Pinned toot

⚠️ Post-migration status ⚠️

InfoSec Handbook just moved from mastodon.at to chaos.social.

The built-in migration feature of Mastodon 3 didn't move all followers as expected. So if you are one of the remaining 275 followers of our old mastodon.at account, please follow our new account on chaos.social.

Background:
Today, the instance admin announced that mastodon.at will be shut down in 3 months. So we moved to a new home.

Malicious Python libraries stealing OpenPGP and SSH keys:

zdnet.com/article/two-maliciou

– Look for python3-dateutil, and jeIlyfish.
– Both modules try to exfiltrate SSH/OpenPGP keys and send them to an IP address.
– This is the third time the PyPI team has intervened to remove typo-squatted malicious Python libraries from the official repository.

Tor-focussed operating system Tails 4.1 released:

tails.boum.org/news/version_4.

– updates for Linux kernel (5.3.9), Tor Browser (9.0.2), Tor, Thunderbird (68.2.2), and Enigmail (2.1.3)
– keys.openpgp.org/ is now the default OpenPGP keyserver

Tor Browser 9.0.2 released, fixes several security vulnerabilities in Firefox:

blog.torproject.org/new-releas

– based on FF 68.3.0esr
– updates for NoScript, and HTTPS Everywhere
– several minor bug fixes
– provides properly localized Android bundles again

security.plist – A proposed standard which allows iOS applications to define security policies:

securityplist.ivrodriguez.com/

– iOS app developers create a new property file that contains standardized information for security researchers.
– The idea is very similar to security.txt, a proposed standard which allows websites to define security policies (securitytxt.org/).

Monthly review, November 2019:

infosec-handbook.eu/blog/2019-

– news: Attacks on RCS, VNC vulnerabilities, huge data leak (PDL and OxyData)
– tool: fscrypt
– 3 questions/answers

In July, we wrote about some legacy HTTP response headers like X-XSS-Protection (mastodon.at/@infosechandbook/1).

Recently, OWASP added this information to their cheat sheet about XSS prevention: github.com/OWASP/CheatSheetSer

So don't blindly set HTTP response headers but try to understand their purpose and check if they are still supported.

The Finnish Transport and Communications Agency Traficom launched a cyber security label for IoT devices:

kyberturvallisuuskeskus.fi/en/

– It guarantees that labeled devices have basic information security features.
– Certification criteria are based on ETSI EN 303 645.
– Also see tietoturvamerkki.fi/ (Finnish).

Public SSH keys can leak your private infrastructure:

rushter.com/blog/public-ssh-ke

"An attacker can grab a bunch of public keys from GitHub and run an internet-wide scan of SSH servers on all IPv4 addresses. … For most people, that is not a big deal, but for some companies with critical and industrial infrastructure, this can be a problem."

All Splunk platforms need to be patched due to two bugs that result in wrong parsing of timestamps and possible data loss:

docs.splunk.com/Documentation/

– This issue affects all unpatched Splunk platform instance types, on any operating system.
– Splunk Cloud customers will receive the fix automatically; on-premises customers need to update or modify their setup.

GnuPG 2.2.18 available:

gnupg.org/download/

– GnuPG 2.2.18 can also use non-OpenPGP cards. The commands --full-gen-key and --quick-gen-key can be used to directly create keys on supported cards.
– All SHA-1-based key signatures newer than 2019-01-19 are removed from the web-of-trust as a precaution against chosen-prefix SHA-1 collisions.

Did you know? We are also on Keybase:
keybase.io/team/infosec_news

This is a read-only mirror of our former Mastodon account (mastodon.at) and our new account here on chaos.social. So if you use Keybase, you can also get all InfoSec news there.

There is also the channel of @privacytools: keybase.io/team/privacytools_i

Kali Linux 2019.4 available:

kali.org/news/kali-linux-2019-

– Based on Linux kernel 5.3.9.
– The default desktop environment is Xfce now, and there is a new GTK3 theme.
– There is a new "undercover mode" (some of you may remember the famous boss key!).
– Furthermore, documentation is now Git-based, the root filesystem uses BTRFS, and there is NetHunter KeX for Android.

CNAME Cloaking – the next level of ad blocker evasion to track you:

medium.com/nextdns/cname-cloak

adguard.com/en/blog/disguised-

– Some ad companies use DNS records to hide their identity.
– Web browsers likely can't detect this.
– uBlock Origin currently doesn't protect you against this, see github.com/uBlockOrigin/uBlock.
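As an added illustration (not from the post or the linked articles) of the check a DNS-level blocker can perform that a browser extension cannot: follow the CNAME chain of a first-party-looking hostname and flag it when the chain leaves the first party's registrable domain. All records and domain names below are constructed placeholders, and the eTLD+1 shortcut is an assumption.

```python
# Added example, not from the original post: offline illustration of how a
# DNS-level blocker can detect CNAME cloaking. Constructed records only; the
# domain names are placeholders, not real trackers.
from typing import Dict, List

# Constructed CNAME table: owner name -> canonical name. A name missing from
# the table is assumed to resolve directly to an address record (A/AAAA).
CNAME_RECORDS: Dict[str, str] = {
    "metrics.example-shop.com": "example-shop.tracker-cdn.example.net",
    "example-shop.tracker-cdn.example.net": "edge.tracker-cdn.example.net",
    "static.example-shop.com": "cdn.example-shop.com",  # first-party alias, benign
    "loop-a.example-shop.com": "loop-b.example-shop.com",  # misconfigured loop
    "loop-b.example-shop.com": "loop-a.example-shop.com",
}

def registrable_domain(name: str) -> str:
    """Approximate the eTLD+1 by keeping the last two labels (assumption:
    real resolvers use the Public Suffix List for this)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def follow_cname_chain(name: str, records: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Return the chain of names from the queried name to the final target.
    Stops on a CNAME loop or after max_hops so resolution always terminates."""
    chain = [name.lower()]
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]].lower()
        if nxt in chain:  # loop detected, stop here
            break
        chain.append(nxt)
    return chain

def detect_cloaking(name: str, records: Dict[str, str]) -> Dict[str, object]:
    """Flag a hostname whose CNAME chain leaves the first-party registrable
    domain. That is the pattern CNAME cloaking relies on: a subdomain that
    looks first-party but is an alias for a third-party tracker host."""
    chain = follow_cname_chain(name, records)
    first_party = registrable_domain(chain[0])
    third_party_hops = [h for h in chain[1:] if registrable_domain(h) != first_party]
    return {
        "chain": chain,
        "cloaked": bool(third_party_hops),
        "third_party": third_party_hops[0] if third_party_hops else None,
    }

if __name__ == "__main__":
    for host in ("metrics.example-shop.com", "static.example-shop.com"):
        print(host, detect_cloaking(host, CNAME_RECORDS))
```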

⚠️ New link of our Mastodon RSS feed ⚠️

Due to the migration of our account from mastodon.at to chaos.social, our RSS feed link changed to:

chaos.social/@infosechandbook.

If you haven't heard of InfoSec Handbook yet: We are a growing community of European information security professionals and privacy activists who like to share their knowledge for free.

Our blog is at infosec-handbook.eu/.

There is also a full-text feed for blog posts:

infosec-handbook.eu/blog/index
