Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Parrot Security OS – A Debian Based Distro for Penetration Testing, Hacking and Anonymity

Filed under
GNU
Linux
Security
Debian

Parrot Security operating system is a Debian-based Linux distribution built by Frozenbox Network for cloud oriented penetration testing. It is a comprehensive, portable security lab that you can use for cloud pentesting, computer forensics, reverse engineering, hacking, cryptography and privacy/anonymity.

Read more

OPNsense 16.7

Filed under
Security
BSD
  • OPNsense 16.7 released
  • pfSense/m0n0wall-Forked OPNsense 16.7 Released

    The latest major release is out of OPNsense, a BSD open-source firewall OS project derived from pfSense and m0n0wall.

    OPNsense 16.7 brings NetFlow-based reporting and export, trafic shaping support, two-factor authentication, HTTPS and ICAP support in the proxy server, and UEFI boot and installation modes.

Security News

Filed under
Security
  • Linux Security Automation at Scale in the Cloud

    Ten years ago it didn’t seem like Linux growth could increase any faster. Then, in 2006, Amazon launched Amazon Web Services (AWS). Linux growth went from linear to exponential. AWS competitors sprang up and were acquired by IBM, Microsoft, and other big players, accelerating Linux expansion even more.

    Linux became the platform of choice for the private cloud. But this movement wasn’t confined to the cloud. A rush to create Linux applications and services spilled over to traditional on premises. Linux had evolved from that obscure thing people ran web servers on to the backbone operating system of the majority of IT.

  • Don’t want to get hacked? Close your laptop.

    My friends often leave their computers open and unlocked. I tell them they should probably get in the habit of locking their computers, but they don’t listen to me. So I’ve created a simple project to hack my friends and show them the importance of computer security.

    All I need to do is wait for them to leave their computer unlocked for a few seconds, open up their terminal, and type a single, short command.

  • Citibank IT guy deliberately wiped routers, shut down 90% of firm’s networks across America

    It was just after 6pm on December 23, 2013, and Lennon Ray Brown, a computer engineer at the Citibank Regents Campus in Irving, Texas, was out for revenge.

    Earlier in the day, Brown – who was responsible for the bank’s IT systems – had attended a work performance review with his supervisor.

    It hadn’t gone well.

    Brown was now a ticking time bomb inside the organisation, waiting for his opportunity to strike. And with the insider privileges given to him by the company, he had more of an opportunity to wreak havoc than any external hacker.

  • Explo-Xen! Bunker buster bug breaks out guests from hypervisor

    A super-bug in the Xen hypervisor may allow privileged code running in guests to escape to the underlying host.

    This means, on vulnerable systems, malicious administrators within virtual machines can potentially break out of their confines and start interfering with the host server and other guests. This could be really bad news for shared environments.

    All versions of open-source Xen are affected (CVE-2016-6258, XSA-182) although it is only potentially exploitable on x86 hardware running paravirtualized (PV) guests. The bug was discovered by Jérémie Boutoille of Quarkslab, and publicly patched on Tuesday for Xen versions 4.3 to 4.7 and the latest bleeding-edge code.

  • Intel Puts Numbers on the Security Talent Shortage

    The cybersecurity shortfall in the workforce remains a critical vulnerability for companies and nations, according to an Intel Security report being issued today.

    Eighty-two percent of surveyed respondents reported a shortage of security skills, and respondents in every country said that cybersecurity education is deficient.

Antivirus Live CD 19.0-0.99.2 Released Based on 4MLinux 19.0 and ClamAV 0.99.2

Filed under
GNU
Linux
Security

Softpedia has been informed by GNU/Linux developer and creator of the 4MLinux project, Mr. Zbigniew Konojacki, about the immediate availability for download of the Antivirus Live CD 19.0-0.99.2 distrolette.

Read more

Security Leftovers

Filed under
Security

Tor: Statement

Filed under
Security

Seven weeks ago, I published a blog post saying that Jacob Appelbaum had left the Tor Project, and I invited people to contact me as the Tor Project began an investigation into allegations regarding his behavior.

Since then, a number of people have come forward with first-person accounts and other information. The Tor Project hired a professional investigator, and she interviewed many individuals to determine the facts concerning the allegations. The investigator worked closely with me and our attorneys, helping us to understand the overall factual picture as it emerged.

Read more

Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Oops: Bounty-hunter found Vine's source code in plain sight

    A bounty-hunter has gone public with a complete howler made by Vine, the six-second-video-loop app Twitter acquired in 2012.

    According to this post by @avicoder (Vjex at GitHub), Vine's source code was for a while available on what was supposed to be a private Docker registry.

    While docker.vineapp.com, hosted at Amazon, wasn't meant to be available, @avicoder found he was able to download images with a simple pull request.

  • US standards lab says SMS is no good for authentication

    America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication.

    That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future releases of NIST's guidance.

Security News

Filed under
Security
  • Security advisories for Monday
  • EU to Give Free Security Audits to Apache HTTP Server and Keepass

    The European Commission announced on Wednesday that its IT engineers would provide a free security audit for the Apache HTTP Server and KeePass projects.

    The EC selected the two projects following a public survey that took place between June 17 and July 8 and that received 3,282 answers.

    The survey and security audit are part of the EU-FOSSA (EU-Free and Open Source Software Auditing) project, a test pilot program that received funding of €1 million until the end of the year.

  • What is your browser really doing?

    While Microsoft would prefer you use its Edge browser on Windows 10 as part of its ecosystem, the most popular Windows browser is Google’s Chrome. But there is a downside to Chrome – spying and battery life.

    It all started when Microsoft recently announced that its Edge browser used less battery power than Google Chrome, Mozilla Firefox or Opera on Windows 10 devices. It also measured telemetry – what the Windows 10 device was doing when using different browsers.

    What it found was that the other browsers had a significantly higher central processing unit (CPU), and graphics processing unit (GPU) overhead when viewing the same Web pages. It also proved that using Edge resulted in 36-53% more battery life when performing the same tasks as the others.

    Let’s not get into semantics about which search engine — Google or Bing — is better; this was about simple Web browsing, opening new tabs and watching videos. But it started a discussion as to why CPU and GPU usage was far higher. And it relates to spying and ad serving.

  • Is Computer Security Becoming a Hardware Problem?

    In December of 1967 the Silver Bridge collapsed into the Ohio River, killing 46 people. The cause was determined to be a single 2.5 millimeter defect in a single steel bar—some credit the Mothman for the disaster, but to most it was an avoidable engineering failure and a rebuttal to the design philosophy of substituting high-strength non-redundant building materials for lower-strength albeit layered and redundant materials. A partial failure is much better than a complete failure.

    [...]

    In 1996, Kocher co-authored the SSL v3.0 protocol, which would become the basis for the TLS standard. TLS is the difference between HTTP and HTTPS and is responsible for much of the security that allows for the modern internet. He argues that, barring some abrupt and unexpected advance in quantum computing or something yet unforeseen, TLS will continue to safeguard the web and do a very good job of it. What he's worried about is hardware: untested linkages in digital bridges.

  • Your Smart Robot Is Coming in Five Years, But It Might Get Hacked and Kill You

    A new report commissioned by the Department of Homeland Security forecasts that autonomous artificially intelligent robots are just five to 10 years away from hitting the mainstream—but there’s a catch.

    The new breed of smart robots will be eminently hackable. To the point that they might be re-programmed to kill you.

    The study, published in April, attempted to assess which emerging technology trends are most likely to go mainstream, while simultaneously posing serious “cybersecurity” problems.

    The good news is that the near future is going to see some rapid, revolutionary changes that could dramatically enhance our lives. The bad news is that the technologies pitched to “become successful and transformative” in the next decade or so are extremely vulnerable to all sorts of back-door, front-door, and side-door compromises.

  • Trump, DNC, RNC Flunk Email Security Test

    At issue is a fairly technical proposed standard called DMARC. Short for “domain-based messaging authentication reporting and conformance,” DMARC tries to solve a problem that has plagued email since its inception: It’s surprisingly difficult for email providers and end users alike to tell whether a given email is real – i.e. that it really was sent by the person or organization identified in the “from:” portion of the missive.

  • NIST Prepares to Ban SMS-Based Two-Factor Authentication

    The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban on SMS-based Two-Factor Authentication (2FA).

    The Digital Authentication Guideline (DAG) is a set of rules used by software makers to build secure services, and by governments and private agencies to assess the security of their services and software.

    NIST experts are constantly updating the guideline, in an effort to keep pace with the rapid change in the IT sector.

  • 1.6m Clash of Kings forum accounts 'stolen'

    Details about 1.6 million users on the Clash of Kings online forum have been hacked, claims a breach notification site.

    The user data from the popular mobile game's discussion forum were allegedly targeted by a hacker on 14 July.

    Tech site ZDNet has reported the leaked data includes email addresses, IP addresses and usernames.

  • Hacker steals 1.6 million accounts from top mobile game's forum

    [Ed: vBulletin is proprietary software -- the same crap Canonical used for Ubuntu forums]

pfSense 2.3.2 Open Source BSD Firewall Distro Arrives with over 70 Improvements

Filed under
Security
BSD

Electric Sheep Fencing LLC, through Chris Buechler, proudly announced on July 25, 2016, the immediate availability for download of the second maintenance update aimed at the pfSense 2.3 series of the FreeBSD-based open-source firewall distribution.

Read more

Syndicate content

More in Tux Machines

Leftovers: Software

  • A Quick Hands-On With Chatty, A Desktop Twitch Chat Client
    Chatty is a desktop Twitch Chat client for Windows, macOS and Linux written in Ja
  • HP Linux Imaging and Printing 3.16.8 Adds Support for Linux Mint 18, Fedora 24
    The open-source HP Linux Imaging and Printing (HPLIP) project has been updated on August 29, 2016, to version 3.16.8, a maintenance update that adds support for new printers and GNU/Linux operating systems. According to the release notes, HP Linux Imaging and Printing 3.16.8 adds support for new all-in-one HP printers, including HP OfficeJet Pro 6970, HP OfficeJet Pro 6960, HP OfficeJet 250 Mobile, HP DeskJet 3700, as well as HP DeskJet Ink Advantage 3700. Also new in the HPLIP 3.16.8 update is support for the recently released Linux Mint 18 "Sarah" Cinnamon, MATE, Xfce, and the upcoming KDE editions, the Fedora 24 Linux operating system, as well as the Debian GNU/Linux 8.5 "Jessie" distribution. So if you're using any of these OSes, you can now update to the latest HPLIP release.
  • MPlayer-Based MPV 0.20.0 Video Player Released with New Options and Commands
    The popular, open-source, and cross-platform MPV video player software received a new update, version 0.20.0, which comes only two weeks after the previous 0.19.0 maintenance release. MPV 0.20.0 is not a major update, and, according to the release notes, it only implements a couple of new options and commands, such as "--video-unscaled=downscale-big" for changing the aspect ratio. Additionally, the MPlayer-based video playback application also gets the "--image-display-duration" option for controlling the duration of image display, and a new "dcomposition" flag for controlling DirectComposition.
  • FFmpeg 3.1.3 "Laplace" Open-Source Multimedia Framework Now Available for Linux
    The major FFmpeg 3.1 "Laplace" open-source and cross-platform multimedia framework has received recently its third maintenance update, version 3.1.3, which brings updated components. FFmpeg 3.1 was announced two months ago, at the end of June, and it introduced a multitude of new features to make the popular multimedia backend even more reliable and handy to game and application developers. Dubbed Laplace, FFmpeg 3.1 is currently the most advanced FFmpeg release, cut from Git master on June 26, 2016.
  • GNU Scientific Library 2.2 released
    Version 2.2 of the GNU Scientific Library (GSL) is now available. GSL provides a large collection of routines for numerical computing in C. This release contains new linear algebra routines (Pivoted and Modified Cholesky, Complete Orthogonal Decomposition, matrix condition number estimation) as well as a completely rewritten nonlinear least squares module, including support for Levenberg-Marquardt, dogleg, double-dogleg, and Steihaug-Toint methods. The full NEWS file entry is appended below.

today's howtos

Leftovers: OSS

  • Report: If DOD Doesn't Embrace Open Source, It'll 'Be Left Behind'
    Unless the Defense Department and its military components levy increased importance on software development, they risk losing military technical superiority, according to a new report from the Center for a New American Security. In the report, the Washington, D.C.-based bipartisan think tank argues the Pentagon, which for years has relied heavily on proprietary software systems, “must actively embrace open source software” and buck the status quo. Currently, DOD uses open source software “infrequently and on an ad hoc basis,” unlike tech companies like Google, Amazon and Facebook that wouldn’t exist without open source software.
  • The Honey Trap of Copy/Pasting Open Source Code
    I couldn’t agree more with Bill Sourour’s article ‘Copy.Paste.Code?’ which says that copying and pasting code snippets from sources like Google and StackOverflow is fine as long as you understand how they work. However, the same logic can’t be applied to open source code. When I started open source coding at the tender age of fourteen, I was none the wiser to the pitfalls of copy/pasting open source code. I took it for granted that if a particular snippet performed my desired function, I could just insert it into my code, revelling in the fact that I'd just gotten one step closer to getting my software up and running. Yet, since then, through much trial and error, I’ve learned a thing or two about how to use open source code effectively.
  • Affordable, Open Source, 3D Printable CNC Machine is Now on Kickstarter
    The appeals of Kickstarter campaigns are many. There are the rewards for backers, frequently taking the form of either deep discounts on the final product or unusual items that can’t be found anywhere else. Pledging to support any crowdfunding campaign is a gamble, but it’s an exciting gamble; just browsing Kickstarter is pretty exciting, in fact, especially in the technological categories. Inventive individuals and startups offer new twists on machines like 3D printers and CNC machines – often for much less cost than others on the market.
  • Open Standards and Open Source
    Much has changed in the telecommunications industry in the years since Standards Development Organization (SDOs) such as 3GPP, ITU and OMA were formed. In the early days of telecom and the Internet, as fundamental technology was being invented, it was imperative for the growth of the new markets that standards were established prior to large-scale deployment of technology and related services. The process for development of these standards followed a traditional "waterfall" approach, which helped to harmonize (sometimes competing) pre-standard technical solutions to market needs.

Leftovers: BSD

  • The Voicemail Scammers Never Got Past Our OpenBSD Greylisting
    We usually don't see much of the scammy spam and malware. But that one time we went looking for them, we found a campaign where our OpenBSD greylisting setup was 100% effective in stopping the miscreants' messages. During August 23rd to August 24th 2016, a spam campaign was executed with what appears to have been a ransomware payload. I had not noticed anything particularly unusual about the bsdly.net and friends setup that morning, but then Xavier Mertens' post at isc.sans.edu Voice Message Notifications Deliver Ransomware caught my attention in the tweetstream, and I decided to have a look.
  • Why FreeBSD Doesn't Aim For OpenMP Support Out-Of-The-Box