Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


WebAuthn + GitHub

August 26, 2019 by Marc Handelman in WebAuthn, Web Security, Developers Developers, Development Security

via Lucas Garron, writing at GitHub's blog, comes outstanding security news from the version control site: GitHub now fully supports WebAuthn (Web Authentication) for security keys.

"The future of authentication: secure and easy-to-use. Account security is critical for GitHub. Although we support strong authentication options, many people still don’t use a password manager or two-factor authentication because individual passwords have always been the easiest choice." - via Lucas Garron, writing at GitHub's blog.


Hyperlink Auditing disabled in the Brave browser version 73.0.62.51

URL "Ping" Tracking, The Exponential Evil of Tracking

April 15, 2019 by Marc Handelman in Web Security, Web Tracking, Death of Privacy

Well crafted piece by Lawrence Abrams, detailing URL 'ping' tracking (aka hyperlink auditing, the HTML anchor `ping` attribute that makes the browser POST a beacon to a tracking URL when a link is clicked) and its consequences for users across many browser deployments. If you find yourself examining anything privacy related today, Mr. Abrams' post will certainly jump-start the ganglia.


The Federal TLS Chronicles: A Litany of Failed Certificate Governance

January 15, 2019 by Marc Handelman in Incompetence, Incompetent Governance, Government Incompetence, Information Security, Web Security

via the always informative Catalin Cimpanu, writing at ZDNet, comes news of the anticipated TLS certificate renewal failures on at least 80 United States federal websites, a direct result of the federal government shutdown. Color us a bright shade of completely not surprised.

"In the end, nothing good will come out of this shutdown. Be it a cyber-attack that goes undetected or agencies losing cyber-security personnel leaving for the private sector, the ripple effects of this shutdown will haunt agencies for months or years to come." - via Catalin Cimpanu, writing at ZDNet


Mozilla Firefox Slated To Block All Trackers: Crowd Goes Wild

September 03, 2018 by Marc Handelman in Web Security, Web Tracking, Information Security, Privacy Prophylaxis, Privacy

Alert the media: Lawrence Abrams, writing at Bleeping Computer, reports on new security and privacy decisions at the Mozilla Foundation targeting user security and privacy in the organization's Firefox browser, which is apparently slated to block all trackers... I'll believe it when I see it.

"According to Mozilla's announcement, enabling the Slow-Loading Trackers blocker will improve page performance while browsing the web as tracking scripts that take longer than 5 seconds will be blocked. If you wish to block cross-site tracking cookies, you would also want to make sure that the Third-Party Cookies and All Detected Trackers settings are enabled as well." - via Lawrence Abrams, writing at Bleeping Computer


En Garde, CnC!

July 27, 2018 by Marc Handelman in Penetration Testing, Information Security, Network Security, Web Security

An outstanding blog post on command and control over WebSockets, well crafted by Craig Vincent of Black Hills Information Security, focusing on the use of the WebSocket vector to carry C2 traffic during penetration tests. Today's Must Read!


It's Time To Break-Up The Data Monopolies

July 18, 2018 by Marc Handelman in Data Monopolies, Danger!, Web Security, Information Security

By far, the most important thought piece you may read all week comes to us via MIT Technology Review author Martin Giles, in his superlative article 'It’s Time to Rein in the Data Barons'.

"Making the legal case for breakups will be hard, though, because the internet giants don’t fit the stereotype of rapacious monopolists (emphasis added) that raise prices and squeeze investment. They manipulate markets in a different and seemingly more benevolent way. They’ve become so dominant by developing products and services that many of us want to use. And they gain their immense power through collecting data about our online activity." - via Martin Giles writing at the MIT Technology Review


TOR, Mozilla Cozy Up

June 28, 2018 by Marc Handelman in OpenSource, Web Security, Browser Security, Tor Project, Mozilla Foundation, Onion Routing, Privacy

via Lucian Armasu, writing at Tom's Hardware, comes news of Project Fusion, a partnership, if you will, between the Tor Project and Mozilla, in an effort to bring enhanced privacy and security to the open source Firefox browser. Today's Must Read!


The Exploitations of Password Managers, Web Tracker Edition

June 27, 2018 by Marc Handelman in Web Security, Web Tracking, Information Security, Demise of Privacy

Martin Brinkmann, writing at gHacks Technology News, tells the tale of password manager exploitation by nefarious-minded web trackers. Certainly Wednesday's Must Read, yes?

'Research from Princeton's Center for Information Technology Policy suggests that newly discovered web trackers exploit password managers to track users.' - via Martin Brinkmann at gHacks.net


WebAuthn, Passwordless Authentication →

June 22, 2018 by Marc Handelman in WebAuthn, Web Security, Information Security, World Wide Web Consortium

via Peter Bright, writing at Ars Technica, comes an interesting piece discussing the efforts to implement and deploy WebAuthn, the passwordless authentication scheme promulgated by the W3C and fully implemented in Mozilla Firefox 60 and Google Chrome 67. Enjoy!

'This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.' - via the Web Authentication Working Group


BSides Leeds, Galid Yeduhai's 'Clustering Of Web Attacks: A Walk Outside The Lab' →

March 10, 2018 by Marc Handelman in BSides, Education, Conferences, Information Security, Web Security

Phishing Phish, Unicode Style →

March 02, 2018 by Marc Handelman in Phishing Attacks, Information Security, Web Security, Browser Security

Graham Cluley, writing at his eponymous blog, educates us in protecting the browser from Unicode Phishing Attacks. Today's MustRead.


OpenSnitch, The GNU/Linux Port of Application Firewall Little Snitch →

February 24, 2018 by Marc Handelman in Firewall, Application Firewall, Information Security, Network Security, Web Security, Browser Security

News of the release of OpenSnitch, the GNU/Linux port of Objective Development's much beloved Little Snitch (a native macOS application firewall), is the big news around our locale today. As of the date of this post, OpenSnitch is in alpha release state, with the caveat: 'Warning: This is still alpha quality software, don't rely on it (yet) for your computer security.' Additional information is available via the OpenSnitch GitHub Readme. H/T


Not 'API With Browser Codebases? →

February 20, 2018 by Marc Handelman in Code, Information Security, Web Security, Cybersecurity

Terrific bit of reportage by Richard Chirgwin, writing at El Reg, detailing the cost-benefit methodology behind efforts underway to further harden browser code; and, while you're at it, examine the research paper mentioned in the post, quite likely one of the more interesting papers you'll read today.


Coinhive Cryptojacker, The Prevaler →

February 12, 2018 by Marc Handelman in Crime, Cryptocurrency, Cryptomining, Information Security, Cloud Security, Web Security

Check Point Software Technologies Ltd. has noted (via the company's well-travelled blog) a new milestone for malicious scripts: this time the Coinhive browser cryptominer takes the blue ribbon for the most prevalent malware on our beloved interwebs, according to Check Point's research.


BSides Lisbon 2017, Pedro Fortuna & Paulo Silva's 'Crafting The Next-Generation Man-In-The-Browser Trojan' →

January 15, 2018 by Marc Handelman in BSides, Conferences, Education, Information Security, Browser Security, Web Security, Network Security

Web Tracker Purloins Passwords, The Hidden Login Field Gambit →

January 15, 2018 by Marc Handelman in Information Security, Authentication, Web Security

Via the inimitable Catalin Cimpanu comes this tale of web-based subterfuge that should enrage every legitimate user of our vaunted interwebs: in this case, hidden login fields (and their parent forms) injected by third-party usage trackers into seemingly legitimate sites. The browser's password manager autofills the saved username into the invisible field with no user interaction, and the tracker's script reads it back (typically hashing the email address) to build a persistent cross-site identifier. Is it any wonder that blocking both web advertising and its evil cousin, the web tracker (nefarious and otherwise), is a growth business in the browser add-on market? Read it and weep, my friends, for the demise of both privacy and your personal authentication data.

"The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list." - via Catalin Cimpanu writing at Bleeping Computer


Not Firefox. Is Red Panda (Ailurus fulgens)...

Mozilla Extension Store Laboring Under Spam Infection →

December 28, 2017 by Marc Handelman in Blatant Incompetence, Web Security, Browser Security, OpenSource

Martin Brinkmann, writing at GHacks, targets the proliferation of spam extensions flooding the Mozilla Foundation's Firefox AMO Web Extension Store. Further proof of deep administrative incompetence at Mozilla Foundation, or something else? You be the judge.

"The site is abused by spammers currently who flood it with extension listings designed to get users to click on links in the description. The method that these spammers use is simple: they have copied the Chrome extension Hide My IP and use it as the extension that they upload." - via Martin Brinkmann, writing at GHacks


OWASP Newly Minted Top Ten →

November 29, 2017 by Marc Handelman in OWASP, Information Security, Web Security

A long-awaited milestone has been announced: the OWASP Top Ten has been updated.


Mozilla Foundation To Begin Collecting User Browsing Data

September 06, 2017 by Marc Handelman in Web Security, Privacy, Network Security, Information Security, Blatant Stupidity, Demise of Privacy

via gHacks author Martin Brinkmann comes the astonishing tale of deeply flawed user data management at the Mozilla Foundation. On top of the Foundation's Firefox browser resource and WebExtension data leakage woes, now comes a highly user-antagonistic decision to commence collecting user browsing data on an opt-out basis. Truly this week's evidence that blatant stupidity still exists in the browser world.

"Mozilla's Georg Fritzsche published information on the plan to collect additional data yesterday on the Mozilla Governance group. In it, he describes the issue that Mozilla engineers face currently. While Firefox may collect the data when users opt-in, Mozilla believes that the data is biased and that only data collecting with opt-out would provide unbiased data that the engineers can work with. Questions that this data may help answer include "which top sites are users visiting", "which sites using Flash does a user encounter", and "which sites does a user see heavy Jank on" according to Fritzsche." excerpt via Martin Brinkmann writing at gHacks


Google Complicit In Fake Google Maps Site Listings? →

April 19, 2017 by Marc Handelman in Advertising, All is Information, Alternate Attack Vectors, Crime, Web Security, Information Security

Is Google Inc., aka Alphabet Inc. (NasdaqGS: GOOG), complicit in the enormous number of fake listings in Google Maps (which redirect users to false and/or fraudulent sites)? Of course they are, as, by definition, they own it. What's worse, the company possesses the in-built capability to police those listings to protect its users, but does not, in reality, do so.
