
The Security preference pane allows you to control the security level of the user accounts on your Mac. In addition, the Security preference pane is where you configure your Mac's firewall, as well as turn data encryption on or off for your user account.

The Security preference pane is divided into three sections.

General: Controls password usage, specifically, whether passwords are required for certain activities. Controls automatic log-out of a user account. Lets you specify whether location-based services have access to your Mac's location data.

FileVault: Controls data encryption for your home folder, and all of your user data.

Firewall: Allows you to enable or disable your Mac's built-in firewall, as well as configure the various firewall settings.

Let's get started with configuring the security settings for your Mac.

Launch the Security Preference Pane

Click the System Preferences icon in the Dock or select 'System Preferences' from the Apple menu.

Click the Security icon in the Personal section of the System Preferences window.

Proceed to the next page to learn about the General configuration options.

Using the Mac Security Preference Pane - General Mac Security Settings

The Mac Security preference pane has three tabs along the top of the window. Select the General tab to get started with configuring your Mac's general security settings.

The General section of the Security preference pane controls a number of basic but important security settings for your Mac. In this guide, we will show you what each setting does, and how to make changes to the settings. You can then decide if you need the security enhancements available from the Security preference pane.

If you share your Mac with others, or your Mac is located in a place where others can easily gain access to it, you may wish to make some changes to these settings.

General Mac Security Settings

Before you can begin making changes, you must first authenticate your identity with your Mac.

Click the lock icon in the bottom left-hand corner of the Security preference pane.

You will be prompted for an administrator username and password. Provide the requested information, and then click OK.

The lock icon will change to an unlocked state. You're now ready to make any changes you wish.

Require password: If you place a check mark here, then you (or anyone who attempts to use your Mac) will be required to provide the password for the currently logged-in account in order to exit sleep or an active screen saver. This is a good basic security measure that can keep prying eyes from seeing what you're currently working on, or from accessing your user account data.

If you select this option, you can then use the dropdown menu to select a time interval before the password is required. I suggest selecting an interval long enough that you can exit a sleep or screen saver session that starts unexpectedly, without needing to provide a password. Five seconds or 1 minute are good choices.

Disable automatic login: This option requires users to authenticate their identity with their password any time they log on.

Require a password to unlock each System Preferences pane: With this option selected, users must provide their account ID and password any time they attempt to make a change to any secure system preference. Normally, the first authentication unlocks all secure system preferences.

Log out after xx minutes of inactivity: This option lets you select a set amount of idle time after which the currently logged-in account will be automatically logged out.

Use secure virtual memory: Selecting this option will force any RAM data written to your hard drive to be first encrypted. This applies to both virtual memory usage and Sleep mode, when the contents of RAM are written to your hard drive.

Disable Location Services: Selecting this option will prevent your Mac from providing location data to any application that requests the information.

Click the Reset Warnings button to remove location data already in use by applications.

Disable remote control infrared receiver: If your Mac is equipped with an IR receiver, this option will turn the receiver off, preventing any IR device from sending commands to your Mac.

Using the Mac Security Preference Pane - FileVault Settings

FileVault uses a 128-bit (AES-128) encryption scheme to protect your user data from prying eyes. Encrypting your home folder makes it nearly impossible for anyone to access any user data on your Mac without your account name and password.

FileVault can be very handy for those with portable Macs who are concerned about loss or theft. When FileVault is enabled, your home folder becomes an encrypted disk image that is mounted for access after you log in. When you log off, shut down, or sleep, the home folder image is unmounted and is no longer available.

When you first enable FileVault, you may find the encryption process can take a very long time. Your Mac is converting all of your home folder data into the encrypted disk image. Once the encryption process is complete, your Mac will encrypt and decrypt individual files as needed, on the fly. This results in only a very slight performance penalty, one that you will rarely notice except when accessing very large files.

To change FileVault's settings, select the FileVault tab in the Security Preferences pane.

Configuring FileVault

Before you can begin making changes, you must first authenticate your identity with your Mac.

Click the lock icon in the bottom left-hand corner of the Security preference pane.

You will be prompted for an administrator username and password. Provide the requested information, and then click OK.

The lock icon will change to an unlocked state. You're now ready to make any changes you wish.

Set Master Password: The master password is a fail-safe. It allows you to reset your user password in the event you forget your login information. However, if you forget both your user account password and the master password, you will not be able to access your user data.

Turn On FileVault: This will enable the FileVault encryption system for your user account. You will be asked for your account password and then given the following options:

Use secure erase: This option overwrites the data when you empty the trash. This ensures that the trashed data is not easily recoverable.

Use secure virtual memory: Selecting this option will force any RAM data written to your hard drive to be first encrypted.

When you turn FileVault on, you will be logged out while your Mac encrypts your home folder's data. This can take quite a while, depending on the size of your home folder.

Once the encryption process is complete, your Mac will display the login screen, where you can provide your account password to log in.

Using the Mac Security Preference Pane - Configuring Your Mac's Firewall

Your Mac includes a personal firewall you can use to block unwanted network or Internet connections. The Mac's firewall is based on a standard UNIX firewall called ipfw. This is a good, though basic, packet-filtering firewall. On top of this basic firewall Apple adds a socket-filtering system, also known as an application firewall. The application firewall makes the firewall easier to configure: instead of needing to know which ports and protocols are necessary, you simply specify which applications are allowed to make incoming or outgoing connections.

To begin, select the Firewall tab in the Security preference pane.

Configuring the Mac's Firewall

Before you can begin making changes, you must first authenticate your identity with your Mac.

Click the lock icon in the bottom left-hand corner of the Security preference pane.

You will be prompted for an administrator username and password. Provide the requested information, and then click OK.

The lock icon will change to an unlocked state. You're now ready to make any changes you wish.

Start: This button will start the Mac's firewall. Once the firewall has been started, the Start button will change to a Stop button.

Advanced: Clicking this button will allow you to set the options for the Mac's firewall. The Advanced button is only enabled when the firewall is turned on.

Advanced Options

Block all incoming connections: Selecting this option will cause the firewall to prevent any incoming connections to non-essential services. Essential services as defined by Apple are:

configd: Allows DHCP and other network configuration services to occur.

mDNSResponder: Allows the Bonjour protocol to function.

raccoon: Allows IPSec (Internet Protocol Security) to function.

If you choose to block all incoming connections, then most file, screen, and print sharing services will no longer function.

Automatically allow signed software to receive incoming connections: When selected, this option will automatically add securely signed software applications to the list of applications that are allowed to accept connections from an external network, including the Internet.

You can manually add applications to the firewall's application filter list using the plus (+) button. Likewise, you can remove applications from the list using the minus (-) button.

Enable stealth mode: When enabled, this setting will prevent your Mac from responding to traffic queries from the network. This will make your Mac appear to be non-existent on a network.

Author:  Tom Nelson

Source:  https://www.lifewire.com


Looming behind the excitement at SC16 around new digital enterprise strategies is the growing menace of cyber-attacks. But in spite of these worries, the state of cybersecurity readiness at too many companies is woefully inadequate. 

That’s the finding of Bob Sorensen, research vice president, HPC Group, at industry watcher IDC delivered at the analyst group’s annual HPC Update breakfast at SC16 this week in Salt Lake City. Sorensen’s message: If your company has the characteristics of a cybersecurity “worst practitioner” (which tends to be among public utilities, hospitals and universities – manufacturers are generally “middle of the pack”), the time to adopt new cybersecurity strategies is now.

IDC conducted a study of cybersecurity at 62 large companies in the U.S. and Europe across the financial services, technology, manufacturing, retail, hospital and academic sectors. Here are excerpts of his comments:

The State of Cybersecurity

The key concerns that came out in our study: Most US companies are underprepared to deal with cybersecurity threats. Even though there are lots of good best practices, they’re only being conducted by a small number of leading-edge firms. On average, firms are not availing themselves of what’s readily available, and that’s a cause for concern.

Detecting a breach can take up to two years. That’s really a disturbing concept, that someone could be nosing around corporate data that’s not only unprotected, not just to steal data, but to change it. Data integrity is a concern, the idea that the data you’re using to make critical decisions in research or business process environments may not be the right data, it may have been changed for nefarious reasons. It’s one of the silent concerns.


The Big Fear: Reputation Damage

One of the things we found with the Target breach, a very public intrusion, is that Target really didn’t take a huge financial hit on the actual intrusion itself. There was insurance in place, there was pushing off losses to the finance companies that Target deals with.

What we found, what really scares companies, isn’t the loss of dollars, it’s the loss of reputation, which brings with it a future loss of income that you simply cannot determine. Companies…can buy insurance for a particular hit, that’s a known quantity, but what they can’t do is figure out how that affects their line of business down the line. Which speaks in some sense to the idea that there’s probably a lot of cyber-attacks we’re not finding out about simply because it benefits these companies greatly to keep attacks under wraps as long as possible.

Malware Manners

We heard this time and again: malware people are conducting themselves in a very proper and organized manner. The thinking with a lot of them is…they don’t charge too much because they don’t want to kill the goose that laid the golden egg. (Malware practitioners think of it as) a very refined, respectable business to be in. You come in and say: ‘Give us some money and we’ll go away.’ You give them money and they do go away because if they don’t, no one’s going to give them more money. And if they ask for too much money there are going to be problems. So right now it’s a very genteel world out there for malware.

Conflicting Priorities: Security and Access

There’s a major tradeoff between security and easy access (to the network and to data). It’s something every business has to deal with. We asked questions about balancing security and processes, and the underlying goal is: ‘We have to do both, we can’t sacrifice our business plan for our cybersecurity.’ We found time and again even among the best practitioners in data security: Job 1 is conducting business, and that process is king. This is handed down from the board of directors of the company, and then they tell cybersecurity teams, ‘Make us secure under this realm.’

Proliferating Points of Attack

Heterogeneity is a problem: the idea of ‘bring your own device,’ multiple operating systems, clouds. There are lots and lots of end points out there, lots of ways to enter a network, and these are things cybersecurity folks are definitely worried about.

We talked to the cybersecurity chief at Nike, he said he has 59 (network) access points to worry about every day because he has to make everyone who gets on the Nike website, who wants to look at the new and latest sneaker, has access, can order, can conduct business. That’s his job, and he has to work within those confines.

There is increasing access from the network edges. The one I would point out is suppliers. Supply chain issues I think are really interesting. More and more large industrial companies are increasingly tied electronically to their supply chain, and that is a real vulnerability….

Worst Practices: Wait and See

A lot of the worst practitioners really just buy insurance…. The worst practitioners time after time said, ‘We have the best tools, life has got to be good.’ The story we like to repeat: the companies that seem to be most sanguine with their cybersecurity infrastructure say: ‘We’ve never been hit before so we must be doing something right.’ They weren’t terribly forward looking when it came to actually making sure they were more secure….

Everybody (in the survey) had data breach plans, but… a lot of them were not IT-related. The thinking wasn’t to gather up forensics and figure out how to plug holes. It was how to deal with the publicity aspect, the legal aspects, the privacy concerns, the possibility of getting sued. This surprised us….

Best Practices: People vs. People

One thing we found is that the best practitioners see this as a people vs people battle. This is not a tool war where as long as you have the best software, as long as you roll out the patches when you’re supposed to, then life is good. It’s really about finding, hiring and retaining the best people to go after the people who are trying to get at you.

Best Practices: Be Proactive

An interesting concept that we see is that proactive cybersecurity teams think in terms of educating the user base within their companies. They’re not just sitting back and making sure the patches are installed and making sure everyone changes their password every six months. It’s really more about reaching out…to the individual people within firms and making sure they understand their roles.

For example, one company closely watches social media. And they look for key events that they think could trigger a phishing attack. When it became known that Prince had died, they sent out an email to their entire company saying there’s a good chance you’re going to get an email in the next 24 hours asking if you want to see the Prince tribute video. So the idea is to proactively get employees to be aware of what their responsibilities are.

Another story we heard is about companies buying stolen credit card numbers. Not because they want to get involved in law enforcement but because it’s cheaper to buy stolen credit card numbers and put them in your database. So if someone tries to buy something with a stolen number you can kick them out. It’s an interesting, proactive way to do this.

So the good cybersecurity team isn’t waiting for problems, it’s going after solving them before they happen.


Data Scientists and Cybersecurity

Most companies aren’t using Big Data (for cybersecurity purposes) in the sense that we in the HPC community think about Big Data… When we asked companies why they weren’t using Big Data, they said they can’t find Big Data scientists who know how to do cybersecurity.

And when we went to companies that have lines of business that use smart data scientists, they said, ‘Yeah, they’re over there contributing to the bottom line of the company. We can’t bring them over to cybersecurity, they’re going to stay over there making money for the company.’

Virtual Cybersecurity Data Science

What I see in the future is really where HPC comes into play here. The goal for a lot of cybersecurity teams is real-time intrusion detection. They want to have a dashboard that tells them something odd has happened in the network. And a lot of folks think that deep learning – the idea that you have a system that monitors the steady state of the network and rises to the attention of humans where something has gone awry.

We’re going to see more efforts for high powered systems and deep learning to do real-time monitoring…almost as a way to get companies out of having to find data scientists. This might be an ultimate method toward dealing with cybersecurity… It’s something the HPC world is going to be involved in much more going forward.

Author:  Doug Black

Source:  https://www.hpcwire.com


Choosing and managing passwords is the fundamental security measure within the client’s control. Even if the application and its server are impenetrable, that means absolutely nothing if your password can be cracked by an average Joe.

You would think that all security conscious people would know how to protect themselves, but I frequently see cases like this:

CaliConnect’s Private PGP Key & Account Password Was “asshole209”

Twitter– Launched & Hacked in 2 Hours (Password was: 123123123…)

Cantina Marketplace PWND: Admin Password was: “Password1” ?!

This tutorial explains password cracking methods that work even when the server and client side are otherwise protected. The effectiveness of these methods depends heavily on the attacker’s processing power, which we’ll analyze after the attack methods.

If you just want to know easy way to be safe, jump to the ‘Easy way to manage strong passwords’.

Brute Force Attack

Brute-force attack is a technique of enumerating all possible password candidates and checking each one. This is no elegant attacking method, but sometimes it’s all that’s needed. This attack is feasible only for very weak passwords.

Dictionary Attack

A dictionary attack is a variant of the brute force attack in which the attacker gathers all available information about the targeted password(s) and creates a ‘dictionary’. A dictionary is a customized list of password candidates, typically starting with the most common passwords, followed by frequently used dictionary words and some combinations. Next, the dictionary often contains all those words with common prefixes and suffixes such as numbers and punctuation signs.

Dictionary attacks are relatively easy to defeat by choosing a password that is not a simple variant of a word found in any dictionary. Many password cracking tools have built-in dictionaries. This page contains information on the most popular tools, their dictionaries and collections of leaked passwords for analysis in one place.


Rainbow Tables

This attack is used when the attacker has obtained the password database. It’s worth mentioning here because the complexity of your password will protect you even if the server is compromised. Protection-wise, it’s enough to know that a strong password will do the trick here as well.

Skip this part if you just want to secure yourself without bothering with hashing, rainbow tables and salting.

Databases don’t contain plaintext passwords, but password hashes. A hash is the result of a time-consuming function that obfuscates the input. When you enter your password, the server calculates the hash of the entered value and compares it to the one stored in the database for confirmation.

Very simple hash function example: take the number 4 as the input: square it (16), take the natural log (2.7725), multiply by pi (8.7103) and take the factorial (gamma function) -> 189843.119. Now ask your friend how 189843.119 is related to 4. Chances are, no one can figure it out.

Password hashes often look like this one: qiyh4XPJGsOZ2MEAyLkfWqeQ

So, when an attacker compromises the password database he won’t be able to figure out your password (or will he? Read on). Here’s where the rainbow table comes in – it’s a pre-computed table of passwords and their hashes. The attacker then compares the rainbow table hashes to those in the database. If the hashes match, the password is discovered. Here’s a short example:

This is what we can find in a database:

User            Password hash
RegularUser1    HgkHJgKHgKhKGhjfhgKvkGjKG
Administrator   qiyh4XPJGsOZ2MEAyLkfWqeQ

Let's try to find this hash in the rainbow table:

Password        Hash
password        asdh4DFGsOZ2MEAyLkfWqES
qwerty          qi8H8R7OM4xMfdMPuRAZxlY
pass1234        GsOZ2MEAM4xPuRAZxlqiyAFiy
passw0rd        qiyh4XPJGsOZ2MEAyLkfWqeQ
abcdefgh        nKv3LvrdAVtOcE5EcsGIpYBtniN

That’s why some servers ‘salt’ the hash by adding a random value into the equation, so the attacker can’t just download a finished rainbow table; he needs to create a custom one for that salt, and that requires a lot of time because hash functions are time-consuming. If a different salt is used for each password, the attacker needs to create a custom table for each password, which is not feasible. The salt is stored next to the password hash; it’s no secret, since its only job is to make the attacker’s computer do a lot of ‘work’.

There’s only that much server side can do for you, it’s up to you to choose a strong password. If the attacker targets you specifically, he may create a rainbow table for your salt. It’s up to you to have a password that will not be in his table.
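The lookup described above, as an added example that is not part of the original article: a constructed mini rainbow table hits an unsalted hash immediately, is useless against a salted hash, and a targeted attacker must rehash every guess with the victim's salt (the constructed salt and SHA-256 stand in for whatever a real server uses).

```python
import hashlib

# Constructed candidate list; a real rainbow table is far larger but works the same way.
COMMON_PASSWORDS = ["password", "qwerty", "pass1234", "passw0rd", "abcdefgh"]


def unsalted_hash(password: str) -> str:
    """Plain hash: identical passwords give identical hashes for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted hash: the salt is stored in the clear next to the hash; its job is
    to make each user's hash unique so one precomputed table cannot serve all."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_rainbow_table(candidates):
    """Precompute hash -> password once; reused against any unsalted database."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: dict):
    """O(1) lookup: the whole cost was paid when the table was built."""
    return table.get(stored_hash)


def lookup_salted(stored_hash: str, salt: bytes, candidates):
    """The precomputed table cannot be reused; every guess must be rehashed with
    this user's salt. Returns (password or None, number of hashes computed)."""
    work = 0
    for p in candidates:
        work += 1
        if salted_hash(p, salt) == stored_hash:
            return p, work
    return None, work


def demo():
    """Constructed database rows for an administrator who chose 'passw0rd'."""
    table = build_rainbow_table(COMMON_PASSWORDS)
    salt = bytes.fromhex("a1b2c3d4e5f60718")  # constructed per-user salt
    admin_unsalted = unsalted_hash("passw0rd")
    admin_salted = salted_hash("passw0rd", salt)
    return {
        # Unsalted: the table finds the password without any new hashing.
        "unsalted_hit": lookup_unsalted(admin_unsalted, table),
        # Salted: the same table finds nothing.
        "salted_table_hit": lookup_unsalted(admin_salted, table),
        # Salted but weak: a targeted attacker still recovers it by rehashing
        # each guess with the salt, which is why the password itself must be strong.
        "salted_recrack": lookup_salted(admin_salted, salt, COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```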

I’m surprised how many sensitive web services allow having weak password.

Practical analysis of these attacks

The analyzed times represent offline attack speed. Online attacks are much slower than this, but it makes sense to aim for a password strong enough to resist offline attacks, because that is the maximum attack speed and it’s only a few extra characters away.

Password complexity depends on 2 characteristics: length and the number of different characters. For example, if you use an 8-digit password (only numbers – 10 characters): _ _ _ _ _ _ _ _ each field can contain 10 different characters, so there are 10*10*10*10*10*10*10*10 = 10^8 possible combinations. If the attacker has a Pentium 4D, 3.2 GHz processor he can try 2 million passwords per second. That means the password can be broken in 10^8 / (2*10^6) = 50 seconds.

Formula for the number of combinations the attacker needs to try:

A^B, where: A – number of different possible characters

B – password length

If the password length is unknown, the attacker will usually try only the shortest ones. Let’s say he wants to try all 8, 9 and 10 character long passwords; the number of combinations is: A^8 + A^9 + A^10.

Exponential growth

Luckily for us, password complexity rises exponentially when length increases. In the example above (only 10 digits) each extra character adds 10 times more possible combinations.

Here’s a table for passwords that contain only lower-case letters from English alphabet and digits – 36 different characters (Combinations = 36 ^ length):

Length (B)   Combinations (36^B)             Individual capability   5000x individual
1            36                              < 1 second              < 1 second
2            1 296                           < 1 second              < 1 second
3            46 656                          < 1 second              < 1 second
4            1 679 616                       < 1 second              < 1 second
5            60 466 176                      30 seconds              < 1 second
6            2 176 782 336                   18 minutes              1 second
7            78 364 164 096                  10 hours                55 seconds
8            2 821 109 907 456               16 days                 33 minutes
9            101 559 956 668 416             1 year                  20 hours
10           3 656 158 440 062 976           60 years                30 days
11           131 621 703 842 267 136         2140 years              3 years
12           4 738 381 338 321 616 896       77025 years             110 years


[Chart: X axis – password length for the 36-character set (letters and numbers); Y axis – days to crack. Blue – time in the first case, an experiment with the previously mentioned Pentium 4D, 3.2 GHz processor, affordable processing power for an individual. Red – time in the second case, someone who can use 5 000 such processors.]

We can see that a length of 12 is a sweet spot; it’s even safer if we expand the character set to uppercase and lowercase letters, numbers and punctuation signs. The number of possible characters is then 126:

Length (B)   Combinations (126^B)            Individual capability   5000x individual
1            126                             < 1 second              < 1 second
2            15 876                          < 1 second              < 1 second
3            2 000 376                       1 second                < 1 second
4            252 047 376                     2 minutes               < 1 second
5            31 757 969 376                  4 hours                 22 seconds
6            4 001 504 141 376               23 days                 47 minutes
7            504 189 521 813 376             8 years                 4 days
8            63 527 879 748 485 376          1 032 years             2 years
9            8 004 512 848 309 157 376       130 000+ years          184 years


[Chart: X axis – password length for the 126-character set; Y axis – days to crack. Blue – time in the first case, an experiment with the previously mentioned Pentium 4D, 3.2 GHz processor, affordable processing power for an individual. Red – time in the second case, someone who can use 5 000 such processors.]
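The A^B formula and the two tables above, recomputed as an added example (not code from the original article): it uses the article's 2 million guesses/second and 5 000-processor figures, and reports worst-case exhaustive search times; its table rows are computed directly from those rates, so they will not match every rounded figure in the article's tables.

```python
# Guess rates stated in the article: one Pentium 4D 3.2 GHz, and 5 000 of them.
INDIVIDUAL_RATE = 2_000_000
CLUSTER_RATE = 5_000 * INDIVIDUAL_RATE

YEAR = 365 * 24 * 3600


def combinations(charset_size: int, length: int) -> int:
    """A^B: each of the B positions can hold any of A characters."""
    return charset_size ** length


def combinations_up_to(charset_size: int, min_len: int, max_len: int) -> int:
    """Attacker unsure of the length tries every length in a range: A^8 + A^9 + A^10."""
    return sum(charset_size ** b for b in range(min_len, max_len + 1))


def seconds_to_crack(charset_size: int, length: int, rate: int) -> float:
    """Worst case: the whole space is exhausted (on average half of it is)."""
    return combinations(charset_size, length) / rate


def human(seconds: float) -> str:
    """Render seconds in the largest fitting unit, as the article's tables do."""
    if seconds < 1:
        return "< 1 second"
    for name, size in (("years", YEAR), ("days", 86400), ("hours", 3600),
                       ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"


def crack_table(charset_size: int, max_len: int, rates=(INDIVIDUAL_RATE, CLUSTER_RATE)):
    """Rows of (length, combinations, time per rate) for one character set."""
    return [(b, combinations(charset_size, b),
             *[human(seconds_to_crack(charset_size, b, r)) for r in rates])
            for b in range(1, max_len + 1)]


def min_length_for(charset_size: int, rate: int, required_seconds: float) -> int:
    """Smallest length whose exhaustive search takes at least required_seconds.
    Each extra character multiplies the search space by A, so this loop is short."""
    b = 1
    while seconds_to_crack(charset_size, b, rate) < required_seconds:
        b += 1
    return b


if __name__ == "__main__":
    for charset in (36, 126):
        print(f"charset size {charset}:")
        for row in crack_table(charset, 12):
            print("  length %2d  %28d  %-14s  %-14s" % row)
        # Length needed to keep the 5 000-processor attacker busy for a year.
        print("  length for >= 1 year against 5000 CPUs:",
              min_length_for(charset, CLUSTER_RATE, YEAR))
```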

Conclusion

Using only lowercase or only uppercase letters and numbers, you need an 11-character password.

If you’re using both lowercase and uppercase letters, numbers and punctuation signs, you need an 8-character password.

Neither should be predictable enough to be part of a dictionary attack list. I would recommend using a 12-character password with a wide charset.

Easy way to Manage Strong Passwords

A different password should be used for each sensitive account, because attackers often check all of your accounts with a password they have compromised.

A password should be at least 12 characters long and include an uppercase and a lowercase letter, a number and a punctuation sign. You can easily meet those requirements by rambling on the keyboard, but such passwords are difficult to remember.

Password Manager

Password manager allows the user to use hundreds of different passwords, and only have to remember a single password, the one which opens the encrypted password database. Needless to say, this single password should be strong and well-protected (not recorded anywhere).

Most password managers can automatically create strong passwords using a cryptographically secure random password generator, as well as calculating the entropy of the generated password. A good password manager will provide resistance against attacks such as key logging, clipboard logging and various other memory spying techniques.

To generate 1 strong password that’s easy to remember you can use a great source of entropy – your mind. Think of a sentence or two. Something like: ‘any sentence will do the trick, Just Make Sure It’s Over 12 Words’. Password would be: aswdtt,JMSIO12W (first letters in each word). You can remember the sentence easily and recreate the password later. Ideally, the sentence would include a sign and number.

There are many similar tricks out there if you don’t like this one.

Pattern

So you don’t like installing a manager? Think of a good pattern that will not be obvious. An example would be: pick 2 numbers, 6 and 7, surround your password with 67, and add shift+6 = & and shift+7 = /. Also, uppercase the 6th and 7th letters. If your password right now is password -> 67passwORd&/ is easy to remember and strong. The word can be something you can remember for each site, but stay away from obvious choices like the domain name.

Avoid common letter-number substitutions like o – 0, I – 1. Here’s the same link once again, I highly recommend taking a look at common dictionaries and tools attackers may try to use against you.

Source:  deepdotweb.com


One responsibility Facebook has to its users is to ensure that your account is not easily hackable. This means building security systems, but there is always one problem: the most vulnerable point of any online system is the user who does not take proper care of their own information.

This usually takes the form of insecure and reused passwords. So no matter whether the company has built Fort Knox, if someone has your email address and your password is "123456", your only chance of not being hacked is to have two-step authentication enabled. Face it: if your password really is "123456", you probably also have not activated the second verification step.

However, Facebook has taken a very unorthodox approach to dealing with this problem. Alex Stamos, the company's chief security officer, told CNET today that the company negotiates directly with cybercriminals on the deep web to buy databases of passwords stolen by hackers.

The fact is that these stolen databases end up revealing a lot about human behavior on the Internet. By analyzing a huge number of passwords, you can see patterns of which ones recur most often, and are therefore most fragile. In a batch of 1 million passwords, imagine how many "123456" will turn up. Suddenly, you can see that many people are using the password "kittens", and it has become dangerous.

By purchasing these stolen databases, Facebook can do this analysis and compare it against its own (encrypted, it is true) password database. Stamos reveals that, by doing this work, which is quite heavy for the company's computers, the social network was able to alert tens of millions of users that their passwords were not safe.

The executive explains that Facebook has the tools to offer users more security, such as the aforementioned two-step authentication. It is the person's prerogative to use these tools or not, but the company says it is its responsibility to take care of those who choose not to activate the features.

Source:  olhardigital.uol.com.br


Over the past few years, there have been a lot of changes affecting the key technologies that power the internet.

HTML is the dominant web language and its new version, HTML5 provides impressive web enhancements for new web applications.

However, when this fifth version of HTML was released back in 2014 and became really popular with web and app developers, the issues surrounding its internet security risks also took hold.

Just like every new technology, HTML5 is bound to have defects and pitfalls. Internet security experts and commenters had also predicted this, long before its release.

HTML5 AND ITS IMPORTANCE

HTML5 is the fifth revision of the HTML standard, developed by the W3C. It was approved as a standard in October 2014, but its adoption began several years earlier.

This language mainly describes the content and appearance of web pages. Its many new features make web pages more interactive and dynamic.

These features include messaging enhancements, new parsing rules for greater flexibility, the elimination of redundant attributes, and native multimedia support.

The W3C developed HTML5 mainly to address the compatibility issues of the previous HTML version.

The main reasons this version has become so popular are that it largely eliminates the need for browser plugins, reduces web development time, and is mobile friendly.

HTML5 is also supported by all the major browser vendors, including Google, Apple, Opera, Microsoft and Mozilla (Firefox).

THE INTERNET SECURITY RISKS ASSOCIATED WITH HTML5

As HTML5 becomes more popular among developers, its new features and attributes introduce new security threats.

HTML5 is now adopted on a very large scale, supported by the vast majority of browsers, and many mobile applications are built on it.

It is also important for developers and users to know about the internet security risks involved in order to be able to tackle them.

The security problems that affected the older version are still present.

More importantly, the new features in HTML5 present further internet security issues.

Below are some of the attacks made possible by HTML5.

1. CROSS-ORIGIN RESOURCE SHARING (CORS) MISCONFIGURATION

Cross-Origin Resource Sharing (CORS) is a mechanism that lets a server relax the browser's same-origin policy so that a page from one origin can read data from another.

Pages could always embed resources such as scripts, CSS style sheets and images from other domains; what CORS adds is the ability for script on the page to read the response to a cross-origin request.

That is where the risk lies: if the server grants that ability to the wrong origins, a remote attacker's page can read data it should never see.

The API involved is XMLHttpRequest (and, today, fetch), which transfers data between a client and a server.

Before HTML5, a site could send requests to another site with this API, but the browser would not let it read the response.

Now the response can be read, provided the requested site grants permission.

This is the point where an exploitable weakness can appear. Permission is granted through a response header, Access-Control-Allow-Origin (together with Access-Control-Allow-Credentials when cookies are involved).

If a website sets this header incorrectly, for example by reflecting whatever Origin the request carries or by matching the domain with a loose substring check, the access control can easily be bypassed.

A related threat, Cross-Site Request Forgery (CSRF), was already present in the HTML4 era: an attacker's page can make the victim's browser send requests in the victim's name. A misconfigured CORS policy goes further, letting the attacker's script also read the responses, without any user interaction.

 

2. HTML5 TAG ABUSE

The new attributes and tags introduced by HTML5 widen the surface for cross-site scripting (XSS). XSS attacks, in which attackers run malicious scripts through unencoded or unvalidated user input, have been around for a long time.

Developers often try to prevent them by filtering user input, that is, by rejecting certain character sequences.

Some of the new attributes and tags in HTML5 can be used to run scripts while bypassing such filters, because the filters do not know about them. HTML5 also lets any form control associate itself with any form on the page through the form attribute, regardless of where it sits in the markup.

This can be exploited for malicious purposes: an injected control can attach itself to a legitimate form and, using the HTML5 attributes formaction, formenctype, formmethod, formtarget and formnovalidate, override where and how that form is submitted.

3. LOCAL STORAGE

Prior to HTML5, browser-side data was kept in cookies. The local storage feature in HTML5 was designed to let a site keep more data on the client without sending it to the server with every request.

It lets the browser store and delete data as name-value pairs. The good news is that storage is origin-specific: a page from one origin cannot read the local storage of another.

Unfortunately, it is vulnerable to the XSS attacks mentioned above.

An XSS flaw resulting from a developer error lets the injected JavaScript run in the site's origin, and therefore read everything in its local storage, session tokens included, which is why such secrets should not be kept there.

An attacker who can impersonate the origin, for example by redirecting the site's requests to a different host through DNS cache poisoning on a site not protected by HTTPS, can likewise serve script under that origin and read the same storage.

Other HTML5 features with their own security issues include Cross-Document Messaging, Offline Web Applications and middleware frameworks.

Most of these problems are in the hands of web developers.

As such, they can be mitigated by safe coding practices, regular code testing, education about the possible threats, data sanitization, and restricting what untrusted code is allowed to access.

Source:  darkwebnews.com

Categorized in Internet Technology

We had planned to create our own in-depth deep web security guide for beginners, but we found one by Jolly Roger that is better than anything we could put together.

The original guide can be seen on The Hub forums here: http://thehub7dnl5nmcz5.onion/index.php?topic=52.0. All credit goes to Jolly Roger, who obviously put a lot of time into creating this guide.

When looking for sites on the Deep Web, check out our mega Deep Web Links list. It is one of the biggest lists of hidden .onion URLs on the internet.

Donations

Jolly Roger has put in a lot of work to create this comprehensive deep web security guide for beginners. If you appreciate the work he has done, why not give a small donation…

Tip for Beginners:

Before doing anything on the Dark Web or even learning about it, make sure you are protected with a VPN and Tor. The guide below goes into this, but you should be using a VPN to even read this guide or any other Dark Web related topic.

The Feds are watching everything, so you are better off not letting them know you are even interested in the Dark Web. This site goes through some pretty good VPNs, and they usually have good discounts: https://topvpnsoftware.com

The Guide

  1. INTRODUCTION TO SECURE COMMUNICATION – TOR, HTTPS, SSL
  2. PGP, TAILS, VIRTUAL BOX
  3. PGP CONTINUED
  4. WHOLE DISK ENCRYPTION AND FILE SHREDDING
  5. JAVASCRIPT VULNERABILITIES AND REMOVING PERSONAL METADATA FROM FILES
  6. GENERAL SECURITY PRECAUTIONS WHEN POSTING ONLINE, LEARN FROM OTHERS’ MISTAKES
  7. EXIF DATA
  8. RETAINING A LAWYER, HOW TO HANDLE GETTING CAUGHT OR INTERROGATED
  9. COMBINING TOR WITH A VPN
  10. COMBINING TOR WITH A VPN CONTINUED
  11. CONNECTING TOR -> VPN FOR WINDOWS USERS
  12. TRACKING COOKIES
  13. LEARNING FROM OTHERS’ MISTAKES. LIBERTAS, DPR, SABU, LULZSEC
  14. HOW FAR WILL LAW ENFORCEMENT GO?
  15. FRAUDULENT PRIVATE MESSAGES
  16. LEARNING FROM OTHERS’ MISTAKES. HOW THEY BUSTED SABU
  17. LEARNING FROM OTHERS’ MISTAKES. SABU BECAME FBI INFORMANT AND BETRAYED JEREMY HAMMOND
  18. WHERE YOU MIGHT CONSIDER RUNNING TO, IF YOU HAD NO OTHER CHOICE
  19. SECURING YOUR ACCOUNT FROM FBI MONITORING
  20. INVINCIBILITY MINDSET, FEDERAL GOVERNMENT BULLYING TACTICS
  21. HOW TO CONNECT TO TOR OVER TOP OF TOR
  22. HOW TO VERIFY YOUR DOWNLOADED FILES ARE AUTHENTIC
  23. VERIFYING SIGNED MESSAGES WITH SIGNATURES AND SIGNING YOUR OWN MESSAGES
  24. AN EXAMPLE OF REALLY BAD OPSEC – SMARTEN UP!
  25. TOR CHAT
  26. OBTAINING, SENDING AND RECEIVING BITCOINS ANONYMOUSLY
  27. CLEARNET VS HIDDEN SERVICES – WHY YOU SHOULD BE CAREFUL
  28. THEY ARE WATCHING YOU – VIRUSES, MALWARE, VULNERABILITIES
  29. MONITORING YOU WITH AN ANTENNA
  30. COOKIES & JAVASCRIPT REVISITED, PLUS FLASH COOKIES AND OTHER BROWSER TRACKING
  31. A FEW RECOMMENDATIONS
  32. COLD BOOT ATTACKS, UNENCRYPTED RAM EXTRACTION
  33. THE STRENGTH OF CRYPTOGRAPHY AND ANONYMITY WHEN USED PROPERLY
  34. PGP/GPG Email Addresses
  35. ANOTHER SCAM EMAIL – BEWARE
  36. AN INTRODUCTION TO AN EXPERT ON OPSEC, PLUS MD5 & SHA-1 CHECKSUMS
  37. IT IS OBVIOUS WHEN YOU ARE USING TOR
  38. ARE YOU USING SAFE-MAIL.NET ?
  39. YET ANOTHER EXAMPLE OF HOW STRONG CRYPTOGRAPHY AND PROPER OPSEC CAN PROTECT EVEN PEDOPHILES
  40. LOCALBITCOINS PART 1 – POLICE ARE WATCHING IT!
  41. LOCALBITCOINS PART 2 – THIEVES, SCAMMERS AND COUNTERFEIT BILLS!
  42. LOCALBITCOINS PART 3 – MORE SCAM STORIES
  43. LOCALBITCOINS PART 4 – SELLERS BUSTED FOR MONEY LAUNDERING
  44. HIDING TOR FROM YOUR ISP – PART 1 – BRIDGES AND PLUGGABLE TRANSPORTS
  45. CAPABILITIES OF THE NSA
  46. WHY YOU SHOULD ALWAYS BACK UP YOUR DRIVES, ESPECIALLY ENCRYPTED DRIVES
  47. BITCOIN CLIENTS IN TAILS – BLOCKCHAIN AND ELECTRUM

 

Source: https://darkwebnews.com

Categorized in Deep Web

AOFIRS

World's leading professional association of Internet Research Specialists - We deliver Knowledge, Education, Training, and Certification in the field of Professional Online Research. The AOFIRS is considered a major contributor in improving Web Search Skills and recognizes Online Research work as a full-time occupation for those that use the Internet as their primary source of information.
