
Security

Fascism and the Security State

Fascism USA - A Review of the Growing Loss of Democracy
The Arizona massacre, the Tea Party and the capitalist state By Fred Goldstein Published Jan 30, 2011 10:05 PM The following is the first of two articles loosely based on a talk given at a Workers World Party membership meeting on Jan. 21. The Arizona massacre and attempted assassination of Rep. The public discussion of this subject arose quickly in the hours after the massacre. What happened next is of considerable importance to the working class and the oppressed. The event was so horrendous that it immediately drew the attention of the capitalist media and then all classes in society. Consider just the background in Arizona. Anti-immigrant racism is at a fever pitch in Arizona, where the new law SB1070 declared open season on immigrants and undocumented workers. Sheriff Joe Arpaio of Maricopa County set up a virtual police state over the years for African-American prisoners and for Latinas and Latinos. The Minutemen are extremely active in Arizona. Fascism: What it is and how to fight it
Welcome to the FEMA Corps Inaugural Class | Homeland Security Originally posted by Federal Emergency Management Agency (FEMA) Deputy Administrator Rich Serino on Thursday, August 13, 2012 Yesterday, we welcomed 231 energetic members into the first ever FEMA Corps class. The members just finished their first month of training with our partners at the Corporation for National and Community Service (CNCS) and are one step closer to working in the field on disaster response and recovery. They will now head to FEMA's Center for Domestic Preparedness to spend the next two weeks training in their FEMA position-specific roles. Once they complete both the CNCS and FEMA training, these 231 dedicated FEMA Corps members will be qualified to work in one of a variety of disaster-related roles, ranging from Community Relations to Disaster Recovery Center support. FEMA Corps builds on the great work of AmeriCorps to establish a service cadre dedicated to disaster response and recovery.
PayPal fixes critical account switcheroo bug after researcher tipoff PayPal has fixed a critical flaw that allowed an attacker to delete any account at will and replace it with one of their own. In April, security researcher Ionut Cernica discovered that US PayPal account holders could add an email address belonging to someone else's account to their own account by visiting a PayPal webpage. "After you added an existing email to your account, if you go to the account profile and you delete the unconfirmed email, the original account will be deleted too," Cernica's report reads. "After you removed the account, you can make another one with the same username with your desired password, but you will have no money and it is not confirmed." In order to achieve verified PayPal status, the attacker would simply need to assign a bank account or credit card to the replacement username and go through the standard accreditation procedure. The root cause is a deletion scoped to the email address alone rather than to the (account, address, unconfirmed) tuple the caller actually owns.
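The following is an added, illustrative model of the logic flaw Cernica describes; it is not PayPal's code and the internal data layout is an assumption (an `emails` table of rows keyed by address, account and confirmed flag, with an account considered dead once it has no confirmed address). It puts the vulnerable add/remove pair next to a hardened pair that refuses to attach an address another account has confirmed and deletes only the caller's own unconfirmed row.

```python
from dataclasses import dataclass


@dataclass
class EmailRow:
    """One row of the assumed `emails` table."""
    address: str
    account_id: int
    confirmed: bool


class AccountStore:
    def __init__(self):
        self.accounts = set()
        self.emails = []  # list of EmailRow

    def create_account(self, account_id, address):
        self.accounts.add(account_id)
        self.emails.append(EmailRow(address, account_id, True))

    # --- vulnerable pair -------------------------------------------------
    def add_email_vulnerable(self, account_id, address):
        # Bug 1: no check that another account already confirmed this address.
        self.emails.append(EmailRow(address, account_id, False))

    def remove_email_vulnerable(self, account_id, address):
        # Bug 2: the delete is scoped by address only, i.e.
        #   DELETE FROM emails WHERE address = ?
        # so the victim's confirmed row disappears along with the caller's.
        victims = {r.account_id for r in self.emails if r.address == address}
        self.emails = [r for r in self.emails if r.address != address]
        # Assumed cascade: an account with no confirmed login address is purged.
        for acct in victims:
            if not any(r.account_id == acct and r.confirmed for r in self.emails):
                self.accounts.discard(acct)

    # --- hardened pair ---------------------------------------------------
    def add_email_fixed(self, account_id, address):
        if any(r.address == address and r.confirmed for r in self.emails):
            raise ValueError("address already confirmed by another account")
        self.emails.append(EmailRow(address, account_id, False))

    def remove_email_fixed(self, account_id, address):
        # DELETE FROM emails WHERE address = ? AND account_id = ? AND confirmed = 0
        self.emails = [
            r for r in self.emails
            if not (r.address == address and r.account_id == account_id
                    and not r.confirmed)
        ]


def demo(vulnerable):
    """Attacker (account 2) attaches the victim's (account 1) address, then removes it.
    Returns whether the victim's account still exists afterwards."""
    store = AccountStore()
    store.create_account(1, "victim@example.com")    # constructed sample data
    store.create_account(2, "attacker@example.com")
    if vulnerable:
        store.add_email_vulnerable(2, "victim@example.com")
        store.remove_email_vulnerable(2, "victim@example.com")
    else:
        try:
            store.add_email_fixed(2, "victim@example.com")
        except ValueError:
            pass  # the hardened path refuses the attach outright
        store.remove_email_fixed(2, "victim@example.com")
    return 1 in store.accounts


if __name__ == "__main__":
    print("victim survives (vulnerable):", demo(vulnerable=True))
    print("victim survives (fixed):", demo(vulnerable=False))
```

The check worth copying is the `WHERE` clause of the fixed delete: every mutating query on a multi-tenant table carries the caller's account id and the state it is allowed to touch, so a row it does not own cannot match.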
PayPal post-checkout cash slurp a FEATURE not a BUG An apparent flaw that lets merchants add any amount of money onto already processed PayPal transactions is a feature, not a bug, according to the payments giant. The function was designed to allow sellers to add additional costs for services like shipping on top of transaction totals which customers had approved through the PayPal website. Sellers would be expected to add small amounts, but TU-Berlin IT student Jan Kechel found PayPal had not limited the amount of cash that could be swindled and sent the company a proof-of-concept script. "In PayPal Express Checkout the online shop can transfer any amount, no matter which amount the client actually confirmed at the PayPal website," Kechel said. "This proof of concept transfers only one Euro more than the confirmed amount, but I also tried with 200 Euros and it works just the same." PayPal told Vulture South Kechel's bug was more of a shiny button.
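As an added example (not PayPal's or Kechel's code), the settlement step modelled two ways: the behaviour Kechel reports, where the merchant's final amount is charged regardless of what the buyer approved, next to a bounded version that still permits the legitimate "add shipping" case. The uplift limits (15 percent of the approved total, capped at 75.00) are illustrative policy values assumed for this example.

```python
from decimal import Decimal


class CaptureRejected(Exception):
    """Raised when a merchant tries to settle more than policy allows."""


def capture_vulnerable(approved: Decimal, requested: Decimal) -> Decimal:
    # Behaviour described above: the merchant-supplied final amount is settled
    # as-is, with no reference to the total the buyer confirmed.
    return requested


def capture_fixed(approved: Decimal, requested: Decimal,
                  max_uplift_ratio: Decimal = Decimal("0.15"),
                  max_uplift_abs: Decimal = Decimal("75.00")) -> Decimal:
    """Settle the merchant's final amount only if the uplift over the
    buyer-approved total stays within the assumed policy bounds."""
    if approved <= 0 or requested <= 0:
        raise CaptureRejected("amounts must be positive")
    uplift = requested - approved
    if uplift <= 0:
        return requested  # charging less than approved is always allowed
    limit = min(approved * max_uplift_ratio, max_uplift_abs)
    if uplift > limit:
        raise CaptureRejected(
            f"uplift {uplift} exceeds limit {limit} on approved {approved}")
    return requested


def settle(approved, requested, check=capture_fixed):
    """Return (settled_amount, None) on success or (None, reason) on refusal,
    so the caller can log the rejected attempt instead of silently charging."""
    try:
        return check(approved, requested), None
    except CaptureRejected as exc:
        return None, str(exc)


if __name__ == "__main__":
    approved = Decimal("10.00")                     # constructed: buyer approved 10.00
    for requested in (Decimal("11.00"), Decimal("210.00")):
        print(requested, "vulnerable:", settle(approved, requested, capture_vulnerable))
        print(requested, "fixed:     ", settle(approved, requested))
```

Note that the one-Euro proof of concept still passes the bounded check; the point of the bound is to make the 200-Euro case impossible while leaving shipping surcharges working, and to produce an auditable refusal rather than a silent charge.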
PayPal Confirms New Two-factor Authentication Bypass Issue Researchers have identified a new method that can be used to bypass the two-factor authentication (2FA) mechanism that is supposed to give PayPal customers an extra layer of protection for their accounts. PayPal's 2FA system, called "Security Key," is designed to ensure that accounts can't be accessed even if login credentials fall into the wrong hands. Such features can be very useful, especially since usernames and passwords, which people often reuse across websites, are regularly obtained by hackers after breaching the databases of various online services. Researchers at Escalate Internet have found that PayPal's 2FA mechanism can be bypassed through Adaptive Payments, a system that enables merchants and developers to manage payments in both simple and complex scenarios. Companies that use Adaptive Payments require users to connect their PayPal accounts to an application. Contacted by SecurityWeek, PayPal says it's aware of the issue and is working on fixing it.
CWE - 2011 CWE/SANS Top 25 Most Dangerous Software Errors Summary and discussion: Salt might not be good for your diet, but it can be good for your password security. Instead of storing passwords in plain text, a common practice is to apply a one-way hash, which produces a fixed-size digest from which the password cannot be directly recovered and can make it more difficult if (or when?) attackers gain access to your password database. Without a per-user random salt, however, every user with the same password gets the same digest, and a single precomputed table cracks the whole database at once; the salt is what forces the attacker to attack each row separately. Related Attack Patterns (CAPEC-IDs): 16, 20, 49, 55, 97. Monster Mitigations: these mitigations will be effective in eliminating or reducing the severity of the Top 25; a Monster Mitigation Matrix is also available that maps these mitigations to the Top 25 weaknesses. Appendix A, Selection Criteria and Supporting Fields: entries on the 2011 Top 25 were selected using three primary criteria: weakness prevalence, importance, and likelihood of exploit.
Welcome to The Internet of Compromised Things This post is a bit of a public service announcement, so I'll get right to the point: Every time you use WiFi, ask yourself: could I be connecting to the Internet through a compromised router with malware? It's becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level. Routers have become quite capable, powerful little computers in their own right over the last 5 years, and that means they can, unfortunately, be harnessed to work against you. I write about this because it recently happened to two people I know. In both cases, they eventually determined the source of the problem was that the router they were connecting to the Internet through had been compromised. This is way more evil genius than infecting a mere computer. Hilarious meme images I am contractually obligated to add to each blog post aside, this is scary stuff and you should be scared. Router malware is the ultimate man-in-the-middle attack. Probably.
Exploit Exercises
SQL Injection Attacks by Example A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. "SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. We speculate that the underlying SQL code looks something like this: A standalone query of
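Added example for the passage above (not the article's own code): a constructed `members` table in an in-memory SQLite database, the naive string-built lookup the article speculates about beside a parameterised one, and the single-quote probe that the article's approach starts from. Table and column names and the sample rows are assumptions; the passwords are plaintext only so the leaked rows are visible in the demo.

```python
import sqlite3


def make_demo_db():
    """Constructed sample data standing in for the customer's members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, passwd TEXT, login TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (email, passwd, login) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "hunter2", "alice"),
            ("bob@example.com", "swordfish", "bob"),
            ("carol@example.com", "letmein", "carol"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Naive string building: whatever the user typed becomes SQL syntax.
    query = "SELECT email, passwd, login FROM members WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_fixed(conn, email):
    # Parameterised query: the value travels separately from the statement,
    # so a quote in the input can never terminate the literal.
    return conn.execute(
        "SELECT email, passwd, login FROM members WHERE email = ?", (email,)
    ).fetchall()


def probe(conn, payload):
    """First step of the article's method: does a stray quote change behaviour?
    Returns 'error' when the payload broke the SQL, else the row count."""
    try:
        return len(lookup_vulnerable(conn, payload))
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    conn = make_demo_db()
    print("probe x'            ->", probe(conn, "x'"))                # syntax error: injectable
    print("probe x' OR 'a'='a  ->", probe(conn, "x' OR 'a'='a"))     # every row comes back
    print("vulnerable dump     ->", lookup_vulnerable(conn, "x' OR 'a'='a"))
    print("fixed, same payload ->", lookup_fixed(conn, "x' OR 'a'='a"))
```

The error-versus-rows difference in `probe` is the oracle a tester uses to confirm the input reaches the query unescaped; the parameterised version returns no rows for the same payload because it is looking for a literal address containing a quote.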
Information Security

Zarp - Network Attack Tool Zarp is a network attack tool centred around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. Features: zarp has around 30+ modules grouped into categories of attack (Poisoners, Denial of Service, Sniffers, Scanners, Services, Parameter, Attacks) with multiple functionalities under each group. Installation: zarp is intended to be as dependency-free as possible; it requires Linux, Python 2.7.x and Scapy (packaged with zarp). It is also recommended that users have additional tools installed for access to specific modules. You can download zarp here: zarp-0.1.8.zip
s243a: So someone on FMS was asking how to leak things....
IceCat has some additional features to promote free...
Cyber Security

Security snapshot reveals massive personal data loss More than 500 million digital identities were stolen or exposed in 2015, suggests a report from security firm Symantec. In addition, it said, fake technical support scams rose by 200% and crypto-based ransomware attacks grew by 35%. Hackers also made more use of unknown software bugs to make sure attacks work, said the annual threat report. It said the gangs behind the attacks had become more professional and now resembled legitimate software firms. "They have extensive resources and highly skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off," said Kevin Haley, director of Symantec security response, in a statement. Call centres had been set up by some gangs to make scams and cons more effective, he said. Some of these groups were involved in tech support scams that try to trick people into paying to fix non-existent problems on their home computers.
Second bank cyber-attack detected by Swift after Bangladesh raid A cyber-attack, similar to one that saw $81m (£56m) stolen from Bangladesh's central bank, has hit a second bank. The warning about the second attack came from Swift, which oversees the financial messaging network that underpins global money transfers. Swift said the target was a commercial bank but did not name the organisation or reveal if any cash had been taken. The attack used techniques and tools resembling those used to steal cash from Bangladesh in February, it said. Swift is used by about 11,000 financial institutions around the world to move large amounts of cash. The attackers had a "deep and sophisticated knowledge of specific operational controls" at the targeted bank, and could have been aided in their theft by "malicious insiders", said Swift. In both attacks the thieves sought to submit fraudulent messages to the Swift network to transfer large amounts of cash to accounts they controlled.
Online rental fraud rising steeply Rental fraud is rising sharply, the BBC has learned during an investigation in which it confronted two online fraudsters for their crimes. Scam artists offer cheap flats for rental, demanding instant deposits. But they do not actually own the homes, and would-be tenants' cash is lost. Reports of rental fraud in England and Wales leapt from 2,216 in 2014 to 3,193 in 2015. BBC researchers posed as tenants to expose tricks used by fake landlords. One advert fraudsters attempted to place on the flat-sharing website EasyRoomMate offered a plush Kensington apartment for just £700 per month, far below the market rate. Atta Nasim, of Milestone Estate Agents in north-west London, called the price "crazy", adding that you would not get a garage for that price in the area. Land Registry documents show she is not the legal owner of a property there, and when researchers visited the mansion block it was to find all the flats inhabited.
ICT security: is there still a difference between Safety and Security? The meaning in 6 points. Does it still make sense today to speak of a difference between Safety and Security? With the progressive computerisation of companies, what does it mean to treat surveillance and protection as distinct and separate domains? Why is security still regarded as a service rather than as a strategic asset? The basic assumption is that today business does not exist without the Internet. Most processes are digital or in some way pass through digital technologies. Protecting people, companies and information is an integral part of a strategy in which video surveillance, remote monitoring, intrusion detection and anti-tamper systems converge with protection against every form of cybercrime that hits users in the office or on the move, at home or in the car, on the train or on foot. What Safety means and what Security means. Security in smart cities. Guaranteeing:
Education is not only about teaching new generations facts and passing on knowledge, but also and above all about teaching respect for the founding values of a society, reaffirming every day, in school as well, those principles of civility, such as the confidentiality and dignity of the person, that must always be at the centre of every citizen's formation. With this in mind, the Garante per la protezione dei dati personali (Italy's data protection authority) has published "La scuola a prova di privacy" (the privacy-proof school). The guide takes into account the innovations provided for, but still being implemented, by the latest school reform, and collects the cases the Garante deals with most frequently, in order to offer points for reflection and guidance on the many questions raised by families and schools. The guide is organised in five chapters, each setting out rules and examples: Vademecum sulla privacy a scuola — Notizie della scuola
AnchorFree
SentinelOne - Next Generation Endpoint Protection
Endpoint Security

The FBI has collected 430,000 iris scans in a so-called 'pilot program'. To create that pool of scans, the FBI has struck information-sharing agreements with other agencies, including US Border Patrol, the Pentagon, and local law enforcement departments. California has been most aggressive about collecting scans, but agencies in Texas and Missouri can also add to and search the system. The result amounts to a new national biometric database that stretches the traditional boundaries of a pilot program, while staying just outside the reach of privacy mandates often required for such data-gathering projects. "The fact these systems have gone forward without any public debate or oversight that we've been able to find is very troubling," says Nicole Ozer, Technology and Civil Liberties Policy director at the ACLU of California, who likened the project to other programs, such as facial recognition and cell site simulators, that have also been put in place in the state. That changed in 2013, when the FBI launched an iris pilot program.
Memo to the DOJ: Facial Recognition’s Threat to Privacy is Worse Than Anyone Thought
biometrics privacy security

How To Find Wi-Fi Password Using CMD Of All Connected Networks
Forensics — Null Byte « Wonder How To
IT security

ForensicsWiki
How To Secure Your Wi-Fi Network Against Intrusion
Wi-Fi Best Practices | Mobile content from Windows IT Pro
Security Apps

Dr.Web Mobile Control Center – Android Apps on Google Play
Dr.Web Security Space – Android Apps on Google Play
Energy security and renewable technology
Energy security and renewable technology: Energy security
Energy security and renewable technology: Transportation
Necessity of Security Risk Analysis and its Uses by Jack H.
Mongodb - Security Weaknesses in a typical NoSQL database
10 tips to improve Mongodb security
Info Security

Energy security

Securities

Food Security

Windows 10 Security

WiFi Security

passwords and security

Jack's security tips