How to use a hardware two-factor security key - Two-factor authentication is a good way to add an extra layer of security to online accounts
Danie van der Merwe · news.movim.eu / gadgeteerza-tech-blog · 6 days ago - 14:55
It requires the use of your smartphone, however, which is not only inconvenient, but can be a problem if your phone is lost or breached. Hardware security keys can offer an additional layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs and allows the challenge, logging you in to the service.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, Reddit, and many more.
See how to set up and use them at https://www.theverge.com/22458935/two-factor-security-key-how-to-yubico
Amazon devices will soon automatically share your Internet with neighbors
news.movim.eu / ArsTechnica · Saturday, 29 May - 19:10
If you use Alexa, Echo, or any other Amazon device, you have only 10 days to opt out of an experiment that leaves your personal privacy and security hanging in the balance.
On June 8, the merchant, Web host, and entertainment behemoth will automatically enroll the devices in Amazon Sidewalk . The new wireless mesh service will share a small slice of your Internet bandwidth with nearby neighbors who don’t have connectivity and help you to their bandwidth when you don’t have a connection.
By default, Amazon devices including Alexa, Echo, Ring, security cams, outdoor lights, motion sensors, and Tile trackers will enroll in the system. And since only a tiny fraction of people take the time to change default settings, that means millions of people will be co-opted into the program whether they know anything about it or not.
Google detail 'Half-Double', a new Rowhammer vulnerability for DRAM
news.movim.eu / GamingOnLinux · Wednesday, 26 May - 09:10 · 1 minute
Is nothing sacred any more? Gosh, there's vulnerabilities everywhere. Just when you thought you were safe after updating to protect your CPU, now there's this. Thought RAM vendors had fixed Rowhammer from 2014? Think again, it's back with Half-Double .
As a reminder: Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses. It's kinda similar to the speculative execution vulnerabilities in CPUs. This newer Half-Double attack vector "capitalizes on the worsening physics of some of the newer DRAM chips" which sounds quite terrible.
Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to “transport” the Rowhammer effect of A onto C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
This is particularly harsh and will need hardware adjustments, again, to get around it. Google mentioned how it has signifiant ramifications for the entire computing industry and they want all stakeholders (that being literally everyone doing computing - server, client, mobile, automotive, IoT), to help develop a solution to this.
Find the paper on GitHub .
4 vulnerabilities under attack give hackers full control of Android devices
news.movim.eu / ArsTechnica · Wednesday, 19 May - 20:45
Unknown hackers have been exploiting four Android vulnerabilities that allow the execution of malicious code that can take complete control of devices, Google warned on Wednesday.
All four of the vulnerabilities were disclosed two weeks ago in Google’s Android Security Bulletin for May. Google has released security updates to device manufacturers, who are then responsible for distributing the patches to users.
Google’s May 3 bulletin initially didn’t report that any of the roughly 50 vulnerabilities it covered were under active exploitation. On Wednesday, Google updated the advisory to say that there are “indications” that four of the vulnerabilities “may be under limited, targeted exploitation.” Maddie Stone, a member of Google’s Project Zero exploit research group, removed the ambiguity. She declared on Twitter that the “4 vulns were exploited in-the-wild” as zero-days.
Colonial Pipeline paid a $5 million ransom—and kept a vicious cycle turning
news.movim.eu / ArsTechnica · Saturday, 15 May - 10:00
Nearly a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast , reports emerged on Friday that the company paid a 75 bitcoin ransom—worth as much as $5 million, depending on the time of payment—in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday night , the decision to give in to hackers' demands will only embolden other groups going forward. Real progress against the ransomware epidemic, experts say, will require more companies to say no.
Not to say that doing so is easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to paying. They either don't have the backups and other infrastructure necessary to recover otherwise, can't or don't want to take the time to recover on their own, or decide that it's cheaper to just quietly pay the ransom and move on. Ransomware groups increasingly vet their victims' financials before springing their traps , allowing them to set the highest possible price that their victims can still potentially afford.
How To Use Nmap (Network Mapper) – A Comprehensive Guide: Basics To Advanced
Danie van der Merwe · news.movim.eu / gadgeteerza-tech-blog · Thursday, 13 May - 12:31
Nmap is a free and open-source network discovery and security audit tool. In simple terms, network discovery is the process of finding out the devices that are on the network. Whether you are a network engineer or a penetration tester, Nmap is one of the most important tools in your arsenal.
It can help show what devices are connected to your network, can scan what ports they have got open, and also glean some additional information about these devices (eg. those -sY and -O flags). If you suspect a neighbour is using your home network, then this is a tool that will show that connected device.
It runs on Linux, MacOS and Windows and this guide really covers all the basics including the background to IP addresses and ports and how a device connects to a network.
XMPP for IoT: Visualisation of Meteorological Live Data for Renewable Energy
debacle · pubsub.movim.eu / berlin-xmpp-meetup · Tuesday, 11 May - 15:29 edit
Dan and Tim will present a beautiful web application based on Strophe.js and Flot.js to visualise live measuremen data transmitted via XMPP PubSub/PEP. This is not about instant messaging at all, this is IoT, but security included.
When? Wednesday, 2021-05-12 18:00 CEST (always 2ⁿᵈ Wednesday of every month)
Where? Online, via our MUC (xmpp:firstname.lastname@example.org?join). A Jitsi video conference will be announced there.
See you then!