Biometric Authentication Might Come to Some Ubuntu Phones in Future OTAs


Now that most Ubuntu Phone and Ubuntu Tablet owners are enjoying the new features implemented by Canonical's Ubuntu Touch developers in the OTA-11 update released last week, it's time to look forward to OTA-12.

Canonical already said a few weeks ago that the Ubuntu Touch OTA-12 software update for supported Ubuntu Phone devices, as well as the Ubuntu Tablet, is more about fixes than features, but Łukasz Zemczak's latest report suggests that the Ubuntu Touch devs are preparing the long anticipated fingerprint reader support.


Security Leftovers

  • Security updates for Monday
  • Password app developer overlooks security hole to preserve ads

    Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the "indirect costs" of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue. Yes, the implication is that profit is more important than protecting users.

    The impact is potentially quite severe, too. An attacker could hijack the update process and deliver malware that would compromise your PC.

  • Protecting your PC from ransomware gets harder with EMET-evading exploit

    Drive-by attacks that install the once-feared TeslaCrypt crypto ransomware are now able to bypass EMET, a Microsoft-provided tool designed to block entire classes of Windows-based exploits.

    The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Short for Enhanced Mitigation Experience Toolkit, EMET has come to be regarded as one of the most effective ways of hardening Windows-based computers from attacks that exploit security vulnerabilities in both the operating system or installed applications. According to a blog post published Monday by researchers from security firm FireEye, the new Angler attacks are significant because they're the first exploits found in the wild that successfully pierce the mitigations.

    "The level of sophistication in exploit kits has increased significantly throughout the years," FireEye researchers wrote. "Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode."

  • Is there a future view that isn't a security dystopia?

    I recently finished reading the book Ghost Fleet, it's not a bad read if you're into what cyberwar could look like. It's not great though, I won't suggest it as the book of the summer. The biggest thing I keep thinking about is I've yet to really see any sort of book that takes place in the future, with a focus on technology, that isn't a dystopian warning. Ghost Fleet is no different.

  • Some work on a VyOS image with Let’s Encrypt certs

Tails 2.4, Edward Snowden's Favorite Anonymous Live CD, Brings Tor Browser 6.0


The Tails Project released Tails 2.4, a major version of the anonymous Live CD based on Debian GNU/Linux, which was used by ex-CIA employee Edward Snowden to stay hidden online and protect his privacy.

Compared with the previous release, Tails 2.4 includes some big changes, among them the upgrade to Debian GNU/Linux 8.4 "Jessie" and the inclusion of the recently released Tor Browser 6.0 anonymous browser, which is based on the open-source Mozilla Firefox 45.2 web browser.


Also: TeX Live 2016 released

Security Leftovers

  • Friday's security updates
  • electrum ssl vulnerabilities

    One full month after I filed these, there's been no activity, so I thought I'd make this a little more widely known. It's too hard to get CVEs assigned, and registering a snarky domain name is passe.

    I'm not actually using electrum myself currently, as I own no bitcoins. I only noticed these vulnerabilities when idly perusing the code. I have not tried to actually exploit them, and some of the higher levels of the SPV blockchain verification make them difficult to exploit. Or perhaps there are open wifi networks where all electrum connections get intercepted by a rogue server that successfully uses these security holes to pretend to be the entire electrum server network.

  • Stop it with those short PGP key IDs!

    PGP is secure, as it was 25 years ago. However, some uses of it might not be so.

  • Wolf: Stop it with those short PGP key IDs!
  • There's a Stuxnet Copycat, and We Have No Idea Where It Came From [iophk: "Windows strikes again"]

    After details emerged of Stuxnet, arguably the world's first digital weapon, there were concerns that other hackers would copy its techniques.

    Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Although the copycat malware—dubbed IRONGATE by cybersecurity company FireEye—only works in a simulated environment, it, like Stuxnet, replaces certain types of files, and was seemingly written to target a specific control system configuration.

    “In my mind, there is little room to say that these are the same actors,” behind Stuxnet and IRONGATE, Sean McBride, manager at FireEye iSIGHT Intelligence told Motherboard in a phone interview.

    But clearly, and perhaps to be expected, other hackers have paid very close attention to, and copied one of the most powerful pieces of malware ever, raising questions of who else might have decided to see how Stuxnet-style approaches to targeting critical infrastructure can be adapted.

  • Are firewalls still important? Making sense of networking's greatest security layer

    Firewalls have become the forgotten part of security and yet they are still the place an admin goes in a crisis.

  • Software Now To Blame For 15 Percent Of Car Recalls

    Apps freezing or crashing, unexpected sluggishness, and sudden reboots are all, unfortunately, within the normal range of behavior of the software in our smartphones and laptops.

    While losing that text message you were composing might be a crisis for the moment, it’s nothing compared to the catastrophe that could result from software in our cars not playing nice.

    Yes, we’re talking about nightmares like doors flying open without warning, or a sudden complete shutdown on the highway.

    The number of software-related issues, according to several sources tracking vehicle recalls, has been on the rise. According to financial advisors Stout Risius Ross (SSR), in their Automotive Warranty & Recall Report 2016, software-related recalls have gone from less than 5 percent of recalls in 2011 to 15 percent by the end of 2015.

  • Effective IT security habits of highly secure companies

    Critics may claim that applying patches “too fast” will lead to operational issues. Yet, the most successfully secure companies tell me they don’t see a lot of issues due to patching. Many say they’ve never had a downtime event due to a patch in their institutional memory.

  • Introducing Security Snake Oil

    It has become quite evident that crowd-funding websites like KickStarter do not take any consideration to review the claims made by individuals in their cyber security products. Efforts made to contact them have gone unanswered and the misleading initiatives continue to be fruitless so as a community, we have to go after them ourselves.

  • CloudFlare is ruining the internet (for me) [iophk: "FB-like bottleneck and control for now available for self-hosted sites"]

    CloudFlare is a very helpful service if you are a website owner and don’t want to deal with separate services for CDN, DNS, basic DDOS protection and other (superficial) security needs. You can have all these services in a one stop shop and you can have it all for free. It’s hard to pass up the offer and go for a commercial solution. Generally speaking, CloudFlare service is as stable as they come, their downtime and service interruption are within the same margin as other similar services, at least to my experience. I know this because I have used them for two of my other websites, until recently.

    But what about the users? If you live in a First World country then for the most part you probably wouldn’t notice much difference, other than better speed and response time for the websites using CloudFlare services. You will be happy to know that because of their multiple datacenter locations, mostly in the USA, Canada, Europe and China, short downtimes won’t result in service interruptions for you, because you will be automatically rerouted to their nearest CloudFlare data center, and they have plenty to go around within the First World countries.

Security Leftovers

  • Hackers, your favourite pentesting OS Kali Linux can now be run in a browser
  • Core Infrastructure Initiative announces investment in security tool OWASP ZAP

    The Linux Foundation’s Core Infrastructure Initiative (CII) is continuing its commitment to help fund, support and improve open-source projects with a new investment. The organization has announced it is investing in the Open Web Application Security Project Zed Attack Proxy project (OWASP ZAP), a security tool designed to help developers identify vulnerabilities in their web apps.

  • The Linux Foundation's Core Infrastructure Initiative Invests in Security Tool for Identifying Web Application Vulnerabilities
  • Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk [Ed: Microsoft Windows poses greater risks. Does Microsoft put back doors in Windows (all versions)? Yes. Does it spy on users? Yes. So why focus only on Asian OEMs all the time?]

    Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BIOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

    Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

Canonical Patches ImageTragick Exploit in All Supported Ubuntu OSes, Update Now


Today, June 2, 2016, Canonical published an Ubuntu Security Notice to inform the community about an important security update to the ImageMagick packages for all supported Ubuntu OSes.


Security Leftovers

  • Security advisories for Thursday
  • Hertz: Abusing privileged and unprivileged Linux containers
  • How LinkedIn’s password sloppiness hurts us all

    Me: "The full dump from the 2012 LinkedIn breach just dropped, so you're probably not going to see much of me over the next week."

    Wife: "Again?"

    Yes, again. If you're just waking up from a coma you would be forgiven for thinking that it's still 2012. But no, it's 2016 and the LinkedIn breach is back from the dead—on its four-year anniversary, no less. If you had a LinkedIn account in 2012, there's a 98 percent chance your password has been cracked.

    Back in 2012, fellow professional password cracker d3ad0ne (who regretfully passed away in 2013) and I made short work out of the first LinkedIn password dump, cracking more than 90 percent of the 6.4 million password hashes in just under one week. Following that effort, I did a short write-up ironically titled The Final Word on the LinkedIn Leak.

  • The Internet of Things

    A common question is whether or not IoT is something new and revolutionary or a buzzword for old ideas? The answer is “yes”…

    Much of the foundation of IoT has been around for quite a while. SCADA systems, or Supervisory Control And Data Acquisition, have been around since the 1950’s managing electrical power grids, railroads, and factories. Machine communications over telephone lines and microwave links have been around since the 1960’s. Machine control systems, starting on mainframes and minicomputers, have also been around since the 1960’s.

    The big changes are economics, software, and integration. Microsensors and SoC (System on a Chip) technology for CPUs and networking are driving the cost of devices down – in some cases by a factor of a thousand! Advances in networking – both networking technology as well as the availability of pervasive networking – are changing the ground rules and economics for machine to machine communication.

  • Signal and Google Cloud Services

    I just installed Signal on my Android phone.

    It wasn't an easy decision. I have been running Cyanogenmod, a Google-free version of Android, and installing apps from F-Droid, a repository of free software android apps, for several years now. This setup allows me to run all the applications I need without Google accessing any of my cell phone data. It has been a remarkably successful experiment leaving me with all the phone software I need. And it's consistent with my belief that Google's size, reach and goals are a menace to the left's ability to develop the autonomous communications systems on the Internet that we need to achieve any meaningful political change.

Security Leftovers

  • Security advisories for Wednesday
  • How the Top 5 PC Makers Open Your Laptop to Hackers [iophk: "Windows again"]
  • Google plans to replace smartphone passwords with trust scores [iophk: "if you have to travel unexpectedly, you'll probably get locked out."]

    Goodbye, Password1. Goodbye, 12345. You’ve been hearing about it for years but now it might really be happening: the password is almost dead.

    At Google’s I/O developer conference, Daniel Kaufman, head of Google’s advanced technology projects, announced that the company plans to phase out password access to its Android mobile platform in favour of a trust score by 2017. This would be based on a suite of identifiers: what Wi-Fi network and Bluetooth devices you’re connected to and your location, along with biometrics, including your typing speed, voice and face.

    The phone’s sensors will harvest this data continuously to keep a running tally on how much it trusts that the user is you. A low score will suffice for opening a gaming app. But a banking app will require more trust.

Security Leftovers

  • Allwinner Leaves Root Exploit in Linux Kernel, Putting ARM Devices at Risk

    Running a Bitcoin node on your ARM single board computer? Fan of cheap Chinese tablets and smartphones? Maybe you contributed to the recent CHIP computer Kickstarter, or host a wallet on one of these devices. Well, if any of these applies to you, and your device is powered by an Allwinner SoC, you should probably wipe it and put an OS on it with the most recent kernel release. Why? Allwinner left a development “tool” on their ARM Linux kernel that allows anyone to root their devices with a single command. This oversight has serious security implications for any Allwinner powered device, especially so for those of us hosting sensitive data on them.

  • 5 steps to reduce cyber vulnerabilities

    The National Vulnerability Database (NVD) — the U.S. government’s repository of standards-based vulnerability management data — says 2015 was another blockbuster year for security vulnerabilities with an average of 17 new vulnerabilities added per day.

    While IT managers can somewhat breathe a collective sigh of relief that the total number of vulnerabilities actually decreased from 7,937 in 2014 to 6,270 in 2015, there’s no time to relax. According to NVD data, 37 percent of vulnerabilities reported in 2015 were classified as highly severe, up from 24 percent in 2014.

  • How to Get an Open Source Security Badge from CII

    Everybody loves getting badges. Fitbit badges, Stack Overflow badges, Boy Scout merit badges, and even LEED certification are just a few examples that come to mind. A recent 538 article "Even psychologists love badges" publicized the value of a badge.

  • 4 Steps To Secure Serverless Applications

    Serverless applications remove a lot of the operational burdens from your team. No more managing operating systems or running low level infrastructure.

    This lets you and your team focus on building…and that’s a wonderful thing.

  • IPv6 support finally coming to Fail2Ban with next major release

    The reaction to this headline from sysadmins who deploy Fail2Ban on an IPv6 enabled system is probably: “Fail2Ban doesn’t support IPv6‽” At least, that seems to be the reaction most admins have posted on forums and social media when they learn that Fail2Ban doesn’t support IPv6. Now Fail2Ban’s IPv4-only limitation is about to be lifted.

    Fail2Ban is a tool that identifies unwanted behaviors by monitoring service logs, and can act upon that by banning offending IP addresses temporarily. Up until recently, Fail2Ban only supported IPv4 although it’s almost certainly running on many IPv6 capable systems as well.

  • Tor Browser announces stable 6.0 release

    The Tor Browser team has announced the first stable version of its 6.0 release. It can be downloaded from the project's website.

    The browser is based on Firefox ESR and this release brings it up-to-date with Firefox 45-ESR, providing better support for HTML5 video on YouTube.
