Security Analysis of a Thirteenth-Century Venetian Election Protocol

Read Time:2 Minute, 12 Second

Interesting analysis:

This paper discusses the protocol used for electing the Doge of Venice between 1268 and the end of the Republic in 1797. We will show that it has some useful properties that in addition to being interesting in themselves, also suggest that its fundamental design principle is worth investigating for application to leader election protocols in computer science. For example, it gives some opportunities to minorities while ensuring that more popular candidates are more likely to win, and offers some resistance to corruption of voters.

The most obvious feature of this protocol is that it is complicated and would have taken a long time to carry out. We will also advance a hypothesis as to why it is so complicated, and describe a simplified protocol with very similar properties.

And the conclusion:

Schneier has used the phrase “security theatre” to describe public actions which do not increase security, but which are designed to make the public think that the organization carrying out the actions is taking security seriously. (He describes some examples of this in response to the 9/11 suicide attacks.) This phrase is usually used pejoratively. However, security theatre has positive aspects too, provided that it is not used as a substitute for actions that would actually improve security. In the context of the election of the Doge, the complexity of the protocol had the effect that all the oligarchs took part in a long, involved ritual in which they demonstrated individually and collectively to each other that they took seriously their responsibility to try to elect a Doge who would act for the good of Venice, and also that they would submit to the rule of the Doge after he was elected. This demonstration was particularly important given the disastrous consequences in other Mediaeval Italian city states of unsuitable rulers or civil strife between different aristocratic factions.

It would have served, too, as commercial brand-building for Venice, reassuring the oligarchs’ customers and trading partners that the city was likely to remain stable and business-friendly. After the election, the security theatre continued for several days of elaborate processions and parties. There is also some evidence of security theatre outside the election period. A 16th century engraving by Mateo Pagan depicting the lavish parade which took place in Venice each year on Palm Sunday shows the balotino in the parade, in a prominent position—next to the Grand Chancellor—and dressed in what appears to be a special costume.

I like that this paper has been accepted at a cybersecurity conference.

And, for the record, I have written about the positive aspects of security theater.

Read More

WordPress 6.4.2 Maintenance & Security Release

Read Time:2 Minute, 3 Second

WordPress 6.4.2 is now available!

This minor release features 7 bug fixes in Core. The fixes include a bug fix for an issue causing stylesheet and theme directories to sometimes return incorrect results.

This release also features one security fix. Because this is a security release, it is recommended that you update your sites immediately.

You can download WordPress 6.4.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic background updates, the update process will begin automatically.

WordPress 6.4.2 is a short-cycle release. The next major release will be version 6.5 released in early 2024.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team addressed the following vulnerability in this release.

A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.

To help the security team and WordPressers around the world, you are encouraged to responsibly report vulnerabilities. This allows vulnerabilities to be fixed in future releases.

Thank you to these WordPress contributors

This release was led by Aaron Jorbin.

WordPress 6.4.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver maintenance and security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Aki Hamano, Akira Tachibana, Alex Concha, Angela Jin, Anton Vlasenko, Barry, bernhard-reiter, Caleb Burks, Corey Worrell, crstauf, Darren Ethier (nerrad), David Baumwald, Dennis Snell, Dion Hulse, Erik, Fabian Todt, Felix Arntz, Héctor Prieto, ironprogrammer, Isabel Brison, Jb Audras, Jeffrey Paul, Jessica Lyschik, Joe McGill, John Blackbourn, Jonathan Desrosiers, Kharis Sulistiyono, Krupal Panchal, Kylen Downs, meta4, Mike Schroder, Mukesh Panchal, partyfrikadelle, Peter Wilson, Pieterjan Deneys, rawrly, rebasaurus, Sergey Biryukov, Tonya Mork, vortfu

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core. Need help? Check out the Core Contributor Handbook.

As a final reminder, The WordPress Security Team will never email you requesting that you install a plugin or theme on your site, and will never ask for an administrator username and password. Please stay vigilant against phishing attacks.

Thanks to @angelasjin and @desrosj for proofreading.

Read More

ICANN Launches Service to Help With WHOIS Lookups

Read Time:3 Minute, 26 Second

More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it easier for researchers, law enforcement and others to request the information directly from registrars.

In May 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — instructed all registrars to redact the customer’s name, address, phone number and email from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges.

ICANN made the policy change in response to the General Data Protection Regulation (GDPR), a law enacted by the European Parliament that requires companies to gain affirmative consent for any personal information they collect on people within the European Union. In the meantime, registrars were to continue collecting the data but not publish it, and ICANN promised it would develop a system that facilitates access to this information.

At the end of November 2023, ICANN launched the Registration Data Request Service (RDRS), which is designed as a one-stop shop to submit registration data requests to participating registrars. This video from ICANN walks through how the system works.

Accredited registrars don’t have to participate, but ICANN is asking all registrars to join and says participants can opt out or stop using it at any time. ICANN contends that the use of a standardized request form makes it easier for the correct information and supporting documents to be provided to evaluate a request.

ICANN says the RDRS doesn’t guarantee access to requested registration data, and that all communication and data disclosure between the registrars and requestors takes place outside of the system. The service can’t be used to request WHOIS data tied to country-code top level domains (CCTLDs), such as those ending in .de (Germany) or .nz (New Zealand), for example.

The RDRS portal.

As Catalin Cimpanu writes for Risky Business News, currently investigators can file legal requests or abuse reports with each individual registrar, but the idea behind the RDRS is to create a place where requests from “verified” parties can be honored faster and with a higher degree of trust.

The registrar community generally views public WHOIS data as a nuisance issue for their domain customers and an unwelcome cost-center. Privacy advocates maintain that cybercriminals don’t provide their real information in registration records anyway, and that requiring WHOIS data to be public simply causes domain registrants to be pestered by spammers, scammers and stalkers.

Meanwhile, security experts argue that even in cases where online abusers provide intentionally misleading or false information in WHOIS records, that information is still extremely useful in mapping the extent of their malware, phishing and scamming operations. What’s more, the overwhelming majority of phishing is performed with the help of compromised domains, and the primary method for cleaning up those compromises is using WHOIS data to contact the victim and/or their hosting provider.

Anyone looking for copious examples of both need only to search this Web site for the term “WHOIS,” which yields dozens of stories and investigations that simply would not have been possible without the data available in the global WHOIS records.

KrebsOnSecurity remains doubtful that participating registrars will be any more likely to share WHOIS data with researchers just because the request comes through ICANN. But I look forward to being wrong on this one, and will certainly mention it in my reporting if the RDRS proves useful.

Regardless of whether the RDRS succeeds or fails, there is another European law that takes effect in 2024 which is likely to place additional pressure on registrars to respond to legitimate WHOIS data requests. The new Network and Information Security Directive (NIS2), which EU member states have until October 2024 to implement, requires registrars to keep much more accurate WHOIS records, and to respond within as little as 24 hours to WHOIS data requests tied everything from phishing, malware and spam to copyright and brand enforcement.

Read More

USN-6539-1: python-cryptography vulnerabilities

Read Time:29 Second

It was discovered that the python-cryptography Cipher.update_into function
would incorrectly accept objects with immutable buffers. This would result
in corrupted output, contrary to expectations. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-23931)

It was dicovered that python-cryptography incorrectly handled loading
certain PKCS7 certificates. A remote attacker could possibly use this
issue to cause python-cryptography to crash, resulting in a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and
Ubuntu 23.10. (CVE-2023-49083)

Read More

webkitgtk-2.42.3-1.fc38

Read Time:18 Second

FEDORA-2023-540bb86780

Packages in this update:

webkitgtk-2.42.3-1.fc38

Update description:

Fix flickering while playing videos with DMA-BUF sink.
Fix color picker being triggered in the inspector when typing “tan”.
Do not special case the “sans” font family name.
Fix several crashes and rendering issues.
Security fixes: CVE-2023-42916, CVE-2023-42917

Read More

webkitgtk-2.42.3-1.fc39

Read Time:18 Second

FEDORA-2023-f844a8fa64

Packages in this update:

webkitgtk-2.42.3-1.fc39

Update description:

Fix flickering while playing videos with DMA-BUF sink.
Fix color picker being triggered in the inspector when typing “tan”.
Do not special case the “sans” font family name.
Fix several crashes and rendering issues.
Security fixes: CVE-2023-42916, CVE-2023-42917

Read More

USN-6538-1: PostgreSQL vulnerabilities

Read Time:26 Second

Jingzhou Fu discovered that PostgreSQL incorrectly handled certain unknown
arguments in aggregate function calls. A remote attacker could possibly use
this issue to obtain sensitive information. (CVE-2023-5868)

Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying
certain SQL array values. A remote attacker could use this issue to obtain
sensitive information, or possibly execute arbitrary code. (CVE-2023-5869)

Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL
allowed the pg_signal_backend role to signal certain superuser processes,
contrary to expectations. (CVE-2023-5870)

Read More

Do I Really Need to be on Snapchat to be a Good Digital Parent?

Read Time:4 Minute, 1 Second

If you had to count the number of social media platforms your teen uses, I wonder what the score would be? 2, 5 or maybe even more? Well, surprisingly research from our Aussie eSafety Commissioner shows that Aussie kids use an average of 4 social media services. I bet you thought it would be more. I did! So, maybe this means we don’t need to worry too much about joining and understanding these platforms? Surely their skills must be quite polished if there are only using four platforms? Wrong!! Being a good digital parent means we need to take the time to understand our kids’ digital world – even when we think they have a handle on it. 

My Top Tip Ever – Get Involved  

Over the last 12 years in my job as Cybermum, I’ve shared an abundance of advice. But if I had to pick the most important piece it is this – the absolute best way to keep your kids safe online is to commit to understanding your kids’ online world, particularly when they are starting out on their digital journey. So, if they are on Facebook, Instagram, Snapchat and TikTok then you need to sign up, and spend time understanding how it works. If they love Minecraft, Fortnite or Among Us – then you now do too! I’m sure you’re figuring out the pattern by now… 

Getting Involved Means You’ll Earn Some Tech Cred 

I’m not sure how it works for you but one thing that does NOT work for me is listening to advice from someone who has no relevant experience. To be honest, it really grinds my gears!! So, isn’t it logical that our teens would feel the same? I honestly don’t think we can expect them to take advice from us about online safety if we have no lived experience. In my opinion, experience = credibility.  

So, when you join Snapchat or Instagram not only are you learning about your child’s digital life but you’re also developing credibility which may just be the most important ingredient in keeping your kids safe online. Because if and when your kids find themselves in tricky situation online, they will be far more likely to come to you with a problem if they know you understand how it all works. 

Don’t Forget – You’re The Role Model 

Taylor Swift fandom is massive in Australia right now. With many taking days off work to secure tickets to her upcoming shows and a hot movie release, you’d be hard pressed to find many young girls who don’t think she is the ‘bees knees’. And if your sons are made keen Le Bron, Tom Brady or Nathan Cleary fans then they wouldn’t be alone – my sons are all in awe of these spectacular athletes. But despite all the hype and the potential influence from these celebrities, I need to remind you of one very important thing – you are the most important role model for your kids. You hold the greatest influence in their decision making and value setting. 

If your kids see you using the same platforms they use in a healthy, balanced way – then you really have a tonne of ability to help them develop positive digital habits. Your ‘tech cred’ will mean they are even more likely to pick up on your habits. So, make sure you have a healthy mix of digital and non-digital activities into your life. Consider: 

Regular screen-free time in your day 
Having a technology free hour (or two) before bed 
Banning phones from the dinner table 
Putting your phone on silent to minimise distractions 
Being ‘all in’ when you are talking to your kids and don’t pick up your phone. Give them your undivided attention! 

Remember, they are watching and learning!!  

So, Do you Really Need To Join Snapchat? 

Now, I don’t want to force you to do anything that you are not comfortable with, but I do want you to understand how best to support your kids in their digital life. To me, it’s quite simple. Whatever platform your kids spend the bulk of their time online then that’s where you need to spend your time too. You’ll develop credibility which means they are more likely to come to you if they have an issue online. It also gives you an opportunity to model health digital habits which can be really powerful. So, if your kids use Snapchat then yes – you need to join!!! All the ‘know-how’ you amass while using it will absolutely help make you a great digital parent.  

Till next time 

Alex  

The post Do I Really Need to be on Snapchat to be a Good Digital Parent? appeared first on McAfee Blog.

Read More