urn:uuid:c9e6cf53-c741-5de5-89b5-5cd48df7a6ce Daniel Aleksandersen https://www.daniel.priv.no/ Copyright © 2020 Daniel Aleksandersen. https://www.ctrl.blog/assets/favicon/favicon.svg 2020-11-04T09:27:00Z weekly 10 urn:uuid:17b6eb65-ca02-4f99-8988-6bfbc3dabff7 2020-11-04T09:27:00Z 2020-11-04T09:27:00Z

An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.

<p>Security researchers increasingly give security vulnerabilities they discover a unique and memorable name and logo. Names (and cute logos) generate more exposure for the vulnerability and the researchers who found it. The Computer Emergency Response Team Coordination Center (CERT/CC) believes this naming trend invokes “fear, uncertainty, and doubt for vendors, researchers, and the general public.” To address the situation, it has introduced Vulnonyms: a system for automatically naming vulnerabilities. What could possibly go wrong?</p> <p><a href="https://www.ctrl.blog/entry/sensational-vulnonym.html#src=feed">Read more …</a></p> urn:uuid:7b2cbb43-ea0c-4d8e-84a0-a47c6dd87146 2020-11-02T15:50:00Z 2020-11-02T15:50:00Z

A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.

<p>Three months ago, I discovered a security vulnerability in TeamViewer RPM auto-updates on Linux. The vulnerability allowed an attacker-in-the-middle (AITM) to subvert the TeamViewer RPM package repository to install and execute arbitrary software with root permissions.</p> <p><a href="https://www.ctrl.blog/entry/teamviewer-rpm-repo-security.html#src=feed">Read more …</a></p> urn:uuid:6d646e35-c924-4ed2-83cd-47c70246a111 2020-05-26T18:31:00Z 2020-05-26T18:31:00Z

Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and data transfer those secrets.

<p>You’ve probably seen calls to “secure your account” with a second-factor authentication (2FA) app all over the web. Online services promote it as a way to improve the security of your online account. After you’ve enabled 2FA, you need to know your username and password as well as a one-time use token (a four–six digit code) generated by your 2FA app.</p> <p><a href="https://www.ctrl.blog/entry/google-authenticator-2fa-secrets.html#src=feed">Read more …</a></p> urn:uuid:d4ba67d5-78b1-45a3-ad80-958a43835501 2020-02-17T19:25:00Z 2020-02-17T19:25:00Z

Plan for the day your password manager stops working. Backing up your password manager is harder that it sounds.

<p>Password managers aren’t infallible. They suffer service outages like every other service. Yet, password managers ask their customers to trust them completely. They’re a single point of failure and are difficult to back up.</p> <p><a href="https://www.ctrl.blog/entry/password-manager-backup.html#src=feed">Read more …</a></p> urn:uuid:61a14de2-111b-452a-8b2d-9b0d95067495 2020-02-10T10:39:00Z 2020-02-10T10:39:00Z

OpenSMTPD recently had a critical remote code execution vulnerability. I look at how you can limit impact with systemd-service security directives.

<p>Three weeks ago, I wrote <code>systemd</code> service sandboxing and security hardening 101: an introduction to Linux security features for service processes managed by <code>systemd</code>.</p> <p><a href="https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html#src=feed">Read more …</a></p>