Jonkman Microblog
Notices by infosec-handbook.eu (infosechandbook@mastodon.at)

  1. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 03-Sep-2019 13:24:53 EDT

    Firefox 69.0 available:

    https://www.mozilla.org/en-US/firefox/69.0/releasenotes/

    – Enhanced Tracking Protection will be turned on by default; default standard setting for this feature now blocks third-party tracking cookies and cryptominers
    – support for the Web Authentication HmacSecret extension via Windows Hello
    – various security fixes

    #firefox #mozilla #firefox69 #tracking #etp #webauthn #infosec #security #cybersecurity

    In conversation Tuesday, 03-Sep-2019 13:24:53 EDT from mastodon.at permalink
  2. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Saturday, 20-Jul-2019 03:27:43 EDT

    Password survey – most people still reuse their passwords for different accounts:

    https://www.security.org/resources/online-password-strategies/

    – 72% use the same password for different accounts
    – 68% tweak a formerly-used password to use it as a "new" one
    – only 27% use a password management app

    See also our comprehensive article on modern credential management: https://infosec-handbook.eu/blog/modern-credential-management/

    #password #security #survey #infosec #authentication

    In conversation Saturday, 20-Jul-2019 03:27:43 EDT from mastodon.at permalink
  3. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Thursday, 18-Jul-2019 23:42:57 EDT

    Reports about some ISPs of Kazakhstan forcing people to install root certificates, resulting in MITM attacks:

    https://bugzilla.mozilla.org/show_bug.cgi?id=1567114

    https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wnuKAhACo3E/cpsvHgcuDwAJ

    – people get SMS informing them about the need to install government-issued root certificates

    #mozilla #kazakhstan #mitm #root #certificate #security #infosec #cybersecurity

    In conversation Thursday, 18-Jul-2019 23:42:57 EDT from mastodon.at permalink
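    A defender-side check that goes with the post above: an added example (not code from the account or from Mozilla) that compares the roots a host trusts against a baseline recorded from a clean install and flags both unknown roots and roots issued after a cutoff date. It uses the dict format returned by ssl.SSLContext.get_ca_certs(); the sample data, the "Example Government Root CA" entry and the baseline set are constructed for the example.

```python
import ssl
from typing import Iterable, List, Set


def subject_cn(cert: dict) -> str:
    """Return the commonName of a certificate dict in the format produced by
    ssl.SSLContext.get_ca_certs(); fall back to organizationName."""
    for wanted in ("commonName", "organizationName"):
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == wanted:
                    return value
    return "<unknown>"


def issued_since(cert: dict, cutoff: str) -> bool:
    """True if the certificate's notBefore date is at or after the cutoff.
    Both use OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' notation."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= ssl.cert_time_to_seconds(cutoff)


def find_unexpected_roots(trusted: Iterable[dict], baseline: Set[str]) -> List[str]:
    """Names of trusted roots that are not in the baseline allow-list."""
    return sorted({subject_cn(c) for c in trusted if subject_cn(c) not in baseline})


def find_recent_roots(trusted: Iterable[dict], cutoff: str) -> List[str]:
    """Names of trusted roots whose validity started at or after the cutoff;
    a freshly installed root shows up here even if the baseline is stale."""
    return sorted(subject_cn(c) for c in trusted if issued_since(c, cutoff))


def load_system_roots() -> List[dict]:
    """Roots the Python ssl module trusts on this host (system store or bundle)."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample data mimicking get_ca_certs() output. The second entry is a
# hypothetical, locally installed root of the kind the post describes.
_ISRG_NAME = (
    (("countryName", "US"),),
    (("organizationName", "Internet Security Research Group"),),
    (("commonName", "ISRG Root X1"),),
)
_EXAMPLE_NAME = (
    (("countryName", "KZ"),),
    (("commonName", "Example Government Root CA"),),
)
SAMPLE_TRUSTED = [
    {
        "subject": _ISRG_NAME,
        "issuer": _ISRG_NAME,
        "notBefore": "Jun  4 11:04:38 2015 GMT",
        "notAfter": "Jun  4 11:04:38 2035 GMT",
    },
    {
        "subject": _EXAMPLE_NAME,
        "issuer": _EXAMPLE_NAME,
        "notBefore": "Jul 10 00:00:00 2019 GMT",
        "notAfter": "Jul 10 00:00:00 2029 GMT",
    },
]
# Baseline recorded from a clean install (constructed; only one root here).
BASELINE = {"ISRG Root X1"}

if __name__ == "__main__":
    # On a real host replace SAMPLE_TRUSTED with load_system_roots() and
    # BASELINE with the names you recorded before any local changes.
    print("not in baseline:", find_unexpected_roots(SAMPLE_TRUSTED, BASELINE))
    print("issued in 2019 or later:", find_recent_roots(SAMPLE_TRUSTED, "Jan 01 00:00:00 2019 GMT"))
```

    The ssl module only sees the store OpenSSL uses; browsers such as Firefox keep their own trust database, so the same comparison has to be run against that store separately.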
  4. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 12-Jul-2019 13:36:32 EDT
    in reply to Sp3r4z

    @Sp3r4z

    The purpose is to show that logically decentralized networks are actually physically centralized. Your data shows the same, as the top 7 providers on your list host nearly 50% of the 3,345 servers.

    In conversation Friday, 12-Jul-2019 13:36:32 EDT from mastodon.at permalink
  5. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 12-Jul-2019 13:20:19 EDT

    Physical (de)centralization of Mastodon servers – after our XMPP scan, we took 1000+ random Mastodon servers and looked at their hosters:

    https://gist.github.com/infosec-handbook/0cdb8da86cfe63be657fcf44bde291d1

    – about 50% of these servers are hosted by only 5 companies in 4 countries
    – 26% of servers are hosted in Japan, followed by the USA (24%) and France (23%)

    #mastodon #decentralization #centralization #statistics

    In conversation Friday, 12-Jul-2019 13:20:19 EDT from mastodon.at permalink
  6. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Sunday, 07-Jul-2019 08:59:46 EDT

    Notes on privacy and data collection of Matrix.org:

    https://gist.github.com/maxidorius/5736fd09c9194b7a6dc03b6b8d7220d0

    "matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot […]"

    #matrix #messaging #riot #security #privacy

    In conversation Sunday, 07-Jul-2019 08:59:46 EDT from mastodon.at permalink
  7. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Saturday, 29-Jun-2019 13:09:50 EDT

    GnuPG — "SKS Keyserver Network Under Attack":

    https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

    "If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation."

    "High-risk users should stop using the keyserver network immediately."

    #gnupg #gpg #keyserver #infosec #security #cybersecurity

    In conversation Saturday, 29-Jun-2019 13:09:50 EDT from mastodon.at permalink
  8. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Monday, 03-Jun-2019 23:53:49 EDT

    European GDPR – we published several articles about it:

    – GDPR myths: https://infosec-handbook.eu/blog/gdpr-myths/
    – How to identify incomplete privacy policies: https://infosec-handbook.eu/blog/guide-privacy-policy/
    – 20 random privacy policies evaluated: https://infosec-handbook.eu/blog/one-year-gdpr/
    – How to log GDPR-friendly: https://infosec-handbook.eu/blog/wss6-logging-monitoring/

    #gdpr #privacy #rights #dataprotection #logging

    In conversation Monday, 03-Jun-2019 23:53:49 EDT from mastodon.at permalink
  9. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 31-May-2019 03:05:11 EDT

    Regarding recent discussions about ad blocking in web browsers:

    Tech-savvy people can use network-level ad blocking like "adblock" for OpenWrt/Turris Omnia, or the dedicated Pi-hole project.

    Centralized network-level ad blocking is easier to manage and independent from web browsers or any other app that uses the internet.

    https://pi-hole.net/
    https://infosec-handbook.eu/blog/hns4-adblocking/

    #adblocking #turrisomnia #openwrt #pihole #turris #tip

    In conversation Friday, 31-May-2019 03:05:11 EDT from mastodon.at permalink
  10. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Wednesday, 22-May-2019 14:05:56 EDT

    SensorID – tracking smartphones by misusing their sensor data:

    https://sensorid.cl.cam.ac.uk/

    – iOS before 12.2 and some Android devices leak unique fingerprints via all common web browsers
    – iOS 12.2 or higher adds random noise to prevent fingerprinting (CVE-2019-8541)
    – Google Pixel 2 and 3 (and maybe more Android devices) are vulnerable and offer no fixes, according to the paper
    – users should disable JavaScript, if possible

    #android #ios #sensorid #fingerprinting #tracking #privacy

    In conversation Wednesday, 22-May-2019 14:05:56 EDT from mastodon.at permalink
  11. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 21-May-2019 23:57:13 EDT

    Kali Linux 2019.2 and Kali NetHunter 2019.2 available:

    https://www.kali.org/news/kali-linux-2019-2-release/

    – based on Linux kernel 4.19.28
    – packages updated
    – bug fixes

    #pentest #kali #linux #kalilinux #infosec #cybersecurity #security #kalinethunter

    In conversation Tuesday, 21-May-2019 23:57:13 EDT from mastodon.at permalink
  12. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Monday, 06-May-2019 00:22:21 EDT

    Mozilla Firefox 66.0.4 fixes certificate chain to re-enable web extensions:

    https://www.mozilla.org/en-US/firefox/66.0.4/releasenotes/

    – expired certificates resulted in disabled web extensions in Firefox and FF-based browsers like Tor Browser
    – while some "security" experts recommended temporarily disabling signature checking, we recommend never doing so

    #mozilla #firefox #broken #certificate #extensions #authenticity

    In conversation Monday, 06-May-2019 00:22:21 EDT from mastodon.at permalink
  13. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Wednesday, 01-May-2019 23:54:33 EDT

    Did you know?
    You can directly search for hashtagged Mastodon/Fediverse posts.

    For instance, the following link shows all of our posts about the Tor Browser:

    https://mastodon.at/@infosechandbook/tagged/torbrowser

    The following link shows all of our posts about vulnerabilities:

    https://mastodon.at/@infosechandbook/tagged/vulnerability

    Just replace the last part of the link ([hashtag]):

    https://mastodon.at/@infosechandbook/tagged/[hashtag]

    #infosechandbook #infosec #cybersecurity #security #blog #itsecurity #hashtag #mastodon #tip

    In conversation Wednesday, 01-May-2019 23:54:33 EDT from mastodon.at permalink
  14. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 30-Apr-2019 13:41:25 EDT
    in reply to lnxw48a1

    @lnxw48a1

    We published two articles about them:

    https://infosec-handbook.eu/blog/yubikey4c-nitrokeypro/

    https://infosec-handbook.eu/blog/yubico-security-key-nitrokey-u2f/

    In conversation Tuesday, 30-Apr-2019 13:41:25 EDT from mastodon.at permalink
  15. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Monday, 29-Apr-2019 11:55:35 EDT

    "Where do I find good InfoSec resources? I want to extend my knowledge!"

    – basics: Start with some good InfoSec books. We list several books on https://infosec-handbook.eu/recommendations/#hn. Books are about basics that you must understand.
    – in depth: Read in-depth books, watch videos, use virtual machines to delve into specific InfoSec topics like TLS configuration, or network monitoring.
    – stay up-to-date: Read blogs, news sites, and websites like https://security.stackexchange.com/ to stay up-to-date.
    – share your tips 😉

    In conversation Monday, 29-Apr-2019 11:55:35 EDT from mastodon.at permalink

  16. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Saturday, 27-Apr-2019 02:43:52 EDT

    2+ million IoT devices vulnerable to man-in-the-middle attacks, allowing attackers to steal passwords:

    https://hacked.camera/

    – the website contains a list, so you can check if your devices are vulnerable
    – CVE-2019-11219, CVE-2019-11220
    – mitigation: dispose of your vulnerable devices, or block OUTBOUND traffic to 32100/udp

    #iot #vulnerability #cve201911219 #cve201911220 #infosec #mitm #cybersecurity #security

    In conversation Saturday, 27-Apr-2019 02:43:52 EDT from mastodon.at permalink
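    Before blocking 32100/udp at the gateway it helps to know which devices on the LAN are actually talking to it. The following is an added example, not code from the account or from the hacked.camera project: it parses netfilter-style LOG lines (the format iptables/nftables LOG targets write to the kernel log) and lists every LAN host that sent outbound UDP to the port the post names, together with the remote addresses it contacted. The log lines, the LAN prefix 192.168.1.0/24 and the log prefixes FW-OUT/FW-IN are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Port named in the post as the one to block outbound.
P2P_PORT = 32100
# Assumed LAN prefix of the gateway running the log (constructed for the example).
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in netfilter LOG style; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
Apr 27 08:01:12 gw kernel: FW-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=UDP SPT=41234 DPT=32100 LEN=64
Apr 27 08:01:13 gw kernel: FW-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=UDP SPT=41235 DPT=53 LEN=60
Apr 27 08:01:15 gw kernel: FW-OUT IN=br-lan OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=UDP SPT=5566 DPT=32100 LEN=64
Apr 27 08:01:16 gw kernel: FW-OUT IN=br-lan OUT=eth0 SRC=192.168.1.40 DST=198.51.100.8 PROTO=TCP SPT=5567 DPT=32100 LEN=52
Apr 27 08:01:17 gw kernel: FW-IN IN=eth0 OUT=br-lan SRC=203.0.113.5 DST=192.168.1.23 PROTO=UDP SPT=32100 DPT=41234 LEN=64
Apr 27 08:01:18 gw kernel: FW-OUT IN=br-lan OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=UDP SPT=41234 DPT=32100 LEN=64
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_netfilter_line(line: str) -> Optional[dict]:
    """Extract SRC, DST, PROTO and DPT from a netfilter LOG line.
    Returns None for lines that lack any of the fields or carry bad values."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"].upper(),
            "dport": int(fields["DPT"]),
        }
    except ValueError:
        return None


def is_outbound(rec: dict, lan: ipaddress.IPv4Network = LAN) -> bool:
    """Outbound means: source inside the LAN prefix, destination outside it."""
    return rec["src"] in lan and rec["dst"] not in lan


def find_p2p_talkers(lines: Iterable[str], port: int = P2P_PORT) -> Dict[str, Set[str]]:
    """Map each LAN host that sent outbound UDP to `port` to the set of
    remote addresses it contacted. Non-UDP traffic, other ports, inbound
    packets and unparsable lines are ignored."""
    talkers: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != port:
            continue
        if not is_outbound(rec):
            continue
        talkers[str(rec["src"])].add(str(rec["dst"]))
    return dict(talkers)


if __name__ == "__main__":
    for host, remotes in sorted(find_p2p_talkers(SAMPLE_LOG.splitlines()).items()):
        print(f"{host} -> {', '.join(sorted(remotes))}")
```

    Feed it the gateway's kernel log (for example the output of `journalctl -k`) instead of SAMPLE_LOG; any host it lists is a candidate for the check against the device list on hacked.camera, and the blocking rule can then be confirmed by rerunning the script and seeing the host disappear.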
  17. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 26-Apr-2019 10:01:59 EDT

    "WooCommerce Checkout Manager" plugin for WooCommerce (WordPress), used by 60,000+ websites, vulnerable to arbitrary file uploads:

    https://thehackernews.com/2019/04/wordpress-woocommerce-security.html

    – the latest version of WooCommerce Checkout Manager (4.2.6) is still vulnerable to this
    – there is no patch available
    – mitigation: disable the "Categorize Uploaded Files" option in the settings, or disable the plugin completely

    #woocommerce #wordpress #vulnerability #0day #zeroday #infosec #cybersecurity #security

    In conversation Friday, 26-Apr-2019 10:01:59 EDT from mastodon.at permalink
  18. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 23-Apr-2019 23:59:32 EDT

    Popular WordPress plugin "Social Warfare" actively exploited:

    https://thehackernews.com/2019/04/wordpress-plugin-hacking.html

    – last month, Social Warfare 3.5.3 was released, containing fixes for 2 security vulnerabilities (XSS, RCE)
    – 37,000 WP websites out of 42,000 active sites use the outdated, vulnerable version
    – update to Social Warfare 3.5.3

    #wordpress #plugin #vulnerability #socialwarfare #infosec #security #cybersecurity

    In conversation Tuesday, 23-Apr-2019 23:59:32 EDT from mastodon.at permalink
  19. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Monday, 22-Apr-2019 11:38:41 EDT

    "Can I use my U2F security token for sudo instead of entering passwords?": Yes, you can.

    We just updated our 2018 article about using a Yubico Security Key for local 2FA via PAM:

    https://infosec-handbook.eu/blog/yubikey-2fa-pam/

    – besides YubiKeys, you can also use Nitrokeys, or SoloKeys
    – there are many more scenarios for U2F/WebAuthn
    – post your own scenarios to help others

    #u2f #webauthn #infosec #cybersecurity #security #yubikey #nitrokey #solokey #gdm #sudo

    In conversation Monday, 22-Apr-2019 11:38:41 EDT from mastodon.at permalink
  20. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Monday, 22-Apr-2019 03:19:51 EDT

    Steve Gibson on HTML pings:

    "Imperva research has uncovered a DDoS attack […] to perform distributed denial of services attacks […]. In one attack, which peaked at 7500 requests per second, a total of 70 million requests were generated from approximately 4,000 IP address over the course of 4 hours."

    See: https://grc.com/sn/SN-710-Notes.pdf

    So, HTML pings (which have existed for many years) are not only bad for privacy but also for security.

    #html5 #ping #tracking #security #stevegibson #securitynow

    In conversation Monday, 22-Apr-2019 03:19:51 EDT from mastodon.at permalink
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.
