Pinned toot

InfoSec Handbook introduces experimental P2P support via Dat protocol:

dat://4354ef3fa9ae5df664fd4a40707cab7450a24d29d4d9f2770b29ebdc720c7151/

(The URL may change during testing.)

About the Dat Project:

datproject.org/

CMS vulnerabilities:
Imperva counted 542 vulnerabilities in WordPress in 2018, while 98% of these vulnerabilities were related to WP plugins.

That's why we use and recommend static websites. There is no CMS, no PHP, no database, no injections, no XSS–and static content is faster than most WP blogs even when WP uses cache proxies and other "tricks".

We updated our short Hugo article: infosec-handbook.eu/blog/stati

All Secure Copy Protocol (SCP) implementations contain 4 security vulnerabilities that allow malicious SCP servers to make changes on the client's side:

zdnet.com/article/scp-implemen

– all SCP implementations (OpenSSH, Putty, WinSCP etc.) are affected
– vulnerabilities are there since 1983
– CVE-2018-20685, CVE-2019-6111, CVE-2019-6109, CVE-2019-6110
– at the moment, only WinSCP provides a patch (WinSCP 5.14)

Phishing NG. Bypassing 2FA with Modlishka:

blog.duszynski.eu/phishing-ng-

GitHub repo: github.com/drk1wi/Modlishka

– penetration testing tool can automate phishing attacks, and can even lever out two-factor authentication (2FA)
– if attackers collect 2FA tokens in real-time, they can establish legitimate sessions
– attackers only need a domain name and valid TLS certificate to use the tool

85 malicious apps removed from Google Play Store:

blog.trendmicro.com/trendlabs-

– downloaded a total of 9 million times around the world
– all apps show full-screen ads (adware)
– apps have different makers and have different APK cert public keys

New (remote) hardware-agnostic side-channel attack against page caches of the memory:

arxiv.org/pdf/1901.01161.pdf (PDF file)

– the attack targets the operating system itself, allowing capturing more than 6 keystrokes per second, enough to capture keystrokes accurately
– according to the researches, at least Linux and Windows are affected
– patches for Windows and Linux are in the works

Tails OS 3.12–Call for testing of simplified installation methods:

tails.boum.org/news/test_usb_i

– Tails OS 3.12 will introduce USB images instead of ISO images
– the new setup doesn't require Tails Installer, intermediary Tails, or a second USB flash drive anymore

"Trying to deploy WPA3 on my home network":

gist.github.com/est31/d92d17ac

– developer added SAE (Simultaneous Authentication of Equals) support to OpenWRT 18.06, and Kubuntu 18.04
– nowadays, OpenWRT ships enabled SAE support by default

Dutch consumers' association "consumentenbond" tested the facial recognition feature of 105 smartphone models:

consumentenbond.nl/veilig-inte (Dutch)

– holding up a photo of the phone's owner is enough to unlock 42 of the tested smartphones (first list)
– 6 additional devices are only protected in "strict" mode (second list)
– the remaining 57 devices passed this simple test (last list)

"Town of Salem" leak: More than 2 million password hashes are already cracked and can be downloaded.

hashes.org/leaks.php?id=1142

– usernames, e-mail addresses, weakly-hashed passwords, IP addresses, activities, purchases were leaked
– Have I Been Pwned (HIBP) already included this data breach

Most consumer routers don't make use of modern security features of Linux:

cyber-itl.org/assets/papers/20 (PDF file)

– 28 popular routers don't make use of ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), RELRO (RELocation Read-Only), and stack guards
– report contains Asus, D-Link, Linksys, Netgear, Synology, TP-Link, and Trendnet routers

Follow-up on the 2018 Marriott International Breach: less affected guests and unencrypted passport data.

nytimes.com/2019/01/04/us/poli

– approximately 383 million records were leaked
– 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files
– an additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read

Coming this weekend on infosec-handbook.eu:

– Client-side DNS security features (part 5 of our Home network security series)
– several technical improvements
– changes due to feedback of our readers

One of the first reported data breaches in 2019: "Town of Salem" leak exposed data of 7.6 million gamers.

zdnet.com/article/town-of-sale

– usernames, e-mail addresses, weakly-hashed passwords, IP addresses, activities, purchases
– Have I Been Pwned (HIBP) already included this data breach

TXQR (Transfer via QR)–protocol and set of tools and libs to transfer data via animated QR codes:

github.com/divan/txqr

Mozilla's plans for Thunderbird in 2019:

blog.mozilla.org/thunderbird/2

Roadmap: lists.thunderbird.net/pipermai

– UX/UI improvements in focus
– improving notifications by better integrating with each operating system’s built-in notification system
– UX/UI around encryption and settings will get an overhaul, whether or not all this work makes it into the next release is an open question

Show more
Mastodon

mastodon.at is a microblogging site that federates with most instances on the Fediverse.