Security

Flatkill and Latest Security Patches

Filed under
Security

  • Confronting Flatkill: The Case Against Flatpaks - YouTube

    Flatpaks are a very useful tool; however, they're not perfect, and some people have taken it upon themselves to show off the problems that exist with them. In this case, this author discusses some of the security problems, but they make a few very simple mistakes along the way.

  • Security updates for Tuesday [LWN.net]

    Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown).

Tor, Proprietary Software, DRM, and Security

Filed under
Security
  • New Release: Tor Browser 10.0a9 (Android Only)

    Android Tor Browser 10.0a9 is now available from the Tor Browser Alpha download page and also from our distribution directory.

    Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

  • What Is Google Widevine DRM and Why Do You Need It?

    If you’re streaming content from services like Netflix and Hulu, you may have seen a prompt to install Google Widevine. Depending on your device and browser, it may already be built in by default. Either way, many users want to know exactly what it is and what it does. The good news is it isn’t a virus and it’s safe. It’s also required to view certain streaming content.

  • Nitro PDF maker hit by breach it says is 'isolated', sec firm claims otherwise

    A software firm that had its origins in Melbourne has suffered a data breach that it has described in a notice to the ASX as "an isolated security incident" but which cyber security provider Cyble has claimed is a massive leak that affects companies like Google, Microsoft, Apple, Chase and Citibank.

  • Biden Campaign App '[Crack]' Shows Him Wearing MAGA Hat, Telling People to Vote Trump

    According to a video demonstration published today by experts from Norwegian mobile security company Promon, the software is open to attack via a bug called StrandHogg, which can be abused by malicious hackers to put fake overlay screens over apps and steal sensitive information, including usernames and passwords.

    In a test showing how such an attack could appear in the real world, the team was able to exploit the bug and insert a picture overlay on the Biden campaign app.

  • ENTERPRISES SHOULD FIX THESE 25 FLAWS [Ed: NSA fails to mention Microsoft Windows as a whole (because it has "good" back doors in it)]

    The United States National Security Agency identified 25 vulnerabilities in software that are most commonly targeted by state-sponsored attackers from China. Setting aside the question of whether or not the enterprise is more likely to be targeted by nation-state attackers or cyber-criminals, the list provides enterprise IT staff with a good starting place on which vulnerabilities to prioritize.

    The vulnerabilities on NSA’s list can be used to gain initial access to enterprise networks by targeting systems directly accessible from the Internet. Seven of the flaws are in remote access gateways, three are found in networking equipment, and three impact public-facing servers. Once in the network, the attacker can use other vulnerabilities to find other systems to compromise and carry out their activities. Seven flaws on the list involve internal servers, two affect Active Directory, and one exists in mobile device management.

IPFire 2.25 - Core Update 151 released

Filed under
OSS
Security

IPFire 2.25 - Core Update 151 has been released. It comes with various package updates and a number of bug fixes in IPFire Location and security improvements in the SSH service.

Since the rollout of our new location database, we have made various improvements on the software implementation to increase accuracy and speed. These are now all included in this Core Update.

In addition to that, we now show whether an IP address is marked as an "anonymous proxy", "satellite provider" or "anycast" which helps debugging network issues and investigating attacks.

Latest Security Patches and Reproducible Builds

Filed under
Security
  • Security updates for Monday [LWN.net]

    Security updates have been issued by Debian (fastd, freetype, openjdk-11, phpmyadmin, and thunderbird), Fedora (ant, firefox, freetype, kde-partitionmanager, kpmcore, mupdf, python-PyMuPDF, singularity, suricata, and zathura-pdf-mupdf), Mageia (claws-mail, nss, firefox, pdns-recursor, and thunderbird), openSUSE (atftp, chromium, firefox, freetype2, gnutls, hunspell, kleopatra, and opera), Oracle (firefox, java-11-openjdk, and kernel), Red Hat (firefox and kpatch-patch), SUSE (bluez, firefox, glibc, libcdio, rmt-server, and SDL), and Ubuntu (freetype, pam-python, and perl).

  • Reproducible Builds: Second Reproducible Builds IRC meeting

    Please join us on the #reproducible-builds channel on irc.oftc.net — an agenda is available. As mentioned in our previous meeting announcement, due to the unprecedented events in 2020, there will be no in-person Reproducible Builds event this year, but we plan to run these IRC meetings every fortnight.

Kodachi 7.4 The Secure OS

Filed under
GNU
Linux
Security

Linux Kodachi operating system is based on Xubuntu 18.04.5. It will provide you with a secure, anti-forensic, and anonymous operating system, considering all features that a person who is concerned about privacy would need to have in order to be secure.

Kodachi is very easy to use: all you have to do is boot it up on your PC via USB drive, then you should have a fully running operating system with established VPN connection + Connection established + service running. No setup or knowledge is required from your side; it's all been automated for you. The entire OS is functional from your temporary memory RAM, so once you shut it down no trace is left behind; all your activities are wiped out.

Security Leftovers

Filed under
Security
  • Security updates for Friday [LWN.net]

    Security updates have been issued by Gentoo (freetype), openSUSE (mailman), Red Hat (firefox, java-11-openjdk, OpenShift Container Platform 3.11.306 jenkins, and rh-maven35-jackson-databind), SUSE (kernel, mercurial, openldap2, python-pip, and xen), and Ubuntu (firefox, netty-3.9, and python-pip).

  • An Analysis of 5 Million OpenPGP Keys

    In July I finished my Bachelor’s Degree in IT Security at the University of Applied Sciences in St. Poelten. During the studies I did some elective courses, one of which was about Data Analysis using Python, Pandas and Jupyter Notebooks. I found it very interesting to do calculations on different data sets and to visualize them. Towards the end of the Bachelor I had to find a topic for my Bachelor Thesis and as a long time user of OpenPGP I thought it would be interesting to do an analysis of the collection of OpenPGP keys that are available on the keyservers of the SKS keyserver network.

    So in June 2019 I fetched a copy of one of the key dumps of one of the keyservers (some keyservers publish these copies of their key database so people who want to join the SKS keyserver network can do an initial import). At that time the copy of the key database contained 5,499,675 keys and was around 12GB. Using the hockeypuck keyserver software I imported the keys into a PostgreSQL database. Hockeypuck uses a table called keys to store the keys and in there the column doc stores the OpenPGP keys in JSON format (always with a data field containing the original unparsed data).

    For the thesis I split the analysis in three parts, first looking at the Public Key packets, then analysing the User ID packets and finally studying the Signature Packets. To analyse the respective packets I used SQL to export the data to CSV files and then used the pandas read_csv method to create a dataframe of the values. In a couple of cases I did some parsing before converting to a DataFrame to make the analysis step faster. The parsing was done using the pgpdump python library.

    Together with my advisor I decided to submit the thesis for a journal, so we revised and compressed the whole paper and the outcome was now

  • Exploring 8chan's hosting infrastructure | Netcraft News

    In a recent post, Brian Krebs discussed a technique for disrupting 8chan, a controversial message board. Ron Guilmette, a security researcher, spotted that N.T. Technology, the hosting company owned by 8chan’s current operator, no longer has the right to transact business as it is in the “administrative hold” state. ARIN, the Internet registry N.T. Technology obtained its IP address allocation from, would be within its rights to reclaim the IP address space.

    Ron Guilmette is an expert in this type of analysis - last year he discovered the theft of $50 million worth of IP addresses in AFRINIC’s service region.

    However, taking down 8chan is unlikely to be as simple as requesting that ARIN deallocates its IP address space. After deallocation, the IP addresses may continue to be advertised as fullbogons - netblocks that are used on the Internet despite not being assigned to an end user. While some Internet service providers do block fullbogons, this is by no means universal.

  • 23 Extensions to Enhance your Security and Privacy on Google Chrome and Chromium-based Browser

    According to a statistical report published by Statista in July 2020, Google Chrome accounted for 69% of the global desktop web-browser market share by June 2020, with 11% increase from the last year.

    Google Chrome is mostly based on Chromium which is an open-source web-browser released and maintained by Google. Chromium itself is the base for a dozen other browsers that are compatible with Google Chrome Web store.

    In this article we will guide you through the best privacy and security browser extensions for Google Chrome and Chromium-based web browsers that support Google Chrome Web store.

Security Leftovers

Filed under
Security
  • Free XSS Tools – Linux Hint

    Cross-Site Scripting, commonly known as XSS, is a type of vulnerability in which attackers remotely inject custom scripts on web pages. It commonly occurs in sites where data input parameters are improperly sanitized.

    Sanitization of inputs is the process of cleansing of the inputs, so the data inserted is not used to find or exploit security holes in a website or server.

    Vulnerable sites are either unsanitized or very poorly and incompletely sanitized. It is an indirect attack. The payload is indirectly sent to the victim. The malicious code is inserted on the website by the attacker, and then it becomes a part of it. Whenever the user (victim) visits the webpage, the malicious code is moved to the browser. Hence, the user is unaware of anything happening.

  • Google Chrome Update for Windows, Mac, Linux Fixes Critical Zero-Day Bug | Technology News

    Google Chrome stable channel users are receiving an update that brings along multiple security fixes. Update v86.0.4240.111 includes a fix for zero-day vulnerability CVE-2020-15999 discovered by a member in Google's Project Zero team. This new zero-day vulnerability is reported to be a memory bug in the FreeType font rendering library. This was spotted being abused by a threat actor. Chrome users are recommended to install this latest update by going into the Help section.

    The tech giant has confirmed via a blog post that it has updated the Chrome stable channel to 86.0.4240.111 for Windows, Mac, and Linux users. This update will roll out for all users in the coming week. Chrome users can update to the latest version via the integrated update function inside the browser itself. Hit the three dots on the top right corner of the browser window and select Help > About Google Chrome. Here it will show you any pending update, and after installation, it will ask you to relaunch the browser to finish the updating process.

  • Josh Bressers: Episode 218 – The past was a terrible place

    Josh and Kurt talk about change. Specifically we discuss how the past was a terrible place. Never believe anyone who tells you it was better. Part of a career now is learning how to learn. The things you learn today won’t be useful skills in a few years. The future is always better than the past. Even in 2020.

  • Josh Bressers: Episode 219 – Chat with Larry Cashdollar

    Josh and Kurt have a chat with Larry Cashdollar. The three of us go way back. Larry has done some amazing things and he tells us all about it!

  • Josh Bressers: Episode 220 – Securing network time and IoT

    Josh and Kurt talk about Network Time Security (NTS) how it works and what it means for the world (probably not very much). We also talk about Singapore’s Cybersecurity Labelling Scheme (CLS). It probably won’t do a lot in the short term, but we hope it’s a beacon of hope for the future.

Security: Patches, FUD, and Incidents

Filed under
Security
  • Making the Grade with Linux and Cybersecurity at the Intelligent Edge

    As intelligent edge deployments accelerate, we have reached a crossroads where many are being forced to choose between the accessibility, ease of use, flexibility, and leading-edge capabilities of open source software and the safety and security of systems in the field. How we proceed has the potential to lead massive transformation in the embedded industry.

    “Using open source early in the proof-of-concept cycle means taking advantage of the rapid pace of open source innovation,” says Matt Jones, Chief Architect at Wind River. “Taking your solution to market comes with additional measures meant to protect your device throughout its lifecycle.”

  • Security updates for Thursday [LWN.net]

    Security updates have been issued by Arch Linux (freetype2), Debian (bluez, firefox-esr, and freetype), Fedora (firefox), openSUSE (chromium), Oracle (kernel), Red Hat (java-11-openjdk), Slackware (kernel), SUSE (freetype2, gnutls, kernel, php7, and tomcat), and Ubuntu (flightgear, italc, libapache2-mod-auth-mellon, libetpan, and php-imagick).

  • Snyk to automatically check Docker Official Images for security problems [Ed: ZDNet pushing FUD vendors again, ones connected to Microsoft]
  • OpenDev’s Gerrit deployment back online after suspected admin account compromise

    OpenDev.org’s Gerrit deployment has been restored after being taken offline following the detection of malicious activity on its repositories.

    The repositories were disabled two hours after project maintainers were alerted to a suspected security breach on Tuesday morning (October 20).
    “We believe an admin account in Gerrit was compromised allowing an attacker to escalate privileges within Gerrit,” said Clark Boylan in a service announcement issued later that day.
    “Around 02:00 UTC October 20 suspicious review activity was noticed, and we were made aware of it shortly afterwards.

    “The involved account was disabled and removed from privileged Gerrit groups. After further investigation we decided that we needed to stop the service, this happened at about 04:00 UTC.”

Gerrit code review tool taken offline after suspected admin account compromise

Filed under
Development
Security

Gerrit has been taken offline after malicious activity was flagged on the open source code collaboration platform.

The web-based Git code review service was disabled two hours after project maintainers were alerted to a suspected security breach on Tuesday morning (October 20).

“We believe an admin account in Gerrit was compromised allowing an attacker to escalate privileges within Gerrit,” said Clark Boylan in a service announcement issued later that day.
“Around 02:00 UTC October 20 suspicious review activity was noticed, and we were made aware of it shortly afterwards.

“The involved account was disabled and removed from privileged Gerrit groups. After further investigation we decided that we needed to stop the service, this happened at about 04:00 UTC.”

Security Leftovers

Filed under
Microsoft
Security
More in Tux Machines

WordPress 5.6 Second Beta and WordPress Survey

  • News – WordPress 5.6 Beta 2 – WordPress.org

    WordPress 5.6 beta 2 is now available for testing! This software is still in development, so we recommend that you run this version on a test site.

  • News – Take the 2020 WordPress Annual Survey (and view the 2019 results)! – WordPress.org

    For many years, WordPress enthusiasts have filled out an annual survey to share their experiences and feelings about WordPress. Interesting results from this survey have been shared in the annual State of the Word address and/or here on WordPress News. This survey helps those who build WordPress understand more about how the software is used, and by whom. The survey also helps leaders in the WordPress open source project learn more about our contributors’ experience. To ensure that your WordPress experience is represented in the 2020 survey results, Take the 2020 Annual Survey! (English) You can also take the survey in French, German, Japanese, Russian, and Spanish! The survey will be open for at least 6 weeks, and results will be posted on this blog. [...] The WordPress Professionals group consists of those who: work for a company that designs/develops websites; use WordPress to build websites and/or blogs for others; design or develop themes, plugins, or other custom tools for WordPress sites; or are a designer, developer, or other web professional working with WordPress. This WordPress Professionals group is further divided into WordPress Company Pros (those who work for a company that designs/develops websites) and WordPress Freelancers/Hobbyists (all other professional types) subgroups.

FreeBSD 12.2

  • FreeBSD 12.2-RELEASE Announcement

    The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 12.2-RELEASE. This is the third release of the stable/12 branch.

  • October 2020

    27 October: FreeBSD 12.2-RELEASE is now available. Please be sure to check the Release Notes and Release Errata before installation for any late-breaking news and/or issues with 12.2. More information about FreeBSD releases can be found on the Release Information page.

Also: This summer in KDE-FreeBSD | [bobulate]

Games: Stadia, Graveyard Keeper and Wildermyth

  • Stadia Pro for November has Sniper Elite 4, Risk of Rain 2, Republique and new releases | GamingOnLinux

    Google has announced the latest set of Stadia Pro games, along with new titles about to release like Sekiro: Shadows Die Twice and Watch Dogs: Legion. PLUS news of Ubisoft+ coming to Stadia soon. What is Stadia? A quick primer for people not following: it's a game streaming service that uses Debian Linux under the hood along with the Vulkan graphics API. Playable on Linux in Chromium / Chrome browsers. You can either buy games, or subscribe to Stadia Pro to claim games each month (or do both).

  • Graveyard Keeper - Game Of Crone expansion is out now | GamingOnLinux

    Graveyard Keeper - Game Of Crone is an expansion to the medieval graveyard building and management sim that's like a morbid take on Stardew. This fresh expansion adds in another bunch of hours (6-12 they said approximately) to play through, along with a whole new story to follow where you help a bunch of escaped prisoners build up a camp. "You’ll have to help the escaped prisoners of the Inquisition survive in the wilderness by providing them with everything they need. To develop their camp to a fortified settlement while keeping in mind its benefits. To protect those who entrusted you with their lives, from the sword and fire. And also - to untangle the circumstances of the cruel game, which turned into the Great Blast and the return of the Ancient Curse."

  • Papercraft styled tactical-RPG 'Wildermyth' has a big new campaign out | GamingOnLinux

    Wildermyth is the character-driven, procedurally-generated tactical RPG with an art style resembling papercraft and it's brilliant. Now it's also bigger with a big campaign update out. In Wildermyth you play through various generated campaigns, each of which mixes things up like characters and events and so every play-through is different. You're supposed to see it as something resembling a classic tabletop RPG experience. Mixing together a party-based RPG with overworld exploration, random events and tactical turn-based combat there's a lot to love about it.

  • Godot Web export progress report #3

    Howdy Godotters! It's-a me! Fabio! It is time for an update on the Godot export for the Web. In the last few months, a lot has been going on regarding the Godot export for the Web. Most of the enhancements mentioned in the previous report have now been merged into the master branch, and backported to 3.2 (included in 3.2.4 beta 1). This sadly does not yet include the virtual keyboard support, since implementing it without impacting the experience on touchscreen-enabled devices that also have a physical keyboard has proven harder than expected. There is great news, though, on the other topic mentioned in that report, which is... GDNative support on HTML5 exports! Additionally, a new prototype version of the Godot Web Editor is now available for you to try out.

Android Leftovers