Rashomon of disclosure
In a world of changing technology, there are few constants - but if there is one constant in security, it is the rhythmic flare-up of discussions about disclosure on the social-media-du-jour (mailing lists in the past, now mostly Twitter and Facebook).Many people in the industry have wrestled with, and contributed…
How to Phish for Social Media & Other Account Passwords with Blackeye
Social media accounts are a favorite target for hackers, and the most effective tactics for attacking accounts on websites like Facebook, Instagram, and Twitter are often based on phishing. These password-stealing attacks rely on tricking users into entering their passwords into a convincing fake webpage, and they have become increasingly…
Hacking macOS: How to Bypass Mojave’s Elevated Privileges Prompt by Pretending to Be a Trusted App
The macOS 10.14 security update tried to make parts of the operating system difficult for hackers to access. Let's take a closer look at how this new feature works and what we can do to spoof the origin of an application attempting to access protected data. Apple introduced some security…
Podcast Episode 39: Headless eCommerce, Scaling for eCommerce Growth with Topher DeRosia
Topher DeRosia is the Developer Evangelist for BigCommerce and a frequent WordCamp speaker. He’s worked with WordPress for a long time and is the man behind HeroPress, telling the stories of people whose lives have been transformed by WordPress. HeroPress is now syndicated on WordPress.org/news, bringing these inspirational stories…
New Research: Lessons from Password Checkup in action
Posted by Jennifer Pullman, Kurt Thomas, and Elie Bursztein, Spam and Abuse researchBack in February, we announced the Password Checkup extension for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4…
OS X forensic acquisition: a basic workflow
OS X is, in effect, a *nix based system. Therefore the forensic image acquisition processes are very similar to those used on Linux systems.Today I’d like to share my personal acquisition workflow for Apple Mac systems. ‘Light’ evidence collection A first assessment could be performed with a ‘light’ acquisition tool,that…
Cloudflare Global Network Expands to 193 Cities
Cloudflare’s global network currently spans 193 cities across 90+ countries. With over 20 million Internet properties on our network, we increase the security, performance, and reliability of large portions of the Internet every time we add a location.Expanding Network to New CitiesSo far in 2019, we’ve added a score of…
Meet Bluetana, the Scourge of Pump Skimmers
“Bluetana,” a new mobile app that looks for Bluetooth-based payment card skimmers hidden inside gas pumps, is helping police and state employees more rapidly and accurately locate compromised fuel stations across the nation, a study released this week suggests. Data collected in the course of the investigation also reveals some…
Microsoft CTF protocol can be exploited on all Windows versions
Google Project Zero disclosed a vulnerability in CTF, a Microsoft protocol used by all Windows versions since Windows XP that can be exploited with ease. What is CTF? What CTF stands is currently unknown: it is part of of the Windows Text Services Framework , that manages the text shown…
Building a GraphQL server on the edge with Cloudflare Workers
Today, we're open-sourcing an exciting project that showcases the strengths of our Cloudflare Workers platform: workers-graphql-server is a batteries-included Apollo GraphQL server, designed to get you up and running quickly with GraphQL.Testing GraphQL queries in the GraphQL PlaygroundAs a full-stack developer, I’m really excited about GraphQL. I love building user…
How to Beat LFI Restrictions with Advanced Techniques
One of the most common web application vulnerabilities is LFI, which allows unauthorized access to sensitive files on the server. Such a common weakness is often safeguarded against, and low-hanging fruit can be defended quite easily. But there are always creative ways to get around these defenses, and we'll be…
Patch Tuesday, August 2019 Edition
Most Microsoft Windows (ab)users probably welcome the monthly ritual of applying security updates about as much as they look forward to going to the dentist: It always seems like you were there just yesterday, and you never quite know how it’s all going to turn out. Fortunately, this month’s patch…
Podcast Episode 38: Automattic Buys Tumblr from Verizon
The Wall Street Journal reported on Monday, August 12, 2019 that Verizon is selling social media and blogging platform Tumblr to Automattic for an undisclosed sum, though rumors state that it may be as low as $3 million dollars. After the announcement, Automattic CEO Matt Mullenweg discussed the news on…
On the recent HTTP/2 DoS attacks
Today, multiple Denial of Service (DoS) vulnerabilities were disclosed for a number of HTTP/2 server implementations. Cloudflare uses NGINX for HTTP/2. Customers using Cloudflare are already protected against these attacks.The individual vulnerabilities, originally discovered by Netflix and are included in this announcement are:CVE-2019-9511 HTTP/2 Data DribbleCVE-2019-9512 HTTP/2 Ping FloodCVE-2019-9513 HTTP/2…
Magic Transit makes your network smarter, better, stronger, and cheaper to operate
Today we’re excited to announce Cloudflare Magic Transit. Magic Transit provides secure, performant, and reliable IP connectivity to the Internet. Out-of-the-box, Magic Transit deployed in front of your on-premise network protects it from DDoS attack and enables provisioning of a full suite of virtual network functions, including advanced packet filtering,…