Can anyone steal my IP address and use it as their own?

Network engineer with BGP experience here.

Yes. But usually the attack would have been for a larger address block.

Let's say the "good ISP" is assigned to company 1.1.0.0/16. You are a customer of "good ISP" and your home router is a public IP address 1.1.5.5.

"EvilCo" wants you to look bad by downloading … inappropriate … content from 1.1.5.5. You have an unfiltered BGP routing protocol connection to the Internet and advertise 1.1.5.5/32.

This attack fails. While their BGP connection is not filtered (and we are talking about route advertisement filters, not packet filters), Internet ISPs generally do not accept IPv4 routes that are more specific than a / 24.

EvilCo advertises 1.1.5.0/24 in BGP. It works. Both 1.1.5.0/24 and 1.1.0.0/16 exist in the core internet routing table and the more special route wins!

Some mitigations:

  1. ISPs generally filter BGP connections to their customers and only accept certain routes, but there are many unfiltered BGP connections out there (I personally had access to one in a previous job … it was so old it was created before ISP tightened their standard configurations).
  2. Good BGP operators use a "BGP monitoring service" that sends them an email when someone else advertises one of the blocks assigned to them. (BGPmon)
  3. There is "route registration database" (RADB for example) and some ISPs try to route their routes using police databases, but these databases are generally incomplete.
  4. Requiring a larger block (/ 24) to attack makes the attack even clearer as it affects multiple people and all BGP updates are reported by multiple organizations.

It is also possible for a rogue operator within "Good ISP" to take special care of your / 32.

It is always possible to send traffic with a source IP of 1.1.5.5 without redirecting the block. However, this does not lead to a complete TCP handshake, so that no downloads take place.

Authentication – Can Chrome Extensions Steal Redirect-Uri's OAuth Token?

This is a duplicate of a batch overflow question because it may be more of a security and authentication best practice.

I'm working on authentication between a Chrome extension and Google Cloud Platform and trying to send it id_token JWT to an AWS server to get user data (and / or set up a session?).

My question is: How can I prevent Chrome extensions? tabs Permissions to read the GET request or the redirected URI that the fully validated user JWT has?

The JWT confirms that a user is who they are. How do I know that my Chrome extension is sending the request to my backend?

I have a few ideas:

  1. Maybe I can create a private window that can only control my extension

  2. Maybe I can use the nonce somehow or get the nonce from my server first

  3. Maybe my Chrome extension has a private key or a way to verify with my backend that has the public key

Any help would be appreciated, it is difficult to research this particular scenario.


var url = 'https://accounts.google.com/o/oauth2/v2/auth' +
          '?client_id=' + encodeURIComponent(chrome.runtime.getManifest().oauth2.client_id) +
          '&response_type=id_token' +
          '&redirect_uri=' + encodeURIComponent(chrome.identity.getRedirectURL()) +
          '&scope=' + encodeURIComponent(chrome.runtime.getManifest().oauth2.scopes.join(' ')) +
          '&nonce=' + Math.floor(Math.random() * 10000000);

chrome.windows.create({ url: 'about:blank' }, function ({ tabs }) {
    chrome.tabs.onUpdated.addListener(
        function googleAuthorizationHook(tabId, changeInfo, tab) {
            if (tab.id === tabs(0).id) {
                if (tab.title !== 'about:blank') {
                    console.log(url);
                    if (tab.title.startsWith(chrome.identity.getRedirectURL())) {
                        const id_token = tab.title.split('#')(1);
                        console.log(id_token);
                    } else {
                        console.error(tab.title)
                    }

                    chrome.tabs.onUpdated.removeListener(googleAuthorizationHook);
                    chrome.tabs.remove(tab.id);
                }
            }
        }
    );

    chrome.tabs.update(tabs(0).id, { 'url': url });
});

How much data can an app steal from my MacBook if I allow system-wide execution?

I am interested in knowing how to do it Monitor and possibly sandpit an app and its relative background processes in MacOS. Is there an internal utility hidden somewhere in the system tools (even the CLI), or maybe a tool from the Internet? I can't find anything about it. It also looks like everyone still thinks Mac OS can't get malware and it doesn't help.

Suppose I want to install an Android emulator to play Android games on my MacBook. I know that the majority of emulators are Chinese, so I expect a significant level of telemetry.
I choose the Mumu app. During the installation, the app asks me to enter my password so that a new helper can be created (what is it and what does it mean?). In order to do this and continue with the installation, I have to allow the (initially blocked) execution of "system software" under Security & data protection >> General (image).

If I ever played, how could I monitor the impact of this choice? Can an app with these permissions access other app data? I am particularly interested in keeping them safe:

  • Browsing history (e.g. Chrome, Firefox …)
  • key ring
  • Files around my hard drive (duhh …)

What is safe and what is not?
How do I know (possibly in real time) what a particular service / process / application with permissions is doing to my computer?

thank you in advance

Is someone trying to steal my password?

I have to make 2 entries to register with my bank. I don't save my password. I recently noticed that when I enter my password, a box appears at the bottom of the screen with the title "Password for this website ZV7Y …..".
I have not clicked the link because I know that this is not correct! Help!

How can someone not steal my Bitcoin with the Dumpprivkey command?

In an online course, the instructor told us that anyone can find a wallet's private key using dumpprivkey (address), where address is the address that is created from the key (which is public in a transaction in the Bitcoin chain is) that this command returns a WIF object. I guess that's not true because then everyone would steal everyone's Bitcoin by looking up the addresses in tx on the Cahin and executing the command. Can someone enlighten me? Dumpprivkey please command

vpn – Will more public credit cards steal credit cards than data breaches?

I recently heard a podcast sponsored by a VPN provider. In the conversation topics for the ad, the moderator said the following (I remember it from memory, but that's the essence)

Has your credit card ever been hacked? Be careful when using public WiFi networks when you buy something. The networks are full of hackers trying to steal your information. In fact, number one is how credit card details are stolen by hackers who download them via the coffee shop's WiFi. With VPN provider You can count on a safe experience …

Next, the benefits of a VPN are highlighted. This claim, however, does not agree with me. Will more details be stolen by public interception of WLAN than, for example, data breaches by major retailers? Or is this a "coverage bias" that increases news reporting (and thus recognition) in the event of major violations?

[ Politics ] Question: Should Hillary Clinton sue Jill Stein for working with the Kremlin to steal the votes and support Donald Trump in the election?

[Politics] Open Question: Should Hillary Clinton sue Jill Stein for working with the Kremlin to steal her votes and support Donald Trump in the election?

Is there a way to steal an asset from a Roblox game?

I've heard that in Roblox games assets (like sounds and images) are loaded on the client side, so theoretically there is a way to exploit the ID of the asset. What I want to do is just find out all the asset IDs in a Roblox game, but this will not be annoying to others. Is there a way to do this? I want to use these assets in my own game. It is a pain to look for each sound effect and picture individually.