Tuesday 19 March 2019 - 22:19:57
 
  News (0 to 10)

- SUSE: 2019:0645-1 important: the Linux Kernel (Live Patch 33 for SLE 12)

    > LinuxSecurity.com by LinuxSecurity Advisories   - cached on 19 March 2019 - 21:49
An update that fixes three vulnerabilities is now available.

- SUSE: 2019:0651-1 moderate: go1.11

    > LinuxSecurity.com by LinuxSecurity Advisories   - cached on 19 March 2019 - 21:49
An update that fixes one vulnerability is now available.

- SUSE: 2019:0643-1 moderate: lftp

    > LinuxSecurity.com by LinuxSecurity Advisories   - cached on 19 March 2019 - 21:49
An update that solves one vulnerability and has one errata is now available.

- openSUSE: 2019:0348-1: important: ovmf

    > LinuxSecurity.com by LinuxSecurity Advisories   - cached on 19 March 2019 - 21:49
An update that fixes three vulnerabilities is now available.

- Issue #22 - Volume XXI - SANS Newsbites - March 19th, 2019

    > SANS Newsbites   - cached on 19 March 2019 - 21:22

- How to obfuscate String literals?

    > Apple Security Updates at March 15, 2019, 6:33 pm   - cached on 19 March 2019 - 21:14

Is there any compiler flag that we can use to entirely obfuscate string literals?

 

Quick example, an app contains urls for different servers:

 

fileprivate extension Environment {

  // Base API URL for the selected environment
  var url: String {
    switch self {
    case .dev:
      return "https://mydevserver.com/api"
    case .prod:
      return "https://myprodserver.com/api"
    }
  }
}

 

But once the binary is compiled, it's quite easy to just open it and see the string inside.

 

https://i.ibb.co/3M2zX0F/Screen-Shot.png

 

Initially, I thought this was just related to Swift literals, but further testing indicates that it also happens to Obj-C string literals.

Shouldn't the compiled code be a safe binary, at least obfuscating any literals inside the code base?

 

I would rather not take the path of manipulating the string in the code base, like using it encrypted, base64, or scrambled string literals mixing parts of string, etc...

- JSON Web encryption (JWE) using Security Framework

    > Apple Security Updates at March 18, 2019, 1:45 pm   - cached on 19 March 2019 - 21:14

Hi everyone,

 

Our iOS application uses a Web service that returns content encrypted using JWE (https://tools.ietf.org/html/rfc7516). The server encrypts the content using a public key provided by the app in a previous call, and the app decodes the JWE and decrypts the content using its private key.

 

We encounter issues decrypting the content, in particular for algorithms that encrypt or derive a symmetric key which is then used to encrypt the content using AES GCM:

  • RSA OAEP 256 with A256 GCM: RSAES using Optimal Asymmetric Encryption Padding (OAEP) (RFC 3447), with the SHA-256 hash function and the MGF1 with SHA-256 mask generation function; AES in Galois/Counter Mode (GCM) (NIST.800-38D) using a 256 bit key
  • ECDH ES A256KW with A256GCM: Elliptic Curve Diffie-Hellman Ephemeral Static key agreement per "ECDH-ES", where the agreed-upon key is used to wrap the Content Encryption Key (CEK) with the "A256KW" function; AES in Galois/Counter Mode (GCM) (NIST.800-38D) using a 256 bit key

 

Is there a way to format JWE attributes (encrypted content key, IV, authentication tag, cipher text) so that it can be passed as parameter to the SecKeyCreateDecryptedData method with a SecKeyAlgorithm like < [...]

- SciLinux: Moderate: cloud-init on SL7.x (x86_64)

    > LinuxSecurity.com by LinuxSecurity Advisories   - cached on 19 March 2019 - 20:21
cloud-init: extra ssh keys added to authorized_keys on the Azure platform (CVE-2019-0816) SL7 x86_64 cloud-init-18.2-1.el7_6.2.x86_64.rpm - Scientific Linux Development Team

- Nvidia unveils a $99 GPU AI development kit

    > LMI Securite by Brad Chacos, IDG NS (adapted by Jean Elyan) at March 19, 2019, 6:04 pm   - cached on 19 March 2019 - 19:50
Machine learning is becoming more accessible, and the hordes of DIY drones and robots are going to become much more capable. On Monday, at its first (...)

- Android Q - Google Adds New Mobile Security and Privacy Features

    > The Hacker News   - cached on 19 March 2019 - 19:23
Google has recently released the first beta version of Android Q, the next upcoming version of Google's popular mobile operating system, with a lot of new privacy improvements and other security enhancements. Android Q, where Q has not yet been named, offers more control over installed apps, their access, and permissions, and location settings; more support for passive authentication like face
