
The entirely predictable problems with the Vulnonym naming scheme
An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.
A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.
Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and transfer those secrets.
Plan for the day your password manager stops working. Backing up your password manager is harder than it sounds.
systemd directives
OpenSMTPD recently had a critical remote code execution vulnerability. I look at how you can limit impact with systemd-service security directives.
Last week was a busy week for email issues. Here’s what happened and why you got an empty blog newsletter this week.
systemd service sandboxing and security hardening 101
The systemd-analyze security command gives your systemd service units an automated security rating. This is a good starting point for security hardening.
A comparison of features, security, performance, and limitations of Firefox browser running in isolated sandboxes provided by Flatpak vs. Snap.
window.open() features
Windows opened from your website can redirect the opening tab to a new destination. Mitigations break window.open() functionality like sizing and positioning.
A quick tutorial for migrating from FirewallD and getting started with the Uncomplicated Firewall (UFW).
My aging PC’s processor didn’t support a new Windows 10 security feature, enabled by default, causing it to become slow and unstable.
The recall of the Feitian MultiPass FIDO security key demonstrates why you always should use multiple security key products from different vendors.
A case study in how timely Firefox-derived web browsers ship critical security updates.
VPN providers are good advertisers and also pay good money to make even [formerly] reputable tech media websites “recommend” their services.
Comparison review of the two secure PGP-oriented email providers ProtonMail vs Mailbox.org. A huge price discrepancy for the same service.
Here are 6 services where you can report malware websites and phishing emails to help make the internet a safer place for everyone.
Secure app-sandboxing makes Steam distributed via Flatpak for Linux a more secure gaming environment than macOS and Windows 10.
Any HTTP Content-Security-Policy blocks the default <audio>/<video> controls in Safari unless you deliberately make it less secure.
Ctrl blog was inaccessible in Turkey for five days as the country blocks the BunnyCDN content delivery network.
A Windows 10 security feature blocks WebP image files from loading in Microsoft Edge and modern apps.
A misapplied DNS CAA record blocked Certbot from obtaining a Let’s Encrypt certificate for my domain name.
How to use U2F security keys with Firefox and Google’s Advanced Account Protection.
Resolve a common DNS over TLS configuration mistake in the Unbound DNS server that makes you vulnerable to attacker-in-the-middle resolver interceptions.
Lenovo Wi-Fi Security sends information about your device and the networks it joins to an Israeli company called Coronet Cyber Security. But is it any good?
Do affiliate commissions make a difference in how PCMag ranks VPN providers?
Many VPNs require you to install their root certificates to use their service. This also enables them to intercept your encrypted web traffic.
Bugs in the Windows Settings app cause problems when setting up VPN connections with IKEv2 EAP authentication profiles.
I found several privacy and security issues with the Vilfo VPN router during my week-long review.
Here’s why I stopped using LastPass and moved all my passwords and notes to the open-source Bitwarden password manager instead.
The LastPass password manager has discontinued support for one of Firefox for Android’s most popular extensions.
Firefox and Safari already integrate with the Google Safe Browsing fraud/malware protection service. Should they also adopt its new bad-ads blocking system?
How to change the language and keyboard layout used in the BitLocker Device Encryption pre-boot environment.
Adjust the default SELinux policies in CentOS and Fedora to not block the Apache HTTPD Server from OCSP stapling TLS certificates.
Two popular VPS providers no longer modify their Fedora images to disable the SELinux security feature by default.
Take some precautions, have a backup plan, and you can leave your Windows partition encrypted alongside a Linux distribution with secure boot enabled.
The Lenovo Companion app is supposed to keep your device’s drivers and firmware up-to-date. However, it won’t update your Lenovo PC’s TPM firmware.
Twitter-to-email-newsletter service Topical exposes its users’ subscriptions and interests through poor security practices.
Whether you get updated drivers for your TP-Link product or not depends on what country you’re checking from.
The new cost-free service sends you email notifications before your HTTPS certificates expire.
Protect your WordPress install against brute-force password guessing with SSHGuard.
New features and services in SSH brute-force protection utility SSHGuard version 2.1.
The SpiderOak ONE backup service is better than their client software. Good security and privacy protections but tough to use.
SSLPing can keep an eye on the health of your TLS certificates and email you before they expire.
Report Windows SmartScreen false-positives to Microsoft when the security suite gets your software wrong.
Let’s Encrypt has made it really easy to obtain TLS certificates. Here is how to block the service from issuing certificates for your domains.
I discovered a security vulnerability (CVE-2017-9604) in KMail while trying to delay sending of a PGP-encrypted private email.
Set up unattended auto-updates on Fedora Server or Workstation using dnf-automatic.
Stop using your old iOS devices when they no longer receive security updates. There are over 50 known security issues with iOS 9.3.5 to date!
A “security feature” on my network router began blocking all downloads through Steam.
How do you know how long devices will receive software updates? Clearly labeled expiration dates on packaging may be the answer.
A deep look at the ASUSWRT router firmware.
Add DNS CAA records for your domains to block unauthorized certificate authorities (CAs) from issuing certificates for your domain names.
Configure Firefox to check for extension updates more often than once per day.
Protect your Fedora/CentOS Linux system against SSH brute-force credential-guessing with SSHGuard and FirewallD.
New features and services in SSH brute-force protection utility SSHGuard version 2.0.
Learn how to log in to and take control of Windows 10’s new SSH Server.
All the steps needed for running periodic malware scans on your Fedora installation. Recommended for Fedora Server setups!
All the leading web browsers protect you against web fraud and websites known to distribute malware. You don’t get this protection with the smaller browsers.
Windows Backup doesn’t support encrypted backups in itself. However, you can still get encrypted backups using built-in tools in Windows 10.
IPv6-capable websites can break the website security information displayed in the Netcraft anti-phishing toolbar for Firefox and Chrome.
Tutorial demonstrating how to validate code signing certificate signatures on macOS updates and other Apple software installers.
The popular SSH server brute-force login guessing protection utility Fail2Ban has finally added IPv6 support.
Protect your WordPress installation against bots probing for known WordPress core and plugin security vulnerabilities.
403 Forbidden requests with Fail2Ban
Protect yourself against repeated users and bots who don’t get the hint the first couple of times your web server responds with HTTP 403 Forbidden.
Reduce brute-force password guessing and scripted attacks on your SSH service running on a Fedora Server by changing away from the default SSH port number.
Who needs a Tor-enabled Wi-Fi access-point, anyway?
My early experiences obtaining HTTPS certificates from Let’s Encrypt.
Patreon leaked customer email addresses and Bitcoin extortion spammers got hold of the leaked database.
Grindr doesn’t use HTTPS encryption, allowing network operators and attacker-in-the-middle (AITM) attackers to intercept private pics in the app.
Windows 10 introduces a new feature that freely shares all your Wi-Fi passwords with your Outlook, Skype, and Facebook contacts.
Microsoft got trashed by the security community for failing to deploy a firewall by default in Windows. Why are Apple products not given the same scrutiny?
An Android competitor has much better security and privacy tools than the original Android from Google.
I’ve re-reviewed the TLS configurations of Norwegian banks in light of the attention my last review got.
Windows has become your password manager, but it also syncs all your credentials to Microsoft. Should you trust it with the keys to your digital kingdom?
You shouldn’t use a Windows Administrative account for your everyday use. Set up one basic and one admin account to increase security.
I’ve reviewed the TLS configuration security of Norwegian banks. Many don’t follow best security practices.