Feb 18 2021

The OpenSSL Project addressed three vulnerabilities

Category: Information Security | DISC @ 9:42 am

Tags: OpenSSL


Feb 17 2021

Black Start: Preparedness for Any Situation

Category: BCP, Information Security | DISC @ 11:45 pm

In Stephen King’s 1994 made-for-TV movie “The Stand,” most of the human race is wiped out by a deadly virus. As a result, power stations are unmanned and Americans are left without electricity for months. That is, until a husband and wife team works engineering magic at a power plant, flipping the right switches to bring the entire grid back online.

Anyone familiar with the black start process knows that in real life, it doesn’t happen with quite so much Hollywood pizzazz. But black start is a remarkable process and the controls and instrumentation used during a black start must operate with the utmost precision and speed.

A black start unit is one that can start its own power without support from the grid in the event of a major system collapse or a system-wide blackout. In the U.S., every region within the North American Electric Reliability Corp. (NERC) has its own black start plan and procedures. Each region also designates certain plants as black start units. The controls used on a black start unit include a DC auxiliary support system, an ignition source, a gas turbine and a diesel generator.

Carlo Barrera, senior consulting engineer at PAL Turbine Services LLC, has overseen several conversions of gas turbines to have black start capabilities, including projects for Puget Sound Energy and Massachusetts Municipal Wholesale Electric Co. For the city of Gardner, Kan., PAL installed its own programmable logic controller for turbine control. At a later date, black start capability was incorporated and proved out using a load bank.

Barrera said the DC auxiliary support system is perhaps the most important part of the control system. The battery system must have enough capability to provide DC power for multiple start attempts in case the gas turbine fails to start or fire the first time. “The battery systems need to have the capability in reserve power for two or three firing attempts if a true blackout emergency happens, since gas turbines don’t always start on the first attempt in a blackout situation,” Barrera said.

When the loss of AC power in the grid is noticed on a black-start turbine, an undervoltage relay initiates the start of numerous DC motor-driven auxiliaries. Devices like the turbine lube oil pump, liquid fuel forwarding pump, atomizing air compressor, starting clutch, diesel starting motor and shaft turning ratchet all require DC power to operate. DC auxiliary support system suppliers include GE, Siemens and ABB.

Source: Black Start: Preparedness for Any Situation


Feb 17 2021

5 Top Technology Tips for 21st Century College Students

Category: cyber security, Information Security | DISC @ 5:50 pm

Take Care of College Technology Addiction

Due to technology’s entertaining nature, you are likely to spend more than the recommended amount of time on it. If you find yourself taking more than 5 hours daily on social media websites, that is already a sign that you are leading towards technology addiction. In such a case, you may not focus on college academic work. Consequently, you may record unimpressive grades.

You need to find a way to deal with such an addiction. Create a plan with the specific hours you intend to spend on different daily activities. Stick to your routine and fight the urge to use your phone at inappropriate times. Ensure you have hit your daily targets before you use your tablet.

The trick is to ensure you maintain your focus. Besides, do not forget about face-to-face communication. Find time to spend with your friends. You can leave your technological devices in one location and travel to a different destination. It helps to ensure that you can live without these devices without feeling uncomfortable.

Safeguard Your Identity as You Surf Online

Although the internet has numerous advantages, there are also pitfalls to its use. For example, some tech-savvy people have the expertise to find people’s passwords within minutes. If you are a lazy person who prefers simple passwords, you may become a victim. They can use this information to your detriment.

How do you ensure your details are safe as you work online? For every account you sign up for, use a strong password. It could be a mixture of lower and uppercase letters, numbers, and special characters. Where possible, use the two-step authentication feature.

What are the additional tips that can help you? When entering an account password, ensure there is no one peeking over your shoulders. Do not allow untrustworthy people to use your devices. Additionally, do not click suspicious links.



Feb 17 2021

“ScamClub” gang outed for exploiting iPhone browser bug to spew ads

Category: Smart Phone, Web Security | DISC @ 3:51 pm

Digital ad company Confiant, which claims to “improve the digital marketing experience” for online advertisers by knowing about and getting rid of malicious and unwanted ads, has just published an analysis of a malvertising group it calls ScamClub.

According to Confiant, this group is behind a massive number of those annoying and scammy popup campaigns you will almost certainly have seen, where you visit an apparently honest web page and then get pestered with online surveys.

We’ve warned our readers many times about the risks of online surveys – even ones that don’t obviously or explicitly lead to attempted malware infections.

At best, you will often end up giving away a surprising amount of personal data, typically in return for a minuscule chance of winning a free product (fancy phones, high-value gift cards and games consoles are typically used as lures).


Tags: browser bug


Feb 17 2021

Browser Tracking Using Favicons

Category: Web Security | DISC @ 1:56 pm

Interesting research on persistent web tracking using favicons. (For those who don’t know, favicons are those tiny icons that appear in browser tabs next to the page name.)

Abstract: The privacy threats of online tracking have garnered considerable attention in recent years from researchers and practitioners alike. This has resulted in users becoming more privacy-cautious and browser vendors gradually adopting countermeasures to mitigate certain forms of cookie-based and cookie-less tracking. Nonetheless, the complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries. In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons. In more detail, a website can track users across browsing sessions by storing a tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific subdomain. In subsequent user visits the website can reconstruct the identifier by observing which favicons are requested by the browser while the user is automatically and rapidly redirected through a series of subdomains. More importantly, the caching of favicons in modern browsers exhibits several unique characteristics that render this tracking vector particularly powerful, as it is persistent (not affected by users clearing their browser data), non-destructive (reconstructing the identifier in subsequent visits does not alter the existing combination of cached entries), and even crosses the isolation of the incognito mode. We experimentally evaluate several aspects of our attack, and present a series of optimization techniques that render our attack practical. We find that combining our favicon-based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds. Furthermore, our attack works in all major browsers that use a favicon cache, including Chrome and Safari. Due to the severity of our attack we propose changes to browsers’ favicon caching behavior that can prevent this form of tracking, and have disclosed our findings to browser vendors who are currently exploring appropriate mitigation strategies.

Source: Browser Tracking Using Favicons


Feb 16 2021

Data Obfuscation: An Image Is Worth a Thousand Lines of Malware

Category: data security | DISC @ 11:32 pm

In this post, we are going to talk about MITRE ATT&CK® technique T1001 – Data Obfuscation. As the name indicates, this technique consists of making data, usually sent over Command and Control (C&C) communications, more difficult to detect and decode. There are countless ways to do that, but here we are going to focus on disguising payloads – which can simply be information, but also files written as malware or scripts – as images.

Why would someone do that? Mainly because every day lots of images are downloaded while a user is browsing the internet. Downloading an image-like file therefore blends perfectly into regular traffic and does not stand out to a network security control that, for instance, blocks the download of Windows binaries or PowerShell scripts, or does not look for malicious content in an image file. Since these files do not show up as executables, they can fly under the radar of an antivirus or endpoint detection and response (EDR) capability more easily.

Below we will show three examples of how to obfuscate data into image files, namely:

  • Adding a JPEG header to the data;
  • Appending the data to a JPEG image; and
  • Embedding the data into a PNG image using Least Significant Byte (LSB) steganography.
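As an added example (not code from the original post), here is the check a defender would run against the second trick above: parse the JPEG marker structure and report any bytes that follow the End-Of-Image marker. It also rejects files that carry a JPEG header but no valid segment structure, which is the first trick. The sample JPEG is constructed inline for the demo.

```python
# Added example, not code from the article: a defensive check for the
# "append data to a JPEG" variant. It walks the marker segments, skips the
# entropy-coded scan, and counts any bytes that follow the EOI marker.
SOS, EOI = 0xDA, 0xD9


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded data and return the offset of the next marker.
    0xFF 0x00 (byte stuffing) and 0xFF 0xD0..0xD7 (restart markers) belong to
    the scan, so they must not be taken for its end."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    raise ValueError("scan data runs off the end of the file")


def jpeg_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the End-Of-Image marker (0 for a clean file).
    Raises ValueError if the data does not parse as a JPEG at all, which covers
    the 'JPEG header glued onto arbitrary data' variant."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while data[pos + 1] == 0xFF and pos + 2 < len(data):  # skip 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == EOI:
            return len(data) - (pos + 2)
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            raise ValueError("bad segment length at offset %d" % pos)
        pos += 2 + seg_len
        if marker == SOS:
            pos = _skip_scan(data, pos)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample (not a real photo): SOI, a JFIF APP0 segment, one scan, EOI.
SCAN = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # a stuffed 0xFF and an RST0 inside
CLEAN_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + SCAN + b"\xff\xd9")
# The appended blob ends with its own 0xFF 0xD9, which is why "find the last
# EOI and see if anything follows" is not a sufficient check.
SUSPICIOUS_JPEG = CLEAN_JPEG + b"<constructed payload>\xff\xd9"
```

A non-zero result is worth an alert on a proxy or mail gateway; a ValueError on a file served with an image content type is the same signal for the fake-header variant.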

Source: Data Obfuscation: An Image Is Worth a Thousand Lines of Malware

Tags: Data Obfuscation


Feb 16 2021

Nmap Tutorial to scan Network via TryHackMe Lab

Category: Hacking | DISC @ 4:12 pm

Nmap 6 Cookbook: The Fat-Free Guide to Network Security Scanning by Nicholas Marsh

Tags: Nmap


Feb 16 2021

A new Bluetooth overlay skimmer blocks chip-based transactions

Category: Malware | DISC @ 9:08 am

Tags: Credit Card Skimmer


Feb 15 2021

How one man silently infiltrated dozens of high-tech networks

Category: Security vulnerabilities | DISC @ 11:06 pm

We know what you’re thinking: “I bet you this is what they call a supply chain attack.”

And you’d be right.

The “one man” in the headline is cybersecurity researcher Alex Birsan, and his paper Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies, which came out last week, will tell you how his “attack” worked.

Of course, Birsan didn’t literally do it alone and unaided (see the end of his paper for the section of shout-outs to others who helped directly or inspired him indirectly during his research), and he didn’t really attack anyone in the way that a criminal hacker or cracker would.

His work was done in accordance with bug bounty rules or pre-arranged penetration testing agreements, and Birsan actually includes bug bounties in his credits:

Source: How one man silently infiltrated dozens of high-tech networks


Feb 15 2021

California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course

Category: Information Privacy, Security and privacy Law | DISC @ 2:24 pm

Training course outline

The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).

Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.

Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:

  • Demonstrate an understanding of privacy and cybersecurity law concepts, and the basis of national/state jurisdiction
  • Define terms used in the CCPA/CPRA and contrast them with the GDPR
  • Articulate the rights of consumers, and determine the duties of a business
  • Examine the CPRA’s security requirements and prepare relevant responses
  • Use the CPRA to determine what action(s) should be taken in the event of a breach
  • Demonstrate an understanding of the CPRA’s penalty provisions


Tags: California Consumer Privacy Act, CCPA


Feb 15 2021

Chinese Supply-Chain Attack on Computer Systems

Category: Cyber Attack, Cyber Espionage, Cyber Spy | DISC @ 11:41 am

Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

There’s lots of detail in the article, and I recommend that you read it through.

Tags: Chinese espionage, Supply-Chain Attack


Feb 15 2021

The malicious code in SolarWinds attack was the work of 1,000+ developers

Category: Malware | DISC @ 11:28 am

Tags: Malicious code, SolarWinds attack


Feb 14 2021

223 vulnerabilities identified in recent ransomware attacks

Category: Ransomware, Security vulnerabilities | DISC @ 8:18 pm


Feb 14 2021

Want to become a CISO

Category: CISO, vCISO | DISC @ 1:08 pm

The CISO role is not limited to understanding infrastructure, technologies, the threat landscape and business applications; it also means swaying people’s attitudes and influencing culture through relevant policies, procedures and compliance enforcement in order to protect the organization.

#CISO #vCISO
Explore more on the CISO role:


Feb 14 2021

PayPal addresses reflected XSS bug in user wallet currency converter

Category: Web Security | DISC @ 11:49 am

PayPal has fixed a reflected cross-site scripting (XSS) vulnerability that was discovered in the currency converter feature of user wallets on February 19, 2020, close to one year ago.

The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.

“An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent.” reads the summary published by PayPal.

PayPal has implemented additional validation checks and sanitizer controls for user input in the currency exchange feature before it is returned in the response.

According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL.

An attacker could have exploited the flaw to inject malicious code (JavaScript, HTML, or any other language) that would be executed within the victim’s browser.
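To make the bug class concrete, here is an added example (not PayPal's code) of a minimal currency-conversion handler in both shapes: one that reflects the URL parameter straight into the page, and the fixed one that validates against an allow-list first, escapes on output, and sends a Content-Security-Policy header. The parameter names, page template and rates table are assumptions made for the demo.

```python
# Added example, not PayPal's code: a currency-conversion endpoint that reflects
# a URL parameter, first in the vulnerable form and then hardened.
import html
import re
from urllib.parse import parse_qs, urlsplit

RATES = {("USD", "EUR"): 0.83, ("EUR", "USD"): 1.21}   # constructed sample rates
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")                # ISO 4217 codes: 3 uppercase letters


def _params(url: str) -> dict:
    """First value of each query-string parameter (assumed names: from, to)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def convert_vulnerable(url: str) -> str:
    """Reflects `from`/`to` straight into the HTML: the reflected XSS pattern."""
    p = _params(url)
    rate = RATES.get((p.get("from"), p.get("to")), "n/a")
    return f"<p>Converting {p.get('from')} to {p.get('to')}: rate {rate}</p>"


def convert_fixed(url: str) -> tuple:
    """Validate on input, escape on output. Returns (status, headers, body)."""
    p = _params(url)
    src, dst = p.get("from", ""), p.get("to", "")
    # Allow-list validation: anything that is not a 3-letter code is rejected
    # before it can reach the response at all.
    if not (CURRENCY_RE.match(src) and CURRENCY_RE.match(dst)):
        return 400, {}, "<p>Invalid currency code.</p>"
    rate = RATES.get((src, dst))
    if rate is None:
        return 404, {}, "<p>No rate for this pair.</p>"
    # Output encoding is kept as defence in depth even though the regex already
    # excludes markup: a later change to the allow-list must not reopen the hole.
    body = f"<p>Converting {html.escape(src)} to {html.escape(dst)}: rate {rate}</p>"
    headers = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}
    return 200, headers, body
```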

Tags: wallet currency converter, XSS bug


Feb 13 2021

What’s your password?!

Category: Information Security, Password Security | DISC @ 6:40 pm


Feb 13 2021

Some of the must have titles to improve tactical level Cyber Security acumen

Category: cyber security, Security playbook | DISC @ 3:18 pm

1) Black Hat Go: Go Programming For Hackers and Pentesters
2) Real-World Bug Hunting: A Field Guide to Web Hacking
3) Web Security for Developers: Real Threats, Practical Defense
4) The Linux Command Line
5) The Car Hacker’s Handbook
6) Rootkits and Bootkits
7) Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
8) Metasploit
9) Hacking

Tags: 9 must have titles in cybersecurity, tactical cyber security playbooks


Feb 13 2021

Court documents show FBI could use a tool to access private Signal messages on iPhones

Category: Information Privacy, Security and privacy Law | DISC @ 2:41 pm

Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.

The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.

“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York.” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in “partial AFU.” That latter acronym stands for “after first unlock” and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”

Tags: access private Signal messages on iPhones


Feb 12 2021

Microsoft warns of the rise of web shell attacks

Category: PowerShell Security, Web Security | DISC @ 2:29 pm

An Introduction to Web Shells

Tags: Web Shell


Feb 12 2021

How to Keep your Company safe from Phishing Attacks

Category: Phishing | DISC @ 12:14 pm

