Tag: Privacy

For more than a year, we have been providing free intelligence services via the OpenTIP portal. Using the web interface, anyone can upload and scan files with our antivirus engine, get a basic sandbox report, look up various network indicators (IP addresses, hosts, URLs). Later on, we presented an easy-to-use HTTPS-based programming interface, so that you could use the service in your own scripts and integrate it in existing workflow.

OpenTIP web interface – upload, look up, get results!

Of course, it is much easier to use the API when there is a set of working examples. It is also more convenient to integrate with existing tools and scripts when you have a command line utility that interacts with the service. We decided have both in one package, by releasing Python-based command line tools for the service that also implement a client class that you can reuse in your own tools.

A few words about privacy

The OpenTIP service has its own Terms of Use, End-User Agreement and a Privacy Policy; and the command line tools can only be accessed with an API token, that in turn can be only obtained after agreeing to all the terms. Please read them carefully. By default, the “opentip” scanner may upload the files being checked if their hashes are not yet known to the service, so please ensure that you are familiar with the policies. And, of course, the sample upload can be turned off.

Setting things up

The command line tools need the “apikey”, that is, a usual web API access token. You can generate it at this page (you may be required to register or log in into the web version of the service). The key can then be permanently set up as an environment variable “OPENTIP_APIKEY” or provided as a command line option “–apikey VALUE_OF_THE_KEY”. By default, the API key has certain rate limitations that may be changed in future, so please contact us if your scripts hit the rate limits.

The tools and the Python 3 client class can be all installed from pip:

pip3 install opentip

The code is also published on Github, so you can easily inspect and package it yourself. At the time of writing, the package has no external dependencies and should run on any modern Python 3 distribution.

Once installed, Python will also generate two executables (scripts, or binary wrappers, depending on the platform), named “opentip” and “check_iocs”.

The OpenTIP Scanner

The scanner is named “opentip” (or “opentip.exe”), as is the primary tool for quickly checking files and directories. The standard usage banner is pretty simple and self-descriptive:

usage: opentip [-h] [–no-upload] [–exclude EXCLUDE] [–log LOG] [–apikey APIKEY] [–quiet] path [path …]

Check files and directories with OpenTIP.kaspersky.com, optionally upload and scan unknown files

positional arguments:
path File or directory location to scan

optional arguments:
-h, –help show this help message and exit
–no-upload DO NOT upload unknown files to scan with the Sandbox, default behaviour is to upload
–exclude EXCLUDE Do not scan or upload the files matching the pattern
–log LOG Write results to the log file
–apikey APIKEY OpenTIP API key, received from https://opentip.kaspersky.com/token
–quiet Do not log clean files

The easiest and most basic mode of operation is to provide the location of the files or directories to scan. Directories are processed recursively, and unknown files are uploaded for checking by default (subject to the privacy policy, use “–no-upload” to change default behavior). The results are printed on stdout, and can also be redirected to a log file. The “–exclude” option allows you to disable the checks for any path locations, and with the “–quiet” option the script will print out only the positive detections.

$ opentip .
2022-08-01 16:23:22,638 ./package/main.py: Malware: Trojan.Python.Lofy.a
2022-08-01 16:23:22,766 ./package/package.json: NotCategorized
2022-08-01 16:23:22,965 ./package/index.js: NoThreats

Typical output of the scanner

Since the package has no external dependencies, it can be used to quickly deploy the scanner and check a fleet of remote machines, and the OPENTIP_APIKEY environment variable makes it easier to use the scanner in containers.

The IOC checker script

The second tool, named “check_iocs”, has a different purpose: you can use it to quickly query the OpenTIP service for file hashes, domains, IPs and URLs.

usage: check_iocs [-h] [–apikey APIKEY] [–out OUT] type value

Check IOCS (file hashes, IP addresses, domain names, URLs using the service OpenTIP.kaspersky.com

positional arguments:
type hash, ip, domain, url
value Value of the IOC (hash, ip, domain, url, filename with the iocs)

optional arguments:
-h, –help show this help message and exit
–apikey APIKEY OpenTIP API key, received from https://opentip.kaspersky.com/token
–out OUT, -o OUT Write output as JSON to this filename

The script requires two arguments: the type of the input data (“hash”, “ip”, “domain”, “url”, “filename”) and either the actual value of the data to check, or the path of the filename that contains the list of values, one per line.

$check_iocs hash list_of_md5.txt
[IOC]: d41d8cd98f00b204e9800998ecf8427e : Unknown
[IOC]: 46c5070ed139ca8121c07eda20587e3f : {‘Zone’: ‘Grey’, ‘FileGeneralInfo’: {‘FileStatus’: ‘NotCategorized’, ‘Sha1′: ’24F7BAF656DCAC1FF43E4479AD8A5F4DF8052900’, ‘Md5′: ’46C5070ED139CA8121C07EDA20587E3F’, ‘Sha256′: ’04FC2B072775EA05AB6C9E117EFBFD1C56D2F1B45D1AC175001A186452269F3C’, ‘FirstSeen’: ‘1970-01-01T00:00:00Z’, ‘LastSeen’: ‘1970-01-01T00:00:00Z’, ‘Size’: 464, ‘Type’: ‘text’}, ‘DynamicAnalysisResults’: {‘Detections’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}], ‘SuspiciousActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Grey’}], ‘NetworkActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Green’}, {‘Zone’: ‘Grey’}]}}
[IOC]: 0067bc5d4d92fe9445e41f347944196e : {‘Zone’: ‘Red’, ‘FileGeneralInfo’: {‘FileStatus’: ‘Malware’, ‘Sha1’: ‘F666104C83CB18F2ED345A11C34EE9A32CD2ABC1’, ‘Md5’: ‘0067BC5D4D92FE9445E41F347944196E’, ‘Sha256’: ‘8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9’, ‘FirstSeen’: ‘2022-07-27T11:48:00Z’, ‘LastSeen’: ‘2022-07-30T12:44:00Z’, ‘Size’: 10466, ‘Type’: ‘Txt’, ‘HitsCount’: 10}, ‘DetectionsInfo’: [{‘LastDetectDate’: ‘2022-07-30T12:50:35.887Z’, ‘Zone’: ‘Red’, ‘DetectionName’: ‘Trojan.Python.Lofy.a’}], ‘DynamicAnalysisResults’: {‘Detections’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}], ‘SuspiciousActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Grey’}], ‘NetworkActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Green’}, {‘Zone’: ‘Grey’}]}}
[IOC]: e1dc5ff6a1febdd4db11901fc295364f : {‘Zone’: ‘Green’, ‘FileGeneralInfo’: {‘FileStatus’: ‘NoThreats’, ‘Sha1’: ‘49217E09D0C33FF3C958AFBDCB60F977E10104E0’, ‘Md5’: ‘E1DC5FF6A1FEBDD4DB11901FC295364F’, ‘Sha256’: ‘EAB0020A475BB1CF70CA5C9569DEFE5F1A7160A9D334144DA47924418EE2C9E7’, ‘FirstSeen’: ‘2022-07-30T10:03:00Z’, ‘LastSeen’: ‘2022-07-30T10:20:00Z’, ‘Size’: 34768, ‘Type’: ‘Js’, ‘HitsCount’: 10}, ‘DynamicAnalysisResults’: {‘Detections’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}], ‘SuspiciousActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Grey’}], ‘NetworkActivities’: [{‘Zone’: ‘Red’}, {‘Zone’: ‘Yellow’}, {‘Zone’: ‘Green’}, {‘Zone’: ‘Grey’}]}}

Typical output of the check_iocs tool

The output is much more comprehensive than the one provided by the scanner and is JSON-encoded, so that it can be parsed automatically.

The Python API class

Both command line tools are actually using a single Python class to access the OpenTIP service, and you can use the source code of the tools as a reference for your own scripts.

The OpenTIP client can be easily instantiated with a few lines:

from opentip.client import OpenTIP
client = OpenTIP(APIKEY)

To query the OpenTIP for a known indicator, use a single call:

client.get_verdict_by_ioc(ioc_type, ioc)

For example:

>>> client.get_verdict_by_ioc(‘hash’, ‘0067bc5d4d92fe9445e41f347944196e’)
‘{“Zone”:”Red”,”FileGeneralInfo”:{“FileStatus”:”Malware”,”Sha1″:”F666104C83CB18F2ED345A11C34EE9A32CD2ABC1″,”Md5″:”0067BC5D4D92FE9445E41F347944196E”,”Sha256″:”8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9″,”FirstSeen”:”2022-07-27T11:48:00Z”,”LastSeen”:”2022-07-30T12:44:00Z”,”Size”:10466,”Type”:”Txt”,”HitsCount”:10},”DetectionsInfo”:[{“LastDetectDate”:”2022-07-30T12:50:35.887Z”,”Zone”:”Red”,”DetectionName”:”Trojan.Python.Lofy.a”}],”DynamicAnalysisResults”:{“Detections”:[{“Zone”:”Red”},{“Zone”:”Yellow”}],”SuspiciousActivities”:[{“Zone”:”Red”},{“Zone”:”Yellow”},{“Zone”:”Grey”}],”NetworkActivities”:[{“Zone”:”Red”},{“Zone”:”Yellow”},{“Zone”:”Green”},{“Zone”:”Grey”}]}}’

To scan a file (with upload turned on by default), returning a tuple of (filename, results), call:

client.scan_file(filename)

Example:

>>> client.scan_file(‘package/main.py’)
(‘package/main.py’, ‘{“Zone”:”Red”,”FileGeneralInfo”:{“FileStatus”:”Malware”,”Sha1″:”F666104C83CB18F2ED345A11C34EE9A32CD2ABC1″,”Md5″:”0067BC5D4D92FE9445E41F347944196E”,”Sha256″:”8B615582D92D42FEEFCEEBA03E65D16773F2B227ED1CD17C82462641A9D249D9″,”FirstSeen”:”2022-07-27T11:48:00Z”,”LastSeen”:”2022-07-30T12:44:00Z”,”Size”:10466,”Type”:”Txt”,”HitsCount”:10},”DetectionsInfo”:[{“LastDetectDate”:”2022-07-30T12:50:35.887Z”,”Zone”:”Red”,”DetectionName”:”Trojan.Python.Lofy.a”}],”DynamicAnalysisResults”:{“Detections”:[{“Zone”:”Red”},{“Zone”:”Yellow”}],”SuspiciousActivities”:[{“Zone”:”Red”},{“Zone”:”Yellow”},{“Zone”:”Grey”}],”NetworkActivities”:[{“Zone”:”Red”},{“Zone”:”Yellow”},{“Zone”:”Green”},{“Zone”:”Grey”}]}}’)

To disable file upload for unknown files, instantiate the OpenTIP with no_upload=True.

>>> client = OpenTIP(OPENTIP_APIKEY, no_upload=True)
>>> client.no_upload
True

Any ideas are welcome

This is just the beginning, and we welcome any kind of input, pull requests and feature requests to make the service more convenient. If you have any issues or questions regarding the scripts, please contact us by creating a Github issue or using the OpenTIP contact form.

We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools.Read More

Domoticasoftware OpenHAB wordt op grote schaal onveilig gebruikt, wat een privacyrisico voor gebruikers vormt, zo stelt KPN op …Domoticasoftware OpenHAB wordt op grote schaal onveilig gebruikt, wat een privacyrisico voor gebruikers vormt, zo stelt KPN op …Read More

Using certificates to authenticate and encrypt data is vital to any enterprise security. For example, companies rely on certificates to provide TLS encryption for web applications so that client data is protected. However, not all certificates need to be issued from a publicly trusted certificate authority (CA). A privately trusted CA can be leveraged to issue certificates to help protect data in transit on resources such as load-balancers and also device authentication for endpoints and IoT devices. Many organizations already have that privately trusted CA running in their Microsoft Active Directory architecture via Active Directory Certificate Services (ADCS).

This post outlines how you can use Microsoft’s Windows 2019 ADCS to sign an AWS Certificate Manager (ACM) Private Certificate Authority (Private CA) instance, extending your existing ADCS system into your AWS environment. This will allow you to issue certificates via ACM for resources like Application Load Balancer that are trusted by your Active Directory members. The ACM PCA documentation talks about how to use an external CA to sign the ACM PCA certificate. However, it leaves the details of the external CA outside of the documentation scope.

Why use ACM PCA?

AWS Certificate Manager Private Certificate Authority (ACM Private CA or ACM PCA) is a private CA service that extends ACM certificate management capabilities to both public and private certificates. ACM PCA provides a highly available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. ACM PCA allows developers to be more agile by providing them with APIs to create and deploy private certificates programmatically. You also have the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.

Why use ACM PCA with Windows Active Directory?

Many enterprises already use Active Directory to manage their IT resources. Whether it is on-premises or built into your AWS accounts, Active Directory’s built-in CA can be extended by ACM PCA. Using your ADCS to sign an ACM PCA means that members of your Active Directory automatically trust certificates issued by that ACM PCA. Keep in mind that these are still private certificates, and they are intended to be used just like certificates from ADCS itself. They will not be trusted by unmanaged devices, because these are not signed by a publicly trusted external CA. Therefore, systems like Mac and Linux may require that you manually deploy the ADCS certificate chain in order to trust certificates issued by your new ACM PCA.

This means it is more efficient for you to rapidly deploy certificates to your endpoint workstations for authentication. Or you can protect internal-only workloads with certificates that are constrained to your internal domain namespace. These tasks can be done conveniently through AWS APIs and the AWS SDK.

Solution overview

In the following sections, we will configure Microsoft ADCS to be able to sign a subordinate CA, deploy and sign ACM PCA, and then test the solution using a private website that is protected by a TLS certificate issued from the ACM PCA.

Configure Microsoft ADCS

Microsoft ADCS is normally deployed as part of your Windows Active Directory architecture. It can be extended to do multiple different types of certificate signing depending on your environment’s needs. Each of these different types of certificates is defined by a template that you must enable and configure. Each template contains configuration information about how Microsoft ADCS will issue the certificate type. You can copy and configure templates differently depending on your environment’s requirements. The specifics of each type of template is outside the scope of this blog post.

To configure ADCS to sign subordinate CAs

On the CA server that will be signing the private CA certificate, open the Certification Authority Microsoft Management Console (MMC).
In the left-side tree view, expand the name of the server.
Open the context (right-click) menu for Certificate Templates and choose Manage.

This opens the Certificate Template Console, which is populated with the list of optional templates.

Scroll down, open the context (right-click) menu for Subordinate Certification Authority, and choose Duplicate Template, as shown in Figure 2. This will create a duplicate of the template that you can alter for your needs, while leaving the original template unaltered for future use. Selecting Duplicate Template immediately opens the configuration for the new template.

To configure and use the new template

On the new template configuration page, choose the General tab, and change the template display name to something that uniquely identifies it. The example in this post uses the name Subordinate Certification Authority – Private CA.
Select the check box for Publish certificate in Active Directory, and then choose OK. The new template appears in the list of available templates. Close the Certificate Templates Console.
Return to the Certification Authority MMC. Open the context (right-click) menu for Certificate Templates again, but this time choose New -> Certificate Template to Issue.

In the dialog box that appears, choose the new template you created in Step 1 of this procedure, and then choose OK.

That’s all that’s needed! Your CA is now ready to issue certificates for subordinate CAs in your public key infrastructure. Open a browser from either the ADCS CA server itself or through a network connection to the ADCS CA server, and use the following URL to access the certificate server’s certificate signing interface.

http://<hostname-of-your-ca-with-domain>/certsrv/certrqxt.asp

Now you can see that in the Certificate Templates list, you can choose the Subordinate Certification Authority template that you created, as shown in Figure 4.

Deploy and sign the ACM Private CA’s certificate

In this step, you will deploy the ACM PCA, which is the first step to create a subordinate CA to deploy in your AWS account. The process of deploying the ACM PCA is well documented, so this post will not go into depth about the deployment itself. Instead, this procedure focuses on the steps for taking the certificate signing request (CSR) and signing it against the ADCS, and then covers the additional steps to convert the certificates that ADCS produces into the certificate format that ACM PCA expects.

After the ACM PCA is initially deployed, it needs to have a certificate signed to authenticate it. ACM PCA offers two options for signing the new instance’s certificate. You can choose to sign either through another ACM PCA instance, or via an external CA. Since you are using ADCS in this walkthrough, you will use the process of an external CA. The ACM PCA deployment is now at a point where it needs its CSR signed by Microsoft ADCS. You should see that it is ready in the AWS Management Console for ACM PCA.

To deploy and sign the ACM PCA’s certificate

When the ACM PCA is ready, in the ACM PCA console, begin the Install subordinate CA certificate process by choosing External private CA for the CA type.

You will then be provided the certificate signing request (CSR) for the ACM PCA. Copy and paste the CSR content into the ADCS CA signing URL you visited earlier on the CA server. Then choose Next. The next page is where you will paste in the new signed certificate and certchain in a later step.
From the ADCS CA URL, be sure that the new Subordinate Certification Authority template is selected, and then choose Submit. The new certificate will be issued to you. The ADCS issuing page provides two different formats for the certificate, either as Distinguished Encoding Rules (DER) or base64-encoded.
Copy the base64-encoded files for both the certificate and the certchain to your local computer. The certificate is already in Privacy Enhanced Mail (PEM) format, and its contents can be pasted into the ACM PCA certificate input in the console. However, you must convert the certchain into the format required by the ACM PCA by following these steps:
To convert the format of the certchain, use the openssl tool from the command line. The process of installing the openssl tool is outside the scope of this blog post. Refer to the OpenSSL site documentation for installation options for your operating system.
Use the following command to convert the certchain file from Public Key Cryptographic Standards #7 (PKCS7) to PEM.

openssl pkcs7 -print_certs -in certnew.p7b -out certchain.pem

Using a text editor, open the certchain.pem file and copy the last certificate block from the file, starting with —–BEGIN CERTIFICATE—– and ending with —–END CERTIFICATE—–. You will notice that the file begins with the signed certificate and includes subject= and issuer= statements. ACM PCA only accepts the content that is the certificate chain.

Return to the ACM PCA console page from Step 1, and paste the text the you just copied into the input area provided for the certificate chain. After this step is complete, the private CA is now signed by your corporate PKI.

Test the solution

Now that the ACM PCA is online, one of the things it can do is issue certificates via ACM that are trusted by your corporate Active Directory joined clients. These certificates can be used in services such as Application Load Balancers to provide TLS protected endpoints that are unique to your organization and trusted only by your internal clients.

From a client joined to our test Active Directory, Internet Explorer shows that it trusts the TLS certificate issued by AWS Certificate Manager and used on the Application Load Balancer for a private site.

For this demo, we created a test web server that is hosting an example webpage. The web server is behind an AWS Application Load Balancer. The TLS certificate attached to the Application Load Balancer is issued from the new ACM PCA.

Conclusion

Organizations that have Microsoft Active Directory deployed can use Active Directory’s Certificate Services to issue certificates for private resources. This blog post shows how you can extend that certificate trust to AWS Certificate Manager Private CA. This provides a way for your developers to issue private certificates automatically, which are trusted by your Active Directory domain-joined clients or clients that have the ADCS certificate chain installed.

For more information on hybrid public key infrastructure (PKI) on AWS, refer to these blog posts:

How to implement a hybrid PKI solution on AWS
Integrating Microsoft Active Directory with AWS Certificate Manager Private CA using Secardeo certEP

For more information on certificates for Mac and Linux, refer to the following resources:

Add certificates to a keychain using Keychain Access on Mac
Ubuntu – Installing a root CA certificate in the trust store
RedHat – Making CA certificates available to Linux command-line tools

 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Want more AWS Security news? Follow us on Twitter.

Using certificates to authenticate and encrypt data is vital to any enterprise security. For example, companies rely on certificates to provide TLS encryption for web applications so that client data is protected. However, not all certificates need to be issued from a publicly trusted certificate authority (CA). A privately trusted CA can be leveraged toRead More

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.

What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.

Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.

Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.

Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.

“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”

Why might spamming aliases be a bad idea? According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.

Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.

Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.

That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.

But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.

“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”

HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.

While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.

What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.

Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.

What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.

One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.Read More

Twitter has confirmed that it was breached last month via a now-patched 0-day vulnerability in Twitter’s systems, allowing an attacker to link email addresses and phone numbers to user accounts. This enabled the attacker to compile a list of 5.4 million Twitter user account profiles.

“We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously, and it is unfortunate that this happened.”

When a person submits a publicly known email address or phone number to Twitter, the system tells this person what Twitter account the email or phone number is associated with. The attacker took advantage of this and created a list containing 5.4 million Twitter users with scraped publicly available details of the accounts, including whether the account was verified.

This is especially worrying for users who want to remain anonymous on the platform. It’s a bit late now, but Twitter recommends anyone trying to stay anonymous should not tie a publicly known phone number or email to their Twitter account.

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

According to BleepingComputer, the attacker sold the data on twice, saying that “the data would likely be released for free in the future.”

Twitter introduced the vulnerability after updating its code in June 2021. A threat hunter reported this vulnerability in January 2022, with Twitter eventually awarding the researcher for the find as part of its bug bounty program.

While the company says no passwords were compromised, it continues to encourage users to enable two-factor authentication (2FA) for their accounts, either in the form of authentication apps or hardware keys.

The new school season is just around the corner. And while you are getting ready to go back to school, now is a good opportunity to check you are doing all you can to stay as safe as possible online.

Make sure you are doing these five things:

1. Use multi-factor authentication (MFA)

MFA has become a necessary security measure in a world where passwords still rule. It’s added security for your school-related accounts—and actually any online accounts you have, including social media.

MFA is an additional layer of security, after you enter your username and password. This could be a code generated by an app, a push notification you need to accept, a physical key you plug into your computer, or similar.

Use it wherever it is offered to you. Yes, it makes logging in take slightly longer, but it really does make your accounts safer.

2. Use strong passwords

By “strong”, we mean the best possible password string you can come up. If, for example, your school IT administrator sets a maximum password length of 10 and allows a mix of alphabets and numbers, then make your password 10 characters long with the maximum complexity you can.

And while we’re on the subject of passwords, remember to use a unique password for each of your online accounts. If you use the same email and password combination for every account, then if one gets breached you have to assume they have all been breached.

Of course, it’s impossible to remember a strong password for every account you have. This is where password managers come in. They can generate passwords for you, and will remember them all too. Just make sure you use a super strong password for your password manager itself, and protect it with MFA.

Lastly, never share passwords with anyone.

3. Be wary of links and attachments

When it comes to phishing and malware campaigns, danger doesn’t just lurk in emails. It’s on social media, SMS, chat platforms, gaming platforms, and other online watering holes, too.

Remember: if someone sends you an unsolicited link or attachment, you’re right to be suspicious. Treat it as suspect, and always verify with the sender if they’re someone you know, preferably via other means than the medium with which you received the link or attachment.

4. Share with caution

Students can do this in (at least) three ways:

Limit what you share. Don’t give away personal details on social media, including those which tie you to your school.
Be smart about what information you allow apps to access. Does that calendar app really need access to your location?
For high school and college students, think twice before sharing private photos with someone. Consider that they may be shared with others, and how you might feel if that happened.

5. Lock down your files

The school does its part to secure your most important data, but you have a part to play, too.

You can start by locking down the devices you bring to school, such as your smartphone and laptop. Make sure there’s at least a password or code that stops anyone from casually picking up your device, and then opening it.

If you use the cloud to store files, learn how to secure that properly—the cloud-of-your-choice will have a guide on that. Remember, the cloud can only be as secure as you, the user, makes it.

It’s easy when you know how

Thankfully, securing data doesn’t get any more complicated for regular users than the five tips we have listed above. Remain vigilant and remind yourself that cybersecurity and privacy are shared goals and responsibilities. Students should do their part in the same way that your school’s IT team is doing theirs.

Stay safe, and have a pleasant, risk-free school year ahead!

Facebook-oprichter Mark Zuckerberg heeft vandaag drie nieuwe opties voor WhatsApp aangekondigd die de privacy van gebruikers …Facebook-oprichter Mark Zuckerberg heeft vandaag drie nieuwe opties voor WhatsApp aangekondigd die de privacy van gebruikers …Read More