The security thread
- 39 Responses
- sted (2)
Amazon.
Change your passwords around amazon systems from all amazon sites to AWS accounts. No official info yet but there is a huge database for sale, with aws security credentials.
- detritus: Ooft, that'll torpedo Bezos massively, if true - especially where AWS is concerned.
- sarahfailin: i just changed it like 2 weeks ago! is this a separate breach from the big one last month?
- sted: yes, they released some parts of the db to prove that it's real
- robthelad: They can only hack your account *IF* you change your password... dun dun dun
- uan (1)
Being privacy-aware in 2016
https://vox.space/blog/89/being-…
incredible how much you are supposed to do, be aware of when surfing the web and caring about your privacy. it's good to see competent people caring about it and sharing the knowledge.
- sted (2)
Today is Tumblr
Hackers Stole 65 Million Passwords From Tumblr, New Analysis Reveals
- Continuity: Thankfully, I'm not on Tumblr. But yeah, it's pretty scary how many breaches there are.
- sted: wait for insta :)
- set: Oh the fucking humanity
- sted (1)
https://motherboard.vice.com/rea…
:D
Roughly 800,000 accounts of the popular pornography website Brazzers have been leaked to the public after a recent data breach.
- drgs (1)
so my Linkedin account has been "pwned"
what are they going to do with my login exactly?
- prophetone: Your LinkedIn suddenly updates to 'Junior Fry Cook and Waste Management Technician at Kysten Rundt'
- sted: nothing if you don't use the same email+password everywhere.
- Al_dizzle: if you use the same password for everything then you should be worried.
- cherub (0)
I'm new to HTML forms, and this is my first time doing backend stuff. I am using a simple HTML form to plug into my action PHP.
Simple question.
What is the general consensus?
Is GET more insecure, or POST?
why?
- uan: POST doesn't show the data in the URL.
- cherub: ^that's what I read too. And apparently bots can mess with ur form if you use GET? or something like that?
- uan: bots and humans. you can hack both...you can try sql commands in the form to hack into the site if you want.
- uan: that's why using the wp default login is a better idea...all the known attacks are covered.
- spot13: Always sanitize your inputs to filter XSS and SQL injection and use SSL/TLS
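As an added example (not code from the thread), here is a minimal PHP handler for the kind of form cherub describes. It accepts POST only, validates the fields, stores them with a PDO prepared statement so the submitted text is never spliced into the SQL, and escapes on output for HTML. The SQLite file and the `comments` table are assumptions for the demo.

```php
<?php
// Added example, not from the thread. Assumes a SQLite database next to
// this script with a table comments(id, author, body); created if absent.
declare(strict_types=1);

// Accept POST only: submitted values then stay out of the URL, browser
// history, Referer headers and server access logs. Serve over HTTPS so
// the body is not readable in transit (TLS is configured on the server).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use POST');
}

// Validate shape and length before anything touches the database.
$author = trim((string)($_POST['author'] ?? ''));
$body   = trim((string)($_POST['body'] ?? ''));
if ($author === '' || strlen($author) > 64 || $body === '' || strlen($body) > 2000) {
    http_response_code(400);
    exit('Invalid input');
}

$pdo = new PDO('sqlite:' . __DIR__ . '/comments.db', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE IF NOT EXISTS comments ('
    . 'id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// The pattern this replaces builds the query as a string, so the text typed
// into the form becomes part of the SQL that is executed:
//   $pdo->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
//
// With a prepared statement the SQL is parsed first and the values are
// bound afterwards, so whatever the user typed is treated as data only.
$stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $author, ':body' => $body]);

// For XSS, escape at output time for the context it is rendered in
// (here HTML text), rather than relying on input "sanitizing" alone.
echo 'Thanks, ' . htmlspecialchars($author, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '!';
```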
- sted (2)
Move your private projects out of github, entire source was leaked, breach is expected.
- Bennn (0)
seriously, I don't care if the gov is spying on my sms... what i say over there is very uninteresting... like making jokes to my gf, asking her what's for dinner or "want me to buy tickets for this show"
I'm using Signal anyway because I like it.
- Bennn: but i get the point tho. i know.
- moldero: http://i.imgur.com/F…
- ETM: What? No sexts? How boring :)
- Continuity (1)
'WhatsApp backdoor allows snooping on encrypted messages'
- hans_glib: whatsapp is owned by facebook, is anyone really surprised?
- Continuity: Oh, no, certainly not surprised. Indeed, this vulnerability has been known for some time, according to the article. This is more of a PSA on my part.
- sted (0)
Popular BitTorrent client uTorrent's forum, which has over 388,000 registered members and sees tens of thousands of visitors each day, has been hacked.
https://torrentfreak.com/utorren…
it's important to mention that you should never, under any circumstances, register on torrent sites.
- Maaku: I would expect hackers to attack banks, or corporations and stuff...but this is like thieves going after thieves.
- prophetone: ...assuming they're black hat and/or independent
- terry_cloth: it makes perfect sense, not like a bunch of content pirates can run to the authorities
- sted (1)
Today is myspace day:
Hacker Tries To Sell 427 Million Stolen MySpace Passwords For $2,800
- bulletfactory: there are that many myspace users?
- imbecile: read the article maybe
- sted (1)
An unpatched vulnerability in Apple's Safari web browser could be exploited to allow for the transfer of local files from a victim's machine or mobile device. Although Apple requested the researcher to hold off on disclosing the vulnerability, the researcher felt the timeline for a patch was too long. Apple stated it would not release a patch until Spring 2021. The vulnerability abuses the Web Share API, which allows users to share links from Safari through third-party applications. Using the "file:" scheme, an attacker could pass a link to the navigator.share function containing a file from the user file system. To perform the attack, a user must be compelled to visit a malicious website and perform actions detailed on that website. The researcher provided a proof-of-concept with an innocuous image file, which he urged visitors to share amongst their friends. Upon pressing the share button, the user is presented with various ways by which to share the image. Should the user choose email, the code, image URL, and an arbitrary file are attached. Additionally, he was able to demonstrate the stealing of the passwd file. In some cases, the victim may not notice the attachment or the name of the attachment may not be displayed, giving the attacker a slight advantage as the attachment could be out of sight on the victim's screen. The victim would need to scroll down to see the attached file. This vulnerability affects devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and macOS Catalina 10.15.5 with Safari 13.1.1. Further details can be found in the links located within the Reference section below.
- grafician: Boring. If there is no RCE, move on. If they want the /etc/passwd they could just ask, those are only system users...
- monNom (1)
Do you use 3rd party/open-source scripts in your website and application builds? Should you trust them?
This guy lays out a shockingly simple method to spread malware and steal user data by taking advantage of developer laziness: Offer free opensource plugins, npm dependencies, etc.
- monNom: Related: Hotjar said recently they will stop collecting keystrokes and form-input data in their recordings. i.e. your analytics was/is keylogging your users.
- sted (1)
Adult Friend Finder and others
Sexual secrets for hundreds of millions exposed in largest hack of 2016
- Adultfriendfinder.com - 339,774,493 users
- Cams.com - 62,668,630 users
- Penthouse.com - 7,176,877 users
- etc..
Total: 412,214,295 affected users
http://www.techspot.com/news/670…
http://www.theverge.com/2016/11/…
- sted (1)
Spotify is writing massive amounts of junk data to storage drives
http://arstechnica.com/informati…
It's been in the air since the summer, but still nobody knows what data is actually written to the users' disks (as it isn't using that much network traffic). Spotify has now made an official statement (after 4 months).
- face_melter: I read this, it reads/writes so much data it reduces the life of SSDs from years to weeks.
- sted (2)
Several Sites Including Twitter, Spotify, PayPal, SoundCloud Suffering Outage: Dyn DNS Under DDoS Attack
https://www.dynstatus.com/incide…
http://motherboard.vice.com/read…
some say that this is related to these events:
https://www.schneier.com/blog/ar…
- face_melter (0)
I recommend following @SwiftOnSecurity - an entertaining and informative albeit sometimes jargon-heavy mix of security news/talk and Taylor Swift.
- Maaku: You got me at "Taylor Swift"
- prophetone: he's my infosec man crush
- sted (0)