QUICK NEWS

{NEW} - A new css video is up.

{OLD} - New video courtesy of Skhilled, Thanks for posting it up.

Video of the moment:


Internal Links

SMF Sites

Quick Info

Uber breach

Started by Oldiesmann, Sep 17, 2022, 10:56 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Oldiesmann

For those who haven't heard... https://www.wired.com/story/uber-hack-mfa-phishing/

QuoteThe attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.

The hacker is reportedly 18 years old as well.
Christian Metal Fans - https://www.christianmetal.fans

Bigguy

#1
Really, thats a very interesting story. 18 years old and can do that. Someone should higher this boy right away.
"It's the American dream....cause ya have to be asleep to believe it." - George Carlin

Skhilled

#2
I'm not surprised at the hacker's age. Also, companies disregard security to make things easier for themselves, unfortunately with horrible conquesences. :(

EDIT: While I was at that site I saw this interesting bit:

Internet Expert Debunks Cybersecurity Myths:
https://www.wired.com/video/watch/expert-debunks-cybersecurity-myths

Bigguy

Very interesting for sure. i do most of what she said.
"It's the American dream....cause ya have to be asleep to believe it." - George Carlin

LandyVlad

@Skhilled is that an article?

If so can you C&P it here please?  Wired is blocked by my work firewall. It's ironic in this instance as I work in the Security branch...  :D
I reject your reality, and substitute my own.

Skhilled

It is a video but they do have some printed text about it although it is a very good article and video! :):

Cybersecurity expert Eva Galperin helps debunk (and confirm!) some common myths about cybersecurity. Is the government watching you through your computer camera? Does Google read all your Gmail? Does a strong password protect you from hackers? Will encryption keep my data safe? Eva answers all these questions and much more. Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation. Updated 8/20/2020: A previous version of this video incorrectly stated that Google scans Gmail data to target ads. Google stopped this practice in 2017.

Released on 07/29/2020
Transcript
It is vitally important
that your password not be the same
across different platforms,
because when platforms get compromised,
the usernames and passwords sometimes get dumped
and passed around among hackers.
Hi, my name is Eva Galperin.
I work for the Electronic Frontier Foundation
where I am the director of cybersecurity,
and I'm here to debunk some myths about cybersecurity.
[bright music]
The government is watching me through my camera.
It is possible to remotely trigger somebody's camera
if you install a remote access tool on their device.
That is something that hackers do.
That is something that criminals do.
That's something that governments do,
but in order for the government to install the software
that they need to do in order to track you
through your camera, they need a warrant from a judge.
It is more likely that you will be watched by hackers,
or if you're a student, by your school,
than it is that you are going to be watched
by the government.
Since it is possible for someone to turn on your camera
without the little green light going on,
if you would like to make sure
that when that happens that they don't see anything,
then it is recommended to put a sticker over your camera.
Most people aren't targeted with this stuff,
and usually you don't have to worry.
What I recommend that people do is
that they download antivirus software
from pretty much any antivirus company
and just run a scan on the highest setting.
The dark web is a scary place full of illegal activity.
The dark web is a network of websites
that you have to use something like Tor browser
or any of the other sort of
guaranteed-to-be-anonymous browsing applications
in order to get to.
And it can be any kind of website.
This is not necessarily just used for selling drugs
and trading child porn.
For example, Facebook has a dark website.
They have .onion site that you can only get to
if you are logged in using Tor.
Tor and other applications like it
are not just used by criminals.
The other people who frequently need anonymity online:
journalists, activists,
people who are talking to journalists,
and of course, people in authoritarian countries
who are very worried about their government spying
on their social media use.
Tor browser, originally funded by the US Navy.
The government needed a way
for people to be able to go to websites
and maintain their anonymity
and not have their digital footprint seen
by the people who were running the websites.
Privacy is dead.
If privacy was dead,
governments and law enforcement wouldn't have to keep trying
to kill it by proposing new laws
and talking about all of the stuff
that they can't possibly get into.
But most importantly, privacy is not about living
as a hermit on a mountain by yourself,
never communicating with anybody.
Privacy is power over your information.
Understanding what kind trail you leave behind
enables you to limit that trail,
or enables you to limit who can see that trail.
The kind of security and privacy advice
that you give to people really varies person by person,
but there are a couple of things
that are good for everybody,
like eating your broccoli and taking your vitamins.
You should have long, strong, and unique passwords
for all of your accounts.
And you turn on the highest level
of two-factor authentication you're comfortable using.
Take your software updates.
This is how you benefit from the work of the security team.
And finally, that you actually sit down
and you think about your threat model.
You think about what you wanna protect
and who you wanna protect it from.
Google reads all my Gmail.
Google actually does read all of your Gmail.
Google is storing all of your email
if you are using a Gmail account.
They automate scripts which read the contents of your mail
and who you're mailing back and forth to.
What they do not do is read your email
and then tell the government what's in it.
Google has extremely strict privacy rules internally,
and if a government or law enforcement wants
to get their hands on this data,
they have to show up with a subpoena
for the metadata or a warrant
for the actual contents of your email.
But there is a difference
between protecting your data from hackers,
protecting your data from advertisers,
from governments and law enforcement.
A strong password protects you from hackers.
This is partially correct
in that a strong password is one of the things
that you need in order to secure your account.
It is vitally important that your password not be the same
across different platforms,
because when platforms get compromised,
the usernames and passwords sometimes get dumped
and passed around among hackers,
and hackers will do what we call credential stuffing,
where they try to get into your account
using these old passwords from other platforms.
You should also be very careful
about your security questions.
Your security questions are usually things about you
that a person who knows you relatively well knows.
A person who knows you well might know the name
of the street that you grew up on,
or the name of your favorite teacher,
or your favorite breed of dog.
And so instead of answering those questions truthfully,
I recommend answering them
as if they are simply more passwords.
So now you have a different, long, strong,
unique password for every account,
and trying to remember them all is a pain,
and this is why I recommend using a password manager,
which you install on each of your devices
and will generate new passwords for you.
That way you can make sure
that you never forget your password
as long as you remember the single password
to your password manager.
So how often should people change their passwords?
Sometimes programs or companies will require you
to change your password every 30 days or every 90 days.
This is actually not helpful at all.
It turns out that users create shorter
and more memorable passwords
when they have to change them all the time,
that they don't change them very much,
and therefore you're not actually getting
a big gain in security.
Your best bet is what we call Diceware,
where you use somewhere between five
or six randomly generated or randomly chosen words.
That way you get a very long,
very difficult-to-crack password
that is also fairly easy to remember.
Encryption will keep my data safe.
Encryption is scrambling the data
or the metadata so that it is not possible
for somebody who sees it to read the information
that you are sending.
Encryption is used in two very different ways
on the internet.
One is called encryption in transit.
Encrypting data in transit is
if you look at your browser and you see the URL
at the top of your browser,
you'll see that it probably starts with the letters HTTPS.
The S at the end there stands for security.
It means that the information
which is being sent between you
and the website that you're going to is encrypted
so that anybody else who is sitting on the network,
somebody else in your coffee shop,
the IT manager at your office,
whoever it is that runs the network at your school,
all of those people can only see
that you are going to the website
and they can't see specifically what page you're going to,
and they can't see what it is that you're doing there.
For example, they can't see
what pictures you're downloading,
or they can't see what password you're entering.
The other kind of encryption is end-to-end encryption.
When you encrypt something in transit,
you are trusting the person who runs the website,
but no one else.
And when you are doing end-to-end encryption,
you don't even have to trust the person
who runs the website.
The only person that you're trusting is the person
that you are messaging,
and that is because you have an encryption key,
and the person that you're sending a message to
has an encryption key,
and that is how these things get locked down.
The good news is that there's a lot of powerful encryption
that's being used to protect you every day,
and you don't even know it.
WhatsApp, for example, has more than a billion users
all over the world,
and their messages are end-to-end encrypted.
But what's most important is to understand
where your data is going, who has access to it,
and what they would have to do in order to access it
if you did not want them to.
Public wifi is safe.
Back before the majority
of the web was encrypted using HTTPS,
it was extremely easy for anybody
who was sitting on the same network as you,
including somebody sitting on the same public wifi as you,
sitting in a cafe with you,
to not only see everything that you were browsing
and everything that you were typing in,
but also to inject false information
into that stream so that you would,
say, type your password into a website
that the hacker controls,
and now the hacker has your password
and they can log into your stuff.
It used to be extremely unsafe,
and it was really common
for hackers to hang out on public wifi.
This is less true now that the web is mostly encrypted.
A lot of people recommend using VPNs.
VPN stands for virtual private network.
It is just a way of creating a tunnel
between you and wherever your VPN is
in order to protect your browsing or your internet activity
from whoever is running the network that you're on.
For example, if you are in a hotel and you use hotel wifi,
and you log into work using your VPN,
the hotel can only see that you logged into the VPN.
They can't see what your traffic looks like.
But work can see all of your traffic,
and so you need to be able to trust them.
Cyber attacks are the new warfare.
Most of what we think of as cyber warfare
is actually cyber espionage,
and in the cases where there is cyber warfare,
that's extremely rare.
Probably the most famous example of that is Stuxnet,
when the US and Israel worked together
on a piece of software which broke the centrifuges
that the Iranian government was using
in order to refine radioactive materials
for their nuclear weapons program.
But really, it almost never happens.
What is important is
that governments are not the only threat actors out there.
For the most part, if you are an ordinary person,
you are more likely to be targeted by criminals,
by hackers who want your money.
A lot of what people think of as hacking
is actually security research,
people who are trying to break systems for the better
in order to inform both users
and the people who make the systems
about these vulnerabilities
before bad people take advantage of them.
The hacker mentality can be applied to anything.
Hacking is not about being a bad person.
It is about understanding systems and subverting them.
Understanding the limits of surveillance
and of hacking is really important
in order to build out a place for yourself
where you can feel safe
and where you can understand where your information is going
and who has access to it.