LSW

Moderators · Posts: 1,625 · Days Won: 28

Posts posted by LSW

  1. Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit

    https://thehackernews.com/2018/06/drupalgeddon2-exploit.html

    Quote

    Security researcher Troy Mursch scanned the whole Internet and found over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings.

    Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites.

    For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user.

     
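As an added example (not part of LSW's post, not from the linked article, and not Drupal's own code): a check that takes a Drupal core version string and reports whether it sits below the fixed release for its branch, using only the thresholds quoted above (< 7.58, 8.x < 8.3.9, 8.4.x < 8.4.6, 8.5.x < 8.5.1). The helper that pulls the version out of `core/lib/Drupal.php` (8.x) or the first line of `CHANGELOG.txt` (7.x) relies on the format those files use; the sample file contents are constructed, and the treatment of Drupal 6 as vulnerable follows the later post in this thread that says the flaw affects Drupal 6 to 8.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]  # (major, minor, patch, pre-release flag)


def parse_version(text: str) -> Version:
    """'8.5.1' -> (8, 5, 1, 0); '7.58' -> (7, 58, 0, 0).

    A pre-release suffix ('8.5.1-rc1') sets the last component to -1 so it
    sorts just below its final release: a pre-release of a fixed version is
    still reported as vulnerable, which is the conservative answer.
    """
    core, sep, _suffix = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")][:3]
    parts += [0] * (3 - len(parts))
    parts.append(-1 if sep else 0)
    return tuple(parts)


# First release of each branch that carries the fix, exactly as quoted above:
# < 7.58, 8.x < 8.3.9, 8.4.x < 8.4.6, 8.5.x < 8.5.1.
FIXED_IN = {
    (7,): parse_version("7.58"),
    (8, 3): parse_version("8.3.9"),
    (8, 4): parse_version("8.4.6"),
    (8, 5): parse_version("8.5.1"),
}


def drupalgeddon2_vulnerable(version: str) -> Optional[bool]:
    """True if `version` is below the fixed release of its branch, False if it
    carries the fix, None for a major version the thread gives no data for."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major == 7:
        return v < FIXED_IN[(7,)]
    if major == 8:
        if (8, minor) in FIXED_IN:
            return v < FIXED_IN[(8, minor)]
        # 8.0-8.2 fall under "8.x < 8.3.9"; 8.6 and later post-date the fix.
        return minor < 3
    if major <= 6:
        # A later post in this thread says the flaw affects Drupal 6 to 8 and no
        # fixed 6.x release is listed, so a 6.x site is reported as vulnerable.
        return True
    return None


def version_from_source(text: str) -> Optional[str]:
    """Pull the core version out of the two files where Drupal records it:
    core/lib/Drupal.php on 8.x (const VERSION = '8.5.1';) and the first line
    of CHANGELOG.txt on 7.x (Drupal 7.58, 2018-03-28)."""
    m = re.search(r"const VERSION = '([^']+)'", text)
    if m:
        return m.group(1)
    m = re.search(r"^Drupal (\d[\w.\-]*),", text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample file contents; not taken from any real site.
SAMPLE_DRUPAL_PHP = "<?php\n\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"
SAMPLE_CHANGELOG = "Drupal 7.58, 2018-03-28\n-----------------------\n- Fixed security issues.\n"

if __name__ == "__main__":
    for src in (SAMPLE_DRUPAL_PHP, SAMPLE_CHANGELOG):
        ver = version_from_source(src)
        state = {True: "VULNERABLE", False: "patched", None: "unknown"}[drupalgeddon2_vulnerable(ver)]
        print(f"Drupal {ver}: {state}")
```

Version reported by a site is only half the story: a site that was exploited before it was patched stays compromised after the update, so a version check tells you who to patch, not who is clean.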

  2. Here's How to Download All the Data Apple Collects About You

    https://thehackernews.com/2018/05/download-apple-account-data.html

    Quote

    Apple has currently made this feature only available for people having accounts in European Union (along with Iceland, Liechtenstein, Norway and Switzerland), to comply with the General Data Protection Regulation (GDPR) act, which goes into effect on May 25.

    However, Apple is planning to roll out this feature worldwide in the coming months. "We intend to provide these capabilities to customers around the world in the coming months," the company wrote.

    -----------------------------------------------------------

    Apple is making it easier for its users to download their data the company has collected about them so far.

    On Wednesday, Apple just launched a new Data and Privacy website that allows you to download everything that the company knows about you, from Apple ID info, device info, App Store activity, AppleCare history, your online shopping habits to all of your data stored in its iCloud.

     

If it is Drag n' Drop, do it yourself. I certainly would not pay someone calling themselves a web developer for that. Those sites exist to allow you to do it yourself without a professional involved. Those of us who actually went to school to learn web design and what goes into it sort of cringe at the idea.

    You have no idea about the code background either, is it accessible for those with disabilities? Autistic, poor vision/blind, dyslexic? Will it be secure or leave you open to legal action under the new EU GDPR regulations?

Off the top, to me it sounds like a lot of money for something you can do, and who is to say this person even knows what they are really doing? Do they know CSS and HTML5 enough to modify it? Fix it when it gets broken? I feel someone who does not know how to code a site by hand has no business using drag n' drop. If you can do it by hand and do it that way to speed it up, and you trust the software to do almost as good a job as you would by hand... then it is forgivable.

    Does that price include hosting? That makes a difference as well.

Good news on the Net Neutrality issue: the Senate has voted to repeal Pai's decision. But it is not over yet: although the Senate voted to repeal it, the House of Representatives has not yet, and the timer to do so is ticking down.

    For those of you who really care, pop off another letter or phone call to your representative and let them know a vote must take place and what you expect that vote to be, they are supposed to represent us and not big business.

As for the Senate... the vote was 52 to 47. We won the vote, but only by 5 votes, which I find to be a sorry margin indeed. But hey, horse shoes and hand grenades...

  5. Microsoft Patches Two Zero-Day Flaws Under Active Attack

    https://thehackernews.com/2018/05/microsoft-patch-tuesday.html

    Quote

    Microsoft has today released security patches for a total of 67 vulnerabilities, including two zero-days that have actively been exploited in the wild by cybercriminals, and two publicly disclosed bugs.

    In brief, Microsoft is addressing 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity.

    These patch updates address security flaws in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Microsoft Office Exchange Server, Outlook, .NET Framework, Microsoft Hyper-V, ChakraCore, Azure IoT SDK, and more.

     

  6. Just as a general rule to consider, Tables are only to be used for housing data, basically spreadsheets etc. Back in the middle ages of the 80s and 90s there was not a graphic way of placing web elements so tables were creatively misused. They did in fact limit what designers could do.

The correct way to handle this is with CSS. You can place anything anywhere you want by simply creating empty boxes and filling them with data, images, or more boxes as you like where you like, and this is really the best way to do it. It can be tricky to learn, but not really hard; you simply have to get used to thinking that way and in pixels.

One benefit as well of doing it in this manner is that it will leave your source code and data cleaner. Those with disabilities will find the web site easier to navigate, including those with vision issues, and so will search engine spiders. All your "look and feel" elements can be placed in a separate external CSS file, separating your web site information from the web site's graphical look and feel (this is what makes it better for disabilities and spiders). Also, you can then swap out the CSS file and change the look and feel of the web site with little to no changes to the actual HTML file, if it is well planned and designed.

If this is an issue that needs correcting fast, then Daniel's code should work. But in the long run you will want to learn CSS and eventually change the site to boxes instead of tables. But do not fear creating sites in phases. Phase one - get it up there, phase two - clean it up and improve it.

  7. Twitter: We Goofed; Change Your Password Now

    https://www.databreachtoday.com/twitter-we-goofed-change-your-password-now-a-10972

    Quote

    Users would be at risk if a hacker penetrated Twitter's internal systems and obtained the log. But Twitter doesn't believe that the data has been misused or has left its systems, says Parag Agrawal, the company's CTO, in a Thursday blog post detailing the password flub.

    Nonetheless, the company is recommending a password reset for its more than 300 million users.

    "We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone," Agrawal writes. "We found this error ourselves, removed the passwords and are implementing plans to prevent this bug from happening again."

     
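Added example, not Twitter's code and not from the linked article, showing the two things a practitioner wants after an incident of this kind (plaintext passwords written to an internal log): a `logging.Filter` that masks credential fields before a line is written, and a scan over existing log lines that flags the ones already carrying a plaintext secret so they can be purged. The field names in `SECRET_FIELDS`, the log format and the sample lines are assumptions constructed for the example.

```python
import io
import logging
import re
from typing import List

# Field names whose values must never be written to a log. An assumed list for
# this example; extend it with the parameter names your own application uses.
SECRET_FIELDS = ("password", "passwd", "pwd", "new_password", "token", "secret")

# Matches key=value (form bodies, query strings) and "key": "value" (JSON) for
# the fields above. Only the value group is replaced.
_SECRET_RE = re.compile(
    r'(?P<key>\b(?:%s)\b)(?P<sep>"?\s*[=:]\s*"?)(?P<val>[^&\s",}]+)'
    % "|".join(SECRET_FIELDS),
    re.IGNORECASE,
)
MASK = "[REDACTED]"


def redact(text: str) -> str:
    """Replace the value of every secret field in `text` with MASK."""
    return _SECRET_RE.sub(lambda m: m.group("key") + m.group("sep") + MASK, text)


class RedactingFilter(logging.Filter):
    """Masks secrets in the message and its arguments before any handler
    formats the record, so the plaintext never reaches disk or a collector.
    Arguments are coerced to str, so callers must use %s placeholders."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def log_with_redaction(message: str) -> str:
    """Send one message through a logger that carries RedactingFilter and
    return exactly what its handler would have written."""
    stream = io.StringIO()
    logger = logging.getLogger("example.redacting")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message)
    handler.flush()
    return stream.getvalue().rstrip("\n")


def find_credential_leaks(lines: List[str]) -> List[int]:
    """1-based numbers of lines that still carry a plaintext secret value.
    Run this over logs written before the filter was in place."""
    return [
        n
        for n, line in enumerate(lines, 1)
        if any(m.group("val") != MASK for m in _SECRET_RE.finditer(line))
    ]


# Constructed sample log lines; the format and the values are invented.
SAMPLE_LOG = [
    '2018-05-03T10:00:01Z INFO login user=alice body="username=alice&password=hunter2"',
    '2018-05-03T10:00:02Z INFO profile user=bob path=/settings status=200',
    '2018-05-03T10:00:03Z DEBUG api {"user": "carol", "token": "abc123", "ok": true}',
    '2018-05-03T10:00:04Z INFO login user=dave body="username=dave&password=[REDACTED]"',
]

if __name__ == "__main__":
    print("lines still holding a secret:", find_credential_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(log_with_redaction(line))
```

The filter is a safety net, not the fix: the request body should not be logged at all, and a value containing whitespace is only masked up to the first space. The scan is what tells you which archived log files and log-shipping destinations need to be cleaned up too.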

  8. Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack

    https://thehackernews.com/2018/04/drupalgeddon3-exploit-code.html

    Quote
Only a few hours after the Drupal team released the latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild.

Announced yesterday, the newly discovered vulnerability (CVE-2018-7602) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly the same as what the previously discovered Drupalgeddon2 (CVE-2018-7600) flaw allowed—complete takeover of affected websites.

    Although Drupal team has not released any technical details of the vulnerability to prevent immediate exploitation, two individual hackers have revealed some details, along with a proof-of-concept exploit just a few hours after the patch release.

If you have been actively reading every latest story on The Hacker News, you must be aware of how the release of the Drupalgeddon2 PoC exploit drew much attention, which eventually allowed attackers to actively hijack websites and spread cryptocurrency miners, backdoors, and other malware.

As expected, the Drupal team has warned that the new remote code execution flaw, let's refer to it as Drupalgeddon3, is now actively being exploited in the wild, again leaving millions of websites vulnerable to hackers.

     

  9. Third Critical Drupal Flaw Discovered - Patch Your Sites Immediately

    https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html

    Quote
    Damn! You have to update your Drupal websites.

Yes, of course once again—literally it's the third time in the last 30 days.

    As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core.

Drupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attack since the disclosure of a highly critical remote code execution vulnerability.
    The new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed Drupalgeddon2 (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update.

     

  10. Make this thread: "Drupal Users need to update.. again!"

    Another Critical Flaw Found In Drupal Core-Patch Your Sites Immediately

    https://thehackernews.com/2018/04/drupal-site-vulnerability.html

    Quote
    For the second time within a month, Drupal has been found vulnerable to another critical vulnerability that could allow remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.

Discovered by the Drupal security team, the open source content management framework is vulnerable to a cross-site scripting (XSS) vulnerability that resides in a third-party plugin, CKEditor, which comes pre-integrated in Drupal core to help site administrators and users create interactive content.

CKEditor is a popular JavaScript-based WYSIWYG rich text editor which is used by many websites and comes pre-installed with some popular web projects.

According to a security advisory released by CKEditor, the XSS vulnerability stems from the improper validation of the "img" tag in the Enhanced Image plugin for CKEditor 4.5.11 and later versions.
    This could allow an attacker to execute arbitrary HTML and JavaScript code in the victim's browser and gain access to sensitive information.

     
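Added example (not CKEditor's code, and not a description of the actual Enhanced Image bug, whose details the post does not give): an allowlist-based sanitizer for `img` tags showing what proper validation of that tag looks like on the server side: drop every attribute that is not on the allowlist (which removes event handlers such as `onerror`), accept only http, https or relative URLs in `src`, and strip whitespace and control characters before checking the scheme so that `java&#10;script:` does not slip through. The allowlists and the sample inputs are assumptions constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are assumptions chosen for this example, not CKEditor's.
ALLOWED_IMG_ATTRS = {"src", "alt", "width", "height"}
ALLOWED_SCHEMES = {"http", "https", ""}  # "" covers relative and protocol-relative URLs

# Browsers strip ASCII whitespace and control characters before they parse a
# URL scheme, so "java\nscript:" runs as javascript:. Remove them first so the
# scheme check sees what the browser will see.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")


def safe_src(value: str) -> bool:
    """True if the URL's scheme (after browser-style cleanup) is allowlisted."""
    cleaned = _STRIP_RE.sub("", value)
    return urlparse(cleaned).scheme.lower() in ALLOWED_SCHEMES


class ImgSanitizer(HTMLParser):
    """Keeps text and <img> elements with allowlisted attributes; every other
    element is dropped (its text content is kept, HTML-escaped)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        kept = {}
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_IMG_ATTRS:
                continue  # drops onerror=, onload=, style=, srcset=, ...
            if name == "src" and not safe_src(value):
                continue
            if name in ("width", "height") and not value.isdigit():
                continue
            kept[name] = value
        if "src" not in kept:
            return  # an <img> whose src was rejected is dropped entirely
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<img{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        self.out.append(escape(data))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_images(html: str) -> str:
    """Return `html` reduced to escaped text plus allowlisted <img> tags."""
    p = ImgSanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed inputs: the kind of markup an attacker would paste into an editor.
SAMPLES = [
    '<img src="/uploads/cat.png" alt="cat" onerror="alert(document.cookie)">',
    '<img src="javascript:alert(1)">',
    '<img src=" java&#10;script:alert(1)" width="10">',
    '<img src="https://example.com/a.png" width="10" height="abc">',
    'Hello <b>world</b><script>alert(1)</script>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(sanitize_images(s)))
```

The attribute allowlist is the important part: a denylist of known-bad attributes (`onerror`, `onload`, ...) is exactly the kind of "improper validation" that keeps producing editor XSS bugs, because the set of dangerous attributes grows with every browser release while the set of attributes an image legitimately needs does not.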

  11. Here is another article on the hacker attacks now happening against Drupal.

    Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners

    https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html

    Quote
    Drupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details.

    However, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) exploit code was made widely available, and large-scale Internet scanning and exploitation attempts followed.
    At the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites.

    The SANS Internet Storm Center spotted some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.

     

  12. Quick and Dirty Definition: The Internet of Things (IoT) is everything else connected to the internet that is not a traditional computer or optional tool (like printers).

    This means watches, washing machines, refrigerators, robots, vacuum cleaners, security cameras, baby phones, BBQ thermostats, water sensors, light bulbs, pace makers, insulin injectors, cars etc. etc. etc.

    You may have devices you connect to the internet that makes your life easier without thinking security... the issue is, is the manufacturer thinking security? You know OS developers worry about hackers, you know your router and your PC and your Tablet and your Phone have security settings... but does that light bulb? Was the manufacturer of your coffee pot worried about security? The answer is usually no.

Manufacturers of security cameras are not controlled, so there is almost no protection built in. Jogging soldiers and airmen have been found to be giving away important data on our bases due to apps tracking them as they jog. Robotic vacuum cleaners are collecting data on the layout of your house and the data is being sold.

    I present you with a new example of this:

    Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer

    https://thehackernews.com/2018/04/iot-hacking-thermometer.html

    Quote

    Internet-connected technology, also known as the Internet of Things (IoT), is now part of daily life, with smart assistants like Siri and Alexa to cars, watches, toasters, fridges, thermostats, lights, and the list goes on and on.

But of much greater concern, enterprises are unable to secure each and every device on their network, letting cybercriminals hold their network hostage with just one insecure device.

    Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at an event in London on Thursday how cybercriminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino.

    According to what Eagan claimed, the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and "then pulled it back across the network, out the thermostat, and up to the cloud."

    Manufacturers majorly focus on performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why they are routinely being hacked.

Therefore, people can hardly do anything to protect themselves against these kinds of threats, until IoT device manufacturers timely secure and patch every security flaw or loophole that might be present in their devices.

     

  13. Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday

    https://thehackernews.com/2018/04/drupal-rce-exploit-code.html

    Quote
    Two weeks ago, Drupal security team discovered a highly critical remote code execution vulnerability, dubbed Drupalgeddon2, in its content management system software that could allow attackers to completely take over vulnerable websites.
    To address this vulnerability the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue.

    The Drupalgeddon2 vulnerability that affects all versions of Drupal from 6 to 8 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations.

If you have not updated Drupal recently, it is a good idea to do so sooner rather than later.

  14. Popular Android Phone Manufacturers Caught Lying About Security Updates

    https://thehackernews.com/2018/04/android-security-update.html

    Quote
    According to a new study, most Android vendors have been lying to users about security updates and telling customers that their smartphones are running the latest updates.

    In other words, most smartphone manufacturers including big players like Samsung, Xiaomi, OnePlus, Sony, HTC, LG, and Huawei are not delivering you every critical security patch they're supposed to, a study by Karsten Nohl and Jakob Lell of German security firm Security Research Labs (SRL) revealed.
    Nohl and Lell examined the firmware of 1,200 smartphones from over a dozen vendors, for every Android patch released last year, and found that many devices have a "patch gap," leaving parts of the Android ecosystem exposed to hackers.
    SRL researchers investigated smartphones that had supposedly received and installed the latest Android updates and released the following breakdown of their findings:
    • 0-1 missed patches—Google, Sony, Samsung, Wiko Mobile
    • 1-3 missed patches—Xiaomi, OnePlus, Nokia
    • 3-4 missed patches—HTC, Huawei, LG, Motorola
    • 4+ missed patches—TCL, ZTE

    Meanwhile, SRL has developed an app called SnoopSnitch, which you can download for free, to measure the patch level of your own Android smartphone, helping you verify vendor claims about the security of your devices.

     

  15. Facebook

    News

    Vulnerabilities

  16. Pre-Installed Malware Found On 5 Million Popular Android Phones

    https://thehackernews.com/2018/03/android-botnet-malware.html

    Quote

    Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.

Dubbed RottenSys, the malware, disguised as a 'System Wi-Fi service' app, came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.

    All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.

     

Cyber Security is a branch of its own and I have been studying it for over a year now. Not only do they not need to know everything, but it would leave them no time to actually build web sites. Security is mostly the realm of ISPs, servers and hosts, but it is not something that you can ignore simply because you are "simply the web developer". If they get hacked and it suggests it is due to something you did not do or did wrong, not good for your business. So aside from making sure some simple rules are followed, it is a good idea to know that any hosts you may suggest to a customer are trustworthy too. This is just 4 things web developers can do; I could suggest a lot more, but that is more the host's job.

    I am a former web developer and these are things I did not consider back then.

  18. Federal Judge: Yahoo Breach Victims Can Sue

    https://www.databreachtoday.com/federal-judge-yahoo-breach-victims-sue-a-10712

    Quote

    A federal judge in California has largely rejected a motion by Verizon to dismiss a class-action lawsuit brought by victims of three Yahoo data breaches. The breaches appear to have compromised every Yahoo user's personal details at least once.

    In the defendant's favor, however, Judge Lucy Koh in her Friday ruling also denied several claims by the plaintiffs that Verizon had challenged, including deceit by concealment, negligence and breach of contract.

    Verizon closed its acquisition of Yahoo last June for $4.48 billion. Under the terms of the deal, Yahoo agreed to shoulder half of the costs related to government investigations and third-party litigation over its breaches. Yahoo also bears full liability for any shareholder lawsuits and faces a probe by the U.S. Securities and Exchange Commission.

    The search giant reportedly did not carry cyber insurance.

     

  19. Windows 10 'S Mode' Coming Soon - For Security and Performance

    https://thehackernews.com/2018/03/windows-10-s-mode.html

    Quote
    Microsoft has confirmed that the company is planning to convert Windows 10 S from a dedicated operating system to a special "S Mode" that will be available in all versions of Windows.

    Windows 10 S, a new operating system designed for simplicity, security, and speed, was released by Microsoft last year. It locks a computer down to run applications only downloaded from official Windows Store, but the slimmed-down and restricted flavor of Windows did not exactly turn out to be a success.

Therefore, the company has now decided that Windows 10 S will be offered as an optional mode rather than a dedicated operating system.
    Windows 10 S was developed to simplify administration for school or business sysadmins that want the 'low-hassle' guaranteed performance version. It has been designed to deliver predictable performance and quality through Microsoft-verified apps via the Microsoft Store.

     

Also good if you want to play with Linux and get used to it before switching, but Kali has lots of apps not normally found on Linux distributions and used only for security work/hacking.

    Run 'Kali Linux' Natively On Windows 10 - Just Like That!

    https://thehackernews.com/2018/03/kali-linux-hacking-windows.html

    Quote

    Great news for hackers.

    Now you can download and install Kali Linux directly from the Microsoft App Store on Windows 10 just like any other application.

    Kali Linux, a very popular, free, and open-source Linux-based operating system widely used for hacking and penetration testing, is now natively available on Windows 10, without requiring dual boot or virtualization.

     
