Tuesday, January 31, 2017
Build Your Own Accent Light with Concrete and Some LEDs
Now that LED strips exist, it’s super easy to make your own lighting. Case in point, YouTuber Darbin Orvar shows off her light cube packed between a couple of slabs of concrete.
The easiest part of this project is wiring the LEDs to a USB port, which just requires a small amount of soldering. From there, the concrete is formed, then the shade is made from a polycarbonate sheet. The end result is a clever-looking little light that can plug into any phone charger with a USB cable. Of course, you don’t really have to use concrete if you don’t want to, but the video provides a pretty good base idea for any number of different materials.
Concrete LED Light Cube | YouTube
from Lifehacker http://ift.tt/2kOI9iC
This Two-Minute Video Explains the Basics of Three-Point Lighting
It’s not just the camera that separates a professional-looking video from an amateur one. You need excellent and proper lighting, too, and it all begins with a strong grasp of three-point lighting. This video explains what you need to know in a bit over two minutes.
Three-point lighting is so named because the system involves three separate lighting components: key light, fill light, and back light. Imagine your whole film setup, including the camera, your subject(s), and your lights, as the face of a clock, and use it as a reference for where the lights should be positioned. Note the differences between these lights:
- Key Light: The key light is your main light to illuminate your subject, like an interviewee. The purpose is to create shadows and give your subject a more 3D look. It is typically positioned to the right of your camera, at the 4 o’clock position.
- Fill Light: The fill light fills in shadows and gives you control over the kind of tone and mood you want to set. For example, more fill light gives your subject a softer look, like in talk shows, whereas less creates a dark and moody sort of look, like in movies and dramatic interviews. The fill light sits at the 8 o’clock position.
- Back Light: Located behind and above the subject, the back light lights up the person’s head and shoulders and separates him from the background. Without it, the person blends into the background and looks flat.
These are the basics, and the rest of it is simply fine-tuning your setup to get the best conditions for your subject and type of video.
Video Production Basics: How to Use Three-Point Lighting | expertvillage
from Lifehacker http://ift.tt/2knS3Xs
Facebook and GitHub test new account recovery option
Facebook and GitHub have partnered to provide GitHub users who employ two-factor authentication an easier way to recover access to their account in case they get locked out of it.
Users who lose their phone or U2F key, or who change phones without re-enrolling, lose access to their account.
“Currently, if you lose the ability to authenticate with your phone or token, you have to prove account ownership before we can disable two-factor authentication. Proving ownership requires access to a confirmed email address and a valid SSH private key for a given account,” Stephanie Wills, community manager at GitHub, explained. “This feature will provide an alternative proof of account ownership that can be used along with these other methods.”
Delegated account recovery
This so-called delegated account recovery option should be a safer alternative to security questions.
It’s also easy to use: initiate the storing of a token on the security settings page on GitHub and confirm that the token will be stored with Facebook. If you ever get locked out, you can initiate the recovery process by logging into Facebook and using the Recover Accounts Elsewhere feature.
The token is encrypted and signed by GitHub, and can’t be used by Facebook. When a user initiates the recovery process, Facebook countersigns the token and sends it back to GitHub, which then verifies the validity of Facebook’s countersignature and the signature of the original token, and checks that the token has not been revoked. Finally, GitHub decrypts the secret in the original token and uses it to verify the owner of the token.
“GitHub only stores the token ID, user ID, and token state. Facebook only stores a token with an encrypted secret that is associated with a Facebook account and does not become valid until it’s used in a recovery,” GitHub security engineer Neil Matatall assured, and added that no personally identifiable information is exchanged between Facebook and GitHub.
“This process helps limit the impact of database dumps and SQL injection vulnerabilities without an additional compromise of the encryption and signing keys.”
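The verification sequence described above, as an added example that models the flow and is not Facebook's or GitHub's implementation of the Delegated Account Recovery protocol. It assumes HMAC-SHA256 in place of the real asymmetric signature and countersignature (so GitHub holds Facebook's key instead of a public key), and an HMAC counter keystream in place of a real authenticated cipher, since the standard library has no AES. The class names, `recover_accounts_elsewhere`, the account names and the timestamp are all constructed for the demo. What it shows is the order of checks at GitHub and why a token Facebook holds, alters, or forges a countersignature for cannot recover the account.

```python
"""Model of the delegated account recovery flow described above (added example)."""
import hashlib
import hmac
import json
import secrets


def _canonical(obj) -> bytes:
    """Deterministic serialisation so both parties sign the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, obj) -> str:
    # HMAC-SHA256 stands in for the real asymmetric signature (demo assumption).
    return hmac.new(key, _canonical(obj), hashlib.sha256).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo-only keystream (HMAC-SHA256 in counter mode); a real deployment uses an AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class GitHub:
    """Account provider: issues tokens and stores only token ID, user ID and state."""

    def __init__(self, facebook_verify_key: bytes):
        self.signing_key = secrets.token_bytes(32)
        self.encryption_key = secrets.token_bytes(32)
        self.facebook_verify_key = facebook_verify_key
        self.tokens = {}  # token_id -> {"user_id": str, "state": "active" | "revoked"}

    def issue_token(self, user_id: str) -> dict:
        token_id, nonce = secrets.token_hex(16), secrets.token_bytes(16)
        # The secret names the owner; Facebook stores it but cannot decrypt it.
        plaintext = _canonical({"user_id": user_id, "salt": secrets.token_hex(8)})
        ciphertext = _xor(plaintext, _keystream(self.encryption_key, nonce, len(plaintext)))
        body = {"token_id": token_id, "nonce": nonce.hex(), "secret": ciphertext.hex()}
        self.tokens[token_id] = {"user_id": user_id, "state": "active"}
        return {"body": body, "signature": _sign(self.signing_key, body)}

    def revoke(self, token_id: str) -> None:
        self.tokens[token_id]["state"] = "revoked"

    def recover(self, countersigned: dict) -> str:
        """Verify in the order the article gives; return the recovered user ID or raise."""
        token = countersigned["token"]
        # 1. Facebook's countersignature over the token plus recovery metadata.
        payload = {"token": token, "recovered_at": countersigned["recovered_at"]}
        if not hmac.compare_digest(_sign(self.facebook_verify_key, payload),
                                   countersigned["countersignature"]):
            raise ValueError("bad countersignature")
        # 2. GitHub's own signature over the original token body.
        body = token["body"]
        if not hmac.compare_digest(_sign(self.signing_key, body), token["signature"]):
            raise ValueError("bad token signature")
        # 3. Revocation state, looked up by token ID only.
        record = self.tokens.get(body["token_id"])
        if record is None or record["state"] != "active":
            raise ValueError("token unknown or revoked")
        # 4. Decrypt the secret and check that it names the user on record.
        ciphertext = bytes.fromhex(body["secret"])
        ks = _keystream(self.encryption_key, bytes.fromhex(body["nonce"]), len(ciphertext))
        if json.loads(_xor(ciphertext, ks))["user_id"] != record["user_id"]:
            raise ValueError("token owner mismatch")
        return record["user_id"]


class Facebook:
    """Recovery provider: holds the opaque token and countersigns it on request."""

    def __init__(self):
        self.signing_key = secrets.token_bytes(32)
        self.saved = {}  # facebook account -> token (never decrypted here)

    def save_token(self, account: str, token: dict) -> None:
        self.saved[account] = token

    def recover_accounts_elsewhere(self, account: str, recovered_at: str) -> dict:
        payload = {"token": self.saved[account], "recovered_at": recovered_at}
        return {**payload, "countersignature": _sign(self.signing_key, payload)}


def _outcome(gh: GitHub, countersigned: dict) -> str:
    try:
        return gh.recover(countersigned)
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Happy path plus three failure cases; returns each outcome by name."""
    fb = Facebook()
    gh = GitHub(facebook_verify_key=fb.signing_key)  # shared only because HMAC replaces a public key
    fb.save_token("alice@fb", gh.issue_token("alice"))
    when = "2017-01-31T12:00:00Z"  # constructed timestamp
    results = {"happy_path": _outcome(gh, fb.recover_accounts_elsewhere("alice@fb", when))}
    forged = fb.recover_accounts_elsewhere("alice@fb", when)
    forged["countersignature"] = "00" * 32
    results["forged_countersignature"] = _outcome(gh, forged)
    gh.revoke(fb.saved["alice@fb"]["body"]["token_id"])
    results["revoked"] = _outcome(gh, fb.recover_accounts_elsewhere("alice@fb", when))
    # A token altered at Facebook, even though Facebook countersigns it, fails GitHub's own signature check.
    fb.saved["alice@fb"]["body"]["secret"] = "00" * 16
    results["tampered_at_facebook"] = _outcome(gh, fb.recover_accounts_elsewhere("alice@fb", when))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note how little either side has to store: GitHub keeps no secret material per token, only the ID, owner and state, which is the property the quoted remark about database dumps relies on.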
Other services can implement it, too
For the moment, the feature can only be used to recover access to GitHub accounts with Facebook’s help. The reverse option – GitHub saves tokens for Facebook accounts – is also planned.
The author of the Delegated Account Recovery specification is Facebook security engineer Brad Hill. Facebook has published the protocol behind the account recovery feature on GitHub, and hopes that other services will adopt it in the future.
“Both Facebook and GitHub plan to publish open source reference implementations of the protocol in various programming languages to make it easy to build secure and privacy-preserving connections among your accounts and ensure you never lose access,” Hill noted.
This limited release of the feature is meant to allow independent bug hunters to test its security before wider adoption by other services.
from Help Net Security http://ift.tt/2jQyiHe
LinkedIn Gets a Design Update, Suggests Ways to Boost Your Profile
Earlier this month, LinkedIn updated with a new design. If it’s been a couple of weeks since you’ve logged on, here’s what’s new.
Beyond the design, which includes a more streamlined navigation bar, LinkedIn added some useful features. A few of them include:
- Greater insight into who’s viewing your content: You can now see who’s reading and engaging with the content you share, including the company, job title and location of the people who are interested in your updates.
- Better suggestions to make your profile stand out: We’ve improved profile suggestions so you can more easily see what you need to do to look your best professionally, for example, suggested skills based on what recruiters are searching for.
- More intuitive search: You now have one universal search box to easily find people, jobs, companies, groups and schools. You can refine your search by using filter options on the right hand side, with the ability to search posts coming soon. Also, we’re investing further to better understand signals on what, or who, you are searching for, so we can bring you the best results for any search query.
The update is on the desktop version of the app and it also includes real-time messaging. They also plan to offer suggestions for conversation icebreakers. If there’s a posting you’re interested in, for example, LinkedIn will tell you if there’s anyone in your network who works for that company. To check out the changes for yourself, head to the link below.
LinkedIn Desktop Redesign Puts Conversations and Content at the Center | LinkedIn Blog
from Lifehacker http://ift.tt/2jqQSqL
IoT Ransomware Against Austrian Hotel
Attackers held an Austrian hotel network for ransom, demanding $1800 in Bitcoin to unlock the network. Among other things, the locked network wouldn't allow any of the guests to open their hotel room doors.
I expect IoT ransomware to become a major area of crime in the next few years. How long before we see this tactic used against cars? Against home thermostats? Within the year is my guess. And as long as the ransom price isn't too onerous, people will pay.
from Schneier on Security http://ift.tt/2knhuZ2
Privacy expectations and the unfortunate reality
A recent survey that polled 5,710 Americans on private browsing (aka “Privacy Mode”, aka “Incognito Mode”) revealed that 46 percent of them have used the option at least once, and 32.9 percent of those use it daily.
The survey, performed by DuckDuckGo, has shown that the number one reason people use private browsing is “Embarrassing Searches”:
But the most troubling results of this survey were those regarding users’ knowledge about private browsing.
It should be common knowledge that the private browsing mode only prevents users’ browser history from being recorded on the computer or device they use, and that it does not offer any additional privacy protections. Alas, 66.6 percent of the polled users overestimate the privacy protections of private browsing.
Here are the most common misconceptions regarding the mode:
As long as users don’t make the effort to know what they use, what to ask for, and are not ready to boycott software and services that don’t protect their privacy, the situation won’t change.
But it’s not just the users’ fault.
Boycotting services that do not care about user privacy is often difficult:
- Sometimes there is no other good option, and you need a service to remain competitive.
- Sometimes the information provided by the operator regarding privacy protections is false, difficult to interpret, misleading, or incomplete – and there are no effective penalties that would stop them from putting users’ privacy in danger.
- Sometimes a company offers protections at the beginning, and slowly does away with them as it attracts enough users to start monetizing the service.
There is no easy solution for this problem. Users should strive to keep themselves constantly informed and demand more protections but, realistically, most of them will never do that. The number of hours in their day is finite and there are other, more pressing needs they need to satisfy.
Unfortunately, privacy is an intangible asset that most people don’t consider at all until they actually suffer real damage from losing it. Until we can come up with an effective way to force them to care and push them to ask for more, all of us are stuck in this limbo.
from Help Net Security http://ift.tt/2jQRlyx
Can your Netgear router be hijacked? Check now!
Yesterday, researcher Simon Kenin of Trustwave SpiderLabs released information about an authentication bypass flaw affecting a wide variety of Netgear routers, as well as PoC attack code for triggering it.
The vulnerability (CVE-2017-5521) can be exploited by attackers to discover the password required to take over control of an affected device.
“The bug is exploitable remotely if the remote management option is set and can also be exploited given access to the router over LAN or WLAN,” he explained.
“When trying to access the web panel a user is asked to authenticate, if the authentication is cancelled and password recovery is not enabled, the user is redirected to a page which exposes a password recovery token. If a user supplies the correct token to the page http://router/passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router.”
Patching for Netgear is a slow process
He discovered the vulnerability almost a year ago, but revealed it only now because Netgear has been slow to push out fixed firmware for affected devices.
“In June [2016] Netgear published a notice that provided a fix for a small subset of vulnerable routers and a workaround for the rest. They also made the commitment to working toward 100% coverage for all affected routers,” he noted.
“The notice has been updated several times since then and currently contains 31 vulnerable models, 18 of which are patched now, and 2 models that they previously listed as vulnerable, but are now listed as not vulnerable. In fact, our tests show that one of the models listed as not vulnerable (DGN2200v4) is, in fact, vulnerable and this can easily be reproduced with the POC provided in our advisory.”
How many vulnerable devices are there?
Trustwave found over 10,000 remotely accessible vulnerable devices, and estimates that there are many more non-remotely accessible affected devices in use – possibly even a million.
“The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing. By default this is not turned on. However, anyone with physical access to a network with a vulnerable router can exploit it locally. This would include public wifi spaces like cafés and libraries using vulnerable equipment,” Kenin explained in a blog post.
There is also the possibility of devices getting hijacked and turned into bots, or their DNS settings modified to quietly redirect users to malicious sites.
Netgear has likely not finished with pushing out firmware for all affected router models, so users might want to look into implementing the workarounds delineated in the advisory: enable the password recovery feature on the device (if password recovery is set the exploit will fail), and disable remote management.
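A detection-side example, added here and not part of the advisory or the article: if the router's web interface sits behind a logging reverse proxy or an IDS that records HTTP requests, the sequence Kenin describes (authentication cancelled, then a request for the recovery page) is visible in the access log. The log lines, IP addresses and the common-log-format layout below are constructed; the function flags any request for `/passwordrecovered.cgi` and raises the severity when the same client received a 401 shortly before and supplied an `id` parameter. The token value is deliberately not copied into the alert.

```python
"""Flag requests for the Netgear password-recovery page in web server logs (added example)."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Common log format: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RECOVERY_PATH = "/passwordrecovered.cgi"
PRECEDING_401_WINDOW = timedelta(seconds=60)

# Constructed sample lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 401 0
198.51.100.7 - - [31/Jan/2017:10:00:02 +0000] "GET /passwordrecovered.cgi?id=1234567890 HTTP/1.1" 200 512
192.0.2.10 - - [31/Jan/2017:10:05:00 +0000] "GET /start.htm HTTP/1.1" 200 4096
203.0.113.5 - - [31/Jan/2017:10:07:00 +0000] "GET /passwordrecovered.cgi HTTP/1.1" 200 300
this line is not in log format and must be skipped
"""


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_recovery_probes(lines) -> list:
    """Alerts for every request of the recovery page, in log order."""
    last_401 = {}  # client ip -> time of its most recent 401 (cancelled authentication)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 401:
            last_401[rec["ip"]] = rec["ts"]
            continue
        path, _, query = rec["path"].partition("?")
        if path != RECOVERY_PATH:
            continue
        has_token = "id" in parse_qs(query)
        prior = last_401.get(rec["ip"])
        cancelled_auth = prior is not None and rec["ts"] - prior <= PRECEDING_401_WINDOW
        # Full chain (401, then recovery page with a token, answered 200) is the strongest signal.
        severity = "high" if (has_token and cancelled_auth and rec["status"] == 200) else "medium"
        alerts.append({
            "ip": rec["ip"],
            "time": rec["ts"].isoformat(),
            "has_token": has_token,
            "preceded_by_401": cancelled_auth,
            "status": rec["status"],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_recovery_probes(SAMPLE_LOG.splitlines()):
        print(alert)
```

On a device where password recovery is enabled (the advisory's workaround), the page no longer discloses anything, but the same requests remain a useful indicator that someone is probing the router.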
from Help Net Security http://ift.tt/2kmtaLA
Europol and GCA will fight cybercrime through the exchange of information
Europol and the Global Cyber Alliance (GCA) signed a Memorandum of Understanding (MoU) to cooperate on decreasing systemic cyber risk and improving internet security throughout Europe and beyond.
As part of the MoU, Europol and GCA will fight cybercrime through the exchange of information on cybercrime trends and joint international projects to increase cybersecurity.
The two organisations will partner to offer best practice recommendations that help organisations secure their networks and domains through the Internet Immunity project. Europol and GCA will initially focus on improving adoption of the DMARC email validation policies, a vital tool that enables organisations to authenticate email and prevent spoofed and fraudulent email.
Additionally, as part of the common efforts in the fight against cybercrime, GCA has agreed to sign up as a supporting partner of the No More Ransom project. Due to continuous interest from public and private sectors, a third enlargement of the No More Ransom project is expected to be announced in the coming weeks.
“Cybercrime and cybersecurity are cross-cutting issues, and key tools must be developed to keep cybercriminals at bay. This is all the more important considering that other crime areas, like for instance terrorism and human trafficking, are becoming increasingly cyber-facilitated. Therefore, establishing MoUs with organisations such as GCA, designed to confront, address, and prevent malicious cyber activity, is in line with the priorities described in Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA),” said Rob Wainwright, Europol Director.
“We are bombarded with news reports of cyber attacks and breaches that compromise sensitive information or impair the operations of critical services or infrastructure, but greater awareness of the problem has not led to greater security,” said Phil Reitinger, President and CEO of the Global Cyber Alliance. “Cooperative relationships focused on outcomes, such as the one we are forging here today, will reduce systemic cyber risk in Europe and around the globe.”
Manhattan District Attorney Cyrus R. Vance Jr., said: “The partnership marks an opportunity for GCA to collaborate with European cyber experts and for members of Europol to learn about GCA and its innovative tools. As part of its core mission to reduce cyber vulnerability worldwide, GCA recently announced the release of powerful tools designed to combat phishing attacks and other cyber threats. These tools are free and available to organisations of any size, and it is my hope that through this partnership, others will be encouraged to develop and implement practical safeguards against malicious cyber activity.”
from Help Net Security http://ift.tt/2jQdOMh
Why companies shouldn’t feel helpless in the fight against ransomware
According to recent reports, ransomware is now a billion dollar business for cybercriminals. Attackers are homing in on the weak spots of organisations: human behaviour, through social engineering, and ineffective cyber protection techniques based on static analysis. They’ll lure individuals to open phishing emails, or simply wait for users to click on a compromised website before executing malware that alters data and corrupts or deletes back-ups.
Certainly, these figures point to the fact that cybercriminals have tapped into a lucrative form of attack and ransomware has become one of the more prolific means of targeting organisations. From our own findings, nearly half of all businesses reported that they had been attacked by ransomware in the past year, with 81% of companies indicating that they’ve suffered from three or more attacks. Ransomware, it would appear, is ramping up.
Given the prevalence of ransomware attacks and the impact they can have, it is perhaps not surprising that organisations now express a sense of powerlessness and are prepared to accept that cyber criminals are ahead of the game. In fact, a third of all organisations now report that they feel helpless in the face of these attacks.
Is this the new reality? Should users feel they’ve been left ‘high and dry’ when it comes to protecting themselves against different variants of ransomware or is there hope that they can arm themselves and avoid the operational and financial fall-out that a ransomware attack leaves in its trail?
Are we resigned to ransomware attacks?
For the victims of ransomware that have had their data and, in effect, their business held hostage, there can be serious repercussions with businesses grinding to a halt or forced to put emergency contingency plans into action. Organisations may suffer the loss of irreplaceable data or the financial consequences of downtime compounded by the man hours and human resources which need to be dedicated to decrypting data or restoring it from backups.
In November, hackers infected and took over more than 2,000 computers used to operate San Francisco’s public transport system. This resulted in the Municipal Transportation Agency (MTA) opening its gates and allowing passengers to travel for free. Ransomware attacks can even put the safety of individuals at risk, as seen when an attack on the Hollywood Presbyterian Medical Centre in the US took systems offline for a week and caused massive disruption to its healthcare systems. In the UK, an attack on the computer network at Northern Lincolnshire and Goole NHS Trust in October encrypted a number of the Trust’s servers, resulting in the cancellation of operations and appointments.
It seems there is also a direct impact for security teams in the aftermath of an attack with not only the reputation of the organisation damaged, but jobs being put at stake. In our research, nearly a quarter of organisations which experienced an attack reported that the buck stops squarely with the Head of Security and that a senior member of security staff had lost their job in the wake of an attack.
Perhaps, unlike other forms of cyber attack, the very nature of a ransomware attack can make organisations feel resigned to the fact that the cyber criminals are winning. Loss of data, revenue, downtime and the ‘human’ impact can be devastating. However, in spite of organisations’ sense of powerlessness, should they feel that the fight against ransomware is futile? Is ransomware, in any way, less preventable than other forms of malware?
Fight ransomware
The fact that so many organisations are being attacked, multiple times, does point to the fact that traditional, signature-based detection methods, which look at the identifiable characteristics of malware – such as the servers it’s communicating with – are not adequate to protect against ransomware.
Examining the characteristics of ransomware, however, we can see that it’s actually not so different from other forms of malware. What’s different is the payload and the after effect that this has on a company.
In common with other viruses, ransomware is designed to hide itself from detection, through encryption or evasion techniques such as wrappers – which protect executable files – enabling malware to bypass every security mechanism. Signature-based methods will not identify malware that has been modified or obfuscated. Nor can they detect malware which has been designed to recognise when it’s in a virtualised environment, a technique used by the Cryptowall ransomware. Attackers can quickly adapt and create more variations on a theme that will render these static techniques redundant.
We must look for different ways of protecting against threats and detecting new malware variants. Approaches which analyse the malware’s behaviour and determine a threat’s next action based on attack patterns, techniques and crowd-sourced threat intelligence, will remove this blind spot in malware detection and protection. Focussing on the malware’s behaviour means that we’re not reliant on static indicators that can be easily changed.
Ransomware may be on the rise, but there are approaches that can help organisations in the fight back against this stealthy and burgeoning threat. Cybercriminals are developing new techniques, but innovative approaches that can discover and stop this new breed of threats means the fight is far from lost.
from Help Net Security http://ift.tt/2jxLrSe
Monday, January 30, 2017
Irregular application testing: App security in healthcare
Nearly half (45%) of NHS trusts scan for application vulnerabilities just once a year, with only 8% doing so on a daily basis, according to Veracode. This potentially leaves them with outdated software and at an increased risk of a cyberattack, potentially exposing patient data to the wrong hands.
The new findings were gleaned from a Freedom of Information (FoI) request submitted to 36 NHS trusts, with 27 responding. The responses also revealed that 50% of health trusts scan web perimeter apps only once a year as well, leaving patient data at risk of cyberattacks through legacy websites and third-party plugins.
There are some promising results, however, with the request also revealing that 12 percent of trusts scan web application perimeters daily, demonstrating a growing awareness of the role application security plays to safeguard sensitive patient data.
These findings coincide with the recent Veracode State of Software Security report, which revealed healthcare as an industry once again has the lowest vulnerability fix rate globally, with the second-lowest OWASP pass rate and the highest prevalence of cryptographic and credentials management issues.
The report presented metrics drawn from code-level analysis of billions of lines of code across 300,000 assessments performed over the last 18 months, revealing that 67% of healthcare applications failed OWASP policy compliance.
The below percentages detail the prevalence of high profile vulnerabilities within the global healthcare industry, based on first-time application scans:
- Cross-site scripting: 45.4%
- SQL injection: 28.4%
- Cryptographic issues: 72.9%
- Credentials management: 47.7%
The NHS was also one of the worst performing sectors in terms of the number of data breaches reported to the ICO last year, contributing to 64% of the total figure in the April 2015-March 2016 period.
The Health Secretary Jeremy Hunt has also recently announced that data from approved health apps will now feed directly into personal health records, with the NHS website soon to allow patients to book appointments, access medical records and order prescriptions. Indeed, he has called for the NHS in England to be paperless by 2018.
“In light of recent ransomware and other cyberattacks on healthcare organisations, the industry’s low scores on these application security benchmarks is troubling,” said Paul Farrington, Manager, EMEA Solution Architects, Veracode.
“Our new research certainly raises fresh concerns regarding the safety of patient information here in the UK, as well as across the globe. There appears to be a lack of emphasis on application and web app scanning within the NHS, which could put trusts at an increased risk of losing patient data to hackers.
“The Information Commissioner’s Office has the authority to fine trusts up to £500,000 for data breaches, so there’s even more of a reason for trusts to ensure they’ve placed an emphasis on their cyber hygiene. With hospitals correctly demanding rigorous sterilisation of surgical instruments and cleanliness from staff to fight the risk of infections spreading, the same should be considered when assessing their digital cleanliness to defend against the growing – and changing – threat of cyberattackers.”
from Help Net Security http://ift.tt/2kODLvB
Machine learning in cybersecurity will boost big data, intelligence, and analytics spending
Cyber threats are an ever-present danger to global economies and are projected to surpass the trillion dollar mark in damages within the next year. As a result, the cybersecurity industry is investing heavily in machine learning in hopes of providing a more dynamic deterrent. ABI Research forecasts machine learning in cybersecurity will boost big data, intelligence, and analytics spending to $96 billion by 2021.
“We are in the midst of an artificial intelligence security revolution,” says Dimitrios Pavlakis, Industry Analyst at ABI Research. “This will drive machine learning solutions to soon emerge as the new norm beyond Security Information and Event Management, or SIEM, and ultimately displace a large portion of traditional AV, heuristics, and signature-based systems within the next five years.”
ABI Research finds the government and defense, banking, and technology market sectors to be the primary drivers and adopters of machine learning technologies. User and Entity Behavioral Analytics (UEBA) along with Deep Learning algorithm designs are emerging as the two most prominent technologies in cybersecurity offerings, especially in innovative hot tech startups.
Established antivirus (AV) players in the market, such as Symantec, continue to transform some of their solutions from highly trained supervised models to unsupervised and semi-supervised ones in preparation for the constantly shifting threat variables.
SIEM’s log-based methods are expected to be separated altogether and integrated within different operations of UEBA, unsupervised, and deep learning solutions. Signature-based AV systems will be absorbed completely and comprise only a subsection of supervised machine learning models.
Enterprise-focused powerhouses like IBM will transform the way enterprises employ machine learning in every market sector, from healthcare to enterprise analytics to cybersecurity. Companies such as Gurucul, Niara, Splunk, StatusToday, Trudera, and Vectra Networks are attempting to take the lead in innovative applications of UEBA. Other market entrants like Deep Instinct and Spark Cognition are employing more feature-agnostic models, deep learning, and natural language processing.
“This radical transformation is already underway and is occurring as a response to the increasingly menacing nature of unknown threats and multiplicity of threat agents,” concludes Pavlakis. “The proliferation of machine learning is also causing an explosion of agile startups, such as JASK, focusing more on SIEM complementary network traffic analysis and even pioneering application protection such as Sqreen.”
from Help Net Security http://ift.tt/2kOHMAg
Ease Into Decluttering Your Home With a "Limbo Box"
Getting rid of your unnecessary belongings is tough, but it’s even harder when there are memories attached to them. If you’re trying to pare down, but can’t quite say goodbye to some things you know you don’t need, a “limbo box” can help.
In this video from the Clean My Space YouTube channel, Melissa Maker shares four of her favorite decluttering tips, including a way to ease the pain of letting go. Take the items you’re attached to and place them in a box, then hide them away as if you’re getting rid of them. Try to keep them out of sight, and if you can store them at someone else’s place it’s even better. After some time passes, you’ll realize you’re just fine without them, and it will be easier to say goodbye once and for all. Or maybe, one or two of the items might still feel too valuable to you, and you’ll know for certain they’re worth keeping.
Letting Go Of Stuff - 4 Decluttering Roadblocks & How to Overcome Them! | YouTube
from Lifehacker http://ift.tt/2jo8q75
Picky ransomware targets specific subset of would-be Netflix users
Aspiring Netflix users who don’t want to actually pay for the popular video on demand service are being targeted with a new type of ransomware.
Detected as Netix by Trend Micro, the ransomware is hidden in an executable (Netflix Login Generator v1.1.exe) that poses as software for creating valid Netflix login credentials.
The file is usually offered for download on sites sharing crackers and free access to paid online services. Users who download and run the file will be faced with the above screen. Clicking the “Generate Login!” button will open another one, offering a username and password.
Whether the login credentials actually work or not is unknown. But the other executable dropped by the initial one does work, and it starts encrypting a variety of file types in the machine’s C:\Users directory, including images, videos, archive files, and Office documents.
“The ransomware employs AES-256 encryption algorithm and appends the encrypted files with the .se extension. The ransom notes demand $100 worth of Bitcoin (0.18 BTC) from its victims,” Trend Micro warns.
The ransomware needs to connect to a C&C server to work and to receive the ransom note and warning to display:
Interestingly enough, only users of Windows 7 or 10 are in danger from this particular piece of ransomware, as it won’t run on other versions of the OS.
Victims are urged by the crooks to pay the ransom in order to receive the decryption key, but should know that even if they do, there is no guarantee they will get the key.
Regularly backing up important files is the best way to assure yourself that even if you fall for social engineering approaches such as this one, you’ll be able to avoid paying the ransom and losing your files forever.
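The behaviour-based approach argued for in the ransomware piece above (“Fight ransomware”), applied to the file activity Netix produces according to this article: mass writes of encrypted content under C:\Users with a new extension appended. The detector below is an added example, not Trend Micro's or anyone's product logic. It consumes a constructed stream of file-write events (timestamp, process, path before and after, bytes written) and raises an alert when one process, within a short window, re-extensions several files while writing high-entropy content. The process name `dropped_payload.exe` is a placeholder for the unnamed dropped executable; the window, file-count and entropy thresholds are assumptions. A compressor and a single encrypted file are included to show why the combination of signals, not any one of them, is what triggers the alert.

```python
"""Behavioural detector for ransomware-like file activity (added example)."""
import hashlib
import math
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed: how long a burst is allowed to span
MIN_FILES = 5            # assumed: re-extensioned files needed within the window
ENTROPY_THRESHOLD = 7.0  # assumed: bits per byte above which content looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniform random, text is usually under 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pseudo_random(seed: str, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed data)."""
    out, h = b"", seed.encode()
    while len(out) < length:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:length]


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


# (seconds, pid, process name, path before write, path after write, bytes written)
SAMPLE_EVENTS = [
    # Netix-like burst: six pictures rewritten with the .se extension in six seconds.
    *[
        (t, 4242, "dropped_payload.exe",
         f"C:\\Users\\alice\\Pictures\\photo{t}.jpg",
         f"C:\\Users\\alice\\Pictures\\photo{t}.jpg.se",
         _pseudo_random(f"photo{t}", 1024))
        for t in range(6)
    ],
    # Benign: a document saved in place, low-entropy content, extension unchanged.
    (1.5, 1001, "WINWORD.EXE", r"C:\Users\alice\Documents\report.docx",
     r"C:\Users\alice\Documents\report.docx", b"Quarterly report draft. " * 40),
    # Benign: a compressor writes high-entropy bytes, but to a new file, not over an existing one.
    (2.0, 2002, "7z.exe", None, r"C:\Users\alice\Backups\archive.zip", _pseudo_random("zip", 4096)),
    # Benign: one file deliberately encrypted; a single re-extension is below MIN_FILES.
    (3.0, 3003, "gpg.exe", r"C:\Users\alice\secret.txt",
     r"C:\Users\alice\secret.txt.gpg", _pseudo_random("gpg", 512)),
]


def detect(events) -> dict:
    """Return {pid: reason} for each process whose activity matches the ransomware pattern."""
    recent = defaultdict(deque)  # pid -> timestamps of suspicious writes inside the window
    alerts = {}
    for t, pid, proc, before, after, content in sorted(events, key=lambda e: e[0]):
        re_extensioned = before is not None and after is not None and _ext(before) != _ext(after)
        if not (re_extensioned and shannon_entropy(content) >= ENTROPY_THRESHOLD):
            continue
        q = recent[pid]
        q.append(t)
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MIN_FILES and pid not in alerts:
            alerts[pid] = (f"{proc}: {len(q)} files re-extensioned to {_ext(after)} with "
                           f"high-entropy writes within {WINDOW_SECONDS}s")
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS).items():
        print(pid, reason)
```

The alert fires at the fifth file, which is the trade-off such a detector makes: a few files are lost before the process is stopped, in exchange for not depending on a hash or a C&C address that the next variant changes. Paired with the backups the article recommends, that is a recoverable position.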
from Help Net Security http://ift.tt/2jKBOmu
Cultivate a “Hip Pocket” Skill for Career Success
There are lots of skills that you can learn to advance your career, but instead of tackling all of them, focus instead on building one or two “hip pocket” skills that set you apart from your colleagues.
Hip pocket skills make you more valuable because they’re something useful that not many people on your team excel at, or they’re a specific skill usually not common in your field that you manage to make work well. Since they’re often unique to your workplace, you have a better idea of what they may be, but here are a few suggestions:
- Relationship Management: Good old “soft skills” and “people skills” are criminally underrated. Being able to establish and maintain good relationships between your team and other teams is invaluable. It isn’t always easy to do this in a way that comes across as genuine, which is why it can set you apart.
- Communication: Being able to explain your ideas in ways that are easy to understand puts you miles above others, especially if you become a good public speaker.
- Specific Tools and Software: If your company or team uses specific tools or programs frequently but they’re niche and difficult to manage, becoming the go-to person who understands them gives you knowledge others on your team will seek you out for.
- Data Analysis: Excelling with numbers, even if it’s just being able to track your department’s budget, is a hard skill that you can apply to roles throughout your career.
Once you identify the skill you want to build, set aside time each week to learn more until you’ve mastered it. Of course, some skills, like relationship management, take practice, so the sooner you start, the faster you’ll succeed.
Tips On How To Succeed At Work | CNBC (YouTube)
from Lifehacker http://ift.tt/2kjaYlW
Google launches its own Root Certificate Authority
Google is known for having its fingers in many pies, so it should not come as a surprise that it has opted to start its own Root Certificate Authority.
With the increased implementation of HTTPS across its products, it makes sense for Google to wade into that particular pool. With this step, the company is also minimizing its dependency on other organizations and allowing its engineers to control issued certificates from start to finish.
“The process of embedding Root Certificates into products and waiting for the associated versions of those products to be broadly deployed can take time. For this reason we have also purchased two existing Root Certificate Authorities, GlobalSign R2 and R4. These Root Certificates will enable us to begin independent certificate issuance sooner rather than later,” explained Ryan Hurst, a manager in Google’s Security and Privacy Engineering unit.
Until now, the company was operating its own subordinate Certificate Authority (GIAG2), issued by a third party, to handle its SSL/TLS certificate needs. This CA will still be operated by Google, but a new entity – Google Trust Services – has been created to operate the new Root Certificate Authority.
In the announcement, Hurst said that the new Root CA will issue certificates on behalf of Google and parent company Alphabet. In a previous post on Mozilla’s bug-tracking system, he also noted that the new CA is a commercial CA that will provide certificates to customers from around the world.
“We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing,” he explained. “We will not require that customers have a domain registration with Google, use domain suffixes where Google is the registrant, or have other services from Google.”
The announced change won’t mean much to users of the various Google services – as long as a certificate is valid and doesn’t ring an alarm bell, it pretty much goes unnoticed.
On the other hand, developers who build products that connect to Google’s services will have to include the new Root Certificates.
“Google maintains a sample PEM file which is periodically updated to include the Google Trust Services owned and operated roots as well as other roots that may be necessary now, or in the future to communicate with and use Google Products and Services,” Hurst pointed out.
from Help Net Security http://ift.tt/2jKnE4N
New Rules on Data Privacy for Non-US Citizens
Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.
Here's the relevant text:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans' data without having to follow all EU privacy requirements.
Interpretations of what this means are all over the place: from extremely bad, to more measured, to don't worry and we still have PPD-28.
This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.
from Schneier on Security http://ift.tt/2jlWUsy
Monday review – the hot 27 stories of the week
from Naked Security http://ift.tt/2jMZHaC
Yes, I can see your Pattern Lock code! [Chet Chat Podcast 257]
Sophos Security Chet Chat – Episode 257 – Jan 27, 2017
Join Sophos security experts Chester Wisniewski and Paul Ducklin for the latest episode of our regular security podcast.
If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.
from Naked Security http://ift.tt/2kJMpzQ
The latest on the critical RCE Cisco WebEx extension vulnerability
Since Google bug hunter Tavis Ormandy revealed the existence of a remotely exploitable code execution flaw in the Cisco WebEx extension for Google Chrome last week, Cisco has pushed out several updates for it in quick succession.
We’re now up to version 1.0.7 (the initial update to fix the flaw was 1.0.3), and ostensibly the vulnerability has now been fixed.
The latest update of the security advisory detailing the issue says that the WebEx extensions for Firefox and Internet Explorer on Windows systems were also found to be sporting the same flaw, and have now also been updated.
Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge are not affected, the company claims.
The company has offered users the option to switch to Microsoft Edge to join and participate in WebEx sessions, and has pointed both users and administrators towards a Meeting Services Removal Tool that can help them remove all WebEx software from a Windows system, just in case.
Malicious web requests aimed at exploiting the flaw can also be blocked by organizations that use web proxies or web gateways, by creating a specific URL filtering policy. The policy would block URL requests that contain the string pattern which triggers the flaw.
But is this the end of the problem? Has the issue been thoroughly and finally fixed? Can you use WebEx on your Windows machine safely again? Unfortunately, we can’t know for sure – a new security update might be just around the corner.
The only good news is that Cisco’s Product Security Incident Response Team is currently not aware of any malicious use of the vulnerability.
Still, if you want to mitigate the risk, you can uninstall the WebEx extension for the time being and switch to running the temporary application when you need it. Alternatively, as researcher Filippo Valsorda advises and instructs, you could opt to create a dedicated browser profile for WebEx.
from Help Net Security http://ift.tt/2jucWMs
Sunday, January 29, 2017
Is it time to call an MSSP? Five signs that it can’t wait
Small and midsize businesses (SMBs) are fighting an uphill battle when it comes to managing their network security. According to a 2016 Ponemon study, 69 percent of SMBs don’t have the adequate budget or in-house expertise to achieve a strong cyber security position. As a matter of fact, more than half of the study’s SMB respondents experienced a data breach or cyber attack in the past year with an average cost of $879,582.
This is not a coincidence. Cyber criminals deliberately attack SMBs because they present weaker targets, they can be part of a supply chain to bigger companies, and because changes in the dark web have made it more profitable to sell small batches of credit cards or personal information.
Traditionally, small businesses focus their limited IT resources on everything but network security. To overcome this issue, many SMBs have turned to the cloud and to small, local managed service providers (MSPs) to handle their IT needs.
New security solutions allow traditional MSPs to easily “plug in” security services such as prevention, detection, and response capabilities as an affordable subscription for SMBs with very little hassle or setup required. This creates a new kind of service – the managed security service provider, or MSSP.
Signs it might be time to pick up the phone and call an MSSP
But how do SMBs know when to consider getting outside support for their security needs? Here are five signs it might be time to pick up the phone and call an MSSP:
1. Limited resources and expertise within your organization: Your organization has a limited IT staff that doesn’t have the security experience today’s emerging threat landscape demands. You often find your organization falling behind, reacting to security incidents rather than preventing them. In addition, you don’t have the resources to configure, monitor, and update your security products to ensure ongoing protection.
2. Budget restrictions: Your organization doesn’t have budget allocated to IT security. More often than not, security is not on the budget for SMBs (51 percent of small businesses surveyed recently by Experian did not allocate any budget towards risk mitigation for cyber attacks), and until recently, managed security services have been a luxury reserved for only large enterprises. However, with the emergence of ongoing threats targeted towards SMBs and the introduction of security solutions that focus on ease-of-management and monitoring, traditional MSPs are adding security-as-a-service to solution portfolios that provide cost-effective security.
3. Lack of visibility into IT: Do you know what data and IT resources your business uses? SMBs often do not have visibility into what resources are being consumed, where these resources reside, and how they potentially interact. Whether it’s a laptop running lightweight bookkeeping software, or a point-of-sale solution running a SaaS application, the ability to identify what data is being used, where this data is stored, and how it’s processed by users and applications is key to keeping that data secure.
SMBs also tend to adopt practices such as “Bring your own Device” and “Bring your own Identity” to keep things simple for customers and help their employees be as productive as possible. This leads to very fluid controls that create security risks and unpredictable complexities and make it even more difficult for a business to understand its IT resources. MSSPs can help identify and fill these critical security gaps with monitoring and reporting services and design an organization’s network and platform infrastructure to ensure proper identity and control measures, while continuing to satisfy ease-of-use and productivity requirements.
4. A vulnerable business ecosystem: Your business interacts with multiple vendors and other businesses, and often your applications reside in a broader ecosystem. If you have a contractual or permanent interface with a partnering business, such as a healthcare, hospitality, or financial services organization, attackers may target your IT system to launch an attack at one of your direct or indirect partners. Even if you’re sure that your business is of no interest to attackers, consider working with an MSSP to protect your relationship with your partners.
5. Compliance – To be, or not to be: Does your business follow the necessary security standards for its industry, such as PCI 3.0? Compliance and regulations are usually what drive the need to explore and implement security practices. MSSPs use comprehensive reporting techniques to identify compliance requirements and find any gaps where your business does not adhere to them. If you’re confused by the compliance requirements in your industry, it may be more beneficial to have an expert handle them instead of taking the time and effort away from your business to learn it yourself.
SMBs offer ripe targets for today’s cyber criminal. In 2016, smaller organizations were targeted specifically with spear-phishing trojan attacks and point-of-sale attacks, including one that affected 350+ Eddie Bauer stores. Remember the Home Depot attack that stole 56 million credit card numbers in 2014? That’s what SMBs now face regularly. To overcome these challenges, SMBs need to be vigilant in protecting their employees, customers and partners. If any of the five signs listed above resonate, it’s time to talk with your existing trusted IT partners or MSPs to ensure that their security service properly addresses your needs.
from Help Net Security http://ift.tt/2kK6WA2
Increasingly sophisticated attacks call for advanced protection tools
A new NTT Security report underscores the need for more advanced tools to protect organizations’ data and networks from the evolving tactics, techniques and procedures (TTPs) used by cyber-attackers.
The attribution problem
A topic of considerable public attention is the ability to determine the source of cyber-attacks, in order to assess their credibility and motivation. The report cites hackers’ rampant use of “false flagging” to disguise the true source of an attack. For example, an attack may appear to have originated from a server in China or Russia when in fact it originated in the U.S. or another country.
This allows attackers to cleverly disguise their motivation, which may be establishing ongoing network access, stealing financial data or withdrawing funds directly from an organization.
“Attribution is very difficult, primarily because you can’t always completely trust “source” information. Most attackers don’t want to be found so they go out of their way to cover their tracks,” Jon Heimerl, Manager, Threat Intelligence Communication Team at NTT Security, told Help Net Security.
A cybercriminal from one country might attack from a launching pad in another country (like a bulletproof hosting provider who cares more about revenue than what their services might actually be used for). A cybercriminal might also attack from a victim they have previously hacked.
An attacker might plant evidence to make it appear as though the attack was conducted by someone else, like a criminal from Ukraine using malware with Russian language settings, or using techniques and tools that are widely “known” to be used by Chinese hackers. This is called “false flagging”.
Heimerl explains that many international ISPs and hosting providers feel no obligation to cooperate with investigations because:
- They feel the perception of being implicated in “hacking” activities could make them look bad in the eyes of their legitimate customers.
- They feel doing so could make them targets of revenge from their criminal customers.
- They are themselves unethical.
- They just don’t want to help “foreigners”.
Many international law enforcement bodies are not especially cooperative in investigations. Some do not view hacking activity that takes place in a foreign country as their responsibility. Some governments do not even consider “hacking” illegal as long as it takes place somewhere else.
Top targeted vertical markets for cyberattack
“Analysts observed a 35 percent decrease in the number of cybersecurity attacks during Q4 2016, which is certainly a positive trend; however, it is imperative that organizations not be lulled into a false sense of security,” said Rob Kraus, Director, Security Research and Strategy, NTT Security. “At the same time, the intensity and sophistication of these attacks are on the rise. Hackers are shifting their strategy from widespread attacks to a more focused effort to compromise specific targets they can leverage, opening the door for more malicious and potentially lucrative actions.”
Among the top targeted vertical markets for cyberattack, the Q4 report cites the retail industry as particularly attractive to attackers. This is largely due to the fact that most retailers process customers’ credit and debit card information through their systems.
Retail organizations can implement numerous best practices, such as deploying IT security tactics that are aligned with the Payment Card Industry Data Security Standard (PCI DSS), which can help increase controls around cardholder data and reduce fraud.
Increased client botnet activity driven by attacks on IoT devices
Recent developments have shown that we can expect more massive attacks driven by IoT-powered botnets.
“There are simply too many devices fielded with too many insecure passwords and services. It may very well be functionally impossible to secure them all in their current state. With hard-coded passwords and locked configurations, some of them are simply “unfixable”. Even if manufacturers evolve and begin making more secure devices, it is not sure the market will be willing to support the increased cost and complexity,” said Heimerl.
“Meanwhile, existing devices will likely remain connected in an insecure state, as manufacturers move on to new endeavors. While we may be able to improve future devices and make wiser use of some of these devices, the majority of IoT devices are going to remain vulnerable for many years,” he concluded.
Malicious traffic from Russia
Malicious traffic from Russian Federation hosts jumped from 10th place to the top 3. A significant part of this increase was detections of the RIG exploit kit, hosted at IP addresses owned by ISPs in Russia. As the Angler, Neutrino and Nuclear exploit kits disappeared, activity from RIG jumped dramatically, especially in Q4 ’16. Like all exploit kits, RIG targets vulnerabilities in end-user machines (user workstations), so these are ultimately attacks against the users at these organizations.
“NTT Security observed increases in activity in our entire client base – across all industries, but manufacturing, non-profit, health care, education and finance showed increases elevated above other industries. Alerts associated with Russian sources also included activity from spyware, keyloggers and Trojans, such as the use of banking Trojans Gootkit and KRONOS, for gathering of credentials and follow on use,” said Heimerl.
from Help Net Security http://ift.tt/2jIuMyI
Half of IT pros don’t know how to improve their security posture
Mid-market enterprises have high confidence in their cybersecurity defenses, but they struggle to defend against malicious activity that has become more sophisticated and targeted, according to Arctic Wolf Networks.
How would you rate your organization’s overall IT security posture?
The data revealed a cybersecurity dissonance among mid-market enterprises, highlighting the disparity between what IT professionals believe versus the reality of their security posture. Ninety-five percent of IT professionals believe their cybersecurity posture is above average to great, yet 100 percent of these same respondents report that their organization’s cybersecurity could improve in one or more areas.
Cybersecurity dissonance
Additional data supporting the cybersecurity dissonance includes:
- 72 percent of respondents report that their role covers so many different areas that it is difficult to focus on IT security as much as they should.
- 50 percent of the respondents said that security is so complex, they don’t know where to start to improve their organization’s security posture.
- 51 percent say they would like their organization to assign more budget and/or resources to IT security.
“Most mid-market enterprises believe they are safe because they have the traditional perimeter defenses in place,” said Brian NeSmith, CEO of Arctic Wolf Networks. “This falls far short of what’s needed for rigorous security in today’s complex threat environment. The challenge smaller enterprises face is that they have all the same security issues as large enterprises with only a fraction of the budget and less specialized personnel.”
Struggling with cybersecurity challenges
The survey polled 200 IT decision makers in the United States who have involvement in their organization’s cybersecurity programs.
Despite their overly optimistic view of their own security structure, the survey found that organizations are, in reality, struggling with several cybersecurity challenges, including:
- 90 percent say they need the capability to detect and respond to threats beyond their traditional perimeter defenses.
- 50 percent indicate that security alerts are investigated “when IT staff have time.”
- 77 percent of security alerts are investigated after more than an hour.
- 52 percent of security alerts are investigated after more than one day.
- 63 percent admit they may not be able to stop zero-day threats.
- 88 percent report that having a security operations center would improve their company’s security.
Do you think you are spending enough on security?
“Many mid-market organizations seem to have a sense of security bravado that leaves them particularly vulnerable to compromise,” said David Monahan, Senior Analyst, Enterprise Management Associates. “Malicious activity has been on a steady increase over the last few years and has been especially targeting small and midmarket business because they have valuable data but are generally unprepared for the assault. Seventy percent of ransomware attacks happen to organizations under five thousand employees and sixty percent of the attacked organizations go out of business within six months. Given these types of statistics, it is imperative that mid-size organizations seriously consider services that are specifically designed to provide the mid-market businesses with enterprise-grade security that fits a mid-market budget.”
The survey found that a security operations center (SOC) was highly desired but largely viewed as being out of budget among survey respondents. A SOC is the most essential element of modern security, but SOCs are very expensive and complicated to operate. Of the survey respondents, 59 percent reported that a SOC was too expensive for their organization. The survey data showed that a SOC costs, on average, $1.4 million to establish.
from Help Net Security http://ift.tt/2kKfPtt
Five Easy Photo Improving Tricks Anyone Can Do
Taking great photos doesn’t necessarily require tons of training and nice equipment. You can improve all of your photos with just a few tweaks to the way you shoot.
In this video, YouTuber and professional photographer Peter McKinnon shares the five easiest things you can do to improve the quality of your photos:
- Use angles: Take 10 extra seconds before you shoot to think about the best perspective for your subject. Move around a little and find an angle that looks more interesting than straight-on.
- Shoot through: Shoot your subject through a group of people, some foliage, or dangle something in front of the lens. Give the photo a little more depth and complexity.
- Think opposite: If everybody is taking photos from the same spot at the same angle, try something different. Shoot the subject from the other side, from up close, upside down, at a weird angle, etc.
- Find the light: Lighting is super important, so take some extra time to find the best light for your shot. Don’t settle. If the light isn’t good enough, consider coming back at a time when it is, or try to add your own. And never forget about golden hour.
- Framing: Use objects, people, and whatever else you can find to frame your subject and tell a story. Framing creates a more interesting dynamic and gives the photo atmosphere.
A lot of this can be boiled to down to thinking before you shoot, but not many people realize how little is required to turn a boring shot into something eye-catching. It can be fun to fire off tons of point-and-shoot snapshots, but just a tiny amount of prep time can drastically improve almost every single photo.
5 tips to INSTANTLY up your PHOTO GAME | YouTube
from Lifehacker http://ift.tt/2jLB521
A Tool Handle Makes the Perfect First Lathe Project
A lathe is an extremely cool tool, but it’s also a pretty intimidating machine. YouTuber I Like to Make Stuff decides to learn the basics of using his new machine by making a tool handle.
The project here is clearly a beginner’s one, and Bob at I Like to Make Stuff is learning along while making the video, which means you get to see some trial-and-error stuff as he learns exactly what to do. That might sound annoying, but it’s pretty useful since his problem-solving skills are probably pretty close to what yours would be as a beginner as well. Either way, a tool handle is a quick, cheap way to learn how to use a machine that’s a little terrifying to behold.
First Lathe Project: Simple Tool Handle | YouTube
from Lifehacker http://ift.tt/2k6U4VI
This Tutorial Shows You How to Fake Tilt Shift Videos
You’ve probably seen those fun time lapse videos that make subjects look miniature, like toys or models surrounded by a realistic looking environment. This style requires a tilt shift lens, but this tutorial shows you how to create the effect without one.
The tutorial is via Rob & Jonas’ Filmmaking Tips and explains the step-by-step process of creating a “tilt-shift effect.” It will tell you how to shoot the footage to optimize it, then explain how to process it in Final Cut Pro. As PetaPixel points out, the tutorial emphasizes the grain and saturation in post-processing, which makes the effect more effective.
...you can “trick” your viewers into seeing the result as a miniature world and not just a regular image with blur attached. You’re trying to make it look like this is a scale model, and we’re used to scale models (toys in general) being colorful and vibrant, not dull and muted like our world often is. Ignore this advice at your own peril.
If you use Premiere instead, this video tutorial explains how it’s done, using the same overall process but with Premiere’s options. For more detail, check out the video in full above or head to the link below.
Tutorial: How to Fake a Tilt-Shift ‘Look’ in Post and Miniaturize the World | PetaPixel
from Lifehacker http://ift.tt/2k6pVWE
Make a Spanish Tortilla in Just Ten Minutes With Potato Chips
Traditional Spanish tortillas usually start with potatoes that have been cooked in olive oil until soft—which can take over half an hour—but you can get one on the table in just ten minutes with the help of kettle cooked potato chips.
The above video can walk you through the entire recipe—including how to flip it without everything falling apart—but all you need is four or five eggs and three cups of kettle chips. Season the eggs with salt and pepper, whisk until frothy, and combine with the chips until they’re well-coated. Heat some olive oil in a non-stick pan until it starts to shimmer, and pour in your egg and potato chip mixture. Cook until the tortilla is just set, flip to get the other side, and then transfer to a cutting board for slicing.
How to Make a Potato Chip Spanish Tortilla | Serious Eats
from Lifehacker http://ift.tt/2kgTMho
Saturday, January 28, 2017
Learn How to Make "Kevin's Famous Chili" From The Office
Kevin Malone on The Office doesn’t do a lot of things well, but he sure does know how to make a delicious batch of chili. It’s probably the thing he does best. Here’s how to make it at home.
In this video, YouTube chef Andrew Rea shows you how to make a chili recipe that’s been passed down the Malone bloodline for generations. In case you’re unfamiliar with the source material, the character describes how he makes his famous chili as he spills it all over the office carpet. It’s quite tragic, but it’s also one of the character’s most memorable moments.
To make the chili yourself, you’ll need some dried ancho chiles (toasting them yourself is optional) and some dried cascabel chiles to even out the flavor. You’ll also need some chicken stock, jalapenos, chopped tomatoes, garlic for pressing, and some onions for under-cooking. Just follow along and you’ll have a killer batch of chili in no time. As a joke, Rea serves the chili on a piece of carpet, but I’d recommend using a bowl. You can find the complete ingredient list at the link below.
Binging with Babish: Kevin’s Famous Chili from The Office | YouTube
from Lifehacker http://ift.tt/2jCpC71
Bake Pasta in a Bundt Pan for the Most Crispy, Delicious Edges
The best part of baked pasta is all the crispy corners and bits of broiled cheese, and cooking it in a bundt pan lets you maximize that joy.
As Justin Chapple shows us in the video above, a bundt pan provides a ton of surface area for your pasta loaf to get crispy on, while keeping the interior noodles nice and tender. To make your own, combine cooked pasta (about a pound) with 4 3/4 cups of cheese—Justin uses a mixture of Fontina, cheddar, and Parm—1 1/2 cups whole milk, three eggs, and salt and pepper to taste. Stir it all up, transfer the noodles to a greased bundt pan, and bake at 425℉ until the cheese is all nice and bubbly.
How to Make Bundt Pan Pasta | Mad Genius Tips | Food & Wine
from Lifehacker http://ift.tt/2jqmLuB
Make a DIY Soft-Focus Camera Lens for $15
Sometimes clear focus isn’t what you actually want in a photo. Maybe you’re trying to create an impressionistic scene that evokes something other than literal reality. And one way to completely change your photos is to make your own soft-focus lens.
There are a variety of places you can buy an intentionally distortional lens, most prominently Lensbaby. Their best sellers are a little under a hundred bucks, though, so it’s a little pricey if you’re just looking to experiment. In this video from Randy Snook, though, we see how he makes a rough and ready lens for under $15 that he nicknames the Pipe Dream.
There are just a few elements that go into Snook’s lens: a 1 1/4" PVC joint union, the lens itself (specifically, a 65mm single element positive meniscus lens), and a Canon to 55m reverse adapter ring so that the pipe can actually attach to the camera. All the items are just a few dollars each but the trickiest item to find is the lens; Snook got his from Surplus Shed (it’s item #L5032).
The assembly is pretty simple: Snook paints the PVC parts black to minimize light leaks, carefully screws the adapter ring into the pipe (with a little glue, since the pipe doesn’t actually have threads for the ring), and uses a few dabs of hot glue around the perimeter of the lens to hold it in place. Then he screws the disassembled pipe parts back together. Remember that if you use a different lens, it will likely have a different focal length, so this exact pipe configuration may need adjustment. Then you’re ready to try it out and take some dreamy shots.
The Pipe Dream Soft-focus lens | Randy Snook via PetaPixel
from Lifehacker http://ift.tt/2kdRI9p
Friday, January 27, 2017
Fix a Dented Ping Pong Ball With Boiling Water
If your table tennis smash is a little too powerful, or your beer pong game has gotten out of hand, here’s a quick fix for those dented ping pong balls.
As this video from YouTuber Lifehacker & Experimenter demonstrates, just put on a kettle and boil some water. Place the ping pong ball in a glass, pour the boiling water over it, and the heat will force the material back into shape. You can fish it out with a fork or just grab it with your fingers if you’re careful. And if you have a bunch to fix, you can do the same thing with a pot of simmering water, or just toss them in every time you sous vide. Now your table tennis match or epic game of beer pong can continue.
How to Fix a Dented Ping Pong Ball - Table Tennis | YouTube
from Lifehacker http://ift.tt/2kvwn9p
Deadspin Oh God The Knicks Are Going To Screw This Melo Shit Up So Completely, I Can’t Wait | The Slot What the Hell Is Wrong With Paul Ryan’s Phones? | Gizmodo Everything Trump Fucked Up in Science and Technology This Week | The Root Woman Who Caused Emmett Till’s Death Admits to Lying |
from Lifehacker http://ift.tt/2kbrcgR
Friday Squid Blogging: Squid Fossils from the Early Jurassic
New fossil bed discovered in Alberta:
The finds at the site include 16 vampyropods, a relative of the vampire squid with its ink sac and fine details of its muscles still preserved in exquisite detail.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
from Schneier on Security http://ift.tt/2jygQH7
News Feed Adds Interactive Audio News to Amazon Echo
By default, the Amazon Echo can deliver news reports on request, but it is a little limited if you want to hear the latest stories from multiple outlets on specific topics. With News Feed by Audioburst, you can hear snippets of audio from a variety of news outlets through Alexa for a more lively look at the news.
Audioburst’s technological focus is making audio searchable by transcribing it in real time. With News Feed, they’re putting that tech to use by delivering a range of news reports to Alexa on any topic. If you ask about the results of a basketball game, for example, you’ll hear clips of the actual news rather than a simple summary delivered in Alexa’s amiable but robotic voice. You can see a few comparisons in the demonstration below:
News Feed is free, and you can enable it on your Alexa devices here on Amazon or in the Alexa app.
News Feed by Audioburst via Product Hunt
from Lifehacker http://ift.tt/2kBYdEe
Four Ways to Make a Too-Small T-Shirt Bigger
If you have a favorite t-shirt that’s a little too small to wear comfortably, or just doesn’t fit quite right anymore, you don’t have to toss it or donate it. Here are four simple methods to loosen it up or size it up so you can wear it again.
The method you use depends on what you want to preserve about the shirt, your level of sewing skill, and what you want the shirt to look like.
- Add Slits: This is a no-sew technique and preserves the whole shirt, so if you have one that’s made of really comfy material, this is a good option. This is the first example in the video above: you can cut a vertical slit down the front from the neckline, remove the sleeves and cut bigger armholes, or cut slits up the sides for a looser fit; it’s up to you.
- Combine With Another Shirt: You need to be able to sew in a straight line, and this method will be easier if you have a sewing machine. Thrift or buy a plain t-shirt that’s similar in color to the shirt you want to size up. Cut the arms off the original shirt and cut down the side seam to separate the back and front. Cut wide strips from the plain shirt and sew them between the front and back of the original shirt. Trim around the armholes. You can also use fabric glue instead of sewing, but the look won’t be as clean and the shirt won’t be as durable.
- Transfer the Design: If you mainly want to preserve the imagery on the shirt and have medium sewing skills, this is a fitting technique for you. Cut around the image, leaving an inch or two as a buffer. You’ll end up with what is essentially a large patch. Sew the patch to a new, larger shirt in the same color as your original shirt. Again, you can use other attachment methods like fabric glue, but they won’t hold up as well over time as sewing.
- Make New Sleeves: This technique requires medium sewing skills since you’ll be creating new sleeves and sides to attach to the original shirt. Buy fabric that is similar in color to your original shirt, or use another shirt you already have, and trace a pattern for sleeves and sides that will end up connecting the front and back of the original shirt. Cut the arms off the original shirt and cut down the side seam. Sew each side and sleeves together, then sew to the original shirt.
The last two techniques are best suited for dark colored shirts where the thread will be less noticeable. You can always practice on an old shirt or a cheap thrifted shirt before cutting up your treasured tee. Check out the full video above for a visual step-by-step walkthrough of each technique.
4 Ways to Upsize T-Shirts | Coolirpa (YouTube)
from Lifehacker http://ift.tt/2jF04Ut
Phishers’ new social engineering trick: PDF attachments with malicious links
It is – or it should be – a well-known fact that attackers occasionally email potential victims PDF attachments containing malware or exploit code.
But the latest attacks through PDF attachments are geared towards pushing users to enter their email account credentials into well-crafted phishing pages.
Attack variants
Microsoft security experts saw a lot of variants of the same attack, and they all start with spoofed emails supposedly delivering asked-for documents.
In one variation, the PDF makes it look like there has been an error, and the document can only be displayed with Microsoft Excel. But instead of actually opening it with their own software, potential victims are urged to open it by following the link offered in the PDF:
If they do that, they will be redirected to a web page that makes it seem like the document can only be opened if the user signs in with their email credentials.
In another variant, the PDF urges users to click on a link that will supposedly allow them to view a Dropbox-hosted document online. Again, they are redirected to a phishing page that “allows” them to view the document only if they log in with their email credentials:
In this particular case, when they enter their credentials they are actually shown a decoy PDF document, making it more likely they won’t notice right away that they have been phished.
What to be on the lookout for
“Social engineering attacks are designed to take advantage of possible lapses in decision-making. Awareness is key; that is why we’re making these cybercriminal tactics known,” Microsoft’s Alden Pornasdoro explained.
“In these times, when we’re seeing heightened phishing attacks with improved social engineering techniques, a little bit of paranoia doesn’t hurt. For instance, question why Adobe Reader is trying to open an Excel file. Ask why Dropbox is requiring you to enter your email credentials, not your Dropbox account credentials.”
Microsoft Edge users have a slight advantage here, as the Microsoft SmartScreen technology blocks these phishing pages from loading. Firefox users who have updated to the latest stable version could be helped by the fact that the browser now flags HTTP login pages as insecure.
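Both variants described above rely on the same mechanism: a link annotation inside an otherwise harmless PDF that sends the reader to a credential-harvesting page. A mail gateway or analyst can triage such attachments by pulling every `/URI` action out of the file and checking where it points. The following Python is an added example written for this post; it is not Microsoft's or Help Net Security's code. The PDF bytes are constructed inline to mimic the "open with Excel" lure, the trusted-host list is an assumption you would replace with your own allow-list, and the regex-based extraction only covers uncompressed annotation dictionaries (object streams would need a real PDF parser).

```python
import re
from urllib.parse import urlparse

# Constructed sample: a one-page PDF with two link annotations, one pointing
# to a plain-HTTP look-alike "document viewer" and one to a genuine Dropbox host.
# This is not a real phishing sample; it is assembled here for the example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://login-verify.example/excel-view) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.dropbox.com/s/abc/report.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches the target of a /URI action written as a PDF literal string,
# allowing backslash-escaped characters (including escaped parentheses).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return every /URI action target found in the raw PDF bytes.

    Only uncompressed annotation dictionaries are handled; links stored in
    compressed object streams are invisible to this simple scan.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF literal-string escapes that matter for a URL.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def assess_link(uri, trusted_hosts):
    """Classify one link target. Returns (verdict, reason)."""
    parts = urlparse(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return ("suspicious", "non-web scheme %r" % parts.scheme)
    if host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts):
        return ("ok", "trusted host")
    if parts.scheme == "http":
        # A login page served over plain HTTP is exactly what Firefox now flags.
        return ("suspicious", "plain HTTP link to untrusted host")
    return ("review", "external HTTPS link to untrusted host")


def triage_pdf(pdf_bytes, trusted_hosts=frozenset({"dropbox.com", "microsoft.com"})):
    """Return a list of (uri, verdict, reason) for every link in the PDF.

    trusted_hosts is a placeholder allow-list; replace it with your own.
    """
    return [(u,) + assess_link(u, trusted_hosts) for u in extract_uris(pdf_bytes)]


if __name__ == "__main__":
    for uri, verdict, reason in triage_pdf(SAMPLE_PDF):
        print("%-10s %-45s %s" % (verdict, uri, reason))
```

Running the module prints one line per link: the look-alike viewer URL comes out as `suspicious` and the Dropbox link as `ok`. The verdict logic deliberately mirrors the advice quoted above: a document that claims it must be opened elsewhere, over plain HTTP, on a host you do not recognize, is the pattern worth stopping at the gateway or flagging to the user.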
from Help Net Security http://ift.tt/2kb7K4t
Whisply Easily Encrypts Files, Shares Via Dropbox, Google Drive, and OneDrive
We’ve previously featured BoxCryptor, which allows you to easily encrypt files on your computer. However, if you only need to encrypt a few files and don’t want to install an app, Whisply can help.
Whisply comes from the same company that makes BoxCryptor. It lets you upload several files, select how secure you want them to be, and then choose a cloud storage service to upload them to. Whisply claims it doesn’t have a file size limit, but it recommends avoiding uploads larger than 10MB.
Of course, if you need to be extra careful with your encrypted documents, you might not want to upload them to a third-party service. However, this fills a handy niche for those who need to keep their files safe but aren’t familiar with how encryption tools work, or if you need to encrypt a file while you’re away from your desktop. It can also serve as a helpful introduction to encryption in general.
from Lifehacker http://ift.tt/2jEFpzO
Remote attackers can force Samsung Galaxy devices into never-ending reboot loop
A single SMS can force Samsung Galaxy devices into a crash and reboot loop, and leave the owner with no other option than to reset it to factory settings and lose all data stored on it.
This is because there are certain bugs in older Samsung Galaxy phones and tablets that can be triggered via SMS, and used by attackers to force maliciously crafted configuration messages onto the users’ device. The bugs allow these types of messages to be executed without user interaction.
As the ContextIS researchers who discovered the vulnerabilities explained, this avenue of attack can be abused by crooks to hold users’ devices for ransom.
“First a ransom note is sent, if ignored then the malicious configuration message can be sent,” they noted. If the victim pays up, a configuration message can later be sent to stop the rebooting.
Vulnerable Samsung Galaxy devices
The vulnerabilities in question, CVE-2016-7988 and CVE-2016-7989, can be triggered through SMS on the S4, S4 Mini, S5 and Note 4, but not on newer Samsung devices.
“It’s worth noting that although newer phones such as the S6 and S7 aren’t affected over the air, [a similar result] could be accomplished by a malicious app abusing CVE-2016-7988,” they added.
Update your devices today
These specific issues are related to modifications Samsung made to the Android telephony framework and are found in a Samsung-specific application for handling carrier messages. They’ve since been patched (November 2016).
“We responsibly disclosed this to Samsung who handle the patching process with carriers. We extended our standard 90 day disclosure policy to allow Samsung time to arrange for the patches to be made available,” the researchers told Help Net Security.
Whether all users of vulnerable devices have received the patches is difficult to tell. “The Android update process is a bit of a minefield and is well illustrated in this HTC diagram,” they commented.
They also noted that it’s possible that the same avenue of attack could be abused to target other devices – it all depends on how this same technology is handled by other vendors.
from Help Net Security http://ift.tt/2jEzRpe
Research into Twitter Bots
There are a lot of them.
In a world where the number of fans, friends, followers, and likers are social currency -- and where the number of reposts is a measure of popularity -- this kind of gaming the system is inevitable.
from Schneier on Security http://ift.tt/2k9mS1O
Facebook gets physical for safer logins
Facebook has been offering the two-factor authentication login option for a while now, and is now trying to make its use easier than ever before.
“Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone. These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone,” Facebook security engineer Brad Hill explained, and announced that, from now on, users can register a physical security key to their account.
So, instead of entering a confirmation code after entering the password, users can simply tap their physical security key, and they’re in.
Aside from making the login process faster and easier, the option offers protection against phishing attacks, as you don’t have to enter a security code, and phishers have no way of getting your security key.
Also, the security key can be used for two-factor authentication schemes offered by other online services (Google, Dropbox, GitHub, etc.).
Using a security key with your Facebook account
Instructions on how to add a security key to your account can be found here, but be aware that there are some limitations on its use.
It currently works only with certain web browsers: the latest version of Chrome or Opera. “At this time we don’t support security key logins for our mobile Facebook app, but if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website,” Hill also pointed out.
So, you’ll still need to set up an alternative login approval method, just in case.
from Help Net Security http://ift.tt/2jb2NJ2
Thursday, January 26, 2017
Connected homes and new hacking risks
Eight out of ten US consumers have a home data network and more than a third of them connect entertainment systems, gaming consoles and other smart devices to the Internet, increasing the risk of home cyber attacks, according to The Hartford Steam Boiler Inspection and Insurance Company (HSB).
Of the 81 percent of consumers who said they have a Wi-Fi or other home data network, 38 percent had electronic devices other than personal computers, smartphones or tablets connected to the Internet. The connected devices include smart televisions, music systems, thermostats, security cameras, door locks, alarms, lighting, home automation and other smart devices.
Although cyber attacks on non-computing home systems and smart appliances are so far relatively uncommon (10 percent of those responding were victims), the increase in connected devices is creating a new pathway for attackers, the results showed.
“Cyber criminals are always looking for new targets,” said Timothy Zeilman, vice president and counsel for HSB. “And home devices like smart TVs and appliances are often designed for easy use and not security. Compounding the problem, many consumers don’t take even basic measures such as changing default passwords and updating security software.”
The most common type of non-physical damage experienced through attacks on home devices, appliances and systems were viruses or other unwanted software on their systems (59 percent) and damage to software or operating systems (45 percent).
Damage to home devices in a cyber-attack usually results in a financial loss, the survey showed, with 87 percent of the victims spending money to respond. The losses were often substantial — 42 percent of the victims in the survey spent between $1,000 and $5,000.
The problem will likely get worse as the number of connected home devices increases, Zeilman said. In response, new cyber insurance coverages are becoming available for consumers. Once offered only to businesses, cyber insurance for individuals can pay for expenses related to cyber attacks on home computers, home systems, and appliances and other connected devices, cyber extortion, data breach and online fraud.
from Help Net Security http://ift.tt/2k8dCLe
Five emerging technology trends essential to business success
People hold the power to shape and apply technology to create positive change, improve lives, and transform business and society, according to Accenture Technology Vision 2017, the annual technology report that predicts the most significant technology trends that people will apply to disrupt business over the next three years.
We are beginning to see the emergence of technology for people, by people – technology that seamlessly anticipates our needs and delivers hyper-personalized experiences.
“The pace of technology change is breathtaking, bringing about the biggest advancements since the dawn of the Information Age,” said Paul Daugherty, Accenture’s chief technology & innovation officer. “As technology transforms the way we work and live, it raises important societal challenges and creates new opportunities. Ultimately, people are in control of creating the changes that will affect our lives, and we’re optimistic that responsive and responsible leaders will ensure the positive impact of new technologies.”
What creates innovation breakthroughs
Accenture surveyed more than 5,400 business and IT executives worldwide. Nearly nine in 10 respondents (86 percent) said that while individual technologies are rapidly advancing, it is the multiplier effect of these technologies that is creating innovation breakthroughs.
With advances in artificial intelligence, the Internet of Things and big data analytics – humans can now design technology that’s capable of learning to think more like people and to constantly align to and help advance their wants and needs. This human-centered technology approach pays off for businesses, as leading companies will transform relationships from provider to partner – simultaneously transforming internally.
Five emerging technology trends that are essential to business success
AI is the new UI. Artificial intelligence (AI) is coming of age, tackling problems both big and small by making interactions simple and smart. AI is becoming the new user interface (UI), underpinning the way we transact and interact with systems. Seventy-nine percent of survey respondents agree that AI will revolutionize the way they gain information from and interact with customers.
Design for humans. Technology design decisions are being made by humans, for humans. Technology adapts to how we behave and learns from us to enhance our lives, making them richer and more fulfilling. Eighty percent of executives surveyed agree that organizations need to understand not only where people are today, but also where they want to be – and shape technology to act as their guide to realize desired outcomes.
Ecosystems as macrocosms. Platform companies that provide a single point of access to multiple services have completely broken the rules for how companies operate and compete. Companies don’t just need a platform strategy, they need a rich and robust ecosystem approach to lead in this new era of intelligence. Already, more than one-quarter (27 percent) of executives surveyed reported that digital ecosystems are transforming the way their organizations deliver value.
Workforce marketplace. The number of on-demand labor platforms and online work-management solutions is surging. As a result, leading companies are dissolving traditional hierarchies and replacing them with talent marketplaces, which in turn is driving the most profound economic transformation since the Industrial Revolution. Case in point: Eighty-five percent of executives surveyed said they plan to increase their organization’s use of independent freelance workers over the next year.
The uncharted. To succeed in today’s ecosystem-driven digital economy, businesses must delve into uncharted territory. Instead of focusing solely on introducing new products and services, they should think much bigger – seizing opportunities to establish rules and standards for entirely new industries. In fact, 74 percent of the executives surveyed said that their organization is entering entirely new digital industries that have yet to be defined.
from Help Net Security http://ift.tt/2jvRYzN