W̷a̷w̷a̷S̷e̷b̷ @wawa@nanao.cybtex.fr

Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.

The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵

#Privacy #Cybersecurity #InfoSec #2FA #Google #Security

Don't forget to use @misp feed overlap matrix. It's a quick way to spot the overlapping/similar feeds from different sources such as external CTI feeds but also the cached MISP instances.

#CTI #threatintel #misp

If you want to check on your instance, it's in /feeds/compareFeeds

Well, #twitter's last move is nuts... ???
https://twitter.com/ericfreyss/status/1604538198054535169

Finally it is there: A GUI version of PortexAnalyzer🔎

PortexAnalyzer is a free PE parser tailored for malware analysis. It uses the library PortEx.

🔽Download: https://github.com/struppigel/PortexAnalyzerGUI/releases
#PortEx #PortexAnalyzer

The best advice I have for anyone just coming here is to replace the location of the Twitter app on your phone with Mastodon and let your own muscle memory force you into adapting.

This will probably be my last direct post to Twitter. My account may or may not stay active, and I may or may not get to delete old posts. Auto-syncing from @rene_mobile has now been disabled. Please follow me on the Fediverse for further updates.

If you're trying to find journalists on Mastodon, I've created a verified database of several hundred here: http://presscheck.org. Since the backlog has become enormous, the unverified waiting list is now public also: http://presscheck.org/pending

On le sait, l'attribution d'une cyber-attaque (« c'est les Chinois ! ») est un exercice difficile. Il faut analyser l'attaque, parvenir à une certitude et, ensuite, assumer de révéler publiquement l'origine. Le livre de Mark Corcoral étudie cette question de l'attribution notamment sous l'angle des accusations par les États-Unis : comment se fait l'attribution publique et suivant quels méandres politiques ?

https://www.bortzmeyer.org/amerique-designe-ennemis.html