Thoughts about Best Cyber Monday VPN offers

We at Privacy Now 2.0 find a lot of articles about Best Cyber Monday VPN deals.

Disclosure: BleepingComputer has partnered with this vendor to promote special offers and discounts to our visitors. If a visitor purchases a product through a link in this article, BleepingComputer.com will earn a commission.

Bleeping Computer

Our conclusion

Please remember that all those articles are paid for by the VPN providers. Why do providers have to pay to get attention? Because they are not “best”? Yes, because they are not best!

Our recommendation

We recommend mullvad.net as a VPN provider!

Video: The production of Nitrokeys – A look behind the scenes

Nitrokey

In 2015, when we transferred our hobby project Crypto Stick to the professional company Nitrokey, it was clear to us from the beginning that we would carry out the serial production of Nitrokeys in Germany. Of course we also buy components on the world market. But the final production of all Nitrokeys takes place in Germany. So we can ensure that the production meets our safety requirements. In addition, production remains flexible, so that we can produce customer-specific firmware and logos on request, even for relatively small quantities.

For us as a small company, it is a special challenge to produce manageable quantities in a high-priced country while keeping production costs competitive. We have successfully mastered this challenge through a high degree of automation. Instead of using high-priced or unsuitable industrial robots, we have developed tailor-made automation systems ourselves.

A self-developed three-axis automatic machine programs and tests up to 250 Nitrokeys sequentially and fully automatically. Compared to manual work, only four minutes of working time are required instead of four hours. Thus we can produce up to 8000 Nitrokeys in one day.

Initializing the encrypted mass storage of the Nitrokey Storage with random numbers is a lengthy process that takes up to 1.5 hours per Nitrokey. A sequential processing would take several weeks. Therefore we have developed a system that initializes 49 Nitrokeys in parallel and can be easily enlarged if necessary.

Full article

WordPress 5.4.2 released

It is time to update WordPress to version 5.4.2 released on June 10th, 2020.

Five security issues are fixed in the new version together with twenty-two bug and regression fixes.

The security issues affect WordPress versions 5.4 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

  • Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor
  • Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
  • Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
  • Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads
  • Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation
  • Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

More info

What a Passwordless World Looks Like

Nitrokey

The introduction today of passwordless authentication support in Nextcloud Hub is a big step forward for organizations that want to reduce or even eliminate the use of passwords. In addition to Windows Hello, Nextcloud Hub is the 2nd popular service (we are aware of) supporting passwordless logins. What does that look like, a password-less world with WebAuthn and Nitrokeys? Read on!

What’s wrong with passwords?

Let’s first, quickly, revisit the problem with passwords. XKCD’s take on password strength is probably overly familiar by now, but it still sums up what is wrong with many passwords. Passwords don’t scale with the large amount of accounts everybody possesses nowadays. Therefore passwords need to be “enhanced” by the usage of password managers and second factor authentication methods. But those can be complicated to use and therefore lack acceptance. How to do better?

Full article

Thunderbird 68.7 is available!

Thunderbird version 68.7.0, first offered to channel users on April 8, 2020, is now available to Ubuntu users.

In the release notes we can read what is new, changed and fixed.

Below is the Ubuntu Security Notice USN-4328-1

A security issue affects these releases of Ubuntu and
its derivatives:

- Ubuntu 19.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup
  client

Details:

It was discovered that Message ID calculation was
based on uninitialized data. An attacker could
potentially exploit this to obtain sensitive
information. (CVE-2020-6792)

Multiple security issues were discovered in
Thunderbird. If a user were tricked in to opening
a specially crafted message, an attacker could
potentially exploit these to cause a denial of
service, obtain sensitive information, or execute
arbitrary code. (CVE-2020-6793, CVE-2020-6795,
CVE-2020-6822)

It was discovered that if a user saved passwords
before Thunderbird 60 and then later set a master
password, an unencrypted copy of these passwords
would still be accessible. A local user could
exploit this to obtain sensitive information.
(CVE-2020-6794)

Multiple security issues were discovered in
Thunderbird. If a user were tricked in to opening a
specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a
denial of service, conduct cross-site scripting (XSS)
attacks, obtain sensitive information, or execute
arbitrary code. (CVE-2019-20503, CVE-2020-6798,
CVE-2020-6800, CVE-2020-6805, CVE-2020-6806,
CVE-2020-6807, CVE-2020-6812, CVE-2020-6814,
CVE-2020-6819, CVE-2020-6820, CVE-2020-6821,
CVE-2020-6825)

It was discovered that the Devtools’ ‘Copy as cURL’
feature did not fully escape website-controlled data.
If a user were tricked in to using the ‘Copy as cURL’
feature to copy and paste a command with specially
crafted data in to a terminal, an attacker could
potentially exploit this to execute arbitrary
commands via command injection. (CVE-2020-6811)

Update instructions:

The problem can be corrected by updating your system
to the following package versions:

Ubuntu 19.10:
  thunderbird        1:68.7.0+build1-0ubuntu0.19.10.1

Ubuntu 18.04 LTS:
  thunderbird        1:68.7.0+build1-0ubuntu0.18.04.1

After a standard system update you need to restart
Thunderbird to make all the necessary changes.

References:
  https://usn.ubuntu.com/4328-1
  CVE-2019-20503, CVE-2020-6792, CVE-2020-6793,
  CVE-2020-6794, CVE-2020-6795, CVE-2020-6798,
  CVE-2020-6800, CVE-2020-6805, CVE-2020-6806,
  CVE-2020-6807, CVE-2020-6811, CVE-2020-6812,
  CVE-2020-6814, CVE-2020-6819, CVE-2020-6820,
  CVE-2020-6821, CVE-2020-6822, CVE-2020-6825

Package Information:

1:68.7.0+build1-0ubuntu0.19.10.1

1:68.7.0+build1-0ubuntu0.18.04.1

Time to update!

Tor Browser 9.0.8 was released a few days ago and now you can update to Firefox Browser 75.0.

Welcome

We are so sorry for the inconvenience but during the last few days we had an issue with the WordPress installation we made about two weeks ago.

Not due to security reasons but to scalability we had to make it all over again.

Stay tuned for blog posts and pages to help you keep your privacy and integrity while being online.