Three new zero-days being abused in WordPress plug-ins:

https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/

PHP-based CMS, a disaster in the hands of the unsavvy!

polonus

Every single Yahoo account was compromised by hackers
http://nordic.businessinsider.com/yahoo-3-billion-accounts-were-compromised-in-its-hacking-attack-2017-10?r=US&IR=T

https://www.bloomberg.com/news/articles/2017-10-03/yahoo-says-all-3-billion-users-probably-affected-by-2013-breach

http://www.marketwatch.com/story/every-yahoo-account-was-affected-by-2013-hack-verizon-now-says-2017-10-03

Win7 kernel security to be applied to Win10 kernel as well?

That is what Google wants: https://googleprojectzero.blogspot.nl/2017/10/using-binary-diffing-to-discover.html

polonus

P.S. See the attached code txt, copyright 1989 by Dave Angel, providing a mem-dump for fuzzers. (pol)

Security Alert: User Info Breach
https://blog.disqus.com/security-alert-user-info-breach

Ouch. Would be nice if they informed their users. :frowning:

Another vulnerable plug-in in WordPress: https://web.archive.org/web/20170817183628/https://wordpress.org/plugins/postman-smtp/

Patched by another developer: https://github.com/yehudah/Postman-SMTP

polonus

Forrester.com Experienced A Cybersecurity Incident
https://go.forrester.com/blogs/forrester-com-experienced-a-cybersecurity-incident/

Microsoft silently fixes security holes in Windows 10 – dumps Win 7, 8 out in the cold
http://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/

The only thing is that I’m not surprised about what MS gets up to or in this case doesn’t get up to.

Yep, you have to trust that your AV vendor has those exploits blocked.
https://googleprojectzero.blogspot.no/2017/10/using-binary-diffing-to-discover.html

The SS7 (Signalling System 7) protocol is as holed as holed can be. Do not use SMS authentication any longer!

Read: http://anonymous-news.com/how-hackers-can-use-two-factor-authentication-to-hack-your-gmail-empty-bitcoin-wallet/

polonus

P.S. Related threat: a USB cable with a built-in SIM card… https://secure.dshield.org/forums/diary/Whats+in+a+cable+The+dangers+of+unauthorized+cables/22904/

Damian

Google allows 37,000 Chrome users to be tricked with a fake extension by fraudulent developer who clones popular name and spams keywords.
https://twitter.com/SwiftOnSecurity/status/917446126382526464

WhatsApp and similar apps could be spied upon for data about your wake/sleeping patterns and other interesting data…

Re: https://robertheaton.com/2017/10/09/tracking-friends-and-strangers-using-whatsapp/
Re: https://news.ycombinator.com/item?id=15435822 (about other scenarios)…

A phone number could be enough of a lead…
Frightening, isn't it? A world without any privacy!

polonus

Russia to block access to “dubious” cryptocurrency exchange websites, as they call it:

https://www.theregister.co.uk/2017/10/10/russia_to_ban_cryptocurrency_exchanges/

Certainly there are bad bitcoin scam & fake miners sites: http://www.badbitcoin.org/thebadlist/

And these had better be blocked.

polonus

Alert https://www.ncsc.nl/actueel/factsheets/factsheet-tls-interceptie.html

Example where things are wrong: https://urlquery.net/report/be049d88-859c-4fa8-8cb9-8cc53e4de3fc
and http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fsd-1367041-l.dattaweb.com%2F
and -http://sd-1367041-l.dattaweb.com/

Warnings
TLS1.2
This server is vulnerable to a TLS renegotiation attack

Site cert has 2 errors
Wrong certificate installed.
The domain name does not match the certificate common name or SAN.
Intermediate certificate missing.
GeoTrust SSL CA - G3 → https://observatory.mozilla.org/analyze.html?host=sd-1367041-l.dattaweb.com

A normal user should be able to trust those that keep these servers up.

polonus (checking it for you ;D )

“Responsible encryption” to facilitate the Surveillance State a bad idea:

EFF’s response to the proposals…
https://www.eff.org/deeplinks/2017/10/deputy-attorney-general-rosensteins-responsible-encryption-demand-bad-and-he

What we need is good e2e encryption everywhere.

It is either full encryption or no encryption at all, and digi-n00b politicians won’t understand. (Rosenstein, Budd etc.).

Make sure to introduce TLS 1.3 on websites everywhere:

Quote from Introducing TLS 1.3 by CloudFlare CDN:

Enhanced Security

Most of the attacks on TLS from the last few years targeted vestigial pieces of the protocol left around from the 90s. TLS 1.2 is highly configurable, and vulnerable sites simply failed to disable the older features in hopes of being compatible with old browsers. TLS 1.3 embraces the “less is more” philosophy, removing support for older broken forms of cryptography. That means you can’t turn on the potentially vulnerable stuff, even if you try. The list of TLS 1.2 features that have been removed is extensive, and most of the exiled features have been associated with high profile attacks. These include:

- RSA key transport — Doesn’t provide forward secrecy
- CBC mode ciphers — Responsible for BEAST, and Lucky 13
- RC4 stream cipher — Not secure for use in HTTPS
- SHA-1 hash function — Deprecated in favor of SHA-2
- Arbitrary Diffie-Hellman groups — CVE-2016-0701
- Export ciphers — Responsible for FREAK and LogJam

Google Chrome and Firefox support TLS 1.3 by default.

Let us make the world more secure instead of less secure,

polonus (volunteer website security analyst and website error-hunter)
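Added example (not from polonus's post and not Cloudflare's code): until a server actually runs TLS 1.3, the only protection against the removed features listed in the quote is to refuse them in the TLS 1.2 configuration. The script below uses Python's standard ssl module to build a server context restricted to TLS 1.2+ and forward-secret AEAD suites, then audits whatever suites a context would still negotiate against the quoted list (RSA key transport, CBC, RC4, SHA-1 MAC, server-chosen DH groups, export ciphers). The rule names and the permissive contrast context are this example's own choices; the cipher dictionary fields (name, kea, symmetric, digest) are those returned by SSLContext.get_ciphers() on Python 3.7+ with OpenSSL 1.1.0 or newer.

```python
"""Audit an ssl.SSLContext's negotiable cipher suites against the legacy
TLS 1.2 features that TLS 1.3 removed. Example written for this thread."""
import ssl

# Reason keys mirror the feature list in the quoted Cloudflare summary.
REASONS = {
    "rsa_kex": "RSA key transport (no forward secrecy)",
    "cbc": "CBC-mode cipher (BEAST / Lucky 13 class)",
    "rc4": "RC4 stream cipher",
    "sha1": "SHA-1 MAC",
    "dhe": "finite-field DHE (server-chosen, possibly weak DH group)",
    "export": "export-grade cipher (FREAK / Logjam class)",
}


def audit_cipher(c):
    """Return the reason keys that apply to one SSLContext.get_ciphers()
    entry; an empty list means the suite uses none of the removed features.
    Field values ('kx-rsa', 'aes-128-cbc', 'rc4', 'sha1') are the OpenSSL
    long names that CPython exposes in these dictionaries."""
    found = []
    name = c.get("name", "")
    kea = c.get("kea") or ""
    sym = c.get("symmetric") or ""
    digest = c.get("digest") or ""
    if kea == "kx-rsa":
        found.append("rsa_kex")
    if kea == "kx-dhe":
        found.append("dhe")
    if sym.endswith("-cbc"):
        found.append("cbc")
    if sym == "rc4":
        found.append("rc4")
    if digest == "sha1":
        found.append("sha1")
    if "EXP" in name.upper():
        found.append("export")
    return found


def audit_context(ctx):
    """Map suite name -> reasons for every flagged suite the context would
    offer or accept. TLS 1.3 suites report kea 'kx-any' and AEAD-only
    symmetric algorithms, so they never trip a rule."""
    report = {}
    for c in ctx.get_ciphers():
        reasons = audit_cipher(c)
        if reasons:
            report[c["name"]] = reasons
    return report


def hardened_server_context():
    """Server context limited to TLS 1.2+ with ECDHE + AEAD suites only.
    set_ciphers() governs TLS 1.2 suites; the TLS 1.3 suites stay enabled
    and are already free of the removed features."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!SHA1")
    return ctx


def permissive_server_context():
    """Contrast: everything the local OpenSSL build still offers except
    unauthenticated suites. What gets flagged depends on that build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def explain(report):
    """Render an audit report as one line per flagged suite."""
    return [f"{name}: " + "; ".join(REASONS[r] for r in reasons)
            for name, reasons in sorted(report.items())]


if __name__ == "__main__":
    print("hardened context flagged suites:", audit_context(hardened_server_context()))
    print("permissive context flagged suites:")
    for line in explain(audit_context(permissive_server_context())):
        print("  " + line)
```

Run it against the OpenSSL your server links against: the hardened context should report nothing, while the permissive one shows which RSA-key-transport, CBC and SHA-1 suites a default "ALL" policy would still accept on that build.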

Microsoft Corp. faces a coordinated investigation by European privacy regulators after it failed to do enough to address their concerns about the collection and processing of user data with a series of changes to Windows 10 last month.

https://www.bloomberg.com/news/articles/2017-02-21/microsoft-faces-european-privacy-probes-over-windows-10

Data-protection agencies from the Netherlands, Germany, France, the U.K., Spain, Hungary and Slovenia are collaborating on the Microsoft probes, according to the Dutch watchdog.

polonus

Third party malscript injection: https://arstechnica.com/information-technology/2017/10/equifax-rival-transunion-also-sends-site-visitors-to-malicious-pages/

The Internet is often an insecure place…

polonus

Microsoft’s October Patch Tuesday Fixes 62 Vulnerabilities, including an Office Zero-Day
http://blog.trendmicro.com/trendlabs-security-intelligence/microsofts-october-patch-tuesday-office-zero-day/

Key Reinstallation Attacks - Breaking WPA2 by forcing nonce reuse
https://www.krackattacks.com/