Search: [security] - ervin's web review

Google Details Two Zero-Day Bugs Reported in Zoom Clients and MMR Servers

Also a good reminder of why the fact that it's proprietary makes things harder security wise.

tech · zoom · security

January 24, 2022 at 10:33:15 AM GMT+1 * · permalink

·

https://thehackernews.com/2022/01/google-details-two-zero-day-bugs.html

·

The curious case of the Raspberry Pi in the network closet

Interesting forensic of a device left around to spy a network.

tech · raspberry-pi · security

January 18, 2022 at 11:18:04 AM GMT+1 * · permalink

·

https://blog.haschek.at/2019/the-curious-case-of-the-RasPi-in-our-network.html

·

You (probably) don’t need ReCAPTCHA | nearcyan

Indeed, don't use this by default. This is likely overkill and has terrible side effects. Look up for the alternatives proposed in this article first.

tech · web · security · captcha · gafam

January 3, 2022 at 12:04:01 PM GMT+1 * · permalink

·

https://nearcyan.com/you-probably-dont-need-recaptcha/

·

The Internet is Held Together With Spit & Baling Wire – Krebs on Security

Always amazed when such important routing systems are reached through very insecure means.

tech · internet · security · routing

November 27, 2021 at 3:45:11 PM GMT+1 * · permalink

·

https://krebsonsecurity.com/2021/11/the-internet-is-held-together-with-spit-baling-wire/

·

Your Fingerprint Can Be Hacked For $5. Here’s How. - Kraken Blog

Good reminder of why fingerprint readers are really a poor security device.

tech · security

November 23, 2021 at 11:42:20 AM GMT+1 * · permalink

·

https://blog.kraken.com/post/11905/your-fingerprint-can-be-hacked-for-5-heres-how/

·

‘Trojan Source’ Bug Threatens the Security of All Code – Krebs on Security

Now this one is really nasty...

tech · security · compiler · supply-chain

November 2, 2021 at 7:43:46 AM GMT+1 * · permalink

·

https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

·

No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders - Lumen

Fascinating attack vector. It was just a matter of time I guess, the more you use blurry frontiers (be it between OSes or other important domains) the more opportunities for exploits show up.

tech · security · windows · linux

September 23, 2021 at 12:40:22 PM GMT+2 * · permalink

·

https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/

·

Asking nicely for root command execution (and getting it)

Pile up enough complexity and it'll quickly become insecure.

tech · security

August 18, 2021 at 11:22:52 AM GMT+2 * · permalink

·

https://rachelbythebay.com/w/2021/08/17/pop/

·

SAML is insecure by design

Interesting exploration and rough explanation of why SAML has so many issues. Complexity by design in such critical components is a bad idea...

tech · saml · security

August 7, 2021 at 11:33:07 PM GMT+2 * · permalink

·

https://joonas.fi/2021/08/saml-is-insecure-by-design/

·

Python developers are being targeted with malicious packages on PyPI

Another couple of attempts at supply chain attacks. This time in the Python ecosystem. The skill level of those attempts isn't high though.

tech · python · supply-chain · security

August 4, 2021 at 8:32:01 AM GMT+2 * · permalink

·

https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/

·

Empty npm package '-' has over 700,000 downloads — here's why

This ecosystem keeps baffling me... How come there are so little checks on what can get published or how the command line process parameters.

tech · supply-chain · npm · javascript · security

August 3, 2021 at 9:16:00 AM GMT+2 * · permalink

·

https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/

·

From Stolen Laptop to Inside the Company Network — Dolos Group

Good reminder of why if you got mobile devices which are outside of a secured office (like most companies nowadays) you should never underestimate the Evil-Maid scenario...

tech · security · evil-maid

July 29, 2021 at 10:16:29 AM GMT+2 * · permalink

·

https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network

·

Windows 11, Amazon, and Uncomfortable Questions

Seeing the bad practices of Amazon with its Android AppStore, it really feels like another supply chain mess in the making with Windows 11 Android support...

tech · security · supply-chain · surveillance

June 28, 2021 at 9:12:41 AM GMT+2 * · permalink

·

https://commonsware.com/blog/2021/06/26/windows-11-amazon-uncomfortable-questions.html

·

Identify anything

Looks like a very interesting tool, in particular for security purposes.

tech · command-line · python · security

June 17, 2021 at 11:23:00 AM GMT+2 * · permalink

·

https://github.com/bee-san/pyWhat

·

Try This One Weird Trick Russian Hackers Hate – Krebs on Security

OK, now that's a funny consequence of how authorities behave which are taken into account by criminals.

tech · security · funny

May 18, 2021 at 11:15:24 AM GMT+2 * · permalink

·

https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/

·

FragAttacks: Security flaws in all Wi-Fi devices

Oops... security flaws ready to exploited in Wi-Fi again. And that includes WPA3.

tech · security · wifi

May 12, 2021 at 9:25:47 AM GMT+2 * · permalink

·

https://www.fragattacks.com/

·

CSRF, CORS, and HTTP Security headers Demystified

Nice summary of several security headers you can have to deal with for HTTP.

tech · http · security

May 3, 2021 at 2:01:17 PM GMT+2 * · permalink

·

https://blog.vnaik.com/posts/web-attacks.html

·

What are Insecure Direct Object References (IDOR)? | Hacker Noon

A way to common mistake which can blow the security of your service

tech · security

April 3, 2021 at 2:40:01 PM GMT+2 * · permalink

·

https://hackernoon.com/what-are-insecure-direct-object-references-idor-hz1j33e0

·

A Hacker Got All My Texts for $16

Or why you can't really trust SMS for 2FA... it's just too much of a wild west there.

tech · security · sms · 2fa

March 22, 2021 at 10:18:53 AM GMT+1 * · permalink

·

https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

·

GitHub has a Permission Problem.

Yes, the permission model of GitHub gives me the creeps as well... A couple of the examples given in there are really problematic and need to be addressed. This is even more important seeing the amount of stuff hosted on GitHub nowadays.

tech · github · security

March 17, 2021 at 11:51:04 AM GMT+1 * · permalink

·

https://games.greggman.com/game/github-permission-problem/

·