I have some VPS and databases in GCP, I can access them by placing my IP on the white list, but only a few months ago my ISP implemented its CGNAT and I was affected. As far as I know CGNAT, allow multiple subscribers to have only one public IP.
Is it still safe to whitelist my IP or do I need another means or an additional layer of protection?
I found a strange behavior of Shopify, where an attacker can change the extension in a URL and the backend will send a type of HTTP content that matches that extension, for each of these extensions:
atom: application/atom+xml
bmp: image/bmp
css: text/css
csv: text/csv
gif: image/gif
jpg: image/jpeg
json: application/json
js: text/javascript
mp3: audio/mpeg
mpeg: video/mpeg
mpg: video/mpeg
pdf: application/pdf
png: image/png
rss: application/rss+xml
svg: image/svg+xml
tiff: image/tiff
tif: image/tiff
txt: text/plain
xml: application/xml
yml: application/x-yaml
zip: application/zip
For example, https://gavinwahl-test.myshopify.com/.foo.yml returns & # 39; Content-Type: application / x-yaml & # 39 ;, even a 404. https: // gavinwahl-test. myshopify.com/ search.svg returns the HTML of the actual search page but with image / svg + html content-type.
The search page also allows you to insert the text (escaped in HTML) of your choice:
https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00 % 00% 00% 00% 00% 00% 00, for example, returns application / zip and is actually a valid zip file (despite having HTML around).
It seems that there should be a vulnerability here. The search query is escaped HTML, but we can tell the browser to interpret some other type of content that may have different escape rules. This has been done with EML files (Microsoft Outlook Express emails) previously. I know there are many vulnerabilities in which content of one type is interpreted as a different type of content, but Shopify states that this practice is safe and not exploitable.
Is there really a good argument that this is safe? Is there any way to get a reflected payload of xss based on the content type confusion?
(I have reported this as a problem to Shopify Security and they said it was safe, so I will publish it publicly)
I am trying to find out if the data created by a Mac user on a local Mac is really safe from other users on that same Mac. For example, in MacOS Catalina, I have three accounts:
Each user as a solid discreat password. FileVault is enabled.
If User 2 saves data in his private folder (not shared), is there any way for User 1 or Administrator to access that data without User 2's password?
The three users are me. I use the User 1 account for everything personal. I only use the Administrator for administrator functions. I created User 2, to use to work at home, in order to separate confidential work documents from my personal account. I think that if User 1's account is hacked or compromised, can a hacker get the information I saved on the same computer as User 2?
The only thing I can think of is that if the hacker gains access to the administrator account, a keylogger can be installed and my credentials can be captured when I log in to User 2.
Use a desktop or mobile wallet (Electrum or Mycelium) to spend bitcoins (be sure to write down your recovery seed and store it as a paper wallet). To receive and store them, use offline paper wallets. As soon as a paper wallet exceeds a certain amount (50mXBC for example), save it and start a new one. If you are spending and your online wallet runs out, open a paper wallet to complete the transaction, the remaining coins will remain in the online wallet.
NOTE: with "online wallet" I mean wallets like Electrum and Mycelium, do not web wallets like Coinbase or the Blockchain.info wallet.
Someone posted instructions for paper wallets in bitcointalk:
https://bitcointalk.org/index.php?topic=1559277.msg17075677#msg17075677
Do your own research before risking your coins by following what someone told you.
Do not use web wallets.
EDIT: Brain wallets (memorize a passphrase that is encoded to produce keys and addresses) are very controversial in the bitcoin community. The correct way to use them is to choose the passphrase evenly and randomly of a large set (at least 2 ^ 128).
Security enhancements include:
Add salt (something unique but trivial to remember, such as your full name, phone number or email address) to the passphrase to prevent hackers from attacking everyone at once.
The use of WarpWallet key stretching is an algorithm that derives keys from a passphrase using a difficult algorithm that requires a lot of memory, this makes them a lot harder to hack.
To generate multiple wallets from a passphrase, you can attach an index (add a number to the passphrase).
The main advantage of brain wallets is that there is no physical wallet to steal or confiscate, and the plausible denial of having bitcoin.
The disadvantages include the difficulty of remembering the passphrase (if you forget it, the coins are gone), the possibility of theft (there are hackers who constantly monitor the addresses created from weak passphrases and steal coins immediately) and the fact that in the unfortunate case of your death, your family could not recover your coins.
If you decide to use them, they can be used instead of the paper wallets in the first paragraph.
This is not safe and is definitely a scam.
A common way to do this is as follows. Using his username and password, the boy will secretly retrieve the recovery phrase from the wallet. Then it will allow you to change the password. Then, he will invent a story to convince him to buy some Bitcoins and put them in his wallet (or maybe he will only wait until he decides to do it on his own). You will think this is safe because he does not know the new password. However, using the recovery phrase, you can remove all coins from your wallet, even without the password.
If he really only wanted to access a Blockchain wallet, there would be nothing to stop him from making one for him.
The "S" part of "HTTPS" only means that the connection between you and that website is encrypted. Actually, it has nothing to do with whether or not you can trust the website to not abuse your connection to it. In general, these days there is not much an attacker can do simply by visiting a website (unless it is advanced and knows some special tactics or exploits "0day" to hack your browser). Which is extremely unlikely. As long as you have not specifically sent anything to the website, nor have you downloaded or executed anything from it, there is no reason to worry. I visited the website myself and noticed that I was giving an error that I am familiar with, which means that I am not currently allowing access to it.
If you are still worried and want to continue trying to protect your devices, Android devices have anti-malware applications that you can download. A simple search in the Play Store for such applications could help you find one. You can use them to help verify that there are no malicious applications running or installed on your device. To secure your email, I recommend that you change your password and verify active sessions, if available, making sure to revoke the extras you see.
I am a pretty nervous traveler, and recent events with Iran accidentally shooting down a passenger flight do not help. I am flying from Istanbul to Bangkok on Saturday with Turkish Airlines, and looking at the flight route, much of the flight will go over Iran. Many airlines (mostly American and European) currently avoid Iranian airspace, so why do many Arab airlines, such as Turkish Airlines, still fly over Iran?
In all the news today (2020-01-14) is the story that the NSA and Microsoft have reported a critical security vulnerability in Windows 10.
But I could not find clear instructions on how to ensure that Windows Update worked correctly.
When I click on the Start button and then type "winver" and click on "Execute command", I see that I have Windows 10 version 1803 (OS compilation 17134.191)
Windows> Settings> "Update and security"> "See what's new in the latest update", returns me to https://support.microsoft.com/en-us/help/4043948/windows-10-whats-new- en Recent updates, which don't seem to mention security at all.
The Windows Update feature itself seems scaly, confusing and unreliable.
I am the most expert in technology in my large extended family, and I generally try to help others (especially older generations) keep their systems running well, but right now I am struggling to find a set of steps that can guide them . to confirm that their systems are no longer vulnerable.
I will start by saying that you use CloudLinux / CageFS for your servers that are used to host web hosting clients / resellers. I will let other members add other ways to help keep everyone and everything as safe as possible.
Apkafe