101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, that is, the oldest Polish Mastodon server. We support posts of up to 2048 characters.


#CryptoAPI

Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@cR0w" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>cR0w</span></a></span> too many.</p><ul><li>Just like there are way too many applications susceptible to the <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.space/tags/backdoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoor</span></a> of <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>.</li></ul><p><a href="http://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">http://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p><p>So far testing by <span class="h-card" translate="no"><a href="https://social.heise.de/@ct_Magazin" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ct_Magazin</span></a></span> / <span class="h-card" translate="no"><a href="https://social.heise.de/@heiseonline" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>heiseonline</span></a></span> (and myself later on) revealed only a few <a href="https://infosec.space/tags/Apps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Apps</span></a> not vulnerable to this specific <a href="https://infosec.space/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a>:</p><ul><li><a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> (uses <span class="h-card" translate="no"><a href="https://mastodon.cc/@Mozilla" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Mozilla</span></a></span> / <span class="h-card" translate="no"><a href="https://mastodon.social/@mozilla_support" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mozilla_support</span></a></span> / <a href="https://infosec.space/tags/Mozilla" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mozilla</span></a> <a href="https://infosec.space/tags/NSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSS</span></a> &amp; has its own <a href="https://infosec.space/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> certificate storage)</li><li><span class="h-card" translate="no"><a href="https://mastodon.online/@thunderbird" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>thunderbird</span></a></span> (Mozilla NSS)</li><li><span class="h-card" translate="no"><a href="https://mastodon.social/@torproject" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>torproject</span></a></span> / <a href="https://infosec.space/tags/TorBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TorBrowser</span></a> (Mozilla NSS; custom certificates)</li><li><a href="https://infosec.space/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> (uses <span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> <a href="https://infosec.space/tags/WolfSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WolfSSL</span></a> and manages its own certs)</li></ul><p>Anything else that uses the CryptoAPI is, especially all <a href="https://infosec.space/tags/Chromium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chromium</span></a> forks (aka all browsers except Firefox, Tor Browser, <a href="https://infosec.space/tags/dillo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dillo</span></a>, <a href="https://infosec.space/tags/LynxBrowser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LynxBrowser</span></a>…)</p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://mas.to/@tokyo_0" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tokyo_0</span></a></span> <a href="https://infosec.space/tags/TrueCrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TrueCrypt</span></a> is <a href="https://infosec.space/tags/abandonware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>abandonware</span></a> with serious security issues. </p><ul><li><em>DO NOT USE TRUECRYPT FFS!!!</em></li></ul><p>Use <a href="https://infosec.space/tags/VeraCrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VeraCrypt</span></a> or even better: migrate machines to <a href="https://infosec.space/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> and use <a href="https://infosec.space/tags/LUKS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LUKS</span></a> / <a href="https://infosec.space/tags/dmcrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dmcrypt</span></a> instead, as it's the best option at hand.</p><ul><li>If you need to shuttle data to <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> and <a href="https://infosec.space/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>macOS</span></a> machines and using <a href="https://infosec.space/tags/SFTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SFTP</span></a> / <a href="https://infosec.space/tags/SSHFS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSHFS</span></a> to mount a secure storage over the network isn't an option, then you're stuck with VeraCrypt, as <a href="https://infosec.space/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a>' <a href="https://infosec.space/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> is evidently <a href="https://infosec.space/tags/backdoored" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>backdoored</span></a> to the point that every <a href="https://infosec.space/tags/Browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Browser</span></a> except <a href="https://infosec.space/tags/Firefox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Firefox</span></a> is susceptible to <a href="https://infosec.space/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> hijacking with background updates...</li></ul><p><a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
xoron :verified:<p>"Encryption at Rest" for JavaScript Projects</p><p>Following a previous post (<a href="https://infosec.exchange/@xoron/113446067764347249" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@xoron/113446</span><span class="invisible">067764347249</span></a>), which can be summarized as: I'm tackling state management with an extra twist: integrating encryption at rest!</p><p>I created some updates to the WIP pull request. The behavior is as follows.</p><p>- The user is prompted for a password if one isn't provided programmatically.<br> - This will allow developers to create custom password prompts in their application. The default fallback is to use a JavaScript prompt().<br> - It also seems possible to enable something like "fingerprint/face encryption" for some devices using the WebAuthn API. (This works, but the functionality is a bit flaky and needs to be fixed before rolling out.)<br>- Using AES-GCM with 1000000 iterations of PBKDF2 to derive the key from the password.<br> - The iterations can be increased in exchange for slower performance. It isn't currently configurable, but it might be in the future.<br> - The salt and AAD need to be deterministic, so to simplify user input, the salt and AAD are derived as the sha256 hash of the password. (Is this a good idea?)</p><p>The latest version of the code can be seen in the PR: <a href="https://github.com/positive-intentions/dim/pull/9" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/positive-intentions</span><span class="invisible">/dim/pull/9</span></a></p><p>I'm keen to get feedback on the approach and the implementation before I merge it into the main branch.</p><p><a href="https://infosec.exchange/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://infosec.exchange/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Encryption</span></a> <a href="https://infosec.exchange/tags/IndexedDB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IndexedDB</span></a> <a href="https://infosec.exchange/tags/WebDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDevelopment</span></a> <a href="https://infosec.exchange/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.exchange/tags/FrontendDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FrontendDev</span></a> <a href="https://infosec.exchange/tags/ReactHooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReactHooks</span></a> <a href="https://infosec.exchange/tags/StateManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StateManagement</span></a> <a href="https://infosec.exchange/tags/WebSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSecurity</span></a> <a href="https://infosec.exchange/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://infosec.exchange/tags/PersonalProjects" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PersonalProjects</span></a></p>
xoron :verified:<p>"Encryption at Rest" for JavaScript Projects</p><p>I'm developing a JavaScript UI framework for personal projects, and I'm tackling state management with an extra twist: integrating encryption at rest!</p><p>Inspired by this React Hook: Async State Management (<a href="https://positive-intentions.com/blog/async-state-management" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">positive-intentions.com/blog/a</span><span class="invisible">sync-state-management</span></a>), I’m extending it to support encrypted persistent data. Here's how:</p><p>✨ The Approach:</p><p>Using IndexedDB for storage.</p><p>Data is encrypted before saving and decrypted when loading using the Browser Cryptography API.</p><p>Event listeners will also be encrypted/decrypted to avoid issues like browser extensions snooping on events.</p><p>The password (should never be stored) is entered by the user at runtime to decrypt the data. (Currently hardcoded for now!)</p><p>The salt will be stored unencrypted in IndexedDB to generate the key.</p><p>🔗 Proof of Concept:<br>You can try it out here: GitHub PR (<a href="https://github.com/positive-intentions/dim/pull/8" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/positive-intentions</span><span class="invisible">/dim/pull/8</span></a>). Clone or run it in Codespaces and let me know what you think!</p><p>❓ Looking for Feedback:<br>Have I missed anything? Are there better ways to make this storage secure?</p><p>Let's make secure web UIs a reality together! 
🔒</p><p><a href="https://infosec.exchange/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a> <a href="https://infosec.exchange/tags/Encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Encryption</span></a> <a href="https://infosec.exchange/tags/IndexedDB" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IndexedDB</span></a> <a href="https://infosec.exchange/tags/WebDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDevelopment</span></a> <a href="https://infosec.exchange/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> <a href="https://infosec.exchange/tags/FrontendDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FrontendDev</span></a> <a href="https://infosec.exchange/tags/ReactHooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ReactHooks</span></a> <a href="https://infosec.exchange/tags/StateManagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>StateManagement</span></a> <a href="https://infosec.exchange/tags/WebSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSecurity</span></a> <a href="https://infosec.exchange/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://infosec.exchange/tags/PersonalProjects" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PersonalProjects</span></a></p>
Kevin Karhan :verified:<p><span class="h-card"><a href="https://social.tchncs.de/@kuketzblog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>kuketzblog</span></a></span> <span class="h-card"><a href="https://mastodon.social/@heiseonline" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>heiseonline</span></a></span> <span class="h-card"><a href="https://social.tchncs.de/@heise_security" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>heise_security</span></a></span> <br>The same applies to <a href="https://mstdn.social/tags/GAFAM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GAFAM</span></a>, which, thanks to the <a href="https://mstdn.social/tags/CloudAct" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudAct</span></a>, are inherently unable to provide any <a href="https://mstdn.social/tags/DSGVO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DSGVO</span></a> &amp; <a href="https://mstdn.social/tags/BDSG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BDSG</span></a> compliance!</p><p><a href="https://mstdn.social/tags/Office365" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Office365</span></a> / <a href="https://mstdn.social/tags/Microsoft365" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft365</span></a>, <a href="https://mstdn.social/tags/GoogleDocs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleDocs</span></a> / <a href="https://mstdn.social/tags/GoogleWorkspace" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleWorkspace</span></a>, etc. cannot be used legally, just like their standalone software such as <a href="https://mstdn.social/tags/Windows" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Windows</span></a> &amp; <a href="https://mstdn.social/tags/Office" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Office</span></a>, because those also have <a href="https://mstdn.social/tags/Govware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Govware</span></a> <a href="https://mstdn.social/tags/Backdoors" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoors</span></a>! </p><p>See <a href="https://mstdn.social/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a>: <br><a href="https://github.com/kkarhan/windows-ca-backdoor-fix" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/kkarhan/windows-ca-</span><span class="invisible">backdoor-fix</span></a></p>
tricia, queen of house cyberly :verified_paw: :donor:<p>Alrighty nerds, strap in - got another <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> vulnerability write-up, hot off the press!<br>&nbsp;<br>You may remember the vulnerability disclosed by the <a href="https://infosec.exchange/tags/NCSC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NCSC</span></a> and <a href="https://infosec.exchange/tags/NSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSA</span></a> to Microsoft about <a href="https://infosec.exchange/tags/CryptoAPI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptoAPI</span></a> (CVE-2022-34689), which can lead to masquerading as legitimate entities (such as Google or Microsoft).<br>&nbsp;<br>We analyzed and exploited it. Pretty neat. </p><p>In the PoC, you can see the source code for how it could be exploited in the wild using an old version of Chrome.<br>&nbsp;<br>Link to write-up: <a href="https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">akamai.com/blog/security-resea</span><span class="invisible">rch/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi</span></a></p><p>Link to GitHub repo: <a href="https://github.com/akamai/akamai-security-research/tree/main/PoCs/CVE-2022-34689" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/akamai/akamai-secur</span><span class="invisible">ity-research/tree/main/PoCs/CVE-2022-34689</span></a></p><p>Awesome work Tomer and <span class="h-card"><a href="https://infosec.exchange/@yoni" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>yoni</span></a></span>!!!</p><p><a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/Research" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Research</span></a> <a href="https://infosec.exchange/tags/SecurityResearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SecurityResearch</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>