Security and Standards: NTP Security, New Attack Against Wi-Fi, AirSnitch, and More
-
LWN ☛ Security updates for Monday
Security updates have been issued by AlmaLinux (delve, git-lfs, and postgresql16), Fedora (cef, chezmoi, chromium, coturn, erlang-hex_core, firefox, gh, gimp, k9s, keylime, keylime-agent-rust, libsixel, microcode_ctl, nextcloud, nss, perl-Crypt-URandom, pgadmin4, php-zumba-json-serializer, postgresql16-anonymizer, prometheus, python-asyncmy, python3.10, python3.11, python3.9, staticcheck, valkey, and vim), SUSE (chromedriver, chromium, coredns, expat, freetype2-devel, gitea-tea, go1.24-openssl, go1.25-openssl, grpc, gstreamer-rtsp-server, gstreamer-plugins-ugly, helm, jetty-annotations, kubeshark-cli, libaec, libblkid-devel, libsoup, libxml2, libxslt, NetworkManager-applet-strongswan, podman, python-joserfc, python-Markdown, python-pypdf2, python-tornado, python-uv, python311-Django, python311-joserfc, python311-nltk, roundcubemail, and valkey), and Ubuntu (python3.4, python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14).
-
Bruce Schneier ☛ New Attack Against Wi-Fi - Schneier on Security
-
Internet Society ☛ AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks - NDSS Symposium
In this paper, we undertake a structured security analysis of Wi-Fi client isolation and uncover new classes of attacks that bypass this protection. We identify several root causes behind these weaknesses. First, Wi-Fi keys that protect broadcast frames are improperly managed and can be abused to bypass client isolation. Second, isolation is often only enforced at the MAC or IP layer, but not both. Third, weak synchronization of a client's identity across the network stack allows one to bypass Wi-Fi client isolation at the network layer instead, enabling the interception of uplink and downlink traffic of other clients as well as internal backend devices. Every tested router and network was vulnerable to at least one attack. More broadly, the lack of standardization leads to inconsistent, ad hoc, and often incomplete implementations of isolation across vendors.
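The paper's second root cause, isolation enforced at only one of the MAC or IP layers, is easy to reason about with a toy model. The following is an added example, not the AirSnitch authors' code: a simulated access point that can enforce client isolation at the MAC layer, the IP layer, or both, fed three constructed frames from one client aimed at another. The MAC addresses, IP addresses and the gateway are invented sample values, and the model assumes the gateway behaves as a plain IP router, forwarding a packet it receives for a destination on its own Wi-Fi subnet back out to that client.

```python
# Added model, not the AirSnitch authors' code: a toy access point enforcing
# client isolation at the MAC layer, the IP layer, or both, to show what each
# single-layer policy still lets through.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: Optional[str]   # None for a frame that carries no IP packet (e.g. ARP)


# Constructed sample network: two isolated Wi-Fi clients plus the gateway.
CLIENTS = {"aa:aa:aa:aa:aa:aa": "192.168.1.10",   # client A
           "bb:bb:bb:bb:bb:bb": "192.168.1.11"}   # client B
CLIENT_IPS = set(CLIENTS.values())
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:55", "192.168.1.1"


def ap_accepts(frame: Frame, mac_isolation: bool, ip_isolation: bool) -> bool:
    """Client-isolation check as an AP applies it to a frame received from a client."""
    if mac_isolation and frame.dst_mac in CLIENTS:
        return False            # L2 rule: no frame may be addressed to another client
    if ip_isolation and frame.dst_ip in CLIENT_IPS:
        return False            # L3 rule: no packet may be addressed to a client IP
    return True


def deliver(frame: Frame, mac_isolation: bool, ip_isolation: bool) -> Optional[str]:
    """Return the IP of the host that finally receives the frame's payload, or None.
    Assumption: the gateway is a plain IP router, so a packet it receives for a
    destination on its own Wi-Fi subnet is forwarded back out to that client."""
    if not ap_accepts(frame, mac_isolation, ip_isolation):
        return None
    if frame.dst_mac in CLIENTS:
        return CLIENTS[frame.dst_mac]          # bridged straight to the peer
    if frame.dst_mac == GATEWAY_MAC:
        if frame.dst_ip == GATEWAY_IP:
            return GATEWAY_IP
        if frame.dst_ip in CLIENT_IPS:
            return frame.dst_ip                # routed back to the peer (hairpin)
    return None


A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
DIRECT = Frame(src_mac=A, dst_mac=B, dst_ip=CLIENTS[B])            # A -> B at both layers
VIA_GW = Frame(src_mac=A, dst_mac=GATEWAY_MAC, dst_ip=CLIENTS[B])  # L2 to gateway, L3 to B
RAW_L2 = Frame(src_mac=A, dst_mac=B, dst_ip=None)                  # A -> B, no IP header


def isolation_matrix() -> dict:
    """Who receives each frame under each policy (None = dropped by the AP)."""
    policies = {"none": (False, False), "mac_only": (True, False),
                "ip_only": (False, True), "both": (True, True)}
    frames = {"direct": DIRECT, "via_gateway": VIA_GW, "raw_l2": RAW_L2}
    return {p: {f: deliver(fr, *flags) for f, fr in frames.items()}
            for p, flags in policies.items()}


if __name__ == "__main__":
    for policy, results in isolation_matrix().items():
        print(f"{policy:9s} {results}")
```

Under `mac_only` the frame addressed at L2 to the gateway but at L3 to client B still reaches B, and under `ip_only` a frame with no IP header addressed at L2 to B reaches B; only `both` drops all three. A real check against an AP needs the same three frame shapes sent on the air, which this model deliberately does not do.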
-
[Old] Peter Hofmann ☛ Why octal notation should be used for UTF-8 (and Unicode)
Disclaimer: I read about this topic in another blog first, but I just can't find that posting anymore. If you, the "original author", happen to read this, drop me a note and I'll add a link to your posting.
Now. It's 2016 and I finally took the time to write a very basic UTF-8 encoder and decoder. This is an important thing that, IMHO, anyone should do to get a better understanding of what's going on.
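The point of the post is that octal lines up with UTF-8's bit layout: a continuation byte is 10xxxxxx, so in octal it is always 0o2xx and "xx" is literally two octal digits of the code point, while the lead byte's low digits supply the remaining high digits. The following is an added example, not code from Peter Hofmann's post: a minimal encoder, a strict decoder (it rejects overlong forms, surrogates, truncated sequences and out-of-range lead bytes, which is where UTF-8 decoders historically went wrong), and a helper that reassembles the code point purely by octal-digit string surgery. Function names are the example's own.

```python
# Added example, not code from Peter Hofmann's post: UTF-8 encode/decode plus
# an octal view showing why octal digits line up with UTF-8's 6-bit groups.

def utf8_encode(cp: int) -> bytes:
    """Encode one Unicode scalar value (RFC 3629: no surrogates, max U+10FFFF)."""
    if not 0 <= cp <= 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"not a Unicode scalar value: U+{cp:04X}")
    if cp < 0x80:
        return bytes([cp])
    if cp < 0x800:
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                  0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def utf8_decode(data: bytes) -> list[int]:
    """Strict decoder: rejects bad lead/continuation bytes, truncated sequences,
    overlong forms (the classic '%c0%af' path-filter bypass) and surrogates."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            need, cp, floor = 0, b, 0
        elif 0xC2 <= b <= 0xDF:          # 0xC0/0xC1 could only start an overlong
            need, cp, floor = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, floor = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF4:          # 0xF5.. would exceed U+10FFFF
            need, cp, floor = 3, b & 0x07, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0o{b:03o} at offset {i}")
        if i + need >= len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, need + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0o{c:03o} at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < floor or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            raise ValueError(f"overlong or out-of-range sequence at offset {i}")
        out.append(cp)
        i += need + 1
    return out


def is_valid_utf8(data: bytes) -> bool:
    try:
        utf8_decode(data)
        return True
    except ValueError:
        return False


def octal_bytes(cp: int) -> list[str]:
    """UTF-8 bytes of cp as three-digit octal strings, e.g. U+20AC -> 342 202 254."""
    return [f"{b:03o}" for b in utf8_encode(cp)]


def code_point_from_octal(octets: list[str]) -> int:
    """Reassemble the code point from the octal strings with no bit shifting:
    a 2-byte lead 0o3ab contributes 'ab', a 3-byte lead 0o34x/0o35x contributes
    '0x'/'1x', a 4-byte lead 0o36x contributes 'x'; each 0o2cd continuation
    byte simply appends 'cd'."""
    lead, conts = octets[0], octets[1:]
    if not conts:
        return int(lead, 8)
    if lead[0] != "3":
        raise ValueError(f"not a lead byte: 0o{lead}")
    a = lead[1]
    if a in "0123":
        digits, expect = lead[1:], 1
    elif a in "45":
        digits, expect = str(int(a) - 4) + lead[2], 2
    elif a == "6":
        digits, expect = lead[2], 3
    else:
        raise ValueError(f"not a lead byte: 0o{lead}")
    if len(conts) != expect or any(c[0] != "2" for c in conts):
        raise ValueError("continuation bytes do not match lead byte")
    return int(digits + "".join(c[1:] for c in conts), 8)


if __name__ == "__main__":
    for cp in (0xE9, 0x20AC, 0x1F600):
        print(f"U+{cp:04X} = 0o{cp:o}  bytes {' '.join(octal_bytes(cp))}")
```

Running it shows U+00E9 as bytes 303 251 (strip the 3 and the 2: 03 51 is 0o351, the code point in octal) and U+20AC as 342 202 254 (0 2, 02, 54 gives 0o20254). In hex the same reconstruction needs shifts, because a 6-bit group does not fall on a nibble boundary.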
Securing NTP
On 31 December 2016, the world’s clocks briefly hiccupped as Coordinated Universal Time (UTC) inserted an extra second into the final minute of the year. Such adjustments are not unusual; it was the 27th leap second added to the UTC timescale.