/root

Category: security

GitHub – security breach affects 12 million auth secrets and keys

March 16th, 2024

“2.6% of the exposed secrets are revoked within the first hour, but a whopping 91.6% remain valid even after five days, which is when GitGuardian stops monitoring their status.”

https://www.bleepingcomputer.com/news/security/over-12-million-auth-secrets-and-keys-leaked-on-github-in-2023
An interesting publication for patient data hashing

February 17th, 2024

Use of a hash algorithm in patient’s sensitive information (Name, Date of Birth or Social Security Number) using salt has the advantage of de-identifying personal data and also yields a unique identifier. This unique identifier can be later used to compare the disease course or follow ups in a different clinic. On the contrary an alphanumeric code can not re-identify these individuals.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10030136
OpenSSH 9.6

December 25th, 2023

Among notable changes, this release includes a fix for the Terrapin Attack.

https://www.undeadly.org/cgi?action=article;sid=20231219122431

https://www.openssh.com/releasenotes.html#9.6
New Terrapin attack with prefix truncation

December 21st, 2023

One of SSH’s few vulnerabilities

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

https://terrapin-attack.com/
Apple leaked push notification data

December 6th, 2023

https://arstechnica.com/tech-policy/2023/12/apple-admits-to-secretly-giving-governments-push-notification-data/
Malicious bots make up nearly three-quarters of Internet traffic

December 2nd, 2023

AI definitely increased the number of bots over the past year.

https://www.techspot.com/news/101016-malicious-bots-make-up-nearly-three-quarters-internet.html
Critical zero-day in Chrome

December 1st, 2023

https://arstechnica.com/security/2023/11/google-researchers-report-critical-zero-days-in-chrome-and-all-apple-oses/

https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html
WinRAR zero-day vulnerability

October 19th, 2023

Who even uses WinRAR in 2023? 🙂

https://securityaffairs.com/152669/apt/apt-groups-winrar-flaw.html
OpenSSH 9.5

October 9th, 2023

Changes since OpenSSH 9.4

This release fixes a number of bugs and adds some small features.

Potentially incompatible changes:

* ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014).

* sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected.

New features:

* ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake “chaff” keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.

* ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the “local extensions” number space and are advertised using a “ping@openssh.com” ext-info message with a string version number of “0”.

* sshd(8): allow override of Subsystem directives in sshd Match blocks.
https://www.openssh.com/releasenotes.html#9.5p1
How to generate random passwords using OpenSSL

September 26th, 2023

run the command:

openssl rand -base64 16

rand denotes randomness, base64 denotes readable format and 16 the password length

the output: 4twmIodX5QwjWP+OsTePLg==
Linux kernel patched for Intel Downfall and AMD Inception vulnerabilities

August 13th, 2023

Intel reports up to 50% performance penalties after the microcode update

https://www.phoronix.com/news/New-Linux-Stable-Downfall

https://www.phoronix.com/review/downfall

https://www.phoronix.com/news/AMD-INCEPTION