Notices by theruran 🌐🏴 (theruran@hackers.town)

@alcinnz I have a good feeling that GMP is a good target for fuzzing.

#MathML Best Practices for #Accessibility

https://www.hawkeslearning.com/Accessibility/guides/mathml_content.html

@nixfreak they developed something without a directive or contract for a machine with tiny resources. it was a hack! very clever hack...

Vulnerabilities Being Exploited Faster Than Ever: Analysis

https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ever-analysis/

“A large number of vulnerabilities are being exploited before security teams have any time to implement patches or other mitigations”

To be precise, 56% of the vulnerabilities in the report were exploited within seven days of public disclosure – a 12% increase over 2021, and an 87% increase over 2020. Resources for triaging and remediating vulnerabilities remain limited, and priorities can be misdirected.

Rapid7's Vulnerability Intelligence Report 2022 (PDF): https://www.rapid7.com/thank-you/2022-vulnerability-intelligence-report/

#infosec

for those that appeal to authority, the Director of CISA is telling the software industry to stop using C and C++

the era of products released to the public with "dozens, hundreds or thousands of defects" must end

https://www.bankinfosecurity.com/jen-easterly-dump-c-c-for-memory-safe-language-like-rust-a-21320

I would like to see a more official statement though, or at least a transcript of the speech.

#infosec

@alcinnz @vertigo @raccoonformality @neauoire has some reference material on their wiki: https://wiki.xxiivv.com/site/famicom.html and https://wiki.xxiivv.com/site/assembly.html

on cyber attacks becoming uninsurable:

first, the comments made by a CEO "of one of Europe's biggest insurance companies": https://www.irishtimes.com/business/2022/12/26/cyber-attacks-set-to-become-uninsurable-says-zurich-chief/

this report published a few days ago shares some more perspectives, that the situation is of course more complex, and that identify insurance companies as part of the problem: https://securityboulevard.com/2023/01/are-cyber-attacks-at-risk-of-becoming-uninsurable/

meanwhile, CISA recently got a $1.7 billion funding increase.

I'll be watching this area thru the future. #infosec

#Threema encrypted messenger got rekt:

In our work, we present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice.

https://breakingthe3ma.app/
archived at: https://web.archive.org/web/20230111141555/https://breakingthe3ma.app/

In the event an ephemeral key is exposed even once, an attacker can permanently impersonate the client to the server and then obtain all metadata in all E2EE messages. This is a remarkable shortcoming because ephemeral keys should never be able to authenticate a user. With Threema, leaking of an ephemeral key has the same effect as leaking a long-term key.

reported by: https://arstechnica.com/information-technology/2023/01/messenger-billed-as-better-than-signal-is-riddled-with-vulnerabilities/

#infosec

The common cause is “rolling your own protocol”. At the time when #Threema first released, the space of messaging protocols was still pretty empty, but OTR (from 2004) did already achieve forward secrecy. Threema is entirely built upon NaCl, the cryptographic library by Daniel J Bernstein. It was interesting to see, when talking to the team, that some of the bad design decisions (such as not authenticating the metadata of messages) arose from limitations of the #NaCl APIs. Another point to be made is that a company whose main product is based on cryptography, should always have a cryptographer at hand to assess its security and to propose already-existing protocols when possible, for example the battle-tested TLS instead of creating their bespoke client-to-server protocol.

The Threema protocols lack(ed) basic properties that are nowadays considered de rigueur for a messenger app to be regarded as secure: forward secrecy with respect to a malicious server, and protection against replay, reflection, and reordering attacks. While developers mostly stopped “rolling their own” cryptographic primitives, rolling your own protocol can be as dangerous: the recent attacks on Mega and Matrix are also an example of this. We need more provable security, and more scrutiny for cryptographic protocols before they are deployed.

from page 2: https://arstechnica.com/information-technology/2023/01/messenger-billed-as-better-than-signal-is-riddled-with-vulnerabilities/2/

#infosec