Banner image of Monthly review – December 2019

Each month, we publish a review that covers essential activities of the last 30 days. This month, we talk about Python 2 EOL, malicious Python libraries, technical previews by Signal, WebAuthn for iOS, and more.

Always stay in the loop!
Subscribe to our RSS/Atom feeds.

News of the month

In December 2019, we read the following reports:

Python 2 EOL

Python 2 reaches its end of life (EOL) on January 1, 2020. (If you read this on Dec 31, 2019, then this is tomorrow.) The EOL date isn’t news; it has been known for more than five years. After that date, there won’t be any planned security updates for Python 2. The final version of Python 2 will be 2.7.18, scheduled for mid-April 2020.

As a user, check whether any of your applications still require Python 2. If you don’t need Python 2 anymore, remove it from your devices. If some applications still require Python 2, check whether their developers have announced a migration to Python 3. In case of doubt, look for alternatives.

As a developer, migrate to Python 3 now: the EOL date has been known for years, and Python 2 won’t receive any planned security updates after it.
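A practical way to find leftovers is to scan a directory tree for scripts that still ask for a Python 2 interpreter or that no longer parse under Python 3. The following script is an added example for this review, not code from the original post; it assumes that scripts name their interpreter in a shebang line and treats source that Python 3 can’t parse as a likely Python 2 leftover.

```python
"""Find scripts on a system that still depend on Python 2.

Added example for this review; it is not code from the original post.
Assumptions: scripts declare their interpreter in a shebang line, and
source that does not parse under Python 3 is treated as a Python 2 leftover.
"""
import ast
import os
import re
from typing import Dict, List

# Interpreter patterns as they appear in shebang lines. A bare "python" is
# reported as ambiguous: on many distributions it still pointed to Python 2
# at the time of writing (see PEP 394).
_PY2_RE = re.compile(r"python2(\.\d+)?\b")
_PY3_RE = re.compile(r"python3(\.\d+)?\b")
_BARE_RE = re.compile(r"python\b")


def classify_shebang(first_line: str) -> str:
    """Return 'python2', 'python3', 'ambiguous' or 'other' for a file's first line."""
    if not first_line.startswith("#!"):
        return "other"
    interpreter = first_line[2:].strip()
    if _PY2_RE.search(interpreter):
        return "python2"
    if _PY3_RE.search(interpreter):
        return "python3"
    if _BARE_RE.search(interpreter):
        return "ambiguous"
    return "other"


def analyze_source(name: str, text: str) -> List[str]:
    """Return the reasons why a file looks Python 2 dependent (empty list = fine)."""
    first_line = text.split("\n", 1)[0]
    kind = classify_shebang(first_line)
    reasons: List[str] = []
    if kind == "python2":
        reasons.append("shebang requests python2")
    elif kind == "ambiguous":
        reasons.append("shebang requests bare 'python' (version unclear)")
    # Only try to parse files that are plausibly Python at all.
    if kind != "other" or name.endswith(".py"):
        try:
            ast.parse(text, filename=name)
        except (SyntaxError, ValueError):
            reasons.append("does not parse as Python 3 (Python 2-only syntax?)")
    return reasons


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and map each suspicious file to its reasons."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable (permissions, special files): skip
            reasons = analyze_source(path, text)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys

    root_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sorted(scan_tree(root_dir).items()):
        print(f"{path}: {'; '.join(reasons)}")
```

Run it against directories such as /usr/local/bin or your home directory. A hit on “bare ‘python’” doesn’t prove Python 2 usage, but it tells you which scripts will break once the python symlink changes, so check those by hand.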

Malicious Python libraries stealing OpenPGP and SSH keys

Once again, malicious libraries were found on PyPI. The packages python3-dateutil and jeIlyfish (spelled with a capital “I” instead of the lowercase “l” of the legitimate jellyfish package) tried to copy SSH and OpenPGP keys to remote IP addresses. This is the third time the PyPI team intervened to remove typo-squatted malicious Python libraries from the official repository.

As a user, make sure you actually need a library before installing it, and remove unused libraries. Compare the exact package name with the project’s own documentation before installing, since typo-squatted names differ by only a character or two. This applies not only to Python libraries but to any other source of user-provided content (e.g., custom repositories for F-Droid, the Arch User Repository (AUR), npm packages).
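Both names from this incident differ from the legitimate package by a single character: one inserted digit, one visually confusable letter. The following script is an added example for this review, not code from the original post or from PyPI; it flags requested dependency names that are within one edit of, or visually identical to, names on an allowlist. The KNOWN set is a small constructed sample; in practice you would compare against your lock file or an internal allowlist of vetted packages.

```python
"""Flag dependency names that look like typosquats of well-known packages.

Added example for this review; it is not code from the original post.
The KNOWN set below is a small constructed allowlist; in practice compare
against your lock file or an internal allowlist of vetted packages.
"""
import re
from typing import Dict, Iterable, Set

# Constructed sample of packages a project is known to depend on.
KNOWN: Set[str] = {"python-dateutil", "jellyfish", "requests", "urllib3", "cryptography"}

# Characters that look alike in many fonts (constructed, not exhaustive).
# Applied after lower-casing, so a capital "I" becomes "i" and then "l".
_CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def parse_requirement(line: str) -> str:
    """Extract the bare project name from a requirements.txt line."""
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    if not match:
        raise ValueError(f"cannot parse requirement: {line!r}")
    return match.group(1)


def normalize(name: str) -> str:
    """Normalize a project name as PEP 503 does: case-fold, collapse -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Normalized name with visually confusable characters folded together."""
    return normalize(name).translate(_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_requirements(requested: Iterable[str], known: Set[str] = KNOWN) -> Dict[str, str]:
    """Map each requested name to 'ok', 'unknown' or 'suspicious: resembles <name>'."""
    known_norm = {normalize(k): k for k in known}
    verdicts: Dict[str, str] = {}
    for raw in requested:
        name = parse_requirement(raw)
        norm = normalize(name)
        if norm in known_norm:
            verdicts[name] = "ok"
            continue
        verdict = "unknown"
        for k_norm, k_name in sorted(known_norm.items()):
            # Either a confusable-character swap or a single-character typo.
            if skeleton(k_norm) == skeleton(norm) or levenshtein(k_norm, norm) <= 1:
                verdict = f"suspicious: resembles {k_name}"
                break
        verdicts[name] = verdict
    return verdicts


if __name__ == "__main__":
    # Constructed requirements list containing the two names from the incident.
    sample = ["python3-dateutil", "jeIlyfish", "requests>=2.22.0", "foo-bar-baz"]
    for name, verdict in check_requirements(sample).items():
        print(f"{name:20s} {verdict}")
```

An “unknown” verdict only means the name isn’t close to anything on the allowlist; it still deserves a look before installation. Treat “suspicious” as a hard stop until someone has checked the project page and the publisher.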

Signal released two technical previews

This month, Signal published two blog posts:

Both posts and a related scientific paper describe concepts for a group system and an account recovery system, which rely on servers while being cryptographically secured. Implementing these concepts could help Signal to overcome certain limitations of their client-side account management.

iOS and iPadOS support FIDO-compliant security keys

Finally, iOS and iPadOS 13.3 introduce support for FIDO-compliant security keys. After updating, you should be able to use your security token over Lightning, USB, or NFC for WebAuthn.

Passwordless sign-in, i.e., using only the security key with its PIN or biometrics and no username and password, isn’t supported yet.

Data breaches and leaks

Moreover, there were some data breaches. Have I Been Pwned added information about the following breaches:

  • AgusiQ-Torrents.pl (breached in September 2019)
  • Zynga (breached in September 2019)
  • Factual (breached in March 2017)

Check if you were affected, and change your credentials. Besides, feel free to subscribe to our RSS/Atom feed, or directly follow us in the Fediverse to learn about data breaches and much more.

Tip of the month

This month’s tip is about pages on our blog that aren’t blog posts. If you only follow us in the Fediverse or via RSS/Atom feeds, you probably don’t know these pages:

  • Glossary: Our glossary already contains definitions for more than 130 terms related to information security and data protection.
  • Recommendations: This page lists recommendations for different use cases.
  • Terminal tips: Finally, this growing collection lists CLI tools for different use cases.

Other pages are:

  • About us: This page contains information about our project “InfoSec Handbook” and frequent contributors.
  • Changelog: This page lists significant changes that don’t directly affect single articles, but the layout, style, or content of our blog. For every single change of our blog posts, you can go to our repository on codeberg.org.
  • Contact details: This page lists contact information like our e-mail address, OpenPGP keys, and our accounts on other websites.
  • Copyright: This page contains our copyright information.
  • Privacy policy: This is our privacy policy for our blog. In short, we never track you, we don’t collect any of your personal data, and we usually don’t keep any log files.
  • RSS/Atom: This page contains all current feeds covering our blog.
  • Security and disclosure policy: This is our security and disclosure policy. This page also contains our bug bounty program.
  • Series of articles: This central page contains links to our series.
  • Support us: This page shows different ways to support our work.

If you miss something or in case of any other ideas, feel free to contact us.

Readers’ questions of the month

Each month, readers send us questions via e-mail, Mastodon (Fediverse), Signal, or via the forum of privacytools.io. In general, we directly reply to questions. However, we would like to list some questions and answers that are interesting for more than only one person:

“Do you have a CPU purchasing guide?”

We don’t provide any recommendations regarding buying CPUs. Such information quickly becomes outdated, and there is no perfect CPU for everybody. Buy the CPU that fits your use cases best. If you read about security vulnerabilities in CPUs, keep in mind that most of them aren’t relevant for non-virtualized systems, or the published attacks are purely theoretical so far. Regardless of the CPU you choose, install microcode and operating system updates promptly, as that is where the mitigations ship.

“Do you plan to send findings of online assessment tools to organization XYZ?”

In general, we contact organizations and even private bloggers if we identify issues with their servers (e.g., vulnerable software, insecure configuration, incomplete privacy policies). We don’t just forward arbitrary results; we check whether the findings are relevant before reporting them. As of December 2019, we have sent reports to about 120 different parties.

However, we won’t send random findings of online assessment tools to anybody. We already covered the limitations of these tools in several articles on our blog. All online assessment tools have a very limited scope and don’t understand the context of their findings. The findings need to be reviewed by security professionals. We could do this, but we are already happily employed. 😉

Not a question: “I found a security vulnerability on your website. If you want me to tell you, please pay me a bug bounty first.”

We frequently get e-mails from “security researchers” who claim that they found some security issues on our website. Instead of telling us, they demand their bug bounty first. Most of them neither read our disclosure policy nor provide any details.

We pay bug bounties. However, we won’t pay anything in advance. So if you found a security vulnerability, follow our disclosure process. Besides, understand and use OpenPGP. Using OpenPGP shouldn’t be a problem for “security researchers.” 😉

Our activities of the month

In December, we published six new articles:

Besides, we changed several things on our blog:

  • The release of Hugo 0.60 forced us to get rid of inline HTML in Markdown files. The main reason was Hugo’s migration to Goldmark for rendering Markdown: Goldmark omits raw HTML unless you explicitly set its renderer option “unsafe” to true, and we preferred rewriting the content over enabling it. On the positive side, we introduced absolute file paths. This allowed us to offer another mirror of our blog on codeberg.org.
  • Furthermore, we changed the styles, content, and layout of our blog to comply with the W3C Web Content Accessibility Guidelines 2.1 (WCAG 2.1). Improved accessibility is beneficial for all of our readers.

Follow us on Mastodon:
@infosechandbook

Closing words

In 2019, we published 28 new blog posts (excluding monthly reviews) and updated 22 already-existing posts.

This year, we voluntarily spent 298.5 hours (equivalent to 37.5 workdays) writing and updating our blog posts, improving our technical setup and replying to questions of readers and forum posts. We offer our content for free without any tracking, sponsoring, or advertisements. This way, we remain 100% independent and 100% self-funded.

In early 2020, you can expect our updated Web server security series and new content for our Home network security series. There will also be an article on our server infrastructure.

We wish you a secure new year!
