mcherm : security   1181

Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
Choosing good passwords doesn't even matter. If the attacker does not download the password file, then they only get to try a few guesses before they're blocked. If they do download the password file, high-speed cracker hardware is cheap.
security  via:reddit 
22 days ago by mcherm
Moscow's blockchain voting system cracked a month before election | ZDNet
In case you needed it, here is yet another example of why voting should not be performed on cutting edge technology.
blockchain  ethereum  voting  via:HackerNews  security 
24 days ago by mcherm
Researcher publishes second Steam zero day after getting banned on Valve's bug bounty program | ZDNet
Valve doesn't give out bounties for security bugs that risk takeover of your machine rather than risking takeover of your Steam account. They also do not seem to allow security researchers to report such bugs.
security  steam  responsibledisclosure 
28 days ago by mcherm
Black Hat: GDPR privacy law exploited to reveal personal data - BBC News
He tested and found that LOTS of companies gave away information on someone else when it was asked for via GDPR channels.
security  law  via:HackerNews 
5 weeks ago by mcherm
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
A serious security issue in Zoom (on Mac it installs a web server locally which does things like launching the Zoom client). Also a very clear example of responsible disclosure by a professional.
security  zoom  via:HackerNews 
10 weeks ago by mcherm
A better zip bomb
Flaws in the design of the zip file format make it abusable in interesting ways.
security  via:reddit 
11 weeks ago by mcherm
How does Apple (privately) find your offline devices? – A Few Thoughts on Cryptographic Engineering
Wild speculation about what protocol COULD protect privacy while continuously reporting on the location of RFID tags.
algorithms  security  privacy  via:HackerNews  apple 
june 2019 by mcherm
I can see your local web servers
Yipes! Local stuff accessible via HTTP (but ONLY on your local machine) is vulnerable to probing by malicious web pages.
security  web  internet  via:HackerNews 
may 2019 by mcherm
What I Learned Trying To Secure Congressional Campaigns (Idle Words)
A really good description of the author's experience and learnings from trying to help political campaigns with their security.
security  politics  via:HackerNews 
may 2019 by mcherm
The search for the kryptonite that can stop CRISPR - MIT Technology Review
CRISPR can do a lot of harm. Can we build something that STOPS it from editing genes? Several labs are trying.
security  biology  via:HackerNews  science 
may 2019 by mcherm
Graphing Calculator Story
The story of a couple of developers who built an entire product for Apple by sneaking into the building.
history  apple  via:reddit  hacking  culture  startup  security 
may 2019 by mcherm
A Conspiracy To Kill IE6
How a couple of Google programmers working on YouTube decided on their own (without permission) to deprecate IE6 for the good of web developers around the world.
history  easteregg  browsers  web  via:HackerNews  security  google 
may 2019 by mcherm
The sim swap the US isn’t using | Ars Technica
To prevent the theft of SIM numbers for defeating text-based multi-factor authentication, mobile phone carriers around the world are letting banks know when a number has been recently changed. Except in the US, where the phone carriers won't participate.
security  banking  ArsTechnica  via:ArsTechnica 
april 2019 by mcherm
The inception bar: a new phishing method
Chrome hides the nav bar once you scroll. A malicious website can show a fake nav bar.
security  phishing  browsers  via:HackerNews 
april 2019 by mcherm
Don’t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild | the morning paper
A security attack on web apps that use local storage: compromise in one visit to the site, then lock in that access for future sessions by injecting an attack into the data in local storage.
webdevelopment  security  via:HackerNews 
april 2019 by mcherm
Phishing and Security Keys – Mark Risher – Medium
Physical keys are better against phishing because time-based keys and sent-to-phone keys can both be compromised by man-in-the-middle during a brief window of time.
security  via:boingboing 
april 2019 by mcherm
No one should have to travel in fear – Andreas Gal – Medium
Quote: "When I became a U.S. citizen I swore to defend the Constitution. I’m a proud U.S. citizen and I take my oath seriously. It is in that spirit that I have filed a civil rights complaint with the help of the ACLU"
police  policeabuse  TSA  security  via:Techdirt 
april 2019 by mcherm
How To Spoof PDF Signatures
How digital signatures in PDFs work. Oh, and the researchers found 3 major flaws that affected nearly every PDF viewer program they could find.
security  via:HackerNews  PDF 
march 2019 by mcherm
The Line of Death | text/plain
In browsers, there is a concept of trying to maintain separation between those pixels controlled by the browser (thus trustworthy) and those controlled by the page (unreliable). It's much harder than it sounds.
ui  design  security  via:IanBicking 
march 2019 by mcherm
FIDO2 Project - FIDO Alliance
An overall approach to web authentication. WebAuthn (part of it) was just approved as a W3C standard. I should read up on this and learn it.
security  programming  authentication  web  internet  standards  via:HackerNews 
march 2019 by mcherm
Mozilla Says Australia's Compelled Access Law Could Turn Staff There Into 'Insider Threats' | Techdirt
Australia passed a law which arguably allows them to order people to put back doors into tech products. Some companies now say they'll have to treat Australian employees as security threats.
law  security  techdirt  via:Techdirt 
march 2019 by mcherm
CISA issued its first Emergency Directive
Someone is using DNS hijacking to make probes or outright attacks against US government systems. The recently-formed US government agency has now issued instructions to protect against DNS hijacking.
security  via:HackerNews 
february 2019 by mcherm
Equifax mystery: Where is the data?
The Equifax data (full credit bureau data on half the population of the US) never turned up anywhere and hasn't (obviously) been used. The guess is that it was a government actor.
security  via:slashdot 
february 2019 by mcherm
The Linux Backdoor Attempt of 2003
Someone attempted to put a backdoor into the Linux kernel through subtly malicious C code. They were caught and it didn't work.
security  bug  hacking  opensource  via:reddit 
february 2019 by mcherm
Apple revokes Facebook’s developer certificate over data-snooping app—Google could be next | Ars Technica
Facebook was using Apple's certificate for distributing beta copies to internal company users in order to distribute (to end customers) an app that spied on them. Apple cut off their cert for misuse. Google may have used their cert similarly, but they immediately apologized and ceased the usage. Tightly controlled appstore - can it protect your privacy?
appstore  apple  facebook  google  privacy  security  ios 
january 2019 by mcherm
GoDaddy is sneakily injecting JavaScript into your website and how to stop it | Igor Kromin
Never use GoDaddy for hosting! Unless you opt out they inject some JavaScript into your pages before serving them.
hosting  security  via:reddit 
january 2019 by mcherm
T-Mobile, Sprint, and AT&T Are Selling Customers' Real-Time Location Data, And It's Falling Into the Wrong Hands
The mobile phone carriers promised not to sell location data to shady companies after law enforcement was found to be abusing it. This reporter caught T-Mobile selling data to a company that sold it to a company that was shady.
privacy  security  t-mobile  via:reddit 
january 2019 by mcherm
CenturyLink is blocking its customer's internet while saying Utah legislators told them to - RichSnapp.com
Evil ISP is effectively blocking all internet access to insert an ad via HTTP hijacking and pretends that the state law required them to do it.
isp  security  via:HackerNews 
december 2018 by mcherm
When Trump Phones Friends, the Chinese and the Russians Listen and Learn - The New York Times
The dude is so dumb he won't use a secure phone! Yes, I remember when Obama insisted on continuing to use his BlackBerry but he allowed the security services to modify it until it was secure. Intelligence agencies say the Russians and Chinese are listening to Trump's calls!
via:HackerNews  DonaldTrump  security 
december 2018 by mcherm
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - Bloomberg
This news report claims (over denials) that hardware was altered at Chinese manufacturers to create network vulnerabilities at major US corporations. [Basically proven to be false]
security  via:reddit 
december 2018 by mcherm
Troy Hunt: Extended Validation Certificates are Dead
Unless you are a bank there is no reason to use Extended Validation SSL certificates.
web  security  ssl  internet  via:HackerNews 
december 2018 by mcherm
How I Got Locked Out of the NFC Chip Implant in My Hand
Apparently you not only need the right PIN, but also the same software to access the PIN-protected NFC chip he had surgically implanted in his hand. As he didn't know this, he couldn't access it.
via:slashdot  security  wearable 
november 2018 by mcherm
Private by Design: How we built Firefox Sync - Mozilla Hacks - the Web developer blog
Firefox sync keeps data secure from Mozilla by using the passphrase to generate 2 keys - one authenticates to Mozilla's servers and the other is used to encrypt/decrypt *in the client*. Article discusses why they thought this approach was better for users than several alternatives used by other browsers.
privacy  security  encryption  firefox  via:HackerNews  design  architecture  chrome  browsers 
november 2018 by mcherm
U.S. Secret Service Warns ID Thieves are Abusing USPS’s Mail Scanning Service — Krebs on Security
Sign up to receive a scanned copy of the outside of all mail. Then abuse this to commit credit card fraud.
via:slashdot  security  postalmail 
november 2018 by mcherm
Retailers Are Using Facial-Recognition Technology Too
A few stores are starting to use facial recognition software on their security cameras to get a detailed picture of who is shopping and how. Some legislators are considering restricting this, but face strong lobbying by the likes of Facebook.
privacy  via:HackerNews  security 
october 2018 by mcherm
A timing attack with CSS selectors and Javascript
A way to use jQuery to execute a timing attack that can extract fields from another webpage running in the same browser.
security  browsers  internet  javascript  hacking  via:HackerNews 
october 2018 by mcherm
The World’s Oldest Blockchain Has Been Hiding in the New York Times Since 1995 - Motherboard
A hash-certified chain has been running with timestamps in the New York Times since 1995.
cryptography  blockchain  nytimes  security 
august 2018 by mcherm
Myths about /dev/urandom [2uo]
A long and detailed piece about why you shouldn't block waiting for "more entropy" for your random number generator.
cryptography  security  programming  via:HackerNews 
august 2018 by mcherm
An 11-year-old changed election results on a replica Florida state website in under 10 minutes | PBS NewsHour
Great demonstration of just how insecure voting machines are: this conference had KIDS go ahead and hack the machines.
security  voting  via:Techdirt 
august 2018 by mcherm
Botched CIA Communications System Helped Blow Cover of Chinese Agents – Foreign Policy
All of the CIA's spies in China were executed. The cause was probably the internet communication system that they used.
via:HackerNews  security 
august 2018 by mcherm
How I gained commit access to Homebrew in 30 minutes
It is surprisingly easy to attack packagers as a way of delivering a malicious payload to machines quite broadly.
security  via:reddit 
august 2018 by mcherm
Voting By Cell Phone Is A Terrible Idea, And West Virginia Is Probably The Last State That Should Try It Anyway | Techdirt
West Virginia's plan to allow voting by cell phone is really stupid. And what on earth does the company offering it mean about "using blockchain to secure" it?
via:Techdirt  techdirt  voting  security 
august 2018 by mcherm
The $250 Biohack That’s Revolutionizing Life With Diabetes - Bloomberg
Someone hacked the interface to control an insulin pump which allowed the DIY community to build devices to continually monitor blood sugar and adjust insulin levels. No equivalent commercial product exists on the market.
medicine  bureaucracy  security  via:HackerNews 
august 2018 by mcherm
Florida Didn't Run FBI Background Checks on Concealed Weapon Applicants for a Year Because of a Forgotten Login
I can't tell if this is shocking incompetence, or secretly malicious because the entire responsibility for the state was given to a single unqualified individual.
via:reddit  security 
june 2018 by mcherm
Cost of a 51% Attack for Different Cryptocurrencies | 51Crypto
It's shockingly cheap to perform a 51% attack on nearly all cryptocurrencies because incredible hashing power is available for rent cheaply.
security  cryptocurrency  bitcoin  via:HackerNews 
may 2018 by mcherm
Microsoft Word Document Upload to Stored XSS: A Case Study
An XSS attack using MS Word Documents that can be uploaded and downloaded. Lists a few defenses against the attack also.
xss  security  webdevelopment  via:HackerNews 
may 2018 by mcherm
Our Approach to Employee Security Training | PagerDuty
Really good quality security training. How he did it and the slides in case you want to use them.
security  teaching  opensource  via:HackerNews 
may 2018 by mcherm
This ‘Demonically Clever’ Backdoor Hides In a Tiny Slice of a Computer Chip | WIRED
A way to introduce a vulnerability into a chip which uses very little extra silicon and only triggers if you do a specific action thousands of times.
security  hardware  via:HackerNews  wired 
april 2018 by mcherm
Exclusive: NSA encryption plan for ‘internet of things’ rejected by international body – WikiTribune
The US has pushed for certain encryption algorithms to become the new standard for internet of things. The international standards body rejected it because they suspect the NSA will attempt to insert back doors or breakable algorithms.
cryptography  security  standards  NSA  via:boingboing 
april 2018 by mcherm
Teen charged in Nova Scotia government breach says he had 'no malicious intent' | CBC News
Even in Canada, even in 2018, governments are still prosecuting people for "hacking" when all they do is increment the number on the end of a URL.
security  overprosecution  law  via:HackerNews  hacking 
april 2018 by mcherm
A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer | Techdirt
Casino hacked through an aquarium thermometer; the internet of things is dangerously insecure.
techdirt  via:Techdirt  security  internetofthings 
april 2018 by mcherm
Four cents to deanonymize: Companies reverse hashed email addresses
Lots of folks pass around lists of hashes of email addresses. These aren't secure because only a few billion email addresses exist and all can be hashed cheaply. Use salt (unless your goal is uniqueness testing, in which case don't share the list).
security  cryptography  email  via:boingboing 
april 2018 by mcherm
Mythology about security… | jg's Ramblings
He claims poor security in early computer systems was due to US export controls, not a willing failure to build secure systems (and he built X-Windows and sat by the guy who built Kerberos).
security  history  via:HackerNews  law 
april 2018 by mcherm
How Mark Zuckerberg Hacked The Harvard Crimson
Claim: early in the history of Facebook, Mark Zuckerberg used failed login attempts to deduce users' passwords to a separate email system in order to access their accounts.
facebook  security  MarkZuckerberg  hacking 
april 2018 by mcherm
Death Note: L, Anonymity & Eluding Entropy - Gwern.net
Contains an amazing list of ways to identify an anonymous individual.
via:HackerNews  anonyminity  security 
april 2018 by mcherm
Be careful what you copy: Invisibly inserting usernames into text with Zero-Width Characters
Use zero-width characters to fingerprint text served to each user. If they copy-paste it to someplace you can tell who did it from the fingerprint.
security  steganography  via:HackerNews 
april 2018 by mcherm
Attacking Merkle Trees with a Second Preimage Attack – flawed.net.nz
Generate data that gives the same hash as a known value and you can undermine a Merkle tree. Use some known structure and/or track depth to protect against this attack.
cryptography  security  via:HackerNews 
march 2018 by mcherm
BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
Some governments are intercepting download requests for popular programs like 7zip and injecting them with spyware.
security  internet  via:EdwardSnowden 
march 2018 by mcherm
What Is Your Bank’s Security Banking On? — Krebs on Security
A great number of smaller banks use Fiserv for online banking and it has terrible, horrible security practices.
banking  security  via:HackerNews 
march 2018 by mcherm
Third party CSS is not safe - JakeArchibald.com
CSS that gets loaded from an untrusted source can do nearly as much to your page as JavaScript from an untrusted source.
security  webdevelopment  css  via:HackerNews 
march 2018 by mcherm