LSW
Moderators
Posts: 1,625
Days Won: 28

Posts posted by LSW

  1. Quote

    Right to Be Forgotten Regulators To Launch "Internet of Thingummies"
    The EU has announced the investment of six billion euros into a new alternative network that respects the right to be forgotten, including the subsidiary right of not remembering what it was you intended to do when you first started to connect to the network. "We're calling it the Internet of Thingummies, because none of us wrote down the much better name we came up with last week," announced its chief researcher, who was either Tim Berners-Lee or Vint Cerf, nobody seems entirely sure. The IoT mesh network is expected to be deployed using thousands of tiny "smart dust" transceivers smaller than a human eyelash, just as soon as anyone can recall where they last put them. - EFF

    Quote

    EFF Announces End of Fake News; Everything on the Internet Now True
    Technologists at the non-profit claim to have fixed the problem by editing the Wikipedia entry for "gullible." - EFF

  2. This Evil New Child Porn Phishing Attack Could Absolutely Ruin Your Life

    https://blog.knowbe4.com/heads-up-this-evil-new-child-porn-phishing-attack-could-absolutely-ruin-your-life

    Quote

    Oh my. Bad guys have come up with a sinister new strain of blackmail/sextortion. Just when you thought things couldn't get worse, the bad guys sink lower.

    Eric Howes, KnowBe4's Principal Lab Researcher sent me a screenshot of an attack now live out there in the wild. It claims the CIA will bust you for child porn unless you pay 5,000 dollars and only then "your records will be deleted".

    Apart from the very scary and expensive extortion, it also contains a malicious link. What lies behind that link (credentials phish or malware download) we don't know, as the target web page for that link has been taken down. But it sure looks like the bad guys have two attack vectors and are also trying to infect the workstation.

  3. Warning: ASUS Software Update Server Hacked to Distribute Malware

    https://thehackernews.com/2019/03/asus-computer-hacking.html

    Quote

    Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS.

    A group of state-sponsored hackers last year managed to hijack the ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide.

    According to cybersecurity researchers from Russian firm Kaspersky Lab, who discovered the attack and dubbed it Operation ShadowHammer, Asus was informed about the ongoing supply chain attack on Jan 31, 2019.

  4. Vermont Agrees to Suspend Net Neutrality Law for Now

    https://www.meritalkslg.com/articles/vermont-agrees-to-suspend-net-neutrality-law-for-now/

    Quote

    The state of Vermont agreed on Thursday to suspend enforcement of its net neutrality lawsuit until a suit against the Federal Communication Commission (FCC) is resolved. Similarly, telecommunication sector trade groups, who were suing Vermont over the law, agreed to delay their litigation.

    The Vermont law, passed in October 2018, harkens back to Obama-era net neutrality regulations. Vermont Governor Phil Scott, a Republican, signed a law requiring all internet service providers doing business with Vermont to treat all web traffic equally, and earlier last year, he signed a similar Executive Order.

    Almost immediately, five telecommunication industry groups–CTIA, NCTA, USTelecom, American Cable Association, and the New England Cable & Telecommunications Association–filed suit against the state of Vermont over the law.

  5. Patched WinRAR Bug Still Under Active Attack—Thanks to No Auto-Updates

    https://thehackernews.com/2019/03/winrar-hacking-malware.html

    Quote

    Various cyber criminal groups and individual hackers are still exploiting a recently patched critical code execution vulnerability in WinRAR, a popular Windows file compression application with 500 million users worldwide.

    Why? Because the WinRAR software doesn't have an auto-update feature, which, unfortunately, leaves millions of its users vulnerable to cyber attacks.

    The critical vulnerability (CVE-2018-20250) that was patched late last month by the WinRAR team with the release of WinRAR version 5.70 beta 1 impacts all prior versions of WinRAR released over the past 19 years.

  6. http://digg.com/2019/web-turns-30

    Quote

    Thirty years ago this week, Tim Berners-Lee, then a scientist at CERN, released "Information Management: A Proposal." While the capital-I Internet had been around for nearly two decades when Berners-Lee submitted his proposal on March 12, 1989, he laid the foundation for the World Wide Web — though in his own appraisal, he was merely taking existing technologies like the Internet Protocol, Domain Name Service and Hypertext, and organizing them into a unified system.

    Depending on the context, the World Wide Web has either been around forever, or not very long. It's old enough that the largest generation on the planet was just being born as the World Wide Web took shape. Millennials grew up on the web, and yet in 30 short years the industry that popped up around it has crashed once, revived itself, and spawned companies so large and so influential that it's nigh impossible to live without dealing with one or all of them.

    This week, as more and more folks share their fond memories of a World Wide Web running three-decades strong, you'll probably catch yourself pining for simpler times. A time before your personal information was forfeit; a time when browsing the web wasn't idly thumbing through a feed; a time when buying something online didn't mean perpetuating awful working conditions; a time when a single website didn't encourage genocide and sway presidential elections.

    It's easy to reminisce on what was. But for what it's worth, on the 30th anniversary of his creation, Tim Berners-Lee is not looking back. In his annual assessment of the state of the web, Berners-Lee is cautiously optimistic. "Against the backdrop of news stories about how the web is misused, it's understandable that many people feel afraid and unsure if the web is really a force for good," he writes. "But given how much the web has changed in the past 30 years, it would be defeatist and unimaginative to assume that the web as we know it can't be changed for the better in the next 30."

  7. New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

    https://thehackernews.com/2019/03/hack-wordpress-websites.html

    Quote

    If for some reason your WordPress-based website has not yet been automatically updated to the latest version 5.1.1, it's highly recommended to immediately upgrade it before hackers could take advantage of a newly disclosed vulnerability to hack your website.

    Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks.

    The flaw stems from a cross-site request forgery (CSRF) issue in WordPress' comment section, one of its core components that comes enabled by default, and affects all WordPress installations prior to version 5.1.1.

  8. Zero-Day Flaws in Counter-Strike 1.6 Let Malicious Servers Hack Gamers' PCs

    https://thehackernews.com/2019/03/counter-strike-game-servers.html

    Quote

    If you are a Counter-Strike gamer, then beware, because 39% of all existing Counter-Strike 1.6 game servers available online are malicious, having been set up to remotely hack gamers' computers.

    A team of cybersecurity researchers at Dr. Web has disclosed that an attacker has been using malicious gaming servers to silently compromise computers of Counter-Strike gamers worldwide by exploiting zero-day vulnerabilities in the game client.

    According to the researchers, Counter-Strike 1.6, a popular game that's almost two decades old, contains multiple unpatched remote code execution (RCE) vulnerabilities in its client software that let attackers execute arbitrary code on the gamer's computer as soon as they connect to a malicious server, without requiring any further interaction from the gamers.

  9. Firefox Send — Free Encrypted File Transfer Service Now Available For All

    https://thehackernews.com/2019/03/firefox-send-encrypted-file-share.html

    Quote

    Mozilla has made it easy for you to share large files securely and privately with whomever you want, eliminating the need to depend upon less secure free third-party services or file upload tools that burn a hole in your pocket.

    Mozilla has finally launched its free, end-to-end encrypted file-transfer service, called Firefox Send, to the public, allowing users to securely share large files like video, audio or photo files that can be too big to fit into an email attachment.

    Firefox Send was initially rolled out by Mozilla to test users way back in August 2017 as part of the company's now-defunct "Test Pilot" experimental program.

    Firefox Send allows you to send files up to 1GB in size, but if you sign up for a free Firefox account, you can upload files as large as 2.5GB in size.

  10. Adobe Releases Patches for Critical Flaws in Photoshop CC and Digital Edition

    https://thehackernews.com/2019/03/adobe-software-updates.html

    Quote

    Adobe users would feel lighter this month, as Adobe has released patches for just two security vulnerabilities in its March Security Update.

    The company today released its monthly security updates to address two critical arbitrary code execution vulnerabilities—one in Adobe Photoshop CC and another in Adobe Digital Editions.

    Upon successful exploitation, both critical vulnerabilities could allow an attacker to achieve arbitrary code execution in the context of the current user and take control of an affected system.

    However, the good news is that the company found no evidence of any exploits in the wild for these security issues, Adobe said.

  11. Microsoft Releases Patches for 64 Flaws — Two Under Active Attack

    https://thehackernews.com/2019/03/microsoft-windows-security-updates.html

    Quote

    Microsoft today released its March 2019 software updates to address a total of 64 CVE-listed security vulnerabilities in its Windows operating systems and other products, 17 of which are rated critical, 45 important, one moderate and one low in severity.

    The update addresses flaws in Windows, Internet Explorer, Edge, MS Office, and MS Office SharePoint, ChakraCore, Skype for Business, and Visual Studio NuGet.

    Four of the security vulnerabilities, all rated important, patched by the tech giant this month were disclosed publicly, of which none were found exploited in the wild.

  12. Pre-Patch Tuesday: Windows 10 Now Automatically Uninstalls Updates That Cause Problems

    https://thehackernews.com/2019/03/windows-buggy-updates.html

    Quote

    Do you always think twice before installing Windows updates worrying that it could crash your system or leave it non-working the day after Patch Tuesdays?

    Don't worry.

    Microsoft has addressed this issue by adding a safety measure that would from now onwards automatically uninstall buggy software updates installed on your system if Windows 10 detects a startup failure, which could be due to incompatibility or issues in new software.

  13. BEWARE – New 'Creative' Phishing Attack You Really Should Pay Attention To

    https://thehackernews.com/2019/03/ios-mobile-phishing-attack.html

    Quote

    A cybersecurity researcher who last month warned of a creative phishing campaign has now shared details of a new but similar attack campaign with The Hacker News that has specifically been designed to target mobile users.

    Just like the previous campaign, the new phishing attack is also based on the idea that a malicious web page could mimic the look and feel of the browser window to trick even the most vigilant users into giving away their login credentials to attackers.

    Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, shared a new video with The Hacker News, demonstrating how attackers can reproduce native iOS behavior, browser URL bar and tab switching animation effects of Safari in a very realistic manner on a web-page to present fake login pages, without actually opening or redirecting users to a new tab.

  14. New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild

    https://thehackernews.com/2019/03/update-google-chrome-hack.html

    Quote

    You must update your Google Chrome immediately to the latest version of the web browsing application.

    Security researcher Clement Lecigne of Google's Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers.

    The vulnerability, assigned as CVE-2019-5786, affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux.

  15. Facebook won’t let you opt out of its phone number ‘look up’ setting

    https://techcrunch.com/2019/03/03/facebook-phone-number-look-up/

    Quote

    Users are complaining that the phone number Facebook hassled them to use to secure their account with two-factor authentication has also been associated with their user profile — which anyone can use to “look up” their profile.

    Worse, Facebook doesn’t give you an option to opt-out.

    Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

    Although users can hide their phone number on their profile so nobody can see it, it’s still possible to “look up” user profiles in other ways, such as “when someone uploads your contact info to Facebook from their mobile phone,” according to a Facebook help article. It’s a more restricted way than allowing users to search for user profiles using a person’s phone number, which Facebook restricted last year after admitting “most” users had their information scraped.

  16. http://mentalfloss.com/article/575112/why-are-bots-unable-check-i-am-not-robot-checkboxes

    Quote

    How complicated can one little checkbox be? You can't even imagine!

    For starters, Google invented an entire virtual machine—essentially a simulated computer inside a computer—just to run that checkbox.

    That virtual machine uses Google's own language, which they then encrypt. Twice.

    But this is no simple encryption. Normally, when you password protect something, you might use a key to decode it. Google’s invented language is decoded with a key that is changed by the process of reading the language, and the language also changes as it is read.
    ...

  17. Adobe Sends Emails About Retirement of Shockwave on April 9th

    https://www.bleepingcomputer.com/news/software/adobe-sends-emails-about-retirement-of-shockwave-on-april-9th/

    Quote

    Adobe has started sending out emails to enterprise clients about the imminent retirement of Adobe Shockwave. These emails state that Adobe Shockwave player for Windows will no longer be available for download starting on April 9th 2019.

    Released in 1995 by Macromedia, Shockwave brought interactive content and games to the web in a way that was never seen before. In 2005, Adobe purchased Macromedia and all of their interactive web products such as Flash and Shockwave continued under the Adobe name.

    With developers moving their interactive projects away from products like Flash and Shockwave and towards HTML5 and WebGL, Adobe had decided to retire Shockwave on April 9th, 2019.

  18. How to Stop Facebook App From Tracking Your Location In the Background

    https://thehackernews.com/2019/02/facebook-location-tracking.html

    Quote

    Every app installed on your smartphone with permission to access location service "can" continually collect your real-time location secretly, even in the background when you do not use them.

    Do you know? — Installing the Facebook app on your Android and iOS smartphones automatically gives the social media company your rightful consent to collect the history of your precise location.

    If you are not aware, there is a setting called "Location History" in your Facebook app that comes enabled by default, allowing the company to track your every movement even when you are not using the social media app.

    So, every time you turn ON location service/GPS setting on your smartphone, let's say for using Uber app or Google Maps, Facebook starts tracking your location.

    Users can manually turn Facebook's Location History option OFF from the app settings to completely prevent Facebook from collecting your location data, even when the app is in use.

  19. https://thehackernews.com/2019/02/wordpress-remote-code-execution.html

    Quote

    Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately.

    Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past 6 years.

    The remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low privileged attacker with at least an "author" account using a combination of two separate vulnerabilities—Path Traversal and Local File Inclusion—that reside in the WordPress core.

  20. Microsoft to Kill Updates for Legacy OS Using SHA-1

    https://threatpost.com/microsoft-updates-os-sha-1/142000/

    Quote

    Microsoft is in the process of phasing out use of the Secure Hash Algorithm 1 (SHA-1) code-signing encryption to deliver Windows OS updates – announcing that customers running legacy OS versions will be required to have SHA-2 code-signing support installed on their devices by July 2019.

    No SHA-2 support, no more updates: This will hold true for users of Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and some older versions of Windows Server Update Services.

    Windows for now uses both the SHA-1 and SHA-2 hash algorithms to authenticate its updates and prevent man-in-the-middle tampering, with newer systems supporting only SHA-2, and older ones only SHA-1. However, SHA-2 upgrades will roll out to the affected products over the course of several months, beginning March 12.

    [See additional Link - LSW]

    Microsoft delays Windows 7's update-signing deadline to July

    https://www.computerworld.com/article/3341394/microsoft-windows/microsoft-delays-windows-7s-update-signing-deadline-to-july.html

    Quote

    Microsoft has revised its schedule to dump support for an outdated cryptographic hash standard by postponing the deadline for Windows 7.

    Microsoft, like other software vendors, digitally "signs" updates before they are distributed via the Internet. SHA-1 (Secure Hash Algorithm 1), which debuted in 1995, was declared insecure a decade later, but it was retained for backward-compatibility reasons, primarily for Windows 7. Microsoft wants to ditch SHA-1 and rely only on the more-secure SHA-2 (Secure Hash Algorithm 2).

  21. How Americans Leave their Personal Info Open to Thieves

    https://www.securitymagazine.com/articles/89834-how-americans-leave-their-personal-info-open-to-thieves

    Quote

    A new poll by CreditCards.com found that 92 percent of Americans have taken at least one big data security risk in the past year.

    The most common error: reusing the same password online, which can increase odds of becoming a victim of identity theft. The poll found that more than eight in 10 U.S. adults (82 percent) recycle passwords, and most make this poor practice a habit. In fact, most internet users who do this use the same password at least half (61 percent) or all (22 percent) of the time, the poll said.

    The poll noted that despite this and other sloppy data security behavior, Americans are very worried about ID theft. Almost half (46 percent) say realizing their identity had been stolen would be worse than discovering that burglars broke into their home (27 percent). The rest said both would be equally bad.

  22. https://www.fastcompany.com/90309395/why-parallax-scrolling-needs-to-die

    Quote

    Remember about five years ago, when the new hotness in interaction design was to have flashy layers in your website scroll at different speeds, creating a faux-3D effect? The effect was called parallax scrolling, and it’s still easy to find across the web.

    According to the usability nerds at the Norman/Nielsen Group, parallax scrolling never really went away–it just got more subtle. Take Apple’s iPad Pro site: It scrolls horizontally instead of vertically, but the visual elements still slide around at different speeds like the background of a retro video game. That’s a shame, because as Norman/Nielsen researcher Katie Sherwin explains, this newer, subtler parallax effect still has all the same UX problems as the older, more obnoxious kind. All too often, it can cause pages to load slower, or it creates nonsensical interactions.

  23. How to Hack Facebook Accounts? Just Ask Your Targets to Open a Link

    https://thehackernews.com/2019/02/hack-facebook-account-password.html

    Quote

    It's 2019, and just clicking on a specially crafted URL would have allowed an attacker to hack your Facebook account without any further interaction.

    A security researcher discovered a critical cross-site request forgery (CSRF) vulnerability in the most popular social media platform that could have allowed attackers to hijack Facebook accounts by simply tricking the targeted users into clicking on a link.

  24. WARNING – New Phishing Attack That Even Most Vigilant Users Could Fall For

    https://thehackernews.com/2019/02/advance-phishing-login-page.html

    Quote

    How do you check if a website asking for your credentials is fake or legit to log in?

    By checking if the URL is correct?

    By checking if the website address is not a homograph?

    By checking if the site is using HTTPS?

    Or using software or browser extensions that detect phishing domains?

    Well, if you, like most Internet users, are also relying on the above basic security practices to spot if that "Facebook.com" or "Google.com" you have been served with is fake or not, you may still fall victim to a newly discovered creative phishing attack and end up giving away your passwords to hackers.
