Tale of the Tape
Hackers have kicked some big time ass against major American companies in the past 10 years. JP Morgan Chase, Capital One, Equifax, Uber, LinkedIn, and eBay are just a few of the large corporate victims. In 2021 alone, many corporate IT hacks have made the headlines, with the Colonial Pipeline hack being the most recent. Well, that was, until JBS, a major American meat processing company, revealed just days ago that it had also been breached. Colonial Pipeline's CEO confirmed the company paid a $4.4 million ransom. CNA Financial, one of the largest insurance companies in the US, reportedly paid hackers $40 million after a ransomware attack. Information on whether Acer ended up paying the ransom for their breach in March 2021 seems hard to come by, but the initial ransom demand was $50 million and included a threat to increase the demand to $100 million. If Acer did…
Articles by Joseph Lee
The LockPickingLawyer on YouTube is a highly skilled lock-picking professional. His videos are sure to amaze and are a wealth of knowledge for pentesters looking for physical penetration testing attacks. However, not all of his videos attack the keyway with a set of picks. His videos that use other technology to bypass locks and security devices tell a very interesting tale about the state of the art in technology. I have included some of his videos with a brief description, all of which demonstrate different aspects of lock bypassing. In the first video, you see a new device on the market which is specially designed to take images of the inside of a Kwikset SmartKey keyway. The product is from a company called LockTech LTKSD, and costs about $350 USD. The implication is that this could be used to quickly build a physical key that can work with a…
Privacy Protection From Big Brother (Google and Other Corporations)
Google wants to know whether you change your underwear every day. It's that simple. They want to know everything about you. Part of your online security is not letting Google or others know everything about you. Why, you may ask? Because they can sell that information to employers who want to conduct background investigations, serve you targeted ads enticing you, and who knows what else. While arguably this generates revenue to improve their products and services, it can also be considered an invasion of your privacy. Individuals involved in activism or other activities (such as police informants) may have their physical security put at risk. Your information being available online may be considered a high risk.
Geo Location Sniffing
You may also notice that some websites immediately request to know your location when you visit them. Well, the truth is that websites…
Everyone, their mom, and their dog have been confronted with Internet security. Everywhere in life, from the mainstream media to workplace policies and even casual social life, there are news stories and warnings about cybersecurity. Facebook, Google, and Twitter are constantly in the international news, accused of privacy violations and of having a negative impact on younger people by changing their lifestyles to one of screen engagement. In addition to that, many people have had the personal experience of their online accounts or personal computer being hacked. On a national security level, just last week the American oil pipeline company Colonial paid 4.4 million dollars to recover ransomed data. So, do we all need a deeper understanding of Internet / IT security? Yes. It is a big, complicated field, but also an important one for users to understand. So put your seat belt on and let's do a deep dive into Internet security. What do…
Introduction
The Alexa Top Websites (https://www.alexa.com/topsites) can be used to monitor the popularity trend of a website and compare the popularity of different websites (Wikipedia). To gauge the security posture of the internet as a whole, mapping information from the Alexa Top Sites is useful. AlexaCheck.py assists by building a PostgreSQL database that stores header information from each website, the first listed resolved IP address, the HTTP response code, and MX records. The header information also includes cookies that are set during an initial connection. This approach was used to examine the security of the Alexa Top Websites in the research paper CookiExt: Patching the Browser Against Session Hijacking Attacks. AlexaCheck.py can also accept a list of other domains you want to check for forced TLS encryption, and inspect their cookies and other header information.
Specific HTTP Security Risks
SSL/TLS Enforcement
The Alexa Check database allows analysis of a particular website…
Patenting Innovation Is National Power
As the Center for Strategic and International Studies notes, innovation is an important factor in a nation maintaining global power. Patents secure the rights for companies and national economies to generate GDP by producing products that other countries will buy and import. So, patents are critical to securing income from innovation. However, patenting strategy, whether on the national or corporate level, is also critical to directing resources efficiently and effectively. You can't have a patenting strategy if you don't analyze the landscape. China's activity in global patenting is booming. Although it does not necessarily represent a drastic increase in novel innovation, it does signal a desire to compete. Some have been very critical of the value of China's patenting… Center for Strategic and International Studies (CSIS) CNIPA National Patent Development Strategy explicitly equates patent generation with innovation and calls for government incentives to bolster the number…
Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. … Our analysis of the Alexa-ranked top 1000 popular websites gives clear evidence that such risks are far from remote, as the HttpOnly and Secure flags appear as yet to be largely ignored by web developers. – CookiExt: Patching the Browser Against Session Hijacking, Journal of Computer Security (2015).
Summary of Session-Hijacking Attacks
When you log in to a website, the web server creates a "session" to identify you by sending the client browser a session cookie. Cookies have functions other than sessions, but perhaps the most important use of cookies from a security perspective is managing your "state" or "session state". This is because a single IP address may have many clients connecting to the server, so…
NOTE: This vulnerability has been patched in Safari. Last week, the Rafay blog posted a short piece about the recently publicized browser URL spoofing vulnerability in Safari. To summarize, the browser URL bar is considered the only reliable security indicator for validating the authenticity of a website: you look at the URL bar at the top of your browser and check that the domain contained in the URL matches the domain of the site you expect to be visiting. If it says "google.com" or "facebook.com" you should be able to reliably tell that you are on the correct website. In addition, all browsers include a symbol to show whether the SSL/TLS certificate has been properly validated to authenticate the identity of the server you are communicating with, as well as to initialize an encrypted connection that protects your data as it transits the internet. Besides the recently publicized vulnerability in Safari,…
If you have been around the internet since the mid 1990's you may have the same sense I have. The internet was better then. Gillian Anderson… and other reasons. Mostly, the web wasn't so… bull-shitty. There were fewer advertisements. There were fewer user interface changes to websites, so you didn't have to search for the button that some psychometric web-design team lead decided to move because you would look at ads longer if they made it harder to find. The real content still changed. Websites still changed and were updated. It was mostly the content that changed, not the UI. I suspect that nobody has felt the wave of the new "bull-shitty" internet more than people with disabilities. Yes, accessibility features existed in the 1990's for computers. They may have been even better than the state they are in today. Perhaps, as Bill Hicks might say, it's that…
In 2021 new laws will be enacted in Canada that demand web content be accessible to people with disabilities. The law applies to any organization with 50 or more employees, and fines can be up to $50,000. The new regulation sets the gold standard for compliance at the WCAG 2.0 "AA" (Web Content Accessibility Guidelines double A) level. This is the second of the three levels included in the WCAG. If you are a website owner and you want assistance making your website compliant with the new regulations, please contact me by email at joseph@ripplesoftware.ca or contact me using the website contact form. If you are a web developer or compliance officer tasked with making sure your website meets this standard, read on to find out what the standard is and how you can make your site compliant.
Overview of Web-Accessibility Laws in Ontario
By January 1, 2021, Ontario businesses must make their public-facing websites conformant with…