Security

A more TLDR article about this: https://www.extremetech.com/defense/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu

FAQs from the researchers: https://web.archive.org/web/20230130225254/http://www.cs.tau.ac.il/~tromer/acoustic/

cross-posted from: https://infosec.pub/post/5707149

I talk about a report I've made to MSRC in the beginning of the year regarding vscode.

It's a bit different. There's no in depth technical stuff, because I basically just reported the feature, not a bug.

Hi,

How can we (under Windows...) encrypt file (or stdout) asymmetrically ? (best will be with ECC)

I see I'm not alone with this question https://security.stackexchange.com/questions/86721/can-i-specify-a-public-key-file-instead-of-recipient-when-encrypting-with-gpg

Apparently with GnuPG (bin for Windows) it's not working the best, you have first to import the public key ..

And ideas, or alternatives ?

Thanks.

Hi,

If you don't know how work the chain of trust for the httpS

You might want to watch this video https://invidious.privacydev.net/watch?v=qXLD2UHq2vk ( if you know a better one I'm all ears )

So in my point of view this system have some huge concerns !

1. You need to relies to a preinstalled store certificate in your system or browser... Yeah but do you know those peoples ??!! it might seem weird, but actually you should TRUST people that YOU TRUST/KNOW !!

Here an extract from the certificate store om Firefox on Windows.

I do not know ( personally ) any of those COMMERCIAL company !

2. Of course we could use Self-certificate but this is not protecting against Man-in-the-middle_attack . Instead of using a chain (so few 3th party involved , so increasing the attack surface ! ) why not using something simpler !? like for example

• a DNS record that hold the HASH of the public key of the certificate of the website !
• a decentralized or federated system where the browser could check those hash ?

Really I don't understand why we are still using a chain of trust that is

1. not trusted
2. increase the surface of attack
3. super complex compare to my proposals ?

Cheers,

cross-posted from: https://programming.dev/post/5721685

“EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.

cross-posted from: https://infosec.pub/post/2466014

This is my first write-up, on a vulnerability I discovered in iTerm2 (RCE). Would love to hear opinions on this. I tried to make the writing engaging.

cross-posted from: https://lemmy.capebreton.social/post/397946

Authors:

Lorenzo Neil, North Carolina State University; Harshini Sri Ramulu, The George Washington University; Yasemin Acar, Paderborn University & The George Washington University; Bradley Reaves, North Carolina State University

Abstract:

Users have a wealth of available security advice

far too much, according to prior work. Experts and users alike struggle to prioritize and practice advised behaviours, negating both the advice's purpose and potentially their security. While the problem is clear, no rigorous studies have established the root causes of overproduction, lack of prioritization, or other problems with security advice. Without understanding the causes, we cannot hope to remedy their effects.

In this paper, we investigate the processes that authors follow to develop published security advice. In a semi-structured interview study with 21 advice writers, we asked about the authors' backgrounds, advice creation processes in their organizations, the parties involved, and how they decide to review, update, or publish new content. Among the 17 themes we identified from our interviews, we learned that authors seek to cover as much content as possible, leverage multiple diverse external sources for content, typically only review or update content after major security events, and make few if any conscious attempts to deprioritize or curate less essential content. We recommend that researchers develop methods for curating security advice and guidance on messaging for technically diverse user bases and that authors then judiciously identify key messaging ideas and schedule periodic proactive content reviews. If implemented, these actionable recommendations would help authors and users both reduce the burden of advice overproduction while improving compliance with secure computing practices.

Open Access Media USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Neil PDF
View the slides

Why Decentralization is the Only Way to Prevent Cybersecurity Breaches?

1/ A decentralized network is built by people, where individuals function as nodes within the network.

2/ There is no central server that stores data in a single location; instead, all data is distributed across random devices/nodes within the decentralized network.

3/ Data can only be decrypted using a unique private key specific to each user.

4/ Messages are sent with end-to-end encryption (E2EE) within a peer-to-peer (P2P) decentralized network, bypassing the need for a central server, unlike centralized platforms such as Telegram or WhatsApp.

The absence of a central server translates to no centralized data storage, which in turn means no potential entry point for hackers to exploit and compromise data, thus preventing data breaches.

Three decentralized tool that I tried:

1. SimpleX:

• Simply a decentralized messaging tool, safer than Session

2. Nostr:

• Fully decentralized social platform
• Full of spam, hard to use compares to mastodom.

3. WireMin:

• Not open sourced (if they are open sourced, it will be my top choice.)
• A combination of mastodon and Session

I think the title of the talk is click-bait, but the content is interesting otherwise. The talk is roughly 40min + 15min Q&A

As we often report here, it’s common for tech companies to help each other improve their security systems by sharing zero-day exploits found by security researchers. Google, for example, does this a lot. But recently, an Apple employee reportedly found a zero-day exploit in Google Chrome – and that bug was never reported to Apple by that person.

I tried looking the original Joint USSS/FBI Advisory shown in the end of the video, and found these:

• https://web.archive.org/web/20150910021244/https://usa.visa.com/download/merchants/20090212-usss_fbi_advisory.pdf
• https://www.researchgate.net/publication/346975125_Heartland_Data_Breach_Analysis

Security advisorys: https://github.com/mastodon/mastodon/security

cross-posted from: https://programming.dev/post/160750

Dominick Baier's talk is a great introduction to the often confusing world of OAuth. There are many good resources about details of a given flow, but the challenging thing is which flow to use for what.

Yeah, uh.... at least ublock's EasyPrivacy list catches most of them