Tag security

🧠 Reminder that "beefstew" is not a good password. It is not Str0g4|\|off

Chris Heilmann (@codepo8)Tue, 05 Apr 2022 08:57 +0000

My bank: 🏦: I need you to jump through security hurdles to keep your money safe. Me: 🙋‍♀️: No problem! Cybersecurity is a process, not a destination! Also My Bank: 🏦: Whoa, whoa, whoa. 21 digit password? Let's not get crazy. Also, I have never seen the character "&" in my life.

Brianna Wu (@BriannaWu)Tue, 29 Mar 2022 14:59 +0000

Wow, @Zoom's decision to bypass the security settings of their customers in order to boost its marketplace demand is a bold move, to put it mildly. CISOs discovering this after the fact will be fuming.

Tobie Langel (@tobie)Mon, 28 Mar 2022 08:33 +0000

Since #Log4j you've heard how OSS vulns impact most orgs, how OSS is underfunded & we need to do more to help, but did you know OSS security has improved drastically in the last 4 years? In 2017, 35% of OSS libs used had a known flaw. In 2022 it's < 10% veracode.com/state-of-softw…

Chris Wysopal (@WeldPond)Wed, 09 Feb 2022 19:36 GMT

Eight years later, and this is now a thing 😃 gov.uk/security.txt No monetary reward (sadly, but I get why).

Post details

Should GOV.UK Run A Bug Bounty? shkspr.mobi/blog/?p=9760

Terence Eden (@edent)Tue, 04 Feb 2014 12:05 GMT

Terence Eden (@edent)Fri, 04 Feb 2022 07:43 GMT

Federal government memo: "Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum." Yes!

Post details

The federal government just dropped a 29-pg memo laying out its "transition to a zero trust approach" A few surprises: ✴️ there's more in it than just zero-trust ✴️ it goes beyond what most orgs do today I read the whole thing so you don't have to... bastionzero.com/blog/i-read-th…

Sharon Goldberg (@goldbe)Thu, 27 Jan 2022 14:52 GMT

Simon Willison (@simonw)Thu, 27 Jan 2022 19:21 GMT

Please do not teach the computers how to recognize us even with most of our facial features covered.

Post details

iOS 15.4 beta has a new ‘Use Face ID with a Mask’ option and the masked FaceID icon is absolutely adorable.

Sebastiaan de With (@sdw)Thu, 27 Jan 2022 19:38 GMT

Renaissance Mandalorian (@indik)Fri, 28 Jan 2022 03:42 GMT

Over 20 thousand servers have their iLO exposed to the internet, many are outdated and vulnerable i5c.us/d28276

SANS ISC (@sans_isc)Wed, 26 Jan 2022 11:20 GMT

"Securing the (open source) software supply chain" naturally focuses attention "upstream" in the supply chain. And there is so much to do _downstream_ in how we assemble and operate software more securely. Improvements downstream don't need to wait on investments upstream.

Matthew S. Wilson (msw) (@_msw_)Sun, 16 Jan 2022 17:18 GMT

Looks like the AWS CDK is broken because the dependency on colors.js which has a totally hilarious bug: github.com/aws/aws-cdk/is… It shows "LIBERTY LIBERTY LIBERTY".

Soenke Ruempler (@s0enke)Sun, 09 Jan 2022 18:43 GMT

One might say they have bad ApeSec

Post details

https://twitter.com/edzitron/status/1477703853944434688

look i know all this shit sucks beyond comprehension but “did not take proper precautions when moving his ape” is just an objectively funny sentence.

Yeet Takeshi (@alex_navarro)Sun, 02 Jan 2022 18:11 GMT

Ed Zitron (@edzitron)Sun, 02 Jan 2022 18:13 GMT

https://twitter.com/edzitron/status/1477703853944434688

look i know all this shit sucks beyond comprehension but “did not take proper precautions when moving his ape” is just an objectively funny sentence.

Yeet Takeshi (@alex_navarro)Sun, 02 Jan 2022 18:11 GMT

Just use an npm package.

Den Delimarsky (@DennisCode)Sun, 26 Dec 2021 05:17 GMT

https://twitter.com/QuinnyPig/status/1473887418973446146

Thank you, @awscloud. aws.amazon.com/security/secur…

Corey Quinn (@QuinnyPig)Thu, 23 Dec 2021 23:57 GMT

I wanted a way to monitor trending CVEs on Twitter So I built CVEtrends.com - data comes from Twitter + NIST NVD APIs - back-end: Python, Flask, PostgreSQL, and Redis - front-end: React + Bootstrap It's a quick MVP, but let me know your thoughts and feedback...

Simon J. Bell (@SimonByte)Tue, 23 Nov 2021 13:53 GMT

Just had to inform a large UK professional body that maybe using Tomcat 6.0.45 (6.x was EOL'd 5 years ago) on their public website maybe isn't a great idea

Russell Howe (@rhowe212)Tue, 21 Dec 2021 16:34 GMT

Good news: Log4j is the only library you use that’s been trivially vulnerable for about a decade.

haroon meer (@haroonmeer)Mon, 20 Dec 2021 11:12 GMT

A whole lot of engineers worked all weekend and deserve the week off. Friendly reminder that you should give it to them.

emily freeman (@editingemily)Mon, 13 Dec 2021 06:06 GMT

from @BlackHatEvents USA 2016: A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh blackhat.com/docs/us-16/mat… now the exploit vector presented in 2016 is the #log4jRCE. attached slide #11 from the presentation below. :)

an0n (@an0n_r0)Sat, 11 Dec 2021 12:23 GMT

I see folks making fun of the CVE issued for the default password on Raspberry Pi I personally want to see CVEs for EVERY _static_ default credential. I want it to show up in searches for the vendor name or product, CVE counts for a vendor, and in risk ratings for the product.

Tom Sellers (@TomSellers)Wed, 08 Dec 2021 16:54 GMT