vocalounge.cafe is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon instance specializing in Vocaloid, UTAU, and anything relevant to vocalsynth culture.

Administered by:

Server stats:

37
active users

#identification

0 posts0 participants0 posts today
Replied in thread

@fifonetworks : it's a taboo. Nobody really wants to accept that infosec is extremely hard, and most are in denial that they're at bigger risks than they think they are.

We (security people) often come up with a bunch of measures without explaining why they are a good idea, what side effects they have and which risks are not covered at all.

Here's one example: "use 2FA".

🔸 WEAK MFA
• Why use 2FA/MFA in the first place? Because most people use (and reuse) extremely weak passwords. 2FA does not _SOLVE_ *that* problem.

• SMS and voice are a bad idea anyway because of the risks of telephone "line" interception, call redirects or "SIM-swaps" (i.e. a miscreant hijacks your phone number).

• Many TOTP apps suck or sucked (see usenix.org/conference/usenixse by Conor Gilsenan
@conorgil et al. in infosec.exchange/@conorgil/109). A *lot* of people lost access to their accounts because Google Authenticator would not make backups of the underlying secrets, which people found out about after their phone died or was stolen. Authy in particular is bad (in Dutch: tweakers.net/nieuws/207532/#r_).

Effectively TOTP apps make people use a second password (unique for each website-account) that, supposedly, they do not have to remember, nor are they made aware that therefore (secure!) backups are a necessity. If those secrets are simply stored in their cloud-accounts, without encryption using an *independent* password, then they offer an extremy overestimated level of protection (it's mostly security by obscurity in such a case).

• None of the regular 2FA/MFA solutions protect against "evil proxies" (like those based on EvilGinx2) often provided by PhaaS (Phishing as a service) providers, used by a rapidly increasing number of attackers - as acknowledged by Microsoft in 2019 (link + details in infosec.exchange/@ErikvanStrat - whose marketeers, IMO misleading, still love to tell anyone that they should use Microsoft Authenticator).

🔸 STRONG MFA
Strong MFA (such as provided by passkeys and hardware keys) eliminates the *human* vulnerability of not knowing whether a given domain name belongs to the apparent (easily impersonated) owner of a website.

However, an increasing number of mis-issued certificates (this week, for potentially all of the .mobi TLD: arstechnica.com/security/2024/; some earlier attacks: infosec.exchange/@ErikvanStrat) means that passkeys and hardware keys are *not* as phishing-resistant as marketeers like us to believe.

That apart from the fact that passkeys and hardware keys are *not at all* without other issues.

🔸 PHISHING
There are roughly two types of phishing:

1) Where the user shares information with a website of an owner they believe to have interacted with before, or

2) Where they share personal info with, and/or pay money to, a website of an owner who is "new" to them (like a webshop that they've never done business with before).

Of course, 2FA/MFA do not help at all in case 2 (example in infosec.exchange/@ErikvanStrat).

IMO it is impossible to teach most people to reliably distinguish between fake and real on the internet (this is not only *my* opinion: security.googleblog.com/2024/0).

The common "instructions" to distinguish between fake an real websites are totaly unreliable, like "check for typos" or use a site like scamadvisor. There are way too many false positives *and* false negatives, while cybercriminals have an easy job to evade all such criteria. It should not be a requirement to be a forensics expert to safely use the internet.

🔸 INTERNET IS TOO INSECURE
We need to fix the internet first before we bother people with (currently unreliable) measures (typically without pointing out remaining or new risks).

🔸 FIX
Big tech have turned certificates into something comparable to passports that only show a totally meaningless SSN (Social Security Number). Which is why cybercrime is booming on the internet (for example, look at the approx. 1500 domain names listed below "Website data" in scamadviser.com/check-website/).

Fix: see infosec.exchange/@ErikvanStrat.

🔸 EXAMPLE
See the images below. When tapping "Scan", Chrome on my Android phone goes full screen and scans C:\Users\ (among others). Eventually it advised me to download "t4gf8h.zip" (virustotal.com/gui/file/0858ec).

🔸 FAKE VS REAL (AUTHENTIC)
Even strong MFA/2FA does not help. How are (non-nerd) Windows users supposed to know that this is *NOT* a McAfee website and *NOT* a McAfee virus scanner, with currently (according to VT, which may not be 100% correct, but -in my experience- provides a good indication) is detected by only 7/67 scanners?

In security.nl/posting/852814/DV+ schreef ik (in het Nederlands) waarom het internet één grote criminele bende is geworden, refererend naar een eerdere serie (van 3) Engelstalige toots van mijn hand (infosec.exchange/@ErikvanStrat).

In de tweede helft van security.nl/posting/852741 beschrijf ik een oplossing voor een deel van het probleem: dat websites, omwille van winstbejag van Big Tech, tot *eenheidsworst* zijn gemaakt.

Als bezoeker kunt u namelijk *nergens* meer uit opmaken of een website authentiek is, of dat er sprake is van inpersonatie van de echte website - door cybercriminelen.

Dat wordt veroorzaakt door browsermakers en certificaatuitgevers die alle mogelijke moeite hebben gedaan om u de informatie te onthouden *WIE* VERANTWOORDELIJK is voor een website (de domeinnaam daarvan om precies te zijn, die u ziet in de adresbalk van uw browser).

De *suggestie* van Big Tech dat het voor *u* goed genoeg is als u weet wat de domeinnaam is van een website, is absurd.

Dat is, in de praktijk, totale onzin omdat mensen uiterst slecht zijn in het exact (noodzakelijkerwijs 100% foutloos) kunnen herkennen van *volledige* domeinnamen - en eenvoudig gefopt kunnen worden (zelfs als zij begrijpen waar zij op moeten letten en hoe domeinnamen zijn opgebouwd).

Bij voor mensen nieuwe websites (zoals van een gegooglde loodgieter of een sandalenwebshop) zegt een domeinnaam meestal ofwel niets *betrouwbaars* over wie de eigenaar is, of is pure misleiding - terwijl elke pagina van de website zelf hartstikke nep kan zijn.

Kom in opstand tegen de geldwolven op internet!

www.security.nlDV certs: de maat is vol - Security.NL
Continued thread

🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒
🧵#3/3

Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!

2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: blogs.infoblox.com/threat-inte (src: bleepingcomputer.com/news/secu)

2024-07-23 Let's Encrypt mis-issued 34 certificates,revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots

2023-11-03 jabber.ru MitMed/AitMed in German hosting center notes.valdikss.org.ru/jabber.r

2023-11-01 KlaySwap en Celer Bridge BGP-hijacks described certik.com/resources/blog/1NHv

2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks blog.lacnic.net/en/routing/a-b

2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate arstechnica.com/information-te

2022-09-09 Celer Bridge incident analysis coinbase.com/en-nl/blog/celer-

2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack bankinfosecurity.com/crypto-ex

🌘BACKGROUND INFO🌒
2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites
(Dan Goodin - Aug 1, 2024) arstechnica.com/security/2024/

2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" usenix.org/conference/usenixse

Infoblox Blog · Who Knew? Domain Hijacking is So Easy | InfobloxLearn about the insidious DNS attack vector that threat actors are using to hijack domains from major brands, government institutions, and other organizations, large and small. Find out how to determine whether your domain name is at risk.
#DV#LE#LetsEncrypt

🌘DV-CERT MIS-ISSUANCES & OCSP ENDING🌒
🧵#1/3

On Jul 23, 2024, Josh Aas of Let's Encrypt wrote, while his nose was growing rapidly:

<<< Intent to End OCSP Service
[...]
We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet.
[...]
CRLs do not have this issue. >>>
letsencrypt.org/2024/07/23/rep

🚨 On THAT SAME DAY, Jul 23, 2024, LE (Let's Encrypt) issued at least 34 certs (certificates) for [*.]dydx.exchange to cybercriminals, of which LE revoked 27 mis-issued certs approximately 6.5 hours later.

Note that falsified DNS records may instruct DNS caching servers to retain entries for a long time; therefore speedy revocation helps reducing the number of victims.

Apart from this mis-issuance *blunder*, CRL's have HUGE issues that Josh does not mention: they are SSSLLLOOOWWW and files are potentially huge - while OCSP is instantaneous and uses little bandwith.

🌘NO OCSP INCREASES INTERNET RISKS🌒
If LE quits OCSP support, the average risk of using the internet will *increase*.

🌘LIES🌒
Furthermore, the privacy argument is mostly moot, as nearly every website makes people's browsers connect to domains owned by Google (and even let's those browsers execute Javascript from third party servers, allowing nearly unlimited espionage). In addition, IP-addresses are sent in the plain anyway (📎).

(📎 When using a VPN, source and destination IP-addresses *within the tunnel* are not visible for anyone with access to the *outside* of the tunnel - but they are sent in the plain between the end of the tunnel and the actual server.)

Worse, the remote endpoint of your E2EE https connection increasingly often is *not* the actual server (that website was moved to sombody else's server in the cloud anyway), but a CDN proxy server which has the ability to monitor everything you do (unencrypting your data: three letter agencies love it, FISA section 702 grants them unlimmited access - without anyone informing you).

🤷 LE may try to blame others for their mis-issuance blunder, but *THEY* chose to use old, notoriously untrustworthy, internet protocols (BGP and DNS, including database records - that DNSSEC will never protect) as the basis for authentication. By making that choice, LE and other DV cert suppliers were simply ASKING for trouble.

🔓 In fact, the promise that Let's Encrypt would make the internet safer was misleading from the start: domain names are mostly meaningless to users, 100% fault intolerant, unpredictable and easily forgotten. If your browser is communicating with a malicious server, encryption is pointless.

Josh, stop lying to us; your motives are purely economical.

🌘CORRUPT: BIG TECH FACILITATES CRIME🌒
DV-certs were heavily promoted by Google (not for phun but for profit) after their researchers "proved" that it was possible to show misleasing identification information in the browser's address bar after certificate mis-issuance (the "Stripe, Inc" incident, arstechnica.com/information-te).

This message was repeated by many specialists (e.g. troyhunt.com/paypals-beautiful) with stupid arguments: certificates do NOT directly warrant reliable websites.

OV and EV certificates, and QWAC's, more or less reliably, warrant *WHO OWNS* a domain name. That means that users know *who* they're doing business with, can depend on their reputation and can sue them if they violate laws.

"Of course" Google recently lost trust in Entrust for mis-issuing certificates (security.googleblog.com/2024/0).

Meanwhile the internet has become a corrupt and criminal mess; its users get to see misleading identification info in their browser's address bar WAY MORE OFTEN, e.g. https:⁄⁄us–usps–ny.com (for loads of examples see virustotal.com/gui/ip-address/; tap ••• a couple of times).

Supporting DN's like "ing–movil.com" and "m–santander.de" *is* facilitating cybercrime, by repeatedly mis-issuing certs for them (see crt.sh/?q=ing-movil.com and crt.sh/?q=m-santander.de) and by letting them hide behind a CDN (see virustotal.com/gui/domain/ing- and virustotal.com/gui/domain/m-sa).

In addition, *thousands* of DV-certs have been mis-issued - without *their* issuers getting distrusted by Google, Microsoft, Apple and Mozilla.

People have their bank accounts drained and companies get slammed with ransomware because of this.

But no Big Tech company (including the likes of Cloudflare) takes ANY responsibility; they make Big Money by facilitating cybercrime. Not by issuing "free" DV-certs, but by selling domain names, server space and CDN functionality, and by letting browsers no longer distinguish between useful and useless certs. They've deliberately made the internet insecure *FOR PROFIT*.

🌘CERT MIS-ISSUANCE ROOT CAUSE🌒
The mis-issuance of LE certs was caused by the unauthorized modification of customer DNS records managed by SquareSpace; this incident was further described in bleepingcomputer.com/news/secu.

Note that a similar attack, also affecting SquareSpace customers, occurred on July 11, 2024 (see bleepingcomputer.com/news/secu). Even if it *looks like* that no certs were mis-issued during the July 11 incident, because (AFAIK) none of them have been revoked, this does not warrant that none of them were mis-issued; such certs can still be abused by attackers, albeit on a smaller scale.

🌘MORE INFO🌒
Please find additional information in two followups of this toot:

🧵#2/3 Extensive details regarding Mis-issued dydx.exchange certs on 2024-07-23;

🧵#3/3 Links to descriptions of multiple other DV-cert mis-issuance issues.

🌘DISCLAIMER🌒
I am not (and have never been) associated with any certificate supplier. My goal is to obtain a safer internet, in particular for users who are not forensic experts. It is *way* too hard for ordinary internet users to destinguish between 'fake' and 'authentic' on the internet. Something that, IMO, can an must significantly improve ASAP.

Edited 08:16 UTC to add people:
@troyhunt
@dangoodin
@BleepingComputer
@agl

letsencrypt.org Intent to End OCSP Service - Let's Encrypt Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible. OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP. Let’s Encrypt has been providing an OCSP responder since our launch nearly ten years ago. We added support for CRLs in 2022. Websites and people who visit them will not be affected by this change, but some non-browser software might be.
#DV#LE#LetsEncrypt

"Starting this year, the Washington Department of Licensing will offer a one-time original or renewed state ID card at no cost for those who are homeless and expected to live in Washington.....

Those who are homeless and seeking a free ID card can arrive at a driver’s licensing office with or without an appointment. If the person had a Washington driver’s license or ID in the past, employees can locate their record in the DOL system. No other documentation is needed.

People seeking identification will need a current mailing address, which could be a shelter, community organization or a church. Or they can request to pick up the ID directly from the licensing office.

If the person has never had a Washington ID, they will need a document showing proof of identity. If they don’t have one, DOL recommends they visit a licensing office to speak with a supervisor."

#WashingtonState #Identification

seattletimes.com/seattle-news/

The Seattle TimesFree ID cards now available for homeless people in WAThe Department of Licensing will offer a one-time original or renewed state ID card at no cost for those who are homeless and expected to continue living in Washington.