Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


LinuxSecurity.com Feature Extras:

Press Release: Guardian Digital Leverages the Power of Open Source to Combat Evolving Email Security Threats - Cloud-based email security solution utilizes the open source methodology for securing business email, recognized by many as the best approach to the problem of maintaining security in the relentlessly dynamic environment of the Internet.

You've Been Pwned! Best Practices to Prevent Your Email Account from Being Compromised in a Data Breach - An Interview with Dave Wreski, CEO of Guardian Digital


  Once again, it’s 123456: the password that says ‘I give up’ (Apr 23)
 

The essence of most people's regard for cybersecurity: we're DOOMED.

  These are the most commonly hacked passwords - is one of them yours? (Apr 21)
 

Hundreds of millions of internet users continue to put themselves at risk of having their accounts hacked by using incredibly simple and commonly used passwords which can easily be guessed by cyber criminals - or worse, just plucked from databases of stolen information.

  Android Antivirus Tests Show You Shouldn’t Rely on Google Play Protect (Apr 22)
 

A new set of antivirus tests conducted by AV-TEST show that Android users should not rely on Google Play Protect as their exclusive mobile security product.

  Epic Bug Lets Anyone Unlock the Nokia 9 With a Pack of Gum (Apr 22)
 

A security issue on the high-end Nokia 9 PureView smartphone allows anyone to unlock the device, using not only unregistered fingerprints, but even things like a pack of gum.

  DNS over HTTPS is coming whether ISPs and governments like it or not (Apr 24)
 

The penny has finally dropped inside ISPs and governments that a privacy technology called DNS over HTTPS (DoH), backed by Google, Mozilla and Cloudflare, is about to make web surveillance a lot more difficult.

  Congress sends letter to Google for details on Sensorvault location tracking database (Apr 24)
 

US legislators have sent an open letter to Google CEO Sundar Pichai asking for details about Sensorvault, an internal Google database that keeps track of users' historical geo-location details.

  Critical Flaws in Sierra Wireless 5G Gateway Allow RCE, Command Injection (Apr 26)
 

A 5G wireless gateway tailored for industrial internet of things (IoT), retail point-of-sale and enterprise redundancy applications is riddled with vulnerabilities, including two critical bugs that allow remote code-execution (RCE) and arbitrary command-injection.

  Hotspot finder app blabs 2 million Wi-Fi network passwords (Apr 23)
 

This should come as no surprise, but it still sucks big-time: thousands of people who downloaded a random, very popular app called WiFi Finder found that it got handsy with users' own home Wi-Fi, uploading their network passwords to a database full of 2 million passwords that was found exposed and unprotected online.

  Linux 5.1-rc6 Kernel Released In Linus Torvalds' Easter Day Message (Apr 21)
 

Linux 5.1-rc6 is larger than the previous release candidate, but Linus Torvalds isn't too worried right now about the condition of the upcoming Linux 5.1 kernel.

  Nutanix Kubernetes-based Karbon On-Prem Distro Hits GA (Apr 21)
 

Nutanix pushed general availability of its Karbon certified Kubernetes platform that runs as part of its broader Nutanix Cloud Native stack.

  Encrypgen Completes ERC20 Integration – DNA Token Likely to Appreciate (Apr 27)
 

With Bitcoin (BTC) surging above 5,000 in recent weeks, traders might be wondering whether now is the time to get back into altcoins. I've written in the past that the market will likely be more critical of blockchain-based projects in the future. There are two reasons for this.

  Three out of five IT workers share sensitive information by email (Apr 28)
 

Bosses should be worried about their employee behaviour around sensitive documents according to a recent report. With the high volume of data that IT teams handle, communicating efficiently and securely is essential to preventing a breach.

  IBM Developers Looking At Adding System Call Isolation To Enhance Linux Security (Apr 26)
 

Developers at IBM are working on a new concept for the Linux kernel of "system call isolation" in order to isolate parts of the kernel when impacted by vulnerabilities.

  Why the cybersecurity sector needs to start hiring more hackers (Apr 25)
 

Cybersecurity incidents are gaining an increasingly high profile. In the past, these incidents may have been perceived primarily as a somewhat distant issue for organizations such as banks to deal with. But recent attacks such as the 2017 Wannacry incident, in which a cyber attack disabled the IT systems of many organizations including the NHS, demonstrate the real-life consequences that cyber attacks can have.

  How a Nigerian ISP Accidentally Hijacked the Internet (Apr 25)
 

On November 12, 2018, a small ISP in Nigeria made a mistake while updating its network infrastructure that highlights a critical flaw in the fabric of the Internet. The mistake effectively brought down Google -- one of the largest tech companies in the world -- for 74 minutes.

  Docker Hub hack exposed data of 190,000 users (Apr 27)
 

Docker Hub, the official repository for Docker container images, announced a security breach late on Friday night.

  Microsoft drops password expiration from Windows 10 security (Apr 26)
 

What is it about a secure password that makes us think it's secure?

  Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension (Apr 26)
 

If you own an eCommerce website built on WordPress and powered by the WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store.

  Facebook clamps down on personality quizzes to plug data leaks (Apr 26)
 

Facebook is taking baby steps to plug data leaks on its platform. In a new blog post that was posted yesterday, the company's director of product management Eddie O'Neil wrote that it will be subjecting apps with "minimal utility," such as personality quizzes, to heightened scrutiny and "may not be permitted on the platform."

  ISC patches three vulnerabilities in BIND (Apr 26)
 

The Internet Systems Consortium (ISC) has released security updates for its Berkeley Internet Name Domain (BIND), fixing vulnerabilities that if exploited could cause a denial of service condition.

  A Rear-View Look at GDPR: Compliance Has No Brakes (Apr 29)
 

There is no denying the impact of the European Union General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. We were all witness -- or victim -- to the flurry of updated privacy policy emails and cookie consent banners that descended upon us. It was such a zeitgeist moment that "we've updated our privacy policy" became a punchline.