I have a few VPS and databases in GCP, which I can access by whitelisting my IP, but a few months ago my ISP rolled out their CGNAT and I was affected. As far as I know, CGNAT allows multiple subscribers to share a single public IP.
Is it still safe to whitelist my IP, or do I need another means or an extra layer of protection?
I found a strange behavior of Shopify, where an attacker can change the extension on a URL and the backend will send back an HTTP content-type matching that extension, for each of these extensions:
For example, https://gavinwahl-test.myshopify.com/.foo.yml returns ‘Content-Type: application/x-yaml’, even though it’s a 404. https://gavinwahl-test.myshopify.com/search.svg returns the actual search page HTML but with image/svg+html content-type.
The search page also allows you to insert [html-escaped] text of your choice: https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00 for example returns application/zip and is actually a valid zip file (despite having HTML around it).
It seems like there should be a vulnerability here. The search query is HTML escaped, but we can tell the browser to interpret in some other content type which may have different escaping rules. This has been done with EML (Microsoft Outlook Express mail message) files before. I know there are lots of vulnerabilities where content of one type is interpreted as a different content type, but Shopify claims that this practice is safe and not exploitable.
Is there actually a good argument that this is safe? Is there any way to get a reflected xss payload through based on the content type confusion?
(I have reported this as an issue to Shopify Security and they said it was safe, so I’m posting it publicly)
So, I have Google alerts set for a few words, and one of these alerts had a link to the site “chatsosedi.ru” which I opened. I found out the site isn’t https. I clicked on it before realizing. Is it safe, & what can I do to secure my email and phone now? Thanks
All over the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.
But I haven’t been able to find clear instructions about how to ensure that Windows Update has worked properly.
When I click the Start button and then type “winver” and click “Run command”, I see that I have Windows 10 Version 1803 (OS Build 17134.191).
Windows > Settings > “Update & Security” > “See what’s new in the latest update”, it bounces me to https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new-in-recent-updates, which doesn’t seem to mention security at all.
The Windows Update feature itself seems flaky, confusing, and unreliable.
I’m the most tech-savvy in my large extended family, and I generally try to help others (especially older generations) keep their systems working well, but right now I’m struggling to find a set of steps I can walk them through to confirm that their systems are no longer vulnerable.
This is Making a DNS setup for 20+ domains hosted on the same IP-address more manageable continued.
We’re already using the www version as primary. Each www is a @, and its @ resolves to an IP address.
For convenience, I consider resolving each www to a common, shared CNAME, and dropping @ altogether because it can’t be a CNAME.
Provided the website doesn’t link to example.com anywhere internally, is it a good idea to only keep www.example.com? I figured if someone types example.com and it does not exist, the browser will auto-try www.example.com, right?
I have just downloaded Google’s Flutter framework from the original website. But when I run flutter doctor I get this message:
““idevice_id” cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware.
Firefox downloaded this file today at 15:27 from flutter.dev.”
Should I be worried that I am running untrusted code from the internet? Even if the project is powered by Google?
I use this device only for work/dev but I have some sensitive files on this mac.
But maybe the real problem is: why should a developer make a lot of security exceptions while working? Should I download binaries and run this code?
I loathe passwords with completely random letters and digits. It’s so much nicer to have a password made up of proper words. Even if the total length is much longer, it’s easier to memorize, transcribe, etc.
So I thought of this password generation scheme:
    result = ""
    while (result.length < 12)
        result += randomWord()
    if (result.length < 16)
        result += shortRandomWord()
    result += randomInteger(1000, 9999)
In this example, assume that randomWord() returns an English dictionary word of length 4 to 10, and shortRandomWord() returns one of length 4 to 5. This is sure to give you a password of length 16 to 21, made up of 2 to 5 words, plus the 4 random integers.
Is this a good password generator? How does its entropy compare to a function that generates a password of length 8 with random letters and digits?
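An added worked estimate of the scheme’s entropy, not code from the original post. It assumes a constructed table of how many dictionary words of each length the randomWord() and shortRandomWord() pools contain, treats randomInteger(1000, 9999) as inclusive, and compares the result with the 8-character letters-and-digits baseline.

```python
import math
from collections import Counter

# Constructed assumption: number of dictionary words of each length (4..10)
# in the randomWord() pool, and of each length (4..5) in the
# shortRandomWord() pool. Real word lists differ; only the totals and the
# length mix drive the estimate.
WORDS_BY_LENGTH = {4: 2500, 5: 4500, 6: 6500, 7: 7500, 8: 7000, 9: 5500, 10: 4000}
SHORT_WORDS_BY_LENGTH = {4: 2500, 5: 4500}
INT_CHOICES = 9000  # randomInteger(1000, 9999), assumed inclusive


def loop_length_distribution(words_by_length, target=12):
    """Probability of each (running length, words drawn) when the
    `while (result.length < 12)` loop stops. Each draw is uniform over the
    whole pool, so a word of length L comes up with probability count[L]/total."""
    total = sum(words_by_length.values())
    pending = {(0, 0): 1.0}          # (current length, words so far) -> probability
    finished = Counter()
    while pending:
        nxt = {}
        for (length, k), p in pending.items():
            for wl, count in words_by_length.items():
                state = (length + wl, k + 1)
                q = p * count / total
                if state[0] < target:
                    nxt[state] = nxt.get(state, 0.0) + q
                else:
                    finished[state] += q
        pending = nxt
    return finished


def scheme_entropy_bits(words_by_length=WORDS_BY_LENGTH,
                        short_by_length=SHORT_WORDS_BY_LENGTH,
                        int_choices=INT_CHOICES):
    """Entropy in bits of the generator's random choices (an upper bound on
    the entropy of the resulting string, since two word sequences can in
    principle concatenate to the same text). Uniform i.i.d. draws with a
    data-dependent stopping rule carry E[#draws] * log2(pool size) bits; the
    short word only contributes when the loop ends below length 16."""
    n_words = sum(words_by_length.values())
    n_short = sum(short_by_length.values())
    finished = loop_length_distribution(words_by_length)
    expected_draws = sum(k * p for (_, k), p in finished.items())
    p_short = sum(p for (length, _), p in finished.items() if length < 16)
    return (expected_draws * math.log2(n_words)
            + p_short * math.log2(n_short)
            + math.log2(int_choices))


def random_alnum_entropy_bits(length=8, alphabet=62):
    """log2(62^8): the 8-character random letters-and-digits baseline."""
    return length * math.log2(alphabet)
```

With the assumed pool sizes the word scheme lands in the mid-50s of bits, above the baseline’s 47.6, but it depends entirely on the dictionary actually used, not on the password’s character length.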
On all web services that require passwords, like gmail, you are asked to set a long password. Like 8 characters or more.
The reason being higher security.
But the same services limit the number of login attempts to 3-4 tries before locking your account and asking for more info. Something which I find very annoying, but that’s another topic.
So how is a short password insecure if they limit log in attempts ? If the pw has 5 characters someone can not try all combinations in just 3 attempts.
This must have been asked before, but I can not find it. The closest I found was this post, but it lacks (perhaps in my knowledge of the documents in it) a clear understanding of the preparations of, for example, a room where two world leaders would meet: why would both of them be confident enough to be sure that they are not being monitored?
I’m reading a lot about entropy of macOS…
I know it doesn’t use Yarrow anymore but as per this FIPS 140-02 doc a NIST compliant DRBG.
I read a lot:
https://github.com/briansmith/ring/pull/398
How can I measure (and increase) entropy on Mac OS X?
https://stackoverflow.com/questions/5832941/how-good-is-secrandomcopybytes
http://serverascode.com/2014/03/04/yarrow.html
https://stackoverflow.com/questions/3170500/random-number-generator-dev-random
https://stackoverflow.com/questions/42197958/secrandomcopybytes-provider-sha1prng-or-nativeprng-type-in-objc
Even mailed Craig F: https://apple.stackexchange.com/questions/362531/does-macos-still-use-yarrow-as-its-cryptographically-secure-pseudorandom-number
I see that SecRandomCopyBytes is now effectively using:
I have a lot of old code using /dev/urandom. On Catalina, is it still valid to use /dev/urandom for key material, and is it cryptographically secure?
I don’t want to port everything to a macOS-specific lib.
libsodium seems to use /dev/random, so I guess it’s ok?