Items tagged with: security


 
Firefox 67.0 :firefox: available:

https://www.mozilla.org/en-US/firefox/67.0/releasenotes/

– Content Blocking can block fingerprinting and cryptominers now
– extensions can be excluded from private tabs
– FIDO U2F API is now enabled

#firefox #mozilla #firefox67 #u2f #infosec #security #cybersecurity


 
Security researcher discloses leaky database issue to company without a public security point of contact by using leaking data from the same database.
#security #fail #win


 
Personal bookmark: https://www.sqreen.com/checklists/php-security-checklist.html

I doubt I can apply it in its entirety to #Friendica without major rewrites, but I'll try my best!

#php #webdev #security


 
Qualys SSL Labs adds 4 new tests for vulnerabilities, and considers cipher suites using CBC "weak":

https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities

– as an admin, you should disable all CBC cipher suites for several reasons (use GCM for block ciphers)
– SSL Labs tests for POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE now
– servers affected by the vulnerabilities are downgraded to F

#ssllabs #infosec #security #serversecurity #qualys


 
Follow-up on tool that extracts GPG secret keys of Nitrokey Start tokens:

https://github.com/Nitrokey/nitrokey-start-firmware/issues/14

https://github.com/Nitrokey/nitrokey-start-firmware/issues/15

– obviously, the Nitrokey Start wasn't protected
– owners should update their firmware to release RTM.7 or above

Original toot: https://mastodon.at/@infosechandbook/102016334111560440

#gpg #nitrokey #infosec #cybersecurity #security


 
Protip: systemctl disable only stops a service from launching at boot time. If you want to make sure a service cannot be started at all, what you want is systemctl mask.

e.g., if the (insecure) rsync daemon could be running at the moment, these three should have you covered:

sudo systemctl stop rsync
sudo systemctl disable rsync
sudo systemctl mask rsync

(PS. Yeah, you really shouldn’t be running the rsync daemon. And you don’t need it to use rsync over ssh.)

#systemd #rsync #security


 
The Swiss NGO "Digitale Gesellschaft" offers two DNS resolvers with support for DNS-over-TLS/HTTPS:

DoT: dns.digitale-gesellschaft.ch:853
DoH: https://dns.digitale-gesellschaft.ch/dns-query

There is also a configuration guide for hosting your own resolver:

https://github.com/DigitaleGesellschaft/DNS-Resolver

We discuss client-side DNS security in our Home network security series:

https://infosec-handbook.eu/blog/hns5-dns-configuration/

#dns #dnssec #dot #doh #infosec #security


 
Just popped up on my XPS 13 updates:

“This update integrates the BIOSConnect feature into Dell SupportAssist OS Recovery. This feature connects the system to the Dell image server to download and recover the operating system.”

Umm… how about no, Dell, do not connect my BIOS to the Internet thank you very much.

Wtf is wrong with these people? *smh*

#security #privacy


 

#Tox is working really fine!

The Tox Project

**https://tox.chat/index.html**


Tox began a few years ago, in the wake of Edward Snowden's leaks regarding NSA spying activity. The idea was to create an instant messaging application that ran without requiring the use of central servers. The system would be distributed, peer-to-peer, and end-to-end encrypted, with no way to disable any of the encryption features; at the same time, the application would be easily usable by the layperson with no practical knowledge of cryptography or distributed systems. During the Summer of 2013 a small group of developers from all around the globe formed and began working on a library implementing the Tox protocol. The library provides all of the messaging and encryption facilities, and is completely decoupled from any user-interface; for an end-user to make use of Tox, they need a Tox client. Fast-forward a few years to today, and there exist several independent Tox client projects, and the original Tox core library implementation continues to improve. Tox (both core library and clients) has thousands of users, hundreds of contributors, and the project shows no sign of slowing down.

Tox is a FOSS (Free and Open Source) project. All Tox code is open source and all development occurs in the open. Tox is developed by volunteer developers who spend their free time on it, believing in the idea of the project. Tox is not a company or any other legal organization. Currently we don't accept donations as a project, but you are welcome to reach out to developers individually.
#qTox #TRIfA #f-droid #fdroid #foss #floss #privacy #freesoftware #favs #recommendations #im #videocall #call #whatsapp #security #jami #federated #decentralized #snowden #nsa #instantmessaging #apps #p2p #peer-to-peer #e2e #end-to-end #encrypted #encryption #cryptography #crypto


 
 
A Fresh Approach to #Cybersecurity, Part 1

"Cybersecurity is not the ability to throw a piece of technology on your networks, but how to approach each facet of the cybersecurity triangle and implement the most effective version."

http://www.idenhaus.com/a-fresh-approach-to-cybersecurity-part-1/

#infosec #security #cybersecurite


 
We have developed a new, unique two-factor #2FA #authentication method: "yes it is really me". Learn more on the blog of our #security expert.
https://rullzer.com/2019/04/01/secure-and-easy-2fa-in-nextcloud/


 
Copying here:

> Attention #Riot Web Admins! We reset Scalar tokens to address a potential #security vuln. with some clients - if you run your own Riot instance please upgrade to at least v1.0.4 to keep using integrations (widgets, sticker picker, any bots and bridges configured through Scalar).

And same goes if you use #Dimension integration manager.

#Matrix


 
Putting your phone number in online services is very risky, especially as it is often used to verify accounts AND can be spoofed quite well with sim jacking on the rise!

Be careful.

#security #privacy #selfhosting
https://www.wired.co.uk/article/change-your-phone-number-online-privacy


 
2019 and some new shiny startups still send passwords by email when you ask to reset them. Do they think email is a secure way of communication? #security


 
#Microsoft software is designed for back doors, not for #security, and that still shows. https://fossbytes.com/microsoft-office-most-exploited-software-by-cybercriminals/ see http://techrights.org/wiki/index.php/Microsoft_and_the_NSA
Microsoft Office Is The Most Exploited Software By Cybercriminals


 
 
Which projects for scanning #WordPress & #drupal vulnerabilities are easy to use, and which do you recommend? I already found and tested wpscan in Docker: github.com/wpscanteam/wpscan. Any #KaliLinux tools I can install and use on Ubuntu? #security
A blog post will be written in a few days / weeks to share my experience & recommendations as a result. Thanks for sharing & helping.


 
Google Play–more than 200 apps contain "SimBad" adware, downloaded more than 150 million times:

https://techcrunch.com/2019/03/13/new-android-adware-google-play/

– the malware masquerades as an ad-serving platform
– SimBad is mostly contained in free games
– list of infected apps: https://assets.documentcloud.org/documents/5766854/SimBad-AppList-Package.txt

#simbad #malware #adware #android #google #googleplay #infosec #cybersecurity #security


 
WordPress 5.1–critical exploit chain that enables an unauthenticated attacker to gain remote code execution on any WordPress installation:

https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

– exploit is possible due to a CSRF vulnerability in comment forms
– fixed in WordPress 5.1.1

#wordpress #rce #csrf #wordpress5 #infosec #cybersecurity #security


 
#Fediverse: I created `Cloud Firewall` addon. Block connections to big 5 tech clouds based on IP address ranges they own. If a site/page/resource IP matches a bundled list of IP address ranges, it's blocked

It's not a hosts/filterlist type "ad tracker blocker".

It's "firewall" - looks at IP address of URL bar and 1p/3p resources.

https://gitlab.com/gkrishnaks/cloud-firewall/blob/master/README.md

Also listed on #HumaneTech Awesome list. #CloudFirewall #SurveillanceCapitalism #Cloud #Privacy #Security #Decentralization

Pics:🖥 📱


 
Hello masto 🙋‍♂️ :mastodon:

Some joker tried to log into my blog during the night 🧐😤
I don't see what it could get him... Hoping he doesn't try again 🤬👊

#blog #wordpress #iThemes #security


 
Proud to have won #Nextcloud goodies. In June, when my baby daughter arrives, the whole family will want to see & share her photos. And #nextcloud will make that possible with #privacy and #security. Thanks #nextcloud and its community!


 
How to secure your passwords on all your devices

Take back control of your passwords by abandoning the managers built into web browsers and migrating all your credentials into a secure third-party manager, synchronized across all your devices.

https://www.01net.com/astuces/comment-securiser-vos-mots-de-passe-sur-tous-vos-appareils-1630888.html

#motdepasse #password #bitwarden #securite #security #infosec


 
How long should my #password be? - ProtonMail Blog

A strong password doesn’t have to be 30 characters long. But if you’re using an eight-character password, you have a good chance of being hacked. This article will help you understand how long your password should be. For decades, information #security experts have tried to get people to create stronger passwords by requiring a minimum …

https://protonmail.com/blog/how-long-should-my-password-be/

#infosec #securite #motdepasse


 
Just saw on a statement that last year I received a "Low Income Contribution" by the government to my super fund. Feels like they took a look at me and went "Good try champ! Here's $200, don't tell your mum."

Not that I'm gonna say no ...

#finance #retirement #security


 
Do you set up a Turris Omnia or another OpenWrt-based router?

Check out our Home network security series:

https://infosec-handbook.eu/categories/home-network-security/

We cover first steps with Turris Omnia, HTTPS and TLS hardening, SMB/Nextcloud on the Omnia, Omnia as an ad blocker, and client-side DNS security features. There's more to come.

Ideas and feedback are welcome.

#homenetwork #turris #omnia #openwrt #networksecurity #security #cybersecurity #infosec #dns #nextcloud #adblocking


 
DNS flag day–changes affecting Extension mechanisms for DNS (EDNS):

https://dnsflagday.net/

– on or around Feb 1st, 2019, major open source resolver vendors will release updates that implement stricter EDNS handling, and public DNS providers will disable workarounds
– as a DNS server admin, check your EDNS compliance
– see also: https://www.isc.org/blogs/dns-flag-day/

#dns #security #infosec #cybersecurity #dnsflagday #edns #compliance




 
Collection #1: a gigantic file reveals more than 700 million accounts and passwords

Security researcher Troy Hunt reported the existence of a huge file gathering no fewer than 772,904,991 unique email addresses and 21 million passwords.

https://www.blogdumoderateur.com/gigantesque-fichier-revele-comptes/

#infosec #hack #Security #motdepasse #password


 
https://twitter.com/TheHackersNews/status/1083283501061980160
“Google Public DNS Service (8.8.8.8) Now Supports DNS-over-TLS #Security Feature […] It not just helps in hiding your web-browsing history from ISPs and eavesdroppers, but also prevents DNS spoofing attacks.”

Am I the only paranoid guy who thinks that if I'm asking Google for a domain name, I'm effectively telling Google I'm accessing said domain?

ping @aral


 
Tip #7: We all have a lot of passwords, and it’s tough to remember long strings of random characters. Try a #password manager. It’s secure & hassle free. A few better ones out there: bitwarden.com or lesspass.com #PrivacyMonth #privacy #security #Advocate4Privacy #mozilla


 
We will be attending #CES from January 7th to 11th! Come meet us and learn more about Jami at booth #29 of the Canadian delegation, Tech East, Westgate 1021. #Privacy #Innovation #communications #app #tech #technology #TechNews #CES2019 #security


 
35C3: Introducing OTR (Off-the-Record) version 4

https://github.com/otrv4/otrv4/blob/master/otrv4.md

– improved deniability properties by the use of a deniable authenticated key exchange (DAKE)
– improved forward secrecy through the use of double ratcheting
– works on top of an existing messaging protocol, such as XMPP

#otr #otrv4 #35c3 #xmpp #encryption #infosec #security #cybersecurity #dake #pfs


 
Nearly 19,500 Orange LiveBox ADSL modems are leaking WiFi credentials:

https://www.zdnet.com/article/over-19000-orange-modems-are-leaking-wifi-credentials/

– vulnerability (CVE-2018-20377) allows a remote attacker to obtain the WiFi password and SSID for the modem's internal WiFi network just by accessing the modem's get_getnetworkconf.cgi
– nearly all modems are located in France and Spain
– see also https://github.com/zadewg/LIVEBOX-0DAY

#modem #adsl #orange #livebox #vulnerability #infosec #cybersecurity #security


 
Google should look into what Firefox has been doing for a few years now: making the subdomains visually less significant. The average user can focus on the actual domain while not hiding essential parts of the URL using buggy regexps #security #UX #uxdesign https://t.co/3NGRgxytzj