
    Verizon Fios Has a New Wi-Fi 6 Router (And You Might Just Love It) – The National Interest - March 31, 2020 by Mr HomeBuilder

    It often seems that 5G garners most of the headlines, but what can get lost in the shuffle is the newest and fastest version of Wi-Fi, which is called Wi-Fi 6.

    Verizon is a leader in this new technology, and through its Fios Wi-Fi 6 Router, it hopes to reach the masses and enable them to fully enjoy 5G and faster and broader coverage.

    If you're only looking for speed, you're definitely in luck. Wi-Fi 6 has been shown to achieve wireless transfer speeds as high as 1,500 Mbps, or 1.5 Gbps, which is about 60 percent faster than Wi-Fi 5. It's indeed a huge boost even over Verizon's own previous routers: top speeds are now about 60 percent faster, and Verizon claims 63 percent wider coverage.

    Speed and coverage are surely important, but what the Fios Wi-Fi 6 really excels in is its ability to handle multiple devices. Today, with the constant use of smartphones and tablets to laptops and home security systems, many of the older routers have a hard time keeping up.

    "As more and more people adopt smart home technology and connect more devices, the need for a reliable router that provides more coverage throughout the home has become a necessity," Heather McDavitt, vice president of Verizon Consumer Products, said in a press release. "Verizon's new Fios Home Router and companion Fios Home Wi-Fi Extender are the perfect solutions for Fios customers who want to blanket their home with powerful and secure Wi-Fi."

    The Fios Wi-Fi 6 features a 2.4GHz network and two separate 5GHz networks, which have become the standard for most Wi-Fi users as they are indeed faster, although they do have a shorter range and have a harder time going through certain walls. One of the 5GHz networks can be used for a dedicated Wi-Fi 6 backhaul connection between the router and Fios Home Wi-Fi Extenders. Those extenders build a mesh network that can provide stronger Wi-Fi signals all throughout a home.

    Make sure to keep in mind that the Fios Wi-Fi 6 can only transmit data as fast as your internet plan allows, so you may have to upgrade to a more expensive plan if you really want to see a difference. Moreover, although these routers are compatible with older Wi-Fi devices, the faster speeds will only benefit devices that support the new Wi-Fi standard.

    As for the price, you can rent the new Fios Wi-Fi 6 Router for $15 a month or buy it outright for $299. The Fios Home Wi-Fi Extender will cost $10 to rent or $199.99 to buy.

    Ethen Kim Lieser is a Tech Editor who has held posts at Google, The Korea Herald, Lincoln Journal Star, AsianWeek and Arirang TV.

    Read more here:
    Verizon Fios Has a New Wi-Fi 6 Router (And You Might Just Love It) - The National Interest

    SECTARA and SRMAM link in the fight against Coronavirus cyber threats – Benzinga - March 31, 2020 by Mr HomeBuilder

    SYDNEY, March 31, 2020 /PRNewswire-PRWeb/ -- As the world reels from the coronavirus pandemic, the situation has been seen as an opportunity for threat actors, who've taken advantage of the opportunity to target victims with scams or malware campaigns.

    Now, according to analysis by SECTARA, hackers are exploiting coronavirus fears to spread their own infections, creating or taking over coronavirus information sites. Some of these appear to include state sponsored actors seeking to compromise corporate data systems. Others are opportunists, exploiting public demand for breaking information to launch payloads of ransomware and malware.

    These sorts of activities include registering malicious Coronavirus-related domains and selling discounted off-the-shelf malware in the dark web.

    Many victims of these exploits are individuals looking for updates on coronavirus or seeking information about how to protect themselves and loved ones. Even more concerning is that organizations such as government agencies, supply chains, hospitals, and pathology centers are also falling victim to this sort of attack, and it is coming on top of a global financial crisis in which resources, finances, and supply chains are already compromised. These new attacks are on top of phishing campaigns, run by groups such as APT36, that distribute malware such as AZORult, Emotet, and Nanocore RAT via malicious emails and links.

    One of these groups, APT36, is a Pakistani state-sponsored threat actor that mainly performs cyber-espionage to collect sensitive information from India. It has been using a decoy health advisory that taps into global panic around the coronavirus pandemic to spread the Crimson RAT. Crimson RAT is designed to steal credentials from victims' browsers, capture screenshots, and list the processes, drives and directories on victim computers [1].

    According to security risk management expert Julian Talbot, author of the Security Risk Management Aide-Mémoire, "There are a wide range of groups who are executing malware and ransomware attacks to profit from the global health pandemic. These attacks are only likely to grow as the pandemic continues."

    "Despite China's success with the lockdown, there is really no exit strategy until we have a vaccine, which is unlikely to be this year. Hackers and state-sponsored actors will continue to build ever more sophisticated attacks if we are not vigilant," said Julian Talbot. "We can't simply have a 30-day lockdown and then expect to be able to open all the cafes and venues immediately afterward like it was 2019. My assessment is that we are looking at a series of rolling lockdowns and travel bans until there is a vaccine.

    "Our models indicate that we are exposed to a ripple effect in the event of any additional shock. With the markets already witnessing the fastest 30% drop in history, what would happen if we had another 9/11 event?

    "In combining the models we have published in the Security Risk Management Aide-Mémoire (http://www.srmam.com) with our software in SECTARA (http://www.sectara.com), results indicate that risks such as a major attack, nuclear reactor problem, utilities failure, or a reduction in supply of oil & gas to Western Europe, could create a cascading environment of security risk management crises."

    "At SECTARA, we are taking the models from the Security Risk Management Body of Knowledge (SRMBOK) and applying them to the current coronavirus situation. We have made this model and even the software available for free as a public service," said Konrad Buczynski, CEO of SECTARA.

    Staying Secure

    "Our modelling indicates that businesses and individuals need to take a layered approach to protecting their computer infrastructure and personal safety," said Julian Talbot. "We have been publishing this information and key protective measures on several websites now including https://resourcesforcoronavirus.com, https://sectara.com, https://srmam.com, and http://www.juliantalbot.com."

    It's clear that bad actors are prepared to use people's coronavirus fears and thirst for information against them. Given the impact we are already facing at a global level, organizations and individuals, need to apply, not just social distancing, but also sound security, and in particular, cybersecurity practices.

    Some strategies to stay safe include:

    In conjunction with SECTARA, Julian Talbot has also made the Security Risk Management Aide-Mémoire (SRMAM) and all the models available for free. SRMAM provides a contemporary account of the methods and principles detailed within the Security Risk Management Body of Knowledge (SRMBOK), as well as free high-resolution models and images, new research, and updated advice linked to the 2018 revision of the ISO 31000 Risk Management standard.

    "Cybersecurity, terrorism, the internet of things, and convergence of technologies are putting CEOs and Boards under pressure to maintain robust security solutions" according to Jason Brown, Chair of Technical Committee ISO/TC 262 responsible for development of the ISO31000:2018 Risk Management Standard. "It has never been more critical to maintain sound security practices."

    The Danish hearing aid manufacturer Demant recently incurred what is estimated to be a $95M bill associated with a cyber incident that struck the company in early September and a Chicago-based futures brokerage will pay a total of $1.5 million for letting cyber criminals breach the firm's email systems and withdraw $1 million from a customer's account. Few organizations have reserve capital for these sorts of expenses, even in the best of times. The middle of a pandemic is not such a time.

    The SRMAM is available now on Amazon and is provided at no charge for all SECTARA free and paid plan subscribers.

    Join SECTARA on social media:

    https://twitter.com/SECTARA1 https://www.linkedin.com/company/sectara https://www.facebook.com/Sectara-109150723888234 https://vimeo.com/366868175 https://www.youtube.com/channel/UCncolyiA80EE18-NDXJ04rA/

    About Julian Talbot:

    Julian Talbot has written and co-authored several books including the Security Risk Management Body of Knowledge (SRMBoK). He is a Fellow of the Risk Management Institute of Australasia, recipient of The Australian Security Medal, and holds a Master of Risk Management. His experience includes Manager of Property and Security for the Australian government's most extensive international network (the Australian Trade Commission), Manager of Security for Australia's largest natural resources project (Woodside's $24 billion NW Shelf Venture), Operations Manager for IMX Resources' East African Exploration operations, Senior Risk Adviser for the $30 billion Australian Department of Health & Ageing, and Head of Security and Risk for Malaysian Smelting Corporation's Indonesian operations. Julian has also held several roles as Company Director, Risk Management Practice Leader and later CEO of the $30 million Jakeman Business Solutions, and Divisional Manager (People & Advisory Division) of the $240 million ASX listed Citadel Group Limited.

    About SECTARA:

    SECTARA (Security Threat And Risk Assessor) was created for security consultants and corporate security managers frustrated with the lack of advanced security risk assessment (specific) software and tools. Performing risk assessments using MS Office products, in particular, can be a tedious process, plagued by styling / formatting problems, layout selection and the routine need for reverse engineering to assure logic throughout.

    Such methods are not particularly collaborative, present data security concerns and often drift beyond the bounds of recommended security standards and their assessment methodologies (because we are all human). Moreover, enterprise risk systems are necessarily generic, and security risk consultants' needs are very specific. It's also difficult to get IT and expenditure approval for internally hosted systems, especially ones that are not part of 'core' business.

    SECTARA was developed in response to those problems, providing a security risk assessment and security management environment in which best practices for the security industry are within easy reach and available at an affordable cost.

    Importantly, risk assessment methodologies detailed within leading global security standards have been accounted for within the system, in a way that addresses the needs of the most advanced security practitioners, but also keeps it simple for those new to the industry.

    Julian co-designed SECTARA (Security Threat and Risk Assessor) to align with SRMAM philosophies; the SaaS software platform was recently recognised as the #1 Risk Management Product by GoodFirms. He sits on its Expert Advisory Board along with Jason Brown, Geoffrey D. Askew AM and Konrad Buczynski, each a formally recognised expert responsible for design and implementation of some of the more advanced security risk and resilience programs within industry.

    SECTARA enables anyone who is responsible for performing security risk assessments to create and complete them quickly, simply and with methodological rigour. Inbuilt data libraries assure productivity gains, and the software is suitable for any scope and industry.

    SECTARA has a premium cybersecurity pedigree courtesy of David Begg (CISM, IRAP Assessor and Head of Cybersecurity), and field-level encryption means that nobody, including developers, administrators or anyone else, can view unencrypted sensitive data.

    [1] https://www.scmagazine.com/home/security-news/cybercrime/foreign-apt-groups-use-coronavirus-phishing-lures-to-drop-rat-malware/

    SOURCE SECTARA Pty Limited

    See the rest here:
    SECTARA and SRMAM link in the fight against Coronavirus cyber threats - Benzinga

    Don’t Sleep on Comcast’s New Wi-Fi 6 Router – The National Interest - March 31, 2020 by Mr HomeBuilder

    Comcast's reputation has never been the greatest, but in its foray into the Wi-Fi 6 universe, it should be applauded for setting the bar high with the xFi Advanced Gateway.

    This particular Gateway, now in pristine white (previous generation was black), can support Wi-Fi 6 (synonymous with 802.11ax), which has been shown to achieve wider coverage and eye-opening wireless transfer speeds as high as 1,500 Mbps, or 1.5 Gbps -- about 60 percent faster than Wi-Fi 5.

    But what Wi-Fi 6 really excels in is its ability to handle multiple devices. Today, with the constant use of an array of smartphones and tablets to laptops and home security systems, many of the older routers have a hard time keeping up.

    Enter the xFi Advanced Gateway. This new router features four dual-band antennas that can fully support 2.4 GHz and 5 GHz (faster than 2.4 but shorter range) bands, one 2.5 Gbps Ethernet port, three 1 Gbps Ethernet ports and Bluetooth LE and Zigbee radios that can connect to all-important IoT devices.

    Moreover, if you choose to utilize xFi Pods, this setup can build a mesh network that provides stronger Wi-Fi signals all throughout a home.

    It hasn't, however, been all smooth sailing for Comcast's new router. As in this particular review (from our very own Executive Editor), some customers have complained that they have lost all semblance of consistency when it comes to download speeds. Even on a gigabit plan with Xfinity, you can get 800 Mbps on some days and 300 to 500 Mbps on others. Interestingly, some pointed out that the older routers did not suffer from such issues.

    In addition, wireless connectivity took a big hit, especially if you live in a multi-floor home. Smart TVs and cell phones would take seconds to connect and streaming in high-end quality was nearly impossible. Even toggling between 2.4 and 5 GHz bands did little to assuage the problem.

    Yes, hiccups are expected in newer generations of devices, and what matters now is how quickly they get smoothed out. If that happens, there is no reason why the xFi Advanced Gateway can't compete with other Wi-Fi 6 routers out there.

    On a more positive note, if you lease a Gateway, you'll also receive at no extra charge Comcast's xFi Advanced Cybersecurity, which offers additional security protections for your network. It's a nice perk because, as we all know, you can never be too careful when accessing the internet via Wi-Fi.

    Ethen Kim Lieser is a Tech Editor who has held posts at Google, The Korea Herald, Lincoln Journal Star, AsianWeek and Arirang TV.

    More here:
    Don't Sleep on Comcast's New Wi-Fi 6 Router - The National Interest

    Millions of Americans are suddenly working from home. That’s a huge security risk – CNN - March 22, 2020 by Mr HomeBuilder

    At one major US agency, some officials have resorted to holding meetings on iPhone group calls because the regular conference bridges haven't always been working, according to one federal employee. But the workaround has its limits: The group calls support only five participants at a time, the employee noted.

    "Things have worked better than I anticipated, but there are lots of hiccups still," said the employee, who spoke on condition of anonymity because he is not authorized to speak on the record.

    As they increasingly log on from home, Americans are having to meld their personal technology with professional tools at unprecedented scale. For employers, the concern isn't just about capacity, but also about workers introducing new potential vulnerabilities into their routine, whether that's weak passwords on personal computers, poorly secured home WiFi routers, or a family member's device passing along a computer virus.

    "All it takes is one of their kids to get [electronically] infected and it spreads inside the house," said Marcus Sachs, a former vice president for national security policy at Verizon.

    From there, experts say, malware could easily jump from a compromised employee's machine into a connected office network.

    A big test for government computer systems

    This year, those numbers may shift dramatically.

    "I'm sure every agency right now is scrambling to load-test their VPNs and access points to make sure not just 10 or 20 percent of their workforce can log on, but 70 or 80 or 90 percent," said the former chief information officer of a major US agency. "That will be a challenge, for sure."

    Not all government agencies use VPNs exclusively anymore. As online storage and computing platforms have taken hold in corporate America, so too have they spread in government IT systems. Now, it's more common to see civil servants logging into cloud-based applications and services from wherever they are.

    Others may not have access to office computing devices that they can take home with them either because they were never expected to work remotely, or perhaps because their work may be extremely sensitive.

    How the intelligence community is adapting

    Among the federal workers most hamstrung by efforts to reduce their presence in the workplace are members of the intelligence community. Working on topics and systems that are classified makes it difficult at best to work from home, if not impossible.

    "There are some very senior military and government officials who have the capability to do up to Secret [work] from their house, but we're talking about four-star generals and admirals and things like that," said Jamie Barnett, a retired US Navy rear admiral and senior vice president of government services for the secure communications firm RigNet.

    "For other classified work, there's going to be limited facilities to be able to do that," Barnett added, "so that's going to take some grappling."

    Agencies have already enacted safety measures and made leave policies more flexible. The Office of the Director of National Intelligence -- which oversees 16 different intelligence agencies -- says it is "reducing staff contact through a variety of options including staggered shifts, flexible schedules, and social distancing practices."

    In a business that demands 24/7 attention, the agencies "are also developing and implementing appropriate response plans," an ODNI spokesperson added.

    Dealing with COVID-19, however, "is a contingency for which the IC never prepared," said former National Intelligence Council chairman Greg Treverton.

    Some who work in intelligence are contractors who, due to contract provisions, must physically report to a government facility and do their jobs under direct oversight, said the former CIO. It's possible those contracts may be reinterpreted in light of the coronavirus crisis, he said.

    Intelligence officials certainly have technology and practices that would make them among the most digitally secure to work outside the office, but they're still exposed. In the best of times, for example, intelligence officials can't even bring their mobile phones into the workplace, recognizing the security risk that they are.

    Working at home, "you get more vulnerable and you get much less efficient because you're being careful," adds Treverton, who said that for the country at large, the security issues associated with teleworking are an "enormous vulnerability."

    Still, the rise of cloud computing means many workplaces are in a much better position for telework than they were even a few years ago.

    "If this had happened five years ago, I would guess that a very, very large percentage of government employees would not be able to remotely access their systems or do anything from home," said Gordon Bitko, a former FBI chief information officer. "Today, that's definitely not true. I can't speak to every agency, but it's far, far greater than it was."

    Continue reading here:
    Millions of Americans are suddenly working from home. That's a huge security risk - CNN

    The best indoor home security cameras of 2020 – CNET - March 22, 2020 by Mr HomeBuilder

    From smart doorbells to outdoor cameras and models with facial recognition, there are a ton of home security camera options out there. Indoor security cameras keep watch when you aren't home, looking after your valuables -- or simply monitoring a mischievous pet.

    They range in price from 20 bucks up to several hundreds of dollars and offer a variety of features and specs. I've highlighted three of my favorite models below to help guide your decision if you're on the hunt for a new indoor home security camera.

    Let's start with price: The Wyze Cam only costs $20. In a sea of costly security cameras, the Wyze Cam offers a killer value. Couple that with its straightforward app, easy installation and solid performance -- and you have an excellent indoor home security camera.

    The thing that sets it apart even more is its free two-week cloud storage and built-in microSD card slot for local storage. You have to buy a microSD card separately, but that's standard for most cams with local storage. It supports Alexa and Google Assistant voice commands and has a motion detection zone feature. Read more from CNET.


    The $200 Netatmo Smart Indoor Camera, previously called the Netatmo Welcome, is one of the few indoor security cameras that works with HomeKit Secure Video. HomeKit Secure Video is a service that works with the iOS-only Home app. It offers 10 days of free event-based video history, stored in iCloud.

    Few security camera companies offer free cloud storage anymore (ahem, Arlo) -- and even fewer offer 10 full days of free cloud storage. Wyze is an exception with its two weeks of free storage, which is one reason why it's my current favorite indoor cam.

    The Smart Indoor Camera from Netatmo has 1080p HD live streaming, a 130-degree field of view, night vision and local storage with an included microSD card. It also has facial recognition capabilities when you create a database of friends and family members. In addition to working with HomeKit, the Smart Indoor Camera also supports Alexa and Google Assistant voice commands. Read more from CNET.


    At $299, the Nest Cam IQ Indoor is definitely pricey. But it also happens to have a ton of high-end features with a lot of appeal. First, it has 1080p HD live streaming, free person alerts and 4K image sensor. That 4K image sensor allows for a feature called "Supersight" that zooms in on a person and tracks them within the camera's field of view.

    If you pay for Nest Aware, which starts at $5 per month, you get access to the facial recognition feature. With facial recognition, you can create a database of friends and family in the app and then receive custom alerts when the camera recognizes"Dave" or "Molly."

    The Nest Cam IQ Indoor also has a built-in Google Assistant speaker for general or smart-home-specific voice commands. Read more from CNET.


    Read the original:
    The best indoor home security cameras of 2020 - CNET

    Brinks Home Security to Report Fourth Quarter and Full Year 2019 Results on March 26, 2020 – GlobeNewswire - March 22, 2020 by Mr HomeBuilder

    DALLAS-FORT WORTH, Texas, March 19, 2020 (GLOBE NEWSWIRE) -- Monitronics International, Inc. and its subsidiaries, doing business as Brinks Home Security (Brinks Home Security or the Company) (OTC: SCTY), will issue a press release to report its results for the fourth quarter and full year ended December 31, 2019 after the market closes on Thursday, March 26, 2020. The Company will host a conference call that day at 5:00 PM ET, in which management will provide an update on Brinks Home Security's financial results as well as other matters impacting the business, including the Company's continued response to the COVID-19 pandemic.

    Participating on the call will be Brinks Home Security's Interim Chief Executive Officer, William Niles, and Executive Vice President and Chief Financial Officer, Fred Graffam.

    To access the call please dial (833) 712-2984 from the United States, or (602) 563-8728 from outside the U.S. The conference call I.D. number is 1865698. Participants should dial in 5 to 10 minutes before the scheduled time.

    A replay of the call can be accessed through April 2, 2020 by dialing (800) 585-8367 from the U.S., or (404) 537-3406 from outside the U.S. The conference call I.D. number is 1865698.

    This call will also be available as a live webcast, which can be accessed at Brinks Home Security's Investor Relations website at https://ir.brinkshome.com/.

    About Brinks Home Security

    Brinks Home Security (OTC: SCTY) is one of the largest home security and alarm monitoring companies in the U.S. Headquartered in the Dallas-Fort Worth area, Brinks Home Security secures approximately 848,000 residential and commercial customers through highly responsive security solutions backed by expertly trained professionals. The Company has the nation's largest network of independent authorized dealers providing products and support to customers in the U.S., Canada and Puerto Rico, as well as direct-to-consumer sales of DIY and professionally installed products.

    Contact:Erica Bartsch Sloane & Company212-446-1875ebartsch@sloanepr.com

    The rest is here:
    Brinks Home Security to Report Fourth Quarter and Full Year 2019 Results on March 26, 2020 - GlobeNewswire

    Everybody Work From Home Idaptive is Ready to Help – Security Boulevard - March 22, 2020 by Mr HomeBuilder

    In response to the unprecedented increase of remote and work-from-home workers, we are taking proactive steps to provide companies across the globe the tools necessary to enable their employees to be immediately productive as they work remotely, while ensuring that company resources and data stay protected.

    Effective today, we are offering free, no-obligation use of our SSO and MFA products for six months.* Any company, regardless of the size, the number of employees, or deployed apps, can leverage our platform for secure and convenient access to their applications and endpoints.**

    Our goal is to ensure that companies impacted by the current situation can rapidly support their remote employees while keeping their resources, applications, and data safe.

    The following functionality is included, without cost or long-term obligation, to any company:

    To get started with Idaptive, all you need to do is fill out this form. There is no need to provide a credit card or sign contracts.

    If you have any questions, please reach out by calling (408) 495-8124 or sending us an email; our team will be happy to answer them!

    Stay safe!

    Go here to see the original:
    Everybody Work From Home Idaptive is Ready to Help - Security Boulevard

    This Week In Security: Working From Home Edition – Hackaday - March 22, 2020 by Mr HomeBuilder

    As the world sits back and waits for Coronavirus to pass, the normally frantic pace of security news has slowed just a bit. Google is not exempt, and Chrome 81 has been delayed as a result. Major updates to Chrome and Chrome OS are paused indefinitely, but security updates will continue as normal. In fact, Google has verified that the security related updates will be packaged as minor updates to Chrome 80.

    Speaking of COVID-19, researchers at Check Point Research stumbled upon a malware campaign that takes advantage of the current health scare. A pair of malicious RTF documents were being sent to various Mongolian targets. Created with a tool called Royal Road, these files target a set of older Microsoft Word vulnerabilities.

    This particular attack drops its payload in the Microsoft Word startup folder, waiting for the next time Word is launched to run the next stage. This is a clever strategy, as it would temporarily deflect attention from the malicious files. The final payload is a custom RAT (Remote Access Trojan) that can take screenshots, upload and download files, etc.

    While the standard disclaimer about the difficulty of attribution does apply, this particular attack seems to be originating from Chinese intelligence agencies. While the Coronavirus angle is new, this campaign seems to stretch back to 2017.

    It's a fairly common practice to build web services with a dedicated front-end server and then a back-end server or group of servers. I just recently migrated a handful of websites that I host to this paradigm, using an Nginx server as a shared front-end that routes traffic to the appropriate Apache back-end server. Nginx scales better than Apache, and it helps ration public IPv4 addresses. There is an attack that takes advantage of this arrangement: HTTP request smuggling.

    When using a dedicated front-end, common practice is to share a TCP connection, and potentially an SSL connection, and send all the traffic to the back-end in a single shared stream. Particularly when using SSL, the performance gain is substantial. Using a shared stream does introduce a dose of extra complexity. What happens when the front-end interprets a request differently than the back-end, and how does the back-end make sure to keep requests separate?

    Back in 2005, an attack was devised that took advantage of the problems inherent in these two questions. The original HTTP Request Smuggling attack (whitepaper) was as simple as including two Content-Length headers in a request. It was found that in some combinations of front-end and back-end software, the front-end would use the last Content-Length header to interpret the request, whereas the web server itself would use the first header. With a bit of careful request crafting, then, an attacker could send a single HTTP request to the front-end, and have that single request interpreted as two separate requests by the back-end. This seems like a rather unimpressive attack, until you consider that many deployments rely on the front-end server for request verification and security controls. If you can sneak a malicious request past the front-end by embedding it in one that is harmless, you may have a path to attack the back-end server directly.

    Request Smuggling didn't catch on as a viable attack, and so much time has passed that the major products now automatically catch and mitigate the duplicate Content-Length trick. Revealed at DEF CON 27, HTTP Desync is a new take on this old attack. Rather than specifying Content-Length twice, this attack uses both Content-Length and chunked encoding. It's another approach to the same end goal: give two different lengths that are understood differently by the two ends. There are a handful of clever techniques that [James Kettle] covered in his DEF CON talk, like adding non-standard whitespace in the Transfer-Encoding: chunked header. One end sees the header as non-standard and ignores it (falling back to Content-Length), and the other might clean up the whitespace before processing the headers and honour the chunked encoding, leading to desync.

    You may think that SSL protects against this technique, but we're describing a scenario where the SSL certificate is installed on the front-end server. All the incoming requests are decrypted and interleaved together, and then may or may not get re-encrypted en route to the back-end. Because it's that interleaving that gives rise to this class of vulnerability, the SSL connection doesn't have an impact.

    What can you actually do with this sort of attack? Bypass source IP restrictions to a certain endpoint, to name the simplest. Have your WordPress site's /wp-admin page restricted to just one IP address? An HTTP Desync can bypass that restriction. In another example, [James] was able to dump all the custom HTTP headers the front-end was using, and then spoof some of those headers to gain admin access to an entire web service. The whole talk is great, check it out below:

    In related news from this week, [Emile Fugulin] took a look at HTTP Desyncs and discovered that Amazon's Application Load Balancer is potentially vulnerable in its default configuration, when paired with a Gunicorn back-end. If you're using ALB, he suggests looking at the routing.http.drop_invalid_header_fields.enabled option, and turning it on if you can. Gunicorn has been patched, so go make sure you're running the latest version there, as well.

    Well, this is awkward. Trend Micro disclosed a set of five security bugs in its products, and revealed that two of them have been actively exploited by attackers. The details are a bit sparse, but it seems that the two attacks found in the wild require some level of authentication before they could be exploited. The two vulnerabilities that seem the most alarming are CVE-2020-8598 and CVE-2020-8599, both of which allow remote compromise before any authentication. It's humorous to see that the vulnerability bulletin lists a mitigating factor, paraphrased: "You have a firewall and NAT, right?" If you use Trend Micro, make sure it's up to date, and maybe do a quick audit on what ports are open on your workstations.

    This story sneaked in just in time. An unnamed security researcher discovered a flaw in Netflix's handling of session cookies, combined with their use of unsecured HTTP connections for a few endpoints. Yes, Netflix is still vulnerable to Firesheep.

    That could have been the end of the story: Netflix should have made their bug bounty payment, fixed their unsecured subdomain, and all would be well. Instead, when our anonymous researcher submitted his finding through Bugcrowd, the firm that handles Netflix's bug bounty program, the official response was that this finding is out-of-scope for a reward. That's not surprising; it's normal for a researcher to disagree with the target company about how important a vulnerability is. As one might expect, once the researcher was told his findings were out-of-scope, he made them public and shortly got an official scolding from Bugcrowd. Apparently an out-of-scope bug submission is still in-scope enough to be kept secret. Even more concerning, Bugcrowd's documentation doesn't seem to include a set timeline, but implies that all disclosure must first receive the target company's permission.

    Bug bounties are great, but Bugcrowd puts researchers into an ugly catch-22. I think it's ethically rotten to refuse a payout, and then continue to hold a researcher over the barrel on an issue.

    That's it for this week, stay safe and do some security research!

    Read the original post:
    This Week In Security: Working From Home Edition - Hackaday

    Is the Rising Number of People Working from Home a Security Risk? – Somag News - March 22, 2020 by Mr HomeBuilder

    With the outbreak of the coronavirus, companies and organizations around the world are switching to remote work, popularly known as working from home. So can this create a security vulnerability?

    After the coronavirus epidemic, many organizations, including Webtekno, started to carry out their work remotely or from home. As a result, internet services gained great importance.

    Whenever the internet and technology come up, people think of privacy and security. Of course, precautions should be taken as a significant part of working life starts to happen over an internet connection.

    Is the internet strong enough?

    The internet and information technology are currently keeping life going all over the world. Companies want their employees to work from their homes. Education and training activities will also be held on the internet.

    According to CNN, the US Air Force's own virtual private network can support the simultaneous use of only 72,000 people. On the other hand, the number of US Air Force staff working from home is 145 thousand. It also has 130 thousand contract employees. Of course, this is just one example. Doctors will start visiting via video call, and employees will do business with remote access.

    How suitable are infrastructures for working from home?

    Speaking of our country, the legal side of the matter must be considered first. Currently, regulations need to be made in the law for working from home. It is also included in the 100 billion lira package announced recently, for which arrangements will be made. (For example, some departments could not submit exams and homework on the internet.)

    Secondly, there is the capacity of the infrastructure. It needs to be as strong as demand requires. Although there have been problems in the past, we hope that the necessary lessons have been learned from them.

    The third stage is security. More internet usage has the potential to cause more security vulnerabilities, so people and the users of systems must take precautions.

    More remote access and remote use of information is of course one of the first alternatives people think of, especially in such difficult times. Using this method is not easy, but it is not impossible.

    Go here to see the original:
    Is the Rising Number of People Working from Home a Security Risk? - Somag News

    Here Are the House Keys, Now What? – The New York Times - March 22, 2020 by Mr HomeBuilder

    Give the space a fresh coat of paint to make it your own. "Every time I move into an apartment, I paint no matter what," said Kevin Dumais, a New York based interior designer. Now is not necessarily the time to figure out the perfect hue to complement your furniture and lighting. So, if you don't have the time or energy to sort through paint swatches, choose a clean white, knowing you may paint rooms again later. Mr. Dumais suggests a hue like Benjamin Moore White Dove, "something that feels fresh and clean until you can figure out what you want."

    By the time you're done shelling out mind-boggling sums for your down payment, closing costs and the moving van, your savings account may be drained. But try to build a cushion into your budget so that you have a little extra left in the quiver, should you need extra cash.

    Appliances may break, and the sellers may have neglected regular upkeep in the months while the house was on the market, leaving you with gutters full of leaves and a furnace in need of a tune-up. Added to that, a first-time homeowner accustomed to calling the super when things go awry may be unaware of all the tasks required in ordinary upkeep. More than half the respondents to a 2018 HomeAdvisor survey of new homeowners reported spending more time and money on projects than they expected they would during the first year.

    "There is a pretty steep learning curve for a lot of people about what goes into the proper maintenance," said Dan DiClerico, a HomeAdvisor home expert. Every house has its quirks. Until you know yours, you may miss a few things.

    For former renters, the first year as a homeowner can come as a shock. Lawns need to be mowed, air filters changed, windows caulked and appliances repaired. Ilyce R. Glink, the author of 100 Questions Every First-Time Home Buyer Should Ask, recommends setting aside 2 percent to 5 percent of the home's selling price for upkeep. So, if a home costs $500,000, budget $10,000 to $25,000 a year for repairs, improvements and maintenance, depending on the size of the home and land. (The estimate includes the costs of big-ticket items, like a new roof or boiler, which would only be needed once every 20 years or so, but still need to be factored in with annual costs.) Expect your first year to be among your more expensive ones.

    "You hire movers, you need carpet, you need to paint," Ms. Glink said. "There is a push to nest and build out after you move in."

    Your list of dream projects may be long. So prioritize. A boiler might be boring, but you need it more than a set of Roman shades. "We're entering a very uncertain period here. It's all the more important to do what you can, as a homeowner, to avoid unexpected emergency repairs," said Mr. DiClerico, of HomeAdvisor. "Focus on the nuts and bolts. You can certainly wait on a new chandelier."

    Excerpt from:
    Here Are the House Keys, Now What? - The New York Times
