The origin of this practice can be traced back to a password primer written by a man named Bill Burr in 2003 when he was a manager at the National Institute of Standards and Technology (NIST). He’s the reason I’ve sometimes had passwords based on whatever was in my line of sight at the time of the change (like Stapl3r2015!) and sometimes had password themes like colors+date (like Red!20160310, Blue!20160608, Yellow!20160906). Continue reading
Generally finding bugs is a problem, unless you can get paid for doing it! This week, The Tor Project announced a new bounty program for folks who can find bugs in Tor and Tor Browser. Earn up to $4,000 per bug depending on the severity.
Details are available at HackerOne, so sign up for an account and start trying to break stuff!
Although WannaCry, the massive worldwide ransomeware attack, is the biggest story these days when it comes to cyber crime, it’s definitely not the only issue causing problems for sites right now.
Last week, website security leader Sucuri identified code that appears to be WordPress API related, but is actually sending active cookie data to attackers. This is most problematic when the active user is a site admin because it gives someone the opportunity to create a new admin user which can be then used to do considerable damage to a site and/or gain access to user data.
It’s no surprise that we’re very interested in how our current administration is impacting topics like Net Neutrality and Internet Privacy. When Ajit Pai was appointed to be FCC chairman a couple months ago, we encouraged everyone to stay informed and keep an eye out for new issues. Well, this week the House voted to undo rules which prevented Internet Service Providers (ISPs) from selling user data to the highest bidder, just the latest roll back of protections that had been put in place by former President Obama. Although President Trump has not yet signed the roll back into effect, the White House has suggested that he will and the implications for Internet privacy concerns are pretty significant. (Update – As expected, President Trump did sign the bill in question on April 3rd, 2017, to repeal online privacy protections established under the previous administration.)
Delivering secure and reliable services has been a top priority for developers since day one. Applying the best, most reliable technologies has always been the key to securing a client’s data and traffic. But, due to multiple vulnerabilities found in some core products used to encrypt data and traffic, security practices need to be revisited.
We’re seeing reports this morning that a massive security breach associated with WordPress 4.7.0 and 4.7.1 has apparently led to the defacement of up to 1.9 million pages across almost 40,000 domains.
Upgrading to version 4.7.2 should fix the issue and WordPress urges anyone who hasn’t already updated to do so immediately. WordPress actually announced the security issue in a blog post at the beginning of February, but apparently there are still many sites that either weren’t aware or didn’t realize how serious the issue really is.
If you or anyone you know is running a WordPress site, please make sure it is updated to 4.7.2 as quickly as possible.
This past Friday, when most of the world was watching (or actively not-watching) the events in Washington, D.C., the formerly shuttered, Snowden-affiliated webmail service Lavabit announced it was re-launching with a new generation of email privacy and security.
If you’re unfamiliar with the history, here’s the gist: Lavabit formed in 2004, in part because of privacy concerns around email. They launched as an email service with significant protection and encryption capabilities and served a relatively small group of folk for almost a decade.
In the wake of the October 21st cyberattack on Dyn – an event that caused websites including Amazon and Netflix to go offline for hours – there has been a real rise in fear as to the ramifications of the Internet of Things. The Dyn attack was accomplished with malicious code that got into innumerable “smart” devices, from webcams to baby monitors, bombarding Dyn with requests and bringing its services to a halt – thereby crashing popular websites and services. But what if the goal had been to shutdown a power plant? Or to sever vital emergency communication lines? Or to bring down an airplane?
Android devices running on Qualcomm chips are at serious risk of being cracked. Apparently unlike iOS devices, Android devices store full-disk encryption keys in software, software that can be cracked – easily.