Monthly review – October 2019

Each month, we publish a review that covers the most important activities of the last 30 days. This month, we talk about Simjacker (again), web browser support for TLS, important security updates, MinTOTP, and more.

Contents

  1. News of the month
  2. Tool of the month
  3. Tip of the month
  4. Readers’ questions of the month
  5. Our activities of the month
  6. Closing words
  7. Links


News of the month

In October 2019, we read the following news:

  1. Simjacker attack: We mentioned this attack before. It can be used to locate phones, or retrieve information about them (IMEI, battery, network, language). This month, a report listing affected countries was released. In Europe, at least one mobile operator in Italy, Cyprus, and Bulgaria is/was affected. At least 61 mobile operators are/were affected worldwide. In total, about 861 million SIM cards are affected according to the report.
  2. Web browsers start disabling TLS 1.0 and 1.1 by default: Mozilla and Google started to remove support for TLS 1.0 and 1.1 from their web browsers (Firefox, Chromium, Chrome). During a transition period, users will likely be able to re-enable TLS 1.0/1.1 in their web browsers. The goal is to switch completely to TLS 1.2 or later for more secure transport encryption. Keep in mind that mobile apps and other web clients may still use legacy TLS. Besides, Mozilla changed the look of its security indicators (similar to Google). You have likely noticed the removal of “https://” and the green lock icon from the address bar. On the other hand, “http://” is now always marked as insecure.
  3. Security updates for PuTTY, Exim Internet Mailer, and tcpdump: PuTTY 0.73 was released on September 29, fixing three different security vulnerabilities. Then, Exim Internet Mailer 4.92.3 was released, fixing a heap-based buffer overflow in Exim 4.92 to 4.92.2 (see CVE-2019-16928). Another notable release is tcpdump 4.9.3, which fixes nearly 30 security vulnerabilities. Some of them are rated “critical”.

Moreover, there were some data breaches. Have I Been Pwned added information about the following breaches:

  • Sephora (breached in January 2017)
  • StreetEasy (breached in June 2016)

Check if you were affected, and change your credentials. Besides, feel free to subscribe to our RSS/Atom feed, or directly follow us in the Fediverse to learn about data breaches and much more.

Tool of the month

This month, we look at a very small Python 3 script to generate OATH-TOTP and OATH-HOTP codes. TOTP is commonly used by web applications for two-factor authentication.

The script is called MinTOTP. You need Python 3.4 or later installed on your device. We like the simplicity of the script that consists of 30 lines of code. There is also comprehensive documentation available on GitHub.

To use the script, you can either download the .py file or install MinTOTP via pip (pip install mintotp).

Afterwards, you can run mintotp <<< SECRETSECRETSECRET (if you installed it using pip) or python3 totp.py <<< SECRETSECRETSECRET (if you directly use the .py file) to get a TOTP code.

More examples are shown on the GitHub page of MinTOTP. Keep in mind that the secret (e.g., SECRETSECRETSECRET) is a secret! Store it like a password and only use a second device to generate your OTPs. Do not use the device which you use for login. Do not store this secret and the normal password in the same database.

Tip: You can also use zbarimg and oathtool to generate TOTP codes, shown here.
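
To show what a script like MinTOTP computes, here is an added example (our own illustration, not MinTOTP's code): HOTP as defined in RFC 4226, TOTP as defined in RFC 6238 on top of it, and the server-side verification step with a clock-drift window that a generator such as MinTOTP does not need. The demo secret is the RFC 6238 test key “12345678901234567890” in base32; the function and parameter names are ours.

```python
# Added example (not MinTOTP's code): minimal RFC 4226 HOTP / RFC 6238 TOTP
# plus the verification step a server performs. Standard library only.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def decode_base32_secret(secret: str) -> bytes:
    """Shared secrets are usually shown base32-encoded (as in otpauth:// URIs),
    often lower-case, with spaces and without '=' padding; normalise all of that."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_b32: str, now: Optional[float] = None, step: int = 30,
         t0: int = 0, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since t0."""
    if now is None:
        now = time.time()
    counter = int((now - t0) // step)
    return hotp(decode_base32_secret(secret_b32), counter, digits, digestmod)


def verify_totp(secret_b32: str, code: str, now: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Clocks drift, so also accept `window` steps on either
    side of the current one. Compare in constant time so the comparison itself
    does not reveal how many digits matched."""
    if now is None:
        now = time.time()
    key = decode_base32_secret(secret_b32)
    current = int(now // step)
    accepted = False
    for counter in range(current - window, current + window + 1):
        # No early exit: every candidate is checked so the timing is uniform.
        if hmac.compare_digest(hotp(key, counter, digits), code):
            accepted = True
    return accepted


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded.
    DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(DEMO_SECRET))
    print("code at T=59:", totp(DEMO_SECRET, now=59))   # RFC 6238 test vector -> 287082
```

The window in verify_totp is the reason a code still works a few seconds after it rolled over; keep it small (one step either side), because every extra step accepted widens the set of codes an attacker may guess.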

Tip of the month

This month’s tip is about processes and organization. If you are a frequent reader of InfoSec Handbook, you likely know that information security consists of technology, processes/organization, and people. Only focusing on technology doesn’t give you more than 33% security.

An example from the physical world: There is a new fire extinguisher on your floor of your apartment building. Is it safe in case of fire now? No. Residents need to know where the fire extinguisher is, and they need to know how to use it (raising awareness among people). Then, somebody has to maintain the fire extinguisher (checks, refills, replacement). Who is responsible here? You need processes and organization.

Some questions regarding information security at your home are:

  • How do I manage credentials (e.g., passwords, passphrases, 2FA codes, U2F tokens)?
  • How do I update my devices? (e.g., software on your router, firmware of IoT devices, software packages on your computer, apps on your smartphone)
  • How do I check security settings of software and web applications I use? (Keep in mind that updates may reset or change previous settings.)
  • How do I learn about data breaches that likely affect my personal data? (Leaked data makes you more vulnerable to phishing.)
  • Which devices are in my home network? Do they need internet access? Is there a way to put certain types of hardware or users in separate VLANs (e.g., guests using your internet access, or IoT devices)?
  • How do I monitor my home network for suspicious network traffic? How do I get alerts? How do I react in case of suspicious network traffic?
  • Do I have backups of my data? What happens in case of malware infection, esp. ransomware?

These are only several examples. A very important part of information security is actually thinking about it. How do you react in certain situations? How is something managed? Who is responsible? Thinking about all of this results in new questions and a better understanding of technology and threats. Think about it, ask questions, and discuss it. This is far more helpful than just installing arbitrary “security” software.

Readers’ questions of the month

Each month, readers send us questions via e-mail, Keybase, Mastodon (Fediverse), Threema, Signal, or via the forum of privacytools.io. In general, we directly reply to questions. However, we would like to list some questions and answers that are interesting for more than only one person:

  • “What is the current state of gzip and side channel attacks?”: This question is likely about the 2013 BREACH attack. BREACH works with any HTTP compression, even the new br (Brotli) compression. There is a difference between TLS compression and HTTP compression. TLS compression is always considered insecure (turn it off), HTTP compression is in a state of “it depends”. Disabling HTTP compression dramatically reduces performance of websites, so the majority of web servers didn’t disable it. There is no fix, but there are mitigations. For our blog, this isn’t an issue since we don’t transmit any personal or sensitive data.
  • “What is the best way to learn Kali Linux/infosec/ethical hacking?”: For Kali, there is a book on kali.training (and some paid trainings). For ethical hacking, look for certifications like CEH v10, or CompTIA PenTest+. There are many books, videos, and trainings to get certified. Use Hack The Box for practice. Information security itself is a very broad topic. You likely look for something like Security+. You don’t need to get certified, however, you get a structured approach this way. Read our blog post “Your career in information security”.
  • “Should I switch from search engine A to search engine B for more privacy?”: Switching from an online service provider to another online service provider is about trusting other parties. This is true for many different services like blogs, forums, search engines, VPNs, mail servers, and so on. The problem is you can’t check most server-side configuration as mentioned in “Pros and cons of online assessment tools for web server security”. If you can’t check this, you have to trust the service provider. In the end, it is all about trust, not about actual control. So be sure that you trust the service provider of the other search engine. Keep in mind that you can’t validate most of the provider’s statements like “we don’t log”.
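
To make the gzip question above concrete, here is an added example (our own illustration, not from the original answer): it measures whether a compressed response body's length changes depending on whether reflected input matches a secret carried in the same response, which is the precondition BREACH relies on, and shows one of the published mitigations, masking the secret with a fresh random value on every response. The page template, the token value and the function names are constructed for the demo.

```python
# Added example (not from the post): check whether HTTP-level compression makes
# a response's length depend on a secret in that response, and the per-response
# masking mitigation. All page content and the token are constructed values.
import os
import zlib

SECRET_TOKEN = "csrf=8f3a9c1d2e"   # constructed anti-CSRF token, not real data


def render(reflected: str, token: str) -> bytes:
    """Constructed page: echoes a request parameter and also carries a secret
    token in the same response body, the situation BREACH needs."""
    body = (
        "<html><body><p>You searched for: " + reflected + "</p>"
        "<form><input type=hidden name=token value='" + token + "'></form>"
        "</body></html>"
    )
    return body.encode()


def compressed_len(data: bytes) -> int:
    """Size of the body after DEFLATE, as gzip/deflate content encoding would send it."""
    return len(zlib.compress(data, 6))


def length_leak(correct: str, wrong: str, token: str = SECRET_TOKEN) -> int:
    """Bytes saved when the reflected input equals the secret instead of not matching.
    A positive value means the length reveals something about the secret."""
    return compressed_len(render(wrong, token)) - compressed_len(render(correct, token))


def mask_token(token: str) -> str:
    """Mitigation: XOR the token with a fresh random mask on every response and
    send mask||masked (hex). The bytes on the wire change each time, so nothing
    an attacker reflects can repeatedly match them and compression no longer
    correlates with guesses."""
    raw = token.encode()
    mask = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()


def unmask_token(blob: str) -> str:
    """Server side: recover the token from mask||masked."""
    raw = bytes.fromhex(blob)
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(a ^ b for a, b in zip(masked, mask)).decode()


if __name__ == "__main__":
    wrong = "csrf=0f1a2c3d4e"                      # constructed non-matching input
    print("unmasked token, bytes leaked:", length_leak(SECRET_TOKEN, wrong))
    masked = mask_token(SECRET_TOKEN)
    print("masked token, bytes leaked:  ",
          length_leak(SECRET_TOKEN, wrong, token=masked))
    print("server recovers:", unmask_token(masked))
```

With the plain token the first number is clearly positive; with the masked token it varies from run to run with the random mask and no longer tracks whether the reflected input matched. Masking belongs to the “mitigations, no fix” category mentioned above: it protects the token it is applied to, not every other secret in the page.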

Just send us your questions. Maybe, your question will be listed in the next monthly review.

Our activities of the month

In October, we published three new articles within the context of this year’s European Cyber Security Month:

Besides, we moved the Git repository containing our blog content from GitHub to codeberg.org. There, you can see every single change of our articles for transparency reasons. We will publish more information regarding codeberg.org soon.


Closing words

After two very busy months, we will proceed with revising our Web server security series, as announced before. Our goal is to split general content and software-specific content for better maintainability.
