LifeLock’s Customer Emails Made Vulnerable
Per Krebs, “Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers”.
Here’s what we know so far:
- LifeLock, an identity protection company, has put millions of customer emails at risk for phishing and identity theft attacks, thanks to a bug on its website.
- The bug enabled customer email addresses to be harvested by simply changing one number in the URL of a web page used by customers to unsubscribe from LifeLock communications.
- It’s important to note that this is not a breach, but it is a vulnerability to pay attention to, since ID thieves can use email addresses to steal other personal info.
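The bug described above is an insecure direct object reference: the unsubscribe link was keyed only by a sequential identifier, so editing that number walked the subscriber table. The following is an added illustration, not LifeLock's code (the subscriber table, the token scheme and all function names are constructed for the example). It places the insecure lookup beside a hardened one that keys the link on an opaque random token, stores only a digest of that token server-side, and never echoes a full address:

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed sample subscriber table; a stand-in for the real data store.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


def unsubscribe_page_insecure(subscriber_id: int) -> Optional[str]:
    """The pattern the article describes: the only key in the unsubscribe URL
    is a sequential row id, so the page confirms the full address behind any
    id a visitor types, and neighbouring ids are trivially guessable."""
    email = SUBSCRIBERS.get(subscriber_id)
    if email is None:
        return None
    return f"Unsubscribe {email} from all communications?"


# Hardened design: the link carries only an opaque random token minted per
# subscriber. Only a digest of the token is kept server-side (as with password
# reset tokens), so a read of the table does not yield working links either.
UNSUBSCRIBE_TOKENS: Dict[str, int] = {}  # sha256(token) -> subscriber id


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_unsubscribe_token(subscriber_id: int) -> str:
    """Mint a 256-bit URL-safe token for one subscriber when the e-mail is
    sent; the token (never the row id) is what goes into the link."""
    if subscriber_id not in SUBSCRIBERS:
        raise KeyError(subscriber_id)
    token = secrets.token_urlsafe(32)
    UNSUBSCRIBE_TOKENS[_digest(token)] = subscriber_id
    return token


def mask_email(email: str) -> str:
    """Show just enough of the address for its owner to recognise it."""
    local, _, domain = email.partition("@")
    if len(local) <= 1:
        return "*@" + domain
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def unsubscribe_page_secure(token: str) -> Optional[str]:
    """Resolve the token; any token not on file gets the same generic result
    (None), so the page neither confirms nor denies that an address exists."""
    subscriber_id = UNSUBSCRIBE_TOKENS.get(_digest(token))
    if subscriber_id is None:
        return None
    # Even the legitimate holder of the link only ever sees a masked address.
    return f"Unsubscribe {mask_email(SUBSCRIBERS[subscriber_id])}?"


def tampered(token: str) -> str:
    """Change the last character, modelling a visitor editing the link by hand."""
    last = "A" if token[-1] != "A" else "B"
    return token[:-1] + last


if __name__ == "__main__":
    print(unsubscribe_page_insecure(1002))         # full address for any guessed id
    tok = issue_unsubscribe_token(1002)
    print(unsubscribe_page_secure(tok))            # masked address for the real link
    print(unsubscribe_page_secure(tampered(tok)))  # None for an edited link
```

Two properties matter in the hardened version: nothing in one subscriber's link can be derived from another's, and the page's response for an unknown token is indistinguishable from the response for a non-existent subscriber, so it cannot be used as an oracle. Rate limiting the endpoint and logging bursts of failed token lookups are the operational complements to this design.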
How to protect your info:
Here are some tips to help you protect yourself:
- Be skeptical of email communications urging you to take immediate action or claiming that they are privacy policy updates.
- Do not click on any suspicious-looking links in those messages and instead forward any suspicious email to the company itself. Call the company directly to confirm whether any such messaging is actually from them.
- Do not enter any personal info or credentials via links in emails. If you need to make updates, go directly to the company’s website to do so.
- Check your credit report regularly to keep an eye on any unauthorized activity.
- Consider locking your credit file to help prevent potentially fraudulent access.
Reference:
LifeLock Bug Exposed Millions of Customer Email Addresses – https://krebsonsecurity.com/tag/lifelock/
OWASP Mutillidae II
OWASP Mutillidae II Web Pen-Test Practice Application
OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF and OWASP BWA, and the existing version can be updated on those platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an “assess the assessor” target for vulnerability assessment software.
Features
- Has over 40 vulnerabilities and challenges. Contains at least one vulnerability for each of the OWASP Top Ten 2007, 2010, 2013 and 2017
- Actually Vulnerable (User not asked to enter “magic” statement)
- Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to install or administrate their own web server. Mutillidae is confirmed to work on XAMPP, WAMP, and LAMP.
- Installs easily by dropping project files into the “htdocs” folder of XAMPP.
- Will attempt to detect if the MySQL database is available for the user
- Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
- Contains 2 levels of hints to help users get started
- Includes bubble-hints to help point out vulnerable locations
- Bubble-hints automatically give more information as hint level incremented
- System can be restored to default with single-click of “Setup” button
- User can switch between secure and insecure modes
- Secure and insecure source code for each page stored in the same PHP file for easy comparison
- Provides data capture page and stores captured data in database and file
- Allows SSL to be enforced in order to practice SSL stripping
- Used in graduate security courses, in corporate web sec training courses, and as an “assess the assessor” target for vulnerability software
- Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP Web Inspect, Burp-Suite, NetSparker Community Edition, and other tools
- Instructional Videos: http://www.youtube.com/user/webpwnized
- Updates tweeted to @webpwnized
- Updated frequently
- Project Whitepaper: http://www.giac.org/paper/gwapt/3387/introduction-owasp-mutillidae-ii-web-pen-test-training-environment/126917
Download it from https://sourceforge.net/projects/mutillidae/
Warning Banner Sample for Systems and Network Devices
System/Network Login Banners
Login banners provide a definitive warning to any possible intruders that may want to access your system that certain types of activity are illegal, but at the same time, it also advises the authorized and legitimate users of their obligations relating to acceptable use of the computerized or networked environment(s).
A requirement for successfully prosecuting unauthorized users who improperly use an organization’s computer is that the computer must have a warning banner displayed at all access points. The banner must warn authorized and unauthorized users:
- what is considered proper use of the system;
- that the system is being monitored to detect improper use and other illicit activity;
- that there is no expectation of privacy while using this system.
The technical details for implementing banners depend on the particular operating system and access point. Below are long- and short-form login banners that are acceptable to use on any organization’s system.
Long-Form Banner:
* * * * * * * * * * W A R N I N G * * * * * * * * * *
This computer system is the property of [Organization Name]. It is for authorized use only. By using this system, all users acknowledge notice of, and agree to comply with, the [Organization Name] Acceptable Use of Information Technology Resources Policy (“AUP”). Click here to read the policy.
Users have no personal privacy rights in any materials they place, view, access, or transmit on this system. The [Organization Name] complies with state and federal law regarding certain legally protected confidential information, but makes no representation that any uses of this system will be private or confidential.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized [Organization Name] and law enforcement personnel, as well as authorized individuals of other organizations. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized [Organization Name] personnel.
Unauthorized or improper use of this system may result in administrative disciplinary action, civil charges/criminal penalties, and/or other sanctions as set forth in the [Organization Name] AUP. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
If you are physically located in the European Union, you may have additional rights per the GDPR. Visit the web site dataprivacy.utk.edu for more information.
ALL USERS SHALL LOG OFF [Organization Name] OWNED SYSTEM IMMEDIATELY IF SAID USER DOES NOT AGREE TO THE CONDITIONS STATED ABOVE.
* * * * * [Organization Name Department] * * * * *
Short-Form Banner:
* * * * * * * * * * W A R N I N G * * * * * * * * * *
This computer system is the property of the [Organization Name]. It is for authorized use only. By using this system, all users acknowledge notice of, and agree to comply with, the [Organization Name] Acceptable Use of Information Technology Resources Policy (“AUP”). Click here to read the policy. Unauthorized or improper use of this system may result in administrative disciplinary action, civil charges/criminal penalties, and/or other sanctions as set forth in the [Organization Name] AUP. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
If you are physically located in the European Union, you may have additional rights per the GDPR. Visit the web site dataprivacy.utk.edu for more information.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
* * * * * * * * * * * * * * * * * * * * * * * *
Mile2® Certification Updates
Cyber Security Job Posting
Title: Cyber Security
Location: Patuxent River, MD 20670
Duration: Full Time
Security Clearance: Active Secret
Certification: DoD 8570 IAT Level II (Security+CE, CCNA-Security, GSEC, SSCP) or IAM Level II Certification (CAP, CASP CE, GSLC, CISM, CISSP).
Job Description:
- Demonstrate subject matter expertise in DoD Information Assurance Certification and Accreditation Process (DIACAP) and/or Risk Management Framework (RMF).
- Ensure information systems security and application security policies and procedures (Security Technical Implementation Guides [STIG], Information Assurance Vulnerability Management [IAVM], and Federal Information Security Management Act [FISMA]) are followed.
- Develop/implement system security plans, control implementation, system requirements, test procedures, etc.
- Conduct information system (IS) security assessments and validations.
- Provide security recommendations/remedial actions to the client to ensure IS compliance is met and plans of action and milestones are defined accordingly.
Please provide the following information
Rate Expectation:
Full Name:
Contact No:
Alternate contact (if any):
Email address:
Current Location:
Relocation:
Availability:
Visa status:
Kindly share your detailed resume at sandeepk@etalentnetwork.com
Using Login Banner on a Mac OS X system
What is a login Banner?
A login banner is a statement made by the system owner that asserts their rights and informs the users of the system what expectation of privacy they should have. Login banners are a critical aspect of IT system security as they allow IT systems administrators and IT Security staff to monitor the system for intrusion and abuse.
Why do we need login banners?
In any modern IT system log monitoring, network monitoring, and security monitoring take place at regular intervals. It is theoretically possible that, while performing their work related duties, an IT systems administrator will come across user information (such as a file stored on the system). The purpose of the login banner is to inform any user of the system that they may be monitored and that unauthorized or malicious access may be prosecuted. Administrators should use login banners on any system that supports their use.
Sample Login Banner
As a login banner is a form of legal assertion, please consult your General Counsel and Information Services before using the following login banner on any system:
Access to electronic resources at [Organization] is restricted to employees, students, or individuals authorized by the [Organization] or its affiliates. Use of this system is subject to all policies and procedures set forth by the [Organization] located at www.xyz.com.
Unauthorized use is prohibited and may result in administrative or legal action. [Organization] may monitor the use of this system for purposes related to security management, system operations, and intellectual property compliance.
Command to issue a warning banner on Mac OS X
sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Your Warning Message Here"
You will be prompted for your password. Once that is complete, you can log out to see the warning banner (this requires you to disable automatic login).
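The two banner sections above leave the platform-specific steps to the reader. The following is an added example, not code from either section's author: it fills the bracketed placeholders in a banner template (condensed here from the page's short-form banner), installs the result for Linux console and SSH logins (/etc/issue, /etc/issue.net and the sshd Banner directive, written under a caller-supplied root so it can be exercised without privileges), and builds the page's macOS defaults command as an argv list. The function names, the sample template wording and the scratch-root convention are this example's own assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Condensed from the page's short-form banner; the placeholders are the page's.
SAMPLE_TEMPLATE = """\
* * * * * * * * * * W A R N I N G * * * * * * * * * *
This computer system is the property of [Organization Name]. It is for
authorized use only. All use of this system may be monitored, recorded and
disclosed to authorized [Organization Name] and law enforcement personnel.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
* * * * * [Organization Name Department] * * * * *
"""

PLACEHOLDER = re.compile(r"\[[^\]]+\]")


def render_banner(template: str, values: Dict[str, str]) -> str:
    """Fill the bracketed placeholders and refuse to ship a banner that still
    contains one (an unfilled "[Organization Name]" undermines the notice)."""
    text = template
    for placeholder, value in values.items():
        text = text.replace(placeholder, value)
    leftover = PLACEHOLDER.findall(text)
    if leftover:
        raise ValueError(f"unfilled placeholder(s): {leftover}")
    if "\\" in text:
        # agetty expands backslash escapes in /etc/issue; keep the banner literal.
        raise ValueError("backslashes are interpreted by getty in /etc/issue")
    return text


def ensure_sshd_banner(sshd_config: Path, banner_path: str = "/etc/issue.net") -> bool:
    """Point OpenSSH's Banner directive at the banner file, idempotently.
    sshd honours the first occurrence of a keyword, and a directive placed
    after a Match line belongs to that block, so the global Banner must sit
    before any Match block. Returns True if the file was changed."""
    lines = sshd_config.read_text().splitlines() if sshd_config.exists() else []
    wanted = f"Banner {banner_path}"
    match_at = next((i for i, l in enumerate(lines)
                     if re.match(r"^\s*Match\b", l, re.IGNORECASE)), len(lines))
    out = list(lines)
    for i in range(match_at):
        # Rewrite the first global Banner line, even a commented-out one.
        if re.match(r"^\s*#?\s*Banner\b", lines[i], re.IGNORECASE):
            out[i] = wanted
            break
    else:
        out.insert(match_at, wanted)
    if out == lines:
        return False
    sshd_config.parent.mkdir(parents=True, exist_ok=True)
    sshd_config.write_text("\n".join(out) + "\n")
    return True


def install_linux_banner(text: str, root: Path = Path("/")) -> Dict[str, object]:
    """Install for local consoles (/etc/issue, shown by getty) and network
    logins (/etc/issue.net, referenced by sshd). `root` lets the routine be
    exercised against a scratch tree without privileges."""
    etc = root / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    (etc / "issue").write_text(text)
    (etc / "issue.net").write_text(text)
    changed = ensure_sshd_banner(etc / "ssh" / "sshd_config")
    return {"issue": etc / "issue", "issue_net": etc / "issue.net",
            "sshd_config_changed": changed}


def macos_banner_command(text: str) -> List[str]:
    """argv for the page's macOS command. Passing the text as one argv element
    avoids the shell-quoting trap (curly quotes pasted from a web page are
    handed to `defaults` literally instead of delimiting the string)."""
    return ["sudo", "defaults", "write",
            "/Library/Preferences/com.apple.loginwindow", "LoginwindowText", text]


def apply_macos_banner(text: str) -> None:
    """Run the command (macOS only; prompts for the sudo password)."""
    subprocess.run(macos_banner_command(text), check=True)


def make_scratch_root() -> Path:
    """A throwaway tree for trying the Linux install without touching /etc."""
    return Path(tempfile.mkdtemp(prefix="banner-"))


if __name__ == "__main__":
    banner = render_banner(SAMPLE_TEMPLATE, {
        "[Organization Name]": "Example Corp",
        "[Organization Name Department]": "Example Corp IT Security",
    })
    root = make_scratch_root()
    print(install_linux_banner(banner, root))
    print(" ".join(macos_banner_command(banner)[:5]), "...")
```

Run with `root=Path("/")` as root to install for real, then `sshd -t` before reloading sshd. On macOS the login-window text is a single string, so the long-form banner is better suited to /etc/issue-style display than to LoginwindowText; the short form fits both.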