Posted by jpluimers on 2019/10/25
If you find out bookmarklets like the [WayBack] Press-This or [Archive.is] SubToMe do not work on some pages but to on others.
Often it’s not the bookmarklet, but a combination the site disabling CSP (Content Security Policy) and browsers not coping well with that, see for instance:
via:
Posted in Bookmarklet, CSP, Power User, Security, Web Browsers | Leave a Comment »
Posted by jpluimers on 2019/10/18
via: [WayBack] Researchers “unblur” images to gain access to Bitcoin wallet. The lesson here is that blurring sensitive images is no longer safe. – Kevin Powick – Google+:
Two French researchers — Michel Sassano and Clement Storck — have reconstructed a blurred QR code to gain access to a Bitcoin wallet that was holding $1,000.
Background information:
–jeroen
Posted in Bitcoin, Cryptocurrency, Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/10/14
When security prohibits getting work done, people will work around it.
Source: [WayBack] Bill Scannell @scannell Locked-out of a medical record after 60 seconds, becausesecurity? This is an actual workaround spotted today in the wild.
via:
–jeroen
Posted in Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/09/27
So I won’t forget; the steps below based on and assumes ~/Versioned is the directory where you keep repositories in:
alt_override tree, shame on GitHub)# cd ~/Versioned # git clone https://github.com/certbot/certbot.git ... # cd certbot # git fetch --all Fetching origin # git checkout alt_override Branch 'alt_override' set up to track remote branch 'alt_override' from 'origin'. Switched to a new branch 'alt_override' # ./certbot-auto --os-packages-only OS packages installed. # ./tools/venv.sh ... very long log ... Please run the following command to activate developer environment: source venv/bin/activate # source ./venv/bin/activate [venv] # venv/bin/certbot renew --force-renewal
–jeroen
Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/08/26
There are still sites limiting password lengt to low values like 20 or 15. Don’t!
The why at [WayBack] Implement Proper Password Strength Controls: Password Length has been in place since October 2012, since when cracking passwords has become way faster, so risk at length 20 back then is now a risk at something like length 40.
Password Length
Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.
- Minimum length of the passwords should be enforced by the application.
- Passwords shorter than 10 characters are considered to be weak (NIST SP800-132).
While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.
- Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
- Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.
–jeroen
via:
Posted in LifeHacker, Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/07/22
[WayBack] CAA Mandated by CA/Browser Forum | Qualys Blog
Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates…
Related:
–jeroen
Posted in Conference Topics, Conferences, DNS, Encryption, Event, HTTPS/TLS security, Internet, Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/07/22
I wonder if this one is still exploitable: UPC Cable Modem / Ziggo Connect Box / Compal CH7465LG · Issue #122 · reverse-shell/routersploit
–jeroen
Posted in Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/07/12
The archive is of late 2017; I wonder what the state is now: [Wayback] Government & Govt Owned – Netherlands – Phishing Scorecard
This Phishing Scorecard is the current situation of the security of e-mail stream banks compared. If a bank is one of the technical building blocks to implement in their e-mail security the red cross will be a green check mark. Once a bank’s security policy has only green check marks will stand up and protect them 40% of their customers.
–jeroen
Via: [WayBack] ‘Mailservers Tweede Kamer missen beveiliging tegen e-mailspoofing’ – update – IT Pro – Nieuws – Tweakers
De mailservers van de Tweede Kamer missen beveiligingsmaatregelen die e-mailspoofing tegen moeten gaan, waardoor het mogelijk is om uit naam van politici e-mails te versturen. Dat blijkt uit een onderzoek van Follow the Money.
Posted in Power User, Security | Leave a Comment »
Posted by jpluimers on 2019/06/20
The TCP SACK vulnerabilities as found by Netflix: [WayBack] security-bulletins/2019-001.md at master · Netflix/security-bulletins · GitHub.
Easy, but slow workaround from [WayBack] linux – How to disable TCP SACK for CentOS? – Super User:
Temporary (until boot):
echo "0" > /proc/sys/net/ipv4/tcp_sackPermanent (even after boot):
echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf sysctl -p
Coverage:
Don’t let miscreants play hacky-SACK with your gear. Apply these mitigations, patches now if you can
–jeroen
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, Security, TCP | Leave a Comment »
Posted by jpluimers on 2019/06/14
Reminder to self: see if this is till a thing in spreadsheet applications: [WayBack] The Absurdly Underestimated Dangers of CSV Injection.
That 7 was "=2+5" in the CSV, but it got much worse.
–jeroen
via: [WayBack] The Absurdly Underestimated Dangers of CSV Injection #Security – ThisIsWhyICode – Google+
Posted in Power User, Security | Leave a Comment »
The Wiert Corner - irregular stream of stuff 