#security #Software
Items tagged with: security
New-ish Asus routers seem to enable "Yandex.DNS" by default. This forwards all of your DNS lookups to Yandex, a large Russian search engine. I discovered this on my dad's router when he had troubles accessing his bank from his broadband but not on his phone. (Presumably, the bank geoblocked Russian IPs as a protest to the invasion of Ukraine.)
I get that you need to trust someone with your DNS lookups (your ISP, Google, Cloudflare, etc.), but I didn't expect the non-ISP option to be the default...
Check your router!
Some exciting news: Over the past few months I have been working on founding a new organization: Blodeuwedd Labs (@blodeuweddlabs)
We are now in a position to offer subsidized security assessments (and other services) for open source projects.
(In addition to a whole array of analysis, development, and custom research offerings for everyone else)
Announcement (and more info): blodeuweddlabs.com/news/open-s…
#infosec #security #appsec #canada #opensource
Launching our Open Source Review Scheme | Blodeuwedd Labs
To celebrate the founding of Blodeuwedd Labs we are excited to announce Subsidized Assessments for open source projects as part of our commitment to continually give back to the open source community. (blodeuweddlabs.com)
We're happy that #Apple has now joined the fight for encryption! 🔒
There is no magic key that allows the police to scan all chat messages, emails, and more for harmful content while not risking the security and privacy of everyone. This is technically not possible.
The more agree to this fact, the higher the chances that legislation is altered to protect everybody's privacy.
bbc.com/news/technology-660287…
#privacy #security #onlinesafetybill #chatkontrolle
Apple joins opposition to encrypted message app scanning
WhatsApp and iMessage could be forced to scan for child abuse images under the Online Safety Bill. By Chris Vallance (BBC News)
Mozilla: "In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. It would force browser providers to create the means to mandatorily block websites present on a government provided list. Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments"
blog.mozilla.org/netpolicy/202…
#france #browser #cybersecurity #mozilla #security #surveillance
France’s browser-based website blocking proposal will set a disastrous precedent for the open internet - Open Policy & Advocacy
Article 3 (para II and III) of the SREN Bill would force providers to create the means to mandatorily block websites on a government provided list encoded into the browser. Udbhav Tiwari (Open Policy & Advocacy)
If you're using #bitwarden, make sure to change the KDF algorithm to Argon2id[^1] which is much more robust against GPU-powered attacks compared to its counterpart.
You can play around with this little calculator to see the impact of each algorithm on cracking cost estimation: passwordbits.com/passphrase-cr…
[^1]: bitwarden.com/help/what-encryp…
Encryption | Bitwarden Help Center
Learn how Bitwarden salts and hashes password Vault data before sending it to the Cloud for secure storage. (Bitwarden)
Interesting: ProtonMail finally admits that Germany "is a good choice given Germany’s strong privacy laws and culture that make it almost as strong as Switzerland."
For once, we couldn't agree more. 😀
We'd even argue Germany is much better as we do not have data retention laws (which would be against the German constitution) - while in Switzerland large tech companies are forced by law to retain data: tutanota.com/blog/posts/data-r…
Germany: Data retention to be abolished once and for all.
According to the German Minister of Justice, data retention or "the storage of telecommunications data without any reason" could soon come to an end. (Tutanota)
✅ Staff able to watch customers in the bathroom?
✅ Obviously shabby infosec?
✅ Training AI as an excuse for data retention?
🕵🏽 No surprise here: "#Amazon Ring, Alexa accused of every nightmare #IoT #security fail you can imagine" #privacy
theregister.com/2023/06/01/ftc…
Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine
Staff able to watch customers in the bathroom? Tick! Obviously shabby infosec? Tick! Training AI as an excuse for data retention? Tick! Simon Sharwood (The Register)
Earlier this year we got into a surprising and somewhat annoying struggle with Web browser sandboxing failures related to our "web apps shared in a chat" feature. After much background work we released the hardened Delta Chat 1.36 series, also addressing a dedicated fourth independent security audit, and can finally share more of what was going on behind the scenes delta.chat/en/2023-05-22-webxd…
#chromium #deltachat #security #webxdc
Delta Chat: Bringing E2E privacy to the Web: 4th security audit 😅
Delta Chat’s “web apps shared in a chat” come with a unique privacy promise but in January it was shown to be compromised. We got into a surprising struggle with Web browser sandboxing issues that ... (delta.chat)
Journalists, whistleblowers, activists - they all risk their lives to make the truth public.
Let's fight for the right to #privacy and #pressfreedom.
Together with #Threema, #Tor #FightfortheFuture and others we call on policymakers to not undermine #encryption.
We ALL depend on encryption for #security and #privacy! 💪🔒
Read more: tutanota.com/blog/posts/press-…
Press Freedom Day: 40+ organizations call on world leaders to uphold encryption & privacy
On Press Freedom Day a coalition of 40+ orgs have united to defend strong encryption. (Tutanota)
New article: "Overview of Flatpak's Permission Models"
theevilskeleton.gitlab.io/2023…
Huge thanks to @orowith2os for proofreading the article :)
#Flatpak #Linux #GNU #Security #FOSS #OpenSource
Overview of Flatpak’s Permission Models
Flatpak’s permissions can be confusing. Some are technical and need knowledge on how they work, and others are self-explanatory. (TheEvilSkeleton)
2FA secrets exposed: Google Authenticator blasts secret data into the ether
tarnkappe.info/artikel/it-sich…
So anyone who uses (or has used) it with Account Sync should act urgently.
2FA secrets leaked: Google Authenticator is not quite watertight
2FA, one of the most important apps for the security of one's own online world, apparently has problems keeping the second factor secret. Moritz Poldrack (Tarnkappe.info)
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
Fits right in with my custom ROM series: "Smartphones with a widespread Qualcomm chip secretly send private information to the US chip manufacturer" 👇🤦
#android #security #qualcomm #backdoor #tracking #privacy #sicherheit #datenschutz
Did you ever wonder how Tutanota's encryption is able to protect all your data? Check out our new encryption page with lots of interesting facts! 🔒😍
We ♥️ #encryption!
#security #privacy #email #data
Everything you need to know about Tutanota's encryption.
Details on how the encrypted email & calendar service Tutanota encrypts all data. (Tutanota)
The encrypted Tutanota mailbox makes sure your data belongs to you, and to you alone! 😎🔒
Make sure your friends enjoy the same level of privacy. Invite them to Tutanota! 🤩
👉 tutanota.com/blog/posts/refer-…
#privacy #security #Encryption
Security for all: Recommend Tutanota to your friends! 🎉
Tutanota has launched a refer-a-friend program so that you can both benefit. (Tutanota)
In-Process 6th April 2023
The big news this time around is the release of NVDA 2023.1! But there’s plenty more exclusive news below so let’s get into it: NVDA 2023.1 It’s new release time! NVDA 2023.1 is n… (NV Access)
Security is the major reason why software updates are important. The LastPass breach demonstrates this dramatically.
If you search the web for why software updates are important, you will get loads of results that say there are "3 or 5 reasons why software updates are important". While this may be correct, there is only one major reason why you must keep your software up to date: Security.
Stay secure, update your systems! 😎💪🔒
bleepingcomputer.com/news/secu…
Critical Microsoft Outlook bug PoC shows how easy it is to exploit
Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows (CVE-2023-23397) that allows hackers to remotely steal hashed passwords by simply receiving an email. Ionut Ilascu (BleepingComputer)
Microsoft Authenticator prompts the user to accept sharing analytics during the first launch. The prompt is only dismissed when the user taps "Accept." In fact, the app starts sending analytics even before the privacy statement is accepted. 🤦‍♂️
In this video, we downloaded the authenticator app from the App Store and we opened it as we monitored the iPhone network traffic. While the app was showing the permission prompt, we captured at least 3 calls made by the app sending diagnostics to Microsoft. The app sent 14 KB of analytics even before accepting the prompt.
The message on the prompt actually says that Microsoft needs to collect diagnostic data in order to keep Authenticator secure and up to date. 😵💫
#Privacy #Cybersecurity #2FA #InfoSec #Security #Microsoft
Privacy: Microsoft Authenticator sends analytics even before accepting the privacy statement
When opening Microsoft Authenticator for the first time after downloading it from the App Store, it prompts the user to accept sharing diagnostics with Micro... (YouTube)
Today I learned that when you "edit" or "correct" a message in #XMPP, the original message is still technically stored on the server or device. It's the client side that understands that the new message is an edit of the previous message, and "displays" it as such. But, if you send a password or something sensitive, "editing" the message after it has been sent might not remove the actual contents of the original version of the message, so make sure you use #encryption too.
Portmaster, a kind of firewall for controlling outgoing traffic, is no longer in alpha but is available as version 1.0.7 for Windows, Debian/Ubuntu and Fedora. Particularly interesting for Windows users who want to rein in Microsoft's snooping.
#security #privacy #firewall #sicherheit #datenschutz #windows
Safing Portmaster - Easy Privacy
Portmaster is a free and open-source application that puts you back in charge over all your computer's network connections. Increase your privacy and security. Get peace of mind. (safing.io)
An #opensource #backup solution on your #Android device for your #data #security, distributed over @IzzyOnDroid on @fdroidorg:
📱 Android-DataBackup
github.com/XayahSuSuSu/Android…
Android-DataBackup/README_EN.md at main · XayahSuSuSu/Android-DataBackup
Data Backup: DataBackup for Android. Contribute to XayahSuSuSu/Android-DataBackup development by creating an account on GitHub. (GitHub)
Happy #DataPrivacyDay! 🥳
Here are some privacy-first apps frequently recommended by the Tutanota community.
What are your favorite apps to quit #BigTech?
Going dark: Is encryption a threat to our security? The Swedish EU Council says yes.
But we say: Stop the #CryptoWars. Destroying everybody's #privacy will not increase #security.
Read here why: 👇
tutanota.com/blog/posts/going-…
Going dark: Is encryption a threat to our security? The Swedish EU Council says yes.
Politicians often warn that criminals are 'going dark'. This warning is used like the argument to 'protect the children': to undermine encryption. (Tutanota)
Have you heard about #ReproducibleBuilds? This is one of the biggest #security benefits of #FOSS. On #Android, this technique ensures that the #FDroid version of an app exactly matches the developer's version.
Read our article below for more details and to see how easy it is for developers to get set up:
f-droid.org/en/2023/01/15/towa…
Towards a reproducible F-Droid | F-Droid - Free and Open Source Android App Repository
A common criticism directed at F-Droid is that F-Droid signs published APKs with its own keys. Using our own keys doesn’t mean insecure — we have a good track ... (f-droid.org)
I asked this in a poll in 8/2021 at Mastodon.technology, now it's time for a refresher: To improve #security I'm finally considering really dropping support for #TLS 1.0/1.1 (see blog.qualys.com/product-tech/2… and e.g. ssllabs.com/ssltest/analyze.ht…). This would basically affect devices running Android < 4.4. As I do not want to lock anybody out, I'd like to see how many of you this would affect.
🇩🇪 Anyone still on Android < 4.4 and therefore dependent on TLS 1.0/1.1 (1. yes, 2. doesn't matter, 3. no)?
So:
SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols | Qualys Security Blog
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade. Update 1/16/2020: The grade change is now live on the development… (Qualys Security Blog)
- I still use such a device and need compatibility (1%, 4 votes)
- I still use such a device but wouldn't mind (6%, 21 votes)
- I don't care (92%, 320 votes)
Do you like security? Do you like privacy? Cryptography? Do you like working for a public benefit non-profit instead of an investor-beholden corporation?
Let's Encrypt is hiring for someone to join our SRE team and help run the largest Certificate Authority in the world! Come work with me and some of the most wonderful folks in tech, to make the web a better place.
abetterinternet.org/careers/le…
#jobs #sre #webPKI #security #privacy #cryptography
Let's Encrypt Software Engineer (SRE)
Posted: September 29, 2022 Start Date: January 2023 Position Status: Open Location: Remote within US Compensation: $140k USD, 100% 401k Match, Excellent Insurance We’re making HTTPS easier for developers to use, we’re doing it at scale, and we need y… (Internet Security Research Group)
🔓 Like good neocolonizers, #humanitarian organizations & #nonprofits, like militaries, also collect vast amounts of #biometric & other private information about people with reckless disregard for basic #privacy and #security concepts.
✊🏽 We must hold them accountable for the risks and damages their actions cause: it's unacceptable to allow society to continue this way.
Thanks to #CCC for helping expose the dangerous truth.
#SurveillanceCapitalism #infosec
web.archive.org/web/2022122712…
For Sale on eBay: A Military Database of Fingerprints and Iris Scans
German security researchers studying biometric capture devices popular with the U.S. military got more than they expected for $68 on eBay. Kashmir Hill (The New York Times)
I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend #Bitwarden and #1Password, what advantages they hold over LastPass, and why would I dare recommend yet another cloud-based password manager (because obviously the problem is the entire #cloud, not a particular company.)
So, here are my responses to all of these concerns!
Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. If you search Google for "jeremi gosney" + "lastpass" you'll find hundreds of articles where I've defended and/or pimped LastPass (including in Consumer Reports magazine). I defended it even in the face of vulnerabilities and breaches, because it had superior UX and still seemed like the best option for the masses despite its glaring flaws. And it still has a somewhat special place in my heart, being the password manager that actually turned me on to password managers. It set the bar for what I required from a password manager, and for a while it was unrivaled.
But things change, and in recent years I found myself unable to defend LastPass. I can't recall if there was a particular straw that broke the camel's back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass:
- LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you log in to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted. The only thing that would be worse is if...
- LastPass uses shit #encryption (or "encraption", as @sc00bz calls it). Padding oracle vulnerabilities, use of ECB mode (leaks information about password length and which passwords in the vault are similar/the same. Recently switched to unauthenticated CBC, which isn't much better, plus old entries will still be encrypted with ECB mode), vault key uses AES256 but key is derived from only 128 bits of entropy, encryption key leaked through webui, silent KDF downgrade, KDF hash leaked in log files, they even roll their own version of AES - they essentially commit every "crypto 101" sin. All of these are trivial to identify (and fix!) by anyone with even basic familiarity with cryptography, and it's frankly appalling that an alleged security company whose product hinges on cryptography would have such glaring errors. The only thing that would be worse is if...
- LastPass has terrible secrets management. Your vault encryption key is always resident in memory and never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory. If that wasn't enough, the vault recovery key and dOTP are stored on each device in plain text and can be read without root/admin access, rendering the master password rather useless. The only thing that would be worse is if...
- LastPass's browser extensions are garbage. Just pure, unadulterated garbage. Tavis Ormandy went on a hunting spree a few years back and found just about every possible bug -- including credential theft and RCE -- present in LastPass's browser extensions. They also render your browser's sandbox mostly ineffective. Again, for an alleged security company, the sheer number of high and critical severity bugs was beyond unconscionable. All easy to identify, all easy to fix. Their presence can only be explained by apathy and negligence. The only thing that would be worse is if...
- LastPass's API is also garbage. Server-can-attack-client vulns (server can request encryption key from the client, server can instruct client to inject any javascript it wants on every web page, including code to steal plaintext credentials), JWT issues, HTTP verb confusion, account recovery links can be easily forged, the list goes on. Most of these are possibly low-risk, except in the event that LastPass loses control of its servers. The only thing that would be worse is if...
- LastPass has suffered 7 major #security breaches (malicious actors active on the internal network) in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7. So all those "this is only an issue if LastPass loses control of its servers" vulns are actually pretty damn plausible. The only thing that would be worse is if...
- LastPass has a history of ignoring security researchers and vuln reports, and does not participate in the infosec community nor the password cracking community. Vuln reports go unacknowledged and unresolved for months, if not years, if not ever. For a while, they even had an incorrect contact listed for their security team. Bugcrowd fields vulns for them now, and most if not all vuln reports are handled directly by Bugcrowd and not by LastPass. If you try to report a vulnerability to LastPass support, they will pretend they do not understand and will not escalate your ticket to the security team. Now, Tavis Ormandy has praised LastPass for their rapid response to vuln reports, but I have a feeling this is simply because it's Tavis / Project Zero reporting them as this is not the experience that most researchers have had.
You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far away as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.
So, why do I recommend Bitwarden and 1Password? It's quite simple:
- I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, *deep* desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.
- Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.
Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
I hope this clarifies things! As always, if you found this useful, please boost for reach and give me a follow for more password insights!