Security Leftovers

Filed under
Security
  • Security advisories for Wednesday
  • How the Top 5 PC Makers Open Your Laptop to Hackers [iophk: "Windows again"]
  • Google plans to replace smartphone passwords with trust scores [iophk: "if you have to travel unexpectedly, you'll probably get locked out."]

    Goodbye, Password1. Goodbye, 12345. You’ve been hearing about it for years but now it might really be happening: the password is almost dead.

    At Google’s I/O developer conference, Daniel Kaufman, head of Google’s advanced technology projects, announced that the company plans to phase out password access to its Android mobile platform in favour of a trust score by 2017. This would be based on a suite of identifiers: what Wi-Fi network and Bluetooth devices you’re connected to and your location, along with biometrics, including your typing speed, voice and face.

    The phone’s sensors will harvest this data continuously to keep a running tally on how much it trusts that the user is you. A low score will suffice for opening a gaming app. But a banking app will require more trust.

Security Leftovers

Filed under
Security
  • Allwinner Leaves Root Exploit in Linux Kernel, Putting ARM Devices at Risk

    Running a Bitcoin node on your ARM single board computer? Fan of cheap Chinese tablets and smartphones? Maybe you contributed to the recent CHIP computer Kickstarter, or host a wallet on one of these devices. Well, if any of these applies to you, and your device is powered by an Allwinner SoC, you should probably wipe it and put an OS on it with the most recent kernel release. Why? Allwinner left a development “tool” on their ARM Linux kernel that allows anyone to root their devices with a single command. This oversight has serious security implications for any Allwinner powered device, especially so for those of us hosting sensitive data on them.

  • 5 steps to reduce cyber vulnerabilities

    The National Vulnerability Database (NVD) — the U.S. government’s repository of standards-based vulnerability management data — says 2015 was another blockbuster year for security vulnerabilities with an average of 17 new vulnerabilities added per day.

    While IT managers can somewhat breathe a collective sigh of relief that the total number of vulnerabilities actually decreased from 7,937 in 2014 to 6,270 in 2015, there’s no time to relax. According to NVD data, 37 percent of vulnerabilities reported in 2015 were classified as highly severe, up from 24 percent in 2014.

  • How to Get an Open Source Security Badge from CII

    Everybody loves getting badges. Fitbit badges, Stack Overflow badges, Boy Scout merit badges, and even LEED certification are just a few examples that come to mind. A recent 538 article "Even psychologists love badges" publicized the value of a badge.

  • 4 Steps To Secure Serverless Applications

    Serverless applications remove a lot of the operational burdens from your team. No more managing operating systems or running low level infrastructure.

    This lets you and your team focus on building…and that’s a wonderful thing.

  • IPv6 support finally coming to Fail2Ban with next major release

    The reaction to this headline from sysadmins who deploy Fail2Ban on an IPv6 enabled system is probably: “Fail2Ban doesn’t support IPv6‽” At least, that seems to be the reaction most admins have posted on forums and social media when they learn that Fail2Ban doesn’t support IPv6. Now Fail2Ban’s IPv4-only limitation is about to be lifted.

    Fail2Ban is a tool that identifies unwanted behaviors by monitoring service logs, and can act upon that by banning offending IP addresses temporarily. Up until recently, Fail2Ban only supported IPv4 although it’s almost certainly running on many IPv6 capable systems as well.

  • Tor Browser announces stable 6.0 release

    The Tor Browser team has announced the first stable version of its 6.0 release. It can be downloaded from the project's website.

    The browser is based on Firefox ESR and this release brings it up-to-date with Firefox 45-ESR, providing better support for HTML5 video on YouTube.
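To make the Fail2Ban IPv6 gap above concrete, here is an added example (not Fail2Ban's own code) of the two halves of what such a tool does: extracting the offending host from a log line and deciding to ban it. An IPv4-only host pattern, the shape of a pre-IPv6 filter, silently ignores an IPv6 attacker; a family-aware pattern validated with `ipaddress` catches both, and the ban action has to pick `ip6tables` for IPv6. The sshd-style log lines and the `offenders`/`ban_command` helpers are constructed for this illustration.

```python
import re
import ipaddress
from collections import Counter

# Constructed sshd-style log lines (not real data): one IPv4 and one IPv6
# host each fail three times, plus one successful login that must not count.
SAMPLE_LOG = """\
May 28 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 28 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
May 28 10:01:09 host sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 28 10:02:11 host sshd[1210]: Failed password for invalid user admin from 2001:db8::1 port 40001 ssh2
May 28 10:02:14 host sshd[1210]: Failed password for invalid user admin from 2001:db8::1 port 40002 ssh2
May 28 10:02:17 host sshd[1210]: Failed password for invalid user admin from 2001:db8::1 port 40003 ssh2
May 28 10:03:00 host sshd[1222]: Accepted publickey for alice from 198.51.100.9 port 2222 ssh2
"""

FAIL_PREFIX = r"Failed password for (?:invalid user )?\S+ from "

# IPv4-only host pattern: dotted quad, so an IPv6 literal never matches.
IPV4_ONLY = re.compile(FAIL_PREFIX + r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port")
# Family-aware pattern: capture any non-space token, then validate it as an address.
ANY_HOST = re.compile(FAIL_PREFIX + r"(?P<host>\S+) port")

def offenders(log, pattern, maxretry=3):
    """Return {address: failures} for hosts that reached maxretry failures."""
    counts = Counter()
    for line in log.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # not an address literal; never ban on an unparsed token
        counts[addr] += 1
    return {str(a): n for a, n in counts.items() if n >= maxretry}

def ban_command(addr):
    """Pick the firewall tool by address family; IPv6 bans need ip6tables."""
    tool = "ip6tables" if ipaddress.ip_address(addr).version == 6 else "iptables"
    return f"{tool} -I INPUT -s {addr} -j REJECT"
```

Running `offenders(SAMPLE_LOG, IPV4_ONLY)` reports only the IPv4 host, while `offenders(SAMPLE_LOG, ANY_HOST)` reports both.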

Security Leftovers (Primarily Windows)

Filed under
Security
  • Doing a 'full scan' of the Internet right now

    I'm scanning at only 125kpps from 4 source IP addresses, or roughly 30kpps from each source address. This is so that I'll get below many thresholds for IDSs, which trigger when they see fast scans from a single address. The issue isn't to avoid detection, but to avoid generating work for people who get unnecessarily paranoid about the noise they see in their IDS logs.

  • A Hacker Is Selling Dangerous Windows Exploit, Making All Versions Of OS Hackable

    A hacker is selling a dangerous zero-day vulnerability on a Russian cybercrime website. This exploit is said to affect more than 1.5 billion Windows users, as it works on all versions of Windows. The hacker wishes to sell the complete source code and a demo of the exploit to any person who pays him $90,000 in bitcoin.

  • Microsoft warns of self-propagating ransomware

    The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.

    The ransomware would run at boot and drop a file autorun.inf in removable drives, a zycrypt.lnk in the start-up folder and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.

    It would then change the file attributes to hide itself from the user in file explorer.

  • Windows 10 Surface Book: Microsoft Keeps ‘Sleep of Death’ bug

    It seems that Microsoft will not be fixing the ‘Sleep of Death’ bug, even though most Surface Book users face the problem.

    During the recent quarterly earnings report, Microsoft pointed out that the Surface line is gaining popularity in the market. Microsoft also said that it has turned out to be the growth leader in its More Personal Computing line of business.

    At the event, the company said that the device has brought 61 percent growth.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Security challenges for the Qubes build process

    Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us. Ideally, we would also somehow combine this with Intel SGX, but this might be trickier than it sounds.

  • Katy Perry’s Twitter Account With 90 Million Followers Hacked

    Notably, with 90 million followers, Katy Perry is the most followed person on the platform.
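The Qubes build-signing scheme quoted above rests on two checks: every independent build location must produce a byte-identical artifact (the reproducibility requirement), and a threshold of distinct developers must have signed that artifact's digest. The following is an added illustration of the verifier's side of that policy, not Qubes code: the developer keys and artifacts are constructed, and HMAC-SHA256 stands in for real detached signatures so it runs with the standard library only.

```python
import hashlib
import hmac

# Constructed per-developer keys. A real deployment would verify public-key
# signatures; HMAC is only a stand-in so the example is self-contained.
DEV_KEYS = {"dev-A": b"key-a", "dev-B": b"key-b", "dev-C": b"key-c"}

def sign(dev, digest):
    """Stand-in for a developer's detached signature over the artifact digest."""
    return hmac.new(DEV_KEYS[dev], digest.encode(), hashlib.sha256).hexdigest()

def reproducible_digest(builds):
    """builds: {build_location: artifact bytes}. Return the single shared SHA-256
    hex digest if every location produced identical bytes, else None."""
    digests = {hashlib.sha256(b).hexdigest() for b in builds.values()}
    return digests.pop() if len(digests) == 1 else None

def accept_release(builds, signatures, threshold):
    """Accept only if all builds match and at least `threshold` distinct
    developers signed that exact digest. One backdoored build location
    breaks the first check; one coerced developer cannot pass the second."""
    digest = reproducible_digest(builds)
    if digest is None:
        return False
    valid = {dev for dev, sig in signatures.items()
             if dev in DEV_KEYS and hmac.compare_digest(sig, sign(dev, digest))}
    return len(valid) >= threshold

# Constructed artifacts: three locations agree, a fourth has one byte changed.
GOOD = b"qubes-release-iso-bytes"
BUILDS_OK = {"loc1": GOOD, "loc2": GOOD, "loc3": GOOD}
BUILDS_TAMPERED = {"loc1": GOOD, "loc2": GOOD, "loc3": GOOD + b"\x00"}
```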

Google and Oracle

Filed under
Google
Security
Legal

Security Leftovers (Parrot Security OS 3.0 “Lithium”, Regulation)

Filed under
Security
  • Parrot Security OS 3.0 “Lithium” — Best Kali Linux Alternative Coming With New Features

    The Release Candidate of Parrot Security OS 3.0 ‘Lithium’ is now available for download. The much-anticipated final release will come in six different editions with the addition of Libre, LXDE, and Studio editions. Version 3.0 of this Kali Linux alternative is based on Debian Jessie and powered by a custom hardened Linux 4.5 kernel.

  • Regulation can fix security, except you can't regulate security

    Every time I start a discussion about how we can solve some of our security problems, it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry, but I'm not sure they work for security. First let's talk about why regulation usually works, then why it won't work for security.

Parrot Security OS 3.0 "Lithium" Is a Linux Distro for Cryptography & Anonymity

Filed under
GNU
Linux
Security

A few days ago, Parrot Security OS developer Frozenbox Network teased users on Twitter with the upcoming release of the long anticipated Parrot Security OS 3.0 "Lithium" distribution.

Based on the latest Debian GNU/Linux technologies and borrowing many of the packages from the Debian 8 "Jessie" stable repositories, Parrot Security OS 3.0 just received new Release Candidate (RC) ISO builds that users can now download and install on their personal computer if they want to get an early taste of what's coming.

Black Duck's Free Tool Digs Out Open Source Bugs

Filed under
OSS
Security

The main advantage of such tools is ease of use. The main limitation is that a tool is only as effective as its creators' list of vulnerabilities. Using a given tool implies that you trust the vendor to stay alert and on the job, noted King.

Developers have "a ton of other similar offerings out there," he said. By offering a free scanner, Black Duck can draw attention to its other products.

"If the new tool delivers what the company promises, it will help put the company in good stead with customer developers. Satisfied customers tend to be repeat customers," King said.

Security Leftovers

Filed under
Security
  • Friday's security updates
  • Judge Says The FBI Can Keep Its Hacking Tool Secret, But Not The Evidence Obtained With It

    Michaud hasn't had the case against him dismissed, but the government will now have to rely on evidence it didn't gain access to by using its illegal search. And there can't be much of that, considering the FBI had no idea who Michaud was or where he resided until after the malware-that-isn't-malware had stripped away Tor's protections and revealed his IP address.

    The FBI really can't blame anyone but itself for this outcome. Judge Bryan may have agreed that the FBI had good reason to keep its technique secret, but there was nothing preventing the FBI from voluntarily turning over details on its hacking tool to Michaud. But it chose not to, despite his lawyer's assurance it would maintain as much of the FBI's secrecy as possible while still defending his client.

    Judge Bryan found the FBI's ex parte arguments persuasive and declared the agency could keep the info out of Michaud's hands. But doing so meant the judicial playing field was no longer level, as he acknowledged in his written ruling. Fortunately, the court has decided it's not going to allow the government to have its secrecy cake and eat it, too. If it wants to deploy exploits with minimal judicial oversight, then it has to realize it can't successfully counter suppression requests with vows of silence.

  • Researcher Pockets $30,000 in Chrome Bounties

    Having cashed in earlier in May to the tune of $15,500, Mlynski pocketed another $30,000 courtesy of Google’s bug bounty program after four high-severity vulnerabilities were patched in the Chrome browser, each worth $7,500 to the white-hat hacker.
