Posts posted by LSW

  1. SCOTUS Says Net Neutrality Won’t Get Its Day in Court

    https://www.meritalk.com/articles/scotus-says-net-neutrality-wont-get-its-day-in-court/

    Quote

    Though SCOTUS’ decision is a win for net neutrality proponents, the Obama-era rules were gutted by FCC Commissioner Ajit Pai in Dec. 2017. Regardless, net neutrality supporters were encouraged by the Court’s decision.

    “We’re grateful that a majority of the justices saw through the flimsy arguments made by AT&T and Comcast lobbyists,” Matt Wood, the policy director at Free Press, said in a statement. “The ISPs went all out to push FCC Chairman Ajit Pai to repeal the agency’s Net Neutrality rules–and then ran to the Supreme Court looking for a do-over on earlier cases that rightly upheld those rules.”

     

  2. Smart Assistants (Alexa, Siri, Cortana etc.)

    I decided to make this their own section though they can easily belong to Internet of Things (IoT). The more you connect to the internet, the more chance of being hacked. At least run two networks, one for IoT like TVs and these smart speakers etc., and a separate one for your computers. It is also a privacy question.

     

    Amazon

  3. Popular AMP Plugin for WordPress Patches Critical Flaw – Update Now

    https://thehackernews.com/2018/11/amp-plugin-for-WordPress.html

    Quote

    A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website.

    The vulnerable WordPress plugin in question is "AMP for WP – Accelerated Mobile Pages" that lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages.

     

  4. 63 New Flaws (Including 0-Days) Windows Users Need to Patch Now

    https://thehackernews.com/2018/11/microsoft-patch-tuesday-updates.html

    Quote

    It's Patch Tuesday once again…time for another round of security updates for the Windows operating system and other Microsoft products.

    This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important and one moderate and one low in severity.

    Two of the vulnerabilities patched by the tech giant this month are listed as publicly known at the time of release, and one flaw is reported as being actively exploited in the wild by multiple cybercriminal groups.

     

  5. Python is becoming the world’s most popular coding language

    https://www.economist.com/graphic-detail/2018/07/26/python-is-becoming-the-worlds-most-popular-coding-language

    Quote

    In the past 12 months Americans have searched for Python on Google more often than for Kim Kardashian, a reality-TV star. 

     

    😶... 😐... ☺️... Interesting comparison for sure.

     

    This link comes from Nathan House of StationX who brought it up in his blog who goes on to explain the use of Python in the hacking community:

    The World’s Most Popular Coding Language? Reasons to Get to Grips with Python…

    https://www.stationx.net/the-worlds-most-popular-coding-language-reasons-to-get-to-grips-with-python/

    Quote

    It’s versatile, it works on a minimum of code - and it’s also relatively easy to put to work: three factors which go a long way in explaining why Python is currently being touted as the “world’s most popular coding language”.

     

  6. Why Do All Websites Look the Same?

    https://medium.com/s/story/on-the-visual-weariness-of-the-web-8af1c969ce73

    Quote

    Today’s internet is bland. Everything looks the same: generic fonts, no layouts to speak of, interchangeable pages, and an absence of expressive visual language. Even micro-typography is a mess.

    Web design today seems to be driven by technical and ideological constraints rather than creativity and ideas. Every page consists of containers in containers in containers; sometimes text, sometimes images. Nothing is truly designed, it’s simply assumed.

    Ironically, today’s web technologies have enormous design capabilities. We have the capability to implement almost every conceivable idea and layout. We can create radical, surprising, and evocative websites. We can combine experimental typography with generative images and interactive experiences.

     

  7. Google launches reCAPTCHA v3 that detects bad traffic without user interaction

    https://www.zdnet.com/article/google-launches-recaptcha-v3-that-detects-bad-traffic-without-user-interaction/

    Quote

    Google today launched an update to its reCAPTCHA technology that the company has been offering since 2007 to fight off bots on the world wide web.

    reCAPTCHA v3, as the new version has been branded, is a complete overhaul of the reCAPTCHA technology that we know and... most of the time hate.

    The good news is that the new system does not require any user interaction anymore. Gone are the days of reCAPTCHA v1 when everyone was trying to decipher in garbled text, and gone are the days of v2 when everyone was getting annoyed at clicking on endless image streams of "store fronts," "roads," and "cars" for up to 2-3 minutes.

    Instead, reCAPTCHA v3 will use a secret new Google proprietary technology to learn a website's normal traffic and user behavior.

     

  8. Quote

    Supreme Court Won’t Hear Industry Challenge to Net Neutrality Rules

    (November 5, 2018)
     The US Supreme Court has declined to hear a challenge of net neutrality rules brought by the broadband industry. The current Federal Communications Commission (FCC) under Ajit Pai has already reversed net neutrality rules set by the FCC in 2015. The companies nevertheless sought to have the case heard, possibly to prevent future administrations from imposing similar rules. The issue of net neutrality could still potentially make it to the Supreme Court in another case. The FCC is defending its decision to repeal the rules in a case brought by 22 state attorneys general, tech companies, consumer advocacy groups and other litigants. In addition, California’s recently passed state-wide net neutrality law is being challenged by the current administration and the broadband industry.
     

    Read more in:
    - arstechnica.com: Supreme Court rejects industry challenge of 2015 net neutrality rules

     

  9. Windows Built-in Antivirus Gets Secure Sandbox Mode – Turn It ON

    https://thehackernews.com/2018/10/windows-defender-antivirus-sandbox.html

    Quote

    Microsoft Windows built-in anti-malware tool, Windows Defender, has become the very first antivirus software to have the ability to run inside a sandbox environment.

    Sandboxing is a process that runs an application in a safe environment isolated from the rest of the operating system and applications on a computer. So that if a sandboxed application gets compromised, the technique prevents its damage from spreading outside the closed area.

    Since antivirus and anti-malware tools run with the highest level of privileges to scan all parts of a computer for malicious code, it has become a desired target for attackers.

    The need for sandboxing an antivirus tool has become necessary after multiple critical vulnerabilities were discovered in such powerful applications, including Windows Defender, in past years that could have allowed attackers to gain full control of a targeted system.

    That's why Microsoft announced to add a sandbox mode to its Windows Defender. So, even if an attacker or a malicious app exploiting a flaw in Defender compromises the antivirus engine, the damage can't reach out to other parts of the system.

     

  10. I plan to add future posts to this as I come across anything worthwhile. As computers grow faster the ability to crack passwords improves. If you are still using 8 character passwords, it can be cracked in minutes. Add to that the eventual use of quantum computers by governments and one day maybe all of us... ANY password will be cracked in minutes. A computer can compare pre-listed common hashes at about 350 Billion a second.

    Also stay away from dictionary words. There are two primary attack types:

    1. Brute force: The attacker will just run his computer through combinations (a, ab, abc, abc1, abc2, etc.), literally using brute force of computing power to try every possible combination, and for an average computer 8 characters is child's play.
    2. Dictionary attack: This is running through common words and includes modifying them (horse, Horse, h0rse, H0rse, H0r$3, etc.). Again, a really easy way to attack.

    So here are a few suggestions from me:

    • The longer the password, the better. You really should be using 12 characters at a minimum and I would suggest more like 14 - 18/20.
    • Use a password manager so you need not remember them all and can use randomly generated gibberish.
    • Move away from Passwords and use Passphrases. Lyrics, Poem lines, Quotes, etc. These can be complete with spaces and you need not have special characters or numbers. It would also be more easily remembered than "C9bgTkYhd9dr". You can type them without dealing with special characters that can be a pain on a mobile device and you have really long lengths.
    • Stay away from dates, those can be guessed like wedding date, kids birthdays etc.
    • Stay away from pets or their names, breeds, etc.
    • Stay away from children's information.
    • Stay away from favorite things like authors, bands, hobbies as these may be guessed as well.
    • Maybe use other uncommon languages; I have used Potawatomi, Tlingit and Gaelic. You need not even know the language: use a dictionary and see what your favorite animal is called in Gaelic. "Winter Horse" in Gaelic will not be quickly broken; there are at least 4 forms of Gaelic, so I have to break not only what you like, but Irish, Scottish, Nova Scotian Gaelic or Welsh? And the name may include weird character groupings and special characters. If you remember what it was in English you can just look it up to remind yourself again.
    • Never ever repeat passwords for other sites. Make each unique.
    • Never give it out... to anyone.

    Hope you decide to get more secure and get some ideas from what I post here in the future.

    LSW
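    A small calculator that puts numbers on the advice above: worst-case time to exhaust a character-set keyspace at the 350 billion guesses per second quoted in the post, the entropy of a random-word passphrase, and a check for the "h0rse / H0r$3" style mangled dictionary words the post warns about. This is added example code, not part of the original post; the 7776-word (Diceware-style) list size and the tiny word list are assumptions made for the demonstration.

```python
import math

# Guess rate quoted in the post above: 350 billion hashes per second.
GUESSES_PER_SECOND = 350e9

# Common "leet" substitutions undone before a dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"})

# Constructed stand-in for a real cracking dictionary (assumption).
WORDLIST = {"horse", "winter", "password", "summer"}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def crack_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password of this shape at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate


def passphrase_bits(words, dictionary_size):
    """Entropy (bits) of `words` words picked uniformly from `dictionary_size` words."""
    return words * math.log2(dictionary_size)


def bits_to_seconds(bits, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust a space of 2**bits candidates."""
    return 2 ** bits / rate


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def is_mangled_dictionary_word(candidate, wordlist=WORDLIST):
    """True if the password is a dictionary word after undoing case,
    leet substitutions and a trailing run of digits (e.g. Horse, H0r$3, horse123)."""
    variants = {candidate, candidate.rstrip("0123456789")}
    return any(v.translate(LEET_MAP).lower() in wordlist for v in variants)


if __name__ == "__main__":
    # 36 = lowercase+digits, 62 = mixed case+digits, 95 = printable ASCII
    for alphabet, length in ((36, 8), (62, 8), (95, 8), (95, 12), (95, 16)):
        print(f"{alphabet:>3} symbols x {length:>2} chars: {human(crack_seconds(alphabet, length))}")
    for n in (4, 6, 8):
        bits = passphrase_bits(n, 7776)
        print(f"{n} random Diceware words: {bits:.1f} bits, {human(bits_to_seconds(bits))}")
    for pw in ("H0r$3", "horse123", "C9bgTkYhd9dr"):
        print(f"{pw!r} mangled dictionary word: {is_mangled_dictionary_word(pw)}")
```

Note that the calculator measures random choices; song lyrics and quotes are far more guessable than the same number of random words, which is why the post warns against favorite things.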

  11. Vermont’s Net Neutrality Law Spurs Lawsuits

    https://www.meritalk.com/articles/vermonts-net-neutrality-law-spurs-lawsuits/

    Quote

    Five telecommunication industry groups–American Cable Association; CTIA – The Wireless Association; NCTA – The Internet & Television Association; USTelecom – The Broadband Association and the New England Cable & Telecommunications Association–filed suit against the state of Vermont on Thursday over the state’s net neutrality law. The law in question seeks to prevent companies that do not abide by the state’s net neutrality rules from receiving state contracts.

    The industry groups allege that Vermont’s net neutrality law, which harkens back to Obama-era net neutrality policies, violates current Federal law and that companies cannot be expected to navigate competing state laws.

    “Broadband providers are united in support of an open internet and committed to delivering the content and services consumers demand,” the groups said in a joint statement. “We oppose the actions in Vermont because states cannot use their spending and procurement authority to bypass federal laws they do not like.”

    In May, Vermont Gov. Phil Scott, a Republican, signed a bill requiring all internet service providers doing business with Vermont to treat all web traffic equally. Earlier in the year, he signed a similar Executive Order.

     

  12. Tumblr Patches A Flaw That Could Have Exposed Users’ Account Info

    https://thehackernews.com/2018/10/tumblr-account-hacking.html

    Quote

    Tumblr today published a report admitting the presence of a security vulnerability in its website that could have allowed hackers to steal login credentials and other private information for users' accounts.

    The affected information included users email addresses, protected (hashed and salted) account passwords, self-reported location (a feature no longer available), previously used email addresses, last login IP addresses, and names of the blog associated with every account.

    According to the company, a security researcher discovered a critical vulnerability in the desktop version of its website and responsibly reported it to the Tumblr security team via its bug bounty program.

     

    If you used Tumblr, this would be a good time to change your password to a strong passphrase. LSW

  13. Really there is no need for a separate CSS for mobile devices. Just make all your CSS use flexible sizing using %. This way it will downsize to fit the screen whether it be cell phone, tablet, monitor or TV. This is a basic of accessible web design for all users and not just mobile users.

  14. Tens of Millions of U.S. Voter Records for Sale

    https://www.bleepingcomputer.com/news/security/tens-of-millions-of-us-voter-records-for-sale/

    Quote

    An advertisement on a forum that sells data breach information is also offering the personally identifiable details and voting history of millions of US residents. The estimated size of the cache is in excess of 35 million records.

    The announcement says that the data sold is from updated statewide voter lists, and includes millions of phone numbers, full addresses, and names. BleepingComputer counted it to be from 20 states.

    The seller provides the number of records only for the lists in three of the states: Louisiana (3 million), Wisconsin (6 million) and Texas (14 million), offering them for prices between $1,300 and $12,500.

    Other states on the list are Montana, Iowa, Utah, Oregon, South Carolina, Wisconsin, Kansas, Georgia, New Mexico, Minnesota, Wyoming, Kentucky, Idaho, South Carolina, Tennessee, South Dakota, Mississippi, and West Virginia.

     

  15. To go along with this month's M$ patches, Adobe has released some as well.

    Adobe Releases Security Patch Updates for 11 Vulnerabilities

    https://thehackernews.com/2018/10/adobe-security-updates.html

    Quote

    Adobe has released its monthly security updates to address a total of 11 vulnerabilities in Adobe Digital Editions, Framemaker, and Technical Communications Suite, of which four are rated critical and rest 7 are important in severity.

    Adobe has also released updated versions for Flash Player, but surprisingly this month the software received no security patch update.

    Also, none of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild.

     

  16. Microsoft October Patch Tuesday Fixes 12 Critical Vulnerabilities

    https://thehackernews.com/2018/10/microsoft-windows-update.html

    Quote

    Microsoft has just released its latest monthly Patch Tuesday updates for October 2018, fixing a total of 49 security vulnerabilities in its products.

    This month's security updates address security vulnerabilities in Microsoft Windows, Edge Browser, Internet Explorer, MS Office, MS Office Services and Web Apps, ChakraCore, SQL Server Management Studio, and Exchange Server.

    Out of 49 flaws patched this month, 12 are rated as critical, 35 are rated as important, one moderate, and one is low in severity.

    Three of these vulnerabilities patched by the tech giant are listed as “publicly known” at the time of release, and one flaw is reported as being actively exploited in the wild.

     

  17. From Now On, Only Default Android Apps Can Access Call Log and SMS Data

    https://thehackernews.com/2018/10/android-app-privacy.html

    Quote

    A few hours ago the company announced its "non-shocking" plans to shut down Google+ social media network following a "shocking" data breach incident.

    Now to prevent abuse and potential leakage of sensitive data to third-party app developers, Google has made several significant changes giving users more control over what type of data they choose to share with each app.

    Google announced some new changes to the way permissions are approved for Android apps to prevent abuse and potential leakage of sensitive call and text log data by third-party developers.

    👍 Maybe a little late, but good call!

  18. Google Forced to Reveal Exposure of Private Data

    https://www.databreachtoday.com/google-forced-to-reveal-exposure-private-data-a-11587

    Quote

    Google says a bug in an API for its Google+ social networking service exposed personal details for about 500,000 accounts, but it believes the data wasn't misused.

    Google patched the bug in March but chose to not publicly disclose the problem, based on a recommendation made by its privacy and data protection office, writes Ben Smith, a Google fellow and vice president of engineering, in a blog post.

    But the company was forced to acknowledge the incident after The Wall Street Journal on Monday reported on the data exposure. Citing anonymous sources and internal documents, the publication reported that Google feared it would be subjected to regulatory scrutiny and reputational damage if the details of the bug became known.

    Google's decision to not disclose the data leak is likely to raise eyebrows because technology companies have faced increasing pressure and regulatory scrutiny over their data handling and privacy practices.

     

  19. Google+ is Shutting Down After a Vulnerability Exposed 500,000 Users' Data

    https://thehackernews.com/2018/10/google-plus-shutdown.html

    Quote

    Google is going to shut down its social media network Google+ after the company suffered a massive data breach that exposed the private data of hundreds of thousands of Google Plus users to third-party developers.

    According to the tech giant, a security vulnerability in one of Google+'s People APIs allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

    Since Google+ servers do not keep API logs for more than two weeks, the company cannot confirm the number of users impacted by the vulnerability.

     

  20. How to Start a Career in Cybersecurity: All You Need to Know

    https://thehackernews.com/2018/10/cybersecurity-jobs-salary.html

    Quote

    Cybersecurity is one of the most dynamic and exciting fields in tech, combining cutting-edge information technology with crime fighting. It’s also an industry in serious need of qualified professionals.

    Estimates show that there are over one million unfilled cybersecurity jobs. The U.S. Bureau of Labor Statistics projects that employment of information security analysts will grow 28 percent from 2016 to 2026, “much faster than the average for all occupations.”

    This presents a massive opportunity for people looking to break into the industry. If you want to join the next generation of cybersecurity professionals, Springboard has done all of the research for you in building the Cybersecurity Career Track. Here’s what you need to know:

     

  21. Mine is more a hybrid 5 finger hunt and peck, first two fingers of each hand and one thumb.

    I typed alright in high school, then 25 years in Germany doing the German keyboard and then back to 12 years on an English keyboard. I learned typing in English, but I learned coding in German. So typing emails I am faster, but typing in code, I still find myself going for the German keys on US keyboards so much more hunt and peck. I have a good speed for a modified two finger typer.

    Have you ever heard this joke?: A boy stands in the study door watching his father peck away on a laptop. He then finds his mother in the kitchen typing away like a storm with all 10 fingers. He grunts and his mom looks up and asks him what he is grunting about. "I thought you were good at typing. But dad is better, he only needs two fingers."

    Cheers!

  22. SSO is almost everywhere, and once embedded it is as hard to dig out as a tick. It is a battle I have been fighting the last year, those in charge want things easy for the employees and the employees don't want to have to remember lots of passwords. I get it.

    But I get paid to worry, and what I see is an attacker breaking the SSO password and now having access to all the applications our employees use, many of which have access to both Personally Identifiable Information (PII) and health information. So the issue is really simple: the user need only remember one password and the attacker need only break one password to have the keys to the kingdom.

    Social logins are the same way. SSO is simply easier for you, isn't it? But now Facebook has lost 50 mil. tokens that can be used to get into those users' other sites. They can now breach your Twitter account, Facebook account, Google account and what else? If I can now get in your Google account, I can reset things, I can change your telephone number to mine, have your second authorization come to my phone.

    Ask yourself: is my mobile phone number available on my accounts? Ever heard of SIM Switching? I can call a mobile phone host, create an account and say "I want to come to you, please switch my telephone number", and usually with little to no checking of authorization they will activate your number in my new phone. Now I can get access to any account attached to that phone number; I can even empty your bank account.

    So what is more important to you? Your security or your ability to quickly switch between Facebook and Twitter etc. without logging in again?

     

    Experts' View: Avoid Social Networks' Single Sign-On

    https://www.databreachtoday.com/blogs/experts-view-avoid-social-networks-single-sign-on-p-2670

    Quote

    Thanks to Facebook's single sign-on feature, dubbed Facebook Social Login, whoever stole 50 million access tokens from Facebook could have used the SSO service's tokens to log into victims' accounts at third-party services and mobile apps (see Facebook Breach: Single Sign-On of Doom).

    Furthermore, Facebook says that because it does not enforce its developer guidelines, it has no way to force a single sign-off for breached accounts. As a result, while it can reset the access tokens for Facebook users, which will automatically revoke them for third-party services that follow its developer guidelines, there are an unknown number of services for which automatic revocation does not work. As a result, those developers will have to manually review and revoke access certificates. But Facebook has offered no details about whether or when it might enforce this guideline (see Facebook Can't Reset All Breach Victims' Access Tokens).

    In the bigger picture, security expert Troy Hunt, who runs the free Have I Been Pwned? breach notification service, says the Facebook breach is a warning sign for anyone who might use consumer single sign-on services offered by Facebook, Google, Twitter and other providers.

     
