Security and Windows TCO Leftovers
-
Data Swamp ☛ Improve your SSH agent security
If you are using SSH quite often, it is likely you use an SSH agent which stores your private key in memory so you do not have to type your password every time.
This method is convenient, but it comes at the expense of your SSH key use security: anyone able to use your session while the agent holds the key unlocked can use your SSH key. This scenario is most likely to happen when using a compromised build script.
However, it is possible to harden this process at a small expense of convenience: make your SSH agent ask for confirmation every time the key has to be used.
The tooling provided with OpenSSH comes with a simple SSH agent named `ssh-agent`. On OpenBSD, the agent is automatically started and asks to unlock your key upon graphical login if it finds an SSH key in the default path (like `~/.ssh/id_rsa`).
-
LWN ☛ Security updates for Monday
Security updates have been issued by Debian (apache2, bluez, chromium, fossil, libreoffice, python-pymysql, redmine, and ruby-rack), Fedora (buildah, crosswords, dotnet7.0, glycin-loaders, gnome-tour, helix, helvum, libipuz, loupe, maturin, mingw-libxml2, ntpd-rs, perl-Email-MIME, and a huge list of Rust-based packages due to a "mini-mass-rebuild" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (chromium-browser-stable, mariadb, and roundcubemail), Oracle (kernel, libreoffice, nodejs, and tomcat), and SUSE (cJSON, libfastjson, opera, postgresql15, python3, and qt6-networkauth).
-
LWN ☛ Huston: Calling Time on DNSSEC?
Geoff Huston suggests that it is time to give up on DNSSEC and look for a better way to secure the Internet namespace.
-
Hong Kong Free Press ☛ Website for anti-spam service HKJunkCall taken offline following hacking attempt
HKJunkCall – a service popular among Hongkongers looking to block spam and scam calls – has suffered a data breach attempt, it said in an email to users on Monday.
-
IT Wire ☛ Optus non-committal on releasing Deloitte report despite court ruling
Customer names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers were revealed.
Optus claimed at the time that payment details and account passwords had not been compromised.
-
New Yorker ☛ Notice of Security Incident
Regrettably, a data breach occurred involving the part of our network that stores digital replicas of your nude abdomen after you’ve eaten beef pad Thai.
-
Windows TCO
-
SANS ☛ Files with TXZ extension used as malspam attachments, (Mon, May 27th)
Malicious e-mail attachments come in all shapes and sizes.
-