How to secure your Instagram account using 2FA

With our archives full to bursting with stories of hijacked social media accounts, it’s a very good idea to set up two-factor authentication (2FA) on all the platforms you use. 2FA combines your password with something else – a text message to your phone, a code generated by an authenticator app, or a physical key.

Although Instagram is part of Facebook, and Facebook supports several 2FA methods, the 2FA setup process isn’t exactly the same as it is for Facebook, so if you need a bit of help on how to get two-factor authentication on your Instagram account, we’ve outlined the steps in detail below.

While you can browse Instagram and use some Instagram features from a web browser, it’s really meant to be accessed within the Instagram app. To follow the steps below, you’ll need to be logged into the Instagram app on your smartphone or tablet.

    • Go to your Profile by tapping the person icon in the bottom right of the app.
    • Open the “hamburger” menu in the top right of the screen. Tap Settings at the very bottom of that menu.
    • Scroll down to the Privacy and security section and open it up.
    • Under the Security section you’ll find the Two-factor authentication option.
    • Instagram will now show you a screen with a basic introduction to 2FA and the methods they support: Text message-based 2FA and app-based. Again, since Instagram is primarily app-based, authentication methods that play nicely with smartphones are what Instagram supports. (USB key-based 2FA devices like a Yubikey wouldn’t work in a mobile context.)
    • On the next screen, you can choose the method(s) you’d like to use for two-factor authentication. While you can choose to enable both Text message and Authentication app-based 2FA, it may make things needlessly complicated for you – unless you’re confident you need both options at once, it’s best to stick with just one of these methods.
    • The more secure of the 2FA options is to use an Authentication app. You’ll need to install a free app like the Google Authenticator or Duo Mobile app to complete the initial 2FA setup on Instagram, and you’ll also need to keep it installed to log in to Instagram afterward. So if you don’t have an authenticator app installed, go ahead and install one right now.
    • Back on the Instagram 2FA setup screen, select the Authentication app option and tap Next, and you’ll be prompted to have Instagram work with your authentication app automatically – which takes care of some of the annoying setup legwork for you, so hit yes. You can use whatever trustworthy authenticator you prefer.
    • Your phone will then switch you over to your authenticator app, and you’ll be asked if you want to add the token attached to your Instagram user name. Hit yes, and you’ll see your Instagram account name within the authenticator app, and a 6-digit numerical code underneath it. That code is your authentication token, and it will change at very frequent intervals. So you’ll next want to copy that numerical code and quickly go back to Instagram, where it is waiting for you to input your confirmation code (the numerical code you just copied).
    • Paste the code in and you should get a confirmation from Instagram that app-based 2FA is now set up.

You’re not 100% done just yet. The next screen will show you your Recovery codes, which are sort of like an emergency escape hatch if you can’t get 2FA to work – say if you lose your phone and can’t use the authentication app, but need to log in to your account.

In the wrong hands, these codes would also let someone bypass your 2FA protections, so you want to keep them confidential and in a safe place. Some people take a screenshot of the codes and email the screenshot image to themselves, save it in their cloud photo storage, or they even print them out and put them in a locked safe — whatever works for you, as long as the chances of it falling into the wrong hands are minimal.

Once 2FA is set up on your account, Instagram will also send you an email confirming that this new security measure is in place, or if 2FA is ever disabled on your account.


from Naked Security http://bit.ly/2SyKADa

Sunday, December 30, 2018

This USB Battery Pack Also Has An AC Outlet, and It's Never Been Cheaper

Portable battery packs with USB ports are a dime-a-dozen, but your options are a lot more limited if you need a portable AC outlet. The Jackery PowerBar though is a great option at a solid price.

The PowerBar is a big battery pack, let’s get that out of the way right off the bat. It’s pretty similar in size to a tallboy beer can, albeit with flat sides, so you aren’t going to be sticking this in your pocket. But in that package, you’ll find a 20,800mAh battery pack, two USB ports (one of which features Quick Charge 3.0), a USB-C port that doubles as the input, and yes, an 85W AC outlet that can charge a laptop, power a lamp, or even run a small TV for a time. It’s also never been cheaper than it is today — $82 — so this is a great chance to stay on the grid even when you’re off the grid.

Need even more power? There’s also a full-on solar generator on sale.



from Lifehacker http://bit.ly/2SuOk8w

How to secure your Twitter account

Intrusions into your Twitter account might range from mild annoyance, to a serious PR fail, to an international political gaffe.

Regardless of how you use it, there’s no need to make it easier for someone who wants to hijack your Twitter account. It’s quite easy to improve the security of your Twitter account and it only takes a few minutes.

Enable two-factor authentication (2FA)

Having a strong, unique password is an important first step to securing your account, but passwords can be easily guessed or generated by an attacker, so by themselves they’re not enough to stop someone in their tracks.

Your best bet to keep someone out of your account is to also enable two-factor authentication, which means you’ll need a second factor – like a numerical code or physical key – to prove it’s you when you log in to your account. It’s extremely unlikely that someone trying to break into your account has both your password AND access to your unlocked phone, so enabling two-factor authentication significantly reduces the chance of an account break-in.

How to do it: To enable 2FA on your Twitter account, log in and click your profile icon, then go to Settings and privacy. Scroll down to Login verification, which is what Twitter calls two-factor authentication.

Twitter begins the setup with a text message (SMS) code, but once you have 2FA set up you have the option to stick with an SMS code, use a physical security key, or use a mobile authenticator app. Many people prefer to use SMS as it’s easiest, but this method has its own security flaws, so we recommend using an authenticator app on your phone.

For good measure, you may also wish to enable password reset verification, which will require you to confirm your email or phone number if someone (hopefully you) asks to reset your password.

Screen who can contact you

Twitter is great as a big, open platform where anyone can join in the conversation. But that openness can also be a bit of a pain, as harassers and crooks love the platform’s openness too. There’s a very simple way to make sure you aren’t bothered by lazy spammers who are just out to blast Twitter accounts with links to malware as quickly as possible: Screen who can contact you via direct message or by public reply.

You can opt to only allow people you have opted in to follow to send you a direct message (a private message that does not have a character limit, unlike standard tweets), and you can also opt to enable quality filters on regular tweets that you receive, so tweets by profiles of “low quality” will never reach you. This means that if someone with a phony account tries to send you a potentially phishy link – which can and does happen on Twitter, so always click with caution! – they’ll have to do a lot more work just to set up their account and get past basic quality filters, and most spammers won’t bother.

How to do it: To only allow people you follow to send you a direct message, go to Settings and select Privacy and safety from the left-hand menu, and then deselect Receive direct messages from anyone.

To enable the Twitter quality filters, go to your Settings and select Notifications from the left-hand menu. Under Advanced, select Quality filter.

On this page you can also opt to Mute notifications from people who have a default profile photo and haven’t confirmed their email address, which will filter Twitter accounts that haven’t finished their basic profile setup.

Check your connected apps

Do you remember which apps you’ve authorized to have full access to your Twitter account? It’s painlessly easy to sign up to a service using Twitter, but how long do you want that service to have that kind of access? It’s worth reviewing your connected apps to see what’s still lingering in there, and if you see something you don’t remember authorizing or haven’t used in a while, it’s time to revoke its permission to your account.

How to do it: In your Settings, select Apps and devices from the menu and take a look at the apps that are listed as connected to your account. Hit the revoke option for any app that you no longer need or want.

The nuclear option: protect your tweets

While the idea behind Twitter is that the conversation is public and open to everyone, you can opt to protect your account, which makes your tweets visible only to people that you’ve opted to follow.

Twitter itself notes that if you have tweeted publicly and then later change your account to “protected,” it’s very possible those initially-public tweets will continue to live on publicly in perpetuity – so protecting your account is not an “oops” button for erasing tweets you’ve regretted sending, but it is a good way to make sure you know exactly who’s reading your words. It’s the nuclear option for sure, but if you want control over who’s reading you, it’s the right option for you.

How to do it: In Settings, select Privacy and safety. Under Tweet privacy check Protect your Tweets. (You can always un-protect your tweets and make your tweets public if you ever change your mind!)


from Naked Security http://bit.ly/2EVBQD5

Massive Ad Fraud Scheme Relied on BGP Hijacking

This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol:

Members of 3ve (pronounced "eve") used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly "viewed" ads that were hosted on bogus pages run by the scammers themselves -- who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers' fraudulent page requests through millions of compromised IP addresses.

About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that's where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.

Lots of details in the article.

An aphorism I often use in my talks is "expertise flows downhill: today's top-secret NSA programs become tomorrow's PhD theses and the next day's hacking tools." This is an example of that. BGP hacking -- known as "traffic shaping" inside the NSA -- has long been a tool of national intelligence agencies. Now it is being used by cybercriminals.


from Schneier on Security http://bit.ly/2ES5xov

Four Tips for Finding Wine You'll Actually Enjoy

Objectively, wine is good.

However, finding wine that you actually love can be a challenge. So we visited Vanderbilt Wine Merchants to ask wine and spirits expert Jake Cahill to answer some of the most common wine shop questions.

How much does good wine cost? Can you judge a wine by its label? How do you become a wine expert yourself? Jake answers all these questions so you can feel good about your wine choices, even before you get a taste.


from Lifehacker http://bit.ly/2VdnPGw

Chris Gethard Thinks You Should Steal Toilet Paper From Work

At the live recording for our podcast, The Upgrade, comedian Chris Gethard admitted to having taken toilet paper from a previous employer (in his words a “Manhattan Improv Theater”—try to guess which one).

This led the rest of the guests, Brittany Luse and Eric Eddings of The Nod, YouTuber Akilah Hughes, and Lifehacker’s very own Melissa Kirsch and Alice Bradley to discuss the morals of taking all sorts of items—snacks, tampons, Tums—from work.

So is taking things from work a life hack? Watch the clip above and decide for yourself.


from Lifehacker http://bit.ly/2EQC1zz

Two Methods for Tying the Perfect Bow Every Time

Gifts are fine, I guess. But what really makes a present sing is the perfectly tied bow on top.

Alas, so few are dexterous enough to tie a perfectly proportioned bow without the ribbon twisting at the bottom.

So here’s a video demo showing two fool-proof (and Grinch proof!) methods for getting a perfect bow every time. The first shows a traditional box bow, in which the twist is—wait for it—on the top of the gift under the knot! The second method is a simple bow on the diagonal—surprisingly simple, but with the same great gift-giving effect.


from Lifehacker http://bit.ly/2Cs68eN

Ep. 013 – Breaches, Facebook and ransomware reinvented [PODCAST]

We ring out 2018 with a look at the big issues of the past year. Listen and enjoy!
from Naked Security http://bit.ly/2GzQ9j8

Get a Free Copy of Ubisoft's Anno 1602 Today 

Windows: To celebrate the 20th anniversary of the launch of Anno 1602—the very first game in the celebrated “Anno” strategy series (which has since stretched all the way to Anno 2205)—publisher Ubisoft is giving away the game for free.

The catch? It’s a Windows-only download, which Ubisoft even teases in its description of the promotion: “If you remember what Windows 95 looked like or if you were born in the 21st century take the time to discover or replay this classic for free.”


You also only have until tomorrow—Saturday, December 22—to grab the game. Otherwise, you’ll have to throw down $10 to relive the nostalgia of building pixelated colonies and fighting off rivals in the 17th century.

If this sounds like fun, but you hate the idea of having to learn the intricacies of a new, complicated strategy game, don’t worry. Since Anno 1602 has been out for more than two decades, plenty of players have already created some excellent walkthrough videos you can watch to ensure your first few attempts at building a new world don’t self-destruct:


from Lifehacker http://bit.ly/2T4aSN7

More phishing attacks on Yahoo and Gmail SMS 2FA authentication

The second report in a week has analysed phishing attacks that aim to bypass – and are probably succeeding in bypassing – older forms of two-factor authentication (2FA).

The latest is from campaign group Amnesty International, which said it had detected two campaigns sending bogus account alerts targeting around 1,000 human rights defenders in and around the Middle East and Africa.

The organisation has its theories about who is behind the attacks but what will matter most to Naked Security readers are the methods being employed to defeat authentication.

Only days ago, researchers at Certfa reported on what they believed were targeted attacks against influential people with US connections which were able to beat 2FA.

Those targeted Gmail and Yahoo accounts secured using either SMS-based 2FA (where a one-time code is sent to a user’s mobile device) or codes generated by an authenticator app, which also uses an OTP-based protocol.

Likewise, the attacks detected by Amnesty also targeted Google and Yahoo’s 2FA, although this probably reflects their popularity rather than any specific weakness in implementation.

Phishing 2FA

As with Certfa, Amnesty’s evidence comes from analysis of a server used by the attackers to store credentials from stolen accounts.

This appears to include references to phished OTP 2FA codes but with an interesting twist – once they’d gained access to the account, the attackers also set up a third-party app password to maintain persistence.

This would mean that even if a phished individual realised they’d been hacked and regained access to their account, the attackers would have created a sneaky backdoor that wouldn’t be immediately obvious to many users.

Says the report:

App passwords are perfect for an attacker to maintain persistent access to the victim’s account, as they will not be further required to perform any additional two-factor authentication when accessing it.

In a second technique, the attackers appeared to have connected hacked accounts to migration services such as Shuttlecloud as a way of quietly monitoring activity in a clone account.

ProtonMail and Tutanota

Interestingly, the campaigns also targeted more specialised email services such as ProtonMail and Tutanota which are marketed as offering a higher level of security and privacy by default.

For example, even without 2FA turned on, ProtonMail users must enter not only a username and password but an encryption code to decrypt the contents of their inbox. All messages sent between users of the service are end-to-end encrypted and users can see logs of all account accesses.

And, of course, users can turn on OTP-based 2FA which, given that ProtonMail is intended to raise the bar for attackers, one would imagine the majority of users would do.

But encryption keys and OTP codes are no different from usernames and passwords – in principle they can be phished if the attackers are able to jump through a few extra hoops.

According to Amnesty, in the case of Tutanota the phishing campaign was able to use a similar-looking domain, tutanota.org (the correct domain being tutanota.com).

To boost verisimilitude, the attacks added baubles such as an HTTPS connection/padlock, and a carefully-cloned replica of the real site.

Did the attacks succeed?

The evidence isn’t conclusive, but it appears that Yahoo and perhaps Gmail SMS 2FA was successfully targeted on some occasions. No evidence is presented regarding any compromise of ProtonMail or Tutanota accounts.

The question is where this leaves 2FA authentication that’s based on sending or generating codes.

It’s worth stressing that while man-in-the-middle attacks on this form of authentication have been possible for years, it is not as easy as phishing a username and password.

To succeed, the attacker must grab the code within the 30-second window before it is replaced by a new code, which under real-world conditions must probably be done in less than half that time. This might explain why SIM swap fraud (where attackers receive SMS codes direct) has become another popular technique.

To be convincing, they might also have to know the target’s phone number because SMS authentication pages often list the last two digits as an authenticity check.

The message here is that while code-based 2FA is better than a plain old password, phishing attackers are now going after it with gusto. Rather than fall back on assumptions and probabilities, anyone who feels they might be a high-value target should consider moving to something more secure.

At some point we’ll all have to do the same. For the tech industry – and its users – the warning lights are flashing red.
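To make concrete what the authenticator app in the Instagram walkthrough above actually generates, and why the 30-second window matters for the real-time phishing described in this post, here is an added example (not code from Sophos or from any of the services mentioned) implementing RFC 6238 TOTP in Python. The secret is the RFC’s published test seed, not a real account key, and the skew_steps verifier tolerance is an assumption about how a typical server behaves.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 Appendix B test-vector seed, not a real account key.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the "30-second window" the article refers to
DIGITS = 6          # the 6-digit code the authenticator app shows


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def seconds_remaining(at_time: int, step: int = STEP_SECONDS) -> int:
    """How long the code displayed at at_time stays the *current* code.
    A code read near the end of its step expires almost immediately."""
    return step - (at_time % step)


def verify(secret: bytes, candidate: str, at_time: int,
           step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Server-side check. Assumed behaviour: accept the current step plus
    +/- skew_steps neighbouring steps to tolerate clock drift. Uses a
    constant-time comparison so the check itself does not leak timing."""
    counter = at_time // step
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c, len(candidate)), candidate):
            return True
    return False


def relay_window(capture_time: int, step: int = STEP_SECONDS, skew_steps: int = 1) -> int:
    """Defender's view of the phishing scenario: a code phished at capture_time is
    accepted by a verifier with the given skew only until the end of the step that
    lies skew_steps after the one it was generated in. Returns the exposure in
    seconds; with skew_steps=0 this equals seconds_remaining()."""
    generated_step = capture_time // step
    last_accepted_step = generated_step + skew_steps
    return (last_accepted_step + 1) * step - capture_time


if __name__ == "__main__":
    now = int(time.time())
    print(f"current code: {totp(DEMO_SECRET, now)} "
          f"(valid as current code for {seconds_remaining(now)}s more)")
    print(f"exposure if phished right now, skew 1 step: {relay_window(now)}s")
```

A verifier that widens skew_steps to be friendlier to drifting clocks also widens the window in which a relayed code is still accepted, which is the trade-off behind the article’s point that code-based 2FA raises the bar without closing the door.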


from Naked Security http://bit.ly/2Cr9jUa

Update now! Microsoft patches another zero-day flaw

Microsoft has found itself fixing a lot of zero-day flaws recently, including CVE-2018-8611, (patched this month), and November’s CVE-2018-8589 and CVE-2018-8589.

Now it has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorer’s Jscript scripting engine affecting all versions of Windows, including Windows 10.

Identified as CVE-2018-8653, the flaw was reported by Google’s Threat Analysis Group researcher, Clement Lecigne, and according to Microsoft is being exploited in targeted attacks.

The company hasn’t elaborated on which attacks but the fact it’s being exploited at all explains why applying Microsoft’s patch should be a high priority.

According to Microsoft:

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

Exploitation depends on the privilege level of the targeted user, and Microsoft’s latest advice says admins might consider limiting access to Jscript.dll if they don’t plan to implement the patch soon.

On server systems (Server 2008, Server 2012, Server 2016, Server 2019), the severity rating is lowered from ‘critical’ to ‘moderate’ thanks to a restriction called Enhanced Security Configuration.

Windows 10 too

Scroll down on Microsoft’s advisory and you’ll notice that the patch is also being offered as an update to IE 11 for Windows 10.

But, hold on, didn’t Windows 10 replace IE with the Edge browser which uses a different scripting engine, Chakra?

Indeed it did, but for backwards compatibility reasons, IE components remain a default part of all Windows versions (with the possible exception of Windows 10 Pro Long Term Service Branch (LTSB), a customisable Windows version used by larger organisations).

So even if you don’t use IE 11 – or any Microsoft browser – bits of it are lurking on every Windows system, presumably in case any older Microsoft applications or websites need to use them.

Windows 10’s new start begone! This has always been Microsoft’s OS philosophy – steer clear of hard forks and make backwards compatibility a high priority.

What to do

Apply the patch. For Windows 10 users running Windows 10 64-bit 1803 (April 2018), the update is KB4483234.

Users who’ve managed to upgrade to the much-delayed Windows 10 64-bit 1809 (October 2018), should look for KB4483235.

For anyone still on Windows 10 64-bit 1709 (October 2017), it’s KB4483232.

As for older versions, Windows 8.1 for x64-based systems and Windows 7 for x64-based Systems Service Pack 1, it’s KB4483187.


from Naked Security https://ift.tt/2PSY22g

Okay Google, Let's Maim the Wet Bandits for $130

Google Home Hub and Two Home Mini Bundle | $130 | Verizon Wireless

Skip the “Should AI Have Human Rights?” debate until next year and welcome a trinity of Google Assistant-powered servants into your home for just $130, and make the sadist and noted domestic terrorist, Kevin McCallister proud.

Simply add the Google Home Hub to your cart, and you’ll receive an automatic $20 discount and an additional pair of Google Home Minis. Whether you’re looking to invest in a smart home, or want to beef up your unpaid, digital workforce, this is a tremendous deal.



from Lifehacker https://ift.tt/2rLHGii

How to Not Fail at YouTube, With Akilah Hughes 

Comedian and YouTuber Akilah Hughes joined the conversation on “How to Fail” at our recent live podcast recording for The Upgrade.

While the high volume of dormant YouTube channels is ample proof that the site can be an ecosystem ripe for failure, Hughes offers her own thoughts on what it takes to get “good” at the platform.

Is anyone “good” at YouTube, though? Well that’s up for her to decide, because, as Hughes points out, that’s like someone being “good” at Facebook. And also, comedian Chris Gethard tells a story about being social media stalked at the gym.


from Lifehacker https://ift.tt/2LqXqQU

Wednesday, December 19, 2018

The benefits and limitations of AI in cybersecurity

Today’s AI cannot replace humans in cybersecurity but shows promise for driving efficiency and addressing talent shortage, a new report by ProtectWise has shown.

Penetration of AI-enabled security products based on number of security alerts received on a typical day


Conducted by Osterman Research, the study explores usage trends and sentiments toward AI among more than 400 U.S. security analysts in organizations with 1000 or more employees.

Key takeaways

Nearly three quarters of respondents have already implemented at least one product that uses AI, but findings uncovered mixed results and a learning curve that needs to be addressed in order to use AI at higher levels of sophistication and effectiveness.

“A lot of hype and confusion exists around AI and its role in the cybersecurity industry,” said Gene Stevens, CTO, ProtectWise. “In its current state, AI is a tool for driving efficiencies and addressing staffing needs, but it is not going to replace human intelligence any time soon. AI is well positioned today to create machine-accelerated humans: an army of hunters and responders who use a wide array of expert systems to help unearth and prioritize critical threats. In the future, AI will only become more valuable as the industry develops products that improve ease of use and capitalize on AI’s efficiency differentiators.”

Top findings from the report include:

  • AI is already widely adopted – AI has already established a strong foothold, with 73 percent of respondents reporting they have implemented security products that incorporate at least some aspect of AI. Most organizations cite AI’s ability to improve the efficiency of security staff members and to speed up the investigation of alerts as top priorities. Organizations with a higher proportion of AI-enabled security products are larger than those with less AI, and they have larger security teams.
  • Executives, not the people who manage security, are the biggest advocates for AI – Fifty-five percent of respondents suggested that the strongest advocates for AI-based security products in their organization are IT executives, while 38 percent identified non-IT executives as the biggest internal champion.
  • AI is yielding some real benefits – Overall, 60 percent of organizations perceive that AI makes investigations of alerts faster and the same proportion consider that AI improves the efficiency of their security staff. Moreover, nearly one-half of organizations view AI as beneficial for automating initial triage and for optimizing threat identification.
  • AI-powered security products are weighed down by mixed results post deployment – According to respondents: 46 percent agree that rules creation and implementation are burdensome; and 25 percent said that they do NOT plan to implement additional AI-enabled security solutions in the future.
  • There is still work to do. More than half of all respondents believe that: AI doesn’t stop zero-days and advanced threats (61 percent); it focuses more on malware than exploits (51 percent); it delivers inaccurate results (54 percent); it’s difficult to use (42 percent); and AI-based products are more expensive than traditional ones (71 percent). The most important differentiator for AI-enabled security products when compared to traditional security products is their ability to automatically block threats, while automatic remediation or isolation is viewed as the least important feature of AI-enabled products.

“All of these findings imply that AI is still in its early stages and we have yet to see its full potential,” said Michael Osterman, principal analyst of Osterman Research. “But AI-based products offer significant promise for improving the speed of processing alerts, and it might at least be a ‘silver-plated’ bullet in addressing the cybersecurity skills shortage.”


from Help Net Security https://ift.tt/2EE5SvD

Why are some vulnerabilities disclosed responsibly while others are not?

EU’s cybersecurity agency ENISA has delved into the problem of vulnerability disclosure and has released a report that addresses the economic factors, incentives and motivations that influence the behaviour of the various vulnerability disclosure actors, as well as two case studies of recently disclosed high-profile vulnerabilities (Meltdown and Spectre, EternalBlue) that illustrate how the process occurs.


It examines the economic aspects of the infosec market and how they relate to vulnerability disclosure, as well as how classical economics concepts can be applied to the issue (tragedy of the commons, network effects, externalities, asymmetric information and adverse selection, liability dumping, moral hazard).

“Economics is a key driver of modern security and economic considerations often determine the decision of approaches to be taken when resolving issues. This report perfectly illustrates this fact and provides valuable insight into why different actors behave as they do in the vulnerability disclosure space,” noted Udo Helmbrecht, ENISA’s executive director.

Key insights

“Overall, the study has produced a number of key findings. First and foremost, the study shows the importance that vulnerability disclosure, and predominantly CVD, plays in modern society. As witnessed in the case of EternalBlue, vulnerabilities in widely used software and hardware can cause immense societal harm across the globe and it is necessary to have processes in place to adequately identify, report, receive, triage and mitigate vulnerabilities,” the researchers found.

Other findings include:

  • It’s important to approach vulnerability disclosure as an ecosystem. All actors involved in vulnerability disclosure should recognise the importance of setting up and running mutually beneficial structures that enable effective and efficient CVD to take place
  • The actors should be provided with resources, good practice and voluntary standards
  • Finders, coordinators and vendors must be able to constructively engage with each other in a timely fashion and in a shared language that both parties understand
  • Ensuring safe harbour practices and legal safeguards for security researchers working to identify and report vulnerabilities is a must
  • Most organisations should consider implementing a CVD process, and some may want to consider a bug bounty programme, but not at the cost of other information security interventions in the development and testing stage.
  • While CVD and bug bounty programmes can identify certain types of vulnerabilities, they are unlikely to identify larger structural issues present in modern computing systems, so governments, academic institutions and private organizations should keep investing in long-term security research to identify and mitigate fundamental weaknesses such as design flaws or protocol vulnerabilities.

The report was compiled based on desk research, review of the available literature (academic research, technical reports, media articles, etc.) and interviews with experts from the vulnerability disclosure community (representatives from academia, bug bounty platforms, vulnerability disclosure programme operators, vendors, etc.).


from Help Net Security https://ift.tt/2SYfi8g

An overview of the Attivo Networks solution

This article is the third in a five-part series developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks. The article provides an overview of the Attivo Networks solution offering and how it can be integrated into enterprise networks to reduce cybersecurity risk.

ThreatDefend platform overview

The Attivo Networks ThreatDefend solution is a deception-based platform that provides early and accurate detection of in-network threats and automation to accelerate attack analysis and incident response. The platform is based on decoys, lures, application, and data deceptions that misdirect, deter, and derail threats at initial compromise or that are moving laterally within the network.

The platform covers everything from legacy infrastructure to modern cloud architectures, and is simple to deploy across user networks, data centers, clouds, remote office/branch office (ROBO) sites, and specialized environments, using machine self-learning for deception preparation, deployment, and operations. The solution stands apart from other deception platforms in its approach to deception authenticity and in its inclusion of automated attack analysis and extensive native integrations for incident response.

The platform base involves BOTsink Engagement Servers, which support the central management of the deceptive deployment. These servers can be implemented as a physical, virtualized, or cloud instance. The primary BOTsink management functions include handling of alerts, coordination of analysis, and support for forensics, reporting, visibility tools, and integration of deception with enterprise security control systems.

The ThreatDefend Detection and Response platform includes BOTsink network deception; ThreatStrike endpoint deception; ThreatDirect distributed environment support for remote office and branch offices (ROBO) and microsegmented networks, and workloads in the cloud; ThreatOps incident response playbook orchestration; and ThreatPath for attack surface reduction by providing visibility into exposed attack paths that could be leveraged by malicious actors to advance an attack (see Figure 1).

Attivo Networks solution

Figure 1. ThreatDefend platform components

The ThreatDefend platform supports customized deployment of the functions most relevant to a given commercial enterprise. This facilitates easy deployment for large organizations, mid-sized companies, government entities, and service providers that offer detection managed services. This permits each entity to scale their deception deployment at their own pace and around the risk management needs of their organization.

Integrating ThreatDefend into an enterprise

Unlike other cyber security controls, the Attivo Networks ThreatDefend platform provides proactive in-network cyber security protection for all eight of the primary target components of the modern enterprise architecture. This broad security coverage of targets (see list below) facilitates accurate and efficient detection for legacy devices through the most modern cloud deployments.

1. Cloud Services – Cloud-hosted deception allows protection for application workloads hosted publicly or privately.
2. Data Center Network – Deception in the datacenter detects lateral East-West traversal, common in many advanced attacks.
3. Corporate Local Area Network – The traditional LAN remains an important target for deception processing.
4. Deployed Endpoints – Deceptive endpoint credentials planted at the endpoint are critical for detecting credential theft and reuse as well as proactively leading attackers to the deception environment.
5. Specialized Devices – Deception offers early detection in difficult-to-secure, specialized networks that are often an easier entry point for attackers. This includes IoT, ICS-SCADA, routers, switches, telecommunications, Point of Sale, and other specialized devices in which operational or innovation priorities have come at the expense of security.
6. Software Applications – Software applications are high value targets for introduction of deceptive processing. Deception can be quite effective in setting up decoy application servers for accurate detection and for building threat intelligence on what an attacker is targeting and how they are attacking.
7. Remote and Branch Offices – The remote office branch office (ROBO) in an enterprise can be protected in an easy, cost-effective manner through forwarders, allowing organizations to scale efficiently to distributed environments.
8. Directory Services – This is an important location for deception since advanced attacks use directory services such as Active Directory to guide lateral traversal and escalate privileges. AD deceptions also play an important role in validating authenticity and the believability of endpoint deception credentials.

These virtual and physical components of an enterprise’s deception environment create the attractive decoys and breadcrumb lures that facilitate collection of engagement-based attack data, telemetry, and intelligence to the ThreatDefend platform for processing, analysis, interpretation, visualization, and reporting. Integration of the platform into an enterprise security stack is straightforward and complements DMZ protections at the perimeter such as firewall and IPS, as well as enterprise controls such as SIEM, EDR/AV, and GRC (see Figure 2).
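To make the decoy-credential and decoy-host idea from the list above concrete, here is an added example written for this page (it is not Attivo Networks code and does not reflect how the ThreatDefend platform is implemented). It scans constructed key=value authentication and connection log lines for any reference to planted decoy accounts or decoy server addresses. The account names, addresses, log format and field names are all assumptions for the illustration.

```python
"""Alert on any use of planted decoy (honeytoken) credentials or decoy hosts.

Example code for this page; not Attivo Networks software.
"""
from collections import Counter

# Constructed sample authentication/connection log (key=value fields).
# Not captured from any real system.
SAMPLE_AUTH_LOG = """\
2018-12-20T10:01:02Z host=WS-042 event=logon_success user=jsmith src=10.0.1.15 dst=10.0.1.15
2018-12-20T10:02:10Z host=FS-01 event=logon_failure user=svc_backup_decoy src=10.0.1.15 dst=10.0.2.7
2018-12-20T10:02:11Z host=FS-01 event=logon_failure user=svc_backup_decoy src=10.0.1.15 dst=10.0.2.7
2018-12-20T10:03:40Z host=DECOY-SQL01 event=tcp_connect user=- src=10.0.1.15 dst=10.0.9.50
2018-12-20T10:04:00Z host=DC-01 event=logon_success user=admin_helpdesk src=10.0.1.30 dst=10.0.0.5
"""

# Assumed inventory of planted deceptions: account names seeded into endpoint
# credential stores, and addresses of decoy servers. No legitimate user or
# service should ever reference these.
DECOY_ACCOUNTS = {"svc_backup_decoy", "adm_legacy_decoy"}
DECOY_HOSTS = {"10.0.9.50", "10.0.9.51"}


def parse_kv_line(line):
    """Parse '<ts> k=v k=v ...' into a dict; return None for blank lines."""
    parts = line.split()
    if not parts:
        return None
    record = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def detect_decoy_activity(lines, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Return one alert per log line that touches a decoy account or host.

    Success or failure does not matter: the only way to learn a decoy
    account name or decoy address is to have harvested it, so any use is
    a high-confidence signal of credential theft or lateral movement.
    """
    alerts = []
    for line in lines:
        record = parse_kv_line(line)
        if record is None:
            continue
        reasons = []
        if record.get("user") in decoy_accounts:
            reasons.append("decoy account used: " + record["user"])
        if record.get("dst") in decoy_hosts:
            reasons.append("decoy host contacted: " + record["dst"])
        if reasons:
            alerts.append({
                "ts": record["ts"],
                "src": record.get("src"),
                "event": record.get("event"),
                "reasons": reasons,
            })
    return alerts


def suspect_sources(alerts):
    """Rank source addresses by how many decoys they touched (most first)."""
    return Counter(alert["src"] for alert in alerts).most_common()


if __name__ == "__main__":
    found = detect_decoy_activity(SAMPLE_AUTH_LOG.splitlines())
    for alert in found:
        print(alert["ts"], alert["src"], alert["event"], "; ".join(alert["reasons"]))
    print("suspect sources:", suspect_sources(found))
```

The check needs no baseline or threshold: nothing legitimate ever references a decoy, so a single hit is actionable and the source address that touched it (10.0.1.15 in the constructed sample) becomes the pivot for investigation. The hard part, which a snippet like this cannot show, is making the planted credentials and decoy services authentic enough that an attacker harvests and replays them in the first place.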

Attivo Networks solution

Figure 2. General network configuration for ThreatDefend

Native integrations will also enhance the functionality of existing controls by automating the sharing of threat intelligence and incident response actions such as blocking, isolation, and threat hunting.

Attacks addressed by ThreatDefend

The Attivo Networks ThreatDefend Deception platform is designed to detect and respond to the most advanced offensive attack methods encountered in the modern enterprise. These techniques are used by malicious actors ranging from mischievous threat actors and disgruntled employees, to well-funded nation-state military teams targeting critical infrastructure:

  • Reconnaissance – The first step in most cyber exploits involves the attacker performing basic reconnaissance to collect information about a target environment.
  • Ransomware and Crypto-mining Attacks – An increasingly frequent attack on the integrity and availability of an enterprise involves ransomware demands after files have been seized via encryption, or the stealthy use of enterprise resources for crypto-mining.
  • Advanced Persistent Threats – The most capable offensive actors utilize advanced persistent threats (APTs) to remain undetected inside a targeted enterprise for extended periods.
  • Stolen Credentials – Most attacks include the theft of user credentials during some stage in the threat lifecycle.
  • Man-in-the-Middle Attacks – The unauthorized collection of sensitive data via man-in-the-middle attacks has been a staple of many disclosed breaches.

The nature of cyber exploits will continue to evolve in the coming years, likely to include more insidious attacks on the cloud and mobility aspects of the modern enterprise. For thousands of years, deception has played a powerful role in outmaneuvering the adversary. The ThreatDefend platform has brought commercially viable deception to the enterprise. The deceptive solutions offered by Attivo Networks have not only delivered exceptionally effective detection controls for today, but also a design intended to withstand the test of time as attack vectors change and attack surfaces evolve.

After the holidays, article four in the series will go further into explaining how to apply deception for creating a proactive defense, including strategies for deception deployment, post-compromise incident response, and mitigation against returning attackers.


from Help Net Security https://ift.tt/2LtR03x

Shape Security partners with Okta to help prevent cyberattacks

Shape Security revealed a partnership with Okta. Through this integration, joint customers can leverage Shape’s technology to offer an additional layer of preventative security to their Okta identity platform to help thwart account takeovers. Shape’s technology will work with Okta’s platform to help determine whether a login attempt is legitimate or an attack.

One of the most common and costly types of cyberattacks is credential stuffing, the process by which criminals use automated processes to test hacked or breached account credentials on other websites or applications.

Depending on the industry, credential stuffing can account for up to 99 percent of a website’s login traffic. Shape Enterprise Defense detects and blocks automated attacks like credential stuffing on websites, mobile applications and APIs. The new integration helps defeat such attacks and provides an additional layer of security.
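As an added example that is not Shape Security or Okta code, here is the per-source heuristic a defender might start with for spotting the credential stuffing pattern described above: one source trying many distinct usernames in a short window, mostly failing. The log format, addresses, usernames, window length and thresholds are constructed for this illustration and would need tuning on real traffic.

```python
"""Flag credential-stuffing patterns in a login log.

Example code for this page; not Shape Security or Okta software.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: "<ts> <src_ip> <username> <OK|FAIL>".
# Not captured from any real site.
SAMPLE_LOGIN_LOG = """\
2018-12-19T09:00:01Z 203.0.113.7 alice FAIL
2018-12-19T09:00:02Z 203.0.113.7 bob FAIL
2018-12-19T09:00:02Z 203.0.113.7 carol FAIL
2018-12-19T09:00:03Z 203.0.113.7 dave OK
2018-12-19T09:00:03Z 203.0.113.7 erin FAIL
2018-12-19T09:00:04Z 203.0.113.7 frank FAIL
2018-12-19T09:00:04Z 203.0.113.7 grace FAIL
2018-12-19T09:00:05Z 203.0.113.7 heidi FAIL
2018-12-19T09:00:10Z 198.51.100.4 alice FAIL
2018-12-19T09:00:15Z 198.51.100.4 alice FAIL
2018-12-19T09:00:20Z 198.51.100.4 alice OK
2018-12-19T09:05:00Z 192.0.2.9 bob OK
"""


def parse_login_line(line):
    """Return (timestamp, src_ip, username, succeeded) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, parts[1], parts[2], parts[3] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Per source IP, look for many distinct usernames tried within one
    window, mostly failing. Thresholds are assumptions to be tuned per site.

    Returns {src_ip: stats} for flagged sources; stats describe the worst
    window seen (the one with the most distinct usernames).
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_login_line(line)
        if parsed is not None:
            ts, ip, user, ok = parsed
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {user for _, user, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            fail_ratio = failures / len(in_window)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(in_window),
                        "failures": failures,
                        "successes": len(in_window) - failures,
                        "window_start": in_window[0][0].isoformat(),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOGIN_LOG.splitlines()).items():
        print(ip, stats)
```

The single success buried among the failures (the "dave" login in the constructed sample) is the outcome that actually costs the business, so the result carries the success count next to the failures rather than treating the source as merely noisy. The second source, retrying one account, is not flagged: that is a user fumbling a password or a single-account brute force, not stuffing. Real campaigns spread attempts across large proxy pools so that each address stays under any per-IP threshold, which is why a heuristic like this is only a baseline and why the vendors in this article emphasise defence shared across customers.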

“Security should never compromise convenience, which is why Shape and Okta are creating products that provide invisible layers of protection without interfering with the user experience. This partnership is the epitome of that shared vision,” said Sumit Agarwal, co-founder and chief operating officer, Shape Security.

“Not only will this integration provide our joint customers with an extra layer of security before the login process, but it will also provide a highly secure, flexible and easy-to-manage sign-in infrastructure.”

Shape has created a collective customer defense, meaning that as soon as a new attack technique is identified, every organization within Shape’s network is protected from it. Today, Shape protects 100 million logins for the world’s largest companies, including:

  • Three of the Top 5 US banks,
  • Five of the Top 10 global airlines,
  • Two of the Top 5 global hotels,
  • Two of the Top 5 US government agencies.

Shape Enterprise Defense is a service that operates in parallel with the Okta Identity Cloud so that detected attacks can be stopped with no effort from enterprises. The integration reduces fraud by helping eliminate credential stuffing attacks.

“In today’s threat environment, all organizations need to make sure that only the right people have the right access to the right resources, a goal that Okta and Shape Security can help bring to fruition,” said Chuck Fontana, vice president of integrations and strategic partnerships, Okta.

“By leveraging Okta’s strength in securely connecting an organization’s customers to data and applications, combined with Shape’s ability to effectively detect and prevent account takeovers or fake registrations, customers can add an additional line of defense while still ensuring a frictionless user experience.”


from Help Net Security https://ift.tt/2rLgdNJ

Circadence brings Project Ares cybersecurity platform to Microsoft Azure

Circadence revealed that its platform, Project Ares, is now available on Microsoft Azure.

Circadence helps address one of today’s biggest cybersecurity learning challenges through its connection with Azure: scalability. By hosting Project Ares on Azure, Circadence has established a learning environment that can scale to replicate networks, complex enterprises, interconnected city infrastructure, and even military operations, with digital fidelity.

Within Project Ares, CyRaaS – or Circadence’s Cyber Range-as-a-Service – is the capability that spins up simulated, virtual environments. When cloned in CyRaaS, the learning model is computationally elastic. It can be used for individual skill-based learning, team collaboration and interaction, staff or student assessment, cyber-attack scenario testing, and more – and then be restored to the original state with the flip of a virtual switch.

CyRaaS creates learning experiences for cyber professionals who can now enhance their skillsets and performance without compromising operational infrastructure.

“Our virtual cyber ranges are built from the ground up based on rigorous security and privacy demands, which makes them able to support collective nation-state exercises, as well as model entire cities to develop living physical and fifth domain environments,” said Michael Moniz, co-founder, president and CEO of Circadence.

“The recent National Defense Authorization Act language underscores the United States government’s interest in moving its cyber ranges to the public cloud. With Microsoft Azure, Circadence is now positioned with both the content and technology to empower this digital transformation.”

Project Ares is emerging as a learning solution for enterprise, government and academic organizations seeking public and/or private, cloud-based cyber range options to develop their security professionals. Powered by Azure intelligent cloud, Project Ares:

  • Eliminates the need for expensive in-house cyber range infrastructure;
  • Enables integration into classroom, enterprise or agency work environments with browser-based access and 24/7 availability;
  • Can integrate new security solutions as they become available on Azure for operational networks.

Additionally, the Azure Bot Service drives the Project Ares in-game advisor, Athena, which supports players as they advance through learning levels, helping to reduce the amount of instructor time and support required.

“Using our artificial intelligence solutions and the scalability of Microsoft Azure, Circadence is making rapid product advancements in the cybersecurity space. The virtual simulations they’re creating are helping cyber professionals enhance their skills without harming infrastructure, so they can be better prepared as the threat landscape evolves,” said Tom Keane, Corporate Vice President of Azure Global at Microsoft.


from Help Net Security https://ift.tt/2EEJORF

Why Are Rappers, YouTubers, and TV Stars Suing Epic Games Over Fortnite’s Dance Moves?

A storm is coming for Fortnite. No, not the blue wave that keeps forcing you forward—a legal storm. Earlier this month, a trio of creators sued Fortnite’s publisher, Epic Games, over its use of the dance moves they created, which gamers can perform (and purchase) in-game with the push of a button.

Given Fortnite’s success, any lawsuit that could disrupt its ability to turn the game’s popularity into cash is a huge problem for Epic. That said, the lawsuits also have wider implications for other developers that charge for pop culture dances or “emotes” in their games, as well as for the wider cultural landscape—TV shows, movies, etc.


Everything’s happening pretty fast, and there’s a lot of legal jargon getting thrown around these cases, so it might be tough to understand the whole story. Let’s go through the basics, so you know what’s what and can follow these artists’ cases as the legal cases start to heat up.

Who’s suing Epic?

Three artists have filed copyright lawsuits against Epic, claiming they deserve compensation for Epic’s use in Fortnite of dances they created, without their permission (or any kind of attribution). This has led many players to associate the dances with Fortnite instead of their originators, and has earned the dancers a whopping zero dollars from the sales Epic makes of their original creations.


The first suit was filed by rap artist 2 Milly over the use, without permission or credit, of the dance he created to go with his song “Milly Rock.” Here’s the song’s music video, which features the dance:

And here’s the “Swipe it” emote in Fortnite:

The second lawsuit, which seems to have gotten the most attention so far, is from Fresh Prince of Bel-Air actor Alfonso Ribeiro. Everyone knows the Tom Jones-loving “Carlton” dance, known as “Fresh” within Fortnite:

Lastly, Russell Horning—also known as “The Backpack Kid”—has filed a third lawsuit over the use of his signature dance move, “flossing,” which Fortnite simply calls the “Floss.” (Technically, Anita Redd, Horning’s mother, filed the lawsuit on his behalf because he’s a minor.)

All three lawsuits request that Epic remove the emotes that correspond to the dances from the game, presumably until they pay a licensing fee, as well as damages. If you’d like to read the complete claims for all three lawsuits, Variety has published the full filing paperwork.


It’s also worth pointing out that this is not just about Fortnite. According to TMZ, 2 Milly, Ribeiro and Horning have filed a second set of lawsuits against a second game publisher, 2K Sports, over the use of their dances in its NBA 2K basketball game series.

Why is this happening now?

A trio of lawsuits at once may seem sudden, but a number of artists have publicly admonished Fortnite for using their dances without permission over the past six months.


In July, Chance the Rapper published a series of tweets suggesting that Epic should attribute Fortnite’s emotes to the dances they’re based on and, when applicable, license the songs connected to them.

Another artist, BlocBoy JB, tweeted shortly after that he would like to receive royalties from games that use the signature dance from his song “Shoot,” which Fortnite fans may recognize as the “Hype” dance emote.

In November, Scrubs actor Donald Faison said that Epic “jacked” his “Poison” dance from the show to make Fortnite’s default victory dance.

All of this, as Chance points out in his original tweet thread, is also part of a larger cycle of cultural appropriation. Four of the five artists we’ve mentioned whose dances have been put into Fortnite without permission are black. Corporate entities have found ways to repurpose and profit off creative works of black artists for a long, long time.


To put it another way: Artists have been pissed for a while. It was just a matter of time before someone decided to make things official and file a lawsuit.

Do they have a case?

Epic has told multiple outlets it does not plan to comment publicly on the suits while they’re ongoing, but it seems unlikely that it will deny the emotes are based on these dances.


Instead, Epic may try to claim that the dances are not distinctive enough to be worthy of copyright protection. It is possible to copyright dance choreography, but the U.S. Copyright Office specifically states that “commonplace movement and gestures” cannot be copyrighted. That includes specific short dances like “the YMCA,” because it’s just people making shapes with their arms. According to a legal expert who spoke to Variety, Epic may also claim that the dances in Fortnite are part of a larger procedure that goes beyond “doing the dance.”

What does this mean for Fortnite?

Right now, nothing. No injunctions have been filed requesting Epic stop selling the emotes immediately, so they will probably stay in the game for the foreseeable future. If a court rules in favor of any or all of the creators, Epic may remove the dances to avoid paying the creators going forward. Even if the dances stay, though, any court decision would likely change how Epic—and other game developers—approach making emotes, particularly if they are being sold as in-game purchases.


To prevent exposure to lawsuits from other artists, companies would, in theory, start negotiating and purchasing permission to depict well-known dances in games, much like how companies pay licensing fees to play songs in games, TV, and film. This could include paying royalties to artists, if these dances show up as an in-game purchase.

A private settlement between Epic and those suing it, even if the creators get paid, would not create a legal precedent—maintaining the status quo. The artists behind the lawsuits have reason to hold out for an unequivocal victory, however: all three are currently in the process of formally securing the rights to their dances, and the results of the suits could impact their claims.

Since none of these lawsuits have been scheduled for trial yet, it will likely be months, maybe even years, before the results become clear.


from Lifehacker https://ift.tt/2SbO7H4