In: Computers, Life. Also: privacy.

Security

Security is freedom from, or resilience against, potential harm caused by others.
Security is not only physical, it can also be virtual.

Computer security, cybersecurity or IT security is the protection of computer systems and networks from information disclosure, theft of or damage to the hardware, software, or electronic data.
Information security, or infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management.
Data security means protecting digital data, such as a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

Perceptions of security

Since it’s not possible to know with precision the extent to which something is ‘secure’, perceptions of security may vary greatly.
For example, a fear of death by earthquake is common in the US, but slipping on the bathroom floor kills more people; and in France, the UK and the US there are far fewer deaths caused by terrorism than there are women killed by their partners in the home.

Another problem of perception is the common assumption that the mere presence of a security system (such as armed forces, or antivirus software) implies security.
For example, two computer security programs installed on the same device can prevent each other from working properly, while the user assumes that he or she benefits from twice the protection that only one program would afford.

Security theater is a critical term for measures that change perceptions of security without necessarily affecting security itself.
For example, visual signs of security protections, such as a home that advertises its alarm system, may deter an intruder, whether or not the system functions properly.
Or, the increased presence of military personnel on the streets of a city after a terrorist attack may help to reassure the public, whether or not it diminishes the risk of further attacks.

– from Wikipedia


USB security

Librem key

USB security token to make encryption, key management, and tamper detection convenient and secure

Nitrokey

Protect emails, files, hard drives, server certificates and online accounts
Your private keys are always stored securely in the Nitrokey hardware and can’t be stolen

Secalot

A small USB dongle that packs a wide range of features:
Hardware cryptocurrency wallet; OpenPGP smart card; U2F authenticator; One-time password generator

Solo keys

Secure your logins with two-factor authentication
Works with anything that supports FIDO2 or FIDO U2F


Passwords

Bitwarden

The most trusted open source password manager for business
Store and share sensitive data from any device

Cryptsetup

Utility used to conveniently set up disk encryption based on the dm-crypt kernel module (the usual front end for LUKS volumes). Note that this is block-device encryption rather than a password manager; it belongs with the file encryption tools below.

KeePass

Free, open source, light-weight and easy-to-use password manager

LessPass

Stateless password manager
Stop wasting your time synchronizing your encrypted vault. Remember one master password to access your passwords, anywhere, anytime, from any device. No sync needed

Lord of Passwords

One password to rule them all.
The app generates a unique hashed password for each service using masterpassword. We use our own hashing algorithm to ensure the hashed password contains the needed amount of symbols of each type. These are at least 2 numbers, 1 Latin character in upper case and 1 in lower case. If the user chooses to use special symbols, the password should also contain at least 1 special character.

Spectre / Master Password

Stateless password manager
Delete your passwords: Goodbye password managers, hello digital independence
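The three entries above (LessPass, Lord of Passwords, Spectre) all work the same way: nothing is stored, and each site password is a deterministic function of the master password and the site. The added example below, which is not the code of any of those projects, sketches such a scheme and the character-class rule the Lord of Passwords blurb describes. Two practitioner caveats it makes visible: because there is no vault, the only way to rotate a password is to bump a counter, and a single leaked site password lets an attacker brute-force the master password offline, so the derivation must use a memory-hard KDF (scrypt here) rather than a "custom hashing algorithm". The inputs, the special-character set and the salt layout are assumptions chosen for illustration.

```python
import hashlib
import string

# Character classes; the constraint mirrors the blurb above: at least 2 digits,
# 1 upper-case and 1 lower-case letter and, when requested, 1 special character.
DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"  # assumed set, not any project's


def _required_classes(special: bool) -> list:
    classes = [DIGITS, DIGITS, UPPER, LOWER]
    if special:
        classes.append(SPECIAL)
    return classes


def derive_password(master: str, site: str, login: str, *, length: int = 16,
                    counter: int = 1, special: bool = True) -> str:
    """Derive a site password deterministically from the master password.

    Same inputs, same output, so rotating a password means incrementing
    `counter`. A leaked site password exposes `master` to offline guessing,
    hence a memory-hard KDF instead of a plain hash.
    """
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    # The salt binds the derived key to site, account and counter so that one
    # site password reveals nothing about the others.
    salt = b"\x00".join([site.lower().encode(), login.encode(), str(counter).encode()])
    key = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    # Consume the 512-bit key as one big integer; each divmod below spends
    # log2(base) bits, about 310 bits in total for length == 32.
    n = int.from_bytes(key, "big")
    chars = []
    for cls in _required_classes(special):       # mandatory classes first
        n, i = divmod(n, len(cls))
        chars.append(cls[i])
    alphabet = DIGITS + UPPER + LOWER + (SPECIAL if special else "")
    while len(chars) < length:                    # fill the rest from everything
        n, i = divmod(n, len(alphabet))
        chars.append(alphabet[i])
    # Deterministic Fisher-Yates shuffle so the mandatory characters do not
    # always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        n, j = divmod(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, special: bool = True) -> bool:
    """Check the character-class rule on a generated password."""
    digits = sum(c in DIGITS for c in password)
    upper = any(c in UPPER for c in password)
    lower = any(c in LOWER for c in password)
    spec = any(c in SPECIAL for c in password)
    return digits >= 2 and upper and lower and (spec or not special)


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    pw = derive_password("correct horse battery staple", "example.com", "alice")
    print(pw, meets_policy(pw))
```

The weakness the Wikipedia passage on perception warns about applies here too: a scheme like this feels as safe as a vault, but every site password is only as strong as the master password plus the KDF cost, and there is no way to change a site password a site forces you to change except by remembering a counter per site.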


File encryption

Age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability
https://github.com/FiloSottile/age
https://age-encryption.org
https://github.com/C2SP/C2SP/blob/main/age.md

Cryptomator

The key to your data is in your hands. Cryptomator encrypts your data quickly and easily. Upload it, protected, to your favorite cloud service.
A simple tool for digital self-defense. It allows you to protect your cloud data by yourself and independently.

CryFS

Cryptographic filesystem for the cloud.

Picocrypt - abandoned

Picocrypt is a small (hence Pico), very simple, yet secure encryption tool that you can use to protect your files
It’s built with Go’s golang.org/x/crypto modules
https://github.com/HACKERALERT/Picocrypt

Tomb

A minimalistic commandline tool to manage encrypted volumes aka The Crypto Undertaker
Free and open source system for easy encryption and backup of personal files

VeraCrypt

Free open source disk encryption software for Windows, macOS and Linux. Based on TrueCrypt 7.1a.

ZboxFS

Zero-details, privacy-focused in-app file system.
Similar to EncFS, APFS and ZFS, and also to TrueCrypt, LUKS and VeraCrypt.
https://github.com/zboxfs/zbox
https://zbox.io/fs


Links

Don’t Let Google manage your passwords

By Neil J. Rubenking, posted Mar 13 2023
https://medium.com/pcmag-access/warning-dont-let-google-manage-your-passwords-6b20639daaff
Experts tell us that relying on Google Chrome (or any browser) to manage your passwords is a seriously bad idea

Curated checklist of 300+ tips for protecting digital security and privacy

https://github.com/Lissy93/personal-security-checklist

Lessons from a Professional Password Cracker

Posted September 24, 2022
https://themarkup.org/newsletter/hello-world/lessons-from-a-professional-password-cracker

What do we think about the potential criminal uses of Berty?

By Manfred Touron, posted August 25 2021
https://berty.tech/blog/liberty-vs-safety

Update your Apple devices now to patch a security flaw

By Katie Malone, posted February 14 2023
https://engadget.com/update-your-apple-devices-now-to-patch-a-security-flaw-185718120.html
According to Apple, “an app may be able to execute arbitrary code with kernel privileges,” and that with another vulnerability, “processing maliciously crafted web content may lead to arbitrary code execution,” which the company says “may have been actively exploited.”
Apple has responded to the vulnerability with updates for Safari 16.3.1, iOS 16.3.1 and iPadOS 16.3.1, and macOS 13.2.1.
“If you install Firefox (which has its own browser ‘engine’ called Gecko) or Edge (based on an underlying layer called Blink) on your Mac, those alternative browsers don’t use WebKit under the hood, and therefore won’t be vulnerable to WebKit bugs”

Data on ‘One Billion’ Chinese residents is being sold for 10 BTC

Published July 2022
https://coinmarketcap.com/alexandria/article/data-on-one-billion-chinese-residents-is-being-sold-for-10-btc
A hacker claims they’ve got their hands on 23TB of data - including the names and phone numbers of up to one billion Chinese citizens, as well as police and medical records
According to Binance’s CEO Changpeng Zhao, other sensitive information - including police and medical records - may also have been compromised
He warned this has an impact on detecting and preventing hackers from performing malicious acts, and urged exchanges to ramp up security measures
Although it’s difficult to verify whether the entire database is legitimate, cybersecurity experts have confirmed some of the records are genuine

UK: Tens of thousands of NHS patients private medical information leaked in shocking data breach

Published February 20, 2022
https://databreaches.net/uk-tens-of-thousands-of-nhs-patients-private-medical-information-leaked-in-shocking-data-breach
https://dailymail.co.uk/news/article-10531637/Tens-thousands-NHS-patients-private-medical-information-leaked-shocking-data-breach.html
The confidential files include hospital appointment letters for women who have suffered miscarriages, test results of cervical screening and letters to parents of children needing urgent surgery at Alder Hey Children’s Hospital, Liverpool
Thousands of letters were leaked in error by PSL Print Management, a Preston-based consultancy firm paid millions each year by the NHS.
The lost documents contain names, addresses, phone numbers and NHS numbers.
The information dates back as far as 2015 despite data protection laws stipulating that medical data be deleted as soon as it is no longer needed.
As the Information Commissioner’s Office last night said it had launched an investigation, data protection consultant Tim Turner said: ‘This is genuinely shocking. The NHS should be declaring a major incident’

NHS patient information in data breach by Diagnostic Health

By Michele Paduano, published 16 June 2014
https://bbc.com/news/uk-england-27864798
As many as 10,000 NHS patients may have been affected by a series of data protection breaches by a private firm.
A leaked report from the Information Commissioner’s Office (ICO) revealed patient data was stored unencrypted by Birmingham company Diagnostic Health.

Cyber attack on HSE Systems

https://tusla.ie/news/cyber-attack
https://tusla.ie/news/cyber-attack-on-hse-systems_2406

What’s going on with the HSE cyberattack?

Irish health service IT systems shut down following cyberattack
https://siliconrepublic.com/enterprise/hse-cyberattack-explainer-conti-ransomware
https://siliconrepublic.com/enterprise/hse-cyberattack-irish-health-service-it
~ May 2021
Healthcare services across the country were impacted in what was said to be the most serious cyberattack ever to hit the State’s critical infrastructure. Forced to shut down their IT systems on Friday, hospitals and other HSE services were left without access to electronic health records, causing significant disruption
Investigations into the HSE cyberattack are ongoing but what we do know so far is that Cobalt Strike Beacon, a tool that can give remote access to hackers, was found on the HSE’s IT system. This enabled attackers to move within the computer network and execute their malware. The malware unleashed by the hackers is a form of ransomware known as Conti.
Wizard Spider, an organised group of cybercriminals based in eastern Europe, is reportedly behind both the HSE cyberattack and the attempted attack on the Department of Health. This group has taken to targeting large organisations with high ransoms in recent years
Others have pointed to the dangers that overworked staff present to effective cybersecurity policies. “Given the nature of the industry, healthcare personnel are often severely time constrained, leading them to click, download and rapidly handle email, while possibly falling victim to carefully crafted social engineering-based email attacks” said Peter Carthew, director of public sector for UK and Ireland at Proofpoint
“Nearly all targeted attacks rely on human interaction to work. Educating and training workers on what to watch out for, maintaining offline backups, implementing strong password policies, and developing ransomware response playbooks are vital defences against the numerous threats facing the sector today”

How to disappear completely – Face recognition security

https://youtube.com/watch?v=LOulCAz4S0M

Linux server hardening security tips (2021 edition)

https://cyberciti.biz/tips/linux-security.html

How to secure & harden your Linux server

https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

Random Linux security hardening and other tweaks

https://vez.mrsk.me/linux-hardening.html

First things first - Harden SSH server

https://linuxbabe.com/security/harden-ssh-server

Awesome software, libraries, documents, books, resources and cools stuffs about security

https://github.com/sbilly/awesome-security

The 2-man rule is a control mechanism designed to achieve a high level of security for especially critical material or operations

Under this rule all access and actions require the presence of two authorized people at all times.
https://wikipedia.org/wiki/Two-man_rule
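In systems work the two-man rule is enforced as split knowledge: no single person holds the key material, and any two authorized holders together can reconstruct it. The added example below, which is not from the linked article, implements the simplest form of that, a 2-of-n Shamir split over GF(256): each secret byte is hidden in a line f(x) = s + a·x with a random slope, holder i receives f(i), and any two points determine f(0) = s while one point alone is uniformly random. The secret and the holder count are constructed inputs; the arithmetic uses the AES field polynomial. The caveat a practitioner would add: the rule only holds if recombination happens somewhere neither holder controls alone (an HSM or a locked-down signing host), because whoever runs combine_shares learns the whole secret.

```python
import os


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Inverse by exponentiation: a^254 == a^-1 for non-zero a in GF(256)."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, holders: int, rng=os.urandom) -> dict:
    """Split `secret` into `holders` shares; any 2 shares reconstruct it.

    Share x (1 <= x <= holders) holds f(x) = s ^ a*x for every byte s, with a
    fresh random slope a per byte. `rng` is injectable only so the example can
    be tested deterministically; use the default in real use.
    """
    if not 2 <= holders <= 255:
        raise ValueError("need between 2 and 255 holders")
    slopes = rng(len(secret))
    return {x: bytes(s ^ _gf_mul(a, x) for s, a in zip(secret, slopes))
            for x in range(1, holders + 1)}


def combine_shares(share_a: tuple, share_b: tuple) -> bytes:
    """Recover f(0) from two points (x1, y1), (x2, y2) by Lagrange interpolation.

    f(0) = y1 * x2/(x1^x2) ^ y2 * x1/(x1^x2); subtraction is XOR in GF(2^8).
    """
    (x1, y1), (x2, y2) = share_a, share_b
    if x1 == x2:
        raise ValueError("two distinct holders are required")
    d = _gf_inv(x1 ^ x2)
    l1, l2 = _gf_mul(x2, d), _gf_mul(x1, d)
    return bytes(_gf_mul(a, l1) ^ _gf_mul(b, l2) for a, b in zip(y1, y2))


if __name__ == "__main__":
    # Constructed secret for illustration only.
    secret = b"release-signing-key-passphrase"
    shares = split_secret(secret, holders=3)
    print(combine_shares((1, shares[1]), (3, shares[3])) == secret)   # True
    print(shares[2] == secret)                                        # False
```

Any pair works, so a third holder is a spare against one person being unavailable rather than a weakening of the rule; raising the threshold to k-of-n is the same construction with a degree k-1 polynomial.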

Extreme security measures for the extra paranoid

Someone with serious tools is trying to pry open your digital secrets. Don’t let them.
The best way not to get your computer hacked? Don’t connect it to any other computer, a practice known as air-gapping.
If you truly don’t want to be tracked, turning off your phone helps some. But security experts have warned for years that sophisticated malware can track or use a phone for audio surveillance even when you think it’s powered down, likely by spoofing its “off” state while continuing to leave key functions running. Pulling out a phone’s battery can thwart that eavesdropping. But for the iPhone and other mobile devices without easily removable batteries, the supremely cautious rely on Faraday cages or bags.
If sophisticated spies want to hear your conversations, they may not need a bug in your office or home. Instead, they can use a tool known as a laser microphone, which bounces an invisible infrared laser off of a window and back to a light sensor. Laser eavesdropping could potentially be foiled by closing heavy curtains or playing loud music while having a private conversation.
Hackers can steal your passwords with malware, or by breaching the servers of the services you use. But they can also just watch over your shoulder as you type them in. And in cases where you think you might be under targeted video surveillance, it’s worth considering a silly-sounding but significant protection: a literal security blanket. By covering your head and hands, you can type in sensitive passwords without fear that a surveillance camera is watching over your shoulder.
https://wired.com/story/extreme-security-measures

Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us

By Dan Goodin, posted 7/26/2022
https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls
Turns out they’re not all that rare. We just don’t know how to find them.

New Symbiote malware infects all running processes on Linux systems

By Bill Toulas, posted June 9, 2022
https://bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems
A newly discovered Linux malware known as Symbiote infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access.
