Tag: internet
-
The double-edged sword of ECH
Definition: ECH: Encrypted Client Hello
Encrypted Client Hello (ECH) is a successor to ESNI and masks the Server Name Indication (SNI) that is used to negotiate a TLS handshake. This means that whenever a user visits a website that has ECH enabled, no one except for the user and the website owner can determine which…
-
Google Chrome and privacy – opposing forces?
Audio transcription
The Google Chrome browser was first released in Sep 2008 as an alternative to rival browsers, to “address perceived shortcomings in those browsers and to support complex web applications”. Google also wanted a browser that could better integrate with its own web services and technologies. That last statement speaks to the heart of…
-
Plex Discover: a lesson in privacy
Audio transcript
It’s a common refrain: my data isn’t important so I don’t need to protect it, I’m unimportant so my information doesn’t matter … There’s recently been some horror stories of overly ‘ambitious’ policing of internet-related activities. Like the father who sent pictures of his son with a developing issue to their doctor for…
-
PKI, processes and security
Audio transcript
PKI, or Public Key Infrastructure, is the general term used for establishing and managing public key encryption, one of the most common forms of internet encryption. It is baked into every web browser (and many other applications) in use today to secure traffic across the public internet, but organizations can also deploy it…
-
KeePassXC – a review
Password managers have seen a new focus (both good and bad) over the last couple of years especially in mainstream news and media. With security folk like Rachel Tobac and Shannon Morse pushing the security mantra (in a relatable way), a lot more people are seeing the light so-to-say and coming around to the fact…
-
The trouble with SPAM
The queries I’ve been getting lately requesting checks on whether a particular email is spam or not have been enlightening. It’s clear there’s a problem. Somewhere. Email users are not seeing the “wood for the trees” no matter the fact that spam has been an entrenched part of our lives for a couple of decades…
-
SSL/TLS Certificate lifetime
The SSL/TLS certificate revocation system (CRL and OCSP) is broken. This is a fact known for a long time by the whole certificate industry. Long-lived certificates that have issues (e.g. a certificate that was fraudulently issued) hang around on the Internet for extended periods (currently up to 3 years), potentially causing security and authenticity issues.…
-
Browser Security
Browser technology and security events always make for interesting reading especially due to the fact that we do the majority of our online work these days through browsers, be it general web surfing, accessing enterprise apps or managing systems and devices. Browser features and security are therefore critical – this shouldn’t even need to be…
-
A lesson in supply chain attacks
What happens when the websites we visit and the companies we depend on to provide us with information are compromised? Supply chain attacks go to the root of the information we depend on rather than attacking us directly. A recent attack on the Asus infrastructure paints the exact scenario for supply chain attacks. Attackers compromised an…
-
VPNFilter and other neat tricks
The Spectre and Meltdown attacks that came to light at the beginning of the year have been the main focus of this year’s security issues however there has been a lot more going on than that. On that note though, additional Spectre variations have been found (we’re up to v4 now); as well, the BSD…
-
South African Security (Fails)
It’s been a while since my last post but recent events in SA around security have prompted me to write this post. It starts with an open website containing what is now believed to be upwards of 70 million entries for names, ID numbers, income, addresses and other information on South African citizens/residents including possibly…
-
The NSA and Ransomware. Oh and a bit of HPE on the side.
If ever there was a perfect example of stupidity, the new highly virulent strain of WanaCrypt ransomware that is currently spreading like wildfire, is it. And that stupidity is care of the NSA; who in their infinite wisdom, wrote exploits based on 0-day vulnerabilities that should have been reported to the relevant vendors, but was…
-
Password Managers
The current mainstream method of authenticating to applications and systems remains a difficult prospect for most people. Password re-use is not a good idea, but remembering a separate password for each system is not feasible. Biometrics and two-factor authentication are great solutions but not available in all circumstances, and typically the 1st factor is still a…
-
Your TV is being creepy
Of all the points of electronic insecurity one deals with every day, your TV is probably the last you’d expect. Not so, because Vizio has been caught spying on its customers – through approximately 11 million smart TVs in the US and since 2014. These TVs have automatically tracked consumers’ viewing habits and sent that data…
-
Fake news and false information
We live in the information age and information is arguably the most important form of currency now and we’re bombarded with it 24×365. A never ending stream of information, news and data fed through channels like Facebook, YouTube, Twitter and Instagram. And it’s this overload of information that can lead to bad decisions and behaviour.…