Tuesday, January 17, 2017

Ignore warnings at your peril. 
McDonald's Website Flaws Allow Phishing Attacks
A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.
Dutch security enthusiast Tijme Gommers discovered a reflected cross-site scripting (XSS) vulnerability in the search functionality of the McDonald’s website.
According to the researcher, the McDonald’s website decrypts the password client-side using a cookie that is valid for an entire year.  Since the same key and initialization vector are used for every customer, it’s easy to obtain a password in plain text.
An attacker can create a link that exploits the XSS vulnerability to load an external JavaScript file.  Once the user clicks on the malicious mcdonalds.com link, their password is decrypted and sent to the attacker.  Gommers said the vulnerabilities also expose names, addresses and other details.
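An added example (not code from the article or from McDonald's) contrasting the design described above, a reversible password cookie under one site-wide key and IV readable by client-side code, with a design that never lets the password leave the server; the key, IV, user names and the HMAC-based keystream are constructed stand-ins:

```python
import hmac
import hashlib
import os
import secrets

# Constructed stand-in for the flawed design: one key and one IV shared by every
# customer, embedded where client-side code can read them. An HMAC-SHA256 keystream
# stands in for a real cipher; the weakness shown is the design (fixed key + IV,
# reversible password), not the primitive.
SHARED_KEY = b"site-wide-key-known-to-client-js"
SHARED_IV = b"fixed-iv"

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def flawed_cookie(password: str) -> bytes:
    """Reversible 'remember me' cookie: the password itself travels in the cookie."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(SHARED_KEY, SHARED_IV, len(data))))

def decrypt_flawed_cookie(cookie: bytes) -> str:
    """Anything holding the shared key and IV (the browser, any script it loads) recovers it."""
    return bytes(a ^ b for a, b in zip(cookie, _keystream(SHARED_KEY, SHARED_IV, len(cookie)))).decode()

# Hardened design: the cookie is an opaque random token. The server keeps only a keyed
# hash of the token mapped to the account, and stores the password as a salted hash.
SERVER_SECRET = secrets.token_bytes(32)   # never sent to the client
_sessions: dict = {}                      # HMAC(token) -> username
_users: dict = {}                         # username -> (salt, password hash)

def _token_id(token: str) -> str:
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

def issue_session(username: str) -> str:
    token = secrets.token_urlsafe(32)     # fresh per login; reveals nothing about the password
    _sessions[_token_id(token)] = username
    return token

def user_for_cookie(token: str):
    """Server-side lookup; a stolen or expired token maps to an account, never to a password."""
    return _sessions.get(_token_id(token))
```

Because the flawed cookie is deterministic, two customers with the same password receive byte-identical cookies, and a script injected through the reflected XSS has everything it needs to turn the cookie back into the password; the session token carries no such information.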


For my Computer Security students.  Does this become a Best Practice by default? 
Google reveals its servers all contain custom security silicon
Google has published an Infrastructure Security Design Overview that explains how it secures the cloud it uses for its own operations and for public cloud services.
Revealed last Friday, the document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so than the revelation that “we also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals.  These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”


For my Computer Forensics students and this is probably useful for researchers in general.
You might have heard about The Internet Archive.  It’s that dusty place on the web for all digital artifacts.  It’s not a tomb, but a cache of knowledge that makes up our digital experience.
Its web crawlers collect data from all corners of the web to build an historical collection that we can browse for free anytime.  If you think that’s a usable bit of work, then you will like what the Wayback Machine Chrome extension can do.
The Wayback Machine Chrome extension detects dead web pages and gives you the option to view an archived version of the page.

(Related).
No matter how few numbers reside in your head, hopefully you know your own phone number!  However, there may be times when you need to look up the number of the phone you’re using.  Perhaps you had a brief bout of amnesia or are trying to return a lost phone.


Continuing a discussion with my students about the difference between ‘profitable’ and ‘successful.’  (and between ‘revenue’ and ‘profit!’)
Investors Try to Tap Into the Next Craigslist, Regardless of Earnings
In the race to find and fund the next Craigslist, venture investors aren’t letting a lack of revenue stand in the way.
The two leading contenders offering app-based classified listings have raised some $300 million in the past six months, despite generating virtually zero revenue.


For my student researchers.  What’s on your RSS feed?


For my gamers.  Do you want to play or get rich?  (Not bad for half a year.)
Pokémon Go generated revenues of $950 million in 2016
Pokémon Go generated an estimated $950 million in revenues in 2016, according to a report by market researcher App Annie.
Niantic Labs launched Pokémon Go on July 6, 2016, and it became a smash hit.  Within a couple of months, Niantic announced that it had been downloaded more than 500 million times.


With the Trump Circus replacing P.T. Barnum’s, this seemed appropriate.  (Do you see some anti-Trumpisms in them?)
10 Memorable Quotes From the 'World's Greatest Showman' P.T. Barnum
