Language Selection

English French German Italian Portuguese Spanish

Security

The 6 Best Free Dropbox Alternatives for Linux

Filed under
OSS
Security

SpiderOak is an encrypted cloud storage service that gives access to your data while making use of its integrated group chat and secure file sharing features. Compared to Dropbox, however, it offers only 2 GB to free users and 100 GB to pro.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Security Tips for Installing Linux on Your SysAdmin Workstation

    Once you’ve chosen a Linux distro that meets all the security guidelines set out in our last article, you’ll need to install the distro on your workstation.

  • Fedora 26 crypto policy Test Day today (2017-03-30)!
  • Open-source developers targeted in sophisticated malware attack

    For the past few months, developers who publish their code on GitHub have been targeted in an attack campaign that uses a little-known but potent cyberespionage malware.

    The attacks started in January and consisted of malicious emails specifically crafted to attract the attention of developers, such as requests for help with development projects and offers of payment for custom programming jobs.

    The emails had .gz attachments that contained Word documents with malicious macro code attached. If allowed to execute, the macro code executed a PowerShell script that reached out to a remote server and downloaded a malware program known as Dimnie.

  • A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense

    When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems (CSCO.O) swung into action.

    The Wikileaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco's widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

    Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

  • NTPsec: a Secure, Hardened NTP Implementation

    Network time synchronization—aligning your computer's clock to the same Universal Coordinated Time (UTC) that everyone else is using—is both necessary and a hard problem. Many internet protocols rely on being able to exchange UTC timestamps accurate to small tolerances, but the clock crystal in your computer drifts (its frequency varies by temperature), so it needs occasional adjustments.

    That's where life gets complicated. Sure, you can get another computer to tell you what time it thinks it is, but if you don't know how long that packet took to get to you, the report isn't very useful. On top of that, its clock might be broken—or lying.

    To get anywhere, you need to exchange packets with several computers that allow you to compare your notion of UTC with theirs, estimate network delays, apply statistical cluster analysis to the resulting inputs to get a plausible approximation of real UTC, and then adjust your local clock to it. Generally speaking, you can get sustained accuracy to on the close order of 10 milliseconds this way, although asymmetrical routing delays can make it much worse if you're in a bad neighborhood of the internet.

  • Zelda Coatings

    I assume that every permutation of scams will eventually be tried; it is interesting that the initial ones preyed on people's avarice and dishonesty: "I will transfer millions to your bank account, then you share with me" - with subsequent scams appealing to another demographic: "I want to donate a large sum to your religious charity" - to perhaps capture a more virtuous but still credulous lot. Where will it end ?

Security Leftovers

Filed under
Security
  • Someone is putting lots of work into hacking Github developers [Ed: Dan Goodin doesn't know that everything is under attack and cracking attempts just about all the time?]

    Open-source developers who use Github are in the cross-hairs of advanced malware that has steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

  • Security Orchestration and Incident Response

    Technology continues to advance, and this is all a changing target. Eventually, computers will become intelligent enough to replace people at real-time incident response. My guess, though, is that computers are not going to get there by collecting enough data to be certain. More likely, they'll develop the ability to exhibit understanding and operate in a world of uncertainty. That's a much harder goal.

    Yes, today, this is all science fiction. But it's not stupid science fiction, and it might become reality during the lifetimes of our children. Until then, we need people in the loop. Orchestration is a way to achieve that.

Security News

Filed under
Security
  • Security updates for Wednesday
  • Cisco learned from Wikileaks that the CIA had hacked its systems

    When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems swung into action.

    The Wikileaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco's widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

  • Exposed files on Microsoft's document-sharing site

    Confidential documents, passwords and health data have been inadvertently shared by firms using Microsoft's Office 365 service, say researchers.

    The sensitive information was found via a publicly available search engine that is part of Office 365.

    Security researchers said many firms mistakenly thought documents would only be shared with colleagues not globally.

    Microsoft said it would "take steps" to change the service and remove the sensitive data.

  • Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware

    The US Department of Justice announced yesterday that Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty for his role in the creation of the Ebury malware and for maintaining its infamous botnet.

    US authorities indicted Senakh in January 2015, and the law enforcement detained the hacker in Finland in August of the same year.

  • Changes coming to TLS: Part One

    Transport layer Security version 1.3 (TLS 1.3) is the latest version of the SSL/TLS protocol which is currently under development by the IETF. It offers several security and performance improvements as compared to the previous versions. While there are several technical resouces which discuss the finer aspects of this new protocol, this two-part article is a quick reference to new features and major changes in the TLS protocol.

Security Leftovers

Filed under
Security
  • How To Improve The Linux System’s Security Using Firejail

    As you already know, Linux kernel is secure by default. But, it doesn’t mean that the softwares on the Linux system are completely secure. Say for example, there is a possibility that any add-ons on your web browser may cause some serious security issues. While doing financial transactions over internet, some key logger may be active in browser which you are not aware of. Even though, we can’t completely give the bullet-proof security to our Linux box, we still can add an extra pinch of security using an application called Firejail. It is a security utility which can sandbox any such application and let it to run in a controlled environment. To put this simply, Firejail is a SUID (Set owner User ID up on execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.

  • “Httpd and Relayd Mastery” off to copyedit
  • Kalyna Block Cipher

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • FedEx Will Pay You $5 to Install Flash on Your Machine

    FedEx is making you an offer you can’t afford to accept. It’s offering to give you $5 (actually, it’s a discount on orders over $30) if you’ll just install Adobe Flash on your machine.

    Nobody who knows anything about online security uses Flash anymore, except when it’s absolutely necessary. Why? Because Flash is the poster child for the “security-vulnerability-of-the-hour” club — a group that includes another Adobe product, Acrobat. How unsafe is Flash? Let’s put it this way: seven years ago, Steve Jobs announced that Flash was to be forever banned from Apple’s mobile products. One of the reasons he cited was a report from Symantec that “highlighted Flash for having one of the worst security records in 2009.”

    Flash security hasn’t gotten any better since.

  • Every once in a while someone suggests to me that curl and libcurl would do better if rewritten in a “safe language”
  • An insecure dishwasher has entered the IoT war against humanity

    Regel says that he has contacted Miele on a number of occasions about the issue, but had failed to get a response to his missives, and this has no updated information on the vulnerability.

    He added, bleakly that "we are not aware of an actual fix."

  • Monday Witness: It's Time to Reconize a Civil Right Not to be Connected

    Along with death and taxes, two things appear inevitable. The first is that Internet of Things devices will not only be built into everything we can imagine, but into everything we can't as well. The second is that IoT devices will have wholly inadequate security, if they have any security at all. Even with strong defenses, there is the likelihood that governmental agencies will gain covert access to IoT devices anyway.

    What this says to me is that we need a law that guarantees consumers the right to buy versions of products that are not wirelessly enabled at all.

  • Remember kids, if you're going to disclose, disclose responsibly!

    If you pay any attention to the security universe, you're aware that Tavis Ormandy is basically on fire right now with his security research. He found the Cloudflare data leak issue a few weeks back, and is currently going to town on LastPass. The LastPass crew seems to be dealing with this pretty well, I'm not seeing a lot of complaining, mostly just info and fixes which is the right way to do these things.

Security Leftovers

Filed under
Security
  • NSA: We Disclose 90% of the Flaws We Find

    In the wake of the release of thousands of documents describing CIA hacking tools and techniques earlier this month, there has been a renewed discussion in the security and government communities about whether government agencies should disclose any vulnerabilities they discover. While raw numbers on vulnerability discovery are hard to come by, the NSA, which does much of the country’s offensive security operations, discloses more than nine of every 10 flaws it finds, the agency’s deputy director said.

  • EFF Launches Community Security Training Series

    EFF is pleased to announce a series of community security trainings in partnership with the San Francisco Public Library. High-profile data breaches and hard-fought battles against unlawful mass surveillance programs underscore that the public needs practical information about online security. We know more about potential threats each day, but we also know that encryption works and can help thwart digital spying. Lack of knowledge about best practices puts individuals at risk, so EFF will bring lessons from its comprehensive Surveillance Self-Defense guide to the SFPL.

    [...]

    With the Surveillance Self-Defense project and these local events, EFF strives to help make information about online security accessible to beginners as well as seasoned techno-activists and journalists. We hope you will consider our tips on how to protect your digital privacy, but we also hope you will encourage those around you to learn more and make better choices with technology. After all, privacy is a team sport and everyone wins.

  • NextCloud, a security analysis

    First, I would like to scare everyone a little bit in order to have people appreciate the extent of this statement.

    As the figure that opens the post indicates, there are thousands of vulnerable Owncloud/NextCloud instances out there. It will surprise many just how easy is to detect those by trying out common URL paths during an IP sweep.

  • FedEx will deliver you $5.00 just to install Flash

    Bribes on offer as courier's custom printing service needs Adobe's security sinkhole

Syndicate content

More in Tux Machines

Oracle: New VirtualBox 5.2 Beta, SPARC M8 Processors Launched

  • VirtualBox 5.2 to Let Users Enable or Disable Audio Input and Output On-the-Fly
    Oracle announced new updates for its popular, cross-platform and open-source virtualization software, the third Beta of the upcoming VirtualBox 5.2 major release and VirtualBox 5.1.28 stable maintenance update. We'll start with the stable update, VirtualBox 5.1.28, as it's more important for our readers using Oracle VM VirtualBox for all of their virtualization needs. The VirtualBox 5.1 maintenance release 28 is here to improve audio support by fixing various issues with both the ALSA and OSS backends, as well as an accidental crash with AC'97.
  • SPARC M8 Processors Launched
    While Oracle recently let go of some of their SPARC team, today marks the launch of the SPARC M8. The initial SPARC M8 line-up includes the T8-1, T8-2, T8-4. M8-8, and SuperCluster M8-8 servers.

Wikileaks Releases Spy Files Russia, CCleaner Infected, Equifax Has a Dirty Little Secret

  • Spy Files Russia
    This publication continues WikiLeaks' Spy Files series with releases about surveillance contractors in Russia. While the surveillance of communication traffic is a global phenomena, the legal and technological framework of its operation is different for each country. Russia's laws - especially the new Yarovaya Law - make literally no distinction between Lawful Interception and mass surveillance by state intelligence authorities (SIAs) without court orders. Russian communication providers are required by Russian law to install the so-called SORM ( Система Оперативно-Розыскных Мероприятий) components for surveillance provided by the FSB at their own expense. The SORM infrastructure is developed and deployed in Russia with close cooperation between the FSB, the Interior Ministry of Russia and Russian surveillance contractors.
  • Malware-Infected CCleaner Installer Distributed to Users Via Official Servers for a Month
    Hackers have managed to embed malware into the installer of CCleaner, a popular Windows system optimization tool with over 2 billion downloads to date. The rogue package was distributed through official channels for almost a month. CCleaner is a utilities program that is used to delete temporary internet files such as cookies, empty the Recycling Bin, correct problems with the Windows Registry, among other tasks. First released in 2003, it has become hugely popular; up to 20 million people download it per month. Users who downloaded and installed CCleaner or CCleaner Cloud between Aug. 15 and Sept. 12 should scan their computers for malware and update their apps. The 32-bit versions of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected.
  • Equifax Suffered a Hack [sic] Almost Five Months Earlier Than the Date It Disclosed
  • This is why you shouldn’t use texts for two-factor authentication

    For a long time, security experts have warned that text messages are vulnerable to hijacking — and this morning, they showed what it looks like in practice.

Amazon Changes Rental ('Cloud') Model on GNU/Linux

Devices/Hardware: Embedded/Boards, CODESYS, and EPYC Linux Performance

  • Linux friendly IoT gateway runs on 3.5-inch Bay Trail SBC
    While the MB-80580 SBC lists SATA II, the gateway indicates SATA III. Also, the gateway datasheet notes that the RS232 ports can all be redirected to RS232/422/485. Software includes Windows IoT Core and Server, as well as Yocto, Ubuntu Snappy Core, and CentOS Linux distributions.
  • Rugged panel PC scales up to a 19-inch touchscreen
    The fanless, IP65-rated WinSystems “PPC65B-1x” panel PC runs Linux or Win 10 on a quad-core Atom E3845, and offers 10.4 to 19-inch resistive touchscreens.
  • CODESYS announces CODESYS-compatible SoftPLC for open Linux device platforms
  • EPYC Linux performance from AMD
    Phoronix have been hard at work testing out AMD's new server chip, specifically the 2.2/2.7/3.2GHz EPYC 7601 with 32 physical cores.  The frequency numbers now have a third member which is the top frequency all 32 cores can hit simultaneously, for this processor that would be 2.7GHz.  Benchmarking server processors is somewhat different from testing consumer CPUs, gaming performance is not as important as dealing with specific productivity applications.   Phoronix started their testing of EPYC, in both NUMA and non-NUMA configurations, comparing against several Xeon models and the performance delta is quite impressive, sometimes leaving even a system with dual Xeon Gold 6138's in the dust.  They also followed up with a look at how EPYC compares to Opteron, AMD's last server offerings.  The evolution is something to behold.
  • Opteron vs. EPYC Benchmarks & Performance-Per-Watt: How AMD Server Performance Evolved Over 10 Years
    By now you have likely seen our initial AMD EPYC 7601 Linux benchmarks. If you haven't, check them out, EPYC does really deliver on being competitive with current Intel hardware in the highly threaded space. If you have been curious to see some power numbers on EPYC, here they are from the Tyan Transport SX TN70A-B8026 2U server. Making things more interesting are some comparison benchmarks showing how the AMD EPYC performance compares to AMD Opteron processors from about ten years ago.