75 Matching Annotations
  1. Mar 2023
    1. A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this data collection. Here’s a primer on why you might want to do that, and how.
    1. You can use authentication mechanisms such as OAuth2, JSON Web Tokens (JWT), or HTTP Basic Authentication to ensure that only authorized users or applications can access your API.
  2. Jan 2023
    1. Dykstra, J., Shortridge, K., Met, J., & Hough, D. (2022). Sludge for Good: Slowing and Imposing Costs on Cyber Attackers. arXiv. https://doi.org/10.48550/arXiv.2211.16626

      Choice architecture describes the design by which choices are presented to people. Nudges are an aspect intended to make "good" outcomes easy, such as using password meters to encourage strong passwords. Sludge, on the contrary, is friction that raises the transaction cost and is often seen as a negative to users. Turning this concept around, we propose applying sludge for positive cybersecurity outcomes by using it offensively to consume attackers' time and other resources. To date, most cyber defenses have been designed to be optimally strong and effective and prohibit or eliminate attackers as quickly as possible. Our complementary approach is to also deploy defenses that seek to maximize the consumption of the attackers' time and other resources while causing as little damage as possible to the victim. This is consistent with zero trust and similar mindsets which assume breach. The Sludge Strategy introduces cost-imposing cyber defense by strategically deploying friction for attackers before, during, and after an attack using deception and authentic design features. We present the characteristics of effective sludge, and show a continuum from light to heavy sludge. We describe the quantitative and qualitative costs to attackers and offer practical considerations for deploying sludge in practice. Finally, we examine real-world examples of U.S. government operations to frustrate and impose cost on cyber adversaries.

      Found via author post: Kelly Shortridge: "How can we waste attackers’ ti…" - Hachyderm.io

  3. Dec 2022
    1. “Berla devices position CBP and ICE to perform sweeping searches of passengers’ lives, with easy access to cars' location history and most visited places and to passengers’ family and social contacts, their call logs, and even their social media feeds,” she said.
    2. Cybersecurity researcher Curry told Forbes that, after seeing what could be done with just a VIN, it was “terrifying” that those identifying numbers were public.
    3. For anyone with a Honda or Nissan car, it was possible for a hacker with a laptop to unlock or start their vehicles, locate them and raid personal data stored inside, cybersecurity researchers warned on Wednesday.
  4. Nov 2022
    1. The result is a pervasive lack of knowledge needed to safely navigate digital environments. According to the Fletcher School at Tufts University, only 40% of American adults can answer basic questions on topics including phishing, privacy and cookies. Confronting those deficiencies head on over the next year will necessitate including underserved and undereducated communities in the design process.

      This is a literacy problem akin to a nation-wide fire hazard.

  5. Oct 2022
    1. Use SSH and connect:

      Disposable root server:

      ssh root@segfault.net   # Password is 'segfault'

  6. wifine.gitlab.io
    1. By using a VPN, you are only changing who can see your network layer traffic. It does not increase any security.
    2. any retailer doing credit card transaction processing is forced to use TLS
    1. You can unknowingly be sending your critical database traffic in the clear because your client uses a default of allow or disable while the server you’re connecting to does, in fact, support SSL.
    2. You can unknowingly be sending your critical database traffic in the clear because your client uses a default of prefer, allow or disable and the server you’re connecting to does not support SSL.
    3. What Should I Do?

      Advice to set verify-full encryption for:
      • developers
      • PostgreSQL server maintainers
      • users
      • PostgreSQL tool makers
      • PostgreSQL creators

    4. Many popular SQL clients do not use SSL by default. If you aren’t deliberate about choosing encryption, the connection will be unencrypted.

      Table with SQL clients and their default SSL mode:

    5. SSL is disabled by default in jdbc, npgsql, node-postgres, and pgx.

      Table with programming libraries and their default SSL mode:

    6. There are a lot of PostgreSQL servers connected to the Internet: we searched shodan.io and obtained a sample of more than 820,000 PostgreSQL servers connected to the Internet between September 1 and September 29. Only 36% of the servers examined had SSL certificates. More than 523,000 PostgreSQL servers listening on the Internet did not use SSL (64%).
    7. At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption. In fact, only 36% even support encryption. This puts PostgreSQL servers well behind the rest of the Internet in terms of security. In comparison, according to Google, over 96% of page loads in Chrome on a Mac are encrypted. The top 100 websites support encryption, and 97 of those default to encryption.
    1. In case of non-compliance with the Act, the Commission d’accès à l’information may impose significant penalties, which could amount to up to $25 million or 4% of worldwide turnover. This penalty will be proportionate, in particular, to the severity of the breach and the company’s ability to pay.
  7. Aug 2022
    1. Even though Chrome, Firefox, and Edge browsers all store passwords in encrypted databases, by default all three products intentionally leave the associated encryption keys completely unprotected in predictable locations.

      That's why one should use an external app to store passwords, instead of leaving them in a browser

  8. Jul 2022
    1. WiFi QR code is simply a text QR code with a special format as follows:

      WIFI:S:<SSID>;T:<WEP|WPA|blank>;P:<PASSWORD>;H:<true|false|blank>;;

      The S sets the SSID of the network, T defines the security in use, P is the password and H whether the network is hidden or not.

      WiFi QR code format

  9. May 2022
    1. Many companies send our passwords via email. Whether these emails come from our IT department, a colleague, a SaaS solution or elsewhere, it's not a good idea to send and receive passwords via email.

      Send passwords via email? A bad idea!

  10. Apr 2022
    1. Organizations should consider using a security platform built on a cybersecurity mesh architecture with security solutions that work together to combat developing threats, as well as keeping staff current on cyber hygiene and best practices. This holistic approach represents the strongest security posture and best defense against attackers.

      Security Best practices

  11. Mar 2022
    1. an onion address is a promise and a mechanism to assure that you are taking seriously the needs of the people who use Tor.

      Why offer an Onion Address rather than just encourage browsing-over-Tor

  12. Feb 2022
    1. blockchain-based crypto-currency networks are susceptible to denial-of-service and other nuisance attacks. Attacks that cannot violate the trust of the distributed asset ledger, but can clog the pipes and attempt to confuse the participants.

      I understand how a centralized system can be subject to DDoS, but how can a blockchain-based crypto-currency network (distributed on several identical nodes) possibly be affected by DDoS? Are we talking here of a single node being affected? Can we just remove the node and move on, as is the case if there is an attempt to falsify data in a specific node?

  13. Dec 2021
    1. docker scan elastic/logstash:7.13.3 | grep 'Arbitrary Code Execution'

      Example of scanning docker image for a log4j vulnerability

  14. Nov 2021
    1. Some cybersecurity tasks can be outsourced, however, to extend staff and/or acquire specialized skills.

      In what way can service providers have offerings that distinguish them from others?

    2. What were once clear distinctions among hardware, software, cloud, and services and between primary and secondary suppliers continue to blur and overlap to the point where they're no longer distinguishable as separate categories. That raises questions and challenges about identifying the perimeter—or, where institutionally owned and managed technology infrastructure ends. Additionally, the integration between technology run in-house and that run by an external supplier continues to blur boundaries between consumers' responsibilities and suppliers' responsibilities. That, in turn, creates the challenge of clarifying which technology and data components can and should be secured by institutions versus by suppliers versus by end users and, thus, where security risk factors and responsibilities reside. Sometimes suppliers' security and privacy controls may not be as tight as institutions require or realize.

      The overlap between these areas is going to require increased communication between service providers and campus personnel, and probably helping students/faculty understand where reporting of issues needs to happen.

    1. Come to an agreement with companies in a similar industry and place photos of their products on your site, without any code. Occasionally write a (properly labelled) sponsored article. Add a link for direct payments to your account. There are plenty of ideas. Unfortunately, many chose the easiest option and hooked themselves up to global advertising networks. They don’t necessarily benefit from this „partnership”. Ad elements collect information about users even if we don’t click on them (and so we won’t bring the site owners any earnings anyway).

      Why it's worth using ad blockers & how site owners could replace this business model

    1. I’ll recap the steps in case you got lost. I start with the assumption that I’ve already downloaded the invite.ics file.

      5 simple steps to spoof invite.ics files

  15. Oct 2021
    1. A screenshot from the document providing an overview of different data retention periods. Image: Motherboard.

      Is it possible that FBI stores this data on us?

    1. UPDATE--SHA-1, the 25-year-old hash function designed by the NSA and considered unsafe for most uses for the last 15 years, has now been “fully and practically broken” by a team that has developed a chosen-prefix collision for it.

      SHA-1 has been broken; therefore, make sure not to use it in a production environment

  16. May 2021
  17. Apr 2021
    1. The facility, which includes a virtual reality lab and 3-D printer, houses the multimedia, data analytics and cybersecurity classes. S

  18. Mar 2021
    1. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283

      Noticing a common text structure across all of the NIST guides. Another shout out to FISMA

    1. Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.

      Definition of FCI

    1. Potential Impact on Organizations and Individuals

      Low = limited; Moderate = serious; High = severe or catastrophic

    2. Security Objectives

      FISMA outlines three objectives around security:

      1. Confidentiality
      2. Integrity
      3. Availability

      The low, medium, and high refer to what the potential impact would be if any of the three were breached.

    1. pprove accreditation criteria for third-party assessment organizations (3PAOs) to provide independent assessments of CSPs’ implementation of the FedRAMP security authorization requirements

      This is similar to the C3PAO model in CMMC

    2. Federal Risk and Authorization Management Program (FedRAMP)

      Created in 2011 by the OMB in compliance with FISMA act of 2002.

    1. The RMF emphasizes risk management by promoting the development of security and privacy capabilities into information systems throughout the system development life cycle (SDLC);

      System Development Life Cycle; the thing to stress is that it requires a continuous monitoring and reporting system in place.

    2. Executive Order (E.O.) 13800 requires federal agencies to modernize their IT infrastructure and systems and recognizes the increasing interconnectedness of federal information systems and networks.

      People will need to know the requirement to modernize federal IT

    3. OMB Circular A-130, Managing Information as a Strategic Resource [OMB A-130], addresses responsibilities for protecting federal information resources and for managing personally identifiable information (PII).

      How we have to manage PII

    1. The SEI team dug into the CERT Resilience Management Model (CERT-RMM), the SEI's foundational process improvement approach to operational resilience management.

      People will need to know the process maturity approach derived from CERT-RMM

    2. Process maturity is stickiness, or how well the technical practices are embedded in the organization.

      Definition of process maturity; history of CMMC

    3. retain all the practices from NIST 800-171, and find a way for DIB members of varying cyber-sophistication to participate without POAMs.

      History of CMMC, its two requirements and the connection to NIST 800-171

    1. blication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347.

      Find the FISMA act

  19. Dec 2020
    1. BlackArch is a Linux distribution designed for penetration testing and security research. You can think of it like Kali Linux, with the exception of being based on Arch Linux. Its official repositories contain more than +2500 various penetration testing tools, and hence it can be considered a very good option for anyone wishing to explore this field and try to hack their own phones/routers/devices during the quarantine time.

      BlackArch <--- kind of Kali Linux based on Arch Linux

  20. Nov 2020
    1. Today, we’re excited to open up a beta of a third approach to keeping web browsing safe with Cloudflare Browser Isolation. Browser sessions run in sandboxed environments in Cloudflare data centers in 200 cities around the world, bringing the remote browser milliseconds away from the user so it feels like local web browsing.

      Cloudflare introduces sandboxed web browsing. It's like a browser inside a browser, so we can rest assured that we won't be infected by the websites we visit

  21. Sep 2020
    1. "Dorks" are search lines that utilize the search engine different features, with targeted search strings to pinpoint results. Here's a fun list of Google searches from the exploit DB.

      Database of Google's Dorks: Google Hacking Database

    2. The internet archive, also known as the "Wayback Machine" holds periodic scans of websites all over the internet for years and years back. This is a mining field for hackers with a target. With tools like waybackcurls (based on waybackcurls.py) one can scan any target of old files. This means that even if you've found and removed a key but did not rotate it, a hacker might still find it in an old version of your website and use it against you.

      Hackers do use the Wayback Machine to find specific security flaws on your website

    3. • Enforce MFA everywhere - Google, GitHub, Cloud providers, VPNs, anywhere possible. If it's not optional, reconsider the system in use
      • Rotate keys and passwords constantly, employ and enforce rotation policies
      • Scan your code regularly. Preferably as part of the release process
      • Delegate login profiles and access management to one central system where you control and monitor

      20% actions for 80% of effect to protect your API keys/passwords/SSH encrypted keys/certificates

    1. With your passport number, someone could:
      • Book an international flight as you
      • Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
      • Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)
      • Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)
      • who knows what else, not me, bc i have never done a crime

      What can be done with our passport number

    2. I’d now found Tony Abbott’s:
      • Passport details
      • Phone number
      • Weird Qantas staff comments.

      What information can be found on the "Manage Booking" page inside the website code

  22. Jun 2020
    1. We distinguish 2 basic methods of detecting malware (one could speak of more, but for the purposes of introducing the basics I will mention only two):

      2 ways antiviruses detect malware:

      • Signature-Based Detection - based on signatures (known byte sequences) updated continuously. For example, the method deletes software immediately after it's downloaded
      • Heuristic and Behavioral-Based Detection - based on malware's "behaviour" (each of its instructions)
    1. xposed the collective vulnerability to disruption and abuse. In one week in April 2020, there were over 18 million daily malware and

      It is important to underline that this doesn't mean we have seen a surge in the number of attacks or new malware (e.g. AV-TEST shows a rather average number of new malware discovered throughout the top pandemic months compared to previous years: https://www.av-test.org/en/statistics/malware/). Instead, we are seeing new types of threats which take Covid19 as context: either specific phishing campaigns which are based on Covid19 hooks, or greater consequences of attacks against critical infrastructure like hospitals and medical centers - but also e-learning and e-commerce platforms (see the short video summary of threats: https://www.youtube.com/watch?v=XFCV_wIIEr8 ).

  23. May 2020
    1. The most common method of preventing CSRF is by generating a secret random string, known as a CSRF token, on the server, and checking for that token when the client performs a write.

      To completely defend against the CSRF attack, one needs to generate a CSRF token

    2. CORS relaxes the Same-Origin Policy (SOP), a critical security measure that prevents scripts on one site (e.g. the attacker’s site) from accessing sensitive data on another site (e.g. the Definitely Secure Bank portal). If something was protecting you from CSRF, it would be the SOP.

      Thanks to Cross-Origin Resource Sharing (CORS), Same-Origin Policy (SOP) is being relaxed and CSRF is blocked from cross-origin reads, but not from writes (so POST is still effective but attacker cannot read the response)

    3. Cross-Site Request Forgery is a web security exploit where an attacker induces a victim to perform an action they didn’t mean to. In this case, the attacker tricked you into unintentionally transferring them money.

      Cross-Site Request Forgery (CSRF) attack example: sending cookies to the origin (bank site) even when the request originates from a different origin

  24. May 2019
    1. Several businesses prefer to outsource their IoT Security compliance to third party agencies to ensure security measures to maintain IoT security and Device security of the organization. However, merely entrusting your security compliance framework with an external body does not mitigate your risk of falling prey to Cyber Attacks and IoT security breaches. You need to ensure that the compliance framework takes into consideration the following factors in security audit checklist:

      IoT Security Compliance audit checklist must be followed by all developers working in this domain. Doing so can effectively prevent cyber attacks that have become so common.

  25. Nov 2017
    1. As an example, one of the most significant problems in healthcare security is the need for users to authenticate quickly to shared workstations in clinical environments. I could see a future version of Face ID embedded in an iMac solving that problem, changing an entire industry, and selling a lot of iMacs!

      Sounds very unlikely.

    1. Perhaps they will learn something about how a hacker can gain access to Web sites and why there is a burden on those of us who create on the Web to also secure what we create.
    1. Obviously, securing student data is critical. There are a lot of data sharing services that shouldn’t be offered until that security can be guaranteed.
  26. Feb 2017
    1. IBM research estimates that security teams have to deal with, on average, 200,000 individual events every single day.

      Wow, scary number!

    2. Evan and Mike Spisak invented an interface that could help fundamentally improve how cybersecurity works.

      Cybersecurity advances

  27. Jun 2016
    1. The cause of the security breach is under investigation by the University of Maryland Police Department, the U.S. Secret Service and federal law enforcement authorities, as well as forensic computer investigators.

      Despite this deposition from two years ago, U. Md. still hasn’t updated this page.

  28. Dec 2015
    1. Apple CEO Tim Cook has repeatedly and strongly criticized those in government who have demanded backdoors, explaining: “You can’t have a back door in the software because you can’t have a back door that’s only for the good guys.” And a representative of many of the large tech companies recently remarked: “Weakening security with the aim of advancing security simply does not make sense.” Eighty-five percent of cybersecurity experts recently surveyed by Politico called backdoors “a bad idea”. (We know, for example, the NSA in particular loves to prey on foreign phone companies’ backdoors.)
    1. A group of 19 civil liberties organizations from across the political spectrum this morning issued a letter to the White House and Congress urging lawmakers to oppose the final “conferenced” version of a dangerous cyber bill that experts say will dramatically expand government surveillance while failing to make us safer from cyber attacks.
    1. "It makes zero sense to lock up this information forever," said Jeremiah Grossman, who founded cybersecurity firm WhiteHat Security. "Certainly there are past breaches that the public should know about, is entitled to know about, and that others can learn from."

      I used to think the most fanciful thing about the movie "War Games" was not the A.I., but the defense computer connected to a public network. But if industrial control systems can be reached by the Internet or other public lines -- then maybe the government is that stupid.