Uncategorized Archives - Page 92 of 156

Brave launches its own, privacy‑focused search engine

The Brave Search engine takes on Google, promising to let users surf the web without leaving a trace

The post Brave launches its own, privacy‑focused search engine appeared first on WeLiveSecurity

June 23, 2021/by Advantage Computer Inc.

How to tell if a website is safe

It can be difficult to tell a legitimate website apart from an unsafe one – follow these steps to identify and protect yourself from bad websites

The post How to tell if a website is safe appeared first on WeLiveSecurity

June 23, 2021/by Advantage Computer Inc.

Uncategorized

State‑sponsored or financially motivated: Is there any difference anymore?

What does the increasingly fuzzy line between traditional cybercrime and attacks attributed to state-backed groups mean for the future of the threat landscape?

The post State‑sponsored or financially motivated: Is there any difference anymore? appeared first on WeLiveSecurity

June 21, 2021/by Advantage Computer Inc.

Uncategorized

Week in security with Tony Anscombe

5 steps to take to minimize damage from a ransomware attack – The double-edged sword of OSINT – Watch out for vishing scams

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

June 18, 2021/by Advantage Computer Inc.

Security, Uncategorized

Get ready for the 2021 Google CTF

Posted by Kristoffer Janke, Information Security Engineer

Are you ready for no sleep, no chill and a lot of hacking? Our annual Google CTF is back!

The competition kicks off on Saturday July 17 00:00:01 AM UTC and runs through Sunday July 18 23:59:59 UTC. Teams can register at http://goo.gle/ctf.

Just like last year, the top 16 teams will qualify for our Hackceler8 speed run and the chance to take home a total of $30,301.70 in prize money.

As we reminisce on last years event, we’d be remiss if we didn’t recognize our 2020 winning teams:

Plaid Parliament of Pwning
I Use Bing
pasten
The Flat Network Society

We are eager to see if they can defend their leet status. For those interested, we have published all 2020 Hackceler8 videos for your viewing pleasure here.

Whether you’re a seasoned CTF player or just curious about cyber security and ethical hacking, we want you to join us. Sign up to learn skills, meet new friends in the security community and even watch the pros in action. For the latest announcements, see g.co/ctf, subscribe to our mailing list or follow us on @GoogleVRP. See you there!

P.S. Curious about last year’s Google CTF challenges? We open-sourced them here.

June 18, 2021/by Advantage Computer Inc.

Uncategorized

5 essential things to do before ransomware strikes

By failing to prepare you are preparing to fail – here’s what you can do today to minimize the impact of a potential ransomware attack in the future

The post 5 essential things to do before ransomware strikes appeared first on WeLiveSecurity

June 18, 2021/by Advantage Computer Inc.

Uncategorized

Most health apps engage in unhealthy data‑harvesting habits

Most medical and fitness apps in Google Play have tracking capabilities enabled and their data collection practices aren’t transparent

The post Most health apps engage in unhealthy data‑harvesting habits appeared first on WeLiveSecurity

June 17, 2021/by Advantage Computer Inc.

Security, Uncategorized

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

Posted Kim Lewandowski, Google Open Source Security Team & Mark Lodato, Binary Authorization for Borg Team

Supply chain integrity attacks—unauthorized modifications to software packages—have been on the rise in the past two years, and are proving to be common and reliable attack vectors that affect all consumers of software. The software development and deployment supply chain is quite complicated, with numerous threats along the source ➞ build ➞ publish workflow. While point solutions do exist for some specific vulnerabilities, there is no comprehensive end-to-end framework that both defines how to mitigate threats across the software supply chain, and provides reasonable security guarantees. There is an urgent need for a solution in the face of the eye-opening, multi-billion dollar attacks in recent months (e.g. SolarWinds, Codecov), some of which could have been prevented or made more difficult had such a framework been adopted by software developers and consumers.

Our proposed solution is Supply chain Levels for Software Artifacts (SLSA, pronounced “salsa”), an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. It is inspired by Google’s internal “Binary Authorization for Borg” which has been in use for the past 8+ years and is mandatory for all of Google’s production workloads. The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.

How SLSA helps

SLSA helps to protect against common supply chain attacks. The following image illustrates a typical software supply chain and includes examples of attacks that can occur at every link in the chain. Each type of attack has occured over the past several years and, unfortunately, is increasing as time goes on.

	Threat	Known example	How SLSA could have helped
A	Submit bad code to the source repository	Linux hypocrite commits: Researcher attempted to intentionally introduce vulnerabilities into the Linux kernel via patches on the mailing list.	Two-person review caught most, but not all, of the vulnerabilities.
B	Compromise source control platform	PHP: Attacker compromised PHP’s self-hosted git server and injected two malicious commits.	A better-protected source code platform would have been a much harder target for the attackers.
C	Build with official process but from code not matching source control	Webmin: Attacker modified the build infrastructure to use source files not matching source control.	A SLSA-compliant build server would have produced provenance identifying the actual sources used, allowing consumers to detect such tampering.
D	Compromise build platform	SolarWinds: Attacker compromised the build platform and installed an implant that injected malicious behavior during each build.	Higher SLSA levels require stronger security controls for the build platform, making it more difficult to compromise and gain persistence.
E	Use bad dependency (i.e. A-H, recursively)	event-stream: Attacker added an innocuous dependency and then updated the dependency to add malicious behavior. The update did not match the code submitted to GitHub (i.e. attack F).	Applying SLSA recursively to all dependencies would have prevented this particular vector, because the provenance would have indicated that it either wasn’t built from a proper builder or that the source did not come from GitHub.
F	Upload an artifact that was not built by the CI/CD system	CodeCov: Attacker used leaked credentials to upload a malicious artifact to a GCS bucket, from which users download directly.	Provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.
G	Compromise package repository	Attacks on Package Mirrors: Researcher ran mirrors for several popular package repositories, which could have been used to serve malicious packages.	Similar to above (F), provenance of the malicious artifacts would have shown that they were not built as expected or from the expected source repo.
H	Trick consumer into using bad package	Browserify typosquatting: Attacker uploaded a malicious package with a similar name as the original.	SLSA does not directly address this threat, but provenance linking back to source control can enable and enhance other solutions.

What is SLSA

In its current state, SLSA is a set of incrementally adoptable security guidelines being established by industry consensus. In its final form, SLSA will differ from a list of best practices in its enforceability: it will support the automatic creation of auditable metadata that can be fed into policy engines to give “SLSA certification” to a particular package or build platform. SLSA is designed to be incremental and actionable, and to provide security benefits at every step. Once an artifact qualifies at the highest level, consumers can have confidence that it has not been tampered with and can be securely traced back to source—something that is difficult, if not impossible, to do with most software today.

SLSA consists of four levels, with SLSA 4 representing the ideal end state. The lower levels represent incremental milestones with corresponding incremental integrity guarantees. The requirements are currently defined as follows.

SLSA 1 requires that the build process be fully scripted/automated and generate provenance. Provenance is metadata about how an artifact was built, including the build process, top-level source, and dependencies. Knowing the provenance allows software consumers to make risk-based security decisions. Though provenance at SLSA 1 does not protect against tampering, it offers a basic level of code source identification and may aid in vulnerability management.

SLSA 2 requires using version control and a hosted build service that generates authenticated provenance. These additional requirements give the consumer greater confidence in the origin of the software. At this level, the provenance prevents tampering to the extent that the build service is trusted. SLSA 2 also provides an easy upgrade path to SLSA 3.

SLSA 3 further requires that the source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, respectively. We envision an accreditation process whereby auditors certify that platforms meet the requirements, which consumers can then rely on. SLSA 3 provides much stronger protections against tampering than earlier levels by preventing specific classes of threats, such as cross-build contamination.

SLSA 4 is currently the highest level, requiring two-person review of all changes and a hermetic, reproducible build process. Two-person review is an industry best practice for catching mistakes and deterring bad behavior. Hermetic builds guarantee that the provenance’s list of dependencies is complete. Reproducible builds, though not strictly required, provide many auditability and reliability benefits. Overall, SLSA 4 gives the consumer a high degree of confidence that the software has not been tampered with.

More details on these proposed levels can be found in the GitHub repository, including the corresponding Source and Build/Provenance requirements. We are open to feedback and suggestions for changes on these requirements.

Proof of Concept

Today, we are releasing a proof of concept for SLSA 1 provenance generator (repo, marketplace). This will allow a user to create and upload provenance alongside their build artifacts, thereby achieving SLSA 1. To use it, add the following snippet to your workflow:

– name: Generate provenance

uses: slsa–framework/github–actions–demo@v0.1

with:

artifact_path: <path–to–artifact/directory>

Going forward, we plan to work with popular source, build, and packaging platforms to make it as easy as possible to reach higher levels of SLSA. These plans include generating provenance automatically in build systems, propagating provenance natively in package repositories, and adding security features across the major platforms. Our long-term goal is to raise the security bar across the industry so that the default expectation is higher-level SLSA security standards, with minimal effort on the part of software producers.

Summary

SLSA is a practical framework for end-to-end software supply chain integrity, based on a model proven to work at scale in one of the world’s largest software engineering organizations. Achieving the highest level of SLSA for most projects may be difficult, but incremental improvements recognized by lower SLSA levels will already go a long way toward improving the security of the open source ecosystem.

We look forward to working with the community on refining the levels as we begin adopting SLSA for our own open source projects. If you are a project maintainer and interested in trying to adopt and provide feedback on SLSA, please reach out or come join the discussions taking place in the OpenSSF Digital Identity Attestation Working Group.

Check out the Know, Prevent, Fix post to read more about Google’s overall approach to open source security.

June 16, 2021/by Advantage Computer Inc.

Uncategorized

OSINT 101: What is open source intelligence and how is it used?

OSINT can be used by anyone, both for good and bad ends – here’s how defenders can use it to keep ahead of attackers

The post OSINT 101: What is open source intelligence and how is it used? appeared first on WeLiveSecurity

June 16, 2021/by Advantage Computer Inc.

Uncategorized

Microsoft takes down large‑scale BEC operation

The fraudsters ran their campaigns from the cloud and used phishing and email forwarding rules to steal their targets’ financial information.

The post Microsoft takes down large‑scale BEC operation appeared first on WeLiveSecurity

June 15, 2021/by Advantage Computer Inc.

Testimonials

Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix things and at a reasonable price. This time I went to Advantage Computer Solutions to find a new laptop. I needed help because like most of us I had no… Read more “Amazing!”

Amanda Tolve

Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not operate my small biz without them!

Karen Schloss

stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient and terrific. So happy with Advantage Computer Solutions and Al and his AMAZINGLY WONDERFUL STAFF.

Nancy Alberga

I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or small my problem, they have been unfailingly helpful, friendly and professional. Services are performed promptly and effectively, and they are very fair with pricing, too. I am lucky to have… Read more “Whatever my need, unfailingly helpful”

Michael Lesher

I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also… Read more “Best Kept Secret”

Carlos Santos

I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore!… Read more “Excellent Experience”

Sonya G

Simply The Best! Our company has been working with Advantage Computer Solutions for a few years, Zack and his Team are AWESOME! They are super reliable – whether it’s everyday maintenance or emergencies that may arise, The Advantage Team take care of us! Our team is grateful for their knowledgeable and professional services – a… Read more “Simply The Best!”

Kara Steible

Advanced Technology Search

The engineering team at Advantage Computers is the best in the business. They are nothing short of technical wizards.

Susannah Rubenstein

Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems. When we have an emergency, they make it their emergency. Its like having a cousin in the business.

lenny steinbach

Lucille Laundry - Monroe St Passaic NJ

In many cases, exceptional people do not receive recognition for their hard work and superior customer service. We do not want this to be one of those times. Zack Rahhal has been our hardware and technical consultant for our servers, Pc’s and other technical equipment since April 2004 and has provided valuable input and courteous service to… Read more “Exceptional People”

John Belly

Cambridge Paving Stones and Wall Systems, Inc

I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am an attorney and operate my own small firm. I have limited knowledge of computers. Zack is very patient in explaining things. He has offered practical and economical solutions to multiple… Read more “Highly Recommended”

Nick T.

West New York, NJ

THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they said it would be $600, I went in they did a quick diagnostic, and based on his observations he gave me a step by step of the possible problems and… Read more “Life Savers”

Desirée A.

East Rutherford, NJ

I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals… Read more “I don’t have enough words to express my appreciation”

Amy Neustein

Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they “forgot” to do….) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable….everything you want in a computer solutions vendor.

Holly Kaplansky

Minuteman Press Newark

Knowledgeable, Reliable, Reasonable Working with Advantage Computers since 1997 for both personal and business tech support has been a rewarding and enjoyable experience. Rewarding, in that the staff is very knowledgeable, approaching needs and issues in a very straightforward, common sense manner, resulting in timely solutions and resolutions. Enjoyable, these guys are really friendly (not… Read more “Knowledgeable, Reliable, Reasonable”

Ben Rowner

MR Capital Group, Inc

Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest…. A++!!! Essex Surgical relies on Advantage… Read more “Excellent service!”

Trudy Holt

Essex Surgical

Advantage offers great advice and service I bought parts for my gaming pc online and they put it together in a day for a great price. They are very professional. I was very satisfied with their service. I am a newbie in terms of PC gaming so they gave me great advice on this new piece… Read more “Great Advice and Service”

Jose

Clifton NJ

Our company has been using the services of Advantage Computers since 2006. It was important to find a reliable company to provide us with the technical support both onsite and offsite. It was through a recommendation that we contacted Advantage to have them provide us with a quote to install a new server and update our… Read more “Great Service, Support and Sales”

John Mezzina

Synatech, Inc.

Our company has been working with Advantage since the 1990’s and have been a loyal client ever since. Advantage does not make it very difficult to be loyal as they offer services from the most intricate and personalized to the global scale. Our company has grown beyond its doors of a local office to National… Read more “Extremely Professional and Passionate”

Cherie Avinger

RCL Agencies, Inc. Clifton, NJ

Advantage Computer Solutions has handled all of our computer and IT needs for the past 2 years. The staff is always professional and the service is always prompt. When your computers are down or not working properly is affects all aspects of your business, it is wonderful to have such a reliable team on our… Read more “Handles all our Office IT”

Jennifer Raspanti

Optimum Orthopedics

Since 1996 the Housing Authority of the City of Passaic has been a client of Advantage Computer Solutions. Our Agency has utilized their outstanding services and expertise to solve our technologic problems and growth over the past eighteen years. We would like to personally thank them for proposing cost effective solutions while reducing labor-intense tasks… Read more “Passaic Housing Authority”

Michael S. O’Hara

Passaic Housing Authority

“When the computer I use to run my photography business started acting erratically and kept shutting down, I was in a panic. I depend on that computer to deliver final products to my clients. Fortunately, I brought my HP into Advantage for repair and in one day I had my computer back. Not only did… Read more “They made sure EVERYTHING was working”

Phil Cantor

Phil Cantor Photography

Brave launches its own, privacy‑focused search engine

How to tell if a website is safe

State‑sponsored or financially motivated: Is there any difference anymore?

Week in security with Tony Anscombe

Get ready for the 2021 Google CTF

5 essential things to do before ransomware strikes

Most health apps engage in unhealthy data‑harvesting habits

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity

OSINT 101: What is open source intelligence and how is it used?

Microsoft takes down large‑scale BEC operation

Easy Contact

Company

Services

Testimonials