What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
SecurityWeek.webp 2018-11-05 02:20:03 Kemp Cites Voter Database Hacking Attempt, Gives No Evidence (lien direct) The office of Secretary of State Brian Kemp, who is also the Republican gubernatorial nominee, said Sunday it is investigating the state Democratic Party in connection with an alleged attempt to hack Georgia's online voter database, which is used to check in voters at polling places in the midterm elections. Hack Uber
Chercheur.webp 2018-11-04 19:10:00 Who's In Your Online Shopping Cart? (lien direct) Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that is obvious even to the untrained eye. These days, a compromised e-commerce site is more likely to be seeded with a tiny snippet of code that invokes a hostile domain which appears harmless or that is virtually indistinguishable from the hacked site's own domain. Hack
Blog.webp 2018-11-04 18:00:05 (Déjà vu) Hack the Box: Dropzone Walkthrough (lien direct) Today we are going to solve another CTF challenge “Dropzone”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level. Level: Expert Task: To find user.txt and... Hack
WiredThreatLevel.webp 2018-11-02 20:31:04 Hack Brief: Someone Posted Private Facebook Messages From 81,000 Accounts (lien direct) The data appears to have been stolen with malicious browser extensions, and not by exploiting an issue with Facebook's platform. Hack
no_ico.webp 2018-11-02 13:30:00 Eurostar Resets Customer Passwords After Hack Attack (lien direct) Eurostar has reset its customers’ login passwords after detecting attempts to break into an unspecified number of accounts. The rail service said it had notified those whose accounts had been targeted. Other passengers will be told they have been blocked the next time they try to log in and will be asked to reset their details. … Hack
no_ico.webp 2018-11-02 12:15:00 Google Debunks Claims Its Home Hub Is A Security Nightmare (lien direct) Google has denied claims that its Home Hub is dangerously insecure after it was revealed that it’s easy to yank information off the smart home device. Security researcher Jerry Gamblin shared a set of instructions that uses basic lines of XML to guide would-be hackers through how to suck data from the Home Hub and even brick it. The hack … Hack
SecurityAffairs.webp 2018-11-02 07:30:05 FIFA was hacked again, this is the second hack in a year (lien direct) According to the New York Times, FIFA has suffered the second hack in a year, new documents are set to be published on Friday by Football Leaks. The Fédération Internationale de Football Association, aka FIFA, is a governing body of association football, futsal, and beach soccer. FIFA reveals it was the victim of a new successful phishing campaign that resulted in the exposed […] Hack
ErrataRob.webp 2018-11-02 02:57:36 Why no cyber 9/11 for 15 years? (lien direct) This The Atlantic article asks why hasn't there been a cyber-terrorist attack for the last 15 years, or as it phrases it: "National-security experts have been warning of terrorist cyberattacks for 15 years. Why hasn't one happened yet?" As a pen-tester who's broken into power grids and found 0day exploits in control center systems, I thought I'd write up some comments. Instead of asking why one hasn't happened yet, maybe we should instead ask why national-security experts keep warning about them. One possible answer is that national-security experts are ignorant. I get the sense that "national security experts" have very little expertise in cyber. That's why I include a brief resume at the top of this article, I've actually broken into a power grid and found 0days in critical power grid products (specifically, the ABB implementation of ICCP on AIX -- it's rather an obvious buffer-overflow, *cough* ASN.1 *cough*, I don't know if they ever fixed it). Another possibility is that they are fear mongering in order to support their agenda. That's the problem with "experts", they get their expertise by being employed to achieve some goal. The ones who know most about an issue are simultaneously the ones most biased about an issue. They have every incentive to make people be afraid, and little incentive to tell the truth. The most likely answer, though, is simply because they can. Anybody can warn of "digital 9/11" and be taken seriously, regardless of expertise. They'll get all the press. It's always the Morally Right thing to say. You never have to back it up with evidence. Conversely, those who say the opposite don't get the same level of press, and are frequently challenged to defend their abnormal stance. Indeed, that's how this article by The Atlantic works. 
Its entire premise is that the national security experts are still "right" even though their predictions haven't happened, and it's reality that's "wrong". Now let's consider the original question. One good answer in the article is "cause certain types of fear and terror, that garner certain media attention, that galvanize followers". Blowing something up causes more fear in the target population than deleting some data. But the same is true of the terrorists themselves, that they prefer violence. In other words, what motivates terrorists, the ends or the means? Is it the need to achieve a political goal? Or is it simply about looking for an excuse to commit violence? I suspect that it's the latter issue. It's not that terrorists are violent so much as violent people are attracted to terrorism. This can explain a lot, such as why they have such poor op-sec and encryption, as I've written about before. They enjoy learning how to shoot guns and trigger bombs, but they don't enjoy learning how to use a computer correctly. I've explored the cyber Islamic dark web and come to a couple conclusions about it. The primary motivation of these hackers is gay porn. A frequent initiation rite to gain access to these forums is to send post pictures of your, well, equipment. Such things are repressed in their native countries and societies, so hacking becomes a necessary skill in order to get it. It's hard for us to understand their motivations. From our western perspective, we'd think gay young men would be on our side, motivated to fight against their own governments in defense of gay rights, in order to achieve marriage equality. None of them want that. Their goal is to get married and have children. Sure, they want gay sex and intimate relationships with men, but they also want a subservient wife who manages the household, and the deep family ties that Hack
ZDNet.webp 2018-11-02 00:59:00 FIFA admits hack and braces for new leaks (lien direct) March 2018 phishing incident pegged as possible origin of latest hack and subsequent data theft. Hack
no_ico.webp 2018-11-01 21:30:04 Eurostar Forces Customers To Reset Passwords, But Does It Really Need To (lien direct) Eurostar is the latest transportation company to be hit by a data breach following the recent BA breach. The breach, which occurred between 15 and 19 October, was noticed when Eurostar detected an “unauthorised attempt” to hack into its systems and access user accounts. Eurostar emailed customers with the information, stating that it had identified multiple … Hack
DarkReading.webp 2018-11-01 11:30:00 FIFA Reveals Second Hack (lien direct) Successful phishing campaign leads attackers to confidential information of world soccer's governing body. Hack Guideline
BBC.webp 2018-10-31 17:10:04 Eurostar resets customer passwords after hack attack (lien direct) The rail firm reset passwords after detecting efforts to break into some accounts earlier this month. Hack
Blog.webp 2018-10-31 15:49:05 (Déjà vu) Hack the Box: Bounty Walkthrough (lien direct) Today we are going to solve another CTF challenge “Bounty”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level. Level: Medium Task: To find user.txt and root.txt... Hack
no_ico.webp 2018-10-31 11:15:00 Iranian Hackers Hit U.K. Cybersecurity Universities (lien direct) Iranian Hackers have attempted to hack into UK universities offering government-certified cybersecurity courses. Students and employees with UK university log-ins were sent phishing emails in an attempt to trick them into giving their passwords. IT security experts commented below. Dr Guy Bunker, SVP of Products at Clearswift: “While this is not unexpected, we know that phishing and hacking attacks occur every … Hack
SecurityAffairs.webp 2018-10-31 09:33:02 Cyber mercenaries and insiders hired by Chinese intelligence to hack aerospace and tech firms (lien direct) According to the U.S. Department of Justice, the Chinese intelligence officers recruited hackers and insiders to hack aerospace and tech firms. US DoJ accuses the Chinese intelligence to have recruited hackers and insiders to steal confidential information from companies in aerospace and tech companies. US intelligence believes that the cyber espionage operation was under the control of Zha […] Hack
BBC.webp 2018-10-30 23:11:04 Fifa: Governing body reveals IT data hack earlier this year (lien direct) Football's world governing body Fifa says information was hacked from its IT systems earlier this year. Hack
grahamcluley.webp 2018-10-30 14:00:01 Post-breach, Cathay Pacific hit by group action by UK law firm (lien direct) Fresh from launching a £500 million group action against British Airways after a serious security breach, a UK law firm has wasted no time responding to the announcement last week of a hack at Cathay Pacific which saw the personal data of 9.4 million Cathay Pacific passengers breached. Hack
CSO.webp 2018-10-30 03:00:00 Biggest data breach penalties for 2018 (lien direct) Uber: $148 million. In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million -- the biggest data-breach payout in history – for violation of state data breach notification laws. Data Breach Hack Uber
SecurityAffairs.webp 2018-10-28 08:55:00 The Belgacom hack was the work of the UK GCHQ intelligence agency (lien direct) Belgian newspaper reported that investigators had found proof that the Belgacom hack was the work of the UK GCHQ intelligence agency. Back to September 2013, Belgacom (now Proximus), the largest telecommunications company in Belgium and primarily state-owned, announced its IT  infrastructure had suffered a malware-based attack. Here we are again to speak about this incident after […] Hack
grahamcluley.webp 2018-10-26 16:37:01 British Airways hack is worse than originally thought (lien direct) A deeper investigation has revealed that hackers were stealing information for much longer than initially thought, and an additional 185,000 British Airways customer payment cards were compromised. Hack
grahamcluley.webp 2018-10-26 13:55:01 23-year-old woman charged with stealing $320,000 worth of cryptocurrency (lien direct) Police in Australia have arrested a 23-year-old woman in Melbourne, Australia, in connection with an email hack that resulted in a huge amount of virtual currency being stolen. Read more in my article on the Hot for Security blog. Hack
AlienVault.webp 2018-10-26 13:00:00 Things I Hearted this Week, 26th October 2018 (lien direct) Wordpress Wants to Erase its Past I was just flexing my clickbait title muscles with the heading here. But according to a talk at DerbyCon, the WordPress security team stated its biggest battle is not against hackers but its own users, millions of which continue to run sites on older versions of the CMS, and who regularly fail to apply updates to the CMS core, plugins, or themes. WordPress team working on "wiping older versions from existence on the internet" | ZDNet The Penalties Keep Rolling in Looks like the regulators have recently seen the Arnie classic, Pumping Iron, as they flex their muscles to penalise companies for lax security. First up, supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potential hefty class action pay-out. Morrisons Loses Insider Breach Liability Appeal | InfoSecurity Magazine In other news, Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge Analytica data scandal. The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place. The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May. Facebook fined £500,000 for Cambridge Analytica scandal | BBC Breaches at 32,000 feet Cathay Pacific has admitted that personal data on up to 9.4 million passengers, including their passport numbers, has been accessed by unauthorised personnel in the latest security screw-up to hit the airline industry. Cathay Pacific hack: Personal data of up to 9.4 million airline passengers laid bare | The Register British Airways still encountering turbulence following its hack in September has revealed a further 185,000 customer details could have been compromised! 
British Airways reveals a further 185,000 users affected in September data hack | City AM Fool Me Once Children’s Hospital of Philadelphia has reported two data breaches that occurred in August and September of 2018. The hospital on August 24 discovered that hacker had accessed a physician’s email account on August 23 via a phishing attack. A second breach found on September 6 revealed unauthorized access to an additional email account on August 29. Children’s Hospital of Philadelphia victimized twice by phishing attacks | Health Data Management Some Notes for Journalists About Cybersecurity The recent Bloomberg article about Chinese hacking motherboards is a great opportunity to talk about problems with journalism. Journalism is about telling the truth, not a close approximation of the truth,  but the true tru Hack Guideline
TechRepublic.webp 2018-10-25 19:59:05 What attackers want when they hack email accounts (lien direct) Mark Risher, Google's director of product management for identity and account security, explains what hackers are looking for and how Google is ramping up account security. Hack
BBC.webp 2018-10-25 16:10:03 Second hack attack on BA website uncovered (lien direct) Details of the attack emerged as BA investigated a 'sophisticated' attack it suffered in September. Hack
BBC.webp 2018-10-25 04:42:04 (Déjà vu) Cathay Pacific data hack hits 9.4 million passengers (lien direct) The Hong Kong airline said personal details including passport and credit card numbers were accessed. Hack
TechRepublic.webp 2018-10-24 13:16:05 How Colorado voting became a cybersecurity leader long before Russians tried to hack it (lien direct) Colorado offers extensive election official cybersecurity training, paper ballots, and a strong auditing system, giving it top marks in election security. Hack
AlienVault.webp 2018-10-24 13:00:00 The Importance of Patch Management (lien direct) With each passing year, our world becomes more and more digital. Our social interactions and personal data as well as many of our jobs are based primarily on the internet. Although this shift has come with great benefits, it’s also opened us up to a heightened threat of cyber terrorism. 2017 saw some of the most devastating high-profile attacks in history, opening the eyes of business of all sizes to the importance of stronger security. With no end to cybercrime in sight, the best defense is to be better prepared. There are various practices that can be applied to achieve this, and implementing a patch management system is one of them. In its most basic sense, patching is the process of repairing IT system vulnerabilities that are discovered after the infrastructure components have been released on the market. These patches can apply to a variety of system components, including operating systems, servers, routers, desktops, emails, client info, office suites, mobile devices, firewalls and more. Depending on a company’s information system design, the method of patch management may differ slightly. Failure to follow adequate patch management procedures greatly increases the risk of falling victim to a devastating attack. In the second quarter of 2017, we saw a global ransomware hack the systems of over 150 countries and hundreds of organizations all as a result of poor patch management. These unattended vulnerabilities in IT infrastructure open companies up to numerous security challenges, the top five being: Absence of proper coordination of security measures taken by the operations department and the IT department. Inability to keep up with regulatory standards. Failure to develop an automated security channel. Inability to protect systems from malware, DDoS attacks and hacktivism. Failure to upgrade the existing software and applications to improve the system security. 
Outsourced patch management For many companies, the reason behind their failure to properly patch vulnerabilities is the simple fact that it’s difficult. The process is time-consuming and, depending on the size of a company, there could be numerous vulnerabilities opening simultaneously. Outsourcing patch management to a more qualified company can relieve IT teams of that immense burden and prevent potentially fatal neglect. Additionally, outsourced IT companies have the advantage of economies of scale and can spend the necessary time required for testing updates before updating client systems. Automated patch management Automation is a trending feature in technology this year, including patch management. With this method, a cloud-based automation system is able to regularly scan and apply patches to software and systems of any kind regardless of location. This reduces the need for ongoing management of the patching system itself, meaning even the most limited IT teams can stay up-to-date with security. Furthermore, as automation allows for patches to be applied 24/7, the downloading and installation processes won't disrupt a work day, and the potential for human error while installing patches is removed. Whichever route you choose, the importance of the matter stays the same. While hackers have made it clear they don’t discriminate against company size or industry, preventive measures are necessary for everyone. With a strong patch management system in place, the occurrence of a vulnerability can be immediately rectified by way of consistent monitoring of the system and a patch released Ransomware Hack Vulnerability Threat Patching Guideline
Kaspersky.webp 2018-10-23 14:48:02 Adult Website Hack Exposes 1.2M 'Wife Lover' Fans (lien direct) A 40-year-old, easily cracked encryption method was used to protect the 98MB database of user information. Hack
DarkReading.webp 2018-10-23 12:00:00 Former HS Teacher Admits to 'Celebgate' Hack (lien direct) Christopher Brannan accessed full iCloud backups, photos, and other personal data belonging to more than 200 victims. Hack
ZDNet.webp 2018-10-23 09:28:04 Super Micro trashes Bloomberg chip hack story in recent customer letter (lien direct) Server vendor calls Bloomberg report a "technical implausibility" and "wrong." Hack
ErrataRob.webp 2018-10-22 16:33:56 Some notes for journalists about cybersecurity (lien direct) The recent Bloomberg article about Chinese hacking motherboards is a great opportunity to talk about problems with journalism. Journalism is about telling the truth, not a close approximation of the truth, but the true truth. They don't do a good job at this in cybersecurity. Take, for example, a recent incident where the Associated Press fired a reporter for photoshopping his shadow out of a photo. The AP took a scorched-earth approach, not simply firing the photographer, but removing all his photographs from their library. That's because there is a difference between truth and near truth. Now consider Bloomberg's story, such as a photograph of a tiny chip. Is that a photograph of the actual chip the Chinese inserted into the motherboard? Or is it another chip, representing the size of the real chip? Is it truth or near truth? Or consider the technical details in Bloomberg's story. They are garbled, as this discussion shows. Something like what Bloomberg describes is certainly plausible, something exactly what Bloomberg describes is impossible. Again there is the question of truth vs. near truth. There are other near truths involved. For example, we know that supply chains often replace high-quality expensive components with cheaper, lower-quality knockoffs. It's perfectly plausible that some of the incidents Bloomberg describes is that known issue, which they are then hyping as being hacker chips. This demonstrates how truth and near truth can be quite far apart, telling very different stories. Another example is a NYTimes story about a terrorist's use of encryption. As I've discussed before, the story has numerous "near truth" errors. The NYTimes story is based upon a transcript of an interrogation of the hacker. 
The French newspaper Le Monde published excerpts from that interrogation, with details that differ slightly from the NYTimes article. One of the justifications journalists use is that near truth is easier for their readers to understand. First of all, that's not justification for falsehoods. If the words mean something else, then it's false. It doesn't matter if it's simpler. Secondly, I'm not sure they actually are easier to understand. It's still techy gobbledygook. In the Bloomberg article, if I as an expert can't figure out what actually happened, then I know that the average reader can't, either, no matter how much you've "simplified" the language. Stories can solve this by both giving the actual technical terms that experts can understand, then explain them. Yes, it eats up space, but if you care about the truth, it's necessary. In groundbreaking stories like Bloomberg's, the length is already enough that the average reader won't slog through it. Instead, it becomes a seed for lots of other coverage that explains the story. In such cases, you want to get the techy details, the actual truth, correct, so that we experts can stand behind the story and explain it. Otherwise, going for the simpler near truth means that all us experts simply question the veracity of the story. The companies mentioned in the Bloomberg story have called it an out Hack
ZDNet.webp 2018-10-22 10:33:00 Trade.io loses $7.5Mil worth of cryptocurrency in mysterious cold wallet hack (lien direct) Hackers stole over 50 million TIO tokens. Have already withdrawn 1.3 million tokens. Hack
SecurityWeek.webp 2018-10-19 11:13:02 EU Leaders Vow Tough Action on Cyber Attacks (lien direct) EU leaders on Thursday condemned the attempted hack on the global chemical weapons watchdog and vowed to step up the bloc's efforts to tackle cyber attacks. With concerns growing about the malign cyber activities of several countries around the world, notably Russia, the bloc's leaders called for work to begin to set up sanctions to punish hackers. Hack Guideline
SecurityAffairs.webp 2018-10-17 13:48:03 Thousands of servers easy to hack due to a LibSSH Flaw (lien direct) The Libssh library is affected by a severe flaw that could be exploited by attackers to completely bypass authentication and take over a vulnerable server. The Secure Shell (SSH) implementation library, the Libssh, is affected by a four-year-old severe vulnerability that could be exploited by attackers to completely bypass authentication and take over a vulnerable server without requiring a […] Hack Vulnerability
SecurityWeek.webp 2018-10-16 17:39:01 Insurer Anthem Will Pay Record $16M for Massive Data Breach (lien direct) The nation's second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday. Data Breach Hack ★★★★★
ErrataRob.webp 2018-10-16 17:06:57 Notes on the UK IoT cybersec "Code of Practice" (lien direct) The British government has released a voluntary "Code of Practice" for securing IoT devices. I thought I'd write some notes on it. First, the good parts: Before I criticize the individual points, I want to praise it for having a clue. So many of these sorts of things are written by the clueless, those who want to be involved in telling people what to do, but who don't really understand the problem. The first part of the clue is restricting the scope. Consumer IoT is so vastly different from things like cars, medical devices, industrial control systems, or mobile phones that they should never really be talked about in the same guide. The next part of the clue is understanding the players. It's not just the device that's a problem, but also the cloud and mobile app part that relates to the device. Though they do go too far and include the "retailer", which is a bit nonsensical. Lastly, while I'm critical of most all the points on the list and how they are described, it's probably a complete list. There's not much missing, and at the same time, it includes little that isn't necessary. In contrast, a lot of other IoT security guides lack important things, or take the "kitchen sink" approach and try to include everything conceivable. 1) No default passwords: Since the Mirai botnet of 2016 famously exploited default passwords, this has been at the top of everyone's list. It's the most prominent feature of the recent California IoT law. It's the major feature of federal proposals. But this is only a superficial understanding of what really happened. The issue wasn't default passwords so much as Internet-exposed Telnet. IoT devices are generally based on Linux which maintains operating-system passwords in the /etc/passwd file. However, devices almost never use that. Instead, the web-based management interface maintains its own password database. 
The underlying Linux system is vestigial like an appendix and not really used. But these devices exposed Telnet, providing a path to this otherwise unused functionality. I bought several of the Mirai-vulnerable devices, and none of them used /etc/passwd for anything other than Telnet. Another way default passwords get exposed in IoT devices is through debugging interfaces. Manufacturers configure the system one way for easy development, and then ship a separate "release" version. Sometimes they make a mistake and ship the development backdoors as well. Programmers often insert secret backdoor accounts into products for development purposes without realizing how easy it is for hackers to discover those passwords. The point is that this focus on backdoor passwords is misunderstanding the problem. Device makers can easily believe they are compliant with this directive while still having backdoor passwords. As for the web management interface, saying "no default passwords" is useless. Users have to be able to setup the device the first time, so there has to be some means to connect to the device without passwords initially. Device makers don't know how to do this without default passwords. Instead of mindless guidance of what not to do, a document needs to be written that explains how devices can do this both securely as well as easy enough for users to use. Humorously, the footnotes in this section do reference external documents that might explain this, but they are the wrong documents, appropriate for things like website password policies, but inappropriate for IoT web interfaces. This again demonstrates how they have only a superficial understanding of the problem. 2) Implement a vulnerability disclosure policy: This is a clueful item, and it should be the #1 item on every list. Hack
TechRepublic.webp 2018-10-16 11:00:01 10 easy ways to hack your culture to succeed at digital transformation (lien direct) Changing company culture doesn't have to be difficult, according to Gartner. Here are tips for how to change the employee mindsets and practices that shape behavior. Hack
zataz.webp 2018-10-15 17:07:03 Fortnite aimbot hack undetected: cheating at Fortnite, more dangerous than a simple ban (lien direct) Fortnite aimbot hack undetected – Many players of the hit game Fortnite are tempted to cheat in order to reach the coveted top rankings. However, many cheat programs conceal software whose mission is to hack the cheaters. Fortnite aimbot hack undetected ... Hack
zataz.webp 2018-10-15 15:36:02 Yes We Hack listed in the Gartner Market Guide (lien direct) Now this is good news! Our friends at Yes We Hack have just made it into Gartner's famous “Market Guide”. Gartner Inc. is an American consulting and research company in the field of advanced technologies. The American firm has ... Hack
WiredThreatLevel.webp 2018-10-15 15:00:00 Climate Change Might Double the Cost of a Beer (lien direct) More extreme droughts and heat waves will hit barley especially hard, so growers are trying to hack the grain to make it more resistant. Hack
BBC.webp 2018-10-15 11:45:00 UK seeks to secure smart home gadgets (lien direct) Makers of small, smart home gadgets will be encouraged to do more to protect them against hack attacks Hack
Blog.webp 2018-10-14 14:28:00 (Déjà vu) Hack the Box: DevOops Walkthrough (lien direct) Today we are going to solve another CTF challenge “DevOops”. DevOops is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level. Level: Medium Task: To find user.txt and... Hack
TechWorm.webp 2018-10-14 12:23:01 Hackers accessed 29 million user accounts, says Facebook (lien direct) Facebook confirms 29 million users' data accessed by hackers: How to check if your account has been hacked Last month, Facebook was hit by the worst-security breach where the hackers accessed personal information of millions of users. Back then, Facebook had said that the hack had exposed data of approximately 50 million users. However, the […] Hack
ErrataRob.webp 2018-10-14 04:57:46 How to irregular cyber warfare (lien direct) Somebody (@thegrugq) pointed me to this article on "Lessons on Irregular Cyber Warfare", citing the masters like Sun Tzu, von Clausewitz, Mao, Che, and the usual characters. It tries to answer:...as an insurgent, which is in a weaker power position vis-a-vis a stronger nation state; how does cyber warfare plays an integral part in the irregular cyber conflicts in the twenty-first century between nation-states and violent non-state actors or insurgenciesI thought I'd write a rebuttal.None of these people provide any value. If you want to figure out cyber insurgency, then you want to focus on the technical "cyber" aspects, not "insurgency". I regularly read military articles about cyber written by those, like in the above article, which demonstrate little experience in cyber.The chief technical lesson for the cyber insurgent is the Birthday Paradox. Let's say, hypothetically, you go to a party with 23 people total. What's the chance that any two people at the party have the same birthday? The answer is 50.7%. With a party of 75 people, the chance rises to 99.9% that two will have the same birthday.The paradox is that your intuitive way of calculating the odds is wrong. You are thinking the odds are like those of somebody having the same birthday as yourself, which is in indeed roughly 23 out of 365. But we aren't talking about you vs. the remainder of the party, we are talking about any possible combination of two people. This dramatically changes how we do the math.In cryptography, this is known as the "Birthday Attack". One crypto task is to uniquely fingerprint documents. Historically, the most popular way of doing his was with an algorithm known as "MD5" which produces 128-bit fingerprints. Given a document, with an MD5 fingerprint, it's impossible to create a second document with the same fingerprint. However, with MD5, it's possible to create two documents with the same fingerprint. 
In other words, we can't modify only one document to get a match, but we can keep modifying two documents until their fingerprints match. Like a room, finding somebody with your birthday is hard, finding any two people with the same birthday is easier. The same principle works with insurgencies. Accomplishing one specific goal is hard, but accomplishing any goal is easy. Trying to do a narrowly defined task to disrupt the enemy is hard, but it's easy to support a group of motivated hackers and let them do any sort of disruption they can come up with. The above article suggests a means of using cyber to disrupt a carrier attack group. This is an example of something hard, a narrowly defined attack that is unlikely to actually work in the real world. Conversely, consider the attacks attributed to North Korea, like those against Sony or the Wannacry virus. These aren't the careful planning of a small state actor trying to accomplish specific goals. These are the actions of an actor that supports hacker groups, and lets them loose without a lot of oversight and direction. Wannacry in particular is an example of an undirected cyber attack. We know from our experience with network worms that its effects were impossible to predict. Somebody just stuck the newly discovered NSA EternalBlue payload into an existing virus framework and let it run to see what happens. As we worm experts know, nobody could have predicted the results of doing so, not even its creators. Another example is the DNC election hacks. The reason we can attribute them to Russia is because it wasn't their narrow goal. Instead, by looking at things like their URL shortener, we can see that they flailed around broadly all over cyberspace. The DNC was just one of thei Hack Guideline Wannacry
SecurityAffairs.webp 2018-10-10 20:44:05 GAO report reveals new Pentagon weapon systems vulnerable to hack (lien direct) According to a new report published by the Government Accountability Office (GAO) almost any new weapon systems in the arsenal of the Pentagon is vulnerable to hack. The new generation of weapon systems developed by the Pentagon is heavily computerized and for this reason more exposed to cyber attacks. According to a new 50-page report […] Hack
The_Hackers_News.webp 2018-10-10 00:43:04 Just Answering A Video Call Could Compromise Your WhatsApp Account (lien direct) What if just receiving a video call on WhatsApp could hack your smartphone? This sounds filmy, but Google Project Zero security researcher Natalie Silvanovich found a critical vulnerability in WhatsApp messenger that could have allowed hackers to remotely take full control of your WhatsApp just by video calling you over the messaging app. The vulnerability is a memory heap overflow issue Hack Vulnerability
ZDNet.webp 2018-10-09 22:22:05 Pentagon's new next-gen weapons systems are laughably easy to hack (lien direct) Bad passwords, non-encrypted communications, and a lot of unpatched bugs. Hack
Blog.webp 2018-10-09 17:00:05 Podcast Episode 115: Joe Grand on Unicorn Spotting and Bloomberg's Supply Chain Story (lien direct) In this week's episode (#115), noted hardware enthusiast and hacker Joe Grand (aka “Kingpin”) told reporters from Bloomberg that finding an in-the-wild supply chain hack implanting malicious hardware on motherboards was akin to witnessing “a unicorn jumping over a rainbow.” They went with their story about just such an... Hack
ZDNet.webp 2018-10-09 13:00:00 New Magecart hack detected at Shopper Approved (lien direct) Malicious code removed after two days. Impact is smaller compared to previous incidents at Ticketmaster, Feedify, or British Airways. Hack
AlienVault.webp 2018-10-09 13:00:00 5 Steps to Maximize Your Financial Data Protection (lien direct) A series of high-profile data breaches in 2017 made it clear that it's becoming more difficult to protect your and your customer's sensitive information from nefarious agents. As businesses expand, they develop and implement security policies that help protect their sensitive information from outsiders. Still, business growth means more computers, more laptops and more mobile phones—and more network endpoints means more security vulnerabilities and more opportunities for a small oversight to turn into a major data breach. Financial data breaches can spell disaster, especially for small businesses that have fewer resources to allocate toward proactive security measures and fraud prevention. To help out, we've outlined five steps that you can take to maximize your financial data protection in 2018. Take Inventory of Your Sensitive Financial Data The first step to effective financial data protection is to identify the data that is more important to protect. Your full assessment should answer the following questions: What data do I need to secure? What computers, servers, laptops, networks, or other devices is the information stored on? What devices can be used to access the data? What roles/titles will have permission to view the data? The best way to start enhancing data security is by restricting access. Isolate or segregate the data onto the fewest number of devices possible, and make it accessible to the fewest number of people. Conduct thorough background checks and ask for references when hiring employees that will come into contact with financial data. Implement Effective Password Controls Passwords are an important security measure used to prevent unauthorized users from accessing company laptops, e-mail accounts and other resources that could contain sensitive financial information. 
Password controls are a set of imposed guidelines for how your staff should set up the passwords that they use to access your sensitive data. Typical password controls include: Ensuring that passwords are long enough and that they contain a mixture of upper and lower-case letters, numbers and symbols. As passwords get longer, they become exponentially harder to hack by brute force. Hackers use all kinds of tricks to try and guess passwords—writing software that guesses dictionary words or combinations of words from the dictionary, or that guesses birth dates formatted in different ways. Passwords should be 10-12 characters long. Ensuring that passwords are changed on a regular basis, at least every 90 days for passwords used to access sensitive financial data. Ensuring that each individual user is assigned one username and password, and that login credentials are never shared. Protect Your Network with a Firewall Companies storing and transmitting financial data on an internal network should implement a firewall. A firewall is a hardware or software security device that monitors all incoming and outgoing network traffic and uses predefined security guidelines to determine whether it should be allowed or blocked. Firewalls establish a barrier between your trusted internal network and unauthorized external actors that might try to access or attack it. You may want to hire a cyber security expert who can help customize your firewall to your unique circumstances and advise you on how to address other potential network security threats. Look Out for Phishing Scams Sometimes, fraudsters don't have to gain access to your systems using technological means to attack your company financiall Hack Vulnerability
Last update at: 2024-07-01 07:09:18