This media is not supported in your browser
VIEW IN TELEGRAM
SandboxEscaper today discloses a second zero-day exploit that apparently bypasses Microsoft's patch for a Windows EoP vulnerability (CVE-2019-0841)
https://thehackernews.com/2019/06/windows-eop-exploit.html
Polarbearrepo
https://github.com/SandboxEscaper/polarbearrepo/tree/master/ByeBear
#SandboxEscaper #Polarbearrepo #ZeroDay #exploit #microsoft #poc #video
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
https://thehackernews.com/2019/06/windows-eop-exploit.html
Polarbearrepo
https://github.com/SandboxEscaper/polarbearrepo/tree/master/ByeBear
#SandboxEscaper #Polarbearrepo #ZeroDay #exploit #microsoft #poc #video
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
GnuPG Key Generation and Smartcard Transfer - Nitrokey (Part2)
1. key material
Depending on the version, a Nitrokey supports different application scenarios. In this article of the article series "Nitrokey" I describe the commissioning of a Nitrokey under GNU/Linux and the following GnuPG key generation. An (RSA) key pair is a basic requirement for the two application scenarios OpenPGP/GnuPG e-mail encryption and OpenSSH public key authentication.
The procedure described for creating a (RSA) key pair and then transferring it to the smart card of the Nitrokey should also be transferable to other security tokens such as the YubiKey.
2. start-up: Nitrokey
The start-up of a security token differs depending on the Nitrokey variant and operating system. On the Nitrokey website you will find installation instructions for each key and operating system. In the following I will describe the setup of a Nitrokey storage under Debian GNU/Linux - the instructions can also be transferred 1:1 to the Nitrokey Pro.
2.1 Installing Necessary Packages
For Debian GNU/Linux to access the Nitrokey smartcard, the libccid library must be installed:
After installing these two packages you should first change the user and admin PIN. The user PIN will be requested if you open an encrypted e-mail within Thunderbird, for example, which will then be decrypted using the secret key on the smartcard. You will need the admin PIN for various operations, such as transferring key material or resetting the nitrokey. In short: You should change the default settings "123456" (user PIN) and "12345678" (admin PIN) for your own protection.
Open the Nitrokey app and navigate to Menu -> Configure -> Change User PIN and Change Administrator PIN:
3. (RSA) key material
A necessary prerequisite for OpenPGP/GnuPG e-mail encryption and other application scenarios is the public key encryption method. In this concept, a user generates a key pair consisting of a secret part (private key) and a non secret part (public key). Anyone wishing to exchange encrypted e-mails based on GnuPG with other participants must first generate a key pair.
We can generate this key pair either directly on the nitrokey or on a trustworthy computer. The key generation on the nitrokey has the advantage that the secret, private key can never leave the smartcard. However, this also means that no backups of the keys can be made. If the nitrokey is lost or defective, the keys on it are inevitably lost - decryption of e-mails, for example, is then no longer possible. All in all, generating the key pair directly on the Nitrokey is the safest option, but also the one that does not allow backup of the key material. The key generation directly on the Nitrokey is explained in detail in a manual on the Nitrokey website.
Personally, I recommend to do the GnuPG key generation in a "secure" environment or computer instead of generating it directly on the Nitrokey. This means not only more flexibility, but also a backup of the keys. Therefore I will explain in the following how to create an RSA key pair on a GNU/Linux system.
โ ๏ธ Advice
If you have already created a GnuPG key pair, you should create a backup of the keys and then jump to the number "5. transfer to the nitrokey".
3.1 Master key and subkeys: Purpose of use
An RSA key pair always consists of a public and secret (primary) key. The primary, secret key (master key) must be specially protected. If it is lost, an attacker can create new identities (UIDs), revoke valid keys, and completely impersonate the original owner.
1. key material
Depending on the version, a Nitrokey supports different application scenarios. In this article of the article series "Nitrokey" I describe the commissioning of a Nitrokey under GNU/Linux and the following GnuPG key generation. An (RSA) key pair is a basic requirement for the two application scenarios OpenPGP/GnuPG e-mail encryption and OpenSSH public key authentication.
The procedure described for creating a (RSA) key pair and then transferring it to the smart card of the Nitrokey should also be transferable to other security tokens such as the YubiKey.
2. start-up: Nitrokey
The start-up of a security token differs depending on the Nitrokey variant and operating system. On the Nitrokey website you will find installation instructions for each key and operating system. In the following I will describe the setup of a Nitrokey storage under Debian GNU/Linux - the instructions can also be transferred 1:1 to the Nitrokey Pro.
2.1 Installing Necessary Packages
For Debian GNU/Linux to access the Nitrokey smartcard, the libccid library must be installed:
apt-get install libccid
The Debian package sources also provide the Nitrokeys management program:apt-get install nitrokey-app
2.2 Changing the User and Admin PINAfter installing these two packages you should first change the user and admin PIN. The user PIN will be requested if you open an encrypted e-mail within Thunderbird, for example, which will then be decrypted using the secret key on the smartcard. You will need the admin PIN for various operations, such as transferring key material or resetting the nitrokey. In short: You should change the default settings "123456" (user PIN) and "12345678" (admin PIN) for your own protection.
Open the Nitrokey app and navigate to Menu -> Configure -> Change User PIN and Change Administrator PIN:
3. (RSA) key material
A necessary prerequisite for OpenPGP/GnuPG e-mail encryption and other application scenarios is the public key encryption method. In this concept, a user generates a key pair consisting of a secret part (private key) and a non secret part (public key). Anyone wishing to exchange encrypted e-mails based on GnuPG with other participants must first generate a key pair.
We can generate this key pair either directly on the nitrokey or on a trustworthy computer. The key generation on the nitrokey has the advantage that the secret, private key can never leave the smartcard. However, this also means that no backups of the keys can be made. If the nitrokey is lost or defective, the keys on it are inevitably lost - decryption of e-mails, for example, is then no longer possible. All in all, generating the key pair directly on the Nitrokey is the safest option, but also the one that does not allow backup of the key material. The key generation directly on the Nitrokey is explained in detail in a manual on the Nitrokey website.
Personally, I recommend to do the GnuPG key generation in a "secure" environment or computer instead of generating it directly on the Nitrokey. This means not only more flexibility, but also a backup of the keys. Therefore I will explain in the following how to create an RSA key pair on a GNU/Linux system.
โ ๏ธ Advice
If you have already created a GnuPG key pair, you should create a backup of the keys and then jump to the number "5. transfer to the nitrokey".
3.1 Master key and subkeys: Purpose of use
An RSA key pair always consists of a public and secret (primary) key. The primary, secret key (master key) must be specially protected. If it is lost, an attacker can create new identities (UIDs), revoke valid keys, and completely impersonate the original owner.
Subkeys can be derived from a primary master key. They behave like normal keys, but are bound to the master key pair. A subkey can be used for signing, encrypting, or authenticating. The advantage of subkeys is that they can be revoked and stored separately from the master key. Subkeys are like a separate key pair, but they are logically linked to the master key pair.
Let's take a look at the different uses and capabilities of private keys:
Certification:
The certification function is normally bound to the master key. Among other things, it is used to create new identities (UIDs) or to change existing key data. It can also be used to authenticate other public keys or confirm their authenticity. The background is the Web of Trust to check the authenticity of a key.
Encrypt:
A key with this capability can decrypt messages that have been encrypted with the appropriate public key. The private key is used in email encryption, for example, where someone uses your public key to encrypt a message to you. Since only you have the appropriate private key (trapdoor function), you can undo the encryption.
Sign it:
A key that has this capability can generate digital signatures of messages. This digital signature can be attached to an e-mail, for example. The sender can thus prove beyond doubt that a message originates from him. Prerequisite: The recipient has already checked the authenticity of a key or the sender in advance.
Authentication:
This function is used as part of the challenge-response protocol and is used, for example, for OpenSSH public key authentication. A key with this capability is therefore used to authenticate one's own identity.
In general, it is an advantage if you familiarize yourself with the concept of asymmetric encryption or OpenPGP/GnuPG before using your key pair in practice. In this article, I have only touched on a little of the elementary basic knowledge.
3.2 Sichere Umgebung
Die initiale Erzeugung eines RSA-Schlรผsselpรคrchens sollte innerhalb einer ยปsicherenยซ Umgebung erfolgen. Im Idealfall ist dies ein Rechner, der nicht mit dem Internet verbunden ist. Mein Vorschlag beinhaltet folgende Komponenten:
USB stick (from 8 GB) with tails:
Tails is a suitable system environment for generating the key pair. In the Tails Wiki you will find instructions on how to install Tails on a bootable USB stick. The installation instructions also describe in an optional step 6 how to create an encrypted, persistent memory. This storage area on the USB stick is encrypted and additionally protected by a password. It serves the following purposes:
๐๐ผ Storage of sensitive data
๐๐ผ Additional Software
๐๐ผ Storage of encryption keys
USB stick as backup:
storage of generated master keys, subkeys and revocation certificate
After creating the bootable Tails USB stick, the system is booted from a computer that is not connected to the Internet or any other network - i.e. completely "airgapped". The persistent storage area is then created (optional step), where the keys are then generated.
Depending on your personal threat model, the creation of a RSA key pair can also be done under different conditions - in the end you have to decide for yourself. For comparison: On a Windows XP gaming computer that has all kinds of software installed and is also connected to the Internet, you can of course also create the RSA keys. However, you also run a considerably higher risk that the key will be compromised or read by third parties during the creation process.
4. GnuPG key generation
For the RSA key generation you need GnuPG (from version 2.0.22). You can use a command line to check which version is pre-installed:
By default, GnuPG generates a master key with the functions:
Let's take a look at the different uses and capabilities of private keys:
Certification:
The certification function is normally bound to the master key. Among other things, it is used to create new identities (UIDs) or to change existing key data. It can also be used to authenticate other public keys or confirm their authenticity. The background is the Web of Trust to check the authenticity of a key.
Encrypt:
A key with this capability can decrypt messages that have been encrypted with the appropriate public key. The private key is used in email encryption, for example, where someone uses your public key to encrypt a message to you. Since only you have the appropriate private key (trapdoor function), you can undo the encryption.
Sign it:
A key that has this capability can generate digital signatures of messages. This digital signature can be attached to an e-mail, for example. The sender can thus prove beyond doubt that a message originates from him. Prerequisite: The recipient has already checked the authenticity of a key or the sender in advance.
Authentication:
This function is used as part of the challenge-response protocol and is used, for example, for OpenSSH public key authentication. A key with this capability is therefore used to authenticate one's own identity.
In general, it is an advantage if you familiarize yourself with the concept of asymmetric encryption or OpenPGP/GnuPG before using your key pair in practice. In this article, I have only touched on a little of the elementary basic knowledge.
3.2 Sichere Umgebung
Die initiale Erzeugung eines RSA-Schlรผsselpรคrchens sollte innerhalb einer ยปsicherenยซ Umgebung erfolgen. Im Idealfall ist dies ein Rechner, der nicht mit dem Internet verbunden ist. Mein Vorschlag beinhaltet folgende Komponenten:
USB stick (from 8 GB) with tails:
Tails is a suitable system environment for generating the key pair. In the Tails Wiki you will find instructions on how to install Tails on a bootable USB stick. The installation instructions also describe in an optional step 6 how to create an encrypted, persistent memory. This storage area on the USB stick is encrypted and additionally protected by a password. It serves the following purposes:
๐๐ผ Storage of sensitive data
๐๐ผ Additional Software
๐๐ผ Storage of encryption keys
USB stick as backup:
storage of generated master keys, subkeys and revocation certificate
After creating the bootable Tails USB stick, the system is booted from a computer that is not connected to the Internet or any other network - i.e. completely "airgapped". The persistent storage area is then created (optional step), where the keys are then generated.
Depending on your personal threat model, the creation of a RSA key pair can also be done under different conditions - in the end you have to decide for yourself. For comparison: On a Windows XP gaming computer that has all kinds of software installed and is also connected to the Internet, you can of course also create the RSA keys. However, you also run a considerably higher risk that the key will be compromised or read by third parties during the creation process.
4. GnuPG key generation
For the RSA key generation you need GnuPG (from version 2.0.22). You can use a command line to check which version is pre-installed:
gpg --version
Output:gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
4.1 Key generationBy default, GnuPG generates a master key with the functions:
๐๐ผ Certification and Signing
๐๐ผ including a subkey with the Encrypt function.
We will keep that, but add another subkey with the function Authentication via the expert mode. Let's start with the guided key generation:
[1] RSA and RSA:
Keys for both the master key and the subkeys are generated on the basis of the RSA cryptosystem.
[4096] Key length in bit for master key:
The master key should have a size of 4096 bits. This corresponds to about a 140-bit key space. For comparison: RSA-2048 bit has a key space of approx. 112 bit and RSA-3072 has a key space of approx. 128 bit.
[4096] Key length in bits for subkeys:
We also select a 4096-bit key length for the subkeys.
[3y] Validity of keys:
For security reasons, keys should always have an expiration time. This ensures that keys will become invalid at some point - e.g. if the secret key is no longer accessible for any reason. You can extend the expiration time later, even if the keys have already expired.
[Mike Kuketz] Name:
A name or pseudonym.
[nitrokey@kuketz.de] E-mail address:
The email address you have that you would like to use later to encrypt emails with other participants. You can later add more email addresses to which you want the keys to be valid.
[] Comment:
The specification is not mandatory or purely optional.
[F] Finish:
The F entry completes the process and generates the keys.
During the process, a popup will appear on the screen prompting you to enter a password. Please choose a "secure" password here - if the keys get lost, they are at least protected by the password.
We have now generated a master key with the function Certify / Sign and a sub key with the function Encrypt:
pub:
The pub attribute identifies the master key that is capable of the two functions [S] (signing) and [C] (certification).
sub:
The sub attribute marks the subkey that supports the [E] (Encrypt) function.
uid:
Your user ID resp. the UID
๐๐ผ including a subkey with the Encrypt function.
We will keep that, but add another subkey with the function Authentication via the expert mode. Let's start with the guided key generation:
gpg --full-generate-key --expert
Output:gpg --full-generate-key --expert
Please select the type of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign/certify only)
(4) RSA (sign/certify only)
(7) DSA (use adjustable)
(8) RSA (use adjustable)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (use adjustable)
(13) Existing key
Your choice? 1
RSA keys can be between 1024 and 4096 bits long.
What key length do you want? (3072) 4096
The required key length is 4096 bits.
RSA keys can be between 1024 and 4096 bits long.
What key length do you want for the subkey? (3072) 4096
The required key length is 4096 bits.
Please select how long you want the key to remain valid.
0 = Key never expires
= Key expires after n days
w = key expires after n weeks
m = key expires after n months
y = Key expires after n years
How long does the key remain valid? (0) 3y
Key expires Mo 06 Jun 2022 09:01:58 CEST
Is this right? (y/N) y
GnuPG creates a User ID to make your key identifiable.
Your Name ("First Name Last Name"): Mike Kuketz
Email address: nitrokey@kuketz.de
Comment:
You have chosen this User-ID:
"Mike Kuketz <nitrokey@kuketz.de>"
Change (N)ame, (K)ommentar, (E)-Mail or (F)ertig/(A)break? F
We have to generate a whole lot of random values. You can do this
by e.g. doing something in another window/console.
type, use the mouse or use any other program.
The selection summarized:[1] RSA and RSA:
Keys for both the master key and the subkeys are generated on the basis of the RSA cryptosystem.
[4096] Key length in bit for master key:
The master key should have a size of 4096 bits. This corresponds to about a 140-bit key space. For comparison: RSA-2048 bit has a key space of approx. 112 bit and RSA-3072 has a key space of approx. 128 bit.
[4096] Key length in bits for subkeys:
We also select a 4096-bit key length for the subkeys.
[3y] Validity of keys:
For security reasons, keys should always have an expiration time. This ensures that keys will become invalid at some point - e.g. if the secret key is no longer accessible for any reason. You can extend the expiration time later, even if the keys have already expired.
[Mike Kuketz] Name:
A name or pseudonym.
[nitrokey@kuketz.de] E-mail address:
The email address you have that you would like to use later to encrypt emails with other participants. You can later add more email addresses to which you want the keys to be valid.
[] Comment:
The specification is not mandatory or purely optional.
[F] Finish:
The F entry completes the process and generates the keys.
During the process, a popup will appear on the screen prompting you to enter a password. Please choose a "secure" password here - if the keys get lost, they are at least protected by the password.
We have now generated a master key with the function Certify / Sign and a sub key with the function Encrypt:
gpg: key 206C95DB985E7CC0 is marked as ultimate trustworthy
gpg: revocation certificate was saved as '/home/mike/.gnupg/openpgp-revocs.d/E83AB97F53CAE4AAE858BD06206C95DB985E7CC0.rev'.
Public and secret key generated and signed.
pub rsa4096 2019-06-07 [SC] [expires: 2022-06-06]
E83AB97F53CAE4AAE858BD06206C95DB985E7CC0
uid Mike Kuketz <nitrokey@kuketz.de>
sub rsa4096 2019-06-07 [E] [expires: 2022-06-06]
I would like to briefly discuss a few attributes:pub:
The pub attribute identifies the master key that is capable of the two functions [S] (signing) and [C] (certification).
sub:
The sub attribute marks the subkey that supports the [E] (Encrypt) function.
uid:
Your user ID resp. the UID
Revocation certificate:
A revocation certificate is also generated during the process. If the private key is compromised or lost, the key with the revocation certificate should be marked as invalid. Other participants will then be informed when the key is updated that the key has been revoked or is no longer valid. A revoked key can still be used to verify old signatures or decrypt emails - if the private key is still accessible. However, new emails can no longer be decrypted with this key.
4.2 Adding subkeys
For the OpenSSH Public Key Authentication application scenario, it is necessary to add an additional subkey with the Authentication function. With the --edit-key command, the key already created is called and can then be extended or changed:
With the command addkey another subkey can be added:
[8] RSA (use adjustable):
We would like to add the authentication function. This only works via the menu item [8].
[S] Switch the signature usability:
The function Sign and Encrypt is displayed in the output under "Currently permitted processes". However, the new subkey should not be able to do either. Therefore, the Sign function is deselected first.
[V] Switching the encryption usability:
We also do not need the Encrypt function and therefore deselect it.
[A] Switching authentication usability:
However, the new subkey should support the Authenticate function, which is why it is activated.
[3y] Validity of keys:
The validity of the subkey is again set to 3 years.
This is followed by the following output:
A revocation certificate is also generated during the process. If the private key is compromised or lost, the key with the revocation certificate should be marked as invalid. Other participants will then be informed when the key is updated that the key has been revoked or is no longer valid. A revoked key can still be used to verify old signatures or decrypt emails - if the private key is still accessible. However, new emails can no longer be decrypted with this key.
4.2 Adding subkeys
For the OpenSSH Public Key Authentication application scenario, it is necessary to add an additional subkey with the Authentication function. With the --edit-key command, the key already created is called and can then be extended or changed:
gpg --edit-key --expert nitrokey@kuketz.de
Output:Secret key is present.
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
In the interactive mode of GnuPG we can call a lot of functions. If you want to get an overview, you should first enter help.With the command addkey another subkey can be added:
gpg> addkey
Please select the type of key you want:
(3) DSA (sign/certify only)
(4) RSA (sign/certify only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (use adjustable)
(8) RSA (use adjustable)
(10) ECC (sign only)
(11) ECC (use adjustable)
(12) ECC (encrypt only)
(13) Existing key
Your choice? 8
Possible processes of an RSA key: Sign Encrypted Authentication
Currently permitted processes: Sign Verschl.
(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit
Your choice? S
Possible processes of an RSA key: Sign Encrypted Authentication
Currently allowed operations: Verschl.
(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit
Your choice? V
Possible processes of an RSA key: Sign Encrypted Authentication
Currently permitted operations:
(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit
Your choice? A
Possible processes of an RSA key: Sign Encrypted Authentication
Processes currently allowed: Authentication
(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit
Your choice? Q
RSA keys can be between 1024 and 4096 bits long.
What key length do you want? (3072) 4096
The required key length is 4096 bits.
Please select how long you want the key to remain valid.
0 = Key never expires
= Key expires after n days
w = key expires after n weeks
m = key expires after n months
y = Key expires after n years
How long does the key remain valid? (0) 3y
Key expires Mo 06 Jun 2022 10:36:29 CEST
Is this right? (y/N) y
Really generate? (y/N) j
We have to generate a whole lot of random values. You can do this
by e.g. doing something in another window/console.
type, use the mouse or use any other program.
The selection summarized:[8] RSA (use adjustable):
We would like to add the authentication function. This only works via the menu item [8].
[S] Switch the signature usability:
The function Sign and Encrypt is displayed in the output under "Currently permitted processes". However, the new subkey should not be able to do either. Therefore, the Sign function is deselected first.
[V] Switching the encryption usability:
We also do not need the Encrypt function and therefore deselect it.
[A] Switching authentication usability:
However, the new subkey should support the Authenticate function, which is why it is activated.
[3y] Validity of keys:
The validity of the subkey is again set to 3 years.
This is followed by the following output:
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
The new subkey with the Authentication function has therefore been added. By entering quit we leave the interactive mode again and confirm the question about......Save changes?
with the input of y:
gpg> quit
Save changes? (y/N) y
4.3 Backup of the key materialBefore we transfer the key material to the Nitrokey, we first create a backup on an external storage medium (e.g. USB stick). This can be additionally encrypted by dm-crypt / LUKS and should be kept safe afterwards:
gpg --armor --output privkey_nitrokey@kuketz.de.asc --export-secret-key nitrokey@kuketz.deOr simplified:
gpg --armor --output subkeys_nitrokey@kuketz.de.asc --export-secret-subkeys nitrokey@kuketz.de
gpg --armor --output pubkey_nitrokey@kuketz.de.asc --export nitrokey@kuketz.de
gpg--export-ownertrust > nitrokey@kuketz.de.txt
gpg --armor --output privkey_nitrokey@kuketz.de.asc --export-secret-keys nitrokey@kuketz.de
gpg --armor --output pubkey_nitrokey@kuketz.de.asc --export nitrokey@kuketz.de
gpg--export-ownertrust > nitrokey@kuketz.de.txt
The revocation certificate should also be secured:gpg --output revoke_nitrokey@kuketz.de.asc --gen-revoke nitrokey@kuketz.de
5. transfer to the nitrokeyWe have now generated a master key (signing, certifying) and two subkeys for encryption and authentication. Before you transfer these keys to the Nitrokey, please make sure that you have made backup copies. Once the keys are on the nitrokey, you will no longer be able to extract them from there.
An OpenPGP smartcard like the one used on the Nitrokey has three separate key slots. This means: On a security token like the Nitrokey or YubiKey you can usually store a private GPG key or up to three subkeys. That's exactly what we're going to do and start GnuPG's interactive mode again to transfer the keys to the smart card:
gpg --edit-key --expert nitrokey@kuketz.de
Output:Secret key is present.
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
gpg> keytocard
Really move the master key? (y/N) j
Select the storage location for the key:
(1) Signature key
(3) Authentication key
Your choice? 1
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
The master key has just been stored with the command keytocard in the key slot (1) signature key of the smartcard. To transfer the two subkeys to the smartcard or the nitrokey we proceed as follows:Curve25519:
Only the Nitrokey Start controls the elliptical curve Curve25519, which is one of the SaveCurves - the only curve where the choice of curve is completely transparent and therefore rear doors can practically be excluded. The other Nitrokeys only support the algorithms NIST P, Brainpool, and/or SECG/Koblitz. So if you really want to use ECC keys, you should currently use a Nitrokey Start - and update its firmware, as it may be affected by a vulnerability.
Compatibility:
In order for ECC keys to work smoothly in practice and, for example, to be used for e-mail encryption, all communication partners must use at least GnuPG 2.1 or newer. If this is not the case, problems may occur.
Apart from that, the use of ECC has a decisive advantage over RSA:
With smaller key lengths, the procedure is just as secure as longer RSA keys and is much faster in practice - especially on the security tokens, where all crypto operations (encryption, decryption, authentication, etc.) take place directly on the hardware, this is noticeable.
6.2 RSA-4096-Bit
The greater the RSA key length used, the longer a crypto operation on the smart card will take. For example, if you want to open an encrypted email, using an RSA-2048-bit key is much faster than using an RSA-4096-bit key. However, it is not only the Federal Office for Information Security (BSI) that recommends not using RSA keys of 2048-bit length from 2022 at the latest.
So you can still choose between RSA-3072-bit and RSA-4096-bit. The GnuPG project has an interesting answer to the question Why do people advise against using RSA-4096? in the FAQ:
"Almost always when people use 4096-bit RSA theyโre doing so because they believe RSA-4096 to be much stronger than it is. The United Statesโ National Institute of Standards and Technology (NIST) states that RSA-2048 gives roughly 112 bits of security and RSA-3072 gives roughly 128. There is no formal recommendation on where RSA-4096 lies, but the general consensus is that it would come in somewhere around 140 bits โ 28 bits of improvement over RSA-2048. This is an improvement so marginal that itโs really not worth mentioning.
If you need more security than RSA-2048 offers, the way to go would be to switch to elliptical curve cryptography โ not to continue using RSA."
Do what, then? Since RSA does not support Perfect Forward Secrecy, I recommend using at least RSA-3072-bit or RSA-4096-bit. The decision may be at the expense of speed, but in view of the security gain it is a reasonable compromise.
7. conclusion
Both the GPG master key (sign / certify) and the two subkeys for encryption and authentication are now stored on the Nitrokey. Thus all three key slots of the OpenPGP smart card are occupied. The advantage of the variant shown is that if the nitrokey is lost or defective, a backup of the keys can be imported.
In the next part of the article series we will use the Nitrokey for the exchange of encrypted e-mails based on GnuPG. We will use the free email client Thunderbird in combination with the add-on Enigmail to decrypt / encrypt and sign emails.
Source (German) and more info on Nitrokey (part 2):
https://www.kuketz-blog.de/gnupg-schluesselerstellung-und-smartcard-transfer-nitrokey-teil2/
Nitrokey part 1:
https://t.me/BlackBox_Archiv/404
#Nitrokey #SecurityKeys #usb #guide #kuketz #part2
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Only the Nitrokey Start controls the elliptical curve Curve25519, which is one of the SaveCurves - the only curve where the choice of curve is completely transparent and therefore rear doors can practically be excluded. The other Nitrokeys only support the algorithms NIST P, Brainpool, and/or SECG/Koblitz. So if you really want to use ECC keys, you should currently use a Nitrokey Start - and update its firmware, as it may be affected by a vulnerability.
Compatibility:
In order for ECC keys to work smoothly in practice and, for example, to be used for e-mail encryption, all communication partners must use at least GnuPG 2.1 or newer. If this is not the case, problems may occur.
Apart from that, the use of ECC has a decisive advantage over RSA:
With smaller key lengths, the procedure is just as secure as longer RSA keys and is much faster in practice - especially on the security tokens, where all crypto operations (encryption, decryption, authentication, etc.) take place directly on the hardware, this is noticeable.
6.2 RSA-4096-Bit
The greater the RSA key length used, the longer a crypto operation on the smart card will take. For example, if you want to open an encrypted email, using an RSA-2048-bit key is much faster than using an RSA-4096-bit key. However, it is not only the Federal Office for Information Security (BSI) that recommends not using RSA keys of 2048-bit length from 2022 at the latest.
So you can still choose between RSA-3072-bit and RSA-4096-bit. The GnuPG project has an interesting answer to the question Why do people advise against using RSA-4096? in the FAQ:
"Almost always when people use 4096-bit RSA theyโre doing so because they believe RSA-4096 to be much stronger than it is. The United Statesโ National Institute of Standards and Technology (NIST) states that RSA-2048 gives roughly 112 bits of security and RSA-3072 gives roughly 128. There is no formal recommendation on where RSA-4096 lies, but the general consensus is that it would come in somewhere around 140 bits โ 28 bits of improvement over RSA-2048. This is an improvement so marginal that itโs really not worth mentioning.
If you need more security than RSA-2048 offers, the way to go would be to switch to elliptical curve cryptography โ not to continue using RSA."
Do what, then? Since RSA does not support Perfect Forward Secrecy, I recommend using at least RSA-3072-bit or RSA-4096-bit. The decision may be at the expense of speed, but in view of the security gain it is a reasonable compromise.
7. conclusion
Both the GPG master key (sign / certify) and the two subkeys for encryption and authentication are now stored on the Nitrokey. Thus all three key slots of the OpenPGP smart card are occupied. The advantage of the variant shown is that if the nitrokey is lost or defective, a backup of the keys can be imported.
In the next part of the article series we will use the Nitrokey for the exchange of encrypted e-mails based on GnuPG. We will use the free email client Thunderbird in combination with the add-on Enigmail to decrypt / encrypt and sign emails.
Source (German) and more info on Nitrokey (part 2):
https://www.kuketz-blog.de/gnupg-schluesselerstellung-und-smartcard-transfer-nitrokey-teil2/
Nitrokey part 1:
https://t.me/BlackBox_Archiv/404
#Nitrokey #SecurityKeys #usb #guide #kuketz #part2
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
gpg> key 1
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb* rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
gpg> keytocard
Select the storage location for the key:
(2) Encryption key
Your choice? 2
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb* rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
With the command key 1 we first switch to the first subkey, which provides the encryption function. The subkey is then transferred to the smartcard again using the keytocard command. This time into the key slot (2) Encryption key. Then we can also transfer the second subkey:gpg> key 1
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
gpg> key 2
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb* rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
gpg> keytocard
Select the storage location for the key:
(3) Authentication key
Your choice? 3
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb* rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>
The last key or subkey has now also been transferred to the key slot (3) Authentication key on the smart card.As soon as you exit the interactive mode with quit and agree to save the changes, your keys will be irrevocably transferred to the nitrokey. From this point on, the GnuPG-KeyRing only points to the smartcard with a pointer - but the keys are no longer on the computer on which they were created:
gpg> quit
Save changes? (y/N) y
This completes the RSA key creation and transfer to the Nitrokey. Your keys are located in the secure smart card environment of the Nitrokey.5.1 Important: Making the public key known
To be able to use the Nitrokey and the keys on it on your system, you must import the public key of the RSA key pair you just created on each system you wish to use the Nitrokey on. As we have already created a backup of the public key, we can import it into the GnuPG-KeyRing or make it known there with a command:
gpg --import pubkey_nitrokey@kuketz.de.asc
gpg --import-ownertrust nitrokey@kuketz.de.txt
Then we link the keys stored on the smartcard with the local GnuPG-KeyRing:gpg --card-status
6. ECC key and RSA key length6.1 ECC Dilemma
In addition to RSA keys, keys based on Elliptic Curve Cryptography (ECC) are also suitable in practice for the planned OpenPGP/GnuPG e-mail encryption and OpenSSH public key authentication application scenarios. However, there are a few pitfalls to consider when using ECC:
๐ช๐ธ El mensaje "Forbidden" de Zippyshare llega a Espaรฑa.
Los misteriosos esfuerzos de bloqueo del popular servicio de hospedaje de archivos Zippyshare continรบan expandiรฉndose. Despuรฉs de que a los usuarios britรกnicos y alemanes se les prohibiera el acceso al sitio, los visitantes espaรฑoles estรกn recibiendo el mismo trato. Los operadores del sitio, mientras tanto, permanecen en silencio.
Fundado en 2006, el servicio de hospedaje de archivos Zippyshare existe desde hace mรกs de una dรฉcada.
El centro de intercambio, con unos 100 millones de usuarios, figura entre los 500 sitios mรกs visitados de Internet.
Sin embargo, en los รบltimos meses Zippyshare comenzรณ a cerrar selectivamente sus puertas en varias regiones. En marzo informamos de que los visitantes del Reino Unido habรญan sido bloqueados, y unas semanas mรกs tarde los visitantes alemanes recibieron el mismo tratamiento.
En lugar de ser bienvenidos en la pรกgina de inicio habitual, ven un error "Forbidden" en su navegador, lo que sugiere que los operadores han prohibido especรญficamente estas regiones.
Este mes los misteriosos esfuerzos de bloqueo de Zippyshare se expandieron a Espaรฑa. Los visitantes de paรญses del sur de Europa, o cualquier persona que acceda al sitio desde una direcciรณn IP espaรฑola, ya no pueden acceder al sitio.
El mensaje de error no explica lo que estรก sucediendo, lo que ha resultado en que algunos simplemente supongan que el sitio se ha cerrado, voluntariamente o no. Sin embargo, ese no es el caso.
Otros creen que Zippyshare estรก bloqueado o prohibido en Espaรฑa, seรฑalando que todavรญa se puede acceder a รฉl a travรฉs de un servidor VPN francรฉs.
Aunque eso es mรกs parecido a la verdad, el sitio no estรก siendo bloqueado por los ISPs. Por el contrario, parece que Zippyshare es responsable del bloqueo aquรญ. Por alguna razรณn, la gente del Reino Unido, Alemania y Espaรฑa ya no son bienvenidos.
Intentamos obtener un comentario de los operadores del sitio esta semana, pero aรบn no hemos recibido respuesta. Nuestras investigaciones anteriores tambiรฉn quedaron sin respuesta.
Una explicaciรณn probable es que Zippyshare dio este paso despuรฉs de algรบn tipo de presiรณn legal. No serรญa la primera vez que un sitio web hace esto. Anteriormente, varios desgarradores de secuencias tambiรฉn bloqueaban el trรกfico en el Reino Unido, presumiblemente debido a problemas similares.
Aunque no estamos al tanto de ningรบn problema legal concreto, la RIAA reportรณ a Zippyshare como un sitio pirata "notorio" al Representante de Comercio de los Estados Unidos a finales del aรฑo pasado. Dicho esto, el sitio sigue estando disponible gratuitamente en los Estados Unidos.
Cualquiera que sea la razรณn o la fuente del bloqueo localizado, la gente siempre puede encontrar una soluciรณn. Se puede acceder al sitio a travรฉs de una VPN, siempre y cuando no sea desde un servidor en uno de los paรญses bloqueados.
https://torrentfreak.com/zippyshares-forbidden-message-spreads-to-spain/
#bloqueo #zippyshare
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Los misteriosos esfuerzos de bloqueo del popular servicio de hospedaje de archivos Zippyshare continรบan expandiรฉndose. Despuรฉs de que a los usuarios britรกnicos y alemanes se les prohibiera el acceso al sitio, los visitantes espaรฑoles estรกn recibiendo el mismo trato. Los operadores del sitio, mientras tanto, permanecen en silencio.
Fundado en 2006, el servicio de hospedaje de archivos Zippyshare existe desde hace mรกs de una dรฉcada.
El centro de intercambio, con unos 100 millones de usuarios, figura entre los 500 sitios mรกs visitados de Internet.
Sin embargo, en los รบltimos meses Zippyshare comenzรณ a cerrar selectivamente sus puertas en varias regiones. En marzo informamos de que los visitantes del Reino Unido habรญan sido bloqueados, y unas semanas mรกs tarde los visitantes alemanes recibieron el mismo tratamiento.
En lugar de ser bienvenidos en la pรกgina de inicio habitual, ven un error "Forbidden" en su navegador, lo que sugiere que los operadores han prohibido especรญficamente estas regiones.
Este mes los misteriosos esfuerzos de bloqueo de Zippyshare se expandieron a Espaรฑa. Los visitantes de paรญses del sur de Europa, o cualquier persona que acceda al sitio desde una direcciรณn IP espaรฑola, ya no pueden acceder al sitio.
El mensaje de error no explica lo que estรก sucediendo, lo que ha resultado en que algunos simplemente supongan que el sitio se ha cerrado, voluntariamente o no. Sin embargo, ese no es el caso.
Otros creen que Zippyshare estรก bloqueado o prohibido en Espaรฑa, seรฑalando que todavรญa se puede acceder a รฉl a travรฉs de un servidor VPN francรฉs.
Aunque eso es mรกs parecido a la verdad, el sitio no estรก siendo bloqueado por los ISPs. Por el contrario, parece que Zippyshare es responsable del bloqueo aquรญ. Por alguna razรณn, la gente del Reino Unido, Alemania y Espaรฑa ya no son bienvenidos.
Intentamos obtener un comentario de los operadores del sitio esta semana, pero aรบn no hemos recibido respuesta. Nuestras investigaciones anteriores tambiรฉn quedaron sin respuesta.
Una explicaciรณn probable es que Zippyshare dio este paso despuรฉs de algรบn tipo de presiรณn legal. No serรญa la primera vez que un sitio web hace esto. Anteriormente, varios desgarradores de secuencias tambiรฉn bloqueaban el trรกfico en el Reino Unido, presumiblemente debido a problemas similares.
Aunque no estamos al tanto de ningรบn problema legal concreto, la RIAA reportรณ a Zippyshare como un sitio pirata "notorio" al Representante de Comercio de los Estados Unidos a finales del aรฑo pasado. Dicho esto, el sitio sigue estando disponible gratuitamente en los Estados Unidos.
Cualquiera que sea la razรณn o la fuente del bloqueo localizado, la gente siempre puede encontrar una soluciรณn. Se puede acceder al sitio a travรฉs de una VPN, siempre y cuando no sea desde un servidor en uno de los paรญses bloqueados.
https://torrentfreak.com/zippyshares-forbidden-message-spreads-to-spain/
#bloqueo #zippyshare
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Torrentfreak
Zippyshare's "Forbidden" Message Spreads to Spain * TorrentFreak
The mysterious blocking efforts of popular file-hosting service Zippyshare continue to expand. After UK and German users were 'forbidden' from accessing the site, Spanish visitors are now getting the same treatment. The operators of the site, meanwhile, remainโฆ
This media is not supported in your browser
VIEW IN TELEGRAM
Code Execution Flaw in Vim and Neovim
Razmjou discovered a flaw in the way Vim editor handles "modelines," a feature that's enabled-by-default to automatically find and apply a set of custom preferences mentioned by the creator of a file near the starting and ending lines in the document.
Though the editor only allows a subset of options in modelines (for security reasons) and uses sandbox protection if it contains an unsafe expression, Razmjou revealed that using ":source!" command (with a bang [!] modifier) can be used to bypass the sandbox.
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Patches and NVIM 0.3.6:
https://github.com/vim/vim/commit/5357552
https://github.com/neovim/neovim/pull/10082
https://github.com/neovim/neovim/releases/tag/v0.3.6
#patch #vulnerability #vim #neovim #alert #update
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Razmjou discovered a flaw in the way Vim editor handles "modelines," a feature that's enabled-by-default to automatically find and apply a set of custom preferences mentioned by the creator of a file near the starting and ending lines in the document.
Though the editor only allows a subset of options in modelines (for security reasons) and uses sandbox protection if it contains an unsafe expression, Razmjou revealed that using ":source!" command (with a bang [!] modifier) can be used to bypass the sandbox.
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
Patches and NVIM 0.3.6:
https://github.com/vim/vim/commit/5357552
https://github.com/neovim/neovim/pull/10082
https://github.com/neovim/neovim/releases/tag/v0.3.6
#patch #vulnerability #vim #neovim #alert #update
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Media is too big
VIEW IN TELEGRAM
Amazon is the most valuable brand in the world
An increase in value of more than 52 percent last year made Amazon the most valuable company in the world, according to a report. The online retailer is now ahead of Apple and Google for the first time.
Google was the most valuable brand in 2018, but now fell to third place with a brand value of just under 273 billion dollars. Apple remained in second place with a good 273.5 billion dollars. Visa ranked fifth, Facebook sixth. The seventh place went to the Chinese online retailer Alibaba, which climbed two places with a brand value of 116 billion dollars. He thus positioned himself ahead of Tencent. McDonald's and the telecommunications group AT&T ranked ninth and tenth respectively.
๐บ https://youtu.be/ti5manNDF_c
https://www.brandz.com/
#DeleteAmazon #DeleteGoogle #DeleteApple #DeleteFacebook #brandz
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
An increase in value of more than 52 percent last year made Amazon the most valuable company in the world, according to a report. The online retailer is now ahead of Apple and Google for the first time.
Google was the most valuable brand in 2018, but now fell to third place with a brand value of just under 273 billion dollars. Apple remained in second place with a good 273.5 billion dollars. Visa ranked fifth, Facebook sixth. The seventh place went to the Chinese online retailer Alibaba, which climbed two places with a brand value of 116 billion dollars. He thus positioned himself ahead of Tencent. McDonald's and the telecommunications group AT&T ranked ninth and tenth respectively.
๐บ https://youtu.be/ti5manNDF_c
https://www.brandz.com/
#DeleteAmazon #DeleteGoogle #DeleteApple #DeleteFacebook #brandz
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Risky Business #543 -- NYTimes blames NSA for Baltimore hacks, Assangeโฆ
Risky.Biz
Risky Business #543 -- NYTimes blames NSA for Baltimore hacks, Assange faces espionage charges
NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
Assange to face espionage charges, extradition fight looming
SanboxEscaper just keeps dropping those 0days
Fury over Facebookโs response to doctored Pelosi video
The news that in 2019 Germany had decided to support backdoors in messengers such as Whatsapp and Threema
Much, much more
๐ป Risky Business #543 #podcast
https://risky.biz/RB543/
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
NYTimes report blames Baltimore ransomware attack on leaked NSA exploit
Assange to face espionage charges, extradition fight looming
SanboxEscaper just keeps dropping those 0days
Fury over Facebookโs response to doctored Pelosi video
The news that in 2019 Germany had decided to support backdoors in messengers such as Whatsapp and Threema
Much, much more
๐ป Risky Business #543 #podcast
https://risky.biz/RB543/
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Bellingcatโs Online Investigation Toolkit
Welcome to Bellingcatโs freely available online open source investigation toolkit.
You can follow our work on via our website, Twitter and Facebook. (We also provide three to five day open source investigation workshops.) This is version 4.7 (May 13, 2019). The list includes satellite and mapping services, tools for verifying photos and videos, websites to archive web pages, and much more. The list is long, and may seem daunting. There are guides at the end of the document, highlighting the methods and use of these tools in further detail. We also provide tailored digital forensics workshops. Feel free to suggest tools via email (christiaantriebert@bellingcat.com) or Twitter (@trbrtc). To view an outline of the document, click โViewโ and then โShow document outlineโ. Thereโs also one below. The โOSINT Landscapeโ โ a condensed version of the online investigation toolkit below โ can be download in high resolution here. https://pbs.twimg.com/media/DXM63T0WsAA7E-a.jpg:large
https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/mobilebasic
#Bellingcat #investigation #tool
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Welcome to Bellingcatโs freely available online open source investigation toolkit.
You can follow our work on via our website, Twitter and Facebook. (We also provide three to five day open source investigation workshops.) This is version 4.7 (May 13, 2019). The list includes satellite and mapping services, tools for verifying photos and videos, websites to archive web pages, and much more. The list is long, and may seem daunting. There are guides at the end of the document, highlighting the methods and use of these tools in further detail. We also provide tailored digital forensics workshops. Feel free to suggest tools via email (christiaantriebert@bellingcat.com) or Twitter (@trbrtc). To view an outline of the document, click โViewโ and then โShow document outlineโ. Thereโs also one below. The โOSINT Landscapeโ โ a condensed version of the online investigation toolkit below โ can be download in high resolution here. https://pbs.twimg.com/media/DXM63T0WsAA7E-a.jpg:large
https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/mobilebasic
#Bellingcat #investigation #tool
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Each of us eats one credit card per week.
The particles are smaller than five millimeters and are found in food, drinking water and air. Depending on where they live and their diet, people take in five grams of microplastic every week. The big question is: How bad is this for the body?
People consume microplastics daily - through food, drinking water or just breathing. Up to five grams of these tiny particles enter the body of an earth citizen every week - depending on his or her circumstances. This is appreciated by researchers at the University of Newcastle (Australia), who have taken a closer look at existing studies on behalf of the environmental foundation WWF. By way of comparison, a credit card also weighs about five grams.
The researchers' study is based on data on microplastics - particles smaller than five millimetres - in the air we breathe, in drinking water, in salt, beer and in shellfish. According to WWF microplastics expert Caroline Kraas, microplastics, which may be recorded in other ways, was not included in the Australian analysis. The researchers also excluded fish despite available data, as it is not clear how much microplastic is eaten and how much remains in the animals' intestines.
The WWF calls for a global agreement against plastic pollution with binding targets. "If we don't want plastic in our bodies, we must prevent millions of tons of plastic waste from ending up in nature every year," said Heike Vesper, head of marine conservation at WWF Germany, according to a statement.
PDF Frauenhofer:
https://www.umsicht.fraunhofer.de/content/dam/umsicht/de/dokumente/publikationen/2018/kunststoffe-id-umwelt-konsortialstudie-mikroplastik.pdf
PDF WWF:
https://www.wwf.de/fileadmin/fm-wwf/Publikationen-PDF/WWF-Faktenblatt-Mikroplastik.pdf
#microplastics #pollution #why #thinkabout
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
The particles are smaller than five millimeters and are found in food, drinking water and air. Depending on where they live and their diet, people take in five grams of microplastic every week. The big question is: How bad is this for the body?
People consume microplastics daily - through food, drinking water or just breathing. Up to five grams of these tiny particles enter the body of an earth citizen every week - depending on his or her circumstances. This is appreciated by researchers at the University of Newcastle (Australia), who have taken a closer look at existing studies on behalf of the environmental foundation WWF. By way of comparison, a credit card also weighs about five grams.
The researchers' study is based on data on microplastics - particles smaller than five millimetres - in the air we breathe, in drinking water, in salt, beer and in shellfish. According to WWF microplastics expert Caroline Kraas, microplastics, which may be recorded in other ways, was not included in the Australian analysis. The researchers also excluded fish despite available data, as it is not clear how much microplastic is eaten and how much remains in the animals' intestines.
The WWF calls for a global agreement against plastic pollution with binding targets. "If we don't want plastic in our bodies, we must prevent millions of tons of plastic waste from ending up in nature every year," said Heike Vesper, head of marine conservation at WWF Germany, according to a statement.
PDF Frauenhofer:
https://www.umsicht.fraunhofer.de/content/dam/umsicht/de/dokumente/publikationen/2018/kunststoffe-id-umwelt-konsortialstudie-mikroplastik.pdf
PDF WWF:
https://www.wwf.de/fileadmin/fm-wwf/Publikationen-PDF/WWF-Faktenblatt-Mikroplastik.pdf
Read more ๐ฉ๐ช:https://www.welt.de/gesundheit/article195127017/Mikroplastik-Jeder-von-uns-isst-eine-Kreditkarte-pro-Woche.html
#microplastics #pollution #why #thinkabout
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Media is too big
VIEW IN TELEGRAM
Hongkong - Police use tear gas against demonstrators
The protests in Hong Kong against the controversial extradition law led to riots. According to eyewitnesses, police used tear gas and pepper spray against demonstrators near government buildings and tried to disperse them.
https://twitter.com/hongkonghermit?lang=en
#freehongkong #humanrights
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
The protests in Hong Kong against the controversial extradition law led to riots. According to eyewitnesses, police used tear gas and pepper spray against demonstrators near government buildings and tried to disperse them.
https://twitter.com/hongkonghermit?lang=en
#freehongkong #humanrights
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
This media is not supported in your browser
VIEW IN TELEGRAM
A Fake Zuckerberg Video Challenges Facebookโs Rules
Two weeks ago, Facebook declined to remove a doctored video in which the speaker of the House, Nancy Pelosi, seemed to drunkenly slur her speech. Over the weekend, two British artists released a doctored video of Facebookโs chief executive, Mark Zuckerberg, as a sly comment on the spread of false information online.
Posted to the Facebook-owned social network Instagram, the video shows Mr. Zuckerberg speaking directly into the camera, boasting of nefarious motives behind his online empire.
https://www.nytimes.com/2019/06/11/technology/fake-zuckerberg-video-facebook.html
#deepfake #video
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Two weeks ago, Facebook declined to remove a doctored video in which the speaker of the House, Nancy Pelosi, seemed to drunkenly slur her speech. Over the weekend, two British artists released a doctored video of Facebookโs chief executive, Mark Zuckerberg, as a sly comment on the spread of false information online.
Posted to the Facebook-owned social network Instagram, the video shows Mr. Zuckerberg speaking directly into the camera, boasting of nefarious motives behind his online empire.
https://www.nytimes.com/2019/06/11/technology/fake-zuckerberg-video-facebook.html
#deepfake #video
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Google Workers Rise Up: Inside the Protests
๐ง Google Workers Rise Up: Inside the Protests
Google has long had a special relationship with staff, encouraging employee input on all sorts of internal matters. For the last two decades, this approach has worked well. But after a series of controversies and protests in the last two years, some workers are openly at war with Google. This week on Decrypted, editor Alistair Barr speaks to Irene Knapp, a senior software engineer who has had a front-row seat during the tumult inside the company.
๐ป https://www.bloomberg.com/news/audio/2019-06-10/google-workers-rise-up-inside-the-protests-podcast
#DeleteGoogle #bloomberg #podcast
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Google has long had a special relationship with staff, encouraging employee input on all sorts of internal matters. For the last two decades, this approach has worked well. But after a series of controversies and protests in the last two years, some workers are openly at war with Google. This week on Decrypted, editor Alistair Barr speaks to Irene Knapp, a senior software engineer who has had a front-row seat during the tumult inside the company.
๐ป https://www.bloomberg.com/news/audio/2019-06-10/google-workers-rise-up-inside-the-protests-podcast
#DeleteGoogle #bloomberg #podcast
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
This media is not supported in your browser
VIEW IN TELEGRAM
Critical Flaw Reported in Popular Evernote Extension for Chrome Users
As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.
https://thehackernews.com/2019/06/evernote-extension-hacking.html
#exploit #evernote #extension #chrome #browser #poc
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.
https://thehackernews.com/2019/06/evernote-extension-hacking.html
#exploit #evernote #extension #chrome #browser #poc
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Media is too big
VIEW IN TELEGRAM
How Hong Kong demonstrators organised
Tens of thousands of protesters have taken to Hong Kong's streets in opposition to a bill that would allow extradition to mainland China.
The demonstrators have said they are not operating in a planned movement, but have been cooperating on the ground as they have come under pressure to disperse from security forces.
๐บ https://www.bbc.com/news/av/world-asia-48622346/how-hong-kong-demonstrators-organised
Hongkong - Police use tear gas against demonstrators
๐บ https://t.me/BlackBox_Archiv/429
#FreeHongKong
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Tens of thousands of protesters have taken to Hong Kong's streets in opposition to a bill that would allow extradition to mainland China.
The demonstrators have said they are not operating in a planned movement, but have been cooperating on the ground as they have come under pressure to disperse from security forces.
๐บ https://www.bbc.com/news/av/world-asia-48622346/how-hong-kong-demonstrators-organised
Hongkong - Police use tear gas against demonstrators
๐บ https://t.me/BlackBox_Archiv/429
#FreeHongKong
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
Media is too big
VIEW IN TELEGRAM
๐บ Language is a Weapon
โIn our time it is broadly true that political writing is bad writingโ wrote George Orwell 70 years ago, and the observation remains true today. But bad writing is not just bad writing; the language employed by politicians (and their string pullers) can literally be a matter of life and death. Join James today on the podcast as he delves into the tyrantsโ linguistic weapons and how we can arm ourselves against them.
๐บ #CorbettReport Episode 357 โ #Language is a #Weapon #video #podcast
https://www.corbettreport.com/episode-357-language-is-a-weapon/
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN
โIn our time it is broadly true that political writing is bad writingโ wrote George Orwell 70 years ago, and the observation remains true today. But bad writing is not just bad writing; the language employed by politicians (and their string pullers) can literally be a matter of life and death. Join James today on the podcast as he delves into the tyrantsโ linguistic weapons and how we can arm ourselves against them.
๐บ #CorbettReport Episode 357 โ #Language is a #Weapon #video #podcast
https://www.corbettreport.com/episode-357-language-is-a-weapon/
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
๐ก@FLOSSb0xIN