Topic: Security – Ctrl blog
Daniel Aleksandersen, https://www.daniel.priv.no/
Copyright © 2021 Daniel Aleksandersen. Feed last updated 2021-05-14T10:11:00Z.

Your clipboard is only as secure as your device
Published 2021-05-14T10:11:00Z
A review/critique of the complexity, security, and unpredictable user experience of modern feature-laden copy–paste clipboards in today’s operating systems.

The system clipboard is part of every modern operating system. It lets us copy and paste text, images, files, and data between different applications. Like everything else these days, it’s increasingly getting tied up with other people’s servers (“the cloud”). So, what does that mean for your clipboard privacy?

Read more: https://www.ctrl.blog/entry/clipboard-security.html#src=feed

Superfeedr sends logins in plain-text (a HSTS case study)
Published 2021-04-22T01:55:00Z, updated 2021-04-24T00:59:00Z
Superfeedr tried securing its website with HTTPS and HSTS (HTTP Strict Transport Security), but failed to apply it correctly. User emails and credentials are sent in plain-text on the first login.

I recently signed up for an account with Superfeedr (a WebSub Hub provider). I noticed a security issue in the sign-up process, and thought it would make an excellent case study for HTTP Strict Transport Security (HSTS). Here’s what Superfeedr did wrong, why they probably didn’t realize it, and how you can avoid making the same mistake in the future.

Read more: https://www.ctrl.blog/entry/superfeedr-hsts-oopsie.html#src=feed

The entirely predictable problems with the Vulnonym naming scheme
Published 2020-11-04T09:27:00Z
An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.

Security researchers increasingly give the security vulnerabilities they discover a unique and memorable name and logo. Names (and cute logos) generate more exposure for the vulnerability and the researchers who found it. The Computer Emergency Response Team Coordination Center (CERT/CC) believes this naming trend invokes “fear, uncertainty, and doubt for vendors, researchers, and the general public.” To address the situation, it has introduced Vulnonyms: a system for automatically naming vulnerabilities. What could possibly go wrong?

Read more: https://www.ctrl.blog/entry/sensational-vulnonym.html#src=feed

TeamViewer RPM repo left door open for malicious packages
Published 2020-11-02T15:50:00Z
A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer’s GPG keys and software with its own.

Three months ago, I discovered a security vulnerability in TeamViewer RPM auto-updates on Linux. The vulnerability allowed an attacker-in-the-middle (AITM) to subvert the TeamViewer RPM package repository to install and execute arbitrary software with root permissions.

Read more: https://www.ctrl.blog/entry/teamviewer-rpm-repo-security.html#src=feed

Google Authenticator enables device-transfers, but no export options
Published 2020-05-26T18:31:00Z
Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and transfer those secrets.

You’ve probably seen calls to “secure your account” with a second-factor authentication (2FA) app all over the web. Online services promote it as a way to improve the security of your online account. After you’ve enabled 2FA, you need to know your username and password as well as a one-time-use token (a four- to six-digit code) generated by your 2FA app.

Read more: https://www.ctrl.blog/entry/google-authenticator-2fa-secrets.html#src=feed