Posts

Malware Reverse Engineering

I recently analyzed and submitted some malware to Microsoft Security Intelligence that I found on a YouTube video. The video has since been reported, so it may not be available. https://www.youtube.com/watch?v=uQG6Xwxdb2A This YouTube video promoted downloading a program that claimed to "generate" keys for copyrighted software. Windows Defender identified it as Trojan:Win32/Wacatac.C!ml. Below is the VirusTotal entry: https://www.virustotal.com/gui/file/509e1b4447cd7f0c448b31d88a41dbca6ceca5a029caabfa2bd10b7c965bbe51/detection The first thing I did was analyze it for malicious registry changes with a program from NirSoft called RegistryChangesView v1.26. I did not find malicious registry changes. The few changes to the registry were normal Windows behavior; for example, here was one registry change: ================================================== Registry Key : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-...

Earn It Act - True E-to-E Encryption Could Become Illegal

The Earn It Act is a problem for end-to-end encryption. As security professionals, we know that criminals have the option to use encryption just as ordinary people do, and if a court cannot decrypt the digital data to obtain incriminating evidence, sometimes otherwise obvious crimes go unpunished. If the Earn It Act goes into effect, companies like Signal would need to comply in order to be protected by Section 230, a law that says companies that provide a communication platform are not liable for the content posted on their platforms. The compliance guidelines are said to be unlikely to include end-to-end encryption. "Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, wrote a detailed breakdown of some of the myriad problems with this bill. She also astutely points out that the bill would give unprecedented power to Attorney General William Barr, a vocal critic of end-to-...

XBOX Live Profile Page Defaced

This week I'd like to share the tale of when, this time last year in April 2019, I noticed that my XBOX Live profile page was either defaced or a bug had caused my profile image to be replaced with the image at this URL. One can see the defacement in this screenshot of my profile page. The incorrect image is the Woody Allen portrait drawing. It was interesting to me, so I dug around a little bit. I used the browser developer tools to examine the markup. That wasn't a lot of help. I knew less about website security then. As far as I know, it may have been a cross-site scripting (XSS) attack. This was an example of a persistent website defacement attack. This W3Schools page has a straightforward example of an implication of XSS. I found many users whose profiles had been defaced, and when I contacted many of them they thought I was joking or hadn't realized that it had happened to them. Here is a link to a reddit discussion about it. https://www.reddit.com/r/xbox3...

Bluetooth Vulnerabilities

Bluetooth is one of those protocols that is off most security professionals' radar because an attacker usually needs to be in very close range to intercept a BT connection. BT vulnerabilities should be kept in mind, however. There are a number of vulnerabilities in BT. BlueBorne is a vulnerability discovered in several Bluetooth implementations. Btlejacking relies on the jamming vulnerability tracked as CVE-2018-7252 and affects BLE devices with versions 4.0, 4.1, 4.2 and 5. https://cyware.com/news/latest-bluetooth-hacking-techniques-expose-new-attack-vectors-for-hackers-a16cfb5e Connecting to a Bluetooth Low Energy (BLE) device apparently can be done with JavaScript. https://evothings.com/doc/tutorials/how-to-connect-to-ble-devices.html

Private Search Engines

Today, when the average person searches for something on the internet, they use Google. After all, Google was a search engine first, before it became a giant data corporation. There are pros and cons to using Google's services. First is Google's business model. First and foremost, Google is a data company, in contrast to a company such as Mozilla. Google's business model has never been a commitment to user privacy; it stores every move its users make so that it can aggregate that data into useful services and monetize it. That can lead to a problem when a user would like to run internet searches for information that they expect not to be stored in a profile. That is where the search engine DuckDuckGo comes in. DuckDuckGo claims that they don't store your information, ever. I am a big fan of the DuckDuckGo privacy model. I understand the place for data, and what Google does with data is certainly impressive. Yet sometimes I feel more comfortable with the peace of mind tha...

Open Whisper Systems: Signal Messaging App

There are a number of factors that set Signal by Open Whisper Systems apart from any other encrypted messaging platform. The first is that it is open source. https://github.com/signalapp/Signal-Android Signal uses end-to-end (e-to-e) encryption. Next, given that it is open source, anyone can analyse the code for back-doors and the strength of the encryption. The celebrity whistleblower Edward Snowden https://twitter.com/Snowden endorses Signal, and so do many IT professionals who report on controversial subjects. Even if the company is subpoenaed, Signal retains nearly nothing on the user. https://www.theverge.com/2016/10/4/13161026/signal-subpoena-court-order-encryption-police-open-whisper Signal is showing up in the mainstream more all the time. https://www.wired.com/story/signal-encrypted-messaging-features-mainstream/ Security can even be improved beyond the default settings with a few tweaks of the app settings. https://theintercept.com/2016/07/02/s...

Hacking the Scammers

I've been hearing more and more about cases where the scammers are getting hacked by the good guys. The BBC Facebook page put up this video, for example, which I find very interesting. https://www.facebook.com/bbcnews/videos/289623162011871/ The podcast Hacking Humans has twice reported on hackers replacing the automatic message in scam calls. https://thecyberwire.com/podcasts/hacking-humans/87/notes https://thecyberwire.com/podcasts/hacking-humans/86/notes The YouTube channel by Jim Browning has been working on this topic for a while too. https://www.youtube.com/channel/UCBNG0osIBAprVcZZ3ic84vw/featured https://www.youtube.com/watch?v=xb_rgQ4IDS8&feature=youtu.be It's thrilling to see a means to get back at scammers and to see how relentless they can be. I am a huge fan of a feature I have on my Pixel 2 phone by Google called 'call screen'. A demo is seen at the URL below. https://support.google.com/phoneapp/answer/9118387?hl=en Basically if I don...