Rants, Raves, and Rhetoric v4

Category: Cybersecurity

  • DOJ, Dreamhost, and DisruptJ20

    The government has no interest in records relating to the 1.3 million IP addresses that are mentioned in DreamHost’s numerous press releases and opposition brief. Basically, the Department of Justice served Dreamhost this warrant asking for the code backing the web site, the HTTP request and error logs, logs about backend connections to upload files to the…

  • TED Talk: Trolling a Spammer

    Back in the early days of spam, I did try replying to a few, but I never got anything like this. Suspicious emails: unclaimed insurance bonds, diamond-encrusted safe deposit boxes, close friends marooned in a foreign country. They pop up in our inboxes, and standard procedure is to delete on sight. But what happens when…

  • Phishing

    Over a month ago, I received a creative phishing attempt. We use a relatively popular service which is mimicked fairly well. I typically receive notification emails from it by an administrative assistant. This came from another name. That was my only real clue that made me look closer. Since, I have received almost a dozen,…

  • LastPass feature request

    There is no enforced standard for passwords for a web site, so they can be all over the place for requirements. Nor do sites typically explain what the exact standards are before a failure. And then most will state the minimum and types of characters. But, too many leave out the maximum number of characters allowed so…

  • Email Changes

    Ran across a site where if one changes the email address associated with the account, it sends the confirmation email to the new address. Say, I am a Blackhat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from victim@outlook.com…

  • Verification Codes

    One would hope that verification codes would be extremely random. More randomness makes it harder for a malicious entity (person or computer) to guess the code. Less randomness makes it easier. With all the Two-Factor Authentication (2FA) out there, we hope there is enough randomness in these methods to make them unguessable by someone attempting to…

  • Scary Password Policy

    Doing a training thing for work next week. The training coordinator sent an email to 25 of us about how to access the learning portal. The username is email and password is a single word with an exclamation point. My first instinct was to get in ASAP and change the password since so many other people…

  • Phishy Corporate Communications

    Received an email that looked phishy: Greetings, Please read this important e-mail carefully. Recently you registered, transferred or modified the contact information for the following domain name: ezrasf.com In order to ensure your domain name remain active, you must now click the following link and follow the instructions provided. http://verify.domain.com/registrant/?verification_id=999999&key=BFrrpxGDbb&rid=999999 Sincerely, Domain Registrar The web…

  • Posting To Your WP From Foreign Sites

    (This assumes a WordPress.org site, not one on WordPress.com hosting.) Placing your username and password in the database of third party sites is not very good. If the account provided is the WordPress administrator account, then that means credentials for the most important account are potentially exposed. The password is going to be kept in…