Monday, October 31, 2022

If you want something done right...

from here and here

I'm not trying to suggest that your security should be entirely your responsibility. I know there are improvements that can be made that are outside the hands of individuals, but if you're waiting on that, or worse, relying on that, you're gonna be waiting a long time and it's not going to be pretty.

If those external improvements happen, that's great, but until then - you've got to take matters into your own hands.

It looks so realistic

found on Grateful

Not that I'm condoning killing people (goodness knows there's enough death going on already), but this would be an excellent example of using cover to disguise or otherwise hide your activities.

Friday, October 28, 2022

This trick is a treat

from here and here

Honestly, I really ought to do this. This is one of the most practical Halloween costumes I can imagine. It hides your identity, it's easy to use, it folds up into a small space when you're done with it. What's not to like?

Be afraid, terrorists

found on Memebase

When you look like someone out of a horror movie (Poltergeist 2?) it's bound to creep out friends and enemies alike. I'm not sure that would actually serve as a meaningful deterrent, but one can hope.

Thursday, October 27, 2022

Skills not included

from here and here

It was always just hacker cosplay, so why shouldn't everyone get to try it?

Cybersecurity Awareness Halloween Edition

Watch on YouTube

How weird is it that Cybersecurity Awareness Month is the same month as Halloween? It's almost as though someone knew cybersecurity awareness would focus on scaring people.

Wednesday, October 26, 2022

IT Security

from here and here

Of course you won't be able to access the data either, but at least other people can't get it.

(There is no clown, just other people's nightmares)

Maybe you should take care of that before you die

found on Flickr

I'm pretty sure by the time you're a skeleton there's nothing you can do to protect the secrets on your phone, so you should really consider doing something about it long before that happens. Now would be a good time. 

Tuesday, October 25, 2022

Modern Nightmares

from here and here

There's often a certain amount of hacking involved in ransomware deployment, but usually not like that.

Attack Of The Zombie Network shirt

Product Page

Since the spooky season is nearly upon us, now seems like a good time for a spooky shirt.

Monday, October 24, 2022

But not about riding it

from here and here (image source)

I don't see any opening except at the top, so I have to assume this bike isn't going anywhere with thieves OR its owner.

The reason they couldn't fly into Mordor

found on Reddit

They will take your precious things, if you're not careful.

Friday, October 21, 2022

For those with advanced persistent toes

from here and here (image source)

I'm not sure what these are supposed to protect the wearer from, but just because I don't know doesn't mean it isn't a valid part of someone's threat model.

Privacy that's only as strong as the weakest barrier

found on eBaum's World

Sometimes it's a window, sometimes it's a door, and sometimes it's a wall. 

Thursday, October 20, 2022

Security by impurity

from here and here (image source)

Just as there is no security by obscurity, so too is there no real security by impurity. I could wear gloves, or push the buttons with a stick if it came down to it. I could probably just pick the lock, too.

That being said, someone definitely knows how to put the ick in Kwikset.

BMW demonstrates your next getaway vehicle

Watch on YouTube

Don't take your eyes off the car or you may not be able to find it again.

Wednesday, October 19, 2022

I didn't see anything when I slipped and fell into the database

from here and here

A quick check of Have I Been Pwned indicates that yes, SHA1 is still being used.

I didn't think it would be worth it to look for MD5 at first. I was so sure the age of MD5 was over and that I would have had to look for a while to find an example, but nope, there was a breach using MD5 added at the beginning of this year. I didn't have to look far at all.
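For anyone wondering what "the breach used MD5" or "the breach used SHA1" means in practice, here is an added example written for this post; it is not code from Have I Been Pwned or from any breached site. The breach dump, wordlist and passwords are constructed, the iteration count is a demo value, and the PBKDF2 routine is spelled out only so the program needs nothing outside the Go standard library:

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// fastHex is how the weak sites store a password: one unsalted pass of a
// fast digest, identical for every user who picked the same password.
func fastHex(newHash func() hash.Hash, password string) string {
	h := newHash()
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// crackUnsalted plays the attacker after a breach: hash the wordlist once,
// then look every leaked digest up in that table. No salt means one table
// cracks every user at once, and two users with equal digests share a password.
func crackUnsalted(newHash func() hash.Hash, leaked, wordlist []string) map[string]string {
	table := make(map[string]string, len(wordlist))
	for _, w := range wordlist {
		table[fastHex(newHash, w)] = w
	}
	cracked := make(map[string]string)
	for _, digest := range leaked {
		if pw, ok := table[digest]; ok {
			cracked[digest] = pw
		}
	}
	return cracked
}

// pbkdf2 is PBKDF2 (RFC 8018) written out so this example needs only the
// standard library. Real code should use crypto/pbkdf2 (Go 1.24+), bcrypt or
// Argon2 from golang.org/x/crypto rather than a home-grown copy.
func pbkdf2(password, salt []byte, iter, keyLen int, newHash func() hash.Hash) []byte {
	prf := hmac.New(newHash, password)
	var dk []byte
	idx := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)            // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj = PRF(P, U(j-1))
			for j := range t {
				t[j] ^= u[j] // T ^= Uj
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// pbkdf2Iterations is a demo value (assumption); take the real number from
// current guidance and raise it as hardware gets faster.
const pbkdf2Iterations = 100_000

type record struct {
	Salt, Hash []byte
}

// store hashes a password the way a site should: random per-user salt plus a
// deliberately slow KDF, so a cracker must start over for every single user.
func store(password string) record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return record{Salt: salt, Hash: pbkdf2([]byte(password), salt, pbkdf2Iterations, 32, sha256.New)}
}

func verify(rec record, password string) bool {
	got := pbkdf2([]byte(password), rec.Salt, pbkdf2Iterations, 32, sha256.New)
	return hmac.Equal(got, rec.Hash)
}

func main() {
	// Constructed breach dump: three users, two of whom chose common passwords.
	// Not data from any real breach.
	victims := []string{"password", "123456", "kX7!vq-not-in-any-wordlist"}
	wordlist := []string{"123456", "qwerty", "password", "letmein"}
	for name, newHash := range map[string]func() hash.Hash{"MD5": md5.New, "SHA-1": sha1.New} {
		var leaked []string
		for _, v := range victims {
			leaked = append(leaked, fastHex(newHash, v))
		}
		cracked := crackUnsalted(newHash, leaked, wordlist)
		fmt.Printf("%s dump: cracked %d of %d users with a %d-word list\n", name, len(cracked), len(leaked), len(wordlist))
	}
	// Same password for two users: unsalted digests match, salted ones do not.
	fmt.Println("unsalted digests equal:", fastHex(sha1.New, "password") == fastHex(sha1.New, "password"))
	a, b := store("password"), store("password")
	fmt.Println("salted hashes equal:   ", bytes.Equal(a.Hash, b.Hash))
	fmt.Println("verify right/wrong:    ", verify(a, "password"), verify(a, "Password"))
}
```

Run it with `go run`. The point of the first loop is that the wordlist is hashed once and reused against the whole dump; with a per-user salt that precomputation is worthless, and the iteration count makes each guess cost about as much as the site's own login check, which is exactly the asymmetry a fast unsalted digest throws away.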

Why I outsource the job to a password manager

found on Reddit

Committing new strong passwords to memory is not the slightest bit easy. It's just not what human brains were built for, so don't feel bad about the fact that your memory is where new passwords go to die. Adapt to your own limitations and use assistive technology like a password manager.

Tuesday, October 18, 2022

Curiosity killed the corporate network

from here and here (USB image source)

I've found USB drives before. I know how strong the sense of curiosity can be, but I also know what can go wrong, and even though Microsoft has tried to make it harder for malware to spread that way, it's still possible, especially with social engineering (and the attackers already have the advantage of having piqued a curious person's interest).

Ransomware shirt

Product Page

If a ransomware operator ever asks me for "2 bit coins", I'm going to have to try sending them quarters, since 2 bits is 25 cents.

Monday, October 17, 2022

Flunking Cryptography 101

from here and here

The revelation that Microsoft Office uses ECB (electronic codebook) mode for its encryption (not just now but as far back as 2010) is stunning. If you've read a book on cryptography then you would know better than to use ECB mode. If you haven't read a book on cryptography then what the heck are you doing writing the crypto code in something as important as Microsoft Office?

How do you put someone so green in such a position? Alternatively, if it wasn't a mistake, if it wasn't a matter of a lack of experience (because the failings of ECB were widely known long, long before the creation of Office 2010 - I knew about it in university in the 90s) then could this have actually been a kind of backdoor?
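To make the ECB failing concrete, here is an added example (my own illustration, not Microsoft's code or anything from the linked reports). The key, IV and plaintexts are constructed; AES is used as the block cipher only because it is in the Go standard library, and the ledger layout is an assumption chosen to make the cut-and-paste attack visible:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt/ecbDecrypt run the block cipher on each 16-byte block on its own.
// That independence is the whole problem: equal plaintext blocks give equal
// ciphertext blocks, and blocks can be rearranged without knowing the key.
func ecbEncrypt(blk cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		blk.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

func ecbDecrypt(blk cipher.Block, ct []byte) []byte {
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		blk.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pt
}

// cbcEncrypt chains each block into the next, so repeats vanish. CBC is the
// minimal fix shown for contrast; an authenticated mode such as AES-GCM is the
// right choice for new designs.
func cbcEncrypt(blk cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

// repeatedBlocks is the classic ECB detector: count ciphertext blocks already
// seen. Any repeat in a long message is a near-certain ECB tell.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	n := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

// swapBlocks exchanges ciphertext blocks i and j in place, with no key at all.
func swapBlocks(ct []byte, i, j int) {
	bi := ct[i*aes.BlockSize : (i+1)*aes.BlockSize]
	bj := ct[j*aes.BlockSize : (j+1)*aes.BlockSize]
	tmp := append([]byte(nil), bi...)
	copy(bi, bj)
	copy(bj, tmp)
}

// field pads a value to exactly one block; the fixed layout is an assumption
// made so the swap lands on whole fields.
func field(s string) string { return fmt.Sprintf("%-16s", s) }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	blk, err := aes.NewCipher(mustRandom(16))
	if err != nil {
		panic(err)
	}

	// Constructed plaintext: eight copies of one 16-byte line, the kind of
	// repetition documents and mail bodies are full of.
	pt := bytes.Repeat([]byte("PAYMENT APPROVED"), 8)
	fmt.Println("repeated ciphertext blocks, ECB:", repeatedBlocks(ecbEncrypt(blk, pt)))
	fmt.Println("repeated ciphertext blocks, CBC:", repeatedBlocks(cbcEncrypt(blk, mustRandom(aes.BlockSize), pt)))

	// Constructed ledger of 16-byte fields. Swapping the two encrypted amount
	// blocks needs no key, and the result decrypts cleanly.
	ledger := []byte(field("alice") + field("amount=000000010") + field("bobby") + field("amount=000099999"))
	ct := ecbEncrypt(blk, ledger)
	swapBlocks(ct, 1, 3)
	fmt.Printf("after keyless block swap: %q\n", ecbDecrypt(blk, ct))
}
```

Run it with `go run`. The first two lines show the leak (seven identical blocks under ECB, none under CBC); the third shows that ECB is also malleable, which is why "it's still AES" is no defence: the attacker never touches the key, only the order of the blocks.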

Now it's my hotspot

found on Izismile

At least it's not 123456. Not that the extra 2 digits add much security but still, it could be worse. 

Friday, October 14, 2022

No location tracking data for you!

from here and here

The newest thing that's supposed to be the end of passwords is the passkey, and colour me shocked, but it requires a cell phone. Cell phone based authentication has been misused for tracking so many times now that I'm not even going to pretend to believe there was any other motive involved in that particular design decision.

No protection is perfect

found on Izismile

I'm sure the argument could be made that covering that spot would have provided better protection, but it also would have blocked the camera. Protection doesn't exist in a vacuum. If it prevents legitimate use then that's just another way in which it can be imperfect.

Thursday, October 13, 2022

How some sites advertise their insecurity

from here and here

When they say your password is too long, what they're really telling you is that they haven't the faintest idea how to store your password securely, and you should expect that any data breach will expose your password - so you definitely shouldn't be reusing one from elsewhere. Ideally you should use something randomly generated by a password manager. I mean, you could also just not sign up at all, but if the password leak doesn't affect anything else, what's the harm? It would be great if they were protecting you from the bad guys, but so long as you're protecting yourself from their incompetence at protecting against the bad guys, any damage should be minimal.

Oh, it should go without saying that you absolutely should not use the site for anything related to money. Don't use it for email (the key to your online life) or any other kind of communication either.

Kitboga : I Made an AI Bot to STEAL from SCAMMERS (and it's working)

Watch on YouTube

It's one thing to sit there on the phone trying to ruin a scammer's day all by yourself, but what if you could train a computer to do it for you? Well, it would certainly free up your time and you could ruin multiple scammers' days at once. I'm definitely in favour of scaling up scammers' hardship through automation and I hope this gets even better.

Wednesday, October 12, 2022

No backsies

from here and here

I'm not going to go into specifics about why this is a desirable outcome, except to say that it makes things easier for the defenders. So by all means, if you're a malware author, keep testing your creations against Virustotal. It's totally good and fine and it warms my heart to learn that some of them are still doing it.

Mile high downer

found on iFunny

I'm sure what He-Man's friend meant to say was that he didn't like people who abuse drugs... like airport security. They're so bad at their job they must be using what they're confiscating.

Tuesday, October 11, 2022

One reason to encrypt your data

from here and here

Maybe you've heard the saying "Dance like nobody's watching, encrypt like everyone is"? Well, ransomware operators are among those who are watching.

Cat Phishing In Progress sticker

Product Page

No, that 'nice' person on the Internet does not need your credit card number. All they're really interested in you for is your money.

Monday, October 10, 2022

What's in your threat model?

from here and here

It's probably safe to say that banks aren't really prepared for customers making withdrawals at gunpoint, but it sounds like the ones in Lebanon need to start planning for it.

Good thing they don't use the hands-on approach

found on Izismile

Gotta find those Internet connected anal beads somehow. 

Friday, October 7, 2022

The biggest target takes the most hits

from here and here

Apparently Chrome has more than twice as many vulns this year as the next leading browser. I know more vulnerabilities doesn't necessarily mean Chrome is less secure than its competitors. It has the most market share, so it gets the most attention from people trying to find vulnerabilities. However, while that doesn't make it less secure, it does make it less safe. More attention from attackers (successful attention at that, it appears) means that users of the software face more attacks than users of an alternative browser - and that has been the rationale behind using alternative software for a long time. If you're using something that has a smaller target on its back, you're less likely to fall victim.

Attribution is hard

found on Izismile

If attribution of public privates is this difficult, just imagine how difficult attribution of cyber attacks is.

Thursday, October 6, 2022

It does make for an easier getaway

from here and here (source article)

It's either some very brave/brazen thieves, or it's an indictment of the quality of police work the local police force is capable of. If they're so bad at their jobs that thieves don't fear getting caught then it's no wonder they do this.

Countermeasure Win

Watch on YouTube

This is why attackers have to be careful not to bite off more than they can chew. Their targets may have countermeasures that are surprisingly effective.

Wednesday, October 5, 2022

Look who thinks they won the browser wars

from here and here

Who's looking forward to seeing their ad blocker get lobotomized? That seems to be where we're headed if Google has its way. It reminds me a little bit of the controversy over PatchGuard in Windows Vista years ago. A security mechanism was added to the system that blocked access to functionality that malware and security software alike made use of.

Google's new extension system will basically be doing something similar, with ad blockers getting the short end of the stick. One of the big differences here, though, is that Google is the world's largest advertising company, so they will definitely have an incentive to not make exceptions for ad blockers, even though those are an important way to block malware online.

If ad blocking performance deteriorates too much in Google Chrome in comparison to other browsers, though, Google is going to start losing their dominant position in the browser market.

Are you not amazed?

found on Huge LOL

I'm not going to claim all pirated software is full of malware (that always seemed to be little more than a scare tactic), but there definitely was some tainted software out there, and being able to consistently avoid it (while still downloading) required some deliberate care. 

Tuesday, October 4, 2022

Trying to ensure it'll never be FULL of spyware

from here and here

People come up with all kinds of creative solutions when left to their own devices. They may not be good solutions, however. 

Your Smart Toaster Is In My Botnet mug

Product Page

This is a cute graphic, though this isn't the best viewing angle. I guess it just provides motivation to move and get a better look at it so you can read the caption under that angry little smart toaster.

Monday, October 3, 2022

MULTI FACTOR!

from here and here

I have had enough of these multifactor snakes on this multifactor plane.

Earliest depiction of the Trojan Horse

found on Izismile

The story of the Trojan Horse, whether or not it's apocryphal, is clearly a very powerful one that has stuck with us for a very long time.