Security

Tails 2.10 Will Upgrade to Linux Kernel 4.8 and Tor 0.2.9, Add exFAT Support

A new stable release of Tails, the beloved anonymous Live CD that helps you stay hidden online when navigating various websites on the Internet, is being prepared.

Security News

  • How we secure our infrastructure: a white paper

    Trust in the cloud is paramount to any business who is thinking about using it to power their critical applications, deliver new customer experiences and house their most sensitive data. Today, we're issuing a white paper by our security team that details how security is designed into our infrastructure from the ground up.

    Google Cloud’s global infrastructure provides security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the internet and safe operation by administrators.

  • Google Infrastructure Security Design Overview [Ed: Google banned Windows internally]

    The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.

  • Microsoft Says Windows 7 Has Outdated Security, Wants You to Move to Windows 10 [Ed: all versions are insecure BY DESIGN]

    Windows 10 is now running on more than 20 percent of the world’s desktop computers, and yet, Microsoft’s bigger challenge isn’t necessarily to boost the market share of its latest operating system, but to convince those on Windows 7 to upgrade.

  • Debian GNU/Linux 8.7 Officially Released, Includes over 85 Security Updates

    If you're using Debian Stable (a.k.a. Debian GNU/Linux 8 "Jessie"), it's time to update it now. Why? Because Debian Project launched a new release, Debian GNU/Linux 8.7, which includes over 170 bug fixes and security updates.

  • CVS: cvs.openbsd.org: src

    Disable and lock Silicon Debug feature on modern Intel CPUs

Hide Complex Passwords in Plain Sight and Give Your Brain a Break

As far as people are concerned, there are essentially two types of passwords: the ones we can remember and the ones that are too complex for us to recall. We've learned the latter type is more secure, but it requires us to store impossible-to-memorize-password lists, creating a whole new set of problems. There are some clever tricks to help our brains out a bit, but for most of us the limit of our memory is regrettable. This tip offers a way to pull passwords from unexpected places using the Linux terminal.

(via DMT/Linux Blog)

Security Leftovers (Back Doors in WhatsApp/Facebook and Microsoft Windows)

  • The eight security backdoors that helped kill faith in security

    With the news of WhatsApp's backdoor granting Facebook and government agencies access to user messages, fears over users' privacy issues are sure to be at an all-time high for WhatsApp's 1 billion users.

    Backdoors in computing equipment are the stuff of legend. A decade ago a security expert informed me with absolute certainty that a prominent non-US networking company had designed them into its products for years as a matter of course as if nobody much cared about this fact. Long before the average citizen had heard the letters NSA, it struck me at the time as an extraordinary suggestion. It was almost as if the deliberate compromise of an important piece of network equipment was a harmless novelty.

  • Reported “backdoor” in WhatsApp is in fact a feature, defenders say

    The Guardian roiled security professionals everywhere on Friday when it published an article claiming a backdoor in Facebook's WhatsApp messaging service allows attackers to intercept and read encrypted messages. It's not a backdoor—at least as that term is defined by most security experts. Most would probably agree it's not even a vulnerability. Rather, it's a limitation in what cryptography can do in an app that caters to more than 1 billion users.

    At issue is the way WhatsApp behaves when an end user's encryption key changes. By default, the app will use the new key to encrypt messages without ever informing the sender of the change. By enabling a security setting, users can configure WhatsApp to notify the sender that a recently transmitted message used a new key.

    Critics of Friday's Guardian post, and most encryption practitioners, argue such behavior is common in encryption apps and often a necessary requirement. Among other things, it lets existing WhatsApp users who buy a new phone continue an ongoing conversation thread.

  • Security flaw leaves WhatsApp messages susceptible to man-in-the-middle attacks

    FLAWS in the way that WhatsApp deals with encryption keys leave users wide open to man-in-the-middle attacks, enabling third-parties to tap their communications.

    The flaw has been described as a "security back door" by The Guardian and privacy campaigners (not unlike the back doors that governments of various stripes have been trying to mandate on all internet communications by law), but more sober voices have described it as a minor bug and criticised The Guardian for going OTT.

    Nor is it new. Vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016.

    The security flaw relates to situations where encryption keys are dropped and have to be re-issued and re-sent. In certain circumstances, a third-party could exploit the bug to persuade the app to resend messages because the authenticity of re-issued keys is not verified in WhatsApp by default.

  • There's No Security Backdoor in WhatsApp, Despite Reports

    This morning, the Guardian published a story with an alarming headline: “WhatsApp backdoor allows snooping on encrypted messages.” If true, this would have massive implications for the security and privacy of WhatsApp’s one-billion-plus users. Fortunately, there’s no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian’s story is “major league fuckwittage.”

  • WhatsApp vulnerability allows snooping on encrypted messages

    A security vulnerability that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

    Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

  • Hacker group Shadow Brokers retires, dumps more code as parting gift

    The Shadow Brokers claimed to have held even more valuable cyber tools in reserve and offered to sell them to the highest bidder in an unorthodox public auction. On Thursday, they said their sales effort had been unsuccessful and were therefore ceasing operations. “So long, farewell peoples. The Shadow Brokers is going dark, making exit,” the group said according to a screenshot of the webpage posted Thursday on the news website CyberScoop.

  • Suspected NSA tool hackers dump more cyberweapons in farewell

    The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off -- but not before releasing another arsenal of tools that appear designed to spy on Windows systems.

  • Shadow Brokers announce retirement, leak NSA Windows Hacking tools as parting gift
  • The Shadow Brokers Leaves the Stage with a Gift of So-Called NSA-Sourced Hacking Tools
  • Shadow Brokers group bids adieu, dumps hacking tools before going silent
  • 'It Always Being About Bitcoins': Shadow Brokers Retire
  • Hacking Group 'ShadowBrokers' Release NSA Exploits, Then Go Dark

Security News

  • Security advisories for Friday
  • New Windows backdoor targets intelligence gathering

    New versions of the MM Core Windows backdoor are being used to provide a channel into victims' machines for the purpose of intelligence gathering, according to Carl Leonard, principal security analyst at Forcepoint Security Labs.

    The new versions were found by members of the Forcepoint investigations team.

    MM Core, which is also known as BaneChant, is a file-less advanced persistent threat which is executed in memory by a downloaded component. It was first reported in 2013 with the version 2.0-LNK and used the tag BaneChant in the network request sent to its command-and-control centre.

    A second version, 2.1-LNK, found shortly thereafter, had the network tag StrangeLove.

    Forcepoint researchers Nicholas Griffin and Roland Dela Paz, whose write-up on MM Core was provided to iTWire, said the two new versions they had found were 2.2-LNK (network tag BigBoss) and 2.3-LNK (SillyGoose).

  • Implementing Medical Device Cybersecurity: A Two-Stage Process

    Connectivity is ubiquitous – it’s moved beyond an overhyped buzzword and become part of life. Offering ever-advancing levels of access, control, and convenience, widespread connectivity also increases the risk of unauthorised interference in our everyday lives.

    In what many experts believe was a world first, manufacturer Johnson & Johnson recently issued a warning to patients on a cyber-vulnerability in one of its medical devices. The company announced that an insulin pump it supplies had a potential connectivity vulnerability. The wireless communication link the device used contained a potential exploit that could have been used by an unauthorised third party to alter the insulin dosage delivered to the patient.

  • Dockerfile security tuneup

    I recently watched 2 great talks on container security by Justin Cormack from Docker at Devoxx Belgium and Adrian Mouat from Container Solutions at GOTO Stockholm. We were following many of the suggestions but there was still room for improvement. So we decided it was a good time to do a security tuneup of our dockerfiles.

  • FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

    If you've been paying attention, you've probably noticed that the so-called Internet of Things isn't particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we've now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

    This isn't a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you'll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

    The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were "easy to secure" and delivered "advanced network security," yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link's hardware also frequently ships with easily-guessed default login credentials. This frequently allows "hackers" (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

Security News

  • Security updates for Wednesday
  • Third Party Patch Roundup – December 2016
  • The MongoDB hack and the importance of secure defaults

    If you have a MongoDB installation, now would be the time to verify that it is secure. Since just before Christmas, over 28,000 public MongoDB installs have been hacked. The attackers are holding the hacked data ransom, demanding companies pay using Bitcoins to get their data back. From the looks of it, at least 20 companies have given in and paid the ransom so far. This post explains the hack, how to protect yourself, and what we can learn from it.

  • Implantable Cardiac Devices Could Be Vulnerable to Hackers, FDA Warns

    Low-level hackers can play with your heart. Literally. Pacemakers, defibrillators and other devices manufactured by St. Jude Medical, a medical device company based in Minnesota, could have put patients’ lives at risk, the US Food & Drug Administration warned on Monday, the same day a new software patch was released to address these vulnerabilities.

    There are several confirmed vulnerabilities that could have granted hackers remote access to a person’s implanted cardiac device. Then, they could change the heart rate, administer shocks, or quickly deplete the battery. There hadn’t been any report of patient harm related to these vulnerabilities as of Monday, the FDA said.
