Security

Security News

Filed under
Security
  • Security Issue in Windows leaks Login Data [Ed: designed for back door access]

    An issue in all Windows systems might leak the user’s Windows login and password information. This is especially critical if the user is using a Microsoft account because this is linked to a number of other services the user may be using.

  • Get ready for an Internet of Things disaster, warns security guru Bruce Schneier

    Security guru Bruce Schneier, the author of multiple encryption algorithms, founder of security company Counterpane, and former chief technology officer of BT Managed Security Solutions, has warned that the 'craze' for connecting devices to the internet with little thought about security will result in a major disaster.

    Schneier warned that "integrity and availability threats" are much worse than "confidentiality threats" with devices connected to the internet.

    "It's one thing if your smart door lock can be eavesdropped upon to know who is home. It's another thing entirely if it can be hacked to allow a burglar to open the door - or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car's location," Schneier wrote.

    He continued: "With the advent of the Internet of Things and cyber-physical systems in general, we've given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete."

  • New Presidential Directive on Incident Response

    Last week, President Obama issued a policy directive (PPD-41) on cyber-incident response coordination. The FBI is in charge, which is no surprise. Actually, there's not much surprising in the document. I suppose it's important to formalize this stuff, but I think it's what happens now.

  • Kazakh dissidents and lawyers hit by cyber attacks: researchers

    Hackers believed to be working on behalf of Kazakhstan government officials tried to infect lawyers and other associates of exiled dissidents and publishers with spyware, according to a report to be presented at this week's Black Hat security conference in Las Vegas.

    The hacking campaign was part of a complicated tale that also involved physical surveillance and threats of violence - a rare instance of cyber attacks coming alongside real-world crimes.

    It is also unusual in that the campaign involved an Indian company that was apparently hired by the hackers, and it targeted Western lawyers along with alleged opponents of the Kazakh government.

    A spokesman at the Kazakhstan embassy in Washington did not respond to emailed questions.

  • Bruce Schneier: major IoT disaster could happen at any time

    THE CRAZE for connecting anything and everything and controlling it over the internet will result in a major disaster without better built-in security, according to security expert Bruce Schneier.

    Furthermore, if secret services really are trying to influence elections by hacking the systems of political parties and releasing embarrassing emails, they will almost certainly attempt to hack into the increasing number of internet-connected voting machines for the same ends.

    Schneier is the author of multiple encryption algorithms, founder of security company Counterpane, and former chief technology officer of BT Managed Security Solutions.

    "It's one thing if your smart door lock can be eavesdropped on to know who is home. It's another thing entirely if it can be hacked to allow a burglar to open the door or prevent you opening your door," Schneier wrote in an article published by Motherboard.

  • Linux botnets on the rise, says Kaspersky DDoS report [Ed: Kaspersky marketing with dramatic and misleading headlines]
  • Hackers break into Telegram, revealing 15 million users’ phone numbers

    Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

    The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

    Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s WhatsApp, say they have similar capabilities.

Tor 0.2.8.6

Filed under
Software
OSS
Security
Debian
  • Tor 0.2.8.6 is released

    Hi, all! After months of work, a new Tor release series is finally stable.

  • Tor browser a bit too unique?

    Ok, this is scary: tor browser on https://browserprint.info/test -- "Your browser fingerprint appears to be unique among the 8,440 tested so far. Currently, we estimate that your browser has a fingerprint that conveys 13.04 bits of identifying information."

  • Debian Project Enhances the Anonymity and Security of Debian Linux Users via Tor

    The Debian Project, through Peter Palfrader, announced recently that its services and repositories for the Debian GNU/Linux operating system would be accessible through the Tor network.

    To further enhance the anonymity and security of users when accessing any of the Debian online services, such as the Debian website or Wiki, as well as when using the Debian GNU/Linux operating system, the Debian Project partnered with the Tor Project to enable Tor onion services for many of their services.

Gentoo-Based Pentoo 2015.0 Linux Distro for Ethical Hackers Gets New RC Release

Filed under
Gentoo
Security

The Pentoo Linux development team proudly announces today, August 2, 2016, the availability for download of the fifth Release Candidate (RC) build towards the Pentoo 2015.0 GNU/Linux operating system.

We don't write so often about the Pentoo GNU/Linux operating system because new releases are being made available to the public online when a new DEF CON event (the world's largest annual hacker convention) is taking place. So yes, it's now a tradition to see a new Pentoo release around a DEF CON conference.

Security Leftovers

Filed under
Security

Kaspersky Selling His Snake Oil

Filed under
GNU
Linux
Security

Security News

Filed under
Security
  • Securing Embedded Linux

    Until fairly recently, Linux developers have been spared many of the security threats that have bedeviled the Windows world. Yet, when moving from desktops and servers to the embedded Internet of Things, a much higher threat level awaits.

    “The basic rules for Linux security are the same whether it’s desktop, server, or embedded, but because IoT devices are typically on all the time, they pose some unique challenges,” said Mike Anderson, CTO and Chief Scientist for The PTR Group, Inc. during an Embedded Linux Conference talk called “Securing Embedded Linux.”

  • Security updates for Monday
  • Packt security bundle winner announced!
  • Everyone has been hacked

    Unless you live in a cave (if you do, I'm pretty jealous) you've heard about all the political hacking going on. I don't like to take sides, so let's put aside who is right or wrong and use it as a lesson in thinking about how we have to operate in what is the new world.

    In the past, there were ways to communicate that one could be relatively certain were secure and/or private. Long ago you didn't write everything down. There was a lot of verbal communication. When things were written down there was generally only one copy. Making copies of things was hard. Recording communications was hard. Even viewing or hearing many of these conversations if you weren't supposed to was hard. None of this is true anymore, it hasn't been true for a long time, yet we still act like what we do is just fine.

  • Android Security Bulletin—July 2016
  • The July 2016 Android security bulletin
  • How To Use Google For Hacking?
  • Securing Embedded Linux by Michael E. Anderson
  • Botnet DDoS attacks in Q2: Linux Botnets on the rise, length of attacks increase

    Kaspersky Lab has released its report on botnet-assisted DDoS attacks for the second quarter of 2016 based on data provided by Kaspersky DDoS Intelligence*. The number of attacks on resources located on Chinese servers grew considerably, while Brazil, Italy and Israel all appeared among the leading countries hosting C&C servers.

  • Cisco Cybersecurity Report Warns of Serious Ransomware Dangers

SubgraphOS: Security Becomes Accessible

Filed under
Software
Security

Increased security often comes at a price in Linux distributions. Tails, for example, allows anonymous browsing at the cost of running from a flash drive. Similarly, Qubes OS provides comprehensive security but with an enormous increase in memory requirements. By contrast, Subgraph OS (SGOS) increases security by installing existing security features that other distributions leave out, adding graphical access to them at a cost no higher than some extra configuration after installation.

The maker of SGOS is Subgraph, an open source security company based in Montreal, Canada. Subgraph is also the developer of Vega, a web application security testing tool, and Orchid, a Java Tor client. SGOS itself is a Debian-derivative running a GNOME desktop environment, and is currently in a usable if somewhat rough alpha release.

SGOS uses the standard Debian installer, with options for a Live Disk, and a standard or advanced installation. The standard install differs from Debian’s chiefly in the fact that disk encryption is mandatory and that partitions are over-written with random data before installation — a process that can be skipped, but at the cost of some unspecified loss of security. Somewhat surprisingly, it enforces strong passwords or passphrases only by the number of characters, although whether that is due to a conviction that passwords are weak security, or of less concern with disk encryption is uncertain. Or possibly SGOS will enforce passwords that include characters and a variety of cases in later releases.

Security News

Filed under
Security
  • Endian Firewall Community 3.2.1 Adds Extended 3G Modem Support, Linux Kernel 4.1

    Today, July 31, 2016, the Endian Team proudly announced that the Endian Firewall Community 3.2 GNU/Linux distribution is out of Beta and ready to be deployed in stable, production environments.

    Endian Firewall Community 3.2.1 is now the latest stable and most advanced version of the CentOS-based GNU/Linux operating system that has been designed to be used in routers and network firewall devices. And it looks like it's also a pretty major update that introduces lots of enhancements, many new features, as well as the usual under-the-hood improvements.

  • HTTPS Bypassed On Windows, Mac, And Linux

    HTTPS encryption assured users that the addresses of the websites they visit could not be monitored or viewed by data snoopers and other such malicious users. However, a new hack has broken this encryption. This hack can be carried out on any network, most notably in Wi-Fi hotspots, where this encryption is most required.

  • Intel's Crosswalk open source dev library has serious SSL bug

    Developers using Intel's Crosswalk SSL library: it's time to patch and push out an upgrade.

    Crosswalk is a cross-platform library that supports deployment to Android, iOS and Windows Phone, but the bug is Android-specific.

    The library has a bug in how it handles SSL errors, and as a result, end users on Android could be tricked into accepting MITM certificates.

    As consultancy Nightwatch Cyber Security explains, if a user accepts one invalid or self-signed SSL certificate, Crosswalk remembers that choice and applies it to all future certificates.

Security Leftovers

Filed under
Security
  • Xen patches critical guest privilege escalation bug

    A freshly uncovered bug in the Xen virtualisation hypervisor could potentially allow guests to escalate their privileges until they have full control of the hosts they're running on.

    The Xen hypervisor is used by cloud giants Amazon Web Services, IBM and Rackspace.

    Inadequate security checks of how virtual machines access memory means a malicious, paravirtualised guest administrator can raise their system privileges to that of the host on unpatched installations, Xen said.

  • Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host
  • The Security of Our Election Systems [Too much of Microsoft]

    The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation's computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November - that our election systems and our voting machines could be vulnerable to a similar attack.

  • Data program accessed in cyber-attack on Democrats, says Clinton campaign [iophk: "Windows still"]

    A data program used by the campaign of the Democratic presidential candidate, Hillary Clinton, was “accessed” as a part of hack on the Democratic National Committee (DNC) that intelligence officials believe was carried out by Russia’s intelligence services, Clinton’s campaign said on Friday.

  • A Famed Hacker Is Grading Thousands of Programs — and May Revolutionize Software in the Process

    “There are applications out there that really do demonstrate good [security] hygiene … and the vast majority are somewhere else on the continuum from moderate to atrocious,” Peiter Zatko says. “But the nice thing is that now you can actually see where the software package lives on that continuum.”

    Joshua Corman, founder of I Am the Cavalry, a group aimed at improving the security of software in critical devices like cars and medical devices, and head of the Cyber Statecraft Initiative for the Atlantic Council, says the public is in sore need of data that can help people assess the security of software products.

    “Markets do well when an informed buyer can make an informed risk decision, and right now there is incredibly scant transparency in the buyer’s realm,” he says.

More in Tux Machines

today's leftovers

  • Top Lightweight Linux Distributions To Try In 2017
    Today I am going to discuss the top lightweight Linux distros you can try this year on your computer. Although you got yourself a prettyLinuxle linux already but there is always something new to try in Linux. Remember I recommend to try these distros in VirtualBox first or with the live boot before messing with your system. All distros that I will mention here will be new and somewhat differ from regular distros.
  • [ANNOUNCE] linux-4.10-ck1 / MuQSS CPU scheduler 0.152
  • MSAA Compression Support For Intel's ANV Vulkan Driver
    Intel developer Jason Ekstrand posted a patch over the weekend for enabling MSAA compression support within the ANV Vulkan driver.
  • Highlights of YaST development sprint 31
    As we announced in the previous report, our 31st Scrum sprint was slightly shorter than the usual ones. But you would never say so looking at this blog post. We have a lot of things to talk to you about!
  • Comparing Mobile Subscriber Data Across Different Sources - How accurate is the TomiAhonen Almanac every year?
    You’ll see that last spring I felt the world had 7.6 Billion total mobile subscriptions when machine-to-machine (M2M) connections are included. I felt the world had 7.2 Billion total subscriptions when excluding M2M and just counting those in use by humans. And the most relevant number (bottom line) is the ‘unique’ mobile users, which I felt was an even 5.0 Billion humans in 2015. The chart also has the total handsets-in-use statistic which I felt was 5.6 Billion at the end of 2015. Note that I was literally the first person to report on the distinction of the unique user count vs total subscriptions and I have been urging, nearly begging for the big industry giants to also measure that number. They are slowly joining in that count. Similarly to M2M, we also are now starting to see others report M2M counts. I have yet to see a major mobile statistical provider give a global count of devices in use. That will hopefully come also, soon. But let's examine these three numbers that we now do have other sources, a year later, to see did I know what I was doing.

Leftovers: Gaming

Leftovers: Software

Linux and FOSS Events

  • Debian SunCamp 2017 Is Taking Place May 18-21 in the Province of Girona, Spain
    It looks like last year's Debian SunCamp event for Debian developers was a total success and Martín Ferrari is back with a new proposal that should take place later this spring during four days full of hacking, socializing, and fun. That's right, we're talking about Debian SunCamp 2017, an event any Debian developer, contributor, or user can attend to meet his or her Debian buddies, hack together on new projects or improve existing ones by sharing their knowledge, plan upcoming features and discuss ideas for the Debian GNU/Linux operating system.
  • Pieter Hintjens In Memoriam
    Pieter Hintjens was a writer, programmer and thinker who has spent decades building large software systems and on-line communities, which he describes as "Living Systems". He was an expert in distributed computing, having written over 30 protocols and distributed software systems. He designed AMQP in 2004, and founded the ZeroMQ free software project in 2007. He was the author of the O'Reilly ZeroMQ book, "Culture and Empire", "The Psychopath Code", "Social Architecture", and "Confessions of a Necromancer". He was the president of the Foundation for a Free Information Infrastructure (FFII), and fought the software patent directive and the standardisation of the Microsoft OOXML Office format. He also organized the Internet of Things (IOT) Devroom here at FOSDEM for the last 3 years. In April 2016 he was diagnosed with terminal metastasis of a previous cancer.
  • foss-gbg on Wednesday
    The topics are Yocto Linux on FPGA-based hardware, risk and license management in open source projects and a product release by the local start-up Zifra (an encryptable SD-card). More information and free tickets are available at the foss-gbg site.