December 2018

Marriott

Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations
had been stolen from its Starwood database.

One problem: the email sender’s domain didn’t look like it came from Marriott at all.

Marriott sent its notification email from “email-marriott.com,” which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load or have an identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.

But what makes matters worse is that the email is easily spoofable.

Often, after a data breach, scammers capitalize on the news cycle by tricking users into turning over their private information with their own stream of fake messages and websites. It’s more common than you think. People who think they’re at risk after a breach are more susceptible to being duped.

Companies should host any information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain. But once you start setting up your own dedicated, off-site page with its unique domain, you have to consider the cybersquatters — those who register similar-looking domains that look almost the same.

Take “email-marriot.com.” To the untrained eye, it looks like the legitimate domain — but many wouldn’t notice the misspelling. Actually, it belongs to Jake Williams, founder of Rendition Infosec, to warn users not to trust the domain.

“I registered the domains to make sure that scammers didn’t register the domains themselves,” Williams told TechCrunch. “After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”

Equifax, the biggest breach of last year, made headlines not only for its eye-watering hack, but its shockingly bad response. It, too, set up a dedicated site for victims — “equifaxsecurity2017.com” — but even the company’s own Twitter staff were confused, and inadvertently sent concerned victims to “securityequifax2017.com” — a fake site set up by developer Nick Sweeting to expose the company’s vulnerable incident response.

With the Equifax breach not even a distant memory, Marriott has clearly learned nothing from the response.

Many others have sounded the alarm on Marriott’s lackluster data breach response. Security expert Troy Hunt, who founded the data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant’s use of the problematic domain. As it happens, the domain dates back at least to the start of this year, when Marriott used it to ask its users to update their passwords.

Williams isn’t the only one who’s resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.

“Please watch where you click,” he wrote on the site. “Hopefully this is one less site used to confuse victims.” Had Marriott just sent the email from its own domain, it wouldn’t be an issue.

A spokesperson for Marriott did not respond to a request for comment.

Source: Tech Crunch

The internet is indeed an e-world of its own. As of 2012, a survey by Netcraft, a UK-based provider of cybercrime disruption services across a wide range of industries, showed that some 144,000 websites launched daily, which amounts to over 51 million annually.

As of January 2018 (six years later), the figure stood at 1,805,260,010 (over 1.8 billion) websites. Some of these websites grow big enough to rank among the world wide web’s top 500. Sadly, the rest get almost no visitors and rank lower not because they are that bad, but because the top can only fit so many at a time.

Below is a carefully researched, compiled and comprehensive list of 10 useful websites you wish you knew earlier.

1. The Internet Map
The Internet Map, designed by Ruslan Enikeev as a personal non-commercial project, is, as the name implies, a map of the internet, and arguably the coolest website on the internet right now.

The designer claims that this website continuously archives all other sites on the internet, representing each as a dot. The size of a dot reflects the website’s ranking according to Alexa (the website ranking algorithm by Amazon), making Google, Facebook and a few others distinct turquoise spheres among the rest.

2. Radio Garden
Ever been curious about what radio stations from other countries sound like? The user interface is quite intuitive, featuring a dynamic world map of live radio across the globe. Navigation is similar to Google Earth, and unique features including favourite stations, history lookup, jingle mode, RDS, and mute mode are guaranteed to make you want to bookmark this website immediately.

Aside from most social media websites, Radio Garden is ranked as one of the very few controversial sites where users get paid content for free. Radio Garden works on a concept similar to radiooooo.com, except that radiooooo lets you choose your desired year and genre of radio.

3. Internet’s first website
http://info.cern.ch/hypertext/WWW/TheProject.html, created by Tim Berners-Lee, is the home of the first website. Considering that there are over 1.8 billion websites in 2018, there were none 27 years ago. This first web page, published on August 6, 1991, was a landmark informing the world of the World Wide Web project and ran on a NeXT computer at the European Organization for Nuclear Research, CERN. It comprised steps on how to create web pages and explained the meaning of hypertext.

In the absence of CSS and of simplified website builders like Dreamweaver, Elementor, Divi, and Envato, prepare your mind for something ‘amazing’ before opening this website.

4. Web Oasis
Most times, it gets boring staring at that static google.com home page, right? How about making https://weboas.is/ your homepage instead?
Aside from the cool hacking theme, Web Oasis has prebuilt bookmarks for most popular websites, with clear navigation links that unveil on mouse hover, a fully customizable user interface, and add-ons for everyday use including News, Tech, Radio, Crypto, a quick notepad editor, Weather, Finance, a secure password generator, and even an arcade game.

It also has an embedded chat room, a 2-character shortcut search engine mode, and a section on the screen’s top right corner showing your local system information. Now, this is the real Google, literally housing all of your wants on a single website.

5. Cymath
If Cymath had been available decades before 2013, the internet would have been a better place, especially for students looking for a step-by-step approach to solving their mathematics problems. Cymath is every student’s dream; you can have all your assignments done, be it graphs or equations.

Its inventors believe in the ideology of open education and that every student deserves math help that is reliable and accessible, powered by a combination of artificial intelligence and heuristics so that it solves math problems step by step as a teacher would.

6. Konboot
The fact that this website is available on the surface web is amusing. Konboot prides itself as the world’s best remedy for forgotten passwords for a simple reason: it bypasses the authentication process of your (or possibly not your) operating system without overwriting your old password or leaving a digital footprint.
Technically, this website lets you log in to any Windows or Mac operating system with full rights without prior knowledge of the machine’s password. Konboot is designed primarily for tech repairs, forensic teams, and security audits. Piotr Bania is the mastermind behind this rare tool.

7. User testing
Finally, a freebie on the internet that isn’t a hoax? Except that this isn’t free money; you earn it. User testing, or usability testing, pays between $10 and $30 for every website you test. The goal of user testing is to get a digital product in front of a customer as early as possible.
Users are asked to perform a specific task that simulates real-world usage, usually of a website. These tasks can be as easy as opening multiple pages across a selected website while voice and screen are captured, A/B tests, preference tests, and eventually a UI/UX review questionnaire afterward. These tests take less than 10 minutes to complete, no experience is required, and there is no cap on the number of tests a user can take per day.

8. Awwwards
Unlike Amazon’s Alexa, which ranks websites with algorithms based on web statistics, visits, relevance, and SEO strategy, Awwwards accepts website submissions and allows users to rate these sites on four distinct features: design, usability, creativity, and content.
Awwwards is the abode of a vast collection of mind-blowing websites where users not only get a chance to rate them on design, creativity, and innovation but also gather unexplored ideas for their next projects. Users are also able to search directories by niche as well as hire and apply for website design positions site-wide.

9. Rhyme Zone
Are you a poet, song lyricist, essay writer, rapper, or just looking for a rhyme? Then you should try RhymeZone. RhymeZone is arguably the best and fastest way to find English words for any writing. It has been running continuously since 1996.
It is a concise guide for finding rhymes, antonyms, synonyms, descriptive words, definitions, thesaurus entries, lyrics, poems, homophones, similar-sounding words, related words, similar spellings, picture search, Shakespearean novel search, and letter matching.

10. Library Genesis
Library Genesis is a search engine for the biggest archive of free e-books on the internet allowing free access to content that is otherwise paywalled or not digitized anywhere else on the internet.
Irrespective of the type of books you read (novels, tech, educational material, LibGen (Sci-Tech), scientific articles, fiction, comics, standards, and magazines), rest assured such books reside here.
LibGen initially used the domain name libgen.org but was forced to shut down and suspend use of the domain name due to copyright complaints from authors in late October 2015. The LibGen website is blocked by a handful of ISPs in the UK for obvious reasons. As of 5 June 2018, Library Genesis claims its database contains over 2.7 million books and 58 million science magazine files.

Bottomline: Now that you’ve probably bookmarked these rare but real websites, spread the love by telling someone about this today.

In recent decades, terms like bluejacking (sending unsolicited messages to Bluetooth-enabled devices), clickjacking (a malicious technique of tricking users into clicking something different from what they perceive), juice jacking (an attack in which malware is installed on, or data surreptitiously copied from, a device through a charging port that doubles as a data connection) and pagejacking (illegally copying a legitimate website’s content to another website in order to replicate the original) have become familiar, along with an endless list of other “jacking” terms in computer security, but none quite like formjacking.

In September 2018, Symantec Corp. formally described formjacking in this article, with properly documented records of its massive spread afterward.

Formjacking, which is the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites, has been making headlines lately.

Taking a closer look at the more technical aspects of formjacking, and at a new campaign affecting many top shopping sites, below is a typical example of a JavaScript injection whose primary purpose is formjacking.

(Image: example formjacking JavaScript injection)

The code shown collects the payment information entered by users on the website and, in this scenario, posts it to the domain google-analyitics.org. This domain is a typo-squatted version of the legitimate Google Analytics domain, google-analytics.com, and is easily mistaken for it by users.

Taking note of the increasing number of payment-information-stealing script injections appearing daily, especially from script kiddies who have little or no technical understanding of injection attacks but are skilled enough to use off-the-shelf tools, and judging by current security trends, this came as no surprise.

The image below shows how the infection chain is implemented.

(Image: formjacking infection chain)

This attack chain is unique because it is the exact opposite of the legacy supply-chain formjacking attack, which went viral during the evolution of the e-commerce industry and in which attackers compromise popular third-party script library providers. As many websites load these scripts, with one compromise the attacker manages to load their malicious code on a large number of sites at the same time. These scripts create a script element and set a fixed .js source, which forces the browser to load malicious obfuscated JavaScript from the original website, which in turn collects the entered payment information and posts it back to the attackers’ domain.

The scripts are obfuscated to make detection difficult; they hook the forms on the website and collect all the information entered by visitors. The JavaScript also extracts the URL loaded in the browser and determines whether the checkout page of the original site is active. If it is, the script sends the collected form information, which is now the payment information, back to the attacker-controlled domain. This version of the formjacking script was used in various high-profile breaches such as Ticketmaster UK, Shopper Approved, and Feedify.

Prevalence

In recent months, an uptick in formjacking attacks against high-profile websites across the globe has been noticed. Websites from security-conscious countries like the U.S., Japan, Germany, and Australia, among others, have also been injected with formjacking scripts.

Conclusion


Considering the current standpoint of this vulnerability, which allows attackers to gain unauthorized access to the checkout information of large companies’ customers by exploiting weaknesses in the smaller businesses those companies use to provide different services, the big picture of this attack points to the fact that the actual number of infected websites is bound to be higher.

Unfortunately for prospective and current victims, it is hard and almost impossible to tell whether a formjacking attack exists or how far it extends, as their websites continue to operate as usual, because attackers are sophisticated and stealthy and take advantage of the fact that this is a much more recent vulnerability.
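As an added example (not code from the original post, nor Symantec’s), the JavaScript below audits the script sources and post destinations recorded on a checkout page against a hypothetical allowlist, flags typo-squatted hosts such as the google-analyitics.org domain described above (the same edit-distance check catches lookalikes of the email-marriott.com kind from the Marriott story), and derives a Content-Security-Policy from that allowlist. The inventory, allowlist and host names are constructed.

```javascript
// Added example, not code from the original post. The allowlist and the page
// inventory are constructed; google-analyitics.org is the domain named above.

// Hypothetical allowlist: hosts the shop expects to load scripts from or post to.
const ALLOWED_HOSTS = [
  "shop.example",
  "www.google-analytics.com",
  "js.payment-provider.example",
];

// Constructed sample of what a page-inventory crawler might record on /checkout.
const SAMPLE_INVENTORY = {
  scripts: [
    "https://shop.example/static/app.js",
    "https://www.google-analytics.com/analytics.js",
    "https://js.payment-provider.example/v2/checkout.js",
    "https://google-analyitics.org/ga.js", // one extra letter
  ],
  postTargets: [
    "https://shop.example/api/order",
    "https://google-analyitics.org/collect", // exfiltration endpoint
    "https://static-cdn-1234.example/beacon", // simply unknown
  ],
};

// Levenshtein edit distance, two-row dynamic programming.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Reduce a hostname to the part a victim actually reads: drop "www." and the TLD,
// so google-analyitics.org vs www.google-analytics.com compares the core labels.
function coreLabel(host) {
  const labels = host.toLowerCase().replace(/^www\./, "").split(".");
  return labels.length > 1 ? labels.slice(0, -1).join(".") : labels[0];
}

// "allowed" for an exact match, "lookalike:<host>" when within two edits of an
// allowed host's core label, otherwise "unknown" (still worth a look at checkout).
function classifyHost(host, allowed = ALLOWED_HOSTS) {
  if (allowed.includes(host.toLowerCase())) return "allowed";
  for (const good of allowed) {
    const d = levenshtein(coreLabel(host), coreLabel(good));
    if (d > 0 && d <= 2) return `lookalike:${good}`;
  }
  return "unknown";
}

// Return every non-allowed host in the inventory with its role and verdict.
function auditInventory(inventory, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const role of ["scripts", "postTargets"]) {
    for (const url of inventory[role]) {
      const host = new URL(url).hostname;
      const verdict = classifyHost(host, allowed);
      if (verdict !== "allowed") findings.push({ role, host, verdict });
    }
  }
  return findings;
}

// CSP built from the same allowlist: script-src stops an injected loader from
// running; connect-src and form-action stop a script that did get in from
// posting the captured form data to an unlisted host.
function cspForAllowlist(allowed = ALLOWED_HOSTS) {
  const hosts = allowed.map((h) => `https://${h}`).join(" ");
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    `connect-src 'self' ${hosts}`,
    "form-action 'self'",
  ].join("; ");
}

console.log(auditInventory(SAMPLE_INVENTORY));
```

The emitted CSP is a starting point only: any third-party script that legitimately posts elsewhere has to be added to the allowlist, or the policy will break the checkout it is meant to protect.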

Considering a career in Information Technology (IT)? It all depends on having an actionable plan. Depending mainly on their strengths, many find it relatively stress-free to decide on a track to pursue in the IT field, ranging from data analytics, programming, networking, audit, risk assessment, blue/red teaming and database administration to cloud and cyber security.

Bringing a professional IT certification to the table, whether as a prospective or an existing employee, creates room to stand out in the job market or opens the door to a salary renegotiation, respectively.

We have arrived at a comprehensive list of top 10 must-have IT certifications for 2019 in ascending order:

#10 CERTIFIED SCRUM MASTER (CSM)

A scrum master is the facilitator or coordinator of a team. In recent years, there has been a dire need for someone who facilitates, moderates, documents and visualizes the team’s projects (called iterations or sprints). Scrum Masters make use of the Agile methodology, which is dependent on the Scrum framework.

In IT product development, for instance, employees are grouped into smaller subsets called sprints, with the primary intent of reviewing progress and analyzing the next line of action (usually called “show and tell”). Meetings recur daily and typically last between 30 minutes and 2 hours, with a lot of post-its, markers, and stand-ups.

#9 CompTIA Security+ CERTIFICATION (SECURITY+)

The CompTIA Security+ is considered the best certification that properly covers the baseline of cybersecurity methodologies, including threats, attacks and vulnerabilities; identity and access management; technologies and tools; risk management; architecture and design; cryptography and public key infrastructure (PKI); and the Internet of Things (IoT).

Most CompTIA Security+ exam takers prefer the Trifecta route, which involves first obtaining the A+, which covers more of the IT hardware fundamentals, and the Network+, which covers the networking portion of Security+, creating a tremendous overlap between the Network+ and Security+ certification exams.

#8 CCDP – CISCO CERTIFIED DESIGN PROFESSIONAL

The CCDP is an advanced Cisco certification for senior roles within the IT networking track, including network design engineers and systems engineer analysts. Over the years, Cisco certifications have been underrated, resulting in minimal attention being drawn to advanced-level Cisco certifications, with Cisco enthusiasts going for the entry- and mid-level Cisco certifications like CCENT, CCNA, CCNA Security, CCNP, CCIE and CCDA, which are prerequisites to the CCDP certification.

The CCDP certification tests advanced physical, logical and technical expertise in network design concepts, as well as the principles required in developing the various layers of an enterprise architecture for network devices.

#7 CEH – CERTIFIED ETHICAL HACKER

The CEH is called the ‘recruiter’s certification’ in IT, especially within the cybersecurity track, because many hiring managers and recruiters love to see this certification on a prospective employee’s resume. The CEH can land you a wide range of jobs, from Security Operations Centre (SOC) analyst or incident response analyst to senior roles like penetration tester and other red teaming (offensive security) jobs.

Surprisingly, many will argue that the CEH, which remains one of the most expensive certifications, has lost its credibility and given similar CompTIA certifications like CySA+ and CompTIA PenTest+ a competitive edge in recent years.

#6 MCSE – MICROSOFT CERTIFIED SOLUTIONS EXPERT

The MCSE certification is a Microsoft certification program specifically for Windows operating system engineers. It is broad enough to be sub-categorized, based on career path, into four main categories:
MCSE: Desktop Infrastructure
MCSE: Server Infrastructure
MCSE: Business Intelligence
MCSE: Private Cloud

“Is the MCSE worth it?” is usually a question its enthusiasts can relate to, for the one reason that Microsoft certifications seem underrated and less threatening in the recruiter’s niche today, or maybe Microsoft is just best at improving the almighty Windows operating system.

#5 AWS – AMAZON WEB SERVICE

Amazon is indisputably the saving grace of e-commerce websites across America and the rest of the world. In 2015, Amazon introduced AWS, a cloud-based web hosting service that beats its predecessors, Microsoft’s Azure and Google Cloud Platform, hands down.

AWS is a fast-rising certification, gaining credibility and popularity with the intent of becoming IT’s most sought-after certification today. AWS covers the required coursework for cloud practitioners, web developers, IT architecture, security operations and virtual storage techs, with four main sub-divisions:
– AWS Certified Foundational
– AWS Certified Associate
– AWS Certified Professional
– AWS Certified Specialty

#4 OSCP – OFFENSIVE SECURITY CERTIFIED PROFESSIONAL

Just like its name, the OSCP is the most recognized, top-tier, respected and valued professional red teaming cybersecurity certification. It entails prior successful completion of the PWK (Penetration Testing with Kali Linux) course as well as a 24-hour hands-on exam testing advanced technical knowledge using the latest ethical hacking tools and techniques and conducting penetration tests.

The OSCP certification is neither a beginner nor an intermediate certification but one for professional pentesters, blue/red teamers, security professionals, network administrators and threat hunters seeking an industry-leading certification.
It requires a strong background in networking, substantial use of the Linux OS and comfort writing and using Bash, Perl and Python scripts.

#3 CISSP – CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL

The CISSP is an independent information security certification governed by the International Information System Security Certification Consortium, or (ISC)², and is referenced as the “zenith” of cybersecurity certifications.

The CISSP is an ideal certification for Chief Information Security Officers (CISOs), IT managers, security architects and engineers, veteran-grade security practitioners and executives who deem it fit to crown their accomplishments with certifications.
The requirements can be cumbersome; one of them is a minimum of five years of direct full-time security work experience in two or more domains of the (ISC)² information security Common Body of Knowledge (CBK).

#2 CGEIT – CERTIFIED IN GOVERNANCE OF ENTERPRISE IT

The CGEIT is a highly competitive vendor-neutral certification with the primary aim of testing, validating and certifying IT governance skills, proudly managed by an international professional association, the Information Systems Audit and Control Association (ISACA).

The CGEIT aims to test the abilities of IT professionals in delivering quality governance. Similar to the CISSP certification, the CGEIT also requires proof of at least five years of experience in job domains related to IT governance, including framework for the governance of enterprise IT, risk optimization, strategic management, resource optimization and benefits realization.

#1 ACTIVE SECURITY CLEARANCE

Bearing in mind that a security clearance is not a certification, a security clearance in “active” status is usually issued, administered and coordinated by the United States Government. It is a must-have document before securing all federal and most state jobs, with an exception for individuals who demonstrate an ability to acquire one within a stipulated time (usually 3-6 months post-employment).

Most security clearances are issued by the Department of Defense (DoD) and categorized as Confidential, Secret, and Top Secret, with the amount and detail of information varying according to the level of clearance requested.

Conclusion

Information Technology (IT) has been a fast-thriving career path over the last decade, with improvements to age-old languages like C, Python and Java and new approaches to data analytics, including practices employed in machine learning, AI and IoT, opening doors to new inventions within the IT sector in general. The means of obtaining an IT certification now seem straightforward, as opposed to past decades, when materials and exams were either too expensive, of limited availability, deliberately hardened for segregative purposes or simply targeted at senior positions.

Google is acting on its promise to kick deceptive websites to the curb.

The newly released Chrome 71 now blocks ads on “abusive” sites that consistently trick users with fake system warnings, non-functional “close” buttons and other bogus content that steers you to ads and landing pages. The sites themselves won’t lose access the moment Google marks them abusive, but they’ll have 30 days to clean up their acts.

The browser has more safeguards, too. Chrome will warn you when a site appears to be hiding the real costs and terms for a transaction. If a site is trying to rope you into a subscription without telling you that you’ll be charged, you might get an alert that could save you a lot of money. Google will try to get in touch with affected sites to have them modify their sites, but they’ll have to appeal the decision to have a chance at lifting the warning.

Chrome 71 is available now for Linux, Mac and Windows, and it’s rolling out to Android and iOS users over the course of the weeks ahead. Google hasn’t detailed everything that’s new, but the efforts to thwart malicious sites are clearly the highlights. The company has moved from blocking obvious threats like malware to the sneakier tactics that may not compromise your computer, but could prove annoying at best and costly at worst.

Source: MSN

Question-and-answer website Quora has been hacked, with the names and email addresses of 100 million users compromised. The breach also included encrypted passwords, and questions people had asked.
In a statement, Quora said the situation had been “contained”.

Last week, hotel chain Marriott admitted that personal information on up to 500 million guests had been stolen.
Quora released a security update in a question-and-answer format.

“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” it began.
“We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials.”

It said it was also in the process of notifying all affected customers and reassured them that it was “highly unlikely” that the incident would lead to identity theft “as we do not collect sensitive information like credit card or social security numbers”.
Security expert Troy Hunt was one of those affected. He tweeted: “Short of not using online services at all, there’s simply nothing you can do to ‘not’ be in a breach, there’s only things you can do to minimize the impact when it inevitably happens.”

Users were asked to reset their password and will be prompted to do so when they next try to log in. Those wishing to delete their account can do so in the settings section and the deactivation will happen immediately.
Some users commented on Twitter that they had forgotten they used the service.
One tweeted: “Nothing like a data breach to remind me that I have a Quora account.”

Source: BBC