Netsec – Telegram
This channel posts the feed from r/netsec.
For any suggestions dm @streaak
Donate to keep the bot running https://www.paypal.me/akhilgv
Boost.Beast security assessment technical report
http://ift.tt/2Bsf9Rg

Submitted January 25, 2018 at 07:25AM by ryanaraine
via reddit http://ift.tt/2n8PysC
Quora and you
Do you have a Quora (quora.com) account? Quora has acknowledged and claimed as a feature a very serious authentication(-less?) issue. You may have noticed that when you receive an email digest (possibly others), you appear to auto-login to the site. This might not seem unusual, although still questionable, and it has been brought up before. It logs you into a new session.
What you may not realize is that if you forward those emails to someone, say you wanted to share an interesting article, the recipient of your forwarded email WILL be able to log in as YOU. Quora says the auto-login link ability expires at some point, but the countdown only begins after the link is clicked initially. As for how long this countdown is, I can't say, but the deeper issue is that every account that I can tell is vulnerable, since an auto-login feature comes with all those emails. Initially I thought that it required a Google account connected and it may, but now I am not sure. I alerted Quora, who acknowledged the risk of forwarded email recipients being able to log in as the original recipient and concluded it was an acceptable risk. I would not have typed this up without the bug report having been marked closed by Quora.
Full access to the user's Quora account is given, which means you can unlink trusted accounts and link your own Twitter, Facebook, Google or LinkedIn, effectively hijacking the account completely. You can impersonate, edit and modify comments and articles, or just delete the account altogether. So next time you want to forward an article to a friend, or receive a forward, keep that in mind.

Submitted January 25, 2018 at 08:06AM by sman2428
via reddit http://ift.tt/2n9P45v
What is a good security system to hide in my bedroom where I can track movement and record what someone is doing for a brief moment in time?
My step dad has been stealing money from me, and I know this for a fact but he doesn't know that I know. I have set up traps in my room and then the traps go off and he is the only one home. I need to get 100% concrete proof of it even though I'm 100% positive, I need it on video. I have been looking to get a pretty small camera of some sort that will record my room when I am gone and my mom is not home, which is rare, but if it does happen we are only gone for an hour at a time, and that is when he does it. I need something that will ping my phone when movement occurs and maybe takes pictures or records it. Since he has taken several hundred from me, I'd prefer a recording device that isn't super expensive. Do you guys have any ideas? Thanks much!

Submitted January 25, 2018 at 09:23AM by ElvisDimera
via reddit http://ift.tt/2FcUiUw
Commercial Security Services at Tate Security Technology Ltd in UK
http://ift.tt/2Eb9sKR

Submitted January 25, 2018 at 03:46PM by TateSecurity
via reddit http://ift.tt/2DxIxHY
Exploit Mitigation Techniques - Stack Canaries - Exploit Development
http://ift.tt/2rF6ueH

Submitted January 25, 2018 at 04:09PM by Jen0vah
via reddit http://ift.tt/2n6pC0I
ASUS routers LAN-side unauthenticated remote code execution
http://ift.tt/2BsEyKX

Submitted January 25, 2018 at 05:13PM by jose_boneh
via reddit http://ift.tt/2Fce4iR
Reddit now offers two-factor authentication to all!
http://ift.tt/2Bs9HxQ

Submitted January 25, 2018 at 04:54PM by time-pass
via reddit http://ift.tt/2DMDy9L
Students asking basic pointers for a hackathon (beginner level)
Hello,
My school had an open invitation to attend a hackathon. I registered and was put into a group. There are several groups of students from my school participating in the same hackathon. There are 4 of us in this group. Apart from me and one other, we have some decent knowledge of Linux, and use of the software. The other two students didn't really understand what and how KALI even was.
Assuming you participate, and even if you don't find any vulnerabilities, we get credits for being a part of it.
That said, we would like to at least have a fighting chance. We have been given some basic instructions. I'm not sure where to start once we are connected to the network and have scanned it.
Note, I have set up my Kali Linux. It's dist-upgraded and ready to go.
These are my basic assumptions. Scan network with nmap, to find all available devices. We have been told they are 'hidden' somehow. I think this means scan the network with nmap at like T4? But what are the best options that I should be looking at?
Once we find all the devices. Nmap should help with OS detection etc. As well as open ports and versions.
This is where I get confused. They told us that the computers are like Windows 7 and full of holes.
How do I know what program/port to use so that I can apply metasploit exploits to it?
Clearly from reading this you can probably see my gaps in knowledge.
If you would kindly point out some tips and tricks, we would appreciate having a fighting chance. :)

Submitted January 25, 2018 at 08:44PM by beangay
via reddit http://ift.tt/2naWs0u
Why more sites don't use PGP/GPG for 2FA?
Reddit just enabled 2FA for all accounts using Google Authenticator. Many sites are using this method or text messaging. What if I don't want to use my phone or don't have it? If I forget my phone and head out for the day, I'm stuck.
This made me curious about another form of 2FA which is not used all that often: PGP (or GPG). Given the nature of Reddit, I would think there would be a good number of us who would use it if it was offered.
I assume it is because the number of people using PGP is relatively small when you consider the entire population of internet users. Other than that, is there another reason why more sites don't offer PGP as an option for 2FA?

Submitted January 25, 2018 at 09:15PM by flipjargendy
via reddit http://ift.tt/2E7pN2P
Developers + GDPR/PCI question
Does anyone know if PCI or GDPR policy restrict the app developers having access to customers' data? (e.g. some basic, some sensitive such as last 4 digits of card number).
I've been told yes but I don't believe that's reasonable. Fixing certain bugs seems impossible without setting the state of the data.

Submitted January 25, 2018 at 10:27PM by craigtaub
via reddit http://ift.tt/2naAY2F
High Risk Vulnerabilities within the DoD from Coldfusion, Dotnet Nuke, Oracle, and more
http://ift.tt/2DD4VUi

Submitted January 26, 2018 at 12:18AM by alyssathegryphon
via reddit http://ift.tt/2Gh43m0
Microsoft releases updated VS compiler for Spectre V2. Let the builds begin. GCC backports to v7
http://ift.tt/2DKCVNU

Submitted January 26, 2018 at 02:02AM by kn1ght
via reddit http://ift.tt/2FdFjcX