Preventing Yet Another AWS S3 Storage Breach
http://ift.tt/2oHSdwn
Submitted December 19, 2017 at 03:54PM by nanooonanooo
via reddit http://ift.tt/2CBslEo
http://ift.tt/2oHSdwn
Submitted December 19, 2017 at 03:54PM by nanooonanooo
via reddit http://ift.tt/2CBslEo
The State of Security
Preventing Yet Another AWS S3 Storage Breach With Tripwire
It seems like everyday you see a new report about a massive data leak caused by someone accidentally exposing files stored in AWS S3 Buckets.
Are EV certificates worth the paper they're written on?
http://ift.tt/2zOmP0p
Submitted December 19, 2017 at 02:04AM by 57696c6c
via reddit http://ift.tt/2BHDvuO
http://ift.tt/2zOmP0p
Submitted December 19, 2017 at 02:04AM by 57696c6c
via reddit http://ift.tt/2BHDvuO
Google Advanced Security Not Actually Inconvenient
Since October of 2017 Google has been marketing it's "Advanced Protection Program" as a system that sacrifices ease of use for security. As if the average end user would be losing essential functionality or having to jump through serious hoops in order to use their account. In practice this is in no way the case- for people like ourselves AND the average end user. Because android phones and tablets keep you logged into Google even after a reboot of your device, you only need to use your nfc/bluetooth key one time. It's an obvious distinction for those of us who live and breathe data security but I think we could be explaining this to our less tech-savvy counterparts a lot better. Google also claims this feature is geared towards politicians and journalists but not necessarily our teenage children and financially vulnerable grandparents. It stinks that Google finally enabled such a basic functionality and then greatly damaged the possibility of it going mainstream.
Submitted December 19, 2017 at 06:02PM by sweepstor
via reddit http://ift.tt/2BHGgw5
Since October of 2017 Google has been marketing it's "Advanced Protection Program" as a system that sacrifices ease of use for security. As if the average end user would be losing essential functionality or having to jump through serious hoops in order to use their account. In practice this is in no way the case- for people like ourselves AND the average end user. Because android phones and tablets keep you logged into Google even after a reboot of your device, you only need to use your nfc/bluetooth key one time. It's an obvious distinction for those of us who live and breathe data security but I think we could be explaining this to our less tech-savvy counterparts a lot better. Google also claims this feature is geared towards politicians and journalists but not necessarily our teenage children and financially vulnerable grandparents. It stinks that Google finally enabled such a basic functionality and then greatly damaged the possibility of it going mainstream.
Submitted December 19, 2017 at 06:02PM by sweepstor
via reddit http://ift.tt/2BHGgw5
reddit
Google Advanced Security Not Actually Inconvenient • r/security
Since October of 2017 Google has been marketing it's "Advanced Protection Program" as a system that sacrifices ease of use for security. As if the...
Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
http://ift.tt/2oLAhRp
Submitted December 19, 2017 at 05:13PM by Russel_
via reddit http://ift.tt/2oLEeWs
http://ift.tt/2oLAhRp
Submitted December 19, 2017 at 05:13PM by Russel_
via reddit http://ift.tt/2oLEeWs
Medium
Introducing Merlin — A cross-platform post-exploitation HTTP/2 Command & Control Tool
tl;dr Evade network detection during a penetration test/red team exercise by using a protocol that existing tools aren’t equipped to…
Linkedin unread notifications count is open for everyone
http://ift.tt/2D3dDHx
Submitted December 19, 2017 at 07:41PM by RandomAdversary
via reddit http://ift.tt/2oLgBgB
http://ift.tt/2D3dDHx
Submitted December 19, 2017 at 07:41PM by RandomAdversary
via reddit http://ift.tt/2oLgBgB
Random Ⱥdversary
Linkedin unread notifications count is open for everyone
Mostly adversarial thoughts.
RAPID7 made this awesome Haxmas Music Album
http://ift.tt/2yY8ayo
Submitted December 19, 2017 at 08:12PM by Swerzi
via reddit http://ift.tt/2CGjX6J
http://ift.tt/2yY8ayo
Submitted December 19, 2017 at 08:12PM by Swerzi
via reddit http://ift.tt/2CGjX6J
Rapid7
NOW That's What I Call HaXmas! | Rapid7
Rapid7 presents: NOW That's What I Call HaXmas! Featuring some of our talented musicians. Happy holidays, and enjoy.
TLS Exploit 'ROBOT' Based on 19 Year Old Vulnerability Affects More Than Just Websites
http://ift.tt/2oKC09J
Submitted December 19, 2017 at 08:34PM by Mi3Security
via reddit http://ift.tt/2D5MCmA
http://ift.tt/2oKC09J
Submitted December 19, 2017 at 08:34PM by Mi3Security
via reddit http://ift.tt/2D5MCmA
Mi3 Security
TLS Exploit 'ROBOT' Based on 19 Year Old Vulnerability Affects More Than Just Websites
TLS vulnerability returns 19 years later, code-named Return of Bleichenbacher’s Oracle Threat or ROBOT. Researchers have found that countermeasures implemented in many systems are not sufficient and are vulnerable to Bleichenbacher-style attacks.
Unique and Professional Security Doors in London
http://ift.tt/2kOdFui
Submitted December 19, 2017 at 08:12PM by shopfronts1
via reddit http://ift.tt/2yXKXMT
http://ift.tt/2kOdFui
Submitted December 19, 2017 at 08:12PM by shopfronts1
via reddit http://ift.tt/2yXKXMT
jaishutters.blogspot.co.uk
What you need to look for security doors in London?
Nowadays, the concern for security has increased because of the escalating crime rates. While there are a wide variety of options available...
Security In 5: Episode 135 - OWASP Top 10 - A10 - Unvalidated Redirects and Forwards
http://ift.tt/2AXHYFV
Submitted December 19, 2017 at 07:31PM by BinaryBlog
via reddit http://ift.tt/2B0haVG
http://ift.tt/2AXHYFV
Submitted December 19, 2017 at 07:31PM by BinaryBlog
via reddit http://ift.tt/2B0haVG
Libsyn
Security In Five Podcast: Episode 135 - OWASP Top 10 - A10 - Unvalidated Redirects and Forwards
The last item in the mini series OWASP Top 10. Number 10, Unvalidated Redirects and Forwards. This episode goes in to the details on what this is and how to avoid having them in your application. OWASP Top 10 A10 - Unvalidated Redirects and Forwards Be aware…
ZDI releases second Top 5 bug of 2017. This one gets remote code execution in Apache Groovy.
http://ift.tt/2yYo0sM
Submitted December 19, 2017 at 09:05PM by RedmondSecGnome
via reddit http://ift.tt/2D4ew2F
http://ift.tt/2yYo0sM
Submitted December 19, 2017 at 09:05PM by RedmondSecGnome
via reddit http://ift.tt/2D4ew2F
Zero Day Initiative
Apache Groovy Deserialization: A Cunning Exploit Chain to Bypass a Patch
This is the second in our series of Top 5 interesting cases from 2017. Each of these bugs has some element that sets them apart from the approximately 1,000 advisories released by the program this year. Today’s blog examines a remote code execution bug in…
Hex-Men: Chinese campaign targeting SQL Server & MySQLs DBs
http://ift.tt/2klvlyb
Submitted December 19, 2017 at 09:58PM by ribr
via reddit http://ift.tt/2BfNS9J
http://ift.tt/2klvlyb
Submitted December 19, 2017 at 09:58PM by ribr
via reddit http://ift.tt/2BfNS9J
GuardiCore - Data Center and Cloud Security
Beware the Hex-Men - GuardiCore - Data Center and Cloud Security
In the last few months GuardiCore Labs has been investigating multiple attack campaigns conducted by an established Chinese crime group that operates worldwide. The campaigns are launched from a large coordinated infrastructure and are mostly targeting servers…
Dispelling Cybersecurity Myths - Recorded Future podcast episode 36
http://ift.tt/2kHSk5V
Submitted December 19, 2017 at 09:56PM by volci
via reddit http://ift.tt/2CEtuv8
http://ift.tt/2kHSk5V
Submitted December 19, 2017 at 09:56PM by volci
via reddit http://ift.tt/2CEtuv8
Recorded Future
Dispelling Cybersecurity Myths
Chief Security Architect Gavin Reid discusses cybersecurity myths that need to be dispelled, including the notion that companies should “do more with less.”
GUI Tool for crafting ROP chains (WIP)
http://ift.tt/2D35Jhn
Submitted December 19, 2017 at 09:41PM by chillingswordfish
via reddit http://ift.tt/2D69liw
http://ift.tt/2D35Jhn
Submitted December 19, 2017 at 09:41PM by chillingswordfish
via reddit http://ift.tt/2D69liw
GitHub
orppra/ropa
ropa - ROP chain creation as easy as drinking water
"Public Wi-Fi Attacks - Starbucks"
http://ift.tt/2yXVeIV
Submitted December 19, 2017 at 10:13PM by volci
via reddit http://ift.tt/2BddiVg
http://ift.tt/2yXVeIV
Submitted December 19, 2017 at 10:13PM by volci
via reddit http://ift.tt/2BddiVg
securingthehuman.sans.org
Security Awareness Blog | Public Wi-Fi Attacks - Starbucks
Security Awareness Blog blog pertaining to Public Wi-Fi Attacks - Starbucks
Top 25 passwords of 2017
http://ift.tt/2D4rYnb
Submitted December 19, 2017 at 10:10PM by kidbytheclouds
via reddit http://ift.tt/2yYWefG
http://ift.tt/2D4rYnb
Submitted December 19, 2017 at 10:10PM by kidbytheclouds
via reddit http://ift.tt/2yYWefG
Gizmodo
The 25 Most Popular Passwords of 2017: You Sweet, Misguided Fools
Every year, SplashData compiles a list of the most popular passwords based on millions of stolen logins made public in the last year. And each time, we own ourselves. Hard. 2017 is no exception.
Dispelling Cybersecurity Myths
http://ift.tt/2kHSk5V
Submitted December 19, 2017 at 09:30PM by volci
via reddit http://ift.tt/2kksrtk
http://ift.tt/2kHSk5V
Submitted December 19, 2017 at 09:30PM by volci
via reddit http://ift.tt/2kksrtk
Recorded Future
Dispelling Cybersecurity Myths
Chief Security Architect Gavin Reid discusses cybersecurity myths that need to be dispelled, including the notion that companies should “do more with less.”
Thoughts/Advice
I'm currently going through a vetting exercise on a new vendor/solution for my business.The vendor is offshore, but is touting that they are compliant with a litany of things (NIST, HIPAA, PCI, ISO, etc) as well as saying that the employ a zero-trust policy with everything they do. That's all well and good. That should be a pretty basic standard when you're providing this kind of service.Here's where it gets interesting. As part of the review that my team performs, we ask how vulnerabilities are remediated. Here's the answer that we've gotten:"<software/application that they've written internally> maintains a clear separation between various systems. The policy is enforced realtime and on a continual basis. It is simply impossible to access any internal systems without first authenticating, authorizing role, and providing an intent. <Vendor> follows a zero trust policy for cybersecurity."This seems really off to me. First, I would never, in the history of ever, say that something was impossible to access. Further, the vendor has peppered throughout their entire vetting their tool and how it employs passphrase technology and no user IDs to make their solution "impossible to hack".Thoughts?
Submitted December 19, 2017 at 09:27PM by OldFennecFox
via reddit http://ift.tt/2klgLqw
I'm currently going through a vetting exercise on a new vendor/solution for my business.The vendor is offshore, but is touting that they are compliant with a litany of things (NIST, HIPAA, PCI, ISO, etc) as well as saying that the employ a zero-trust policy with everything they do. That's all well and good. That should be a pretty basic standard when you're providing this kind of service.Here's where it gets interesting. As part of the review that my team performs, we ask how vulnerabilities are remediated. Here's the answer that we've gotten:"<software/application that they've written internally> maintains a clear separation between various systems. The policy is enforced realtime and on a continual basis. It is simply impossible to access any internal systems without first authenticating, authorizing role, and providing an intent. <Vendor> follows a zero trust policy for cybersecurity."This seems really off to me. First, I would never, in the history of ever, say that something was impossible to access. Further, the vendor has peppered throughout their entire vetting their tool and how it employs passphrase technology and no user IDs to make their solution "impossible to hack".Thoughts?
Submitted December 19, 2017 at 09:27PM by OldFennecFox
via reddit http://ift.tt/2klgLqw
reddit
Thoughts/Advice • r/security
I'm currently going through a vetting exercise on a new vendor/solution for my business. The vendor is offshore, but is touting that they are...
Kaspersky Lab Sues U.S. Government Over Software Ban
http://ift.tt/2yWuDvG
Submitted December 19, 2017 at 09:21PM by volci
via reddit http://ift.tt/2kMh1ht
http://ift.tt/2yWuDvG
Submitted December 19, 2017 at 09:21PM by volci
via reddit http://ift.tt/2kMh1ht
The Hacker News
Kaspersky Lab Sues U.S. Government Over Software Ban
Kaspersky Lab has taken the United States government to a U.S. federal court for its decision to ban the use of Kaspersky products in federal agencies and departments.
CSE Statement on the Attribution of WannaCry Malware
http://ift.tt/2yZm03K
Submitted December 19, 2017 at 09:17PM by julian88888888
via reddit http://ift.tt/2kl0pOp
http://ift.tt/2yZm03K
Submitted December 19, 2017 at 09:17PM by julian88888888
via reddit http://ift.tt/2kl0pOp
www.cse-cst.gc.ca
CSE Statement on the Attribution of WannaCry Malware | Communications Security Establishment
CSE believes that a safe and secure cyber space is important for the security, stability and prosperity of our country.
Annual Security Awareness Training is a Complete Waste of Time
http://ift.tt/2yYSdYJ
Submitted December 19, 2017 at 09:15PM by CurriculaAware
via reddit http://ift.tt/2kMsOfN
http://ift.tt/2yYSdYJ
Submitted December 19, 2017 at 09:15PM by CurriculaAware
via reddit http://ift.tt/2kMsOfN
Curricula
Annual Security Awareness Training is a Waste of Time - Curricula
Annual security awareness training is a waste of time. We discuss why an ongoing security awareness program is required to protect against cyber threats.
Keeping a list of passwords safe..?
Hi there, Our small business has the need for several passwords (bank accounts, visas, third party software, etc etc..). We've been running into the problem of losing our passwords, I think due to the lack of organization. Losing these passwords is a HUGE pain, i'm spending more time than I should on getting passwords reset. These are the two options I can think of, comments/questions/concerns are greatly appreciated! 1- a small book of accounts/passwords kept in a small safe. 2- online password keepers**one of our team members had voiced concern over keeping the accounts/passwords on an online service. Are there any trustworthy companies where this is not a concern? Recommendations?Cheers
Submitted December 19, 2017 at 11:02PM by elifast
via reddit http://ift.tt/2oLX8g0
Hi there, Our small business has the need for several passwords (bank accounts, visas, third party software, etc etc..). We've been running into the problem of losing our passwords, I think due to the lack of organization. Losing these passwords is a HUGE pain, i'm spending more time than I should on getting passwords reset. These are the two options I can think of, comments/questions/concerns are greatly appreciated! 1- a small book of accounts/passwords kept in a small safe. 2- online password keepers**one of our team members had voiced concern over keeping the accounts/passwords on an online service. Are there any trustworthy companies where this is not a concern? Recommendations?Cheers
Submitted December 19, 2017 at 11:02PM by elifast
via reddit http://ift.tt/2oLX8g0
reddit
Keeping a list of passwords safe..? • r/security
Hi there, Our small business has the need for several passwords (bank accounts, visas, third party software, etc etc..). We've been running into...