Posts tagged with "Security"



Last week Google announced some changes to Chrome, specifically that come January 2017, practices like this are going to start resulting in browser warnings:

That’s just one of many such examples I’ve called out in the past and frankly, I have about zero sympathy for those who are doing this in the first place so a browser warning is only right.

But here’s the really interesting bit – that’s just the beginning because Google has a plan:

a long-term plan to mark all HTTP sites as non-secure

I want to show you the significance of this on everyday websites and we can do that today by virtue of jumping into chrome://flags then scrolling down to “Mark non-secure origins as non-secure”:

And then we’ll do just that – flag them as non-secure. Now let’s go browsing!

It’s first thing in the morning, so we’ll kick off with a bit of international news:

Ok, browser warning there so not that trustworthy. Tell you what – Jony Ive put me in an Apple trance during the keynote last week so let’s go and check out the new shiny there:

Huh, warning there too, it could even be a fake Tim Cook since it’s loaded over HTTP so better move on. I get accused of being a Microsoft apologist sometimes so we’ll try them next:

Shit. Now I honestly expected them to load over HTTP and show a warning but since they redirect to HTTPS by default everything looks cool. This makes a different point though – this is what the new normal will be when the non-secure exodus kicks in. But you already know what a site loaded over HTTPS looks like anyway, let’s go for a fly instead:

Dammit! Ok, big warning symbol there so that’s no good. I’m sick of flying anyway, let’s find a nice car:

Alright, that’s it, definitely not buying a Ferrari via the browser now! But at least the warning symbol is red…

Maybe we’ll set our sights a little lower and do some eBay shopping:

Right, not so good. At least our banks will be good, right? I mean they’re the ones with the bank grade security:

It’s one of the biggest banks in the country! Let’s go bigger – let’s grab one of the biggest in the world:

This is really disheartening, I’m gonna go straight to the Prime Minister and make my feelings known:

Well that’s surprising, our government seemed to be so good at getting tech right too…

Not to worry, I reckon we can go even higher still, let’s hit up the UN:

Huh. Is it possibly just that these sites don’t know how to implement HTTPS? Let’s go see if we can find some good guidance on that:

This is obviously intended to be a bit tongue in cheek, but here’s the point: we are a very, very long way away from a “secure by default” web. Going HTTPS can be easy, but it can also be a non-trivial exercise for the likes of Stack Overflow. We should all be going HTTPS only at the earliest opportunity, but the chances of seeing browsers do what they’re doing in the screens above in 2017 are near zero and frankly, at this rate even 2018 is hard to see happening. What the January change does is move the needle just that little bit further around so that more sites use more SSL and better prepare the web for the inevitable transition described here.


Source: TroyHunt

What do you do to protect your ‘Privacy’ and keep yourself safe from potential hackers?

Well, Facebook CEO Mark Zuckerberg just needs a bit of tape over his laptop webcam and mic jack to protect his privacy.

Yes, Zuck also does the same as the FBI Director James Comey.

Zuckerberg posted a photo on Tuesday to celebrate Instagram’s 500 Million monthly user milestone, but the picture ended up revealing another security measure he takes to ensure that nobody is spying on him – and it’s surprisingly simple.

Some eagle-eyed observers quickly noticed that the MacBook Pro on Zuckerberg’s desk in the background of the image has the tape covering not only the webcam, but also the laptop’s dual microphones.

While some tried to argue that it was not Zuckerberg’s desk, Gizmodo pointed out that Zuckerberg has posted videos, live streams and images from there before, so it seems like a safe assumption.

So, Zuckerberg joins FBI director James Comey and NSA whistleblower Edward Snowden, who admitted that they tape their webcams.

Although some called this move paranoid, taping up your webcam is a simple and excellent precaution that costs nothing and has come up many times in the past.

Leaving aside the controversies over Zuck’s move, taping your laptop’s webcam is a good takeaway for you to adopt, because we know that spy agencies, including the FBI and NSA (National Security Agency), have the ability to turn on webcams to spy on targets.

Edward Snowden leaks revealed Optic Nerve – the NSA’s project to capture webcam images every five minutes from random Yahoo users. In just 6 months, 1.8 Million users’ images were captured and stored on the government servers in 2008.

However, putting tape over your webcam would not stop hackers or government spying agencies from recording your voice, but, at least, it would prevent them from watching or capturing your live visual feed.

With Node.js having become a critical cog at places such as PayPal and Wal-Mart, developers need to be mindful of securing their Node.js applications, technologists are advising.

The server-side JavaScript platform is now being used to protect the likes of financial transactions and other enterprise client data, said Adam Baldwin, chief security officer at security consulting firm ^Lift Security. Node.js shares security issues with its client-side brother, JavaScript, as well as with other platforms, Baldwin said. “The core of Node is JavaScript, so Node inherits any concerns there might be with JavaScript. However, the execution context of V8, the JavaScript engine Node uses, is entirely different than a browser because it executes on the server. That difference adds some unique surface area [for attacks].”
Mark Stuart, a senior UI engineer at PayPal, advises developers to use good security defaults and scanning of modules. “Node is still JavaScript, so eval and all the terrible things on the client side still exist on the server side,” Stuart said. (The eval function evaluates code represented as a string but poses the risk of running malicious code.)

The importance of security on Node.js has led to formation of the Node Security Project, headed by Baldwin, which wants to audit NPMs (Node packaged modules). Developers need to actively address common security issues in their code, using resources such as the OWASP (Open Web Application Security Project) Top 10, which includes cross-site scripting, cross-site request forgery, security misconfiguration, and unvalidated redirects and forwards.
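The eval hazard Stuart describes, shown as an added example (not code from the article, PayPal or ^Lift Security): a Node.js handler that reads a client-supplied "sort" parameter, first the way the article warns against and then as data parsing with an allow-list. The parameter name and sample inputs are constructed for illustration.

```javascript
// Added example, not code from the article, PayPal or ^Lift Security: a Node.js
// request handler that reads a client-supplied "sort" parameter, written first
// the way the article warns against (eval) and then as data parsing with an
// allow-list. Parameter names and sample inputs are constructed for illustration.

// Records whether eval executed anything beyond returning a value.
const sideEffects = [];

// UNSAFE: the string from the client is executed as JavaScript with the full
// privileges of the Node process. eval on the server is the same hazard as in
// the browser, but here it runs next to credentials, files and the network.
function parseSortUnsafe(param) {
  return eval("(" + param + ")");
}

// SAFE: parse as data only, then validate shape and values against allow-lists.
const ALLOWED_FIELDS = new Set(["created", "price", "name"]);
const ALLOWED_DIRECTIONS = new Set(["asc", "desc"]);

function parseSortSafe(param) {
  let obj;
  try {
    obj = JSON.parse(param); // JSON.parse never executes code
  } catch (e) {
    return null; // malformed input is rejected, not "repaired"
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  const keys = Object.keys(obj).sort();
  if (keys.join(",") !== "dir,field") return null; // exactly these two keys
  if (!ALLOWED_FIELDS.has(obj.field) || !ALLOWED_DIRECTIONS.has(obj.dir)) return null;
  return { field: obj.field, dir: obj.dir }; // rebuilt, not passed through
}

// Constructed inputs: a normal request and one that carries an expression.
const BENIGN = '{"field":"price","dir":"asc"}';
// A comma expression: the first operand runs, the second becomes the "value".
const HOSTILE = '(sideEffects.push("code ran"), {field:"price",dir:"asc"})';

// Runs both parsers over both inputs and reports what happened.
function runDemo() {
  const before = sideEffects.length;
  const evalResult = parseSortUnsafe(HOSTILE);           // looks like a valid sort...
  const evalRanCode = sideEffects.length === before + 1; // ...but code ran
  return {
    evalRanCode,
    evalResult,
    safeResult: parseSortSafe(HOSTILE),  // null: not JSON, so nothing runs
    benignResult: parseSortSafe(BENIGN), // { field: "price", dir: "asc" }
  };
}
```

The two parsers return the same object for the hostile input, which is exactly why eval-based code passes casual testing; only the side-effect log shows the difference.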

Smartphones have easily become the most important devices on the planet. Since their inception, they’ve ruled the way we live, becoming more like an appendage than a gadget. These devices store all of our personal information: our social media accounts, our credit card information, everything that you would ever want to keep safe from the outside world. It’s this high level of sensitivity in our smartphones that makes people like Steve Lord, a 15-year white hat hacker, so terrifying.

WhatMobile did an interview with Steve Lord, talking about what a white hat hacker does, why they’re important, and what the state of cyber security in the world is. It’s something that is, without a doubt, highly enlightening to anyone who lives their life through the screen of their smartphone. What should be especially interesting, however, is what Steve had to say about which smartphones are currently the most secure.


“All have benefits and drawbacks. Currently Windows Phone seems to be the hardest nut to crack. Blackberry has a long history of being very security-focused. If I have physical access to the device, I find Android’s usually the easiest target. Then comes iPhone, then older versions of BlackBerry. If it’s over a network or I have to attack via email or message, Android’s usually the softest target.”

It’s good to hear that Windows Phones are currently more secure than their competitors, though it’s not really that big of a surprise. Microsoft has always been a company that focuses on keeping phones secure – for a company whose audience consists largely of business executives, that security is absolutely vital. When you’re sporting the “most secure Windows ever,” you should always feel safe from hackers.

This doesn’t mean that Windows Phone is perfect, or entirely impenetrable. No device will ever be safe from hackers, and you should always take care to keep your information safe with your own precautions. That said, with Microsoft at your back, you should always feel like you’re one step ahead of the people who would want to take your personal information.

The major tech companies including Google, Facebook, and Yahoo! have joined hands to launch a new program meant to block fake web traffic by blacklisting flagged IP addresses.

Today, the majority of data center traffic is non-human or illegitimate, so to fight this issue the Trustworthy Accountability Group (TAG) has announced a program that will tap into Google’s internal data-center blacklist to filter bots.

The new pilot program will reject traffic from web robots or bots by making use of a blacklist, cutting a significant portion of web traffic from within data centers, said Google Ad Manager Vegard Johnsen.

Google and other big tech firms maintain blacklists of suspicious IP addresses belonging to computer systems in data centers that may be trying to trick humans into clicking on advertisements. Google’s DoubleClick blacklist alone blocked some 8.9% of data-center traffic back in May.

Facebook and Yahoo to Contribute

Apart from Google, TAG’s new program will take help from other industry leaders, including Facebook, Yahoo, Dstillery, MediaMath, Quantcast, Rubicon Project and TubeMogul, to share their own internal data-center blacklists.

“By pooling our collective efforts and working with industry bodies, we can create strong defenses against those looking to take advantage of our ecosystem,” Johnsen said in a blog post. “We look forward to working with the TAG Anti-fraud working group to turn this pilot program into an industry-wide tool.”

Click fraud has become a major issue for big companies as it steals money from advertisers and reduces faith in online campaigns.

Fraudsters are making Millions

Some publishers even run specialized tools in data centers that generate fraudulent ad impressions to inflate user clicks. Two such tools are listed below:


UrlSpirit is software that serves as a form of botnet. Named URLs are distributed among Internet Explorer (IE) instances running on most of the data center boxes that operate UrlSpirit.

The search engine giant discovered nearly 6,500 installations of UrlSpirit generating 500 Million fake ad requests or an average of 2,500 ad requests per installation per day.

On the other hand, HitLeap is another tool that uses the Chromium Embedded Framework instead of Internet Explorer.

HitLeap is larger, with a network of 4,800 installations, 16% of which are operating in data centers.

Mike Zaneis, Trustworthy Accountability Group’s chief executive, declared its new pilot program would also tackle fraudulent advertisements.

“This program is another piece of the interlocking set of solutions TAG is building to fight fraud across the entire ecosystem,” says Zaneis. “The industry is galvanizing its efforts and we will win the war against fraud.”

TAG will soon release a set of principles for online user comments, which will then be incorporated into the final pilot program. The ad fraud detection tool will be available to the public by the end of 2015.

Google is making it safer and easier to add third-party accounts to Gmail for Android. Soon Gmail users will see the option to add Microsoft and Yahoo accounts via OAuth. That means users will no longer have to enter their user names and passwords into Gmail for Android to add these services.

Instead, Gmail will rely on Microsoft and Yahoo for authorization. If you’re logged in to your Outlook.com account, for example, Microsoft will present you with a button to allow Gmail for Android to access your account. Once that’s done, Microsoft gives Gmail a token (basically a text file) that allows the app access to that account.

If the user isn’t logged in to Microsoft, they’ll have to go through the Outlook.com login process before getting to the OAuth screen.

While OAuth is new to Gmail for Android, it’s something most users should be familiar with. Anyone who’s ever authorized an app to access a Facebook or Twitter account, for example, will be immediately familiar with the Gmail for Android process.

The new Gmail for Android feature is rolling out now. Google says it should be available to all in the next few days.

The impact on you at home: OAuth support offers a higher degree of security, because you don’t have to enter your account details into Gmail for Android. That means an unknown vulnerability in Gmail for Android could never leak your Microsoft or Yahoo credentials, because it doesn’t have them. In the event of a hack, OAuth also allows you to quickly de-authorize Gmail for Android with one click from your Microsoft or Yahoo account settings. In addition, Google says OAuth makes it easier to use added security features like two-step verification, which typically won’t work when you enter a primary password directly into a third-party app.

Over the past few days, many readers have asked me to post how to detect a keylogger on a computer or laptop. Today you will learn how to detect a keylogger and remove it from your computer.


System Protection Tricks:

Steps to detect or remove a keylogger from your computer:

  1. You should trace the behavior of your PC in order to find the common virus symptoms, because keylogger symptoms have much in common with the symptoms of other computer infections. These symptoms include slow computer performance, new icons on your desktop or in the tray, network activity and unexpected pop-ups. You may also notice that the text you type appears with a little delay – this is the direct symptom that will help you in keystroke logger detection.
  2. Open Task Manager in order to end the process of the installed keylogger. You should know that not every keylogger can be found in Task Manager; many of them hide their traces. But you should still check whether you can end its process:
  • Press CTRL+ALT+DELETE, and then select Task Manager in the menu.
  • Select the Processes tab and scroll through the list. Find the process called winlogon.exe. One process with that name is normal, but if you have 2 processes with the same name, then you have a keylogger.
  • Highlight the second winlogon.exe and click End Process (you should end only the second process with that name).

If there is just one process with that name, then you should check all the other processes using the special services that contain information about most processes, in order to detect the malicious one. You can use Liutilities, Neuber or any other service that you know.

If you end the process that belongs to the keylogger, then the program is deactivated until the next reboot and the third party will not get your personal information.

  3. You should also look through the list of installed programs. Click the Start menu, then All Programs, and try to find any program that you did not install. Uninstall such programs.
  4. You can also detect this malicious program with the help of the Startup list. Follow these instructions:
  • Press Windows+R, then type msconfig in the box and press Enter.
  • Select the Startup tab and disable all the unknown programs.
  • Then restart your computer.

Everybody says that Linux is secure by default, and I agree to some extent (it’s a debatable topic). However, Linux does have an in-built security model in place by default. You need to tune it up and customize it as per your needs, which may help make the system more secure. Linux is harder to manage but offers more flexibility and configuration options.

Securing a production system from the hands of hackers and crackers is a challenging task for a System Administrator. This is our first article related to “How to Secure a Linux Box” or “Hardening a Linux Box”. In this post we’ll explain 25 useful tips & tricks to secure your Linux system. We hope the tips & tricks below will help you, to some extent, to secure your system.

Researchers from Trusteer have discovered a new banking Trojan dubbed “Kronos” which is being sold on an underground forum.
The malware is being sold for $7,000, and the cyber criminals are offering a one-week test for the price of $1,000, with full access to the command and control server without any limitation.

Similar to other banking Trojans, this new malware is also capable of form grabbing and HTML injection.

Kronos has user-mode rootkit (ring 3) capabilities that help the trojan defend itself from other pieces of malware, and it works on both 32-bit and 64-bit operating systems.

It is also designed to evade antivirus software and bypass sandboxes. The malware uses encryption to communicate with the C&C server.

Trusteer said it has not yet analyzed a sample of the malware in order to validate the seller’s claims; all the information provided is based on the advertisement in the underground forum.