• Breaking News

    Wednesday, August 29, 2018

    We Are Motherboard's Infosec Reporters: Let's Talk Journalism and "Cyber." Ask Us Anything! Security News & Discussion


    We Are Motherboard's Infosec Reporters: Let's Talk Journalism and "Cyber." Ask Us Anything!

    Posted: 29 Aug 2018 08:03 AM PDT

    We are Lorenzo Franceschi-Bicchierai and Joseph Cox. We cover infosec and hacking for Motherboard, VICE Media's tech and science website. Over the years, we have written about government hacking, consumer spyware, surveillance technology, cybercrime, and a loooooot of data breaches.

    Recently, we've been digging into SIM swapping scams, the iPhone zero-day market, the mysterious group doxing Chinese government hackers, and Facebook's impossible problem: content moderation.

    Today we will stand on the other side and take questions about how we pick stories, how we report articles, how we verify hacked or leaked data, and anything in between.

    Proof: https://i.redd.it/ojzd8pgcivi11.jpg

    *** EDIT: Hey everyone, looks like we are wrapping up here. Thanks so much for asking us all these awesome questions. And thanks for reading, we couldn't do it without you guys.

    And if you have any tips or suggestions, please feel free to reach out.

    Lorenzo: Signal on +1 917 257 1382, OTR chat on lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

    Joseph: Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com

    submitted by /u/motherboard

    Good Introduction to CORS (Cross-Origin Resource Sharing)

    Posted: 29 Aug 2018 12:12 AM PDT

    Assume the Worst: Enumerating AWS Roles through ‘AssumeRole’

    Posted: 29 Aug 2018 11:54 AM PDT

    WebAuthn Cryptography Flaws Round 2: IBM's ECDAA implementation

    Posted: 29 Aug 2018 08:18 AM PDT

    Hi /r/netsec!

    This is a follow-up to my previous submission about Security Concerns Surrounding WebAuthn, which dove into the cryptography protocol design of ECDAA (a FIDO Alliance design which WebAuthn explicitly adds as a reserved COSE algorithm).

    I looked at the ECDAA implementation published on GitHub under the IBM-Research organization and discovered that they're just using BigInteger.mod(), which will produce biased output (because [0, order) doesn't evenly fill [0, 2^n), the remainder of the modulo will increase the probability of lower values). Given that IBM employees were the co-authors of the ECDAA specification, I'm led to believe that the IBM-Research repository is somewhat official.

    I reported this on GitHub, of course: https://github.com/ibm-research/ecdaa/issues/5

    While I'm excited about the prospect of hardware-based 2FA (or even WebAuthn-powered single factor to eliminate passwords in corporate settings), the cryptography they're trying to standardize is too error-prone. We shouldn't trust it until these flaws are remedied.

    submitted by /u/sarciszewski
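The modulo bias described in the post above, shown as an added example (not code from the post or from the IBM-Research repository): it counts the exact output distribution of "draw n bits, then reduce mod order" and contrasts it with rejection sampling. All function names are hypothetical, and the 8-bit input with order 200 is a constructed toy parameter set, not a real curve order.

```python
import secrets
from collections import Counter
from fractions import Fraction


def mod_reduce_distribution(n_bits, order):
    """Exact output counts of x % order over every n-bit input x."""
    return Counter(x % order for x in range(1 << n_bits))


def modulo_bias(n_bits, order):
    """Closed form of the bias: with 2^n = q*order + r, outputs below r
    are hit q+1 times and the rest q times.

    Returns (r, P[output below r], P[output at or above r]).
    """
    total = 1 << n_bits
    q, r = divmod(total, order)
    low = q + 1 if r else q  # r == 0 means order divides 2^n: no bias
    return r, Fraction(low, total), Fraction(q, total)


def sample_biased(n_bits, order, randbits=secrets.randbits):
    """The pattern the post describes: draw n bits, then reduce."""
    return randbits(n_bits) % order


def sample_uniform(order, randbits=secrets.randbits):
    """Rejection sampling: redraw until the candidate is below order,
    so every value in [0, order) is equally likely."""
    k = order.bit_length()
    while True:
        candidate = randbits(k)
        if candidate < order:
            return candidate


if __name__ == "__main__":
    # Constructed toy parameters (assumption, chosen to make the bias visible).
    counts = mod_reduce_distribution(8, 200)
    r, p_low, p_high = modulo_bias(8, 200)
    print("outputs below", r, "occur", counts[0], "times; the rest", counts[199])
    print("P[low] =", p_low, " P[high] =", p_high)
    print("rejection-sampled value:", sample_uniform(200))
```

With a real group order the same arithmetic applies: the size of the bias depends on how far 2^n overshoots a multiple of the order, which is why implementations either reject out-of-range candidates or draw many more bits than the order needs before reducing.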

    Native Android Proxmark3 client (rootless)

    Posted: 29 Aug 2018 06:47 AM PDT

    Fuzzing the .NET JIT Compiler

    Posted: 29 Aug 2018 12:04 AM PDT
