Notices by infosec-handbook.eu (infosechandbook@mastodon.at)

VLC media player 3.0.8 released, fixes security vulnerabilities:

https://www.videolan.org/security/sb-vlc308.html

– 12 security vulnerabilities were fixed
– all versions prior to 3.0.8 are vulnerable to most of these vulnerabilities

#vlc #videolan #mediaplayer #update #infosec #security #cybersecurity

Physical (de)centralization of Mastodon servers – after our XMPP scan, we took 1000+ random Mastodon servers and looked at their hosters:

https://gist.github.com/infosec-handbook/0cdb8da86cfe63be657fcf44bde291d1

– about 50% of these servers are hosted by only 5 companies in 4 countries
– 26% of servers are hosted in Japan, followed by the USA (24%) and France (23%)

#mastodon #decentralization #centralization #statistics

Notes on privacy and data collection of Matrix.org:

https://gist.github.com/maxidorius/5736fd09c9194b7a6dc03b6b8d7220d0

"matrix.org and vector.im receive a lot of private, personal and identifiable data on a regular basis, or metadata that can be used to precisely identify and/or track users/server, their social graph, usage pattern and potential location. This is possible both by the default configuration values in synapse/Riot […]"

#matrix #messaging #riot #security #privacy

Tor-focussed :tor: operating system Tails 3.14.2 released:

https://tails.boum.org/news/version_3.14.2/index.en.html

– update for Tor Browser (8.5.3)
– ⚠ the Tails OS developers strongly advice against using Tails OS 3.14.1 or earlier: https://tails.boum.org/security/sandbox_escape_in_tor_browser/index.de.html

#tails #tor #torbrowser #privacy #anonymity

Tor Browser :tor: 8.5 released, comes with first stable version for Android:

https://blog.torproject.org/new-release-tor-browser-85

– based on FF 60.7.0esr
– updates for Torbutton, HTTPS Everywhere, OpenSSL, Tor Launcher
– fixes dozens of bugs

#tor #torbrowser #webbrowser #anonymity #privacy #android #torbrowser85

After major security vulnerabilities or data breaches, "security people" show up and tell you to delete your account immediately. "Oh, time to delete your account! Switch to service/product … instead!"

Such statements totally ignore that security vulnerabilities are widespread and the vast majority of data breaches won't become publicly-known. Full control over your data and devices requires 100% isolation from the internet, not just arbitrarily switching services or products.

#infosec

Tor-focussed :tor: operating system Tails 3.13.2 released:

https://tails.boum.org/news/version_3.13.2/index.en.html

– update for Tor Browser to fix disabled extensions
– updates for Debian (9.9), and Thunderbird 60.6.1
– bug fixes and minor changes

#tails #tor #torbrowser #privacy #anonymity

Tor Browser :tor: 8.0.9 released, fixes disabled extensions:

https://blog.torproject.org/new-release-tor-browser-809

– re-enable xpinstall.signatures.required if you disabled this
– updates for NoScript, and Torbutton

#tor #torbrowser #webbrowser #anonymity #privacy

2+ million IoT devices vulnerable to man-in-the-middle attacks, allowing attackers to steal passwords:

https://hacked.camera/

– the website contains a list, so you can check if your devices are vulnerable
– CVE-2019-11219, CVE-2019-11220
– mitigation: dispose your vulnerable devices, or block OUTBOUND traffic to 32100/udp

#iot #vulnerability #cve201911219 cve201911220 #infosec #mitm #cybersecurity #security

OpenSSH 8.0 available:

https://www.openssh.com/txt/release-8.0

– contains mitigations for an scp vulnerability (CVE-2019-6111)
– adds experimental post-quantum key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519
– increases the default RSA key size to 3072 bits
– includes several bug fixes

#openssh #ssh #infosec #security #cybersecurity #postquantum #crypto #x25519 #rsa

Facebook :facebook: always in the news. This time: Millions of passwords of Instagram users stored in plaintext:

https://thehackernews.com/2019/04/instagram-password-plaintext.html

– millions of plaintext passwords of Instagram and Facebook users were accessible to Facebook
– besides, Facebook stored 1.5 million records of users without their consent or knowledge

#facebook #instagram #privacy #password #infosec #cybersecurity #security

Dragonblood–vulnerabilities in WPA3 standard:

https://papers.mathyvanhoef.com/dragonblood.pdf (PDF file)

– the paper describes 5 different vulnerabilities (DoS, downgrade, side-channel attacks)
– researches believe that WPA3 "does not meet the standards of a modern security protocol"
– the Wi-Fi Alliance published a security update for the standard: https://www.wi-fi.org/security-update-april-2019

#wpa3 #wifi #wlan #infosec #security #cybersecurity #dragonblood #dragonfly #kex

Git–learn to contribute to e-mail-driven Git projects:

https://git-send-email.io/

#git #development #email

Facebook–security team spots 146GB dataset containing 540 million records of Facebook users:

https://www.upguard.com/breaches/facebook-user-data-leak

– dataset includes comments, likes, reactions, account names, Facebook IDs, and more
– origin of the leak is the Mexico-based media company Cultura Colectiva that develops third-party apps
– a second dataset contains 22,000 cleartext passwords from 2014

#facebook #leak #culturacolectiva #privacy #infosec #cybersecurity #security

Mozilla releases updates for two critical security vulnerabilities in Firefox:

https://www.mozilla.org/en-US/firefox/66.0.1/releasenotes/

https://www.mozilla.org/en-US/firefox/60.6.1/releasenotes/

Fixed versions are:

– Firefox 66.0.1
– Firefox for Android 66.0.1
– Firefox ESR 60.6.1
– Tor Browser 8.0.8

#firefox #mozilla #update #vulnerability #security #infosec #cybersecurity #pwn2own

As announced in January, we looked at the /e/ Android ROM, provided by the /e/ Foundation:

https://infosec-handbook.eu/blog/e-foundation-first-look/

– it isn't completely "ungoogled" as promised
– some traffic of preinstalled apps is unencrypted and contains personal data
– the security of their website is in great need of improvement

#efoundation #android #googlefree #privacy #signal #magicearth #microg #k9mail #fdroid

Google Play–more than 200 apps contain "SimBad" adware, downloaded more than 150 million times:

https://techcrunch.com/2019/03/13/new-android-adware-google-play/

– the malware masquerades as an ad-serving platform
– SimBad is mostly contained in free games
– list of infected apps: https://assets.documentcloud.org/documents/5766854/SimBad-AppList-Package.txt

#simbad #malware #adware #android #google #googleplay #infosec #cybersecurity #security

WordPress 5.1–critical exploit chain that enables an unauthenticated attacker to gain remote code execution on any WordPress installation:

https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

– exploit is possible due to a CSRF vulnerability in comment forms
– fixed in WordPress 5.1.1

#wordpress #rce #csrf #wordpress5 #infosec #cybersecurity #security

French /e/ foundation develops Google-free Android :android: ROM (in development):

https://e.foundation/

– we are testing it on Moto G4 (Android 7.1.2, Patch Level Dec 2018)
– ROM comes with Signal, Magic Earth, K-9 Mail (fork), microG and more
– you can use F-Droid as an app store
– we will likely publish an article about it in the near future

#efoundation #android #googlefree #privacy #signal #magicearth #microg #k9mail #fdroid

Parrot OS 4.5 released:

https://www.parrotsec.org/blog/parrot-4-5-release-notes/

– Parrot is 64bit only now
– new Docker templates introduced
– based on Linux 4.19
– contains Metasploit 5.0

#parrot #os #pentesting #security #infosec #cybersecurity #metasploit