The danger behind professional requests on LinkedIn

I was asked to install malware during a fake interview

Once or twice a month, I get a request to join a team as a technical advisor. I got two in the last month, except both were fake and meant to install malware on my machine! Both had a similar script. Someone reached out over LinkedIn to ask me to join their team as a technical advisor. Then they shared a link to their code repository - without even asking me to sign an NDA or adding me to their org! Then I was asked to try out the code, where running npm install alone would have triggered the malware. Here are the stories in detail. ...

Introducing Amazing Sandbox - run third-party tools and AI agents securely on your machine

Sandbox your tools before they harm you

To keep your machine secure, run third-party tools inside Docker

Keep yourself secure - Always run third-party CLI tools inside Docker

Nillion and one-time pads

Don't leave Android WebView debugging enabled in production

WebView debugging is enabled via "WebView.setWebContentsDebuggingEnabled(true)", which makes every WebView in the app inspectable from Chrome DevTools (chrome://inspect) over adb. Leaving it enabled in production Android apps is a bad idea: anyone who gets hold of the unlocked phone with USB debugging on can attach DevTools and read the WebView's cookies, local storage and page contents, for as long as that build is installed.
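The usual fix is to tie the flag to whether the build is actually debuggable, so release builds never expose the WebView. The snippet below is an added illustration, not code from the original post; the `MyApplication` class name is a hypothetical placeholder for the app's own `Application` subclass. It shows the weak setting (commented out) beside the hardened one:

```java
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.webkit.WebView;

// Hypothetical Application subclass; register it via android:name in the manifest.
public class MyApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();

        // Weak setting: unconditionally enables remote inspection of every WebView,
        // including in the release build that ships to users.
        // WebView.setWebContentsDebuggingEnabled(true);

        // Hardened: only enable debugging when this build was flagged debuggable
        // (android:debuggable="true", which Gradle sets for debug builds only).
        // The check is done at runtime, so a release build always passes false.
        boolean debuggable =
                (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        WebView.setWebContentsDebuggingEnabled(debuggable);
    }
}
```

Checking `ApplicationInfo.FLAG_DEBUGGABLE` at runtime rather than relying on `BuildConfig.DEBUG` alone means the decision follows the manifest of the build actually installed, so a release APK cannot end up inspectable through a mis-set build constant.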

Thoughts on Snapchat's snafu

Deciphering Snapchat’s security hole

Android Security related tools

A lot of work is happening in academia and industry on tools for dynamic analysis, static analysis, and reverse engineering of Android apps. A list of those tools is maintained at https://github.com/ashishb/android-security-awesome.

Preliminary analysis of Facebook Click jacking Attack "Chica Sexy"

Came across a few interesting posts like this on my wall today.

How do you store my password?

As the world moves towards cloud-based storage and computing, storing our data on a PC hard disk is being replaced by cloud-based storage providers. This includes our emails, social data, professional data, and financial data. Accessing this data requires authentication, and despite their various limitations, username and password are still the standard way to authenticate (though OpenID is slowly becoming popular). One thing which is crucial in this setup is how web services store users' passwords.

May 15, 2011 · 3 min · Security

Preliminary analysis of Facebook clickjacking - aprilfoolsprank

If you have already been a victim of this, then change your password and unlike the page as soon as possible. A malicious app called "aprilfoolsprank", which likes a page on a user's behalf and tries to phish the user into disclosing his/her Facebook login and password, is taking its toll on Facebook users.