#infosec

0mega@social.c-r-t.tk

Harald Eilertsen wrote the following post Tue, 12 Apr 2022 18:25:25 +0200

Multiple vulnerabilities in Hubzilla before version 7.2

Hubzilla < 7.2 - Multiple vulnerabilities : Harald Eilertsen's Homepage

While looking at the source code for Hubzilla, I discovered a few low-hanging security vulnerabilities. These are a Local File Inclusion vulnerability in the standard theme, and two vulnerabilities in the settings modules, a Cross-Site Scripting (XSS) vulnerability and an Open Redirect vulnerability, both via the rpath URL query parameter.

Fixes for all of these issues were released in version 7.2 on March 29, 2022.

The full details at https://volse.net/~haraldei/infosec/disclosures/hubzilla-before-7-2-multiple-vulnerabilities/

If you haven't updated your hub to the latest version yet, I highly recommend that you do so as soon as possible.

#infosec #hubzilla #vulnerabilities
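The two settings-module bugs above share one root cause: a "return path" query parameter (rpath) that is trusted both as a redirect target and as text echoed back into the page. The block below is an added example, not Hubzilla's code and not from the advisory; only the parameter name rpath comes from the post. The function names, the allow-list policy (accept only same-origin, absolute-path-relative URLs) and the fallback of /settings are assumptions made for illustration. It shows the unsafe pattern beside the hardened one for both the redirect and the HTML echo.

```python
"""Validating a return-path parameter such as rpath (illustrative, not Hubzilla's code).

Assumptions (not from the original post): the function names below, the policy
of allowing only same-origin absolute-path-relative URLs, and "/settings" as the
fallback destination.
"""
from html import escape
from urllib.parse import urlsplit


def is_safe_return_path(rpath):
    """Return True only for a same-origin path such as "/settings/display".

    Rejects anything a browser could resolve to another origin or that could
    break out of a header: absolute URLs (https:, javascript:), scheme-relative
    "//evil.example", backslash variants "/\\evil.example" (browsers normalise
    the backslash to a slash), and CR/LF or other control characters.
    """
    if not rpath or not rpath.startswith("/"):
        return False
    if rpath.startswith("//") or "\\" in rpath:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in rpath):
        return False
    parts = urlsplit(rpath)
    # urlsplit only sets scheme/netloc for absolute or scheme-relative input,
    # both of which were already rejected; this is a belt-and-braces check.
    return not parts.scheme and not parts.netloc


def redirect_headers_vulnerable(rpath):
    """Open redirect: whatever the client sent becomes the Location header."""
    return [("Location", rpath)]


def redirect_headers_hardened(rpath, fallback="/settings"):
    """Redirect only to an allow-listed local path, otherwise to the fallback."""
    target = rpath if is_safe_return_path(rpath) else fallback
    return [("Location", target)]


def hidden_field_vulnerable(rpath):
    """Reflected XSS: the parameter is dropped into HTML without escaping."""
    return '<input type="hidden" name="rpath" value="%s">' % rpath


def hidden_field_hardened(rpath, fallback="/settings"):
    """Validate first, then HTML-escape (quote=True also escapes the double quote)."""
    target = rpath if is_safe_return_path(rpath) else fallback
    return '<input type="hidden" name="rpath" value="%s">' % escape(target, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path and several attack strings.
    samples = [
        "/settings/display",
        "//evil.example/",
        "https://evil.example/",
        "/\\evil.example",
        "/settings\r\nSet-Cookie: session=attacker",
        '"><script>alert(1)</script>',
    ]
    for candidate in samples:
        print(repr(candidate), is_safe_return_path(candidate), redirect_headers_hardened(candidate))
        print("  vulnerable:", hidden_field_vulnerable(candidate))
        print("  hardened:  ", hidden_field_hardened(candidate))
```

Note that validation and escaping are separate defences: the allow-list stops the open redirect, but a value like `/settings"><script>` passes it and still needs HTML escaping before it is echoed, which is why the hardened hidden-field builder does both.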

harald@hub.volse.no

If you create any kind of software—big, small, commercial, free, open or closed source—please provide some useful contact info for reporting security issues.

No, I will not register anywhere to do so. Not your forum, not Twitter, definitely not Facebook! A contact form works, but email is preferred. If you can't handle reports by email or an open contact form, I'm very tempted to just go full disclosure on you right away!

#infosec #vulnerabilities #coordinated-disclosure #email

harald@hub.volse.no

Analysis of a BankID phishing scam

Red screen with white text showing a phishing warning.

The other day an email turned up that caught my interest. I didn't have time to look at it until today, but here is a short summary of what I found.

The email appears to be from BankID, and looks innocuous enough. They apologise for the recent instability of the service, and explain that it is due to a change of subcontractor. They go on to reassure us that they take security seriously, and offer some good tips for avoiding being affected by any downtime in the future.

So far so good, but something doesn't add up.

Read the rest of the analysis on my blog.

#infosec #phishing #norsk #norge #bankid

harald@hub.volse.no

ALPHV (BlackCat) is the first professional ransomware gang to use Rust


Security researchers have discovered this week the first professional ransomware strain that was coded in the Rust programming language and was deployed against companies in real-world attacks.

It's a first of some sort at least.

I'm not sure it matters much, either to the victims or to the analysts, what programming language the malware authors used, though.

#rust #rustlang #infosec #malware #ransomware

harald@hub.volse.no

Phishing email pretending to be from Telenor:

From: Telenor.no <support@wordpress-698414-2307965.cloudwaysapps.com>
To: ***************
Date: December 7, 2021 6:38 pm (40m ago)
Subject: DIN FAKTURA ER PÅ NET (YOUR INVOICE IS ON THE NET)

This is a phishing email; don't click on anything or reply to it.

#phishing #infosec #norsk #norge

dredmorbius@joindiaspora.com

Bugs in Our Pockets

... Client-side scanning, as the agencies’ new wet dream is called, has a range of possible missions. While Apple and the FBI talked about finding still images of sex abuse, the EU was talking last year about videos and text too, and of targeting terrorism once the argument had been won on child protection. It can also use a number of possible technologies; in addition to the perceptual hash functions in the Apple proposal, there’s talk of machine-learning models. And, as a leaked EU internal report made clear, the preferred outcome for governments may be a mix of client-side and server-side scanning.

In our report, we provide a detailed analysis of scanning capabilities at both the client and the server, the trade-offs between false positives and false negatives, and the side effects – such as the ways in which adding scanning systems to citizens’ devices will open them up to new types of attack. ...

...

If device vendors are compelled to install remote surveillance, the demands will start to roll in. Who could possibly be so cold-hearted as to argue against the system being extended to search for missing children? Then President Xi will want to know who has photos of the Dalai Lama, or of men standing in front of tanks; and copyright lawyers will get court orders blocking whatever they claim infringes their clients’ rights. Our phones, which have grown into extensions of our intimate private space, will be ours no more; they will be private no more; and we will all be less secure. ...

Authors are a who's who of cryptographic and security brilliance: Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, and Carmela Troncoso.

Full paper (PDF): https://arxiv.org/abs/2110.07450

https://www.lightbluetouchpaper.org/2021/10/15/bugs-in-our-pockets/

#privacy #infosec #infotech #cryptography #surveillance #smartphones #MobileComputing #HalAbelson #RossAnderson #StevenMBellovin #JoshBenaloh #MattBlaze #JonCallas #WhitfieldDiffie #SusanLandau #PeterGNeumann #RonaldRivest #JeffreyISchiller #BruceSchneier #VanessaTeague #CarmelaTroncoso

dredmorbius@joindiaspora.com

A Defunct Video Hosting Site Is Flooding Normal Websites With Hardcore Porn

... As pointed out by Twitter user @dox_gay, hardcore porn is now embedded on the pages of the Huffington Post, New York magazine, The Washington Post, and a host of other websites. This is because a porn site called 5 Star Porn HD bought the domain for Vidme, a brief YouTube competitor founded in 2014 and shuttered in 2017. Its Twitter account is still up, but the domain lapsed. ...

The trend toward embeds rather than screenshots or direct copying has long struck me as ill-conceived.

At least it's only pr0n. As a vector for malware / spyware injection, this could be even more interesting.

HN discussion: https://news.ycombinator.com/item?id=27924777

https://www.vice.com/en/article/qj8xz3/a-defunct-video-hosting-site-is-flooding-normal-websites-with-hardcore-porn

#infosec #bitrot #pr0n #DNS #ItsAlwaysDNS #LapsedDomains #EmbeddedContent #malware #spyware #risks #infosec

theeo123@diasp.org

There are six bills with bipartisan support currently being debated in the US Congress that could rein in the power of Big Tech.

https://protonmail.com/blog/big-tech-bills-us/

#Privacy #Security #Technology #InfoSec #Congress

TLDR:

The American Choice and Innovation Online Act forbids companies from self-preferring their products on their platforms.

The Ending Platform Monopolies Act bans a Big Tech company that stands as the monopolistic owner of a platform from selling and providing products on that platform and competing with its business users.

The Platform Competition and Opportunity Act bans Big Tech companies from buying competitors to increase market power.

The ACCESS Act makes moving data between communications services easier via interoperability, data security, and data portability.

Merger Filing Fee Modernization Act increases merger fees and improves funding for the FTC and DoJ’s Antitrust Division.

State Antitrust Enforcement Venue Act of 2021 grants state attorneys general more control over which courts hear antitrust cases.