Security Now 710 🎙️ "DragonBlood" with Steve Gibson:
https://twit.cachefly.net/audio/sn/sn0710/sn0710.mp3 (available soon)
instances.social lists more than 5,200 Mastodon instances. The vast majority of instances that are "up" have more than 5 users.
Besides, very small instances are more likely to disappear or to be down most of the time.
Sometimes, even medium-sized instances disappear. For example, we were on securitymastod.one before. This instance had more than 2,000 users and was shut down overnight without prior notice.
The whole point of Keybase proofs is to cryptographically link _already public_ information. Keybase isn't the "leak" in this scenario, and the links are there on purpose.
Besides, tools like theHarvester allow you to extract the same info from "traditional" GPG key servers where you can't delete your keys, and others can upload fake keys.
Moreover, you can use Keybase just fine without uploading any GPG keys or linking any accounts.
A hashtag is a type of metadata tag used on social networks […], allowing users to apply dynamic, user-generated tagging which makes it possible for others to easily find messages with a specific theme or content.
Keybase: Some people state that they will never use Keybase since everybody is forced to upload their private, secret GPG keys. This is a myth …
Since 2015, Keybase solely relies on per-device NaCl keys:
NaCl was created by cryptologist Daniel J. Bernstein, who is also known for Curve25519:
You don't need to upload any secret GPG keys. You can even use Keybase without uploading any GPG key.
Two additional tips:
1. Prefer FIDO U2F over OATH-TOTP: TOTP relies on a shared secret (the server stores the same secret as your authenticator, so a server-side breach or a phishing site that relays the code can defeat it), while U2F relies on asymmetric keys and binds each signature to the origin. The newest standard, WebAuthn, is also supported by the latest YubiKey series.
2. You can also use YubiKeys/Nitrokeys for generating OATH-TOTP. This is more secure than storing TOTP secrets on your phone. Some tokens come with NFC for mobile use.
5 lessons learned from the matrix.org breach:
– purely focusing on technical security causes insecurity
– the cause of the breach isn’t limited to matrix.org at all
– think twice about using any service on the internet
– think twice about running your own server on the internet
– react to any security-related messages
Microsoft–compromised MS support agent account used to access e-mail accounts of customers:
– Microsoft confirmed that "a limited number of people" had their accounts compromised
– affected accounts are on the @msn.com and @hotmail.com domains; no enterprise customers are affected
– the breach occurred between January 1 and March 28
Matrix.org publishes timeline after security breach:
– the attacker exploited vulnerabilities in Jenkins
– the attacker had full database access, including access to unencrypted content such as private messages, password hashes, and access tokens
– Matrix.org recommends changing your password (including your NickServ password)
Yesterday, Keybase published an update to address this:
Currently, 6 Mastodon instances are available for verification in Keybase:
Dragonblood–vulnerabilities in WPA3 standard:
– the paper describes 5 different vulnerabilities (DoS, downgrade, side-channel attacks)
– the researchers believe that WPA3 "does not meet the standards of a modern security protocol"
– the Wi-Fi Alliance published a security update for the standard: https://www.wi-fi.org/security-update-april-2019
Mastodon 2.8.0 available, adds support for Keybase proofs, polls, and more:
Related Keybase article:
Security Now 709 🎙️ "URL 'Ping' Tracking" with Steve Gibson:
#securitynow #stevegibson #SGgrc #infosec #podcast #cybersecurity #security #privacy #microsoft #browser #chromium #windows10 #update #biometrics #spoofing #android #bankingapps #apps #nsa #ghidra #html5 #ping
CVSS, CVE, CWE, CAPEC – common standards security professionals should know:
– CVSS: severity of a vulnerability
– CVE: unique identifier for a vulnerability
– CWE: list of clearly described software weaknesses
– CAPEC: list of clearly described attack patterns
Source code of the Ghidra Software Reverse Engineering Framework is now completely available:
– Ghidra is an open-source reverse engineering tool created by the National Security Agency
– there is the GhidraDev plugin for Eclipse to develop extensions and scripts
Mozilla plans to enable the FIDO U2F API for all Firefox users since U2F is more widespread than WebAuthn at the moment:
– WebAuthn has been an official W3C Recommendation for one month and offers more secure authentication
– FIDO U2F (Universal 2nd Factor) offers secure second factor authentication and is roughly the predecessor of WebAuthn
– Firefox 60 brings support for WebAuthn
Thousands of D-Link routers have been hacked to redirect their DNS traffic:
– nearly 15,000 D-Link routers are affected, mostly DSL-2640B
– other affected manufacturers are TOTOLINK, and Secutech
– the hijacked routers change the DNS settings handed to connected devices, redirecting victims to malicious websites
Facebook–security team spots 146GB dataset containing 540 million records of Facebook users:
– dataset includes comments, likes, reactions, account names, Facebook IDs, and more
– the origin of the leak is the Mexico-based media company Cultura Colectiva, which develops third-party apps
– a second dataset contains 22,000 cleartext passwords from 2014
We sent e-mails to the e-mail address directly shown on uvnc.com (firstname.lastname@example.org).
Since they removed things immediately after being contacted by us, it is likely that they got the messages.
mastodon.at is a microblogging site that federates with most instances on the Fediverse.