FaceID and depth camera security issues
A lot of people are concerned about how secure your face data is on the new iPhone X. I have some answers, but I ain't 100% sure. When setting up Face ID for the first time, it is saved and encrypted on the Secure Enclave (SEP) and left there; no apps can see these details except in some instances that I'll explain in a bit. When apps ask you to unlock with your Face ID, it is safe, as it is an API linked to the system that uses the normal Face ID scan process and then tells the app whether it is really you or it failed to authorize your face. This is completely safe, but if you use an app that can see your pictures (in other words, is allowed to go through your pictures), then you are screwed, as starting from iOS 11 Apple added depth information to photos taken in Portrait mode, which exists only on the iPhone 7 Plus, 8 Plus and X. So if you took a portrait selfie of yourself, it will create depth information in that picture and that app can read it, but you don't need to worry, as this won't help them unlock your device. (If you have any questions then feel free to ask me.)
Submitted November 03, 2017 at 11:40AM by pierre949
via reddit http://ift.tt/2ztikeW
5 Practical Questions to ask from client before penetration testing engagement
http://ift.tt/2zpvVEg
Submitted November 03, 2017 at 02:12PM by InformationSecurity
via reddit http://ift.tt/2zejiuN
Haider Mahmood Infosec Blog
5 Questions to ask from client before penetration testing engagement
‘Tis the Season: Gift Card Fraud Rampant on the Dark Web
http://ift.tt/2xMre2F
Submitted November 03, 2017 at 02:48PM by imr2017
via reddit http://ift.tt/2h8zual
SurfWatch Labs, Inc.
‘Tis the Season: Gift Card Fraud Rampant on the Dark Web
The holiday shopping season is right around the corner, and gift cards are expected to remain the most requested holiday gift for the tenth year in a row. It should come as no surprise then that…
Why ransomware is a real threat regardless of the industry
http://ift.tt/2gXox7N
Submitted November 03, 2017 at 05:06PM by NISMO1968
via reddit http://ift.tt/2hAaG86
Veeam Software Official Blog
Why ransomware is a real threat regardless of the industry
Learn more on how ransomware can impact any industry without discrimination, and what to do to avoid being attacked, from our Solution Briefs.
Security vs. convenience? IoT requires another level of thinking about risk
http://ift.tt/2iXNCUl
Submitted November 03, 2017 at 05:06PM by NISMO1968
via reddit http://ift.tt/2A39G3j
Ars Technica
Security vs. convenience? IoT requires another level of thinking about risk
Op-ed: Devices like Amazon Key put too much risk assessment on users; bad decisions follow.
Let’s Talk About SSH Configuration Hardening...
The Problem

A lot of administrators install the SSH service and assume it's in top shape. What they don't realize is that system packages tend to be optimized for compatibility, not security. While a lot of systems include defaults that are fine for most cases, there is still a lot of room for improvement, especially for high-security environments.

Depending on how old the package for your distribution is, the default configuration may have the following problems:

- Small host keys: 1024-bit RSA or DSA.
- Weak key exchanges: Diffie-Hellman groups using small 1024-bit moduli, or exchanges using deprecated hash algorithms like SHA-1.
- Vulnerable ciphers: 3DES, RC4, and SWEET32-vulnerable ciphers like Blowfish and CAST.
- MACs based on weak hash algorithms: MD5 or SHA-1.

As long as your users have reasonably modern SSH clients, you can fix all of the problems above without interoperability issues. And for those users who are lagging behind, well... chances are their client software has unpatched security problems anyway (note that 4 vulnerabilities have been fixed in PuTTY so far in 2017).

Ubuntu and RHEL Defaults

Let's take a look at a fully-patched Ubuntu 16.04 LTS server. Its default config comes with a good selection of ciphers (chacha20-poly1305 is the default, with backups using AES in CTR & GCM modes), but it supports some SHA-1 based algorithms for MACs and key exchange. Furthermore, its default RSA key is 2048-bit, which is equivalent to 112 bits of brute-force strength; to get 128 bits of security, this needs to be re-generated with a 3072-bit key. [1]

Things are much worse for RHEL/CentOS 6 (which is supported until 2024). Its default config supports 1024-bit Diffie-Hellman key exchanges (this is believed to be breakable by state-level adversaries! [2]), along with the weak RC4 cipher, Blowfish & CAST (both affected by the SWEET32 attack), as well as several MACs based on MD5 and SHA-1! Unless you take specific steps after installation, the RHEL/CentOS 6 SSH service is pretty abysmal.

Scanning Tools

The excellent (and open-source) ssh-audit tool will help you find problematic options enabled in your SSH service. But since not all admins are comfortable with command-line tools, I've gone ahead and written a web front-end to it for convenience, which also includes a comprehensive list of references for all discovered problems. You can find it here: http://ift.tt/2ysa1zW

Hardening Guides

Stribik András wrote this excellent, general-purpose hardening guide in early 2015. While it does a great job in breaking down the different options available, it is slowly becoming out of date, and doesn't take specific versions of OpenSSH into consideration (for example, newer versions of OpenSSH support DH Groups 16 & 18 from RFC 3526, but a fully patched Ubuntu 16.04 LTS system uses a slightly older version that doesn't include them). To compensate, I've written a set of guides specific to OS releases that optimize security for each platform. You can find the improved hardening guides here: http://ift.tt/2yqMuj9

References

[1] U.S. Department of Commerce, National Institute of Standards and Technology, "Special Publication 800-57, Part 1, Revision 4, Recommendation for Key Management, Part 1: General", http://ift.tt/1P17KJc, Jan. 2016, pg. 53.
[2] Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., and Zimmermann, P., "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", http://ift.tt/1RbPYEP, Oct. 2015.
Submitted November 01, 2017 at 08:36PM by therealjoetesta
via reddit http://ift.tt/2irX92j
GitHub
arthepsy/ssh-audit
ssh-audit - SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
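The algorithm lists the post warns about are not hidden: every SSH server advertises them in its SSH_MSG_KEXINIT message before any key is agreed, and that message is what ssh-audit reads. The Python below is an added example, not code from the post or from ssh-audit. It builds a KEXINIT payload modelled on the RHEL/CentOS 6 era defaults described above (constructed for the example, not captured from a real host), parses it per RFC 4253 section 7.1, flags the four weak classes the post lists, and emits sshd_config directives that keep only the algorithms the server already offers minus the flagged ones. The weak-algorithm tables are this example's own and cover only what the post names (1024-bit and SHA-1 key exchanges, DSA host keys, 3DES/RC4/Blowfish/CAST, MD5 and SHA-1 MACs); ssh-audit's ruleset is broader, and a KEXINIT does not reveal host key or DH group-exchange modulus sizes, so it cannot check the 2048-vs-3072-bit RSA point on its own.

```python
"""Parse an SSH_MSG_KEXINIT and flag the weak algorithm classes the post lists.

Added example, not part of the post or of ssh-audit. The WEAK_* tables are an
assumption of this example limited to what the post names.
"""
import struct

SSH_MSG_KEXINIT = 20

WEAK_KEX = {                       # exact names
    "diffie-hellman-group1-sha1": "1024-bit DH modulus and SHA-1",
    "diffie-hellman-group14-sha1": "SHA-1 hash",
    "diffie-hellman-group-exchange-sha1": "SHA-1 hash",
}
WEAK_HOSTKEY = {"ssh-dss": "DSA host key, fixed at 1024 bits"}
WEAK_CIPHER_PREFIX = {             # prefixes, so arcfour128/arcfour256/arcfour all match
    "3des-": "3DES, 64-bit block (SWEET32)",
    "blowfish-": "Blowfish, 64-bit block (SWEET32)",
    "cast128-": "CAST, 64-bit block (SWEET32)",
    "arcfour": "RC4",
}
WEAK_MAC_PREFIX = {"hmac-md5": "MD5-based MAC", "hmac-sha1": "SHA-1-based MAC"}

FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, comp=("none", "zlib@openssh.com")):
    """Assemble a KEXINIT payload with the same cipher/MAC lists in both directions."""
    cookie = bytes(range(16))                      # a real server sends 16 random bytes
    lists = [kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, [], []]
    return (bytes([SSH_MSG_KEXINIT]) + cookie
            + b"".join(_name_list(l) for l in lists)
            + b"\x00"                              # first_kex_packet_follows = FALSE
            + b"\x00\x00\x00\x00")                 # reserved uint32, always 0


def parse_kexinit(payload):
    """Split the ten name-lists out of a KEXINIT payload (RFC 4253 section 7.1)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []                            # 1 byte message type + 16 byte cookie
    for _ in FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        lists.append(raw.decode("ascii").split(",") if raw else [])
    return dict(zip(FIELDS, lists))


def _prefix_reason(name, table):
    for prefix, reason in table.items():
        if name.startswith(prefix):
            return reason
    return None


def audit_kexinit(payload):
    """Return {category: [(algorithm, reason), ...]} for every weak algorithm offered."""
    kx = parse_kexinit(payload)
    findings = {"kex": [], "hostkey": [], "cipher": [], "mac": []}
    findings["kex"] = [(n, WEAK_KEX[n]) for n in kx["kex"] if n in WEAK_KEX]
    findings["hostkey"] = [(n, WEAK_HOSTKEY[n]) for n in kx["hostkey"] if n in WEAK_HOSTKEY]
    for name in dict.fromkeys(kx["enc_c2s"] + kx["enc_s2c"]):     # dedupe, keep order
        reason = _prefix_reason(name, WEAK_CIPHER_PREFIX)
        if reason:
            findings["cipher"].append((name, reason))
    for name in dict.fromkeys(kx["mac_c2s"] + kx["mac_s2c"]):
        reason = _prefix_reason(name, WEAK_MAC_PREFIX)
        if reason:
            findings["mac"].append((name, reason))
    return findings


def hardened_directives(payload):
    """sshd_config lines keeping only the non-flagged algorithms the server already offers."""
    kx, bad = parse_kexinit(payload), audit_kexinit(payload)
    flagged = {name for items in bad.values() for name, _ in items}

    def keep(names):
        return [n for n in dict.fromkeys(names) if n not in flagged]

    return ["KexAlgorithms " + ",".join(keep(kx["kex"])),
            "Ciphers " + ",".join(keep(kx["enc_c2s"] + kx["enc_s2c"])),
            "MACs " + ",".join(keep(kx["mac_c2s"] + kx["mac_s2c"]))]


# Constructed sample modelled on the RHEL/CentOS 6 era defaults the post describes.
CENTOS6_LIKE = build_kexinit(
    kex=["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
         "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    hostkey=["ssh-rsa", "ssh-dss"],
    ciphers=["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
             "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour"],
    macs=["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-sha2-256",
          "hmac-sha2-512", "hmac-sha1-96", "hmac-md5-96"],
)

if __name__ == "__main__":
    for category, items in audit_kexinit(CENTOS6_LIKE).items():
        for name, reason in items:
            print(f"[{category}] {name}: {reason}")
    print("\n".join(hardened_directives(CENTOS6_LIKE)))
```

Feeding a real server's KEXINIT in (read it off a raw socket after the version-string exchange, or out of a pcap) works the same way; the point of the directives is that they are derived from what the server actually offers, so nothing is added that the installed OpenSSH version does not support. Note that surviving entries such as aes128-cbc pass only because the post does not list them, not because they are recommended.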
🌏 iOS 11.1 Hacked One Day After Its Release
http://ift.tt/2gZceYy
Submitted November 03, 2017 at 06:52PM by securitynewsIO
via reddit http://ift.tt/2xVfoU7
Security News iO
iOS 11.1 Hacked One Day After Its Release | Security News iO
The exploits came from Trend Micro's Mobile Pwn2Own contest in Tokyo, where security researchers found two vulnerabilities in Safari.
Security In 5: Episode 104 - Tools, Tips and Tricks - Mr. Whoer
http://ift.tt/2yqqULL
Submitted November 03, 2017 at 06:33PM by BinaryBlog
via reddit http://ift.tt/2lKjrRz
Libsyn
Security In Five Podcast: Episode 104 - Tools, Tips and Tricks - Mr. Whoer
In this week's TTT episode I talk about a website called Mr. Whoer. This should be part of your bookmarks and used regularly. Mr. Whoer provides you with all the information about you and your system. It's handy for testing network connections, verifying…
TorMoil: TorBrowser unspecified critical security vulnerability
http://ift.tt/2A2rThu
Submitted November 03, 2017 at 09:36PM by filippo_cavallarin
via reddit http://ift.tt/2zuSAyY
WeAreSegment
TorMoil: TorBrowser unspecified critical security vulnerability
Details
TorBrowser version 7.0.8, and probably prior, for Mac OS X and Linux, is affected by a critical security issue. According to the Tor Project, further details will be released in the near future.
Due to a Firefox bug in handling file:// URLs it is…
PROPagate – a new code injection trick – 64-bit and 32-bit
http://ift.tt/2A4z3BH
Submitted November 03, 2017 at 11:52PM by maxxori
via reddit http://ift.tt/2AglCQ2
PE File Infection Part II
http://ift.tt/2yt95vu
Submitted November 04, 2017 at 01:29AM by Evil1337
via reddit http://ift.tt/2iXpzF1
Exclusive: Government attempt to compromise us with NIT failed – TheDarkOverlord
http://ift.tt/2hCSElJ
Submitted November 04, 2017 at 01:36AM by imr2017
via reddit http://ift.tt/2zdFN14
www.databreaches.net
Exclusive: Government attempt to compromise us with NIT failed – TheDarkOverlord
CertStream - Real time streaming updates from the Certificate Transparency network.
http://ift.tt/2yrxSQt
Submitted November 04, 2017 at 02:25AM by zer01
via reddit http://ift.tt/2yrzpGd
Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability
http://ift.tt/2xY9IJ6
Submitted November 04, 2017 at 03:29AM by bagaudin
via reddit http://ift.tt/2zbpTUB
Cisco
Cisco Security Threat and Vulnerability Intelligence
The Cisco Security portal provides actionable intelligence for security threats and vulnerabilities in Cisco products and services and third-party products.
Travis CI - encrypted environment variables use an RSA encryption mode known to be vulnerable since 1998
http://ift.tt/2zbW88K
Submitted November 03, 2017 at 12:49AM by sarciszewski
via reddit http://ift.tt/2hbNOPh
GitHub
Encrypted environment variables shouldn't use PKCS1v15 padding · Issue #5394 · travis-ci/travis-ci
Currently when environment variables are encrypted, they use RSA keys with PKCS1v15 padding: https://github.com/travis-ci/travis.rb/blob/master/lib/travis/client/repository.rb#L15-L18 (it's the def...
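The 1998 result the title refers to is Bleichenbacher's adaptive chosen-ciphertext attack on RSAES-PKCS1-v1_5: anything that tells an attacker whether a chosen ciphertext decrypts to a block starting with 0x00 0x02 (an error string, a timing difference, a different log line) is an oracle, and a few tens of thousands of queries against it recover the plaintext of a captured ciphertext without the private key. The Python below is an added example, not code from Travis CI, travis.rb or the linked issue, and runs the attack end to end so the leak is concrete rather than abstract. It assumes a toy key built from two Mersenne primes (deterministic and fast; a real 2048-bit key changes only the running time) and a decryptor that checks just the 0x00 0x02 prefix, the most permissive oracle; a stricter check that also validates the padding separator makes the attack slower, not impossible. The fix the issue asks for is to switch to a padding scheme whose decryption failures do not leak structure, i.e. RSAES-OAEP.

```python
"""Bleichenbacher's 1998 padding-oracle attack on RSA PKCS#1 v1.5.

Added example, not code from Travis CI or travis.rb. Toy key from two Mersenne
primes; oracle checks only the 0x00 0x02 prefix (assumption of this example).
"""

P = (1 << 61) - 1                      # Mersenne prime 2^61 - 1
Q = (1 << 89) - 1                      # Mersenne prime 2^89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 here)
B = 1 << (8 * (K - 2))                 # Bleichenbacher's B = 2^(8(k-2))


def pkcs1v15_pad(msg: bytes) -> int:
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS at least 8 non-zero bytes."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes((i * 37 + 11) % 255 + 1 for i in range(ps_len))  # deterministic stand-in for random PS
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def pkcs1v15_unpad(em: int) -> bytes:
    raw = em.to_bytes(K, "big")
    if raw[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return raw[raw.index(b"\x00", 2) + 1:]


def encrypt(msg: bytes) -> int:
    return pow(pkcs1v15_pad(msg), E, N)


def decrypt(c: int) -> bytes:
    return pkcs1v15_unpad(pow(c, D, N))


def padding_oracle(c: int) -> bool:
    """Everything the attacker learns per query: did the block start with 00 02?"""
    return 2 * B <= pow(c, D, N) < 3 * B


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def _merge(intervals):
    intervals.sort()
    out = []
    for a, b in intervals:
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out


def bleichenbacher(c: int, oracle):
    """Recover m = c^d mod N using only the oracle; returns (m, number of queries)."""
    queries = 0

    def conforming(s):                           # asks about (m*s)^e without knowing m
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, E, N) % N)

    if not oracle(c):                            # step 1 (blinding) skipped: c is already valid
        raise ValueError("example starts from a conforming ciphertext")
    M = [(2 * B, 3 * B - 1)]                     # all that is known about m so far
    s = _ceil_div(N, 3 * B)                      # step 2a: smallest useful multiplier
    first = True
    while True:
        if first:
            while not conforming(s):
                s += 1
            first = False
        elif len(M) > 1:                         # step 2b: several candidates, keep scanning
            s += 1
            while not conforming(s):
                s += 1
        else:                                    # step 2c: one interval, halve it each round
            a, b = M[0]
            r = _ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = _ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1
        new_M = []                               # step 3: narrow every interval using s
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                na = max(a, _ceil_div(2 * B + r * N, s))
                nb = min(b, (3 * B - 1 + r * N) // s)
                if na <= nb:
                    new_M.append((na, nb))
        M = _merge(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:   # step 4: a single value remains
            return M[0][0], queries


def recover_plaintext(c: int):
    """Attacker's view: ciphertext plus oracle in, plaintext out. No private key used."""
    m, queries = bleichenbacher(c, padding_oracle)
    return pkcs1v15_unpad(m), queries


if __name__ == "__main__":
    c = encrypt(b"s3cr3t")                       # a captured encrypted secret
    print(recover_plaintext(c))
```

The attacker never calls decrypt: every private-key operation happens inside padding_oracle, which returns one bit. That bit is exactly what a service leaks when a malformed-padding error is distinguishable from a well-formed one, which is why a CI system's encrypt-only API is not in the clear just because the secret key stays on the server.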
It's Time To End The Social Security Number
http://ift.tt/2is10fF
Submitted November 04, 2017 at 06:48AM by WinglessIndependence
via reddit http://ift.tt/2h2Clhh
TheStreet
It's Time To End The Social Security Number
Social Security numbers create convenience at the expense of enormous risk. It's time for them to go.
Estonia: 760,000 ID cards vulnerable
http://ift.tt/2xRhOTD
Submitted November 04, 2017 at 04:51AM by bleahbloh
via reddit http://ift.tt/2h2YRGL
Yahoo
Estonia blocks electronic ID cards over identity-theft risk
Cyber-savvy Estonia said on Thursday it would suspend security certificates for up to 760,000 state-issued electronic ID-cards with faulty chips as of Friday midnight to mitigate the risk of identity theft. Dubbed E-stonia for being one of the world's most…
Best Tips For Mobile Application Security
http://ift.tt/2ytt4Kv
Submitted November 04, 2017 at 10:18AM by Skytecher
via reddit http://ift.tt/2lP0q0m
TheExtremeTech
Best Tips For Mobile Application Security
Best hacking reference and learning resource I’ve seen yet. Anyone can learn required skills here to become cybersecurity experts; it will take work...
http://ift.tt/2zjE8Je
Submitted November 04, 2017 at 12:23PM by PowerPuffSoldier
via reddit http://ift.tt/2Ak2oJu
GitHub
misterch0c/Awesome-Hacking
Awesome-Hacking - A collection of various awesome lists for hackers, pentesters and security researchers
Brihaspathi Technologies- CCTV Cameras Client Feedback
http://ift.tt/2y0Cn0d
Submitted November 04, 2017 at 05:39PM by cctvcamera3
via reddit http://ift.tt/2zesyNs
Hackers Exploit Weak Remote Desktop Protocol Credentials
http://ift.tt/2A5C1ps
Submitted November 04, 2017 at 06:06PM by snbt
via reddit http://ift.tt/2iv4SMW
Bankinfosecurity
Hackers Exploit Weak Remote Desktop Protocol Credentials
Many enterprises use remote desktop protocol to remotely administer their PCs and mobile devices. But security experts warn that weak RDP credentials are in wide