Information Security Blog | Cyber Security Blog


With Windows 10, Microsoft is also working on a new ‘Blue Screen of Death’ message that incorporates a QR code, to make it easier to find help for the problem that caused the crash.

Microsoft’s dreaded ‘Blue Screen of Death’ for Windows 10 is getting a makeover: a QR code will carry the information about what led to the crash, along with possible remedies to turn things around.

Users will be able to scan the QR code with a smartphone or other compatible device to better understand what caused the crash. The code encodes a URL, which is supposed to lead to a site that can help sort out the issue.

That is certainly a simpler approach than the BSODs of yore, which usually contained a lot of technical detail that was indecipherable to the general public. Windows 8 was the first to replace that with the frowning face; the QR code is expected to make things even more user-friendly.

The QR-code BSOD is currently part of the latest Windows 10 Insider Preview builds and is expected to ship in the Windows 10 Anniversary Update, due out later this summer.

However, the makeover could also open up new attack surface if it isn’t implemented carefully. One risk being raised is that malware could fake a system crash and display a BSOD complete with its own QR code.

That code could mislead a user into trusting the wrong advice and downloading a bogus ‘patch’ that is itself malware. Nothing on the screen proves that the encoded URL is Microsoft’s, so the only real defence is to check where a scanned link actually goes before following it. Let’s hope this scenario does not go unnoticed by Microsoft’s engineers.
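The check a practitioner would want before following a URL scanned from a crash screen, as an added example that is not Microsoft’s code and not part of the original post. The allowlist of hosts is an assumption for illustration (in practice it would hold whatever host Microsoft documents for its crash-help page); the sample URLs are constructed to show the usual ways a look-alike link slips past a naive substring check.

```python
from urllib.parse import urlparse

# Added example, not Microsoft's code. The allowlist is an assumption for illustration:
# in practice it would hold whatever host(s) Microsoft documents for the crash-help page.
TRUSTED_HOSTS = {"support.microsoft.com", "www.microsoft.com"}


def classify_scanned_url(text: str) -> str:
    """Classify a string decoded from a BSOD-style QR code before anyone follows it.

    Returns "trusted" or a short reason for rejection. The checks are deliberately
    strict: HTTPS only, exact host match (no suffix matching), and the host taken from
    urlparse().hostname so that user-info tricks such as "trusted.host@evil.example"
    and explicit ports cannot smuggle a different destination past the check.
    """
    try:
        parsed = urlparse(text.strip())
    except ValueError:
        return "unparseable"
    if parsed.scheme.lower() != "https":
        return "not-https"           # plain http can be rewritten in transit
    host = parsed.hostname           # lower-cased, userinfo and port removed
    if not host:
        return "no-host"
    if host not in TRUSTED_HOSTS:    # exact match: "support.microsoft.com.evil.example" fails
        return "untrusted-host"
    return "trusted"


# Constructed samples of what a user might scan from a real or a faked screen.
SAMPLES = [
    "https://support.microsoft.com/help/stop-code",
    "http://support.microsoft.com/help/stop-code",
    "https://support.microsoft.com.evil.example/help",
    "https://support.microsoft.com@evil.example/help",
    "https://evil.example/?ref=support.microsoft.com",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_scanned_url(sample):15} {sample}")
```

The important design choice is that the host is compared for equality against a short list, never tested with `endswith` or `in`: every rejected sample above contains the literal string `support.microsoft.com` somewhere, and a substring check would pass all of them.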

Read More

The FBI recently announced it had found a way to get into the San Bernardino terrorist’s iPhone, and now Apple desperately wants to know how the feds did it.

The Department of Justice officially withdrew its case against Apple, saying it no longer needed Apple’s help because it had secured assistance from an unnamed third party, the Los Angeles Times reports.

Apple is now alarmed at the prospect that its iPhone 5c can be breached by outside parties, seemingly at the drop of a hat. The FBI has shown no interest in responding to Apple’s requests, especially given that Apple CEO Tim Cook said he would fight the DOJ every step of the way in court. That no-holds-barred opposition from Apple has not won it much support in the federal government.

“One way or another, Apple needs to figure out the details,” Justin Olsson, product counsel at AVG Technologies, told The Los Angeles Times. “The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices.”

Read More

End-to-end encryption on WhatsApp will no doubt endear the service to users who care about their security and privacy, but not to governments that are struggling to battle the growing threat of terrorism.

WhatsApp has started rolling out its end-to-end encryption feature. Let's explain it in WhatsApp's own words. Jan Koum, WhatsApp's co-founder, who grew up in Soviet-era Ukraine, said: 'The desire to protect people's private communication is one of the core beliefs we have at WhatsApp and for me it's personal.' He added that the latest version of the app encrypts every call, message, photo, video, file and voice message sent on the platform by default, including group chats. WhatsApp also claims that the actual content of messages is not held on its servers at all.

Is end-to-end encryption as foolproof as it's cracked up to be?

Der Spiegel notes that end-to-end encryption is only available if all the participants in a conversation are using the latest version of the software; if one of them isn't, group chats will be unencrypted. Koum and Acton have touched on this topic as well. One sceptical commentator writes: 'Do not take companies' promises to keep your data safe seriously, even if WhatsApp means well; this article highlights details on WhatsApp end-to-end encryption that everyone else is afraid to tell you.'

On the other hand, the protocol does not reuse a single key for a whole conversation. That means even if someone cracks one key they will most probably get only a part of the conversation and cannot use that key to decrypt the rest of the messages in that conversation.

Yes, that's good news for those indulging in sending images of their nether regions. But there's a downside to the encryption business too: WhatsApp has in effect taken a major stand against law enforcement as well as against cybercriminals and hackers.

WhatsApp's use of encryption has already caused friction in Brazil, where authorities recently arrested and then released a Facebook Inc. executive after the company said it was unable to unscramble a user's encrypted messages. The Criminal Procedure Code in Singapore requires technology companies to disclose information, or any codes they may have, to unlock locked or encrypted information. The FBI and the Justice Department didn't comment on the company's move, but it has been noted that WhatsApp's services were used to facilitate certain criminal acts, such as the Paris attacks last year.

It's a catch-22: locking the system down with encryption lets terrorists run amok, while weakening it exposes every user. The move also underscores how the growing availability of encryption to consumers is expanding the scope of the debate over how law enforcement should deal with data secured by the technology.
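Why cracking one key yields only part of a conversation, as an added example that is not WhatsApp's or Signal's code. It implements the symmetric-key ratchet of the Signal protocol that WhatsApp adopted (message key = HMAC-SHA256(chain key, 0x01), next chain key = HMAC-SHA256(chain key, 0x02)) and omits the Diffie-Hellman ratchet that the full protocol layers on top. The cipher is a toy XOR keystream standing in for the real AES-CBC plus HMAC, and the shared chain key and messages are constructed for the demo.

```python
import hmac
import hashlib

# Added example, not WhatsApp's or Signal's code. The KDF construction is the Signal
# protocol's symmetric ratchet:
#   message key    = HMAC-SHA256(chain key, 0x01)
#   next chain key = HMAC-SHA256(chain key, 0x02)
# Encryption is a toy XOR keystream standing in for the real AES-CBC + HMAC.


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance the chain once; return (message_key, next_chain_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


def keystream_xor(message_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(message_key, block counter) blocks.
    Symmetric, so it both encrypts and decrypts. Not the real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(message_key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def send_chain(chain_key: bytes, plaintexts: list) -> tuple[list, list]:
    """Encrypt each message under a fresh key; return (ciphertexts, message_keys)."""
    ciphertexts, message_keys = [], []
    for pt in plaintexts:
        mk, chain_key = ratchet_step(chain_key)  # chain only moves forward
        ciphertexts.append(keystream_xor(mk, pt))
        message_keys.append(mk)
    return ciphertexts, message_keys


def receive_chain(chain_key: bytes, ciphertexts: list) -> list:
    """The receiver walks the same chain from the shared chain key."""
    plaintexts = []
    for ct in ciphertexts:
        mk, chain_key = ratchet_step(chain_key)
        plaintexts.append(keystream_xor(mk, ct))
    return plaintexts


# Constructed demo inputs: the chain key would come from the session's DH ratchet.
SHARED_CHAIN_KEY = hashlib.sha256(b"demo shared secret (constructed)").digest()
MESSAGES = [b"meet at 7", b"bring the docs", b"changed my mind, 8"]


def demo() -> dict:
    cts, mks = send_chain(SHARED_CHAIN_KEY, MESSAGES)
    recovered = receive_chain(SHARED_CHAIN_KEY, cts)
    # An attacker who obtained only the key of message #2 (index 1) can read that one...
    leaked_key = mks[1]
    readable = keystream_xor(leaked_key, cts[1])
    # ...but the same key decrypts nothing else: each message has its own key, and a
    # message key does not reveal the chain key it was derived from.
    others = [keystream_xor(leaked_key, cts[i]) for i in (0, 2)]
    return {
        "round_trip_ok": recovered == MESSAGES,
        "all_keys_distinct": len(set(mks)) == len(mks),
        "leaked_key_reads_own_message": readable == MESSAGES[1],
        "leaked_key_reads_others": any(o == MESSAGES[i] for o, i in zip(others, (0, 2))),
    }


if __name__ == "__main__":
    print(demo())
```

The one-way HMAC steps are what bound the damage: holding a message key gives nothing about the chain key, and holding an old chain key gives nothing about the keys that came before it (the full protocol's DH ratchet additionally limits what a leaked current chain key reveals about later messages).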

Read More

In recent months, Mozilla developers have been actively improving and modifying the security and privacy user interface in the Firefox browser. The screenshot shows the changes affecting the notifications shown in the browser address bar.

The first change that draws attention is that sites protected by DV certificates and by EV certificates now get the same general padlock appearance. Historically, Firefox's padlock icon for sites with DV certificates differed in colour from the one for sites with EV certificates, which raised many questions from less informed users. In the updated version these inconsistencies have been eliminated: the padlock icons are now the same.

The changes also affect sites that load mixed content. As the screenshot shows, the notice for it has been revised and is now easier to understand.

Thanks to these design improvements, users are better able to decide whether to trust a site or avoid it.

Google Chrome has also been busy. Its developers plan to notify users when a page is served insecurely over plain HTTP: going forward, Chrome will mark all unencrypted sites in the address bar with a padlock icon crossed out in red.

Google makes it clear that the web is moving to a full transition to HTTPS. Many large companies and organisations have backed the initiative, called «Encrypt All The Things», which boils down to abandoning the traditional, less secure HTTP protocol in favour of HTTPS.

Google announced its plan for a full transition to HTTPS back in 2014. At that time, a member of the Chrome Security Team proposed marking all HTTP sites as "unsafe".

This change will draw more attention to sites that could potentially be unsafe.

It currently remains unclear whether marking all HTTP pages will be enabled by default in Google Chrome. However, you can test it now by typing chrome://flags into the address bar and enabling «Mark non-secure origins as non-secure».

Read More

Today several Windows users have reported that their systems were infected with Petya ransomware and that, as a result, they can no longer access their files and data in their original format. It generally infiltrates the targeted computer when the user clicks or downloads an infected attachment from an unknown source. According to these reports it is a severe piece of ransomware that can affect a Windows-based system completely, encrypting files such as .jpg, .mkv, .mp3, .doc, .xls and .gif. To make the data inaccessible it uses the AES-256 encryption algorithm, and the files cannot be decrypted without the unique key. Once installed on the targeted computer, Petya will download Zemot, CMSrute and other malware without asking your approval. Apart from that, you may find several unknown applications and programs degrading system performance.

After infection, the user finds an unexpected and unwanted message on the screen, because the ransomware drops a txt file inside each encrypted folder. This README.txt file is a ransom note saying that your files on the disk have been encrypted and that you have to pay money to get them back in their original format. Sometimes, scared by such messages, users pay the demanded money. The bad news is that even after paying, the situation often remains the same and the files stay encrypted. Therefore it is advised not to do as the note says, and to remove Petya ransomware from the computer as soon as you can.

Read More

This past weekend security researcher and “artful hacker” Mike Olsen discovered that surveillance cameras he had purchased through Amazon came with malware embedded. Olsen had bought the USG Sony Chip HD 6 Cameras, marketed as “Affordable High Definition CCTV Video Surveillance”, to provide outdoor surveillance for a friend’s home. Going by the marketing pitch, he thought the six cameras plus recording equipment were a good deal.

In a blog post, Olsen describes how he received the cameras and ran into trouble as soon as he tried logging in to the administrator page to configure the system. “First of all something seemed a bit off, the interface showed the camera feed but none of the normal controls or settings were available.” Since Olsen is a software engineer, he began to investigate the page’s underlying CSS and markup, which should have contained the camera’s settings. He expected a simple layout flaw to be hiding the controls he needed to configure the surveillance system. Instead, he found an embedded iframe linking to a suspicious website.

The website in question was brenz.pl, which has been associated with distributing malware for years; the site has been reported as a malware distributor as far back as 2009. With the malicious link embedded in the administrator page, anything served through it could potentially be used to steal data from the device or to infect the computer used to administer it.

Infecting users by hiding malware inside devices is not wholly unexpected, though most of us would expect a purchase from Amazon to be relatively safe. In this case one of the buyers, Mike Olsen, had the skills to uncover the problem with the device. As more people integrate internet-connected devices into their homes, more cybercriminals will see an opportunity to compromise home networks.
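Both the browser-UI post above (mixed content on HTTPS pages) and Olsen's camera page (a hidden third-party iframe in a device's admin interface) come down to the same question: what does this HTML pull in, from where, and over what scheme? The auditor below is an added example, not Olsen's, Mozilla's or Google's code. It parses a page with the standard library, resolves every sub-resource URL and reports two kinds of finding: resources loaded over http from an https page (what the browsers now warn about) and active content (scripts, frames, stylesheets) pulled from a host outside the owner's list. The two sample pages are constructed; the camera page is modelled on Olsen's description, with the iframe pointing at brenz.pl as the post states, and the shop page and its hosts are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Added example, not Olsen's, Mozilla's or Google's code. It audits the sub-resources an
# HTML page pulls in: anything loaded over http on an https page is mixed content (the
# browser-warning case), and any script, frame or stylesheet from a host outside the
# owner's list is third-party active content (the camera admin-page case).

# "Active" content can run code or control the page; "passive" content cannot.
ACTIVE = {"script": "src", "iframe": "src", "frame": "src", "link": "href",
          "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class _Resources(HTMLParser):
    """Collect (tag, url) for every tag that loads an external resource."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and attrs.get("rel", "").lower() != "stylesheet":
            return  # only stylesheets count as active; icons and preloads are ignored here
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr and attrs.get(attr):
            self.found.append((tag, attrs[attr]))


def audit_page(html: str, page_url: str, trusted_hosts: set) -> list:
    """Return findings as (issue, kind, tag, absolute_url) tuples, in document order."""
    parser = _Resources()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for tag, raw in parser.found:
        url = urljoin(page_url, raw)          # resolves relative and //protocol-relative URLs
        parsed = urlparse(url)
        kind = "active" if tag in ACTIVE else "passive"
        if page_scheme == "https" and parsed.scheme == "http":
            findings.append(("mixed-content", kind, tag, url))
        if parsed.hostname and parsed.hostname not in trusted_hosts:
            findings.append(("third-party", kind, tag, url))
    return findings


# Constructed sample 1: an admin page modelled on Olsen's description, served by the
# camera itself, with a zero-size iframe pointing at brenz.pl.
CAMERA_ADMIN_PAGE = """
<html><head><title>CCTV Admin</title>
<script src="/js/camera.js"></script></head>
<body><img src="/live.jpg">
<iframe src="http://brenz.pl/rc/" width="0" height="0"></iframe>
</body></html>
"""

# Constructed sample 2: a hypothetical https checkout page that loads a script and an
# image over plain http.
MIXED_PAGE = """
<html><head>
<link rel="stylesheet" href="//shop.example/style.css">
<script src="http://cdn.example/app.js"></script>
<script src="/local.js"></script></head>
<body><img src="http://shop.example/logo.png"></body></html>
"""


def demo() -> dict:
    return {
        "camera": audit_page(CAMERA_ADMIN_PAGE, "http://192.168.1.10/index.html", {"192.168.1.10"}),
        "shop": audit_page(MIXED_PAGE, "https://shop.example/checkout", {"shop.example"}),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

Run it against a device's admin page (fetch the HTML with curl first) and the camera's iframe shows up as third-party active content even though the device serves plain http and no browser would flag it. The protocol-relative stylesheet on the shop page is deliberately not reported: it inherits https from the page, which is the usual fix for passive mixed content.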

Read More

What is Swift?

Swift is Apple’s new programming language, which has been in development for the past four years and looks set to replace Objective-C as the main language for app development on Apple’s platforms, OS X and iOS.

It’s a major departure from the syntax of Objective-C and takes a lot of cues from other languages, such as Haskell, C#, Ruby and Python, which Apple presumably hopes will make it appealing to bright young coders, keen on modern languages.

Although it’s a major departure, Apple has taken a lot of trouble to make the transition to Swift as painless as possible. It is binary compatible with existing Objective-C libraries and maintains a close relationship with the Cocoa frameworks.

That means that developers can introduce Swift into their apps at their own pace, by writing discrete modules that should seamlessly interoperate with their existing Objective-C code.

What are the improvements over Objective-C?

Type Inference

In Swift there is no need to annotate variables with type information, as the compiler can infer the type from the value a variable is initialised with. Due to the dynamic nature of Objective-C, types are not truly known at compile time, because methods may be added to existing classes, entirely new classes added, or an instance’s type changed, all at runtime.

Type Safety

With Swift, the compiler can be more helpful in catching subtle type-related bugs. Because the compiler knows more about the types involved in any method call, it can optimise certain call sites and jump directly to the implementation using C++-style vtable dispatch, rather than going through dynamic dispatch as in Objective-C. This enables optimisations that make code run faster.

Control Flow

The humble switch statement has undergone a radical overhaul in Swift and can now match against ranges, lists of elements, boolean expressions and enums, among others. It doesn’t fall through by default, the compiler requires it to be exhaustive, and it is further enhanced by Swift’s flexible pattern matching.

Optionals

An optional type either holds a value of its underlying type or holds nothing (nil). Because the possibility of nil is part of the type, the compiler forces you to deal with it rather than letting a forgotten nil check slip through. Optionals can be chained together so that a sequence of method or property calls short-circuits to nil if any link returns nil, instead of crashing at runtime.

Strings

Strings are easier to deal with in Swift, with a cleaner syntax than Objective-C, e.g. concatenating strings with “+=”.
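The features listed above in one short program, as an added example that is not from the original post and uses current Swift syntax rather than the 2014 release. The `parsePort`, `describe` and `Server` names and the port-validation scenario are hypothetical, chosen because rejecting bad input without crashing is exactly what optionals buy you.

```swift
// Added example (not from the original post): type inference, optionals, the
// overhauled switch and string concatenation, applied to validating a port number
// taken from user input. Names and scenario are hypothetical.

// Type inference: no annotations needed, the compiler infers String, Int, [String: String].
let input = "8080"
let retries = 3
let headers = ["Host": "example.org"]

// Optionals: Int(String) returns Int?, which is nil when the text is not a number.
// The caller is forced to handle the nil case; there is no silent zero as with intValue.
func parsePort(_ text: String) -> Int? {
    guard let value = Int(text), (1...65535).contains(value) else { return nil }
    return value
}

// Control flow: switch matches ranges, no fall-through, and must be exhaustive.
func describe(port: Int) -> String {
    switch port {
    case 1...1023:
        return "well-known"
    case 1024...49151:
        return "registered"
    default:
        return "dynamic"
    }
}

// Optional chaining: a nil at any link short-circuits to nil instead of crashing.
struct Server { var port: Int?; var name: String }
let servers: [String: Server] = ["web": Server(port: 443, name: "web")]
let webPort = servers["web"]?.port   // Int? holding 443
let dbPort = servers["db"]?.port     // Int? holding nil, no crash
print("web:", webPort ?? -1, "db:", dbPort ?? -1)

// Strings: concatenation with += and interpolation instead of stringWithFormat:.
var report = "port report (input \(input), \(retries) retries, host \(headers["Host"] ?? "?"))"
for candidate in ["80", "70000", "abc"] {
    if let port = parsePort(candidate) {
        report += "\n\(candidate): \(describe(port: port))"
    } else {
        report += "\n\(candidate): rejected"
    }
}
print(report)
```

The `guard let` in `parsePort` is where the type safety pays off: `Int("abc")` is nil, `Int("70000")` is out of range, and both are rejected on one line with no exception handling and no sentinel value to forget to check.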

Read More

Here are three tips that can help in the selection process of a developer:

1. Hire for DNA first, then work experience. 
When I hire web developers, their personal DNA is the most important consideration. While experience is important, the bigger predictor of success is someone's innate DNA and how it fits your company. Are drive, determination, persistence and curiosity important to your culture? Or are you more low-key and relaxed about time management and deadlines? Whatever characteristics make up your culture, you want to ensure that the web developer will fit in.

For example, a brilliant web developer who has worked at a large financial institution may not do well at a startup. Why? A startup typically requires traits like versatility, adaptability, risk-taking and a self-starter personality, but these may be less important at a large company.

So, make a list of your company's DNA requirements. Do you foster an environment of relentless drive? Do you want great team players? If you come up with five requirements, make sure the interviewee matches at least three. Hiring for DNA also can help you to start to define a company culture and ensure that your team will work well together.

Of course, it's easy for some people to fake it in an interview, so you may need to evaluate them in other ways to ensure they're a good fit.

2. Try out a new developer with a small project first.
Although you might think you've identified your ideal candidate, just to be sure you should give him or her a small, non-critical project. That can let you observe the person in action and provide additional information beyond the job interview.

You can see how efficient the candidate is in delivering products and how buggy the final product is. Did he or she go above and beyond to get the product delivered? How creative was the solution? How well did he or she work in a team and communicate problems and delays? 

3. Pick a developer with aptitude, not a particular skill set.
In the tech space, skills become obsolete every two years, give or take. So, it's better to hire a web developer who can learn new technologies easily rather than someone who knows a specific technology now but may not adapt when a new one comes along.

The easiest way to detect whether someone will adapt well to change is to ask questions that reveal whether a web developer has a love of learning. For example:
  • What new programming languages have you learned recently?
  • What are your go-to places for learning new tech tips and tricks?
  • What are your favourite technology conferences?
Read More

So that is the list of how people traditionally test their designs. But can you afford it? Of course there will be issues, and so there will be errors, but if you still believe in an eraser over the backspace key, this article will probably interest you.

A Paper and Pencil

Paper and pencil, you say? The most powerful and dirt-cheap of usability testing tools, say I! The reality is that using paper and pencil to draw interfaces, wireframes, cards for card sorts and a host of other usability artefacts is an extremely fast and extremely effective way to conduct usability testing.

Paper and pencil are amazingly simple to use, communicate quite effectively, and are so cheap you probably have them all over the office and home.

You can’t go wrong using paper and pencil for early prototype usability testing; it’s a great way to get quick and meaningful results at a rock-bottom price.

Pros – Cheap, fast and extremely effective

Cons – Early design stage testing only; not for use in testing interaction

Concept Feedback

Concept Feedback was, and is, designed as a way to gather input and feedback from experts about new designs for marketing or advertising purposes. However, the tool can also be used by web site designers and usability researchers to gather information about potential new site designs or interfaces.

It works quite simply: you submit your concept to the expert community, and reviewers provide their suggestions, recommendations and input about your design. You then judge the quality of the responses by taking into account each reviewer’s quality score; higher scores mean more people consider that reviewer an expert, so their advice may be worth more.

This community of experts is available free of charge, and because each reviewer can be graded by others, it offers a means to gauge the quality of each opinion you receive.

Cons – From a usability testing perspective, the reviewers are not performing actual tasks (they’re viewing an image), so interaction feedback is not possible. In addition, there’s no guarantee that reviewers’ opinions reflect the actual user experience once the site is live.

Read More
SERM Tips to make your life easier!!

The results can be disastrous, ranging from bruised feelings to tens (or hundreds) of millions in lost sales. While creating an intentional reputation monitoring and management plan ahead of time is certainly optimal, by the time we get the call the business is usually already bleeding profusely. Here are our views:

  • Evaluate the authority of the page on which the negative content is published. As with any SEO assignment, start by looking at PageRank and the inbound-link profile using Yahoo Site Explorer and other tools. If the offending result is not on a site’s homepage, take a careful look at older, similar interior pages along with their archives. Google’s algorithmic regard for any page tends to accumulate over time as a result of numerous factors, known and “black box”, so keep in mind that any page’s clout might increase over time. Be advised and plan accordingly.
  • Since some offending results violate copyright or trademark law, a strong understanding of, and willingness to use, legal channels can be an important arrow in the SEO sharpshooter’s quiver. Sometimes the first salvo we fire comes from our client’s law firm in the form of a cease-and-desist letter. Be aware of the laws that pertain to protected marks and intellectual property. Taking the legal route can certainly yield results, and sometimes the expense makes sense. Our legal team has scared many an idiot off our clients’ backs; some rogues just don’t want to mess with lawyers and can be “encouraged” to take down their problem content.
  • Determine the likelihood that the substance of proposed defensive content will further provoke and backfire virally. We find it’s best if newly created content and subsequent promotional activity do not appear to be directly related to the problem we’re competing with. My grandmother used to tell me never to “get into a pissing contest with a skunk. Even if you win, you stink.” Instead, create defensive content that builds on the strengths of your business to contradict the negatives raised by a bad editorial, and build it to outrank the perpetrators.