Search: [security] - ervin's web review

Google OAuth is broken (sort of) - Truffle Security

Interesting finding. This shows a potential issue in how identities are verified by providers.

tech · google · oauth · security

December 22, 2023 at 12:13:53 PM GMT+1 * · permalink

·

https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/

·

Terrapin Attack

Interesting new attack on the SSH protocol. This is hard to achieve outside of the LAN though.

tech · ssh · security

December 19, 2023 at 8:34:51 AM GMT+1 * · permalink

·

https://terrapin-attack.com/

·

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

Fascinating vulnerability. When the BIOS is at fault with a crappy image parser... you can't do much to prevent problems from happening.

tech · security · bios

December 6, 2023 at 11:13:28 PM GMT+1 * · permalink

·

https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

·

reaction, in replacement of fail2ban

Could indeed turn into a nice alternative to fail2ban.

tech · security · server · self-hosting

December 3, 2023 at 6:10:08 PM GMT+1 * · permalink

·

https://blog.ppom.me/en-reaction/

·

cohost! - "Paper: You Want My Password or a Dead Patient?"

How the medical sector is struggling with badly designed software. Also important to note how security is just getting in the way of nurses and doctors jobs.

tech · medecine · usability · security · safety

November 25, 2023 at 4:58:50 PM GMT+1 * · permalink

·

https://cohost.org/mononcqc/post/3647311-paper-you-want-my-p

·

GWP-ASan: Sampling-Based Detection of Memory-Safety Bugs in Production - 2311.09394.pdf

Nice approach to also hunt for memory safety issues while software is in production.

tech · memory · safety · security

November 18, 2023 at 10:09:00 AM GMT+1 * · permalink

·

https://arxiv.org/pdf/2311.09394.pdf

·

RFC 9420 – A Messaging Layer Security Overview

Finally a standardized protocol for end-to-end encryption! Let's see where this gets used.

tech · protocols · standard · security

November 11, 2023 at 5:26:49 PM GMT+1 * · permalink

·

https://www.thestack.technology/rfc9420-ietf-mls-standard/

·

Critical vulnerability in Atlassian Confluence server is under “mass exploitation” | Ars Technica

This is indeed a very nasty vulnerability. This won't improve my low trust in this product. They've been trying to phase it out for a while, it shows now.

tech · atlassian · security

November 8, 2023 at 8:17:46 AM GMT+1 * · permalink

·

https://arstechnica.com/security/2023/11/critical-vulnerability-in-atlassian-confluence-server-is-under-mass-exploitation/

·

Last Chance to fix eIDAS

It's really coming from everywhere these days. Let's make sure this doesn't get adopted.

tech · security · privacy · politics

November 2, 2023 at 8:54:29 AM GMT+1 * · permalink

·

https://last-chance-for-eidas.org/

·

Help Everyone Do Better Security

Things could indeed be more convenient... if this was the case we'd probably have less security breaches. Making super complex tools and then complaining that people are holding them wrong isn't gonna help.

tech · security · complexity

October 28, 2023 at 3:54:49 PM GMT+2 * · permalink

·

https://matduggan.com/security-feels-pointless/

·

Welcome to the Offensive ML Framework - OffSecML Framework

Attacks on machine learning models are getting more accessible. This means even more care will have to be taken to deploy and use those.

tech · ai · machine-learning · gpt · security

October 28, 2023 at 11:47:43 AM GMT+2 * · permalink

·

https://wiki.offsecml.com/Welcome+to+the+Offensive+ML+Framework

·

Salt Labs | Oh-Auth - Abusing OAuth to take over millions of accounts

OAuth is nice and taking over the world... but don't weaken the security, follow all the steps and verify the tokens you get handed.

tech · security

October 27, 2023 at 10:30:15 AM GMT+2 * · permalink

·

https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

·

iLeakage

The spectre attack still has real world effects... This affects Safari this time.

tech · apple · security

October 26, 2023 at 8:03:37 AM GMT+2 * · permalink

·

https://ileakage.com/

·

Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App | 0xcrypto

If you got to implement an OAuth integration. Please be responsible and don't do this... this could lead to very serious breaches for your users.

tech · security · web

October 23, 2023 at 7:31:24 AM GMT+2 * · permalink

·

https://eval.blog/research/microsoft-account-token-leaks-in-harvest/

·

Google-hosted malvertising leads to fake Keepass site that looks genuine | Ars Technica

This is a bad case of content moderation if it gets presented to users like this... but Google is not going to leave advertisement money on the table. The way browsers changed in recent years also make this kind of deceptions easier (harder to check certificates, hard to spot punycoding).