Very Good Read: The Future of Sensors, Algorithms, and Recommendations

Abstract

One of the easiest technological trends to predict in the coming decades is the improvement and penetration of sensors and algorithms. In short—more sensors, in more places, gathering more data, which are fed to better and better algorithms.

Those algorithms will work together and be fed into a universal interface in both consumer and business environments, and that interface will arrive at conclusions and then make recommendations. This technology trend is universal because it aligns with a human universal, i.e., the desire to improve our lot.

When we’re at home, the combination of sensors throughout our house will include microphones, cameras, radio signals, air-quality, chemical detection in the sinks and toilets, etc.

These will obviously start basic and get more advanced. All combined, these sensors will be able to tell us if we’re hungry, tired, happy, sick, angry, depressed, and a thousand other emotions and moods—all in realtime.

Read more at https://danielmiessler.com/blog/the-future-of-sensors-algorithms-and-recommendations/?mc_cid=3512bae25b&mc_eid=35079f6e24

How to use Apache HttpClient securely?

Every Java developer knows and uses the Apache HttpClient library; it can be found in almost every enterprise application. However, we often miss the security implications of using a library. Every library ships with security features, but it is always the developer's responsibility to apply them in every HTTP API integration.

HttpClient provides full support for HTTP over Secure Sockets Layer (SSL) or IETF Transport Layer Security (TLS) protocols by leveraging the Java Secure Socket Extension (JSSE). JSSE has been integrated into the Java 2 platform as of version 1.4 and works with HttpClient out of the box. On older Java 2 versions JSSE needs to be manually installed and configured.

Standard SSL in HttpClient

Basically, every JVM has a trust store and JSSE is already installed, so you do not need to worry about passing a custom certificate in an HttpGet request; Java takes care of it. Take a look at the code below.

// HttpClient 3.x API (org.apache.commons.httpclient)
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.verisign.com/");
try {
   // The TLS handshake and certificate validation happen here, against the JVM trust store
   httpclient.executeMethod(httpget);
   System.out.println(httpget.getStatusLine());
} finally {
   httpget.releaseConnection();
}

So, in simple terms, if your application triggers a GET request, an HTTPS handshake first takes place between client and server. The server presents its certificate and the client validates it against the JVM trust store. If you prefer a graphical explanation, you can watch the video below.

How to use custom SSL certificates in HttpGet Request?

Read the full document to understand it.

Example code copied from the document.

import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public class ClientCustomSSL {

   public static void main(String[] args) throws Exception {

      // Creating the SSLContextBuilder object
      SSLContextBuilder SSLBuilder = SSLContexts.custom();

      // Loading the keystore file that holds the CA / server certificates we trust
      File file = new File("mykeystore.jks");
      SSLBuilder = SSLBuilder.loadTrustMaterial(file, "changeit".toCharArray());

      // Building the SSLContext using the build() method
      SSLContext sslcontext = SSLBuilder.build();

      // Creating the SSLConnectionSocketFactory. The copied example used
      // NoopHostnameVerifier here, which accepts a certificate for any name and
      // so defeats the point of a custom trust store; DefaultHostnameVerifier
      // checks that the certificate actually matches the host being connected to.
      SSLConnectionSocketFactory sslConSocFactory =
         new SSLConnectionSocketFactory(sslcontext, new DefaultHostnameVerifier());

      // Creating the HttpClientBuilder and setting the SSLConnectionSocketFactory
      HttpClientBuilder clientbuilder = HttpClients.custom();
      clientbuilder = clientbuilder.setSSLSocketFactory(sslConSocFactory);

      // Building the CloseableHttpClient; try-with-resources closes it afterwards
      try (CloseableHttpClient httpclient = clientbuilder.build()) {

         // Creating the HttpGet request
         HttpGet httpget = new HttpGet("https://example.com/");

         // Executing the request
         HttpResponse httpresponse = httpclient.execute(httpget);

         // Printing the status line
         System.out.println(httpresponse.getStatusLine());

         // Retrieving the HttpEntity and displaying the number of bytes read
         HttpEntity entity = httpresponse.getEntity();
         if (entity != null) {
            System.out.println(EntityUtils.toByteArray(entity).length);
         }
      }
   }
}
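As an added example (my own code, not from the page or the linked document), the class below puts two HttpClient 4.x configurations side by side for the "Standard SSL" and custom-certificate sections above: the trust-everything pattern that often turns up in copy-pasted code, and a hardened builder that pins trust to your own store, keeps hostname verification on and limits the handshake to TLSv1.2/1.3. The class and method names, the truststore.jks path and its password are assumptions, and the protocol list assumes a JVM that supports TLSv1.3.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class TlsClientFactory {

   // WEAK (shown only so it can be recognised in code review): trusts every
   // certificate and skips hostname checks, so anyone who can intercept the
   // connection can impersonate the server. TLS gives no protection here.
   public static CloseableHttpClient insecureClient() throws Exception {
      SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(null, TrustAllStrategy.INSTANCE)
            .build();
      SSLConnectionSocketFactory sf =
            new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
      return HttpClients.custom().setSSLSocketFactory(sf).build();
   }

   // HARDENED: trust only the certificates in our own store, verify that the
   // server certificate matches the requested host, and refuse legacy protocols.
   public static CloseableHttpClient hardenedClient(File trustStore, char[] password)
         throws Exception {
      SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStore, password)  // no TrustStrategy: chain must validate
            .build();
      SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
            ctx,
            new String[] { "TLSv1.2", "TLSv1.3" },   // allowed protocol versions
            null,                                     // JSSE default cipher suites
            new DefaultHostnameVerifier());
      return HttpClients.custom().setSSLSocketFactory(sf).build();
   }

   public static void main(String[] args) throws Exception {
      // Assumed trust store path and password; the hardened client is the one to use.
      try (CloseableHttpClient client =
               hardenedClient(new File("truststore.jks"), "changeit".toCharArray())) {
         System.out.println(client.execute(new HttpGet("https://example.com/")).getStatusLine());
      }
   }
}
```

TrustAllStrategy and DefaultHostnameVerifier require HttpClient 4.5.4 / 4.4 or later respectively.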

Just a thought: A phone controls you now.

Our society has changed so much. A simple device, the phone, has taken control of you, and you have no control over it. Even husband and wife sit in opposite corners of the bed checking WhatsApp every minute, hoping something will come up that may change their life.

In a week we have 168 hours, but neither you nor I have 5 minutes to talk to parents, brothers, friends or old colleagues. Even if you try, they do not have time to speak to you. A kid wants to play with his father, but the father is busy on Facebook. Strange times, and we are all sick in many ways.

If you ask anybody, they say “no time, yaar” and then blame kids, work, unwell parents or a partner. But they never check their total screen time in a week. According to research, on average a person can maintain a maximum of 200 contacts, but now you cannot even maintain 10 contacts because of the phone.

My humble request to all readers is: talk to the people next to you. Say hello to others in the metro or at the workplace rather than chatting with someone online on Facebook.

OFFLINE LIFE IS AS GOOD AS ONLINE. GIVE IT A CHANCE.

Email Security: What is credential phishing?

Credential phishing is a type of email-based attack that uses malicious web forms mimicking legitimate websites to steal the victim’s login credentials. Potentially targeted credentials can include those for any web-based service, including:

  • Microsoft Outlook Web Access (OWA) and other corporate web-based email services
  • Free webmail services (e.g., Gmail, Yahoo, Hotmail)
  • Cloud-based sync and sharing services (e.g., DropBox, Box)
  • Online shopping (Apple ID, Amazon, etc.) and loyalty program logins

The credential phishing site frequently appears to be a perfect copy of the targeted website, and as a result a quick visual scan by the victim does not arouse suspicion. However, the domain in the URL will be under the attacker’s control, rather than owned by the targeted organization, and may indicate that the site is not legitimate.

Credential phishing is one of the most successful social engineering techniques for targeting larger organizations.
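An added example, not from the page, of the URL check the paragraph above describes from the defender's side: it pulls each link out of an HTML mail body, compares the host the link actually points to with the host its visible text shows, and flags hosts that are not in a list of the organization's own domains. The class name, the ALLOWED list and the sample mail body are constructed for illustration; the regex is deliberately simple and is not a full HTML parser.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class PhishingLinkCheck {
   // Hosts the organization legitimately links to in mail (constructed list).
   static final Set<String> ALLOWED = Set.of("example.com", "outlook.office.com");
   // Matches <a href="...">text</a>; adequate for mail bodies, not a full HTML parser.
   static final Pattern ANCHOR = Pattern.compile(
         "<a\\s[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>",
         Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

   // One finding per suspicious link; an empty list means nothing was flagged.
   public static List<String> findSuspiciousLinks(String html) {
      List<String> findings = new ArrayList<>();
      Matcher m = ANCHOR.matcher(html);
      while (m.find()) {
         String linkHost = hostOf(m.group(1));
         String text = m.group(2).replaceAll("<[^>]+>", "").trim();
         if (linkHost == null) { findings.add("unparseable href: " + m.group(1)); continue; }
         // Link text that reads like a host or URL but actually resolves somewhere else.
         String textHost = hostOf(text.matches("(?i)https?://.*") ? text : "https://" + text);
         if (textHost != null && text.contains(".") && !text.contains(" ") && !inDomain(linkHost, textHost)) {
            findings.add("text shows " + textHost + " but href goes to " + linkHost);
         }
         if (ALLOWED.stream().noneMatch(d -> inDomain(linkHost, d))) {
            findings.add("link to non-allowlisted host: " + linkHost);
         }
      }
      return findings;
   }

   static String hostOf(String url) {
      try { String h = new URI(url.trim()).getHost(); return h == null ? null : h.toLowerCase(); }
      catch (Exception e) { return null; }
   }

   // true when host is the domain itself or a subdomain of it
   static boolean inDomain(String host, String domain) {
      return host.equals(domain) || host.endsWith("." + domain);
   }
   public static void main(String[] args) {
      // Constructed sample: an OWA-style lure whose link text hides the real destination.
      String mail = "<p>Your mailbox is almost full. Sign in to keep receiving mail.</p>"
            + "<a href=\"https://owa-login.example-mail.test/auth\">outlook.office.com</a>";
      findSuspiciousLinks(mail).forEach(System.out::println);   // two findings for this sample
   }
}
```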

CyberNews: Top Vulnerabilities this week

This week's vulnerabilities:

CVE-2020-16898 — There is an RCE in the Windows TCP/IP stack related to the handling of ICMPv6 Router Advertisements.

CVE-2020-16898 Highlights

  • Do not disable IPv6 entirely unless you want to break Windows in interesting ways.
  • This can only be exploited from the local subnet.
  • But it may lead to remote code execution / BSOD.
  • PoC exploit is easy, but actual RCE is hard.
  • Patch

Almost 800,000 internet-accessible SonicWall VPN appliances will need to be updated and patched for a major new vulnerability, disclosed on Wednesday, that allows RCE.

Discord Desktop app RCE

A few months ago, I discovered a remote code execution issue in the Discord desktop application and I reported it via their Bug Bounty Program.

The RCE I found was an interesting one because it is achieved by combining multiple bugs. In this article, I’d like to share the details.

Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution.