Pinned toot

InfoSec Handbook introduces experimental P2P support via Dat protocol:

dat://4354ef3fa9ae5df664fd4a40707cab7450a24d29d4d9f2770b29ebdc720c7151/

(The URL may change during testing.)

About the Dat Project:

datproject.org/

SensorID – tracking smartphones by misusing their sensor data:

sensorid.cl.cam.ac.uk/

– iOS before 12.2 and some Android devices leak unique fingerprints via all common web browsers
– iOS 12.2 or higher adds random noise to prevent fingerprinting (CVE-2019-8541)
– Google Pixel 2 and 3 (and maybe more Android devices) are vulnerable and offer no fixes, according to the paper
– users should disable JavaScript, if possible

Tor-focussed :tor: operating system Tails 3.14 released:

tails.boum.org/news/version_3.

– updates for Linux kernel (4.19.37), firmware packages, and Tor Browser (8.5)
– includes mitigations for the Microarchitectural Data Sampling CPU vulnerability
– several packages were removed
– bug fixes and minor changes

Tor Browser :tor: 8.5 released, comes with first stable version for Android:

blog.torproject.org/new-releas

– based on FF 60.7.0esr
– updates for Torbutton, HTTPS Everywhere, OpenSSL, Tor Launcher
– fixes dozens of bugs

Firefox 67.0 :firefox: available:

mozilla.org/en-US/firefox/67.0

– Content Blocking can block fingerprinting and cryptominers now
– extensions can be excluded from private tabs
– FIDO U2F API is now enabled

Qualys SSL Labs adds 4 new tests for vulnerabilities, and considers cipher suites using CBC "weak":

blog.qualys.com/technology/201

– as an admin, you should disable all CBC cipher suites for several reasons (use GCM for block ciphers)
– SSL Labs tests for POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE now
– servers affected by the vulnerabilities are downgraded to F
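As an added illustration of the "disable CBC, keep AEAD" advice (example code written for this note, not from the Qualys post; the cipher list is constructed to look like a typical mixed server setting): sort an OpenSSL-style cipher string into the AEAD suites (GCM, CCM, ChaCha20-Poly1305) you would keep and the CBC suites SSL Labs now marks weak.

```shell
# Added example, not from the Qualys post: split an OpenSSL-style cipher list
# into AEAD suites (GCM, CCM, ChaCha20-Poly1305) and CBC suites, so an admin
# can see what a hardened ssl_ciphers / SSLCipherSuite value would drop.
# MIXED_CIPHERS is constructed for this example.
MIXED_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256'

# is_aead SUITE -> exit 0 if the suite name denotes an AEAD construction.
# In OpenSSL naming, a TLS 1.2 suite without GCM/CCM/CHACHA20 uses CBC
# (e.g. ECDHE-RSA-AES256-SHA384 is AES-256-CBC with HMAC-SHA384).
is_aead() {
  case "$1" in
    *-GCM-*|*-CCM*|*CHACHA20*) return 0 ;;
    *) return 1 ;;
  esac
}

# filter_suites keep|drop LIST -> colon-separated subset of LIST
filter_suites() {
  mode="$1"; out=""
  old_ifs="$IFS"; IFS=':'
  for suite in $2; do
    if is_aead "$suite"; then hit=keep; else hit=drop; fi
    if [ "$hit" = "$mode" ]; then out="${out:+$out:}$suite"; fi
  done
  IFS="$old_ifs"
  printf '%s\n' "$out"
}

# aead_only LIST -> the hardened value to put in the server config
aead_only() { filter_suites keep "$1"; }

# cbc_suites LIST -> the suites SSL Labs would now flag as weak
cbc_suites() { filter_suites drop "$1"; }

# Usage: aead_only "$MIXED_CIPHERS"; cbc_suites "$MIXED_CIPHERS"
```

The classification only covers TLS 1.2-style OpenSSL names; TLS 1.3 suites are all AEAD and are configured separately, so they never need this filter.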

CVE-2019-0708 – vulnerability in Remote Desktop Services that affects old Windows versions:

blogs.technet.microsoft.com/ms

– patches are available for Windows XP SP3, Windows 7, Windows Server 2003, and Windows Server 2008 (R2)
– Windows 8, Windows 10, and Windows Server 2012 (or newer) aren't affected
– attackers can remotely execute arbitrary code if exploited

ZombieLoad – another Intel CPU side-channel attack to steal data:

zombieloadattack.com/

– a demo shows someone spying on a person who uses the Tor Browser in a VM
– Intel has released microcode patches; full protection is only possible if Hyper-Threading is disabled
– related CVE ids: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Linux Kernel vulnerable to remote code execution and denial of service attacks:

bleepingcomputer.com/news/secu

– attackers can execute arbitrary code by crafting special TCP packets
– fixed in Linux Kernel 5.0.8 and newer
– CVE-2019-11815 (CVSSv3 8.1)

After major security vulnerabilities or data breaches, "security people" show up and tell you to delete your account immediately. "Oh, time to delete your account! Switch to service/product … instead!"

Such statements totally ignore that security vulnerabilities are widespread and the vast majority of data breaches won't become publicly known. Full control over your data and devices requires 100% isolation from the internet, not just arbitrarily switching services or products.

Follow-up on tool that extracts GPG secret keys of Nitrokey Start tokens:

github.com/Nitrokey/nitrokey-s

github.com/Nitrokey/nitrokey-s

– obviously, the Nitrokey Start wasn't protected
– owners should update their firmware to release RTM.7 or above

Original toot: mastodon.at/@infosechandbook/1

Do you know? There is our first InfoSec Handbook poll on Mastodon/in the Fediverse ongoing, about 6 hours left:

mastodon.at/@infosechandbook/1

We will discuss the results in a future article about web server security/self-hosting.

There is also a web server security series on our blog: infosec-handbook.eu/as-wss/

Honeypot for SSH – SSH Honey Keys:

kulinacs.com/ssh-honey-keys/

– the idea is to create dedicated SSH keys with restricted access, and additional logging/alerting
– the author has doubts whether SSH Honey Keys are practical in certain IT environments
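As an added illustration of the honey-key idea (example code written for this note, not from the kulinacs.com post; the logger path, log file and the sample public key are placeholders): build the restricted authorized_keys entry for a decoy key, and the forced command that records every use of it and then refuses the session.

```shell
# Added example, not from the kulinacs.com post. A "honey key" is a key pair
# that no legitimate user needs; any login with it is a signal. The entry
# below uses OpenSSH's "restrict" option (no pty, no forwarding, no agent) and
# "command=" so the session runs our logger instead of the client's command.
# SAMPLE_PUBKEY is constructed and not a real key; paths are placeholders.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleExample honey@decoy'
LOGGER_PATH='/usr/local/sbin/honey-log'   # placeholder location of the forced command

# honey_key_entry LOGGER_PATH PUBKEY -> one line for ~/.ssh/authorized_keys
honey_key_entry() {
  printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# honey_key_log LOGFILE
# Body of the forced command: sshd sets SSH_CONNECTION (client/server
# addresses and ports) and SSH_ORIGINAL_COMMAND (what the client asked for).
# Record both, leave a hook for alerting, and exit non-zero so the session
# never becomes useful.
honey_key_log() {
  logfile="$1"
  printf '%s HONEYKEY from=%s cmd=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "${SSH_CONNECTION:-unknown}" \
    "${SSH_ORIGINAL_COMMAND:-<none>}" >> "$logfile"
  # placeholder alert hook: mail, webhook or syslog call would go here
  return 1
}

# honey_key_uses LOGFILE -> number of recorded uses (0 if no log yet)
honey_key_uses() {
  if [ -f "$1" ]; then grep -c HONEYKEY "$1" || true; else echo 0; fi
}

# Usage: honey_key_entry "$LOGGER_PATH" "$SAMPLE_PUBKEY" >> /home/decoy/.ssh/authorized_keys
```

The entry goes into the decoy account's authorized_keys, the private half is placed where a leak would be noticed, and sshd's own auth log still records the key fingerprint, so the honey log and the auth log can be correlated when alerting.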

Mozilla releases more Firefox :firefox: updates to re-enable web extensions:

Desktop: mozilla.org/en-US/firefox/66.0

Android: mozilla.org/en-US/firefox/andr

ESR: mozilla.org/en-US/firefox/60.6

– Firefox 66.0.4 and Firefox 60.6.2 ESR didn't fix the web extensions completely
– there will likely be more Tor Browser/Tails updates soon

Browser Fingerprinting – A survey:

arxiv.org/pdf/1905.01051 (PDF file)

– different tracking techniques are discussed
– different defensive techniques are compared (e.g. uBlock Origin, EFF Privacy Badger)
– VPN users "are particularly vulnerable to browser fingerprinting", according to the paper

Tor-focussed :tor: operating system Tails 3.13.2 released:

tails.boum.org/news/version_3.

– update for Tor Browser to fix disabled extensions
– updates for Debian (9.9), and Thunderbird 60.6.1
– bug fixes and minor changes
