Tor Browser 7.0 is released

Filed under
Moz/FF
OSS
Security

The Tor Browser Team is proud to announce the first stable release in the 7.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release brings us up to date with Firefox 52 ESR which contains progress in a number of areas:

Most notably we hope having Mozilla's multiprocess mode (e10s) and content sandbox enabled will be one of the major new features in the Tor Browser 7.0 series, both security- and performance-wise. While we are still working on the sandboxing part for Windows (the e10s part is ready), both Linux and macOS have e10s and content sandboxing enabled by default in Tor Browser 7.0. In addition to that, Linux and macOS users have the option to further harden their Tor Browser setup by using only Unix Domain sockets for communication with tor.

Also: Firefox-Based Tor Browser 7.0 Officially Released for Anonymous Web Surfing

Microsoft Antitrust and Security Failures

Filed under
Microsoft
Security
  • Kaspersky sues Microsoft over claims Windows 10 is 'incompatible' with third-party AV

    In a sensational claim, Kaspersky says that a customer in France was told by a Microsoft representative that "Windows 10 is incompatible with third-party antivirus. It's a shame that you've spent money on a Kaspersky Lab product, but you can't reinstall it without running the risk of the appearance of new bugs."

  • Microsoft Targeted by Kaspersky Antitrust Complaint to EU

    Kaspersky sent a formal complaint to European Union and German antitrust regulators, saying “hurdles” created by Microsoft limit consumer choice and drive up the cost of security software.

  • If hacking {sic} back becomes law, what could possibly go wrong? [iophk: "any Windows machines even sending stray packet will then receive the full force of vault7+"]

    Representative Tom Graves, R-Ga., thinks that when anyone gets hacked {sic} -- individuals or companies -- they should be able to "fight back" and go "hunt for hackers {sic} outside of their own networks." The Active Cyber Defense Certainty ("ACDC") Act is getting closer to being put before lawmakers, and the congressman trying to make "hacking {sic} back" easy-breezy-legal believes it would've stopped the WannaCry ransomware.

  • Ransomware attack will count as data breach: security pro

    Ransomware attacks will be regarded as data breaches under Australia's new data breach legislation that comes into force on 22 February next year, according to the chief cyber security adviser at RSA.

Why you must patch the new Linux sudo security hole

Filed under
Linux
Security

If you want your Linux server to be really secure, you defend it with SELinux. Many sysadmins don't bother because SELinux can be difficult to set up. But, if you really want to nail down your server, you use SELinux. This makes the newly discovered Linux security hole -- with the sudo command that only hits SELinux-protected systems -- all the more annoying.

Security News: Microsoft Back Doors, Microsoft Lies, Microsoft Breakage, and Let’s Encrypt

Filed under
Security
  • Vietnamese hackers appear to be researching an NSA backdoor tool
  • EternalBlue NSA Exploit Becomes Commodity Hacking Tool, Spreads to Other Malware
  • Windows XP computers were mostly immune to WannaCry

    Windows XP isn’t as vulnerable to the WannaCry ransomware as many assumed, according to a new report from Kryptos research. The company’s researchers found that XP computers hit with the most common WannaCry attack tended to simply crash without successfully installing or spreading the ransomware. If true, the result would undercut much of the early reporting on Windows XP’s role in spreading the globe-spanning ransomware.

  • Whoops! Microsoft accidentally lets out a mobile-'bricking' OS update

    “A small portion” of Windows mobile users hoping the unexpected cool new update would start the month off the right way got burned yesterday. Microsoft “accidentally” released a development build of Windows 10 that can transform your phone into jelly if you try to install it.

    “We apologize for this inconvenience,” said Microsoft Windows and Devices Group software engineer Dona Sarkar in a blog post last night.

  • This is why Windows users don't install updates

    Although I use Linux for all day-to-day computing, I have two old laptops with Windows XP licenses, and I have them configured to dual-boot Windows or Linux. Every now and then I need to run a Windows application that won't work under Linux; they're handy then. And even though Windows XP support ended long ago, Microsoft decided to make a patch for the WannaCrypt worm available for XP.

  • "Foreign" denial-of-service attacks shut down social insurance sites

    The Social Insurance Institution (Kela) has been hit by a series of distributed denial-of-service (DDoS) attacks that crashed some of its online services on Friday and Saturday. Kela says it will provide more information as it becomes available. The state social services agency suffered disruptions for two and a half hours on Friday evening and for about four hours on Saturday.

  • [Older] Ping is okay? – Right?

    Of course, preventing covert channels using ICMP/DNS etc. is a good idea in general. But often in modern networks today there are so many other ways of getting data in and out of a network that using an ICMP tunnel is something attackers often do not need to do.

  • Creating a TXT only nsupdate connection for Let’s Encrypt

    I’m in the process of designing my own centralized Let’s Encrypt solution.

Security News

Filed under
Security
  • Vault 7: Implant can remotely infect Windows boxes

    WikiLeaks has resumed its release of material from the Vault 7 dump after missing a week, with the overnight release of documents from the CIA's Pandemic project, a persistent implant for Microsoft Windows machines that share files with remote users in a local network.

  • Why the Chinese love clunky QR codes, despite privacy and security shortcomings

    But one other aspect has become more of an issue. After $14.5 million was stolen from Chinese citizens through the use of fraudulent QR codes, the state-owned newspaper China Daily published an op-ed on the topic of QR fraud [...]

  • [Older] Code Blue: 8k Vulnerabilities in Software to manage Cardiac Devices

    The analysis of hardware and software associated with implantable cardiac devices spanned four, separate vendors and product families, but found a wide range of security weaknesses, among them the use of permanent (or “hardcoded”) authentication credentials like user names and passwords and the use of insecure communications, with one vendor transmitting patient data “in the clear.” All four product families were found to be highly susceptible to “reverse engineering” by a knowledgeable adversary, exposing design flaws that might then be exploited in remote or local attacks, researchers Billy Rios of Whitescope and Dr. Jonathan Butts wrote in their report.

  • [Older] 'Thousands' of known bugs found in pacemaker code

    They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems.

    Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic.

  • European IT security talents preparing for contest

    Teams of budding IT security specialists have begun preparing for the European Cyber Security Challenge (ECSC). The 150 winners from national competitions will gather for the final tournament, to be held in Málaga (Spain) from 30 October - 3 November. This year teams from 12 EU Member States and the EFTA countries Liechtenstein, Norway and Switzerland are participating in the hacking contest.

  • Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?

    Clark argues that we've already figured out how to standardize our relationships with automobiles, with mandated regular inspection, maintenance and repairs governed by manufacturer recalls, DOT highway maintenance, and annual owner-obligated inspections. As such, she suggests similar requirements be imposed on internet-connected devices [...]

Security News: “Pandemic” for Windows, WannaCry, and Linux 'Flaw'

Filed under
Microsoft
Security
  • WikiLeaks says CIA’s “Pandemic” turns servers into infectious Patient Zero

    "Pandemic," as the implant is codenamed, turns file servers into a secret carrier of whatever malware CIA operatives want to install, according to documents published Thursday by WikiLeaks. When targeted computers attempt to access a file on the compromised server, Pandemic uses a clever bait-and-switch tactic to surreptitiously deliver a malicious version of the requested file. The Trojan is then executed by the targeted computers. A user manual said Pandemic takes only 15 seconds to be installed. The documents didn't describe precisely how Pandemic would get installed on a file server.

  • WannaCry: Can Linux save us?

    The idea is simple: if you don’t have the money to upgrade to the latest Windows operating system, move to Linux, because piracy and price issues are antithetical to the world of Linux. Linux based operating systems are mostly free to use. Even the enterprise solutions, like Ubuntu Server, OpenSuse Linux Enterprise, and Red Hat Enterprise, come at a fraction of what Microsoft charges. So, the inability to update/upgrade arising out of piracy/price issues is ruled out.

  • Opsec for a world where the laptop ban goes global

    If the Trump administration makes good on its promise to pack all potentially explosive laptops together in a blast-multiplying steel case in the plane's hold, it will be good news for would-be bombers -- and bad news for your data security.

  • How to protect Samba from the SambaCry exploit
  • The Linux Virus: how it can be

    Downloaded the virus for Linux.

    Unzipped it.

    Installed it under root.

    It didn't start. Spent 2 hours googling. Realised that the virus, instead of /usr/local/bin, installed itself into /usr/bin, where user malware does not have write permissions. That's why the virus could not create a process file.

Security Leftovers

Filed under
Security
  • Could Firmware Expiration Dates Fix The Internet Of Broken Things...Before People Get Hurt?
  • Hacking and Linux Go Together Like 2 Keys in a Key Pair

    Ever since taking an interest in Linux, with the specific aim of better understanding and enhancing my personal digital security, I have been fascinated by hacker conferences. As soon as I learned of their existence, I made a point of keeping tabs on the major conferences so I could browse through the latest videos in their archive once each one wraps up.

  • Backend Servers for 1,000 Apps Expose Terabytes of User Data

    There are 1,000 apps available for download today that, despite not containing any malware or featuring glaring vulnerabilities, communicate with and store data on improperly secured backend servers, exposing user data along the way.

    This is the conclusion of an investigation conducted by mobile security experts from Appthority for their 2017 Q2 Enterprise Mobile Threat Report.

    The company's experts say they've analyzed the backend connections of 1,000 mobile apps to see if they connect to publicly-accessible servers.

  • Pandemic

    Today, June 1st 2017, WikiLeaks publishes documents from the "Pandemic" project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network. "Pandemic" targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine. To obfuscate its activity, the original file on the file server remains unchanged; it is only modified/replaced while in transit from the pandemic file server before being executed on the computer of the remote user. The implant allows the replacement of up to 20 programs with a maximum size of 800 MB for a selected list of remote users (targets).

  • 7 Popular WordPress Security Myths

    Because of its incredible popularity as a platform, WordPress enjoys a sizable, generous community of users that spend their time sharing information, resources, tips and insights with other WordPress users online. Understandably, online security is at the forefront of concerns for many site owners, and a lot of the online conversation about WordPress centers around the best ways to keep your site safe from hackers and security breaches. Despite the best of intentions from most users, there are a few myths surrounding WordPress security that persist and spread like wildfire, even if the recommendations they make don’t do anything to keep your site safe.

Security Leftovers

Filed under
Security
  • Tech pro cautions on attribution of cyber attacks
  • Cyber crime to cost business US$8 trillion: Juniper

    The report, by Juniper Research, also forecasts that the number of personal data records stolen by cyber criminals will reach 2.8 billion in 2017, and almost double to 5 billion in 2020.

  • Russian Hackers Are Using Google’s Own Infrastructure to Hack Gmail Users

    The “Change Password” button linked to a short URL from the Tiny.cc link shortener service, a Bitly competitor. But the hackers cleverly disguised it as a legitimate link by using Google’s Accelerated Mobile Pages, or AMP. This is a service hosted by the internet giant that was originally designed to speed up web pages on mobile, especially for publishers. In practice, it works by creating a copy of a website’s page on Google’s servers, but it also acts as an open redirect.

  • The sudo tty bug and procps
  • Improving Linux Security with DevSecOps

    Ask people who run IT departments these days what keeps them up at night, and they'll probably tell you it's security—or the lack of it. With the explosive growth of malicious attacks on everything from hospitals to Fortune 500s, security—not hardware, software and even staff—is what currently makes life miserable.

    That's why organizations of all sizes are looking to change fundamentally how they do security. It's no longer a single team's job to make sure systems are secure and internal auditing is good enough to identify and mitigate attacks. Today, everyone is responsible for security, which is the guiding principle of DevSecOps.

    Just as in DevOps, which aims to speed the development of software by improving collaboration and balancing the competing interests of operations teams and developers, DevSecOps seeks to get everyone thinking about security together and up front. Trying to bake in security after systems are built and code is deployed is simply too late.

Security Leftovers

Filed under
Security
  • Stealing from customers

    Now let's think about insurance. Just like loss prevention insurance, cybersecurity insurance isn't there to protect customers. It exists to help protect the company from the losses of an attack. If customer data is stolen the customers are not really covered, in many instances there's nothing a customer can do. It could be impossible to prove your information was stolen, even if it gets used somewhere else can you prove it came from the business in question?

    After spending some time on the question of what if insurance covered the customers, I realize how hard this problem is to deal with. While real world customer theft isn't very common and it's basically not covered, there's probably no hope for information. It's so hard to prove things beyond a reasonable doubt and many of our laws require actual harm to happen before any action can be taken. Proving this harm is very very difficult. We're almost certainly going to need new laws to deal with these situations.

  • Microsoft patched more Malware Protection Engine bugs last week

    Project Zero's Mateusz Jurczyk didn't turn up just one “crazy bad” bug: while the new bugs are all named either “Microsoft Malware Protection Engine Denial of Service Vulnerability” or “Microsoft Malware Protection Engine Remote Code Execution Vulnerability”, there are eight individual bugs covered in Microsoft's announcement.

  • Security is hard ..

    The most recent print I had made was a collection of display cases, for holding an OLED display, as well as an ESP8266 device.

    Unfortunately at the same time as I was falling in love with the service I discovered a glaring XSS attack against the site itself.

  • WhiteEgret: New Linux Security Module For Execution Whitelisting

    WhiteEgret is the name of a new Linux Security Module (LSM) in development by Toshiba to limit what your system can execute via a whitelist.

  • Reproducible Builds: week 109 in Stretch cycle

More in Tux Machines

OSS Leftovers

  • How Open Source Tech Helps Feds Solve Workforce Turnover Issues
    Just as a mainframe from decades ago might be ready for retirement, the IT staff who originally procured and installed that system might also be preparing for a new phase in their lives. It’s up to the current and next generation of government IT employees to prepare for that eventuality, but there are indications they may not be ready, despite evidence that older IT professionals are retiring or will soon be leaving their positions. Unfortunately, a skills gap exists even among younger generation IT workers. Agencies are scrambling to find personnel with expertise in cloud service management, cybersecurity, technical architecture and legacy technologies, such as common business-oriented language (COBOL) and mainframes, among other areas. At the same time that many workers are getting ready to retire, leaving behind a wealth of knowledge, many younger IT professionals are struggling to gain the knowledge they will need to take their agencies into the future.
  • Introducing Fn: “Serverless must be open, community-driven, and cloud-neutral”
    Fn, a new serverless open source project was announced at this year’s JavaOne. There’s no risk of cloud lock-in and you can write functions in your favorite programming language. “You can make anything, including existing libraries, into a function by packaging it in a Docker container.” We invited Bob Quillin, VP for the Oracle Container Group to talk about Fn, its best features, next milestones and more.
  • Debian seminar in Yokohama, 2017/11/18
    I attended the Tokyo area Debian seminar #157. The day’s special guest was Chris Lamb, the Debian Project Leader in 2017. He had attended the Open Compliance Summit, so we invited him as our guest.
  • Overclock Labs bets on Kubernetes to help companies automate their cloud infrastructure
    Overclock Labs wants to make it easier for developers to deploy and manage their applications across clouds. To do so, the company is building tools to automate distributed cloud infrastructure and, unsurprisingly, it is betting on containers — and specifically the Kubernetes container orchestration tools — to do this. Today, Overclock Labs, which was founded two years ago, is coming out of stealth and announcing that it raised a $1.3 million seed round from a number of Silicon Valley angel investors and CrunchFund — the fund that shares a bit of its name and history with TechCrunch but is otherwise completely unaffiliated with the blog you are currently reading.
  • MariaDB Energizes the Data Warehouse with Open Source Analytics Solution
    MariaDB® Corporation, the company behind the fastest growing open source database, today announced new product enhancements to MariaDB AX, delivering a modern approach to data warehousing that enables customers to easily perform fast and scalable analytics with better price performance over proprietary solutions. MariaDB AX expands the highly successful MariaDB Server, creating a solution that enables high performance analytics with distributed storage and parallel processing, and that scales with existing commodity hardware on premises or across any cloud platform. With MariaDB AX, data across every facet of the business is transformed into meaningful and actionable results.
  • AT&T Wants White Box Routers with an Open Operating System [Ed: AT&T wants to openwash its surveillance equipment]
    AT&T says it’s not enough to deploy white box hardware and to orchestrate its networks with the Open Network Automation Platform (ONAP) software. “Each individual machine also needs its own operating system,” writes Chris Rice, senior vice president of AT&T Labs, Domain 2.0 Architecture, in a blog post. To that end, AT&T announced its newest effort — the Open Architecture for a Disaggregated Network Operating System (dNOS).
  • Intel Lands Support For Vector Neural Network Instructions In LLVM
  • p2k17 Hackathon report: Antoine Jacoutot on ports+packages progress
  • GCC 8 Feature Development Is Over
    Feature development on the GCC 8 compiler is over with it now entering stage three of its development process. SUSE's Richard Biener announced minutes ago that GCC 8 entered stage three development, meaning only general bug fixing and documentation updates are permitted.
  • 2018 Is The Year For Open Source Software For The Pentagon
  • Open-source defenders turn on each other in 'bizarre' trademark fight sparked by GPL fall out
    Two organizations founded to help and support developers of free and open-source software have locked horns in public, betraying a long-running quarrel rumbling mostly behind the scenes. On one side, the Software Freedom Law Center, which today seeks to resolve licensing disputes amicably. On the other, the Software Freedom Conservancy, which takes a relatively harder line against the noncompliance of licensing terms. The battleground: the, er, US Patent and Trademark Office. The law center has demanded the cancellation of a trademark held by the conservancy.
  • Open Source Underwater Glider: An Interview with Alex Williams, Grand Prize Winner
    Alex Williams pulled off an incredible engineering project. He developed an Autonomous Underwater Vehicle (AUV) which uses a buoyancy engine rather than propellers as its propulsion mechanism and made the entire project Open Source and Open Hardware.

Programming Leftovers

Security: Linux, Free Software Principles, Microsoft and Intel

  • Some 'security people are f*cking morons' says Linus Torvalds
    Linux overlord Linus Torvalds has offered some very choice words about different approaches to security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel. Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously accused of idiocy. Cook earned this round of shoutiness after he posted a request to “Please pull these hardened usercopy changes for v4.15-rc1.”
  • Free Software Principles
    Ten thousand dollars is more than $3,000, so the motives don't add up for me. Hutchins may or may not have written some code, and that code may or may not have been used to commit a crime. Tech-literate people, such as the readers of Linux Magazine, understand the difference between creating a work and using it to commit a crime, but most of the media coverage – in the UK, at least – has been desperate to follow the paradigm of building a man up only to gleefully knock him down. Even his achievement of stopping WannaCry is decried as "accidental," a word full of self-deprecating charm when used by Hutchins, but which simply sounds malicious in the hands of the Daily Mail and The Telegraph.
  • New warning over back door in Linux
    Researchers working at Russian cyber security firm Dr Web claim to have found a new vulnerability that enables remote attackers to crack Linux installations virtually unnoticed. According to the anti-malware company, cyber criminals are getting into the popular open-source operating system via a new backdoor. This, they say, is "indirect evidence" that cyber criminals are showing an increasing interest in targeting Linux and the applications it powers. The trojan, which it's calling Linux.BackDoor.Hook.1, targets the library libz primarily. It offers compression and extraction capabilities for a plethora of Linux-based programmes.
  • IN CHATLOGS, CELEBRATED HACKER AND ACTIVIST CONFESSES COUNTLESS SEXUAL ASSAULTS
  • Bipartisan Harvard panel recommends hacking [sic] safeguards for elections
    The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.

  • Intel Chip Flaws Leave Millions of Devices Exposed
    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.

Debian Buster-Based SparkyLinux 5 Development Version Adds Full Disk Encryption

Shipping a few days after the release of SparkyLinux 4.7 "Tyche" stable operating system based on Debian GNU/Linux 9 "Stretch," the SparkyLinux 5-dev20171120 development build includes up-to-date packages based on the repositories of the upcoming Debian GNU/Linux 10 "Buster" operating system. Apart from rebasing the operating system on the latest Debian Testing repos as of November 20, 2017, the new SparkyLinux 5 development images are the first to enable full disk encryption by default in the Calamares graphical installer, as you can see from the screenshots attached at the end of the article.