InfoSec Handbook introduces experimental P2P support via Dat protocol:

dat://4354ef3fa9ae5df664fd4a40707cab7450a24d29d4d9f2770b29ebdc720c7151/

(The URL may change during testing.)

About the Dat Project:

datproject.org/

⚠️ Instance migration announcement ⚠️

Today, the admin of mastodon.at notified all users that mastodon.at will be shut down in 3 months (February 2020).

Because of this, we are currently evaluating a new, reliable Mastodon instance. Since Mastodon 3.0.0 allows us to move all followers from one account to another, there shouldn't be any inconvenience for you.

Thanks @pfigel for hosting mastodon.at. 👍

37 security vulnerabilities found in VNC software:

ics-cert.kaspersky.com/reports

– VNC (Virtual Network Computing) is used to remotely access computers.
– Several vulnerabilities could lead to RCE, and many had a very long lifetime.
– We wrote about UltraVNC's bad state of website security in infosec-handbook.eu/blog/uvnc-.

"Why do we see Elasticsearch leaks all the time?":

The problem is internal services that are unknowingly exposed to the internet. This isn't unique to Elasticsearch. Other examples are exposed IP cameras, PLCs in industrial environments, and office printers.

Regularly scan your own IP address ranges to detect open ports and services, and apply common security practices. Never just assume something is configured – actually check and document it.
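One way to turn "actually check and document it" into a routine: compare a scan of your own address range against the documented inventory and flag anything that is open but not on record. This is an added example, not code from InfoSec Handbook; the nmap grepable (-oG) output and the inventory are constructed sample data, and the port labels are our own.

```python
import re

# Ports of services that often end up exposed by accident (see the toot above).
RISKY_PORTS = {
    9200: "Elasticsearch REST API", 9300: "Elasticsearch transport",
    502: "Modbus/TCP (PLC)", 554: "RTSP (IP camera)",
    9100: "JetDirect raw printing", 631: "IPP (printer)",
}

# Constructed nmap -oG (grepable) output for a fictitious range; not a real scan.
SCAN_OUTPUT = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 10.0.0.2 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.3 (search01)\tPorts: 22/open/tcp//ssh///, 9200/open/tcp//wap-wsp///, "
    "9300/open/tcp//vrace///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.4 ()\tPorts: 631/open/tcp//ipp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
)

# What the documentation says may be reachable: host -> set of allowed TCP ports.
INVENTORY = {
    "10.0.0.2": {22, 443},
    "10.0.0.3": {22},      # Elasticsearch is documented as internal-only
    # 10.0.0.4 is not documented at all
}

# One entry of the Ports: field: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/,]*)/")

def parse_grepable(text):
    """Return {ip: {port: service}} for every open TCP port in nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment line, or a host that is up but has no port list
        ip, ports = m.groups()
        for port, state, proto, _owner, svc, _rpc, _ver in PORT_RE.findall(ports):
            if state == "open" and proto == "tcp":
                hosts.setdefault(ip, {})[int(port)] = svc
    return hosts

def undocumented_exposure(scan, inventory):
    """(ip, port, label) for each open port that the inventory does not allow."""
    findings = []
    for ip in sorted(scan):
        allowed = inventory.get(ip, set())
        for port, svc in sorted(scan[ip].items()):
            if port not in allowed:
                findings.append((ip, port, RISKY_PORTS.get(port, svc or "unknown")))
    return findings

if __name__ == "__main__":
    for ip, port, label in undocumented_exposure(parse_grepable(SCAN_OUTPUT), INVENTORY):
        print(f"UNDOCUMENTED {ip}:{port} ({label})")
```

Run it against a real `nmap -oG` file of your own ranges and treat every finding as either a documentation gap or an exposure to close.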

Data leak that affects 1.2 billion people:

dataviper.io/blog/2019/pdl-dat

– Many data sets contain lots of personal data.
– Sources of the leak are likely People Data Labs and OxyData, so-called data enrichment companies.
– Data was hosted on an unprotected Elasticsearch server, accessible by everyone.

146 Android Firmware Vulnerabilities:

kryptowire.com/android-firmwar

– "found using automatic tools, and it is extremely likely that many of the vulnerabilities are not exploitable"
– "since they're firmware bugs, in many cases there is no ability to patch them"
– Comment by B. Schneier: schneier.com/blog/archives/201

The maker of Magic: The Gathering leaks 450,000 data sets of players:

techcrunch.com/2019/11/16/magi

– Source of the leak was a publicly-accessible database backup file.
– The file contains user names, date and time of account creation and last access, e-mail addresses, and salted and hashed passwords.
– This leak again shows that security takes more than HTTPS and a few HTTP headers.

Some news regarding our blog (infosec-handbook.eu):

– We now cryptographically sign all Git commits to codeberg.org using a dedicated key that is linked to the account. So the open padlock is now locked and green for people who like this. 😉
– We added information on how to support us: infosec-handbook.eu/support-us. As before, we don't accept financial contributions or sponsoring, so that we remain 100% independent.

TPM-FAIL – security vulnerabilities in Trusted Platform Modules:

tpm.fail/tpmfail.pdf (PDF file)

– Affected are Platform Trust Technology (Intel) and the ST33 TPM chip (STMicroelectronics). TPMs from Nuvoton and Infineon aren't affected.
– A remote attacker could retrieve certain private keys (e.g., as used by ECDSA).
– Intel provides a firmware update; vulnerable ST33 chips can't be patched.

Regarding "IP leaks everywhere" posts:

IP addresses aren't secrets. IP addresses are essential to route network traffic.

Some people/companies write their marketing lingo as if you had to hide your IP address from the world. However, there is always another computer/device that learns your IP address, even if you are using VPNs or Tor.

(The same is true for MAC addresses and ports.)

We sometimes read "My blog is super secure since it uses TLS 1.2+/AEAD/PFS/CSP/OCSP/CAA…". At the same time, such blogs use CMS like WordPress (with a large attack surface), and need database servers, PHP etc.

However, these features don't protect databases – the valuable thing for bad guys. They don't keep software up to date or configure it properly. They only protect data in transit – and only if supported by clients.

So it is all about self-promotion, not about actual security.

Tor Browser 9.0.1 released, the first bugfix release in the 9.0 series:

blog.torproject.org/new-releas

– updates for NoScript, and Tor Launcher
– fixes 20 bugs

An example of how not to remove personal data in documents. (We removed the name here.)

You can easily copy the blacked-out line and paste it somewhere else, revealing data that shouldn't be there.

If you want to avoid something like this, black out lines, print out the file, and scan it afterwards.
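Before publishing a "redacted" PDF, check whether the covered text is still in the file. The added example below (ours, not from the original toot) builds a constructed PDF fragment whose redaction is only a black rectangle painted over the text and then recovers the text from the content stream, which is exactly the failure mode described above; real PDFs are assumed to keep their page content in Flate-compressed or plain streams, which is what the check inspects.

```python
import re
import zlib

# Constructed page content: the "redaction" is a black rectangle (re f)
# painted over the first line, but the text operator (Tj) is still there.
CONTENT = (b"BT /F1 12 Tf 72 700 Td (Customer: Jane Example) Tj ET\n"
           b"BT /F1 12 Tf 72 680 Td (Invoice total: 120 EUR) Tj ET\n"
           b"0 g 70 696 200 14 re f\n")

def make_stream_object(num, content, compress=True):
    """Wrap content in a PDF stream object, Flate-compressed like most real PDFs."""
    data = zlib.compress(content) if compress else content
    flt = b" /Filter /FlateDecode" if compress else b""
    return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), flt)
            + data + b"\nendstream\nendobj\n")

# Constructed fragment: header plus one content stream; xref table omitted.
SAMPLE_PDF = b"%PDF-1.4\n" + make_stream_object(4, CONTENT) + b"% constructed sample\n"

STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
TEXT_RE = re.compile(rb"\(([^()\\]*)\)\s*Tj")   # plain string literals shown with Tj

def extract_text(pdf_bytes):
    """Return every string literal shown via Tj in any (possibly compressed) stream."""
    found = []
    for dictionary, raw in STREAM_RE.findall(pdf_bytes):
        data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        found.extend(s.decode("latin-1") for s in TEXT_RE.findall(data))
    return found

def redaction_leaks(pdf_bytes, secrets):
    """Which of the supposedly removed strings can still be recovered from the file?"""
    text = "\n".join(extract_text(pdf_bytes))
    return [s for s in secrets if s in text]

if __name__ == "__main__":
    print(redaction_leaks(SAMPLE_PDF, ["Jane Example", "120 EUR"]))
```

Any string this returns was never removed, only hidden; the print-and-scan approach above produces a file with no text objects to recover in the first place.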

Falsehoods Computer Science Students (Still) Believe Upon Graduating:

netmeister.org/blog/cs-falseho

Security-related myths:

– Open Source means it has fewer bugs and is more secure.
– 'Privacy' and 'Confidentiality' are synonymous.
– 'Encryption' and 'Security' are synonymous.

(And no, most CS students are neither good programmers nor security specialists upon graduating.)

Monthly review, October 2019:

infosec-handbook.eu/blog/2019-

– news: Simjacker (again), web browser support for TLS, important security updates
– tool: MinTOTP
– tip: processes/organization as an important part of InfoSec
– 3 questions/answers

ECSM 2019 – Securing emerging technology (IoT) at home:

infosec-handbook.eu/blog/ecsm2

Nowadays, there are dozens of IoT devices available for private users/consumers. We present several problems with IoT devices, and ways to secure them.
