Gonçalo Valério @dethos@s.ovalerio.net
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
Gonçalo Valério
boosted
LastPass releases update for security vulnerability:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1930
– The vulnerability allowed extracting credentials of previously-visited websites.
– Tavis Ormandy: "I think it's fair to call this 'High' severity, even if it won't work for *all* URLs."
– fixed in v4.33.0/v4.33.
#lastpass #security #vulnerability #tavisormandy #projectzero #infosec #cybersecurity
"Basic Electron Framework Exploitation"
https://www.contextis.com/en/blog/basic-electron-framework-exploitation
On using certificate authentication with SSH:
https://smallstep.com/blog/use-ssh-certificates/
An good and open source tool to help you with this is Hashicorps Vault.
Gonçalo Valério
boosted
ProtonMail adds support for Web Key Directory (WKD), DANE, and MTA-STS:
https://protonmail.com/blog/security-updates-2019/
– WKD is also available for external keys now
– DANE is also available for custom domains
– Besides, they added HTTP headers (Expect-CT, Public-Key-Pins-Report-Only), DNS CAA, and monitoring (e.g., TLSRPT)
– There will be an independent security audit of all Proton apps
#protonmail #gpg #infosec #security #cybersecurity #openpgp #wkd #wks #dane #mtasts
> A lot of Chromebook and Chromebox users don't realize this, but all ChromeOS devices have an expiration date.
🤦♂️ put linux on it or don't buy this kind of stuff.
"Security analysis of <portal> element"
https://research.securitum.com/security-analysis-of-portal-element/
Some tips to increase the security of your kubernetes cluster:
Gonçalo Valério
boosted
Mysterious iOS Attack Changes Everything We Know About iPhone Hacking. For two years, a handful of websites have indiscriminately hacked thousands of iPhones.
https://www.wired.com/story/ios-attack-watering-hole-project-zero/
Gonçalo Valério
boosted
Fun fact: wizzair.com let's you set a long password, but behind the scenes it truncates it to 16 characters (because obviously every byte is precious these days, I guess?).
When you try to log-in with your long long password, it fails. You have to *know* to truncate it yourself to 16 chars.
This is a major airline in 2019.
What happens when you launch your browser for the first time:
https://news.ycombinator.com/item?id=20794937
Interesting read. I was kind of disappointed to learn that:
"The http://mozilla.org tab discussing the importance of Privacy loads in the background, bringing along with it the Google Tag Manager and Google Analytics. Hello, Google."
Gonçalo Valério
boosted
Hey #cccamp19, you know everything you buy from Decathlon has a long-range UHF RFID tag on it, and I have a reader with 10m range?
145 unique tags scanned from a quick walk around the Milliways area.
Typechecking Django and DRF
Gonçalo Valério
boosted
To avoid confusion, here's a step-by-step guide to putting your #Wordpress blog on the #Fediverse:
1. Log into your Wordpress site
2. Go to "Plugins", "Add New", search for "ActivityPub" plugin, install and activate it.
3. Go to "Users", then "Your Profile". Scroll down, and right at the bottom there's a new section called "Fediverse" with the blog's Fediverse address.
4. Share this address on #Mastodon etc, people will be able to follow it by pasting it into the search box and following it!
"The entropy of Bluetooth session keys is negotiated in an unauthenticated protocol between the participants. The attacker can manipulate this to the lowest entropy allowed, 1 byte. The resulting session key can then easily be brute forced."
Gonçalo Valério
boosted
Yikes. "The fingerprints of over 1 million people, as well as facial recognition information... was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks." https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms
Matrix of affected web servers: https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752
"HTTP/2 Denial of Service Advisory"
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
"It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed."
https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html
Admin
Full-stack developer, advocate of a free, secure and safe Internet. Nature lover and sports enthusiast.
Joined Apr 2017
