Language Selection

English French German Italian Portuguese Spanish

Security

Security: Linux, Free Software Principles, Microsoft and Intel

Filed under
Security
  • Some 'security people are f*cking morons' says Linus Torvalds

    Linux overlord Linus Torvalds has offered some very choice words about different approaches security, during a discussion about whitelisting features proposed for version 4.15 of the Linux kernel.

    Torvalds' ire was directed at open software aficionado and member of Google's Pixel security team Kees Cook, who he has previously accused of idiocy.

    Cook earned this round of shoutiness after he posted a request to “Please pull these hardened usercopy changes for v4.15-rc1.”

  • Free Software Principles

    Ten thousand dollars is more than $3,000, so the motives don't add up for me. Hutchins may or may not have written some code, and that code may or may not have been used to commit a crime. Tech-literate people, such as the readers of Linux Magazine, understand the difference between creating a work and using it to commit a crime, but most of the media coverage – in the UK, at least – has been desperate to follow the paradigm of building a man up only to gleefully knock him down. Even his achievement of stopping WannaCry is decried as "accidental," a word full of self-deprecating charm when used by Hutchins, but which simply sounds malicious in the hands of the Daily Mail and The Telegraph.

  • New warning over back door in Linux

    Researchers working at Russian cyber security firm Dr Web claim to have found a new vulnerability that enables remote attackers to crack Linux installations virtually unnoticed.

    According to the anti-malware company, cyber criminals are getting into the popular open-source operating system via a new backdoor.

    This, they say, is "indirect evidence" that cyber criminals are showing an increasing interest in targeting Linux and the applications it powers.

    The trojan, which it's calling Linux.BackDoor.Hook.1, targets the library libz primarily. It offers compression and extraction capabilities for a plethora of Linux-based programmes.

  • IN CHATLOGS, CELEBRATED HACKER AND ACTIVIST CONFESSES COUNTLESS SEXUAL ASSAULTS
  • Bipartisan Harvard panel recommends hacking [sic] safeguards for elections

     

    The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.  

  • Intel Chip Flaws Leave Millions of Devices Exposed

     

    On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.

Security: MuddyWater, DJI, Updates, Reproducible Builds and Excel

Filed under
Security

Security: FOSS Versus Windows

Filed under
Security

Security: Google and Morgan Marquis-Boire

Filed under
Security

  • Google: 25 per cent of black market passwords can access accounts

    The researchers used Google's proprietary data to see whether or not stolen passwords could be used to gain access to user accounts, and found that an estimated 25 per cent of the stolen credentials can successfully be used by cyber crooks to gain access to functioning Google accounts.

  • Data breaches, phishing, or malware? Understanding the risks of stolen credentials

    Drawing upon Google as a case study, we find 7--25\% of exposed passwords match a victim's Google account.

  • Infosec star accused of sexual assault booted from professional affiliations

    A well-known computer security researcher, Morgan Marquis-Boire, has been publicly accused of sexual assault.

    On Sunday, The Verge published a report saying that it had spoken with 10 women across North America and Marquis-Boire's home country of New Zealand who say that they were assaulted by him in episodes going back years.

    A woman that The Verge gave the pseudonym "Lila," provided The Verge with "both a chat log and a PGP signed and encrypted e-mail from Morgan Marquis-Boire. In the e-mail, he apologizes at great length for a terrible but unspecified wrong. And in the chat log, he explicitly confesses to raping and beating her in the hotel room in Toronto, and also confesses to raping multiple women in New Zealand and Australia."

Security: Amazon, Microsoft, and John Draper

Filed under
Security
  • Amazon security camera could be remotely disabled by rogue couriers

    However, researchers from Rhino Security Labs found attacking the camera's Wi-Fi with a distributed denial of service attack, which sends thousands of information requests to the device, allowed them to freeze the camera. It would then continue to show the last frame broadcast, rather than going offline or alerting the user it had stopped working.

  • Pentagon contractor leaves social media spy archive wide open on Amazon

    A Pentagon contractor left a vast archive of social-media posts on a publicly accessible Amazon account in what appears to be a military-sponsored intelligence-gathering operation that targeted people in the US and other parts of the world.

    The three cloud-based storage buckets contained at least 1.8 billion scraped online posts spanning eight years, researchers from security firm UpGuard's Cyber Risk Team said in a blog post published Friday. The cache included many posts that appeared to be benign, and in many cases those involved from people in the US, a finding that raises privacy and civil-liberties questions. Facebook was one of the sites that originally hosted the scraped content. Other venues included soccer discussion groups and video game forums. Topics in the scraped content were extremely wide ranging and included Arabic language posts mocking ISIS and Pashto language comments made on the official Facebook page of Pakistani politician Imran Khan.

  • Pirated Microsoft Software Enabled NSA Hack says Kaspersky

    Earlier reports accused Kaspersky's antivirus software which was running on the NSA worker's home computer to be the reason behind the Russian spies to access the machine and steal important documents which belonged to NSA hacking unit, Equation Group.

  • Iconic hacker booted from conferences after sexual misconduct claims surface

    John Draper, a legendary figure in the world of pre-digital phone hacking known as "phreaking," has been publicly accused of inappropriate sexual behavior going back nearly two decades.

    According to a new Friday report by BuzzFeed News, Draper, who is also known as "Captain Crunch," acted inappropriately with six adult men and minors between 1999 and 2007 during so-called "energy" exercises, which sometimes resulted in private invitations to his hotel room. There, Draper allegedly made unwanted sexual advances.

    As a result of the new revelations, Draper, 74, is now no longer welcome at Defcon. Michael Farnum, the founder of HOU.SEC.CON, told Ars on Friday afternoon that Draper, who had been scheduled to speak in April 2018, was disinvited.

Security: PeopleSoft, DJI, IoT, Amazon, Microsoft, ​Google, Ad Blocking and Codewarz

Filed under
Security
  • Oracle rushes out 5 patches for huge vulnerabilities in PeopleSoft app server

    Oracle issued a set of urgent security fixes on Tuesday that repair vulnerabilities revealed today by researchers from the managed security provider ERPScan at the DeepSec security conference in Vienna, Austria. The five vulnerabilities include one dubbed "JoltandBleed" by the researchers because of its similarity to the HeartBleed vulnerability discovered in OpenSSL in 2014. JoltandBleed is a serious vulnerability that could expose entire business applications running on PeopleSoft platforms accessible from the public Internet.

    The products affected include Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as any other product using the Tuxedo 2 application server. According to recent research by ERPScan, more than 1,000 enterprises have their PeopleSoft systems exposed to the Internet, including a number of universities that use PeopleSoft Campus Solutions to manage student data.

  • Man gets threats—not bug bounty—after finding DJI customer data in public view

    DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

  • New Study Finds Poorly Secured Smart Toys Lets Attackers Listen In On Your Kids

    We've long noted how the painful lack of security and privacy standards in the internet of (broken) things is also very well-represented in the world of connected toys. Like IOT vendors, toymakers were so eager to make money, they left even basic privacy and security standards stranded in the rear view mirror as they rush to connect everything to the internet. As a result, we've seen repeated instances where your kids' conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

    With Luddites everywhere failing to realize that modern Barbie needs a better firewall, this is increasingly becoming a bigger problem. The latest case in point: new research by Which? and the German consumer group Stiftung Warentest found yet more flaws in Bluetooth and wifi-enabled toys that allow a total stranger to listen in on or chat up your toddler:

  • Amazon Key flaw makes entering your home undetected a possibility
  • How to fix a program without the source code? Patch the binary directly
  • ​Google Home and Amazon Echo hit by big bad Bluetooth flaws
  • Senator urges ad blocking by feds as possible remedy to malvertising scourge

    A US Senator trying to eradicate the Internet scourge known as malvertising is proposing that all federal agencies block ads delivered to worker computers unless advertisers can ensure their networks are free of content that contains malicious code.

    In a letter sent today, Oregon Senator Ron Wyden asked White House Cybersecurity Coordinator Rob Joyce to begin discussions with advertising industry officials to ensure ads displayed on websites can't be used to infect US government computers. If, after 180 days, Joyce isn't "completely confident" the industry has curbed the problem, Wyden asked that Joyce direct the US Department of Homeland Security to issue a directive "requiring federal agencies to block the delivery to employees' computers of all Internet ads containing executable code."

    "Malware is increasingly delivered through code embedded in seemingly innocuous advertisements online," Wyden wrote. "Individuals do not even need to click on ads to get infected: this malicious software, including ransomware, is delivered without any interaction by the user."

  • Weekend code warriors prepare to clash in Codewarz

    If you didn't have any weekend plans yet—or maybe even if you did—and you're interested in scratching your programming itch, there's something to add to your calendar. Codewarz, a programming competition that presents participants with 24 coding challenges, is running its first live event starting at 1pm Eastern on November 18 and ending at 9pm on November 20.

    This is not a hacking competition—it’s strictly coding. Participants can use their language of choice as long as it's one of the 15 supported by the event: the various flavors of C, Python, Node.js, Scala, PHP, Go, Ruby, and even BASH. (Sorry, no one has asked them to support ADA or Eiffel yet.) There's no compiling required, either. Each submitted solution is run in an interpreted sandbox on a Linux machine for evaluation and scoring. And the challenges run the gamut from beginner (things like text parsing, math and basic networking) to advanced (more advanced parsing and math, hashing, cryptography, and forensics challenges).

Security: New Release of HardenedBSD, Windows Leaks Details of Windows Back Doors

Filed under
Security
  • Stable release: HardenedBSD-stable 11-STABLE v1100054
  • Kaspersky blames NSA hack on infected Microsoft software

    Embattled computer security firm Kaspersky Lab said Thursday that malware-infected Microsoft Office software and not its own was to blame for the hacking theft of top-secret US intelligence materials.

    Adding tantalizing new details to the cyber-espionage mystery that has rocked the US intelligence community, Kaspersky also said there was a China link to the hack.

  • Investigation Report for the September 2014 Equation malware detection incident in the US

    In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:

  • Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

    Kaspersky Lab, the US government's least favorite computer security outfit, has published its full technical report into claims Russian intelligence used its antivirus tools to steal NSA secrets.

    Last month, anonymous sources alleged that in 2015, an NSA engineer took home a big bunch of the agency's cyber-weapons to work on them on his home Windows PC, which was running the Russian biz's antimalware software – kind of a compliment when you think about it. The classified exploit code and associated documents on the personal system were then slurped by Kremlin spies via his copy of Kaspersky antivirus, it was claimed.

Security: Google, Vulnerabilities Equities Process (VEP), Quad9 and More

Filed under
Security
  • Google investigators find hackers swipe nearly 250,000 passwords a week

    Hackers are constantly trying to break into Google accounts, so Google researchers spent a year tracing how hackers steal passwords and expose them on the internet's black market.

    To gather hard evidence about the tools hackers use to swipe passwords, Google collaborated with University of California Berkeley cybersecurity experts to track activity on some of these markets. On Thursday, they published their results.

  • Time Will Tell if the New Vulnerabilities Equities Process Is a Step Forward for Transparency

    The White House has released a new and apparently improved Vulnerabilities Equities Process (VEP), showing signs that there will be more transparency into the government’s knowledge and use of zero day vulnerabilities. In recent years, the U.S. intelligence community has faced questions about whether it “stockpiles” vulnerabilities rather than disclosing them to affected companies or organizations, and this scrutiny has only ramped up after groups like the Shadow Brokers have leaked powerful government exploits. According to White House Cybersecurity Coordinator Rob Joyce, the form of yesterday’s release and the revised policy itself are intended to highlight the government’s commitment to transparency because it’s “the right thing to do.”

  • Security updates for Friday
  • Quad9 Secure DNS Service Embeds IBM Security Intelligence
  • New “Quad9” DNS service blocks malicious domains for everyone

    The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts—primarily targeted at organizations that don't run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google's), except that it won't return name resolutions for sites that are identified via threat feeds the service aggregates daily.

  • The Internet of Shit is so manifestly insecure that people are staying away from it in droves
  • Security updates for Thursday
  • [Ubuntu] Security Team Weekly Summary: November 16, 2017
  • Hacking Blockchain with Smart Contracts to Control a Botnet

    Blockchain has been hailed by some in the technology industry as a potential method to help improve cyber security. However, security researcher Majid Malaika warns that Blockchain can potentially be abused to enable a new form of botnet that would be very difficult to take down.

    Malaika detailed his Blockchain-powered botnet in a session at the SecTor security conference on Nov. 15. The overall attack method has been dubbed "Botract" by Malaika, as it abuses inherent functionality in the smart contracts that help to enable Blockchain.

  • What Can The Philosophy of Unix Teach Us About Security?

Security: Boeing 757, Security Education Companion, Kaspersky 'Damage Control' and FUD

Filed under
Security

Security: Jobs, Linux 4.14, Bruce Schneier, Spyhunter

Filed under
Security
  • Security updates for Wednesday
  • Security Jobs Are Hot: Get Trained and Get Noticed

    The demand for security professionals is real. On Dice.com, 15 percent of the more than 75K jobs are security positions. “Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek” (Forbes). We know that there is a fast-increasing need for security specialists, but that the interest level is low.

  • security things in Linux v4.14
  • Schneier: It's Time to Regulate IoT to Improve Cyber-Security

    The time has come for the U.S. government and other governments around the world, to start regulating Internet of Things (IoT) security, according to Bruce Schneier, CTO of IBM's Resilient Systems.

    Schneier delivered his message during a keynote address at the SecTor security conference here. He noted that today everything is basically a computer, whether it's a car, a watch, a phone or a television. IoT today has several parts including sensors that collect data, computing power to figure out what to do with the collected data and then actuators that affect the real world.

  • Shady Anti-Spyware Developer Loses Lawsuit Against Competitor Who Flagged Its Software As Malicious

    Enigma Software makes Spyhunter, a malware-fighting program with a very questionable reputation. But the company isn't known so much for containing threats as it's known for issuing threats. It sued a review site for having the audacity to suggest its pay-to-clean anti-spyware software wasn't a good fit for most users… or really any users at all.

    Bleeping Computer found itself served with a defamation lawsuit for making fact-based claims (with links to supporting evidence) about Enigma's dubious product, dubious customer service tactics (like the always-popular "auto-renew"), and dubious lawsuits. Somehow, this dubious lawsuit managed to survive a motion to dismiss. Fortunately, Bleeping Computer was propped up by Malwarebytes' developers, who tossed $5,000 into Bleeping Computer's legal defense fund.

Syndicate content

More in Tux Machines

Android Leftovers

Latest KDE and Kubuntu

  • KDE Frameworks 5.41.0 Released with More Than 120 Improvements and Bugfixes
    The KDE Project released today a new version of its open-source KDE Frameworks software stack, a collection of over 70 add-on libraries to the Qt application framework, for GNU/Linux distributions. Each month, KDE releases a new KDE Frameworks build, and version 5.41.0 is now available for December 2017, bringing a month's worth of improvements, bug and security fixes, as well as updated translations.
  • KDE Frameworks 5.41 Released Ahead Of KDE Applications 17.12
    KDE Frameworks 5.41 is now available as the latest monthly update to this collection of add-on libraries complementing Qt5. KDE Frameworks 5.41 has a number of fixes including some crash fixes, updated translations, improvements to Kirigami, support for the idle inhibit manager protocol in KWayland, many Plasma Framework changes, and other updates.
  • Release of KDE Frameworks 5.41.0
    December 10, 2017. KDE today announces the release of KDE Frameworks 5.41.0. KDE Frameworks are 70 addon libraries to Qt which provide a wide variety of commonly needed functionality in mature, peer reviewed and well tested libraries with friendly licensing terms. For an introduction see the Frameworks 5.0 release announcement.
  • [Kubuntu] Testing a switch to default Breeze-Dark Plasma theme in Bionic daily isos and default settings
    Today’s daily ISO for Bionic Beaver 18.04 sees an experimental switch to the Breeze-Dark Plasma theme by default. Users running 18.04 development version who have not deliberately opted to use Breeze/Breeze-Light in their systemsettings will also see the change after upgrading packages. Users can easily revert back to the Breeze/Breeze-Light Plasma themes by changing this in systemsettings.

Games: Kim, ASTROKILL, Hearthlands and More

The Best Linux Laptop: A Buyer’s Guide with Picks from an RHCE

If you don’t posses the right knowledge & the experience, then finding the best Linux laptop can be a daunting task. And thus you can easily end-up with something that looks great, features great performance, but struggles to cope with ‘Linux’, shame! So, as a RedHat Certified Engineer, the author & the webmaster of this blog, and as a ‘Linux’ user with 14+ years of experience, I used all my knowledge to recommend to you a couple of laptops that I personally guarantee will let you run ‘Linux’ with ease. After 20+ hours of research (carefully looking through the hardware details & reading user feedback) I chose Dell XP S9360-3591-SLV, at the top of the line. If you want a laptop that’s equipped with modern features & excellent performance that ‘just works’ with Linux, then this is your best pick. It’s well built (aluminium chassis), lightweight (2.7 lb), features powerful hardware, long battery life, includes an excellent 13.3 inch Gorilla Glass touchscreen with 3200×1800 QHD resolution which should give you excellently sharp images without making anything too small & difficult to read, a good & roomy track-pad (earlier versions had a few issues with it, but now they seem to be gone) with rubber-like palm rest area and a good keyboard (the key travel is not deep, but it’s a very think laptop so…) with Backlit, two USB 3.0 ports. Most importantly, two of the most common elements of a laptop that can give ‘Linux’ user a headache, the wireless adapter & the GPU (yes the Intel HD Graphics 620 can play 4K videos at 60fps), they are both super compatible with ‘Linux’ on this Dell. Read more