Micro guide: YubiKey U2F 2FA for Parrot OS

– Check if YubiKey is connected: "lsusb | grep U2F"
– Install libraries: "sudo apt install pamu2fcfg libpam-u2f"
– Create Yubico default dir: "mkdir -p ~/.config/Yubico"
– Enter "pamu2fcfg >> ~/.config/Yubico/u2f_keys" and press the YubiKey button
– Add "auth required pam_u2f.so" to /etc/pam.d/mate-screensaver
– 2FA is now enabled

Check our Arch guide: infosec-handbook.eu/blog/yubik
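The six steps above as a script, added here as an example (not code from the original post). Beyond the one-liners it adds two checks: the key file must contain at least one well-formed registration before the PAM line goes live, and the PAM edit is idempotent so re-running never stacks a second `auth required`. It assumes the service file named in the post and the default pam_u2f key path.

```shell
#!/bin/sh
# Added example, not code from the original post. Run with ENROLL_U2F=1 to
# execute the steps for real; without it only the functions are defined.
# PAM_FILE defaults to the service named in the post (assumption: you lock
# the MATE screensaver); U2F_KEYS is the pam_u2f default key file.

U2F_KEYS="${HOME}/.config/Yubico/u2f_keys"
PAM_FILE="${PAM_FILE:-/etc/pam.d/mate-screensaver}"
PAM_LINE="auth required pam_u2f.so"

# Step 1: a U2F-capable YubiKey enumerates with "U2F" in its USB product name.
yubikey_present() {
    lsusb 2>/dev/null | grep -q 'U2F'
}

# Steps 2-4: install the module, create the key directory, register the key.
# pamu2fcfg waits for a touch and prints one "user:keyhandle,publickey[,...]" line.
enroll_yubikey() {
    sudo apt install -y pamu2fcfg libpam-u2f
    mkdir -p "$(dirname "$U2F_KEYS")"
    pamu2fcfg >> "$U2F_KEYS"
    chmod 600 "$U2F_KEYS"   # only the owner needs to read key handles
}

# Check: the key file is non-empty and holds a "user:handle,key" registration.
# Returns 0 when the file looks usable, 1 otherwise.
verify_u2f_keys() {
    [ -s "$1" ] && grep -Eq '^[^:]+:[^,]+,[^,]+' "$1"
}

# Step 5: append the PAM line unless an identical line is already present.
# Returns 0 when the line was added, 1 when it was already there.
add_pam_u2f_line() {
    file="$1"
    if grep -Fqx "$PAM_LINE" "$file" 2>/dev/null; then
        return 1
    fi
    if [ -w "$file" ]; then
        printf '%s\n' "$PAM_LINE" >> "$file"
    else
        printf '%s\n' "$PAM_LINE" | sudo tee -a "$file" >/dev/null
    fi
}

if [ "${ENROLL_U2F:-0}" = 1 ]; then
    yubikey_present || { echo "no YubiKey found" >&2; exit 1; }
    enroll_yubikey
    verify_u2f_keys "$U2F_KEYS" || { echo "u2f_keys not usable" >&2; exit 1; }
    add_pam_u2f_line "$PAM_FILE" || echo "PAM line already present"
fi
```

With `required`, the key is mandatory at every unlock, so verify the key file before touching the PAM file and keep a second registered key to avoid locking yourself out.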

While we zero in on 300 followers on Mastodon :mastodon:, we want to thank all of you for the friendly and open Mastodon community. We had productive discussions and talked about very interesting InfoSec topics.

Thank you. :blobcheer:

@ragazzonoioso @Oka

Thanks.

In an upcoming article, we will also explain how to use Fail2ban to further harden your SSH access.

Western Digital's My Cloud (NAS) again vulnerable:

thehackernews.com/2018/09/wd-m

– allows unauthenticated attackers with network access to the device to escalate their privileges to admin-level without needing to provide a password
– allows attackers to run commands that would typically require administrative privileges
– attackers gain complete control of the affected NAS device
– CVE-2018-17153

Recap: Secure your SSH access

– allow only whitelisted IP addresses to connect
– use a non-root account for access and disable root
– use keys instead of passwords
– only use modern algorithms
– enable 2FA for SSH
– back up your configuration
– (use dedicated hardware to store your keys)

infosec-handbook.eu/blog/wss1-

Zero-day vulnerability in NUUO firmware used by different vendors of surveillance cameras:

threatpost.com/zero-day-bug-al

– vendor-independent firmware used in up to 800,000 CCTV cameras
– 100 different cameras run the affected software
– CVE-2018-1149, CVE-2018-1150
– upgrade to NUUO's version 3.9.1 (03.09.0001.0000) or later
– and secure your cam: infosec-handbook.eu/blog/camer

Troy Hunt on EV certificates: "Extended Validation Certificates are Dead".

troyhunt.com/extended-validati

Reasons:
– increasing use of mobile devices
– removal of the EV visual indicator
– removal from Safari on iOS

Veeam, a backup and data recovery company, leaked 200 GB of customer records:

techcrunch.com/2018/09/11/veea

– mostly names, email addresses, and in some cases IP addresses
– including two collections that had 199.1 million and 244.4 million email addresses between 2013 and 2017
– a goldmine for spammers or bad actors conducting phishing attacks

OpenSSL 1.1.1 is available

openssl.org/blog/blog/2018/09/

– supports TLSv1.3 (RFC 8446)
– Long Term Support (LTS) release
– users of OpenSSL 1.0.2 LTS are strongly advised to upgrade to OpenSSL 1.1.1

Details about zero-day vulnerability in :tor: Tor Browser 7.x published on Twitter by security company:

zdnet.com/article/exploit-vend

– full bypass of the "Safest" security level of the NoScript extension
– allows malicious code to run inside the Tor Browser
– Tor Browser 8.x is not affected
– update to NoScript "Classic" version 5.1.8.7 / Tor Browser 8.x

WPA3: Details on the upcoming WLAN encryption standard 📶 🔒

spectrum.ieee.org/tech-talk/te

– focused on protection against known attacks on WPA2
– Simultaneous Authentication of Equals (SAE) will replace Pre-Shared Key (PSK)
– SAE offers forward secrecy
– WPA3-Enterprise features 192-bit encryption (vs. 128-bit in WPA2)
– no timeline set to make WPA3 de facto standard

Tor Browser 8.0 is available.

⚠️ It is now based on Firefox 60. Due to this, the User Agent string is changed, so servers can distinguish between this and older versions of Tor Browser. The User Agent string also includes the right OS (normally it always shows Windows).

blog.torproject.org/new-releas
