Netsec – Telegram
This channel posts the feed from r/netsec.
For any suggestions dm @streaak
Donate to keep the bot running https://www.paypal.me/akhilgv
Let’s Talk About SSH Configuration Hardening...
The Problem

A lot of administrators install the SSH service and assume it's in top shape. What they don't realize is that system packages tend to be optimized for compatibility, not security. While a lot of systems include defaults that are fine for most cases, there is still a lot of room for improvement--especially for high-security environments.

Depending on how old the package for your distribution is, the default configuration may have the following problems:

Small host keys: 1024-bit RSA or DSA.
Weak key exchanges: Diffie-Hellman groups using small 1024-bit moduli, or exchanges using deprecated hash algorithms like SHA-1.
Vulnerable ciphers: 3DES, RC4, and SWEET32-vulnerable ciphers like Blowfish and CAST.
MACs based on weak hash algorithms: MD5 or SHA-1.

As long as your users have reasonably modern SSH clients, you can fix all of the problems above without interoperability issues. And for those users who are lagging behind, well... chances are their client software has unpatched security problems anyway (note that 4 vulnerabilities have been fixed in PuTTY so far in 2017).

Ubuntu and RHEL Defaults

Let's take a look at a fully-patched Ubuntu 16.04 LTS server. Its default config comes with a good selection of ciphers (chacha20-poly1305 is the default with backups using AES in CTR & GCM modes), but it supports some SHA-1 based algorithms for MACs and key exchange. Furthermore, its default RSA key is 2048-bit, which is equivalent to 112-bits of brute-force strength; to get 128-bits of security, this needs to be re-generated with a 3072-bit key. [1]

Things are much worse for RHEL/CentOS 6 (which is supported until 2024). Its default config supports 1024-bit Diffie-Hellman key exchanges (this is believed to be breakable by state-level adversaries! [2]), along with the weak RC4 cipher, Blowfish & CAST (both affected by the SWEET32 attack), as well as several MACs based on MD5 and SHA-1! Unless you take specific steps after installation, the RHEL/CentOS 6 SSH service is pretty abysmal.

Scanning Tools

The excellent (and open-source) ssh-audit tool will help you find problematic options enabled in your SSH service. But since not all admins are comfortable with command-line tools, I've gone ahead and written a web front-end to it for convenience, which also includes a comprehensive list of references for all discovered problems. You can find it here: http://ift.tt/2ysa1zW

Hardening Guides

Stribik András wrote this excellent, general-purpose hardening guide in early 2015. While it does a great job in breaking down the different options available, it is slowly becoming out of date, and doesn't take specific versions of OpenSSH into consideration (for example, newer versions of OpenSSH support DH Groups 16 & 18 from RFC3526, but a fully patched Ubuntu 16.04 LTS system uses a slightly older version that doesn’t include them). To compensate, I've written a set of guides specific to OS releases that optimize security for each platform.

You can find the improved hardening guides here: http://ift.tt/2yqMuj9

References

[1] U.S. Department of Commerce, National Institute of Standards and Technology, "Special Publication 800-57, Part 1, Revision 4, Recommendation for Key Management, Part 1: General", http://ift.tt/1P17KJc, Jan. 2016, pg. 53.

[2] Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., and Zimmermann, P., "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", http://ift.tt/1RbPYEP, Oct. 2015.

Submitted November 01, 2017 at 08:36PM by therealjoetesta
via reddit http://ift.tt/2irX92j
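An added example, not part of the post above and not code from ssh-audit: a small check that flags the weak key exchanges, ciphers and MACs the post lists in effective sshd configuration text of the kind `sshd -T` prints. The sample input is constructed, the function and rule names are this example's own, and host key size is not checked here.

```python
import re

# Weak-algorithm rules, one set per sshd keyword, following the post's categories.
RULES = {
    "kexalgorithms": [
        (r"^diffie-hellman-group1-", "1024-bit Diffie-Hellman group"),
        (r"-sha1$", "key exchange hashed with SHA-1"),
    ],
    "ciphers": [
        (r"^3des-", "3DES"),
        (r"^arcfour", "RC4"),
        (r"^(blowfish|cast128)-", "64-bit block cipher (SWEET32)"),
    ],
    "macs": [
        (r"md5", "MD5-based MAC"),
        (r"sha1", "SHA-1-based MAC"),
    ],
}

def audit(config_text):
    """Return sorted (keyword, algorithm, reason) findings for sshd config text."""
    findings = set()
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in RULES:
            continue  # not one of the algorithm-list keywords
        keyword = parts[0].lower()
        for alg in parts[1].strip().split(","):
            for pattern, reason in RULES[keyword]:
                if re.search(pattern, alg):
                    findings.add((keyword, alg, reason))
    return sorted(findings)

# Constructed sample in the layout `sshd -T` prints (not taken from a real host).
SAMPLE = """\
port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes256-ctr,arcfour,blowfish-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-md5,hmac-sha1
"""

if __name__ == "__main__":
    for keyword, alg, reason in audit(SAMPLE):
        print(f"{keyword}: {alg} -> {reason}")
```

On a real host the input would be the captured output of `sshd -T`, which reports the effective settings including compiled-in defaults that never appear in sshd_config.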
PROPagate – a new code injection trick – 64-bit and 32-bit
http://ift.tt/2A4z3BH

Submitted November 03, 2017 at 11:52PM by maxxori
via reddit http://ift.tt/2AglCQ2
PE File Infection Part II
http://ift.tt/2yt95vu

Submitted November 04, 2017 at 01:29AM by Evil1337
via reddit http://ift.tt/2iXpzF1
CertStream - Real time streaming updates from the Certificate Transparency network.
http://ift.tt/2yrxSQt

Submitted November 04, 2017 at 02:25AM by zer01
via reddit http://ift.tt/2yrzpGd
Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability
http://ift.tt/2xY9IJ6

Submitted November 04, 2017 at 03:29AM by bagaudin
via reddit http://ift.tt/2zbpTUB
Best hacking reference and learning resource I’ve seen yet. Anyone can learn required skills here to become cybersecurity experts; it will take work...
http://ift.tt/2zjE8Je

Submitted November 04, 2017 at 12:23PM by PowerPuffSoldier
via reddit http://ift.tt/2Ak2oJu
Brihaspathi Technologies- CCTV Cameras Client Feedback
http://ift.tt/2y0Cn0d

Submitted November 04, 2017 at 05:39PM by cctvcamera3
via reddit http://ift.tt/2zesyNs