
Security

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Reproducible Builds: week 99 in Stretch cycle
  • Government Agencies to be Rated on Cybersecurity Using NIST Framework

    The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity. Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.

    Homeland security advisor Thomas Bossert stated that the President’s budget will include an increase in federal funding to combat cyber threats, and that the administration’s priorities vis-à-vis cybersecurity are to modernize and centralize the existing system. To this end, the Administration intends to partner with business, including Silicon Valley, and state and local governments, on cybersecurity.

  • Firefox gets complaint for labeling unencrypted login page insecure

    The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

    "Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

Security Leftovers

Filed under
Security
  • Security updates for Monday
  • Old Linux kernel security bug bites

    OK, hands up, who knows what High-Level Data Link Control (HDLC) is? It's an archaic networking data framing protocol that's used in modems, X.25, frame-relay, ISDN, and other now uncommon networking technologies. I know it because I used to work with them back in the day. You'll get to know it now because a researcher discovered a security hole hidden within the Linux kernel driver that implements it.

  • Seven year-old Linux vulnerability now patched

    An old vulnerability was just discovered in the Linux kernel, potentially allowing hackers to gain privilege escalation, or cause a denial of service. The vulnerability was quickly fixed and there have been no signs of it in the wild, although that does not necessarily mean it went unnoticed.

  • OpenSSH 7.5 released

    OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

  • OpenSSH 7.5 Has Security Fixes, Removes OpenSSL 1.0 Support for Portable OpenSSH

    OpenSSH, the cross-platform and open-source 100% complete SSH 2.0 protocol implementation offering both SFTP server and client support, was updated today to version 7.5.

    OpenSSH 7.5 comes three months after the release of OpenSSH 7.4 in late December 2016, and promises to be a maintenance update that addresses two important security issues, implements support for the "=-" syntax to make removing of methods from algorithm lists a lot easier, and fixes numerous reported bugs.
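    The "=-" syntax mentioned above is the `-o KexAlgorithms=-name` command-line form of a directive that in ssh_config/sshd_config reads `KexAlgorithms -name`: a leading "-" removes matching entries (wildcards allowed) from the built-in default list, a leading "+" appends, and a bare list replaces the defaults outright. The following is an added example, not code from the OpenSSH project, that resolves such a directive the way ssh(1)/sshd(8) do; the default list used here is constructed for illustration and is not OpenSSH's actual default for any version.

```python
import fnmatch

# Constructed stand-in for a built-in default list (NOT OpenSSH's real default).
DEFAULT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]


def _matches(name, pattern_list):
    """True if name matches any comma-separated glob pattern ('*' and '?')."""
    return any(fnmatch.fnmatchcase(name, p) for p in pattern_list.split(",") if p)


def effective_algorithms(spec, defaults):
    """Resolve an algorithm-list value against the default list.

    '+a,b'  appends a and b (skipping names already present),
    '-a,b*' removes every default matching one of the patterns,
    'a,b'   replaces the defaults with exactly that list.
    """
    if spec.startswith("+"):
        added = [a for a in spec[1:].split(",") if a and a not in defaults]
        return defaults + added
    if spec.startswith("-"):
        return [a for a in defaults if not _matches(a, spec[1:])]
    return [a for a in spec.split(",") if a]


def resolve_directive(line, defaults):
    """Parse 'Keyword value' or 'Keyword=value' (the -o form) and resolve it."""
    keyword, _, value = line.replace("=", " ", 1).strip().partition(" ")
    return keyword, effective_algorithms(value.strip(), defaults)


if __name__ == "__main__":
    # Typical hardening: drop the SHA-1 group-14 exchange without retyping the whole list.
    print(resolve_directive("KexAlgorithms -diffie-hellman-group14-sha1", DEFAULT_KEX))
    # Wildcard removal of every diffie-hellman-* method.
    print(resolve_directive("KexAlgorithms=-diffie-hellman-*", DEFAULT_KEX))
```

The point of the "-" form is that a config line stays correct across upgrades: you state only what you forbid, and whatever the new release adds to its defaults remains enabled, whereas a replaced list silently pins you to the set you typed.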

  • Is Linux Mint a secure distribution?

    Linux Mint has been lambasted by some in the media for security problems over the last few years. But how accurate are such perceptions? Does Linux Mint really suffer from security problems or is it all much ado about nothing?

    A writer at DistroWatch wades into the controversy and examines some of the myths and misunderstandings about Linux Mint and security.

  • Linux Mint's security record

    Some of the more common misunderstandings I have encountered recently have involved the Linux Mint distribution. Mint has been a popular project in recent years and, with many people using the distribution and talking about the project, there is bound to be some mis-communication. In particular, most of the rumours and misunderstandings I have encountered have revolved around Mint's security practices and history. I would like to clear up a few of the more common rumours.

  • Mozilla Firefox is the First Pwn2own 2017 Victim to be Patched

    Some vendors respond to security issues faster than others. Last week, the 10th annual Pwn2own hacking challenge was hosted by Trend Micro's Zero Day Initiative (ZDI), with multiple groups of researchers taking aim at web browsers, operating systems and virtualization technology.

    Mozilla's Firefox web browser was successfully exploited on March 16, the second day of the Pwn2own event. Researchers from Chaitin Security Research Lab were the only group to attack Mozilla Firefox, and earned $30,000 for demonstrating a new zero-day exploit. On the day the exploit was demonstrated, the only thing publicly revealed about it was that it made use of an integer overflow flaw in combination with an uninitialized memory buffer in the Windows kernel.

Tails 3.0 Anonymous LiveCD Gets Third Beta Release with Important Security Fixes

Filed under
Security
Debian

The developers of the Tails amnesic incognito live system announced the availability of the third Beta release of the upcoming major Tails 3.0 operating system, which will be based on the soon-to-be-released Debian GNU/Linux 9 "Stretch" OS.


Security Leftovers

Filed under
Security
  • More than 300 Cisco switch models vulnerable to CIA hack

    A cache of CIA documents was dropped on the internet two weeks ago via WikiLeaks. It was a huge volume of data, some of which detailed CIA tools for breaking into smartphones and even smart TVs. Now, Cisco has said its examination of the documents points to a gaping security hole in more than 300 models of its switches. There’s no patch for this critical vulnerability, but it’s possible to mitigate the risk with some settings changes.

    Cisco’s security arm sent out an advisory on Friday alerting customers that the IOS and IOS XE Software Cluster were vulnerable to hacks based on the leaked documents. The 318 affected switch models are mostly in the Catalyst series, but there are also some embedded systems and IE-series switches on the list. These are enterprise devices that cost a few thousand dollars at least. So, nothing in your house is affected by this particular attack.

  • Assange chastises companies who haven't responded to CIA vulnerability offers

    Wikileaks head Julian Assange slammed companies not taking the site up on the site's offer to share security flaws the CIA had exploited in their products.

    In a screen-shot statement tweeted on Saturday, Wikileaks noted that "Organizations such as Mozilla" had responded to the site's emails offering unreleased security vulnerabilities from leaked CIA files. "Google and other companies" had not.

    "Most of these lagging companies have conflicts of interest due to their classified work with US government agencies. In practice such associations limit industry staff with US security clearances from fixing holes based on leaked information from the CIA. Should such companies choose to not secure their users against CIA or NSA attacks users may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts," the statement read.

    Wikileaks recently published a trove of files leaked from the CIA, including descriptions of hacking techniques. The site made an effort to redact source code showing how to actually accomplish the techniques, although enough code slipped through the cracks for researchers to reverse engineer at least one of the security flaws.

  • Gentoo: 201703-02 Adobe Flash Player: Multiple vulnerabilities

OpenSSH 7.5 released

Filed under
OSS
Security

OpenSSH 7.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.


Also: OpenSSH 7.5 Released, Legacy Crypto Functions Still Heading For Retirement

Security Leftovers

Filed under
Security
  • Hire a DDoS service to take down your enemies

    According to Neustar, almost three quarters of all global brands, organizations and companies have been victims of a DDoS attack. And more than 3,700 DDoS attacks occur each day.

  • Apollo Lake 3.5-incher doubles down on security

    Kontron’s Linux-friendly, Intel Apollo Lake based “3.5″-SBC-APL” SBC features triple display support, a TPM 2.0 chip, and optional security services.

  • Leading Linux distros dawdle as kernel flaw persists

    A local privilege escalation flaw has been fixed in the Linux kernel, but several upstream distributions have yet to release updates. Administrators should plan on mitigating the vulnerability on Linux servers and workstations themselves and monitor the distributions for their update plans.

How to secure your Raspberry Pi

Filed under
Linux
Hardware
Security

The Raspberry Pi and many other inexpensive computer boards like it have become part of the "Internet of Things" or IoT revolution. Internet-connected computing devices have emerged beyond traditional servers, desktops, laptops, and mobile devices. Now your TV, DVR (digital video recorder), thermostat, refrigerator, Internet radio, Raspberry Pi, and other devices are on the network too.

IoT has been huge for experimentation and innovation. But as projects get rushed to completion, there have been severe consequences for ignoring security. And this applies both to commercial products and hobby projects. I'll talk about the Raspberry Pi specifically in this article, so this post is oriented more toward do-it-yourself projects.


Security Leftovers

Filed under
Security
  • Some HTTPS inspection tools might weaken security [iophk: "the death of web-mail UI"]

    In a typical enterprise environment, an HTTPS connection can even be intercepted and re-encrypted multiple times: at the network perimeter by gateway security products or data leak prevention systems and on endpoint systems by antivirus programs that need to inspect such traffic for malware.

    The problem is that users' browsers no longer get to validate the real server certificates because that task falls to the interception proxy. And as it turns out, security products are pretty bad at validating server certificates.
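    The failure described above is that the interception proxy's upstream client does not validate the real server's certificate, so the browser's own (correct) validation of the proxy's substituted certificate proves nothing. As an added example that is not from the article or any inspection product, the block below shows the weak upstream client configuration beside the corrected one and an audit function that reports what a given client context would fail to check; the function and context names are illustrative.

```python
import ssl


def audit_client_context(ctx):
    """Return the validation steps a TLS client context skips (empty list = OK)."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("certificate chain not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy TLS versions permitted")
    return problems


def weak_upstream_context():
    """The 'just make it connect' configuration: the upstream side of a badly
    written interception proxy. check_hostname must be cleared before
    verify_mode can be set to CERT_NONE, which is exactly how this gets copied
    around."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_upstream_context(cafile=None):
    """What the proxy's upstream client should do on the browser's behalf:
    require a chain to a trusted CA, match the hostname, refuse TLS < 1.2.
    cafile=None loads the platform trust store (assumption: one is installed)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak:", audit_client_context(weak_upstream_context()))
    print("hardened:", audit_client_context(hardened_upstream_context()))
```

A browser behind such a proxy sees only the proxy's locally trusted certificate, so the audit has to run on the proxy side; the only signal visible from the endpoint is that the issuer of every site's certificate is the corporate inspection CA rather than a public one.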

  • Defence against the Dark Arts involves controlling your hardware

    In light of the Vault 7 documents leak (and the rise to power of Lord Voldemort this year), it might make sense to rethink just how paranoid we need to be.

  • This laptop-bricking USB stick just got even more dangerous

    Remember that USB stick that would destroy almost anything in its path, from laptops, photo booths, kiosks, to even cars?

    Now there's a new version, and it's even more dangerous than before.

    In case you missed it the first time around, a Hong Kong-based company built a weaponized pocket-sized USB stick, which when plugged into a device, will rapidly charge its capacitors from the USB power supply and then discharge, frying the affected device's circuits.

  • Docker Image Vulnerability Research

    Managing known vulnerabilities is the first step towards a strong security posture. If we’re not updating our systems, and keeping an eye on emerging vulnerabilities that are yet to be patched upstream, we’re basically leaving the front door wide open.

Linux Security

Filed under
Security
  • Why Codethink is a founding member of the Civil Infrastructure Platform, a Linux Foundation initiative

    On April 4th 2016 a new Linux Foundation initiative called the Civil Infrastructure Platform was announced. CIP aims to share efforts around building a Linux-based commodity platform for industrial grade products that need to be maintained for anything between 25 and 50 years - in some cases even longer. Codethink is one of the founding members.

  • Ubuntu 12.04 Will Be End-Of-Life in April 28th 2017 & ESM Surprise
  • Update Shyness

    But the update madness had just started. A couple days after the PCLOS incident, I booted OpenMandriva and Discover notified me that there were updates. I must confess that the update process in OpenMandriva has not been easy for me: I prefer to use the Control Center, but sometimes it cannot install some packages and those have to be installed with Discover. Sometimes, the latter simply refuses to load the package list.

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Eight-year-old Linux security flaw finally fixed

    ANOTHER years-old vulnerability in the Linux kernel has been patched - the fourth such ageing security flaw that has been patched recently.

  • Paving with Good Intentions: The Attempt to Rescue the Network Time Protocol

    After the Heartbleed bug revealed in April 2014 how understaffed and under-funded the OpenSSL project was, the Network Time Foundation was discovered to be one of several projects in a similar condition. Unfortunately, thanks to a project fork, the efforts to lend NTP support have only divided the development community and created two projects scrambling for funds where originally there was only one.

  • Mozilla: Everyone's scared of hackers but clueless about fending them off

    According to Firefox maker Mozilla, we're nearly all afraid of hackers, but few of us feel we can protect ourselves from them.

    The non-profit's survey of 30,000 people found internet users' confidence is extremely low when it comes to privacy and security. The survey found that 90 percent of people are unsure how to protect themselves online, while 11.5 percent feel they know nothing about security.


More in Tux Machines

Google in Devices

  • Glow LEDs with Google Home
    For part one, the custom commands were possible thanks to the Google Actions APIs. I used API.AI for my purpose since they had good documentation. I won't go into detail explaining the form fields in Api.ai; they have done a good job with the documentation and explaining part, so I will just share my configuration screenshots for your quick reference and understanding. In Api.ai the conversations are broken into intents. I used one intent (Default Welcome Intent) and a followup intent (Default Welcome Intent – custom) for my application.
  • Google Assistant SDK preview brings voice agent to the Raspberry Pi
    Google has released a Python-based Google Assistant SDK that’s designed for prototyping voice agent technology on the Raspberry Pi 3. Google’s developer preview aims to bring Google Assistant voice agent applications to Linux developers. The Google Assistant SDK is initially designed for prototyping voice agent technology on the Raspberry Pi 3 using Python and Raspbian Linux, but it works with most Linux distributions. The SDK lets developers add voice control, natural language understanding, and Google AI services to a variety of devices.
  • Huawei, Google create a high-powered single board computer for Android
    The Raspberry Pi is very popular with DIY enthusiasts because of the seemingly endless possibilities of how you can design devices with it. Huawei and Google have created their own single board computer (SBC), but this will probably benefit Android developers more than DIY enthusiasts. The HiKey 960 is a very robust SBC aimed at creating an Android PC or a testing tool for Android apps.
  • Huawei’s $239 HiKey 960 wants to be a high-end alternative to Raspberry Pi
    12.5 million sales in five years – Linaro and Huawei have unveiled a high-end (read: expensive) rival.

Mobile, Tizen, and Android

Leftovers: OSS

  • Is The Open Source Software Movement A Technological Religion?
  • Experts weigh in on open source platforms, market
    In this Advisory Board, our experts discuss the pros and cons of open source virtualization and which platforms are giving proprietary vendors a run for their money.
  • Light a fire under Cassandra with Apache Ignite
    Apache Cassandra is a popular database for several reasons. The open source, distributed, NoSQL database has no single point of failure, so it’s well suited for high-availability applications. It supports multi-datacenter replication, allowing organizations to achieve greater resiliency by, for example, storing data across multiple Amazon Web Services availability zones. It also offers massive and linear scalability, so any number of nodes can easily be added to any Cassandra cluster in any datacenter. For these reasons, companies such as Netflix, eBay, Expedia, and several others have been using Cassandra for key parts of their businesses for many years.
  • Proprietary Election Systems: Summarily Disqualified
    Hello Open Source Software Community & U.S. Voters, I and the California Association of Voting Officials, represent a group of renowned computer scientists that have pioneered open source election systems, including, "one4all," New Hampshire’s Open Source Accessible Voting System (see attached). Today government organizations like NASA, the Department of Defense, and the U.S. Air Force rely on open source software for mission critical operations. I and CAVO believe voting and elections are indeed mission-critical to protect democracy and fulfill the promise of the United States of America as a representative republic. Since 2004, the open source community has advocated for transparent and secure—publicly owned—election systems to replace the insecure, proprietary systems most often deployed within communities. Open source options for elections systems can reduce the costs to taxpayers by as much as 50% compared to traditional proprietary options, which also eliminates vendor lock-in, or the inability of an elections office to migrate away from a solution as costs rise or quality decreases.
  • Microsoft SQL Server on Linux – YES, Linux! [Ed: Marketing and PR from IDG's "Microsoft Subnet"; This headline is a lie from Microsoft; something running on DrawBridge (proprietary Wine-like Windows layer) is not GNU/Linux]

Creative Commons News

  • Creative Commons Is Resurrecting Palmyra
    Creative Commons launched its 2017 Global Summit today with a rather moving surprise: a seven-foot-tall 3D printed replica of the Tetrapylon from Palmyra, Syria. For those who don't know the tragic situation, Palmyra is one of the most historic cities in the world — but it is being steadily destroyed by ISIS, robbing the world of countless irreplaceable artifacts and murdering those who have tried to protect them (the folks at Extra History have a pair of good summary videos discussing the history and the current situation in the city). Among ISIS's human targets was Bassel Khartabil, who launched Syria's CC community several years ago and began a project to take 3D scans of the city, which CC has been gathering and releasing under a CC0 Public Domain license. He was captured and imprisoned, and for the past five years his whereabouts and status have been unknown. As the #FreeBassel campaign continues, Creative Commons is now working to bring his invaluable scans to life in the form of 3D-printed replicas, starting with today's unveiling of the Tetrapylon — which was destroyed in January along with part of a Roman theatre after ISIS captured the city for a second time.
  • Creative Commons: 1.2 billion strong and growing
    "The state of the commons is strong." The 2016 State of the Commons report, issued by Creative Commons this morning, does not begin with those words, but it could. The report shows an increase in adoption for the suite of licenses, but that is not the whole story.