Security

And More Security Leftovers

Filed under
Security

Google Releases Test Set to Check Cryptographic Library Security

Filed under
Google
Security

Google has released a set of tests that developers can use to check some open source cryptographic libraries for known security vulnerabilities.

The company has named the set of tests Project Wycheproof, after a mountain in Australia, which has the distinction of being the world's smallest registered mountain.

Also: Project Wycheproof

What's new in Tor 0.2.9.8?

Filed under
Security

Today, we've released the first stable version of the 0.2.9.x series, bringing exciting new features to Tor. The series has seen 1406 commits from 32 different contributors. Please see the ChangeLog for more details about what has been done.

This post will outline three features (among many other things) that we are quite proud of and want to describe in more detail.

Also: Tor 0.2.9 Rolls Out with New Shared-Randomness Protocol, Single Onion Services

DISA looks to open source to squash cyber bugs, reorganizes its data centers

Filed under
OSS
Security

As part of the response to two massive data breaches involving systems at the Office of Personnel Management, the federal government decided to put the Defense Department in charge of building a new information technology backbone to house and process all of the data involved in security clearance investigations, one that would be safer from foreign attacks.

As one way to achieve that goal, the Defense Information Systems Agency, the lead agency in charge of the IT development, is considering opening up the National Background Investigation System’s underlying source code to the general public as soon as it’s fully baked. The theory is that it’s far better for white-hat hackers to find and help squash security bugs before the new system comes online than for bad-guy hackers to discover and make use of them to steal yet another batch of data.

Maj. Gen. Sarah Zabel, DISA’s vice director, said the idea was first proposed to her agency by the Defense Digital Service.

Serious Ubuntu Linux desktop bugs found and fixed

Filed under
Security
Ubuntu

The good news is that the problems have been patched. So, now that you're almost done reading this, patch your system already.

The bad news is there still aren't enough eyes looking at older open-source code for overlooked security vulnerabilities.

Security News

Filed under
Security
  • SELinux, Seccomp, Falco, and You: A Technical Discussion

    One of the questions we often get when we talk about Sysdig Falco is “How does it compare to other tools like SELinux, AppArmor, Auditd, etc. that also have security policies?” To help answer some of those questions, we thought we’d present a summary of other related security products and how they compare to Sysdig Falco.

  • PGP Never Gonna Give You Up

    Seeing that I was planning on carrying my long-term private keys around on my telephone (BlackBerry PRIV, FDE encryption active FWIW), I had to double-check the security of the secret key encryption.

    It turns out that PGP encrypts each of your secret keys with a hash of the passphrase you supply. My passphrase is significantly longer than the average, and consists of random characters (uppercase, lowercase, numbers, symbols). Passphrase length and complexity are by far the most important factors determining the safety of your encrypted secret key.

  • McAfee Virus Scan for Linux

    A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root.

  • The Coolest Hacks Of 2016

    No 400-pound hacker here: Lightbulb and 'do-gooder' worms, machines replacing humans to hack other machines, and high-speed car hacking were among the most innovative white-hat hacks this year.

    In a year when ransomware became the new malware and cyber espionage became a powerful political propaganda tool for Russia, it's easy to forget that not all hacking in 2016 was so ugly and destructive.

    Sure, cybercrime and cyber espionage this past year turned the corner into more manipulative and painful territory for victims. But 2016 also had its share of game-changing "good" hacks by security researchers, with some creative yet unsettling ways to break the already thin-to-no defenses of Internet of Things things, as well as crack locked-down computers and hijack computer mice. Hackers even took a back seat to machines in the first-ever machine-on-machine hacking contest this summer at DEF CON.

Security Leftovers

Filed under
Security

More Security News

Filed under
Security
  • Game Music Emulator Security Vulnerability Patched in Debian and Ubuntu Linux [Ed: The same news without the FUD of Dan Goodin]

    Security researcher Chris Evans has reported recently on yet another vulnerability in the Game Music Emulator (game-music-emu) package that's installed or found in the repositories of various popular GNU/Linux distributions.

    For those not aware, Game Music Emulator is a collection of video game music file emulators designed to play back a large number of formats and systems, including SPC (Super Nintendo/Super Famicom), where the problem was discovered by Chris Evans, which could allow an attacker to execute arbitrary code via a maliciously crafted file.

  • 0-day alert: Your favorite Linux distro may not be as secure as you think [Ed: Sensationalism from Dan Goodin is infectious. Beta News now parrots his dramatic ‘journalism’]
  • Ubuntu App Crash Reporter Bug Allows Remote Code Execution

    A security researcher has discovered a vulnerability in Ubuntu’s crash reporter that would allow remote code execution, making it possible for an attacker to compromise a system using just a malicious file.

  • Most Ubuntu Linux Installations Are Affected By A Dangerous Remote Code Execution Bug

    All recent Ubuntu Linux releases ship with the Apport crash handling software. A security researcher has discovered a flaw in this utility that allows an attacker to remotely execute code using a malicious booby-trapped file. Ubuntu has released the fix for the same, which can be grabbed via a simple Ubuntu update.

Security Leftovers

Filed under
Security
  • Security advisories for Thursday
  • Why My Heart Bleeds for Open Source [Ed: Name-dropping bugs with brands, logos, and Web sites to make FOSS look bad]
  • 0-days hitting Fedora and Ubuntu open desktops to a world of hurt

    If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.

  • Reliably compromising Ubuntu desktops by attacking the crash reporter

    In this post I’ll describe how I found a remote code execution bug in Ubuntu Desktop which affects all default installations >= 12.10 (Quantal). The bug allows for reliable code injection when a user simply opens a malicious file. The following video demonstrates the exploit opening the Gnome calculator. The executed payload also replaces the exploit file with a decoy zip file to cover its tracks.

  • Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

    Users and administrators of Ubuntu Linux desktops are being advised to patch their systems following the disclosure of serious security flaws.

    Researcher Donncha O'Cearbhaill, who discovered and privately reported the vulnerabilities to Ubuntu, said that a successful exploit of the bugs could allow an attacker to remotely execute code by way of a maliciously booby-trapped file.

  • LibreSSL documentation status report
  • Reproducible Builds: week 85 in Stretch cycle
  • Should we be pushing OpenPGP?

    Bjarni Rúnar, the author of Mailpile, released a blog post about recent blogs disparaging OpenPGP. It's a good read.

    There's one reason to support OpenPGP missing from the blog: OpenPGP protects you if your mail server is hacked. I'm sure that Debbie Wasserman Schultz wishes she had been using OpenPGP.

  • Security experts: 'No one should have faith in Yahoo at this point'

    Experts have attacked Yahoo’s weak security after the revelation it suffered a hack in 2013, which exposed the personal data of 1 billion users, just months after revealing a 500-million-user data breach from 2014.

    The hack saw the potential theft of login details, personal details and any confidential or sensitive information contained within email correspondences. Yahoo provided the email services for BT and Sky customers, as well as other services.

  • Yahoo admits it’s been hacked again, and 1 billion accounts were exposed

    On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from more than 1 billion user accounts. The breach took place in August 2013 and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor."

    The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer, Bob Lord, reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."

  • Hacked Yahoo Data Is for Sale on Dark Web

    Some time around August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services. The attackers quietly scooped up the records of more than 1 billion users, including names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security.

    The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world: Several million of the backup addresses belonged to military and civilian government employees from dozens of nations, including more than 150,000 Americans.

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Things That Make You Go “Hmmm” From Adobe
  • Flaws Found in Security Software, Unlicensed Code

    A flurry of industry surveys have flagged open source and unlicensed software as growing security threats. Moreover, a review released by Flexera Software also found that the very security products designed to protect IT infrastructure are themselves riddled with vulnerabilities embedded in open source software.

    While agreeing that malware is a growing threat, other observers counter that the culprit is the growing use of unlicensed software.

    The Flexera security software survey conducted between August and October found that 11 security software products from vendors such as IBM (NYSE: IBM), McAfee and Splunk showed up on its list of 20 products with the most security vulnerabilities. Hence, the survey emphasizes that software developers need greater visibility into open source components so they can identify vulnerabilities and quickly issue security patches. Those patches are generally available as soon as vulnerabilities are announced.

  • Another Yahoo Security Breach Affects a Billion Accounts

    If you’re a Yahoo user, you should strongly consider closing your account. If you decide to keep your account open, you might as well post your username and password to Facebook and send them out in a tweet, for all the good Yahoo’s security precautions will do for you.

  • ‘Refer a Friend’ Ransomware Program

    If you need any proof that malware is a business much like any other — with the big exception that it’s illegal — all you have to do is look at the latest ploy being used by the currently-in-development ransomware called Popcorn Time that was discovered December 7 by MalwareHunterTeam. The folks behind the malware are incorporating a scheme to drum up business that’s directly from a Marketing 101 textbook.

    If Popcorn Time grabs a computer and encrypts its files, the hapless victim is offered two choices to get the data returned to its pristine state. One is the traditional method — the authors of the malware call it “the fast and easy way” — of paying a ransom of a Bitcoin, which is about $773 at the current rate. If the price is too steep for the victim’s pocketbook, there’s another option that the malware authors call “the nasty way,” which is a new twist on the tried and true “refer a friend” promotions that have been used by legitimate businesses forever.

More in Tux Machines

Tizen in Bolivia and India

Security Leftovers

  • Security updates for Wednesday
  • Microsoft says it's best not to fiddle with its Windows 10 group policies (that don't work)

    On Monday, we revealed that a security researcher had used a packet sniffer to show that many settings designed to prevent access to the internet were being ignored with connections to a range of third party servers including advertising hubs.

  • What's got a vast attack surface and runs on Linux? Windows Defender, of course
    Google Project Zero's Windows bug-hunter and fuzz-boffin Tavis Ormandy has given the world an insight into how he works so fast: he works on Linux, and with the release of a personal project on GitHub, others can too. Ormandy's project is to port Windows DLLs to Linux for his vuln tests (“So that's how he works so fast!” Penguinistas around the world are saying). Typically self-effacing, Ormandy made this simple announcement on Twitter (to a reception mixing admiration, humour, and horror):
  • Hacked in Translation – from Subtitles to Complete Takeover
    Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.
  • A Samba remote code execution vulnerability
    Distributors are already shipping the fix; there's also a workaround in the advisory for those who cannot update immediately.

KDE, Qt, GTK and GNOME News

  • KDE Plasma 5.8.7 LTS Desktop Environment Released with over 60 Improvements
    KDE has announced today the release and immediate availability of the seventh maintenance update to the long-term supported KDE Plasma 5.8 desktop environment. KDE Plasma 5.8.7 LTS is now considered the latest stable and most advanced version of the KDE Plasma 5.8 LTS (Long Term Support) desktop environment, which some of you out there are probably using on your favorite GNU/Linux distributions instead of a short-lived branch like KDE Plasma 5.9 or the upcoming KDE Plasma 5.10 release.
  • Summer of Coding!
    After a month of dread and panicking about the fact that Google Summer of Code results are announced in the middle of exam season... I'm happy to say I'll be doing the Rust plugin for KDevelop!
  • Qt 5.9 Release Candidate Available For Testing
  • Qt 5.9.0 RC released
    We have released Qt 5.9.0 RC today. You can update to it on top of your Qt 5.9 beta(4) online installation or do a clean installation using the Qt online installer. Detailed instructions here: https://wiki.qt.io/How_to_get_snapshot_via_online_installer .
  • The Road to GTK+ 4 Continues, New Milestone Adds Initial OS X and Meson Support
    A new milestone was released recently, GTK+ 3.91.0, which adds quite a bunch of improvements and bug fixes, but also some new APIs and compatibility with other supported operating systems besides those based on the Linux kernel. For example, GTK+ 3.91.0 implements initial support for Apple's macOS platform, which will make it possible to run apps written in GTK+ 4 on OS X.
  • Epiphany Browser Updated for GNOME 3.25.2 with New Shortcuts for Switching Tabs
    Ahead of today's GNOME 3.25.2 desktop environment development release, the team of developers behind the Epiphany web browser have released the second milestone towards the Epiphany 3.26 stable series, due out later this year.

Red Hat News: Flatpak, CloudLinux, Red Hat Enterprise Linux (RHEL) 7.4