Reviewing Android Webviews fileAccess attack vectors.
https://ift.tt/2IKRBz7
Submitted May 15, 2018 at 03:37PM by clviper
via reddit https://ift.tt/2IjHFZF
3 Winners & 2 Losers: NIST Cybersecurity Framework 1.1
https://ift.tt/2IjqEis
Submitted May 15, 2018 at 05:17PM by Uminekoshi
via reddit https://ift.tt/2rJXkub
Nehemiah Security
3 Winners & 2 Losers: NIST Cybersecurity Framework 1.1 - Nehemiah Security
The introduction of the NIST cybersecurity framework 1.0 has been both expected and disruptive when it was first created in 2014. This framework has evolved the way many companies think about cybersecurity today. Many swear by it as well. This is why the…
Is there a CloudGen firewall that also has WAF features?
Hi, please excuse me for any technical mistake, I am a novice in terms of security. We are hosting an infrastructure on the cloud that contains multiple machines and a web application. Is there any CloudGen firewall that also could monitor and block threats coming on the web application? We also would like to have the less expensive one that covers everything we need. This should contain those features:
SQL injection protection
Cross site scripting protection
Common Web Attacks Protection such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attack
Protection against HTTP protocol violations
Protection against HTTP protocol anomalies such as missing host, user-agent and accept headers
Prevention against bots, crawlers, and scanners
Detection of common application misconfigurations (for example, Apache, IIS, and so on.)
Also OWASP protection.
Thank you.
Submitted May 15, 2018 at 05:16PM by Gretyzdee
via reddit https://ift.tt/2L4917V
PagerDuty's publicly available Security Engineer training slides
https://ift.tt/2ra1QSz
Submitted May 15, 2018 at 05:57PM by infosecB
via reddit https://ift.tt/2rLUKDU
PagerDuty Security Training
For Engineers - PagerDuty Security Training
This is an open-source version of 'Security Training for Engineers', PagerDuty's internal employee technical security training, open to all PagerDuty employees as part of our continuous security training program.
Security In 5: Episode 238 - Mini-Series Top 10 Reasons To Pen Test - 7 - Prioritize Risks
https://ift.tt/2ImQ5j9
Submitted May 15, 2018 at 06:35PM by BinaryBlog
via reddit https://ift.tt/2INszz0
Libsyn
Security In Five Podcast: Episode 238 - Mini-Series Top 10 Reasons To Pen Test - 7 - Prioritize Risks
Continuing with the mini series, Top 10 Reasons To Run Penetration Tests in Your Business, we are up to number 7. This one talks about how penetration tests and their results can help you prioritize your risks. This episode talks about how this happens and…
Facebook Hack Shows It’s Time to Upgrade Our Method of Verifying Identity
https://ift.tt/292LeDh
Submitted May 15, 2018 at 08:26PM by dengorilla1
via reddit https://ift.tt/2GiExLH
Motherboard
Facebook Hack Shows It’s Time to Upgrade Our Method of Verifying Identity
All you need to get around two-factor authentication is Photoshop.
Canonical finally comments on Ubuntu Linux Snap Store security failure
https://ift.tt/2wDrhSq
Submitted May 15, 2018 at 07:55PM by CornCobBobby
via reddit https://ift.tt/2IkScE4
BetaNews
Canonical finally comments on Ubuntu Linux Snap Store security failure
Over the weekend, we reported on an Ubuntu Snap Store app that had a hidden cryptocurrency miner. This was a disappointing discovery, as users’ machines were being hijacked to earn money for …
Beware of the Magic SpEL(L) – Part 1 (CVE-2018-1273)
https://ift.tt/2wI6VYn
Submitted May 15, 2018 at 08:55PM by 0xdea
via reddit https://ift.tt/2ImEWmj
GoSecure
Beware of the Magic SpEL(L) - Part 1 (CVE-2018-1273) - GoSecure
This February, we ran a Find Security Bugs scan on over at least one hundred components from the Spring Framework, including the core components (spring-core, spring-mvc) but also optional components (spring-data, spring-social, spring-oauth, etc.). From…
Nethammer: Inducing Rowhammer Faults through Network Requests
https://ift.tt/2KXyuzP
Submitted May 15, 2018 at 09:12PM by albinowax
via reddit https://ift.tt/2ImdJA4
Dan Guido on Efail Vulnerability: "As an attacker, I could not care less about this technique. It's intellectually neat, but operationally stupid."
https://ift.tt/2KmxhB2
Submitted May 15, 2018 at 10:48PM by Derbel__McDillet
via reddit https://ift.tt/2L05CqC
Dark Reading
'EFAIL' Email Encryption Flaw Research Stirs Debate
A newly revealed vulnerability in email encryption is a big problem for a small subset of users.
The Secure Developer: Security Training with Elevate's Masha Sedova
https://ift.tt/2KmnY3W
Submitted May 15, 2018 at 11:20PM by heitortsergent
via reddit https://ift.tt/2rIPuBP
Heavybit
The Secure Developer | Ep. #16, Security Training with Elevate's Masha Sedova | Heavybit
In episode 16 of The Secure Developer, Guy is joined by Masha Sedova, co-founder of Elevate Security, to discuss how training for employees (even developers) can help companies stay one step ahead of the pack when it comes to preventing a breach.
Is there any way an HTTPS proxy can forward traffic without decryption?
Normally an HTTPS proxy decrypts the traffic and re-encrypts it. It basically sees all traffic unencrypted. Is there any web standard or proxy software that forwards the HTTPS handshake and does not decrypt the traffic?
Submitted May 15, 2018 at 11:49PM by kickass_turing
via reddit https://ift.tt/2ImWivl
Safe and Sorry – Terrorism & Mass Surveillance
https://www.youtube.com/watch?v=V9_PjdU3Mpo
Submitted May 15, 2018 at 11:44PM by dengorilla1
via reddit https://ift.tt/2IIPZWk
YouTube
Safe and Sorry – Terrorism & Mass Surveillance
Sending Inaudible Commands to Voice Assistants. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online -- simply with music playing over the radio
https://ift.tt/2jZvHtU
Submitted May 16, 2018 at 12:36AM by magenta_placenta
via reddit https://ift.tt/2Gkj2tX
Linux Random Number Generator: A New Approach - Stephan Müller
https://ift.tt/1U8fgIt
Submitted May 16, 2018 at 01:01AM by rain5
via reddit https://ift.tt/2L1LTHa
Windows Updates Broke Your Networking? Free Micropatches To The Rescue (CVE-2018-8174)
https://ift.tt/2rM82Am
Submitted May 16, 2018 at 12:56AM by dielel
via reddit https://ift.tt/2IGg74e
0Patch
Windows Updates Broke Your Networking? Free Micropatches To The Rescue (CVE-2018-8174)
A Single-Instruction Micropatch For a Critical Remote Execution Issue by Mitja Kolsek, 0patch Team Last week, Microsoft issued an update...
Vote on your favorite incident response playbook
We recently held an incident response playbook contest on SecOps Hub. It's now time to vote on your favorite. These playbooks cover topics such as malware, ransomware, Crit/high event monitoring, and automating WildFire responses. Visit the community to vote today! https://www.secopshub.com/t/show-off-your-security-expertise-join-our-community-driven-contest/263/8
Submitted May 16, 2018 at 01:20AM by SecOpsHub
via reddit https://ift.tt/2L11bvM
SecOps Hub
Show off your security expertise--join our community-driven contest!
We want to learn from you, so we’re running a contest to gather the best incident response playbooks from the community. It’s an open-ended contest–you pick the use case, draw up the playbook, and submit it to the community for consideration. The 3 top-voted…
315 Red Team Tips
https://ift.tt/2Il19kP
Submitted May 16, 2018 at 03:30AM by piedpiperpivot
via reddit https://ift.tt/2wJG4uT
Vincent Yiu
Red Team Tips
Red Team Tips by Vincent Yiu (@vysecurity).
Security policies applied by the employer/institution after linking Exchange/Office365 account
Hello everyone! I don't know if this is the right place to consult for this as it's a question geared towards the Windows platform.
Whenever I wanted to sync my university email with the stock Android email app, it would pop out with a dialog that said that the account would become an administrator on my phone, which basically could do as it liked remotely, so that was always a deal breaker for me and I would check my email through the browser or third-party apps on my phone.
This wasn't the case for the default mail app on Windows 10, at least I hadn't noticed before. After not having used the app with any account for a long time and the OS itself receiving many updates such as the Creator's, I decided to set up all my mailboxes again on the default "Mail" app. This time, however, while linking the university's mailbox it said something along the lines of "setting company policies, please wait" very briefly. Now, this is the same account that wanted to be able to wipe out my phone remotely without notice, which is an Office365 service that my university uses. Looking into what I could find, the results were vague. Thanks Microsoft! You could just tell me, y'know.
I don't know how to go about finding the repercussions of what this has done and something tells me that simply removing the email account won't change anything. Any help would be appreciated, many thanks!
Submitted May 16, 2018 at 03:08AM by Ere-Eye
via reddit https://ift.tt/2Ihf9vM