Security

Security: Dashlane, Coverity, FireEye's GoCrack

Filed under
Security

Security: Pwn2Own, WordPress, Black Duck's Latest FUD (Sales Pitch), Claims of Russian Meddling


Security: Kaspersky, GDPR, NIST, Voting

  • Kaspersky purged from 'vast majority' of US government systems

    Michael Duffy, who leads cybersecurity and communications at the DHS, explained that fewer than half of their agencies were using Kaspersky's anti-virus software.

  • The EU’s GDPR is even more relevant to Linux systems, and here is why

    This new regulation represents a tightening of the data protection laws. The new regulation requires far faster responses to data breaches (within 72 hours), and the maximum penalty for breaching the legislation has increased by over four times to twenty million euros or four percent of a business’s annual global turnover, whichever is higher. In addition, GDPR will unify the processes by which EU countries regulate their data security. This will ensure breaches are easier to report, investigate and respond to the new supervisory authorities being introduced.

  • New Network Security Standards Will Protect Internet’s Routing

    Electronic messages traveling across the internet are under constant threat from data thieves, but new security standards created with the technical guidance of the National Institute of Standards and Technology (NIST) will reduce the risk of messages being intercepted or stolen. These standards address a security weakness that has been a part of the internet since its earliest days.

  • Disney-branded internet filter had Mickey Mouse security

    A Disney-branded home internet filtering device might keep bad content out, but it was an open door to bad actors until earlier this month.

    That's what Cisco Talos's William Largent found when he took a look at "Circle with Disney", a Circle Media parental control device on which the entertainment giant slapped its brand.

    Whatever its qualities in filtering and screen time management, the US$99 box is riddled with 23 vulns, as the Talos post discloses.

  • Episode 68 - Ruining the Internet
  • Security updates for Wednesday
  • Trump administration reportedly kills vehicle-to-vehicle safety mandate [Updated]
  • Members of Congress want you to hack the US election voting system

    This summer, DefCon's "Voting Machine Hacking Village" turned up a host of US election vulnerabilities (PDF). Now, imagine a more mainstream national hacking event backed by the Department of Homeland Security that has the same goal: to discover weaknesses in voting machines used by states for local and national elections.

    That might just become a reality if federal legislation (PDF) unveiled Tuesday becomes law. The proposal comes with a safe harbor provision to exempt participants from federal hacking laws. Several federal exemptions for ethical hacking that paved the way for the DefCon hacking village expire next year.

    The bipartisan "Securing America's Voting Equipment Act" also would provide election funding to the states and would designate voting systems as critical infrastructure—a designation that would open up communication channels between the federal government and the states to share classified threat information.

Security: Nextcloud, Microsoft/Windows, Canonical/Ubuntu


pfSense 2.3.5-RELEASE now available


As we have promised, we will continue to deliver security and stability fixes to the pfSense 2.3.x line even after we have released pfSense 2.4.0, since i386 and NanoBSD were deprecated in pfSense 2.4.0. These updates will continue for a minimum of one year after the pfSense 2.4.0 release date, which means they will continue through at least October 2018.

Security: Certificate Authorities, Coverity SPAM, and WordPress Patches

  • Mozilla devs discuss ditching Dutch CA, because cryptowars

    Concerns at the effect of The Netherlands' new security laws could result in the country's certificate authority being pulled from Mozilla's trust list.

    The nation's Information and Security Services Act will come into force in January 2018. The law includes metadata retention powers similar to those enacted in other countries, and also grants broad-based interception powers to Dutch security services.

  • Francisco Partners Acquires Comodo's Certificate Authority Business

    Private equity firm Francisco Partners announced on Oct. 31 that it has acquired the SSL/TLS Certificate Authority (CA) business from security firm Comodo Group. Financial terms of the deal are not being publicly disclosed.

    "This is a carve-out of the Comodo SSL business, which is now going to be a separate legal and operational entity," Bill Holtz, CEO of Comodo CA told eWEEK.

  • Open source developers make progress in adopting secure practices [Ed: Coverity marketing disguised as an article. Because journalism is dead. The business model is PR as 'reports']
  • WordPress 4.8.3 Security Release

Security: UEFI, Windows and NSA Back Doors

  • Replace Your Exploit-Ridden Firmware with Linux

    With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a "Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.

  • Your Windows Login Details Can Be Stolen By Hackers Without User Interaction

    From time to time, security researchers remind us that the Windows operating system is full of loopholes that can be exploited by hackers to steal our data. One such vulnerability was patched by Redmond in the recent Patch Tuesday.

  • NSA hacking tool EternalRomance found in BadRabbit

    Several research firms have named EternalRomance as the tool BadRabbit used to spread through an organisation once the ransomware was installed on a host computer. When the cyber-attack first sprang up on 24 October there were many reports claiming that EternalBlue, the tool made famous by the Petya/NotPetya attacks that took place earlier this year, was the culprit, but this was quickly disproven by researchers. However, EternalRomance does share at least one similarity with the other attack: both exploit the same Microsoft vulnerability.

Security: Joanna Rutkowska and Microsoft's NSA Back Doors


Security: Updates, Reaper, KRACK, Cryptographic Keycards, Flexera's FUD, Google Play, Windows BadRabbit

  • Security updates for Friday
  • Assessing the threat the Reaper botnet poses to the Internet—what we know now
  • KRACK, ROCA, and device insecurity

    It is a fairly bleak picture from a number of different viewpoints. One almost amusing outcome of this mess is contained near the end of Vanhoef's KRACK web page. He notified OpenBSD of the flaw in mid-July with an embargo (at the time) until the end of August. OpenBSD leader Theo de Raadt complained about the length of the embargo, so Vanhoef allowed OpenBSD to silently patch the flaw. "In hindsight this was a bad decision, since others might rediscover the vulnerability by inspecting their silent patch. To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo." That might not quite be the outcome De Raadt was hoping for with his (quite reasonable) complaint, especially given that Vanhoef strongly hints that there are other WiFi vulnerabilities in the pipeline.

  • A comparison of cryptographic keycards

    An earlier LWN article showed that private key storage is an important problem to solve in any cryptographic system and established keycards as a good way to store private key material offline. But which keycard should we use? This article examines the form factor, openness, and performance of four keycards to try to help readers choose the one that will fit their needs.

    I have personally been using a YubiKey NEO, since a 2015 announcement on GitHub promoting two-factor authentication. I was also able to hook up my SSH authentication key into the YubiKey's 2048 bit RSA slot. It seemed natural to move the other subkeys onto the keycard, provided that performance was sufficient. The mail client that I use (Notmuch) blocks when decrypting messages, which could be a serious problem on large email threads from encrypted mailing lists.

    So I built a test harness and got access to some more keycards: I bought a FST-01 from its creator, Yutaka Niibe, at the last DebConf and Nitrokey donated a Nitrokey Pro. I also bought a YubiKey 4 when I got the NEO. There are of course other keycards out there, but those are the ones I could get my hands on. You'll notice none of those keycards have a physical keypad to enter passwords, so they are all vulnerable to keyloggers that could extract the key's PIN. Keep in mind, however, that even with the PIN, an attacker could only ask the keycard to decrypt or sign material but not extract the key that is protected by the card's firmware.

  • Study Examines Open Source Risks in Enterprise Software [Ed: Microsoft network promotes anti FOSS 'study' (marketing by Flexera)]
  • Google Play Protect is 'dead last' at fingering malware on Android

    Last month, German software testing laboratory AV-Test threw malware at 20 Android antivirus systems – and now the results aren't particularly great for Google.

    Its Play Protect system, which is supposed to block malicious apps from running on your handheld, was beaten by every other anti-malware vendor.

  • NSA hacking tool EternalRomance found in BadRabbit

Security: UEFI Risks and Bad Rabbit (Microsoft Windows Strikes Again)


More in Tux Machines

OSS Leftovers

  • Sunjun partners with Collabora to offer LibreOffice in the Cloud
  • Tackling the most important issue in a DevOps transformation
    You've been appointed the DevOps champion in your organisation: congratulations. So, what's the most important issue that you need to address?
  • PSBJ Innovator of the Year: Hacking cells at the Allen Institute
  • SUNY math professor makes the case for free and open educational resources
    The open educational resources (OER) movement has been gaining momentum over the past few years, as educators—from kindergarten classes to graduate schools—turn to free and open source educational content to counter the high cost of textbooks. Over the past year, the pace has accelerated. In 2017, OERs were a featured topic at the high-profile SXSW EDU Conference and Festival. Also last year, New York State generated a lot of excitement when it made an $8 million investment in developing OERs, with the goal of lowering the costs of college education in the state. David Usinski, a math and computer science professor and assistant chair of developmental education at the State University of New York's Erie Community College, is an advocate of OER content in the classroom. Before he joined SUNY Erie's staff in 2007, he spent a few years working for the Erie County public school system as a technology staff developer, training teachers how to infuse technology into the classroom.

Mozilla: Wireless Innovation for a Networked Society, New AirMozilla Audience Demo, Firefox Telemetry

  • Net Neutrality, NSF and Mozilla's WINS Challenge Winners, openSUSE Updates and More
    The National Science Foundation and Mozilla recently announced the first round of winners from their Wireless Innovation for a Networked Society (WINS) challenges—$2 million in prizes for "big ideas to connect the unconnected across the US". According to the press release, the winners "are building mesh networks, solar-powered Wi-Fi, and network infrastructure that fits inside a single backpack" and that the common denominator for all of them is "they're affordable, scalable, open-source and secure."
  • New AirMozilla Audience Demo
    The legacy AirMozilla platform will be decommissioned later this year. The reasons for the change are multiple; however, the urgency of the change is driven by deprecated support of both the complex back-end infrastructure by IT and the user interface by Firefox engineering teams in 2016. Additional reasons include a complex user workflow resulting in a poor user experience, no self-service model, poor usability metrics and a lack of integrated, required features.
  • Perplexing Graphs: The Case of the 0KB Virtual Memory Allocations
    Every Monday and Thursday around 3pm I check dev-telemetry-alerts to see if there have been any changes detected in the distribution of any of the 1500-or-so pieces of anonymous usage statistics we record in Firefox using Firefox Telemetry.

Games: All Walls Must Fall, Tales of Maj'Eyal

  • All Walls Must Fall, the quirky tech-noir tactics game, comes out of Early Access
    This isometric tactical RPG blends in sci-fi, a Cold War that never ended and lots of spirited action. It’s powered by Unreal Engine 4 and has good Linux support.
  • Non-Linux FOSS: Tales of Maj'Eyal
    I love gaming, but I have two main problems with being a gamer. First, I'm terrible at video games. Really. Second, I don't have the time to invest in order to increase my skills. So for me, a game that is easy to get started with while also providing an extensive gaming experience is key. It's also fairly rare. All the great games tend to have a horribly steep learning curve, and all the simple games seem to involve crushing candy. Thankfully, there are a few games like Tales of Maj'Eyal that are complex but with a really easy learning curve.

KDE and GNOME: KDE Discover, Okular, Librsvg, and Phone's UI Shell

  • This week in Discover, part 7
    The quest to make Discover the most-loved Linux app store continues at Warp 9 speed! You may laugh, but it’s happening! Mark my words, in a year Discover will be a beloved crown jewel of the KDE experience.
  • Okular gains some more JavaScript support
    With it we support recalculation of some fields based on others. An example that calculates sum, average, product, minimum and maximum of three numbers can be found in this youtube video.
  • Librsvg's continuous integration pipeline
    With the pre-built images, and caching of Rust artifacts, Jordan was able to reduce the time for the "test on every commit" builds from around 20 minutes to a little under 4 minutes in the current iteration. This will get even faster if the builds start using ccache and parallel builds from GNU make. Currently we have a problem in that tests are failing on 32-bit builds, and we haven't had a chance to investigate the root cause. Hopefully we can add 32-bit jobs to the CI pipeline to catch this breakage as soon as possible.
  • Design report #3: designing the UI Shell, part 2
    Peter has been quite busy thinking about the most ergonomic mobile gestures and came up with a complete UI shell design. While the last design report described the design of the lock screen and the home screen, here we will discuss navigating between the different features of the shell.