Items tagged infosec


 
This doesn't look good. This doesn't look good at all:
https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html

"Unpatched Safari Browser Hack Lets Attackers Spoof URLs"

"Discovered by Pakistan-based security researcher Rafay Baloch, the vulnerability (CVE-2018-8383) is due to a race condition type issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading."

/via Dzemila

#InfoSec

 
Karma at its best. Blockchain betting app gets hacked four days after mocking competitor. Hacker steals roughly $125,000 by exploiting vulnerability in EOS smart contract. https://www.zdnet.com/article/blockchain-betting-app-mocks-competitor-for-getting-hacked-gets-hacked-four-days-later/
#Infosec

 
So Alpine Linux has a pretty serious set of vulnerabilities because

- It doesn’t download packages over TLS, making them prone to MitM. Which on its own isn’t terrible but it also...

- Doesn’t check hashes before extracting to root (!)

- And uses custom gzip code which is vulnerable to arbitrary code execution (!!)

#Infosec

 
"PIN code in police custody: decrypting a bluff" - https://paris-luttes.info/code-pin-en-garde-a-vue-decryptage-10696

Isn't there such a thing as a "honeypot" PIN code? Something like: if this PIN is used, the phone unlocks but:
- wipes sensitive data
- shows only uninteresting data

#infosec

PIN code in police custody: decrypting a bluff

Lately, you hear everywhere that it is now mandatory to hand over your PIN code in police custody. Taking apart this rumour, which the cops don't hesitate to feed. By the Groupe légal Paris.


 
#Unix
The moral: you must do *nothing* with a file before verifying its signature (you must not even untar it).

 
Adding this to #infosec

If you use Debian: you're not getting the recent Intel CPU bugfixes because Intel updated the firmware package's license to state that it's not redistributable.

If you use a Linux other than Debian and have the bugfixes: ask your maintainers why they're distributing software they're not legally allowed to.

And in any case: next time you purchase a CPU, evaluate whether AMD might be a better choice than Intel.

https://freeradical.zone/@tek/100583773163723577
via @stevelord @tek

 
More of a reason to use Linux for the security conscious.
#linux #spyware #webcam #infosec

 
So here's the situation:
- nginx does not forward AUTH to the SMTP back-end;
- Hitch requires processing of the cert files (catting them together, but still);
- stunnel doesn't, *unless* we want to use our own dhparams (which we'd rather do).

*sigh*

Any other TLS termination proxies I should check out? #sysadmin #infosec

 
Oh come the fsck on!

"Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters."

This right there is why we cannot have nice things. #infosec

 
I need to set up a TLS tunnel in front of an SMTP server (low-traffic, internal stuff). stunnel? Hitch? Something else?

Tried with nginx (pretty interesting, but poorly documented): https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/

...but nginx does not support forwarding AUTH to the SMTP back-end: http://mailman.nginx.org/pipermail/nginx/2010-February/019029.html

#Sysadmin #InfoSec

 
@PierreCol An #infosec question: how did the information leak? Did they get the computer holding the file hacked? #RGPD

 
Dear #InfoSec #SysAdmin, has anyone done an independent security analysis of Google Compute Engine / Google Cloud Platform data encryption?

So far I was only able to find Google's marketing:
https://cloudplatform.googleblog.com/2013/08/google-cloud-storage-now-provides.html

...but no actual technical info. And what I found suggests (unsurprisingly) that #Google has access to the encryption keys.

 
Be aware of a common scam running on the internet - someone emails you with a password that you will recognize and threatens to publicly post bad things about you on social media unless you pay a ransom. The password and email come from some web site breach, such as LinkedIn. Don’t fall for it. Delete and move on. Also, take this opportunity to get a password manager and use a different password on every site/service you use. ✌️
#infosec

 
RT @0xUID@twitter.com: ALWAYS wiggle the card reader! Don't get scammed! #InfoSec

 
JavaScript programmers, do you use `eslint`? Pay attention to this:

https://github.com/eslint/eslint-scope/issues/39

That GitHub organization has been somewhat compromised; please check the version you use, and stay tuned.

#security #infosec #javascript

 
Now this is Social Engineering.

Stuttering John live records his vishing (voice phishing / conning over the phone) of the White House.

He actually gets in touch with President Trump on Airforce One.

#SocEng #SocialEngineering #InfoSec #Phishing #Vishing

 
#infosec and #crypto people will understand!

 
With all my gripes with #Signal (centralized, non-federated, server-based, Electron-based desktop app), the fact that in my circle of contacts it's no longer the "pretty good solution we should be using" but the "pretty good solution we are using but looking for something better" is such a win.

I just wanted to stop for a second and appreciate that.

If we're talking about the need to move to something better than Signal, we are in a pretty decent place.

#infosec

 
No, PGP is not broken, not even with the Efail vulnerabilities - https://protonmail.com/blog/pgp-vulnerability-efail/

> Recently, news broke about potential vulnerabilities in PGP, dubbed Efail. However, despite reports to the contrary, PGP is not actually broken, as we will explain in this post.

#pgp #efail #infosec #security #mail

 
#PGP and #GPG are so broken, the EFF is recommending that you immediately stop using them until after publication of the problem. #infosec #security #GoodLuck #WereAllDoomed

https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

Ominous: https://twitter.com/seecurity/status/995913231418961920

 
Security Flaw Impacts Electron-Based Apps - https://www.bleepingcomputer.com/news/security/security-flaw-impacts-electron-based-apps/

> Security researchers have found a security flaw in Electron, a software framework that has been used in the past half-decade for building a wealth of popular desktop applications.

#Security #infosec #Electron

 
I do not want to live on this planet anymore:
https://arstechnica.com/information-technology/2018/05/drive-by-rowhammer-attack-uses-gpu-to-compromise-an-android-phone/

"[T]he exploit is the first to show that GPUs can flip individual bits stored in dynamic random-access memory. (...) It's also the first Rowhammer attack that uses standard JavaScript to compromise a smartphone, meaning it can be executed when users do nothing more than visit a malicious website. Another key innovation: on average, GLitch takes less than two minutes to compromise a device"

#infosec

 
Thanks everyone for the boosts of my toot about good #infosec sources, but I actually only got one answer. xD
I'll take all your good addresses (site, forum, youtube, skyblog...).
Lots of kisses

 
Hello my favourite tooters. I'm looking for good sites / YouTube (or peertube) channels / podcasts... for #infosec in English, French or Spanish. Any suggestions?

 
Seems like SSLLabs is planning to collect personal data from its users soon: https://twitter.com/vcsjones/status/985338700807770123
I wonder what they need this for to "provide the service".
#infosec #ssl #privacy

 
T-Mobile Austria started a big old #infosec dumpster fire on birdsite: https://twitter.com/tmobileat/status/982190220798967809 /ht @bkero

 
MyFitnessPal got hacked.

https://www.digitaltrends.com/computing/under-armour-myfitnesspal-accounts-hacked/

#infosec #news #hacked

 
Could you make my first steps in mastodon easier and give me some accounts writing about #itsec, #infosec, or #datascience?

 
I'm no fan of Facebook, but the #infosec trend of blaming consumers for giving away information, or saying we should all live in a hole doesn't help. Mozilla's trying to mitigate FB's worst habits, so people can keep using it. It's an idea worth exploring, and one I'm happy to see.

https://www.pcmag.com/news/360079/mozilla-stops-facebook-tracking-with-a-firefox-add-on

 
Hop, also published on Medium => Deploying #CSP: a 5-step approach https://medium.com/@Nico3333fr/d%C3%A9ployer-csp-une-approche-en-5-%C3%A9tapes-783b490dd9cb #infosec #ContentSecurityPolicy #Security

 
Since there seems to be a new influx of people, I thought I'd give another #introduction. I work in #infosec at a very large technology company helping to protect it, and its customers, from cyber threats. I am quite passionate about systemically improving security, and try to help through a weekly podcast I founded and co-host (defensivesecurity.org) and a blog (infosec.engineering). I also manage the infosec.exchange Mastodon instance.
I hope you all have a great weekend!
#introductions

 
"if you are publishing research behind a paywall, I don't know what you are doing, but it isn't Science."

"If you don't publish everything necessary to reproduce, including hardware decisions and settings, it isn't Science."

#TR18 #troopers #infosec #academia

 
It's called a *private* key for a reason.

don't let the certificate authority generate it for you and/or give it to the certificate authority

the only thing you are supposed to give to the certificate authority is the certificate signature request (CSR) and they give you the certificate after the validation process

#infosec

 
the more I read about this Trustico incident, the more absurd it gets

what the actual fuck

https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/

#infosec

23,000 HTTPS certificates axed after CEO emails private keys

Flap that goes public renews troubling questions about issuance of certificates.

 
The most annoying thing about being in the #infosec industry is all those tiny blogs seeking attention by finding new terms for existing threats, calling them “Super Threats” and explaining why the world will end tomorrow, so people come and click... 😒

 
Let's Encrypt disabled ACME TLS-SNI validation a couple of days ago, and now announces it's not going to be a validation option for new accounts, and SNI validation will be deprecated for the new API.
No details on the reasons for that move, except that it's a risk in shared hosting environments.

https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188

#infosec

2018.01.11 Update Regarding ACME TLS-SNI and Shared Hosting Infrastructure

Please see this post for background information. The last 48 hours have been a busy time for Let’s Encrypt staff. We’ve been working hard to come up with a plan for ACME TLS-SNI validation that sufficiently protects the integrity of Web PKI while minimizing problems for people and organizations using TLS-SNI validation for HTTPS deployments. We’d like to thank our community and partners for the incredibly helpful input we’ve received. We have arrived at the conclusion that we cannot generally ...

 
#Signal protocol coming to #Skype near you: https://signal.org/blog/skype-partnership/

Of course it's optional. -_-;

#InfoSec

Signal partners with Microsoft to bring end-to-end encryption to Skype

In collaboration with Signal, Microsoft is introducing a Private Conversations feature in Skype, powered by Signal Protocol.

 
@jk

Lifesec hack: have no computers or data, live in a cabin and eat food you grow in a garden, fend off bears with an axe or a machine-printed gun

#infosec #lifesec #hacks

 
#InfoSec India's equivalent of the TES file has just been breached. 1.2 billion identities compromised.

| Article https://www.buzzfeed.com/amphtml/pranavdixit/indias-national-id-database-with-private-information-of (BuzzFeed)

India's National ID Database With Private Information Of Nearly 1.2 Billion People Was Reportedly Breached

 
Network and protocol security specialist and teacher, searching for a defensive security/"secdevops"/architect job, or a good counterproposal, in France or its border countries.

Available on March 1, 2018.

https://www.x-cli.eu/cv.pdf

Boost appreciated.

#DNS #TLS #HTTP #infosec #crypto #Signal #OMEMO #OpenPGP #U2F

 
#infosec trashpost

 
#infosec trashpost

 
#infosec trashpost

 
#infosec trashpost