SwiftOnSecurity
@SwiftOnSecurity

Systems security, author http://DecentSecurity.com + http://GotPhish.com, write SciFi, sysadmin, & use Oxford commas. they/them/tay

Cyber, USA
decentsecurity.com
Joined April 2014

Tweets

    1. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      COMMENTARY ON CVE-2020-0601: I have been speaking to several players on this on background and there are a few things they want to highlight / clarify based on the public discourse so far.

      12 replies 653 retweets 1,208 likes
    2. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      When NSA says CVE-2020-0601 enables Remote Code Execution, they mean that trusted communication channels like automatic update downloads and non-validated input between systems could be modified in-transit by a MitM, to cause RCE or other malevolent ends.

      8 replies 70 retweets 338 likes
    3. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      This vulnerability is not about a wormable global takedown of computers, but instead resourced attackers who own network transit points being able to modify communication streams at-will. Basically, nation-state APTs who routinely compromise foreign network infrastructure.

      10 replies 81 retweets 390 likes
    4. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      The gravest impacts of this are established societal and industrial infrastructure. Bank communications. Infrastructure control. Heavy industry. This is a much different threat than is traditionally discussed or news consumers really understand the ramifications of.

      6 replies 43 retweets 327 likes
    5. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      Because both TLS communication stream encryption and Authenticode file validation are impacted by this flaw in PKI validation, the normal ways this is guarded against for program updates are both compromised. There are a few that go beyond this, but it’s exceptionally rare.

      29 retweets 225 likes
    6. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      This is a fast-checkmate flaw for a hugely resourced and patient global actor like the NSA, but it’s a far greater systemic threat to the United States, which explains why this was properly disclosed to Microsoft.

      8 replies 48 retweets 297 likes
    7. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      Innumerable protocols and transactions are protected with x509. Enterprise voice, VPN, really everything these days is being wrapped up in HTTPS and sent over the Internet. And they all rely on Windows’ correct implementation, which is at fault here.

      38 retweets 247 likes
    8. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      This probably impacts SmartCards / authentication devices that emulate them, too. The US government uses them extensively for access control on secure networks worldwide. @dakami prodded me to mention this.

      6 replies 22 retweets 178 likes
    9. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      Note this SmartCard attack scenario is pure speculation and not based on any background info. I’m not sure if it would work since it might be the wrong place in the chain, I’m not sure.

      5 replies 6 retweets 134 likes
    10. SwiftOnSecurity @SwiftOnSecurity · Jan 14

      UPDATE: Attacking SmartCard through this flaw is not likely since it leverages elliptic curve, and those cards are very stuck on RSA. In theory it could be in an artisanal environment, not something to really worry about. I’m leaving these tweets up so others speculating can see.

      7 replies 13 retweets 166 likes
      SwiftOnSecurity @SwiftOnSecurity · Jan 14

      NEW: @tqbf along with several other cryptographers speculate on how CVE-2020-0601 works at a technical level: https://news.ycombinator.com/item?id=22048619

      12:02 - Jan 14, 2020
      1 reply 50 retweets 185 likes
        1. New conversation
        2. SwiftOnSecurity @SwiftOnSecurity · Jan 14

          ^ @BearSSLnews is the other cryptographer. Update on the SmartCard attack vector: It could work with the right scenario, but in practice there aren’t really private roots signing with ECDSA, so there are likely no vulnerable intermediaries. And smartcards are pinned to a private root

          9 retweets 103 likes
        3. SwiftOnSecurity @SwiftOnSecurity · Jan 14

          SwiftOnSecurity retweeted Amitai Rottem

          Microsoft have built extensive alerting for CVE-2020-0601 which will definitely complicate exploitation, since there are few in a network position to interdict your traffic, except governments. Yes I know about WiFi/Responder, that’s not the main problem here https://twitter.com/AmitaiTechie/status/1217156973268893696

          SwiftOnSecurity added,

          Amitai Rottem @AmitaiTechie
          Windows Defender Antivirus detects files w/crafted certificates exploiting the certificate validation vulnerability: Exploit:Win32/CVE-2020-0601.A (PE files) Exploit:Win32/CVE-2020-0601.B (Scripts) Also, #Microsoft Defender ATP has a threat report on your posture. #CVE-2020-0601 pic.twitter.com/dFqJV5za8F

          29 retweets 130 likes
        4. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          SwiftOnSecurity retweeted Kevin Beaumont

          After FLAME abused a Microsoft certificate for malware, MSFT added large numbers of hardening solutions to WinUpdate, even for significant security break scenarios. It appears because of this, Windows Update itself is not vulnerable to CVE-2020-0601. https://twitter.com/gossithedog/status/1217242998418935809

          SwiftOnSecurity added,

          Kevin Beaumont (Verified account) @GossiTheDog
          Replying to @mattwwaters @SwiftOnSecurity and 5 others
          No, even if you spoof signed with ECC, it validates dual RSA signing (which you can’t spoof).

          1 reply 64 retweets 216 likes
        5. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          SwiftOnSecurity retweeted Saleem Rashid

          This appears to show a private exploit for CVE-2020-0601 has now been developed. Saleem is a trusted researcher. https://twitter.com/saleemrash1d/status/1217495681230954506

          SwiftOnSecurity added,

          Saleem Rashid @saleemrash1d
          CVE-2020-0601 pic.twitter.com/8tJsJqvnHj

          75 retweets 158 likes
        6. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          SwiftOnSecurity retweeted Saleem Rashid

          Update: Chrome has also fallen to CVE-2020-0601 after a few extra constraints it imposes were met. It’s not a web browser’s fault or responsibility to defeat an OS-level problem, it’s a flaw in the most basic tenets of Windows’ PKI validation. https://twitter.com/saleemrash1d/status/1217519809732259840

          SwiftOnSecurity added,

          Saleem Rashid @saleemrash1d
          thanks to @CiPHPerCoder's hint :) the biggest constraints are Chrome's tight certificate policies and that the root CA must be cached, which you can trigger by visiting a legitimate site that uses the certificate pic.twitter.com/GgftwVvpY8

          37 retweets 91 likes
        7. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          Sidenote: Intermediate CA certificate chaining and caching is an interesting problem that can happen in TLS. If you can’t figure out a validation problem, this may be the root cause. And it’s often overlooked since it “works on the developer’s machine” due to their own habits.

          1 reply 4 retweets 47 likes
        8. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          Update:
          - Chrome’s next version (Beta pending release) will detect CVE-2020-0601.
          - The New Edge browser Microsoft released today also defeats it.
          It’s not their responsibility to do this, but it is cool to go the extra mile. I don’t have a contact in Firefox about their plans.

          6 replies 21 retweets 101 likes
        9. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          I don’t have public documentation to prove this; you’re going to have to contact a security researcher who has an exploit and ask them to test my information.

          1 reply 3 retweets 32 likes
        10. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          SwiftOnSecurity retweeted Saleem Rashid

          Ah interesting! Firefox unaffected, makes sense, doh. Although Firefox has adopted parts of the Windows PKI engine for enterprise compatibility, they’re still based on their in-house NSS engine. My oversight. Thanks @saleemrash1d, follow them for more info https://twitter.com/saleemrash1d/status/1217533569213640705

          SwiftOnSecurity added,

          Saleem Rashid @saleemrash1d
          Replying to @SwiftOnSecurity
          AFAIK Firefox is performing all the certificate validation in-house in NSS so it is unaffected — but I haven't done the legwork to fully verify this. What I can say is that Firefox is completely refusing to parse the certificates, not even just treating them as untrustworthy.

          29 retweets 127 likes
        11. SwiftOnSecurity @SwiftOnSecurity · Jan 15

          Mozilla through their NSS engine and trusted certificate store program are a critical part of the global PKI system; we’re lucky to have their diversity of implementation. A very under-appreciated fact outside of small circles.

          63 retweets 280 likes
        12. SwiftOnSecurity @SwiftOnSecurity · Jan 16

          SwiftOnSecurity retweeted Kenn White

          Well there we go, a public break released, after a couple of private examples provided yesterday. NSA obviously understood perfectly how fast this would happen. I did not properly gauge how that factored into their urgency. https://twitter.com/kennwhite/status/1217816643725930498

          SwiftOnSecurity added,

          Kenn White (Verified account) @kennwhite
          And there it is: Public PoC released for 2020-0601. With ~50 lines of Python “we [are able to] sign a certificate with arbitrary domain name and subject alternative names.” Great work @AnomalRoil & @Pelissier_S! (And thanks for the shoutout 👍) https://twitter.com/AnomalRoil/status/1217723197992423426

          27 retweets 58 likes
        13. End of conversation
