Skip to main content

Search

Items tagged with: security


 
Microsoft warnt vor kritischer Sicherheitslücke in Windows

#Microsoft warnt vor zwei kritischen Sicherheitslücken in der Schriftenverwaltung der Adobe Type 1 Manager Bibliothek, die bereits ausgenutzt werden. Ein Angreifer kann über ein entsprechend präpariertes Dokument die Schwachstelle für eine Remote-Code-Aus­füh­rung nutzen. Betroffen sind alle #Windows-Versionen. http://blog.schockwellenreiter.de/2020/03/2020032402.html #Security
Bild/Foto

 

Jackie Singh✨ auf Twitter: "Now that’s what I call a combination lock! https://t.co/mYGYHsRx1T" / Twitter


Maximum #security #lock !

https://twitter.com/find_evil/status/1241717265038479360

Twitter: IanWatson on Twitter (IanWatson)


 

Jackie Singh✨ auf Twitter: "Now that’s what I call a combination lock! https://t.co/mYGYHsRx1T" / Twitter


Maximum #security #lock !

https://twitter.com/find_evil/status/1241717265038479360

Twitter: IanWatson on Twitter (IanWatson)


 

Jackie Singh✨ auf Twitter: "Now that’s what I call a combination lock! https://t.co/mYGYHsRx1T" / Twitter


Maximum #security #lock !

https://twitter.com/find_evil/status/1241717265038479360

Twitter: IanWatson on Twitter (IanWatson)


 
Regarding Jitsi Meet servers:
There is a recent trend to use Jitsi Meet, a JavaScript WebRTC application, for videoconferencing.

Please note that these video conferences aren't end-to-end encrypted. This means server-side parties can monitor your activity. If you want to use Jitsi hosted by others, look for a comprehensive privacy policy as always.

There could be additional legal requirements if you want to use third-party Jitsi servers for school or work.

#jitsi #privacy #security #infosec

 

Food Delivery Service in Germany Under DDoS Attack


#security #bleeping computer #bleepingcomputer #computers #technology #news #education #updates #tech
generated by pod_feeder_v2

 

Food Delivery Service in Germany Under DDoS Attack


#security #bleeping computer #bleepingcomputer #computers #technology #news #education #updates #tech
generated by pod_feeder_v2

 
Research Finds Microsoft Edge Has Privacy-Invading Telemetry




#BleepingComputer #Microsoft #Browser #Edge #Privacy #Security

 

Something is going on in #LA 😵


Source: https://twitter.com/cjjohnsonjr/status/1238868541689880576

#usa #fail #coronavirus #security #fear #gun

 
Bild/Foto
#disease #health #security

The Transportation Security Administration (TSA) will now allow passengers to bring on board hand sanitizer containers up to 12 ounces in size, which is much larger than the standard 3.4 ounces (100 milliliters) previously allowed.

The Verge reports:
There are some caveats, though. The updated policy only applies to hand sanitizer. And larger containers will be subject to additional screening by TSA agents, which will likely lead to increased wait times. So ask yourself before heading out to the airport: how much sanitizer do you really need? Airports are said to be stocking up on disinfectants and other cleaning equipment. Passengers are likely to see hand sanitizer stations everywhere at airports reflecting this new reality, so no worries for those who don't feel like lugging a huge bottle of the stuff on the plane with them.

 
Bild/Foto
#disease #health #security

The Transportation Security Administration (TSA) will now allow passengers to bring on board hand sanitizer containers up to 12 ounces in size, which is much larger than the standard 3.4 ounces (100 milliliters) previously allowed.

The Verge reports:
There are some caveats, though. The updated policy only applies to hand sanitizer. And larger containers will be subject to additional screening by TSA agents, which will likely lead to increased wait times. So ask yourself before heading out to the airport: how much sanitizer do you really need? Airports are said to be stocking up on disinfectants and other cleaning equipment. Passengers are likely to see hand sanitizer stations everywhere at airports reflecting this new reality, so no worries for those who don't feel like lugging a huge bottle of the stuff on the plane with them.

 

Telekom: T-Systems baut keine Konnektoren für E-Gesundheitskarte mehr - Golem.de


Rückzug oder Strategiewechsel? Eigene Konnektoren aus Hardware kommen nicht mehr von T-Systems.
Telekom: T-Systems baut keine Konnektoren für E-Gesundheitskarte mehr - Golem.de
#T-Systems #Datenschutz #Datensicherheit #Gesundheitskarte #Telematik #Server #Internet #Security

 

Telekom: T-Systems baut keine Konnektoren für E-Gesundheitskarte mehr - Golem.de


Rückzug oder Strategiewechsel? Eigene Konnektoren aus Hardware kommen nicht mehr von T-Systems.
Telekom: T-Systems baut keine Konnektoren für E-Gesundheitskarte mehr - Golem.de
#T-Systems #Datenschutz #Datensicherheit #Gesundheitskarte #Telematik #Server #Internet #Security

 
It is indeed interesting to skim through a webserver's logs and find entries obviously related to cheap #IoT door locks trying to download and run some external scripts on them.

Apparentlly the safest door lock of the future is a strictly mechanical one.

#attack #security

 
Hackers can clone millions of Toyota, Hyundai, and Kia keys | Ars Technica

Anyone got a car with keyless go?
#security #toyota #hyundai #kia

 
FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more • The Register

That's a lot of content
#security #data

 

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc • The Register


https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/

The short version here: A new vulnerability has been discovered in Intel's Converged Security and Manageability Engine (CSME), the embedded system that oversees management of Intel system chipsets (not processors, this time). The vulnerability is a DMA race that potentially allows hostile code to overwrite memory in the embedded management engine before the management engine enables memory protection on its own memory space. Key to the vulnerability is the fact that this memory protection is disabled by default until and unless the management engine enables it — i.e, it is unsafe by default, and fails unsafe.
During that timing gap, other hardware – physically attached or present on the motherboard – that is able to fire off a DMA transfer into the CSME's private RAM may do so, overwriting variables and pointers and hijacking its execution. At that point, the CSME can be commandeered for malicious purposes, all out of view of the software running above it.
The vulnerability is exploitable whenever the chipset is starting up. The chipset is vulnerable from the time the CSME boot ROM first initializes the memory page direvctory, up until the IOMMU (Input/Output Memory Management Unit) is turned on. Critically, this occurs not only at system boot time, but every time the CSME or the IOMMU resets.

What this means is that every time the CSME comes out of sleep mode, or any time the CSME is reset, it is briefly vulnerable to attack.
The CSME provides, among other things, something called Enhanced Privacy ID, or EPID. This is used for things like providing anti-piracy DRM protections, and Internet-of-Things attestation. The engine also provides TPM functions, which allow applications and operating system software to securely store and manage digital keys for things like file-system encryption. At the heart of this cryptography is a Chipset Key that is encrypted by another key baked into the silicon, and you can't do too much damage, it seems, until you can decrypt the Chipset Key.

If someone manages to extract that hardware key, though, they can unlock the Chipset Key, and, with code execution within the CSME, they can undo Intel's root of trust on large swathes of products at once, we're told.

"To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS)," explained Positive's Mark Ermolov.

"However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time.

"When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."
#hardware #security #intel

 

'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc • The Register


https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/

The short version here: A new vulnerability has been discovered in Intel's Converged Security and Manageability Engine (CSME), the embedded system that oversees management of Intel system chipsets (not processors, this time). The vulnerability is a DMA race that potentially allows hostile code to overwrite memory in the embedded management engine before the management engine enables memory protection on its own memory space. Key to the vulnerability is the fact that this memory protection is disabled by default until and unless the management engine enables it — i.e, it is unsafe by default, and fails unsafe.
During that timing gap, other hardware – physically attached or present on the motherboard – that is able to fire off a DMA transfer into the CSME's private RAM may do so, overwriting variables and pointers and hijacking its execution. At that point, the CSME can be commandeered for malicious purposes, all out of view of the software running above it.
The vulnerability is exploitable whenever the chipset is starting up. The chipset is vulnerable from the time the CSME boot ROM first initializes the memory page direvctory, up until the IOMMU (Input/Output Memory Management Unit) is turned on. Critically, this occurs not only at system boot time, but every time the CSME or the IOMMU resets.

What this means is that every time the CSME comes out of sleep mode, or any time the CSME is reset, it is briefly vulnerable to attack.
The CSME provides, among other things, something called Enhanced Privacy ID, or EPID. This is used for things like providing anti-piracy DRM protections, and Internet-of-Things attestation. The engine also provides TPM functions, which allow applications and operating system software to securely store and manage digital keys for things like file-system encryption. At the heart of this cryptography is a Chipset Key that is encrypted by another key baked into the silicon, and you can't do too much damage, it seems, until you can decrypt the Chipset Key.

If someone manages to extract that hardware key, though, they can unlock the Chipset Key, and, with code execution within the CSME, they can undo Intel's root of trust on large swathes of products at once, we're told.

"To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS)," explained Positive's Mark Ermolov.

"However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time.

"When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."
#hardware #security #intel

 
"A Virgin Media database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, the company has admitted."

The breach was not due to a hack or a criminal attack, but because the database had been "incorrectly configured" by a member of staff not following the correct procedures, Virgin Media said.
Which shows yet again people still don't get that digital security is not about giving people enormous power and writing a policy and process document that basically says thou shalt not f**k up.

A database does not spend 10 months unsecured because it was "incorrectly configured". It gets to spend 10 months unsecured becasuse a) your 'process' allowed the mistake to be made in the first place and didn't have enough automated and human checking and b) more importantly because someone didn't have effective monitoring and regular scanning of their assets in place to catch the problem later and sound the alarm.

An industrial site does not get burgled "because someone left the window opened for 10 months", it gets burgled because someone didn't have their security doing basic commonsense daily checks and closing it". Ditto in digital space.

#security #rant #virgin #verminmedia

 
"A Virgin Media database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, the company has admitted."

The breach was not due to a hack or a criminal attack, but because the database had been "incorrectly configured" by a member of staff not following the correct procedures, Virgin Media said.
Which shows yet again people still don't get that digital security is not about giving people enormous power and writing a policy and process document that basically says thou shalt not f**k up.

A database does not spend 10 months unsecured because it was "incorrectly configured". It gets to spend 10 months unsecured becasuse a) your 'process' allowed the mistake to be made in the first place and didn't have enough automated and human checking and b) more importantly because someone didn't have effective monitoring and regular scanning of their assets in place to catch the problem later and sound the alarm.

An industrial site does not get burgled "because someone left the window opened for 10 months", it gets burgled because someone didn't have their security doing basic commonsense daily checks and closing it". Ditto in digital space.

#security #rant #virgin #verminmedia

 
"A Virgin Media database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, the company has admitted."

The breach was not due to a hack or a criminal attack, but because the database had been "incorrectly configured" by a member of staff not following the correct procedures, Virgin Media said.
Which shows yet again people still don't get that digital security is not about giving people enormous power and writing a policy and process document that basically says thou shalt not f**k up.

A database does not spend 10 months unsecured because it was "incorrectly configured". It gets to spend 10 months unsecured becasuse a) your 'process' allowed the mistake to be made in the first place and didn't have enough automated and human checking and b) more importantly because someone didn't have effective monitoring and regular scanning of their assets in place to catch the problem later and sound the alarm.

An industrial site does not get burgled "because someone left the window opened for 10 months", it gets burgled because someone didn't have their security doing basic commonsense daily checks and closing it". Ditto in digital space.

#security #rant #virgin #verminmedia

 
Concerned with #security ? #NetBSD includes #Postfix as its mail agent.

 
#eff #letsencrypt #security #tls #https

 
#eff #letsencrypt #security #tls #https

 
We are happy to announce that @opensuse Leap 15.2 has reached the beta phase of the rolling development model. Multiple beta builds will be released until the final #goldmaster, at which point it will transition to #security & #maintenance updates 😀 - http://bit.ly/2HUDPI0
Bild/Foto

 
OMG. Just… no.

#InternetOfShit #IoT #TroyHunt #Security #InfoSec #RemoteControlDetonator

 
OMG. Just… no.

#InternetOfShit #IoT #TroyHunt #Security #InfoSec #RemoteControlDetonator

 

FBI recommends passphrases over password complexity | ZDNet


Correct horse battery staple

#password #security

 
Bild/Foto

Private WhatsApp groups visible in Google searches

Your #WhatsApp groups may not be as secure as you think they are


Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.

Does #Google care about your privacy and security? No.

Does #Facebook honestly care about your privacy and security? No.

https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603

#Facebook #chat #apps #privacy #security #surveillance #messaging #im

 
Bild/Foto

Private WhatsApp groups visible in Google searches

Your #WhatsApp groups may not be as secure as you think they are


Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.

Does #Google care about your privacy and security? No.

Does #Facebook honestly care about your privacy and security? No.

https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603

#Facebook #chat #apps #privacy #security #surveillance #messaging #im

 
Bild/Foto

Private WhatsApp groups visible in Google searches

Your #WhatsApp groups may not be as secure as you think they are


Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.

Does #Google care about your privacy and security? No.

Does #Facebook honestly care about your privacy and security? No.

https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603

#Facebook #chat #apps #privacy #security #surveillance #messaging #im

 
Encryption backdoors must never be allowed. To prove that Tutanota is free from any backdoor, the entire client code is published as open source. Let's fight against mass surveillance! ✊
https://tutanota.com/blog/posts/why-a-backdoor-is-a-security-risk/
#privacy #dataprotection #datasecurity #security #encryption #surveillance #backdoors
Bild/Foto

 
Welchen Cloudspeicher könnt ihr mir empfehlen:

- min 200 GB
- max 10 € im Monat
- Leicht mit Familien Dateien zu Teilen

Tja das sind so die min. Anforderungen. Habt ihr da vielleicht was, was ich bis jetzt ausprobiert habe:

- ondrive & Google Drive (mit Cryptomator gibt es aber nicht bei F-Droid)
- pCloud und Tresorit (siehe 1)
- Nextcloud, zu viel Zeit in Pflege und Wartung gesteckt.

#cloud #encryption #security

 

SHA-1 is a Shambles

First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust


https://eprint.iacr.org/2020/014.pdf

Below is the abstract from the article. The most concerning thing here is the ability to forge signatures of keys. As you know if you read my posts, I have always argued that we should never sign other people's keys. Even without the problem of possible forged signatures using the technique in the article, key-signing harms privacy.

The only key signature created by EasyGPG is the signature on a newly created key pair.

printf "${newkeyattr}" | env TZ=UTC gpg --homedir "${keydir}" --batch --use-agent --cert-digest-algo "SHA512" --s2k-cipher-algo "AES256" --s2k-digest-algo "SHA512" --s2k-mode 3 --s2k-count 32000000 --status-file "${temp}" --gen-key 2> /dev/null

Notice that SHA512 is used. As for signatures on messages and encrypted files, see below (after the abstract). EasyGPG always uses SHA512.

Abstract. The SHA-1 hash function was designed in 1995 and has been widely used
during two decades. A theoretical collision attack was first proposed in 2004 [WYY05],
but due to its high complexity it was only implemented in practice in 2017, using
a large GPU cluster [SBK + 17]. More recently, an almost practical chosen-prefix
collision attack against SHA-1 has been proposed [LP19]. This more powerful attack
allows to build colliding messages with two arbitrary prefixes, which is much more
threatening for real protocols.
In this paper, we report the first practical implementation of this attack, and its
impact on real-world security with a PGP/GnuPG impersonation attack. We managed
to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia
GTX 970, identical-prefix collisions can now be computed with a complexity of 2 61.2
rather than 2 64.7 , and chosen-prefix collisions with a complexity of 2 63.4 rather than
2 67.1 . When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,
and 45k US$ for a chosen-prefix collision, within the means of academic researchers.
Our actual attack required two months of computations using 900 Nvidia GTX 1060
GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time
preparing the attack).
Therefore, the same attacks that have been practical on MD5 since 2009 are now
practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes
and handshake security in secure channel protocols (TLS, SSH). We strongly advise
to remove SHA-1 from those type of applications as soon as possible.
We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different
identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can
therefore be transferred to the second key, leading to a forgery. This proves that
SHA-1 signatures now offers virtually no security in practice. The legacy branch of
GnuPG still uses SHA-1 by default for identity certifications, but after notifying the
authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as
CVE-2019-14855).
Keywords:
$ grep "gpg" easygpg.sh | grep " -s " 
  encryptedText=`printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty -` 
  printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - | xclip -i -selection clipboard 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -a -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
    tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" -a --trust-model always -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" - 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}" 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography

 

SHA-1 is a Shambles

First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust


https://eprint.iacr.org/2020/014.pdf

Below is the abstract from the article. The most concerning thing here is the ability to forge signatures of keys. As you know if you read my posts, I have always argued that we should never sign other people's keys. Even without the problem of possible forged signatures using the technique in the article, key-signing harms privacy.

The only key signature created by EasyGPG is the signature on a newly created key pair.

printf "${newkeyattr}" | env TZ=UTC gpg --homedir "${keydir}" --batch --use-agent --cert-digest-algo "SHA512" --s2k-cipher-algo "AES256" --s2k-digest-algo "SHA512" --s2k-mode 3 --s2k-count 32000000 --status-file "${temp}" --gen-key 2> /dev/null

Notice that SHA512 is used. As for signatures on messages and encrypted files, see below (after the abstract). EasyGPG always uses SHA512.

Abstract. The SHA-1 hash function was designed in 1995 and has been widely used
during two decades. A theoretical collision attack was first proposed in 2004 [WYY05],
but due to its high complexity it was only implemented in practice in 2017, using
a large GPU cluster [SBK + 17]. More recently, an almost practical chosen-prefix
collision attack against SHA-1 has been proposed [LP19]. This more powerful attack
allows to build colliding messages with two arbitrary prefixes, which is much more
threatening for real protocols.
In this paper, we report the first practical implementation of this attack, and its
impact on real-world security with a PGP/GnuPG impersonation attack. We managed
to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia
GTX 970, identical-prefix collisions can now be computed with a complexity of 2 61.2
rather than 2 64.7 , and chosen-prefix collisions with a complexity of 2 63.4 rather than
2 67.1 . When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,
and 45k US$ for a chosen-prefix collision, within the means of academic researchers.
Our actual attack required two months of computations using 900 Nvidia GTX 1060
GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time
preparing the attack).
Therefore, the same attacks that have been practical on MD5 since 2009 are now
practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes
and handshake security in secure channel protocols (TLS, SSH). We strongly advise
to remove SHA-1 from those type of applications as soon as possible.
We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different
identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can
therefore be transferred to the second key, leading to a forgery. This proves that
SHA-1 signatures now offers virtually no security in practice. The legacy branch of
GnuPG still uses SHA-1 by default for identity certifications, but after notifying the
authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as
CVE-2019-14855).
Keywords:
$ grep "gpg" easygpg.sh | grep " -s " 
  encryptedText=`printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty -` 
  printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - | xclip -i -selection clipboard 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -a -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
      (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel 
    tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" -a --trust-model always -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" - 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}" 
    printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"

#easygpg #gpg #encryption #privacy #surveillance #security #cryptography

 

Activate This ‘Bracelet of Silence,’ and Alexa Can’t Eavesdrop | The New York Times

Microphones and cameras lurk everywhere. You may want to slip on some privacy armor.
#technology #tech #security #privacy #Alexa #Amazon

 

Activate This ‘Bracelet of Silence,’ and Alexa Can’t Eavesdrop | The New York Times

Microphones and cameras lurk everywhere. You may want to slip on some privacy armor.
#technology #tech #security #privacy #Alexa #Amazon

 

#UK #police deny responsibility for poster urging parents to report kids for using #Kali #Linux


source: https://www.zdnet.com/article/uk-police-distance-themselves-from-poster-warning-parents-to-report-kids-for-using-kali-linux/
Virtual machines, the #Tor Browser, Kali Linux, #WiFi Pineapple, #Discord, and #Metasploit are all deemed terrible finds and the poster urges parents to call the cops "so we can give advice and engage them into positive diversions."
Just a few years ago I would have been burnt at the stake.

#Danger #Warning #fail #Technology #Security #Crime #Cyber #children #news

 

#UK #police deny responsibility for poster urging parents to report kids for using #Kali #Linux


source: https://www.zdnet.com/article/uk-police-distance-themselves-from-poster-warning-parents-to-report-kids-for-using-kali-linux/
Virtual machines, the #Tor Browser, Kali Linux, #WiFi Pineapple, #Discord, and #Metasploit are all deemed terrible finds and the poster urges parents to call the cops "so we can give advice and engage them into positive diversions."
Just a few years ago I would have been burnt at the stake.

#Danger #Warning #fail #Technology #Security #Crime #Cyber #children #news

 
Kennt jemand diesen Signal-Fork?

Shared via Fedilab @realramnit@chaos.social 🔗 https://chaos.social/users/realramnit/statuses/103645804448003773

Die Loki-Foundation hat sich den #Signal-Quellcode genommen und eine der größten Schwächen des Messengers entfernt - die Telefonnummernabhängigkeit!

Außerdem routen sie sämtlichen Traffic durch Tor. Das macht "Session" - wie der neue Messenger getauft wurde - zu einem interessanten Delta-Chat-Konkurrenten.

https://getsession.org/

#Session #Signal #Messenger #Chat # Privacy #Security

chaos.social: Matthias Kneiss (@realramnit@chaos.social) (Matthias Kneiss)


 
Shared via Fedilab @realramnit@chaos.social 🔗 https://chaos.social/users/realramnit/statuses/103645804448003773

Die Loki-Foundation hat sich den #Signal-Quellcode genommen und eine der größten Schwächen des Messengers entfernt - die Telefonnummernabhängigkeit!

Außerdem routen sie sämtlichen Traffic durch Tor. Das macht "Session" - wie der neue Messenger getauft wurde - zu einem interessanten Delta-Chat-Konkurrenten.

https://getsession.org/

#Session #Signal #Messenger #Chat # Privacy #Security

chaos.social: Matthias Kneiss (@realramnit@chaos.social) (Matthias Kneiss)


 
Shared via Fedilab @realramnit@chaos.social 🔗 https://chaos.social/users/realramnit/statuses/103645804448003773

Die Loki-Foundation hat sich den #Signal-Quellcode genommen und eine der größten Schwächen des Messengers entfernt - die Telefonnummernabhängigkeit!

Außerdem routen sie sämtlichen Traffic durch Tor. Das macht "Session" - wie der neue Messenger getauft wurde - zu einem interessanten Delta-Chat-Konkurrenten.

https://getsession.org/

#Session #Signal #Messenger #Chat # Privacy #Security

chaos.social: Matthias Kneiss (@realramnit@chaos.social) (Matthias Kneiss)


 
Love this idea: graceful degradation of cryptographic certificates

#Security #Usability

 
#Security #Updates on #Android are really that bad: They take months to never to be rolled out and manufacturers stop supporting them after one year anyway.

This is one of the core problems of #digital #sustainability: good performing hardware cannot be used only because software / manufacturers do not support them anymore.

Solutions:
a) use #FreeSoftware e.g. Custom Rom and
b) help to include smartphones in the European ecodesign guidelines by signing this petition:

https://repair.eu/smartphones/
Bild/Foto