Based on Cloudflare's observed traffic between September - November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.

How do they know it exactly?

what is your mother's maiden name?

Pick random words or another password and store it in the password manager. It's easier that way.

Due to being random and unique per site, it's far more secure.

Encoding the malware as an array of UUIDs

The scroll-animated graphic is well made. It goes through the different topic step by step.

Loading a ressource can deanonymise a user:

1. Cloudflare CDN shares the nearest airport in its HTTP header Cf-Ray
2. A favicon cache works: "Since everytime you load their site, your browser automatically downloads this favicon, this means a user from each one of this locations has visited the Namecheap.com site within the 5 minutes with the last visit from Tokyo, Japan.". So if you lead a specific content created only to target one user, you can know from which data center the content is loaded (and its nearest airport).
3. As Signal uses Cloudflare caching for the attachments, the same attack can be exploited.

With an innocent-looking attachment, an attacker can deanonymize users and find their location within an approximate radius (tens of miles, depending of the datacenters).

It works only if the user clicks to download the attachment in this case.

4. Push notification of Signal with an image can trigger the cache... So a 0-click exploit can exist.

If the target has push notifications enabled (which it is by default), they don't even have to open the Signal conversation for their device to download the attachment. [...]
An attacker can run this deanonymization attack any time and grab a user's current location without a single interaction.

A similar exploit can be used on Discord with custom emojis: the custom emoji is a custom content downloaded by one user.

Conclusion:

his attack can be used to track Signal accounts, correlate identities, find employees meeting with journalists and much more.
Any app using a CDN for content delivery and caching can still be vulnerable if the proper precautions aren’t taken.

Useful to get alerted when one website copies another or someone is copying your achitecture.

I don't understand: 2FA in a password manager makes it vulmeran

For maximum security, you can store your 2FA token elsewhere, like a YubiKey (see Yubico Authenticator) or Google Authenticator, and keep the recovery codes safe somewhere outside your computer, but for general purpose use, storing your 2FA in your password manager is an acceptable solution due to the convenience benefits it provides.

I still think it is better to split passwords and 2FA on two systems for security purposes.

Utiliser des portes dérobées est à double tranchant: un attaquant peut aussi les exploiter. Pour un de ces raisons, les experts en cybersécurité déconseille les portes dérobées.

Instead of hash functions to store password, use Password-Based Key Derivation Functions (PBKDF) such as Argon2id.

bcrypt should be avoided due to its huge footgun: it truncates inputs longer than 72 characters. Okta AD/LDAP was vulnerable because of it.

Checksum functions such as CRC32 and xxh3 are optimized for pure speed and don't provide any security guarantees about their output, and it's easy to find collisions for a given checksum.

In 2024 based on I/O speed, a hash function with a throughput of 1 GB / s / core is considered fast enough for most use cases.

I skip the speed part because it is not relevant for me: 100MB/s or 1GB/s does not make much difference.

SHA3 and the BLAKE family which produced secures hash functions that are also misuse resistant.

A strength >= 128 bits is considered secure. The security agencies recommendation are a bit different. Hash length ranges from 256 (NIST) to 512 (ECRYPT-CSA).

SHA3 has many functions, SHA2 is vulnerable to length extension attacks (secret || message) but BLAKE3 has none of these issues.

Post-Quantum security from Grover's algorithm divides by 2 the preimage and 2nd-preimage resistance. The BHT algorithm predicts however that a quantum computer can find a collision in $2^{\mathrm{<mfrac><mtext>n</mtext><mtext>3</mtext></mfrac>}}$ operations instead of 2^n/2

So SHA2 for convenience or BLAKE for the rest. There is only C and Rust that have official support for BLAKE though.

The intention of this page is to collect and highlight malware written in the Rust programming language, so that malware reverse engineers have a collection of Rust samples to practice reversing on.

J'ouvre l'espace "dépôt de documents" sur le site de ma mutuelle, et je vois un Thumbs.db.
Purin encore un machin géré sous Windows. Non seulement géré sous Windows, mais accédé via cette saleté d'explorateur de fichiers Windows :facepalm:
J'imagine les employés qui viennent double-cliquer sur les fichiers déposés par les adhérents😬
Les probables problèmes de droits entre répertoires, les fausses manipulation (entre adhérents) trop vites arrivées quand on manipule de fichiers à la souris, etc