Language Selection

English French German Italian Portuguese Spanish

Security

Security: Internet of Things (IoT), Sonatype, Windows Files on GNU/Linux, NSA Back Doors

Filed under
Security

Security: Updates, Libgcrypt 1.8, Dow Jones Cracked, Windows Havoc Carries on

Filed under
Security

Hacking Devices (Repair), Misconfigured Samba, and Black Duck FUD Team

Filed under
Security

Security: Updates, DNS, Breach, Internet Cameras, Cryptoparty Belfast, Intel and More

Filed under
Security
  • Security updates for Tuesday
  • The Risks of DNS Hijacking Are Serious and You Should Take Countermeasures

    Over the years hackers have hijacked many domain names by manipulating their DNS records to redirect visitors to malicious servers. While there’s no perfect solution to prevent such security breaches, there are actions that domain owners can take to limit the impact of these attacks on their Web services and users.

  • Lawyers score big in settlement for Ashley Madison cheating site data breach

    The owners of the Ashley Madison cheating-dating website have agreed to pay $11.2 million to settle two dozen data breach lawsuits as a result of a 2015 incident involving as many as 37 million members' personal identifying information being exposed online. The deal (PDF) earmarks up to one-third, or about $3.7 million, for attorneys' fees and costs. An additional $500,000 has been set aside to administer the remaining $7 million earmarked for Ashley Madison members.

  • Representative IoT Device: IP Video Camera

    These IP cameras are available with full support and regular updates from industrial suppliers at prices ranging from several hundred to a few thousand dollars per camera. They are commonly sold in systems that include cameras, installation, monitoring and recording systems and software, integration, and service and support. There are a few actual manufacturers of the cameras, and many OEMs place their own brand names on the cameras.

  • Hack Brief: 'Devil's Ivy' Vulnerability Could Afflict Millions of IoT Devices
  • Devil's Ivy Open-Source Flaw Impacts Tens of Millions of IoT Devices
  • Nasty Bug Left Thousands of Internet of Things Devices Open to Hackers
  • Experts in Lather Over ‘gSOAP’ Security Flaw
  • Just because you can, doesn't mean you should

    There was a recent Cryptoparty Belfast event that was aimed at a wider audience than usual; rather than concentrating on how to protect ones self on the internet the 3 speakers concentrated more on why you might want to. As seems to be the way these days I was asked to say a few words about the intersection of technology and the law. I think people were most interested in all the gadgets on show at the end, but I hope they got something out of my talk. It was a very high level overview of some of the issues around the Investigatory Powers Act - if you’re familiar with it then I’m not adding anything new here, just trying to provide some sort of details about why it’s a bad thing from both a technological and a legal perspective.

  • [Old] "Super Malware" Steals Encryption Keys from Intel SGX Enclaves

    In a research paper published at the end of February, a team of five scientists from the Graz University of Technology has described a novel method of leaking data from SGX enclaves, a secure environment created by Intel CPUs for storing sensitive information for each process, such as encryption keys, passwords, and other.

    Starting with the Skylake line, Intel introduced a new hardware extension called SGX (Software Guard Extensions) that isolates the CPU memory at the hardware level, creating safe spaces where applications can store information that only they can write or read.

  • Avoiding TPM PCR fragility using Secure Boot

    In measured boot, each component of the boot process is "measured" (ie, hashed and that hash recorded) in a register in the Trusted Platform Module (TPM) build into the system. The TPM has several different registers (Platform Configuration Registers, or PCRs) which are typically used for different purposes - for instance, PCR0 contains measurements of various system firmware components, PCR2 contains any option ROMs, PCR4 contains information about the partition table and the bootloader. The allocation of these is defined by the PC Client working group of the Trusted Computing Group. However, once the boot loader takes over, we're outside the spec[1].

  • Open Source Security Podcast: Episode 56 -- Devil's Advocate and other fuzzy topics

Security Features in Next Linux

Filed under
Linux
Security
  • It Didn't Make It For Linux 4.13, But A New Random Number Generator Still In The Works

    Frequent Phoronix readers may recall that for more than one year a new Linux Random Number Generator has been in-development and today marked the 12th version of these patches being released.

    This new random number generator, LRNG, aims to provide sufficient entropy during the boot time and in virtual environments as well as when using SSDs or DM targets. LRNG has been in development by Stephan Müller.

  • Unix: How random is random?
  • AMD Secure Memory Encryption Patches Updated For Linux

    Adding to the list of changes/features you will not find in Linux 4.13 is AMD's Secure Memory Encryption as supported by the new EPYC processors.

    AMD has been posting Secure Memory Encryption patches for the Linux kernel going back to last year, but so far have not been merged to mainline. The code continues to be updated and published today was the tenth version of these patches.

A brief history of GnuPG: vital to online security but free and underfunded

Filed under
GNU
Security

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.

GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt on January 11, 1996, but relief is probably a good guess. The United States government had just ended its investigation into him and his encryption software, PGP or “Pretty Good Privacy”.

Read more

Security and FOSS: Sonatype Report, Bitfury, and Nokia

Filed under
OSS
Security

Security Leftovers

Filed under
Security
  • Open source in the security world -- a liability or strength?

    To some, the terms ‘open source’ and ‘security’ may not exactly go hand in hand. Characterized by its transparent code—which means it’s highly accessible to anyone— as opposed to ‘closed’, proprietary systems, it’s no wonder that some still have the misperception that open source is the more vulnerable party. In an open source environment, companies as well as communities of sorts are able to access and contribute to the code. This often gives off the impression that because it is open, it must be fully exposed to risks and viruses.

    But today, open source is pervasive. The world as we know it is changing — technology is evolving faster today than it has at any other point in human history. And open source is the reason for that; it is the driving force behind many of today’s technology innovation that we see. Today’s enterprises simply cannot rely on a proprietary piece of source code to manage their increasing multitude of applications that are powering their critical business transactions.

    And with the rising adoption of this software, there has never been a better time to learn the truth about misconceptions of open source security.

  • How Active Intrusion Detection Can Seek and Block Attacks

    Ventura will this detail a more active approach to intrusion prevention - where defenders can use basic network software applications to look for threats and stop attacks - later this month in his Black Hat USA talk entitled "They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention."

  • Linux, Windows, macOS Affected By 21-year-old Kerberos Protocol Bug; Patch Now

Security: Kaspersky Ban, Email of Top U.S. Russia Intelligence Official Hacked, and Kali Linux

Filed under
Security

Security: Kerberos, Various Updates, and FUD

Filed under
Security
Syndicate content

More in Tux Machines

Some FreeBSD Users Are Still Running Into Random Lock-Ups With Ryzen

While Linux has been playing happily with Ryzen CPUs as long as you weren't affected by the performance marginality problem where you had to swap out for a newer CPU (and Threadripper and EPYC CPUs have been running splendid in all of my testing with not having any worries), it seems the BSDs (at least FreeBSD) are still having some quirks to address. This week on the FreeBSD mailing list has been another thread about Ryzen issues on FreeBSD. Some users are still encountering random lockups that do not correspond to any apparent load/activity on the system. Read more

PC desktop build, Intel, spectre issues etc.

Apart from the initial system bought, most of my systems when being changed were in the INR 20-25k/- budget including all and any accessories I bought later. The only real expensive parts I purchased have been external hdd ( 1 TB WD passport) and then a Viewsonic 17″ LCD which together sent me back by around INR 10k/- but both seem to give me adequate performance (both have outlived the warranty years) with the monitor being used almost 24×7 over 6 years or so, of course over GNU/Linux specifically Debian. Both have been extremely well value for the money. As I had been exposed to both the motherboards I had been following those and other motherboards as well. What was and has been interesting to observe what Asus did later was to focus more on the high-end gaming market while Gigabyte continued to dilute it energy both in the mid and high-end motherboards. Read more

Intel OpenGL vs. Vulkan Performance With Mesa 18.0

Given the very strong Vulkan vs. OpenGL performance in the recent low-end/older Linux gaming GPU tests with discrete graphics cards, I was curious to run some benchmarks seeing the current state of Intel's open-source OpenGL vs. Vulkan performance. With the Mesa 18.0 release to be branched soon, it was a good time seeing how the Intel i965 OpenGL and ANV Vulkan drivers compare. Read more

How To Install Themes Or Icons In Elementary OS

After installing Elementary OS, you may feel that you want to customize it to look more than Out-of-the-box system, and more of a personalized Operating system per se. It's very easy to install themes and icons for your Elementary OS. The process is pretty much the same as installing icons and themes in any ubuntu system since it is built upon Ubuntu. Read
more