Security Leftovers (2020-08-26)
Netcraft Extension adds credential leak detection
The Netcraft Browser Extension now offers credential leak detection for extra protection against shopping site skimmers.
With brick-and-mortar shops around the world closed due to COVID-19, consumers turned to online businesses to fulfil their shopping needs. According to Adobe’s Digital Economy Index report, US online spending in June was $73 billion, up 76% from $42 billion last year. Even with restrictions lifted, research commissioned by Visa suggests that 74% of Britons who shopped online more often during the lockdown will continue to do so.
Now more than ever it is important to protect against JavaScript skimmers. These are snippets of malicious code which criminals upload to compromised shops. Unbeknownst to the store owner or the user, they transmit entered card details directly to the criminal. Unlike scams such as phishing, which can often be avoided by a vigilant internet user, skimmers are invisible to the human eye without a tool such as the Netcraft Extension to expose them.
Spotting /tmp related vulnerabilities with TmpWatcher
Did you know that misuse of the /tmp directory is one of the most common security flaws? If you search MITRE for the keyword “tmp”, you’ll find a plethora of vulnerabilities (529 at the time of this writing). Because /tmp is a world-writable directory, applications need to be very careful about how they create and use files in /tmp. Unfortunately, many developers are unaware that improper use of /tmp can lead to symlink race, TOCTOU, information disclosure, privilege escalation, and denial-of-service vulnerabilities.
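The safe-creation pattern the paragraph above alludes to, as an added C example that is not from the article or from TmpWatcher: mkstemp() under a private umask, a post-open fstat() check on the descriptor rather than the path, and an O_EXCL|O_NOFOLLOW open for the case where a fixed name cannot be avoided. The "myapp" prefix and the TMPDIR fallback are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe pattern: let mkstemp() choose an unpredictable name and open it with
 * O_CREAT|O_EXCL in one step, so nobody can pre-plant a symlink at a name we
 * are about to use. All later access goes through the returned fd, never the
 * path, which removes the check-then-use (TOCTOU) window. */
int create_private_tmpfile(char *path_out, size_t path_len) {
    const char *dir = getenv("TMPDIR");          /* assumed fallback to /tmp */
    char tmpl[256];
    /* "myapp" is an assumed prefix, not from the original article */
    snprintf(tmpl, sizeof tmpl, "%s/myapp.XXXXXX", dir ? dir : "/tmp");
    mode_t old = umask(077);   /* force 0600 even if the caller's umask is lax */
    int fd = mkstemp(tmpl);
    umask(old);
    if (fd < 0)
        return -1;
    if (path_out && strlen(tmpl) < path_len)
        strcpy(path_out, tmpl);
    return fd;
}

/* Post-open check on the fd itself (not the path): regular file, owned by the
 * effective uid, a single hard link, and mode 0600. Returns 1 if private. */
int tmpfd_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    if (st.st_nlink != 1) return 0;
    if ((st.st_mode & 0777) != 0600) return 0;
    return 1;
}

/* When a fixed name is unavoidable, refuse to reuse or follow anything already
 * there: O_EXCL fails if the name exists, O_NOFOLLOW refuses a symlink.
 * Returns the fd, or -1 (errno EEXIST/ELOOP) when a pre-existing entry blocks it. */
int open_fixed_name_safely(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```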
How to Protect your cPanel Server from Backdoor Access, Plus a Warning for the Disabled Shell Access Setting in WHM
Use this command-line tool to find security flaws in your code
Testing is an important part of the software development lifecycle (SDLC), and there are several stages to it. Today, I want to talk about finding security issues in the code.
You can't ignore security when developing a piece of software. That's why there is a term called DevSecOps, which is fundamentally responsible for identifying and resolving security vulnerabilities in an application. There are open source solutions that check for OWASP vulnerabilities and derive insights by creating a threat model of the source code.
There are different approaches to handling security issues, e.g., static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), software composition analysis, etc.
Static application security testing runs at the code level and analyzes applications by uncovering errors in the code that has already been written. This approach doesn't require the code to be running, which is why it's called static analysis.
I'll focus on static code analysis and use an open source tool to have a hands-on experience.
ORC – Anonymous Cloud Storage Helps Protect Investigative Journalism
ORC, which stands for Onion Routed Cloud, is an anonymous cloud storage network. It is a free and open-source project. ORC allows anonymous file sharing online without the risk of leaking the files to the Internet.
Why Is Anonymous Cloud Storage Important?
In times when governments around the world are peeking into everyone’s life, journalists and activists around the globe are finding it difficult to communicate safely on the Internet. Journalists around the globe are being murdered or facing death threats as a consequence of their journalism. If not regulated by law, even social networking sites can be a threat to freedom in a free country.
Android Leftovers
Daniel Stenberg: tiny-curl 7.72.0 – Micrium
You remember my tiny-curl effort to port libcurl to more real-time operating systems? Back in May 2020 I announced it in association with me porting tiny-curl to FreeRTOS. Today I’m happy to bring you the news that tiny-curl 7.72.0 was just released. Now it also builds and runs fine on the Micrium OS. Timed with this release, I changed the tiny-curl version number to use the same as the curl release on which it is based, and I’ve created a new dedicated section on the curl web site for tiny-curl: https://curl.haxx.se/tiny/ Head over there to download. Also: Enabling better curl bindings
Slimbook & Kubuntu 18.04 - Combat report 13
There we go. I think my combat report experience has plateaued. There won't be any revolutionary new stuff coming up in this release, and I don't believe any of my long-standing annoyances will go away unless I upgrade. And I think this could be the next sensible thing on my list - upgrade from Kubuntu 18.04 to 20.04. This should give me plenty of fun activities, and hopefully the revamped and refreshed Plasma desktop will make the naughty bugs go away. With disk encryption in place, plus a bunch of third-party apps, this ought to be interesting. In general, 18 months down the road, Slimbook & Kubuntu is a good combo, especially since I'm being extra rigorous. To put things into perspective, looking at my Windows-based systems, there are all sorts of tiny problems that won't go away. Keyboard repeat speed on my Y50-70 machine, fullscreen alt-tab gaming experience in Windows 10, Explorer search, and whatnot. But that does not absolve Kubuntu in any way. We want perfection. All in all, though, for most standard-use purposes - gaming and office aside - Kubuntu does a pretty solid job, and remains robust and dependable. On to the next chapter in the adventure then!
