3.0 "Lithium" Is a Linux Distro for Cryptography & Anonymity

Filed under
GNU
Linux
Security

A few days ago, Parrot Security OS developer Frozenbox Network teased users on Twitter with the upcoming release of the long anticipated Parrot Security OS 3.0 "Lithium" distribution.

Based on the latest Debian GNU/Linux technologies and borrowing many of the packages from the Debian 8 "Jessie" stable repositories, Parrot Security OS 3.0 just received new Release Candidate (RC) ISO builds that users can now download and install on their personal computer if they want to get an early taste of what's coming.

