Archiv: flaws / loopholes / vulnerabilities / backdoors (technics) / Schwachstellen / Schlupflöcher / Sicherheitslücken / Hintertüren (Technik)


24.09.2021 - 15:42 [ ORF.at ]

EU erhielt die zwölfte Cybersicherheitsorganisation

(04.07.2021)

Ein aktuelles, schlagendes Beispiel dafür ist die Neufassung der deutschen Cybersicherheitsstrategie. In Deutschland ist es Teil dieser Strategie, gewisse neuentdeckte Software-Sicherheitslücken für Polizei – und Geheimdienste offenzuhalten, die deutsche Cyberbehörde ZiTis soll die zugehörige Trojaner-Schadsoftware für mehrere Dutzend deutsche Bundes- Landesbehörden entwickeln.

08.09.2021 - 08:42 [ Tagesschau.de ]

IT-Sicherheitslücken: Wie weit darf der Staat gehen?

Eine Entscheidung des Bundesverfassungsgerichts zwingt nun die Bundesregierung dazu, eine Entscheidung zu treffen.

04.09.2021 - 19:46 [ SecurityMagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(February 6, 2020)

While both offer encryption of DNS data using the same TLS protocol, there are some very important differences:

– Protocol layering: while DoT is essentially DNS over TLS, DoH is in fact DNS over HTTP over TLS.
– Different port numbers: DoT traffic uses a dedicated port 853, and can thus be distinguished at the network layer. DoH uses port 443 (HTTPS) due to the protocol layering.
– Different capabilities: DoT is largely the same DNS as we know it, while DoH to an extent combines features of DNS and HTTP.

03.09.2021 - 20:21 [ Wired ]

Apple Backs Down on Its Controversial Photo-Scanning Plans

In August, Apple detailed several new features intended to stop the dissemination of child sexual abuse materials. The backlash from cryptographers to privacy advocates to Edward Snowden himself was near-instantaneous, largely tied to Apple’s decision not only to scan iCloud photos for CSAM, but to also check for matches on your iPhone or iPad. After weeks of sustained outcry, Apple is standing down. At least for now.

09.08.2021 - 09:38 [ Eva, Director of Cybersecurity @EFF / Twitter ]

Apple distributed this internal memo this morning, dismissing their critics as „the screeching voices of the minority.“ I will never stop screeching about the importance of privacy, security, or civil liberties. And neither should you.

(06.08.2021)

09.08.2021 - 09:04 [ CyberPreserve / Twitter ]

A week after Apple introduced an important update iOS 14.7, which despite including critical security fixes, failed to address a vulnerability in iMessage that can be misused by the adversaries to pose a threat and attack iPhones via Pegasus malware.

(02.08.2021)

09.08.2021 - 08:53 [ Raya / Twitter ]

Shocking how Apple still has the nerve to claim they care about user privacy, just a few weeks after the Pegasus leak revealed that a spyware took advantage of (among other things) a big vulnerability on iMessage… the same app they’re now deploying a privacy backdoor to…

(06.08.2021)

09.08.2021 - 08:36 [ Will Cathcart, Head of @WhatsApp at @Facebook / Twitter ]

I read the information Apple put out yesterday and I’m concerned. I think this is the wrong approach and a setback for people’s privacy all over the world. People have asked if we’ll adopt this system for WhatsApp. The answer is no.

(06.08.2021)

09.08.2021 - 06:42 [ Electronic Frontier Foundation ]

Apple’s Plan to „Think Different“ About Encryption Opens a Backdoor to Your Private Life

(05.08.2021)

To say that we are disappointed by Apple’s plans is an understatement. Apple has historically been a champion of end-to-end encryption, for all of the same reasons that EFF has articulated time and time again. Apple’s compromise on end-to-end encryption may appease government agencies in the U.S. and abroad, but it is a shocking about-face for users who have relied on the company’s leadership in privacy and security.

There are two main features that the company is planning to install in every Apple device. One is a scanning feature that will scan all photos as they get uploaded into iCloud Photos to see if they match a photo in the database of known child sexual abuse material (CSAM) maintained by the National Center for Missing & Exploited Children (NCMEC). The other feature scans all iMessage images sent or received by child accounts—that is, accounts designated as owned by a minor—for sexually explicit material, and if the child is young enough, notifies the parent when these images are sent or received. This feature can be turned on or off by parents.

09.08.2021 - 06:37 [ Eva, Director of Cybersecurity @EFF / Twitter ]

Louder, for the people in the back: it’s impossible to build a client-side scanning system that can only be used for sexually explicit images sent or received by children.

(05.08.2021)

09.08.2021 - 06:31 [ newsnationnow.com ]

Apple’s plan to scan iPhone images raises privacy concerns

(05.08.2021)

Apple intends to install software on iPhones sold in the United States to scan for child abuse imagery, raising alarm that the move could open the door to surveillance of millions of personal devices.

Liberty Vittert, a professor of data science at Washington University in St. Louis and the features editor of the Harvard Data Science Review, says this is “a cosmic shift in big tech monitoring.”

09.08.2021 - 06:18 [ BGR.com ]

Apple just announced a major change that has privacy advocates totally freaked out

If the thousands of security and privacy experts who’ve raised an outcry on social media over the past few days — and signed at least one letter calling for change — are correct, then Apple is about to make a staggeringly awful miscalculation. More specifically, they’re warning that a new feature set baked into the company’s software in the name of cracking down on one very specific, very horrible act (using iPhones in the service of child exploitation) will actually open the door to the very dystopian privacy nightmare that Apple’s own leaders have warned about for years.

26.07.2021 - 12:05 [ ZDF ]

Reporter ohne Grenzen – Pegasus „nicht nur ein israelisches Problem“

Das sagt Mihr über Software als Waffe:

„Es fehlt der politische Wille. Es gibt seit 2013 im Rahmen des Wassenaar Arrangement zu konventionellen Waffen ein Regulierungsregime, aber da ist Israel nicht Mitglied. Und das ist nicht nur ein israelisches Problem. Das ist potenziell auch ein europäisches Problem.“

23.07.2021 - 06:49 [ ORF.at ]

EU erhielt die zwölfte Cybersicherheitsorganisation

(04.07.2021)

Ein aktuelles, schlagendes Beispiel dafür ist die Neufassung der deutschen Cybersicherheitsstrategie. In Deutschland ist es Teil dieser Strategie, gewisse neuentdeckte Software-Sicherheitslücken für Polizei – und Geheimdienste offenzuhalten, die deutsche Cyberbehörde ZiTis soll die zugehörige Trojaner-Schadsoftware für mehrere Dutzend deutsche Bundes- Landesbehörden entwickeln.

23.07.2021 - 06:44 [ Tagesschau.de ]

Spähsoftware: Merkel fordert Verkaufslimit für „Pegasus“

Merkel erklärte, der Verkauf der Software müsse an restriktive Bedingungen geknüpft werden. So solle sie nicht an Länder geliefert werden, „in den eine gerichtliche Überwachung von solchen Angriffen vielleicht nicht gesichert ist“.

19.07.2021 - 08:07 [ Tagesschau.de ]

Spionagesoftware „Pegasus“: Darf’s ein bisschen mehr sein?

Ein Jahr zuvor, im Oktober 2017, wurde NSO schon beim Bundeskriminalamt (BKA) in Wiesbaden vorstellig. Ebenso gab es Gespräche mit dem BND und dem Bundesamt für Verfassungsschutz. Mit den Cyberexperten vom bayerischen Landeskriminalamt (LKA) trafen sich die Vertreter der israelischen Firma im Jahr 2019 sogar gleich zwei Mal. Bei einer weiteren Vorführung im September 2019 im Innenministerium in München war sogar Minister Joachim Herrmann anwesend, wie ein Sprecher mitteilte.

Die deutschen Sicherheitsexperten waren sehr beeindruckt von der Technologie von NSO, berichten Teilnehmer der Produktvorführungen.

19.07.2021 - 06:19 [ Organized Crime and Corruption Reporting Project / Twitter ]

iMessage, WhatsApp, and FaceTime are vulnerable to „zero-click exploits“ — bugs that allow hackers to commandeer a mobile phone even when the target does nothing to trigger the breach. #PegasusProject

19.07.2021 - 06:15 [ Bill Marczak / Twitter ]

(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.

19.07.2021 - 05:06 [ Tagesschau.de ]

Spähsoftware: Wie „Pegasus“ aufs Handy kommt

Sicherheitsexperten von Amnesty International fanden auf mehreren, auch aktuellen iPhones Spuren der „Pegasus“-Software, die anscheinend auf diesem Weg auf das Gerät gelangt war. Ihrer Analyse zufolge kann das Spähprogramm unter Ausnutzung des internetbasierten Dienstes iMessage aus der Ferne installiert werden. Die NSO-Kunden müssen dafür nur die Telefonnummer der Zielperson eingeben.

14.07.2021 - 08:22 [ .SearchEngineJournal.com ]

WordPress Powers 39.5% of All Websites

(04.01.2021)

WordPress is now powering 39.5% of all websites in 2021, up from powering 35% of sites in 2020.

Counting only sites that use a content management system (CMS), WordPress has a market share of 64.1%.

14.07.2021 - 08:17 [ Helen 侯-Sandí, @WordPress Lead Developer / Twitter, ]

Of the 35 WP core committers, 22 do not work for Automattic. Just in case you were still thinking that WordPress is an Automattic project.

(Dec 30, 2015)

14.07.2021 - 08:09 [ @codehawkfalcon / Twitter ]

Great quote I heard recently: „Wordpress is a backdoor with a blog feature“

(Oct 7, 2015)

14.07.2021 - 08:07 [ Websiteplanet.com ]

One of the Biggest Website Hosting Providers, DreamHost, Leaked 814 Million Records Online Including Customer Data

(25.07.2021)

A database owned by DreamHost, DreamPress managed WordPress hosting, was publically accessible online.

3 Years of DreamPress Customer and User Data Exposed Online 2021)

14.07.2021 - 07:55 [ MakeUseOf.com ]

Is WordPress Still Worth Using in 2021?

(09.06.2021)

1. Security Risks

WordPress is prone to cyber-attacks. Around 90 percent of CMS-based websites that are hacked use WordPress.

05.07.2021 - 04:10 [ ORF.at ]

EU erhielt die zwölfte Cybersicherheitsorganisation

Ein aktuelles, schlagendes Beispiel dafür ist die Neufassung der deutschen Cybersicherheitsstrategie. In Deutschland ist es Teil dieser Strategie, gewisse neuentdeckte Software-Sicherheitslücken für Polizei – und Geheimdienste offenzuhalten, die deutsche Cyberbehörde ZiTis soll die zugehörige Trojaner-Schadsoftware für mehrere Dutzend deutsche Bundes- Landesbehörden entwickeln.

24.06.2021 - 03:22 [ Aktion Freiheit statt Angst ]

Handyverkehr seit 30 Jahren abhörbar: Wir erfahren, was wir wissen dürfen

Die Verschlüsselung von Handys mit dem GEA-1 Algorithmus ist absolut unsicher. Das zeigen jetzt(!) Forschungsergebnisse von IT-Sicherheitsexperten der Ruhr-Uni Bochum, der Forschungsstelle Simula UiB aus Norwegen, der französischen Forschungsinstitute Irisa und Inria sowie der Uni Paris-Saclay. Der für GPRS (G2) Netze in den 90-iger Jahren entwicklelte Standard sollte damals mit 64-bit Schlüssellänge Sicherheit bieten. Der vermeintliche 64-Bit-Schlüssel wurde aber im Algorithmus „aus unbekannten Grpnden“ praktisch auf die Sicherheit eines 40-Bit-Schlüssels reduziert.

09.06.2021 - 17:01 [ Duo.com ]

Microsoft Fixes Publicly Known Flaws in Security Update

Overall, Microsoft’s May Patch Tuesday advisory addressed four critical flaws – all of which can allow for remote code execution – as well as 50 important-severity vulnerabilities and one moderate-severity bug.

09.06.2021 - 16:52 [ Heise.de ]

Patchday: Angreifer nutzen sechs Sicherheitslücken in Windows aus

Derzeit haben es Angreifer auf sechs Sicherheitslücken in verschiedenen Windows- und Windows-Server-Versionen abgesehen. In einigen Fällen könnte Schadcode auf Systemen landen. Klappt das, erlangen Angreifer in der Regel die volle Kontrolle über Computer. Microsoft zufolge ist eine weitere Schwachstelle öffentlich bekannt. Attacken könnten bevorstehen.

24.03.2021 - 17:09 [ free-proxy.cz/en/ ]

Free Proxy

There are currently … proxy servers in our database

24.03.2021 - 17:06 [ DeviceInfo.me ]

Device Info

Device Type / Model:

Operating System:

True Operating System Core:

Browser:

True Browser Core:

Browser Build Number / Identifier:

IP Address (WAN)

Tor Relay IP Address:

VPN IP Address:

Proxy IP Address:

Hostname:

Location:

Country:

Region:

City:

Latitude & Longitude:

Geolocation:

……………………………

24.03.2021 - 17:03 [ Browserleaks.com ]

What Is My IP Address

DNS Leak Test

Test Results:

24.03.2021 - 16:22 [ SecurityMagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(February 6, 2020)

While both offer encryption of DNS data using the same TLS protocol, there are some very important differences:

– Protocol layering: while DoT is essentially DNS over TLS, DoH is in fact DNS over HTTP over TLS.
– Different port numbers: DoT traffic uses a dedicated port 853, and can thus be distinguished at the network layer. DoH uses port 443 (HTTPS) due to the protocol layering.
– Different capabilities: DoT is largely the same DNS as we know it, while DoH to an extent combines features of DNS and HTTP.

24.03.2021 - 15:12 [ LinuxSecurity.com ]

6 ways HTTP/3 benefits security (and 7 serious concerns)

(29 Jun 2020)

HTTP3, the third official version of hypertext transfer protocol (HTTP), will not use the transmission control protocol (TCP) as did its predecessors. Instead, it uses the quick UDP internet connections (QUIC) protocol developed by Google in 2012.

24.03.2021 - 15:08 [ Jake Miller / labs.bishopfox.com ]

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

(Sep 8, 2020)

The revival of HTTP request smuggling has led to devastating vulnerabilities in our modern application deployments. An HTTP request smuggled past the validation of an edge server can lead to serious consequences, including forged internal headers, access to internal management endpoints, and a variety of opportunities for privilege escalation.

HTTP/2 (or HTTP/3) is a promising solution to the issues we’ve faced with request smuggling, but support for HTTP/1.1 isn’t going away anytime soon. In the meantime, we’re still in for more surprises from our good friend HTTP/1.1.

In this post, I demonstrate how upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers.

03.03.2021 - 12:07 [ free-proxy.cz/en/ ]

Free Proxy

There are currently 7156 proxy servers in our database

03.03.2021 - 12:04 [ Browserleaks.com ]

Browserleaks.com

It has long been believed that IP addresses and Cookies are the only reliable digital fingerprints used to track people online. But after a while, things got out of hand when modern web technologies allowed interested organizations to use new ways to identify and track users without their knowledge and with no way to avoid it.

BrowserLeaks is all about browsing privacy and web browser fingerprinting. Here you will find a gallery of web technologies security testing tools that will show you what kind of personal identity data can be leaked, and how to protect yourself from this.

03.03.2021 - 12:00 [ DeviceInfo.me ]

Device Info

Device Type / Model:

Operating System:

True Operating System Core:

Browser:

True Browser Core:

Browser Build Number / Identifier:

IP Address (WAN)

Tor Relay IP Address:

VPN IP Address:

Proxy IP Address:

Hostname:

Location:

Country:

Region:

City:

Latitude & Longitude:

Geolocation:

……………………………

17.02.2021 - 18:02 [ DeviceInfo.me ]

Device Info

Device Type / Model:

Operating System:

True Operating System Core:

Browser:

True Browser Core:

Browser Build Number / Identifier:

IP Address (WAN)

Tor Relay IP Address:

VPN IP Address:

Proxy IP Address:

Hostname:

Location:

Country:

Region:

City:

Latitude & Longitude:

Geolocation:

……………………………

17.02.2021 - 17:56 [ Browserleaks.com ]

Browserleaks.com

It has long been believed that IP addresses and Cookies are the only reliable digital fingerprints used to track people online. But after a while, things got out of hand when modern web technologies allowed interested organizations to use new ways to identify and track users without their knowledge and with no way to avoid it.

BrowserLeaks is all about browsing privacy and web browser fingerprinting. Here you will find a gallery of web technologies security testing tools that will show you what kind of personal identity data can be leaked, and how to protect yourself from this.

18.01.2021 - 15:47 [ securitymagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(06.02.2020)

Obviously, time will tell if DoT continues to prevail or whether DoH will start to gain ground. As mentioned at the beginning of the article there is a hot debate going on right now about the direction the Internet industry should take. Suffice to say that even nation state authorities are involved in the debate, which speaks to the level and importance of the discussion.

18.01.2021 - 15:41 [ ZDNET.com ]

NSA warns against using DoH inside enterprise networks

The NSA urges companies to host their own DoH resolvers and avoid sending DNS traffic to third-parties.

18.01.2021 - 15:40 [ National Security Agency / Pentagon ]

Adopting Encrypted DNS in Enterprise Environments

Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocoladdresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNSover Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authenticationwith a client’s DNS resolver. Itis useful to prevent eavesdropping and manipulationof DNStraffic.While DoH can help protectthe privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networksunless they allow only their chosen DoH resolver to be used.Enterprise DNS controlscan prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration.

12.01.2019 - 19:22 [ ClassicPress.net ]

Switch your WordPress site to ClassicPress

Migrating your WordPress website to ClassicPress is easy and only takes a few minutes. Follow the simple steps below to get started:

12.01.2019 - 19:11 [ Yogesh Khetani Patel ‏/ Twitter ]

Worst ever #WordPress5 update ever! I hate Gutenberg, block system, hard to navigate to HTML editing mode and requires more clicks to draft a post. #WordPress

12.01.2019 - 19:09 [ David Waywell ‏/ Twitter ]

Just discovered that Wordpress have updated their editor. Holy crap, it’s a mess! I consider myself to be fairly computer savvy but this new update makes zero sense.

14.12.2018 - 12:57 [ nakedsecurity.sophos.com ]

Update now! WordPress 5.0.1 release fixes seven flaws

The update for that job is this week’s WordPress 5.0.1, which backports security fixes all the way to version 3.7, excepting a small number of documented compatibility issues.