Security

10 best Linux distros for privacy fiends and security buffs in 2017

Filed under
Linux
Security

The awesome operating system Linux is free and open source. As such, there are thousands of different ‘flavours’ available – and some types of Linux such as Ubuntu are generic and meant for many different uses.

But security-conscious users will be pleased to know that there are also a number of Linux distributions (distros) specifically designed for privacy. They can help to keep your data safe through encryption and operating in a ‘live’ mode where no data is written to your hard drive in use.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Wireshark 2.2.4 Open-Source Network Protocol Analyzer Released with Bug Fixes

    Wireshark, the world's most popular network protocol analyzer software, has been updated today to version 2.2.4, the fourth bugfix and security update to the stable 2.2 series.

    Wireshark 2.2.4 comes approximately five weeks after maintenance update 2.2.3 and provides patches for two recently discovered vulnerabilities, namely wnpa-sec-2017-01 and wnpa-sec-2017-01. While the first one could make the ASTERIX dissector go into an infinite loop, the second could make the DHCPv6 dissector go into a large loop.

  • Penguins force-fed root: Cruel security flaw found in systemd v228

    Some Linux distros will need to be updated following the discovery of an easily exploitable flaw in a core system management component.

    The CVE-2016-10156 security hole in systemd v228 opens the door to privilege escalation attacks, creating a means for hackers to root systems locally if not across the internet. The vulnerability is fixed in systemd v229.

  • Linux Systemd Flaw Gives Attackers Root Access

    Security researcher Sebastian Krahmer has recently discovered that a previously known security flaw in the systemd project can be used for more than crashing a Linux distro but also to grant local attackers root access to the device.

  • Trojan Transforms Linux Devices into Proxies for Malicious Traffic
  • Bad bots account for 30 per cent of all web traffic

    OH LORD, THE INTERNET HAS A BAD TIME OF IT. According to a report from Imperva, it spends around a third of its time trafficking bot crap that no one wants.

    The Imperva Incapsula Bot Traffic Report is a regular thing from the firm, and it bases its study on more than 16.7 billion visits to some 100,000 randomly-selected domains on its Incapsula network. It has found, for an almost consistent five years, that bots account for more traffic than actual bloody people, though only by a slight margin and not in 2015.

    "In 2015 we documented a downward shift in bot activity on our network, resulting in a drop below the 50 per cent line for the first time in years. In 2016 we witnessed a correction of that trend, with bot traffic scaling back to 51.8 per cent—only slightly higher than what it was in 2012," explains the firm.

New Tor Security Updates Patch DoS Bug That Let Attackers Crash Relays, Clients

Filed under
Security

Two new Tor security updates have been published recently, stable version 2.9.9.9 and development release 0.3.0.2 Alpha, patching a few important vulnerabilities discovered lately.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • DB Ransom Attacks Spread to CouchDB and Hadoop [Ed: Get sysadmins who know what they are doing, as misconfigurations are expensive]
  • Security advisories for Monday
  • Return on Risk Investment
  • Widely used WebEx plugin for Chrome will execute attack code—patch now!

    The Chrome browser extension for Cisco Systems WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

  • DDoS attacks larger, more frequent and complex says Arbor

    Distributed denial-of-service (DDoS) attacks are becoming more frequent and complex, forcing businesses to deploy purpose-built DDoS protection solutions, according to a new infrastructure security report which warns that the threat landscape has been transformed by the emergence of Internet of Things (IoT) botnets.

    The annual worldwide infrastructure security report from Arbor Networks - the security division of NETSCOUT - reveals that the largest distributed denial-of-service (DDoS) attack reported in 2016 was 800 Gbps, a 60% increase over 2015’s largest attack of 500 Gbps.

Security Leftovers

Filed under
Security

Why it's time to stop blaming open source for ransomware attacks

Filed under
OSS
Security

Developers may be the new kingmakers, to quote Redmonk, but they're not very careful about locking the gates. That's the primary take-away from a slew of ransomware attacks against MongoDB, CouchDB, Elasticsearch, and Hadoop, as I've argued.

Some people, however, have learned the exact wrong lesson from this debacle. Exhibit A is David Ramel's article wherein he suggests that open source is ultimately to blame for the attacks. This is wrong on so many levels, but let's address just a few.

Security Leftovers

Filed under
Security
  • The long road to getrandom() in glibc

    The GNU C library (glibc) 2.25 release is expected to be available at the beginning of February; among the new features in this release will be a wrapper for the Linux getrandom() system call. One might well wonder why getrandom() is only appearing in this release, given that kernel support arrived with the 3.17 release in 2014 and that the glibc project is supposed to be more receptive to new features these days. A look at the history of this particular change highlights some of the reasons why getting new features into glibc is still hard.

  • Maintainers for desktop "critical infrastructure"

    That work is great, but it is limited by a number of factors: funding and the interests of its members, primarily. Few of the companies involved have much, if any, interest in the Linux desktop. Some might argue that there aren't any companies with that particular interest, though that would be disingenuous. In any case, though, desktop Linux is a community-supported endeavor, at least more so than server or cloud Linux, which likely means some things are slipping through the cracks.

    Kaskinen left his job in 2015 to be able to spend more time on PulseAudio (and some audio packages that he maintains for OpenEmbedded). For the last four months or so, he has been soliciting funds on Patreon. Unlike Kickstarter and other similar systems, Patreon is set up to provide ongoing funding, rather than just a chunk of money for a particular feature or project. Donors pledge a monthly amount to try to support someone's work going forward.

  • Important CentOS 7 Linux Kernel Security Patch Released, 3 Vulnerabilities Fixed

    CentOS developer and maintainer Johnny Hughes is announcing the availability of a new, important Linux kernel security update for the CentOS 7 series of operating systems.

    CentOS 7 is derived from the freely distributed source code of the commercial Red Hat Enterprise Linux 7 operating system series, which means that it also benefits from its security patches. According to the recently published RHSA-2017:0086-1 security advisory, which was marked as important, three security vulnerabilities are patched.

  • Trump's New Cyber-Security Advisor Runs a Very, Very Insecure Website

    According to Phonos Group founder Dan Tentler, Giuliani's security company website runs a very, very old Joomla distribution, an open-source, free-to-use CMS.

    That's Joomla 3.1.1, released in April 2013. Since then, two major zero-days have plagued Joomla, so grave that they could allow attackers to take full control over a Joomla installation. Those are CVE-2016-9838 and CVE-2015-8562.

    But that's not the worst of it. The Joomla admin panel login page is also freely available, meaning anyone could access it and attempt to brute-force the admin password.

  • Reminder: Microsoft to no longer update original Windows 10 release after March 26 [Ed: Microsoft will leave even more Vista 10 back doors open, unless you install the latest doors]

    As Microsoft noted last year, the company plans to update only two Current Branch for Business versions of Windows 10 at any given time.

  • St. Louis' public library computers hacked for ransom [iophk: “Those who installed Windows on them have not been brought to justice”]

    Hackers have infected every public computer in the St. Louis Public Library system, stopping all book borrowing and cutting off internet access to those who rely on it for computers.

    The computer system was hit by ransomware, a particularly nasty type of computer virus that encrypts computer files.

    This form of attack renders computers unusable -- unless victims are willing to pay an extortion fee and obtain a key to unlock the machines.

  • Microsoft Targets Chrome Users With Windows 10 Pop-up Ad

    Microsoft really wants you to use its software products as well as running Windows 10, and that includes the Edge browser. But it can't stop you choosing to use an alternative web browser. However, if you opt to use Chrome, then expect to start seeing adverts right on your Windows desktop.

  • United Airlines Domestic Flights Grounded for 2 Hours by Computer Outage

    All of United Airlines' domestic flights were grounded for more than two hours Sunday night because of a computer outage, the Federal Aviation Administration said as scores of angry travelers sounded off on social media.

  • There’s no glory in patching

    Regular patching is essential but not without risks. Missing a critical patch is an easy way of getting your service compromised but insufficient testing is an even easier way of getting it to fall over. Here at drie we talk a lot about why trying to build your own infrastructure around AWS can be, to put it mildly, a bit of a pain. Today I’d like to go a little deeper on one issue most people encounter when going it alone in AWS and why you’re better off making it someone else’s problem. While it may seem like a mundane concern, keeping up to date with the latest patches and security fixes for your dependencies is a significant undertaking and neglecting server patches is a swift route to getting your infrastructure hacked.

Your Computer's Clipboard is a Security Problem - Fix it in Linux With xsel and cron

Filed under
Security
HowTos

Any program you run can read your clipboard, and its contents linger until another copy event or a reboot. Modern browsers enable multiple ways for malicious websites to read the clipboard contents (or add items in), so eliminate the worry by using a script with cron that auto-clears your clipboard regularly.

via DMT/Linux Blog

Security Leftovers

Filed under
Security
  • After MongoDB Debacle, Expect More Ransomware, Open Source Attacks in 2017 [Ed: Black Duck is at it again]

    "Black Duck's Open Source Security Audit Report found that, on average, vulnerabilities in open source components used in commercial application were over 5 years old," Pittenger said. "The Linux kernel vulnerability discovered 8/16 (CVE-2016-5195) had been in the Linux code base since 2012. Most organizations don't know about the open source vulnerabilities in their code because they don't track the open source components they use, and don't actively monitor open source vulnerability information."

  • Mirai: Student behind IoT malware used it in Minecraft server protection racket, claims Krebs

    SECURITY BLOGGER BRIAN KREBS has suggested that "Anna Senpai", the reprobate behind the Mirai Internet-of-shonky-Things (IoT) botnet, is a student studying at Rutgers University in the US.

    Krebs made his disclosure after conducting an in-depth investigation and finding out that Mirai had been developed and deployed over the past three years or so - it didn't suddenly emerge last year.

    Krebs believes that Mirai has been used a number of times in connection with what looks suspiciously like an online protection racket: companies running, for example, Minecraft servers being offered distributed denial of service (DDoS) protection, on the one hand, just before being taken offline in massive DDoS attacks on the other.

  • Gmail phishing scam has everyone reaching for 2FA

    STOP WHAT YOU ARE DOING, unless you don't have a Gmail account. Carry on if that is the case.

    If you do use Gmail you apparently really, really, need to be aware of a crafty phishing scam that will have you hooked, lined, sinkered, gutted, covered in batter and served with curry sauce before you have a chance to realise that anything is happening.

    The scam that has everyone in a lather uses a deceptive URL, and quite a sneaky one. People probably won't even notice it because, for the most part, it looks fine. It is only once it is clicked and the bastard gateway is broken through that the phishing and the stealing begins.

More in Tux Machines

Security Leftovers

  • Atom Installer
    One thing that I miss about using Ubuntu is PPAs. There are lots of PPAs in Ubuntu, and you can hack around and install all types of software which are required for your usage. In the Fedora side of the world there are copr repos, but they don’t have as many repos as in Ubuntu and you can’t build non-free software (don’t get me wrong here, I love FREEdom software but couldn’t resist not using some beautiful non-free applications such as Sublime). I am creating a workaround for this by using shell scripts which are open source (cc0), but when those scripts are executed they install non-free software on your system.
  • MKVToolNix 9.9.0 MKV Manipulation Tool Released with New GUI Improvements, More
    MKVToolNix developer Moritz Bunkus announced today, February 20, 2017, the release and general availability of MKVToolNix 9.9.0 "Pick Up" for all supported platforms, including GNU/Linux, macOS, and Microsoft Windows. MKVToolNix 9.9.0 represents a month of hard work, during which the developer managed to add a bunch of new and interesting features, fix as many bugs reported by users since last month's MKVToolNix 9.8.0 point release, as well as to improve the build system, especially in regards to the man pages of the software.
  • Chakra GNU/Linux Users Get KDE Plasma 5.9.2 and KDE Applications 16.12.2, More
    The developers behind the Chakra GNU/Linux operating system have announced today the immediate availability of all the latest KDE technologies released this month in the stable repositories of the distribution. Yes, we're talking about the KDE Plasma 5.9.2 desktop environment, KDE Applications 16.12.2 software suite, KDE Frameworks 5.31.0, and KDE Development Platform 4.14.29, all of which can be found in your Chakra GNU/Linux's repos if you want to run the newest KDE software.

today's howtos

Leftovers: Ubuntu

  • IOTA: IoT revolutionized with a Ledger
    Ever since the introduction of digital money, the world quickly came to realize how dire and expensive the consequences of centralized systems are. Not only are these systems incredibly expensive to maintain, they are also “single points of failures” which expose a large number of users to unexpected service interruptions, fraudulent activities and vulnerabilities that can be exploited by malicious hackers. Thanks to Blockchain, which was first introduced through Bitcoin in 2009, the clear benefits of a decentralized and “trustless” transactional settlement system became apparent. No longer should expensive trusted third parties be used for handling transactions, instead, the flow of money should be handled in a direct, Peer-to-Peer fashion. This concept of a Blockchain (or more broadly, a distributed ledger) has since then become a global phenomenon attracting billions of dollars in investments to further develop the concept.
  • Return Home and Unify: My Case for Unity 8
  • Can netbooks be cool again?
    Earlier this week, my colleague Chaim Gartenberg covered a laptop called the GPD Pocket, which is currently being funded on Indiegogo. As Chaim pointed out, the Pocket’s main advantage is its size — with a 7-inch screen, the thing is really, really small — and its price, a reasonable $399. But he didn’t mention that the Pocket is the resurrection of one of the most compelling, yet fatally flawed, computing trends of the ‘00s: the netbook. So after ten years, are netbooks finally cool again? That might be putting it too strongly, but I’m willing to hope.

Linux Devices

  • Compact, rugged module runs Linux or Android on Apollo Lake
    Ubiqconn’s 95 x 95mm, Apollo Lake-based “COM-AL6C” COM offers 4K video along with multiple SATA, USB, GbE, and PCIe interfaces, plus -40 to 85°C operation. Ubiqconn Technology Inc. has announced a “COM-AL6C” COM Express Type 6 Compact form factor computer-on-module built around Intel’s Apollo Lake processors and designed to withstand the rigors of both fixed and mobile industrial applications. The module offers a choice among three Intel Apollo Lake processors: the quad-core Atom x5-E3930, quad-core x5-E3940, and dual-core x7-E3950, which are clocked at up to 2.0GHz burst and offer TDPs from 6.5 to 12 Watts.
  • Internet-enable your microcontroller projects for under $6 with ESP8266
    To get started with IoT (the Internet of Things), your device needs, well, an Internet connection. Base Arduino microcontrollers don't have Internet connectivity by default, so you either need to add Ethernet, Wi-Fi shields, or adapters to them, or buy an Arduino that has built-in Internet connectivity. In addition to complexity, both approaches add cost and consume the already-precious Arduino flash RAM for program space, which limits what you can do. Another approach is to use a Raspberry Pi or similar single-board computer that runs a full-blown operating system like Linux. The Raspberry Pi is a solid choice in many IoT use cases, but it is often overkill when all you really want to do is read a sensor and send the reading up to a server in the cloud. Not only does the Raspberry Pi potentially drive up the costs, complexity, and power consumption of your project, but it is running a full operating system that needs to be patched, and it has a much larger attack surface than a simple microcontroller. When it comes to IoT devices and security, simpler is better, so you can spend more time making and less time patching what you already made.
  • Blinkenlights!
  • Blinkenlights, part 2
  • Blinkenlights, part 3
  • [Older] Shmoocon 2017: The Ins And Outs Of Manufacturing And Selling Hardware
    Every day, we see people building things. Sometimes, useful things. Very rarely, this thing becomes a product, but even then we don’t hear much about the ins and outs of manufacturing a bunch of these things or the economics of actually selling them. This past weekend at Shmoocon, [Conor Patrick] gave the crowd the inside scoop on selling a few hundred two factor authentication tokens. What started as a hobby is now a legitimate business, thanks to good engineering and abusing Amazon’s distribution program.
  • 1.8 Billion Mobile Internet Users NEVER use a PC, 200 Million PC Internet Users never use a mobile phone. Understanding the 3.5 Billion Internet Total Audience
    As I am working to finish the 2017 Edition of the TomiAhonen Almanac (last days now) I always get into various updates of numbers, that remind me 'I gotta tell this story'.. For example the internet user numbers. We have the December count by the ITU for year 2016, that says the world has now 3.5 Billion internet users in total (up from 3.2 Billion at the end of year 2015). So it's no 'drama' to know what is 'that' number. The number of current internet total users is yes, 3.5 Billion, almost half of the planet's total population (47%).