Ctrl blog

The entirely predictable problems with the Vulnonym naming scheme

An automated naming scheme intended to rid the security research field of “sensational names” predictably creates sensational, ambiguous, and suggestive names.

TeamViewer RPM repo left door open for malicious packages

A configuration error made the TeamViewer RPM repository vulnerable to an attacker-in-the-middle substituting TeamViewer with its own GPG keys and software.

Google Authenticator enables device-transfers, but no export options

Two-factor authentication requires users to commit to storing a secret code indefinitely. Popular apps lack tools to back up and data transfer those secrets.

How to back up your password manager

Plan for the day your password manager stops working. Backing up your password manager is harder that it sounds.

Limit the impact of a security intrusion with systemd directives

OpenSMTPD recently had a critical remote code execution vulnerability. I look at how you can limit impact with systemd-service security directives.

Email politics, security, and why you got an empty newsletter

Last week was a busy week for email issues. Here’s what happened and why you got an empty blog newsletter this week.

systemd service sandboxing and security hardening 101

The systemd-analyze security command gives your systemd service units an automated security rating. This is a good starting point for security hardening.

Firefox contained in Flatpak vs Snap comparison

A comparison of features, security, performance, and limitations of Firefox browser running in isolated sandboxes provided by Flatpak vs. Snap.

Mitigate “tabnabbing” without breaking window.open() features

Windows opened from your website can redirect the opening tab to a new destination. Mitigations break window.open() functionality like sizing and positioning.

How to switch firewalls from FirewallD to UFW

A quick tutorial for migrating from FirewallD and getting started with the Uncomplicated Firewall (UFW).

Why my 7-year old Windows 10 laptop became unbearably slow

My aging PC’s processor didn’t support a new Windows 10 security feature, enabled by default, causing it to become slow and unstable.

Feitian MultiPass recall highlights need to use multiple security keys

The recall of the Feitian MultiPass FIDO security key demonstrates why you always should use multiple security key products from different vendors.

How quickly do Firefox derived browsers receive security updates

A case study in how timely Firefox derived web browsers ship critical security updates.

What’s with the tech media’s obsession with VPN services

VPN providers are good advertisers and also pay good money to make even [formerly] reputable tech media websites “recommend” their services.

ProtonMail vs Mailbox.org comparison

Comparison review of the two secure PGP-oriented email providers ProtonMail vs Mailbox.org. A huge price discrepancy for the same service.

6 places to report phishing emails and websites

Here are 6 services you can report malware websites and phishing emails to help make the internet a safer place for everyone.

Steam for Linux is more secure than on macOS and Win32

Secure app-sandboxing makes Steam distributed via Flatpak for Linux a more secure gaming environment than macOS and Windows 10.

Safari’s default media controls get blocked when CSP is applied

Any HTTP Content-Security-Policy blocks the default <audio>/<video> controls in Safari unless you deliberately make it less secure.

Turkey blocks BunnyCDN; Ctrl blog and 14 000 websites inaccessible

Ctrl blog was inaccessible in Turkey for five days as the country blocks the BunnyCDN content delivery network.

WebP images won’t load in Microsoft Edge with Application Guard

A Windows 10 security feature blocks WebP image files from loading in Microsoft Edge and modern apps.

How I blocked myself from obtaining a Let’s Encrypt TLS certificates

A misapplied DNS CAA record blocked Certbot from obtaining a Let’s Encrypt certificate for my domain name.

Firefox, Security Keys, U2F, and Google Advanced Protection

How to use U2F security keys with Firefox and Google’s Advanced Account Protection.

Actually secure DNS over TLS in Unbound

Resolve a common DNS over TLS configuration mistake in the Unbound DNS server that makes you vulnerable to attacker-in-the-middle resolver interceptions.

What is Lenovo Wi-Fi Security and should you enable or ignore it?

Lenovo Wi-Fi Security sends information about your device and the networks it joins to an Isreali company called Coronet Cyber Security. But is it any good?

PCMag’s VPN review-ratings compared to sales commissions"

Do affiliate commissions make a difference in how PCMag rank VPN providers?

VPN root certificates leaves you more vulnerable to snooping

Many VPNs require you to install their root certificates to use their service. This also enables them to intercept your encrypted web traffic.

How to work around the IKEv2 EAP authentication issue in Windows 10

Bugs in the Windows Settings app cause problem when setting up VPN connections with IKEv2 EAP authentication profiles.

Vilfo review: Not designed for security or privacy – Part 3:4

I found several privacy and security issues with the Vilfo VPN router during my week-long review.

Why I migrated from LastPass to Bitwarden

Here’s why I stopped using LastPass and moved all my passwords and notes to the open-source Bitwarden password manager instead.

LastPass quietly deprecates Firefox for Android extension

The LastPass password manager has discontinued support for one of Firefox for Android’s most popular extensions.

Should web browsers adopt Google’s new selective ad-blocking tech?

Firefox and Safari already integrate with the Google Safe Browsing fraud/malware protection service. Should they also adopt its new bad-ads blocking system?

How to change BitLocker boot-screen language and keyboard layout

How to change the language and keyboard layout used in the BitLocker Device Encryption pre-boot environment.

Allow OCSP stapling in Apache Web Server with SELinux policies

Adjust the default SELinux policies in CentOS and Fedora to not block the Apache HTTPD Server from OCSP stapling TLS certificates.

Linode and Vultr no longer disables SELinux in Fedora Server

Two popular VPS providers no longer modify their Fedora images to disable the SELinux security feature by default.

Dual-booting Linux with BitLocker Device Encryption and Secure Boot

Take some precautions, have a backup plan, and you can leave your Windows partition encrypted alongside a Linux distribution with secure boot enabled.

Lenovo Companion app doesn’t notify you about TPM firmware updates

The Lenovo Companion app is supposed to keep your device’s drivers and firmware up-to-date. However, it won’t update your Lenovo PC’s TPM firmware.

Topical leaks users’ email addresses and interests

Twitter-to-email-newsletter service Topical exposes its users’ subscriptions and interests through poor security practices.

TP-Link serves outdated firmware on ⅓ of its European websites

Whether you get updated drivers for your TP-Link product or not depends on what country you’re checking from.

First impressions of KeyChest – A TLS certificate expiration tracker

The new cost-free service sends you email notifications before your HTTPS certificates expire.

Tutorial: WordPress brute-force login protection with SSHGuard

Protect your WordPress install against brute-force password guessing with SSHGuard.

What’s new in SSHGuard 2.1

New features and services in SSH brute-force protection utility SSHGuard version 2.1.

SpiderOak ONE review: Okay backup service, clunky software

The SpiderOak ONE backup service is better than their client software. Good security and privacy protections but tough to use.

Keep an eye on your certificates with SSLPing

SSLPing can keep an eye on the health of your TLS certificates and email you before they expire.

How to report a false-positive in Microsoft SmartScreen

Report Windows SmartScreen false-positives to Microsoft when the security suite gets your software wrong.

How to prevent Let’s Encrypt from issuing certificates for your domain

Let’s Encrypt has made it really easy to obtain TLS certificates. Here is how to block the service from issuing certificates for your domains.

KMail’s Send Later sent PGP encrypted emails in plain-text

I discovered a security vulnerability (CVE-2017-9604) in KMail while trying to delay sending of a PGP-encrypted private email.

How to get Fedora to take care of its own updates

Set up unattended auto-updates on Fedora Server or Workstation using dnf-automattic.

50+ unpatched security vulnerabilities in A5-generation iOS devices

Stop using your old iOS devices when they no longer receive security updates. There are over 50 known security issues with iOS 9.3.5 to date!

Trend Micro router security feature broke Steam

A “security feature” on my network router began blocking all downloads through Steam.

Internet connected devices should be sold with best before dates

How do you know how long devices will receive software updates? Clearly labeled expiration dates on packaging may be the answer.

Review: ASUSWRT router firmware

A deep look at the ASUSWRT router firmware.

Stop CAs from misissuing certificates for your domains with CAA

Add DNS CAA records for your domains to block unauthorized certificate authorities (CAs) from issuing certificates for your domain names.

How to get Firefox to check for extension updates more often

Configure Firefox to check for extension updates more often than once per day.

How to protect SSH remote login in Fedora with SSHGuard and FirewallD

Protect your Fedora/CentOS Linux-system against SSH brute-force credential-guessing with SSHGuard and FirewallD.

What’s new in SSHGuard 2.0

New features and services in SSH brute-force protection utility SSHGuard version 2.0.

How to enable, login to, or disable Microsoft SSH Server in Windows 10

Learn how to log in to and take control of Windows 10’s new SSH Server.

How to set up ClamAV to periodically scan for badware on Fedora Linux

All the steps needed for running periodic malware scans on your Fedora installation. Recommended for Fedora Server setups!

Most of alternate web browsers don’t have fraud and malware protection

All the leading web browsers protect you against web fraud and websites known to distribute malware. You don’t get this protection with the smaller browsers.

How to encrypt backups using Windows 10’s built-in tools

Windows Backup doesn’t support encrypted backups in itself. However, you can still get encrypted backups using built-in tools in Windows 10.

Netcraft anti-phishing toolbar breaks on IPv6 enabled networks

IPv6-capable websites can break the website security information displayed in the Netcraft anti-phishing toolbar for Firefox and Chrome.

How to verify that you’ve downloaded genuine Apple software

Tutorial demonstrating how to validate code signing certificate signatures on macOS updates and other Apple software installers.

IPv6 support finally arrive in Fail2Ban 0.10

The popular SSH server brute-force login guessing protection utility Fail2Ban has finally added IPv6 support.

How to block common WordPress vulnerability probes

Protect your WordPress installation against bots probing for known WordPress core and plugin security vulnerabilities.

Block repeated 403 Forbidden requests with Fail2Ban

Protect yourself against repeated users and bots who don’t get the hint the first couple of times your web server responds with HTTP 403 Forbidden.

Change the default SSH port in Fedora

Reduce brute-force password guessing and scripted attacks on your SSH service running on a Fedora Server by changing away from the default SSH port number.

InvizBox review: Tor anonymity in a box

How needs a Tor-enabled Wi-Fi access-point, anyway?

My experience with Let’s Encrypt

My early-experiences obtaining HTTPS certificates from Let’s Encrypt.

Leaked Patreon data used to extort Bitcoins from affected users

Patreon leaked customer email addresses and Bitcoin extortion spammers got hold of the leaked database.

Photos on the gay dating app Grindr are by no means private

Grindr doesn’t use HTTPS-encryption allowing network operators and attacker-in-the-middle (AITM) attackers to intercept private pics in the app.

Wi-Fi Sense in Windows 10 to reduce users’ network security

Windows 10 introduces a new feature that freely shares all your Wi-Fi passwords with your Outlook, Skype, and Facebook contacts.

It’s high time Apple enabled the OS X firewall by default

Microsoft got trashed by the security community for failing to deploy a firewall by default in Windows. Why are Apple products not given the same scrutiny?

CyanogenMod’s one big advantage over stock Android

An Android competitor has much better security and privacy tools than the original Android from Google.

Do you trust Microsoft with all your passwords?

Windows has become your password manager, but it also syncs all your credentials to Microsoft. Should you trust it with the keys to your digital kingdom?