
jchris : security   425

Newly Released Amazon Patent Shows Just How Much Creepier Alexa Can Get
In theory, Alexa-enabled devices will only record what you say directly after the wakeword, which is then uploaded to Amazon, where remote servers use speech recognition to deduce your meaning, then relay commands back to your local speaker. -==- But one issue in this flow of events, as Amazon's recently revealed patent application argues, is it means that anything you say before the wakeword isn't actually heard. [...] -==- To overcome this barrier, Amazon is proposing an effective workaround: simply record everything the user says all the time, and figure it out later.
privacy  security  vulnerability 
7 weeks ago by jchris
Sessions don't work in Chrome but do in IE
Even though a request over http would cause Tomcat or ColdFusion to set a new JSESSIONID cookie, Chrome will not store that cookie if it already has a cookie with the same name and the secure flag is set.
browser  security  webmaster 
8 weeks ago by jchris
PhotoTAN banking is not secure › Friedrich-Alexander-Universität Erlangen-Nürnberg
Transactions via smartphone are not secure. FAU computer scientists have proven this with a successful attack on the photoTAN procedures of three banks. Only last year the researchers had exposed the conceptual weakness of single-device banking by manipulating the Sparkasse's pushTAN app.
banking  security  mobile 
april 2019 by jchris
Password Leaks -- SMBlog -- 10 June 2012
The technical press is full of reports about the leak of a hashed password file from LinkedIn. Worse yet, we hear, the hashes weren't salted. The situation is probably both better and worse than it would appear; in any event, it's more complicated.
password  security 
april 2019 by jchris
SMBlog -- 24 February 2014
Following the logic in my previous post, I don't think that Apple's goto fail was a deliberate attack. Suppose it was, though. What can we learn about the attacker? (Steve Bellovin)
apple  security  vulnerability 
april 2019 by jchris
Defeating the Secrets of OTP Apps for Android – forensic blog
The paper of Philip Polleit and myself investigates 16 such 2FA apps for the Android operating system and focuses on the extent to which these applications can offer a similar level of protection when compared to classical hardware tokens (e.g., YubiKey, SecurID-Authenticator). The paper was presented at this year's IMF conference in Hamburg.
android  password  security  vulnerability 
march 2019 by jchris
Ad targeters are pulling data from your browser’s password manager - The Verge
Ad targeters are pulling data from your browser’s password manager
New research shows an alarming new way to track web users
data-dealer  privatier  security  tracking 
february 2019 by jchris
Out-of-Office Messages are a Security Risk - The Lone Sysadmin
Every once in a while I get asked why I don’t have an out-of-office message for my email or voice mail. Truth is, I’ll often monitor my email even when I’m out, though I often practice good operations discipline by not responding. Just as intermittent problems with computer systems are hard to deal with, a staff member that’s supposed to be gone but isn’t acting like it is just as confusing. Humans can, and should, drain-stop and remove themselves from clusters for maintenance, too.
email  security  sysadmin 
february 2019 by jchris
GitHub - StreisandEffect/streisand: Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
github  privacy  security  sysadmin  vpn 
february 2019 by jchris
Quora Security Update - The Quora Blog - Quora
We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.

We also want to be as transparent as possible without compromising our security systems or the steps we're taking, and in this post we’ll share what happened, what information was involved, what we're doing, and what you can do.

We're very sorry for any concern or inconvenience this may cause.
privacy  security  hack 
january 2019 by jchris
How to Encrypt Your DNS With DNSCrypt on Ubuntu and Debian
DNSCrypt encrypts your DNS traffic automatically and sends it to DNS servers that also use encryption. This way, the entire transaction remains encrypted throughout. Not even your ISP will be able to see where you're browsing. DNSCrypt is actually one of the easiest services that you can set up on Linux, so there's really no reason not to use it.
dns  security 
january 2019 by jchris
Make Orwell Fiction Again Part 2: Micro Moments – Patrick Berlinquette – Medium
Today, 3 out of 4 smartphone owners turn to Google first to address their immediate needs. -==- As a result, Google marketers like me must survive on our ability to play on your impatience and impulsiveness when you’re using a mobile device.
marketing  mobile  security  surveillance 
december 2018 by jchris
Windows Sandbox - Microsoft Tech Community - 301849
At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.
security  windows  virtualization 
december 2018 by jchris
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret - The New York Times
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret
Dozens of companies use smartphone locations to help advertisers and even hedge funds. They say it’s anonymous, but the data shows how personal it is.
data-dealer  mobile  privacy  security 
december 2018 by jchris
PhotoTAN banking on mobile devices is not secure › Friedrich-Alexander-Universität Erlangen-Nürnberg
Mobile banking is convenient – it can be used anywhere, any time, with a single device. More and more people are using this form of banking, and more and more banks are offering this service. The problem is that transactions made using smartphones are not secure. FAU computer scientists have demonstrated this by successfully hacking the photoTAN procedures of three banks. This comes just a year after they highlighted the flaws in the concept of single-device banking by manipulating Sparkasse’s pushTAN app.
banking  security  vulnerability 
december 2018 by jchris
Christopher Soghoian: Government surveillance — this is just the beginning | TED Talk
Privacy researcher Christopher Soghoian sees the landscape of government surveillance shifting beneath our feet, as an industry grows to support monitoring programs. Through private companies, he says, governments are buying technology with the capacity to break into computers, steal documents and monitor activity — without detection. This TED Fellow gives an unsettling look at what's to come.
privacy  security  surveillance  2013 
december 2018 by jchris
A leaky database of SMS text messages exposed password resets and two-factor codes – TechCrunch
A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more. -==- The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.
hack  security  sms 
november 2018 by jchris
ProtonMail - Swiss-based private email
Official subreddit for ProtonMail, a secure email service based in Switzerland. ProtonMail is privacy-focused, uses end-to-end encryption, and offers a clean user interface and full support for PGP and standalone email clients.
email  privacy  security 
november 2018 by jchris
Passive WIFI Surveillance and Access Point Hijacking — ENISA
To reduce user burden when re-connecting to known AP, devices typically cache credentials and SSIDs and scan for nearby APs. If a known AP is discovered, the device re-connects automatically to it. Although APs periodically announce their SSID and it is possible to scan them passively, the preferred way for scanning is active scanning by the client using WIFI probe request frames. A probe request is essentially a broadcast question: "Is AP with SSID xxxx listening? Please respond".
security  wifi  vulnerability 
november 2018 by jchris
Google’s stealthy sign-in sentry can pick up pilfered passwords – Naked Security
The second, apparently timed to coincide with 31 October, was that Google is yet again modifying the background security checks it performs during accounts sign-in as well as modifying its recovery process in the event of unauthorised access. There’s also important news if you’re a hold-out against enabling JavaScript. -==- The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.
google  security 
november 2018 by jchris
Researchers warn of tracking via TLS | heise Security
TLS session resumption is meant to speed up the establishment of encrypted connections. Under some circumstances, however, it also makes it possible to track users on the net.

Four researchers from the University of Hamburg warn of a so far little-discussed threat to the privacy of Internet users: of all things, the ever more widespread encryption of data with TLS makes it possible to track users as they browse the Internet, warn Erik Sy and colleagues.
2fhg  privacy  security 
october 2018 by jchris
After data breach, Mark Zuckerberg can’t say why users should still trust Facebook.
A new, massive security breach let hackers take control of at least 50 million accounts. And Mark Zuckerberg has no answers.
data-dealer  facebook  security 
october 2018 by jchris
Digital IDs Are More Dangerous Than You Think | WIRED
THERE ARE SIGNIFICANT, real-world benefits to having an accepted and recognized identity. That’s why the concept of a digital identity is being pursued around the world, from Australia to India. From airports to health records systems, technologists and policy makers with good intentions are digitizing our identities, making modern life more efficient and streamlined. -==-
Governments seek to digitize their citizens in an effort to universalize government services, while the banking, travel, and insurance industries aim to create more seamless processes for their products and services. But this isn’t just about efficiency and market share. In places like Syria and Jordan, refugees are often displaced without an identity. Giving them proof of who they are can improve their settlement, financial security, and job prospects in foreign lands.
privacy  security 
october 2018 by jchris
Hardware Implants
There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic. -==- The core of the claim is that someone implanted extra components on some server motherboards that would do malicious stuff, subvert the system and possibly allow it to ‘phone home’. I looked at the claims through a technical and feasibility lens.
hrdware  security 
october 2018 by jchris
Errata Security: Notes on the Bloomberg Supermicro supply chain hack story
Bloomberg has a story how Chinese intelligence inserted secret chips into servers bound for America. There are a couple issues with the story I wanted to address.

The story is based on anonymous sources, and not even good anonymous sources.
hardware  security 
october 2018 by jchris
Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars | COSIC
High-end vehicles are often equipped with a Passive Keyless Entry and Start (PKES) system. These PKES systems allow to unlock and start the vehicle based on the physical proximity of a paired key fob; no user interaction is required.
auto  fallacy  security 
september 2018 by jchris
Researchers show Alexa “skill squatting” could hijack voice commands | Ars Technica
Homophones and mistakes in voice processing could be used to phish Echo users, research finds.
amazon  privacy  security 
september 2018 by jchris
No, eight characters, some capital letters and numbers is not a good password policy • The Register
Bad passwords are one of those problems that never goes out of fashion, and sure enough, 60,000 (26 per cent) of the state’s AD passwords were found to be somewhere between easily guessed and downright lamentable.
password  security 
august 2018 by jchris
So Hey You Should Stop Using Texts for Two-Factor Authentication | WIRED
The last few months have demonstrated that SMS text messages are often the weakest link in two-step logins: Attacks on political activists in Iran, Russia, and even here in the US have shown that determined hackers can sometimes hijack the SMS messages meant to keep you safe. Whenever possible, it's worth taking a minute to switch to a better system, like an authentication smartphone app or a physical token that generates one-time codes.
2fa  authentication  security  sms  2016 
august 2018 by jchris
Pentester's Blog: Internal IP Address Disclosure over HTTP Protocol Channel : Information Revealing Headers !
The disclosure of internal IP addresses to remote users reveals a substantial layout of the organizational network. It is highly advised that the web servers should not disclose internal IP addresses in the HTTP response headers. In real-time scenarios, this is not the case. The majority of web servers, load balancing devices and web applications disclose this information. This post simply discusses the different ways through which internal IP addresses are revealed over HTTP protocol.
fallacy  privacy  security  webmaster  2013 
august 2018 by jchris
Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug • The Register
Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug
Brinkmann files third signature spoof vulnerability in a month
gnupg  security  vulnerability 
june 2018 by jchris
Taking Back the DNS
Taking Back the DNS -- By Paul Vixie (Jul 30, 2010) I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.
dns  security  spam 
june 2018 by jchris
Creating a 8192 bit GPG key to replace my 1024 bit one - Nick
My GPG key from 2003 to now has been a 1024 bit DSA key, which uses a 160 bit SHA-1 hash. As per the Debian Guidance, this isn't ideal, and I (along with many) have decided to move to a new, stronger key with a stronger hash.
gpg  security 
may 2018 by jchris
The Professional Pentester Guide – eLearnSecurity Blog
The demand for information security professionals and experts is rising as there is a huge skills gap! An introduction to aspiring students who want to understand what penetration testing really is and what a penetration tester does.
pentesting  security 
may 2018 by jchris
SFTP with key authentication on (hosted) Linux servers for web developers with different privileges – II | Linux-Blog – Dr. Mönchmeyer / anracon – Augsburg
Because of the security requirements that have been raised for some time now, we have to improve the SSH setup. Unfortunately I cannot go into details here - but above all, known problems in the area of the initial "Key Exchange" [KEX] need to be fixed:
ssh  security  sysadmin 
april 2018 by jchris
Disabling Autocrypt in Enigmail 2.0
The Autocrypt scheme aims to relieve users of the manual PGP key exchange and thereby make it user-friendly. The PGP key is to be sent along in the header of every e-mail, so that the recipient can immediately reply with encryption automatically, without having to bother with the key exchange (and validation?). -==- For the theoretical justification of its security, Autocrypt falls back on the concept of Opportunistic Security (RFC 7435). That means that the encryption is only supposed to protect against passive attackers, but no longer against active attackers, who can sneak into the communication as a man-in-the-middle.
autocrypt  gnupg  openpgp  privacy  security 
april 2018 by jchris
Practical passwordless authentication comes a step closer with WebAuthn | Ars Technica
"WebAuthn is a specification to allow browsers to expose hardware authentication devices—USB, Bluetooth, or NFC—to sites on the Web. These hardware devices enable users to prove their identity to sites without requiring usernames and passwords."
authentication  browser  security  standard 
april 2018 by jchris
Plain Text Offenders - Developers FAQ
We are not perfect, and as a result, the software we make is not perfect. It can - and probably will - be hacked at one point or another. Users use the same password for most of the services they use (let’s be honest, you do this too), so when your product gets hacked, you will be exposing your users to having most of their online accounts stolen.
password  security 
april 2018 by jchris
Mythology about security… | jg's Ramblings
Infotech insecurity was not a "failure of imagination" -==- It was an intentionally imposed policy over the objections of technical contributors. -==- Jim Gettys was (and is) one of those contributors.
internet  design  history  security 
april 2018 by jchris
How to keep your ISP’s nose out of your browser history with encrypted DNS | Ars Technica
Security experts know there's a last mile problem—maybe encrypted DNS can help. -==- The death of network neutrality and the loosening of regulations on how Internet providers handle customers' network traffic have raised many concerns over privacy. Internet providers (and others watching traffic as it passes over the Internet) have long had a tool that allows them to monitor individuals' Internet habits with ease: their Domain Name System (DNS) servers. And if they haven't been cashing in on that data already (or using it to change how you see the Internet), they likely soon will.
dns  privacy  security  howto 
april 2018 by jchris
Arcfour and CipherSaber in Emacs Lisp « null program
I have previously talked about arcfour and CipherSaber and provided implementations in C. For fun, I made an implementation of arcfour in Emacs lisp (elisp), and built upon that to make a CipherSaber implementation in elisp. Check it out with Git,
code  elisp  cryptography  security 
march 2018 by jchris
Understanding the SSH Encryption and Connection Process | DigitalOcean
SSH, or secure shell, is a secure protocol and the most common way of safely administering remote servers. Using a number of encryption technologies, SSH provides a mechanism for establishing a cryptographically secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth. -==- In other guides, we have discussed how to configure SSH key-based access, how to connect using SSH, and some SSH tips and tricks. -==- In this guide, we will be examining the underlying encryption techniques that SSH employs and the methods it uses to establish secure connections. This information can be useful for understanding the various layers of encryption and the different steps needed to form a connection and authenticate both parties.
encryption  security  ssh  tutorial 
march 2018 by jchris
0bin - encrypted pastebin
0 Bin. 0bin is a client-side-encrypted pastebin featuring burn after reading, a history and a clipboard
pastebin  privacy  security  notepad 
march 2018 by jchris
Checking ssh public key fingerprints
Checking of an ssh server key via DNS: You can put the server key's fingerprint in DNS (Domain Name System) and get ssh to tell you whether the two fingerprints match. This is not a guarantee but it makes Mallory's job harder since he needs to spoof DNS as well as ssh, which can be done as few domains yet implement DNSSEC.
ssh  dns  security 
march 2018 by jchris
Sprites mods - Hard disk hacking - Intro
All that implies there's some intelligence in a hard disk, and intelligence usually implies hackability. I'm always interested in hackability, so I decided I wanted to look into how hard disks work on the non-mechanical level. Research like this has been done before for various bits of hardware: from PCI extension cards to embedded controllers in laptops to even Apple keyboards. Usually the research has been done in order to prove the hackability of these devices can lead to compromised software, so I decided to take the same approach: for this hack, I wanted to make a hard disk that could bypass software security.
hack  hardware  security 
february 2018 by jchris
Strava’s fitness heatmaps are a 'potential catastrophe'
You can run (or bike), but you can’t hide from big-data irresponsibility.
data-dealer  privacy  security  tracking  gps 
february 2018 by jchris
How the locations of secret military bases ended up on the Internet | NZZ
In 2013 the US Department of Defense distributed thousands of Fitbit wristbands to motivate soldiers to exercise. Those same wristbands have now revealed dozens of secret military bases
security  data-dealer 
january 2018 by jchris
Why does APT not use HTTPS?
HTTPS can not detect if malicious tampering has occurred on the disks of the server you are downloading from. There is little point "securely" transferring a compromised package.
apt  debian  security  SSL 
january 2018 by jchris
Model IT security concepts – The Data Protection Commissioner of the EKD
The IT Security Ordinance above all regulates the obligation to draw up an IT security concept. Corresponding templates and guidance have been developed by the Church Office of the EKD.
january 2018 by jchris
Introducing Cloudflare Access: Like BeyondCorp, But You Don’t Have To Be A Google Employee To Use It
Tell me if this sounds familiar: any connection from inside the corporate network is trusted and any connection from the outside is not. This is the security strategy used by most enterprises today. The problem is that once the firewall, or gateway, or VPN server creating this perimeter is breached, the attacker gets immediate, easy and trusted access to everything.
network  security  google  2fhg 
january 2018 by jchris
Self-Crashing Cars
With cyber security the first thing to understand is that the internet is ungovernable because locality is irrelevant and identity shroudable. This is by design—it's the internet—we're all supposed to be able to talk to everyone and it wasn't designed at the protocol level to require payment or identification.
identity  security  essay  selfdriving  car 
january 2018 by jchris
Dropbear SSH
Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers.
linux  security  ssh  sysadmin 
january 2018 by jchris
That grumpy BSD guy: Why Not Use Port Knocking?
The robots currently at work knocking around for your guessable password could easily be repurposed to guess your Unicode password currently known as your port knocking sequence, and quite likely have been already. Plus, we already have authpf(8) for network-level restrictions on access.
security  ssh  2atis 
january 2018 by jchris
Making USB Great Again with USBFILTER – a USB layer firewall in the Linux kernel |
Our paper “Making USB Great Again with USBFILTER” has been accepted by USENIX Security’16. This post provides a summary of usbfilter. For details, please read the damn paper or download the presentation video/slides from USENIX website.
usb  security  paper  linux  kernel 
january 2018 by jchris
Andreas Pfitzmann: How the SchlAG came about
If afterwards you are not merely incredulously astonished but deeply appalled, then do something about it - in a democracy that is not only your right but almost your duty. Write, for example, to the Minister of the Interior, the Minister for Post and Telecommunications (Bundesministerium für Post und Telekommunikation, Postfach 8001, D-53105 Bonn, Tel. 0228 / 14-0), the Federal Chancellor, the political parties. And if you meet a police officer - offer comfort, in case the key to improving the world is missing. Lest the SchlAG strike us all.
encryption  security  satire  @goodie  1995 
january 2018 by jchris