You can use this to test out your webserver:
https://geekflare.com/tools/x-frame-options-test
Category: cybersecurity
How to Stop SMS scams on your PHONE
The SMS scams are in the news lately. Here is what you need to know. In Australia, SMS scams have caused as much as 381m in losses.
While the Telcos and Government grapple with what best to do to reduce this, there are something you can do to stop spam on your mobile phone. You can block these spams by tagging them!
For iPhone, all you need is in Settings
Got a spammy-looking message in your Messages inbox? As long as you have iOS 7 or later installed on your iPhone, the steps are pretty simple. Open the message, tap Contact, then tap the little “i” button that appears.
Next, you’ll see a (mostly blank) contact card for the spammer who sent you the message. Scroll down to the bottom of the screen and tap “Block this caller.” C-ya, spammer.
For Android, it’s a little more complicated
The SMS-blocking situation for Android is a bit more complex than for iOS—although to be fair, it wasn’t possible to block text messages on the iPhone at all until iOS 7 came around.
While the “stock” Messaging app won’t let you block SMS spammers, there’s a plethora of apps on the Google Play store that’ll do the job…or used to, anyway.
Working in tandem with the standard Messaging app, third-party SMS-blocking apps (like SMS Filter or Mr. Number) let you create and manage what’s called a “blacklist”—that is, a list of phone numbers that you don’t want to hear from again. Other anti-spam apps, like Postman and Spam Blocker, will go ahead and flag suspected SMS spam.
But thanks to a new restriction in the latest version of Android—namely, that only one app at a time may tap into your SMS messages—many of these handy SMS spam-blocking apps have been rendered useless.
Now, it’s very possible that your particular Android phone hasn’t been updated to Android “KitKat” yet, in which case you’re free to shop around for a dedicated SMS blocking app.
Source: https://www.pcworld.com/article/436450/how-to-stop-sms-spam-on-your-android-or-ios-phone.html
CloudFlare shares Turnstile APP
Have you tried out CloudFlare’s Turnstile API as an alternative to CAPTCHAs? Do share with our community and leave your comment below.
Australia’s OPTUS suffers data breach
Source: https://www.theguardian.com/business/2022/sep/29/optus-data-breach-everything-we-know-so-far-about-what-happened
What data was taken?
Optus says the stolen data includes names, email addresses, postal addresses, phone numbers, dates of birth, and for a portion of the affected customers, identification numbers including passport numbers, driver’s licence numbers and Medicare numbers.
The dump of records released by the forum user contained all this information.
How common is this method of attack?
“Unfortunately, it can be pretty common,” Josh Lemon, a digital forensics and cyber incident expert at SANS Institute, said. But he said attackers tended to not target a single organisation. They usually scan across the internet looking for known vulnerabilities and exploiting those vulnerabilities all at once, he said.
“So for a threat actor to specifically just go after [one company] is a little bit unique in that sense.”
StarBucks Singapore suffers data breach
In an email sent to its members on Friday, Sep. 16, the coffee chain said that it had discovered “unauthorised activity online” and “some unauthorised access” to customer details, such as name, gender, date of birth, mobile number, email address and residential address.
Following this incident, Starbucks added that relevant authorities have been informed and that the firm is assisting them on this matter.
Learning from others’ mistakes: Love Bonito Case
Short story:
Home-grown fashion label Love, Bonito has been fined $24,000 over a 2019 data breach which saw personal information of more than 5,500 customers compromised. The root cause: The administrator account of a software used by Love, Bonito was compromised. It was used to manage its e-commerce website. An unknown third party accessed and obtained customers’ personal data via this gap.
Countermeasure: Try to apply Access control list to sensitive parts of your webapp. So that even if the admin account was compromised, it could not log in from just anywhere. It had to be accessed from within specific locations. Also enable multi factor authentication.
Source: https://www.straitstimes.com/tech/tech-news/love-bonito-fined-24000-over-data-breach-involving-over-5500-customers
Learning From Other’s Mistakes: RedDoorz Data Breach
The short story:
HOSPITALITY platform RedDoorz was found to have leaked the details of 5.9 million customer records in the largest data breach incident since Singapore’s Personal Data Protection Act came into force. The root cause was traced to the API key embedded in the mobile app that the developers used.
Even if ReDoorz had several pentests done. The mobile app was not screened. It however helped to reduce the overall fines levied on it.
Source: https://www.businesstimes.com.sg/garage/data-breach-at-reddoorz-hit-6m-customers-hospitality-platform-fined-s74000
Cisco lost 2.75GB of data to Yanluowang Gang
Source: Cisco Breached by Ransomware Gang, 2.75GB Reportedly Stolen (webpronews.com)
Cisco confirmed the Yanluowang gang compromised the company’s network but said the bad actors only made off with non-sensitive data. The data was from an employee’s Box folder.
More than 120 vulnerabilities disclosed as part of Microsoft Patch Tuesday
“Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months. This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June. Two of the important vulnerabilities CVE-2022-35743 and CVE-2022-34713, are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers “more likely” to be exploited.” – SANS @RISK