urn:uuid:c9e6cf53-c741-5de5-89b5-5cd48df7a6ce Topic: Security – Ctrl blog Daniel Aleksandersen https://www.daniel.priv.no/ Copyright © 2020 Daniel Aleksandersen. https://www.ctrl.blog/assets/favicon/favicon.svg 2020-11-04T09:27:00Z weekly 10 urn:uuid:17b6eb65-ca02-4f99-8988-6bfbc3dabff7 2020-11-04T09:27:00Z 2020-11-04T09:27:00Z The entirely predictable problems with the Vulnonym naming scheme An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names. <p>Security researchers increasingly give security vulnerabilities they discover a unique and memorable name and logo. Names (and cute logos) generate more exposure for the vulnerability and the researchers who found it. The Computer Emergency Response Team Coordination Center (CERT/CC) believes this naming trend invokes “fear, uncertainty, and doubt for vendors, researchers, and the general public.” To address the situation, it has introduced Vulnonyms: a system for automatically naming vulnerabilities. What could possibly go wrong?</p> <p><a href="https://www.ctrl.blog/entry/sensational-vulnonym.html#src=feed">Read more …</a></p> urn:uuid:7b2cbb43-ea0c-4d8e-84a0-a47c6dd87146 2020-11-02T15:50:00Z 2020-11-02T15:50:00Z TeamViewer RPM repo left door open for malicious packages A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software. <p>Three months ago, I discovered a security vulnerability in TeamViewer RPM auto-updates on Linux. 
The vulnerability allowed an attacker-in-the-middle (AITM) to subvert the TeamViewer RPM package repository to install and execute arbitrary software with root permissions.</p> <p><a href="https://www.ctrl.blog/entry/teamviewer-rpm-repo-security.html#src=feed">Read more …</a></p> urn:uuid:6d646e35-c924-4ed2-83cd-47c70246a111 2020-05-26T18:31:00Z 2020-05-26T18:31:00Z Google Authenticator enables device-transfers, but no export options Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and transfer those secrets. <p>You’ve probably seen calls to “secure your account” with a second-factor authentication (2FA) app all over the web. Online services promote it as a way to improve the security of your online account. After you’ve enabled 2FA, you need to know your username and password as well as a one-time use token (a four–six digit code) generated by your 2FA app.</p> <p><a href="https://www.ctrl.blog/entry/google-authenticator-2fa-secrets.html#src=feed">Read more …</a></p> urn:uuid:d4ba67d5-78b1-45a3-ad80-958a43835501 2020-02-17T19:25:00Z 2020-02-17T19:25:00Z How to back up your password manager Plan for the day your password manager stops working. Backing up your password manager is harder than it sounds. <p>Password managers aren’t infallible. They suffer service outages like every other service. Yet, password managers ask their customers to trust them completely. They’re a single point of failure and are difficult to back up.</p> <p><a href="https://www.ctrl.blog/entry/password-manager-backup.html#src=feed">Read more …</a></p> urn:uuid:61a14de2-111b-452a-8b2d-9b0d95067495 2020-02-10T10:39:00Z 2020-02-10T10:39:00Z Limit the impact of a security intrusion with systemd directives OpenSMTPD recently had a critical remote code execution vulnerability.
I look at how you can limit impact with systemd-service security directives. <p>Three weeks ago, I wrote <code>systemd</code> service sandboxing and security hardening 101: an introduction to Linux security features for service processes managed by <code>systemd</code>.</p> <p><a href="https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html#src=feed">Read more …</a></p>