
Google :google: announces the shutdown date of consumer Google+:

cloud.google.com/blog/products

– shutdown date is April 2, 2019
– Google will delete the Google+ accounts, pages, photos, videos, and album archives of consumer users
– G Suite users aren't affected
– all Google+ APIs will be shut down in March 2019

Airbus discloses security incident, resulting in "unauthorised access to data":

airbus.com/newsroom/press-rele

"we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe."

Airbus is in contact with the relevant regulatory authorities and the data protection authorities pursuant to the GDPR.

Czech train/bus operator Leo Express allowed unauthenticated access to data of its customers:

blog.thomasorlita.cz/vulns/leo

– the website was also vulnerable to reflected XSS
– it was possible to read 10 of the 16 digits of stored credit card numbers (PCI DSS permits a masked card number to show at most the first six and the last four digits)
– all reported vulnerabilities have been fixed

Chrome/Chromium 72 :chrome: removes HPKP and deprecates TLS 1.0 and TLS 1.1:

zdnet.com/article/google-chrom

– HTTP Public Key Pinning (HPKP, RFC 7469) is no longer enforced, so the Public-Key-Pins header is now useless for Chrome/Chromium users
– TLS 1.0 and 1.1 are deprecated for now; support will be removed entirely in Chrome 81 (2020)
– update contains fixes for 58 security bugs

Tor-focussed :tor: operating system Tails 3.12 released:

tails.boum.org/news/version_3.

– new USB image for installation (macOS, Windows, Linux)
– updates for Linux kernel (4.19), Intel/AMD microcode, Tor Browser (8.0.5) and Thunderbird (60.4.0)
– drops the RSS feed reader Liferea (Thunderbird can read feeds instead)
– bug fixes and minor changes

There is a known issue:

Sometimes, Tails fails to start a second time. Read the announcement above if you encounter this bug.

Tor Browser :tor: 8.0.5 released:

blog.torproject.org/new-releas

– based on Firefox 60.5.0esr
– updates for Tor, Torbutton, HTTPS Everywhere and NoScript
– sets security.pki.name_matching_mode to "enforce": certificates are matched against the Subject Alternative Name only, with no fallback to the Common Name
– several bug fixes for different operating systems
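What the "enforce" setting changes, as an added example that is not part of the original post or of Tor Browser's code: a minimal hostname check in the spirit of RFC 6125, once with the legacy Common Name fallback and once without it. The certificate is modelled as a plain dict ({"cn": ..., "san_dns": [...]}), which is an assumption made for the example; the numeric preference values are deliberately not reproduced here.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, a wildcard is accepted only
    as the entire leftmost label, it never spans more than one label, and a
    wildcard directly under a TLD ("*.com") is refused. Partial wildcards such
    as "w*.example.com" are treated as literals, i.e. conservatively rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_certificate(cert: dict, hostname: str, enforce_san: bool) -> bool:
    """cert is a simplified view of an X.509 leaf (assumed shape for this
    example): {"cn": str or None, "san_dns": [str, ...]}.

    enforce_san=True is the "enforce" behaviour: the Common Name is never
    consulted. enforce_san=False is the legacy fallback: the CN is used only
    when the certificate carries no DNS SAN entries; a present SAN always takes
    precedence over the CN (RFC 6125, section 6.4.4)."""
    san = cert.get("san_dns") or []
    if any(dns_name_matches(name, hostname) for name in san):
        return True
    if enforce_san or san:
        return False
    cn = cert.get("cn")
    return bool(cn) and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    # Constructed certificates, not taken from any real site.
    legacy = {"cn": "www.example.com", "san_dns": []}
    modern = {"cn": "ignored.example.net", "san_dns": ["example.com", "*.example.com"]}
    for cert, host in ((legacy, "www.example.com"), (modern, "www.example.com"),
                       (modern, "a.b.example.com"), (modern, "ignored.example.net")):
        print(host, "fallback:", match_certificate(cert, host, False),
              "enforce:", match_certificate(cert, host, True))
```

A CN-only certificate that still validates in fallback mode is exactly the kind of certificate "enforce" rejects; a CA issuing such certificates today is not following the CA/Browser Forum Baseline Requirements, so the stricter mode costs little compatibility.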

Today, an upset internet user complained about our "hilarious" Signal recommendation and "dumb arguments" regarding XMPP in infosec-handbook.eu/blog/xmpp-.

And there it is: The next episode of "Signal vs. XMPP". 📺

To be brief:

– we actually recommended hosting your own XMPP server in the same article (besides using Signal)
– cleartext password logging and extensive server-side tracking can't be detected by XMPP users
– there is no secure messenger, see infosec-handbook.eu/blog/discu

Firefox 65.0 :firefox: available:

mozilla.org/en-US/firefox/65.0

– comes with enhanced tracking protection and stronger stack smashing protection (macOS, Linux, Android)
– various security fixes
– supports Google's WebP image format, which we will (maybe) use instead of PNG soon

The French /e/ Foundation is developing a Google-free Android :android: ROM (still in development):

e.foundation/

– we are testing it on a Moto G4 (Android 7.1.2, security patch level December 2018)
– ROM comes with Signal, Magic Earth, K-9 Mail (fork), microG and more
– you can use F-Droid as an app store
– we will likely publish an article about it in the near future

Android :android:–disable carrier/OEM bloatware without root access via adb:

xda-developers.com/uninstall-c

– the command is "pm uninstall -k --user 0 <package name>", run inside "adb shell"
– this removes the package for user 0 (the primary user) only: "-k" keeps the app's data, and the APK stays in the system partition, so it is not a real uninstall
– the packages come back after a factory reset
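A small helper for doing this in bulk, as an added example and not code from the XDA article: it parses the output of "adb shell pm list packages -s", refuses to touch core system packages, and builds either the disable command from above or the matching restore command. The restore command, "cmd package install-existing <package>", reinstalls a system package for the current user without root; its availability on a given device is an assumption. The package list embedded here is constructed, not a real device dump.

```python
import subprocess
from typing import List

# Constructed sample of "adb shell pm list packages -s" output (system packages).
# The package names are illustrative only.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.example.carrier.weather
package:com.example.oem.news
package:com.android.vending
"""

# Core components that must never be removed for user 0; losing them can leave
# the device without a working UI. Extend this list for your device.
NEVER_DISABLE = {"com.android.settings", "com.android.systemui", "com.android.phone"}


def parse_pm_list(text: str) -> List[str]:
    """Turn 'package:<name>' lines printed by pm into a list of package names."""
    names = []
    for line in text.splitlines():
        if line.startswith("package:"):
            names.append(line.split(":", 1)[1].strip())
    return names


def plan_commands(installed: List[str], wanted: List[str], restore: bool = False) -> List[List[str]]:
    """Build one adb command per package that is installed, wanted, and not protected.

    restore=False: "pm uninstall -k --user 0 <pkg>" (the page's command; -k keeps data).
    restore=True:  "cmd package install-existing <pkg>" (assumed available; reinstalls
                   the system package for the user without root)."""
    cmds = []
    for pkg in wanted:
        if pkg not in installed or pkg in NEVER_DISABLE:
            continue
        if restore:
            cmds.append(["adb", "shell", "cmd", "package", "install-existing", pkg])
        else:
            cmds.append(["adb", "shell", "pm", "uninstall", "-k", "--user", "0", pkg])
    return cmds


def run(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Print the planned commands; execute them only when dry_run is False."""
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # On a real device: subprocess.check_output(["adb", "shell", "pm", "list", "packages", "-s"], text=True)
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    bloat = ["com.example.carrier.weather", "com.example.oem.news", "com.android.settings"]
    run(plan_commands(installed, bloat), dry_run=True)
    run(plan_commands(installed, bloat, restore=True), dry_run=True)
```

Run it once in dry-run mode, read the printed commands, then flip dry_run to False. Keep the list of packages you removed: after a factory reset they are all back, and the restore command is the only way to undo a mistake short of a reset.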

Free VPN apps on Android–many apps leak your identity, ask for questionable permissions, or track you:

top10vpn.com/free-vpn-android-

– tested: 150 free VPN apps with over 260M installs from Google Play Store
– 25% fail to protect user privacy due to DNS and other leaks
– 85% feature excessive permissions or functions with potential for privacy abuses

As recommended by Steve Gibson in SN 698 "Which Mobile VPN Client?":

Use OpenVPN, if possible.

Mastodon 2.7.0 :mastodon: introduced an opt-in directory per instance, making it easier to find interesting profiles on the instance:

mastodon.at/explore

To join, go to "settings" → "edit profile" and check "List this account on the directory".

Help others to find interesting profiles.

Cryptographic failures in 7-Zip:

threadreaderapp.com/thread/108

– half of the initialization vector consists of zero bytes, and the "RandomGenerator" is seeded only from the process ID and time(NULL)
– according to the author, the problem is "Open-source 'many eyes have looked at it for years so it must be secure' crypto code"
– bug report: sourceforge.net/p/sevenzip/bug
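Why a seed made of the process ID and the current time is a problem, as an added example that is not 7-Zip's code and not from the thread above: the toy generator below only reproduces the size of such a seed space (PIDs are small integers, and the creation time of an archive is usually known to within minutes from file timestamps), so the value it feeds into the IV can be recovered by enumeration. The hashing and the IV layout are assumptions made for the illustration; the point is the entropy count, not the exact construction.

```python
import hashlib
import math
import struct

PID_MAX = 32768  # Linux default pid_max; PIDs on other platforms are similarly small


def toy_seed(pid: int, t: int) -> bytes:
    """Stand-in for a generator seeded only from the process ID and time(NULL).
    Not 7-Zip's code: it only reproduces the size of that seed space."""
    return hashlib.sha256(struct.pack("<II", pid, t)).digest()


def build_iv(pid: int, t: int) -> bytes:
    """16-byte IV of which only the first 8 bytes come from the generator; the
    remaining 8 are zero, mirroring the "half of the IV is zeros" finding."""
    return toy_seed(pid, t)[:8] + bytes(8)


def seed_entropy_bits(window_seconds: int) -> float:
    """Bits of seed entropy when the attacker knows the creation time to within
    +/- window_seconds. With a one-hour window this is under 27 bits."""
    return math.log2(PID_MAX * (2 * window_seconds + 1))


def recover_seed(iv: bytes, t_guess: int, window_seconds: int):
    """Brute-force (pid, time) from the IV, which sits in clear in the archive
    header, given an estimate of the creation time (e.g. from file timestamps).
    Returns the (pid, time) pair or None if nothing in the window matches."""
    observed = iv[:8]
    for t in range(t_guess - window_seconds, t_guess + window_seconds + 1):
        for pid in range(1, PID_MAX):
            if toy_seed(pid, t)[:8] == observed:
                return pid, t
    return None


if __name__ == "__main__":
    pid, created = 4242, 1549000000  # constructed victim values
    iv = build_iv(pid, created)
    print("IV in archive header:", iv.hex())
    print("seed entropy, creation time known to the hour: %.1f bits" % seed_entropy_bits(1800))
    print("recovered (pid, time):", recover_seed(iv, created + 7, 30))
```

The recovery loop does about 2^21 hashes for a one-minute window and finishes in seconds in plain Python; a proper generator draws its seed from the operating system CSPRNG, where no such enumeration exists. Half of the IV being constant independently halves the number of distinct IVs, which matters for CBC-mode archives sharing a key.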

Security vulnerability in apt (Advanced Package Tool) affects Debian, Ubuntu, and other apt-based Linux derivatives:

debian.org/security/2019/dsa-4
usn.ubuntu.com/3863-1/
usn.ubuntu.com/3863-2/

– an attacker positioned as a man-in-the-middle between apt and a mirror could inject malicious content into the HTTP connection and have it accepted as a package
– fixed in apt 1.4.9 for Debian stretch; see the Ubuntu notices above for the fixed Ubuntu versions

Avast PC Trends Report 2019—55% of all programs worldwide are out-of-date:

cdn2.hubspot.net/hubfs/486579/ (PDF file)

– the most frequently out-of-date programs include VLC Media Player, Skype, JRE 6–10, 7-Zip, Foxit Reader, IrfanView, Mozilla Firefox, and Mozilla Thunderbird
– Windows 7 remains the most used OS (43%), and 15% of Windows 7 systems are out of date
– the average PC is 6 years old; 63% of PCs are laptops

Parrot OS 4.5 released:

parrotsec.org/blog/parrot-4-5-

– Parrot is now 64-bit only
– new Docker templates introduced
– based on Linux 4.19
– contains Metasploit 5.0

Genode—toolkit for building highly secure special-purpose operating systems:

genode.org/

– scales from embedded systems to highly dynamic general-purpose workloads
– each program runs in a dedicated sandbox and gets granted only those access rights and resources that are needed for its specific purpose
