Security

The protection resistance is matter of time, money or opportunities. Anything is vulnerable directly or indirectly.

on ne peut chiffrer ou déchiffrer une donnée, l'inscrire ou la supprimer d'une mémoire sans apporter et déposer une trace sur l'ordinateur, sans modifier et prendre quelque chose qui s'y trouvait auparavant.

— Zythom: Le principe de l'échange de Locard

It's cheaper to get hacked than build strong IT defenses

— Sad reality: It's cheaper to get hacked than build strong IT defenses • The Register

I sense a weak password

areoplanes include strict systems to separate the cabin from the cockpit [...] concept of "security domains"

— When fictional worlds are an accurate representations of IoT security – LearntEmail

We had cryptographic potatoes for dinner. They were salted and hashed.

— Andromeda Yelton

Don't trust anyone

• The Bare Minimum of Security

Resources

• Template:Information security — Wikipedia

• Articles - CGSecurity

• Mozilla Observatory

• Defence in depth — Wikipedia

• Slides and code and Erlend Oftedal's stuff on Github

• CERT Vulnerability Notes Database

• Hack-with-Github/Awesome-Hacking: A collection of various awesome lists for hackers, pentesters and security researchers

• A practical guide to securing macOS

• Free OS X Security Tools Objective-See

• IP lists of suspicious activities (some lists are non-free) I-BlockList | Home

• Wiki Pages - html5security - HTML5 Security Cheatsheet - Google Project Hosting

• CS253 - Web Security - Stanford course for a comprehensive overview of web security

Web security

• A practical security guide for web developers

• Projects/OWASP Secure Web Application Framework Manifesto/Releases/Current/Manifesto - OWASP

• HTML5 Security Cheatsheet and HTML5 Security Cheatsheet

• The Open Web Application Security Project - OWASP

• Everything you need to know about HTTP security headers - Appcanary

Data access and integrity

See Data access and integrity

Malware

Types: ransomware, etc.

SMTP stands for Simple Malware Transport Protocol.

— Kevin Beaumont

• Detect and report ransomware: Crypto Sheriff — The No More Ransom Project

• [How malware bypassing anti-viruses work](Straight Pole + Curved Hole Illusion.mp4)

• Malware — Wikipedia

• svent/jsdetox: A Javascript malware analysis tool

• Microsoft Malware Protection Center - How Microsoft antimalware products identify potentially unwanted software

• Malware Domain List

• Marco Cova's Blog » malware

• zynamics.com - BinDiff

• Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads

• Evolved DNSChanger malware slings evil ads at PCs, hijacks routers • The Register

• Massive AdGholas Malvertising Campaigns Use Steganography and File Whitelisting to Hide in Plain Sight | Proofpoint

• Mac Malware of 2016 - Objective-See

• RAA - An entirely new JS ransomware delivering Pony malware - ReaQta https://news.ycombinator.com/item?id=11934717 https://gist.github.com/Antelox/020c727e1917bd018441cb6425cae397

• FotoForensics - Malware

• Helpful(?) coding tips from the CIA’s school of hacks | Ars Technica

DDoS

Could be a protest, a capabilities test, etc.

• Definition of DDoS, Attack Types & Characteristics Glossary | Corero

• Denial-of-service attack — Wikipedia

10MB + 10x CC to the same email = 100MB into the inbox while you sent only 10MB

Subscribe to more than 1000 mailing-list will flood your mailbox

SPAM and Phishing

A targeted fishing after a smartphone has been stolen, to get unlocked the protection This is what Apple should tell you when you lose your iPhone

• Warning: beware of fake TibiaMaps.io copies! · TibiaMaps.io - Phishers copy site, add malware, & buy Google ads to make them appear above the original website in search results

• Phishing — Wikipedia

• Email spoofing — Wikipedia

• authenticate your email domain with SPF

• Protect domains that don’t send email - GOV.UK

Report

Return-Path: <user@sender.com>
Delivered-To: user@receiver.com
Received: ...
Received: ...
Received: ...
Received: from [AA.BB.CC.DD] (port=54579 helo=blah.com)
	by emailrelay.com
	(envelope-from <user@sender.com>)
From: Sender <user@sender.com>
To: "Receiver" <user@receiver.com>
Subject: SPAM

whois AA.BB.CC.DD, search for OrgAbuseEmail to report an abuse or use the address abuse@AA.BB.CC.DD

• internet-signalement.gouv.fr - Portail officiel de signalements de contenus illicites - Accueil

• Phishing Initiative

• Report a Suspected Web Forgery hl=en&url=http%3A%2F%2Fexample.com

• Signal Spam

• Report Phishing | APWG

Wi-Fi

• KisMac2 – security tool for Wi-Fi https://github.com/IGRSoft/KisMac2

Harassment

Aka spontaneous events, flash mob, strike, protest, sit-in (sit-in against a business , DoS IRL), SPAM, unsolicited, etc.

Could handle the mass of people, crowd overtake

Issues: health, order, safety, etc.

• Spoofed Grindr Accounts Turned One Man's Life Into a 'Living Hell' | WIRED

• Thousands attend Mexican girl's 15th birthday party after social media invite goes viral

• Girl, 14, fears 21,000 party guests after Facebook invite blunder - Telegraph

• 1,500 People Attend Girl's Birthday Party After Public Facebook Invite

• Harassment — Wikipedia

• Wrong Number Puts Rotterdam, NY, at Center of Turkey-Netherlands Rift - People call the wrong phone number, Rotterdam Police could refer to Politie Rotterdam, Netherlands or Rotterdam Police Department, New York, USA

• A Tweet to Kurt Eichenwald, a Strobe and a Seizure. Now, an Arrest. - The New York Times - Send a blink GIF to a photosensitive epilepsy person.

• Dennō Senshi Porygon — Wikipedia - trigger a seizure in vulnerable users with a movie (contains flashes) or with strobe lights

• Use Virtual mobile number or spoof SMS to send lot of SMS to one target (DDoS)

• An interesting thought on IRL equivalence of DDOS attacks on a business. I'd love to hear your thoughts. : DepthHub - 16 year old arrested for DDOS attacks against Visa, Mastercard and PayPal : news

See DDoS See Usurpation & social engineering

Sabotage

black hat trolling, social sabotage, guerilla

• Simple Sabotage Field Manual by United States. Office of Strategic Services | Project Gutenberg - Declassified OSS document https://web.archive.org/web/20121126170237/http://www.gutenberg.org/files/26184/page-images/26184-images.pdf

• L'art du sabotage social par Horizon Gull - Montbazon 2016 - YouTube - see Être stupide, où l’art du sabotage social selon les leçons de la CIA and CIA-conseil-sabotage-social.pdf

• https://web.archive.org/web/20120927000536/https://www.cia.gov/news-information/featured-story-archive/2012-featured-story-archive/CleanedUOSSSimpleSabotage_sm.pdf

• The Art of Simple Sabotage - CIA

• Simple Sabotage Field Manual : Office of Strategic Services : Free Download, Borrow, and Streaming : Internet Archive

• SPECIAL OPERATIONS FIELD MANUAL -- STRATEGIC SERVICES (PROVISIONAL) - CIA-RDP89-01258R000100010010-5

• Manuel de sabotage simple sur le terrain — Wikipédia

• Value of simple sabotage in wartime - Sabotage - Wikipedia

Backup

The 3-2-1 rule can aid in the backup process. It states that there should be at least 3 copies of the data, stored on 2 different types of storage media, and one copy should be kept offsite, in a remote location

— Backup - Wikipedia

• Qu'est-ce que la stratégie de sauvegarde 3-2-1 ?

• Backup Strategies: Why the 3-2-1 Backup Strategy is the Best

• You Need a Backup AdmiralAsshat/nothing_of_value: Source for my personal website.

• https://infosec.uthscsa.edu/sites/default/files/documents/Backup.pdf