Improve accessibility ♿ of your Fediverse posts:

– Set a description for images and media.
– Capitalize the first character of each word in your hashtags.

For your websites, see the Web Content Accessibility Guidelines (WCAG): w3.org/TR/WCAG22/.

There are some useful accessibility tools on w3.org/WAI/ER/tools/.

Crates.io (Rust programming language) – all API keys revoked:

zdnet.com/article/rust-program

– Two issues are addressed by the revocation: For generating API keys, a not-so-random number generator was used + API keys for the packages were stored in cleartext.
– If you published any crates packages on crates.io, you need to generate new API keys.
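
As an added illustration (not crates.io's own code) of the two weaknesses named above, the following Python shows the flawed pattern, a seeded general-purpose PRNG, next to a hardened key store that draws keys from the OS CSPRNG and keeps only a digest; the `KeyStore` name and its methods are hypothetical.

```python
import hashlib
import hmac
import random
import secrets

# Added example, not crates.io's own code: the two weaknesses named in the
# post (predictable key generation, cleartext key storage) beside a hardened
# version. KeyStore and its methods are hypothetical names.

TOKEN_BYTES = 32  # 256 bits of entropy per API key


def weak_generate_key(seed: int) -> str:
    """Flawed pattern: a general-purpose PRNG (Mersenne Twister) seeded from a
    small value. Anyone who can guess the seed regenerates the same key."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def generate_key() -> str:
    """Hardened: draw the key from the OS CSPRNG via the secrets module."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def key_digest(key: str) -> str:
    """Store only a one-way digest so a database leak yields no usable keys."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Minimal store mapping a user to a key digest, never the cleartext key."""

    def __init__(self):
        self._digests = {}

    def issue(self, user: str) -> str:
        key = generate_key()
        self._digests[user] = key_digest(key)
        return key  # shown to the user exactly once; not retained

    def verify(self, user: str, presented: str) -> bool:
        stored = self._digests.get(user)
        if stored is None:
            return False
        # constant-time comparison avoids a timing side channel
        return hmac.compare_digest(stored, key_digest(presented))

    def stores_cleartext(self, key: str) -> bool:
        """True only if the raw key itself ended up in the store."""
        return key in self._digests.values()
```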

InfoSec Handbook – AMA event: We categorized about 20 questions and answers to share them with everybody:

infosec-handbook.eu/blog/2020-

Feel free to send your questions about InfoSec topics (via e-mail or here). The event ends on July 23, 2020.

Just a very short comment on Signal discussions:

– Signal already stored encrypted data on their servers for a long time.
– Some people say the strength of the PIN is always "4 digits." This isn't true: you can set a long and strong password.
– Most other messengers (including "alternatives") store your data in cleartext on their servers and require setting passwords, too.

Besides, stay open-minded and don't create a toxic "us vs. them" mentality.

InfoSec Handbook – AMA event:

Beginning tomorrow, we host our first “Ask Me Anything” (AMA) event. The rules are simple: Ask us anything; don’t be afraid to ask.

– Start: Monday, July 13
– End: Thursday, July 23
– What can I ask? “Anything.” However, a focus on information security is appreciated.
– Where can I ask? E-mail us or ask in the Fediverse.
– Who answers my questions? Jakub and Benjamin.

You can already ask questions! 👍

Our delayed Monthly review, June 2020:

infosec-handbook.eu/blog/2020-

– news: changing passwords, Webbkoll detects reporting APIs, Turris OS 5.0
– internal: 2020 spring cleaning (part 2)
– Our first Ask Me Anything (AMA) event

Signal Android – How to disable the Signal PIN?

– You need Signal Android 4.66.1 beta or newer.
– Go to "Settings" → "Advanced" → "Advanced PIN settings" → "Disable PIN"
– Disabling the PIN also disables Registration Lock (against SIM swapping attacks), and requires you to manually back up and restore.

Misissued intermediate CA certificates for OCSP signing:

mail-archive.com/dev-security-

– Nearly 300 intermediate CA certificates must be renewed due to being issued incorrectly.
– You can check if you are affected using this script: github.com/hannob/badocspcert
– Alternatively, use hardenize.com: hardenize.com/blog/revocation-

Tails 4.8 (Tor-focussed operating system) released:

tails.boum.org/news/version_4.

– Updates for Linux (5.6.0), Tor Browser (9.5.1), and Thunderbird (68.9.0).
– The "Unsafe Browser" is now disabled by default since it can be used to deanonymize Tails users.

Tor Browser 9.5.1 released, fixes several security vulnerabilities:

blog.torproject.org/new-releas

– Based on FF 68.10.0esr.
– Updates for NoScript (11.0.32).
– Includes several bug fixes.

Firefox 78 available, includes a Protections Dashboard:

mozilla.org/en-US/firefox/78.0

– There is a new Protections Dashboard at about:protections. The dashboard gives an insight into tracking protection, data breaches, and password management.
– The Extended Support Release (ESR) is also updated to version 78, introducing the changes of the previous releases to ESR.
– All remaining DHE-based TLS cipher suites are disabled by default. TLS 1.0 and 1.1 are disabled (again).

Our "Monthly review – June 2020" will be published next week.

Furthermore, we plan to include some information regarding the already-announced Ask Me Anything (AMA) event in July.

Malicious JavaScript in image metadata used to steal data; then, images are used again to exfiltrate data:

blog.malwarebytes.com/threat-a

– Malware uses Exif metadata to inject JavaScript that steals data.
– Afterward, the data is exfiltrated as an image via GET/POST to another server.
– As a server admin, frequently update the server software, and monitor file integrity + network traffic. Moreover, set a strict Content Security Policy.

Malicious Docker containers used for cryptomining:

unit42.paloaltonetworks.com/cr

– The blog post describes six malicious Docker Hub images that were used for cryptomining, and gives an insight into the malicious code.
– The related Docker Hub account is disabled.
– Always ensure that you use software from trustworthy sources.

The state of OpenPGP key servers (or "server maintenance is crucial"):

theregister.com/2020/06/24/ope

If you want to use OpenPGP and publish your public OpenPGP key, use keys.openpgp.org/.
