Pinned toot

InfoSec Handbook introduces experimental P2P support via Dat protocol:

dat://4354ef3fa9ae5df664fd4a40707cab7450a24d29d4d9f2770b29ebdc720c7151/

(The URL may change during testing.)

About the Dat Project:

datproject.org/

Nextcloud – Android client 3.8 comes with new security features:

nextcloud.com/blog/nextcloud-a

– U2F support for login
– support for TLS 1.3
– Remote Wipe: users can delete all the data of their devices from the Nextcloud web UI

Upcoming Firefox 71 – Mozilla plans to introduce new Certificates Viewer:

ghacks.net/2019/08/27/firefox-

– The new viewer is based on/similar to the WebExtension github.com/april/certainly-som.
– Unlike the add-on, the new viewer currently shows no information about the TLS handshake.
– The release of FF 71 is scheduled for Dec 12, 2019.

(The screenshot shows the add-on.)

Simjacker – abusing the S@T Browser to track phones:

adaptivemobile.com/blog/simjac

– it requires the S@T Browser on the targeted SIM/phone, and a mobile operator that lets the special binary SMS used by the attack through
– many details are missing
– mobile operators can remotely uninstall S@T Browser; so this perfectly shows that you can't "take back control" of your phone by just installing some LineageOS on it

NetCAT – network-based cache side-channel attack:

vusec.net/projects/netcat/

– a feature of Intel server CPUs, Data-Direct I/O (DDIO), exposes servers in untrusted local networks to remote side-channel attacks
– NetCAT demonstrates a keystroke timing attack on SSH
– CVE-2019-11184

ProtonMail adds support for Web Key Directory (WKD), DANE, and MTA-STS:

protonmail.com/blog/security-u

– WKD is also available for external keys now
– DANE is also available for custom domains
– In addition, they added HTTP headers (Expect-CT, Public-Key-Pins-Report-Only), a DNS CAA record, and monitoring (e.g., TLSRPT)
– There will be an independent security audit of all Proton apps
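The WKD part of the ProtonMail announcement is the one with a concrete, client-side algorithm behind it: a mail client turns a recipient address into the HTTPS URL where the recipient's OpenPGP key must be published. The following is an added example (not code from the original post, from ProtonMail, or from GnuPG) that derives those URLs as described in the OpenPGP Web Key Directory draft: ASCII-lowercase the local part, SHA-1 it, z-base-32 encode the digest, and build the "advanced" URL (openpgpkey subdomain, tried first) and the "direct" URL (fallback). The address "Joe.Doe@Example.ORG" is the draft's own worked example.

```python
import hashlib
import urllib.parse

# z-base-32 alphabet as used by the Web Key Directory draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32: no padding characters, a trailing
    partial 5-bit group is zero-filled on the right."""
    bits = "".join(f"{byte:08b}" for byte in data)
    return "".join(
        ZBASE32_ALPHABET[int(bits[i:i + 5].ljust(5, "0"), 2)]
        for i in range(0, len(bits), 5)
    )


def ascii_lower(text: str) -> str:
    """Lowercase only ASCII A-Z, as WKD requires (no Unicode folding)."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in text)


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' path element: z-base-32 of SHA-1 of the lowercased local
    part; a 20-byte digest always yields exactly 32 characters."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD key URLs (plus the policy URLs)
    for an e-mail address. The original local part is kept, percent-encoded,
    in the l= query parameter; the domain is lowercased."""
    local_part, domain = address.rsplit("@", 1)
    domain = ascii_lower(domain)
    h = wkd_hash(local_part)
    query = "?l=" + urllib.parse.quote(local_part, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        # Clients try the advanced method first; if openpgpkey.<domain>
        # does not resolve they fall back to the direct method.
        "advanced": f"{advanced_base}/hu/{h}{query}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{h}{query}",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

The lowercasing step is why a WKD server only needs one file per mailbox, and the opaque hash is why a crawler cannot enumerate a domain's addresses from the directory listing alone: it has to know (or guess) the local part to compute the path.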

Facebook :facebook: – 419+ million phone numbers found online:

techcrunch.com/2019/09/04/face

– each record contained a unique Facebook ID; some records listed the user's name, gender, and location by country
– Facebook: "This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers"

Tor-focused :tor: operating system Tails 3.16 released:

tails.boum.org/news/version_3.

– updates for Linux kernel (4.19.37-5+deb10u2, fix for the SWAPGS variant of the Spectre vulnerability), and Tor Browser (8.5.5)
– updates for most firmware packages
– removes LibreOffice Math from the default installation (it can be added back via Additional Software), and some predefined configuration in Tor Browser and Pidgin

Tor Browser :tor: 8.5.5 released, fixes several security vulnerabilities:

blog.torproject.org/new-releas

– based on FF 60.9.0esr
– updates for NoScript, and Torbutton
– multiple bug fixes

Firefox 69.0 :firefox: available:

mozilla.org/en-US/firefox/69.0

– Enhanced Tracking Protection is now turned on by default; its default "Standard" setting blocks third-party tracking cookies and cryptominers
– support for the Web Authentication HmacSecret extension via Windows Hello
– various security fixes

XKCD forums down after data breach:

twitter.com/haveibeenpwned/sta

– about 562,000 affected accounts
– passwords were stored as MD5 hashes
– 58% of affected e-mail addresses were already listed on haveibeenpwned.com

Kali Linux 2019.3 available:

kali.org/releases/kali-linux-2

– based on Linux kernel 5.2.9
– packages are now served via Cloudflare
– new "helper scripts" available (e.g., PayloadsAllTheThings, SecLists, WebShells and Wordlists)
– more minor changes and bug fixes

"I'm using the Privacy Browser (f-droid.org/en/packages/com.st). Which user agent should I use for best privacy?":

Changing the User-Agent header doesn't change another problem: The Privacy Browser always sends X-Requested-With: com.stoutner.privacybrowser.standard, leaking its identity. So it doesn't matter which one you choose.

Reasons for this are explained by its developer: stoutner.com/the-x-requested-w
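To see why the User-Agent choice is irrelevant from the server's point of view, here is an added example (not code from the original post or from the Privacy Browser project) of the kind of request fingerprinting a site can do: it parses raw HTTP/1.1 request headers and identifies the client by the X-Requested-With package name, falling back to the User-Agent only when that header is absent. The three requests are constructed for the example; the User-Agent strings are spoofed to look like desktop Firefox, Chrome and a Linux Firefox, while the package name is the one named in the post.

```python
from collections import defaultdict

# Constructed sample traffic: same Android app, three different User-Agents.
SAMPLE_REQUESTS = [
    "GET /news HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\r\n"
    "X-Requested-With: com.stoutner.privacybrowser.standard\r\n"
    "\r\n",
    "GET /news HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36\r\n"
    "x-requested-with: com.stoutner.privacybrowser.standard\r\n"
    "\r\n",
    "GET /news HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
    "\r\n",
]


def parse_request_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict with
    lowercased header names (header names are case-insensitive)."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    headers[":request-line"] = request_line
    return headers


def identify_client(raw: str) -> dict:
    """Identify the client app. X-Requested-With, sent by Android WebView-based
    apps, names the app package and overrides whatever the User-Agent claims."""
    headers = parse_request_headers(raw)
    package = headers.get("x-requested-with")
    user_agent = headers.get("user-agent", "")
    if package:
        return {"app": package, "evidence": "X-Requested-With", "user_agent": user_agent}
    return {"app": None, "evidence": "User-Agent only", "user_agent": user_agent}


def group_by_app(requests: list) -> dict:
    """Map each identified app package (or None) to the set of User-Agent
    strings seen with it, showing that UA spoofing does not split the group."""
    groups = defaultdict(set)
    for raw in requests:
        ident = identify_client(raw)
        groups[ident["app"]].add(ident["user_agent"])
    return dict(groups)


if __name__ == "__main__":
    for app, agents in group_by_app(SAMPLE_REQUESTS).items():
        print(app, "->", len(agents), "distinct User-Agent string(s)")
```

Operationally, the lesson carries beyond this one browser: any Android app that loads pages through a WebView advertises its package name this way, so "which User-Agent" is the wrong question until the app stops sending the header.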

An overview of the current state of GnuPG for e-mail encryption and signing:

infosec-handbook.eu/blog/gpg-f

TL;DR: Use ECC-based keys (Ed25519, Curve25519) as they are the future-default of GPG, smaller and faster than RSA, and Curve25519 is widely used by many different projects. If you use modern E2EE instant messengers for personal communication, there is likely no need to switch to GPG.

Monthly review, August 2019:

infosec-handbook.eu/blog/2019-

– news: KNOB attack, DejaBlue
– tool: minisign
– tip: faster GPG key pair generation
– 5 questions/answers

Obviously, Facebook :facebook: changed its landing page: "It's free and always will be." → "It's quick and easy."

And they added: "Learn how we collect, use and share your data in our Data Policy"

Source: twitter.com/MaisaKamel/status/

Verifpal – tool to verify the security of cryptographic protocols:

verifpal.com/

– paper: eprint.iacr.org/2019/971.pdf (PDF file)
– user manual: verifpal.com/res/pdf/manual.pd (PDF file)
– Verifpal is still highly experimental software
– available for Windows, Linux and macOS

Dovecot/Pigeonhole – CVE-2019-11500 – critical security vulnerability:

openwall.com/lists/oss-securit

– fixed in Dovecot 2.3.7.2, 2.2.36.4; Pigeonhole 0.5.7
– no workarounds available
– allows for out-of-bounds writes […] can lead to leaking private information or remote code execution


mastodon.at is a microblogging site that federates with most instances on the Fediverse.