friendica.prankgo.de


Items tagged with: security

#unitoodailynews, #email, #security, #protonmail We support stronger privacy regulations in California - ProtonMail Blog
We support stronger privacy regulations in California
 
Subdomain Takeover: Microsoft loses control over Windows Tiles #Windows #Azure #Datensicherheit #Sicherheitslücke #WebService #RSS #Technologie #Microsoft #Internet #Security
 
Subdomain Takeover: Microsoft loses control over Windows tiles #Windows #Azure #Datensicherheit #Sicherheitslücke #RSS #Technologie #Microsoft #Internet #Security
 
Google ruling: Clicking a privacy policy is not consent #Verbraucherschutz #Cookies #DSGVO #Datenschutz #Datensicherheit #VZBV #Google #Internet #PolitikRecht #Security
 
Adblock Plus: Adblock filter rules can execute code #AdBlocker #AdblockPlus #Datensicherheit #Javascript #Sicherheitslücke #Google #Technologie #Applikationen #Internet #Security
 

The Mathematics of (Hacking) Passwords - Scientific American

A very long read, but one that everyone who uses passwords on any device should read, study, and understand.

#security #passwords #encrypt #decrypt #hacking #mathematics #infosec
 
Part of the theory of letting big companies handle things is that they can do your security properly for you. That presumably is why hackers have been able to read Outlook, Hotmail and MSN emails for 3 months using what, if reported correctly, was a single hacked customer support account.

Think about that... one customer support account, three months to notice. What kind of process failure allows even legitimate staff that level of access without enough logging to sound alarms? How many legitimate staff have that level of access? How many of them actually work for security agencies or organized criminals on the side?

As with a lot of vulnerabilities and big hacks, the big questions seem to be about process. When a company employee leaves a thousand email addresses on a USB stick, the question really shouldn't be 'how could they be so stupid?' It should be 'how did the systems in place allow it to even happen?'

When it's Outlook and Microsoft there are some very serious process questions begging to be answered.

https://www.cnet.com/news/microsoft-outlook-hack-gave-full-access-to-email-contents/

#microsoft #outlook #security
 
Dragonblood: Security vulnerabilities in WPA3 #WPA3 #BruteForce #Datensicherheit #ElliptischeKurven #Krack #Passwort #Sicherheitslücke #Applikationen #Security
 
Microsoft's Outlook.com: Unauthorized parties had full access to other people's e-mails #Security #Cookies #Datenschutz #Datensicherheit #Hacker #Microsoft #Internet
 
Zero-day: Internet Explorer allows files to be read #InternetExplorer #Browser #Datensicherheit #Sicherheitslücke #Windows #Microsoft #Security
 
Who actually has access to your Google account? Better check: bit.ly/2H0OHpC And enable two-factor authentication! #security
 
Microsoft's Outlook.com: Unauthorized parties had access to customer data for three months #Security #Cookies #Datenschutz #Datensicherheit #Hacker #Microsoft #Internet
 
At least 276 girls were taken from the government secondary school in Chibok town by Boko Haram in 2014. #Nigeria #BokoHaram #Africa #Security
 
Russia says it wants to help establish peace in CAR, but others believe it may exploit resources and cause instability. #Russia #CentralAfricanRepublic #Military #HumanRights #Africa #Security #VladimirPutin #War&Conflict
 
About $20 million went toward security for Mark Zuckerberg and his family, up from about $9 million the prior year. #MarkZuckerberg #Facebook #Socialmedia #Security
 

40 Linux Server Hardening Security Tips

Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for the security of the Linux box. In this first part of a Linux server security series, I will provide 40 hardening tips for a default installation of a Linux system.
https://www.cyberciti.biz/tips/linux-security.html
#Linux #Server #Security #Monitoring #Hardening
Doctors were heading to work in Mandera when abductors ambushed them, killing a police escort officer, officials say. #Kenya #Al-Shabab #Africa #Somalia #Security
 

We have discovered and addressed a security breach - Matrix

https://matrix.org/blog/2019/04/11/security-incident/

If you have ever had an account on the matrix.org server, please reset the password and also any other sites passwords if you used the same password elsewhere.

More details by the team to follow.

#security #infosec #matrix
 
Matrix.org publishes timeline after security breach:

https://matrix.org/blog/2019/04/11/security-incident/

– the attacker exploited vulnerabilities in Jenkins
– the attacker had full database access, including access to unencrypted content like private messages, password hashes, access tokens
– Matrix.org recommends changing your password (including NickServ password)

#matrix #breach #infosec #cybersecurity #security
 
#unitoodailynews, #email, #security, #protonmail How to stop the 6 most common types of cyber crime methods against businesses - ProtonMail Blog
How to stop the 6 most common types of cyber crime methods against businesses
 
MTA-STS: Gmail supports encryption between mail servers #Gmail #Datensicherheit #E-Mail #Man-in-the-Middle #TLS #Verschlüsselung #Google #Internet #Security
 
Settlement: Yahoo to pay 118 million US dollars for hacks #Yahoo #Datensicherheit #Hacker #Passwort #Verizon #Internet #Security
 
From SHA-1 to SHA-2: Second patch for the Windows Update transition released #SHA-1 #Datensicherheit #Patchday #Windows #Windows7 #Server #Microsoft #Security
 
Triton: Malware can damage power plants #Malware #Datensicherheit #Keylogger #SiS #Stuxnet #Virus #Applikationen #Security
 
Adobe Patch Day: The last Shockwave security update is here #Flash #Datensicherheit #Patchday #Photoshop #Adobe #Applikationen #Security
 
US #SecretService captures a potential Chinese agent with a USB thumb drive in #Trump's Mar-a-Lago. Guess what they did with the thumb drive? Put it in their #Windows computer. 🤦
https://www.miamiherald.com/news/politics-government/article228963409.html
#security
 
Telemetry data: EU examines data protection in Microsoft products #Windows10 #Cookies #DSGVO #Datenschutz #Datensicherheit #EFF #Office-Suite #Windows #Microsoft #Security
 
Surveillance: New York real-time facial recognition project fails #Gesichtserkennung #Datenschutz #Datensicherheit #Privatsphäre #PolitikRecht #Security
 
Security problems: Weak passwords among doctors #Medizin #BSI #Datensicherheit #Passwort #Phishing #Sicherheitslücke #TLS #Security
 
Encryption: Trouble for the PGP keyservers #OpenPGP #Datensicherheit #PGP #Server-Applikationen #Verschlüsselung #Server #Applikationen #Internet #Security
 
#unitoodailynews, #email, #security, #protonmail ProtonMail supports data journalists through the European Journalism Centre - ProtonMail Blog
ProtonMail supports data journalists through the European Journalism Centre
 
White hat hacking: Getting into university networks in under two hours #Hacker #BBC #Datensicherheit #Malware #Sicherheitslücke #Applikationen #Security #Wissenschaft
 
A Listening Post special on migration and the media's role in framing this era-defining story. #Media #UnitedStates #Immigration #RefugeeCrisis #HumanRights #US&Canada #Security #Refugees #DonaldTrump #Europe
 
Linux vendor: Purism partners with Private Internet Access for VPN #Purism #Datensicherheit #EFF #Linux #Smartphone #VPN #librem5 #Handy #OpenSource #Security
 
Hacker attack: Winnti in Bayer's corporate network #Malware #Anti-Virus #Datensicherheit #Hacker #Phishing #Sicherheitslücke #Trojaner #Virus #Applikationen #Security
 
Data leak: User data from Facebook apps unprotected on the Internet #Facebook #App #Datenschutz #Datensicherheit #SozialesNetz #Internet #Security
 

EU and US government agencies converge on conclusion: US cloud platforms not GDPR compliant

We have covered the risks of public clouds frequently and governments seem to take notice. While the German Federal Government has already decided to rely on a Nextcloud-provided, private cloud solution, other governments are still searching. Many rely on US cloud services and, like the Dutch recently found out, have to conclude that these leak data. Now the Swedish government has essentially concluded US clouds are not GDPR compliant while US privacy regulators admit they haven’t been able to do any oversight in the last two years.

It is time to take back control over enterprise data in Europe!

Incidents and reports


The Dutch incident, involved data, including what people wrote in documents and the subject of emails, being collected on US servers for diagnostic purposes. A report from the ministry of Justice noted that the use of Microsoft’s solution “brought high risk for the privacy of the users”.

In Sweden, the government procurement office published a report which confirmed that the use of services delivered by US controlled entities is in breach of GDPR Articles 44 to 50 in many ways.

Now, the US government’s Privacy and Civil Liberties Oversight Board (PCLOB) has published a set of statements made by the members of the board. From the statements, it appears that PCLOB hasn’t been able to operate to its full capacity and exercise its oversight duties: for 20 months the board had no quorum, it has insufficient funding and it doesn’t receive the information it is entitled to from the Intelligence Community which would allow it to perform its duties.

The statements confirm also that several intelligence operations affecting EU citizens have been ongoing:
“The permitted purpose of surveillance under E.O. 12333 is quite broad, encompassing all activities and intentions of non-U.S. persons. This broad authority has resulted in broad surveillance programs, including ‘Co-Traveler’, through which the U.S. captured billions of location updates daily from mobile phones around the world, and ‘Muscular’, through which the NSA intercepted all data transmitted between certain Google and Yahoo! data centers outside the U.S.”

In another section the collection from third party “data brokers”, that could be anything from credit rating agencies to web sites analytics, used for “big data” analysis has drawn their attention:
“We are particularly concerned with the possible disclosure by data brokers to governmental entities of metadata which, if sought by the government directly from a communications service provider, could not be disclosed to governmental entities without legal process.”

The board noted they only knew what was happening due to the Snowden revelations and they have since been kept in the dark: “Now, nearly six years removed from the Snowden revelations, we are receiving very little new information.” Moreover: “Although the government often defends its foreign intelligence surveillance authorities as important tools in its effort to detect and prevent terrorism, the reality is that the authorities sweep far more broadly.” So what else is collected and what is it used for? “The extent of the government’s use of its surveillance authorities to target journalists, dissidents, and others not engaged in wrongdoing is not known.”

Europe has noticed


It is probably not a big surprise that the current situation hasn’t gone entirely unnoticed. The European Data Protection Board (EDPB) stated in January of this year: “As a conclusion, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it can thus not state that the Ombudsperson can be considered an ‘effective remedy before a tribunal’ in the meaning of Art. 47 of the Charter of Fundamental Rights.”

And Giovanni Buttarelli, European Data Protection Supervisor (EDPS), stated in a recent interview:
“At the moment there is too much power in the hands of a few mega tech companies and governments. We need to decentralise the internet, give more power to people over their digital lives. Engineers have a valid voice but they need to be part of a conversation with lawyers, ethicists, experts from the humanities. IPEN, our initiative, seeks to do this.”

It isn’t unlikely action will come – for example, a challenge to the Privacy Shield regulation. If that goes through, companies currently betting on it will have to scramble to find other vendors and get their data back in Europe.

What does it all mean


Recapping the statements by the US and EU government, we can conclude:
  • The US’ oversight with regard to privacy and surveillance is severely lacking, or entirely absent.
  • What they can tell us is that:
    • There is ongoing data collection of European Citizens
    • That data is collected far beyond what would be needed for anti-terrorism purposes, but it is unclear what it is used for
    • The collections and disclosures include data from ‘data brokers’, think Google, Facebook, credit card companies and so on
  • European institutions are slowly figuring this out.
    • Germany is moving to a self-hosted, federal cloud
    • Sweden has concluded that the use of US cloud services is not GDPR compliant
    • Pan-European organizations like European Data Protection Board and the European Data Protection Supervisor are also warning about it
It seems safe to say that, given the problem is now widely acknowledged, organizations still putting sensitive data abroad face a growing legal risk and should be searching for solutions that keep data under their control.

How to avoid the risks


Self-hosting data continues to be the easiest way to be compliant with privacy regulations. Of course, self-hosted solutions have to be competitive with the cloud services offered by US vendors.

By providing an extensible, flexible content collaboration platform, Nextcloud offers a solution for organizations looking to modernize while not losing control over their data.

Nextcloud makes data available to users wherever it is. No need for new storage solutions or moving all data over. Easy integration and quick deployment brings organizations immediately in a compliant, secure state.

Secure with a low barrier to entry


Its familiar, easy to use interface on web, mobile and desktop allows users to work efficiently and be confident everybody has access to the same, latest version of data. Its enterprise capabilities ensure IT maintains full control over sharing, retention and availability of data within and across the boundaries of the organization.

Decentralized and hybrid


Last but not least, Nextcloud is a perfect fit for a Hybrid Cloud strategy, enabling universal access to data irrespective of where it is stored: on an internal network, in the cloud or even at a partner. Through Global Scale, it is possible to host multiple separate Nextcloud servers to ensure data locality rules are met, while inter-server sharing and encryption of unsafe storage ensure data is both safe and seamlessly accessible at all times.


Why self-hosting?

Simply keeping your data behind your company firewall rather than the cloud makes compliance and security easy.

With Nextcloud, you don’t lose the benefits of modern cloud collaboration and team productivity!


Why file sync and share?

Your FTP or Windows Network Drive simply don’t suffice – employees work around, rather than with them, using Dropbox and other unsafe solutions.

Nextcloud puts your IT back in control over your data.


Why Nextcloud?

Nextcloud provides a unique combination of security and control over data without compromising usability.

Being open source means no vendor lock in and an unprecedented degree of integration in enterprise infrastructure.

Fast deployment: secure your data now

Nextcloud is famously easy to deploy and easy to use, a key reason behind its market leadership.

Learn more about how Nextcloud solves the problem of unsecured and uncontrolled sharing of data in modern organizations.

Thanks to Paolo Vecchi for his research
#blog, #business, #security
 

The ShadowHammer Attack - 1 Million Asus computers affected shows proprietary is no better than open source - But maybe what you don't see won't hurt you?

Cyber-security and antivirus company Kaspersky dropped a bomb on Asus laptop users this week, revealing that malware was distributed through the Asus Live Update utility. It masqueraded as a legitimate security update, and even boasted a "verified" certificate -- hosted on Asus servers -- to make it appear valid. Kaspersky has deemed this attack "one of the biggest supply-chain incidents ever." Such attacks spiked 78% between 2017 and 2018. This shouldn't raise alarms for just Asus users. It should prompt you to seriously consider whether you want Windows on your PC. Because the possibility of this ever happening on a desktop Linux OS like Ubuntu is minuscule.

What's even more frightening is that Kaspersky discovered the same type of technique used against the Asus Live Update software was also leveraged against three other vendors. The company promised to reveal more substantial information at an upcoming Security Analyst Summit in Singapore.

For Linux: In a nutshell, this means even if a trusted developer is compromised, there are various other individuals who will likely take notice. But even that isn't enough, so Canonical takes things a step further.

"From an end-user point of view, Ubuntu uses a signed archive approach where each package is cryptographically hashed and the list of hashes signed in such a manner that our package manager will not install packages which fail the signature and integrity checks," Murray explains.

This means that even if an Ubuntu mirror (an external software source not directly managed by Canonical) was compromised and someone uploaded malicious copies of packages there, it would fail the signature check and would not be installed.

One Linux distro Pop!_OS, uses the power of blockchain to ensure that the firmware updates being delivered to its users have no possible way of being manipulated.

See https://www.forbes.com/sites/jasonevangelho/2019/03/29/shadowhammer-asus-1-million-reasons-switch-from-windows-to-linux/

#security #linux #shadowhammer
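The signed-archive scheme Murray describes, worked through as an added example in Go. This is not code from the post, from Forbes, or from Canonical's tooling, and the key, package names and package contents are constructed for illustration; apt's real on-disk formats (Release/InRelease, Packages) differ in detail. The point it demonstrates is the trust boundary: only the hash list is signed, so a mirror that swaps a package body fails the hash check, and a mirror that rewrites the hash list fails the signature check, because it does not hold the archive key pinned on the client.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Manifest maps a package name to the hex SHA-256 of its contents. It plays the
// role of the archive's hash list: the list is signed, the packages are not.
type Manifest map[string]string

// Marshal renders the manifest in a canonical (sorted) order so the signer and
// the verifier operate on exactly the same bytes.
func (m Manifest) Marshal() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s %s\n", m[n], n)
	}
	return buf.Bytes()
}

// ParseManifest reads lines of "<hex-sha256> <name>" back into a Manifest.
func ParseManifest(data []byte) (Manifest, error) {
	m := Manifest{}
	sc := bufio.NewScanner(bytes.NewReader(data))
	for sc.Scan() {
		var sum, name string
		if _, err := fmt.Sscanf(sc.Text(), "%s %s", &sum, &name); err != nil {
			return nil, fmt.Errorf("malformed manifest line %q", sc.Text())
		}
		m[name] = sum
	}
	return m, sc.Err()
}

// BuildManifest is the archive owner's release step: hash every package body.
func BuildManifest(pkgs map[string][]byte) Manifest {
	m := Manifest{}
	for name, body := range pkgs {
		sum := sha256.Sum256(body)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest signs the canonical manifest bytes with the archive's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte) {
	manifest = m.Marshal()
	return manifest, ed25519.Sign(priv, manifest)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrNotListed    = errors.New("package is not listed in the signed manifest")
	ErrHashMismatch = errors.New("package contents do not match the signed hash")
)

// VerifyPackage is the client step, run before anything is unpacked. manifest and
// sig are whatever the mirror served; pub is the archive key pinned on the client.
func VerifyPackage(pub ed25519.PublicKey, manifest, sig []byte, name string, body []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature // a mirror cannot forge this without the archive key
	}
	m, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := m[name]
	if !ok {
		return ErrNotListed
	}
	sum := sha256.Sum256(body)
	if hex.EncodeToString(sum[:]) != want {
		return ErrHashMismatch // package body was swapped on the mirror
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample archive: fake names and bodies, not real packages.
	pkgs := map[string][]byte{"openssl_1.1.1.deb": []byte("good build"), "curl_7.64.deb": []byte("also good")}
	manifest, sig := SignManifest(priv, BuildManifest(pkgs))
	fmt.Println("genuine:          ", VerifyPackage(pub, manifest, sig, "openssl_1.1.1.deb", pkgs["openssl_1.1.1.deb"]))
	fmt.Println("tampered body:    ", VerifyPackage(pub, manifest, sig, "openssl_1.1.1.deb", []byte("backdoored build")))
	forged := BuildManifest(map[string][]byte{"openssl_1.1.1.deb": []byte("backdoored build")}).Marshal()
	fmt.Println("tampered manifest:", VerifyPackage(pub, forged, sig, "openssl_1.1.1.deb", []byte("backdoored build")))
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before the manifest is parsed, so a malicious mirror never gets to feed unauthenticated data into the parser. ShadowHammer is the counter-case this scheme does not cover: there the signing key itself (or the build system behind it) was under the attacker's control, so the signature was valid and only reproducible builds or transparency logs would have revealed the swap.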

 

Why build your own homebrew Linux router? Well for extremely high performance and security!

Security isn't something you tack on after the fact, or build on with a few thousand more lines of code. Security is a mindset, and it's a design — it's something you build in from the foundation. Heightened security is actually the entire reason why this author built his own personal bare Linux router.

Proprietary router firmware often goes months or years between upgrades — and when it does upgrade, it's more frequently to add some shiny to the UI—more than likely introducing more bugs — than to fix security problems. Open source firmware isn't really in much better territory. DD-WRT is one of the most popular, and while it has a new (and incredibly bug-ridden) beta release every few weeks, the project hasn't had a stable release in eight years. Eight years! pfSense is pretty much the darling of the industry, and rightly so — but it's still a big, complex pile of moving parts with web interface and pretty graphs and bits and bobs to toggle and you're never going to truly know everything that it's doing — you click the boxes in the web UI and you assume it's doing what you told it to, which is already pretty far abstracted from the reality of the underlying configs. It also goes months (or longer) between firmware updates being made available, with (again) no real guarantee that an update won't change major parts of the UI and the capabilities, not just fix bugs.

A homebrew router (or one a company builds itself) is going to be barebones, but you will know every moving part, and it will get regular patches and updates. Maybe the typical home user is not going to want to do this, but what if your company is serious about performance and security? Maybe designing this as a standard and rolling it out to a few routers in use is going to make a big difference. For a start, your company won't be using a typical standard vendor X router with known vulnerabilities - you become an "unknown".

See https://opensource.com/life/16/6/why-i-built-my-own-linux-router

#security #router #homebrew

 
#unitoodailynews, #email, #security, #protonmail Top cyber security solutions for small businesses - ProtonMail Blog
Top cyber security solutions for small businesses
 
Data protection: Facebook demanded the password to a private e-mail account #Facebook #Datenschutz #Datensicherheit #E-Mail #Passwort #SozialesNetz #Internet #Security
 
Single sign-on: NetID launches developer portal #Identitätsmanagement #Cookies #DSGVO #Datenschutz #Datensicherheit #E-Commerce #Privatsphäre #RTL #Tracking #Security
 
MXSS: Cross-site scripting in Google Search #Javascript #Datensicherheit #GoogleClosure #HTML #Sicherheitslücke #Google #Server #Technologie #Applikationen #Security
 
Security patch: Google fixes Qualcomm vulnerabilities in April #Android #AOSP #Datensicherheit #Sicherheitslücke #Security
 
Vulnerability: Users of the Apache web server can gain root privileges #Apache #Datensicherheit #Server-Applikationen #Sicherheitslücke #Server #Technologie #Applikationen #Internet #Security
 
BeA: Lawyers' electronic mailbox to be put out to tender again #BeA #Atos #Datensicherheit #Ende-zu-Ende-Verschlüsselung #Verschlüsselung #Applikationen #Internet #PolitikRecht #Security
 
Security: Tesla Autopilot can be steered into oncoming traffic #Tesla #Auto #Datensicherheit #Elektroauto #Elektromobilität #Nachhaltigkeit #Technologie #Security #Wissenschaft
 
Official says Trump administration overruled experts to give security clearances to dozens of people, including Kushner #Security #UnitedStates #DonaldTrump #US&Canada
 
SR20: Zero-day vulnerability in TP-Link router #Router-Lücke #Datensicherheit #Netzwerk #Router #Sicherheitslücke #SmartHome #TP-Link #Security
 