Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you’re dealing with a security incident it’s essential you – and the rest of your team – not only have the skills they need to comprehensively deal with an issue, but also have a framework to support them as they approach it. This framework means they can focus purely on what they need to do, following a process that removes any vulnerabilities and threats in a proper way – so everyone who depends upon the software you protect can be confident that it’s secure and functioning properly.


  (Apr 26)
 

Keybase is a service that makes a security web of trust usable for everyone. It uses encryption to provide secure communications -- including chat, file sharing, and publishing documents. But it extends encryption into a social context, like GitHub or GitLab do for project and source code control.

  (Apr 24)
 

Recently, The New Stack published an article titled "Containers and Storage: Why We Aren't There Yet" covering a talk from IBM's James Bottomley at the Linux Foundation's Vault conference in March. Both the talk and article focused on one of the central problems we've been working to address in the Cloud Foundry Foundation's Diego Persistence project team, so we thought it would be a good idea to highlight the features we've added to mitigate it.

  (Apr 27)
 

The GrSecurity initiative, which hosts various out-of-tree patches to the mainline Linux kernel in order to enhance security, will no longer be available to non-paying users.

  (Apr 24)
 

Last week ended badly for Russian hackers. The United States Department of Justice revealed that Peter Yuryevich Levashov was picked up in Barcelona a couple of weeks back for his association with the Kelihos botnet. Levashov said he'd been told the arrest was due to his creation of a virus in some way linked to Russia's suspected interference in the recent US presidential election.

  (Apr 27)
 

Google the words "David Dworken" and you'll find a picture of a teenager in an oversize gray suit shaking hands with former secretary of defense Ash Carter, along with a headline that reads: "Meet David Dworken, the Teenager Who Hacked the Pentagon." Which is pure clickbait. Last spring, the Pentagon sponsored a "bug bounty," inviting computer security enthusiasts to dig into Defense.gov, DoDLive, and a few of its other public-facing websites.

  (Apr 27)
 

Ten years of fighting for internet freedom, potentially out the window because Donald Trump was elected president and chose as his top telecom regulator a former Verizon lawyer who's hell-bent on killing federal rules safeguarding net neutrality, the internet's open access principle.

  (Apr 25)
 

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as "Carbanak Group", although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.

  (Apr 25)
 

Before I explain the details of the vulnerability, you should take a look at the proof-of-concept. Punycode makes it possible to register domains with foreign characters. It works by converting individual domain labels to an alternative format using only ASCII characters. For example, the domain "xn--s7y.co" is equivalent to "短.co".

  (Apr 28)
 

Google is giving web developers six months to prepare for the next phase of its plan to mark all HTTP pages as 'Not secure'. October will mark stage two of Google's plan to label all HTTP pages as 'Not secure' in Chrome.

  (Apr 28)
 

pemcracker is a tool for cracking PEM files that are encrypted and have a password. The purpose is to attempt to recover the password for encrypted PEM files while utilising all the CPU cores.

  (May 1)
 

Hacker Evaldas Rimasauskas, 48, of Vilnius, Lithuania, was arrested last month and charged with stealing more than $100 million from Facebook and Google, according to a Fortune report.

  (May 1)
 

Late on Friday afternoon, the Commissioner of the Australian Federal Police waltzed out in front of the microphones and admitted that his agency had misused the metadata that the nation's telecommunication companies are forced to store.