Security

ID theft, vulnerabilities, privacy issues, etc

Put portable pwning power in your pocket with the Pwn Phone

Filed under
Android
Linux
Security

Mobile technology has made it possible for people to do an amazing amount with tablets and smartphones within the workplace—including hacking the living daylights out of the corporate network and other people’s devices. Pwnie Express is preparing to release a tool that will do just that. Its Pwn Phone aims to help IT departments and security professionals quickly get a handle on how vulnerable their networks are in an instant. All someone needs to do is walk around the office with a smartphone.

Pwnie Express’ Kevin Reilly gave Ars a personal walk-through of the latest Pwn Phone, the second generation of the company’s mobile penetration testing platform. While the 2012 first-generation Pwn Phone was based on the Nokia N900 and its Maemo 5 Linux-based operating system, the new phone is based on LG Nexus 5 phone hardware. However, it doesn’t exactly use Google’s vanilla Android.

Read more

The oRouter Is A Tor-Powered Linux Box That Secures Your Internet Connection

Filed under
Linux
Security

Longtime TechCrunch Disrupt NY hackathon participants, Kay Anar and Gilad Shai showed off their hardware hack today called the “oRouter” – a Linux-powered, Raspberry Pi-like computer offering secure Wi-Fi access via the Tor network. The idea is to offer an affordable alternative to downloading the Tor software to your computer, as well as a way to more easily connect to Tor over mobile devices like an iPhone.

Read more

Android home automation hub focuses on security

Filed under
Android
Security

The Android-based “ALYT” home automation system supports numerous wireless protocols, and offers self-learning algorithms and advanced security functions.

Read more

Designing a Prize for Usable Cryptography

Filed under
OSS
Security

To that end, EFF is evaluating the feasibility of offering a prize for the first usable, secure, and private end-to-end encrypted communication tool. We believe a prize based on objective usability metrics (such as the percentage of users who were able to install and start using the tool within a few minutes, and the percentage who survived simulated impersonation or man-in-the-middle attacks) might be an effective way to determine which project or projects are best delivering communication security to vulnerable user communities; to promote and energize those tools; and to encourage interaction between developers, interaction designers and academics interested in this space.

Read more

Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation Form New Initiative to Support Critical Open Source Projects

Filed under
OSS
Security

“We are expanding the work we already do for the Linux kernel to other projects that may need support,” said Jim Zemlin, executive director of The Linux Foundation. “Our global economy is built on top of many open source projects. Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100% on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects. We are thankful for these industry leaders’ commitment to ensuring the continued growth and reliability of critical open source projects such as OpenSSL.”

Read more

OpenBSD forks, prunes, fixes OpenSSL

Filed under
Security
BSD

OpenSSL is the dominant SSL/TLS library on the Internet, but has suffered significant reputation damage in recent days for the Heartbleed bug. The incident has revived criticism of OpenSSL as a poorly-run project with source code that is impenetrable and documented, where it is at all documented, badly and inaccurately.

Read more

Easter egg: DSL router patch merely hides backdoor instead of closing it

Filed under
Hardware
Security
Legal

First, DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals it. And the nature of the “fix” suggests that the backdoor, which is part of the firmware for wireless DSL routers based on technology from the Taiwanese manufacturer Sercomm, was an intentional feature to begin with.

Back in December, Eloi Vanderbecken of Synacktiv Digital Security was visiting his family for the Christmas holiday, and for various reasons he had the need to gain administrative access to their Linksys WAG200G DSL gateway over Wi-Fi. He discovered that the device was listening on an undocumented Internet Protocol port number, and after analyzing the code in the firmware, he found that the port could be used to send administrative commands to the router without a password.

After Vanderbecken published his results, others confirmed that the same backdoor existed on other systems based on the same Sercomm modem, including home routers from Netgear, Cisco (both under the Cisco and Linksys brands), and Diamond. In January, Netgear and other vendors published a new version of the firmware that was supposed to close the back door.

Read more

Oracle updates users on Heartbleed progress

Filed under
Red Hat
Server
Security

The Heartbleed fallout continues, but enterprise customers can draw some comfort from the fact that the companies that keep them in software are clearly as concerned as they are. For example, Oracle Corp. has announced mostly good, some bad and a bit of ugly news when it comes to security holes in its products.

Read more

Safety you can bank on: Chromebook, Linux, phone

Filed under
GNU
Linux
Security

If you're not deterred by learning strange software, you can save hundreds of dollars by downloading a copy of the open-source Linux operating system and burning it to a CD or copying it to a flash drive. As security journalist Brian Krebs explained in the summer of 2012, you can pop that into your Windows PC, boot the machine off it, and go online insulated from whatever might lurk in your copy of Windows.

(In that post, Krebs endorsed a version of Linux with the charming name Puppy Linux; I usually recommend a different variety called Ubuntu, but the differences don't amount to much in this context.)

Using Linux just for online banking also insulates you from most of its potential complexity: You're only running a browser.

But if installing new apps in Windows already fills you with dread, or the thought of picking one version of Linux out of dozens makes your head hurt, spend money instead of time. A Chromebook just might work — and might be all the computer you needed in the first place.

Read more

OpenSSL and Linux: A Tale of Two Open-Source Projects

Filed under
Linux
Security

Linux, arguably the world’s most emblematic open-source project, provides a counterpoint to OpenSSL’s problems. Volunteers all over the world submit seven changes to Linux every hour, and millions of lines of code improvements and fixes are voluntarily added to the software every year. Over 180 major companies, including Hewlett-Packard, Oracle, IBM and Samsung, every year contribute around half a million dollars to the Linux Foundation, the nonprofit that supports the Linux system.

So what explains the discrepancy between the inattention to OpenSSL and the great fortune of Linux? Good old lack of awareness, experts say.

Open-source advocates and participants say Linux has simply had the benefit of strong brand ambassadors and better name recognition than OpenSSL.

Read more

Edward Snowden Used the Tails Linux Distro to Stay Hidden

Filed under
Security
Debian

The name Edward Snowden will be remembered as one of the biggest whistle-blowers in recent history, if not the most important one. People know more about Edward Snowden than they know about close relatives, but it seems that little has been revealed until now about this methods and how he managed to remain undetected. It all has to do with Linux, of course.

Read more ►

TrueCrypt audit finds “no evidence of backdoors” or malicious code

Filed under
Security

Since September 2013, a handful of cryptographers have been discussing new problems and alternatives to the popular security application. By February 2014, the Open Crypto Audit Project—a new organization based in North Carolina that seeks formal 501(c)3 non-profit status—raised around $80,000 towards this goal on various online fundraising sites.

"[The results] don't panic me,” Matthew Green, a Johns Hopkins cryptography professor who has been one of the people leading this effort, told Ars. “I think the code quality is not as high as it should be, but on the other hand, nothing terrible is in there, so that's reassuring”

Read more ►

Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed®

Filed under
GNU
Linux
Microsoft
Security

A serious conflict of interests that nobody in the media is talking about; Codenomicon is headed by Microsoft’s Howard A. Schmidt

Read more ►

CyanogenMod reveals new branding that represents openness, security and customization

Filed under
Android
Security

Well, folks, it looks like CyanogenMod, Inc. is starting to shape up to look like a real legit company. The company has already made big deals with phone manufacturers and successfully raised a good deal of money to help in their endeavors, and now they are making some changes to the way they present themselves.

Read more ►

Security Exaggeration, Linux on ATMs, and Mac Ubuntu

Filed under
Linux
Security
Ubuntu

A lot of Websites are still covering the last couple of Linux security breaches and today Steven J. Vaughan-Nichols said, "It's not Linux's fault!" It rarely is. A lot of talk is heard lately about those last XP users and what they will use next, but yesterday ComputerWorld.com said ATMs will likely be migrated to Linux as well. That's a whole demographic we forgot to count. Jack Wallen says Google is "single-handedly" responsible for propelling Linux to the top. And Michael Larabel reports that Ubuntu 14.04 runs very well on MacBooks.

Read more ►

Why the media loves to exaggerate Linux security problems

Filed under
GNU
Linux
Security

There have been a lot of media reports about Linux security problems recently. ZDNet has taken a stand and pointed out that the problem isn't with Linux, the problem is with certain Linux users and administrators. I'd also argue that the problem is also with certain media outlets who jump on the "linux security stinks!" bandwagon at the earliest opportunity.

Read more ►

Cyber criminals capture 25,000 Unix servers

Filed under
Server
Security

Security boffins at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have found a cybercriminal campaign that has taken control of over 25,000 Unix servers worldwide.

Dubbed "Operation Windigo" it has resulted in infected servers sending out millions of spam emails which are designed to hijack servers, infect the computers that visit them, and steal information.

Read more ►

Replicant developers find and close Samsung Galaxy back-door

Filed under
Android
Security

While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system.

Read more ►

Red Hat Risk Reflex (The Linux Security Flaw That Isn't)

Filed under
Red Hat
Security

News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a 'major security problem' has been found with Linux are a different kettle of fish. So when reports of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both secure sockets layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared that recount how the vulnerability can impact upon Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that "GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification... An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid." In all, at least 200 operating systems actually use GnuTLS when it comes to implementing SSL and TLS and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it's all Linux's fault. Or is it?

Read more ►

Panic Over Transport Layer Security (TLS) Flaw Which is Already Patched

Filed under
GNU
Security

The only shocking thing is the amount of press coverage this received. PGP/GPG, OpenSSH, OpenSSL etc. were previously named here for flaws that had been found (in the context of Red Hat and the NSA [1, 2, 3]). These are not so uncommon. One just needs to keep up to date (patched) — one that which Apple’s customers cannot do. They can’t even write their own patches.

Read more ►

Syndicate content