Micro guide: YubiKey U2F 2FA for Parrot OS
– Check if YubiKey is connected: "lsusb | grep U2F"
– Install libraries: "sudo apt install pamu2fcfg libpam-u2f"
– Create Yubico default dir: "mkdir -p ~/.config/Yubico"
– Enter "pamu2fcfg >> ~/.config/Yubico/u2f_keys" and press the YubiKey button
– Add "auth required pam_u2f.so" to /etc/pam.d/mate-screensaver
– 2FA is now enabled
Check our Arch guide: https://infosec-handbook.eu/blog/yubikey-2fa-pam/
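As an added example (not from the original post), the following POSIX sh helpers make the steps above repeatable and guard step 6 so the pam_u2f requirement is only written once a key line actually exists in u2f_keys; the function names are mine, and the u2f_keys line format is the one pamu2fcfg emits.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the steps
# above. pamu2fcfg emits one line per user:
#   <user>:<keyhandle>,<publickey>[,<cose type>,<options>][:<next key>...]
set -eu

# Return 0 when a line looks like pamu2fcfg output: a user name, then one or
# more ':'-separated key entries, each with at least key handle and public key.
u2f_keys_line_valid() {
    ln=$1; u=${ln%%:*}; rest=${ln#*:}
    [ -n "$u" ] && [ "$u" != "$ln" ] && [ -n "$rest" ] || return 1
    oldifs=$IFS; IFS=:
    for entry in $rest; do
        case "$entry" in *,*) ;; *) IFS=$oldifs; return 1 ;; esac
    done
    IFS=$oldifs
    return 0
}

# Count valid registered keys for user $1 in u2f_keys file $2 (0 if unreadable).
u2f_keys_count() {
    user=$1; keysfile=$2; n=0
    [ -r "$keysfile" ] || { echo 0; return 0; }
    while IFS= read -r l; do
        case "$l" in
            "$user:"*) if u2f_keys_line_valid "$l"; then n=$((n + 1)); fi ;;
        esac
    done < "$keysfile"
    echo "$n"
}

# Append the pam_u2f line to a PAM service file exactly once (re-runs are no-ops).
pam_add_u2f() {
    pamfile=$1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_u2f\.so' "$pamfile" 2>/dev/null && return 0
    printf 'auth required pam_u2f.so\n' >> "$pamfile"
}

# Guard for step 6: require pam_u2f only once a key is really registered, so a
# failed pamu2fcfg run cannot lock you out of the screensaver.
enable_u2f_if_registered() {
    user=$1; keysfile=$2; pamfile=$3
    [ "$(u2f_keys_count "$user" "$keysfile")" -gt 0 ] ||
        { echo "no U2F key registered for $user in $keysfile, leaving $pamfile alone" >&2; return 1; }
    pam_add_u2f "$pamfile"
}
```

After step 5, run `enable_u2f_if_registered "$USER" ~/.config/Yubico/u2f_keys /etc/pam.d/mate-screensaver` as root, and keep a second unlocked session open until the touch prompt has been confirmed to work.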
Security Now 681 🎙️ "The Browser Extension Ecosystem" with Steve Gibson:
Western Digital's My Cloud (NAS) again vulnerable:
– allows unauthenticated attackers with network access to the device to escalate their privileges to admin-level without needing to provide a password
– allows attackers to run commands that would typically require administrative privileges
– attackers gain complete control of the affected NAS device
Recap: Secure your SSH access
– allow only whitelisted IP addresses to connect
– use a non-root account for access and disable root
– use keys instead of passwords
– only use modern algorithms
– enable 2FA for SSH
– back up your configuration
– (use dedicated hardware to store your keys)
Zero-day vulnerability in NUUO firmware used by different vendors of surveillance cameras:
– vendor-independent firmware used in up to 800,000 CCTV cameras
– 100 different cameras run the affected software
– CVE-2018-1149, CVE-2018-1150
– upgrade to NUUO's version 3.9.1 (03.09.0001.0000) or later
– and secure your cam: https://infosec-handbook.eu/blog/cameras-censys/
Troy Hunt on EV certificates: "Extended Validation Certificates are Dead".
– increasing use of mobile devices
– removal of the EV visual indicator
– removal from Safari on iOS
Veeam, a backup and data recovery company, leaked 200 GB of customer records:
– mostly names, email addresses, and in some cases IP addresses
– including two collections that had 199.1 million and 244.4 million email addresses between 2013 and 2017
– a goldmine for spammers or bad actors conducting phishing attacks
Security Now 680 🎙️ "Exploits & Updates" with Steve Gibson:
Details about a zero-day vulnerability in Tor Browser 7.x published on Twitter by a security company:
– full bypass of the "Safest" security level of the NoScript extension
– allows malicious code to run inside the Tor Browser
– Tor Browser 8.x is not affected
– update to NoScript "Classic" version 18.104.22.168 / Tor Browser 8.x
WPA3: Details on the upcoming WLAN encryption standard 📶 🔒
– focused on protection against known attacks on WPA2
– Simultaneous Authentication of Equals (SAE) will replace Pre-Shared Key (PSK)
– SAE offers forward secrecy
– WPA3-Enterprise features 192-bit encryption (vs. 128-bit in WPA2)
– no timeline set for making WPA3 the de facto standard
Tor Browser 8.0 is available.
⚠️ It is now based on Firefox 60. Because of this, the User Agent string has changed, so servers can distinguish it from older versions of Tor Browser. The User Agent string now also reports the real OS (previously it always claimed Windows).
European information security blog
no ads, no tracking, privacy and security by default