Information Security

1

I tested using Google's Gemini as a helping hand in Linux log based threat hunting - and it is actually helpful, although not ready to take the security analyst's job (yet).

2

A blog post I made based on discussions at a conference last week - we need to teach smart things like self driving cars and ships to defend themselves against cyber attacks. This outlines how we should approach it.

3

cross-posted from: https://programming.dev/post/8121843

~n (@nblr@chaos.social) writes:

This is fine...

"We observed that participants who had access to the AI assistant were more likely to introduce security vulnerabilities for the majority of programming tasks, yet were also more likely to rate their insecure answers as secure compared to those in our control group."

[Do Users Write More Insecure Code with AI Assistants?](https://arxiv.org/abs/2211.03622)

4

Hello everyone!

My name is Anton Kachanov, I am an information security specialist and I have 7 years experience in developing different secure solutions for the pharmaceutical industry and for some big international binary trading platforms.

Every year we have fewer and fewer rights to privacy online. Our messages and our files from online storage may be easily disclosed to third parties. And our money from online payment systems may be easily stolen.

It doesn’t have to be this way, and today I will look at several real cases of privacy violations and talk about my products and how I am going to ensure the privacy of my online life and, I hope, yours.

Messengers

In 2023 our life is impossible without messengers. I use various instant messengers every day at work and at home. It’s free, fast and easy. But I would also like it to be safe and private.

Unfortunately, all well-known and widely used instant messengers are not safe and private.

On the Tor network it is easy to find a person willing to hack your account in Viber, WhatsApp, Telegram, Facebook and Instagram for only 100–200 dollars.

In addition, using your messenger, it is easy to violate human rights. One of my acquaintances from Russia was the admin of a small group in Telegram and he actively spoke out against the war between Russia and Ukraine in this group. In Russia, a criminal case was opened against him for insulting government officials and slander.

In addition, for the last couple of years I have been regularly receiving spam from scammers 2–3 times a month.

All this prompted me to create my own messenger called “Mystery Messenger”. It does not have the shortcomings that I indicated above.

The main highlight of my messenger is lack of registration. You don’t need to create an account and you don’t need to verify your phone number.

All information about yourself like avatar, name, last name, and all messages will be stored on your device. No need to worry about free space on your phone. In fact, it does not take up as much space as it might seem at first glance. All instant messengers store local copies of all your messages on your phone to reduce the load on their servers.

Due to the fact that your account is not stored on the server, it is impossible to find you on the server by name or by telephone number. This will completely rid you of spammers and scammers.

To start a new chat with somebody, you need to share your QR-code with him. After that, he will be saved in your contacts list and you will be able to write to him any time.

All messages and all information about you will be encrypted with an asymmetric cipher on your device and sent to your opponent in encrypted form through my servers, and will be completely deleted from the server after they are received.

So if someone hacks my server, they won’t be able to get access to all your messages. And even if he gets access to one or two of your undelivered messages, he will not be able to read them. I also will not be able to read your messages because, using an asymmetric cipher, only the sender and the recipient can decrypt them. You can read more about asymmetric ciphers on the internet.

I have already developed the server and the client application will be available in May 2024.

This and other projects you can find on my official website. The link will be at the end of this article.

Cloud storage

Today, cloud storage is a popular and most convenient way to store your data.

Firstly, you save space on your device. Secondly, it is very convenient to share your data with anyone. This is convenient for individual use and for business.

However, today cloud-based storage is one of the leading targets for hackers:

  • In 2022 39% of businesses experienced a data breach in their cloud environment;
  • In 2023 75% of businesses said more than 40% of data stored in the cloud is sensitive (on average only 45% of this sensitive data is encrypted).

Giants that provide cloud storage services, such as Google, Microsoft and Dropbox, don’t want to provide reliable protection of users’ data!

Unfortunately, until recently I was forced to choose one of the existing public solutions, but last month I launched beta testing of my secure online storage “FortressCloud”. And anyone can participate in beta testing and give me feedback on how I can make it better.

The main highlight of my solution is the key generation algorithm.

Each file will be encrypted with a set of unique keys, so one file will be separated into many chunks and each chunk will be encrypted with its own unique key! Decryption keys or their hash sums are not stored either on the server or on the user’s device.

Keys will be generated on the fly using your key-phrase on the client side; after that the file will be encrypted on your device and sent to the server in encrypted form.

Thus, hacking my server or even a user’s personal device usually will not allow an attacker to gain access to files stored in the cloud!

This and other projects you can find on my official website. The link will be at the end of this article.

Finance

Today, many of us use different payment systems for quick transfers to other countries. It’s easy and fast.

But finding a reliable and proven solution is not easy. Some payment systems are unreliable and some allow themselves to block customer accounts, sometimes without giving reasons.

Personally, I have a problem with several payment systems that I use. So I’m Russian and I live in Cyprus, but I do not have citizenship and I recently renewed my residence permit.

Despite the fact that I submitted an application for renewal of the permit a month before the expiration of the first one, I received a new one 1.5 months after the expiration of the old one.

And many payment systems just froze my accounts until I provided them with a renewed document. This was honestly earned money, on which taxes were paid. But payment systems don’t care.

But for today, to avoid such problems, you can use cryptocurrencies. Many crypto wallets do not require you to verify your identity, and you will not have the same problems as I did. But many people do not understand what cryptocurrencies are and how to work with them.

My payment system, called “Black” (it’s not racism, it’s just my favorite color, sorry), should solve this problem.

Firstly, it does not require identification confirmation. Secondly, my product will allow you to deposit crypto (or easily buy it with P2P payments) and convert it to any of 159 fiat currencies without commissions inside the “Black” system. You can use dollars, euros, Swiss francs, pounds sterling and many other currencies inside “Black”.

You will be able to withdraw it to your crypto-wallet or to your bank card with P2P payments.

In the future, it is planned to add the ability to pay for purchases, but for now I have an MVP where you can just make a deposit from your crypto-wallet to your “Black” account, convert to any of 159 currencies, send and receive money in useful fiat currency from other customers and withdraw it to your crypto-wallet.

This and other projects you can find on my official website. The link will be at the end of this article.

Before conclusion

While working on the above products I asked myself a question:

Having given the world anonymous messengers, anonymous cloud storage and even an anonymous payment system, will criminals use my products?

I have researched this issue, and I have a strong answer: “NO”. Criminals develop and use their own anonymous solutions. They will never trust and use third-party services.

So my projects will in no way increase the number of criminals and, unfortunately, will not reduce their number in any way.

But my projects will help make the online life private for everyone. I believe that every person deserves it.

Conclusion

Thank you for reading this article to the end.

I tried to make this article as short as possible and include only the key highlights of my solutions.

But if you are interested, you can find more details on my official website: https://akachanov.org/

There you can learn more about me and about all my projects, and contact me for any reason.

I will be glad to receive any feedback, advice and any support for my projects. All of them are currently being developed by one person and have no funding.

Best regards.
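The per-chunk key scheme described above for FortressCloud, as an added example written here (not the project's own code, whose design is not public): it assumes PBKDF2-HMAC-SHA256 to stretch the key-phrase and HKDF-SHA256 bound to a file id and chunk index to derive one key per chunk on the fly, so nothing but a public salt is ever stored, and it shows why the key-phrase is the single secret in such a design.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256 to stretch the
# key-phrase, HKDF-SHA256 to expand one 256-bit key per chunk.
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32
CHUNK_SIZE = 1024 * 1024  # 1 MiB chunks; constructed value

def master_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the user's key-phrase into a master key. The per-user salt can be
    stored in the clear; the key-phrase and the derived keys are never stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)

def hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def chunk_key(mk: bytes, file_id: bytes, index: int) -> bytes:
    """Derive the key for chunk `index` of `file_id` on the fly. Binding both
    values means no two chunks share a key, and a ciphertext chunk cannot be
    moved to another file or position without the key changing."""
    info = b"chunk-key|" + file_id + b"|" + index.to_bytes(8, "big")
    return hkdf_expand(mk, info)

def chunk_keys_for_file(passphrase: str, salt: bytes, file_id: bytes, file_size: int):
    """All per-chunk keys for one file, recomputed from the key-phrase alone.
    Feed each key to an AEAD (e.g. AES-256-GCM) with the chunk index as
    associated data; that step is left out to stay on the standard library."""
    chunks = max(1, -(-file_size // CHUNK_SIZE))  # ceiling division
    mk = master_key(passphrase, salt)
    return [chunk_key(mk, file_id, i) for i in range(chunks)]

if __name__ == "__main__":
    # Constructed sample values. Caveat for the defender: every key is
    # recomputable from the key-phrase plus the public salt, so whoever holds
    # salt and ciphertext can test guesses offline at PBKDF2 cost; the design
    # is exactly as strong as the key-phrase entropy, no stronger.
    salt = os.urandom(16)
    keys = chunk_keys_for_file("correct horse battery staple", salt, b"file-A", 3 * CHUNK_SIZE + 1)
    print(len(keys), "chunk keys, all unique:", len(set(keys)) == len(keys))
```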

5

I am curious if anyone has advice on a good start to get into InfoSec. I just bought a car, used a separate phone number and somehow marketers found my actual number, so want to get a better handle on how to handle personal data.

6

Now ever since I got a label printer I made it a habit to... well... label everything. It's been a gamechanger in organizing my stuff.

This habit includes having a tiny label with my street address and mail address on most any item that I loan away or tend to regularly lug around with me as a general reminder of ownership. I forget about and lose stuff all the time, so this gives me some peace of mind with most of my medium-value little gadgets. I believe (and have experienced) that people are generally decent and will return lost stuff to me if it's easy for them to find out to whom it belongs.

Now it has occurred to me that this practice might be detrimental when applied to smart cards in general and my Yubikeys in particular. After all, shouldn't a lost Yubikey be considered "tampered with/permanently lost" anyway, whether it's returned or not? And wouldn't an email address on the key just increase the risk of some immediate abuse of the key's contents, i.e. GPG private keys, that would otherwise not be possible?

Or am I overthinking this?

7

cross-posted from: https://lemmy.kevitprojects.com/post/8452

What do you guys think about this?

8

It was a meme about a cyber security guy not giving out his personal information, not even to girls he likes. I can't find it on here anymore