Notices by infosec-handbook.eu (infosechandbook@mastodon.at), page 2

  1. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Sunday, 21-Apr-2019 00:32:56 EDT

    HTML5 ping tracking – Firefox :firefox: will enable it by default:

    https://www.bleepingcomputer.com/news/software/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default/

    – HTML5 ping attributes can be used to track people if they click a link (<a href=… ping=…>) by sending POST requests to an arbitrary number of hosts
    – tracking is possible without any JavaScript or cookies
    – Steve Gibson talked about it in Security Now 709: https://mastodon.at/@infosechandbook/101899819296611698
    – ping is enabled in Chrome, Opera, Edge, Safari by default

    #html5 #ping #tracking #firefox #mozilla

    In conversation Sunday, 21-Apr-2019 00:32:56 EDT from mastodon.at permalink

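    The post above describes the mechanism only in one sentence. The following is an added example, not code from the post or from the linked article: a small audit helper that scans raw HTML for anchors carrying a `ping` attribute and reports which hosts would receive a POST when the link is clicked. The HTML spec defines `ping` as a whitespace-separated list of URLs, which is why the value is split and each entry resolved against the page URL. The regex-based parsing, the function names and the sample markup are assumptions made here for illustration; a browser extension would walk the real DOM instead.

```javascript
// Added example: report <a> elements whose "ping" attribute would cause
// POST requests to third-party hosts on click (HTML5 hyperlink auditing).
// Assumption: a regex scan of static markup is sufficient for this
// illustration; it is not a full HTML parser.

// Attribute regex: name, then an optional ="value", ='value' or =bare value.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!(name in attrs)) attrs[name] = value; // first occurrence wins, as browsers do
  }
  return attrs;
}

function safeHost(url) {
  try { return new URL(url).host; } catch { return "(invalid)"; }
}

// Returns one record per anchor with a non-empty ping attribute.
// Relative ping targets are resolved against baseUrl so the report
// shows the absolute host that would be contacted.
function findPingLinks(html, baseUrl) {
  const results = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  for (const m of html.matchAll(anchorRe)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.ping || !attrs.ping.trim()) continue;
    const pingTargets = attrs.ping.trim().split(/\s+/).map((u) => {
      try { return new URL(u, baseUrl).href; } catch { return u; }
    });
    results.push({
      href: attrs.href ?? "",
      pingTargets,
      pingHosts: [...new Set(pingTargets.map(safeHost))],
    });
  }
  return results;
}

// Constructed sample page (hypothetical hosts, not taken from the post).
const SAMPLE_HTML = `
<html><body>
<a href="https://example.com/article">plain link</a>
<a href="/out/1" ping="https://tracker.example/p?x=1 /local/ping">tracked link</a>
<A HREF='https://news.example/' PING='https://ads.example/click'>another</A>
</body></html>`;

function auditSample() {
  return findPingLinks(SAMPLE_HTML, "https://site.example/");
}

for (const r of auditSample()) {
  console.log(`${r.href} -> pings ${r.pingHosts.join(", ")}`);
}
```

    Running the block lists two tracked links and the hosts they would notify; the plain link produces no output. A privacy tool would use the same logic to warn before the click, or a site owner to check that a template has not picked up third-party `ping` targets.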
  2. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Sunday, 14-Apr-2019 00:55:21 EDT

    Microsoft – compromised MS support agent account used to access e-mail accounts of customers:

    https://techcrunch.com/2019/04/13/microsoft-support-agent-email-hack/

    – Microsoft confirmed that "a limited number of people" had their accounts compromised
    – affected are @msn.com and @hotmail.com accounts; no enterprise customers are affected
    – the breach occurred between January 1 and March 28

    #microsoft #databreach #breach #dataleak #leak #infosec #cybersecurity #security

    In conversation Sunday, 14-Apr-2019 00:55:21 EDT from mastodon.at permalink
  3. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Thursday, 11-Apr-2019 23:46:01 EDT

    Matrix.org publishes timeline after security breach:

    https://matrix.org/blog/2019/04/11/security-incident/

    – the attacker exploited vulnerabilities in Jenkins
    – the attacker had full database access, including access to unencrypted content like private messages, password hashes, access tokens
    – Matrix.org recommends changing your password (including NickServ password)

    #matrix #breach #infosec #cybersecurity #security

    In conversation Thursday, 11-Apr-2019 23:46:01 EDT from mastodon.at permalink
  4. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Thursday, 04-Apr-2019 23:44:19 EDT

    Thousands of D-Link routers have been hacked to redirect their DNS traffic:

    https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/

    – nearly 15,000 D-Link routers are affected, mostly DSL-2640B
    – other affected manufacturers are TOTOLINK, and Secutech
    – hacked routers modify the DNS settings of connected devices to redirect victims to malicious websites

    #dlink #totolink #secutech #router #vulnerability #dsl2640b #infosec #cybersecurity #security #dns #dnschanger

    In conversation Thursday, 04-Apr-2019 23:44:19 EDT from mastodon.at permalink
  5. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 29-Mar-2019 00:52:32 EDT

    It seems that ASUS employees uploaded some of their passwords to GitHub:

    https://techcrunch.com/2019/03/27/asus-hacking-risk/

    If true, this may have led to the compromise of their update servers, now known as Operation ShadowHammer:

    https://mastodon.at/@infosechandbook/101815258103125982

    In conversation Friday, 29-Mar-2019 00:52:32 EDT from mastodon.at permalink
  6. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 29-Mar-2019 00:36:43 EDT

    Newly disclosed SQL injection in widespread e-commerce platform Magento:

    https://www.ambionics.io/blog/magento-sqli

    – according to the article, Magento 2.2.x/2.3.x is affected
    – attackers can read anything from the database, including password hashes
    – fixed in Magento 2.3.1 (along with many other vulnerabilities)
    – besides, Magento 2.2.8 and 2.1.17 were released

    #magento #ecommerce #cms #infosec #cybersecurity #security

    In conversation Friday, 29-Mar-2019 00:36:43 EDT from mastodon.at permalink
  7. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 26-Mar-2019 01:19:06 EDT

    Compromised ASUS update servers delivered signed malware to hundreds of thousands of customers in 2018:

    https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

    – it is a targeted attack since the malware is only active if your device has certain MAC addresses
    – most victims are in Russia, Germany, and France
    – technical details, and affected MAC addresses: https://securelist.com/operation-shadowhammer/89992/

    #asus #supplychain #attack #malware #update #security #infosec #cybersecurity #shadowhammer

    In conversation Tuesday, 26-Mar-2019 01:19:06 EDT from mastodon.at permalink
  8. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Friday, 22-Mar-2019 01:37:24 EDT

    Repos hosted on GitHub and similar platforms often leak crypto secrets and API keys:

    https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf (PDF file)

    – researchers scanned 13% of public GitHub repos
    – 100,000 repos contained secrets; thousands of new secrets are leaked every day
    – GitHub develops "token scanning" to help remove secrets, however, dedicated scanners like TruffleHog are ineffective according to the paper

    #github #gitlab #token #key #leak #infosec #cybersecurity #security #development #trufflehog

    In conversation Friday, 22-Mar-2019 01:37:24 EDT from mastodon.at permalink
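    The post above mentions secret scanners without showing what one does. The following is an added example, not the paper's code nor TruffleHog's: a minimal scanner of the kind a pre-commit hook would run, combining fixed patterns for well-known key formats with the Shannon-entropy heuristic that tools like TruffleHog popularised for opaque tokens. The rule set, the entropy threshold, the function names and the sample file content are assumptions chosen here for illustration; the `AKIA…EXAMPLE` value is the placeholder key id used in AWS documentation, not a live credential.

```javascript
// Added example: a minimal secret scanner (pattern rules + entropy heuristic)
// of the kind run in a pre-commit hook before code reaches a public repo.
// Assumptions: rules and threshold below are illustrative, not exhaustive.

// Fixed patterns for credential formats that are recognisable by shape.
const PATTERNS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
];

// Opaque tokens: long runs of base64/url-safe characters are candidates
// for the entropy check below.
const TOKEN_RE = /[A-Za-z0-9+\/=_\-]{20,}/g;
const ENTROPY_THRESHOLD = 4.5; // bits per character; assumed tuning value

// Shannon entropy in bits per character of the string.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan text line by line; return findings with 1-based line numbers.
function scanText(text, source = "<input>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { name, re } of PATTERNS) {
      if (re.test(line)) findings.push({ source, line: idx + 1, rule: name });
    }
    for (const m of line.matchAll(TOKEN_RE)) {
      const h = shannonEntropy(m[0]);
      if (h >= ENTROPY_THRESHOLD) {
        findings.push({ source, line: idx + 1, rule: "high-entropy", entropy: Number(h.toFixed(2)) });
      }
    }
  });
  return findings;
}

// Constructed sample file (not real credentials; the AKIA value is the
// AWS documentation example id).
const SAMPLE_FILE = [
  "# constructed sample config, not real credentials",
  "region = eu-central-1",
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  'api_token = "abcdefghijklmnopqrstuvwxyz012345"',
  "-----BEGIN RSA PRIVATE KEY-----",
  'greeting = "hello world"',
].join("\n");

function scanSample() {
  return scanText(SAMPLE_FILE, "config.example");
}

for (const f of scanSample()) {
  console.log(`${f.source}:${f.line} ${f.rule}${f.entropy ? ` (entropy ${f.entropy})` : ""}`);
}
```

    The sample yields three findings: the AWS key id on line 3 by pattern, the 32-character token on line 4 by entropy (every character distinct, so 5 bits per character), and the PEM header on line 5. The key id itself scores well below the threshold (about 3.7 bits), which is why shape-based rules and the entropy heuristic complement each other rather than replace one another.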
  9. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Wednesday, 13-Mar-2019 00:38:06 EDT

    Automatic Certificate Management Environment (ACME) is officially RFC 8555 now:

    https://tools.ietf.org/html/rfc8555

    "This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation."

    #acme #certificate #ca #letsencrypt #infosec #cybersecurity #security #https #rfc8555

    In conversation Wednesday, 13-Mar-2019 00:38:06 EDT from mastodon.at permalink
  10. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Thursday, 28-Feb-2019 23:51:33 EST

    Wireshark 3.0.0 available:

    https://www.wireshark.org/docs/relnotes/wireshark-3.0.0.html

    – supports about 40 new protocols
    – supports 4 new capture file formats

    #wireshark #pcap #pcapng #packetinspection #pentest #network #infosec #cybersecurity #security

    In conversation Thursday, 28-Feb-2019 23:51:33 EST from mastodon.at permalink
  11. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Saturday, 23-Feb-2019 01:34:59 EST

    Popular mobile apps send sensitive personal data to Facebook by using Facebook's SDK to collect this data:

    https://www.cnet.com/news/facebook-receives-personal-info-like-your-heart-rate-from-popular-apps/

    – at least 11 out of 70 popular apps are affected
    – sensitive data includes blood pressure, pregnancy status, menstrual cycles, heartbeat rates, viewed real estate postings etc.
    – some of these apps are "Instant Heart Rate", "Flo Period & Ovulation Tracker", "Realtor.com"
    – also affects users without Facebook accounts

    #facebook #privacy #pii #gdpr

    In conversation Saturday, 23-Feb-2019 01:34:59 EST from mastodon.at permalink
  12. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 19-Feb-2019 13:53:36 EST

    WordPress vulnerabilities – path traversal + local file inclusion = remote code execution:

    https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

    – the vulnerability was there for 6 years
    – fixed in WordPress 4.9.9 and 5.0.1, however, path traversal is still possible under certain circumstances

    #wordpress #vulnerability #cms #infosec #security #cybersecurity #rce

    In conversation Tuesday, 19-Feb-2019 13:53:36 EST from mastodon.at permalink
  13. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Thursday, 07-Feb-2019 22:10:46 EST

    Some popular iPhone apps are secretly recording your screen:

    https://www.extremetech.com/mobile/285342-some-popular-iphone-apps-are-secretly-recording-your-screen

    – apps include Air Canada, Hollister, Expedia, Hotels.com
    – these and other apps use a "session replay" feature of Glassbox
    – Glassbox session replays are essentially real-time videos of how you interact with the app

    #ios #glassbox #session #replay #leak #aircanada #hollister #expedia #hotelscom

    In conversation Thursday, 07-Feb-2019 22:10:46 EST from mastodon.at permalink
  14. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Thursday, 07-Feb-2019 00:06:40 EST

    Project Fission – Firefox :firefox: will get a "site isolation" feature, similar to Chrome/Chromium:

    https://mystor.github.io/fission-news-1.html

    – no ETA for Project Fission
    – Currently, Firefox comes with one process for the browser's user interface, and a few processes for the Firefox code that renders the websites

    #mozilla #firefox #site #isolation #fission #infosec #webbrowser #cybersecurity #security

    In conversation Thursday, 07-Feb-2019 00:06:40 EST from mastodon.at permalink
  15. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 20-Nov-2018 23:45:44 EST

    Do you own a website/blog? There are several online tools to assess its security features:

    https://infosec-handbook.eu/blog/online-assessment-tools/

    Keep in mind that most security features need client-side support and external scanning covers only a small fraction of web server security:

    https://infosec-handbook.eu/blog/web-security-myths/#m1

    We also provide a web server security series:

    https://infosec-handbook.eu/as-wss/

    (Part 4 coming soon.)

    #websecurity #webserver #server #security #infosec #cybersecurity

    In conversation Tuesday, 20-Nov-2018 23:45:44 EST from mastodon.at permalink
  16. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Sunday, 04-Nov-2018 12:30:04 EST

    dank-selfhosted: playbook for self-hosting your own email, web hosting, XMPP chat, and DNS records using OpenBSD

    https://github.com/cullum/dank-selfhosted

    – automated solution for hosting email, web, DNS, XMPP, and ZNC on OpenBSD

    #openbsd #xmpp #dns #email #webhosting #selfhosting #privacy

    In conversation Sunday, 04-Nov-2018 12:30:04 EST from mastodon.at permalink
  17. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Wednesday, 31-Oct-2018 02:39:41 EDT

    An opinion on the future of OMEMO:

    http://blogs.fsfe.org/vanitasvitae/2018/09/07/future-of-omemo/

    – some users/developers consider forward secrecy needless
    – OMEMO's trust management sucks
    – OMEMO only protects the message body
    – OMEMO isn't a standard and further development came to a standstill
    – Messaging Layer Security (MLS) is an upcoming attempt to create a new encryption standard

    #omemo #xmpp #mls #infosec #cybersecurity #security

    In conversation Wednesday, 31-Oct-2018 02:39:41 EDT from mastodon.at permalink
  18. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Sunday, 14-Oct-2018 13:26:19 EDT

    The Illustrated TLS Connection: Every byte of a TLS 1.2 connection explained and reproduced.

    https://tls.ulfheim.net/

    #tls #https #security #cybersecurity #infosec

    In conversation Sunday, 14-Oct-2018 13:26:19 EDT from mastodon.at permalink
  19. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Sunday, 07-Oct-2018 04:05:59 EDT

    Upcoming DNSSEC key rollover – how to check your Turris Omnia's knot resolver:

    – connect to your Turris Omnia using SSH
    – enter '# cat /etc/root.keys | grep "KeyTag:20326"'

    If you see the key, no further action is required. All modern resolvers follow the process defined in RFC 5011 to update their root keys automatically.

    See also:

    https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

    #turris #omnia #knot #dnssec #key #rollover #dns #security #infosec #cybersecurity

    In conversation Sunday, 07-Oct-2018 04:05:59 EDT from mastodon.at permalink
  20. infosec-handbook.eu (infosechandbook@mastodon.at)'s status on Tuesday, 25-Sep-2018 12:43:32 EDT

    Ad-blocker uBlock Origin got per-site JavaScript master switch:

    https://github.com/gorhill/uBlock/releases/tag/1.17.0

    #ublockorigin #ublock #adblock #adblocker #javascript #js #privacy

    In conversation Tuesday, 25-Sep-2018 12:43:32 EDT from mastodon.at permalink
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.
