Ayodejioak's Posts
Nairaland Forum › Ayodejioak's Profile › Ayodejioak's Posts
1 2 3 4 5 6 7 8 9 10 (of 33 pages)
What just happened? Yesterday, it emerged that more than a billion unique email address and password combinations had been posted to a hacking forum for anyone to see in a mega-breach dubbed Collection #1. The breach was revealed by security researcher Troy Hunt, who runs the service allowing users to see if they’ve been hacked called Have I been Pwned. He has now loaded the unique email addresses totalling 772,904,991 onto the site. The data includes more than a billion unique email and password combinations – which hackers can use over a range of sites to compromise your services. They will do so by utilizing so-called credential stuffing attacks, seeing bots automatically testing millions of email and password combinations on a whole range of website login pages. The data originally appeared briefly on cloud service MEGA and was later posted to a popular hacking forum. The Collection #1 folder is comprised of more than 12,000 files weighing in at 87 gigabytes. Most concerningly, the protective hashing of the stolen passwords had been cracked. This means they are easy to use because they are available in plain text rather than being cryptographically hashed as they often are when sites are breached. Should I be worried? In a word: Yes. It’s a massive concern, not least because scale of this breach is huge: Yahoo’s breaches saw 1 billion and 3 billion users affected but the stolen data hasn’t actually resurfaced yet. And unlike other huge hacks such as Yahoo and Equifax, this breach cannot be tied down to one site. Instead it appears to comprise multiple breaches across a number of services including 2,000 databases. https://cdn.grahamcluley.com/wp-content/uploads/2015/08/password-wide.jpeg Hunt says there are many legitimate breaches in the directory listing, but he cannot yet verify this further. “This number makes it the single largest breach ever to be loaded into HIBP,” he adds in a blog. What’s more, his own personal data is in there “and it’s accurate”, he says. “Right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.” Finding out if you’re affected If you are one of the 2.2 million people that already use the Have I Been Pwned site, you should have received a notification: Nearly half of the site’s users – or 768,000 – are caught up in this breach. If you aren’t already a member, you need to visit Have I Been Pwned now. Once on the site, you simply need to type in your email address and search, then scroll down to the bottom of the page. The site will let you know if your email address is affected by this breach – and while you are there, you can see if your details were stolen in any others too. To find out if your password has been compromised, you separately need to check Pwned Passwords– a feature built into the site recently. This feature also helps you to use strong passwords: if yours is on there, it’s safe to assume others are using it and your accounts could be easily breached. What if my details are there? Hunt says in his blog: “Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about.” If you have a bunch of passwords, checking all of them could be time-consuming. In this case, Hunt suggests 1Password’s Watchtower feature which can take all your stored passwords and check them against Pwned Passwords in one go. Most importantly, if your password is on the list, do not ignore it as it can be used in credential stuffing attacks mentioned earlier. Hunt says: “People take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.” More generally, as the number of breaches and their sheer scale increases, it’s time to clean up your password practices. In addition to using two-factor authentication, passwords should be complex – such as a phrase from a favourite book or a line from a song. At the same time, security experts don’t rule out analogue books containing your password – as long as these are not stored on your device or with it. If you take these measures into account you should be able to avoid using the same password across multiple sites. Ideally, start using a password manager to ensure you can remember these. Source: Forbes, via itblogr - http://itblogr.com/how-to-find-out-if-your-password-has-been-stolen/ |
Cc: lalasticlala Mynd44 OAM4J |
DavidBolu2019:News like these got me wondering how vulnerable or secure mobile telecom and financial in companies Nigeria can be. |
A British hacker whose cyberattacks took the nation of Liberia offline has been jailed for almost three years. Daniel Kaye launched a series of attacks on Liberian cell phone operator Lonestar in October 2015, which became so powerful they knocked out the west African country’s internet the following year. Kaye, 30, had been hired to carry out the attacks by a senior employee at rival operator Cellcom, Britain’s National Crime Agency said in a statement, although there is no suggestion that Cellcom was aware of the activity. He pleaded guilty to creating and using a botnet, a series of computers connected in order to attack systems, and possessing criminal property last month. Kaye was sentenced on Friday at Blackfriars Crown Court in central London to two years and eight months in prison. While living in Cyprus, Kaye used a botnet he had created to trigger repeated distributed denial of service (DDoS) requests on Lonestar, causing the company to spend around $600,000 in remedial action. The additional impact of customers leaving the network caused the company to lose tens of millions of dollars in lost revenue, the NCA added. Following his arrest in February 2017, Kaye was extradited to Germany, where he also admitted to attacks on Deutsche Telekom that affected around 1 million customers in November 2016. “Daniel Kaye was operating as a highly skilled and capable hacker-for-hire,” Mike Hulett, Head of Operations at the NCA’s National Cyber Crime Unit, said. “His activities inflicted substantial damage on numerous businesses in countries around the world, demonstrating the borderless nature of cyber crime,” he added. “The victims in this instance suffered losses of tens of millions of dollars and had to spend a large amount on mitigating action.” Source: http://itblogr.com/hacker-who-took-down-a-nations-internet-jailed/
|
lynkyinka:Sure, add me up! |
FlyingTOMATOE:Here! Thanks!! |
Peterjosh:Apparently, link shorteners are being blacklisted here. Thanks to the mods/antispam bots. |
CeeKay17:I might not be able to perfectly communicate the level of ease, but It's definitely a possibility. My first route will be making a number of connections with US based recruiters on LinkedIn. They have access to numerous H1-B's for expatriate employment that don't even go obvious enough to make it into job boards. - Call that express entry If you have some unique coding, technical or application skills you can easily get a large corp sponsor you on any of these platforms: Kickstarter, Ycombinator, Gitlab/Github to mention a few. I have a friend who will be enroute to the San area in Cali this weekend. He got an awesome offer with Microsoft, He resumes next week. It's his first trip out of Naija too! |
hadizabala:By non-technical definition, the term hacking implies tweaking or making something work in the way it wasn't designed to. A simple 'hacking' experience in our everyday life can include something considered insignificant as removing the SIM card in your smart phone using a safety pin - The safety pin wasn't designed for that functionality, but yes! it works. In technical terms, I have abilities to tweak a computer into performing some 'off the record' tasks as a result of my input while leveraging ethics (within a legal, ethical,authorized and controlled environment). Drawing conclusions from both definitions, I am an ethical hacker. |
Wonderz1:If I get a Naira everytime someone asks me this question, I'll be friends with the Joneses by now. Not all cybersecurity professionals have or need coding skills. But without some knowledge of at least one language, you may find your path forward somewhat limited. As a cyber security expert, you also get to do code review for applications, you want to be familiar with what inputs are being called, if there are any sort of malicious injection within every line of code and 'the only way to find what you're looking for is to know what to look for' - Ayodejioak. I can bet you need at least some beginner or intermediate level of programming in the following languages in your Cyber Security Career: Python, JavaScript, HTML, C, C++, Assembly, PHP It's also cool to mention how getting the syntax of any programming language is the fastest approach towards learning them. If you're scared of starting, start with HTML. If you have Basic HTML/CSS experience, I recommend Python. Python is arguably the most useful as well as easy to learn PL in the history of coding. As a matter of fact I learnt basic python in 5 hours watching this youtube video - https:///2vPbMns . It could have been 4 hours but I love to play while working. ![]() |
mogbojaiye:Hi mogbojaiye, First and foremost, I must commend your giant stride towards chasing your IT dream by taking the entry level certification course for CompTIA A+ and N+. Before I answer your question, I want to make a distinct clarification: Certification body matters so much but unfortunately, many don't even understand - There is a difference between taking a Linux+ or A+ at NIIT or HIIT and actually taking the certification exam by CompTIA. NIIT and co are mere 'middle-men' trying to prepare you for the real exam. Yes, you get a certificate of completion, similar to completing a freaking JAMB tutorial and getting a signed document stating that, but can you get enrolled into Unilag with this document? Nope! I like that you mentioned CCNA also. I'm not sure what you mean by the branches of CCNA, but I'm sure this link - https:///2TiTFjq will help you learn more about the certification. If you are planning on writing the exam, In my opinion, the CCENT >> CCNA (ICND 1 &2) which is literally breaking the whole exam into two, looks like a better track. Speaking from experience, it is very possible to apply for a 100% remote job from Nigeria. Just have these 4 pieces in your backpack: Faith, Mind-blowing linkedin, goodluck/said skills, and lastly 'among many others' I admin a few blogs, apps, forums and other websites centered at IT which will be beneficial for both starters and seasoned IT professionals. I do not hoard information so I'll be giving out lots of content for free. Stay tuned. |
Apologies for the late response and mentions. Had to host the family for the holidays. Now let's get to the parts where questions get answered. |
Stan999:One great thing about studying in US how seamlessly easy it is to port across courses. You can literally be a biology major today then a Licensed pentester tomorrow. As a matter of fact, my first degree from Nigeria was something close to elect engr but my long nurtured passion propelled me to my IT dream.... So, I'll say 'Go for it!' Now, compensation is usually dependent on BOTH the state and firm for a simple reason: Big firms have targeted states for their HQs and branches. You won't find a freaking Microsoft HQ in the middle of Iowa, or utah. That being said, while everybody wants to secure a cybersecurity position in DC, TX, VA, and the rest of the premium cybersecurity US states, it is ideal to start somewhere then climb up the ladder in no time. |
Lorenzop:You know yourself much more than everyone else. If self study is your thing, go for it man. You remind me of my first certification ever, Usually everyone (even nerds) follow the CompTIA trifecta: CompTIA A+ --> N+ --> S+ but I felt my couple years of work as at then qualified me for a Security+ off the bat without having to go the long route. I gave self study a shot, and I was right! Don't hesitate to reach out |
You really don't have to follow the cybersecurity route. I have a colleague next to me, all he does is write python scripts for days and the rest is story. Its ideal to be comfortable your area of choosing, while applying these same principles to your expertise: Software dev, Digital design, LPN, Big data analysis, AWS, pen-testing or what ever rocks your boat! |
MPVGoddess:Great question. Most tribe have a saying that translates to the fact that every bad has an iota of goodness. That being said, I do more of giving out tips, tricks and fastest routes rather than bore you with epistle. 1. Enrol in a school (community colleges are way cheap) and major in CS - computer science. 2. While in school, start preparing for your entry level certifications ( CCNA, CompTIA N+ etc). The interesting fact is how your classes will overlap with some 80% of the certification coursework. I ll be digging deep very soon! |
IdaraCHODB:I think it's better if someone else gains more info from a public convo like this. Tho we can always find alternatives going forward. |
tolugar:Well, that's funny. I'll rather stick to the context of this topic! |
It's just another day here, working within the Blue team of one of America's largest IT firm, downing my Cheetos and my Maltina ($6 per bottle). I stopped biting, ask me anything!! Cc: lalasticlala, 1forall, CrazyMan
|
![]() I was among the pioneer corpers of Mangu camp, Plateau. Couldn't even explain how I completed the 3 weeks orientation. Come and see how corpers were lying just to get outta that shiithole. Imagine a man having menstrual imbalance!! ![]() |
Whats up with this Nairaland Antispam bot? |
In recent decades, there exist an imminent familiarity of terms like; Bluejacking (sending of unsolicited messages over Bluetooth-enabled devices, Clickjacking (A malicious technique of tricking users into clicking something different from what they perceive), Juice jacking ( A cyber attack wherein malware is installed on to, or data surreptitiously copied from, a computer device using a charging port that doubles as a data connection) and Pagejacking (illegally copying a legitimate website content to another website with the aim of replicating the original website) including an endless "jacking" list in computer security, but none like Formjacking. In September 2018, Formjacking was officially announced by Symantec Corp in this article (www.symantec.com/blogs/threat-intelligence/formjacking-attacks-retailers), with properly outlined records of massive widespread afterward. Formjacking, which is the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites, has been making headlines lately. Taking a closer look at the more technical aspects of formjacking and detail a new campaign affecting many top shopping sites, below is a typical example of a javascript injection for the primary purpose of formjacking. https://content.connect.symantec.com/sites/default/files/styles/blogs_inline_small/public/2018-09/Formjacking_Infographic_700.png The code shown collects the payment information entered by users on the website and posts it to the domain google-analyitics.org in the scenario. This domain is usually a typo-squatted version of the legitimate Google Analytics domain, google-analytics.com and very easily admissible by users. Taking note of the increasing number of payment information-stealing script injections available daily especially by script kiddies who have little or no technical understanding of injection attack, but skilled enough to make use of off-the-shelf tools and judging by the current security trends today, This was no news. The image below shows how the infection chain is implemented. https://news-cdn.softpedia.com/images/news2/payment-info-stolen-from-high-profile-store-users-via-formjacking-redirection-524154-2.png This attack chain is unique because it is the exact opposite of legacy supply chain formjacking attack which went viral during the evolution of the e-commerce industry, where attackers compromise popular third-party script library providers. As many websites load these scripts, with one compromise the attacker manages to load their malicious code on a large number of sites all at the same time. These script creates a script element and sets a fixed .js source which then forces the browser to load malicious obfuscated JavaScript from the original website, which in turn collects the entered payment information and posts it back to the attackers’ domain. The scripts are obfuscated for difficulty in detection and apply a hook onto forms on the website and collect all the information entered by visitors. The javascript also extracts the URL loaded in the browser and determines if the checkout page of the original site is active. If it has, the script sends the collected form information, which is now the payment information, back to the attacker-controlled domain. This version of a formjacking script was used in various high-profile breaches such as Ticketmaster UK, Shopper Approved, and Feedify. Prevalence In recent months, an uptick in formjacking attacks against high-profile websites across the globe have been noticed. Websites from security-conscious countries like the U.S., Japan, Germany, and Australia, among other countries, have also being injected with formjacking scripts. Conclusion Considering the current standpoint of this vulnerability, which allows attackers to gain unauthorized access to the customer's checkout information of large companies by exploiting the weaknesses in smaller businesses used by the larger company to provide different services, the big picture of this attack points to the fact that the actual number of infected websites is bound to be higher. Unfortunately for prospective and current victims. It is hard and almost impossible to tell the existence or extent of a formjacking attack as their websites continue to operate as usual, because attackers are sophisticated, stealthy and take advantage of the fact that this is a much more recent vulnerability. Source: http://itblogr.com/meet-formjacking-a-major-ecommerce-website-attack/ |
I appreciate the mods and those who took their time to show love and support, considering the fact that this write-up is officially my first and the R& D took only 3 hours. For those of you sounding like I told you my name is assistant God, forgetting i'm just another mere imperfect mortal like you, "Well done sir!" |


