Debunking 5 common web security and privacy myths:

infosec-handbook.eu/blog/web-s

– "external scanning of websites discovers all issues"
– "random HTTP response headers mean security"
– "HTTPS means security"
– "external content is bad"
– "JS/Cookies are bad"

CMSScan: a centralized security dashboard based on wpscan and other common tools.

github.com/ajinabraham/CMSScan

– you can scan WordPress, Drupal, Joomla, vBulletin websites
– it supports both on demand and scheduled scans and has the ability to send email reports

(Security tip: If you don't need a hulking CMS, use static site generators: infosec-handbook.eu/blog/stati)

CarsBlues: Bluetooth vulnerability that exploits infotainment systems of several makes via the Bluetooth protocol.

privacy4cars.com/can-my-car-be

– users who have synced a phone to their car may be affected, while tens of millions of vehicles in circulation are affected worldwide
– attackers might access contacts, call logs, text logs, and more
– the attack only requires cheap technology and no special technical skills

Voxox, a communications company, didn't set a password for its database server, exposing 26 million text messages:

techcrunch.com/2018/11/15/mill

– the leak includes password reset links, 2FA codes, shipping notifications
– Voxox pulled the database offline

AMP for WordPress: Critical vulnerability found that could allow a low-privileged attacker to inject malicious code on AMP pages:

thehackernews.com/2018/11/amp-

– AMP for WP has more than 100,000 installations
– was recently removed temporarily from the WordPress plugins library due to vulnerable code
– recently, other WP plugins also contained critical vulnerabilities

For nginx users:
nginxconfig.io/

Can be used to generate different nginx configuration files. (We did not test this service.)

The upcoming Raspberry Pi 3 Model A+ will be smaller and cheaper than the previous Pi 3 models while some features won't be available:

opensource.com/article/18/11/r

– no ethernet port, only one USB port
– 512 MB RAM
– Bluetooth 4, BLE and WiFi
– HDMI, camera and display interfaces

Quicksy.im: Centralized, closed-source and paid service that allows you to use your phone number for XMPP (to make life easier for XMPP newcomers). Also promotes licensing to operate non-federated XMPP services …

(Developed by Gultsch, main developer of Conversations, who complained about Signal being centralized, non-federated and using your phone number over and over again.)

Like Signal, Twilio is used for SMS verification.

Unlike Signal, it is paid and (as usual for XMPP) all your XMPP account data like contacts, groups, messages etc. are processed and stored on the server in cleartext.

Many free mobile VPN apps are based in China:

zdnet.com/article/many-free-mo

– 17 of the 30 apps analyzed had formal links to China, either by being a legally registered Chinese entity or by having Chinese ownership
– 86 percent of the apps he analyzed had "unacceptable privacy policies"
– some VPN apps share data with third parties, track users, and send and share data with Chinese third parties

Mozilla Security Blog: When does Firefox alert for breached sites?

blog.mozilla.org/security/2018

– If the user has never seen a breach alert before, Firefox shows an alert when they visit any breached site added to HIBP (Have I Been Pwned) within the last 12 months
– After the user has seen their first alert, Firefox only shows an alert when they visit a breached site added to HIBP within the last 2 months

mailbox.org launches new web interface:

mailbox.org/en/

– new XMPP webchat (based on conversejs.org)
– security headers are less strict than before (will be changed soon, according to mailbox.org)
– DKIM key management will be released soon
– some features aren't available at the moment

7 more speculative execution flaws in the Spectre and Meltdown families:

arstechnica.com/gadgets/2018/1

– Intel says: The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented [by Intel and other chipmakers]

Attackers can use your GPU to spy on web activity, steal passwords, and break into cloud-based applications:

PDF file: cs.ucr.edu/~zhiyunq/pub/ccs18_

– attacks require the victim to first acquire a malicious program embedded in a downloaded app
– researchers monitored either GPU memory allocations over time or GPU performance counters, used machine learning and achieved website fingerprinting with high accuracy
