Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 514
Alerts This Week
Warning Icon 1 514

Stay Ahead With Linux Security News

Filter%20icon Refine news
X Clear Filters
X Clear Filters
View More
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security news

We found 1,204 articles for you...
67

Linux Kernel Gains Hardware-Wrapped Encryption Keys

Let’s dive into the latest leap for Linux security: hardware-wrapped inline encryption keys. You might have heard about this feature making its way into the mainline Linux kernel with version 6.16. It's a fascinating piece of technology, particularly if you're someone who frets about keeping your data secure , especially against physical attacks. This feature, initially used in Android devices, promises to add a robust layer of security for encryption keys using dedicated hardware capabilities. It's been a niche topic until now, mainly because it required specific hardware support—something that's increasingly common in modern devices. . So why should you care? Well, any place where keeping data secure is critical—think of corporate laptops, secure mobile devices, and servers that aren't in the most controlled environments—could benefit immensely from this development. Picture it like this: your encryption keys, which are as sensitive as it gets, never appear as plaintext in system memory. This means even if someone gets their hands on your machine and tries to perform a cold boot attack, they’d hit a wall. The keys are entirely managed by the secure hardware, essentially insulated from the rest of the system. Enhanced Protection Against Cold Boot Attacks One of the most compelling advantages of hardware-wrapped inline encryption keys is the enhanced defense against cold boot attacks. Picture a scenario where an attacker physically accesses a system and tries to extract sensitive information directly from the memory. It’s an old trick but a highly effective one if your keys are floating around in plain text. With hardware-wrapped keys, the encryption keys for file content are never exposed in plaintext in system memory. Instead, they’re generated, stored, and managed within secure hardware modules. This change makes a cold boot attack significantly more challenging. In systems equipped with proper hardware, such as Qualcomm’s Hardware Key Manager (HWKM) , encryption keys arelocked tightly within the hardware. The software and the system memory only ever interact with these keys in their securely wrapped state. This means that even if an attacker manages to dump the entire system memory, they won't get access to your plaintext keys. Inline Encryption for Filesystem-Level Security The way this system works in practice is by employing inline encryption hardware via blk-crypto. Think of it as taking the heavy lifting of encryption duties off your CPU and handing it over to a specialized component that's built just for this purpose. This allows you to offload the encryption work to hardware, which not only boosts performance but also enhances security. File operations like file content encryption are handled at the hardware level, significantly reducing the window of opportunity for key exposure. When this comes into play with Qualcomm’s Inline Crypto Engine (ICE) , you get a performance boost on top of the security enhancements. The encryption processes are streamlined and become almost invisible to the user, as the hardware handles everything in the background. What’s even better is that this offloading doesn’t just benefit security; it also means less strain on the CPU, leading to potentially better system performance and efficiency. Ready for Upstream Deployment The exciting part about this update is that it’s finally reaching the mainline kernel, making it accessible to more users. While Android has been using this feature for a while, it’s significant to see it upstream in Linux 6.16. For now, this feature’s full potential is realized on specific platforms, like those with Qualcomm SM8650 HDK, as they are the most ready for end-to-end hardware-wrapped key support. But don’t worry. The tech ecosystem evolves quickly, and more hardware and drivers supporting this feature are sure to be rolled out in future kernel releases. In other words, the framework is now in place, and it’s only a matter of time before more hardware supports it, broadeningits applicability. Filesystem Compatibility You might be wondering how this impacts the filesystems you use. The good news is that this feature isn’t tied to a specific filesystem. It works independently, meaning it’s been made compatible with popular filesystems like ext4 and f2fs. There is no need for significant modifications to these filesystems for you to start benefiting from hardware-wrapped keys. This compatibility ensures a smooth transition and early adoption without the need to overhaul your existing setup. It’s as if you’re upgrading your car with a top-of-the-line security system that doesn’t require changing the engine or the wheels. It becomes straightforward, almost seamless, for those looking to adopt it. There’s no steep learning curve or complicated integration process. You’re simply plugging into a more secure method of managing encryption keys, without disrupting your existing operations. What Misconceptions Exist About About Hardware-wrapped Keys? There might be a couple of misconceptions swirling around about hardware-wrapped keys that need addressing. First off, this isn’t purely a software upgrade. It heavily depends on hardware support. This means that if your platform lacks the necessary hardware elements, like Qualcomm’s ICE and HWKM, you’re out of luck on this one. This isn’t a magic fix you can apply with a software patch. Also, while hardware-wrapped keys significantly improve security, especially against physical attacks like cold boot attacks, they don’t make your system invincible to other forms of attack. For example, it doesn’t protect against remote exploits, privilege escalation, or many other attack vectors. Think of it as adding another layer of defense that makes your overall security posture way stronger but doesn’t solve all security threats outright. What Are the Implications for Security Planning? If you’re in charge of security for Linux systems, this development should get your gears turning. The first step isverifying whether your hardware supports this feature. It’s an essential step because, without the right hardware, you can’t use this feature. If your hardware checks out, the next step is planning the deployment. Incorporating hardware-wrapped keys can significantly enhance the security of systems that handle sensitive data or operate in less controlled environments. Imagine you handle corporate laptops that might be exposed to various physical threats, or perhaps you manage servers that aren’t always in the most secure facilities. Hardware-wrapped keys can make these systems much more resilient. You’re essentially adding a sophisticated, hardware-backed layer of protection that isolates the most sensitive part of your encryption infrastructure from potential attackers. Security planning will need to consider integrating this new feature in ways that maximize its benefits while acknowledging its limitations. It’s a game-changer in terms of protecting against specific types of physical attacks, but it should be one element of a multi-faceted security strategy. The New Standard in Secure Key Management Linux 6.16's introduction of hardware-wrapped inline encryption keys heralds a significant advancement in secure key management practices for Linux systems. By using secure hardware to generate, store, and manage encryption keys, this feature enhances protection against physical attacks, particularly cold boot attacks. As more compatible hardware becomes available, Linux systems will increasingly benefit from these modern cryptographic workflows, offering increased security without sacrificing performance. For those overseeing sensitive or critical systems, this is an advancement worth watching closely. It provides a robust, hardware-backed method of securing encryption keys, pushing the envelope of what’s possible in Linux security. . So why should you care? Well, any place where keeping data secure is critical—think of corporate l. let’s, latest, linux, security, hardware-wrapped,inline, encryption. . Brittany Day

Calendar%202 May 29, 2025 User Avatar Brittany Day Cryptography
67

When Security Hinges on a Single Key: A Wake-Up Call for Admins

Admins managing Linux systems know firsthand that security isn’t just about firewalls, encryption, and monitoring tools. Often, it’s the more minor, seemingly mundane details that make or break long-term protection. Recently, the Kali Linux community learned this the hard way when the maintainers of the widely used penetration testing distribution admitted they had lost access to their repository’s signing key. This incident disrupted how admins update their systems and offered crucial lessons about key management, emergency preparedness, and the importance of ensuring infrastructure security. . The signing key is a critical component of how Kali Linux—and most modern Linux distributions—verifies the authenticity and integrity of packages before users install or update them. Without a valid key, security-conscious users are left in an awkward position: they must trust unverified updates or halt updates altogether. To address the situation, Kali Linux rolled out a new signing key, but admins are now required to update their systems to continue receiving updates manually. This incident is a critical reminder of the fragility of key-dependent ecosystems and presents an ideal opportunity to discuss how we can build more resilient security models. Let's examine how this incident occurred, its impact on Kali Linux users, and what we can learn from this distressing event. How Did This Happen? Loss of access to an essential signing key can occur for various reasons, including human error, system mismanagement, personnel changes, or compromise or theft. While the Kali Linux team hasn't revealed specifics about why their signing key was lost, they have assured users that there is no evidence to indicate the old key has been compromised. Regardless of this reassurance, however, the practical impact on users is significant. Without this key, existing Kali installations can no longer verify updates and will be frozen until a replacement key is installed and verified. To address thisproblem, the Kali team issued detailed instructions on how users can download and manually install their new signing key. While this can be achieved successfully by experienced administrators, this requirement disrupts regular workflows while offering an important lesson about system design: how reliant modern Linux package management systems are on signing keys that represent trust-dependent relationships. Trust can be easily lost when this integrity is degraded. Additionally, this incident highlights one of the enduring challenges in open source: striking a balance between decentralization and accountability. Open-source projects rely on relatively small teams of maintainers - even for something as widely used as Kali Linux - who may lack resources or protocols that enterprise organizations typically establish for redundancy or recovery. The Crucial Role of Signing Keys in Linux Security Having a solid grasp of signing keys is essential to understanding the significance of an incident like what recently happened to Kali Linux. Every package or update is cryptographically signed using its private signing key before being installed or updated by users. Once downloaded or upgraded software arrives at users' package managers, they compare these signatures against local public keys. If valid signatures match those stored locally, the installation proceeds; otherwise, it stops immediately. Trust models help users ensure that the software they're installing comes from reliable sources and is unmodified. This forms the cornerstone of secure software distribution, protecting users against supply chain attacks that might include attempts by an adversary to inject malicious code into legitimate package repositories. However, the success of Kali Linux's model relies heavily on maintaining secure private keys. Should any become compromised, as was seen with Kali Linux, users lose the ability to verify the authenticity of packages, and therefore, updates to the infrastructure can halt completely. Whileno evidence suggests that malicious activity was behind this incident, if an organization loses access to its signing key without a recovery or rollover plan in place, updating its infrastructure can come to a complete halt. Lessons for CISOs and Administrators The Kali Linux signing key incident is a stark reminder of the vital importance of sound key management practices, especially when it comes to security protocols. There are multiple key takeaways from this experience that CISOs should consider when reviewing their security protocols. Key management should always take precedence and not be treated as an afterthought. This means securing private keys and ensuring they are stored safely, with restricted access and appropriate backup plans in place. If someone loses one, this loss should never lead to total disruption. Redundancy measures, such as secure backup keys stored in offline locations, should also be implemented to facilitate seamless rollovers between key holders. Second, organizations implementing their signing infrastructure must establish an incident response plan for managing key-related disruptions. While the Kali Linux team quickly issued new keys and communicated them to users, having a pre-tested plan ready can ensure transitions go more smoothly for those affected. Any confusion regarding key distribution can cause mistrust among users or administrative delays. Admins overseeing systems that rely on external repositories, such as Kali Linux, should regularly assess updates to maintain trust between systems. This involves verifying package integrity, validating signing keys, and monitoring announcements from upstream maintainers. Proactively monitoring key expiration dates and vulnerabilities published can reduce surprises. Finally, this incident serves as a wake-up call for organizations deploying Linux at scale to move beyond the assumptions underlying open-source security models. Although Linux provides mechanisms of trust built into its ecosystem, these mechanismsonly go as far as the humans and processes supporting them. Systems that depend on single points of failure — whether signing keys, maintainers, or repository servers — must be revised for continuity and resilience against unexpected disruptions. Our Final Thoughts: A Teachable Moment for All Kali Linux's signing key issues may appear minor at first glance, yet their implications extend well beyond mere inconvenience to users. This incident is a reminder of the key role signing keys play in building trust—and the repercussions of losing access to them. This event also served as a timely reminder about redundancy, preparedness, and clear communication during security incidents. Overall, this incident highlights the fragility of the infrastructure we depend on daily. By learning from it and reinforcing our protocols accordingly, we can better equip our systems to deal with anything unexpected - be it lost signing keys or more serious breaches of trust. In a world where security only stands as strong as its weakest link, every preparation counts! . Examining the critical lessons from the Kali Linux signing key incident, a reminder for effective key management practices.. admins, managing, linux, systems, firsthand, security, isn’t, about, firewalls, encryption. . Brittany Day

Calendar%202 Apr 30, 2025 User Avatar Brittany Day Cryptography
67

IPFire 2.29 Core Update 193: Key Improvements in Security and Defense

The latest IPFire 2.29 Core Update 193 release is a significant milestone for Linux security admins looking to boost their network defenses. This powerful, open-source firewall distribution has now integrated post-quantum cryptography, enhancing its resilience against future quantum computing threats. . By default, new IPsec tunnels will now leverage strong cryptographic algorithms like ML-KEM, securing your network's encrypted traffic against even the most sophisticated attacks. Alongside these security advancements, this update also brings crucial component updates like glibc 2.41 and Binutils 2.44, fortifying the firewall's performance and stability with optimized code generation techniques. With a host of updates across key packages and the inclusion of DNS-over-TLS for encrypted DNS queries, IPFire 2.29 is designed to provide cutting-edge protection in an ever-changing digital landscape. We Linux security admins should prioritize installing this update to harness these advanced security features and ensure our networks are safeguarded against present and emerging threats. In addition to implementing the new cryptographic protocols for IPsec tunnels, this update addresses several vulnerabilities. It includes comprehensive enhancements across various components, making it a critical upgrade for maintaining robust and secure network environments. In this article, I'll examine the new features and updates included in IPFire 2.29 Core Update 193, offering practical insights to help you make the most of these improvements. Preparing for Future Threats with Post-Quantum Cryptography One of the key updates in IPFire 2.29 is its implementation of post-quantum cryptography for IPsec tunnels. As quantum computing technology progresses, its decryption capabilities become an ever-increasing threat to existing cryptographic algorithms. Post-quantum cryptography uses quantum-resistant algorithms designed to protect data against the decryption abilities of quantum computers. By includingthis cryptography, IPFire ensures its IPsec tunnels provide robust protection from threats both present and anticipated in the future. IPsec tunnels that use strong cryptographic algorithms like ML-KEM by default greatly strengthen encrypted traffic within your network, creating more robust protection. As cybersecurity threats advance over time, IPFire's vision in including post-quantum cryptography displays its dedication to providing future-proof security solutions. We, Linux security administrators, should make this change to new IPsec tunnels so our networks stay ahead of this cyber arms race and gain superior protection. Enhanced Performance and Stability Through Updated Components IPFire 2.29 Core Update 193 introduces several important component updates alongside its quantum-resistant encryption feature. Notable among them are updates to the GNU C Library 2.41 and Binutils 2.44 , which have significant impacts. THE GNU C Library is integral to the Linux operating system's performance and application stability. By updating to version 2.41, this upgrade enhances system call performance while adding various security and functionality improvements. Binutils 2.44, including core tools like the GNU assembler and linker, further increases IPFire's performance. Optimized versions of these essential compilation tools help accelerate software compilation speeds. This means an even stronger firewall system capable of efficiently handling demanding network security tasks. Securing DNS Queries with DNS-over-TLS IPFire 2.29 Core Update 193 offers another significant advancement with support for DNS-over-TLS (DoT) . DNS queries provide essential services, but traditional ones sent as plain text leave them vulnerable to various attacks, such as man-in-the-middle attacks and eavesdropping. DNS-over-TLS encryption adds another level of protection against interception or manipulation by providing an extra layer of protection and keeping traffic secure from interruption. Security admins lookingto increase privacy and integrity can greatly benefit from configuring DNS-over-TLS (DoT) within IPFire. DoT encryption protects internal DNS resolutions against external threats while remaining private, providing additional layers of defense in environments where privacy and data security are paramount. Addressing Vulnerabilities for a Safer Network Environment Alongside new features, IPFire 2.29 Core Update 193 addresses multiple vulnerabilities to ensure system protection against known threats. Staying up-to-date with software patches and fixes is key for network security; thus, this update includes patches for multiple security issues that malicious actors might otherwise exploit. We, Linux security admins, must include updates in our routine maintenance schedule to safeguard our network against potential attacks. IPFire 2.29 helps create a safer network environment capable of withstanding various cyber threats by immediately addressing vulnerabilities as they arise. Staying Current with Comprehensive Package Updates Updating a firewall's core components is critical, but maintaining all associated packages also plays a key role in ensuring maximum security. IPFire 2.29 Core Update 193 includes updates for several packages, including bug fixes, security patches, and potentially new features. Admins prioritizing maintaining an up-to-date system can take advantage of technological innovations and security measures that keep pace with advancements while minimizing potential vulnerabilities and optimizing network security tools' functionality at maximum performance levels. IPFire's dedication to keeping its packages current displays its position as a reliable firewall solution. Our Final Thoughts on Improving Network Security with IPFire 2.29 Core Update 193 IPFire 2.29 Core Update 193 brings many enhancements and features essential for admins looking to maintain a robust network infrastructure. These features include post-quantum cryptography support, updated core components,DNS-over-TLS support, and ongoing vulnerability management, creating an up-to-date firewall solution suitable for the future. As cyber threats proliferate, our tools and strategies for mitigating them must advance. IPFire 2.29 Core Update 193 showcases this advancement with cutting-edge features designed to address both current and emerging threats—something security admins will appreciate as more than an incremental enhancement. Rather, it offers real solutions for protecting digital perimeters efficiently. You can download IPFire 2.29 Core Update 193 from the official IPFire website. . Upgrade IPFire by integrating post-quantum cryptography and DNS-over-TLS to bolster your defense against emerging threats.. IPFire, post-quantum cryptography, network security, DNS-over-TLS. . Brittany Day

Calendar%202 Apr 14, 2025 User Avatar Brittany Day Cryptography
67

How Passkey Solutions Revolutionize Authentication in Open-Source Security

Security in open-source projects has always been a challenge. The very nature of open-source software encourages collaboration, transparency, and improvement, all of which make the system potentially more exposed to risks. . One of the most critical yet vulnerable areas is user authentication. For decades, passwords have been the de facto method for authentication. Still, their poor user practices, susceptibility to phishing, and brute-force vulnerabilities have begun to make them an increasingly unreliable solution. Passkey solutions are emerging as a transformative authentication method addressing most of these issues by using public-key cryptography coupled with biometric factors. By implementing the best passkey software solutions for businesses , developers creating or supporting open-source projects can dramatically increase their security and align with the open-source approach. Passkey Solutions at the Technical Level of Understanding Its base is asymmetric cryptography , where authentication is done using a pair of keys: public and private. Here’s how the process works in practical terms: Registration : The user's device generates a cryptographic key pair. It sends the public key to the server and stores the private key securely on the device. Authentication : When logging in, the server sends a challenge (a random string) to the user’s device. The private key signs this challenge, and the server verifies the signature using the corresponding public key. Validation : If the signature is valid, the user has been authenticated without transmitting their private key. This way, even if a server is compromised, no sensitive user authentication data will be exposed. The decentralization aspect works exceptionally well for open-source projects that represent transparency and security. Addressing Common Security Weaknesses Open-source projects usually attract contributors worldwide, which can lead to inconsistencies in security practices. Forinstance, weak or reused passwords can easily compromise a project's integrity. Passkey solutions avoid this risk by eliminating passwords altogether. Another common concern is phishing, in which attackers trick users into providing their credentials. Phishing attacks no longer work with passkeys, which use device-stored private keys that cannot be shared. GitHub has already taken steps to address these challenges with their implementation of passkeys. GitHub’s Adoption of Passkeys: A Model for Open-Source Security GitHub , the world’s largest open-source collaboration platform, has adopted passkeys to enhance user authentication. Millions of developers rely on GitHub to host critical projects, including Kubernetes, React, and Linux distributions, so secure access is essential. GitHub’s integration of FIDO2 standards makes passkey adoption straightforward and compatible with modern devices. This move secures user accounts and strengthens trust in the open-source projects hosted on GitHub. By leading the way in adopting passkeys, GitHub sets a strong example for the open-source community, demonstrating how modern authentication can align with transparency and innovation. Integrating Passkey Solutions in Open-Source Frameworks Integrating passkey solutions may initially seem daunting for an open-source developer, but modern tools and frameworks make it easy. FIDO2 and WebAuthn are top standards that allow APIs to implement passkey authentication. Technical Guide on Implementing Passkey Solutions Passkeys are the next big thing in authentication. They replace passwords with secure cryptographic key pairs, making life easier for users and dramatically improving security. Adding passkeys can be a game-changer if you work on an open-source project. Here’s a no-frills guide to help you implement them. Why and How Passkeys Work Passkeys fix all that by replacing passwords with a pair of cryptographic keys. The private key stays safely on the user’s device, and the public keygets stored on your server. This setup makes passkeys very secure and protects against phishing, credential stuffing, and other common attacks. With big names like Google, Apple, and Microsoft on board, passkeys are quickly becoming the go-to solution for safer, easier logins. Here’s how it works: When someone signs up, their device creates a pair of keys. The private key stays locked down on their device, while the public key gets sent to your server. When they log in, your server sends a challenge to their device. The device signs it with the private key, and your server checks it against the public key. It’s smooth, secure, and way better than juggling passwords. This process eliminates the need for passwords, ensuring security and a seamless user experience. By adopting passkeys, your project gains both modern security and alignment with emerging authentication standards. Backend Setup You’ll need to set up endpoints to handle registration and authentication. If you're using Node.js, a library like @simplewebauthn/server can make this more manageable. Registration Endpoint This endpoint generates the challenge and other WebAuthn options for the front end. const { generateRegistrationOptions } = require('@simplewebauthn/server'); app.post('/register', (req, res) => { const options = generateRegistrationOptions({ rpName: "My Open-Source Project", userID: req.body.userID, // A unique user ID userName: req.body.username, attestationType: 'none', }); res.json(options); }); After verifying the response, you’ll save the public key (returned by the user’s device) in your database. Frontend Setup On the front end, you’ll use the navigator.credentials API to handle the WebAuthn flow. Let’s look at how to collect credentials during registration. Registration Flow The front end fetches the challenge from your server, uses it to generate a credential, and sends that credential back for verification. const options = awaitfetch('/register', { method: 'POST', body: JSON.stringify({ userID, username }), headers: { 'Content-Type': 'application/json' } }).then(res => res.json()); const credential = await navigator.credentials.create({ publicKey: options }); // Send credential back to the server await fetch('/verify-registration', { method: 'POST', body: JSON.stringify(credential), headers: { 'Content-Type': 'application/json' } }); It’s similar to logging in. You fetch the challenge, let the device sign it, and send the result back to your server. What You Need to Know HTTPS is Mandatory : WebAuthn only works over secure connections. Serialization : The credential object contains binary data, so you may need to serialize it (e.g., base64) before sending it to your server. Libraries Save Time : Use tools like @simplewebauthn to handle the heavy lifting for registration and authentication. Passkeys are a considerable upgrade for authentication, and they’re surprisingly straightforward to implement. You can make your project more secure and user-friendly with some backend setup and backend tweaks. Use libraries to simplify the process, test thoroughly, and you’ll be ahead of the curve. Happy coding! Comparing Passkey Solutions for Open-Source Projects Passkeys are redefining authentication, offering a secure and seamless alternative to passwords. With solutions like WebAuthn, FIDO2, and proprietary SDKs available, it’s crucial to pick one that fits your project’s needs. Let’s break them down so you can decide what works best. Passkey Solutions and Features WebAuthn is the standard for passkeys. Since it is W3C-backed, it works seamlessly across all platforms and browsers, making it an excellent choice for open-source projects. It focuses on cryptographic key pairs for secure, passwordless logins. FIDO2 extends this through WebAuthn by adding hardware authenticators such as USB security keys and is particularly suitable for environments withvery high-security demands, especially where multi-device authentication is required. Proprietary SDKs , such as those from Okta or Auth0, simplify integration by offering pre-built tools. While these save time, they can limit flexibility and often come with licensing costs. Pros and Cons Method Pros Cons WebAuthn - Open standard with no vendor lock-in. - Works seamlessly across browsers and devices. - Free and supported by extensive documentation. - Backend setup can be challenging with libraries. - Requires familiarity with cryptographic principles. FIDO2 - Supports external hardware authenticators for added security. - Ideal for multi-device authentication with top-tier security. - Backed by major industry players like Google and Microsoft. - Hardware dependencies can complicate implementation. - Steeper learning curve compared to WebAuthn. Proprietary SDKs - Simple to integrate, making it ideal for small teams or quick deployments. - Often includes extra features like analytics and user management. - Vendor lock-in reduces flexibility. - Licensing fees may not be feasible for open-source projects. Where Each Solution Works Best WebAuthn is an excellent fit for general-purpose open-source projects that need a flexible, passwordless login solution. Its broad support can benefit a CMS or a web app looking for cross-platform compatibility. FIDO2 shines in high-security use cases, such as financial or enterprise applications where hardware tokens and multi-factor authentication are essential. Think banking apps or secure employee portals. Proprietary SDKs work best for teams prioritizing speed and simplicity. If you don’t have the bandwidth for cryptography-heavy integration, these tools can get you up and running quickly—perfect for startups or MVPs. Comparison Feature WebAuthn FIDO2 Proprietary SDKs Integration Effort Moderate Moderate to High Low Security Strong Top-tier Varies Compatibility Cross-platform Adds hardware support Vendor-dependent Community support Large and active Strong via FIDO Alliance Varies Cost Free Free Licensing required Flexibility High High Limited to vendor APIs If you want a flexible, open solution that works across platforms, WebAuthn is your best bet. It’s free, well-supported, and ideal for most open-source projects. Thanks to its hardware-based authentication, FIDO2 is the clear winner for high-security needs. If you need something simple and fast, proprietary SDKs offer convenience but at the cost of flexibility and long-term control. Choose based on your project’s goals, resources, and future plans, and you’ll set yourself up for success with a secure, passwordless future. Future Trends and Innovations in Authentication Emerging technology already shapes how we think about secure logins and identity management, and for open-source developers, understanding these trends is essential to staying ahead. Here’s a look at what’s coming and how it could impact your projects. Decentralized Identity: User-Owned Credentials Decentralized identity (DI) systems are shifting credentials control from centralized databases to users. Tools like Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) store information in secure, user-owned wallets. This approach reduces liability and strengthens privacy for open-source projects, enabling seamless authentication across platforms without relying on passwords. Adopting DI frameworks like Hyperledger Indy or W3C-compliant tools can help future-proof projects while aligning with increasing demands for user control and data security. Smarter and More Secure Biometrics Biometricsare advancing beyond fingerprints and facial recognition. Behavioral biometrics, such as analyzing typing patterns or mouse movements, offer added security without requiring extra hardware. Wearable devices, like smartwatches, also enable continuous authentication through metrics like heart rate or motion. For developers, integrating biometrics into authentication workflows can enhance security while improving user experience. APIs leveraging device sensors or advanced biometric algorithms are becoming more accessible, making these features more straightforward to implement. Adaptive Security with AI AI is making authentication brighter. AI-driven systems can dynamically adjust security requirements by analyzing user behavior and context. For example, if a user logs in from an unusual location, the system can prompt for additional verification. These adaptive methods reduce friction for legitimate users while blocking suspicious activity. Integrating AI-powered libraries into authentication systems lets developers add context-aware security without needing to build models from scratch, making it a practical upgrade for many open-source projects. Regulatory Pressures and Quantum-Resistant Security New privacy regulations, such as GDPR and CCPA, have been one of the main drivers of how authentication systems treat user data. Truly decentralized and privacy-centered solutions will continue to have increasing relevance as governments press forward with demands for more secure and user-friendly authentication standards. Compliance is the key for open-source developers to ensure scalability globally and retain user trust. While currently in its infancy, quantum computing will eventually pose a significant threat to today's cryptography techniques. Researchers are developing a series of quantum-resistant algorithms. These studies result from projects like the National Institute of Standards and Technology Post-Quantum Cryptography Standardization project, which is leading the effort toward anew set of cryptographic techniques. Staying informed about quantum-safe tools will be critical for long-term security planning. Pair these innovations with awareness of regulatory changes and the potential impact of quantum computing, and you have a clear path to building future-ready systems. Open-source developers who adopt these trends will stay secure and set new standards in user-friendly and resilient authentication. Why Open-Source Projects Need Passkeys Open-source platforms are uniquely positioned to lead in the adoption of passkey solutions. Their open nature enables widespread testing, peer review, and rapid iterative, ideal conditions for implementing and refining cutting-edge authentication technologies. Further, as passkey systems become the new standard, open-source projects that integrate early will stand out as leaders in security and usability. The move towards passkey authentication follows the general trend of decentralization within the development of free and open-source software. By removing reliance on centralized password storage, these systems inherently reduce the risks of large-scale data breaches . This decentralization makes passkeys a natural fit for open-source, where community trust and transparency are essential. . Authentication methods are evolving in open-source initiatives, with passkey technologies enabling secure access without reliance on conventional password systems.. Passkey Solutions, User Authentication, Open-Source Security, FIDO2 Standards, WebAuthn Implementation. . MaK Ulac

Calendar%202 Nov 28, 2024 User Avatar MaK Ulac Cryptography
67

Abyss Locker Ransomware Targets Linux And Windows Systems: High Threat

A ransomware variant dubbed "Abyss Locker" has been observed targeting Microsoft Windows and Linux platforms. The Abyss Locker ransomware is believed to be based on the HelloKitty ransomware source code. It steals and encrypts victims' files, demanding ransom for decryption and preventing the release of stolen data. The ransomware's severity level is classified as high, showcasing the urgency of addressing this issue. . Intriguing Points & Security Implications Abyss Locker was first detected in July 2023, but its origins may date even further. This raises questions about the potential evolution of ransomware and the continuous importance of staying ahead of emerging threats. Another interesting aspect is the attack method of ransomware. The Windows version of Abyss Locker performs several actions to ensure successful encryption, such as deleting Volume Shadow Copies and system backups. On the Linux side, it attempts to shut down running VMware ESXi systems before encrypting files. This intricate approach reveals the attackers' sophistication and highlights the need for robust security measures. The ransomware avoids encrypting specific file extensions and directories to maintain system operability and enable victim-attacker communication for ransom negotiation. This indicates that the attackers are focused on maximizing their chances of receiving payment, leaving room for speculation about their motives and potential future enhancements to their tactics. The Abyss Locker ransomware presents a significant challenge for security practitioners. Its ability to target Windows and Linux platforms demonstrates the necessity for a comprehensive and multi-layered security strategy. Linux admins, in particular, must be attentive to the risks associated with VMware ESXi systems, as the ransomware specifically targets this environment. As security practitioners, it is essential to ask critical questions: How can we enhance our detection and prevention mechanisms to identify emergingransomware variants like Abyss Locker? Are our backup and recovery processes robust enough to mitigate the impact of ransomware attacks? What steps can be taken to counteract ransomware developers' sophisticated tactics, such as the multiple evasion techniques employed by Abyss Locker? Long-term consequences must also be considered. The successful targeting of both Windows and Linux platforms indicates a potential shift in ransomware strategies, revealing the adaptability and resourcefulness of cybercriminals. This calls for ongoing vigilance and the continuous development of proactive security measures. Our Final Thoughts on Abyss Locker The Abyss Locker ransomware represents a clear and present danger to Windows and Linux users. Its sophisticated attack methods, ability to encrypt files, and ransom demand raise serious concerns for security practitioners. By analyzing the implications and asking critical questions, security professionals can better understand this threat and take proactive measures to protect their systems. The long-term consequences of this ransomware highlight the need for ongoing adaptation and improvement in security practices. As we face the evolving landscape of cybersecurity, it is vital to stay informed , remain vigilant, and develop robust defenses against ransomware attacks. . Phantom Gate malware targets both Mac and Windows platforms, employing complex strategies for maximum damage. Remain vigilant.. Abyss Locker Ransomware, Linux Security Threat, Windows Cyber Attacks, Ransomware Defense Strategies. . Brittany Day

Calendar%202 Mar 02, 2024 User Avatar Brittany Day Cryptography
67

Linux Foundation and PQCA Collaborate for Robust Post-Quantum Security

The Linux Foundation recently launched its partnership with the Post-Quantum Cryptography Alliance (PQCA). This open and collaborative initiative aims to address the data and network security challenges that quantum computing presents by developing and adopting quantum-resistant cryptography.. It is paramount that organizations implement robust cryptographic solutions that can withstand attacks in network security through advancements in quantum computing. The PQCA brings together industry leaders, researchers, and developers to support sensitive data security and improved communications in the post-quantum era. This article will discuss quantum computing, PQCA, and the possible implications of the launch. What is Quantum Computing? Who Supports PQCA? Quantum computing combines various scientific fields to solve network security issues more efficiently and effectively. Computer science, physics, and math contribute to a successful cloud security framework, and quantum computing uses each aspect in its comprehensive solutions. PQCA has support from founding members such as Amazon Web Services (AWS), Cisco, Google, IBM, and NVIDIA. These industry giants understand the value of post-quantum cryptography cybersecurity and how correspondence can enhance secure cryptographic solutions during development. Matthew Campagna, Senior Principal Engineer at AWS, states, "Post-quantum cryptography is an emerging area of cryptographic security that AWS has already started to invest in… By joining the PQCA, we will be able to promote better the development of the open standards and software that will be essential to help advance the state of the industry and keep customer data secure." PQCA is a worthwhile organization that can help improve the security posture of any online company. What Security Implications Does PQCA Have? Our PQCA launch has a few setbacks that could shortly lead to certain network security risks. Here are the concerns and tactics we must keep in mind while working with PQCA: As quantum computing evolves and develops, current cryptographic algorithms may harbor cybersecurity vulnerabilities that can lead to challenges if an attack occurs. Security practitioners must stay on top of potential network security threats and improve security posture by implementing cryptographic solutions to prevent issues from harming quantum computers. Linux admins, infosec professionals, and sysadmins must keep up with the latest information security news to update their servers with the most recent quantum-resistant cryptography. PQCA has various technical cybersecurity projects that involve developing, evaluating, prototyping, and deploying new post-quantum algorithms so that every industry can benefit from their services. These secure solutions can help organizations increase their credibility and boost their reputation. Security practitioners must evaluate the issues organizations may encounter when transitioning to post-quantum cryptography and devise strategies to ensure their business has a smooth, secure migration. PQCA supports cryptographic agility and aligns with the U.S. National Security Agency's Cybersecurity Advisory concerning the Commercial National Security Algorithm Suite 2.0. Therefore, companies collaborating with PQCA must understand the impact of cryptographic standards on new post-quantum algorithms. Understanding the possible setbacks and the necessary reminders to utilize post-quantum computing is vital to improving security posture and helping your business thrive. Our Final Thoughts on the PQCA Launch The Linux Foundation Post-Quantum Cryptography Alliance enhances how valuable robust cryptographic solutions can improve data and network security in the face of quantum computing advancements. PQCA aims to develop and adopt post-quantum cryptography by collaborating with security practitioners. These professionals, including Linux admins, infosec users, internet security enthusiasts, and sysadmins, must actively participate in and follow PQCA's work toensure the newest cryptographic solutions are secure, beneficial, and robust. Before transitioning to post-quantum cryptography cybersecurity, businesses must evaluate the cryptographic agility of the software to ensure they have long-term data and network security and communications in the post-quantum era. . Strong encryption mechanisms are essential for mitigating the risks associated with the rapid evolution of quantum technologies.. Post-Quantum Cryptography, Network Security Solutions, Data Protection. . Brittany Day

Calendar%202 Feb 07, 2024 User Avatar Brittany Day Cryptography
67

MagiQ Technologies Launches Navajo: Secure Quantum Key Distribution Network

Start-up MagiQ Technologies, from Somerville, Massachusetts, has released the first commercial implementation of quantum cryptography, the much-heralded solution to the perfect encryption cipher. Theoretically, encryption ciphers created using quantum physics are unbreakable. . . . Start-up MagiQ Technologies, from Somerville, Massachusetts, has released the first commercial implementation of quantum cryptography, the much-heralded solution to the perfect encryption cipher. Theoretically, encryption ciphers created using quantum physics are unbreakable . While MagiQ Technologies' product, Navajo, isn't itself a quantum device it uses one of the fundamental tenets of quantum theory: Heisenberg's Uncertainty Principle, to create a Quantum Key Distribution (QKD) network. Werner Heisenberg first published his theory in 1927, stating that the more precisely the position of is known, the less precisely the momentum is known. This succinct statement addresses the uncertain relationship between the position and the momentum (mass times velocity) of a subatomic particle, such as an electron, and has profound impact on the development of future information systems. MagiQ's Navajo creates encryption keys that change up to 1,000 times a second to prevent eavesdroppers from deciphering the transmitted data packets. The keys are transmitted over a secure fiber optic link in a stream of polarized photons. If an eavesdropper (or other transmission failure) interrupt the flow of polarized photons, the data is immediately altered, and the encryption system can detect the change. Heisenberg's uncertainty principle comes into play in that even if the eavesdropper only looks at one of the polarized photons, the data stream will be changed, and the intrusion detected. Navajo works with off-the-shelf encryption ciphers, such as the U.S. Government-supported AES (Advanced Encryption Standard). While AES is very secure, the combination of AES and Navajo is theoretically absolutely secure: unbreakable. . Start-up MagiQ Technologies,from Somerville, Massachusetts, has released the first commercial imple. start-up, magiq, technologies, somerville, massachusetts, released, first, commercial, imple. . LinuxSecurity.com Team

Calendar%202 Jan 12, 2024 User Avatar LinuxSecurity.com Team Cryptography
67

Babuk Ransomware Recovery: Tortilla Decryptor Key for Quick Access

A new decryptor has been created for Babuk Tortilla ransomware victims, which will be included in a generic Babuk Decryptor that will contain all Babuk keys currently available. Let's examine the threat that Babuk ransomware poses to your systems and how to recover encrypted files should you fall victim to an attack. . Babuk Ransomware Versions to Be Aware Of Babuk ransomware was first discovered in 2021 and has been responsible for multiple high-profile attacks against industries such as manufacturing or law enforcement. The ransomware is a highly sophisticated strain, compiled on several hardware and software platforms. Windows and ARM Linux are the most common versions. Babuk can also interrupt the backup process of the victim's system and delete volume shadow copies. This makes recovery even more difficult. In September 2021, Babuk's code was published on an underground forum. This allowed multiple threat actors to create variations of strain. Security researchers have identified ransomware families that have exploited Babuk: Rook – December 2021 Night Sky - Jan 2022 Pandora - March 2022 Nokoyawa Cheerscrypt - May 2022 AstraLocker 2.0 - June 2022 ESXiArgs February 2023 Rorschach RTM Locker RA Group - April 2023 Tortilla was one of the threat actors responsible for Babuk ransomware attacks. In October 2021, Tortilla was observed targeting Microsoft Exchange servers that were vulnerable and trying to exploit ProxyShell to install the Babuk ransomware. In a later law enforcement investigation, Dutch Police were able to apprehend and discover the person behind Tortilla. The Tortilla decryptor key was recovered and has been added to a generic decryptor developed for a number of other Babuk variants. This decryptor results from the Babuk generator and leaked source code. Tortilla used one key pair for all of its victims, while attackers could generate different public/private keys per campaign. How Can I Recover Encrypted Files if I FallVictim to Babuk Ransomware? The updated version of Babuk can be downloaded from the NoMoreRansom or Avast decryptors pages. This decryptor allows users to recover files quickly. Recently, a number of decryptors were released to assist victims of ransomware. Security Research Labs has published tools enabling the recovery of files encrypted by Black Basta Ransomware . The FBI, in response to law enforcement actions, announced in December 2023 that it had developed a decryption program for the notorious BlackCat Group. Here are our top tips for preventing Linux ransomware attacks in the first place: Backup critical files and diversify the storage media to avoid a single point of failure (SPOF). This won’t prevent an attack but can mitigate potential damage. Keep servers and endpoints up to date to ensure that they use the latest security patches. Implement the principle of least privilege for user accounts. Monitor network activity and system logs closely. Keep tabs on event logs to identify anomalous behavior before it causes harm. Use a combination of IP filtering, an intrusion detection system (IDS), and an intrusion prevention system (IPS). Use Linux security extensions that control and restrict access to data or network resources. Implement robust network segmentation and data compartmentalization to minimize the impact of a potential ransomware attack. Audit systems regularly. Have additional questions on the measures you can take to prevent or recover from Linux ransomware attacks? Please reach out to us on X @lnxsec - we're here to help! Stay safe out there, fellow Linux users! . Discover the new decryption solution for Babuk Tortilla ransomware and examine strategies to restore affected files.. Babuk Ransomware, Decryption Tools, Linux Recovery, Prevent Ransomware, Cyber Threats. . LinuxSecurity.com Team

Calendar%202 Jan 09, 2024 User Avatar LinuxSecurity.com Team Cryptography
News Add Esm H340

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200