Netsec – Telegram
This channel posts the feed from r/netsec.
For any suggestions dm @streaak
Donate to keep the bot running https://www.paypal.me/akhilgv
Recent 1.4 billion password breach compilation as wordlist
http://ift.tt/2AVfJrx

Submitted December 19, 2017 at 09:25AM by stmiller
via reddit http://ift.tt/2yUqatE
Are EV certificates worth the paper they're written on?
http://ift.tt/2zOmP0p

Submitted December 19, 2017 at 02:04AM by 57696c6c
via reddit http://ift.tt/2BHDvuO
Google Advanced Security Not Actually Inconvenient
Since October of 2017 Google has been marketing its "Advanced Protection Program" as a system that sacrifices ease of use for security, as if the average end user would be losing essential functionality or having to jump through serious hoops in order to use their account. In practice this is in no way the case, for people like ourselves AND the average end user. Because Android phones and tablets keep you logged into Google even after a reboot of your device, you only need to use your NFC/Bluetooth key one time. It's an obvious distinction for those of us who live and breathe data security, but I think we could be explaining this to our less tech-savvy counterparts a lot better. Google also claims this feature is geared towards politicians and journalists but not necessarily our teenage children and financially vulnerable grandparents. It stinks that Google finally enabled such a basic functionality and then greatly damaged the possibility of it going mainstream.

Submitted December 19, 2017 at 06:02PM by sweepstor
via reddit http://ift.tt/2BHGgw5
Linkedin unread notifications count is open for everyone
http://ift.tt/2D3dDHx

Submitted December 19, 2017 at 07:41PM by RandomAdversary
via reddit http://ift.tt/2oLgBgB
GUI Tool for crafting ROP chains (WIP)
http://ift.tt/2D35Jhn

Submitted December 19, 2017 at 09:41PM by chillingswordfish
via reddit http://ift.tt/2D69liw
Thoughts/Advice
I'm currently going through a vetting exercise on a new vendor/solution for my business. The vendor is offshore, but is touting that they are compliant with a litany of things (NIST, HIPAA, PCI, ISO, etc.) as well as saying that they employ a zero-trust policy with everything they do. That's all well and good. That should be a pretty basic standard when you're providing this kind of service.

Here's where it gets interesting. As part of the review that my team performs, we ask how vulnerabilities are remediated. Here's the answer that we've gotten:

"<software/application that they've written internally> maintains a clear separation between various systems. The policy is enforced realtime and on a continual basis. It is simply impossible to access any internal systems without first authenticating, authorizing role, and providing an intent. <Vendor> follows a zero trust policy for cybersecurity."

This seems really off to me. First, I would never, in the history of ever, say that something was impossible to access. Further, the vendor has peppered throughout their entire vetting their tool and how it employs passphrase technology and no user IDs to make their solution "impossible to hack".

Thoughts?

Submitted December 19, 2017 at 09:27PM by OldFennecFox
via reddit http://ift.tt/2klgLqw