
something I've never considered before. Some people believe the "https lock icon" is a proof of validity rather than *only* a proof of encryption in transit.

Don't trust the lock to keep your data safe, but on the other hand, if it's missing, don't put in a password or a credit card number at all.

krebsonsecurity.com/2018/11/ha

Just received this from a vendor, but it's still good advice regardless of the source:

Black Friday and Cyber Monday are the busiest online shopping days and the bad guys are out to get rich with your money. After all, ‘tis the season for scams and phishing.

So how do I stay safe this holiday season?

1/2

Another 0 day presents another opportunity to remind everybody:

*don't trust WiFi you don't control*

Whitehats have been able to grab "deleted" photos off an iPhone which connected to a WiFi point under their control. Other pieces of info are on the table too, but photos were the first things they could get to.

engadget.com/2018/11/15/iphone

So, I guess my quip about Facebook's plan to take over the living room has gotten a lot of traction.

I should do a post about it.

The reasons are quite simple. Facebook has a poor track record on privacy - and they can't improve it since their business model is antithetical to privacy.

But with these cameras, not only are they invading your privacy, but the privacy of everybody who comes into your house.

1/2

a quick note:

I've championed password managers to no end, and continue to do so, but please, make sure you turn off auto-fill on them.

Last thing you want is a rogue script scraping your login credentials because they were auto-filled on a non-login form.

Just a reminder - in the coming days, you'll be inundated with reminders/requests/hints to help the victims of Florence monetarily.

Be careful: while most are legit, many will be scams. Do your homework if you choose to donate your hard earned money.

Additionally, they may not even ask for donations, they may pull on your heartstrings to trick you into giving up pieces of your identity.

Give, but be smart in giving.

For today's , I think I'll post about trust and HTTPS.

[web 101: HTTPS is the way your computer communicates securely with the server. (vs. HTTP)]

So we all know that we should only log in or put in credit card info with sites over HTTPS, right?

Guess what: You have to make sure that every step of the way you've been HTTPS - an attacker could have put in a slight redirect to their site in one of the non-HTTPS pages otherwise.

(1/2)

Today's post: Public charging stations.

I know you. Your plane is delayed, you're sitting in the terminal, tooting, watching Netflix, reading the news, whatever... your battery warning pops up, you have about 10 more minutes before your phone dies and at least an hour before your plane gets there. But wait, there's a free charging station right over there!

Don't use it! The wires that send power can also send data; malicious data. Use your own power.

money.cnn.com/2017/02/15/techn

Riffing off @White_Rabbit's post a few minutes ago, my toot for the day:

Be careful about what you post on social media and keep in mind what you've posted when sites ask you those "password recovery questions" like "What is your favorite movie?" and "What was the make and model of your first car?"

You start reminiscing about how you miss your childhood dog named "Candy," and an attacker may have access to change your password under those forgot password pages.

Remember, on days like this, unscrupulous scammers may try to use the death of somebody like McCain to their advantage.

If you get calls or emails asking for donations/personal information to "help" or "sign up" - just be careful.

Today's post

There were a couple comments about 2 factor authentication (2FA) yesterday.

It's good, it's important, turn it on, *especially* for your email, banking, & CC sites.

In order of security, the three main types are:
SMS based - the site sends you a code you have to type in. This has been broken in the real world.
App Based - like Google authenticator or Authy - these have constantly changing codes.
Fob Based - there's a hardware token required for access

1/2

I've said "use a password manager" before, but I'm not sure if I've explained why.

The reason is simple, and related to @CoSoGuard. An email/username/password combination you had once is most certainly out on the web. A criminal might try these combinations against other sites.

Keeping passwords in a manager allows you to keep long, unique pwds for every single one of your accounts.

And those "tricks" like spelling the site name backwards... criminals know about them too.

Ok, getting back on my security soapbox.

Feel free to mute to not hear my random (but informed) security thoughts.


CounterSocial is the first Social Network Platform to take a zero-tolerance stance to hostile nations, bot accounts and trolls who are weaponizing OUR social media platforms and freedoms to engage in influence operations against us. And we're here to counter it.