Open Source prevents backdoors. You can have a look at its source code and compile it yourself.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.

One suggestion is to check user's passwords when they log in and you have the plain text password to hand. That way you can also take them through a reset password flow as they log in if their password has been pwned.

In 2017 NIST (National Institute of Standards and Technology) as part of their digital identity guidelines recommended that user passwords are checked against existing public breaches of data. The idea is that if a password has appeared in a data breach before then it is deemed compromised and should not be used. Of course, the recommendations include the use of two factor authentication to protect user accounts too.

TOTP values can be phished like passwords, though this requires attackers to proxy the credentials in real time

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.

trim off a bunch of excessive headers such as the content security policy HIBP uses (that's of no use to a lone API endpoint).

This isn't asking about which of the person's 500 doors was left unlocked, rather it's asking me to put the actual keys for over a billion doors up into a publicly accessible location with nothing other than my own personal best efforts to keep them safe.

So I'd have to encrypt them and the problem with encryption is decryption. If HIBP got comprehensively pwned itself - and that is always a possibility - to the extent where the encryption key was also exposed, it's game over.

So I'd have to encrypt them and the problem with encryption is decryption. If HIBP got comprehensively pwned itself - and that is always a possibility - to the extent where the encryption key was also exposed, it's game over. Or alternatively, if there's a flaw in the process that retrieves and displays the password such that it becomes visible to an unauthorised person, that's also a very serious issue.

Once common practice, websites emailing you your password is now severely frowned upon. You'd often see this happen if you'd forgotten your password: you go to the "forgot password page", plug in your email address and get it delivered to your inbox. In fact, this is such a bad practice that there's even a website dedicated to shaming others that do this.

Email is not considered a secure communications channel. You have no idea if your email is encrypted when it's sent between mail providers nor is it a suitable secure storage facility

Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact.

So there's a lot of stuff getting hacked and a lot of credentials floating around the place, but then what? I mean what do evil-minded people do with all those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites

Can G Suite Admin Read My Email?

An emerging way to bypass the need for passwords is to use magic links. A magic link is a temporary URL that expires after use, or after a specific interval of time. Magic links can be sent to your email address, an app, or a security device. Clicking the link authorizes you to sign in.

Hashing passwords won’t save you or your users. Once a database of passwords has been stolen, hackers aim immense distributed computing power at those password databases. They use parallel GPUs or giant botnets with hundreds of thousands of nodes to try hundreds of billions of password combinations per second in hopes of recovering plaintext username/password pairs.

Validating CloudTrail Log File Integrity PDF Kindle RSS To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Unfortunately no - it cannot be done without Trusted security devices. There are several reasons for this. All of the below is working on the assumption you have no TPM or other trusted security device in place and are working in a "password only" environment.

Own Your Encryption KeysYou would never trust a company to keep a record of your password for use anytime they want. Why would you do that with your encryption keys? With Graphite, you don't have to. You own and manage your keys so only YOU can decrypt your content.

This is acceptable because the standard security levels are primarily driven by much simpler, symmetric primitives where the security level naturally falls on a power of two. For asymmetric primitives, rigidly adhering to a power-of-two security level would require compromises in other parts of the design, which we reject.

Enligt Polismyndighetens riktlinjer ska en konsekvensbedömning göras innan nya polisiära verktyg införs, om de innebär en känslig personuppgiftbehandling. Någon sådan har inte gjorts för det aktuella verktyget.

emerging data threats

threat model

information security literacy

accuses Apple of seeking to “exclude competition … under the guise of security” by locking down the iPhone and iPad.

The payment provider told MarketWatch that everyone has a unique walk, and it is investigating innovative behavioral biometrics such as gait, face, heartbeat and veins for cutting edge payment systems of the future.

startup focused on creating transparency in data. All that stuff you keep reading about the shenanigans with companies mishandling people's data? That's what we are working on fixing.

To add insult to injury I learn that when Cloudflare automatically detects an anomaly with your domain they permanently delete all DNS records. Mine won't be difficult to restore, but I'm not sure why this is necessary. Surely it would be possible for Cloudflare to mark a domain as disabled without irrevocably deleting it? Combined with the hacky audit log, I'm left with the opinion that for some reason Cloudflare decided to completely half-ass the part of their system that is responsible for deleting everything that matters to a user.

When our analysts discovered six vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication (2FA), to being able to send malicious code through their SmartChat system – we were met with non-stop delays, unresponsive staff, and lack of appreciation. Below, we go over each vulnerability in detail and why we believe they’re so dangerous. When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks. Instead, we got our Reputation scores (which start out at 100) negatively impacted, leaving us worse off than if we’d reported nothing at all.

Last year, Facebook said it would stop listening to voice notes in messenger to improve its speech recognition technology. Now, the company is starting a new program where it will explicitly ask you to submit your recordings, and earn money in return.

The most popular modern secure messaging tool is Signal, which won the Levchin Prize at Real World Cryptography for its cryptographic privacy design. Signal currently requires phone numbers for all its users. It does this not because Signal wants to collect contact information for its users, but rather because Signal is allergic to it: using phone numbers means Signal can piggyback on the contact lists users already have, rather than storing those lists on its servers. A core design goal of the most important secure messenger is to avoid keeping a record of who’s talking to whom. Not every modern secure messenger is as conscientious as Signal. But they’re all better than Internet email, which doesn’t just collect metadata, but actively broadcasts it. Email on the Internet is a collaboration between many different providers; and each hop on its store-and-forward is another point at which metadata is logged. .

Global spending on military robotics from 2000 to 2025

Now, Google has to change its practices and prompt users to choose their own default search engine when setting up a European Android device that has the Google Search app built in. Not all countries will have the same options, however, as the choices included in Google’s new prompt all went to the highest bidders.As it turns out, DuckDuckGo must have bid more aggressively than other Google competitors, as it’s being offered as a choice across all countries in the EU.

A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.

maybe the server is getting brute-forced some way. so the ssh connections are in use this way. In this case MaxStartups would only lead to more bandwith usage and higher server load. You should think about a non default port in high port range and something like fail2ban

t

greater integration of data, data security, and data sharing through the establishment of a searchable database.

I understand that GitHub uses "Not Found" where it means "Forbidden" in some circumstances to prevent inadvertently reveling the existence of a private repository. Requests that require authentication will return 404 Not Found, instead of 403 Forbidden, in some places. This is to prevent the accidental leakage of private repositories to unauthorized users. --GitHub This is a fairly common practice around the web, indeed it is defined: The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists. --6.5.4. 404 Not Found, RFC 7231 HTTP/1.1 Semantics and Content (emphasis mine)

Now using sudo to work around the root account is not only pointless, it's also dangerous: at first glance rsyncuser looks like an ordinary unprivileged account. But as I've already explained, it would be very easy for an attacker to gain full root access if he had already gained rsyncuser access. So essentially, you now have an additional root account that doesn't look like a root account at all, which is not a good thing.

My exploit was to set the setuid bit on the dash binary; it causes Linux to always run that binary with the permissions of the owner, in this case root.

In actuality, most people choose words from a set of 10,000 or more words, bringing the complexity of a 5 word passphrase to 16,405 or more times greater than that of a 8 character password.

Google found 1,494 device identifiers in SensorVault, sending them to the ATF to comb through. In terms of numbers, that’s unprecedented for this form of search. It illustrates how Google can pinpoint a large number of mobile phones in a brief period of time and hand over that information to the government

Google found 1,494 device identifiers in SensorVault, sending them to the ATF to comb through. In terms of numbers, that’s unprecedented for this form of search. It illustrates how Google can pinpoint a large number of mobile phones in a brief period of time and hand over that information to the government

Use a USB-condom. This is a device that plugs in between your normal cable and the computer and blocks the data lines

Use a USB cable with a "data switch". This cable is normally power-only, which is what you want 90% of the time. However there is a button ("Data Transfer Protection On/Off Switch") you can press that will enable data. An LED indicates the mode. This kind of cable is much safer and secure, plus more convenient for the users. It follows the security principle that if you make the defaults what you want users to do, they're more likely to follow your security policy.

As important as it is, we know that worrying about data security and password hygiene is about as much fun as doing your taxes.

В 2017 году количество устройств, подключенных к «интернету вещей», выросло до 8,4 миллиарда. Консалтинговое агентство Forrester прогнозирует, что к концу года более полумиллиона из них взломают. В Университете Иннополис уточняют, что в третьем квартале 2017 года в городской инфраструктуре стали фиксировать на 30 % больше случаев угрозы информационной безопасности. При этом каждый пятый из них оказался критичным. 

Blocking BEC AttacksAs technology evolves and deep fake AI grows popular, business email compromise (BEC) attacks are growing more common and sophisticated. Payton gave the audience a piece of advice: Do not use your public-facing domain name for moving money. Cybercriminals do their open source intelligence. They know your CEO. They know your CFO. They can figure out who your vendors are and your marketing campaigns. With knowledge gleaned from an Internet search, they have enough to send a social engineering email and transfer money. "Get a domain name that is not your public-facing domain name," Payton said. Get a set of email credentials only for people who are allowed to move money. Tell your bank you're no longer using the public-facing domain name for anything to do with wire transfers and money movement. From there, create a template to be used among employees sending and fulfilling financial requests. Decide on a code word you text to each other that isn't a term shared on social media, Payton advised. This way, a request that doesn't come with a code word will appear suspicious. A large healthcare provider adopted the method, she said – and it has already worked. The same strategy can be used for transferring intellectual property.

you probably referred to the positive case where no one overrides anything and so the property returns true, so no need to process further because it is really an automation. Yes, this is true. I just hope that it does not make websites skip the checks if this returns false.

Why can't I keep using script whitelists in CSP? The traditional approach of whitelisting domains from which scripts can be loaded is based on the assumption that all responses coming from a trusted domain are safe, and can be executed as scripts. However, this assumption does not hold for modern applications; some common, benign patterns such exposing JSONP interfaces and hosting copies of the AngularJS library allow attackers to escape the confines of CSP.

However, a broader problem is that your script-src whitelist includes domains that host Javascript which can be used by an attacker who finds a markup injection bug in your application to bypass your CSP. For example, https://cdnjs.cloudflare.com hosts Angular (https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.2/angular.min.js) which can be used by an attacker to convert an HTML injection into arbitrary script execution (here is a paper about this).

An API key is a simple encrypted string that identifies a Google Cloud Platform (GCP) project for quota, billing, and monitoring purposes. A developer generates an API key in a project in the GCP Console and embeds that key in every call to your API as a query parameter

This is useful if just a subset of the operations need the API key

PI keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL

API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key

Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0

Access control for GCP APIs encompasses authentication, authorization, and auditing. Authentication determines who you are, authorization determines what you can do, and auditing logs record what you did

Application credentials provide the required information about the caller making a request to a GCP API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys.

OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider

For each call to your API, user should send token with every API request and you should validate the encoded toke and either deny or send back the response.

Cloud IAP enables you to configure Cloud IAP policies for individual resources in a Google Cloud Platform (GCP) project. Multiple apps within a project can each have different access policies

principle of least privilege states that any process, user or program has only the privileges it needs to do its job

If you really want to impress your security consultant, then casually mention Kerckhoffs Principle which is a more formal way of saying ‘security through obscurity is not sufficient’

Hashing is the process of turning one set of data into another through a reproducible algorithm

symmetric key is. It’s a key that is ‘the same’ one used on both sides of the communication

asymmetric key is one where access to the key used to encrypt the message does not imply access to decrypt the message

Authorization is the process of determining whether you are allowed to do something or not

Security through obscurity is security through the design of a system. In other words, if the design of your system were to become public then it would be easy to expose

Role-Based Access Control gives permission to a more abstract entity called a role. Rather than giving access to that user directly, you give the user access to the role, and then that role has the access permissions set for it

This is why it’s important to ‘salt‘ your hash with a secret key so that knowledge of the hash algorithm isn’t enough to crack a lot of passwords

Encryption vs Encoding

new data provided by the Department of Human Services showed that almost half of all pension applications received last year were not processed within the timeframe set out in their Key Performance Measure standards

deploying an App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP)

API keys are for projects, authentication is for users

Endpoints Frameworks is supported only on the App Engine standard Python 2.7 and Java 8 runtime environments

it's not that there are new vulnerabilities that have been identified in the implicit flow, just that PKCE offers a more secure alternative that you should use if you have the option

PKCE (which stands for "Proof Key for Code Exchange" and is pronounced "pixie") was originally developed to solve a problem specific to native mobile apps using OAuth 2.0

While this has worked and continues to work for a wide range of web applications, security experts had (and continue to have) concerns that it leaves open some potential attack vectors

click a button that says "Sign in with GitHub." I am then sent to GitHub to sign in and, if this is my first time, grant permissions

Hundreds of millions of phone numbers linked to Facebook accounts have been found online.

JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

JMX monitoring

Securing JBoss Application Server

If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number

Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of proving an assertion, such as the identity of a computer system user.

Use a password manager like LastPass or 1Password.

Harry Potter: Wizards Unite, the Pokémon Go-style smartphone game co-developed by Niantic and WB Games

“Being able to feel safe with other people is probably the single most important aspect of mental health; safe connections are fundamental to meaningful and satisfying lives.”

Trauma victims cannot recover until they become familiar with and befriend the sensations in their bodies. Being frightened means that you live in a body that is always on guard. Angry people live in angry bodies. The bodies of child-abuse victims are tense and defensive until they find a way to relax and feel safe. In order to change, people need to become aware of their sensations and the way that their bodies interact with the world around them. Physical self-awareness is the first step in releasing the tyranny of the past.

Oops, I think that one might even be exploitable… I think I’m going to stop here. This needs a structured effort, not spending ten minutes every now and then. As I said, the codebase isn’t bad. But there are obvious issues that shouldn’t have been there. As always, spotting the issues is the easy part – proving that they are exploitable is far harder. I’m not going to spend time on that right now, so let’s just file these under “minor quality issues” rather than “security problems.”

LastPass has always been stressing that they cannot access your passwords, so keeping them on their servers is safe. This statement has been proven wrong several times already, and the improvements so far aren’t substantial enough to make it right. LastPass design offers too many loopholes which could be exploited by a malicious server. So far they didn’t make a serious effort to make the extension’s user interface self-contained, meaning that they keep asking you to trust their web server whenever you use LastPass.

Some of these actions will prompt you to re-enter your master password. That’s merely security theater

LastPass is run by LogMeIn, Inc. which is based in United States. So let’s say the NSA knocks on their door: “Hey, we need your data on XYZ so we can check their terrorism connections!” As we know by now, NSA does these things and it happens to random people as well, despite not having any ties to terrorism. LastPass data on the server is worthless on its own, but NSA might be able to pressure the company into sending a breach notification to this user.

Should you be concerned about LastPass uploading your passwords to its server?

Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.

To investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.

Hashicorp Vault: One-Time Password para SSH

Who would have thought crypto investors would be U.S. securities law experts by the end of 2018

vorsichtig in öffentlichen WLAN-Netzen sein

The NYCLU found nothing in the documents outlining policies for accessing data collected by the cameras, or what faces would be fed to the system in the first place. And based on emails acquired through the same FOIL request, the NYCLU noted, Lockport administrators appeared to have a poor grasp on how to manage access to internal servers, student files, and passwords for programs and email accounts. “The serious lack of familiarity with cybersecurity displayed in the email correspondence we received and complete absence of common sense redactions of sensitive private information speaks volumes about the district’s lack of preparation to safely store and collect biometric data on the students, parents and teachers who pass through its schools every day,” an editor’s note to the NYCLU’s statement on the Lockport documents reads.

politicians looking for issues to drum up with have made a whipping boy out of the social networks