InfoSec Handbook introduces experimental P2P support via Dat protocol:

dat://4354ef3fa9ae5df664fd4a40707cab7450a24d29d4d9f2770b29ebdc720c7151/

(The URL may change during testing.)

About the Dat Project:

datproject.org/

Mozilla releases updates for two critical security vulnerabilities in Firefox:

mozilla.org/en-US/firefox/66.0

mozilla.org/en-US/firefox/60.6

Fixed versions are:

– Firefox 66.0.1
– Firefox for Android 66.0.1
– Firefox ESR 60.6.1
– Tor Browser 8.0.8

Repos hosted on GitHub and similar platforms often leak crypto secrets and API keys:

ndss-symposium.org/wp-content/ (PDF file)

– researchers scanned 13% of public GitHub repos
– 100,000 repos contained secrets; thousands of new secrets are leaked every day
– GitHub is developing "token scanning" to help remove leaked secrets; however, according to the paper, dedicated scanners like TruffleHog are ineffective
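The two detection approaches the paper contrasts (fixed-shape signatures for well-known key formats, and entropy scoring for everything else) are easy to see side by side in a small scanner. The following is an added example written for this post, not code from the paper or from GitHub's token scanning; the sample lines are constructed (the AWS value is AWS's own documentation example key, the GitHub token is a made-up string in the `ghp_` shape), and the thresholds are assumptions chosen to illustrate why placeholders and short passwords slip past entropy-based checks.

```python
import math
import re

# Constructed sample input (not taken from the paper). Nothing here is a real credential.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'password = "hunter2"',
    'GITHUB_TOKEN=ghp_ab12CD34ef56GH78ij90KL12mn34OP56qr78',
    'secret_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"',
    'print("hello world")',
    'api_key: 9f8e7d6c5b4a39281706f5e4d3c2b1a0',
]

# Signature patterns for key formats that have a fixed, recognisable shape.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "<secret-ish name> = <value>" assignment, for keys without a fixed shape.
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_]*(?:secret|token|key|password|passwd)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s]+)",
    re.IGNORECASE,
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(line: str, min_len: int = 20, min_entropy: float = 3.5):
    """Return a list of (kind, value) findings for one line of text."""
    findings = []
    for kind, pattern in SIGNATURES.items():
        for match in pattern.finditer(line):
            findings.append((kind, match.group(0)))
    seen = {value for _, value in findings}
    match = ASSIGNMENT.search(line)
    if match:
        value = match.group("value")
        # Only long, high-entropy values are flagged: a short word or a run of
        # "x" falls below the thresholds, which is exactly where entropy-only
        # scanning misses weak or structured secrets.
        if value not in seen and len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append(("high_entropy_" + match.group("name").lower(), value))
    return findings


def scan_text(lines):
    """Scan many lines; returns 1-indexed (line_number, kind, value) tuples."""
    return [(i, kind, value)
            for i, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LINES):
        print(hit)
```

Running it reports the AWS key, the GitHub token and the hex API key, while `password = "hunter2"` and the all-`x` placeholder go unreported; a scanner used as a pre-commit hook therefore needs signatures for the formats you actually use, not entropy alone.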

Zero-day vulnerability in "Easy WP SMTP" plugin for WordPress, currently exploited by attackers:

wordfence.com/blog/2019/03/hac

– the vulnerability is only present in Easy WP SMTP v1.3.9, and it is fixed in v1.3.9.1
– attackers can turn normal user accounts into administrative accounts, or redirect users to malicious websites
– as always, closely monitor your web server, and update ASAP

Tor-focussed :tor: operating system Tails 3.13 released:

tails.boum.org/news/version_3.

– updates for Linux kernel (4.19.28), Tor Browser (8.0.7), Tor, and Thunderbird (65.1.0)
– updates Intel microcode to 3.20180807a.2 to fix more variants of the Spectre, Meltdown, and Level 1 Terminal Fault (L1TF) vulnerabilities
– bug fixes and minor changes

Tor Browser :tor: 8.0.7 released, fixes several security vulnerabilities:

blog.torproject.org/new-releas

– based on FF 60.6.0esr
– updates for Tor, and Torbutton
– improves interoperability with NoScript

IPv6 unmasking via UPnP:

blog.talosintelligence.com/201

– a technique that uses the properties of the Universal Plug and Play (UPnP) protocol to get specific IPv4 hosts to divulge their IPv6 address
– keep UPnP disabled (there are other security reasons for doing so)

libssh2 1.8.1 available, patches 9 security vulnerabilities:

libssh2.org/changes.html

– libssh2 is an open source client-side C library implementing SSH 2
– all versions prior to 1.8.1 are affected

Firefox 66.0 :firefox: available, comes with "Passwordless Web Authentication Support via Windows Hello":

blog.mozilla.org/security/2019

– Windows 10 is the first platform to support the new FIDO2 “passwordless” capabilities for Web Authentication
– for Firefox ESR users, this Windows Hello support is currently planned for ESR 60.0.7, being released mid-May

As announced in January, we looked at the /e/ Android ROM, provided by the /e/ Foundation:

infosec-handbook.eu/blog/e-fou

– it isn't completely "ungoogled" as promised
– some traffic of preinstalled apps is unencrypted and contains personal data
– the security of their website is in great need of improvement

SSH security–some people change the default SSH port 22 to 2222 (since this is recommended by many "SSH security best practices" guides). It turns out that port 2222 is also well-known to attackers:

isc.sans.edu/forums/diary/A+Co

Password-storage field study with freelancers–mostly no security-by-design:

net.cs.uni-bonn.de/fileadmin/u (PDF file)

– freelance developers were tasked with developing password storage
– the majority of non-prompted freelancers did not think about security
– some developers "secured" passwords by "encrypting" them using Base64 encoding; others didn't understand the difference between hashing and encrypting
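The difference the study's participants missed is concrete: Base64 is reversible by anyone holding the database, whereas a salted, slow password hash is not. The following is an added example for this post (not code from the study), showing the Base64 "storage" beside PBKDF2-HMAC-SHA256 with a random per-password salt and a constant-time verify; the storage string format and the iteration count are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def base64_store(password: str) -> str:
    """What some freelancers in the study did: this is encoding, not encryption."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(stored: str) -> str:
    """Anyone holding the database recovers every password with one call."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow, one-way: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Returns "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" (format chosen
    for this example) so that the parameters travel with the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record, never "accept by accident"
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(base64_recover(base64_store("hunter2")))   # the password comes straight back
    record = hash_password("hunter2")
    print(record)                                    # salt and hash, no password
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Two users with the same password get different records because each gets a fresh salt, and the iteration count is stored alongside the hash so it can be raised later without breaking existing accounts.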

Android Q–next version of Android brings a number of additional privacy and security features:

android-developers.googleblog.

– more control over when apps can get location
– control apps' access to the Photos and Videos or the Audio collections via new runtime permissions
– support for TLS 1.3

Infecting gamers–39% of all Counter-Strike 1.6 servers were malicious and tried to infect users with malware "Belonard":

zdnet.com/article/malicious-co

– Belonard malware exploited four RCEs (two in the official CS1.6 game and two in a pirated version)
– 1,951 servers were infected
– infected servers displayed the game type as "Counter-Strike 1," "Counter-Strike 2," or "Counter-Strike 3"
– the network has been shut down

Google Play–more than 200 apps contain "SimBad" adware, downloaded more than 150 million times:

techcrunch.com/2019/03/13/new-

– the malware masquerades as an ad-serving platform
– SimBad is mostly contained in free games
– list of infected apps: assets.documentcloud.org/docum

WordPress 5.1–critical exploit chain that enables an unauthenticated attacker to gain remote code execution on any WordPress installation:

blog.ripstech.com/2019/wordpre

– exploit is possible due to a CSRF vulnerability in comment forms
– fixed in WordPress 5.1.1
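The root cause named above is a comment form that accepts a POST from any origin as long as the browser sends the logged-in session cookie. The following is an added example for this post, not WordPress code, showing that weak handler beside one that requires a per-session token and rejects cross-origin requests; the in-memory session store, the site origin and the field names are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store standing in for a real session backend.
SESSIONS: Dict[str, Dict[str, str]] = {}
SITE_ORIGIN = "https://blog.example"  # placeholder origin for the site


def login(session_id: str, user: str) -> None:
    """Create a session and bind a fresh random CSRF token to it."""
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def csrf_token_for(session_id: str) -> str:
    return SESSIONS[session_id]["csrf_token"]


def render_comment_form(session_id: str) -> str:
    """The token rides in a hidden field that a page on another origin cannot read."""
    token = csrf_token_for(session_id)
    return (
        f'<form method="post" action="{SITE_ORIGIN}/comment">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<textarea name="comment"></textarea></form>'
    )


def handle_comment_unchecked(session_id: str, form: Dict[str, str]) -> Tuple[bool, str]:
    """The weak pattern: the session cookie is the only thing checked, so a form
    auto-submitted by any page the user visits is indistinguishable from a real one."""
    if session_id not in SESSIONS:
        return False, "not logged in"
    return True, "comment stored"


def handle_comment(session_id: str, form: Dict[str, str], origin: Optional[str]) -> Tuple[bool, str]:
    """The hardened pattern: same-origin check plus a token bound to the session."""
    if session_id not in SESSIONS:
        return False, "not logged in"
    # Browsers send Origin on cross-site POSTs; a mismatch is rejected outright.
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request rejected"
    expected = SESSIONS[session_id]["csrf_token"].encode("utf-8")
    supplied = form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "comment stored"


if __name__ == "__main__":
    login("sess-1", "alice")
    print(render_comment_form("sess-1"))
    forged = {"comment": "posted without the user's intent"}
    print(handle_comment_unchecked("sess-1", forged))
    print(handle_comment("sess-1", forged, "https://other.example"))
    print(handle_comment("sess-1", {"comment": "hi", "csrf_token": csrf_token_for("sess-1")}, SITE_ORIGIN))
```

The token check is what matters when the Origin header is absent (older clients, some proxies), which is why the hardened handler does not rely on the origin check alone.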

Automatic Certificate Management Environment (ACME) is officially RFC 8555 now:

tools.ietf.org/html/rfc8555

"This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation."
