Penetration Testing and Vulnerability Assessments Are NOT Going Anywhere Anytime Soon. We Still Suck at Basics
https://ift.tt/2HgJeHh
Submitted April 21, 2018 at 09:14PM by dbalut
via reddit https://ift.tt/2HOf8fn
https://ift.tt/2HgJeHh
Submitted April 21, 2018 at 09:14PM by dbalut
via reddit https://ift.tt/2HOf8fn
Dawid Bałut
Penetration Testing and Vulnerability Assessments Are NOT Going Anywhere Anytime Soon. We Still Suck at Basics
I’ve seen following questions pop up very often, so decided to write some brief blogpost about it from my POV. For how long will the security testers’ work be required? What is the future of …
Provider storing passwords unencrypted/hashed
I was wondering, why my provider would verify my identity by asking for the 3 first signs of my password. So i asked them by email and they told me it would'nt be necessary. Only the first 3 signs are known to them. Is this plausible, or is my password stored in an unencrypted database which could potentially be hacked? How would i go on on convincing them to change this?
Submitted April 21, 2018 at 10:55PM by sffilk0908
via reddit https://ift.tt/2vxDhEC
I was wondering, why my provider would verify my identity by asking for the 3 first signs of my password. So i asked them by email and they told me it would'nt be necessary. Only the first 3 signs are known to them. Is this plausible, or is my password stored in an unencrypted database which could potentially be hacked? How would i go on on convincing them to change this?
Submitted April 21, 2018 at 10:55PM by sffilk0908
via reddit https://ift.tt/2vxDhEC
reddit
Provider storing passwords unencrypted/hashed • r/security
I was wondering, why my provider would verify my identity by asking for the 3 first signs of my password. So i asked them by email and they told...
Overall Security Strategy
I'm looking to begin a new security strategy for my colo'd server. I'm very interested in cyber security overall and would like to explore some of the different areas within. I enjoy hands on experience and learn best from it as well.I have a colo'd server which publicly hosts stuff and also has my "lab" on it. I'm looking to develop a security plan to better protect the VMs and overall network. VMs range from linux variants to windows ~20-30VMs total.I want to be able to emulate an enterprise as close as possible to learn more about the different aspects. Of course this starts with AD and tieing in SSO for apps and stuff. I would like to know what type of software I should look into and what log aggregation stuff I should use (I've worked with Splunk a little). I also like the idea of Security Onion which uses ELK so that's an option too since I'm sure it'd easily ship the logs to a centralized server. That covers network IDS and packet logging etc. On the hosts for linux and windows, what should I use for HIDS or other malware scanners that can communicate to a "centralized" server. I saw something about OSSIM but would like community input.Aside from network and host based stuff talked about above, is there anything else I should look into? If you have a diagram that talks about the different security areas of a network (such as network and host based (and more) that I can use as a "checklist" that'd be great.
Submitted April 22, 2018 at 12:08AM by Gamerfanatic
via reddit https://ift.tt/2HgY1G2
I'm looking to begin a new security strategy for my colo'd server. I'm very interested in cyber security overall and would like to explore some of the different areas within. I enjoy hands on experience and learn best from it as well.I have a colo'd server which publicly hosts stuff and also has my "lab" on it. I'm looking to develop a security plan to better protect the VMs and overall network. VMs range from linux variants to windows ~20-30VMs total.I want to be able to emulate an enterprise as close as possible to learn more about the different aspects. Of course this starts with AD and tieing in SSO for apps and stuff. I would like to know what type of software I should look into and what log aggregation stuff I should use (I've worked with Splunk a little). I also like the idea of Security Onion which uses ELK so that's an option too since I'm sure it'd easily ship the logs to a centralized server. That covers network IDS and packet logging etc. On the hosts for linux and windows, what should I use for HIDS or other malware scanners that can communicate to a "centralized" server. I saw something about OSSIM but would like community input.Aside from network and host based stuff talked about above, is there anything else I should look into? If you have a diagram that talks about the different security areas of a network (such as network and host based (and more) that I can use as a "checklist" that'd be great.
Submitted April 22, 2018 at 12:08AM by Gamerfanatic
via reddit https://ift.tt/2HgY1G2
reddit
Overall Security Strategy • r/security
I'm looking to begin a new security strategy for my colo'd server. I'm very interested in cyber security overall and would like to explore some of...
Slow loris noscript not working properly
Hello everybody!So recently I learned about the Slow Loris attack and thought about testing it against my rpi server. So now matter how high I set the number of connections to be, the server still worked, it only worked slower, but for short intervals of time. Here is the code I used! Does anyone have an idea why it doesn't work properly?
Submitted April 22, 2018 at 12:16AM by daviddvd267
via reddit https://ift.tt/2vA3ja7
Hello everybody!So recently I learned about the Slow Loris attack and thought about testing it against my rpi server. So now matter how high I set the number of connections to be, the server still worked, it only worked slower, but for short intervals of time. Here is the code I used! Does anyone have an idea why it doesn't work properly?
Submitted April 22, 2018 at 12:16AM by daviddvd267
via reddit https://ift.tt/2vA3ja7
Pastebin
[Python] import socket, random, time, sys headers = [ "User-agent: Mozilla/5.0 (M - Pastebin.com
The CIA Wants To Compromise Your Router
https://ift.tt/2EFbSjv
Submitted April 22, 2018 at 12:55AM by Iot_Security
via reddit https://ift.tt/2HhH1eQ
https://ift.tt/2EFbSjv
Submitted April 22, 2018 at 12:55AM by Iot_Security
via reddit https://ift.tt/2HhH1eQ
KitGuru
The CIA Wants To Compromise Your Router - KitGuru
While WikiLeaks isn’t everyone’s cup of tea, if you’re in the IT field and haven’t investigated the
Millions of Chrome Users Have Installed Malware Posing as Ad Blockers
https://ift.tt/2Hcdnvu
Submitted April 22, 2018 at 05:55AM by OneSob
via reddit https://ift.tt/2qNuf1c
https://ift.tt/2Hcdnvu
Submitted April 22, 2018 at 05:55AM by OneSob
via reddit https://ift.tt/2qNuf1c
Motherboard
Millions of Chrome Users Have Installed Malware Posing as Ad Blockers
Andrey Meshkov, the cofounder of ad-blocker AdGuard, took a look at the noscript in some popular ad-blocking knockoffs and found some shady business.
Debugging Windows Services For Malware Analysis / Reverse Engineering
https://ift.tt/2vAXVna
Submitted April 22, 2018 at 11:57AM by khasaia
via reddit https://ift.tt/2HW9dVT
https://ift.tt/2vAXVna
Submitted April 22, 2018 at 11:57AM by khasaia
via reddit https://ift.tt/2HW9dVT
secrary[dot]com
Debugging Windows Services For Malware Analysis / Reverse Engineering
This blog is about malware analysis and reverse engineering. I’m Lasha Khasaia
New Version of Satan Ransomware Uses EternalBlue Exploit to Spread Via the Network and then Encrypt Files
https://ift.tt/2vHzBjR
Submitted April 22, 2018 at 02:06PM by TechLord2
via reddit https://ift.tt/2HiguSO
https://ift.tt/2vHzBjR
Submitted April 22, 2018 at 02:06PM by TechLord2
via reddit https://ift.tt/2HiguSO
bartblaze.blogspot.co.uk
Satan ransomware adds EternalBlue exploit
A blog about malware and information security.
Is my Kingston MicroSD Legit ? Is it safe if not?
https://ift.tt/2qQtGTE
Submitted April 22, 2018 at 02:10PM by aymanbt
via reddit https://ift.tt/2JiDJs7
https://ift.tt/2qQtGTE
Submitted April 22, 2018 at 02:10PM by aymanbt
via reddit https://ift.tt/2JiDJs7
Book review: "OAuth 2 In Action" by Justin Richer and Antonio Sanso
https://ift.tt/2F6BS7A
Submitted April 22, 2018 at 03:36PM by alexandertsvetkov
via reddit https://ift.tt/2K4QRT7
https://ift.tt/2F6BS7A
Submitted April 22, 2018 at 03:36PM by alexandertsvetkov
via reddit https://ift.tt/2K4QRT7
Surfing the code
Book review: OAuth 2 In Action by Justin Richer and Antonio Sanso
“Drupalgeddon2” touches off arms race to mass-exploit powerful Web servers
https://ift.tt/2K24G4J
Submitted April 22, 2018 at 06:22PM by NISMO1968
via reddit https://ift.tt/2HiL3HT
https://ift.tt/2K24G4J
Submitted April 22, 2018 at 06:22PM by NISMO1968
via reddit https://ift.tt/2HiL3HT
Ars Technica
“Drupalgeddon2” touches off arms race to mass-exploit powerful Web servers
Bug patched in March is still being exploited to take full control of servers.
Is Psono password manager worth it?
https://psono.com/
Submitted April 23, 2018 at 01:39AM by DotJersh
via reddit https://ift.tt/2K8P1Rg
https://psono.com/
Submitted April 23, 2018 at 01:39AM by DotJersh
via reddit https://ift.tt/2K8P1Rg
Psono
Psono - Self Hosted and Open Source Password Manager for Companies
Free open-source password manager for businesses with SAML, LDAP, audit logs, and compliance policy features. Supports Windows, Linux, Mac.
Breaking bad to make good: Firefox CVE-2017–7843
https://ift.tt/2qSwgIN
Submitted April 23, 2018 at 02:27AM by kmodi
via reddit https://ift.tt/2HKbIgk
https://ift.tt/2qSwgIN
Submitted April 23, 2018 at 02:27AM by kmodi
via reddit https://ift.tt/2HKbIgk
Medium
Breaking bad to make good: Firefox CVE-2017–7843
Private Browsing Mode (PBM) is one of the most widely known and used feature in not just Firefox but any major browser. Browsers are…
[Question] Selfies in order to turn off 2FA? Tumblr account retrieval dilemma
So, my desktop went kaputz one day and I had to re-login to my regularly used sites/services after fixing it.Unfortunately, due to some sort of error on Google Authenticator, the codes given were not working when I tried to log into Tumblr. I contacted Tumblr support and these were their directions:We can go ahead and remove your old two factor mobile account so you can gain access again to add your new number. For security reasons though, we just need a little more info from you.Is there a photo of you on the blog? If so, please send us the URL of the specific blog post. We can also use your avatar/portrait photo if it’s a clear picture of you or you don’t have another picture.The other thing we need from you is a photo of yourself for comparison. Please take a picture of yourself holding a piece of paper that says “Tumblr, this is literally me,” then send the photo in a reply to this email. You can send both of these items, the photo and the permalinks, in the same email. We need to be able to clearly see your face in both photos for comparison.In a world where deepfakes exists, is this really the best way identify a user trying to reclaim their account? It just sounds so ridiculous. Is this really secure?Note: Tumblr has 2FA, but it's not very good. Kind of like it was slapped on because everyone else was doing some sort of MFA. There are no backup codes, there are no backup security questions, and there is no backup sending the code to your phone. A poor attempt at a good concept.Thank you so much for reading. Please let me know if there is a better security-oriented sub I can discuss this issue on.
Submitted April 23, 2018 at 03:32AM by throwawayrants
via reddit https://ift.tt/2Hn2Qxq
So, my desktop went kaputz one day and I had to re-login to my regularly used sites/services after fixing it.Unfortunately, due to some sort of error on Google Authenticator, the codes given were not working when I tried to log into Tumblr. I contacted Tumblr support and these were their directions:We can go ahead and remove your old two factor mobile account so you can gain access again to add your new number. For security reasons though, we just need a little more info from you.Is there a photo of you on the blog? If so, please send us the URL of the specific blog post. We can also use your avatar/portrait photo if it’s a clear picture of you or you don’t have another picture.The other thing we need from you is a photo of yourself for comparison. Please take a picture of yourself holding a piece of paper that says “Tumblr, this is literally me,” then send the photo in a reply to this email. You can send both of these items, the photo and the permalinks, in the same email. We need to be able to clearly see your face in both photos for comparison.In a world where deepfakes exists, is this really the best way identify a user trying to reclaim their account? It just sounds so ridiculous. Is this really secure?Note: Tumblr has 2FA, but it's not very good. Kind of like it was slapped on because everyone else was doing some sort of MFA. There are no backup codes, there are no backup security questions, and there is no backup sending the code to your phone. A poor attempt at a good concept.Thank you so much for reading. Please let me know if there is a better security-oriented sub I can discuss this issue on.
Submitted April 23, 2018 at 03:32AM by throwawayrants
via reddit https://ift.tt/2Hn2Qxq
Should I setup my Fido U2F key in a way that it needs to be used every time I login to my gmail?
I'm a newbie so this might be a dumb question...but:So I bought a fido U2f key a while back, and set it up with my gmail account and removed any text recovery (as easier to have my phone compromised, than them having my fido u2f key).However, on my personal laptop I have it set to never ask for my Fido U2f key. My question is: isn't my Gmail still easily succeptible to hacks if I get keylogged? All the hacker needs to do is to get me to open an exe file and get control of my computer (forget the name of this type of hack), and thus in control of my gmail without my Fido U2f key.Is this correct, or am I missing something?
Submitted April 23, 2018 at 10:24AM by SurfaceCuriosity
via reddit https://ift.tt/2HGVNz1
I'm a newbie so this might be a dumb question...but:So I bought a fido U2f key a while back, and set it up with my gmail account and removed any text recovery (as easier to have my phone compromised, than them having my fido u2f key).However, on my personal laptop I have it set to never ask for my Fido U2f key. My question is: isn't my Gmail still easily succeptible to hacks if I get keylogged? All the hacker needs to do is to get me to open an exe file and get control of my computer (forget the name of this type of hack), and thus in control of my gmail without my Fido U2f key.Is this correct, or am I missing something?
Submitted April 23, 2018 at 10:24AM by SurfaceCuriosity
via reddit https://ift.tt/2HGVNz1
reddit
Should I setup my Fido U2F key in a way that it needs... • r/security
I'm a newbie so this might be a dumb question...but: So I bought a fido U2f key a while back, and set it up with my gmail account and removed any...
GDPR. Practical tips
https://ift.tt/2F7mXKn
Submitted April 23, 2018 at 12:39PM by DhoundSecurity
via reddit https://ift.tt/2HSt2NH
https://ift.tt/2F7mXKn
Submitted April 23, 2018 at 12:39PM by DhoundSecurity
via reddit https://ift.tt/2HSt2NH
Medium
GDPR. Practical tips
Everyone has heard about the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which enters into force on May 25, 2018…
Exploiting CVE-2018-1038 aka TotalMeltdown
https://ift.tt/2vHZ6kG
Submitted April 23, 2018 at 12:54PM by xpnsecurity
via reddit https://ift.tt/2F8TLlW
https://ift.tt/2vHZ6kG
Submitted April 23, 2018 at 12:54PM by xpnsecurity
via reddit https://ift.tt/2F8TLlW
XPN InfoSec Blog
Exploiting CVE-2018-1038 - Total Meltdown
This week I had some free time to look into CVE-2018-1038 aka Total Meltdown. The aim was to create a quick exploit which could be used to elevate privileges during an assessment. I ended up delving into Windows memory management more than I had before.
Privacy concerns when looking for a new smartphone
Greeting!I'm in the business of buying a new phone. I'm somewhat concerned about the general security and privacy of the biggest brands. I really don't like apple, so I'm mostly focusing on android.Does anyone have any suggestion on brands to look out for or to avoid?Any good resorces on things to think about after purchase in terms of configuration and what to install/uninstall?
Submitted April 23, 2018 at 02:11PM by artog
via reddit https://ift.tt/2vANkIS
Greeting!I'm in the business of buying a new phone. I'm somewhat concerned about the general security and privacy of the biggest brands. I really don't like apple, so I'm mostly focusing on android.Does anyone have any suggestion on brands to look out for or to avoid?Any good resorces on things to think about after purchase in terms of configuration and what to install/uninstall?
Submitted April 23, 2018 at 02:11PM by artog
via reddit https://ift.tt/2vANkIS
reddit
Privacy concerns when looking for a new smartphone • r/security
Greeting! I'm in the business of buying a new phone. I'm somewhat concerned about the general security and privacy of the biggest brands. I...
CVE 2017-7843 : Firefox Private windows
https://ift.tt/2HlqFWq
Submitted April 23, 2018 at 01:07PM by kmodi
via reddit https://ift.tt/2FaEpNM
https://ift.tt/2HlqFWq
Submitted April 23, 2018 at 01:07PM by kmodi
via reddit https://ift.tt/2FaEpNM
Reddit
reddit: the front page of the internet
r/firefox: The latest news and developments on Firefox and Mozilla, a global non-profit that strives to promote openness, innovation and opportunity on the web.
Security OS for Android
Hey, im searching for a security OS like Copperhead but i have a lg g6 and copperhead doesnt support lg g6. Could anyone help me?
Submitted April 23, 2018 at 03:09PM by TheSparkling
via reddit https://ift.tt/2JgY5Cc
Hey, im searching for a security OS like Copperhead but i have a lg g6 and copperhead doesnt support lg g6. Could anyone help me?
Submitted April 23, 2018 at 03:09PM by TheSparkling
via reddit https://ift.tt/2JgY5Cc
Reddit
reddit: the front page of the internet
r/security: A friendly and professional place for discussing computer security.
Pervert hacked people's CCTV systems to record them having sex
https://ift.tt/2HNcbOu
Submitted April 23, 2018 at 03:06PM by Iot_Security
via reddit https://ift.tt/2JgY80Q
https://ift.tt/2HNcbOu
Submitted April 23, 2018 at 03:06PM by Iot_Security
via reddit https://ift.tt/2JgY80Q
walesonline
Pervert hacked people's CCTV systems to record them having sex
Steven Hankers had a database of up to 3,000 passwords for people's home security systems