Mozilla OpenSSH secure guide. The goal of this document is to help operational teams with the configuration of OpenSSH server and client. All Mozilla sites and deployments should follow the recommendations below.
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Check whether you are infected by DoublePulsar
As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at: https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.
I spoke to a number of Twitter users who received the notice. A couple are engaged in activism and are connected to the Tor Project in some capacity. A few are located in Canada, and vaguely associated with the security community at large. However, I could not determine any common factors between all recipients. They all received the notice around the same time, between 5:15 and 5:16 PM EST.
“I don’t think this is the best response we’ve ever done to an attack situation,”
“There is no computer security program out there with 100% confidence that everything you do is going to be safe,” said Mathewson. “We can provide a high probability of safety and get better all the time. But no computer software ever written is able to provide absolute certainty. Have a back-up plan.”
Silk Road 2: was an American university paid by the FBI to take down the admins?
http://d4n3ws.polux-hosting.com/2015/11/22/silk-road-2-une-universite-americaine-a-t-elle-ete-payee-par-le-fbi-pour-faire-tomber-les-admins/
Haka is an open source, security-oriented language for describing protocols and applying security policies to (live) captured traffic.
The scope of the Haka language is twofold. First, it allows writing security rules that filter, alter or drop unwanted packets and that log and report malicious activity. Second, Haka features a grammar for specifying network protocols and their underlying state machines.
The overall goal of Haka is to hide low-level concerns such as memory management and packet reassembly from non-developer experts, and to provide an easy way to analyze new network protocols quickly.
http://thisissecurity.net/2015/11/23/hackers-do-the-haka-part-1/
« I see security as being more of a nuisance for the upstream kernel
developers. It's understandable, if someone makes a mistake, it can be
embarrassing, particularly when it gets into the news or has some
important impact. It also lessens the image of Linux as being an
enterprise-ready OS if someone can write up an exploit to take over the
entire system in a matter of hours in some cases. »
See also:
Grsecurity Developer Spender's Feelings on the State of Linux Security
https://news.ycombinator.com/item?id=10518480
Kernel Self Protection Project
http://openwall.com/lists/kernel-hardening/2015/11/05/1
« I'm organizing a community of people to work on the various kernel
self-protection technologies (most of which are found in PaX and
Grsecurity). I'm building on the presentation I gave at Kernel Summit
where I sought to convince the other upstream Linux kernel developers
that security is more than fixing bugs, and that we need to bring in
proactive defenses:
http://lwn.net/Articles/662219/
This is especially highlighted by the Washington Post article today:
The kernel of the argument
Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses.
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
Between the companies that recognize the critical nature of this work,
and with Linux Foundation's Core Infrastructure Initiative happy to
start funding specific work in this area, I think we can really make a
dent.
Let's start the work. I've built some wiki pages around my slides,
where we can take notes, list examples, and coordinate:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
http://kernsec.org/files/lss2015/giant-bags-of-mostly-water.pdf
Checking the validity of a TLS/SSL connection by hand
README
SECURITY IN-A-BOX
About Security in-a-box
Security in-a-box is a collaborative effort of the Tactical Technology Collective and Front Line Defenders. It was created to meet the digital security and privacy needs of advocates and human rights defenders. Security in-a-box includes a How-to Booklet, which addresses a number of important digital security issues. It also provides a collection of Hands-on Guides, each of which includes a particular freeware or open source software tool, as well as instructions on how you can use that tool to secure your computer, protect your information or maintain the privacy of your Internet communication.
But mass surveillance isn’t just the United States’ problem. Research has shown that Canada's Levitation project, which also involves collecting large amounts of data in the service of fighting terrorism, may be just as questionable as the NSA’s own data collection practices. Meanwhile, in response to the Charlie Hebdo attacks in Paris, British Prime Minister David Cameron has reintroduced the Communications Data Bill, which would force telecom companies to keep track of all Internet, email, and cellphone activity and ban encrypted communication services.
But support for this type of legislation in Europe doesn't appear to be any stronger than in North America. Slate’s Ray Corrigan argued, “Even if your magic terrorist-catching machine has a false positive rate of 1 in 1,000—and no security technology comes anywhere near this—every time you asked it for suspects in the U.K., it would flag 60,000 innocent people.” [...]
You may believe Edward Snowden to be a traitor or a hero, but on this matter, there is virtually no question: Mass surveillance is not only unconstitutional, it is also the wrong way to fight terrorism.
For those who may not be aware, DNS is the foundation of the whole Internet as we know it today. Without it we would have to memorise the IP addresses of the servers we want to visit. And obviously 62.210.124.124, or worse 2001:bc8:3f23:100::1, is a lot less sexy than imirhil.fr...
DeathRing and CoolReaper, backdoors shipped inside Android phones. They may have affected millions of users.
"A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application."
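The flaw quoted above is the one Qualys named GHOST (CVE-2015-0235). The practical question for an operator is whether the glibc on a given box is still affected, and the usual way to answer it is the canary probe Qualys published with the advisory: call gethostbyname_r() with a numeric name sized so that the buggy length computation believes the result fits a 1024-byte buffer, then check whether the bytes just past that buffer were overwritten. The following is an added example that drives the same probe through ctypes instead of the original C program; it is not code from the quoted advisory, and the 16-byte address slot and two-pointer accounting in `name_len` are taken from the published test, not from anything on this page.

```python
import ctypes
import errno

# Added example: canary-style probe for the gethostbyname_r() heap overflow
# in __nss_hostname_digits_dots() (Qualys GHOST advisory, CVE-2015-0235),
# driven through ctypes instead of the C test program Qualys published.
CANARY = b"in_the_coal_mine"
BUF_SIZE = 1024  # the size we tell libc the scratch buffer has


class Hostent(ctypes.Structure):
    """struct hostent as laid out by glibc on Linux."""
    _fields_ = [
        ("h_name", ctypes.c_char_p),
        ("h_aliases", ctypes.POINTER(ctypes.c_char_p)),
        ("h_addrtype", ctypes.c_int),
        ("h_length", ctypes.c_int),
        ("h_addr_list", ctypes.POINTER(ctypes.c_char_p)),
    ]


def ghost_probe():
    """Call gethostbyname_r() with an all-digit name sized so the buggy
    length computation fits the 1024-byte buffer exactly while the data
    actually written exceeds it by one pointer.

    Returns a dict with 'available' (False if this libc has no
    gethostbyname_r), 'rc' (the call's return code) and 'canary_intact'
    (False means the bytes after the buffer were overwritten, i.e. the
    libc is vulnerable).
    """
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        fn = libc.gethostbyname_r
    except (OSError, AttributeError):
        return {"available": False, "rc": None, "canary_intact": True}

    fn.argtypes = [
        ctypes.c_char_p,                           # name
        ctypes.POINTER(Hostent),                   # result struct
        ctypes.POINTER(ctypes.c_char),             # scratch buffer
        ctypes.c_size_t,                           # its advertised size
        ctypes.POINTER(ctypes.POINTER(Hostent)),   # result pointer out
        ctypes.POINTER(ctypes.c_int),              # h_errno out
    ]
    fn.restype = ctypes.c_int

    # One allocation: BUF_SIZE bytes of scratch space immediately followed
    # by the canary, so any write past the buffer lands on the canary.
    raw = ctypes.create_string_buffer(BUF_SIZE + len(CANARY) + 1)
    raw[BUF_SIZE:BUF_SIZE + len(CANARY)] = CANARY

    # Sizing from the published probe: 16 bytes for the address, two
    # pointers for h_addr_list, one NUL. The vulnerable computation left
    # out one further pointer-sized slot, which is the overflow.
    name_len = BUF_SIZE - 16 - 2 * ctypes.sizeof(ctypes.c_char_p) - 1
    name = b"0" * name_len  # all digits, so the digits-and-dots path runs

    result = Hostent()
    result_ptr = ctypes.POINTER(Hostent)()
    h_errno = ctypes.c_int(0)
    rc = fn(name, ctypes.byref(result), raw, BUF_SIZE,
            ctypes.byref(result_ptr), ctypes.byref(h_errno))

    intact = raw[BUF_SIZE:BUF_SIZE + len(CANARY)] == CANARY
    return {"available": True, "rc": rc, "canary_intact": intact}


def describe(probe):
    """Turn a probe result into a one-line verdict."""
    if not probe["available"]:
        return "gethostbyname_r() not available; nothing to test"
    if not probe["canary_intact"]:
        return "VULNERABLE: canary overwritten past the 1024-byte buffer"
    if probe["rc"] == errno.ERANGE:
        return "not vulnerable: libc reported ERANGE instead of overflowing"
    return "not vulnerable: canary intact (rc=%d)" % probe["rc"]


if __name__ == "__main__":
    print(describe(ghost_probe()))
```

A fixed glibc refuses the undersized buffer with ERANGE and leaves the canary untouched; a vulnerable one returns normally and smashes it. Run the probe against the libc the application actually loads (chroots and containers ship their own), and remember that a passing probe says nothing about statically linked binaries, which carry their own copy of the code.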
Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
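The core of a tool like Gitrob is the filename matcher: each signature says which part of a path to test (extension, bare filename, or full path), how to test it (exact match or regular expression), and what the hit means. The following is an added example of that matcher in Python, not Gitrob's own code; the signature entries and the file listing it runs over are constructed for illustration and are not Gitrob's signature file.

```python
import posixpath
import re

# Constructed signature set in the spirit of Gitrob's filename patterns.
# These entries are illustrative and are not Gitrob's own signature file.
# Each tuple: (part of the path to test, how to test it, pattern, meaning)
SIGNATURES = [
    ("extension", "match", "pem", "PEM file, often a private key or certificate"),
    ("extension", "match", "ppk", "PuTTY private key"),
    ("extension", "match", "pkcs12", "PKCS#12 bundle, may contain a private key"),
    ("filename", "regex", r"^id_(rsa|dsa|ecdsa|ed25519)$", "SSH private key"),
    ("filename", "match", ".env", "Environment file, commonly holds credentials"),
    ("filename", "match", ".netrc", "netrc file with login credentials"),
    ("filename", "match", ".htpasswd", "Apache password file"),
    ("filename", "regex", r"^\.?(bash|zsh|sh)_history$", "Shell history, may contain secrets typed on the command line"),
    ("filename", "regex", r"\.(sqlite3?|kdbx?)$", "Database or password-manager file"),
    ("path", "regex", r"(^|/)\.aws/credentials$", "AWS CLI credentials file"),
    ("path", "regex", r"(^|/)\.ssh/", "Contents of an SSH configuration directory"),
]


def _split(path):
    """Return (filename, extension) for a POSIX path. A leading dot is not
    an extension separator, so '.env' has no extension."""
    filename = posixpath.basename(path)
    if "." in filename[1:]:
        return filename, filename.rsplit(".", 1)[1]
    return filename, ""


def find_sensitive(paths):
    """Match every path against SIGNATURES and return (path, meaning)
    pairs in the order encountered, one per matching signature."""
    hits = []
    for path in paths:
        filename, ext = _split(path)
        subjects = {"extension": ext, "filename": filename, "path": path}
        for part, kind, pattern, meaning in SIGNATURES:
            subject = subjects[part]
            if kind == "match":
                matched = subject == pattern
            else:
                matched = re.search(pattern, subject) is not None
            if matched:
                hits.append((path, meaning))
    return hits


# Constructed file listing standing in for a repository tree.
SAMPLE_PATHS = [
    "README.md",
    "src/app.py",
    "config/.env",
    "deploy/keys/id_rsa",
    "deploy/keys/id_rsa.pub",
    "certs/server.pem",
    "home/.aws/credentials",
    "notes/todo.txt",
    "db/users.sqlite3",
    ".bash_history",
]

if __name__ == "__main__":
    for path, why in find_sensitive(SAMPLE_PATHS):
        print("%-28s %s" % (path, why))
```

Two points carry over to real use: anchor filename regexes (so `id_rsa.pub`, which is public, is not flagged as a private key), and treat a hit as a pointer to inspect, not a finding in itself, since a `.env` checked in with only placeholder values is noise while a `.pem` with no matching signature may still be the real thing.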
Riseup, a tech collective that provides security-minded communications to activists worldwide, sounded the alarm last month when a judge in Spain stated that the use of their email service is a practice, he believes, associated with terrorism.
Using NSEC is relatively simple, but it has a nasty side-effect: it allows anyone to list the zone content by following the linked list of NSEC records. This is called 'zone walking'. The 'ldns' library contains a tool called 'ldns-walk' that can be used to list all records inside a DNSSEC signed zone that uses NSEC:
(...)
For some DNS zones, this is an issue. The NSEC3 record option in DNSSEC solves this by creating the linked list using hashed domain-names, instead of clear-text domain names.
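The walk is a loop over "next owner" fields, and NSEC3 replaces those fields with hashes computed per RFC 5155 (SHA-1 over the wire-format name and salt, iterated, base32hex-encoded). The following added example, which is not code from the quoted article or from ldns, simulates both on a constructed five-name zone: the NSEC walk recovers every name, the NSEC3 walk recovers only hashes, and a short dictionary attack shows the caveat that NSEC3 protects a name only as well as its label resists guessing. The zone, its names, the salt and the iteration count are all constructed sample data.

```python
import base64
import hashlib

# Constructed NSEC chain for a zone "example." (sample data, not a real zone).
# In an NSEC-signed zone every name's NSEC record names the next owner in
# canonical order, and the last record points back to the apex.
NSEC_CHAIN = {
    "example.": "alpha.example.",
    "alpha.example.": "mail.example.",
    "mail.example.": "secret-admin.example.",
    "secret-admin.example.": "www.example.",
    "www.example.": "example.",
}


def walk_chain(apex, next_of):
    """Enumerate a zone the way a walker does: start at the apex and follow
    each record's 'next owner' field until it wraps back to the apex.
    `next_of(name)` stands in for the query that returns the record's next
    field (it raises KeyError if the record is missing)."""
    names = [apex]
    current = next_of(apex)
    while current != apex:
        if current in names:
            raise ValueError("chain loops without returning to the apex")
        names.append(current)
        current = next_of(current)
    return names


def _wire_name(name):
    """Canonical (lower-cased) DNS wire format of an absolute name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"      # RFC 4648 base32 alphabet
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(x || salt) applied iterations+1 times to
    the wire-format owner name, encoded in base32hex (20 bytes -> 32
    characters, no padding)."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii")
    return std.translate(str.maketrans(_B32, _B32HEX))


def build_nsec3_chain(names, salt, iterations):
    """{hashed_owner: hashed_next} for the same zone, ordered by hash: the
    linked list an NSEC3 zone exposes in place of NSEC_CHAIN."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def guess_names(hashed_owners, zone, candidates, salt, iterations):
    """Offline dictionary attack against a walked NSEC3 chain: hash each
    candidate label under the zone's salt and iterations and look it up."""
    table = {nsec3_hash("%s.%s" % (label, zone), salt, iterations): label
             for label in candidates}
    return {h: table[h] for h in hashed_owners if h in table}


if __name__ == "__main__":
    print("NSEC walk:", walk_chain("example.", NSEC_CHAIN.__getitem__))
    salt, iters = bytes.fromhex("aabbccdd"), 10   # constructed parameters
    chain = build_nsec3_chain(list(NSEC_CHAIN), salt, iters)
    hashes = walk_chain(nsec3_hash("example.", salt, iters), chain.__getitem__)
    print("NSEC3 walk yields only hashes:", hashes)
    print("guessed from a wordlist:",
          guess_names(hashes, "example", ["www", "mail", "ftp"], salt, iters))
```

The walk over the NSEC3 chain still succeeds, so an attacker still learns how many names the zone has and obtains every hash; what NSEC3 buys is that recovering `secret-admin` now costs a guessing attack rather than a single query, and the salt and iteration count are public in the NSEC3PARAM record, so a hard-to-guess label is the only real protection.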
A few months ago I decided to get started on fuzzing. I chose the reference implementation of the Network Time Protocol (NTP), ntpd, as my first target, since I have some background with NTP and the protocol seemed simple enough to be a good learning experience. Also, ntpd is available for many platforms and widely in use, including being part of the default OS X installation.
Having empathy with people unlike one's self is hard — especially when trying to understand the world enough from their perspective that the design choices you make will serve them well. Nowhere is this more true or higher stakes than the design of security systems. I've talked about changing our thinking in security from a focus on assurance to a focus on outcomes, and empathy with the user and an understanding of what they're trying to do is a key part of this.
In this essay, I'm going to present a set of use cases or user outcome scenarios. I'm going to try to make them as human as possible — this by @SwiftOnSecurity is an amazing example of this — but I'm going to look at some slightly more specific cases and put a bit more emphasis on how actual technical countermeasures may be used by real users. I'm also concentrating somewhat more on specifically-targeted users than she did. For some great thinking on how one understands a scenario like this and moves toward applying it practically, this piece from Andie Nordgren at Alibis for Interaction on moving from user focus to participation design is really excellent. I'm going to focus mostly on small adversaries here, because as Quinn Norton states in her talk on them, they're much more common, often much more practically dangerous, and heavily overlooked by the security community. Eventually, I'm interested in exploring more how we can model adversaries, develop richer and more easily-empathized with and understood user personas, and how we can integrate that kind of rich knowledge of the world into threat modeling efforts. For now, though, we'll jump straight to some stories.