Atlanta ransomware attack locks down city computers
https://ift.tt/2GfStua
Submitted March 24, 2018 at 07:43AM by chull2058
via reddit https://ift.tt/2IJnF3f
USA TODAY
Atlanta hit by ransomware attack, city employees told not to turn on computers
A ransomware attack on the city of Atlanta means city workers at city hall can't turn on their computers, and WiFi at the airport is off.
Hackers leave ransom note after wiping out MongoDB in 13 seconds
https://ift.tt/2IJEw67
Submitted March 24, 2018 at 07:42AM by chull2058
via reddit https://ift.tt/2ILyKAS
HackRead
Hackers leave ransom note after wiping out MongoDB in 13 seconds
Hackers have been exploiting unprotected MongoDB based servers but in this incident, hackers left a ransom note after wiping out MongoDB in just 13 seconds.
Who Am I Mail Bot
https://ift.tt/2INYE7l
Submitted March 24, 2018 at 08:22AM by mthbernardes
via reddit https://ift.tt/2pB0tMC
GitHub
mthbernardes/WhoAmIMailBot
Contribute to WhoAmIMailBot development by creating an account on GitHub.
Web Application Penetration Testing Cheat Sheet
https://ift.tt/2Gizuzg
Submitted March 24, 2018 at 09:07AM by 0xJDow
via reddit https://ift.tt/2udSjif
JDow.io
Web Application Penetration Testing Cheat Sheet
This cheatsheet is intended to run down the typical steps performed when conducting a web application penetration test. I will break these steps down into sub-tasks and describe the tools I recommend using at each level.
Why do so many websites allow poor authentication? (and how it drives me to light social hacking for spam avoidance)
It seems like a lot of websites are at the mercy of users who type in an incorrect email address.

tldr; I feel justified resetting users' passwords if they give my email address by mistake. Is there a better way to deal with this? What security best practices are these websites failing at?

My email address is like this: flast at gmail.com. "f" is the first character of my first name; "last" is my last name.

It seems that I become the unintended target of lazy / absentminded / forgetful people about once a month who write or type their email address for some login or membership form. So I get an email saying "please click here to confirm your email address." Whereupon, I click to confirm, go to a login page, click on "forgot password", get emailed a reset link, then set the password to something like abcd123, log in and change the name to first name: invalid login, last name: invalid login, username: invalidlogin, email: invalidlogin@example.com. Basically hacking my way in, in the most low-tech way possible, to get my email address removed from the website.

The funny recent example was Xfinity Comcast, which asked me an extra security question: "what's your favorite beverage?" It took me six tries to guess. This has to be one of the weakest security questions in the world, assuming the average person isn't paranoid enough to intentionally obfuscate their answer.

Another example: someone must have bought a new Jeep, or at least shown interest, and wrote my email on the form, by mistake or by lack of thought and consideration, giving a "dummy" email address.

So, in part I guess I understand the problem. If someone's buying a new Jeep and has to write their email on a form, they don't bother to give their real email address, and the website doesn't feel any obligation to verify the email address correctly. Or in the previous example, I think it was some free trial web usage, so they also don't feel obliged to check the email address thoroughly.

But can someone comment on the best way these things should be done, from the website's perspective? Perhaps the website should require you to remember your email address for the first login before any reset-password requests, or otherwise time out the verification links after a few hours and make the user recreate their login?

I guess there's the time-old balance between ease of use for customers (and businesses that have a top priority of making it easy for customers to spend money) versus security.

I feel somewhat justified logging in to reset the email address, so that my email address is no longer in a big database somewhere and I'm not going to get endless marketing spam in the future.

Of course, I'm referring to big companies that have a no-reply email address and don't have a one-two-click way of dealing with these mistakes. If I think it's going to take me more than a couple of minutes to deal with this issue, I'll do it the grey-hat hacker way instead of jumping through hoops.

To summarize, I thought I'd share my story because I'm sure some of you will find it funny (and I'm sure some of you will chide me too). And I wondered what people think. Any stories to tell? Better ways to do this?
Submitted March 24, 2018 at 10:59AM by johnnyjohnsmith
via reddit https://ift.tt/2G1bQIb
reddit
Why do so many websites allow poor authentication?... • r/security
It seems like a lot of websites are at the mercy of users who type in an incorrect email address. tldr; I feel justified resetting users...
Responsibility Deflected, the CLOUD Act Passes
https://ift.tt/2FW9ji9
Submitted March 24, 2018 at 05:59PM by _Steamed_Hams
via reddit https://ift.tt/2IR8NQE
Electronic Frontier Foundation
Responsibility Deflected, the CLOUD Act Passes
UPDATE, March 23, 2018: President Donald Trump signed the $1.3 trillion government spending bill—which includes the CLOUD Act—into law Friday morning. “People deserve the right to a better process.” Those are the words of Jim McGovern, representative for Massachusetts…
Coinbase glitch is another case for moving towards a decentralized exchange
https://ift.tt/2I0GZb8
Submitted March 24, 2018 at 06:29PM by bucketsofskill
via reddit https://ift.tt/2HXWtgc
Rados
Coinbase Free Ether bug? Another Case For Moving To A Decentralized Exchange
A quick look at how the recent bug on the Coinbase trading platform shows that decentralized exchanges are the way forward...
Tumblr finally names the 84 accounts it says were Russian trolls
https://ift.tt/2GiV2LX
Submitted March 24, 2018 at 08:11PM by DerBootsMann
via reddit https://ift.tt/2pAvXTe
Ars Technica
Tumblr finally names the 84 accounts it says were Russian trolls
Tumblr says it "helped indict 13 people who worked for" Internet Research Agency.
I work security at a bar and last night when I turned someone away because he was so drunk he could badly stand, he said it was because I was racist and he could see it in my face that was the reason he wasn’t allowed in. What is a professional response to this?
I just said ‘you’re wrong, it’s because you can badly stand up’, luckily to which his mates all agreed.

This isn’t the first time it’s happened. It seems to be thrown around as the first excuse when someone hears something they disagree with quite a lot recently. I’m an Asian guy of Chinese descent and got quite frustrated when this was fired at me, so I wanna learn a good way to deal with it, but like I say it seems to be getting more and more common as some kind of defence. I’ve seen other security guards actually get quite uncomfortable and actually reverse their decision through fear of being called racist in front of other people if the person escalates it.

That seems insane to me.

Is there a good, professional answer or response to give in this situation?
Submitted March 24, 2018 at 10:26PM by Bloc101
via reddit https://ift.tt/2I22okr
reddit
I work security at a bar and last night when I turned... • r/security
I just said ‘you’re wrong, it’s because you can badly stand up’, luckily to which his mates all agreed. This isn’t the first time it’s...
The AVCrypt Ransomware Tries To Uninstall Your AV Software
https://ift.tt/2GfGBZf
Submitted March 24, 2018 at 10:38PM by Alan976
via reddit https://ift.tt/2G1oIhw
BleepingComputer
The AVCrypt Ransomware Tries To Uninstall Your AV Software
A new ransomware named AVCrypt has been discovered that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact information, this ransomware may…
The Case for Regulating the Internet
https://ift.tt/2ptqA8m
Submitted March 24, 2018 at 10:57PM by ga-vu
via reddit https://ift.tt/2IPnzHF
The Atlantic
It’s Time to Regulate the Internet
Mark Zuckerberg might believe the world is better without privacy. He’s wrong.
Encryption Testing.
How does one test the level of encryption on a network?

I have been searching online for some information on this for my assignment, but I haven't found much at all.

Does anyone know anything about encryption testing and could lend a hand? Maybe submit a few links for me; I would appreciate all the help I can get.

Dan
Submitted March 25, 2018 at 02:15AM by Danjdunham_
via reddit https://ift.tt/2DVxQhO
reddit
Encryption Testing. • r/security
How does one test the level of encryption on a network? I have been searching online for some information on this for my assignment, but i...
Delete Fb without deleting your profile. Stop targeted advertising and information gathering! Shoot me a message if you need advice. If you’re wondering what this is about, watch the news! lol
https://ift.tt/2G1WK5g
Submitted March 25, 2018 at 03:17AM by rweedn
via reddit https://ift.tt/2HYmhsg
reddit
Delete Fb without deleting your profile. Stop... • r/security
1 points and 0 comments so far on reddit
Exploiting Blind OOB XXE in the Wild [Bug Bounty]
https://ift.tt/2IPBzRn
Submitted March 25, 2018 at 04:20AM by chocoluvin
via reddit https://ift.tt/2IQZwba
∞ Growing Web Security Blog
Gaining Filesystem Access via Blind OOB XXE
Today, I’d like to share my methodology behind how I found a blind, out-of-band XML external entities (XXE) attack in a private bug bounty program. I have redacted the necessary information to hide…
Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys
https://ift.tt/2pE8tvK
Submitted March 25, 2018 at 12:18PM by Horus_Sirius
via reddit https://ift.tt/2GlRSqN
TSecurity Portal
Shodan Search Exposes Thousands of Servers Hosting Passwords and Keys
Apple's Tim Cook Calls for More Regulations on Data Privacy
https://ift.tt/2pAlUgL
Submitted March 25, 2018 at 12:16PM by Bastet1
via reddit https://ift.tt/2HYgZgz
Bloomberg.com
Apple's Tim Cook Calls for More Regulations on Data Privacy
Apple Inc. Chief Executive Tim Cook has called for stronger privacy regulations that prevent the misuse of data in the light of the controversial leak of Facebook user information.
Free Automated Malware Analysis Service
https://ift.tt/2pEH64J
Submitted March 25, 2018 at 01:28PM by Iot_Security
via reddit https://ift.tt/2pDeGJ8
Hybrid-Analysis
Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'Purchase Order…
Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.
Discovering Smart Contract Vulnerabilities with GOATCasino
https://ift.tt/2G2pvys
Submitted March 25, 2018 at 01:45PM by digicat
via reddit https://ift.tt/2pIetUn
reddit
Discovering Smart Contract Vulnerabilities with GOATCasino • r/netsec
2 points and 0 comments so far on reddit
Analyzing VPC flow logs
https://ift.tt/2FSZ1P5
Submitted March 25, 2018 at 05:59PM by tech-tramp
via reddit https://ift.tt/2pF6neP
TotalCloud Blog
Analyze VPC flow logs | Security | Performance - TotalCloud Blog
The VPC flow logs capture important information about the IP traffic to and from network interfaces, subnets and VPCs in the AWS infrastructure. They are used to monitor security by tracking traffic reaching and leaving the resources (instances, databases,…
Open Source Chrome Extension to Alert IDN/Unicode URLs
https://ift.tt/2GirkXF
Submitted March 25, 2018 at 07:06PM by jekapats
via reddit https://ift.tt/2IPVfVp
GitHub
phishai/idn-protect-chrome
idn-protect-chrome - Chrome extension to alert and possibly block IDN/Unicode websites
Unauthorized Cryptocurrency Mining Surged in 2017, Symantec Reports
https://ift.tt/2GflWV7
Submitted March 25, 2018 at 06:45PM by ga-vu
via reddit https://ift.tt/2pAubS7
eWEEK
Unauthorized Cryptocurrency Mining Surged in 2017, Symantec Reports
Attackers increasingly turned to cryptocurrency mining operations in 2017, as Symantec finds there was a sharp increase in the volume of attacks across multiple platforms.