CyBOK has just published release v1.1 - this is an extremely useful set of frequently updated cyber security guidelines managed by a number of universities across the UK covering topics from risk & governance to low-level tech like #cryptography and web application #security
PRECIS, the next step in Unicode validation
https://krvtz.net/posts/precis-the-next-step-in-unicode-validation.html #unicode #security
You Really Shouldn't Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries
"Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures."
Local root exploit in Linux #security, do patch your kernelz
oss-security - CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer
Since ~2005 all EU countries have Electronic Signature legislation (1999/93/EC), later renewed as eIDAS (Regulation 910/2014).
It's 2021, companies are still scammed by fake PDF pretending to be an order by a German court, notable judiciary institution, sent with *no* digital signature at all, in an industry where these attacks are frequent 🤷
Linux Foundation has been quietly developing a project that might solve the supply chain attacks that are now on the rise - basically, a cryptographic transparency log of signed artifacts such as libraries, packages etc. It's in early phase but looks very promising #security
Many organisations by principle only apply product updates that are explicitly marked as security fixes. I argue why this policy is not sufficient with examples on how general updates also have impact on #security
https://krvtz.net/posts/why-only-security-updates-approach-is-not-sufficient.html
Very, very true... #security "if you cast your gaze across pentest reports and bug bounty findings, you'll discover another insidious theme emerges: 'vulnerabilities' that simply don't make sense."
https://portswigger.net/research/notwasp-bottom-10-vulnerabilities-that-make-you-cry
Someone backdoored official #php distro to execute custom code if an app is accessed with User-Agent containing "zerodium" string...
https://therecord.media/hackers-backdoor-php-source-code-after-internal-repo-hack/ #security
A pretty comprehensive introduction into what end-to-end encryption *actually* means in the context of instant messengers (mostly): what data specifically is encrypted where, and what popular misconceptions in this field are routinely used for marketing purposes.
2021
"remote code execution (...) because sprintf is used unsafely"
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
From the "reality vs crypto nerd's imagination" department #android #apple #security
https://www.wired.com/story/smartphone-encryption-law-enforcement-tools/
Fortunately, the spread of trojanized packages is limited to newly built applications only because nobody updates NPM libs anyway 🤷‍♂️
So as long as everyone sticks to the tried strategy of "let's hold and wait if others get infected" we don't need any package signatures etc #security
https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/
My article on #unicode input validation with some updates, formatting fixes and video from #owasp #security conference
https://krvtz.net/posts/input-validation-of-free-form-unicode-text-in-python.html
One of my favourite features of Wazuh is command monitoring which, combined with rules, allows creating sophisticated sanity checks on critical infrastructure services. #wazuh #devsecops #security https://krvtz.net/posts/checking-for-critical-failures-with-wazuh.html
The software security scanner market today is mature enough to have its own jargon, built largely by vendor marketing teams. As such, it's primarily designed to help you get rid of your infosec budget rather than help you design a reasonable security assurance architecture. This is the first part of a series that looks at SAST and DAST advantages and limitations. #infosec #software #sast #dast #iast #rasp #ssdlc #security https://krvtz.net/posts/making-sense-of-the-sast-dast-iast-rasp-soup-1.html
How Slack's STUN/TURN servers running Coturn were abused and how to fix it?
Important for anyone running #jitsi with their own STUN/TURN servers #security
https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
Polish expat into UK. Information security engineer. Caver & cave rescuer (thus the bat). NHS volunteer & blood donor.