Latest updates

We update our website at the moment

Hello! 😊

We will upload more revised content soon. See our roadmap. Thank you for your patience.

InfoSec Handbook, November 2021

XMPP: Admin-in-the-middle

Some people promote XMPP-based instant messengers as the “privacy-friendly alternative” to other messengers. In our opinion, you can’t refer to XMPP-based messaging as “privacy-friendly” as long as you don’t control all XMPP servers.

In this article, we show the perspective of an XMPP server administrator. Unsurprisingly, an XMPP administrator (or any other server-side party) can inject arbitrary messages, modify address books, and log passwords in cleartext.

Exposed IP cameras may disclose your physical address

IP cameras are affordable and ubiquitous. You can conveniently monitor your home from almost everywhere. However, hundreds of IP cameras are unmaintained and vulnerable to attackers. In the worst case, exposed IP cameras can be misused to locate your physical address.

In this article, we show how attackers may locate your camera’s physical location and provide tips on securing your device.

Hi, I'm your unmaintained IP camera, broadcasting your life 24/7

Do you operate an IP camera, which is connected to the internet? Did you ever check its configuration? Did you check if the device runs the latest firmware? Did you check whether everybody on the internet can access your camera?

In this article, we share several risks coming with unmaintained IP cameras and tips on how you can secure your device.

Modern credential management — keep it simple

Each year, “the worst passwords of the year” make it into the news. Passwords like “123456,” “111111,” “querty,” or “password” are always on these lists. If you look at leaked passwords, you quickly realize that passwords are short, non-random, and may have a trailing “!” as the special character. Companies try to get rid of weak passwords by enforcing password rules; however, users find creative ways to bypass these unpopular rules, again using weak passwords.

While countless websites flood the internet with tips to create the “perfect” password, many of them forget about two essentials: Defining a threat model, and keeping credential management as simple as possible.

NTS – Securing NTP with RFC 8915

The Network Time Protocol (NTP) is one of the remaining protocols on the internet without state-of-the-art security. The RFC 8915 “Network Time Security for the Network Time Protocol” tries to change this by proposing cryptographic protection for NTP’s client-server mode. In this article, we use the NTP implementation “NTPsec” and NTS to synchronize the system’s time securely.