Security

Security News

Filed under
Security
  • Reproducible Builds: week 90 in Stretch cycle

    The F-Droid Verification Server has been launched. It rebuilds apps from source that were built by f-droid.org and checks that the results match.

  • 6 Week Progress Update for PGP Clean Room

    One of the PGP Clean Room’s aims is to provide users with the option to easily initialize one or more smartcards with personal info and pins, and subsequently transfer keys to the smartcard(s). The advantage of using smartcards is that users don’t have to expose their keys to their laptop for daily certification, signing, encryption or authentication purposes.

  • New Kali Linux Professional Information Security Certification to debut at Black Hat USA, 2017

    First Official Kali Linux book release will coincide with launch of the new information security training program as the Penetration Testing platform celebrates its 10th anniversary.

  • The flatpak security model – part 1: The basics

    This is the first part of a series talking about the approach flatpak takes to security and sandboxing.

    First of all, a lot of people think of container technology like docker, rkt or systemd-nspawn when they think of Linux sandboxing. However, flatpak is fundamentally different from these in that it is unprivileged.

  • Newly discovered Mac malware found in the wild also works well on Linux [Ed: Only if fools are stupid enough to actually INSTALL malware.]

    The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.

    [...]

    Another intriguing finding: with the exception of the Mac-formatted Mach object file binary, the entire Fruitfly malware library runs just fine on Linux computers.

Why Linux Installers Need to Add Security Features

Filed under
Linux
Security

Twelve years ago, Linux distributions were struggling to make installation simple. Led by Ubuntu and Fedora, they long ago achieved that goal. Now, with the growing concerns over security, they need to reverse directions slightly, and make basic security options prominently available in their installers rather than options that users can add manually later.

At the best of times, of course, convincing users to come anywhere near security features is difficult. Too many users are reluctant even to add features as simple as unprivileged user accounts or passwords, apparently preferring the convenience of the moment to reducing the risk of an intrusion that will require reinstallation, or a consultation with a computer expert at eighty dollars an hour.


Security News

Filed under
Security
  • Wednesday's security updates
  • Secure your Elasticsearch cluster and avoid ransomware

    Last week, news came out that unprotected MongoDB databases are being actively compromised: content copied and replaced by a message asking for a ransom to get it back. As The Register reports: Elasticsearch is next.

    Protecting access to Elasticsearch by a firewall is not always possible. But even in environments where it is possible, many admins are not protecting their databases. Even if you cannot use a firewall, you can secure the connection to Elasticsearch by using encryption. Elasticsearch by itself does not provide any authentication or encryption possibilities. Still, there are many third-party solutions available, each with its own drawbacks and advantages.

  • Resolve to Follow These 8 Steps for Better Data Security in 2017

    Getting physically fit is a typical New Year's resolution. Given that most of us spend more time online than in a gym, the start of the new year also might be a great time to improve your security “fitness.” As with physical fitness challenges, the biggest issue with digital security is always stagnation. That is, if you don't move and don't change, atrophy sets in. In physical fitness, atrophy is a function of muscles not being exercised. In digital fitness, security risks increase when you fail to change passwords, update network systems and adopt improved security technology. Before long, your IT systems literally become a “sitting duck.” Given the volume of data breaches that occurred in 2016, it is highly likely that everyone reading this has had at least one of their accounts compromised in some way, such as their Yahoo account. Hackers somewhere may have one of the passwords you’ve used at one point to access a particular site or service. If you're still using that same password somewhere, in a way that can connect that account to you, that's a non-trivial risk. Changing passwords is the first of eight security resolutions that can help to improve your online security fitness in 2017. Click through this eWEEK slide show to discover the rest.

  • Pwn2Own 2017 Takes Aim at Linux, Servers and Web Browsers

    10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including Virtual Machines, servers, enterprise applications and web browsers.

    Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged to become one of the premier events on the information security calendar, and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.

  • 'Factorio' is another game that was being hit by key scammers

    In another case of scammers trying to buy keys with often stolen credit cards to sell on websites like G2A, the developers of 'Factorio' have written about their experience with it (and other stuff too).

Security News

Filed under
Security

  • Security advisories for Tuesday
  • FOI: NHS Trusts are ransomware pin cushions [Ed: Windows]

    The FOI requests found that 87 per cent of attacks came via a networked NHS device and that 80 per cent were down to phished staffers. However, only a small proportion of the 100 or so Trusts responded to this part of the requests.

    "These results are far from surprising. Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching," said Tony Rowan, Chief Security Consultant at SentinelOne.

    "The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware and a new more dynamic approach to endpoint protection is needed.

Canonical to Remove Old Unity 7 Scopes from Ubuntu Because They're Not Secure

Filed under
Security

Canonical's Will Cooke recently revealed the company's plans to remove some old, unmaintained Unity 7 Scopes from the Ubuntu Linux archives because they could threaten the security of the entire operating system.


Security Leftovers

Filed under
Security
  • 3 Lessons in Web Encryption from Let’s Encrypt

    As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year. Much of the infrastructure and many of the plans necessary for a 100 percent encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.

    But before we start looking ahead, it’s helpful to look back and see what our project learned from our exciting first full year as a live certificate authority (CA). I’m incredibly proud of what our team and community accomplished during 2016. I’d like to share how we’ve changed, what we’ve accomplished, and what we’ve learned.

    At the start of 2016, Let’s Encrypt was supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 22 million active certificates in total.

  • [Older] Kali Linux Cheat Sheet for Penetration Testers
  • Report: Attacks based on open source vulnerabilities will rise 20 percent this year [Ed: The Microsoft-connected Black Duck spreads FUD against FOSS again, together with IDG; Black Duck was created for the purpose of attacking the GPL, by its very own admission.]

    The number of commercial software projects that were composed of 50 percent or more of free, open source software went up from 3 percent in 2011 to 33 percent today, said Mike Pittenger, vice president of security strategy at Black Duck Software.

Security Leftovers

Filed under
Security
  • Truffle Hog Finds Security Keys Hidden in GitHub Code

    According to commenters on a Reddit thread about Truffle Hog, Amazon Web Services has already been using a similar tool for the same purpose. "I have accidentally committed my AWS secret keys before to a public repo," user KingOtar wrote. "Amazon actually found them and shut down my account until I created new ones. Kinda neat Amazon."

  • 5 Essential Tips for Securing Your WordPress Sites

    WordPress is by far the most popular blogging platform today.

    Being as popular as it is, it comes with its own strengths and weaknesses. The very fact that almost everybody uses it makes it more prone to vulnerabilities. WordPress developers are doing a great job of fixing and patching the framework as new flaws are discovered, but that doesn’t mean that you can simply install and forget your installation.

    In this post, we will provide some of the most common ways of securing and strengthening a WordPress site.

  • Google ventures into public key encryption

    Google announced an early prototype of Key Transparency, its latest open source effort to ensure simpler, safer, and secure communications for everyone. The project’s goal is to make it easier for application services to share and discover public keys for users, but it will be a while before it's ready for prime time.

    Secure communications should be de rigueur, but it remains frustratingly out of reach for most people, more than 20 years after the creation of Pretty Good Privacy (PGP). Existing methods where users need to manually find and verify the recipients’ keys are time-consuming and often complicated. Messaging apps and file sharing tools are limited in that users can communicate only within the service because there is no generic, secure method to look up public keys.

  • How to Keep Hackers out of Your Linux Machine Part 2: Three More Easy Security Tips

    In part 1 of this series, I shared two easy ways to prevent hackers from eating your Linux machine. Here are three more tips from my recent Linux Foundation webinar where I shared more tactics, tools and methods hackers use to invade your space. Watch the entire webinar on-demand for free.

Security News

Filed under
Security
  • Microsoft slates end to security bulletins in February [iophk: "further obscuring"; Ed: See this]

    Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches.

    One patching expert crossed his fingers that Microsoft would make good on its pledge to publish the same information when it switches to a new online database. "I'm on the fence right now," said Chris Goettl, product manager with patch management vendor Shavlik, of the demise of bulletins. "We'll have to see [the database] in February before we know how well Microsoft has done [keeping its promise]."

  • Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users

    By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site scripting vulnerability (link) it is possible to steal and decrypt the password of a McDonald's user. Besides that, other personal details like the user's name, address & contact details can be stolen too.

  • DragonFlyBSD Installer Updated To Support UEFI System Setup

    DragonFlyBSD has been working on its (U)EFI support and with the latest Git code its installer now has basic UEFI support.

Tails 2.10 Will Upgrade to Linux Kernel 4.8 and Tor 0.2.9, Add exFAT Support

Filed under
Security

A new stable release of Tails, the beloved anonymous Live CD that helps you stay hidden online when navigating various websites on the Internet, is being prepared.


More in Tux Machines

Linux 4.10

  • Linux 4.10
  • Linux Kernel 4.10 Officially Released with Virtual GPU Support, Many Features
    As expected, Linus Torvalds announced today the general availability of the Linux 4.10 kernel series, which adds a great number of improvements, new security features, and support for the newest hardware components. Linux kernel 4.10 has been in development for the past seven weeks, during which it received a total of eight RC (Release Candidate) snapshots that implemented all the changes that you'll soon be able to enjoy on your favorite Linux-based operating system.
  • Linux 4.10 Kernel Released
    Linus Torvalds has released the Linux 4.10 kernel. As of writing this article, Torvalds hasn't put out anything on the mailing list but Linux 4.10 is out.

Desktop GNU/Linux/Chromebook

  • A Minimal Chrome OS Theme for Tint2
    I used to (and sort-of-still-do, I guess) run a sister site focused on Google Chrome, Chromecast and Chromebooks, i.e. the Chrome ecosystem. As such I am a fan of Chromebooks and Chrome OS, a Linux-based distribution based on Gentoo. The appearance of Chrome OS has waxed and waned in sync with Google’s ambitions and positioning for the OS, going from hyper-minimal to a full desktop clone (with the desktop-y Chrome Apps platform) through to a Material Design inspired Android + Chrome hybrid today.
  • Off-The-Shelf Hacker: Linux for Cheap Hardware, Then and Now
    Most people don’t realize how prolific Linux has become. With the Embedded Linux Conference just a week away, I’ve been reflecting on how Linux has provided a sort of computing “circle of life” experience for me. It powered my computational hardware 20 years ago and continues to do so today.
  • [Video] XPS 13 Review | Linux Action Show 457
  • GParted 0.28.1
    This release of GParted restores the ability to move/resize primary partitions when an extended partition exists. The move/resize regression was introduced in version 0.28.0. This release also includes some minor bug fixes.
  • Antergos Linux: The beauty built on Arch
    Hi guys, welcome to the 16th segment of "Introduction with Linux Distro". Most of us know or have heard about Arch Linux, which is one of the most widely used Linux distributions. For some reason, some users find it hard to install and use Arch. But in the Linux world, there is almost always some alternative to your desired distribution. In today's segment, we will be introducing an Arch-based distribution which has turned it completely to the user-friendly side. So, let's get to know Antergos Linux.

Kernel Space/Linux

Leftovers: Software

  • Picard 1.4 released
    The last time we put out a stable release was more than 2 years ago, so a lot of changes have made it into this new release. If you’re in a hurry and just want to try it out, the downloads are available from the Picard website.
  • Linux Digital Audio Workstations: Open Source Music Production
    When most people think of music programs, they’ll usually think Mac OS or Windows. However, there are also a few Linux digital audio workstations. The support and features of these programs can vary, but they’re a good choice to set up a cheap recording studio. Some of them are even good competitors for paid programs, offering features such as multitrack recording, MIDI, and virtual instruments. Keep in mind that many audio editing programs for Linux rely on the Jack backend. You’ll need a dedicated system to install these programs on, since it doesn’t work properly in a virtual machine. In the following article, we’ll cover audio editing programs that are available for Linux. We’ll talk about the available features, as well as help you decide which program to use for your needs.
  • i2pd 2.12 released
    i2pd (I2P Daemon) is a full-featured C++ implementation of an I2P client. I2P (Invisible Internet Protocol) is a universal anonymous network layer. All communications over I2P are anonymous and end-to-end encrypted, and participants don't reveal their real IP addresses.
  • 4 Command-Line Graphics Tools for Linux
    For the most part, they’re wrong. Command-line image tools do much of what their GUI counterparts can, and they can do it just as well. Sometimes, especially when dealing with multiple image files or working on an older computer, command-line tools can do a better job. Let’s take a look at four command-line tools that can ably handle many of your basic (and not-so-basic) image manipulation tasks.
  • CloudStats - Best Server Monitoring Tool for Linux Servers
    CloudStats is an effective tool for Linux server monitoring and network monitoring. With CloudStats you get whole visibility into key performance criteria of your Linux Server. You can proactively track different server metrics like CPU, disk and memory usage, services, apps, processes and more. The best thing is that you don’t need to have any special technical skills – this tool for server monitoring is very easy to install and run from any device.
  • New Inkscape 0.92.1 fixes your previous works done with Inkscape
    This blog post is about a happy end after a previously published blog post named New Inkscape 0.92 breaks your previous works done with Inkscape, published on 20 January. There were a lot of reactions to that post and the news quickly went viral. That's why I thought it was nice to make another blog post to "close this case".
  • Qt 5.10 To Have Built-In Vulkan Support
    With Qt 5.8 there was experimental Direct3D 12 support that left some disappointed the toolkit didn't opt for supporting Vulkan first as a cross-platform, high-performance graphics API. Fortunately, with Qt 5.10, there will be built-in Vulkan support. Going back nearly one year there has been Vulkan work around Qt while with Qt 5.10 it's becoming a reality. However, with Qt 5.9 not even being released until the end of May, Qt 5.10 isn't going to officially debut until either the very end of 2017 or early 2018.
  • Rusty Builder
    Thanks to Georg Vienna, Builder can now manage your Rust installations using RustUp!
  • GNOME MPlayer knows how to grow your playlist size