Google announces date of death of consumer Google+:
– DOD will be April 2, 2019
– Google announced to delete Google+ accounts, pages, photos, videos, and album archive of consumer users
– G Suite users aren't affected
– all Google+ APIs will be shut down in March 2019
Airbus discloses security incident, resulting in "unauthorised access to data":
"we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe."
Airbus is in contact with the relevant regulatory authorities and the data protection authorities pursuant to the GDPR.
Czech train/bus operator Leo Express allowed unauthenticated access to data of its customers:
– website also allowed reflected XSS
– it was possible to read 10 out of 16 digits of stored credit card numbers (normally, credit card numbers are limited to the last four digits when masked)
– all vulnerabilities are fixed
Security Now 699 🎙️ "Browser Extension Security" with Steve Gibson:
https://twit.cachefly.net/audio/sn/sn0699/sn0699.mp3 (available soon)
#securitynow #stevegibson #SGgrc #infosec #podcast #cybersecurity #security #privacy #dns #hijacking #ios #macos #facetime #malware #websites #chrome #cisco #rv320 #rv325 #empoweb #browser #extensions
Chrome/Chromium 72 deprecates HPKP, TLS 1.0, and TLS 1.1:
– HTTP-Based Public Key Pinning (HPKP, RFC 7469) is now useless for Chrome/Chromium users
– full support for TLS 1.0 and 1.1 will be removed in Chrome 81 (2020)
– update contains fixes for 58 security bugs
Tor-focussed operating system Tails 3.12 released:
– new USB image for installation (macOS, Windows, Linux)
– updates for Linux kernel (4.19), Intel/AMD microcode, Tor Browser (8.0.5) and Thunderbird (60.4.0)
– drops RSS feed reader Liferea (use Thunderbird)
– bug fixes and minor changes
There is a known issue:
Sometimes, Tails fails to start a second time. Read the announcement above if you encounter this bug.
Tor Browser 8.0.5 released:
– based on FF 60.5.0esr
– updates for Tor, Torbutton, HTTPS Everywhere and NoScript
– sets security.pki.name_matching_mode to "enforce"
– several bug fixes for different operating systems
Today, an upset internet user complained about our "hilarious" Signal recommendation and "dumb arguments" regarding XMPP in https://infosec-handbook.eu/blog/xmpp-aitm/.
And there it is: The next episode of "Signal vs. XMPP". 📺
To be brief:
– we actually recommended in the same article to host your own XMPP server (besides using Signal)
– cleartext password logging and extensive server-side tracking can't be detected by XMPP users
– there is no secure messenger, see https://infosec-handbook.eu/blog/discussion-secure/#sm
Firefox 65.0 available:
– comes with enhanced tracking protection, and stronger stack smashing protection (macOS, Linux, Android)
– various security fixes
– supports Google's WebP image format which we will use instead of PNG soon (maybe)
French /e/ foundation develops Google-free Android ROM (in development):
– we are testing it on Moto G4 (Android 7.1.2, Patch Level Dec 2018)
– ROM comes with Signal, Magic Earth, K-9 Mail (fork), microG and more
– you can use F-Droid as an app store
– we will likely publish an article about it in the near future
Android: disable carrier/OEM bloatware without root access via adb:
– command is "pm uninstall -k --user 0 <name of package>"
– this command disables packages for the standard user
– packages return after factory reset
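Added example (not code from the original post): a small POSIX shell wrapper around the `pm uninstall -k --user 0` command above that validates package names, reads them from a list file and supports a dry run; keeping the list makes it easy to re-apply after a factory reset brings the packages back. It assumes adb is on PATH and the device is authorised for USB debugging; the list file and package names are constructed.

```shell
#!/bin/sh
# Batch-disable carrier/OEM packages for the primary user (user 0) via adb.
# -k keeps the app data, so the package is only removed for user 0, exactly
# as described in the post; it is not deleted from the system image.

ADB="${ADB:-adb}"   # set ADB=echo for a dry run that only prints the commands

# Accept only well-formed package names (dotted [A-Za-z0-9_] segments), so a
# stray or malformed line in the list never reaches "adb shell" as input.
valid_pkg() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$'
}

# Disable one package for user 0; returns non-zero for a malformed name.
disable_pkg() {
    valid_pkg "$1" || { echo "skipping malformed package name: $1" >&2; return 1; }
    "$ADB" shell pm uninstall -k --user 0 "$1"
}

# Process every package in a list file ('#' comments and blank lines are
# ignored) and print the number of packages that were passed to adb.
disable_from_list() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        pkg="${line%%#*}"
        pkg="$(printf '%s' "$pkg" | tr -d '[:space:]')"
        [ -z "$pkg" ] && continue
        disable_pkg "$pkg" && n=$((n + 1))
    done < "$1"
    echo "$n"
}
```

Keep the list file with your backups: after a factory reset the same list re-disables everything in one run.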
Many free mobile VPN apps are based in China:
Free VPN apps on Android: many apps leak your identity, ask for questionable permissions, or track you:
– tested: 150 free VPN apps with over 260M installs from Google Play Store
– 25% fail to protect user privacy due to DNS and other leaks
– 85% feature excessive permissions or functions with potential for privacy abuses
As recommended by Steve Gibson in SN 698 "Which Mobile VPN Client?":
Use OpenVPN, if possible.
Mastodon 2.7.0 introduced an opt-in directory per instance, making it easier to find interesting profiles on the instance:
To join, go to "settings" → "edit profile" and check "List this account on the directory".
Help others to find interesting profiles.
Cryptographic failures in 7-Zip:
– half of the initialization vector contains zeros, "RandomGenerator" uses PID and time(null) as seed
– according to the author, the problem is "Open-source 'many eyes have looked at it for years so it must be secure' crypto code"
– bug report: https://sourceforge.net/p/sevenzip/bugs/2176/
Security Now 698 🎙️ "Which Mobile VPN Client?" with Steve Gibson:
Security vulnerability in apt (Advanced Package Tool) affects Debian, Ubuntu, and other apt-based Linux derivatives:
– vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection
– fixed in apt version 1.4.9
Avast PC Trends Report 2019—55% of all programs worldwide are out-of-date:
– most out-of-date programs are among others: VLC Media Player, Skype, JRE 6–10, 7-Zip, Foxit Reader, IrfanView, Mozilla Firefox, and Mozilla Thunderbird
– Windows 7 remains most used OS (43%) while 15% of Win 7 systems are out-of-date
– the average PC is 6 years old, 63% of PCs are laptops
Genode—toolkit for building highly secure special-purpose operating systems:
– scales from embedded systems to highly dynamic general-purpose workloads
– each program runs in a dedicated sandbox and gets granted only those access rights and resources that are needed for its specific purpose