I have a feeling the next OWASP Top 10 will see misconfiguration moved from position 6 to 1.
As a side note, "Due to a misconfigured server, a researcher found a constant stream of Elsevier users’ passwords."
https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online
It should not have been exposed. It should not be logging passwords.
A couple of big "configuration errors" here.
ok, I haven't done one of these in a while, but here's a #SecurityHygiene / #CoSoSec post.
A reminder: turn on 2 Factor Authentication (2FA). This makes sure that if an attacker has your password, they still can't get in without a token that you should physically possess.
If given a choice, do not use email or SMS as this 2nd factor. They are easily intercepted.
Use TOTP (app-based 2FA list here: https://www.protectimus.com/blog/10-most-popular-2fa-apps-on-google-play/)
Or if you feel like dropping $50 for real security, get a FIDO2 key.
This is a failure on both sides. Ignore the politics of the app.
The app should have been coded more securely. The researcher should have contacted the publisher/developer and given time for them to fix before announcing the vulnerabilities publicly. Likewise, the developer should not have responded like this.
https://gizmodo.com/owner-of-maga-friendly-yelp-knockoff-threatens-to-call-1833247075
As much work as this would load up on me, I'd love to see some of these changes come to COPPA.
"Senate lawmakers on Tuesday introduced new bipartisan legislation that gives kids under 16 years old and their parents substantially more control over their data while further limiting the data-collection practices of apps, websites, and online services."
https://gizmodo.com/new-senate-bill-bans-online-ads-targeting-kids-under-13-1833236559
However, I would change this to all users, or failing that, 18 and under.
This is an interesting message in the play.google.com developer console.
"WARNING!
Using this console may allow attackers to impersonate you and steal your information using an attack called Self-XSS. Do not enter or paste code that you don't understand."
I never thought about that particular vector before.
A health org in MI was breached and 600k people may be affected.
According to the company website, exposed information could include names, addresses, dates of birth, SSNs, insurance contract information and numbers, phone numbers and medical information.
The company says it does not believe personal information was extracted.
https://www.wxyz.com/news/data-breach-compromised-information-of-more-than-600-000-in-michigan
Devs... WTF?
You're embarrassing me in front of the security guys!
Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext.
https://twitter.com/PwdRsch/status/1103021803503607808
Those devs were then asked to rewrite their code to 'store passwords securely.' And 8 chose to use base64?!?!?!?
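As an added illustration (mine, not code from the post or from the study it links), here is the difference the researchers were looking for: base64 is an encoding, so anything "stored" that way is recovered with one call, whereas a real password store uses a salted, slow key-derivation function and never needs the password back. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count, and the function names are my choices; the sample password is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def store_password_base64(password: str) -> str:
    """What 8 of the freelancers apparently did. This is encoding, not hashing."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(stored: str) -> str:
    """Anyone holding the database gets every password back with one call."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow, one-way: the stored record lets you check a guess but
    gives no way to read the password back."""
    salt = os.urandom(16)  # per-password salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record and
    compare in constant time. Malformed records are rejected, not crashed on."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    weak = store_password_base64(pw)
    print("base64 record:", weak, "-> recovered:", recover_from_base64(weak))
    strong = hash_password(pw)
    print("pbkdf2 record:", strong)
    print("verify good:", verify_password(pw, strong), "verify bad:", verify_password("hunter2", strong))
```

Two properties worth checking in a code review: hashing the same password twice yields different records (the salt is doing its job), and verification reads the iteration count from the record, so old rows keep working when the default is raised.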
oh, FFS Equifax, can't you do anything right?
"If you don’t already have an account at the credit bureau’s myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday."
https://krebsonsecurity.com/2019/03/myequifax-com-bypasses-credit-freeze-pin/
"...people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone..."
For those who may be in danger of such things, you may want to consider a location mocking app. Although, TBH I'm not sure if that would defeat E911 which the carriers use.
Comcast's weak security helped phone number thieves
They were all defaulted to 0000.
#SecurityHygiene tip: never accept a default pin, always change it ASAP.
This just makes me sad.
To find out if your energy company is storing your password in plaintext, navigate to a "forgot password" link. See if "SEDC" is in the copyright section of the email they send. (or if they just send you your password outright)
I know I've said this before
But don't use other people's USB cables. EVER.
For anything.
If this theory is correct, Bezos was undone, not by his security, not the government, but by his girlfriend's poor security habits.
Goes to show you, you're only as secure as those you associate with.
https://threatpost.com/theory-simple-hack-behind-bezos-alleged-compromising-images/141651/
Facetime bug fix dropped
https://gizmodo.com/you-can-now-download-a-fix-for-that-scary-facetime-eave-1832435209
Wait... Canadian McD's sells poutine?
This story serves as a reminder. Be careful who you share your credit card data with, be extra careful when choosing a password that's linked to your credit cards.
And FFS, companies... don't blame the victim when they are breached using your app.
Any #CoSoSec-interested parties in the CO area? This looks like a good 1-day event.
Devs - once again, know the difference between a trusted and untrusted input.
UX people - sometimes devs make things slightly more complex than you'd like them to be on purpose.
A number of e-ticketing systems allowed third parties to view, and in some cases even change, a user's flight booking details, or print their boarding passes.
https://betanews.com/2019/02/06/airline-eticketing-passenger-risk/
Some good #CoSoSec reading, not just for us tech-type people, but for anybody considering smart-doorknobs, or having them considered for you.
https://tisiphone.net/2019/01/28/security-things-to-consider-when-your-apartment-goes-smart/