Guess what? GNSS (aka GPS) doesn't have a mechanism to verify legitimate signals and can be easily overpowered by a malicious transmitter. If you were planning to navigate an autonomous vehicle solely from satellite navigation data, you might want to not do that. #blackhat #infosec
Holy what!

"Amazon's home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a “portal” that allows police to request footage from these cameras, a secret agreement obtained by Motherboard shows."


Reports about some ISPs in Kazakhstan forcing people to install root certificates, resulting in MITM attacks:

– people get SMS informing them about the need to install government-issued root certificates

#mozilla #kazakhstan #mitm #root #certificate #security #infosec #cybersecurity
There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.

Time to change that and run your own DNS over HTTPS server. I spent some time today writing, documenting and arranging a small container setup to allow you to do this:


#DNSoverHTTPS #DoH #Docker #privacy #infosec #selfHosting #DNS
hello mastodon!

we now have an official mastodon account to keep you updated about the most recent developments on sn0int, the only #osint framework that comes with a package manager.


We have some bigger features in the pipeline, stay tuned!

#introduction #infosec #security #privacy #opensource #rustlang
Mozilla starts to offer "Firefox Send" for file exchange, promises "encryption & controls at your fingertips":


#firefox #mozilla #send #firefoxsend #fileexchange #infosec #cybersecurity #security
Introducing Firefox Send, Providing Free File Transfers while Keeping your Personal Information Private
#Privacy? I don't have anything to hide.

> Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.

-- Glenn Greenwald in Why privacy matters - TED Talk #quotes #infosec
~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

#Hacking #Infosec
'When registering an account with #Telegram, the app helpfully uploads the entire Contacts database to Telegram's servers (optional on iOS).

This allows Telegram to build a huge social network map of all the users and how they know each other.

It is extremely difficult to remain anonymous while using Telegram because the social network of everyone you communicate with is known to them (and whoever has pwned their servers).'

more reasons why telegram is not a good choice for secure messaging:
#Cloudflare introduces a #DNS resolver app for #Android and #iOS. Only concern for Android is that it asks for microphone recording and photo access for "bug reporting" #infosec #security #privacy
Experienced in #InfoSec? Want to help journalists stay safe and change the world? OCCRP is hiring a Security Analyst:

This can be a remote position, but relocation to beautiful Sarajevo is welcome. Don't let the requirement list put you off; apply even if you feel you might not fully meet all of them.

You'll be working in a global team of techies, using FLOSS technologies, keeping data and people safe and secure in the changing digital landscape.

Tell your friends, too!
So Alpine Linux has a pretty serious set of vulnerabilities because

- It doesn’t download packages over TLS, making them prone to MitM. Which on its own isn’t terrible but it also...

- Doesn’t check hashes before extracting to root (!)

- And uses custom gzip code which is vulnerable to arbitrary code execution (!!)

Hey #InfoSec, I am starting to look for a new phone. FLOSS OS, good security, root access strongly preferred. Looked at #CopperheadOS before their unfortunate shooting themselves in both feet. Anything else that's interesting?
RT @0xUID@twitter.com: ALWAYS wiggle the card reader! Don't get scammed! #InfoSec
At PCMag, we don't tell people to buy 2G phones, despite the low-cost niches they fill.

That's partly because they don't work as well in the US and partly because the encryption used to secure 2G GSM has been broken for decades.

With all my gripes with #Signal (centralized, non-federated, server-based, Electron-based desktop app), the fact that in my circle of contacts it's no longer the "pretty good solution we should be using" but the "pretty good solution we are using but looking for something better" is such a win.

I just wanted to stop for a second and appreciate that.

If we're talking about the need to move to something better than Signal, we are in a pretty decent place.

One of the paradoxes I struggle with in my work is the conflict between crypto and reliability.

Crypto is important. But it is very binary in nature - either the stars align and you can decrypt, or it fails and there's no recovery. With that kind of binary, reliability suffers. This is inevitable.

As an example, most of the Mastodon downtime I've experienced has been related to minor SSL certificate blunders.

I feel like most of the #InfoSec community wilfully ignores this dynamic.
