Security

Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we isolate Shared Workers to the first-party domain now and further improved our keyboard fingerprinting defense.

Security Leftovers

  • Security advisories for Wednesday
  • The Daily Startup: Snyk Nabs $3M to Help Make Open-Source Code Safer

    Software security breaches often happen because attackers exploit known vulnerabilities in open-source code built into programs. That is why new startup Snyk Ltd. is releasing developer tools in hopes that programmers would write more secure software from the get-go, Yuliya Chernova reports for Dow Jones VentureWire. Snyk started offering tools that find known vulnerabilities in a client’s code free. The company hopes to then sell monitoring tools that would scan a client’s code to identify holes that become known, as well as tools to fix and isolate the faulty code.

  • How Amazon customer service was the weak link that spilled my data

    As a security conscious user who follows the best practices—using unique passwords, two-factor authentication, only using a secure computer, and being able to spot phishing attacks from a mile away—I thought my accounts and details would be pretty safe. I was wrong.

    That's because when someone went after me, all those precautions were for nothing. That’s because most systems come with a backdoor called customer support. In this post I’m going to focus on the most grievous offender: Amazon.com. Amazon.com was one of the few companies I trusted with my personal information. I shop there, I am a heavy AWS user (racking up well over $600/month), and I used to work there as a software developer.

BackBox Linux 4.5 Security-Oriented OS Comes Preinstalled with New Hacking Tools

The developers of the BackBox Linux operating system have announced the release and immediate availability for download of the BackBox Linux 4.5 release, which promises to bring a new kernel and lots of updated packages.

According to the release notes, BackBox Linux 4.5 comes preinstalled with Linux kernel 4.2 and adds various new and special tools, such as Automotive Analysis and OpenVAS, which promise to make a big difference when talking about the overall performance of the system.

Also: Are There Open Source Vulnerability Assessment Options?

Managing Security Vulnerabilities and Risks

eCryptfs Vulnerability Closed in Ubuntu OSes

An eCryptfs vulnerability has been found and repaired in Ubuntu 15.10, Ubuntu 15.04 and Ubuntu 14.04 LTS, and a new update has been issued.

Which Linux Is Secure? The Analysis Of Top Popular Distributions

So, can I be sure that the web site of my lovely Linux distribution is real and hackers don’t replace it with infected software? Can I get a backdoor in my operating system from installed updates? No, but only with these conditions:

BlackArch Linux Expands Its Roster of Tools for Security Research

If having more tools is better for security, then the latest release of the BlackArch Linux distribution will be warmly received by security researchers. Version 2016.01.10 of BlackArch Linux, which was released on Jan. 10, boasts more than 30 new security tools, bringing the total number of security tools to 1,330. BlackArch is a security-focused operating system that is based on the Arch Linux distribution. Arch Linux is what is known as a rolling release Linux distribution because it is constantly being updated. BlackArch builds on top of Arch and includes anti-forensic, automation, backdoor, crypto, honeypot, networking, scanner, spoofer and wireless security tools for security research. Among the new tools is a utility to conduct attacks against IBM Lotus Domino servers. The new Jooforce tool, meanwhile, enables security researchers to attack the open-source Joomla content management system. Another interesting addition is the credential mapper (credmap) tool that aims to show researchers when user and account credentials have been reused. In this slide show, eWEEK takes a look at some of the features in the BlackArch 2016.01.10 milestone release.

Linux's Latest Security Vulnerability: Hype vs. Reality

In the latest bout of alarmist frenzy to sweep the security world, researchers disclosed a vulnerability in the Linux kernel's open source code last week. It turns out to pose little real threat.

The flaw, which has existed in Linux since 2012 but remained unknown, was reported by the Israeli security company Perception Point. It allows attackers to gain root access to computers running affected versions of the kernel. With root access, they can do anything they want to the system.

Security Leftovers

  • LeChiffre Ransomware Hits Three Indian Banks, Causes Millions in Damages

    An unknown hacker has breached the computer systems of three banks and a pharmaceutical company and infected most of their computers with crypto-ransomware.

    The incident took place at the start of January, all companies were located in India, and the hacker(s) used the LeChiffre ransomware family to encrypt files on the infected computers.

  • LeChiffre, Ransomware Ran Manually

    It encrypts files and appends to their names an extension “.LeChiffre”.

  • when preloads go sideways

    One solution would be to install an alternative operating system, like OpenBSD. Sorry, I meant to say ARCH LINUX.

    I note that a fair bit of the above foolishness revolves around adding some amount of pollution to the OS’s cabal store. Maybe we can use an OS that comes with a store we trust? For example, there’s several ways a user can install OpenBSD and verify that cert.pem has only the 4943 lines it’s supposed to have. That only pushes the question back a step, however. What lines are supposed to be in this file?

    [...]

    The trials and tribulations of bundleware mirror those of the government. For as long as most traffic was unencrypted, it was easy to inject value. But as sites started moving to full time https, the well of value started to dry up, requiring workarounds to stay in the game. Governments are facing much the same challenge, hence the large number of proposals to build a socialized, universal AV software, so that all citizens can enjoy its benefits on both desktop and mobile. How else will TrendMicro keep us safe from Let’s Encrypt?

    When asked to comment, Hillary Clinton responded with a statement. “I clearly specified that the problem was to be solved by Silicon Valley’s best and brightest, not bumbling mediocrity.” Donald Trump promised to build a wall around malware and make the neckbeards pay for it. Carly Fiorina simply tweeted, “Go Iowa!”

  • Microsoft putting users at risk by forcing Windows 10 upgrade

    Microsoft is forcing Windows users to upgrade to Windows 10 by quietly slipping in code through its regular updates. This has been confirmed by multiple sources.

    But what of those Windows users who want to stick with a known devil — in this case, their own versions of Windows, be they 7, 8 or 8.1 — until a little more is known by the public at large about the strengths and weaknesses of Windows 10?

  • Playing with Letsencrypt

    While I'm not convinced that encrypting everything by default is necessarily a good idea, it is certainly true that encryption has its uses. Unfortunately, for the longest time getting an SSL certificate from a CA was quite a hassle -- and then I'm not even mentioning the fact that it would cost money, too. In that light, the letsencrypt project is a useful alternative: rather than having to dabble with emails or webforms, letsencrypt does everything by way of a few scripts. Also, the letsencrypt CA is free to use, in contrast to many other certificate authorities.
