social.sokoll.com

Search

Items tagged with: Security

Zählen die Stunden, Tage, Wochen bis zu einem Patch #Security @Apple
 

reCaptcha


W3C has published an extensive list of reCAPTCHA alternatives:

https://www.w3.org/TR/turingtest/

W3C is requesting feedback for the document, if you'd like to make suggestions, please open an issue: https://github.com/w3c/apa/issues

"Google wants you to think reCaptcha is the ONLY tool. That way they can get more user data."

People should start to complain to every site which is using recaptcha, because it is just one of google's data hamstering tools (which fingerprints users, gets device information, ip and many more private data).

There are alternatives, don't use this google service!

#recaptcha #google #w3c #w3 #linux #bot #bots #gnu #security #spam #bsd
 

reCaptcha


W3C has published an extensive list of reCAPTCHA alternatives:

https://www.w3.org/TR/turingtest/

W3C is requesting feedback for the document, if you'd like to make suggestions, please open an issue: https://github.com/w3c/apa/issues

"Google wants you to think reCaptcha is the ONLY tool. That way they can get more user data."

People should start to complain to every site which is using recaptcha, because it is just one of google's data hamstering tools (which fingerprints users, gets device information, ip and many more private data).

There are alternatives, don't use this google service!

#recaptcha #google #w3c #w3 #linux #bot #bots #gnu #security #spam #bsd
 
 
Autopsy - A Digital Forensic Lab #security
 
(German translation below.)

If you're stuck at home and use Zoom as a video conferencing solution that works for you, that's fine. Keep using it. Here are some options you might want to check to enhance the overall security of your and your guests.

First, log in at https://zoom.us/signin and head to your settings at https://zoom.us/profile/setting.

* In the "Meeting" tab:
1. Set "Audio Type" to "Computer Audio". This will block people from using their phone to join a meeting - but that's required if you want to use End-to-End encryption all the time. Phones can't do encryption.
1. Make sure "Use Personal Meeting ID (PMI) when scheduling a meeting" is disabled. The PMI is a meeting ID that never changes, so don't use it. It should be disabled by default, but make sure.
1. Enable "Require a password for Personal Meeting ID (PMI)", so people can't join via your PMI even if you accidentally share it.
1. Make sure "Join before host" is disabled. If enabled, people can join your meetings before a host is there - meaning there won't be moderation.
1. Enable "Play sound when participants join or leave". That's useful, as everyone will be aware when someone joins unexpectedly.
1. Enable "Require Encryption for 3rd Party Endpoints (H323/SIP)".
* In the "Recording" tab:
1. Disable "Cloud recording". You can still record meetings to your local disk, but there is no need to store potentially private conversations on Zoom's servers.

If you have a more "presentation"-like format scheduled, where only you or a small number of presenters will be speaking to a high number of consuming participants, there are a couple of additional tips in addition to the settings above:

* Before the meeting: Require people to sign-up and collect their eMail addresses. Do not share the join-link publicly, and only send the credentials via eMail to the people who signed up.
* In the "Meeting" tab:
1. Enable "Mute participants upon entry" - this will force-mute everyone joining. You will have the option to decide whether people can speak or not.
1. Enable "Co-host" and promote someone you trust as Co-host to assist with muting/unmuting people as needed.
1. Set "Screen sharing" to "Host-Only" to avoid random people sharing their screens, which can be used for abuse. Promote people who need to share as Co-hosts, if you trust them.
1. Enable "Nonverbal feedback". This is useful if you have force-muted everyone. People can raise their hands if they want to say something, allowing you to unmute people for a short period.
1. Enable "Waiting room" for all participants if the nature of the call is sensitive/private. This means that people will not be able to join your meeting directly, but will be placed in a virtual waiting room, waiting for you to approve them to join the meeting. If you enable this, make sure to keep an eye on the participant list to avoid missing someone.
1. Make sure "Allow removed participants to rejoin" is disabled. This means that people that got kicked out of the meeting will not be able to rejoin, even if they know the credentials.
Wenn du zuhause festsitzt und Zoom als das Tool deiner Wahl für Videokonferenzen und Videotelefonate entdeckt hast, mach dir nicht zu viel Sorgen und bleibe dabei. Es ist wichtiger, ein Tool zu haben, dass stressfrei und problemlos die Aufgabe erledigt, als sich stundenlang mit Alternativen zu schlagen. Hier sind einige Tipps, wie du deine Meetings für dich und deine Teilnehmerinnen sicherer gestalten kannst.

Als Erstes, melde dich auf https://zoom.us/signin an und rufe deine Einstellungen unter https://zoom.us/profile/setting auf.

* Im "Meeting"-Tab:
1. Setze "Audiotyp" auf "Computeraudio". Damit deaktivierst du zwar die Möglichkeit, über ein Telefon am Meeting teilzunehmen, aber das ist wichtig, wenn du Ende-zu-Ende-Verschlüsselung verwenden willst. Telefone verstehen keine Verschlüsselung.
1. Stelle sicher, dass "Beim Planen eines Meetings die persönliche Meeting-ID (PMI) verwenden" nicht aktiv ist. Deine PMI ist eine Meeting-ID, die sich nie ändert, also sollte man davon besser die Finger lassen.
1. Schalte "Bei Personal-Meeting-ID (PMI) Kennwort verlangen" an, falls man doch mal versehentlich die fixe PMI weitergibt. Mit Kennwort kann dann trotzdem niemand das Meeting betreten.
1. Deaktiviere "Beitritt vor Moderator", dann können deine Gäste das Meeting erst betreten, wenn du da bist. Ist diese Option deaktiviert, können Leute ohne Moderation das Meeting betreten.
1. Aktiviere "Sound wiedergeben, wenn Teilnehmer teilnehmen oder verlassen". Dann wird immer, wenn eine Teilnehmerin beitritt, ein Ton für alle abgespielt. Damit wissen alle, wenn unerwartet jemand dazu kommt.
1. Aktiviere "Verschlüsselung für Endpunkte von Drittanbietern erforderlich (H323/SIP)".
* Im "Aufzeichnung"-Tab:
1. "Cloud-Aufzeichnung" ausschalten. Du kannst das Meeting immernoch auf deine Festplatte aufnehmen, aber es gibt keinen Grund, potenziell private Gespräche auf Zoom's Servern zu speichern.

Wenn man ein "vortragsähliches" Ding geplant hat, also ein Format in dem eine kleine Gruppe an Leuten aktiv zu einer großen, ggf. öffentlichen Gruppe spricht, gibt es zu den Einstellungen oben noch ein paar weitere Tipps:

* Vor dem Meeting: Stelle sicher, dass sich alle Teilnehmerinnen vor der Veranstaltung anmelden und sammle eMail-Adressen. Verteile den Zoom-Link oder die Meetingdaten dann nicht öffentlich, sondern nur per eMail an angemeldete Personen.
* Im "Meeting"-Tab:
1. Aktiviere "Teilnehmer beim Beitritt stumm schalten". Du hast dann bei jedem Meeting die Option, zu entscheiden, ob sich Teilnehmerinnen entstummen dürfen oder ob du das Sprechrecht einzeln vergeben willst.
1. Schalte "Co-Moderator" ein und befördere einer Person, der du vertraust, als Co-Moderator. Diese Person hat dann ebenfalls das Recht, Leute stummzuschalten oder zu kicken, und kann dir arbeit abnehmen.
1. Setze "Bildschirmübertragung" so, dass nur der Host den Bildschirm freigeben darf. Das verhindert, dass Leute ihren Bildschirm freigeben, um "Inhalte" zu präsentieren. Leute, die Vortragen müssen, können zum Co-Moderator befördert werden.
1. Aktiviere "Feedback ohne Worte". Das ist nützlich, damit Leute "die Hand heben können" wenn sie etwas sagen wollen - und dann kannst du als Host sie Entstummschalten und sie können reden.
1. Schalte den "Warteraum" für alle Teilnehmerinnen an, wenn das Gespräch persönlich ist. Das bedeutet, dass alle neuen Teilnehmerinnen in einen virtuellen Warteraum gesetzt werden, und die Moderatoren haben die Möglichkeit, diese Leute dann in das Meeting zu holen. Wenn du diese Option aktivierst, achte darauf, die Teilnehmerliste im Blick zu halten, damit du niemanden übersiehst.
1. Stelle sicher, dass "Entfernten Teilnehmern den erneuten Beitritt erlauben" deaktiviert ist. Das bedeutet, dass Leute, die aus dem Meeting geworfen wurden, nicht wieder beitreten können, auch wenn sie die Zugangsdaten kennen.
#zoom #privacy #security
 
(German translation below.)

If you're stuck at home and use Zoom as a video conferencing solution that works for you, that's fine. Keep using it. Here are some options you might want to check to enhance the overall security of your and your guests.

First, log in at https://zoom.us/signin and head to your settings at https://zoom.us/profile/setting.

* In the "Meeting" tab:
1. Set "Audio Type" to "Computer Audio". This will block people from using their phone to join a meeting - but that's required if you want to use End-to-End encryption all the time. Phones can't do encryption.
1. Make sure "Use Personal Meeting ID (PMI) when scheduling a meeting" is disabled. The PMI is a meeting ID that never changes, so don't use it. It should be disabled by default, but make sure.
1. Enable "Require a password for Personal Meeting ID (PMI)", so people can't join via your PMI even if you accidentally share it.
1. Make sure "Join before host" is disabled. If enabled, people can join your meetings before a host is there - meaning there won't be moderation.
1. Enable "Play sound when participants join or leave". That's useful, as everyone will be aware when someone joins unexpectedly.
1. Enable "Require Encryption for 3rd Party Endpoints (H323/SIP)".
* In the "Recording" tab:
1. Disable "Cloud recording". You can still record meetings to your local disk, but there is no need to store potentially private conversations on Zoom's servers.

If you have a more "presentation"-like format scheduled, where only you or a small number of presenters will be speaking to a high number of consuming participants, there are a couple of additional tips in addition to the settings above:

* Before the meeting: Require people to sign-up and collect their eMail addresses. Do not share the join-link publicly, and only send the credentials via eMail to the people who signed up.
* In the "Meeting" tab:
1. Enable "Mute participants upon entry" - this will force-mute everyone joining. You will have the option to decide whether people can speak or not.
1. Enable "Co-host" and promote someone you trust as Co-host to assist with muting/unmuting people as needed.
1. Set "Screen sharing" to "Host-Only" to avoid random people sharing their screens, which can be used for abuse. Promote people who need to share as Co-hosts, if you trust them.
1. Enable "Nonverbal feedback". This is useful if you have force-muted everyone. People can raise their hands if they want to say something, allowing you to unmute people for a short period.
1. Enable "Waiting room" for all participants if the nature of the call is sensitive/private. This means that people will not be able to join your meeting directly, but will be placed in a virtual waiting room, waiting for you to approve them to join the meeting. If you enable this, make sure to keep an eye on the participant list to avoid missing someone.
1. Make sure "Allow removed participants to rejoin" is disabled. This means that people that got kicked out of the meeting will not be able to rejoin, even if they know the credentials.
Wenn du zuhause festsitzt und Zoom als das Tool deiner Wahl für Videokonferenzen und Videotelefonate entdeckt hast, mach dir nicht zu viel Sorgen und bleibe dabei. Es ist wichtiger, ein Tool zu haben, dass stressfrei und problemlos die Aufgabe erledigt, als sich stundenlang mit Alternativen zu schlagen. Hier sind einige Tipps, wie du deine Meetings für dich und deine Teilnehmerinnen sicherer gestalten kannst.

Als Erstes, melde dich auf https://zoom.us/signin an und rufe deine Einstellungen unter https://zoom.us/profile/setting auf.

* Im "Meeting"-Tab:
1. Setze "Audiotyp" auf "Computeraudio". Damit deaktivierst du zwar die Möglichkeit, über ein Telefon am Meeting teilzunehmen, aber das ist wichtig, wenn du Ende-zu-Ende-Verschlüsselung verwenden willst. Telefone verstehen keine Verschlüsselung.
1. Stelle sicher, dass "Beim Planen eines Meetings die persönliche Meeting-ID (PMI) verwenden" nicht aktiv ist. Deine PMI ist eine Meeting-ID, die sich nie ändert, also sollte man davon besser die Finger lassen.
1. Schalte "Bei Personal-Meeting-ID (PMI) Kennwort verlangen" an, falls man doch mal versehentlich die fixe PMI weitergibt. Mit Kennwort kann dann trotzdem niemand das Meeting betreten.
1. Deaktiviere "Beitritt vor Moderator", dann können deine Gäste das Meeting erst betreten, wenn du da bist. Ist diese Option deaktiviert, können Leute ohne Moderation das Meeting betreten.
1. Aktiviere "Sound wiedergeben, wenn Teilnehmer teilnehmen oder verlassen". Dann wird immer, wenn eine Teilnehmerin beitritt, ein Ton für alle abgespielt. Damit wissen alle, wenn unerwartet jemand dazu kommt.
1. Aktiviere "Verschlüsselung für Endpunkte von Drittanbietern erforderlich (H323/SIP)".
* Im "Aufzeichnung"-Tab:
1. "Cloud-Aufzeichnung" ausschalten. Du kannst das Meeting immernoch auf deine Festplatte aufnehmen, aber es gibt keinen Grund, potenziell private Gespräche auf Zoom's Servern zu speichern.

Wenn man ein "vortragsähliches" Ding geplant hat, also ein Format in dem eine kleine Gruppe an Leuten aktiv zu einer großen, ggf. öffentlichen Gruppe spricht, gibt es zu den Einstellungen oben noch ein paar weitere Tipps:

* Vor dem Meeting: Stelle sicher, dass sich alle Teilnehmerinnen vor der Veranstaltung anmelden und sammle eMail-Adressen. Verteile den Zoom-Link oder die Meetingdaten dann nicht öffentlich, sondern nur per eMail an angemeldete Personen.
* Im "Meeting"-Tab:
1. Aktiviere "Teilnehmer beim Beitritt stumm schalten". Du hast dann bei jedem Meeting die Option, zu entscheiden, ob sich Teilnehmerinnen entstummen dürfen oder ob du das Sprechrecht einzeln vergeben willst.
1. Schalte "Co-Moderator" ein und befördere einer Person, der du vertraust, als Co-Moderator. Diese Person hat dann ebenfalls das Recht, Leute stummzuschalten oder zu kicken, und kann dir arbeit abnehmen.
1. Setze "Bildschirmübertragung" so, dass nur der Host den Bildschirm freigeben darf. Das verhindert, dass Leute ihren Bildschirm freigeben, um "Inhalte" zu präsentieren. Leute, die Vortragen müssen, können zum Co-Moderator befördert werden.
1. Aktiviere "Feedback ohne Worte". Das ist nützlich, damit Leute "die Hand heben können" wenn sie etwas sagen wollen - und dann kannst du als Host sie Entstummschalten und sie können reden.
1. Schalte den "Warteraum" für alle Teilnehmerinnen an, wenn das Gespräch persönlich ist. Das bedeutet, dass alle neuen Teilnehmerinnen in einen virtuellen Warteraum gesetzt werden, und die Moderatoren haben die Möglichkeit, diese Leute dann in das Meeting zu holen. Wenn du diese Option aktivierst, achte darauf, die Teilnehmerliste im Blick zu halten, damit du niemanden übersiehst.
1. Stelle sicher, dass "Entfernten Teilnehmern den erneuten Beitritt erlauben" deaktiviert ist. Das bedeutet, dass Leute, die aus dem Meeting geworfen wurden, nicht wieder beitreten können, auch wenn sie die Zugangsdaten kennen.
#zoom #privacy #security
 

Jackie Singh✨ auf Twitter: "Now that’s what I call a combination lock! https://t.co/mYGYHsRx1T" / Twitter


Maximum #security #lock !

https://twitter.com/find_evil/status/1241717265038479360

Twitter: IanWatson on Twitter (IanWatson)

 

Jackie Singh✨ auf Twitter: "Now that’s what I call a combination lock! https://t.co/mYGYHsRx1T" / Twitter


Maximum #security #lock !

https://twitter.com/find_evil/status/1241717265038479360

Twitter: IanWatson on Twitter (IanWatson)

 
Hackers can clone millions of Toyota, Hyundai, and Kia keys | Ars Technica

Anyone got a car with keyless go?
#security #toyota #hyundai #kia
 
FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more • The Register

That's a lot of content
#security #data
 
"A Virgin Media database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, the company has admitted."

The breach was not due to a hack or a criminal attack, but because the database had been "incorrectly configured" by a member of staff not following the correct procedures, Virgin Media said.
Which shows yet again people still don't get that digital security is not about giving people enormous power and writing a policy and process document that basically says thou shalt not f**k up.

A database does not spend 10 months unsecured because it was "incorrectly configured". It gets to spend 10 months unsecured becasuse a) your 'process' allowed the mistake to be made in the first place and didn't have enough automated and human checking and b) more importantly because someone didn't have effective monitoring and regular scanning of their assets in place to catch the problem later and sound the alarm.

An industrial site does not get burgled "because someone left the window opened for 10 months", it gets burgled because someone didn't have their security doing basic commonsense daily checks and closing it". Ditto in digital space.

#security #rant #virgin #verminmedia
 
"A Virgin Media database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, the company has admitted."

The breach was not due to a hack or a criminal attack, but because the database had been "incorrectly configured" by a member of staff not following the correct procedures, Virgin Media said.
Which shows yet again people still don't get that digital security is not about giving people enormous power and writing a policy and process document that basically says thou shalt not f**k up.

A database does not spend 10 months unsecured because it was "incorrectly configured". It gets to spend 10 months unsecured becasuse a) your 'process' allowed the mistake to be made in the first place and didn't have enough automated and human checking and b) more importantly because someone didn't have effective monitoring and regular scanning of their assets in place to catch the problem later and sound the alarm.

An industrial site does not get burgled "because someone left the window opened for 10 months", it gets burgled because someone didn't have their security doing basic commonsense daily checks and closing it". Ditto in digital space.

#security #rant #virgin #verminmedia
 
Concerned with #security ? #NetBSD includes #Postfix as its mail agent.
 
#eff #letsencrypt #security #tls #https
 
#eff #letsencrypt #security #tls #https
 
OMG. Just… no.

#InternetOfShit #IoT #TroyHunt #Security #InfoSec #RemoteControlDetonator
 
OMG. Just… no.

#InternetOfShit #IoT #TroyHunt #Security #InfoSec #RemoteControlDetonator
 

FBI recommends passphrases over password complexity | ZDNet


Correct horse battery staple

#password #security
 
Bild/Foto

Private WhatsApp groups visible in Google searches

Your #WhatsApp groups may not be as secure as you think they are


Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.

Does #Google care about your privacy and security? No.

Does #Facebook honestly care about your privacy and security? No.

https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603

#Facebook #chat #apps #privacy #security #surveillance #messaging #im
 
Bild/Foto

Private WhatsApp groups visible in Google searches

Your #WhatsApp groups may not be as secure as you think they are


Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.

Does #Google care about your privacy and security? No.

Does #Facebook honestly care about your privacy and security? No.

https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603

#Facebook #chat #apps #privacy #security #surveillance #messaging #im
 
Bild/Foto

Private WhatsApp groups visible in Google searches

Your #WhatsApp groups may not be as secure as you think they are


Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.

Does #Google care about your privacy and security? No.

Does #Facebook honestly care about your privacy and security? No.

https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603

#Facebook #chat #apps #privacy #security #surveillance #messaging #im
 

SHA-1 is a Shambles

First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust


https://eprint.iacr.org/2020/014.pdf

Below is the abstract from the article. The most concerning thing here is the ability to forge signatures of keys. As you know if you read my posts, I have always argued that we should never sign other people's keys. Even without the problem of possible forged signatures using the technique in the article, key-signing harms privacy.

The only key signature created by EasyGPG is the signature on a newly created key pair.

printf "${newkeyattr}" | env TZ=UTC gpg --homedir "${keydir}" --batch --use-agent --cert-digest-algo "SHA512" --s2k-cipher-algo "AES256" --s2k-digest-algo "SHA512" --s2k-mode 3 --s2k-count 32000000 --status-file "${temp}" --gen-key 2> /dev/null

Notice that SHA512 is used. As for signatures on messages and encrypted files, see below (after the abstract). EasyGPG always uses SHA512.

Abstract. The SHA-1 hash function was designed in 1995 and has been widely used
during two decades. A theoretical collision attack was first proposed in 2004 [WYY05],
but due to its high complexity it was only implemented in practice in 2017, using
a large GPU cluster [SBK + 17]. More recently, an almost practical chosen-prefix
collision attack against SHA-1 has been proposed [LP19]. This more powerful attack
allows to build colliding messages with two arbitrary prefixes, which is much more
threatening for real protocols.
In this paper, we report the first practical implementation of this attack, and its
impact on real-world security with a PGP/GnuPG impersonation attack. We managed
to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia
GTX 970, identical-prefix collisions can now be computed with a complexity of 2 61.2
rather than 2 64.7 , and chosen-prefix collisions with a complexity of 2 63.4 rather than
2 67.1 . When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,
and 45k US$ for a chosen-prefix collision, within the means of academic researchers.
Our actual attack required two months of computations using 900 Nvidia GTX 1060
GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time
preparing the attack).
Therefore, the same attacks that have been practical on MD5 since 2009 are now
practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes
and handshake security in secure channel protocols (TLS, SSH). We strongly advise
to remove SHA-1 from those type of applications as soon as possible.
We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different
identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can
therefore be transferred to the second key, leading to a forgery. This proves that
SHA-1 signatures now offers virtually no security in practice. The legacy branch of
GnuPG still uses SHA-1 by default for identity certifications, but after notifying the
authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as
CVE-2019-14855).
Keywords:
$ grep "gpg" easygpg.sh | grep " -s " 
  encryptedText=`printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty -` 
  printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - | xclip -i -selection clipboard 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -a -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
    tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" -a --trust-model always -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" - 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}" 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography
 

SHA-1 is a Shambles

First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust


https://eprint.iacr.org/2020/014.pdf

Below is the abstract from the article. The most concerning thing here is the ability to forge signatures of keys. As you know if you read my posts, I have always argued that we should never sign other people's keys. Even without the problem of possible forged signatures using the technique in the article, key-signing harms privacy.

The only key signature created by EasyGPG is the signature on a newly created key pair.

printf "${newkeyattr}" | env TZ=UTC gpg --homedir "${keydir}" --batch --use-agent --cert-digest-algo "SHA512" --s2k-cipher-algo "AES256" --s2k-digest-algo "SHA512" --s2k-mode 3 --s2k-count 32000000 --status-file "${temp}" --gen-key 2> /dev/null

Notice that SHA512 is used. As for signatures on messages and encrypted files, see below (after the abstract). EasyGPG always uses SHA512.

Abstract. The SHA-1 hash function was designed in 1995 and has been widely used
during two decades. A theoretical collision attack was first proposed in 2004 [WYY05],
but due to its high complexity it was only implemented in practice in 2017, using
a large GPU cluster [SBK + 17]. More recently, an almost practical chosen-prefix
collision attack against SHA-1 has been proposed [LP19]. This more powerful attack
allows to build colliding messages with two arbitrary prefixes, which is much more
threatening for real protocols.
In this paper, we report the first practical implementation of this attack, and its
impact on real-world security with a PGP/GnuPG impersonation attack. We managed
to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia
GTX 970, identical-prefix collisions can now be computed with a complexity of 2 61.2
rather than 2 64.7 , and chosen-prefix collisions with a complexity of 2 63.4 rather than
2 67.1 . When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,
and 45k US$ for a chosen-prefix collision, within the means of academic researchers.
Our actual attack required two months of computations using 900 Nvidia GTX 1060
GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time
preparing the attack).
Therefore, the same attacks that have been practical on MD5 since 2009 are now
practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes
and handshake security in secure channel protocols (TLS, SSH). We strongly advise
to remove SHA-1 from those type of applications as soon as possible.
We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different
identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can
therefore be transferred to the second key, leading to a forgery. This proves that
SHA-1 signatures now offers virtually no security in practice. The legacy branch of
GnuPG still uses SHA-1 by default for identity certifications, but after notifying the
authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as
CVE-2019-14855).
Keywords:
$ grep "gpg" easygpg.sh | grep " -s " 
  encryptedText=`printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty -` 
  printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - | xclip -i -selection clipboard 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -a -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
    tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" -a --trust-model always -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" - 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}" 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography
 

#UK #police deny responsibility for poster urging parents to report kids for using #Kali #Linux


source: https://www.zdnet.com/article/uk-police-distance-themselves-from-poster-warning-parents-to-report-kids-for-using-kali-linux/
Virtual machines, the #Tor Browser, Kali Linux, #WiFi Pineapple, #Discord, and #Metasploit are all deemed terrible finds and the poster urges parents to call the cops "so we can give advice and engage them into positive diversions."
Just a few years ago I would have been burnt at the stake.

#Danger #Warning #fail #Technology #Security #Crime #Cyber #children #news
 

#UK #police deny responsibility for poster urging parents to report kids for using #Kali #Linux


source: https://www.zdnet.com/article/uk-police-distance-themselves-from-poster-warning-parents-to-report-kids-for-using-kali-linux/
Virtual machines, the #Tor Browser, Kali Linux, #WiFi Pineapple, #Discord, and #Metasploit are all deemed terrible finds and the poster urges parents to call the cops "so we can give advice and engage them into positive diversions."
Just a few years ago I would have been burnt at the stake.

#Danger #Warning #fail #Technology #Security #Crime #Cyber #children #news
 
Shared via Fedilab @realramnit@chaos.social 🔗 https://chaos.social/users/realramnit/statuses/103645804448003773

Die Loki-Foundation hat sich den #Signal-Quellcode genommen und eine der größten Schwächen des Messengers entfernt - die Telefonnummernabhängigkeit!

Außerdem routen sie sämtlichen Traffic durch Tor. Das macht "Session" - wie der neue Messenger getauft wurde - zu einem interessanten Delta-Chat-Konkurrenten.

https://getsession.org/

#Session #Signal #Messenger #Chat # Privacy #Security

chaos.social: Matthias Kneiss (@realramnit@chaos.social) (Matthias Kneiss)

 
Shared via Fedilab @realramnit@chaos.social 🔗 https://chaos.social/users/realramnit/statuses/103645804448003773

Die Loki-Foundation hat sich den #Signal-Quellcode genommen und eine der größten Schwächen des Messengers entfernt - die Telefonnummernabhängigkeit!

Außerdem routen sie sämtlichen Traffic durch Tor. Das macht "Session" - wie der neue Messenger getauft wurde - zu einem interessanten Delta-Chat-Konkurrenten.

https://getsession.org/

#Session #Signal #Messenger #Chat # Privacy #Security

chaos.social: Matthias Kneiss (@realramnit@chaos.social) (Matthias Kneiss)

 
Bild/Foto
This image is typical of the current state of #cyber #security.

#code #source #lol #fail #fun #humor
 
Seems like #elasticsearch is the new #mongodb
How come people don't secure their installations?#
#security
 
Oops
#starbucks #security
 

media.ccc.de - Hirne Hacken


Sehr sehenswerter Votrag über die "Schwachstelle Mensch" im Bereich Passwortischerheit.
#security #36C3 #psychologie

media.ccc.de: Hirne Hacken

 
#centos #security
CentOS 8: sechs Wochen ohne Updates
 
#WordPress 5.3.1 #Security and Maintenance Release
WordPress 5.3.1 Security and Maintenance Release
 
Das Hersteller immer noch nicht verstanden haben, daß dies die schlechteste aller Strategien im Umgang mit Sicherheitslücken ist.

Mal von dem Umstand abgesehen, daß unverschlüsselte Kommunikation seit mindestens fünf Jahren obsolet sein sollte.

Ja, das war das böse Konjunktiv: sollte.

Update ohne Auth auf dem Zielserver? Unverschlüsselt?
Da ist dann aber doch wenigstens die Updatedatei durch Signaturen geschützt, oder?
Ein Angreifer hätte nun versuchen können, diesen Hash selbst zu berechnen. Aber das war gar nicht notwendig. In unseren Tests reichte es bereits, den entsprechenden Eintrag namens "dirhash" leer zu lassen. Einen leeren Wert akzeptierte Quincy als gültig und führte anschließend die von uns manipulierte setup.exe aus. Der Angriff funktionierte auf diese Weise mit der Version von Quincy, die zum Zeitpunkt unserer Tests Ende Oktober aktuell war
https://glm.io/145428

#FrauStreisand #Security #Software

Hersteller um Stellungnahme gebeten, Anwaltskanzlei antwortet https://www.golem.de/print.php?a=145428 RT Dr. Streisand bitte zur Post-Mortem-Analyse in Station 23, Dr. Streisand bitte https://twitter.com/nitram2342/status/1204531431214637058 #Quincy
Europa 
 

Datenleck: Daten von 20 Millionen Mixcloud-Nutzern im Darknet - Golem.de


@Herr Von Sinnen Nutzt du nicht den Dienst?

#mixcloud #security #leak
 
Officials warn about the dangers of using public USB charging stations | ZDNet

Using USB condoms...
#usb #security
 

How terrible software design decisions led to Uber’s deadly 2018 crash


https://arstechnica.com/cars/2019/11/how-terrible-software-design-decisions-led-to-ubers-deadly-2018-crash/
The NTSB report includes a second-by-second timeline showing what the software was "thinking" as it approached Herzberg, who was pushing a bicycle across a multi-lane road far from any crosswalk:

- 5.2 seconds before impact, the system classified her as an "other" object.
- 4.2 seconds before impact, she was reclassified as a vehicle.
- Between 3.8 and 2.7 seconds before impact, the classification alternated several times between "vehicle" and "other."
- 2.6 seconds before impact, the system classified Herzberg and her bike as a bicycle.
- 1.5 seconds before impact she became "unknown."
- 1.2 seconds before impact she became a "bicycle" again.
#uber, #security, #self-driving-car
 

How terrible software design decisions led to Uber’s deadly 2018 crash


https://arstechnica.com/cars/2019/11/how-terrible-software-design-decisions-led-to-ubers-deadly-2018-crash/
The NTSB report includes a second-by-second timeline showing what the software was "thinking" as it approached Herzberg, who was pushing a bicycle across a multi-lane road far from any crosswalk:

- 5.2 seconds before impact, the system classified her as an "other" object.
- 4.2 seconds before impact, she was reclassified as a vehicle.
- Between 3.8 and 2.7 seconds before impact, the classification alternated several times between "vehicle" and "other."
- 2.6 seconds before impact, the system classified Herzberg and her bike as a bicycle.
- 1.5 seconds before impact she became "unknown."
- 1.2 seconds before impact she became a "bicycle" again.
#uber, #security, #self-driving-car
 
#OPNsense 19.7.6 released opnsense.org/opnsense-19-7-… #security #update
OPNsense 19.7.6 released
 
/* Somit ist startpage nun verbrannt */ #security
Startpage verkauft Firmen-Anteile an System1 LLC
Startpage verkauft Firmen-Anteile an System1 LLC
 
.WAVs Hide Malware in Their Depths in Innovative Campaign | Threatpost
#security creative
.WAVs Hide Malware in Their Depths in Innovative Campaign
 

Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising


#security #socialnetworks #electronicfrontierfoundation #eff #digitalrights #digitalprivacy
posted by pod_feeder_v2
 

Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising


#security #socialnetworks #electronicfrontierfoundation #eff #digitalrights #digitalprivacy
posted by pod_feeder_v2
 
Later posts Earlier posts