The Three Infrastructure Mistakes Your Company Must Not Make

Avi Freedman has worked in networking for 30+ years and seen over 100 startups scale their infrastructure. Here are the most vital pieces of advice he has to share. They land themselves in Cloud Jail. They get sucked in by “hipster tools.” They don’t design for monitorability. Source: The Three Infrastructure Mistakes Your Company Must […]

Never explain, never apologize: Microsoft silent on Outlook.com email server grief

A tweak to Microsoft’s Outlook.com cloud service has blocked a good number of people from accessing their messages. Specifically, the baffling and unannounced change affects Outlook.com users with connected accounts: these are email accounts hosted on third-party servers (such as a company’s private server or an ISP’s mail server) that are accessed via the Outlook.com […]

Malware Evades Detection by counting the number of documents in recent files

A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found inside of a Word document looks for existing documents on targeted PCs. If no Microsoft Word documents […]

Mastercard rolls out pay-by-selfie across Europe

MasterCard’s “selfie pay” will be coming to Europe next year after trials in the US, Canada and the Netherlands. The financial services firm is rolling out technologies that will allow European consumers to authenticate their identity without a password, but with a selfie, in order to provide customers with a more convenient method to sign […]

DNS requests destroy Tor’s Anonymity

We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites. Our results show that DNS requests from Tor […]

Sending passwords using your body

One of the key applications for this system is for authenticating to medical devices worn on patients’ bodies. Devices such as wearable glucose monitors typically use wireless protocols such as Bluetooth to communicate, and those signals can be intercepted by attackers without much effort. The on-body transmission system can send credentials or encryption keys through […]

Police complaints drop 93 percent after deploying body cameras

A study from Cambridge University documents an immense drop in complaints against police officers when their departments began using body cameras. But even more surprising is that the data suggests everyone is on their best behavior whether the cameras are present or not. The data was collected in seven police departments in the UK and […]

WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords On Your Phone

Android/iOS: “Free Airport Wi-Fi” is almost always slow, a security nightmare, or expensive—but it’s likely not all that’s available in the airport. Luckily, WiFox is packed with tons of network names and passwords for airports around the globe, so you can surf happily—and safely. Source: WiFox Puts Thousands of Airport Wi-Fi Networks and Their Passwords […]

This Credit Card Has a Screen So Its Security Code Can Change Every Hour

The new system, developed by Oberthur Technologies, is called Motion Code, and it changes the security code on the back of the credit card every hour. That way even if a thief does steal the info, it will be useless in less than an hour, preventing nearly all fraudulent transactions. Other than a small screen on […]

Researchers crack Oz Govt medical data in ‘easy’ attack with PCs

Australian researchers have laid waste to the Federal Government’s plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by ‘easily’ cracking government-held medical data. Source: Researchers crack Oz Govt medical data in ‘easy’ attack with PCs Again it is surprising how governments try to criminalise that which […]

D-Link DWR-932 router is chock-full of security holes

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws. […]

Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

Assistant Professor Matthew Green has asked US courts for protection so that he can write a textbook explaining cryptography without getting sued under the Digital Millennium Copyright Act. Green, who teaches at Johns Hopkins University in Maryland, is penning a tome called Practical Cryptographic Engineering that examines the cryptographic mechanisms behind the devices we use […]

Azure is on fire, your DNS is terrified

Microsoft Azure is wobbling all around the world at the moment, especially Azure DNS. According to a status update on Microsoft’s site, the issues began around lunchtime, although there is no mention of when they are likely to be fixed. Customers using Azure DNS in multiple regions are experiencing difficulties connecting to their goodies at […]

Someone Is Learning How to Take Down the Internet – Lawfare

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who […]

Using known private keys on internet connected devices has gone up 40% since 2015

To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by […]

Inteno Routers given out by ISPs allow full administrative access

Several Inteno routers do not validate the Auto Configuration Server (ACS) certificate (CWE-295). An attacker in a privileged network position can Man-in-the-Middle the connection between the device and the Auto Configuration Server (ACS). If ACS has been preconfigured by the ISP (this is usually the case) no user actions are required for exploitation. Impact —— […]

Microsoft and pals attempt to re-write Wassenaar cyber arms control pact written by people who have no idea about IT and will make IT security business almost impossible

Microsoft and a team of concerned engineers from across the security sector have joined forces to suggest a major re-write of the arms control pact the Wassenaar Arrangement, as they fear the document’s terms are a threat to the information security industry. The pitch is the result of brainstorming by the group to redefine the […]

iPhones completely compromised by NSO Group. Update now!

Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the […]

Hackers discover flaws in hospital security capitalise on it by shorting shares in the hospital

When a team of hackers discovered that St. Jude Medical Inc.’s pacemakers and defibrillators had security vulnerabilities that could put lives at risk, they didn’t warn St. Jude. Instead, the hackers, who work for cybersecurity startup MedSec, e-mailed Carson Block, who runs the Muddy Waters Capital LLC investment firm, in May. They had a money-making […]

Windows 10 shows why automatic updates are bad, breaking PowerShell, webcams and rebooting randomly during activities.

Microsoft’s update for version 1607 doesn’t fix two widespread problems with Windows 10 Anniversary Update, and it causes problems with PowerShell DSC operations Source: Windows 10 cumulative update KB 3176934 breaks PowerShell This update contained a fix for the borked update below: The Windows 10 Anniversary Update has reportedly broken millions of webcams. If your […]

With TLS encryption, attackers can use this as a tunnel to hide attacks from legacy packet inspection tools.

Exactly a year ago, attackers used an advertisement on Yahoo to redirect users to a site infected by the Angler exploit kit. Just weeks before, users were exposed to more malicious software through compromised advertisements that showed up across the web. In total, at least 910 million users were potentially exposed to malware through these […]

Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software. Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to […]

Strawberrynet Beauty site lets anyone read customers’ personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers’ names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature […] The feature means customers are able to checkout quickly by just putting their email address into a […]

>25m accounts stolen after Russian mail.ru forums hacked

Two hackers were able to steal email addresses and easily crackable passwords from three separate forums in this latest hack. Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data — a little under 13 million records; the other two […]

MS Secureboot has a golden key – which has been hacked.

secureboot is a part of the uefi firmware, when enabled, it only lets stuff run that’s signed by a cert in db, and whose hash is not in dbx (revoked). As you probably also know, there are devices where secure boot can NOT be disabled by the user (Windows RT, HoloLens, Windows Phone, maybe Surface […]