urn:uuid:c9e6cf53-c741-5de5-89b5-5cd48df7a6ce
Topic: Security – Ctrl blog
Daniel Aleksandersen
https://www.daniel.priv.no/
Copyright © 2020 Daniel Aleksandersen.
2020-11-04T09:27:00Z
urn:uuid:17b6eb65-ca02-4f99-8988-6bfbc3dabff7
2020-11-04T09:27:00Z
2020-11-04T09:27:00Z
The entirely predictable problems with the Vulnonym naming scheme
An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.
<p>Security researchers increasingly give security vulnerabilities they discover a unique and memorable name and logo. Names (and cute logos) generate more exposure for the vulnerability and the researchers who found it. The Computer Emergency Response Team Coordination Center (CERT/CC) believes this naming trend invokes “fear, uncertainty, and doubt for vendors, researchers, and the general public.” To address the situation, it has introduced Vulnonyms: a system for automatically naming vulnerabilities. What could possibly go wrong?</p> <p><a href="https://www.ctrl.blog/entry/sensational-vulnonym.html#src=feed">Read more …</a></p>
urn:uuid:7b2cbb43-ea0c-4d8e-84a0-a47c6dd87146
2020-11-02T15:50:00Z
2020-11-02T15:50:00Z
TeamViewer RPM repo left door open for malicious packages
A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.
<p>Three months ago, I discovered a security vulnerability in TeamViewer RPM auto-updates on Linux. The vulnerability allowed an attacker-in-the-middle (AITM) to subvert the TeamViewer RPM package repository to install and execute arbitrary software with root permissions.</p> <p><a href="https://www.ctrl.blog/entry/teamviewer-rpm-repo-security.html#src=feed">Read more …</a></p>
urn:uuid:6d646e35-c924-4ed2-83cd-47c70246a111
2020-05-26T18:31:00Z
2020-05-26T18:31:00Z
Google Authenticator enables device-transfers, but no export options
Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and transfer those secrets.
<p>You’ve probably seen calls to “secure your account” with a second-factor authentication (2FA) app all over the web. Online services promote it as a way to improve the security of your online account. After you’ve enabled 2FA, you need to know your username and password as well as a one-time use token (a four–six digit code) generated by your 2FA app.</p> <p><a href="https://www.ctrl.blog/entry/google-authenticator-2fa-secrets.html#src=feed">Read more …</a></p>
urn:uuid:d4ba67d5-78b1-45a3-ad80-958a43835501
2020-02-17T19:25:00Z
2020-02-17T19:25:00Z
How to back up your password manager
Plan for the day your password manager stops working. Backing up your password manager is harder than it sounds.
<p>Password managers aren’t infallible. They suffer service outages like every other service. Yet, password managers ask their customers to trust them completely. They’re a single point of failure and are difficult to back up.</p> <p><a href="https://www.ctrl.blog/entry/password-manager-backup.html#src=feed">Read more …</a></p>
urn:uuid:61a14de2-111b-452a-8b2d-9b0d95067495
2020-02-10T10:39:00Z
2020-02-10T10:39:00Z
Limit the impact of a security intrusion with systemd directives
OpenSMTPD recently had a critical remote code execution vulnerability. I look at how you can limit impact with systemd-service security directives.
<p>Three weeks ago, I wrote <code>systemd</code> service sandboxing and security hardening 101: an introduction to Linux security features for service processes managed by <code>systemd</code>.</p> <p><a href="https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html#src=feed">Read more …</a></p>