Disposable mail security updates for 15 November – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.


WordPress limit-login-attempts XSS

This WordPress plugin logs the IP address of users that have multiple failed login attempts. However, instead of recording the actual IP address, the plugin can be made to log the value of the X-Forwarded-For header, which the client controls.

When the administrator of the WordPress installation later logs into the dashboard, the log is displayed to them without proper output filtering. This means that an XSS payload supplied as the header value is rendered in the administrator's browser. Additional reading.
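The two defects described above, a client-controlled header taken as the source IP and the log rendered without escaping, shown beside a hardened version. This is an added illustration in Python, not the plugin's code; the trusted-proxy list and the sample request are constructed for the example.

```python
import html
import ipaddress
from typing import Mapping

# Constructed for this example: the reverse proxies this site really sits behind.
# Only an X-Forwarded-For value added by one of these hosts is trusted at all.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_vulnerable(headers: Mapping[str, str], remote_addr: str) -> str:
    """Mirrors the behaviour described above: the raw header wins over the socket peer."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_hardened(headers: Mapping[str, str], remote_addr: str) -> str:
    """Return a client IP that is safe to store.

    X-Forwarded-For is only consulted when the direct peer is a trusted proxy,
    and the selected hop must parse as an IP address; anything else falls
    back to the TCP peer address, so arbitrary strings never reach the log.
    """
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    # A proxy appends the address it saw, so the last element is the one it added.
    candidate = xff.split(",")[-1].strip() if xff else ""
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


def render_log_row(ip: str, attempts: int) -> str:
    """Build the dashboard row. Escaping on output is the second line of defence,
    so even a value that slipped past validation cannot become markup."""
    return f"<tr><td>{html.escape(ip)}</td><td>{attempts}</td></tr>"


# Constructed sample: a direct client (not a trusted proxy) that sets the header itself.
SAMPLE_HEADERS = {"X-Forwarded-For": "<b>injected</b>"}
SAMPLE_PEER = "203.0.113.9"
```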

Expect-CT / Invalid Directive

During a scan of a website we check for several headers that we think improve security when set. For some we warn when they are missing; for others we only warn if the header is present but set to an invalid value.

Expect-CT has now been added to the list of headers checked for invalid values, after a Crowdsource community member submitted it to us. More information about the header.
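A validator for Expect-CT values of the kind such a check needs, as an added example that is not the scanner's own code. It follows the header's documented grammar (comma-separated directives, a required integer max-age, a valueless enforce, a quoted absolute report-uri); the exact token regex and the choice to flag duplicate and unknown directives are assumptions made here.

```python
import re
from urllib.parse import urlsplit

# Assumed token grammar, close to the header's ABNF: a directive name, optionally
# followed by "=" and either a quoted string or a bare token.
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z][A-Za-z0-9_-]*)\s*(?:=\s*(?:"([^"]*)"|([^\s",;]+)))?\s*$'
)


def parse_directives(value: str):
    """Split an Expect-CT value into (name, value) pairs with lower-cased names.

    Returns None when any directive is syntactically unparsable (for instance
    a trailing comma or a name with no value after "=").
    """
    pairs = []
    for raw in value.split(","):
        if raw.strip() == "":
            return None
        m = _DIRECTIVE.match(raw)
        if not m:
            return None
        name, quoted, bare = m.groups()
        pairs.append((name.lower(), quoted if quoted is not None else bare))
    return pairs


def validate_expect_ct(value: str) -> list:
    """Return a list of problems; an empty list means the value is valid."""
    problems = []
    pairs = parse_directives(value)
    if pairs is None:
        return ["malformed directive list"]
    seen = set()
    for name, val in pairs:
        if name in seen:
            problems.append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                problems.append("max-age must be a non-negative integer")
        elif name == "enforce":
            if val is not None:
                problems.append("enforce takes no value")
        elif name == "report-uri":
            parts = urlsplit(val or "")
            if parts.scheme not in ("http", "https") or not parts.netloc:
                problems.append("report-uri must be an absolute http(s) URL")
        else:
            # Browsers ignore unknown directives; a scanner flags them because a
            # misspelt "max-age" silently disables the policy.
            problems.append(f"unknown directive: {name}")
    if "max-age" not in seen:
        problems.append("max-age is required")
    return problems
```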

Spring Boot Path Traversal

Path Traversal bugs have received more and more interest from the security community, which has also led to more submissions from our Disposable mail Crowdsource white hat hackers. This one was added in the latest release.

One vulnerability leads to another…

After looking at Crowdsource submissions and keeping up with the security community in general, our development team also added security tests to check for CVE-2018-3760: Ruby on Rails Path Traversal and CVE-2018-1271: Spring Path Traversal. 

Spring Boot / Health Route Exposure

After the last security update, which included submissions related to Spring Boot, our further exploration led us to add more Actuator-style endpoints that are commonly exposed over the internet.


Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Login to check your assets.

Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Disposable mail security updates for 29 November – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

WordPress wp-backup-plus Database Disclosure

Yet another WordPress plugin that publishes the whole backup, available for anyone to download. This continues to be a problem and shows the importance of disabling directory listing.

jQuery-File-Upload ImageTragick RCE

jQuery-File-Upload continues to be mentioned in security update after security update, and we still get Crowdsource submissions on different ways it can be used to exploit a system. We are looking forward to a more elaborate write-up in the future.

Microsoft Thumbs.db Exposure

It is commonly known that Mac OS saves a file called .DS_Store in each directory that contains a list of all files in that directory. However, as you do not see that file by default when using Mac OS itself, people commonly upload it to websites by accident when they upload a whole folder.

Less known, although far from a secret, is that Windows has something similar called Thumbs.db. The file works in the same way and stores a thumbnail of every image in a directory, so it leaks which images exist even when the originals are not linked. People accidentally upload this file in the same way. Read more here: https://github.com/thinkski/vinetto

Struts

In this release our own security researchers spent some time fiddling around with Struts, implementing a lot of existing vulnerabilities and ensuring all the tests work as they should.


A security overview of Content Management Systems – 10 minute mail

Any developer would probably agree that Content Management Systems (CMS) make it easier for web development teams and marketing to work together. However, CMS assets like blog.company.com are also web applications and can be targets of hacker attacks. Why's that? Simply because they are based on commonly used technologies, communicate with end users, bring in organic or paid reader traffic and build brand awareness.

Many companies spend resources on securing their main applications and neglect to also audit the security of the CMS platform, because who would want to hack a blog? More often than not it is the technology rather than the content itself that is interesting to hack, which is why CMS security needs attention as well. Here is our overview, including expert advice from our security team:

Deciding between closed- vs open-source CMS platforms: 

Once you’ve decided to go with a CMS you’ll have to decide which vendor to go with and part of that is if it will be closed- or open-sourced. Cost and usability are key factors in the decision, but it’s also important to keep in mind the security maintenance expected to keep it up and running. Using an open-source program means that anyone can access the source code and there is freedom to make changes to the source code and customize it for your website needs. A lot of eyes on the code also means there are people out there interested in testing and breaking the code, especially in widely used platforms.

There are people out there testing the security of closed-source CMSes but it’s not at the same rate since they are only available with purchase; however, such platforms have internal security teams doing the testing and making fixes to keep up security. We receive vulnerability submissions for both closed- and open-sourced platforms from our Disposable mail Crowdsource community of 150+ handpicked white hat hackers.

Crowdsource module developer Kristian Bremberg reviews many of these submissions, and contrasts the two:

“Open source lets anyone look at the code, and therefore increases the chances of finding vulnerabilities. However, there’s no guarantee that the code will be reviewed by independent security researchers. Closed-source software is often owned by a company which spends money on internal code review and security testing.” A comparison of open- vs closed-source CMS tools

How to secure your CMS or blog site:

There’s a lot you can do to make sure security risks are alleviated when it comes to maintaining a CMS tool. We previously shared best practices on securing the Magento CMS application, and these same practices can be applied to any other CMS option too. Exploitation can be done through the hosting service, blog themes, plugins or extensions or user management, and it seems like a no-brainer to use the mentioned best practices:

Clean up your plugins

In addition to the mentioned measures, it's also imperative to ensure the plugins added to your CMS application are secure to use. If you don't use a plugin, uninstall it so it doesn't become a security risk. Many plugins are hobby projects that are only updated once in a while, which means they can become vulnerable without the owner's notice, and for that reason we recommend running automated scans that cover plugins. We often receive submissions for CMS plugins and it is something we are continuously open to receiving from our Disposable mail Crowdsource white hat hackers.

Scan your CMS platforms for common vulnerabilities

It's common for Content Management Systems to be hosted on a platform that's different from the main web application. For example, blog.company.com may be hosted on a CMS like WordPress which is not regularly monitored by a web development team, and the code may not always be reviewed after updates or added features. By using a tool like Disposable mail to check a CMS for vulnerabilities, a findings report will show any vulnerabilities that may exist in the web application, with remediation tips. A code-savvy marketer could then try to fix the issue on their own or share it with a web developer or agency for the issue to be resolved.

Additional best practices:

  • 2FA and requirements for complicated passwords
  • Always use the latest version of the software
  • Subscribe to product and security updates from the vendor via social media or mailing lists

Expert point of view: how secure are CMSes and plugins?

We asked our co-founder and top-ranked security researcher, Fredrik Nordberg Almroth, about CMS security and here is what he had to say:

“If I were to approach this [an open-source CMS], I would not start with the main application since this is where most security resources are spent and where most people are looking. I would look for other points of entry where few people are monitoring yet highly used like blog themes and plugins. In fact, plugins are the biggest concern, and small but chainable vulnerabilities are mostly here.”

Image: Disposable mail co-founder and top-ranked ethical hacker, Fredrik Nordberg Almroth, has legally hacked many tech giants including Google and Dropbox.

Fredrik Nordberg Almroth says:

“Exploiting such chained vulnerabilities can usually impact other assets and infrastructure not directly related to the affected CMS. An example could be a simple reflected XSS that can be used to steal login credentials, which may be used elsewhere on other systems, to a cookie XSS that affects sibling subdomains. Another example could be a server-side request forgery (SSRF) attack, that could be leveraged to access internal databases, CI systems and other internal assets.”

Although there is this risk whenever downloading a plugin or theme for open-source CMSes like WordPress and Joomla, Fredrik assures that in general open-source options are quite secure as long as you work proactively with security. There can be rare cases like Drupalgeddon 2.0 (CVE-2018-7600), and since they have high severity impact, they are often short-lived as patches are made as soon as possible to save the masses. CMSes that are SaaS-based are automatically updated making it even easier for users.

However, not everyone checks the compatibility and security of a plugin or bundled application, and popular ones are downloaded at least 50,000 times, so you can imagine the damage one web vulnerability could have. Some infamous examples include the bundling of the ImageMagick and CKEditor applications, where a hacker was able to achieve an RCE and an XSS respectively. When it comes to closed-source CMSes, there are fewer people looking at these systems outside of the product security teams, since one would need paid license access to get to the source code. However, vulnerabilities could be found by the vendor's own security testing activities or bug bounty hunters before a malicious actor gets to them.

Closing comments:

Overall CMSes are secure to use, and from a security standpoint, open-source platforms have an edge because they have more eyes examining the code and updates including security patches are automatic if they are web-based. If you have a CMS it’s most important to keep good user access security, use updated versions of the software and do research on plugins before using them.

CMSes are easy to use but can also be an easy way into your main application if its security is not monitored. Adding these pages like blog.company.com to the security scanning routine is a simple step to take to eliminate the risks.

Disposable mail is a SaaS-based web application scanner powered by ethical hackers. Our tool tests for 1000+ commonly found vulnerabilities including tests for WordPress, Joomla, Drupal, Liferay, Serendipity and other CMS and plugins/extensions. Have you checked the security of your CMS web applications? Try our tool for free and start securing your CMS today.


[PoC Video] jQuery-File-Upload: A tale of three vulnerabilities – 10 minute mail

TL;DR Three vulnerabilities in the second most starred JavaScript repository on GitHub, two of which are remote code execution, while the third makes it possible to permanently delete any file uploaded through jQuery-File-Upload. The latter is intended behaviour; however, our research suggests that user privacy is not respected, as uploaded content can easily be viewed by external actors.

Disposable mail Crowdsource has been working with three vulnerabilities in jQuery-File-Upload submitted by our security researcher community, and now we've implemented these security tests in the Disposable mail tool. Our research found that jQuery-File-Upload is included in several different platforms and not properly configured. The following Proof of Concept covers CVE-2018-9206, an unauthenticated arbitrary file upload vulnerability, and the remote code execution due to ImageTragick. Explanations of all three vulnerabilities follow.

CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability

This first vulnerability has been known for a few years, since 2015. But in 2018 a CVE was finally assigned and the vulnerability was brought to public attention as thousands of applications were found vulnerable to RCE via jQuery File Upload. The open-source file upload widget, jQuery-File-Upload, is the second most starred JavaScript repository on GitHub, after the jQuery JavaScript library itself. The core of CVE-2018-9206 is a vulnerability within the server configuration and PHP components of the project, not the JavaScript. While an RCE in JavaScript would be surprising, it's not as surprising in PHP.

The vulnerability is due to the code relying on Apache's .htaccess support, a per-directory configuration mechanism that can restrict how uploaded files are served or executed on an Apache web server.

# The following directives prevent the execution of script files
# in the context of the website.
# They also force the content-type application/octet-stream and
# force browsers to display a download dialog for non-image files.
SetHandler default-handler
ForceType application/octet-stream
Header set Content-Disposition attachment

# The following unsets the forced type and Content-Disposition headers
# for known image files:
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>

<...>

The above .htaccess is included in jQuery-File-Upload, and prior to version 9.22.0 it was the only protection against arbitrary file upload. The .htaccess file makes the browser download files with MIME type application/octet-stream (for example PHP files) instead of the web server executing them. This means that jQuery-File-Upload allowed any file to be uploaded, but not executed on the server, as it trusted the web server to enforce the restriction. After the patch, later versions check the type of file being uploaded in code.

However, the problem is that Apache stopped honouring .htaccess files by default in version 2.3.9 (the default became AllowOverride None), making the only protection useless unless it is explicitly enabled. If another web server is in use (for example Nginx), there is no protection at all, as .htaccess only works on the Apache web server.

An attacker can simply upload any file and it will be handled by the web server. This leads to remote code execution, as an attacker can upload PHP files and execute them.

Remote code execution due to ImageTragick

The second jQuery-File-Upload vulnerability had also been known within the hacking community for some years, but it did not become public knowledge until the project started to get attention due to CVE-2018-9206, as more people started looking into jQuery-File-Upload's code base. As the code makes use of ImageMagick to generate thumbnails, it may be possible to obtain remote code execution through Ghostscript (CVE-2016-3714, AKA ImageTragick). This is demonstrated in the video.

An attacker can upload the following Ghostscript file saved with one of the whitelisted extensions: PNG, GIF or JPG.

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ping example.com) currentdevice putdeviceprops

The server will then execute the command ping example.com. Note that the Ghostscript file will look a little bit different depending on the operating system, and the ping command works in most environments, making our automated tests very accurate in detecting this vulnerability.

Note that this is a vulnerability in a library that jQuery-File-Upload uses, and not in its own code.
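Both issues above share a root cause: the server trusted the file name and the web server configuration instead of looking at what was uploaded. The following added example (written for this post, not jQuery-File-Upload's own upload handler) shows an upload gate that rejects non-whitelisted and multi-extension names and then checks the file's leading bytes against the claimed image format, which is what catches a PostScript payload carrying a .png name. The whitelist, magic numbers and sample files are constructed for the example.

```python
import os

# Extensions the handler accepts, matching the whitelist mentioned in the post.
ALLOWED_EXT = {".png", ".gif", ".jpg", ".jpeg"}

# Leading bytes of each accepted format; the extension alone is not evidence of type.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a candidate upload.

    Three independent rejections: the extension is not whitelisted (so a .php
    file is never stored, whether or not .htaccess is honoured), the name has
    more than one extension (Apache's mod_mime can act on every extension in
    a name like shell.php.png), or the content does not start with the magic
    bytes of the format the extension claims (a %!PS header under a .png name).
    """
    base = os.path.basename(filename)          # strip any directory component
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension not allowed: {ext or '(none)'}"
    if "." in root:
        return False, "multiple extensions are not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not look like {ext[1:]}"
    return True, "ok"


# Constructed samples: a minimal PNG header, and the start of a PostScript file
# uploaded under an image extension, as in the ImageTragick case above.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PS_SAMPLE = b"%!PS\nuserdict /setpagedevice undef\n"
```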

An intentional but vulnerable feature

The third and last vulnerability found was an insecure direct object reference or IDOR vulnerability. One website owner responded that the issue was actually “intentional behaviour” but many users of jQuery-File-Upload may not know of the behaviour, making it risky to use.

Here's why: the endpoint that files are uploaded to can be requested with GET, and the server will respond with a JSON object listing all previously uploaded files. This exposes the file names, upload path, thumbnail and whether it is possible to delete each file permanently from the server. The response will look something like:

{"files":[{"name":"image.jpg","size":68549,"url":"http://example.com/image.jpg","thumbnailUrl":"http://example.com/thumbnail/image.jpg","deleteUrl":"http://example.com/server/php?file=image.jpg","deleteType":"DELETE"}]}

With this, a user can now view every previously uploaded file by requesting the value in the url key. It is also possible to delete any file by sending an HTTP DELETE request to the value in the deleteUrl key. This can easily be done with cURL:

curl -X DELETE http://example.com/server/php?file=image.jpg

When looking for websites using jQuery-File-Upload I came across a few cases where this “intentional behaviour” probably shouldn’t be “intentional”. One case was a dating site where users naturally uploaded images of themselves. By sending this request, I was able to view the whole user base of uploaded photos. In another case I was able to access all uploaded photos on a website which requires users to verify their identity by uploading a photo of their government ID or passport. I have reached out to Sebastian Tschan (the maintainer of jQuery-File-Upload) and all these websites which I found the vulnerability on.

Remediation

The first two issues have been fixed in the latest version of jQuery-File-Upload, and we recommend updating to the latest version as soon as possible. To remediate the last vulnerability, restrict access to the endpoint that files are uploaded to (usually server/php/index.php) if the uploaded files should not be publicly viewable.

Do you use jQuery-File-Upload on your web applications and you’re not sure if you have secured the code? You can check the code with Disposable mail now. Just log in here. Not a customer yet? No problem! You can sign up for your account and free trial today.


Disposable mail security updates for 13 December – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2018-14912: cgit Path Traversal

A vulnerability in cgit was recently made public by Google Project Zero. After getting it as a submission through Disposable mail Crowdsource we implemented it as a module. More information about the issue can be found here: https://bugs.chromium.org/p/project-zero/issues/detail?id=1627

CVE-2018-5006: Adobe AEM SSRF via SalesforceSecretServlet

Adobe AEM, also called Adobe Experience Manager, has previously had a few known vulnerabilities. Frans Rosén, one of our security advisors, has done a presentation on this here: https://www.youtube.com/watch?v=_j9ZEIodMDs

However, a new SSRF was published recently, and it has been implemented in the scanner alongside all the other research.

Apache Hadoop RCE

Read more about the story around this vulnerability here: https://securityaffairs.co/wordpress/77565/malware/hadoop-zero-day-exploit-leaked.html

jQuery-File-Upload related vulnerabilities

The last of the three! See the following blog post: https://blog.detectify.com/2018/12/13/jquery-file-upload-a-tale-of-three-vulnerabilities/


A few of the other things implemented…

  • CVE-2018-9845: Etherpad Authentication Bypass https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9845
  • Exposed Docker configuration file
  • Header-Based SSRF
  • URL-based Authentication Bypass


DeathRansom, started as a mere joke is now encrypting files! – Disposable mail news

A ransomware strain named DeathRansom, which was considered a joke earlier, has evolved and is now capable of encrypting files, cyber-security firm Fortinet reports.
After becoming actual malware, DeathRansom was backed by a solid distribution campaign and has been taking victims daily over the last two months.

Initially considered a joke – didn't encrypt anything

When it was first reported in Nov 2019, the DeathRansom version didn't encrypt anything and was deemed a mere joke. The infection left a simple ransom note, and even though some people fell for the scam and paid the ransom demand, it didn't do much of anything else.

All the user had to do was to remove the second extension from the file to regain access.

Now, a new version is released that actually works and will encrypt your files!

The developers seem to have evolved the malware further with a solid encryption scheme that works as actual ransomware.
According to Fortinet, "the new DeathRansom strains use a complex combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files."

Researchers and security experts are searching for key leaks and implementation faults in the ransomware.

The DeathRansom Author

Fortinet examined the DeathRansom source code and the websites distributing the malware payloads and was able to track down the ransomware author and developer.
The developer is a malware operator linked to various cyber crime campaigns over the past few years. Prior to DeathRansom, the malware operator used to infect users with multiple password stealers (Vidar, Azorult, Evrial, 1ms0rryStealer) and cryptocurrency miners (SupremeMiner).

Fortinet linked these crimes to a young Russian named Egor Nedugov, living in Aksay, a small Russian town near Rostov-on-Don.
Fortinet said, "They are very confident they found the right man behind DeathRansom, and that they found even more online profiles from the same actor which they didn't include in their report."

As of now, DeathRansom is being distributed through phishing emails. Fortinet says it's working on finding any faults in the encryption scheme of the ransomware and creating a free decrypter to help victims.

9 biggest web security news of 2018 – 10 minute mail

The year started off with a bang as the research on Meltdown and Spectre rendered almost all computing devices vulnerable. As the year moved on, Facebook, Magecart and 2FA alternatives were also part of security discussions. Here are our top 9 picks for the biggest web security news of 2018:

Image for top security news for 2018

1. Meltdown and Spectre

Meltdown and Spectre are collectively 3 critical vulnerabilities that had anyone with a computer made since 1995 on their feet. Meltdown (CVE-2017-5754) is a hardware vulnerability that attacks general memory data security, and the name was given due to the ability of the attack to "melt" security boundaries. Spectre (CVE-2017-5753 and CVE-2017-5715) is reported to affect every single computing device, as it's been verified that they affect Intel, AMD, and ARM processors. Their exploitation allows hackers to access passwords stored in a password manager or browser, personal photos, emails, private messages and even business-critical documents.

2. Facebook – “View As” feature

Facebook has been in the public eye on several big occasions this year, including the Cambridge Analytica scandal and Mark Zuckerberg's testimony in front of the US Congress about data privacy. The year wouldn't be complete without a hacker attack. In late September, 50 million people were automatically logged out of their Facebook accounts due to a hacker attack via the "View As" feature. The hackers began by exploiting the video uploading feature and eventually chained this together with a weakness in the "View As" feature. During this process a user token was generated for the person being "viewed as", when it wasn't intended to happen, and this token appeared in the HTML code. From there the hackers gained access to the user account and automated their attack, which eventually resulted in an activity spike that caught Facebook's attention in time to take action. In total, there were 3 bugs that the malicious actors were able to chain together to gain access to user tokens. When Facebook became aware of this, it forced a log out to reset tokens for 50 million users and an additional 40 million who were potentially affected. Whilst Facebook's logging and monitoring practices allowed it to act fast and alert users well, the company seems unwilling to take more security risks, as there are plans to add a cybersecurity company to their group.

3. Marriott – 500 million users had data stolen. Hackers had access since 2014

Going down as one of the largest data breaches to happen so far, 500 million Starwood guests had their personal details, such as names, addresses, passport information and emails, compromised by malicious hackers. Reports state the hackers were in the system back in 2014, before Marriott acquired the Starwood Hotel brand in 2016, and this has angered many security experts and people in general, knowing that SPG was aware of the issue and it failed to be addressed during the acquisition. The personal information taken was encrypted; however, given 4 years' time, one could be fairly certain that the hackers were able to decrypt the details. It's not certain whether Marriott was aware of this or not, but we can expect cybersecurity to be taken more seriously in future business acquisitions.

4. Another year of leaky S3 buckets, which led to AWS finally changing the privacy settings for bucket configurations

As in 2017, this year saw several high-profile companies, including FedEx and GoDaddy, fall victim to customer data leaks through cloud storage misconfigurations, especially of S3 buckets. These are usually the fault of the company that misconfigured the AWS S3 bucket, but we even saw a case where an AWS employee made the S3 bucket misconfiguration mistake for GoDaddy. The consequence: public exposure of highly sensitive information including GoDaddy's hosting infrastructure, operating system, workload and more, which gave out a lot of competitive intelligence. This finally prompted AWS to make changes to the bucket settings and make it easier for users to block public access to buckets.

5. Implementation of GDPR and Google and Facebook slapped with fines

2018 was also the year GDPR came into play, and this had all sorts of professionals scrambling to make sure their practices were compliant: lawyers were banking on new business, some opportunists upgraded their careers to become a DPO, and end users were bombarded with emails regarding GDPR, all before May 25th. There was no grace period for GDPR enforcement, as Google and Facebook were given fines immediately. Not only did GDPR get ordinary people to start thinking a bit more about the privacy of their personal details, but it has challenged companies to work more proactively with security.

6. Magecart and third-party javascript

Magecart, an online criminal hacker group, has been using cross-site scripting (XSS) tactics to inject malicious code into different online credit card forms. By doing so they've been able to steal sensitive information including, yes of course, credit card details and personal names. This method is used widely, and the companies compromised by this attack are many and include British Airways and Inbenta, a third-party JavaScript provider used by Ticketmaster. This serves as a good reminder to always check web applications for XSS, and especially third-party software, as Magecart does not show signs of stopping.

7. SMS 2FA not secure

Reddit was breached in June: attackers compromised employee accounts even though SMS-based 2FA was enabled. As Reddit's own report explains, the attacker intercepted the SMS messages carrying the one-time codes and used them to log in. This prompted a wide discussion about which kind of 2FA is actually needed. Reddit's own advice is to use token-based 2FA (an authenticator app or hardware key) and strong passwords. You can find these tips and more in our tips for secure remote work.
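"Token-based 2FA" in practice means an authenticator app or hardware token that computes a time-based one-time password locally, so no code ever crosses the phone network. To show what that involves, here is an added example (not code from the original post or from Reddit) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus the constant-time verifier with a small clock-skew window that the server side needs. It uses the test secret published in both RFCs, so the values it produces can be checked against the standards.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library.

This is the token-based second factor an authenticator app computes: the
server and the app share a secret, and the code is derived from it and the
current time, so nothing is sent over SMS that could be intercepted.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, per RFC 4226."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, floor(T / step)), per RFC 6238."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, now: float, step: int = 30,
                window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or up to
    `window` steps either side (clock drift), comparing in constant time."""
    step_now = int(now) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, step_now + delta)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the secret as base32 in otpauth:// URIs."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)              # restore stripped padding
    return base64.b32decode(cleaned)


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(RFC_SECRET, 0))      # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(RFC_SECRET, 59))     # 287082 per RFC 6238
    print("TOTP right now :", totp(RFC_SECRET, time.time()))
```

In a real deployment the secret must be generated from a CSPRNG per user, stored encrypted, and a used code should be rejected if presented again within the same step; the window of one step either side is the usual trade-off between tolerating phone clock drift and widening the attacker's guessing window.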

8. Drupalgeddon

A critical remote code execution vulnerability was found in Drupal (CVE-2018-7600), aptly named Drupalgeddon 2. It affects Drupal 6, 7 and 8, and if exploited the attacker gains access to all non-public data and can modify or delete content. According to the official advisory, updating Drupal alone will not remove backdoors or repair a site that was already compromised. Anyone affected therefore had to update immediately and also run their own checks to find and clean up any compromise.

9. Stop playing security whack-a-mole

Parisa Tabriz, Director of Engineering at Google, opened this year's Black Hat USA by calling on everyone to invest in long-term defensive security. Rather than playing what she called security whack-a-mole, fixing issues one at a time as they surface, companies need strategic and proactive work to stay secure. She cited Google's Project Zero as an example of using offensive research to improve defences, leading to more transparency and collaboration that ultimately makes end users safer. Companies should build ongoing security processes, invest in training, build up security champions and develop a security culture in the organisation. Some argue security also needs to be considered earlier in the development cycle, which is the argument for adopting DevSecOps.

What can we expect next year? We asked our security researcher and technical content writer, Linus Särud:

In 2019, we can expect more cloud-related issues on the rise as well as misconfigurations with third-party providers. They may not necessarily be from S3 bucket leaks due to the changes, but could be of similar nature.

Serverless, microservices and APIs are the “new thing” and we can expect an acceleration in migration over to these services. As a consequence we anticipate more SSRF attacks. When companies go serverless and the traditional RCE is no longer possible, SSRF takes its place. It can be used to request internal servers and steal tokens or credentials used for cloud configurations. In early 2018, Google was vulnerable to this. Here is another write-up on how SSRF can be a problem when running on Amazon, causing the cloud to rain credentials.

Lastly, we expect more subdomain takeovers to occur, and while this has been hyped for a long time there will be a lot left to discover in this area. On the positive side, we anticipate more awareness of cloud security risks and the continued rise of DevSecOps, where security is considered earlier in the development cycle and companies apply proactive defence instead of reactive measures, enabled by more automation and testing. There will be more open discussion about personal data management because of the GDPR, the NIS directive and other security regulations. People will start to think differently about the security of personal information, in a more protective way, which is a good thing!
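The SSRF prediction above deserves a concrete illustration of the defence, because the "steal cloud credentials" part hinges on one detail: on the major clouds the instance metadata service lives at the link-local address 169.254.169.254, and it hands temporary credentials to anything on the instance that can reach it. The following is an added example (not code from the original post) of the validation a server should run before fetching a user-supplied URL. It rejects non-HTTP schemes, blocked hostnames, IP literals in private or link-local ranges (including IPv6-mapped forms), and hostnames that resolve to such ranges, and it returns the single address the caller must then connect to, so that a second DNS lookup cannot be rebound to an internal host. The resolver is injectable; the one used in the example, the partner.example and attacker.example names, and the decimal-IP entry are constructed for the example, not real DNS.

```python
"""SSRF guard for user-supplied URLs: block cloud metadata and internal hosts.

Validation happens before any connection is made. Name resolution is
injected so the check runs offline here and so the caller can pin the
resolved address it actually connects to (no DNS-rebinding TOCTOU).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges that must never be reachable through a user-supplied URL.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local: 169.254.169.254 is cloud metadata
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
    "::ffff:0:0/96",           # IPv4-mapped IPv6, e.g. [::ffff:169.254.169.254]
)]
# GCP's metadata name resolves to 169.254.169.254; block it by name as well.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}


def is_blocked_ip(ip) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """Real resolver: every address the name maps to (attackers can return
    one public and one internal record, so all of them are checked)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url: str, resolver=resolve_all) -> str:
    """Return the IP the caller should connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname            # strips userinfo, port and IPv6 brackets
    if not host:
        raise ValueError("missing host")
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        raise ValueError(f"host {host!r} is blocked")
    try:
        ips = {str(ipaddress.ip_address(host))}      # IP literal
    except ValueError:
        ips = set(resolver(host))                    # hostname
    if not ips:
        raise ValueError(f"host {host!r} did not resolve")
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"host {host!r} maps to blocked address {ip}")
    return sorted(ips)[0]


# Constructed resolver stub for this example (no network access).
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "rebind.attacker.example": ["203.0.113.20", "10.0.0.5"],  # one public, one internal
    "2852039166": ["169.254.169.254"],  # decimal form of the metadata IP; libc
                                        # resolvers accept it, so it must be caught
}


def fake_resolver(host):
    return FAKE_DNS.get(host.lower().rstrip("."), [])


def check(url, resolver=fake_resolver):
    """Return (allowed, detail): the pinned IP when allowed, else the reason."""
    try:
        return True, validate_outbound_url(url, resolver)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for url in ("https://api.partner.example/v1",
                "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                "http://metadata.google.internal/computeMetadata/v1/",
                "http://[::ffff:169.254.169.254]/", "http://2852039166/",
                "http://rebind.attacker.example/", "file:///etc/passwd"):
        print(check(url), url)
```

Connecting to the returned IP (with the Host header set to the original name) is what closes the rebinding hole; validating and then letting an HTTP library resolve the name again reopens it. Redirects must be re-validated hop by hop as well. Since this post was written, AWS has added IMDSv2, which requires a token obtained with a PUT request before metadata is served, so a GET-only SSRF can no longer reach the credentials; enabling it is a worthwhile second layer, not a replacement for the check above.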

Here's to an even more secure 2019! Is your team equipped with all the tools to make 2019 a secure year? You can automate some of your security checks using Disposable mail. Ready to give us a try? Sign up for a free trial.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Privacy Alert! Xiaomi’s Security Cameras Not All That Secure? – Disposable mail news

If you think that having a security camera at home means you are safe, think again; you may not want to doze off in your chair quite so freely!

Xiaomi hit the headlines when one of its security cameras showed a still of a man sleeping in a chair, on a stranger's screen.

Xiaomi, the global giant known for selling capable products at low prices, had earlier launched a “Home Security Camera”. As security cameras become more common, their privacy and security remain a major concern.

The Xiaomi Home Security Camera, which offers 1080p recording, infrared night vision, AI motion detection and more, turned out to be a little too connected: when viewed on a Google Nest Hub it displayed pictures from other people's cameras.

Reportedly, the issue surfaced when a user reported that his Xiaomi Security Camera, cast to his Google Nest Hub, showed still images from someone else's camera, including “a man sleeping in his chair”.

The user said the Nest Hub and the Xiaomi Security Camera were newly bought, and that the camera was running firmware version 3.5.1_00.66.

In response, Google disabled Xiaomi integrations on its devices. Until then, users could link the Xiaomi Home Security Camera to their Google account through the Mi Home application and view it on Nest devices.

Xiaomi, apparently caught off guard by Google's response, quickly issued a statement saying it had fixed the issue, which it attributed to a “cache update”.

The update, intended to improve streaming quality, instead ended up showing stale images “under poor network conditions”. In other words, cached frames were served to the wrong account, which is the usual shape of a cache-keying bug: cached content that is not scoped to the requesting user or device.

Per sources, the company said that over 1,000 users had the integration enabled and that only a “few” with very poor network connections were affected.

Xiaomi reportedly said it had itself suspended the service and informed Google.

Xiaomi stressed that the conditions under which this happened are extremely rare, that the situation is under investigation by its security team, and that the issue does not occur at all when the camera is viewed in the Mi Home app.

Xiaomi also stated that users' privacy and security have always been paramount to it, expressed deep regret over the still images shown when connecting the Mi Home Security Camera to the Google Home Hub, and apologised to affected users.



Top 5 Best WiFi Analyzer for Windows 2020 (100%Working) – 10 minute mail

Best WiFi Analyzers: Have you ever wondered why there are so many spots at your house, office, college or hostel where there is no internet connection, or where the WiFi signal is weak and unreliable? Your router should be able to cover those spots, yet you get no signal. Mysterious, right? A few steps back you get full speed, a few steps forward you have lost the signal. In this article we discuss why this happens and how to fix it, usually by placing your WiFi router in the right spot, using these free WiFi analyzer programs and apps for Windows 7/8 and Windows 10.

Top 5 Best WiFi Analyzer for Windows 7/8/10

Most internet users rely on a wireless router to connect their smartphones, laptops and other devices. Most people secure the connection by setting a password on the router, which a device must supply to connect. This keeps strangers from using the internet you are paying for!

However, some people use unethical methods to get onto your router and start using your connection, which reduces the speed available to you. Finding out who is connected, and from where, is not obvious. A WiFi analyzer running on your Windows PC helps with part of that problem: it shows you the networks, channels and signal strengths around you, so you can spot unknown access points, avoid crowded channels and see how far your own signal reaches. A practical caveat: the list of devices actually connected to your router comes from the router's own admin page, not from a WiFi analyzer, and the real fix for freeloaders is WPA2 with a strong passphrase and WPS turned off. There are a number of such tools available; we have shortlisted some of the best WiFi analyzers for your Windows PC.


Why use a WiFi analyzer?

A WiFi analyzer is a program or app that measures the WiFi signal at your workstation, home or office and helps you solve the problem of poor speed. Running one of these Windows WiFi analyzer tools on a laptop lets you optimise the network for maximum performance. You can check your internet speed at speedcheck. The analyzer then helps you place your WiFi router, and choose a channel, so that you get the best speed and coverage.


Here are some of the best WiFi analyzers for your Windows PC:

#1 NetSpot

NetSpot : WiFi Analyzer

This is one of the best WiFi analyzers thanks to its remarkable feature set. The free edition lets you use the core features without paying a penny. There are also premium editions: Home, Pro and Enterprise. The Home edition costs $49, the Pro edition $149 and the Enterprise edition $499. Each edition has its own unique features on top of the basics.

The user interface is quite intuitive. On scanning, it lists the access points around you with their details (SSID, channel, signal level, security) and, in survey mode, lets you walk around with a floor plan and build a heat map showing where your signal is strong and where it drops off. You can download NetSpot for your Windows PC from HERE.

#2 Xirrus Wi-Fi Inspector 2.0

Xirrus: WiFi Analyzer

Xirrus Wi-Fi Inspector 2.0 is another useful WiFi analyzer and comes with quite a few unique features. It is widely used, with over a million users worldwide, and runs on Windows 7 and later. Some of its most useful features:

1. It locates WiFi access points near you.

2. The troubleshooting tools are easy to use.

3. It helps track down WiFi connectivity issues.

4. It detects rogue access points near your network.

You can use a trial version of this software before upgrading to the premium version. Note that its speed test requires Adobe Flash Player, which reached end of life at the end of 2020 and is no longer supported, so that feature will not work on a current system. You can download Xirrus Wi-Fi Inspector 2.0 for your Windows PC from HERE.

#3 WiFi Scanner

WiFi Scanner

If you want to manage your WiFi network in the easiest way possible, give WiFi Scanner a try. It performs some useful tasks:

1. It scans nearby networks and compiles detailed information, so you can diagnose connectivity issues by comparing their settings (channel, signal, security) with yours.

2. Its speed test checks the upload and download speed your router delivers to your Windows PC.

You can download a trial version and then upgrade to the premium version for around $15. You can download this software for your Windows PC from HERE.

#4 WifiInfoView

WiFi Info View

WifiInfoView, a free tool from NirSoft, provides extensive information about the networks near you: network name (SSID), MAC address, signal quality, frequency, channel number, maximum speed and so on. You can inspect each network individually or use summary mode to list all scanned networks together.

You can download this software on your Windows PC from HERE.

#5  WiFi Analyzer for Windows 10

WiFi Analyzers for Windows 10

WiFi Analyzer for Windows 10 is officially available in the Microsoft Store, and you can download it for free from there. It turns your Windows 10 laptop into an analyzer that scans your office, house or hostel for access points. The app is free to download and use, but some additional features are reserved for the premium version. Run it on the Windows version it was built for and you will get the best results.


Conclusion:

These were some of the best WiFi analyzers for Windows PCs in 2020. They are compatible with Windows 7/8/10, and some also run on other operating systems such as macOS. Try them out and see which one suits you best; each has a feature that makes it stand out from the crowd.

If you know of another useful free WiFi analyzer that is not mentioned above, please let us know in the comments section below.


Disposable mail Year in Review 2018 – 10 minute mail

It’s been a great year for Disposable mail and there’s a lot that’s happened for us as we continue to grow our teams and business. Join us for a proverbial toast to the year as we share a recap of our highlights: Disposable mail year in review 2018

Successfully raised 5 million EUR in March 2018

In March, we were pleased to announce a successful series A funding round that raised €5 million led by New York-based venture capital and private equity firm, Insight Venture Partners. Our existing investors, Paua Ventures and Inventure, also participated in the funding round. The investment supports Disposable mail’s international expansion and continued R&D.

Over 50,000 vulnerability findings from Disposable mail Crowdsource submissions

In its second year, the Disposable mail Crowdsource white hat hacker platform has welcomed several high-profile hackers to our community. This year we created 185+ new security tests from our Crowdsource vulnerability submissions and these have generated over 50,000 unique findings in our client scan profiles. Want to meet a couple of our hackers? Check out our Meet the Hacker interviews with Gerben and Fredrik on the Disposable mail Youtube channel.

4 Hacker Schools

Knowledge sharing is a key part of the Disposable mail culture and part of our strategy on how to help our clients improve their own security skills and stay updated on our company happenings. For this reason, we started hosting Hacker Schools in our Stockholm office and invited our valuable customers to show our appreciation for our partnerships. This year our events featured hacker talks from our Disposable mail Crowdsource members, Gerben Janssen van Doorn, Carl Svensson, Frans Rosén (Disposable mail Security Advisor) and Fredrik N. Almroth (Disposable mail Co-founder). We also invited Spotify, Pipedrive and SBAB to speak about how they work with Disposable mail in their teams. We noticed that the concept took off this year and we started to see our office become a meeting point for Stockholm security professionals to network and exchange best practices on how to make their own organizations more secure. We look forward to more in our new office in 2019!

Image: Disposable mail co-founder Fredrik Nordberg Almroth speaking at Hacker School

Image: Collage of Hacker Dinner events at MEATMission in London, Stack in Las Vegas and REM Eiland in Amsterdam

Internationally hosted Hacker Dinners

We now have customers in 50+ countries and to build upon this presence, we hosted exclusive Hacker Dinner events in some of our up-and-coming country markets, including London, Las Vegas and Amsterdam. We brought some of our Disposable mail Crowdsource white hat hackers together with security professionals to dispel some myths about the hacker profile, talk about cool hacks and show how powerful crowdsourced security can be. These dinners also featured live lightning talks from Disposable mail's own co-founder and security researchers, Fredrik N. Almroth, Linus Särud and Frans Rosén.

We attended 31 events with speaker or panel spots at 27 of these.

Highlights for the year include Frans Rosén's keynote talk at AppSec EU and our debut at Black Hat. These events ranged across app- and info-security conferences, client-side inspirational sessions and developer knowledge events. We gained a lot of security knowledge and shared our company swag with new friends to tag them with #gohackyourself. Martina, Disposable mail software engineer, has continued to show other security-interested developers how she previously hacked her own code to strengthen her coding skills at Code Night and at two events dedicated to women who code, Technigo and PyLadies Stockholm. We look to continue supporting the security community and security-interested folks, share our product and research with everyone and keep pushing automation forward. We've created an events page where you can follow us on the road! Our CMO, Yasmin Tilles, has also shared the marketing secrets of Disposable mail in keynote presentations at various conferences, including Conversion Jam and Business Model Summit.

Disposable mail achieves advanced technology partner status with AWS

We are now recognized as an advanced technology partner at Amazon Web Services and we were granted pre-authorization for application vulnerability scanning of AWS hosted applications.

Implementing Practical web cache poisoning module

In August, Portswigger security researcher James Kettle published research that got a lot of attention from the security and developer world. Web cache poisoning had long been thought of as a theoretical threat that a developer ought to keep in mind but never really took seriously. Kettle showed how such vulnerabilities can be exploited in practice, and our security research team implemented tests to detect them, along with several related authentication bypasses.

API v2

Security should be easy to integrate into the development process and to make it easier for our customers we updated the API to version 2.0. This allows you to easily trigger scans and get Disposable mail data, all while supporting the standard REST format. Integrating it is easy as you can generate the API keys directly in the Disposable mail tool. This option is available for our professional and enterprise plans, and you can read the API v2 documentation here.

Added Domain monitoring service and 6 SAML integrations

We added Domain Monitoring Service (DMS) as a regular feature in the Disposable mail tool. It started with a customer request in order to monitor security issues on abandoned or forgotten domains.  We realized the potential and need for this and rolled it out as a regular feature in our tool. We also made it even easier for some teams to access the Disposable mail tool by building six different Security Assertion Markup Language (SAML) integrations including G-Suite and Onelogin.

Rebuilding of the dashboard & account completion

This year we took in a lot of helpful customer feedback to rebuild the tool into a more intuitive interface and continue to drive transparency while encouraging continuous monitoring. On the dashboard, users now see the Latest Scanner Updates and features posts from our Disposable mail Blog and Disposable mail Labs.

Image: new dashboard widgets showing newly added security tests and new content

We also added the “Account Completion” guide at the top menu to show you whether your Disposable mail account has been fully set up yet, to ensure you are not missing out on the best bits of our tool.

Image: the account completion menu in the Disposable mail tool

Let’s Encrypt SSL-certificates, GraphQL, Upload Policies and bypassing HTTPS

Our top story on Disposable mail Labs from 2018 came from Disposable mail Security Advisor and top-ranked white hat hacker Frans Rosén. His research showed how he exploited the ACME TLS-SNI-01 challenge to issue Let's Encrypt TLS certificates for any domain hosted on shared hosting. Other popular research included GraphQL abuse, bypassing upload policies and signed URLs, and MITM regardless of HTTPS.

CORS misconfigurations

Our top article from 2018 on the Disposable mail Blog was an explanation of CORS misconfigurations by Disposable mail Security Researcher and Technical Content Writer Linus Särud. CORS is a browser mechanism controlled by response headers the web server sets, chiefly Access-Control-Allow-Origin, and the article walks through the most common ways to get them wrong, such as reflecting whatever Origin the request carries while also allowing credentials. View the article here.

20+ new employees and 18 different nationalities

It’s been a year of adding (a lot) more new faces to the team. In fact, we’ve welcomed 22 new colleagues so far in 2018 with many added to our tech teams. Diversity is a key part of our company as we are made up of 18 different nationalities at Disposable mail, and 40% of us are female! Want to join us? Check our job openings here.

A new and bigger office!

We were operating at capacity in our old office, bribing one another for meeting rooms and getting creative with the space to squeeze in more people. In December, our new and larger office was finally ready, and now we have a lot more room for more of us.


Jury’s choice of Most Promising Cybersecurity Solution and Hottest Nordic Startups List

Our CCO Carl Svantesson was invited to pitch our company at PwC's Cybersecurity Week in Luxembourg and won the prize of Most Promising Cybersecurity Solution – Jury Award! Thank you, Luxembourg! We were also listed as one of the hottest Nordic startups to watch in 2018 by Business Insider Nordic and Dagens Industri (in Swedish).

What a great year it's been and we are looking forward to even bigger and better things next year! Will you join us on this journey in 2019?

