What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
AlienVault.webp 2017-12-08 14:00:00 Things I Hearted this Week – 8th December 2017 (direct link) I’ve been spending a couple of days this week at the SANS EU Security Awareness Summit, which has featured some exceptionally good speakers. Dr. Jessica Barker was the opening keynote and made some great points about optimism and how positive reinforcement is a far better motivator in security than the usual negativity. As I’m one that likes to take on board good ideas and implement them as quickly as possible, today’s wrap-up will feature an optimistic and bright tone. So, put on your rose-tinted glasses, sit back, and enjoy this week’s wrap-up. Uber invests in Florida youth A hacker only identified as a 20-year-old Florida man was apparently behind the Uber breach a year ago. Uber was so grateful it awarded him $100,000 via the HackerOne bug bounty platform, but wanted to keep its act of philanthropy quiet. No word on whether the youth will spend the money on an orphanage or an animal shelter, but we are hopeful. Uber hacked by a 20-year-old man in the US | Computer Weekly Uber paid 20-year-old man to hide hack, destroy data | ZDNet Three Uber security managers resign after CEO criticizes practices | Reuters $60m in bitcoin shared The days of Robin Hood aren’t over. Over $60m in cryptocurrency has been involuntarily redistributed after hackers broke into the Slovenia-based bitcoin mining marketplace NiceHash. More than $60 million worth of bitcoin potentially stolen after hack on cryptocurrency site | CNBC Bitcoin: $64m in cryptocurrency stolen in 'sophisticated' hack, exchange says | The Guardian $60m Bitcoin heist potentially hits cryptocurrency mining site | CBRonline Three ways to improve cybersecurity maturity I really like the name “The Rochford Files”, which is the contributed blog by Oliver Rochford on CSO. Keeping in tune with my optimistic theme, the subtitle is “here’s what’s holding us back”, but I’d rather rephrase it as “Here are our greatest opportunities”. 3 common cybersecurity maturity failings Predictions It’s that time of year for everyone to collectively gaze into crystal balls and predict what the new year will bring. I jumped onto the bandwagon myself and boldly made some predictions. The good thing about the future, though, is that it never comes, so you can never be proven wrong! Six Cybersecurity Predictions for The Year Ahead | AlienVault Guideline Uber
DarkReading.webp 2017-11-27 16:40:00 Uber's Security Slip-ups: What Went Wrong (direct link) The ride-sharing company's decisions leading to a 2016 data breach and its handling of the incident should serve as a cautionary tale for enterprises facing a breach. Guideline Uber
globalsecuritymag.webp 2017-11-22 10:03:03 Uber Leak: Malwarebytes' reaction (direct link) Following the hack at Uber and the theft of data concerning 57 million users, I am passing on below the reaction of Jérôme Segura, Lead Malware Intelligence Analyst at Malwarebytes. "What we know so far is that the attackers managed to access private GitHub accounts containing the usernames and passwords of some Uber developers. (*) Using this information, they were able to log in to the Amazon servers (used by Uber) and download (...) - Markets Guideline Uber
ComputerWeekly.webp 2017-11-22 05:30:12 Uber recognises need for consumer trust after breach cover-up (direct link) New Uber leadership has recognised the importance of consumer trust and that it never should have attempted to cover up a 2016 data breach that affected millions of customers and drivers. Guideline Uber
AlienVault.webp 2017-11-03 13:00:00 Things I Hearted this Week – 3rd November 2017 (direct link) It’s been another busy, interesting, and confusing week in the world of security and technology, so let’s just get down to it. 50k Aussie government and bank staff records breached The personal details of more than 4,000 government employees have been exposed in a massive data breach of 50,000 staff records from various companies across Australia. It is believed to be the second-largest data breach in Australian history, after the details of just over half a million blood donors were accidentally leaked by the Red Cross in 2016. Contractor breach exposes 50k Aussie govt, bank staff records | IT News AMP among companies affected by data breach of 50,000 staff records | The Guardian Wrestling student hacks grades A former chemistry student allegedly used keystroke-logging gadgets to steal tutors' passwords, change classmates' grades and download copies of exams ahead of time. Amateur wrestler Trevor Graves, 22, who studied at the University of Iowa, was arrested and indicted this month on two hacking charges, each of which could land him up to ten years in the clink if found guilty. In paperwork (pdf) submitted to an Iowa district court, FBI agent Jeffrey Huber recounted that in December of last year one of the university's teachers noticed that Graves' grades had mysteriously improved. High-tech cheating scheme prompts charges at University of Iowa | Press Citizen FBI: Student wrestler grappled grades after choking passwords from PCs using a key logger | The Register Hackers Using Default SSH Creds to Take Over Ethereum Mining Equipment A threat actor is mass-scanning the Internet for Ethereum mining equipment running ethOS that is still using the operating system's default SSH credentials. The attacker is using these creds to gain access to the mining rig and replace the owner's Ethereum wallet address with his own. Replacing this wallet ID sends all subsequent mining revenue to the attacker instead of the equipment's real owner. Change your default credentials, kids. Or better still, manufacturers: force users to change default credentials on first use! Hackers Using Default SSH Creds to Take Over Ethereum Mining Equipment | Bleeping Computer How to become a pentester This one is from the archives, but equally relevant today as it was two years ago when published. It goes through a lot of the methodology and answers most questions budding pen testers would have. How to become a pentester | Corelan Team Circle with Disney web filter riddled with vulnerabilities A ‘smart’ thing made by Disney has more holes in it than Swiss cheese. Who could have ever predicted such a thing? Circle Guideline Uber
AlienVault.webp 2017-05-12 13:00:00 AES 12th May 2017 - Keeping an Eye on IT Security So You Don't Have To (direct link) It’s about ethics in bug bounties I’m a big fan of bug bounty programmes and responsible disclosure. I think they work well as additional checks and balances for issues that may slip through the initial security reviews. Bug bounty platforms are similar to a dating service. They pair up companies with researchers that will look for vulnerabilities within the defined scope and facilitate the payment of the bounty. But what happens when a company that sells morally dubious (but not necessarily illegal) software wants to run a bounty? It puts the bounty provider in a bit of a dilemma. On one hand, it could remain completely impartial and simply act as a conduit to help create secure software. On the other hand, it is facilitating the betterment of software that could be used for malicious purposes. Such was the case when spyware company FlexiSPY showed interest in moving their bug bounty program to HackerOne. The resultant blog post illustrates some of the ups and downs in arriving at an answer. Casey Ellis, CEO of BugCrowd, was far more direct in his approach and dismissal of FlexiSPY. On the bright side of bug bounties It’s great to see researchers rewarded for finding bugs and vulnerabilities fixed. But for the rest of the security community, it’s always great to read a detailed write-up on how the researcher discovered the bug and validated it. It serves as a good learning experience for the rest of us. How my car insurance exposed my position Hacking my trash company Emergency Microsoft patch It feels like the topic of responsible disclosure is never-ending. I’m going to add responsible disclosure to the list of things I won’t talk about in social settings, joining politics, religion, and passwords. Last Friday, Google researcher Tavis Ormandy stated that he and fellow researcher Natalie Silvanovich had discovered “the worst Windows remote code exec in recent memory”. While no further details were released, it left many security professionals hanging over a nail-biting weekend to learn about this vulnerability. Some disagreed with the approach and timing, stating that it was scaremongering, or an attempt to gain exposure. Either way, Microsoft turned it around very quickly, earning the praise of Ormandy and others, and pushed a critical out-of-band update for the Microsoft Malware Protection Engine to plug the vulnerability. MS plugs crazy bad bug with emergency patch Crazy bad bug in Microsoft’s Windows malware scanner can be used to install malware The Government's Role in Insecurity As much as I personally try to steer clear of politics, cyber security and politics are well and truly bedfellows in this day and age, whether it be hacking during elections, leaks, or spying. The Guardian ran a piece entitled Cyber-insecurity is a gift for hackers, but it’s our own gover Guideline Uber
AlienVault.webp 2017-03-24 13:00:00 Alien Eye in the Sky 24th March, 2017 (direct link) Keeping an eye on the latest in the world of information security week after week illustrates the variety of concerns, errors, and attacks that present themselves. It has been reported that a British bank is ‘identifying trafficked sex workers by tracking contraceptive spending’. While the cause may be good, one must wonder how long before banks are sharing full-scale analysis of spending and profiling with big brother? Bug bounties and vulnerability disclosure co-ordination continue to be adopted. With Intel offering up to $30,000 for bugs in its hardware and the UK’s NCSC launching a vulnerability co-ordination pilot, it’s in the news. Self-driving cars have been the fantasy of most kids who grew up in the 80’s watching Knight Rider. There have been many exciting developments in this space, but it still looks like truly self-driving cars have little more than lane discipline and variable cruise control, as Uber’s autonomous cars drove 20,354 miles and had to be taken over at every mile, according to documents. An interesting and in-depth read: The New Handbook For Cyberwar Is Being Written By Russia. People will often complain about government agencies such as the NSA or GCHQ being able to spy on individuals. However, it’s important not to overlook those who seek to gain access to your systems and data for nefarious activities that can directly impact you. As this article takes the creepiness level up to 11, it’s worth remembering that even simple security measures such as webcam covers (or a bit of tape) can help save harassment. Meet the men who spy on women through their webcams. How to Think About Likelihood, Probability and Frequency. More interesting stories: Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom Saks Fifth Avenue, Three U.K. Mistakenly Expose Customer Data Double Agent attack can turn antivirus into malware With a couple of comments from me, How to keep your laptop safe under the new airline ban. Russian man pleads guilty to over $500m malware s Guideline Uber
The_State_of_Security.webp 2017-02-09 13:09:38 French man sues Uber after privacy bug led wife to suspect adultery (direct link) Modern technology has probably done more than its fair share to ignite illicit relationships, but it can also lead to a romantic affair's unravelling. Guideline Uber
The_State_of_Security.webp 2016-09-19 18:26:00 Uber, Twitter, Other Major Tech Players Unite to Improve Cybersecurity Standards (direct link) Leading tech companies, including Uber, Twitter, Dropbox and Square, recently announced their collaboration to form the Vendor Security Alliance, a new coalition committed to improving Internet security. The VSA aims to establish cybersecurity standards that businesses can use to assess the security of potential third-party providers. The alliance will be releasing a yearly security […]… Guideline Uber
DarkReading.webp 2016-09-16 18:16:37 DarkReading: Uber, Dropbox, Other Tech Leaders Team Up To Boost Vendor Security http://ubm.io/2ceZ1Ly (direct link) Guideline Uber
grahamcluley.webp 2016-08-02 07:55:29 Advertisers could be tracking you via your battery status (direct link) A legitimate reason to poll your battery's status is to stop intensive operations from executing if you're running low on juice. But it's also open to exploitation by those who want to track your online activity, writes Lukasz Olejnik: The information provided by the Battery Status API is not always changing fast. In other words, it is static for a period of time; it may give rise to a short-lived identifier. At the same time, users sometimes clear standard web identifiers (such as cookies). But a web script could analyze identifiers provided by the Battery Status API, which could then possibly even lead to recreation of other identifiers. A simple sketch follows. An example web script continuously monitors the status of identifiers and the information obtained from the Battery API. At some point, the user clears (e.g.) all the identifying cookies. The monitoring web script suddenly sees a new user - with no cookie - so it sets new ones. But battery level analysis could provide hints that this new user is - in fact - not a new user, but the previously known one. The script's operator could then conclude and reason that this is a single user, and resume with tracking. This is an example scenario of identifier recreation, also known as respawning. A recent study [PDF] reported that battery status is being monitored by some tracking scripts. It sounds like it would be a positive step if browsers stopped accessing such detailed information about our battery. Aside from tracking, there are other ways that battery information could be exploited. Uber, for instance, says that it knows customers are more likely to accept a much higher price to hire a cab when their battery is running low. Guideline Uber
Last update at: 2024-06-03 05:08:10