Netsec – Telegram
This channel posts the feed from r/netsec.
For any suggestions dm @streaak
Donate to keep the bot running https://www.paypal.me/akhilgv
Public disclosure in the public interest?
I have discovered a security bug related to authentication on a major US-based website (estimated 10M monthly users). The bug allows anyone with local physical access to a computer to access the last logged-in user's full account - even after that victim believes they've signed out. This includes after the browser is closed, quit, and the computer has been restarted. This bug exposes personal identity information, financial information, and financial account access - including the ability to withdraw funds (some accounts may have additional security protecting against funds withdrawn, but not all).

I have responsibly disclosed this bug through the company's bug bounty program on January 26th. I have made at least four attempts to be aggressive in helping the company support/security team recognize the severity of this bug. But their responses have all been a form of "working as designed" and "it's not great, but that's the way it works". (Unbelievable I know, but those are the facts for this case).

I attempted to report this bug to the relevant US government regulators. The regulators responded, but did not request any details about the specifics of the bug. They had no follow up after a simple "who are you" call. I have informed the company that I contacted the US regulators.

I believe this bug is likely one of the worst kind of bugs - because while it is not a remote access vulnerability, it is a very high impact vulnerability. It is very likely to cause a lot of damage to a few users. To those users, and perhaps even to the company, it will be completely inexplicable. Victims of unauthorized funds transfers will know they are victims, but to the company it will appear as a "one off case of user-error". Because there are so many users on this site, the exploit could occur many times before the company, regulators, or users identify the access vulnerability.

Questions:

1) Are there any resources or experts that I could consult on whether public disclosure, for the purposes of applying pressure to the company, would be appropriate? (My hypothesis is that public disclosure is appropriate, based on the severity of the impact, the disinterest of the company, and the elusiveness of the cause)

2) Are there any other paths for disclosure that I should attempt before public disclosure?

3) If I were to publicly disclose, I would inform the company of a date of pending public disclosure. How many days of pre-disclosure time should I provide the company? (It has already been 30 days).

Submitted March 03, 2018 at 05:23AM by dreamingwell
via reddit http://ift.tt/2F7VAV7
Issues installing Kaspersky on Windows 10.
Anybody here ever seen issues with this? I only use Kaspersky cause it's the one I pay for and it works. Just got Windows 10 installed and it gets to 10% then says error can't connect to server, check your internet connection. My connection is perfect. My friend thinks it's the firewall.

Submitted March 03, 2018 at 07:33AM by ChampionDreamerMusic
via reddit http://ift.tt/2I13OvZ
Turning your web traffic into a Super Computer
http://ift.tt/2FN16JP

Submitted March 03, 2018 at 08:57AM by eloquinees_husband
via reddit http://ift.tt/2CVjP2M
23,000 TLS certificates compromised because the CA's CEO emailed all the private keys to a partner without encryption
http://ift.tt/2GU2JEW

Submitted March 03, 2018 at 03:23PM by thestarflyer
via reddit http://ift.tt/2oMBLI3
Upgrading security cameras
Currently I am upgrading our security system and cameras come first. We currently have a 16 channel nvr that is outdated and barely works so here are my questions:

Is there an nvr out there that is affordable that can utilize more than just one brand?

I have blue iris software that I could use but I’m not sure it’s cost effective to build a computer for this or better to go with an nvr.

Should I just stick to one brand? If so, is Amcrest going to be around a while? Reolink? What brand will allow me to not get stuck 4 years later being outdated and unable to expand?

Amcrest makes a 32 channel nvr that is cheap. Are they a good brand?

I am open to whatever suggestions. I currently have an outdated interlogix system with 16 poe 1mp cameras. I upgraded to blue iris software thinking I could expand that way because the program can use any poe camera. Unfortunately my computer (16gb ram, i7-4900 processor, with he graphics card and 4tb nas) can’t keep up with the recording process.

Any advice?

Submitted March 03, 2018 at 08:20PM by jeffers049
via reddit http://ift.tt/2FaLoau
Hacking into NET router for fun and profit [FULL DISCLOSURE]
http://ift.tt/2FjGVWg

Submitted March 03, 2018 at 09:45PM by mthbernardes
via reddit http://ift.tt/2F7U5Xg
Is Your School Safe? Our Mission: Make it Safer
http://ift.tt/2FN6Hjr

Submitted March 03, 2018 at 11:50PM by Zaddyboy
via reddit http://ift.tt/2F7opNp
Is your Wi-Fi network secure?
http://ift.tt/2Fn3UzQ

Submitted March 04, 2018 at 09:26AM by djmackphunk
via reddit http://ift.tt/2tezV8n
Betraying the BIOS: Where the Guardians of the BIOS are Failing [See Comment for more Details]
http://ift.tt/2HZ2B8u

Submitted March 04, 2018 at 12:07PM by TechLord2
via reddit http://ift.tt/2Fid54z
OSINT tool to generate targeted lists of probable usernames from LinkedIn. No API key required. Built this to use with the great LyncSmash tool and had excellent results on a recent external pentest.
http://ift.tt/2Fmrg8I

Submitted March 04, 2018 at 04:28PM by initstring
via reddit http://ift.tt/2H2xKGO
WIRED VS WIRELESS
Hi guys, talked with a telecommunication student about the way I would communicate with some security doors and he said that if I use wires it will be super easy to breach and I should go for wireless wpa2 psk instead, and I was baffled and it ruined everything I knew about physical security. Please understand that the telecommunication student had only wireless courses so he might be 99% wrong and I can't confirm, need some assistance on the topic, just opinions not professional advice, don't send me to :( asknetsec.

tldr: just some electronic doors connected to a special server, was thinking how to connect them

Submitted March 04, 2018 at 04:50PM by TrueFlamelord
via reddit http://ift.tt/2tfTJbj
Is Your WiFi Network Secure?
http://ift.tt/2oOQemG

Submitted March 04, 2018 at 05:27PM by wewewawa
via reddit http://ift.tt/2I2HNgy
[question] Is it possible to Restart (not reset) the wifi router without knowing its admin username and password?
Hello guys so I have shared internet for which I am paying for but the guy who has the router doesn't want to share its login details with me. I am ok with that because it's applied on his name but the problem is that every once in a while the router would randomly disconnect from the internet and to most of the time to make it connect again is to restart the router, since I do not have the access to it nor I can do it physically because I live in another house and connected to it via WiFi. Is it possible to send a command to force it to restart?

Any ideas?

Submitted March 04, 2018 at 10:22PM by Climbing_a_Mountain
via reddit http://ift.tt/2CXmucC
RIP CERT.org – You Will Be Missed
http://ift.tt/2FeA8Ki

Submitted March 05, 2018 at 01:08AM by campuscodi
via reddit http://ift.tt/2CYUNQo
Infosec news app now includes /r/netsec
http://ift.tt/2GxMdKy

Submitted March 05, 2018 at 12:31AM by acmegahz123
via reddit http://ift.tt/2oO7fxB