Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
Nice summary about how JWTs work and how they can be exploited.
Gonçalo Valério
boosted
TPM-FAIL – security vulnerabilities in Trusted Platform Modules:
http://tpm.fail/tpmfail.pdf (PDF file)
– Affected are Platform Trust Technology (Intel), and ST33 TPM chip (STMicroelectronics). TPMs from Nuvoton/Infineon aren't affected.
– A remote attacker could retrieve certain private keys (e.g., as used by ECDSA).
– Intel provides a firmware update; vulnerable ST33 chips can't be patched.
#tpm #tpmfail #sidechannel #attack #vulnerability #infosec #security #cybersecurity
"TL;DR: an attacker can mount a RIDL attack despite the in-silicon mitigations/microcode patches published in May 2019 being in place."
"Keylogging users via Slack themes "
How secrets are handled at Monzo:
https://monzo.com/blog/2019/10/11/how-our-security-team-handle-secrets
👍
"HSTS From Top to Bottom or GTFO"
https://www.troyhunt.com/hsts-from-top-to-bottom-or-gtfo/
This is one of the reasons "HTTPS Everywhere" extension is still relevant.
"Bypassing GitHub's OAuth flow"
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
"Use antitrust to promote interoperability, says Cory Doctorow, an author and tech activist"
"Stealing private keys from a secure file sharing service"
https://timvisee.com/blog/stealing-private-keys-from-secure-file-sharing-service/
Gonçalo Valério
boosted
What's that sound? AAAH, Zombies!
Sin and co are live on Twitch for some #7daystodie: https://www.twitch.tv/GamingOnLinux
"Urgent security issue in NGINX/php-fpm"
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
PHP issue: https://bugs.php.net/bug.php?id=78599
XXE to RCE in XML plugins for VS Code, Eclipse and other software based on LSP4XML.
https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/
https://twitter.com/0xInfection/status/1148267196306427904
Be careful with those blacklists.
Gonçalo Valério
boosted
"Roads" by Max Böck https://mxb.dev/blog/roads/
Brilliant satire on modern web development.
https://darkport.co.uk/blog/ahh-shhgit!/
:thumbsup: tldr: Do not commit secrets to your code repo. There are some tools available to help detect and avoid when it happens accidentally.
"Samsung: Anyone's thumbprint can unlock Galaxy S10 phone"
https://www.bbc.com/news/technology-50080586
"biometrics" 🤷♂️
> When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
Gonçalo Valério
boosted
ECSM 2019 – Tips for your cyber hygiene:
https://infosec-handbook.eu/blog/ecsm2019-cyber-hygiene/
We present about 20 quick actions to keep or improve your level of information security in day-to-day life. Feel free to share your tips.
#ecsm2019 #ecsm #cyberhygiene #security #infosec #cybersecurity
Several years too late, but built in PGP support is coming to Thunderbird.
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
