Google tests new Content Security Policy value "trusted-types" to fight DOM-based XSS:
– web servers must declare Trusted Types policies in their CSP, and site owners must register their website for the test
– beginning with Chrome/Chromium 73, Google will conduct client-side testing
– XSS has been one of the most prevalent vulnerabilities in websites for years
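What a site does once the directive is in place, as an added example (not code from the original post or from Google's proposal): the CSP header allowlists one policy name, the policy is the only code path that turns a string into HTML, and every innerHTML write goes through it, so a raw string can no longer reach the sink. The policy name "app-policy", the escaping rules and the stand-in element are assumptions of this example; the header follows the trial's `trusted-types <policy name>` allowlist form. Outside a browser with Trusted Types, `createPolicy` falls back to a local object with the same toString() contract so the code runs in Node as well.

```javascript
// Added example, not from the original post or from Google's Trusted Types code.
// Assumptions: policy name "app-policy", the escaping rules below, a fake element.

// Response header that enforces the policy: only policies named here may be
// created, and HTML/script sinks then refuse plain strings.
const CSP_HEADER = 'Content-Security-Policy: trusted-types app-policy';

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Create the policy once at startup. With the browser API present,
// createHTML() returns a real TrustedHTML object; otherwise (Node, browsers
// without Trusted Types) a local stand-in with the same toString() contract
// is returned so the rest of the code takes the identical path.
function createPolicy(name, rules) {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(name, rules);
  }
  return {
    name,
    createHTML: (input) => ({ toString: () => rules.createHTML(String(input)) }),
  };
}

const policy = createPolicy('app-policy', {
  // All user-supplied text is escaped; markup can only come from this template.
  createHTML: (input) => `<span class="user">${escapeHtml(input)}</span>`,
});

// The only place in the application that writes to innerHTML. Under
// enforcement, `element.innerHTML = untrustedString` throws a TypeError,
// so the raw value cannot reach the sink by accident.
function renderUserText(element, untrusted) {
  const trusted = policy.createHTML(untrusted);
  element.innerHTML = trusted;
  return String(element.innerHTML);
}

// Constructed stand-in for a DOM element so the example runs outside a browser.
const fakeElement = { innerHTML: '' };
renderUserText(fakeElement, '<img src=x onerror=alert(1)>');
console.log(String(fakeElement.innerHTML));
```

The point of the design is that `escapeHtml` is not called at every sink; it lives inside the single policy, and enforcement makes it impossible to bypass the policy by assigning a string directly.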
Data leaks: the guy who recently published 620 million data records now publishes a second data set containing another 127 million records:
– affected this time: Ixigo, YouNow, Houzz, Ge.tt, Coinmama, Roll20, Stronghold Kingdoms, PetFlow
– these data sets are also "fresh" (2018)
– reportedly, he exploited a zero-day vulnerability in PostgreSQL
Server hardening: some people install arbitrary security software to "harden" their server.
Hardening is about removing/disabling functions, accounts, services etc., not about installing random packages.
Basic hardening tips:
– install a minimal operating system + firewall
– regularly update your OS
– remove/disable unused packages, interfaces, services
– secure and monitor your log files
Tools like Lynis suggest further measures, each of which needs careful consideration.
Do you know the Dat protocol?
It is an open, decentralized, and secure protocol to share content.
InfoSec Handbook has supported it since last November:
You need a web browser that supports Dat, like Beaker Browser.
You can download a full copy of our content, and share/read it even if our blog is offline.
Kuketz often complains about incorrect privacy policies … his own site has one, too. 🤷♂️
Limits of the Exodus privacy scanner:
Some people use online tools to scan things like websites or apps. We already wrote about the limits of such tools in https://infosec-handbook.eu/blog/online-assessment-tools/.
Exodus provides static analysis of Android apps. It can't tell that a bundled tracker has been disabled (as in Signal, Riot, or Orfox), and it can't detect custom or less-known trackers. Furthermore, it can't evaluate dynamic execution or data transfer.
Results provided by such tools must always be verified by humans.
Yes, Conversations and Riot deactivated it too.
However, static analysis tools like Exodus aren't able to detect this, and some people use Exodus without verifying the results.
Signal Messenger: Firebase Analytics inside?
Signal had to switch from GCM to FCM, as mentioned in this issue: https://github.com/signalapp/Signal-Android/issues/7778
It was implemented 20 days ago:
However, the AndroidManifest.xml clearly shows that Firebase Analytics collection is turned off.
This also affects other messengers like Conversations (XMPP) or Riot (Matrix).
Search for "firebase_analytics_collection_deactivated" == "true".
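The manual check recommended above, written out as an added example (not code from the original post or from Signal's code base): read a copy of AndroidManifest.xml, collect the `<meta-data>` entries, and report whether Firebase components are bundled and whether the `firebase_analytics_collection_deactivated` opt-out is set. The two manifests are constructed for this example (package name, service class and label are assumptions); only the meta-data name comes from the post.

```javascript
// Added example, not from the original post or from any messenger's source.
// Constructed manifests; only "firebase_analytics_collection_deactivated" is from the post.

// A manifest that bundles the Firebase Messaging (FCM) component but carries the
// Analytics opt-out flag, as the post describes for Signal.
const MANIFEST_OPTED_OUT = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.messenger">
  <application android:label="Messenger">
    <meta-data android:name="firebase_analytics_collection_deactivated" android:value="true" />
    <service android:name="com.google.firebase.messaging.FirebaseMessagingService" android:exported="false" />
  </application>
</manifest>`;

// Same components, no opt-out flag: a static scanner sees identical class names,
// but here analytics collection is actually enabled (the Firebase default).
const MANIFEST_DEFAULT = MANIFEST_OPTED_OUT.replace(/^\s*<meta-data[^>]*\/>\r?\n/m, '');

// Collect every <meta-data> element's android:name / android:value pair.
// The manifest is XML, but a targeted regex is enough for this fixed attribute
// shape and keeps the example dependency-free.
function metaData(manifestXml) {
  const pairs = {};
  for (const m of manifestXml.matchAll(/<meta-data\b([^>]*?)\/?>/g)) {
    const name = /android:name="([^"]*)"/.exec(m[1]);
    const value = /android:value="([^"]*)"/.exec(m[1]);
    if (name) pairs[name[1]] = value ? value[1] : '';
  }
  return pairs;
}

// What a human reviewer concludes. "bundled" is the question a static scanner
// answers (are Firebase classes present?); "collecting" is the one that matters.
function firebaseAnalyticsStatus(manifestXml) {
  const bundled = /com\.google\.firebase\./.test(manifestXml);
  const flag = metaData(manifestXml)['firebase_analytics_collection_deactivated'];
  return {
    bundled,
    deactivated: flag === 'true',
    collecting: bundled && flag !== 'true',
  };
}

console.log('opted out:', firebaseAnalyticsStatus(MANIFEST_OPTED_OUT));
console.log('default:  ', firebaseAnalyticsStatus(MANIFEST_DEFAULT));
```

Run it against the manifest decoded from the shipped APK (for example with apktool), not only against the one in the source tree: build-time manifest merging can add components that the repository's manifest does not show, and the flag only counts if it survives into the final manifest.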
500px confirms data breach recently disclosed:
"an unauthorized party gained access to our systems and acquired partial user data on approximately July 5, 2018"
– affects first and last name, username, e-mail address, hashed password, date of birth, city, gender
Security Now 701 🎙️ "Adiantum" with Steve Gibson:
https://twit.cachefly.net/audio/sn/sn0701/sn0701.mp3 (available soon)
Privilege escalation via snapd in Ubuntu (CVE-2019-7304):
– there are multiple methods to obtain root
– affects Ubuntu 18.10, 18.04 LTS, 16.04 LTS, 14.04 LTS
– update snapd according to https://usn.ubuntu.com/3887-1/
Dunkin' Donuts 🍩 accounts hacked twice by using already leaked credentials:
– attackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts
– DD Perks accounts contain names, e-mail addresses, DD Perks account number and QR code
– that's why you should use unique, strong passwords and 2FA where possible
WordPress plugins: critical security vulnerability in "Simple Social Buttons" affects 40,000+ active installations:
– an attacker who can register new accounts on a site can exploit this vulnerability to make modifications to a WordPress site's main settings
– update to version 2.0.22
– we added information about error logging, and the Dat version of our blog
– there is a short version, and a clear scope now
– we updated the location of the data controller in terms of the GDPR
– by default, we still do not log any personal data (including IP addresses, user agents)
In case of any questions, feel free to contact us:
Zombie POODLE and GOLDENDOODLE: two vulnerabilities in TLS 1.2 implementations, related to a major design flaw in SSL 3.0:
– the issue is padding-oracle behaviour in cipher block chaining (CBC) mode for block ciphers
– enables man-in-the-middle (MitM) attacks on the encrypted traffic
– more details will be published at Black Hat Asia in March
– disable CBC-based ciphers (Lucky13 is another attack on them), or switch to TLS 1.3
Downgrade attack on TLS 1.3 and vulnerabilities in major TLS libraries:
– the attack leverages a side-channel leak via cache access timings (in OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS)
– it affects all TLS versions, including TLS 1.3 (by downgrading to an older version)
– one requirement for the attack is that the server still offers RSA key exchange (a Bleichenbacher-style padding oracle)
mastodon.at is a microblogging site that federates with most instances on the Fediverse.