Latest articles

One year GDPR: looking at privacy policies of websites operated by private individuals

One year ago, the European General Data Protection Regulation (GDPR) became enforceable after a two-year transition period. In the wake of this event, the media reported on several administrators who decided to permanently shut down their (small) websites, while many non-EU websites started to block all EU-based IP addresses. Some people spread myths, and soon afterwards the media lost interest in the GDPR. Taken as a whole, the GDPR caused confusion, despite the fact that the former national privacy laws were mostly as strict as the GDPR itself.

In this article, we look at the privacy policies of 20 websites (operated by private individuals) to check whether they provide information for their users according to Articles 12 and 13 (GDPR).

5 lessons learned from the matrix.org breach

This week, matrix.org disclosed that its server infrastructure had been compromised. Matrix.org is the reference server of the open Matrix protocol used for real-time communication. People reacted differently: some tried to defend matrix.org since it offers an open and decentralized communication platform; others stated that matrix.org is a security mess and that they will stay with XMPP or their favorite instant messaging protocol. While matrix.org is still recovering from the data breach, it already seems clear that this breach was possible due to human error and organizational shortcomings.

In this article, we discuss lessons learned from the matrix.org data breach that are important for everyone.

CVSS, CVE, CWE, CAPEC – common standards security professionals should know

CVSS, CVE, CWE, and CAPEC are widespread and well-known security standards used to rate the severity of vulnerabilities, uniquely identify vulnerabilities, describe common weaknesses in software, and categorize the attack patterns commonly used by the bad guys.

In this article, we present the four standards and give brief guidance for daily usage.

UltraVNC – a security nightmare

UltraVNC is open-source software for remotely controlling other systems and visually sharing desktops. If you look at its track record, it looks great: only 7 security vulnerabilities in 13 years. However, this month, Kaspersky published not just one newly found vulnerability in UltraVNC, not two, not five, but 22 security vulnerabilities (KLCERT-19-003 to KLCERT-19-024), each with its own CVE identifier. Most of them come with a CVSS v3.0 base score of 10.0 out of 10.0, which means it can't get any worse.

The official website and forum of UltraVNC aren't any better: there is no HTTPS, there are no modern security features, there was a file containing secrets, and the CMS is obviously outdated. In this article, we show several vulnerabilities of uvnc.com to raise awareness of insecure websites.