This document discusses various cybersecurity trends and threats non-profit organizations should be aware of in 2010, including malicious bots, bandwidth theft through malware, insecure hardware and software, social engineering attacks, and weak user passwords. It provides recommendations for spam filtering and access control lists, considers options like OpenID for centralized authentication, and emphasizes the importance of ongoing education to help non-profits securely manage their online resources with limited budgets.
Who's that knocking on my firewall door?
And other sundry things to know for the non-profit hands-on CIO
Security is like play putty these days; everything is malleable and ever changing. How is a CIO or IT manager with limited experience in a low-budget nonprofit to keep up without breaking the bank?
First off, for 2010, here are some security trends you should be aware of as they emerge.
•Robots.txt. Ever see that file on your webserver? (Ro)bots (or spiders) are scripts or applications that search out information on the web; search engines constantly scour the web this way. The robots.txt file can be a powerful tool to keep search bots from reading or indexing parts of your website, but it is only a request: a well-behaved crawler honors it, and nothing enforces it. The bots run by those nasty folks who like to steal your information or trash your website simply ignore it. Those bots are the basis for most cybercrime: they knock on your servers' door around the clock without any human at the keyboard, probing our firewalls and guessing passwords to break into our “secure” portals and websites.
•Where did my month's bandwidth allowance go? Websites get broken into through SQL injection, unneeded open ports, poor file permissions and the like, and the intruder then installs malware on the server. From then on your server, and the bandwidth you pay for, serve their profitable needs rather than yours.
•Is my hardware secure? Really, the question is whether the operating system is secure. While Microsoft Windows still carries its woes on attacks, Macintosh, as a viable commercial product and now with Leopard built on a largely open-source foundation, proves it can possibly stay ahead of the malware infiltrators. Time will tell. But you don't have to be brave anymore to play around with other operating systems: try a flavor of Linux like Ubuntu or Linux Mint, or the 20+ other distributions out there. Even Google's Chrome OS is a prime choice, slated to be the next netbook OS of choice.
•Software piracy. Be careful about buying cheap software from unknown sources; it may be infected. Remember the malware scare about free downloads a decade ago? Well, it's back.
•Social networking sites, yes, are the next and prime targets for cyber do-no-gooders. We recently saw this in the Google/China case, where Chinese crackers (bad hackers) broke into activists' Gmail accounts. Bad China country, bad.
•Is it the wave or my surfboard that is muy mal? Malvertising and toxic web search results will be on the rise. Those poor newbie Luddites on your staff will keep your work queue humming and your day crashing. Other platforms like Java and Flash could end up being the (once again?) culprits. Maybe it is time to invest in another operating system and migrate now, to save your hair and fingernails.
•Smartphones. Smart for you, but dumb enough for the malicious hacker to inject all kinds of nice stuff in there. While Windows is still the most vulnerable, the other operating systems may be “light” enough to be affected eventually, too. It will be interesting to see how Apple's iPhone and Google's Android evolve.
•Hands-on hacking. There are reports all over the web that long-term plans for inside jobs may be on the rise (see http://arunaurl.com/3cd2). Check your new IT staff or contractors out very well. Getting referrals from known friends and colleagues may be the way to go, even if it costs you a few bucks more. For more info, web search for: hacking “inside job” (As of late, the China/Google scandal commandeers at least the first three search pages. Click ahead for more variety.)
•Cloud computing. A network cloud is just a collection of servers living out on the Internet providing various services, much like how websites are served from a webserver but in a much larger, scalable fashion. Software as a Service (SaaS) is online applications that frequently live on cloud servers, much like how you access your webmail account. The jury is still out on where and what it's evolving into, but be assured that if you're constantly passing vital information over the web to who knows where, to be processed heavily on the cloud, someone will figure out how to 'wiretap' your line. At a minimum, insist on an encrypted (HTTPS) connection to any hosted service and know where the provider keeps your data.
•Clickjacking or User Interface (UI) Redressing. According to Wikipedia: “a malicious technique of
tricking Web users into revealing confidential information or taking control of their computer while
clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and
platforms, a clickjacking takes the form of embedded code or script that can execute without the user's
knowledge, such as clicking on a button that appears to perform another function.” Get it?!
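The robots.txt bullet above says the search bots honor the file while the bad bots ignore it. That makes robots.txt a useful tripwire: a client that requests paths you disallowed, and never fetched robots.txt at all, is not a search engine. The following Python is an added example, not code from the article; the robots.txt text and the Apache combined-format access log lines are constructed sample data, and the IP addresses are documentation ranges.

```python
import re
import urllib.robotparser
from collections import defaultdict

# Constructed robots.txt for the example: paths we ask crawlers to stay out of.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/
Disallow: /backup/
"""

# Constructed Apache combined-format access log lines (sample data, not a real server).
ACCESS_LOG = """\
203.0.113.10 - - [12/Jan/2010:08:01:02 -0800] "GET /robots.txt HTTP/1.1" 200 61 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.10 - - [12/Jan/2010:08:01:03 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [12/Jan/2010:08:02:10 -0800] "GET /admin/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [12/Jan/2010:08:02:11 -0800] "GET /cgi-bin/php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [12/Jan/2010:08:02:12 -0800] "GET /backup/site.tar.gz HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [12/Jan/2010:08:03:00 -0800] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""

# One Apache combined-format line: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def load_robots(text):
    """Parse robots.txt text with the standard-library parser."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def parse_log(text):
    """Yield one dict per well-formed access log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_robots_ignorers(robots_text, log_text):
    """Map client IP -> disallowed paths it requested, plus whether it ever read robots.txt.

    A well-behaved crawler fetches /robots.txt and then stays out of the Disallow paths.
    A client that never fetched it and walks straight into /admin/ or /backup/ is a
    scanner or a bot that ignores the file, which is the case the article warns about.
    """
    rp = load_robots(robots_text)
    fetched_robots = set()
    violations = defaultdict(list)
    for r in parse_log(log_text):
        if r["path"] == "/robots.txt":
            fetched_robots.add(r["ip"])
            continue
        if not rp.can_fetch(r["ua"], r["path"]):
            violations[r["ip"]].append(r["path"])
    return {
        ip: {"disallowed_paths": paths, "read_robots_txt": ip in fetched_robots}
        for ip, paths in violations.items()
    }


if __name__ == "__main__":
    for ip, info in find_robots_ignorers(ROBOTS_TXT, ACCESS_LOG).items():
        print(ip, "read robots.txt:", info["read_robots_txt"], "hit:", ", ".join(info["disallowed_paths"]))
```

Run against a real access log, the addresses this reports are good candidates for a firewall block list; Googlebot, which fetched robots.txt and stayed on allowed pages, never appears.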
For many of these issues, good spam/virus filtering is essential. At my organization, we use http://Zimbra.com's Collaboration Suite Network Edition, which has a good configuration of SpamAssassin designed for it. But I also use http://Death2Spam.net as an incoming mail filter proxy. In addition, ZCS has a robust access control list (ACL) management system to customize which staff gets access to what on a very granular level. It's fairly reasonable for a non-profit and works quite well.
These and others are plenty to watch out for and educate yourself on, but it could take some semesters of studying to get comfortable with them. I am a trained social worker and life coach, besides being a self-taught computerist since 1976 on my Commodore Vic20. The promise of learning a trade yourself is true and can be realized if you are dedicated to it. Hooking up with a cohort or a group of like-minded folks who have each other's interests and backs to support is a great way not only to learn but to build, gain and exchange trust with your peers. I have 3 or more people (and discussion boards) I can contact at any time of the day (really!) when trouble arises to get an instant answer. Plus, there is always the trusty search engine.
But there is an even more basic, fundamental problem that information technology has only recently begun to tackle: passwords. This has got to be the most vulnerable access point for the majority of login instances ever. Think about it.
You just finished six months of review and sandbox testing of a new open-source collaborative communications system for your office staff: a central oasis of tools, functions and widgets that will boost productivity for the organization. It comes with fast server software, a powerful spam/virus blocker, ample security, ACLs of such granularity they will keep a flea from accessing any feature, and so on. You also invested in two rack-mounted dual quad-core “pizza boxes” with 16 GB of RAM to boot, and a new router. You're cranked up and ready to go!
You give your staff the pre-training, the pre-launch training and the on-launch training.
You set them up with their profiles and temporary passwords that are already randomly hardened with a
combination of numbers, capital letters and punctuation symbols. After logging in for the first time they
are instructed to change their temporary password.
But as you make your rounds to check in on how they are doing, you see a few logging in with their dog's name, the name of the org, the current year and make of their car, or even their birthday, which is now visible to the millions of users of Facebook, MySpace, Friendster, Tribe, Twitter and who knows what other social networking profiles out there!
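The scenario above (hardened temporary passwords, then staff swapping them for a pet's name, the org, the current year, a car make or a birthday) is easy to turn into an automated check, so the system refuses those choices instead of relying on you catching them on your rounds. The Python below is an added example, not code from the article or from any product it mentions: the minimum length, the three-of-four character-class rule, the list of guessable terms and the digit-run rule are my assumptions, and the generator draws from the operating system's random source through the secrets module.

```python
import re
import secrets
import string

YEAR_RE = re.compile(r"(?:19|20)\d{2}")   # any year 1900-2099 (current year, birth year, graduation)
DIGIT_RUN_RE = re.compile(r"\d{6,}")      # ddmmyy / mmddyyyy style birthdays


def check_password(password, guessable_terms=(), min_length=12):
    """Return the reasons a password is rejected; an empty list means it passes.

    guessable_terms: words an attacker can read off a social-network profile or the org's
    own website (pet, organization, car make, family names). Any year and any birthday-like
    run of digits is rejected outright. Length and the three-of-four class rule are assumptions.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        reasons.append("uses fewer than three of: lowercase, uppercase, digit, symbol")
    for term in guessable_terms:
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains guessable term '{term}'")
    for year in YEAR_RE.findall(password):
        reasons.append(f"contains a year ({year})")
    if DIGIT_RUN_RE.search(password):
        reasons.append("contains a birthday-like run of six or more digits")
    return reasons


def make_temp_password(length=14, guessable_terms=()):
    """Temporary password from the OS CSPRNG (secrets), regenerated until it passes check_password."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, guessable_terms):
            return candidate


if __name__ == "__main__":
    profile_terms = ["Fido", "MarinInstitute", "Toyota"]   # what a profile page gives away (constructed)
    samples = ["Fido2010!", "toyotacorolla", "Alice19850412x", make_temp_password(guessable_terms=profile_terms)]
    for pw in samples:
        print(repr(pw), "->", check_password(pw, profile_terms) or "OK")
```

Feed check_password the org name, its acronym, and whatever the staff directory and the organization's public pages reveal; the point is that the same information an attacker can harvest is what the policy refuses.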
I have little hair left on my head, but that is hereditary; for you it could be diagnosed as latent onset of trichotillomania. I get my calm from 30 years of T'ai Chi practice. But, I digress.
There is an answer that could hold you over for the time being. Many web-based applications and SaaS products are beginning to adopt the http://OpenID.net standard. This means one cryptic, difficult password for your staff to remember to log into many online websites. In fact, the password never reaches the website you are logging into at all: your staff authenticate to their OpenID provider, and the website only receives a signed assertion from the provider saying who they are, so there is nothing on that website to trace back to the password. Yes, if keylogger malware has made it onto a computer the password can still be captured that way, and the OpenID account becomes the one key that opens every door, so it deserves the strongest password and the most attention of all; but this is a viable alternative.
In addition, if you are a little more concerned (sorry, cynics, this is way short of paranoia), a client certificate or key file kept on a thumb drive could work too, so that logging in requires something you carry and not just something you remember.
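To make concrete why the website never stores the password under OpenID: the staff member types the password only at the OpenID provider, and the website (the relying party) receives a signed assertion that it checks with a key it shares with that provider. The Python below is an added example, not code from the article or from OpenID.net, and it is a simplified sketch of the OpenID 2.0 positive assertion: the association key is handed over directly where the real protocol uses Diffie-Hellman or TLS, HMAC-SHA256 over the key-value form of the signed fields is used for the signature, the provider's user store uses PBKDF2, and every URL is invented.

```python
import base64
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields a positive assertion must sign (claimed_id/identity when present), per OpenID 2.0.
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]


def kv_form(fields, signed_keys):
    """OpenID key-value form of the signed fields: one 'key:value' line per key, openid. prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(mac_key, fields, signed_keys):
    """base64(HMAC-SHA256(mac_key, kv_form)): the value carried in openid.sig."""
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Provider:
    """The OpenID provider: the only party that ever sees or stores the staff password."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.users = {}          # identity URL -> (salt, PBKDF2 hash)
        self.associations = {}   # assoc_handle -> MAC key shared with one relying party

    def register(self, identity, password):
        salt = secrets.token_bytes(16)
        self.users[identity] = (salt, pw_hash(password, salt))

    def new_association(self):
        handle, mac_key = "assoc-" + secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = mac_key
        return handle, mac_key

    def authenticate(self, identity, password, assoc_handle, return_to):
        """Staff log in here. Success yields a signed positive assertion for the relying party."""
        rec = self.users.get(identity)
        if rec is None or not hmac.compare_digest(rec[1], pw_hash(password, rec[0])):
            return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}   # negative assertion
        fields = {
            "openid.ns": OPENID_NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": identity,
            "openid.identity": identity,
            "openid.return_to": return_to,
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6),
            "openid.assoc_handle": assoc_handle,
            "openid.signed": ",".join(SIGNED_FIELDS),
        }
        fields["openid.sig"] = sign(self.associations[assoc_handle], fields, SIGNED_FIELDS)
        return fields


class RelyingParty:
    """Our website: it holds only the association MAC key and a replay cache, never a password."""

    def __init__(self, return_to):
        self.return_to = return_to
        self.associations = {}
        self.seen_nonces = set()

    def associate(self, provider):
        # Real OpenID 2.0 agrees this key over Diffie-Hellman or TLS; here it is handed over directly.
        handle, mac_key = provider.new_association()
        self.associations[handle] = mac_key
        return handle

    def verify(self, fields):
        """Return the authenticated identity URL, or None if the assertion is rejected."""
        if fields.get("openid.mode") != "id_res":
            return None
        mac_key = self.associations.get(fields.get("openid.assoc_handle"))
        if mac_key is None or fields.get("openid.return_to") != self.return_to:
            return None                                   # unknown association or wrong destination
        nonce = fields.get("openid.response_nonce")
        if not nonce or nonce in self.seen_nonces:
            return None                                   # replayed assertion
        signed = fields.get("openid.signed", "").split(",")
        if not set(SIGNED_FIELDS).issubset(signed) or any(("openid." + k) not in fields for k in signed):
            return None                                   # signed list trimmed or fields missing
        if not hmac.compare_digest(sign(mac_key, fields, signed), fields.get("openid.sig", "")):
            return None                                   # tampered or forged
        self.seen_nonces.add(nonce)
        return fields["openid.identity"]


if __name__ == "__main__":
    op = Provider("https://openid.example/server")
    op.register("https://openid.example/alice", "correct horse battery staple")
    rp = RelyingParty("https://nonprofit.example/openid/return")
    handle = rp.associate(op)
    assertion = op.authenticate("https://openid.example/alice", "correct horse battery staple", handle, rp.return_to)
    print("first use:", rp.verify(assertion), "| replay:", rp.verify(assertion))
```

The relying party's verify does the four checks that matter: the association is one it set up, the assertion was meant for its own return URL, the nonce has not been seen before, and the signature covers every required field. Nothing in RelyingParty ever touches a password, which is the property the paragraph above describes.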
Security is always changing and evolving. It morphs this way and transmogrifies that way, revealing new cracks in the systems we use each and every day, from our cellphones to ATMs to voting machines, and providing fertile ground for those with malicious intentions to infiltrate our data and productivity every day, if not every second. It is not only a full-time job but also a thought process gnawing at us with anxiety over whether we are going to be the next victim of tampering.
If you set up enough monitoring and preventive measures, then even if you get a lot of port-knockers, any apparent breach will become very, very noticeable, reducing your time in research as the culprit pops up on your screen or in an email notification, and your time in psychological therapy due to lack of sleep, excessive anxiety and delusional paranoia.
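Monitoring that makes the port-knockers "very, very noticeable" can be as plain as a script over the firewall and SSH logs that raises an alert when one address probes many ports or fails many logins. The Python below is an added example, not from the article; the syslog lines (iptables LOG-target output with a FW-DROP prefix, plus sshd messages) are constructed sample data, the thresholds of five distinct ports and four failed logins are assumptions, and there is no time window, so a real deployment would bucket by hour before counting.

```python
import re
from collections import defaultdict

# Constructed syslog lines (iptables LOG target with prefix FW-DROP, plus sshd), not real traffic.
SAMPLE_LOG = """\
Jan 12 08:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=21 SYN
Jan 12 08:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=22 SYN
Jan 12 08:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51003 DPT=23 SYN
Jan 12 08:00:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51004 DPT=25 SYN
Jan 12 08:00:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51005 DPT=80 SYN
Jan 12 08:00:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51006 DPT=443 SYN
Jan 12 08:00:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51007 DPT=3306 SYN
Jan 12 08:00:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51008 DPT=8080 SYN
Jan 12 08:00:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 08:01:10 gw sshd[2211]: Failed password for root from 192.0.2.44 port 50123 ssh2
Jan 12 08:01:12 gw sshd[2211]: Failed password for root from 192.0.2.44 port 50123 ssh2
Jan 12 08:01:15 gw sshd[2213]: Failed password for invalid user admin from 192.0.2.44 port 50130 ssh2
Jan 12 08:01:18 gw sshd[2213]: Failed password for invalid user admin from 192.0.2.44 port 50130 ssh2
Jan 12 08:01:20 gw sshd[2215]: Failed password for invalid user oracle from 192.0.2.44 port 50140 ssh2
Jan 12 08:05:00 gw sshd[2300]: Failed password for staffuser from 203.0.113.9 port 40222 ssh2
Jan 12 08:05:07 gw sshd[2300]: Accepted password for staffuser from 203.0.113.9 port 40222 ssh2
"""

# Dropped packet: who knocked (SRC) and on which door (DPT).
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=[\d.]+.*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")
# sshd failure, with or without the "invalid user" prefix.
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")


def analyze(lines, scan_ports=5, fail_limit=4):
    """Return a list of alert dicts: one per source that probed >= scan_ports distinct ports
    or racked up >= fail_limit failed SSH logins. Thresholds are assumptions for the example."""
    ports_by_src = defaultdict(set)
    fails_by_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FW_RE.search(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dpt"]))
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            fails_by_src[m["src"]][m["user"]] += 1
    alerts = []
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= scan_ports:
            alerts.append({"type": "port-scan", "src": src, "ports": sorted(ports)})
    for src, users in sorted(fails_by_src.items()):
        attempts = sum(users.values())
        if attempts >= fail_limit:
            alerts.append({"type": "ssh-bruteforce", "src": src, "attempts": attempts, "users": sorted(users)})
    return alerts


def format_alert(alert):
    """One line per alert, suitable for the e-mail notification the article mentions."""
    if alert["type"] == "port-scan":
        return f"PORT SCAN from {alert['src']}: {len(alert['ports'])} ports ({', '.join(map(str, alert['ports']))})"
    return f"SSH BRUTE FORCE from {alert['src']}: {alert['attempts']} failures for {', '.join(alert['users'])}"


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

The single dropped packet and the single mistyped password from 203.0.113.9 stay below both thresholds, which is the point: the script separates a staff member fumbling a login from an address working its way down a port list or a username list.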
There is no real protection anywhere in life. But what you can do is prevent, as in learning a self-defense martial art: educate yourself enough and use powerful tools, developed by trustworthy others, that have direct meaning and service to your needs.
Live long and prosper.
~ Spock
Bruce M. Wolfe has a master's degree in Social Work with an emphasis on Social Development and is the Chief Information & Technology Officer for http://MarinInstitute.org, an alcohol industry watchdog, and president of vCampaign, Inc., developers of low-budget modern campaign websites. He is a 35+ year practitioner of a variety of martial arts, most of it in the Chinese internal school.