25 Matching Annotations
  1. Dec 2020
    1. BlackArch is a Linux distribution designed for penetration testing and security research. You can think of it like Kali Linux, with the exception of being based on Arch Linux. Its official repositories contain more than 2500 various penetration testing tools, and hence it can be considered a very good option for anyone wishing to explore this field and try to hack their own phones/routers/devices during the quarantine time.

      BlackArch <--- kind of Kali Linux based on Arch Linux

  2. Nov 2020
    1. Today, we’re excited to open up a beta of a third approach to keeping web browsing safe with Cloudflare Browser Isolation. Browser sessions run in sandboxed environments in Cloudflare data centers in 200 cities around the world, bringing the remote browser milliseconds away from the user so it feels like local web browsing.

      Cloudflare introduces sandboxed web browsing. It's like a browser inside a browser, so we can rest assured that we won't be infected by the websites we visit

  3. Sep 2020
    1. "Dorks" are search lines that utilize the search engine different features, with targeted search strings to pinpoint results. Here's a fun list of Google searches from the exploit DB.

      Database of Google's Dorks: Google Hacking Database

    2. The Internet Archive, also known as the "Wayback Machine", holds periodic scans of websites all over the internet for years and years back. This is a mining field for hackers with a target. With tools like waybackcurls (based on waybackcurls.py) one can scan any target for old files. This means that even if you've found and removed a key but did not rotate it, a hacker might still find it in an old version of your website and use it against you.

      Hackers do use the Wayback Machine to find specific security flaws on your website

    3. • Enforce MFA everywhere - Google, GitHub, Cloud providers, VPNs, anywhere possible. If it's not optional, reconsider the system in use
       • Rotate keys and passwords constantly, employ and enforce rotation policies
       • Scan your code regularly. Preferably as part of the release process
       • Delegate login profiles and access management to one central system where you control and monitor

      20% actions for 80% of effect to protect your API keys/passwords/SSH encrypted keys/certificates

    1. With your passport number, someone could:
       • Book an international flight as you
       • Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
       • Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)
       • Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)
       • who knows what else, not me, bc i have never done a crime

      What can be done with our passport number

    2. I’d now found Tony Abbott’s:
       • Passport details
       • Phone number
       • Weird Qantas staff comments.

      What information can be found on the "Manage Booking" page inside the website code

  4. Jun 2020
    1. We distinguish 2 basic methods of detecting malware (one can speak of more, but for the purpose of introducing the basics I will mention only two):

      2 ways antiviruses detect malware:

      • Signature-Based Detection - based on signatures (known byte sequences) updated continuously. For example, the method deletes software immediately after it's downloaded
      • Heuristic and Behavioral-Based Detection - based on malware's "behaviour" (each of its instructions)
    1. xposed the collective vulnerability to disruption and abuse. In one week in April 2020, there were over 18 million daily malware and

      It is important to underline that this doesn't mean we have seen a surge in the number of attacks or new malware (e.g. AV-TEST shows a rather average number of new malware discovered throughout the peak pandemic months compared to previous years: https://www.av-test.org/en/statistics/malware/). Instead, we are seeing new types of threats which take Covid19 as context: either specific phishing campaigns which are based on Covid19 hooks, or greater consequences of attacks against critical infrastructure like hospitals and medical centers - but also e-learning and e-commerce platforms (see the short video summary of threats: https://www.youtube.com/watch?v=XFCV_wIIEr8 ).

  5. May 2020
    1. The most common method of preventing CSRF is by generating a secret random string, known as a CSRF token, on the server, and checking for that token when the client performs a write.

      To completely defend against the CSRF attack, one needs to generate a CSRF token

    2. CORS relaxes the Same-Origin Policy (SOP), a critical security measure that prevents scripts on one site (e.g. the attacker’s site) from accessing sensitive data on another site (e.g. the Definitely Secure Bank portal). If something was protecting you from CSRF, it would be the SOP.

      Thanks to Cross-Origin Resource Sharing (CORS), Same-Origin Policy (SOP) is being relaxed and CSRF is blocked from cross-origin reads, but not from writes (so POST is still effective but attacker cannot read the response)

    3. Cross-Site Request Forgery is a web security exploit where an attacker induces a victim to perform an action they didn’t mean to. In this case, the attacker tricked you into unintentionally transferring them money.

      Cross-Site Request Forgery (CSRF) attack example: sending cookies to the origin (bank site) even when the request originates from a different origin
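
The three annotations above describe the mechanism (the browser attaches the bank's cookie to a write request even when the request originates from another origin) and the defence (a server-generated CSRF token checked on every write). The following is an added example, not code from the annotated article or from any real bank: a toy request handler using the synchronizer token pattern. The session store, the request shape and the `handle_request` function are all assumptions made for the illustration; the point it shows is that the forged request carries the cookie but cannot carry the token, because the Same-Origin Policy stops the attacker's page from reading the bank's HTML where the token is embedded.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
# A real server would keep this in a session backend, not a module-level dict.
SESSIONS = {}


def create_session():
    """Create a session and issue it a fresh CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "balance": 100}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms/pages for this session.

    Only a page served by the bank's origin can read this value, which is why a
    cross-origin attacker page cannot include it in a forged request.
    """
    return SESSIONS[sid]["csrf_token"]


def handle_request(method, cookies, form):
    """Toy request handler: reads need only the cookie, writes also need the token."""
    sid = cookies.get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    if method == "GET":
        return 200, {"balance": session["balance"]}
    if method == "POST":
        submitted = form.get("csrf_token", "")
        # Constant-time comparison so the check does not leak the token byte by byte.
        if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
            return 403, "csrf token missing or invalid"
        amount = int(form["amount"])
        session["balance"] -= amount
        return 200, {"balance": session["balance"]}
    return 405, "method not allowed"


def demo():
    """Run a legitimate transfer, a forged one and a guessed-token one; return all three."""
    sid = create_session()
    # The browser attaches this cookie to every request to the bank, forged or not.
    cookies = {"session": sid}
    # 1) Legitimate transfer submitted from the bank's own page, which can read the token.
    legit = handle_request("POST", cookies, {"csrf_token": csrf_token_for(sid), "amount": "30"})
    # 2) Forged transfer triggered from another origin: cookie is sent automatically,
    #    but the attacker page cannot read the bank's HTML (SOP), so no token.
    forged = handle_request("POST", cookies, {"amount": "30"})
    # 3) A wrong or guessed token is rejected the same way (32 random bytes are not guessable).
    guessed = handle_request("POST", cookies, {"csrf_token": "x" * 43, "amount": "30"})
    return legit, forged, guessed


if __name__ == "__main__":
    for label, result in zip(("legit", "forged", "guessed"), demo()):
        print(label, result)
```

The token is per session and never placed in a cookie, so the only way to present it is to have read it from a page the bank served; that read is exactly what the Same-Origin Policy denies to a cross-origin document. Checking the token only on writes matches the annotated article: reads are already protected by SOP, and the token is there to close the write path that cookies alone leave open.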

  6. May 2019
    1. Several businesses prefer to outsource their IoT Security compliance to third party agencies to ensure security measures to maintain IoT security and Device security of the organization. However, merely entrusting your security compliance framework with an external body does not mitigate your risk of falling prey to Cyber Attacks and IoT security breaches. You need to ensure that the compliance framework takes into consideration the following factors in the security audit checklist:

      IoT Security Compliance audit checklist must be followed by all developers working in this domain. Doing so can effectively prevent cyber attacks that have become so common.

  7. Nov 2017
    1. As an example, one of the most significant problems in healthcare security is the need for users to authenticate quickly to shared workstations in clinical environments. I could see a future version of Face ID embedded in an iMac solving that problem, changing an entire industry, and selling a lot of iMacs!

      Sounds very unlikely.

    1. Perhaps they will learn something about how a hacker can gain access to Web sites and why there is a burden on those of us who create on the Web to also secure what we create.
    1. Obviously, securing student data is critical. There are a lot of data sharing services that shouldn’t be offered until that security can be guaranteed.
  8. Feb 2017
    1. IBM research estimates that security teams have to deal with, on average, 200,000 individual events every single day.

      Wow, scary number!

    2. Evan and Mike Spisak invented an interface that could help fundamentally improve how cybersecurity works.

      Cybersecurity advances

  9. Jun 2016
    1. The cause of the security breach is under investigation by the University of Maryland Police Department, the U.S. Secret Service and federal law enforcement authorities, as well as forensic computer investigators.

      Despite this deposition from two years ago, U. Md. still hasn’t updated this page.

  10. Dec 2015
    1. Apple CEO Tim Cook has repeatedly and strongly criticized those in government who have demanded backdoors, explaining: “You can’t have a back door in the software because you can’t have a back door that’s only for the good guys.” And a representative of many of the large tech companies recently remarked: “Weakening security with the aim of advancing security simply does not make sense.” Eighty-five percent of cybersecurity experts recently surveyed by Politico called backdoors “a bad idea”. (We know, for example, the NSA in particular loves to prey on foreign phone companies’ backdoors.)
    1. A group of 19 civil liberties organizations from across the political spectrum this morning issued a letter to the White House and Congress urging lawmakers to oppose the final “conferenced” version of a dangerous cyber bill that experts say will dramatically expand government surveillance while failing to make us safer from cyber attacks.
    1. "It makes zero sense to lock up this information forever," said Jeremiah Grossman, who founded cybersecurity firm WhiteHat Security. "Certainly there are past breaches that the public should know about, is entitled to know about, and that others can learn from."

      I used to think the most fanciful thing about the movie "War Games" was not the A.I., but the defense computer connected to a public network. But if industrial control systems can be reached by the Internet or other public lines -- then maybe the government is that stupid.