Tag security
Lightspin obtains credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension.
🧠 Reminder that "beefstew" is not a good password. It is not Str0g4|\|off
Chris Heilmann (@codepo8), Tue, 05 Apr 2022 08:57 +0000
My bank: 🏦: I need you to jump through security hurdles to keep your money safe.
Me: 🙋♀️: No problem! Cybersecurity is a process, not a destination!
Also My Bank: 🏦: Whoa, whoa, whoa. 21 digit password? Let's not get crazy. Also, I have never seen the character "&" in my life.
Brianna Wu (@BriannaWu), Tue, 29 Mar 2022 14:59 +0000
📢 On June 23rd, I will be presenting in @tweakers Summit 2022: How did the Log4j crew survive Log4shell? tweakers.net/partners/devsu… Game on! 🎮
Volkan Yazıcı (@yazicivo), Tue, 29 Mar 2022 07:06 +0000
Wow, @Zoom's decision to bypass the security settings of their customers in order to boost its marketplace demand is a bold move, to put it mildly. CISOs discovering this after the fact will be fuming.
Tobie Langel (@tobie), Mon, 28 Mar 2022 08:33 +0000
Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards (6 mins read).
How to use the OpenSSF Scorecards GitHub Action to audit your GitHub and GitHub Actions configuration, and a breakdown of some of the issues raised by it.
Since #Log4j you've heard how OSS vulns impact most orgs, how OSS is underfunded & we need to do more to help, but did you know OSS security has improved drastically in the last 4 years? In 2017, 35% of OSS libs used had a known flaw. In 2022 it's < 10% veracode.com/state-of-softw…
Chris Wysopal (@WeldPond), Wed, 09 Feb 2022 19:36 GMT
Kelsey Hightower joins us from Google to discuss the question "Can DevSecOps be damaging?"
Eight years later, and this is now a thing 😃 gov.uk/security.txt No monetary reward (sadly, but I get why).
Quoted tweet: Should GOV.UK Run A Bug Bounty? shkspr.mobi/blog/?p=9760
Terence Eden (@edent), Tue, 04 Feb 2014 12:05 GMT
Terence Eden (@edent), Fri, 04 Feb 2022 07:43 GMT
Federal government memo: "Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum." Yes!
Quoted tweet: The federal government just dropped a 29-pg memo laying out its "transition to a zero trust approach" A few surprises:
✴️ there's more in it than just zero-trust
✴️ it goes beyond what most orgs do today
I read the whole thing so you don't have to... bastionzero.com/blog/i-read-th…
Sharon Goldberg (@goldbe), Thu, 27 Jan 2022 14:52 GMT
Simon Willison (@simonw), Thu, 27 Jan 2022 19:21 GMT
Please do not teach the computers how to recognize us even with most of our facial features covered.
Quoted tweet: iOS 15.4 beta has a new ‘Use Face ID with a Mask’ option and the masked FaceID icon is absolutely adorable.
Sebastiaan de With (@sdw), Thu, 27 Jan 2022 19:38 GMT
Renaissance Mandalorian (@indik), Fri, 28 Jan 2022 03:42 GMT
Over 20 thousand servers have their iLO exposed to the internet, many are outdated and vulnerable i5c.us/d28276
SANS ISC (@sans_isc), Wed, 26 Jan 2022 11:20 GMT
"Securing the (open source) software supply chain" naturally focuses attention "upstream" in the supply chain. And there is so much to do _downstream_ in how we assemble and operate software more securely. Improvements downstream don't need to wait on investments upstream.
Matthew S. Wilson (msw) (@_msw_), Sun, 16 Jan 2022 17:18 GMT
Imagine how much worse this could have been (and how long it would have gone undetected) if the change was siphoning AWS credentials instead of graffiti in the terminal.
Quoted tweet: Looks like the AWS CDK is broken because the dependency on colors.js which has a totally hilarious bug: github.com/aws/aws-cdk/is… It shows "LIBERTY LIBERTY LIBERTY".
Soenke Ruempler (@s0enke), Sun, 09 Jan 2022 18:43 GMT
Aidan W Steele (@__steele), Sun, 09 Jan 2022 23:22 GMT
One might say they have bad ApeSec
Quoted tweet: look i know all this shit sucks beyond comprehension but “did not take proper precautions when moving his ape” is just an objectively funny sentence.
Yeet Takeshi (@alex_navarro), Sun, 02 Jan 2022 18:11 GMT
Ed Zitron (@edzitron), Sun, 02 Jan 2022 18:13 GMT
Implementors use the terms interchangeably unless they are making distinctions. Even at a TLS working group meeting, no-one will care if you say SSL. Also it's basically always SSL certs, no-one says TLS certs. TLS "Well actually"ing is just idiotic gatekeeping.
Quoted tweet: Its name is TLS (Transport Layer Security). It's called SSL (Secure Socket Layer). It is network encryption. Its name is called Haddock's Eyes. twitter.com/jpmens/status/…
Robᵉʳᵗ Graham (@ErrataRob), Fri, 31 Dec 2021 18:20 GMT
Colm MacCárthaigh (@colmmacc), Fri, 31 Dec 2021 18:23 GMT
Just use an npm package.
Den Delimarsky (@DennisCode), Sun, 26 Dec 2021 05:17 GMT
Thank you, @awscloud. aws.amazon.com/security/secur…
Corey Quinn (@QuinnyPig), Thu, 23 Dec 2021 23:57 GMT
I wanted a way to monitor trending CVEs on Twitter. So I built CVEtrends.com
- data comes from Twitter + NIST NVD APIs
- back-end: Python, Flask, PostgreSQL, and Redis
- front-end: React + Bootstrap
It's a quick MVP, but let me know your thoughts and feedback...
Simon J. Bell (@SimonByte), Tue, 23 Nov 2021 13:53 GMT
Just had to inform a large UK professional body that maybe using Tomcat 6.0.45 (6.x was EOL'd 5 years ago) on their public website maybe isn't a great idea
Russell Howe (@rhowe212), Tue, 21 Dec 2021 16:34 GMT
What are folks' thoughts about using a password manager i.e. KeepassXC to store TOTP data (not the recovery codes) for MFA? My initial thought is that this sounds like a Bad Idea, but not sure if I'm being a bit too paranoid?
Good news: Log4j is the only library you use that’s been trivially vulnerable for about a decade.
haroon meer (@haroonmeer), Mon, 20 Dec 2021 11:12 GMT
A whole lot of engineers worked all weekend and deserve the week off. Friendly reminder that you should give it to them.
emily freeman (@editingemily), Mon, 13 Dec 2021 06:06 GMT
from @BlackHatEvents USA 2016: A Journey From #JNDI/LDAP Manipulation to Remote Code Execution Dream Land by @pwntester and @olekmirosh blackhat.com/docs/us-16/mat… now the exploit vector presented in 2016 is the #log4jRCE. attached slide #11 from the presentation below. :)
an0n (@an0n_r0), Sat, 11 Dec 2021 12:23 GMT
I see folks making fun of the CVE issued for the default password on Raspberry Pi. I personally want to see CVEs for EVERY _static_ default credential. I want it to show up in searches for the vendor name or product, CVE counts for a vendor, and in risk ratings for the product.
Tom Sellers (@TomSellers), Wed, 08 Dec 2021 16:54 GMT
Should That (Secret) Thing Be In Your Querystring? (2 mins read).
Why you should be very cautious about putting potentially sensitive values into the querystring of web APIs.