26
17
submitted 4 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
27
22
submitted 5 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml

Today, 16 years ago, Debian published a security advisory announcing CVE-2008-0166, a severe bug in their OpenSSL package that effectively broke the random number generator and limited the key space to a few ten thousand keys. The vulnerability affected Debian+Ubuntu between 2006 and 2008. In 2007, an email signature system called DKIM was introduced. Is it possible that people configured DKIM in 2007, never changed their key, and are still vulnerable to CVE-2008-0166?

https://mastodon.social/@hanno/112427156548148984

28
33
submitted 5 months ago by cypherpunks@lemmy.ml to c/security@lemmy.ml
29
16
submitted 5 months ago by maegul@lemmy.ml to c/security@lemmy.ml

cross-posted from: https://lemmy.ml/post/15178977

FWIW, this isn't to do with me personally at all, I'm not looking to do anything dodgy here, but this came up as a theoretical question about remote work and geographical security, and I realised I didn't know enough about this (as an infosec noob)

Presuming:

  • an employer provides the employee with their laptop
  • with security software installed that enables snooping and wiping etc and,
  • said employer does not want their employee to work remotely from within some undesirable geographical locations

How hard would it be for the employee to fool their employer and work from an undesirable location?

I personally figured that it's rather plausible. Use a personal VPN configured on a personal router and then manually switch off wifi, bluetooth and automatic time zone detection. I'd presume latency analysis could be used to some extent?? But also figure two VPNs, where the second one is that provided by/for the employer, would disrupt that enough depending on the geographies involved?

What else could be done on the laptop itself? Surreptitiously turn on wifi and scan? Can there be secret GPSs? Genuinely curious!

30
17
submitted 5 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
31
6
submitted 5 months ago by yogthos@lemmy.ml to c/security@lemmy.ml
32
32
submitted 5 months ago by t0mri@lemmy.ml to c/security@lemmy.ml

There’s a server, a client, and a hacker in a network. For encryption, the client and the server need to share their private keys. Wouldn’t the hacker be able to grab those during their transmission and decrypt further messages as they please?

33
19
submitted 5 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml

cross-posted from: https://infosec.pub/post/11554206

Researchers have found two novel types of attacks that target the conditional branch predictor found in high-end Intel processors, which could be exploited to compromise billions of processors currently in use.

34
7
Passkeys: A Shattered Dream (fy.blackhats.net.au)
submitted 5 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
35
4
submitted 5 months ago by yogthos@lemmy.ml to c/security@lemmy.ml
36
11
submitted 5 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml

cross-posted from: https://infosec.pub/post/11143989

Fresh Social Engineering Attacks Resemble Tactics Used Against XZ Utils Maintainer

Major open-source software projects are warning that more pieces of code than XZ Utils may have been backdoored by attackers, based on ongoing supply-chain attack attempts that have targeted "popular JavaScript projects," apparently seeking to trick them into sharing code maintainer rights.

37
36
submitted 5 months ago* (last edited 5 months ago) by lemmyreader@lemmy.ml to c/security@lemmy.ml

We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised!

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

38
21
submitted 5 months ago by yogthos@lemmy.ml to c/security@lemmy.ml
39
18
submitted 6 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
40
16
submitted 6 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml

cross-posted from: https://infosec.pub/post/10912691

Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [...]

41
5
submitted 6 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
42
7
submitted 6 months ago by Rustmilian@lemmy.world to c/security@lemmy.ml
43
4
submitted 6 months ago by cypherpunks@lemmy.ml to c/security@lemmy.ml
44
17
submitted 6 months ago by Rustmilian@lemmy.world to c/security@lemmy.ml
45
7
submitted 6 months ago by Rustmilian@lemmy.world to c/security@lemmy.ml
46
9
submitted 6 months ago by Rustmilian@lemmy.world to c/security@lemmy.ml
47
13
submitted 6 months ago by Rustmilian@lemmy.world to c/security@lemmy.ml
48
12
submitted 6 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml
49
5
submitted 6 months ago by otto@programming.dev to c/security@lemmy.ml

The XZ Utils backdoor, discovered last week, and the Heartbleed security vulnerability ten years ago, share the same ultimate root cause. Both of them, and in fact all critical infrastructure open source projects, should be fixed with the same solution: ensure baseline funding for proper open source maintenance.

50
531
submitted 6 months ago by lemmyreader@lemmy.ml to c/security@lemmy.ml

Security

4980 readers
18 users here now

Confidentiality Integrity Availability

founded 4 years ago