Security

Security News

Filed under
Security
  • Security updates for Thursday
  • Risk From Linux Kernel Hidden in Windows 10 Exposed at Black Hat [Ed: "Alex Ionescu, chief architect at Crowdstrike" - well, enough says. CrowdStrike Microsoft-tied. CrowdStrike are the same chronic liars who recently accused Russia of DNC leaks despite lack of evidence. The corporate press cited them. How can GNU and Linux running under a piece of malware with keyloggers and back doors be the main security concern?]
  • Italian-based Android RAT spies on mobiles in Japan and China, say researchers

    Researchers discover an Italian-based Android RAT designed for spying that is targeting mobile devices using their unique identification codes

  • keysafe

    Have you ever thought about using a gpg key to encrypt something, but didn't due to worries that you'd eventually lose the secret key? Or maybe you did use a gpg key to encrypt something and lost the key. There are nice tools like paperkey to back up gpg keys, but they require things like printers, and a secure place to store the backups.

    I feel that simple backup and restore of gpg keys (and encryption keys generally) is keeping some users from using gpg. If there was a nice automated solution for that, distributions could come preconfigured to generate encryption keys and use them for backups etc. I know this is a missing piece in the git-annex assistant, which makes it easy to generate a gpg key to encrypt your data, but can't help you back up the secret key.

    So, I'm thinking about storing secret keys in the cloud. Which seems scary to me, since when I was a Debian Developer, my gpg key could have been used to compromise millions of systems. But this is not about developers, it's about users, and so trading off some security for some ease of use may be appropriate. Especially since the alternative is no security. I know that some folks back up their gpg keys in the cloud using Dropbox. We can do better.

More Security News

Filed under
Security
  • Kaminsky Warns Black Hat Audience of Risks to the Internet
  • Severe vulnerabilities discovered in HTTP/2 protocol
  • ChaosKey v1.0 Released — USB Attached True Random Number Generator

    Support for this device is included in Linux starting with version 4.1. Plug ChaosKey into your system and the driver will automatically add entropy into the kernel pool, providing a constant supply of true random numbers to help keep the system secure.

    ChaosKey is free hardware running free software, built with free software on a free operating system.

  • Changes for GnuPG in Debian

    The GNU Privacy Guard (GnuPG) upstream team maintains three branches of development: 1.4 ("classic"), 2.0 ("stable"), and 2.1 ("modern").

    They differ in various ways: software architecture, supported algorithms, network transport mechanisms, protocol versions, development activity, co-installability, etc.

    Debian currently ships two versions of GnuPG in every maintained suite -- in particular, /usr/bin/gpg has historically always been provided by the "classic" branch.

    That's going to change!

    Debian unstable will soon be moving to the "modern" branch for providing /usr/bin/gpg. This will give several advantages for Debian and its users in the future, but it will require a transition. Hopefully we can make it a smooth one.

Security Leftovers

Filed under
Security
  • Kaspersky Lab Launches Bug Bounty Program With HackerOne

    The security firm allocates $50,000 to pay security researchers for responsibly disclosing flaws in its security products.
    Kaspersky Lab is no stranger to the world of vulnerability research, but the company is now opening up and enabling third-party security researchers to disclose vulnerabilities about Kaspersky's own software.

  • Reproducible builds for PaX/Grsecurity

    A series of scripts has been created to do reproducible builds of the Linux kernel with the PaX/Grsecurity patch set.

    Thanks to:

    PaX/Grsecurity
    Debian GNU/Linux Community
    Shawn C (a.k.a. “Citypw”)
    Linux From Scratch

    Without the contributions of these projects, communities and people, the scripts could not have been accomplished.

  • Four flaws in HTTP/2 could bring down web servers

    Security researchers have uncovered at least four flaws in the HTTP/2 protocol, the successor to HTTP that was launched properly only in May last year, after Google rolled up its SPDY project into HTTP/2 in February.

    The flaws enable attackers to slow web servers by overwhelming them with seemingly innocent messages that carry a payload of gigabytes of data, putting them into infinite loops and even causing them to crash.

    The HTTP/2 protocol can be divided into three layers: the transmission layer, including streams, frames and flow control; the HPACK binary encoding and compression protocol; and the semantic layer, which is an enhanced version of HTTP/1.1 enriched with server-push capabilities.

Security News

Filed under
Security
  • Security Issue in Windows leaks Login Data [Ed: designed for back door access]

    An issue in all Windows systems might leak the user’s Windows login and password information. This is especially critical if the user is using a Microsoft account because this is linked to a number of other services the user may be using.

  • Get ready for an Internet of Things disaster, warns security guru Bruce Schneier

    Security guru Bruce Schneier, the author of multiple encryption algorithms, founder of security company Counterpane, and former chief technology officer of BT Managed Security Solutions, has warned that the 'craze' for connecting devices to the internet with little thought about security will result in a major disaster.

    Schneier warned that "integrity and availability threats" are much worse than "confidentiality threats" with devices connected to the internet.

    "It's one thing if your smart door lock can be eavesdropped upon to know who is home. It's another thing entirely if it can be hacked to allow a burglar to open the door - or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car's location," Schneier wrote.

    He continued: "With the advent of the Internet of Things and cyber-physical systems in general, we've given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete."

  • New Presidential Directive on Incident Response

    Last week, President Obama issued a policy directive (PPD-41) on cyber-incident response coordination. The FBI is in charge, which is no surprise. Actually, there's not much surprising in the document. I suppose it's important to formalize this stuff, but I think it's what happens now.

  • Kazakh dissidents and lawyers hit by cyber attacks: researchers

    Hackers believed to be working on behalf of Kazakhstan government officials tried to infect lawyers and other associates of exiled dissidents and publishers with spyware, according to a report to be presented at this week's Black Hat security conference in Las Vegas.

    The hacking campaign was part of a complicated tale that also involved physical surveillance and threats of violence - a rare instance of cyber attacks coming alongside real-world crimes.

    It is also unusual in that the campaign involved an Indian company that was apparently hired by the hackers, and it targeted Western lawyers along with alleged opponents of the Kazakh government.

    A spokesman at the Kazakhstan embassy in Washington did not respond to emailed questions.

  • Bruce Schneier: major IoT disaster could happen at any time

    The craze for connecting anything and everything and controlling it over the internet will result in a major disaster without better built-in security, according to security expert Bruce Schneier.

    Furthermore, if secret services really are trying to influence elections by hacking the systems of political parties and releasing embarrassing emails, they will almost certainly attempt to hack into the increasing number of internet-connected voting machines for the same ends.

    Schneier is the author of multiple encryption algorithms, founder of security company Counterpane, and former chief technology officer of BT Managed Security Solutions.

    "It's one thing if your smart door lock can be eavesdropped on to know who is home. It's another thing entirely if it can be hacked to allow a burglar to open the door or prevent you opening your door," Schneier wrote in an article published by Motherboard.

  • Linux botnets on the rise, says Kaspersky DDoS report [Ed: Kaspersky marketing with dramatic and misleading headlines]
  • Hackers break into Telegram, revealing 15 million users’ phone numbers

    Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

    The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

    Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s WhatsApp, say they have similar capabilities.

Tor 0.2.8.6

Filed under
Software
OSS
Security
Debian
  • Tor 0.2.8.6 is released

    Hi, all! After months of work, a new Tor release series is finally stable.

  • Tor browser a bit too unique?

    Ok, this is scary: tor browser on https://browserprint.info/test -- "Your browser fingerprint appears to be unique among the 8,440 tested so far. Currently, we estimate that your browser has a fingerprint that conveys 13.04 bits of identifying information."

  • Debian Project Enhances the Anonymity and Security of Debian Linux Users via Tor

    The Debian Project, through Peter Palfrader, announced recently that its services and repositories for the Debian GNU/Linux operating system would be accessible through the Tor network.

    To further enhance the anonymity and security of users, both when accessing any of the Debian online services, such as the Debian website or wiki, and when using the Debian GNU/Linux operating system, the Debian Project has partnered with the Tor Project to enable Tor onion services for many of its services.

Gentoo-Based Pentoo 2015.0 Linux Distro for Ethical Hackers Gets New RC Release

Filed under
Gentoo
Security

The Pentoo Linux development team proudly announces today, August 2, 2016, the availability for download of the fifth Release Candidate (RC) build towards the Pentoo 2015.0 GNU/Linux operating system.

We don't write so often about the Pentoo GNU/Linux operating system because new releases are being made available to the public online when a new DEF CON event (the world's largest annual hacker convention) is taking place. So yes, it's now a tradition to see a new Pentoo release around a DEF CON conference.

Security Leftovers

Filed under
Security

Kaspersky Selling His Snake Oil

Filed under
GNU
Linux
Security