Starting a new Thread here for everyone to post all those news about the latest security news & events.
Note: If you come across a piece of interesting news but don't have the time to post it here, feel free to post it in the lounge with @catsay tag or DM me with the link and I will make a nicely formatted version with attribution to you when I have time.
Rules:
- When possible, always link to original articles unless the exceptions below apply.
- Try to link the primary article references, such as research PDFs, to the article where possible.
- No direct links to doxxed or leaked information.
- No posting of personal/leaked information.
- No posting links in spoiler tags.
- Tin-Foil hats optional.
Appreciated but not necessary:
- A short TLDR summary in quoted text of the article in question.
Use the template below for posting links:
Post Template
### Article Name
http://www.articlelink.com
#### Summary:
> Summary Text Here in Quote
#### Extra References (Optional)
> Links here
#### Severity & Fix
> Is there a fix and/or where can it be found.
Users' and Mods' suggestions and input wanted to make this a thing. Could use some help to improve the rules probably.
In addition, if enough people are interested, I would also like to make this into an RSS feed with everyone's contributions and mine included in a nicely formatted and digestible format.
Malicious apps can take the simple movement and work out how to access people's most private details
Summary
Limited permission Apps on Android can monitor accelerometers and gyroscopes without permission in order to infer entered pincodes and password strings with a high degree of accuracy.
Extra References (Optional)
Severity & Fix
No Fix right now. Academic Solutions suggested include:
1. restricting the sensor to one app
2. reducing the sampling rate
3. temporal pause of the sensor on sensitive entries such as keyboard
4. rearranging keyboard for password entrance (possible on some devices)
5. asking for explicit permission from the user
6. ranking apps based on their similarities to malware
7. obfuscating anomalies in sensor data.
Conclusion
After many years of research on showing the serious security risks of sensors such as accelerometer and gyroscope, none of the major mobile platforms have revised their in-app access policy.
Microsoft Word 0day used to push dangerous Dridex malware on millions
Summary:
The new vulnerability is notable because it "bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever. The flaw is known to affect most or all Windows versions of Word, but so far no one has ruled out that exploits might also be possible against Mac versions."
Microsoft, which according to McAfee has known of the remote-code vulnerability since January, has yet to issue any sort of public advisory.
Just saying, I think these posts would be better as individual threads for sake of visibility. Mega threads get buried fast. Maybe a special category for "security" can be created.
Format seems fine, you could link to a discussion thread or something else and keep this as news posts only. The forum already acts as an RSS feed. Just add .rss to the URL example:
I'm aware of the RSS forum feature. It's just really messy and all the discussion is also featured in it. I would be making a clean RSS feed that people can subscribe to and get just the articles and content.
And maybe do what @Ethereal said and post them in the News section with [L1S] prefix and security tag at first, maybe separate category later. But we'll see, I'll have to first do this for a while and see how it builds up.
Those were pretty much my concerns there. How to prevent clutter and keep the rules and in a nice readable format that isn't just a links dump.
I will start my RSS feed anyway since it's just the cleanest and most lightweight solution anyhow. On the forum side, we'll still have to work something out.
Separate topics for each story in a category that can be followed is a nice idea. (Clutter be damned)
How would the news group work, only approved users may post? That could work, would then have to approve users that have proven themselves with quality submissions. But that adds a lot of work.
I somewhat trust that the community won't post rubbish in the thread, I have not been disproven yet, that's anyway what the lounge is there for, it diverts & absorbs all of the junk posts for the main part.
I like the thread, but it would be better to have a tag instead of a summarizing thread, because having a solution for those problems or a patch or workaround would be really useful info imo.
So I would prefer a thread for every problem, with the opportunity for people to post fixes for that problem. The list of problems would then be a search on the security tag.
If you want, an "InfoSec" tag that would only be used for these topics, would be a solution to group them.
Grouping in threads is something we would want to avoid, we'd rather have the community use tags to group content, out of search facilitation reasons.
That seems like a plan. I've been leaning that way mostly after hearing everyone's input. The main thing is to just keep the format for the thread nice and clean so the first post can have the primary info and article + fixes and the rest can be discussion. With fixes commented in the discussion making it into the intro post.
Is there a specific name for a first post on a thread with all the info etc in it?
An InfoSec tag would be nice to group them by yes.
I considered making one of these at some point but didn't since this is a forum. Security is too fast paced for forum style posting since days after a post a fix is usually applied negating the benefit of the post. Then you have a megathread of just outdated risks. It could be useful though as long as the CVE is attached... maybe.
An idea would be to make the title of the thread start with "InfoSec:" and then the subject. Makes it even easier to find them in a listing that is not filtered by the InfoSec tag.
I'm usually quite involved with security so I often hear things before the CVE shows up. Myself I'm qualified in Information Security, Business InfoSys Risk Assessment & 'Ethical' hacking to keep it short. That term... :shudders:
My main aim of this thread is as the title [somewhat] implies. 'Level 1' security. A way to bring Security and more in depth discussion to the less security involved that aren't able to keep up with everything but in a simpler form. It also gives the opportunity to cover aspects and topics that don't usually get coverage.
I'm planning to also write up some articles from time to time on various security topics and practices as regards to the power user (level1 community members).
Maybe covering some light hacking related topics, depending on interest and community policy.
Probably would be putting those on the L1T wiki since that seems to be in severe need of some TLC and attention.